Daily Brief
Find articles below; the summaries are machine-generated.
Total articles found: 11809
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-27 15:36:49 | theregister | DATA BREACH | Meta Allegedly Intercepted Snapchat Data for Competitive Edge | Meta (formerly Facebook) is accused of intercepting and analyzing Snapchat's encrypted data traffic through a program called Project Ghostbusters. The scheme involved the use of Onavo's technology, which Meta acquired, and a research app that collected data on user device usage. Participants, including teenagers, knowingly installed the app, which allowed Facebook to decrypt and analyze their SSL/TLS-encrypted traffic. The intercepted analytics data from Snapchat, Amazon, and YouTube was allegedly used to gain insights for competitive advantage, harming competitors' ad business and allowing Meta to raise ad prices significantly. Internal communications revealed concerns among Meta's security personnel about the legal and ethical implications of the interception. Advertisers have filed a lawsuit claiming that Meta's actions constituted criminal wiretapping and anti-competitive conduct. The case has broader implications, involving accusations of misuse of AI and sensitive user data for identity matching and price manipulation in the social media advertising market. Meta had not commented on the allegations at the time of the report. |
| 2024-03-27 15:31:22 | thehackernews | MALWARE | Sophisticated Malware Campaign Targets India's Defense and Energy | Hackers have targeted Indian government and energy firms, using malware disguised as an Air Force invitation to steal sensitive data via phishing emails. Dutch cybersecurity firm EclecticIQ has observed the campaign since March 7, 2024, and named it Operation FlightNight, noting the use of Slack channels for data exfiltration. Affected entities include organizations in electronic communications, IT governance, national defense, and private energy companies, with approximately 8.81 GB of data reported stolen. The malware, a modified version of the open-source HackBrowserData tool, steals a wide array of documents, uses Slack for communication, and employs obfuscation techniques for evasion. A decoy PDF file serves as the lure while the malware simultaneously harvests documents and browser data and relays them to the adversary's Slack channel. The attackers' methods resemble previous campaigns in their use of open-source tools and repurposed legitimate services such as Slack to minimize detection and cost. The incident illustrates an evolving threat landscape in which actors use open-source tooling and mainstream platforms to conduct espionage with minimal risk of detection. |
| 2024-03-27 14:02:48 | theregister | CYBERCRIME | Surge in Enterprise Tech Zero-Day Exploits Identified by Google | Google's Threat Analysis Group (TAG) and Mandiant observed a 64% increase in zero-day exploits targeting enterprise technology in 2023 compared with 2022. Overall, 97 zero-day vulnerabilities were exploited in 2023, up from 62 the previous year, with a significant shift toward enterprise-focused attacks. Major vendors such as Apple, Google, and Microsoft have made notable improvements in software security, introducing features designed to prevent common exploitation techniques. Attackers are increasingly exploiting vulnerabilities in third-party components and libraries, affecting multiple end-user products simultaneously. The most exploited enterprise technologies in 2023 included Barracuda Email Security Gateways, Cisco Adaptive Security Appliances, and products from Ivanti and Trend Micro. The majority of zero-day exploits were attributed to commercial surveillance vendors and government-backed cyber spies, with a smaller share from financially motivated criminals. China remained the most prolific nation-state actor in zero-day exploitation, with evidence of sophisticated attack paths chaining multiple vulnerabilities to breach networks. |
