Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-19 14:34:44 | bleepingcomputer | MALWARE | AcidPour Data Wiper Targets Linux IoT and Network Devices | A new data wiper malware, AcidPour, has been discovered targeting Linux x86 IoT and networking devices. AcidPour is a variant of the AcidRain malware and shares about 30% code overlap. SentinelLabs' researcher Tom Hegel identified AcidPour, which was uploaded from Ukraine on March 16, 2024. The wiper malware targets specific directories and device paths of embedded Linux systems and has improved its targeting to include devices with flash memory and virtual block devices used in LVM. There is evidence that the malware has functionalities or adaptation techniques similar to the VPNFilter malware's 'dstr' plugin. AcidPour's targets and distribution volume are unknown; SentinelLabs shared the malware's hash for collaborative analysis within the security research community. NSA's Director of Cybersecurity, Rob Joyce, expressed heightened concern due to AcidPour's potential for wider hardware and system impact compared to AcidRain. | Details |
| 2024-03-19 14:04:01 | bleepingcomputer | CYBERCRIME | Bolster Active Directory To Curb Cyber Insurance Costs | Due to the rise in cybercrime, US cyber insurance premiums surged by an average of 11% in the first quarter of 2023. Costs for cyber insurance have become increasingly prohibitive, with some companies seeing increases of 50-100%, thus affecting ease of obtaining coverage. Enhanced security for Active Directory is essential for organizations seeking to manage or lower cyber insurance expenses. Increases in remote work, the volume of cyberattacks, and the number of claims and ransomware payouts contribute to rising cyber insurance rates. Active Directory is a prime target for cyber attackers due to its central role in IT networks, emphasizing the need for strong security measures. Cyber insurers closely evaluate Active Directory security measures, such as regular audits, strict access controls, and patch management, to determine coverage eligibility. To mitigate cyber risks and maintain insurability, companies must adopt comprehensive security strategies, including password policy enforcement and privileged account protection. | Details |
| 2024-03-19 13:58:40 | thehackernews | MALWARE | AI Tools Exploited for Evolving Cyber Attacks and Malware Evasion | AI's large language models (LLMs) are now being used by cyber attackers to modify malware, evading detection tools like YARA rules. Threat actors are experimenting with generative AI to create malicious code snippets, phishing emails, and gather intelligence on potential targets. Recorded Future tested modifying the STEELHOOK malware, associated with APT28, using an LLM while retaining functionality and code integrity. The altered malware successfully bypassed simple string-based detection systems, although there are challenges with processing larger code bases. AI tools could also potentially be used for creating deepfakes of executives and fake websites, or for reconnaissance on critical infrastructure and sensitive information. Multimodal models are capable of extracting additional metadata from public images, increasing the threat to geolocation and infrastructure security. Publicly available images and videos depicting sensitive equipment should be carefully managed to reduce risks. Emerging vulnerabilities include the ability to "jailbreak" LLM tools to produce harmful content, suggesting a heightened need for improved AI security measures. | Details |
| 2024-03-19 12:32:04 | theregister | MISCELLANEOUS | Atos Suffers Setback as Airbus Withdraws Interest in Acquisition | Atos' stock plummeted up to 20% after Airbus declined to purchase its big data and security business. The cancellation of talks with Airbus led Atos to postpone its 2023 earnings release to reassess strategic options. Atos is considering alternatives in light of French state sovereign interests, following Airbus's withdrawal. Previously, Airbus considered investing at the group level, but activist investors dissuaded the aerospace company. Atos had planned a business split in 2022, but sale discussions for its Tech Foundation with EPEI have also collapsed. The company's value has dramatically dropped from a five-year market cap high of €9.84 billion to just €191.59 million. Atos faces immediate challenges, including upcoming debt repayments and the need for a strategic resolution. | Details |
| 2024-03-19 10:39:59 | thehackernews | MISCELLANEOUS | Engaging Board Members in Strategic Cybersecurity Governance | As digital transformation prevails, cybersecurity is now integral to corporate strategy and managing business risks. Chief Information Security Officers (CISOs) must shift their approach to demonstrate the strategic value of cybersecurity to board members. There is a noteworthy lack of specialized cybersecurity expertise in boardrooms, posing a challenge to effective governance and risk management. Recent regulatory changes increase the need for detailed cyber risk disclosures and faster incident reporting, holding executives and board members accountable. CISOs must communicate the importance of cybersecurity as it relates to financial performance, regulatory compliance, and overall risk management. Key board concerns include the financial impact of cyber incidents, regulatory compliance, intellectual property protection, resilience against APTs, cloud security, and AI adoption in cybersecurity. CISOs should align cybersecurity discussions with business objectives and demonstrate how investments in cybersecurity serve as assets to the company's value proposition. Effectively conveying the cybersecurity strategy can lead to informed decisions and better alignment of cybersecurity programs with business goals. | Details |
