Daily Brief
Generated summaries of recently collected security news articles.
Total articles found: 11801
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-16 14:20:17 | bleepingcomputer | CYBERCRIME | Hackers Scan for Vulnerable Networks Using aiohttp Library Flaw | The ShadowSyndicate ransomware actor is scanning for servers susceptible to CVE-2024-23334, a serious path traversal vulnerability in the aiohttp Python library. The flaw lets unauthenticated attackers read files outside the intended directory because of faulty path validation in static routes configured with follow_symlinks enabled. aiohttp 3.9.2, released on January 28, 2024, fixed the issue; exploitation attempts escalated after a proof-of-concept exploit was published on February 27. Threat analysts observed scanning from IP addresses linked to ShadowSyndicate, a financially motivated group active since July 2022. It is not yet known whether the scanning has led to any successful breaches. Roughly 44,170 aiohttp instances are exposed on the internet, with the largest share hosted in the U.S. Outdated open-source libraries that are hard to patch remain attractive targets long after fixes are available. |
| 2024-03-16 12:33:30 | thehackernews | MALWARE | GitHub Repositories Used to Spread RisePro Information Stealer | Researchers at G DATA discovered GitHub repositories being used to distribute the RisePro information stealer. The campaign, dubbed "gitgub", involved 17 repositories across 11 accounts offering cracked software as bait; Microsoft-owned GitHub removed the repositories after they were reported. The attackers used deceptive touches such as bogus build-status badges to make the repositories look legitimate. Victims who downloaded from them received RAR archives containing a loader designed to evade analysis and deliver RisePro. RisePro, which emerged in late 2022, is a C++ stealer that exfiltrates stolen data to the attackers over Telegram. Information-stealing malware of this kind is increasingly the first stage of ransomware intrusions and large data breaches. |
| 2024-03-15 19:52:56 | bleepingcomputer | CYBERCRIME | International Monetary Fund Suffers Email Account Cyber Breach | The International Monetary Fund (IMF) disclosed a security incident in which 11 email accounts were accessed without authorization. The IMF detected the attack in February and is still investigating its full extent and impact. So far it has found no evidence that systems beyond the affected email accounts were compromised. The accounts were secured immediately, and independent cybersecurity experts are assisting with the response. The IMF uses Microsoft's Office 365 platform, the environment in which recent breaches of Microsoft itself and Hewlett Packard Enterprise occurred. The incident resembles campaigns by groups such as Midnight Blizzard and Storm-0558, which have targeted U.S. government and corporate entities. The IMF has not released further details, and its spokesperson was unavailable for comment. |
| 2024-03-15 19:01:57 | theregister | CYBERCRIME | Rising Trend: Cybercriminals Increasingly Target IT Helpdesk Workers | IT helpdesk staff are facing a growing number of attacks in which adversaries impersonate employees to obtain access to organizational accounts. The methods are not sophisticated: criminals phone the helpdesk and ask for changes to identity and access management controls, such as password or MFA resets. Once an attacker registers their own device against a compromised account, they control the authentication chain and can reach sensitive data or pivot further. Red Canary has observed adversaries abusing helpdesk accounts to reset passwords and MFA registrations for high-value accounts, exposing organizations to significant risk. Attackers also reverse the roles, impersonating helpdesk staff to phish employees and hijack their accounts under a veneer of legitimacy. Red Canary recommends stronger verification for helpdesk interactions, such as confirming identity through information only the real employee would know or a pre-shared secret, and tightening MFA policies. The report stresses the balance between user-friendly access and secure connectivity, noting that almost every MFA factor has weaknesses an attacker can exploit. |
| 2024-03-15 18:05:39 | bleepingcomputer | CYBERCRIME | US Recovers $2.3 Million from "Pig Butchering" Crypto Scammers | The U.S. Department of Justice is moving to recover $2.3 million in cryptocurrency linked to a "pig butchering" fraud that affected at least 37 victims. Pig butchering scams use social engineering to lure victims into investing on fake cryptocurrency platforms that display fabricated profits. They often begin as romance scams and then introduce supposedly lucrative crypto investments once trust is established. Investigators traced the fraudulent funds to two Binance wallets and are using civil forfeiture to retrieve them. The average loss per victim exceeds $62,000, and annual U.S. losses from such schemes run into the billions of dollars. The FBI has warned about the rising frequency of cryptocurrency investment scams and urged the public to be vigilant. Anyone who suspects they have been targeted is encouraged to report it to the authorities with the relevant details. |
