Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11783
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-15 15:00:46 | bleepingcomputer | CYBERCRIME | Turla Hackers Implement TinyTurla-NG Backdoor in NGO Cyberespionage | Turla, a Russian hacker group linked to the FSB, has used new malware, TinyTurla-NG, to backdoor NGOs and steal data. Exploiting vulnerable WordPress sites, Turla placed C2 infrastructure to control the malware and gather stolen information. Cisco Talos revealed TinyTurla-NG during an investigation of a Polish NGO supporting Ukraine, indicating espionage activities. TinyTurla-NG serves as a persistent backdoor, providing ongoing access to compromised systems and executing commands via infected WordPress websites. The malware focuses on exfiltrating passwords for key management software utilizing TurlaPower-NG PowerShell scripts. Researchers identified several variants of TinyTurla-NG, with attacks dating back to as early as November last year. Despite some coding differences from previous TinyTurla versions, the new backdoor shares similar traits and aims. Indicators of compromise associated with TinyTurla-NG have been published by Cisco Talos to aid in detection and defense. | Details |
| 2024-02-15 14:50:20 | bleepingcomputer | CYBERCRIME | Turla Hackers Launch Sophisticated Malware Targeting NGOs | Russian hacker group Turla used a new malware variant, TinyTurla-NG, to target non-governmental organizations (NGOs) and maintain network access. Compromised WordPress websites were utilized for command and control (C2), hosting malicious scripts, and data exfiltration. Cisco Talos uncovered the threat whilst aiding a Polish NGO that supports Ukraine, revealing the attack dates back to at least December. TinyTurla-NG serves as a 'secret backdoor', ensuring persistent access to systems, even when other entry points are detected and closed. TurlaPower-NG PowerShell scripts exploit this access to steal master passwords and sensitive information, avoiding files like .MP4 videos during data harvesting. At least three variants of the backdoor exist, with the campaign potentially initiated in November, and indicators of compromise have been published by Cisco Talos. | Details |
| 2024-02-15 14:24:24 | thehackernews | CYBERCRIME | Ivanti Pulse Secure Appliances Plagued by Obsolete Software and Vulnerabilities | An Ivanti Pulse Secure appliance was found running CentOS 6.4, an extremely outdated Linux version unsupported since November 2020. Security flaws in Ivanti Connect Secure, Policy Secure, and ZTA gateways are actively exploited by threat actors for malware delivery. Eclypsium's reverse engineering using a PoC exploit unveiled numerous vulnerabilities across outdated packages and libraries. The Perl and Linux kernel versions used have not been updated in over 23 and 11 years, respectively, raising significant security concerns. Analysis revealed over 1,200 script issues, 5,218 vulnerabilities in Python files, and 133 outdated certificates. Ivanti's Integrity Checker Tool (ICT) was found to skip critical directories, potentially allowing attackers to evade detection. The demonstration of a theoretical attack shows the risk of attackers exploiting zero-day flaws and the lack of comprehensive integrity checks. The report calls for better systems of checks and balances for validating product integrity, with emphasis on an open system enabling visibility into vendor processes. | Details |
| 2024-02-15 14:03:34 | theregister | CYBERCRIME | Cybercriminals Exploit Biometrics to Raid Banking Accounts in Asia | A Chinese-speaking cybercrime group, GoldFactory, is deploying malware targeting both Android and iOS users to steal Face ID scans and break into banking accounts. The group has developed Trojan apps called GoldPickaxe and GoldPickaxe.iOS, which trick users into giving biometric data that bypasses bank app security checks in Thailand and Vietnam. The iOS attacks use sophisticated social engineering, enrolling victims in an MDM program via TestFlight and LINE messaging app impersonations, to infiltrate the tighter security controls of Apple devices. By combining stolen Face ID scans with deepfake technology and intercepted SMS messages, attackers are able to perform unauthorized banking transactions remotely. The threat actors are highly versatile, utilizing tactics like impersonation, phishing, and ID theft to adapt tools specifically for their target environment. GoldFactory's malware evolution highlights an urgent need for proactive cybersecurity measures, emphasizing user education and modern detection systems to counter new Trojan variants. | Details |