| 2024-03-27 14:02:47 | bleepingcomputer | CYBERCRIME | The Evolution of Ransomware-as-a-Service on the Dark Web | Ransomware-as-a-Service (RaaS) has become the dominant business model among cybercriminal groups, with significant developments in the last three months. The takedown of LockBit's leak blog and BlackCat's exit from the ransomware ecosystem signal noteworthy shifts as smaller ransomware groups emerge. RaaS relies on a complex supply chain: operators build the ransomware, affiliates distribute it, and initial access brokers provide entry points into target IT infrastructures. Competition for high-quality affiliates is fierce, leading groups to offer better terms and potentially reduce their own "returns" to attract sophisticated criminals. Recent law enforcement actions against LockBit and BlackCat have shaken affiliate confidence because of the perceived instability of these large groups. Cybercrime groups build reputations to attract experienced affiliates and maintain trust, reducing the risk that affiliates and victims are disincentivized from engaging with them. The RaaS ecosystem may fragment, as happened after the Raid Forums takedown, with more small groups potentially forming. Security recommendations include monitoring for stolen credentials, patching exploited vulnerabilities, implementing multi-factor authentication, and integrating proactive threat exposure management solutions. |
| 2024-03-27 13:21:43 | thehackernews | CYBERCRIME | CISA Flags SharePoint Flaw Being Exploited by Hackers | The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical remote code execution vulnerability in Microsoft SharePoint Server (CVE-2023-24955) due to active exploitation. Affected SharePoint Server versions allow an authenticated attacker with Site Owner privileges to remotely execute arbitrary code. Microsoft addressed the issue in its May 2023 Patch Tuesday updates after the vulnerability was discovered. An exploit chain combining CVE-2023-24955 with another SharePoint flaw (CVE-2023-29357) was previously demonstrated at a hacking contest, earning the researchers $100,000. No specific information has been released about the attackers or how the combined exploits may have been misused. Federal Civilian Executive Branch (FCEB) agencies must apply the patch by April 2024 to mitigate potential threats. Windows systems with automatic updates and the "Receive updates for other Microsoft products" option enabled are protected against this vulnerability automatically. |
| 2024-03-27 13:00:47 | bleepingcomputer | NATION STATE ACTIVITY | Surge in Government-Linked Zero-Day Exploits Exposed | The number of zero-day vulnerabilities exploited in attacks in 2023 rose to 97, a significant 50% increase over the previous year. Google's Threat Analysis Group (TAG) and Mandiant reported that spyware vendors and their government clients were behind many of the exploits. Approximately half of the zero-day exploits were connected to commercial surveillance vendors (CSVs) targeting end-user platforms and enterprise technologies. Chinese state-sponsored actors were responsible for exploiting 12 zero-day vulnerabilities, evidencing a growing trend in their cyber operations. CSVs were behind 75% of the zero-day exploits targeting Google products and the Android ecosystem in 2023. Google has recommended security measures such as Memory Tagging Extension (MTE) and Lockdown mode for high-risk users to defend against zero-day attacks. In response to the malicious use of spyware, the U.S. imposed sanctions and visa restrictions on individuals and firms linked to commercial spyware operations, including Predator spyware operators and their founder. |
| 2024-03-27 12:55:23 | thehackernews | MALWARE | Microsoft Edge Flaw Allowed Stealthy Extension Installation | Microsoft patched a serious vulnerability in the Edge browser, tracked as CVE-2024-21388, that allowed silent installation of malicious extensions. Discovered by Guardio Labs and responsibly disclosed, the flaw had a CVSS score of 6.5 and was fixed in the Edge stable release of January 25, 2024. Attackers could abuse a private Microsoft API, originally intended for marketing purposes, to covertly install extensions with extensive permissions. The bug stems from a lack of proper validation, permitting any extension identifier to be installed without user interaction. Guardio's research indicated that JavaScript running on pages such as bing[.]com or microsoft[.]com could trigger unauthorized extension installations from the Edge store. Microsoft's advisory acknowledged that the vulnerability could lead to a browser sandbox escape and required attackers to prepare the target environment. Although there is no evidence of active exploitation, Guardio Labs highlighted the risk that browser customizations can lead to security compromises. |
