Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12716
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-24 12:55:41 | thehackernews | MALWARE | Fake Antivirus Sites Distribute Malware to Android and Windows | Threat actors are using counterfeit antivirus sites mimicking Avast, Bitdefender, and Malwarebytes to distribute malware targeting Android and Windows devices.
The malware served from these sites is built to steal sensitive data: it pilfers browser-stored information and exfiltrates it to a remote server.
One rogue binary, "AMCoreDat.exe", was identified as a conduit that drops stealer malware to harvest user data.
The deceptive sites are likely promoted through malvertising and SEO poisoning.
The cybersecurity landscape has seen an influx of new stealer variants such as Acrid, SamsStealer, and Waltuhium Grabber, illustrating sustained demand for such tools.
Recent reports also describe a new Android banking trojan named Antidot, disguised as a Google Play update, that abuses Android's accessibility APIs to commit theft and perform further malicious actions.
Antidot's capabilities range from keylogging to overlay attacks, illustrating how capable newly emerging malware has become. | Details |
| 2024-05-24 11:54:22 | thehackernews | MISCELLANEOUS | Free Webinar on Cybersecurity Threats to Small Businesses | Cyber threats are increasingly targeting smaller businesses.
Cybercriminals are using increasingly sophisticated methods against SMEs.
Jamie Levy will lead a free webinar addressing these issues.
The webinar, titled "Navigating the SMB Threat Landscape: Key Insights from Huntress' Threat Report", aims to educate SMEs.
Attendees will learn about the latest threats and defensive strategies tailored to small and medium-sized businesses, with the goal of staying a step ahead of attackers.
Registration is currently open for the online session. | Details |
| 2024-05-24 10:37:52 | thehackernews | MISCELLANEOUS | Enhancing CISO Influence in DevOps for Robust Cybersecurity | Major incidents such as the Colonial Pipeline and SolarWinds attacks highlight the growing challenge for CISOs of maintaining effective security in rapidly evolving DevOps environments.
Misconfigurations in cloud services, such as publicly exposed AWS S3 buckets, underscore the need for closer collaboration between CISOs and DevOps teams on cloud security configuration.
Security practices often lag behind the rapid deployment cycles of DevOps, forcing CISOs to enforce security without hindering innovation.
The evolving role of CISOs includes more direct communication and cooperation with CTOs and other IT leaders to emphasize security from the outset of project development.
CISOs are encouraged to utilize modern security approaches like Managed Detection and Response (MDR) services to transition from a reactive to a proactive security posture.
Legal and regulatory challenges are increasing, with implications for CISOs around disclosure and management of cybersecurity risks and breaches.
It's vital for CISOs to integrate security as a core component of the DevOps process, ensuring it is proactive, embedded, and aligned with organizational objectives and innovations. | Details |
| 2024-05-24 10:12:18 | thehackernews | MALWARE | Google Patches Fourth Chrome Zero-Day Exploit in May | Google has issued a patch for a high-severity type confusion vulnerability in Chrome's V8 engine, identified as CVE-2024-5274.
The flaw, reported on May 20, 2024, has been exploited in the wild, making it a zero-day.
It is the fourth Chrome zero-day Google has addressed this month, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
Type confusion errors can lead to out-of-bounds memory access, system crashes, and arbitrary code execution, posing significant security risks.
Google has resolved eight zero-days in Chrome since the beginning of the year, emphasizing ongoing threats and the need for vigilant updates.
To mitigate the risk, users are urged to update their Chrome browsers to the latest versions: 125.0.6422.112/.113 for Windows and macOS, and 125.0.6422.112 for Linux.
Users of other Chromium-based browsers are also advised to ensure they apply any available updates to protect against this vulnerability. | Details |
| 2024-05-24 09:51:42 | thehackernews | MALWARE | Courtroom Software Compromised by RustDoor Malware Attack | Cyber actors infiltrated the installer for JAVS Viewer v8.3.7, part of JAVS Suite 8, to deliver RustDoor malware.
The compromised installer was downloaded from the official JAVS website on March 5, 2024, and bore an Authenticode signature from a signer other than JAVS.
RustDoor connects to a command-and-control (C2) server, sends host information, and waits for further instructions.
The infected installer runs obfuscated PowerShell scripts and attempts to download an additional payload disguised as a Google Chrome installer.
Investigators found that the malware's "main.exe" component contained bugs that prevented it from working as intended.
RustDoor is a Rust-based backdoor previously observed targeting multiple platforms via illegitimate updates or utilities.
The breach highlights potential ties between RustDoor, GateDoor, and a ransomware-as-a-service group named ShadowSyndicate.
JAVS has withdrawn the affected version from its website, reset passwords, and conducted a system audit, asserting that no JAVS source code or systems were compromised. | Details |
| 2024-05-24 09:31:03 | bleepingcomputer | MALWARE | Google Patches Eighth Actively Exploited Chrome Zero-Day of 2024 | Google has issued an emergency Chrome update for CVE-2024-5274, the eighth zero-day vulnerability exploited in attacks this year.
CVE-2024-5274 is a high-severity type confusion flaw in Chrome's V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.
The vulnerability was reported by Clément Lecigne of Google's Threat Analysis Group; Google has not released technical details, to limit further exploitation.
Google is limiting access to detailed bug information until most users have installed the update, especially noting that this bug could be in third-party libraries used by other projects.
Updates are available on Chrome Stable version 125.0.6422.112/.113 for Windows and Mac, with Linux updates to follow shortly.
Chrome users should ensure their browser automatically updates to the latest version and may need to relaunch the browser to apply the update.
This is the fourth Chrome zero-day Google has patched this month, underscoring the importance of applying updates promptly. | Details |
| 2024-05-24 09:20:42 | thehackernews | NATION STATE ACTIVITY | BLOODALCHEMY Malware Targets ASEAN Government Agencies | Researchers in Japan have determined that BLOODALCHEMY, a malware family used against government bodies in Southeast Asia, is an updated version of Deed RAT, which is itself believed to be a successor to ShadowPad.
First documented by Elastic Security Labs, BLOODALCHEMY has been used in attacks against ASEAN member countries by a group tracked as REF5961.
Its feature set is minimal but effective, built for stealth and specific tasks, suggesting it is part of a larger toolkit or still under development.
BLOODALCHEMY operates by sideloading a DLL through a legitimate process for execution, evading standard detection methods and establishing backdoor access.
Analysis reveals techniques and code structure similarities between BLOODALCHEMY and previous malware iterations used by China-linked groups.
Attacks involve compromising VPN devices to gain initial access, illustrating the advanced methods and targeted nature of these intrusions.
The ongoing campaigns highlight a strategic interest by Chinese-nexus cyber espionage groups, now also expanding their focus to include regions like Africa and the Caribbean. | Details |
| 2024-05-24 01:02:34 | theregister | CYBERCRIME | Active Attacks on Three-Year-Old Apache Flink Vulnerability | CVE-2020-17519, an improper access control bug in Apache Flink disclosed in 2020, is now being actively exploited.
The U.S. government's Known Exploited Vulnerabilities Catalog now includes this bug, requiring federal agencies to patch or decommission affected software by June 13.
Apache Flink is an open-source framework used for processing large data streams, managed by the Apache Software Foundation.
Although fixes shipped in Flink 1.11.3 and 1.12.0 in late 2020, many deployments remain unpatched and exposed to data theft.
The flaw lets an unauthenticated remote attacker read any file the Flink JobManager process can access on its local filesystem, by supplying a traversal path to the JobManager's REST interface.
CISA has not said who is exploiting the vulnerability or to what end.
There's a critical emphasis on the necessity of software patching and updates to protect data and IT infrastructure from known vulnerabilities.
Security experts encourage not only government entities but also private organizations to verify their systems' security status concerning this flaw. | Details |
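Because the file read described above is reachable only through the JobManager's REST interface, web-server or reverse-proxy access logs are the natural place to hunt for exploitation attempts. The Python script below is an added example, not Flink's code or anything from the article: it scans constructed access-log lines (sample data, not real traffic) for requests to the JobManager logs endpoint whose fully percent-decoded, normalised path escapes the logs directory. The `/jobmanager/logs/` endpoint and the double-URL-encoded `..%252f` traversal form are assumptions about what exploit traffic looks like; the check itself generalises to any path-traversal bug reachable over HTTP, which is why it decodes repeatedly rather than once.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 2 is a
# double-URL-encoded traversal (%252f -> %2f -> /), line 3 a single-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2024:10:01:02 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120
198.51.100.7 - - [23/May/2024:10:01:09 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1834
198.51.100.7 - - [23/May/2024:10:01:11 +0000] "GET /jobmanager/logs/..%2f..%2fconf%2fflink-conf.yaml HTTP/1.1" 404 0
10.0.0.9 - - [23/May/2024:10:02:00 +0000] "GET /overview HTTP/1.1" 200 612
"""

# Common log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoint assumed to serve JobManager log files (assumption for this example).
LOGS_PREFIX = "/jobmanager/logs/"


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing.

    A single decode turns %252f into %2f, which still looks harmless to a
    naive check; only a second pass yields the '/' that makes '../' work.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve(path):
    """Strip the query string, decode fully and normalise '.', '..' and '//'."""
    path = path.split("?", 1)[0]
    return posixpath.normpath(fully_decode(path))


def escapes_prefix(raw_path, prefix=LOGS_PREFIX):
    """True if the request targets the logs endpoint but resolves outside it."""
    if not raw_path.startswith(prefix):
        return False
    base = prefix.rstrip("/")
    resolved = resolve(raw_path)
    return not (resolved == base or resolved.startswith(base + "/"))


def scan_access_log(text):
    """Return one finding per request that escapes the logs directory.

    A 200 response to a traversal request means the server actually
    returned the file, so each finding carries the status for triage.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than abort the scan
        path = m.group("path")
        if escapes_prefix(path):
            findings.append({
                "src": m.group("src"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "raw_path": path,
                "resolved_path": resolve(path),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "FILE RETURNED" if f["status"] == 200 else "attempt"
        print(f'{f["timestamp"]} {f["src"]} {verdict}: {f["raw_path"]} -> {f["resolved_path"]}')
```

Run it against the rawest log you have: a reverse proxy or WAF that decodes the path once before logging will hide the double-encoding layer, and a 200 status on a flagged request is the signal to treat the host as compromised and rotate anything the JobManager could read. Detection is a stopgap; the fix is upgrading to a patched Flink release.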
| 2024-05-23 21:23:14 | theregister | RANSOMWARE | ShrinkLocker Ransomware Targets Steel and Vaccine Firms | ShrinkLocker ransomware abuses Windows' built-in BitLocker full-disk encryption to lock victims' drives, then extorts payment.
Victims include a steel and vaccine manufacturer and a government entity, located in Mexico, Indonesia, and Jordan.
Relying on legitimate Windows components rather than custom encryption code lets the malware do maximum damage while complicating incident response.
Victims' systems are probed for OS specifics using VBScript, followed by partition manipulation and system encryption.
Encrypted systems boot to a BitLocker screen offering no recovery options; the recovery key is sent to the attackers and then deleted locally.
Kaspersky describes how to detect ShrinkLocker and urges businesses to use managed detection and response services.
Recommended defenses include restrictive access permissions, frequent backups, and logging of critical system activity. | Details |
| 2024-05-23 21:17:58 | bleepingcomputer | MALWARE | Malware Compromises JAVS Courtroom Software in Supply Chain Attack | Attackers infected the installer of widely used JAVS courtroom recording software with malware, impacting systems globally.
The trojanized installer contained a malicious "fffmpeg.exe" binary signed with an Authenticode certificate belonging to neither JAVS nor any of its partners.
JAVS removed the trojanized version from its website and verified that the files currently available are free of malware.
Rapid7, which tracks the issue as CVE-2024-4978, observed the malware sending system information to a command-and-control (C2) server and deploying additional payloads.
Affected customers are advised to reimage compromised systems, reset all credentials, and install a clean version of JAVS Viewer (8.3.9 or higher).
The incident is reminiscent of previous supply chain attacks, including the notorious SolarWinds breach attributed to the Russian APT29 group.
JAVS has conducted a full system audit and ongoing monitoring in collaboration with cybersecurity authorities to mitigate further risks. | Details |
| 2024-05-23 20:16:43 | theregister | CYBERCRIME | FBI Targets Scattered Spider Group After Casino Cyberattacks | Scattered Spider, a cybercrime group suspected to involve young adults from the US and UK, has intensified its criminal activities by engaging in ransomware and high-profile cyber heists targeting Las Vegas casinos.
The group's aggressive tactics, especially against MGM Resorts, managed to almost shut down operations for a week, significantly raising its profile among law enforcement agencies.
Charles Carmakal of Mandiant Consulting highlighted that these casino attacks garnered the necessary attention for a more rigorous investigation by authorities.
The evolution of Scattered Spider from SIM swapping and social engineering to severe ransomware attacks shows a distinct shift in their methods and level of threat.
The FBI is reportedly closing in on the group, with ongoing investigations and some arrests already made, although exact timelines for court appearances are not specified.
Experts predict that the actions of Scattered Spider will likely have a lasting impact on the landscape of cybercrime due to their high-profile target selection and evolving tactics. | Details |
| 2024-05-23 19:30:34 | bleepingcomputer | CYBERCRIME | Microsoft Uncovers Gift Card Fraud Spike by Cyber Group Storm-0539 | Microsoft's "Cyber Signals" report highlights increased activity by hacking group Storm-0539, especially around major holidays, with notable spikes in gift card theft and fraud.
The FBI categorizes Storm-0539’s sophisticated methods as akin to state-sponsored cyberespionage, focusing on organizations issuing gift cards.
Storm-0539 uses sophisticated phishing kits that capture multi-factor authentication tokens, then moves laterally within victim networks to issue fraudulent gift cards.
Microsoft observed a 60% rise in Storm-0539 activity during the past winter holiday season and a 30% increase between March and May 2024.
The group abuses free trials of cloud services to run its operations at scale and creates fake non-profit websites to facilitate its schemes.
Microsoft recommends heightened security measures for gift card portals, including monitoring for anomalies and implementing conditional access.
The report assures that these cyberattacks target corporate systems rather than end users, urging vigilance against potential scams around holidays like Memorial Day. | Details |
| 2024-05-23 19:04:31 | theregister | MISCELLANEOUS | Google Security Expert Critiques Phishing Tests, Proposes Reforms | Google's security lead, Matt Linton, criticizes standard phishing tests for being ineffective and fostering resentment towards IT departments.
Linton suggests overhauling phishing exercises to align with modern fire drill practices, which are better planned and announced in advance.
The approach to cybersecurity should focus on infrastructure improvements rather than individual responsibility, similar to advancements made in fire safety like wider doors and fire sprinklers.
Despite the existence of anti-phishing measures in products and email clients, phishing attacks have risen by 58 percent in the past year, fueled by AI advancements by cybercriminals.
Linton argues for a shift towards 'secure-by-default' systems and engineering defenses such as unphishable credentials to reduce reliance on user detection of phishing.
Current phishing tests often reduce or eliminate controls, misleading participants about real-world risks and potentially leaving security gaps post-test.
The UK's National Cyber Security Centre (NCSC) supports the idea that phishing tests can erode trust and skew results based on personality traits and circumstances.
Linton proposes that phishing drills should be transparent and educational, focusing on creating a culture that supports reporting and responding to phishing incidents effectively. | Details |
| 2024-05-23 17:47:53 | bleepingcomputer | CYBERCRIME | GitLab Patches High-Severity Vulnerability and Urges Updates | GitLab addressed a high-severity XSS vulnerability in its VS code editor (Web IDE), which could allow attackers to take over accounts.
The flaw, tracked as CVE-2024-4835, lets an unauthenticated attacker steal restricted information through maliciously crafted pages, although exploitation requires user interaction.
Multiple software updates have been released by GitLab to mitigate this and other vulnerabilities, with an urgent call for installations to upgrade.
The company also resolved additional security issues including a CSRF vulnerability and a DoS bug affecting GitLab web resources.
An older, actively exploited zero-click vulnerability (CVE-2023-7028) allowed unauthenticated account takeover by sending password-reset emails to attacker-controlled addresses, and prompted a directive requiring U.S. federal agencies to patch.
Fewer than half of the GitLab instances found vulnerable to that older flaw remain exposed online following mitigation efforts.
GitLab accounts are particularly critical due to their role in hosting sensitive data like API keys and proprietary code, which can affect entire supply chains if compromised. | Details |
| 2024-05-23 17:27:13 | bleepingcomputer | MISCELLANEOUS | iOS Bug Restores Old Photos, Not Linked to iCloud Storage | Security researchers at Synacktiv reverse-engineered Apple's iOS 17.5.1 update to find the cause of a bug that made old photos reappear on devices.
The analysis showed that the photos were not retrieved from iCloud; they were leftover files on the local filesystem that a flawed migration routine reindexed into the Photos library.
The issue, first noticed in iOS 17.5 public beta, resulted in user complaints of photos deleted years ago suddenly reappearing.
Despite user reports and speculations, Apple did not communicate the cause, leaving room for concerns about data privacy.
The issue has been fixed in the iOS 17.5.1 update, which removed the problematic routine.
The persistence of deleted files in device memory underscores the importance of understanding data handling and deletion processes in digital devices. | Details |