| 2024-02-15 13:32:43 | bleepingcomputer | MALWARE | New Qbot Malware Variant Masquerades as Adobe Installer | Developers of Qakbot malware are testing new variants, evidenced by recent email campaigns using fake Adobe installers. The infamous QBot, linked to significant financial damages and system infections, evaded a takedown and continues to operate. Post-takedown campaigns indicate the malware's spam infrastructure remains intact, with new variants emerging since December. Sophos X-Ops identified up to 10 new Qbot builds employing advanced obfuscation and evasion techniques. Unlike older versions, the new samples do not inject code into benign processes but use .MSI and .CAB files for distribution. The Qbot malware now actively searches for endpoint protection and virtual environments to avoid detection. Researchers underscore the importance of monitoring QBot's resurgence to keep security measures updated and the community informed. | Details |
| 2024-02-15 11:35:28 | thehackernews | NATION STATE ACTIVITY | Exposing SaaS Vulnerabilities to Nation-State Cyber Threats | Wing Security's analysis of 493 companies using SaaS applications in Q4 2023 highlights increased susceptibility to cyber threats. Nation-state actors, such as North Korean group UNC4899 and Russian Midnight Blizzard APT, have been targeting SaaS applications used by high-profile organizations. SaaS applications are now integral to modern organizations and can bypass traditional IT security approvals, posing new supply chain security risks. Unauthorized or unnoticed SaaS use, MFA bypassing practices, forgotten access tokens, and the unchecked integration of AI capabilities create significant security gaps. The proliferation of AI across SaaS platforms has led to inadvertent sharing of sensitive data due to overlooked term changes, increasing the risk of data misuse. Wing Security recommends strategies for mitigating SaaS-related threats, emphasizing the need for continuous monitoring and control of SaaS security settings. The report encourages companies to adopt advanced SaaS security measures and provides actionable tips to safely navigate the evolving SaaS landscape. | Details |
| 2024-02-15 09:37:59 | thehackernews | MALWARE | Chinese Hackers Employ Sophisticated Malware with Deepfake Tech | GoldFactory, a Chinese-speaking cybercrime group, has developed sophisticated banking trojans targeting the Asia-Pacific region. Their malware suite includes GoldPickaxe for iOS and Android, GoldDigger, and GoldDiggerPlus, with the latter two designed for Android. Malware distribution involves smishing, phishing, and the use of counterfeit websites, with GoldPickaxe iOS leveraging Apple's TestFlight and MDM profiles. GoldPickaxe bypasses facial recognition security by prompting victims to record a video, later used to create deepfake videos for fraudulent transactions. The malware features capabilities for stealing identities, intercepting SMS, and proxying traffic, with Android variants posing as over 20 applications to steal credentials. GoldDigger targets over 50 Vietnamese finance apps, logging keystrokes and on-screen content, and its variant includes an additional trojan, GoldKefu. GoldKefu masquerades as a messaging app and integrates with the Agora SDK to facilitate fake customer service interactions, convincing users of false fund transfers. Cybersecurity experts advise caution against clicking suspicious links, installing apps from untrusted sources, and reviewing app permissions, especially regarding accessibility services. | Details |
| 2024-02-15 08:31:36 | theregister | CYBERCRIME | Cybercriminals Employ Ad Tech to Optimize Malware Delivery | Cybercriminals are utilizing advertisement technology to track and enhance the effectiveness of their malware distribution, evading conventional detection methods. HP Wolf Security's Q4 2024 Threat Insights Report indicates that malware operators are applying ad tech to improve social engineering tactics and user-targeting precision. The use of ad networks enables attackers to gather analytics on click-through rates and misuse CAPTCHA defenses, thereby hindering automated malware scans and potentially leading to misclassification of malicious files. The analysis of malware trends in Q4 2023 showed an increase in malware delivery through PDF files, rising from 4 percent in earlier quarters to 11 percent. The WikiLoader and DarkGate campaigns are highlighted as examples where attackers employ fake PDFs, such as a parcel delivery notice or OneDrive error message, to deploy malware like Ursnif and enable backdoor access. Attackers are increasingly leveraging cloud services to host malware, exploiting the inherent trust users have in these platforms, as with the Remcos remote access trojan using Discord and TextBin. HP Wolf Security recommends adhering to zero trust principles to mitigate the risk from sophisticated cyber threats, including isolating risky activities like email attachments and browser downloads. | Details |
