Daily Brief

Total articles found: 12714

Checks for new stories every ~15 minutes

2024-05-16 03:22:21 thehackernews CYBERCRIME Cybercriminals Misuse Microsoft Quick Assist for Ransomware Attacks
Storm-1811, a financially motivated cybercriminal group, exploits Microsoft Quick Assist to launch social engineering and ransomware attacks. The attackers deploy Black Basta ransomware through a deceptive chain involving voice phishing, installation of remote monitoring and management (RMM) tools, and malware such as QakBot and Cobalt Strike. The criminals masquerade as IT support to gain access to victims' devices, using Quick Assist under the guise of helping with spam problems that the attackers themselves created through link listing attacks. Once access is gained, the attackers use a cURL command to download malicious batch or ZIP files, facilitating further ransomware spread across networks. The misuse of Quick Assist has prompted Microsoft to consider adding warning messages to alert users to potential tech support scams. Industries targeted include manufacturing, construction, food & beverage, and transportation, demonstrating the widespread nature of these ransomware campaigns. Microsoft and cybersecurity experts urge organizations to disable or uninstall unused RMM tools and educate employees on recognizing tech support scams.
2024-05-16 03:01:42 thehackernews MALWARE Google Addresses New Chrome Zero-Day Exploit with Urgent Patch
Google has issued updates to fix a newly discovered zero-day vulnerability in its Chrome browser, CVE-2024-4947, which is being actively exploited in the wild. The vulnerability is a type confusion issue in Chrome's V8 JavaScript engine that allows attackers to execute arbitrary code. Kaspersky researchers flagged the security flaw, marking it the third zero-day patched by Google in just a week. This type of vulnerability enables unauthorized out-of-bounds memory access, potentially leading to system crashes and uncontrolled code execution. Google has now addressed seven zero-day vulnerabilities in Chrome since the beginning of the year. Users are strongly urged to update their Chrome browsers to the latest version (125.0.6422.60/.61 for Windows and macOS, 125.0.6422.60 for Linux) to protect against potential exploits. Updates are also recommended for users of other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi as patches become available.
2024-05-16 01:24:45 bleepingcomputer MALWARE New Android 15 Security Features Target Malware and Fraud Prevention
Google has enhanced Android 15 and Google Play Protect with new security features to combat scams, fraud, and malware on devices. Upgrades focus on blocking spyware and banking trojans that steal banking credentials and multi-factor authentication codes. Privacy during screen sharing is enhanced: sensitive information, such as one-time passcodes, is automatically obscured to thwart data theft. A notification system will alert users when they are connected to an unencrypted cellular network, increasing protection against Stingray attacks and similar threats. Google Play Protect now includes live threat detection using on-device AI to identify and review suspicious app behavior. Developers will benefit from the updated Play Integrity API, which checks whether apps are running in secure environments. These updates were announced at Google I/O 2024 and will be implemented in the upcoming updates for Google Play services and Android 15.
2024-05-15 22:36:51 theregister CYBERCRIME FBI Shuts Down BreachForums Ransomware Site and Telegram Channel
The FBI, alongside international law enforcement agencies, has successfully seized control of the ransomware brokerage site BreachForums and its associated Telegram channel. This law enforcement action comes shortly after BreachForums hosted stolen data from Europol's databases. Previous attempts to disable the site have been made, but it has consistently re-emerged until this recent operation. The takedown was coordinated by the Five Eyes intelligence alliance plus police forces from Switzerland, Iceland, and Ukraine. BreachForums had replaced the previously dismantled RaidForums and was known for trading in stolen data and facilitating double extortion ransomware attacks. The site’s former administrator, Conor Brian Fitzpatrick, was sentenced to 20 years of supervised release following his earlier arrest in January. The current website of BreachForums now displays a notice of its seizure by the FBI and DOJ, and a call for information related to cybercriminal activities conducted through the platform. While the takedown represents a significant disruption in cybercriminal operations, the persistence of such illicit online marketplaces suggests ongoing challenges in completely eliminating such criminal enterprises.
2024-05-15 22:36:50 bleepingcomputer MALWARE Google Addresses Third Chrome Zero-Day in One Week
Google released an emergency update for Chrome to patch a severe zero-day vulnerability known as CVE-2024-4947, already exploited in the wild. This marks the third zero-day exploit addressed by Google within a single week, highlighting an intensifying security threat. The vulnerability stems from a type confusion issue in Chrome’s V8 JavaScript engine, discovered by researchers at Kaspersky. The flaw can potentially allow attackers to execute arbitrary code on target devices by manipulating browser memory. Chrome updates are deployed automatically, but users can manually verify and finalize the update via the browser's settings. Given the nature of the exploit, Google restricted access to detailed bug information to prevent further abuse until most users have updated. This recent patch is part of a broader trend, with Google fixing a total of seven actively exploited zero-days in Chrome since the onset of 2024.