| 2024-03-15 17:50:13 | thehackernews | CYBERCRIME | GhostRace: Speculative Execution Bug Threatens CPU Security | Researchers have disclosed GhostRace (CVE-2024-2193), a data-leakage vulnerability that exploits speculative execution in modern CPUs. Like Spectre v1 (CVE-2017-5753), GhostRace abuses speculative execution, but it combines it with race conditions: synchronization primitives implemented with conditional branches can be bypassed transiently, so a critical section runs speculatively even though the lock is held. The vulnerability was found by IBM Research Europe and VUSec, who showed that it affects all synchronization primitives built on conditional branches. It enables Speculative Concurrent Use-After-Free (SCUAF) attacks, in which a race condition on a transiently executed path gives an attacker access to arbitrary memory contents. AMD says its existing Spectre mitigation guidance applies to GhostRace, and the Xen hypervisor project has released hardening patches. The performance and security impact of the available mitigations across different systems is still being evaluated. |
| 2024-03-15 17:14:19 | bleepingcomputer | MISCELLANEOUS | PornHub Blocks Texas Users Over Stringent Age Verification Laws | PornHub has blocked access to its site for users in Texas in protest at the state's age verification law. Texas bill HB 1181, which requires stringent age checks for viewers of adult content, was reinstated on appeal. The law carries penalties for non-compliance, and PornHub's parent company Aylo Global Entertainment faces a $1.6 million fine plus additional daily charges. The 5th U.S. Circuit Court of Appeals allowed enforcement of the age verification requirement but blocked the law's mandatory mental health notices. In response, Aylo has blocked several of its adult sites for Texas visitors, arguing that such laws are ineffective and create new risks. PornHub favours device-level age verification performed by operating system vendors over separate verifications by each site, citing privacy and data breach concerns. Centralized verification would nonetheless raise significant data protection challenges for OS vendors, and state-level blocks are likely to push users towards VPNs to evade geographic restrictions. |
| 2024-03-15 16:07:53 | bleepingcomputer | CYBERCRIME | Moldovan Cybercriminal Sentenced to 42 Months for Operating Hacked Account Marketplace | Sandu Boris Diaconu, a Moldovan national, was sentenced to 42 months in prison for running E-Root, a marketplace that sold access to hacked computers. He will serve three years of supervised release after his sentence. Diaconu pleaded guilty to conspiracy to commit access device and computer fraud and to possessing unauthorized access devices. He was arrested in the UK in May 2021 and extradited to the U.S. in October 2023 on fraud charges. According to the DOJ, E-Root listed more than 350,000 credentials for sale, affecting victims across many industries worldwide. Buyers used the access for ransomware attacks, fraudulent wire transfers and tax fraud. The marketplace took payment through Perfect Money to obscure transactions and also ran an illicit cryptocurrency exchange. It presented itself as a legitimate e-commerce site with customer support, but its actual business was selling RDP and SSH access to compromised servers. |
| 2024-03-15 15:27:02 | bleepingcomputer | CYBERCRIME | Former Telecom Manager Pleads Guilty to Insider-Assisted SIM Swaps | A former New Jersey telecom store manager has pleaded guilty to conspiracy charges for carrying out unauthorized SIM swaps. The insider's help let cybercriminals hijack customers' phone numbers and so defeat SMS-based two-factor authentication on their accounts. Jonathan Katz abused his position to override the carrier's security checks in exchange for $1,000 per illicit SIM swap. Five victims in several states suffered account takeovers affecting their email, social media and cryptocurrency wallets. The carrier's safeguards against arbitrary number porting were bypassed because Katz's privileged store access let him perform the swaps from inside. Katz was paid in Bitcoin for each swap, plus a cut of the proceeds the criminals extracted from the victims' accounts. The charge carries a maximum of five years in prison and a fine of $250,000 or twice the financial gain or loss. Sentencing is scheduled for July 16, 2024. |
| 2024-03-15 13:54:58 | bleepingcomputer | MALWARE | StopCrypt Ransomware Adopts New Evasion Techniques | StopCrypt ransomware, also known as STOP Djvu, has adopted a new multi-stage loading process built on shellcode that makes it harder for security tools to detect. Unlike the major ransomware gangs that target large companies, STOP goes after consumers, demanding small ransoms of $400 to $1,000 and relying on mass distribution. It spreads mainly through malvertising and dubious sites offering adware bundles, which also drop password-stealing trojans alongside the ransomware. The latest variant starts by loading a deceptive DLL and runs time-delaying loops to outlast sandboxes and other time-based defenses. It resolves API calls dynamically and uses process hollowing to execute its payload discreetly in the memory of a legitimate process. For persistence it modifies ACLs so that users cannot delete its key files and creates a scheduled task to re-run the payload. Encrypted files receive the ".msjd" extension, one of hundreds used by the STOP family, and a ransom note named "_readme.txt" is dropped in each affected directory. |
