Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12714

Checks for new stories every ~15 minutes

2024-05-16 23:31:23 theregister CYBERCRIME Microsoft Quick Assist Exploited for Black Basta Ransomware Attacks
A cybercrime gang, identified as Storm-1811, has exploited Microsoft's Quick Assist tool to deploy Black Basta ransomware in a social engineering scheme. The attacks began in mid-April and involve scammers posing as IT support, using voice phishing to convince victims to grant remote access to their computers. Once the victim shares their screen and approves the control request, the attacker gains full control of the device. Microsoft has acknowledged the issue and is working on enhancements to Quick Assist, including better transparency and warning messages to deter such scams. Victims are often first flooded with spam emails before being contacted by fake IT support offering to fix the fabricated problem. Microsoft advises customers to block or uninstall Quick Assist and other remote management tools if they are not in use. Additional measures include using threat-hunting queries and indicators of compromise to identify and respond to suspicious network activity. After gaining access, the attackers use tools such as PsExec for lateral movement within the network to spread the ransomware.
2024-05-16 19:22:08 bleepingcomputer NATION STATE ACTIVITY Five Charged in Cyber Scheme Aiding North Korea's Weapons Program
The U.S. Justice Department has charged five individuals linked to cyber schemes that funded North Korea's nuclear initiatives. Charged parties include two apprehended individuals: Christina Marie Chapman in Arizona and Oleksandr Didenko in Poland, alongside three other foreign nationals using aliases. They are accused of various crimes including money laundering, wire fraud, and aggravated identity theft, orchestrated to infiltrate U.S. job markets. Their operations involved using a "laptop farm" run by Chapman to emulate U.S. locations for North Korean IT workers, enabling them to secure employment at Fortune 500 companies. These activities generated over $6.8 million and compromised more than 60 U.S. identities, impacting over 300 U.S. companies and creating false tax liabilities for over 35 citizens. Consequences if convicted are severe, with Chapman facing up to 97.5 years and Didenko up to 67.5 years in prison. The U.S. State Department offers a $5 million reward for information on Chapman's co-conspirators, further indicating the scheme's significant impact on national security.
2024-05-16 19:11:46 bleepingcomputer CYBERCRIME Norway Advises Shift From SSL VPN to More Secure IPsec
The Norwegian National Cyber Security Centre (NCSC) is advising organizations to replace SSLVPN/WebVPN solutions with IPsec using IKEv2 by 2025 to enhance security. The move is intended to combat the repeated exploitation of SSL/TLS vulnerabilities by cybercriminals in corporate network breaches. Organizations under the 'Safety Act' or those in critical infrastructure sectors are urged to make the switch by the end of 2024. SSL VPNs use SSL/TLS protocols to create a secure connection, whereas IPsec with IKEv2 offers enhanced security by encrypting and authenticating each packet and periodically refreshing keys. NCSC acknowledges that while IPsec with IKEv2 also has vulnerabilities, it reduces the attack surface significantly due to its reduced tolerance for configuration errors. Interim measures suggested by NCSC include centralized VPN activity logging, strict geofencing, and blocking access from high-risk sources like VPN providers and Tor exit nodes. The urgency is underscored by recent breaches involving exploited vulnerabilities in SSL VPNs by state-sponsored and criminal hacking groups. International consensus, including recommendations from the USA and UK, indicates a shift toward IPsec as a more secure standard for VPN technologies.
2024-05-16 17:09:45 bleepingcomputer DATA BREACH MediSecure Suffers Ransomware Attack Via Third-Party Vendor
MediSecure, an electronic prescription provider in Australia, faced a ransomware attack impacting personal and health information, with scale and specifics still under assessment. The attack, initiated through a third-party vendor, led to the shutdown of MediSecure's website and communication systems to mitigate further risk. Operating since 2009, MediSecure has been instrumental in delivering digital healthcare solutions, specifically managing and dispensing medications electronically. The company has initiated a thorough investigation into the breach and is collaborating with Australia's National Cyber Security Coordinator and the Office of the Australian Information Commissioner. Public statements acknowledged the incident and emphasized immediate steps taken to secure systems and data, although details regarding the ransom demand, if any, were not disclosed. This incident marks one of the significant healthcare-related cyber-attacks in Australia, following the major Medibank breach in October 2022, highlighting ongoing vulnerabilities in the healthcare sector related to cyberattacks.
2024-05-16 16:08:13 thehackernews CYBERCRIME New Wi-Fi Flaw Enables Unauthorized Network Eavesdropping
A new vulnerability, CVE-2023-52424, identified in the IEEE 802.11 Wi-Fi standard enables attackers to force a downgrade to a less secure network. The flaw affects all operating systems and Wi-Fi protocols, including WEP, WPA3, and 802.1X/EAP. Attackers can spoof network names (SSIDs) to trick victims into connecting to malicious networks and intercept their traffic. The vulnerability undermines VPNs that automatically deactivate when connecting to a trusted network. Researchers propose enhancing the Wi-Fi standard to include SSID authentication in the connection process to mitigate the attack. Additional mitigations include using distinct credentials for different SSIDs, especially in enterprise environments. This discovery follows recent disclosures of similar security issues in Wi-Fi authentication mechanisms.