| 2024-03-19 10:34:41 | thehackernews | CYBERCRIME | Phishing Tactics Evolve Using Document Publishing Sites | Hackers are increasingly using digital document publishing platforms such as FlipSnack, Issuu, and Publuu to conduct phishing attacks. Cisco Talos researchers highlight that these reputable sites are not commonly blocked by web filters, which aids the attackers. Phishing documents hosted on these platforms often escape detection due to credibility and temporary content hosting, which also evades email security measures. Attackers utilize the free tiers of these services to distribute malicious content while exploiting productivity features to hide phishing links. The phishing technique involves embedding links in legitimate-looking documents, directing victims to fraudulent sites impersonating Microsoft 365 login pages to steal credentials. Cisco Talos underscores the challenge for defense since these DDP sites are not well-known risks and can bypass conventional phishing protections. Organizations are encouraged to stay vigilant and consider additional measures to protect against this evolving threat landscape. | Details |
| 2024-03-19 10:04:04 | thehackernews | MALWARE | AcidPour Malware Targets Linux Devices, Linked to Russian Activity | A new data wiping malware variant named AcidPour, targeting Linux x86 devices, has been identified by SentinelOne. AcidPour is a progression from the previously discovered AcidRain malware, known to have been used against Viasat's KA-SAT modems during the Russo-Ukrainian conflict. This variant is distinctive for being an ELF binary compiled for x86 architecture, with significant codebase differences from its predecessor. Five Eyes nations, along with Ukraine and the EU, attributed the earlier AcidRain attacks to Russia. AcidPour aims to delete data from RAID arrays and UBI file systems by targeting specific file paths, indicating a shift in the threat vectors used by attackers. The specific targets and the extent of the AcidPour malware's deployment are not yet clear; however, Ukrainian agencies have been alerted. The emergence of AcidPour emphasizes the ongoing trend of using wiper malware to severely disrupt targets and escalate the severity of cyberattacks. | Details |
| 2024-03-19 05:34:38 | thehackernews | CYBERCRIME | Operation PhantomBlu: Sophisticated Phishing Attack Deploys RAT via Microsoft Office | A new phishing campaign, named Operation PhantomBlu, deploys NetSupport RAT to gather data from U.S. organizations. Attackers are using Microsoft Office's Object Linking and Embedding (OLE) to execute malicious code without triggering security alerts. The phishing emails mimic communications from accounting departments and entice victims to open a Word document under the guise of a "monthly salary report." An innovative tactic requires recipients to unlock the document with a password and interact with an embedded icon, which triggers malware deployment. The malware delivery utilizes a legitimate email marketing platform and encrypted documents, showcasing a strategy that marries technical evasion with social engineering. Increasing misuse of public cloud services and content delivery networks (CDNs) by threat actors to create undetectable phishing URLs has been observed. Such URLs are reportedly being sold on Telegram as part of a phishing-as-a-service model, with additional tools available to distribute these links widely. Techniques including domain nesting are being used to hide malicious URLs behind reputable infrastructure, making them harder to detect and more likely to fool targets. | Details |
| 2024-03-19 04:48:52 | thehackernews | CYBERCRIME | Moldovan Cybercriminal Sentenced for Selling Stolen Access Credentials | A 31-year-old man from Moldova has been sentenced to 42 months in U.S. prison for cybercrime activities. Sandu Boris Diaconu operated E-Root Marketplace, which sold over 350,000 stolen credentials. Diaconu pleaded guilty to charges of conspiracy to commit access device and computer fraud. The marketplace allowed buyers to search for compromised credentials, favoring anonymity and untraceability via Perfect Money. E-Root contributed to ransomware attacks and tax fraud, leveraging stolen SSH and RDP credentials. Diaconu was arrested in the U.K. in May 2021 while attempting to flee and was extradited to the U.S. in October 2023. The U.S. Department of Justice also reported the recovery of $2.3 million in cryptocurrency from a separate romance-scam operation. Web3 anti-fraud company Scam Sniffer highlighted a significant number of victims and financial losses to crypto phishing scams in February 2024. | Details |
| 2024-03-18 21:31:58 | theregister | DATA BREACH | Data Leak Exposes 125 Million User Records Via Firebase Databases | Over 900 websites using Google's Firebase have inadvertently exposed sensitive data due to misconfiguration. The data breach includes 125 million user records with personal information, passwords, and billing details. Security researchers identified the leak and notified 842 affected websites, but only 24 percent rectified the issue. Misconfigured Firebase databases allowed for public access to 85 million names, 106 million email addresses, and 34 million phone numbers. Less than 1 percent of site owners responded to notifications, highlighting a lack of engagement in rectifying the leaks. The issue of misconfigured databases is widespread, with OWASP listing security misconfiguration as a common vulnerability. The researchers encourage users of Firebase and other cloud services to ensure secure configurations to protect sensitive data. | Details |