| 2024-03-15 11:37:24 | theregister | DATA BREACH | Regulatory Reprimand After Metropolitan Police Data Exposure | The London Mayor's Office for Policing and Crime (MOPAC) exposed sensitive data from complaints against the Metropolitan Police Service because of a webform misconfiguration. The Information Commissioner's Office (ICO) called the incident "completely avoidable"; it affected roughly 400 people who had submitted highly personal information. The exposure happened when an employee mistakenly made complaint forms that should have been restricted to four colleagues publicly accessible. MOPAC has contacted the affected individuals and taken "remedial steps" including awareness training to prevent a repeat. The ICO issued further recommendations to MOPAC on information governance and UK GDPR compliance. MOPAC has expressed regret and says it has improved training and data security monitoring in response to the ICO's findings. Exposure of such sensitive information risks undermining public confidence in the criminal justice system, although there is no evidence the data was accessed by unauthorized parties. |
| 2024-03-15 11:37:24 | thehackernews | CYBERCRIME | ChatGPT Third-Party Plugin Flaws May Allow Account Takeovers | Researchers have identified vulnerabilities in third-party ChatGPT plugins that could give attackers unauthorized access to user data. Salt Labs found flaws in OpenAI's ChatGPT and its plugin ecosystem that allow malicious plugins to be installed and accounts on third-party sites such as GitHub to be hijacked. OpenAI is retiring plugins: after March 19, 2024, new plugins can no longer be installed and new conversations with existing plugins can no longer be started. One flaw in the OAuth installation flow lets an attacker trick a user into installing an arbitrary plugin, which can then intercept and exfiltrate the user's data. Salt Labs also found zero-click account takeover bugs in PluginLab, a framework for building ChatGPT plugins, giving an attacker a path to a victim organization's GitHub account. There is currently no evidence that user data was compromised through these flaws. Separately, researchers have described a side-channel attack that uses token lengths to recover sensitive content from encrypted traffic between AI assistants and their users. The findings underline the difficult balance between security, usability and performance in building AI applications. |
| 2024-03-15 07:53:16 | thehackernews | MISCELLANEOUS | Google Strengthens Chrome's Safe Browsing with Real-Time Protection | Google has announced an enhanced Safe Browsing mode for Chrome that checks URLs in real time to stop users reaching malicious sites. The new mode, rolling out on Chrome for desktop and iOS, compares sites against Google's continuously updated list of known unsafe sites in real time and is expected to block 25% more phishing attempts. Chrome previously relied on a locally stored list of unsafe sites refreshed every 30 to 60 minutes; it now performs a more dynamic server-side check without revealing the user's browsing history to Google. Phishing domains are short-lived, with 60% existing for less than 10 minutes, so a list updated hourly misses many of them. For each check Chrome sends truncated, encrypted hashes of the URL to a privacy server, which strips identifying information before forwarding the query to Google's Safe Browsing server. The privacy server is an Oblivious HTTP (OHTTP) relay, so no single party sees both the user's IP address and the URL hash prefixes: the relay sees the IP but not the hashes, and the Safe Browsing server sees the hashes but not the IP, which prevents Google from tying URL checks to individual browsing histories. |
| 2024-03-15 06:21:44 | thehackernews | MALWARE | Malicious Fake Software Ads Infect Chinese Users with Geacon Trojan | Chinese internet users searching for Notepad++ and VNote are being targeted with trojanized versions of the two applications, promoted through misleading ads on search engines such as Baidu. The fake sites serving the infected software resemble the legitimate product pages but have inconsistent domain names and download offers that do not match the real products. On the fake Notepad++ site the Windows download links to the official repository, while the Linux and macOS downloads lead to packages hosted on a suspicious server. The altered installers fetch a backdoor similar to Geacon, the Go implementation of the Cobalt Strike beacon, which can perform file operations, establish SSH connections and carry out other actions. The implants communicate with their command-and-control servers over HTTPS, so the traffic blends in with normal encrypted web traffic. The malvertising campaign is linked to other cases in which software masquerading as popular productivity tools was used to deliver malware. |
| 2024-03-14 23:40:31 | theregister | NATION STATE ACTIVITY | Senator Highlights National Security Risks in Chinese Safe Locks | U.S. Senator Ron Wyden has warned that Chinese-manufactured electronic safe locks pose a national security risk. In a letter to the National Counterintelligence and Security Center (NCSC), Wyden raised the alarm about possible espionage via manufacturer backdoor codes in safe locks used by American businesses. Government agencies are able to obtain the manufacturers' reset codes, and foreign adversaries could exploit the same codes to steal intellectual property. The Department of Defense is aware of the risk these reset codes create but has not informed the public, to avoid disclosing the weakness. Wyden accuses federal agencies of quietly protecting their own interests while leaving American businesses exposed to foreign espionage. He urges the NCSC to advise businesses to use locks that meet U.S. government security standards, which presumably exclude such backdoors. SECURAM Systems, a major U.S. seller of these electronic safe locks, is subject to Chinese law, including potential obligations to cooperate with Chinese government surveillance. |