2024-05-15 22:31:36 theregister CYBERCRIME Cybercriminal Claims Theft From US Army and Major Defense Firm
An extortionist known as IntelBroker claims to have stolen files from the US Army Aviation and Missile Command (AMCOM) and a $75 billion aerospace and defense company. The stolen data from AMCOM reportedly includes maintenance tasks, PDFs, PNG files, and some .txt files, though these claims have not been officially verified. IntelBroker also claims to be selling stolen source code and other data from the defense company's CI/CD pipeline, Bitbucket, GitHub, and Apache SVN repositories. Both data breaches were announced on dark web platforms, with IntelBroker urging potential buyers to make contact via encrypted messages and pay in Monero (XMR). Europol is currently investigating IntelBroker's claim regarding the theft of confidential data from the Europol Platform for Experts, though no core or operational data has been compromised. Additional claims by IntelBroker in recent months include data thefts from the Pentagon, other national security agencies, and private sector entities like Home Depot through third-party vulnerabilities.
2024-05-15 19:56:49 bleepingcomputer MALWARE Google Announces Advanced Malware Protection for Android 15
Google has introduced new security features in Android 15 and Google Play to enhance protection against malware, scams, and fraud. The updates, revealed at Google I/O 2024, include measures to protect users against banking trojans and spyware, specifically by obscuring one-time passcodes and expanding the restricted settings that control app permissions. New functionality will protect sensitive information during screen-sharing sessions by hiding private notification details and sensitive data entry from remote viewers. Google is rolling out alerts for users when their devices connect to an unencrypted cellular network, helping prevent interception of voice and SMS data. The company introduced Google Play Protect live threat detection, which uses on-device AI to identify and respond to suspicious app behavior in real time. Google's updated Play Integrity API helps developers ensure their apps are operating in secure environments and verify app signals for enhanced security. These enhancements are part of Google's broader effort to help developers create safer applications and provide end users with robust protections against evolving cyber threats.
2024-05-15 19:36:10 bleepingcomputer DATA BREACH Nissan North America Data Breach Affects Over 53,000 Employees
Nissan North America experienced a significant data breach impacting over 53,000 current and former employees' personal data. The breach was identified after a threat actor targeted Nissan's external VPN and subsequently demanded a ransom, although no systems were encrypted. Nissan detected the breach in November 2023, with further discovery in February 2024 of exposed Social Security numbers among the accessed files. The company promptly involved law enforcement, contained the incident with the help of cybersecurity experts, and successfully terminated the threat. Despite the exposure of sensitive data, there have been no reports of misuse of the information so far. To assist affected individuals, Nissan is offering two years of free credit monitoring and identity theft protection services through Experian. This incident is part of a series of security issues encountered by various Nissan divisions globally over the past few years.
2024-05-15 18:39:48 bleepingcomputer CYBERCRIME Brothers Execute Novel $25 Million Ethereum Blockchain Heist
Two brothers, Anton and James Peraire-Bueno, have been arrested and indicted for stealing $25 million in cryptocurrency via a complex Ethereum blockchain manipulation. The alleged scheme involved tampering with Ethereum's transaction validation processes to divert cryptocurrency during transactions. This theft, executed within approximately 12 seconds, is described as a "first-of-its-kind" by the U.S. Department of Justice. The pair faces charges of wire fraud, conspiracy to commit wire fraud, and money laundering, with each charge carrying a potential 20-year prison sentence. The investigation was led by the IRS Criminal Investigation Cyber Unit in New York, with assistance from the NYPD and U.S. Customs and Border Protection. The brothers used advanced knowledge from their education in computer science and math to learn trading behaviors and effectively hide their identities. After the theft, they engaged in sophisticated laundering techniques using multiple cryptocurrency addresses, foreign exchanges, and shell companies. They also researched online how to execute and conceal the attack and how to handle legal challenges that might arise from their actions.
2024-05-15 17:58:54 thehackernews DATA BREACH FBI Takes Down BreachForums, Seizes Platform Twice in One Year
The FBI has successfully seized BreachForums, a notorious marketplace for stolen data, marking the second takeover within a year. BreachForums was operational from June 2023 until May 2024, facilitating the trade of illegal items like breached databases and hacking tools. This seizure involved a multinational effort with contributions from authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine. The FBI also took control of the Telegram channel operated by Baphomet, who assumed leadership after the previous administrator's arrest in March 2023. A prior version of the site was taken down in late June 2023, and the forum has since faced repeated law enforcement actions against its various domains. While the current operational status and the arrests of administrators such as Baphomet and ShinyHunters are still unconfirmed, their profile images on the seizure banner suggest incarceration. The FBI is actively urging individuals with information related to criminal activities on BreachForums to come forward and contact it via Telegram or email.