2024-05-16 15:57:51 bleepingcomputer NATION STATE ACTIVITY Russian-Sponsored Hackers Deploy Lunar Malware Against European Government
Security researchers identified new malware, LunarWeb and LunarMail, used by Russian hackers targeting a European government's diplomatic agencies. The malware was involved in breaches of the Ministry of Foreign Affairs, affecting diplomatic missions primarily in the Middle East since 2020. Spear-phishing emails with malicious Word documents initiated the infection, installing LunarMail through macros that also ensured persistence via Outlook add-ins. LunarWeb was delivered using a misconfigured network monitoring tool, with techniques to mimic legitimate traffic for covert operations and surveillance. Both backdoors allow remote command execution, data theft, and system manipulation, ensuring deep access and control over compromised systems. ESET attributes these attacks to the Turla group, a Russian state-sponsored entity, with medium confidence based on observed tactics and techniques. The company also released a list of indicators of compromise to help detect and mitigate these threats in affected network environments.
2024-05-16 15:47:28 theregister MISCELLANEOUS EU Examines Meta for Child Protection Under Digital Services Act
The European Commission has launched an investigation into Meta, scrutinizing its compliance with the Digital Services Act, particularly in safeguarding minors on Facebook and Instagram. Meta is under investigation for potentially exploiting the inexperience of minors, leading to addictive behaviors and excessive content immersion on their platforms. The Commission will assess the effectiveness and appropriateness of Meta’s age-verification tools to prevent minors from accessing harmful content. Additional scrutiny includes the examination of privacy and safety measures for minors, focusing on default settings and recommendation algorithms to ensure they align with legal requirements. Violations of the Digital Services Act could result in fines up to 6 percent of Meta's global annual turnover, approximately $8.5 billion. Separate proceedings are focused on other serious concerns, including Meta's role in the spread of political misinformation by foreign actors. Commissioner Thierry Breton emphasized the importance of rigorous investigations to uphold child protection standards on these widely used social platforms.
2024-05-16 14:51:06 theregister NATION STATE ACTIVITY UK Intelligence Prioritizes Mitigating Cyber Threats from China
British intelligence has shifted its primary focus to countering cyber threats from China, surpassing concerns about other nation-states. The CYBERUK conference underscored the growing concern among UK officials regarding Beijing's attempts to dominate global technology standards and cyber capabilities. Recent discussions at the event highlighted the significant resources GCHQ is dedicating towards understanding and combating potential cyber threats from China. China's cyber strategy includes leveraging an extensive network of hacking groups and data brokers to advance its geopolitical and technological goals. UK intelligence is increasingly collaborating with Five Eyes allies, industry, and academic institutions to enhance cyber resilience against threats posed by nation-states like China and Russia. The narrative at CYBERUK stressed the urgent need for increased cyber resilience to deter future large-scale disruptions or attacks, particularly those that could be orchestrated by China. There is a pressing necessity for the tech industry and governments to innovate and cooperate to effectively counter sophisticated cyber operations from nation-states.
2024-05-16 14:15:21 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Target South Korea With New Linux Malware
The North Korean Kimsuky hacker group has deployed a Linux backdoor called Gomir, targeting South Korean entities. The Gomir malware, a Linux variant of the GoBear backdoor, was distributed through trojanized software packages. Key capabilities of Gomir include direct command and control communications, persistence on infected systems, and execution of diverse commands. The malware establishes itself by ensuring it runs with root privileges and maintains persistence by copying itself to system directories and setting up a systemd service. Symantec’s investigation revealed that Gomir supports 17 specific operations, similar to those of the Windows version, GoBear. Supply-chain attacks, utilizing trojanized software installers, are identified as the primary method of deploying these malicious tools. Symantec's report includes indicators of compromise to help identify and mitigate these security threats.
2024-05-16 14:04:57 bleepingcomputer MISCELLANEOUS Managing Security Risks with AI Tools in the Workplace
The adoption of generative AI (GenAI) tools in the workplace has surged rapidly, with businesses observing a significant rise in AI application usage from 150 in July 2023 to over 500 recently. Many employees use GenAI tools without formal oversight due to free trials and SaaS models, complicating IT and security teams' tracking and management efforts. Nudge Security offers a SaaS management platform that detects all SaaS and GenAI tools used across an organization, providing an immediate comprehensive inventory even for newly adopted tools. The platform allows security teams to review and assess the security of these tools by offering insights into usage, user identity, and integration details with aligned security evaluations. Nudge Security helps identify and manage risky permissions granted via OAuth, enhancing security by understanding and overseeing the scope of access each application has. It supports IT governance by sending timely "nudges" to users when they adopt new AI tools, prompting them to acknowledge the organization’s AI usage policies and encouraging secure practices. Through these mechanisms, Nudge Security enables businesses to maintain a balance between fostering innovation with new AI technologies and ensuring robust protection against associated security risks.