| 2024-03-27 11:02:53 | theregister | DATA BREACH | Social Enterprise Big Issue Hit by Ransomware Data Leak | The Big Issue, a newspaper assisting the homeless, suffered a cybersecurity incident claimed by the Qilin ransomware gang. Qilin claims to have stolen 550 GB of sensitive data from The Big Issue, including personal details of employees and subscribers. Leaked information potentially includes the CEO's driving license, salary details, and employee passport scans. Subscribers' personal email addresses and bank details, such as account numbers and sort codes, might also have been compromised. The Big Issue Group has responded by restricting system access and working with IT security experts, law enforcement, and regulatory agencies while beginning system restoration. Publication and distribution of The Big Issue are unaffected, and services to vendors continue, underscoring the organization's social mission. The ICO has been notified, implying a review of data protection and security practices at The Big Issue. |
| 2024-03-27 11:02:53 | thehackernews | CYBERCRIME | Enhancing SASE Security with Enterprise Browser Extensions | Organizations increasingly use SASE solutions to secure their cloud-based networks and improve network performance. A new report identifies significant gaps in SASE's ability to defend against web-borne threats, including phishing and malicious browser extensions. Secure browser extensions are presented as critical to a comprehensive security strategy, offering real-time protection and granular visibility against sophisticated threats. The report uses three use cases to illustrate the shortcomings of SASE and the added value of browser extensions: phishing attacks, malicious extensions, and account takeovers. As SaaS applications become the norm, the browser's role as the main workspace has expanded, making it a critical point of vulnerability. LayerX emphasizes that network security alone is not enough and that organizations need additional measures such as secure browser extensions to mitigate risk. The full report on how secure browser extensions provide real-time protection and complement SASE is available for download. |
| 2024-03-27 10:42:12 | thehackernews | CYBERCRIME | AI Platform Exploitation for Crypto Mining Underscores Security Flaw | A critical vulnerability in the Anyscale Ray AI platform is being exploited for cryptocurrency mining. Attackers exploit CVE-2023-48022 to execute arbitrary code, affecting various sectors including education and biopharma. The campaign, named ShadowRay, has been active since September 2023 and targets AI workloads. Major industry players such as OpenAI, Uber, and Netflix use the Ray platform, heightening the potential impact. Anyscale acknowledges the issue but has chosen not to fix it, citing design decisions and future authentication plans. Security firm Oligo observed hundreds of compromised Ray GPU clusters, leading to data leaks that included sensitive credentials. Attackers not only mined cryptocurrency but also gained persistent remote access and elevated privileges in cloud environments. The exploitability of the flaw underscores the importance of securing AI computing frameworks against cyber threats. |
| 2024-03-27 07:58:49 | thehackernews | MALWARE | Evolving Phishing Scheme Employs Agent Tesla Keylogger via Email | A new phishing campaign has been detected using a novel malware loader to deliver the Agent Tesla keylogger. Victims receive a phishing email posing as a bank payment notice, with a malicious attachment that initiates the malware deployment. The loader conceals itself through obfuscation and polymorphic behavior, bypassing antivirus programs and using proxies to disguise its traffic. Two variants of the .NET-based loader use different decryption methods to obtain the payload from a remote server and evade the Windows Antimalware Scan Interface (AMSI). Agent Tesla is executed in memory, allowing attackers to covertly harvest data and send it via SMTP using a compromised email account. Trustwave's findings point to a significant evolution in Agent Tesla's deployment methods, emphasizing its sophistication and stealth. The article also references related phishing activity by other cybercrime groups and the use of phishing kits such as Tycoon targeting Microsoft 365 users. |