2024-05-15 17:43:24 bleepingcomputer CYBERCRIME Apple Stops $7 Billion in Fraudulent App Transactions, Enhances Security
Apple's anti-fraud technology prevented over $7 billion in fraudulent transactions on the App Store from 2020 to 2023. In 2023 alone, Apple halted $1.8 billion in suspicious transactions and prevented 3.5 million stolen credit cards from being used. Over four years, the tech giant detected and blocked 14 million stolen credit cards and deactivated 3.3 million accounts associated with these cards. The App Review team, comprising 500 experts, reviewed 6.9 million app submissions in 2023, rejecting 1.7 million for failing to meet security and privacy standards. In 2023, Apple removed 152 million fake or fraudulent app ratings and reviews from a total of 1.1 billion submissions. Aggressive enforcement led to the termination of 118,000 developer accounts and the suspension of 91,000 customer accounts for fraud or illegal activities. Despite robust review processes, some fraudulent apps managed to bypass security checks, with incidents involving fake versions of well-known apps like LastPass and Leather cryptocurrency wallet reported in 2023.
2024-05-15 17:12:34 theregister MISCELLANEOUS Effective Cyber Defense Strategy Using Open Source SIEM and XDR
A comprehensive cyber defense strategy is essential to prevent, detect, and respond to cyber threats, helping avoid financial loss, reputational damage, and legal consequences. Key components of a robust defense strategy include risk assessments, technology customization, integration of security technologies, and incident response planning. Wazuh, a free and open source security tool, offers unified SIEM and XDR protection and is integral in enhancing security across various platforms, including cloud, on-premise, and containerized environments. Features of Wazuh include threat detection, incident response capabilities, vulnerability detection, security configuration assessments, and compliance with industry standards and regulations. Real-world applications like preventing SSH brute force attacks demonstrate Wazuh's effectiveness in blocking attackers through its active response capabilities. Continuous improvement of cybersecurity measures is crucial, with regular monitoring, user training, and leveraging threat intelligence feeds to address new and emerging security challenges. Wazuh supports integration with third-party platforms, enhancing its threat detection and incident response capabilities and making it a versatile tool for maintaining rigorous security standards. With an active community and extensive documentation, Wazuh aids organizations in refining and advancing their cybersecurity defenses to mitigate potential cyber risks effectively.
2024-05-15 17:07:13 bleepingcomputer MALWARE Black Basta Ransomware Exploits Windows Quick Assist in Attacks
Financially motivated criminals are exploiting the Windows Quick Assist tool to deploy Black Basta ransomware into corporate networks. Attackers begin their campaign by flooding victims' inboxes with email, then impersonate IT support by phone to offer help. Victims are deceived into granting remote access to their systems, enabling attackers to deploy malware using scripted commands. Malicious software such as Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike is installed to facilitate further attacks. After a successful breach, the perpetrators carry out domain enumeration and lateral movement within the network to deploy ransomware. Attackers also use scripts to harvest login credentials, which are then sent to attacker-controlled servers. Microsoft recommends removing Quick Assist where it is not needed and advises training employees to spot tech support scams. The Black Basta group, active since April 2022, has compromised over 500 organizations, including entities in critical infrastructure sectors.
2024-05-15 14:44:18 bleepingcomputer CYBERCRIME FBI Seizes BreachForums, Urges Information Sharing on Activities
The FBI has taken control of BreachForums, a notorious platform used by cybercriminals to leak and sell stolen corporate data. The law enforcement action included seizing the forum's servers and domains and displaying a seizure message on the website. The seizure banner encourages victims and informants to contact the FBI to help investigate cybercriminal activities associated with BreachForums. The FBI also seized control of the forum's Telegram channel, further extending its efforts to gather information. A dedicated page on the FBI's Internet Crime Complaint Center (IC3) subdomain provides details of BreachForums' operations and solicits information from the public. Previously, BreachForums operated under different domains and was preceded by similar hacking forums, illustrating an ongoing pattern of such criminal enterprises. The global cooperation in seizing BreachForums highlights an international response to combat cybercrime effectively.
2024-05-15 14:13:27 bleepingcomputer DATA BREACH Banco Santander Suffers Data Breach Via Third-Party Provider
Banco Santander S.A. disclosed a data breach affecting numerous customers and employees across Spain, Chile, and Uruguay. A third-party service provider's database was accessed by unauthorized parties, leading to the compromise. Immediate actions were taken to contain the breach, including blocking compromised access and enhancing fraud prevention controls. While specific data details remain undisclosed, it was confirmed that transaction information and online banking credentials were not affected. Santander confirmed that the breach did not impact its systems and operations in the affected countries, ensuring that banking services continue uninterrupted. Only the markets of Chile, Spain, and Uruguay were affected; other regions where Santander operates were not impacted. Customers and employees whose information was exposed will be directly notified, and relevant law enforcement agencies have been informed. Investigations into the extent of the data exposed and the implications of the breach are ongoing.