| 2024-02-15 08:00:57 | bleepingcomputer | MALWARE | 'Gold Pickaxe' Malware Targets Mobile Users with Identity Theft Tactics | A new mobile trojan called 'Gold Pickaxe' is being used to steal facial recognition data and ID information from Android and iOS users. The malware is distributed via social engineering through phishing or smishing messages on the LINE app, urging users to install fake government apps. Group-IB, a cybersecurity firm, has observed 'Gold Pickaxe' primarily targeting individuals in the Asia-Pacific region, with a focus on Thailand and Vietnam. For iOS, attackers have used a TestFlight URL and later switched to malicious Mobile Device Management profiles to bypass security. Gold Pickaxe performs functions such as intercepting SMS, manipulating network traffic, and requesting ID scans to commit fraud. The Android version of the trojan can carry out a larger range of malicious activities due to fewer security restrictions on the platform. The collected facial data is suspected to be used for unauthorized bank access, but the malware does not compromise the biometric data encrypted in the devices' secure enclaves. | Details |
| 2024-02-15 07:30:18 | theregister | NATION STATE ACTIVITY | European Court Rules Against Government-Imposed Encryption Backdoors | The European Court of Human Rights (ECHR) ruled that mandatory encryption backdoors and extensive data retention violate human rights. The decision comes from a case involving Russia's demand in 2017 that Telegram assist in decrypting user communications. The Russian laws were deemed disproportionate and unnecessary in a democratic society, as they risk weakening encryption for all service users. The ruling affects European countries contemplating similar laws that could weaken encryption, such as the proposed Chat Control legislation. Chat Control, an EU data surveillance initiative, aims to scan digital communications for illegal content, which contradicts the ECHR ruling. European Parliament member Patrick Breyer praised the decision, stating that it proves such surveillance tactics are illegal and incompatible with EU law. The judgment puts pressure on EU governments to reconsider their stance on proposals that undermine secure encryption and enable mass surveillance. | Details |
| 2024-02-15 05:22:50 | thehackernews | CYBERCRIME | Microsoft Warns of Actively Exploited Critical Exchange Flaw | Microsoft has confirmed that a newly identified critical security flaw in Exchange Server, tracked as CVE-2024-21410, is actively being exploited. CVE-2024-21410 is a privilege escalation issue with a CVSS score of 9.8, enabling attackers to use leaked NTLM credentials to gain privileges on the Exchange Server. The exploitation allows attackers to authenticate as the user on the Exchange Server by relaying the user's leaked Net-NTLMv2 hash. Microsoft has released Exchange Server 2019 Cumulative Update 14 (CU14), which enables Extended Protection for Authentication (EPA) by default to address the vulnerability. Specifics about the nature of the exploitation or the identity of the attackers remain undisclosed, although similar tactics have been used by Russian state-affiliated groups like APT28. Apart from CVE-2024-21410, Microsoft addressed other actively exploited vulnerabilities in its Patch Tuesday update, including CVE-2024-21351 and CVE-2024-21412, the latter exploited by the Water Hydra APT group. CVE-2024-21413 is also patched, a critical flaw in Outlook that allows remote code execution and can bypass security measures such as Protected View by exploiting the incorrect parsing of hyperlinks. | Details |