| 2024-03-27 04:23:41 | thehackernews | NATION STATE ACTIVITY | Two Chinese APTs Intensify Espionage on ASEAN Nations | Two Chinese advanced persistent threat (APT) groups are targeting ASEAN countries in a cyber espionage campaign focused on geopolitical intelligence. Mustang Panda, one of the groups involved, used phishing emails and malware packages to compromise targets in Myanmar, the Philippines, Japan, and Singapore. Its malware tactics include DLL side-loading and the use of renamed copies of benign software to deploy the Mustang Panda malware PUBLOAD. Unit 42 also detected network traffic between an ASEAN-affiliated entity and the command-and-control infrastructure of a second, unnamed Chinese APT group. A separate threat actor, Earth Krahang, has targeted 116 entities across 35 countries using spear-phishing and server vulnerabilities to deliver various types of malware. Leaked documents from I-Soon, a Chinese government contractor, expose the sale of malware to Chinese government entities and the existence of "digital quartermasters" supplying multiple state-sponsored cyber groups. The Tianfu Cup, China's hacking contest, is implicated as a source for the Chinese government's accumulation of zero-day exploits. The leaks provided insight into China's outsourcing of cyber operations to third-party companies, revealing a competitive market of independent hacker-for-hire entities supporting state espionage objectives. |
| 2024-03-27 03:22:29 | theregister | MISCELLANEOUS | Enhancing Data Security in a Remote Work Era with Forcepoint | The trend toward remote working has persisted post-pandemic, posing challenges for IT security teams in safeguarding sensitive data across varied locations. Forcepoint Data Security Everywhere aims to address these challenges by automating data loss prevention (DLP) for both managed and unmanaged devices. The platform enforces DLP policies on data regardless of its location, whether behind a corporate firewall, in the cloud, or on remote user devices, reducing the need for manual policy implementation across different domains. An AI engine within the platform scans for structured and unstructured data across numerous fields and file types, regulating access permissions and preventing improper data exfiltration. Forcepoint's solution offers a large selection of pre-defined DLP classifiers, policies, and templates to facilitate immediate implementation without extensive IT resource investment. Organizations can integrate and enforce compliance and privacy standards using the out-of-the-box frameworks provided by Forcepoint's platform. |
| 2024-03-26 21:26:13 | bleepingcomputer | NATION STATE ACTIVITY | Finnish Probe Identifies Chinese APT31 as Parliament Hackers | Finnish police have confirmed that APT31, a hacking group with ties to the Chinese Ministry of State Security, was responsible for the 2021 breach of Finland's parliament. The breach, initially disclosed in March 2021, involved access to multiple email accounts within the parliament, including those of Finnish MPs. A complex investigation involving Finland's Security and Intelligence Service and international agencies has identified a suspect and detailed a "complex criminal infrastructure." The U.S. Treasury Department sanctioned two APT31 operatives, who have also been charged by the Justice Department for involvement in a 14-year span of cyber operations. The UK has imposed sanctions on the same individuals and their associated front company for attacks on British targets, including parliamentarians and the Electoral Commission. The U.S. Department of State is offering rewards for information on APT31 that could help apprehend any of the seven Chinese MSS hackers linked to the group. APT31 is notorious for extensive cyber espionage, including the theft of the NSA's EpMe exploit and the targeting of individuals linked to Joe Biden's presidential campaign. |
| 2024-03-26 20:45:17 | bleepingcomputer | CYBERCRIME | Raspberry Pi Hack Tool 'GEOBOX' Enables Affordable Cybercrimes | Cybercriminals are offering a Raspberry Pi software package called 'GEOBOX' that turns the device into an anonymous cyberattack tool. Sold on Telegram for $80/month or $700 for a lifetime license, GEOBOX gives even inexperienced hackers a means to conduct various online crimes. The tool was discovered by Resecurity during the investigation of a banking theft affecting a high-profile corporation. GEOBOX devices operate as proxies without storing logs, complicating law enforcement efforts to track and investigate cybercrime. Raspberry Pis, as low-cost, lightweight computers, serve as convenient vehicles for discreet attacks because of their portability and ease of concealment. GEOBOX equips users with capabilities such as network spoofing, VPN and Tor access, and proxy services, tailored even for low-skilled threat actors. The tool enables a wide range of illicit activities, including financial fraud, malware distribution, and disinformation campaigns, enhancing anonymity for cybercriminals. While GEOBOX's individual functions are not novel compared with other tools or distributions such as Kali Linux, its user-friendly bundle appeals to novices in the cybercriminal community. |