Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-09 13:53:59 | thehackernews | CYBERCRIME | Spear-phishing Campaign Targets Human Rights Activists' Data | Hackers targeting human rights activists in Morocco and Western Sahara have launched a new malicious campaign using deceptive Android apps and credential-harvesting phishing aimed at Windows users. Cisco Talos has named the threat actor Starry Addax, which specifically targets activists of the Sahrawi Arab Democratic Republic (SADR). Victims are lured through spear-phishing emails that persuade them to install fake mobile apps or visit counterfeit social media login pages that hijack their credentials. The custom Android malware, named FlexStarling, can download further malicious components and exfiltrate sensitive user data once installed. FlexStarling requests excessive permissions, indicating that the threat actors aim for a prolonged, undetected presence on victim devices and prioritize stealth. This targeted attack uses bespoke infrastructure with the aim of maintaining long-term covert surveillance and data harvesting from high-value individual targets. The security landscape is further complicated by the sale of a new commercial Android remote access trojan (RAT), Oxycorat, which has extensive data-gathering capabilities. | Details |
| 2024-04-09 13:12:53 | thehackernews | CYBERCRIME | LG Smart TV Flaws Could Allow Unauthorized Root Access | Security researchers from Bitdefender identified multiple vulnerabilities in LG smart TVs running webOS. The weaknesses could be exploited to bypass security measures and obtain root access to the televisions. LG has addressed these issues through software updates released on March 22, 2024. The vulnerabilities, with CVE IDs ranging from CVE-2023-6317 to CVE-2023-6320, affect certain versions of webOS. An attacker could chain specific CVEs to elevate device permissions and execute commands as the dbus user. Over 91,000 internet-connected LG smart TVs with exposed vulnerable services were identified worldwide, primarily in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia. The flaws were initially reported to LG in November 2023, leading to the recent fixes to mitigate potential risks. | Details |
| 2024-04-09 13:02:05 | bleepingcomputer | MALWARE | Security Flaws Expose 90,000 LG Smart TVs to Remote Attacks | Over 90,000 LG smart TVs are susceptible to remote attacks due to four vulnerabilities found in the webOS operating system by Bitdefender researchers. The security flaws enable unauthorized access, allowing authorization bypass, privilege escalation, and command injection through a service that connects to smartphones. Shodan internet scans show that many of these smart TVs are reachable online, indicating a large number of devices at risk. The affected models and webOS versions span from webOS 4.9.7 to 7.3.1-43 across various LG smart TV models. LG was notified about the vulnerabilities in November 2023 and took until March 2024 to issue security updates, which users need to apply manually. The importance of timely webOS updates has been underscored, as vulnerable devices might serve as entry points for further attacks on connected devices and networks. Smart TVs, given their role in users' digital lives, could be leveraged for botnet DDoS attacks, cryptomining, or hijacking of associated streaming service accounts. | Details |
| 2024-04-09 13:02:05 | bleepingcomputer | CYBERCRIME | Undetected SharePoint File Thefts Enabled by New Flaws | Researchers uncovered two methods allowing hackers to stealthily extract files from Microsoft SharePoint without triggering major audit log alerts. SharePoint is widely utilized by organizations for document management, necessitating stringent audit measures to detect unauthorized data access. The first technique exploits SharePoint's "Open in App" function to download files and only logs an "Access" event, which administrators typically give less attention. The second technique involves falsifying the User-Agent string to resemble Microsoft SkyDriveSync, making the download appear as a routine file synchronization action. Microsoft deems the flaws moderate in severity and has slated them for future patching, but no immediate fixes are planned. Companies are advised to closely monitor access activity for signs of bulk file downloads and unusual patterns, such as new device logins from atypical locations. Detecting suspicious activity requires heightened monitoring of file synchronization logs for irregularities in the frequency and volume of data transfer. | Details |
| 2024-04-09 12:46:22 | theregister | DATA BREACH | UK Firms Neglect Cyber Security: Inadequate Response to Breaches | The UK government's cybercrime statistics for 2024 reveal a lack of preparedness among UK businesses in dealing with security breaches. Only 22% of surveyed businesses have a formal incident response plan, with experts expressing astonishment at the nonchalant attitude toward cybersecurity. Even after detecting disruptive breaches, only 10% of businesses report them to the police, and fewer to the National Cyber Security Centre (NCSC); the Information Commissioner's Office (ICO) is rarely notified. A surprising 39% of businesses take no action post-breach, while some implement minor staff training, firewall updates, or anti-malware enhancements. Medium and large businesses are more proactive in responding to breaches than small and micro businesses, with 74% and 86% respectively making changes to prevent future incidents. Even when breaches have a material impact, such as data theft, 18% of businesses do not respond, showing a glaring gap in risk management. There is a declining trend in businesses seeking cybersecurity information or engaging with official security sources like the NCSC, especially among micro and small businesses. Financial impact varies by business size, with the average cost of a breach at £1,206 and significantly higher for material outcomes, emphasizing the potential financial risks associated with cyber incidents. | Details |