| 2024-03-18 20:51:08 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APT Group "Earth Krahang" Breaches 70 Global Entities | A Chinese APT group, Earth Krahang, has compromised 70 and targeted 116 organizations in 45 countries, with a focus on government entities. The campaign, active since early 2022, employs spear-phishing and exploits vulnerabilities such as CVE-2023-32315 and CVE-2022-21587. The hackers use webshells, build VPN servers, brute-force email passwords, and deploy custom backdoors for espionage. Trend Micro identified malicious tools including Cobalt Strike, RESHELL, and XDealer. Earth Krahang has connections to the China-backed company I-Soon, and their tools have been linked with other Chinese APT groups. The report details the threat actors' methods, including the use of compromised government email accounts for further spear-phishing attacks on other officials. | Details |
| 2024-03-18 20:35:43 | theregister | MALWARE | Fujitsu Discloses Malware Breach Exposing Customer Data | Fujitsu confirmed that malware compromised its internal systems, potentially leading to a customer data breach. The tech giant discovered that personal and customer information files may have been illicitly accessed and exfiltrated. Details about the type of malware, the exact timing of the intrusion, and the scope of the data accessed remain unspecified. No misuse of customer information has been reported following the incident, per Fujitsu. The company has implemented additional security measures and monitoring tools and has disconnected the affected systems. Fujitsu is notifying impacted individuals and has reported the incident to Japan's Personal Information Protection Commission. The breach adds to Fujitsu's history of security incidents, including the Horizon scandal and a 2022 cloud service vulnerability. In related news, over 70 million AT&T customer records were allegedly leaked on a cybercrime forum, originally stolen in 2021. | Details |
| 2024-03-18 19:54:16 | bleepingcomputer | CYBERCRIME | Microsoft Sets 2048-Bit RSA Key as New Security Baseline for Windows | Microsoft is deprecating RSA keys under 2048 bits in Windows TLS to enhance security. RSA cryptography relies on key length for strength, with 2048-bit keys being substantially more secure than 1024-bit keys. The deprecation targets TLS server authentication certificates, aligning with internet standards that have discouraged 1024-bit keys since 2013. Organizations using older software or devices with 1024-bit RSA keys will need to update to maintain authentication with Windows servers. Microsoft has yet to announce a specific start date for the deprecation but plans to provide a transition period for affected Windows administrators. TLS certificates issued by enterprise and test certification authorities are exempt from the change to avoid widespread issues. Microsoft advises organizations to adopt RSA keys of 2048 bits or longer promptly in line with best security practices. | Details |
| 2024-03-18 19:03:17 | theregister | CYBERCRIME | Over 133,000 Fortinet Devices Still at Risk From Critical Vulnerability | Over 133,000 Fortinet appliances remain unpatched and vulnerable to CVE-2024-21762, a critical remote code execution bug. Asia has the highest number of unpatched Fortinet devices, followed by North America and Europe. The US Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2024-21762 in its Known Exploited Vulnerabilities catalog due to active exploitation. Proof-of-concept exploits for the Fortinet vulnerability are becoming increasingly available online, raising risks for unpatched systems. Fortinet also disclosed another critical RCE flaw, CVE-2023-48788, in March, which could soon be exploited according to experts. CVE-2023-48788 affects FortiClient Endpoint Management Server (EMS) and has a severity score of 9.3. Past Fortinet vulnerabilities have been commonly exploited by nation-state actors and ransomware groups. CISA warns of the state-sponsored offensive cyber group Volt Typhoon potentially leveraging such vulnerabilities. | Details |
| 2024-03-18 17:56:58 | thehackernews | MALWARE | New DEEP#GOSU Malware Campaign Leverages Cloud Services for Attacks | New DEEP#GOSU malware uses advanced techniques to target Windows systems and evade detection by utilizing PowerShell, VBScript, and legitimate cloud services for command-and-control. Cybersecurity researchers link the campaign to the North Korea-sponsored group Kimsuky, utilizing multi-stage threats for stealth operations and long-term surveillance and control. The infection starts with a malicious email attachment with a deceptive shortcut file prompting the execution of embedded malicious scripts. The malware employs Dropbox to distribute payloads and Google Docs for dynamically retrieving configuration data, highlighting a trend towards using cloud services in cyberattacks. Capabilities of the DEEP#GOSU malware include keylogging, clipboard monitoring, file management, remote access via RAT software, and data exfiltration through secure channels. This campaign's discovery follows revelations of other North Korean-linked cyber groups using sophisticated methods for espionage and financial gains, including crypto asset theft. Security experts emphasize the need for vigilance given the increased sophistication and apparent state sponsorship behind contemporary cyber threats. | Details |