| 2024-02-15 04:36:55 | theregister | CYBERCRIME | North Korea Sells Malware-Infested Gambling Sites to Fund Regime | North Korea is allegedly operating a revenue-generating scheme that involves selling gambling websites pre-loaded with malware. The operation is linked to the North Korean IT organization Gyeongheung, associated with the secretive "Office 39" of the ruling Workers' Party of Korea. South Korean cybercriminal groups have reportedly purchased these websites, which cost around $5,000 monthly, with an additional $3,000 for technical support. The malicious code embedded in the websites' automatic betting features is designed to steal personal information from gamblers for subsequent sale. The cyber operation was profitable, potentially earning billions for its operators, while also offering tech support and bonuses for collecting banking details of Chinese nationals. To avoid UN sanctions, the North Korean IT workers posed as Chinese, using forged IDs and stolen professional credentials, and they laundered money through Chinese-named bank accounts. Some clients did business with the sanctioned North Korean operators, enticed by low costs and language commonalities. This activity not only compromises cybersecurity but also functions as a financial resource for North Korea, circumventing international sanctions. | Details |
| 2024-02-15 00:12:33 | theregister | NATION STATE ACTIVITY | OpenAI Terminates Accounts Linked to Foreign Malicious Actors | OpenAI identified and shut down five accounts associated with government agents from China, Iran, Russia, and North Korea, aimed at creating phishing emails and malicious software. The terminated accounts include two China-affiliated threat actors Charcoal Typhoon and Salmon Typhoon, the Iran-affiliated Crimson Sandstorm, the North Korea-affiliated Emerald Sleet, and the Russia-affiliated Forest Blizzard. These threat actors were allegedly using OpenAI's services for activities such as language translation, finding coding errors, and generating code, which could support cyberattacks and phishing campaigns. OpenAI collaborated with Microsoft to detect and disable these malicious accounts and stressed the limited capabilities of GPT-4 in performing malicious cybersecurity tasks. Microsoft's Threat Intelligence provided additional details on the specific nature of activities conducted by these groups, such as translating technical papers and researching cybersecurity. OpenAI emphasized that their systems are designed to prevent misuse and filter out requests for harmful information and malicious code, suggesting that their AI models are not particularly effective in aiding cybercrime. | Details |
| 2024-02-14 23:31:38 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Flaw in Microsoft Exchange Exploited Before Patch | Microsoft confirmed that a critical vulnerability in Exchange Server was exploited as a zero-day before a patch was issued on Patch Tuesday. The vulnerability, identified as CVE-2024-21410, allows remote, unauthenticated attackers to escalate privileges via NTLM relay attacks. NTLM relay attacks involve attackers coercing network devices to authenticate against a server they control, enabling privilege escalation and impersonation. Exchange Server 2019 Cumulative Update 14 (CU14) mitigates this issue by enabling NTLM credentials relay protection, also known as Extended Protection for Authentication (EPA). EPA is an enhancement to Windows Server authentication designed to combat relay and man-in-the-middle attacks. Extended Protection (EP) will automatically be enabled on all Exchange servers with the latest CU14 update, but admins can also manually enable it on older versions. Microsoft advises administrators to review the potential impact on their environments, referencing documentation for the ExchangeExtendedProtectionManagement PowerShell script, to avoid functional disruptions. An unrelated critical remote code execution (RCE) vulnerability in Outlook was incorrectly reported as being exploited but has since been patched. | Details |
| 2024-02-14 23:11:04 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Targets Fulton County, Threatens Data Leak | The LockBit ransomware group has claimed responsibility for a cyberattack on Fulton County, Georgia. Fulton County's IT systems, including phone, court, and tax services, were disrupted during the last weekend of January. Nearly three weeks post-incident, services remain impacted, with property tax systems still offline and phone lines only partially restored. Fulton County officials report no confirmed sensitive data theft as of now but acknowledge the breach did occur. LockBit has threatened to publish confidential documents, including citizens' personal data, unless a ransom is paid by February 16. The county is considering using insurance to recover its systems, which suggests they may not pay the ransom to LockBit. Despite service disruptions, penalties for delayed water bill payments will be waived for residents. | Details |