2024-05-16 13:49:24 thehackernews MALWARE North Korean Hackers Use Facebook Messenger for Malware Delivery
The North Korea-linked Kimsuky hacking group is conducting a malware campaign via Facebook Messenger using fictitious accounts. Targets are deceived by fake profiles imitating public officials in the North Korean human rights sector. The attack employs social engineering through private document shares on OneDrive, diverging from traditional email spear-phishing. Decoy documents are presented as academic and interview content related to diplomatic summits, hosted with misleading file types to bypass detection. Upon opening the malicious document, a command sequence is triggered that connects the victim's computer to a control server. Collected data includes IP addresses, user details, and process information, which are sent to the adversary's server for further exploitation. The campaign's techniques partially overlap with previous activity attributed to Kimsuky, indicating a continuation and evolution of the group's strategic cyber attacks. Genians highlights the importance of early detection of such personalized and covert social-media-based attacks, which often go undetected by standard security measures.
2024-05-16 13:28:51 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Use Trojanized Software for Espionage
The North Korean Kimsuky group targeted South Korean entities using trojanized software to deploy the Linux malware Gomir. Trojanized versions of TrustPKI, NX_PRNMAN, and Wizvera VeraPort were used to insert malware, including a Windows variant, Troll Stealer. Gomir, a new backdoor similar to the Windows GoBear malware, facilitates direct C2 communications and has robust persistence capabilities. Upon infection, Gomir secures itself on the host by copying itself to /var/log/syslogd, creating a systemd service, and establishing a crontab command for reboot persistence. The backdoor can execute 17 different operations controlled via HTTP POST commands from its command-and-control server. Symantec identified the malicious activity and shared indicators of compromise, emphasizing supply-chain attacks as the prevalent method for these espionage efforts.
2024-05-16 10:55:53 bleepingcomputer MALWARE Google Patches Third Chrome Zero-Day in One Week
Google has issued an emergency security update for Chrome to fix a third zero-day vulnerability exploited within a week. The vulnerability, identified as CVE-2024-4947, involves a type confusion issue in the Chrome V8 JavaScript engine. This high-severity flaw, reported by Kaspersky researchers, allows for arbitrary code execution on targeted devices by manipulating memory buffers. The updated Chrome versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux will be distributed to users in the Stable Desktop channel in the upcoming weeks. Chrome users are urged to ensure their browser is updated to the latest version by manually checking via the Chrome menu and installing available updates. Details about the attacks utilizing this vulnerability remain restricted to prevent further exploits, especially considering the bug may also exist in third-party libraries used by other projects. This zero-day is the seventh to be addressed in Chrome in 2024, signaling a concerning trend in browser security vulnerabilities.
2024-05-16 10:15:07 thehackernews CYBERCRIME Security Flaws in GE Healthcare Ultrasound Machines Expose Risks
Security researchers have identified 11 vulnerabilities in the GE HealthCare Vivid Ultrasound systems, potentially enabling ransomware attacks and patient data manipulation. The flaws affect both the ultrasound system itself and related software, including the EchoPAC program used on Windows workstations by doctors. Exploitation requires physical access to the healthcare environment, after which a threat actor can execute arbitrary code with administrative privileges. The most critical vulnerability, CVE-2024-27107, involves the use of hardcoded credentials, facilitating unauthorized access to patient data. An attacker could employ various methods for exploitation, including the use of malicious USB drives to automate attacks or accessing the hospital network via stolen VPN credentials. GE HealthCare has responded to the findings, suggesting that existing controls mitigate the risks to an acceptable level, emphasizing that physical access is required for exploitation. Recent security disclosures have heightened concerns regarding the robustness of security measures in healthcare and related IoT devices, underscoring the essential need for constant vigilance and timely updates.
2024-05-16 09:39:20 theregister MISCELLANEOUS NCSC CTO Criticizes Tech Market for Security Failings
NCSC CTO Ollie Whitehouse discussed the tech industry's role in cybersecurity challenges during the CYBERUK conference. He addressed the market's inability to produce cyber-resilient technology despite technical know-how in fields such as memory safety and Rust. He highlighted a significant rise in known vulnerabilities and a gap between security claims and reality, and emphasized the pervasive issue of technical debt and the need to impose penalties on vendors for security failings. He advocated stronger regulatory and legislative action to enforce vendor accountability for cybersecurity, and suggested incentives for companies that proactively improve their security practices, alongside increased transparency and tighter regulation. He stressed the importance of continuous investment in security rather than seeking one-time, simplistic solutions, and called for a paradigm shift in how the market values cybersecurity to better prepare for future technologies and security requirements.