| 2024-04-09 11:34:19 | thehackernews | RANSOMWARE | CL0P Ransomware Escalates to Top Threat in 2023 | CL0P ransomware, believed to be of Russian origin, escalated its activities significantly in 2023, making it one of the top ransomware groups. Targeting organizations across finance, manufacturing, and healthcare, CL0P uses "steal, encrypt, and leak" tactics and operates a Ransomware-as-a-Service (RaaS) model. Data from victims who do not pay is published on the gang's Tor-hosted leak site, following threats of exposure if the ransom demand is not met. Recent exploits by CL0P include the Fortra GoAnywhere MFT zero-day vulnerability affecting over 100 organizations and vulnerabilities within PaperCut and MOVEit software. CL0P's aggressive approach includes quadruple extortion, directly contacting stakeholders and executives after initial data leaks and threats are ignored. SecurityHQ recommends that organizations apply timely patches, monitor for suspicious activity, and engage in proactive threat intelligence gathering to defend against CL0P. The SecurityHQ Threat Intelligence team continues to monitor and research cybersecurity threats, offering insights and actionable intelligence to its global clientele. | Details |
| 2024-04-09 07:29:45 | thehackernews | MALWARE | Sophisticated Invoice Phishing Scheme Delivers Multi-Stage Malware | Cybersecurity researchers have uncovered a complex phishing scam employing invoice-themed emails to spread malware. The attack uses SVG file attachments that trigger malware delivery through the BatCloak obfuscation engine and ScrubCrypt. BatCloak is known for bypassing traditional detection methods while loading next-stage malicious payloads. The malware variants distributed include Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. Venom RAT, a variant of Quasar RAT, allows attackers to remotely control systems and deploy additional plugins for data theft. The campaign demonstrates sophisticated obfuscation and evasion techniques, including bypassing AMSI and ETW protections and using various scripts. Security researchers stress the intricacy of the attack and the versatility of the malware, exemplified by its plugin distribution system. | Details |
| 2024-04-09 05:52:56 | thehackernews | MALWARE | Urgent Alert: Critical Vulnerabilities in 92K D-Link NAS Devices | Two high-severity vulnerabilities, tracked as CVE-2024-3272 and CVE-2024-3273, affect nearly 92,000 D-Link network-attached storage (NAS) devices, which are now at end-of-life (EoL). Threat actors have been scanning for and exploiting these security flaws, with the potential for arbitrary command execution, sensitive data exposure, system configuration alteration, or DoS attacks on affected units. D-Link has declined to provide a patch for the obsolete devices, advising customers to replace their vulnerable units instead. Attacks observed by GreyNoise involve the notorious Mirai botnet malware, indicating that compromised devices could be remotely controlled by cybercriminals. The Shadowserver Foundation recommends that users disconnect these NAS devices from the internet or limit remote access with stringent firewall rules to prevent exploitation. These incidents highlight an evolving threat landscape in which attackers, including financially motivated and nation-state groups, exploit network device vulnerabilities, adapting their methods and malware accordingly. Palo Alto Networks Unit 42 has documented a trend in which malware on infected hosts initiates network vulnerability scanning, helping attackers conceal their activities, bypass defense mechanisms, and expand the reach of their botnets. | Details |
| 2024-04-09 01:42:11 | bleepingcomputer | CYBERCRIME | Targus Suffers Disruptive Cyberattack Impacting Business Operations | Targus, a company specializing in laptop and tablet accessories, experienced a cyberattack that compromised its file servers. The incident was disclosed in an SEC filing by parent company B. Riley Financial, Inc., revealing that the attack occurred on April 5th, 2024. Upon detecting the intrusion, Targus immediately implemented its incident response protocols, with external assistance, to investigate and mitigate the effects. Containment measures to eliminate unauthorized access caused a temporary halt to Targus's business operations. There is currently no confirmation of whether data was exfiltrated, but the initial breach involved servers that store sensitive information. Targus has reported the breach to regulatory authorities and law enforcement and is working on recovery with external cybersecurity experts. No cybercriminal group has yet claimed responsibility for the breach, and further details regarding the nature of the attack have not been provided. | Details |
| 2024-04-08 22:18:21 | bleepingcomputer | MALWARE | Over 90,000 D-Link NAS Devices Vulnerable to Mirai Malware Attack | Attackers are targeting 92,000 D-Link Network Attached Storage (NAS) devices through a critical remote code execution (RCE) zero-day vulnerability. The flaw involves a hardcoded account with an empty password and a command injection issue, enabling attackers to deploy Mirai malware variants. Cybersecurity firms observed that exploitation began on Monday; the issue had previously been disclosed by a security researcher. D-Link confirmed the affected devices are end-of-life and will not receive patches, recommending that users replace them. D-Link issued an advisory and a legacy support page, but no firmware updates will fully secure the outdated devices. Threat actors are adding the compromised devices to botnets for potential large-scale DDoS attacks. | Details |
