Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11809

Checks for new stories every ~15 minutes

2024-03-25 23:22:53 bleepingcomputer CYBERCRIME Panera Bread Suffers Nationwide IT Outage, Possible Cyberattack
Panera Bread is facing a nationwide IT outage since Saturday, impacting online ordering, POS systems, phones, and other internal systems. All Panera Bread stores remain open but are only accepting cash transactions; loyalty reward redemptions are suspended due to the downtime. In-store kiosks, employee work schedules, and shift details are currently inaccessible. The company's website and mobile app have been down since the incident began, citing "essential system maintenance and enhancements." The customer service phone line is also out of service; Panera Bread has yet to release an official statement regarding the cause of the outage. The widespread impact and timing of the incident point toward a potential cyberattack, particularly as cybercriminals often strike on weekends when businesses have reduced monitoring. As a food chain giant, Panera Bread operates 2,160 bakery cafes in the U.S. and Ontario, Canada, and is part of the Panera Brands family, which includes Caribou Coffee and Einstein Bros Bagels.
2024-03-25 22:21:39 theregister NATION STATE ACTIVITY US Indicts Chinese Nationals for Cyber Espionage Activities
The US has charged seven Chinese nationals, allegedly members of APT31, with a years-long cyber espionage campaign against targets including critical infrastructure operators, businesses, journalists and political figures. APT31 is assessed to operate on behalf of China's Ministry of State Security (MSS), and is the same group the UK accuses of attempting to compromise parliamentarians' emails in 2021. Both governments imposed sanctions on two of the indicted individuals and on Wuhan Xiaoruizhi Science and Technology Company, suspected of being an MSS front. The UK separately attributes the breach of its Electoral Commission, in which data was accessed between 2021 and 2022, to Chinese state actors. The US State Department is offering a reward of up to $10 million for information on the indicted individuals. According to the indictment, APT31 targeted thousands of victims worldwide over more than a decade, stealing sensitive data and intellectual property and causing billions of dollars in losses to US organizations. A report by the Foundation for Defense of Democracies, cited by The Register, calls for a dedicated US Cyber Force in light of the growing threat from nation-states such as China and Russia.
2024-03-25 21:25:26 bleepingcomputer NATION STATE ACTIVITY U.S. Treasury Sanctions Crypto Exchanges Linked to Russian Darknet
The U.S. Treasury has sanctioned two crypto exchanges, Bitpapa and Crypto Explorer, for transactions with Russian entities. Bitpapa facilitated trades with Hydra Market, the largest darknet market, and Garantex, both OFAC-designated. Hydra Market, before its seizure, had substantial global reach with a large number of seller accounts and customers. Crypto Explorer provided services in Russia and UAE, including cash services linked to sanctioned Russian banks. The sanctions are part of efforts to prevent Russia from circumventing U.S. sanctions amid the Ukraine conflict. Designated entities' assets in the U.S. will be frozen and transactions with them are prohibited without OFAC authorization. Previous actions by OFAC include the sanctioning of Garantex and cryptocurrency mixing services used for money laundering by hacker groups.
2024-03-25 21:20:05 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Crypto Exchanges Linked to Russian Darknet Operations
The U.S. Treasury has sanctioned two cryptocurrency exchanges, Bitpapa and Crypto Explorer, for supporting Russian dark web activities. These exchanges enabled transactions with Hydra Market, the largest darknet market known for drug sales and money laundering, with over $1.35 billion in turnover in 2020. German police seized Hydra Market's servers and bitcoins worth approximately $38.5 million in April 2022. Crypto Explorer also provided financial services facilitating currency conversions and cash services in Moscow and Dubai. Sanctions include freezing of U.S. assets and prohibition of transactions with the sanctioned entities and individuals and aim to impede Russia's evasion of sanctions related to the conflict with Ukraine. Other Russian fintech firms and their owners were also sanctioned for collaborating with blocked Russian banks to help evade sanctions. Entities with at least 50% ownership by blocked persons are subjected to asset freezing, increasing risks for financial institutions engaging with the sanctioned parties.
2024-03-25 18:30:09 bleepingcomputer CYBERCRIME CISA and FBI Call for Action Against SQL Injection Threats
CISA and the FBI have issued a joint Secure by Design alert urging executives at technology manufacturers to have their software formally reviewed for SQL injection (SQLi) vulnerabilities. SQL injection occurs when user-supplied input is concatenated into a database query, letting an attacker alter the query's structure to read or modify data, bypass authentication, and in some configurations take over the underlying system. The agencies' recommended fix is parameterized queries with prepared statements: the SQL text is fixed in advance and the input is passed to the database separately as data, so it can never be interpreted as SQL code. SQL injection (CWE-89) ranks third in MITRE's 2023 list of the 25 most dangerous software weaknesses. The alert was prompted by the Clop ransomware gang's 2023 campaign exploiting a zero-day SQLi flaw in Progress Software's MOVEit Transfer, which compromised thousands of organizations; the campaign is estimated to have earned Clop $75-100 million in extortion payments. The agencies stressed that SQLi remains widespread in shipping software despite being a well-understood and fully preventable class of bug, and called for mitigations to be implemented immediately. The alert follows related Secure by Design guidance, including the White House ONCD's recommendation to adopt memory-safe programming languages and CISA's advice on hardening SOHO routers against coordinated attacks.
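To make the advisory's point concrete, the following added example (not code from CISA, the FBI or the article) shows the anti-pattern the agencies describe next to the parameterized fix, and demonstrates why one works and the other does not. It uses Python's built-in sqlite3 driver with an in-memory database and constructed sample rows; the table, column names and placeholder hashes are assumptions for the demo. It also covers the caveat practitioners tend to miss: identifiers such as ORDER BY columns cannot be bound as parameters and need an allowlist instead.

```python
"""SQL injection: string-built query vs parameterized query (sqlite3).

Added example with constructed data; not from the CISA/FBI alert.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """Anti-pattern (CWE-89): input is spliced into the SQL text, so the input
    can change the structure of the query, not just the values compared."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """Fix: the SQL text is constant; the driver ships the values separately,
    so they are only ever compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


# Classic tautology payload. Against the vulnerable function the WHERE clause
# becomes  username = '' OR '1'='1' AND pw_hash = '' OR '1'='1'  which is true
# for every row. (sqlite3.execute refuses stacked statements such as
# "'; DROP TABLE users; --", but many other drivers do not.)
PAYLOAD = "' OR '1'='1"

# Identifiers (table/column names, ORDER BY targets) cannot be bound with '?'.
# The only safe option is an allowlist checked before the identifier is used.
ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Sort by a caller-chosen column without exposing an injection point."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


def demo() -> dict:
    """Run both login variants with legitimate and injected input."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash_of_alice_pw"),
        "legit_parameterized": login_parameterized(conn, "alice", "hash_of_alice_pw"),
        "wrong_pw_vulnerable": login_vulnerable(conn, "alice", "nope"),
        "injected_vulnerable": login_vulnerable(conn, PAYLOAD, PAYLOAD),      # True: auth bypass
        "injected_parameterized": login_parameterized(conn, PAYLOAD, PAYLOAD),  # False: payload is just a string
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {outcome}")
```

The parameterized version returns False for the payload because the database looks for a user literally named `' OR '1'='1`; no escaping or input filtering is involved, which is why the advisory favors this over blacklisting characters.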
2024-03-25 18:09:31 bleepingcomputer MALWARE Discord Bot Platform Top.gg Targeted by Malware Attack
Top.gg, a prominent Discord bot platform with over 170,000 members, suffered a supply-chain attack delivering malware designed to steal sensitive data. The attackers have been active since at least November 2022, uploading malicious Python packages to PyPI (Python Package Index) using techniques like account hijacking and typosquatting. The perpetrators set up a fake Python package repository to distribute poisoned versions of legitimate packages, tricking users and development systems. Checkmarx researchers identified a breach in early 2024 when a top.gg maintainer's GitHub account was compromised, leading to malicious commits on Top.gg repositories. The malware establishes persistence by altering the Windows Registry and exfiltrates stolen data via HTTP requests, alongside uploads to file-hosting services. The full extent of the user impact from this campaign remains unknown, but the incident underlines the risks associated with the open-source supply chain and emphasizes the need for secure coding practices.
2024-03-25 18:03:58 theregister CYBERCRIME Massive Python Package Supply Chain Attack Infects 170K+ Users
An estimated 170,000 users were exposed to a supply chain attack on the Python ecosystem. The attackers distributed malware through poisoned PyPI packages and a typosquatted download domain; the payload harvests data from browsers, Discord, and cryptocurrency wallets. The campaign centered on the Top.gg GitHub organization, a community of Discord bot developers, and planted trojanized clones of popular Python packages such as Colorama. Attackers took over the GitHub accounts of trusted community members to push malicious commits. The domain files.pypihosted[.]org was registered to imitate files.pythonhosted.org, the legitimate host for PyPI package files, so a dependency pinned to a URL there looked routine while delivering a backdoored archive. The injected code was padded with long runs of whitespace so that it sat far off-screen in an ordinary editor and was easy to miss during review. After Top.gg users noticed the compromise, remediation began, but the total number of affected users is not known. The incident shows how hard it is to secure open-source package ecosystems against attacks that combine account takeover, typosquatting and code obfuscation.
2024-03-25 18:03:58 bleepingcomputer CYBERCRIME Supply-Chain Attack Targets Top.gg Discord Bot Platform
The Top.gg Discord bot community was hit by a supply-chain attack, posing a risk to its 170,000 members. Malicious actors hijacked GitHub accounts and distributed malware-laden Python packages. The attacker's TTPs involved social engineering and setting up a fake Python package infrastructure. Checkmarx identified data theft as the primary objective of this campaign, where stolen information is likely sold for profit. The attackers gained access to Top.gg's GitHub repositories, allowing them to make malicious commits using a maintainer's compromised account. The malware downloaded by the poisoned packages ensures persistence and steals sensitive data to be sent to a command and control server. This supply-chain vulnerability serves as a warning about the risks associated with open-source projects and the necessity for developers to vet their dependencies thoroughly.
2024-03-25 16:57:25 bleepingcomputer CYBERCRIME Sophisticated 'Tycoon 2FA' Phishing Kit Targets Major Email Providers
A phishing-as-a-service platform called 'Tycoon 2FA' is actively targeting Microsoft 365 and Gmail accounts and defeating one-time-code and push-based two-factor authentication (2FA). Sekoia analysts discovered it in October 2023; the kit has been operational since at least August 2023 and is sold through private Telegram channels. Code overlaps with other phishing kits suggest either collaboration between operators or code reuse, and ongoing development has made it steadily stealthier. The kit runs an adversary-in-the-middle (AitM) reverse proxy between the victim and the real login page: the victim's credentials and 2FA code are relayed to the legitimate service in real time, and the resulting session cookie is captured, letting the attacker log in as an already-authenticated user without triggering a new MFA prompt. Phishing-resistant methods such as FIDO2 security keys and passkeys bind the credential to the legitimate origin and are not defeated by this relay technique. Updates made to Tycoon 2FA in 2024 improved its evasion, including better filtering of traffic from bots and security analysis tools. Sekoia's report points to a broad customer base, with over 1,800 Bitcoin transactions linked to the operators' wallet, indicating the scale of the operation. Sekoia has published a repository of indicators of compromise (IoCs) for Tycoon 2FA to support detection and blocking.
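The AitM flow described above leaves two traces in identity-provider telemetry: the MFA is completed from the proxy's address rather than the user's, and the stolen cookie is then presented from the attacker's own address. The following added example (not Sekoia's code or any vendor's detection rule) scores constructed sign-in events on both signals. The event schema, IP addresses and the "hosting range" are all assumptions for the demo; real IdP sign-in and activity logs would need to be mapped onto these fields, and the hosting list would come from ASN data or threat-intel feeds.

```python
"""Heuristic detection of AitM session-cookie theft in sign-in telemetry.

Added example with constructed events; not from Sekoia's report.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a VPS/hosting range where a phishing reverse proxy
# might run. In production, derive this from ASN or threat-intel data.
SUSPECT_HOSTING = [ipaddress.ip_network("203.0.113.0/24")]
# Cookie reuse from a new IP shortly after MFA is the strongest replay signal.
REPLAY_WINDOW = timedelta(minutes=30)

# (timestamp, user, source IP, session id, event)  -- constructed sample events
EVENTS = [
    ("2024-03-25T09:00:00", "alice@example.com", "203.0.113.10",  "s1", "mfa_success"),
    ("2024-03-25T09:01:30", "alice@example.com", "198.51.100.77", "s1", "session_use"),
    ("2024-03-25T10:00:00", "bob@example.com",   "192.0.2.5",     "s2", "mfa_success"),
    ("2024-03-25T10:05:00", "bob@example.com",   "192.0.2.5",     "s2", "session_use"),
    ("2024-03-25T11:00:00", "carol@example.com", "192.0.2.9",     "s3", "mfa_success"),
    ("2024-03-25T18:00:00", "carol@example.com", "192.0.2.44",    "s3", "session_use"),
]


def detect_aitm(events):
    """Return (user, session, severity, reason) alerts.

    Signal 1: MFA completed from a suspect hosting range (the proxy, not the user).
    Signal 2: the session is later used from an IP other than the one that
    completed MFA; 'high' inside REPLAY_WINDOW, 'medium' afterwards, since a
    slow IP change is also what legitimate roaming looks like.
    """
    origin = {}   # session id -> (time of MFA, IP that completed MFA)
    alerts = []
    for ts, user, ip, sid, kind in sorted(events):
        t = datetime.fromisoformat(ts)
        addr = ipaddress.ip_address(ip)
        if kind == "mfa_success":
            origin[sid] = (t, addr)
            if any(addr in net for net in SUSPECT_HOSTING):
                alerts.append((user, sid, "high", f"MFA completed from hosting range {addr}"))
        elif kind == "session_use" and sid in origin:
            t0, addr0 = origin[sid]
            if addr != addr0:
                minutes = int((t - t0).total_seconds() // 60)
                severity = "high" if t - t0 <= REPLAY_WINDOW else "medium"
                alerts.append((user, sid, severity,
                               f"session used from {addr}, MFA done from {addr0} {minutes} min earlier"))
    return alerts


if __name__ == "__main__":
    for user, sid, severity, reason in detect_aitm(EVENTS):
        print(f"[{severity:6s}] {user} {sid}: {reason}")
```

On the sample data alice's session produces two high-severity alerts (proxy-range MFA followed by cookie use from a second address within two minutes), bob produces none, and carol's address change seven hours later is a medium alert that an analyst would triage against travel or VPN context. Tune REPLAY_WINDOW and the hosting list to your environment; neither signal alone is conclusive.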
2024-03-25 16:11:05 bleepingcomputer NATION STATE ACTIVITY U.S. Treasury Sanctions Chinese Hackers for Targeting Critical Infrastructure
The U.S. Treasury Department has sanctioned Chinese individuals and a company linked to APT31 for attacks on U.S. critical infrastructure. Wuhan-based Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), believed to be a front for China's MSS, is targeted by these sanctions. Two Chinese nationals, Zhao Guangzong and Ni Gaobin, have been designated for their involvement in cyber-attacks endangering U.S. national security. The coordinated action includes the Department of Justice, FBI, Department of State, and UK authorities, with the UK also imposing sanctions. The Justice Department has unsealed indictments against seven individuals for their roles in malicious operations. As a result of sanctions, all property and interests in the U.S. linked to the targets are frozen, and U.S. transactions with them are prohibited. Financial institutions and entities dealing with these sanctioned individuals and entities may face sanctions or enforcement actions themselves. This action follows similar sanctions by the European Union against individuals and a company connected to the APT10 group in July 2020.
2024-03-25 16:00:41 bleepingcomputer CYBERCRIME ZenHammer: New Memory Attack Imperils AMD Zen CPUs Security
Researchers at ETH Zurich have demonstrated ZenHammer, a Rowhammer attack that works on AMD Zen CPUs. Rowhammer induces bit flips in DRAM by rapidly and repeatedly accessing rows adjacent to a target row; prior research had concentrated on Intel and Arm systems, and AMD's Zen platforms had been largely unexamined rather than shown to be immune. The team reverse-engineered the undocumented DRAM address mapping used by AMD memory controllers and synchronized their access patterns with DRAM refresh commands, which let them defeat in-DRAM Target Row Refresh (TRR) mitigations. Bit flips were triggered on most of the tested Zen 2 and Zen 3 systems with DDR4, and on one of ten DDR5 devices on Zen 4, showing that DDR5 is harder to attack but not immune. Turning flips into an exploit requires detailed knowledge of the memory subsystem and of the target software, but the researchers report using them to corrupt page-table entries and escalate privileges. There is no software patch that removes Rowhammer, since the weakness is in the DRAM itself; AMD's guidance recommends ECC-capable memory, DRAM refresh rates above the default, and platforms and DIMMs that support Refresh Management (RFM).
2024-03-25 15:34:57 theregister CYBERCRIME Trade Union CWU Targeted by Cyberattack, Investigating IT Disruption
The Communications Workers Union (CWU) in the UK is dealing with a cyberattack that has caused significant IT and email outages. Third-party cybersecurity experts have been engaged for onsite investigation since March 21, following the detection of a serious IT outage. The extent of the cyberattack is still under evaluation, with some CWU systems taken offline as a precautionary measure. CWU has notified the Information Commissioner's Office and warned its members, which number over 185,000, of potential phishing risks. It is currently unclear if any member personal data has been breached, but digital forensic analysis is underway to identify the specifics of the incident. A spokesperson for the ICO confirmed that the CWU reported the incident and assessment is in progress according to the set guidelines. There have been claims that the cyberattack may have also compromised the CWU's data backup systems, potentially hindering recovery efforts.
2024-03-25 15:04:08 theregister CYBERCRIME Researcher Exposes Firefox Zero-Days, Nets $100K at Hackathon
Mozilla patched two critical Firefox vulnerabilities within a day of their demonstration at the Pwn2Own Vancouver hacking competition. Security researcher Manfred Paul chained the two bugs: CVE-2024-29943, an out-of-bounds read/write on JavaScript objects via a range-analysis bypass, and CVE-2024-29944, which allowed privileged JavaScript execution in the browser's parent process through event handlers, giving a sandbox escape. The flaws affected desktop Firefox; users should update to Firefox 124.0.1 (released March 22) or Firefox ESR 115.9.1, and some users may need to step through an intermediate version to receive the update. Pwn2Own Vancouver paid out $1,132,500 in total for 29 new zero-days, with Paul taking the Master of Pwn title and the Synacktiv team placing second.
2024-03-25 14:33:08 theregister CYBERCRIME Security Flaw in Apple M1 and M2 Chips Resists Disabling
Researchers have detailed GoFetch, a side-channel attack on the Data Memory-Dependent Prefetcher (DMP) in Apple M-series CPUs that can extract secret keys even from constant-time cryptographic implementations. A DMP scans memory contents for values that look like pointers and speculatively prefetches them; because that decision depends on the data itself, cache state leaks information about secrets, a microarchitectural leak in the same family as Spectre rather than a timing bug in the code being attacked. On M1 and M2 there is no way for software to turn the DMP off, so the flaw cannot simply be patched away. Apple's M3 exposes a data-independent timing (DIT) bit that disables the DMP for critical code, and Intel's Raptor Lake offers an equivalent control, while its DMP also has stricter activation criteria that resisted the attack in testing. The interim workaround on M1/M2 is to pin cryptographic operations to the efficiency (Icestorm) cores, which lack a DMP, at a performance cost. That workaround is fragile: if future Apple designs add a DMP to the efficiency cores there would be nowhere left to run such code safely, so the researchers urge Apple to fix, remove, or replace the DMP in future processors.
2024-03-25 12:00:18 thehackernews CYBERCRIME Sophisticated Supply Chain Cyberattack Targets GitHub, PyPI
Hackers compromised several GitHub accounts, including the Top.gg organization account, to plant malicious code in a supply chain attack. The threat actors used stolen browser cookies to take over accounts, pushed verified-looking malicious commits, stood up a fake Python package mirror, and published rogue packages on PyPI. Sensitive information, including passwords and credentials, was stolen through trojanized versions of popular Python packages such as colorama, hosted on a typosquatted domain. Part of the campaign had been surfaced earlier by an Egyptian developer; the obfuscated malware establishes persistence and steals data from browsers, personal accounts and cryptocurrency wallets. An active GitHub repository still referenced the malicious colorama version at the time of reporting, and the compromised accounts had write permissions to the Top.gg repositories. The malware runs a multi-stage infection, modifies Windows Registry entries for persistence, and exfiltrates data via file-sharing services or HTTP requests. The incident underlines the need to vet packages even from trusted sources such as GitHub and PyPI, and to treat pinned download URLs and unusual index mirrors as review items rather than routine.
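The three Top.gg summaries above describe two tactics a code reviewer can check for mechanically: a dependency whose download URL points at a lookalike of PyPI's file host (files.pypihosted[.]org imitating files.pythonhosted.org), and a statement pushed far off-screen with whitespace so it is invisible without horizontal scrolling. The following added example (not Checkmarx's, Top.gg's or the articles' code) implements both checks; the requirements text, the source snippet, the allowlist of approved hosts and the "brand token" heuristic are constructed assumptions for the demo.

```python
"""Audit pip requirements and Python source for two supply-chain red flags.

Added example with constructed inputs; not from Checkmarx or Top.gg.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: only the official index and its file host are approved.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Fragments an impersonating host is likely to reuse (heuristic, assumption).
BRAND_TOKENS = ("pypi", "python")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def audit_requirements(text: str) -> list[str]:
    """Flag every URL in a requirements file whose host is not approved.

    Covers PEP 508 direct references ('pkg @ https://...'), bare URL lines and
    --index-url / --extra-index-url options. Text after '#' is dropped as a
    comment; that also strips '#sha256=...' fragments, which is harmless here
    because only the host is inspected.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in ALLOWED_HOSTS:
                continue
            if any(tok in host for tok in BRAND_TOKENS):
                findings.append(f"line {lineno}: host {host!r} imitates PyPI branding "
                                f"but is not an approved host (possible typosquat)")
            else:
                findings.append(f"line {lineno}: host {host!r} is not an approved package host")
    return findings


def find_offscreen_code(src: str, min_gap: int = 40, screen_width: int = 120) -> list[str]:
    """Flag lines where a statement resumes after a long run of spaces that
    pushes it past a typical editor width, hiding it without scrolling."""
    gap_re = re.compile(r"\S {%d,}(?=\S)" % min_gap)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = gap_re.search(line)
        if m and m.end() >= screen_width:
            spaces = m.end() - m.start() - 1
            findings.append(f"line {lineno}: code resumes at column {m.end()} after {spaces} spaces")
    return findings


# Constructed requirements file: one typosquat, one unapproved mirror, one approved host.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/ab/cd/colorama-0.4.6.tar.gz
--extra-index-url https://mirror.example.internal/simple
numpy @ https://files.pythonhosted.org/packages/ef/01/numpy-1.26.4.tar.gz  # approved host
"""

# Constructed source snippet: an inert import stands in for the hidden statement,
# placed 300 spaces to the right of the visible code as in the campaign.
SAMPLE_SOURCE = (
    "from .ansi import Fore, Back, Style\n"
    "from .initialise import init, deinit\n"
    "__version__ = '0.4.6'" + " " * 300 + "import stage_two_loader  # inert stand-in\n"
)


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + find_offscreen_code(SAMPLE_SOURCE):
        print(finding)
```

Both checks are cheap enough to run in CI on every pull request. The host allowlist is the important control: a private mirror is fine if it is the one you operate, so add it to ALLOWED_HOSTS deliberately rather than loosening the check.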