| 2024-04-08 20:36:12 | theregister | MISCELLANEOUS | Insurers Use Drones for Coverage Decisions, Sparking Controversy | U.S. insurance companies are increasingly using drone photos to evaluate property risks and deny home insurance policies. Major insurers like State Farm and Allstate are selecting only the least risky properties for coverage, using aerial imagery to make their assessments. The Geospatial Insurance Consortium provides detailed imagery to insurers, including post-disaster photos, aided by AI technology from its partnership with Vexcel. Privacy and accuracy concerns arise as some homeowners report being dropped based on outdated or incorrectly analyzed aerial photos. A case in California highlighted the issue, with a homeowner denied renewal despite an independent inspection contradicting the aerial photo assessment. Reports suggest that some insurers, such as Farmers Insurance, have used minor issues depicted in aerial photos to justify dropping claims or policies. State regulations generally protect consumers by restricting the reasons an insurer can deny coverage; however, questionable aerial photos may provide a loophole. The situation pressures homeowners to maintain their properties up to insurers' standards, as judged by aerial surveillance, or face the risk of losing their insurance coverage. | Details |
| 2024-04-08 18:23:44 | bleepingcomputer | CYBERCRIME | Crypto Drainers Hack Thousands of WordPress Sites | Hackers have compromised nearly 2,000 WordPress sites to trick visitors with fake NFT offers and crypto discounts via pop-ups, leading to crypto wallets being drained. Security firm Sucuri reported that hackers initially infected 1,000 sites to promote crypto drainers, then expanded their efforts by turning visitors' browsers into tools for brute-forcing site admin passwords. The compromised sites, used in a large-scale brute-force campaign, included high-profile targets like the website of Ecuador's Association of Private Banks. The cybercriminals' latest move involves using these sites to display fraudulent promotions that encourage users to connect their wallets, which the drainers subsequently empty. An Urlscan search shows over 2,000 websites have loaded these malicious scripts in the past week, but not all are currently active in generating the scam pop-ups. The MetaMask service warns users when visiting sites with these malicious scripts, highlighting the importance of connecting wallets only to trustworthy platforms. Users are advised to remain vigilant and cautious with unexpected pop-up windows, especially those that do not match the website's primary content or design. | Details |
| 2024-04-08 18:03:12 | theregister | DATA BREACH | Home Depot Employee Data Exposed by Third-Party Vendor | Home Depot confirmed that a third-party SaaS vendor exposed employee names, work email addresses, and User IDs. The data breach occurred during system testing by the unnamed third-party vendor. Details on the extent of the data exposure and the specific number of employees affected have not been disclosed. An individual on BreachForums, using the moniker "IntelBroker," claims to have uploaded a database containing 10,000 Home Depot employees' information. The stolen employee data could potentially lead to credential theft and unauthorized access to Home Depot's sensitive systems. Home Depot employs approximately 475,000 associates across its stores in the US, Canada, and Mexico. The same individual, IntelBroker, is also linked to the theft of classified information from the Pentagon and other high-profile data breaches. The State Department and other authorities are investigating these cyber incidents involving IntelBroker. | Details |
| 2024-04-08 15:04:53 | bleepingcomputer | CYBERCRIME | CVS Group Cyberattack Disrupts Veterinary Services Across UK | A cyberattack targeted CVS Group, causing significant disruption to its veterinary operations in the UK. CVS Group is a major provider with 500 practices in the UK, Australia, the Netherlands, and Ireland, employing over 9,100 staff. Unauthorized access to CVS's IT systems prompted the company to shut down its systems to contain the threat. Third-party cybersecurity experts have been engaged to investigate the incident and aid in IT service restoration. The cyberattack's effects are confined to UK operations, as non-UK services are not hosted on the affected infrastructure. CVS announced the acceleration of its strategic plan to migrate IT systems to the cloud, promising enhanced security but additional operational disruption. The company's announcement on the London Stock Exchange site did not confirm whether any personal data was compromised, and no ransomware group has claimed the attack. | Details |
| 2024-04-08 14:49:16 | bleepingcomputer | CYBERCRIME | CVS Group Veterinary Clinics Hit by Disruptive Cyberattack | UK-based CVS Group, a provider of veterinary services, suffered a cyberattack resulting in significant operational disruption. The attack affected the company's IT infrastructure, prompting CVS Group to shut down systems to contain the breach. CVS Group operates 500 veterinary practices and employs approximately 9,100 staff, including 2,400 veterinary surgeons and 3,400 nurses. Third-party cybersecurity specialists have been enlisted to aid in the investigation and restoration of the IT services. The cyber incident is currently limited to UK practices; international operations are unaffected as they do not use CVS Group's IT systems. The company is accelerating a strategic move to migrate all its IT infrastructure to the cloud, expected to enhance security and efficiency but extend operational disruptions. As of now, no ransomware group has claimed responsibility, nor has there been confirmation of a data breach affecting staff or clients. | Details |