Daily Brief

2024-04-16 07:35:10 thehackernews CYBERCRIME Global Arrests in Malware Distribution and Cryptojacking Scheme
The U.S. Department of Justice and Australian Federal Police have conducted arrests related to the distribution of a malicious software known as Hive RAT. Edmond Chakhmakhchyan from Los Angeles was arrested for selling Hive RAT licenses and offering customer support while explicitly advertising the malware's capabilities on a cybercrime forum. Hive RAT enables users to remotely access and control other people’s computers, steal credentials, and potentially engage in further criminal activities. The Australian suspect, whose identity remains undisclosed, has been charged with multiple counts related to the creation and distribution of the malware. Concurrently, another individual, Charles O. Parks III, was arrested for orchestrating a large-scale cryptojacking operation that defrauded major cloud providers, utilizing stolen computing resources for cryptocurrency mining. Parks employed deceptive practices to exploit elevated cloud computing privileges without payment, causing substantial financial losses to cloud service providers. These arrests underscore significant actions taken by law enforcement globally to tackle the burgeoning threats posed by advanced cybercriminal activities, including malware dissemination and cryptojacking.
2024-04-15 22:39:40 theregister CYBERCRIME Critical Security Flaw Found in Chirp Smart Locks, Thousands at Risk
Chirp Systems' smart locks can be remotely unlocked due to hard-coded credentials in their Android app. Over 50,000 households using affected Chirp-powered locks risk unauthorized access by strangers. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert and rated the security flaw with a CVSS score of 9.1. Despite being disclosed to Chirp three years ago, the vulnerability wasn't addressed until the recent CISA alert prompted an update for "bug fixes and improved stability." No known exploitation of this vulnerability has occurred, but the potential for gaining unrestricted physical access remains high. Chirp has updated its software after CISA's warning, but concerns about the efficacy of the patch remain given the long-standing nature of the issue. Chirp, acquired by RealPage in 2020, is under the umbrella of private equity firm Thoma Bravo, raising questions about accountability and responsiveness to such critical flaws.
2024-04-15 21:58:47 bleepingcomputer RANSOMWARE Ransomware Gang Leaks Data from United Health's Change Healthcare
The RansomHub ransomware gang has begun leaking alleged stolen data from Change Healthcare, a United Health subsidiary. Initially, the BlackCat/ALPHV ransomware group claimed responsibility for the cyberattack in February, which disrupted major US healthcare services and reportedly involved the theft of 6 TB of data. Following law enforcement pressure, BlackCat declared the closure of their operations and a supposed exit scam involving a $22 million ransom from Change Healthcare. Subsequently, an affiliate named "Notchy" and RansomHub collaborated to extort Change Healthcare again, threatening to sell the stolen data if their demands were not met. The leaked data includes sensitive corporate and patient information, such as data-sharing agreements with insurance providers and detailed patient care billing. RansomHub has issued a new ultimatum, giving Change Healthcare a five-day deadline to meet their ransom demands to prevent the sale of the data to other parties. BleepingComputer has reached out to Change Healthcare for comments on the incident, but an official statement is pending.
2024-04-15 20:35:59 bleepingcomputer MALWARE Global Attack Campaign Uses Image Steganography to Spread Malware
The TA558 hacking group employs steganography, embedding malicious code in images to distribute malware. Over 320 organizations worldwide, especially in the hospitality and tourism sectors, were targeted by the SteganoAmor campaign. Attacks begin with malicious emails exploiting the CVE-2017-11882 vulnerability in Microsoft Office, which only succeeds against outdated, unpatched versions. The malicious payload is disguised within legitimate-looking document attachments and images, fetched from compromised legitimate services such as Google Drive. Positive Technologies identified a diverse array of malware delivered through these tactics, posing severe security risks. The use of legitimate cloud and FTP services to host malware and command-and-control servers helps avoid detection by traditional antivirus tools. Updating Microsoft Office significantly mitigates the threat by closing the exploited vulnerability.
2024-04-15 19:14:08 bleepingcomputer MISCELLANEOUS Microsoft Sets New Email Limits to Curb Spam Abuse
Microsoft plans to impose a daily limit of 2,000 external recipients for bulk emails via Exchange Online starting January 2025. The new limit aims to prevent the misuse of Exchange Online services and ensure fair usage among all users. This new External Recipient Rate (ERR) limit will act as a sub-limit within the existing 10,000 recipient limit per day. Customers needing to exceed the 2,000 external recipient limit will be required to transition to Azure Communication Services for Email. Google, following a similar path, has tightened spam defenses by implementing stricter requirements for bulk email senders. Bulk email senders targeting Gmail users must now employ SPF/DKIM and DMARC authentication for their domains and adhere to best practices for unsubscribing and message relevance. Failure to comply with Google's new guidelines will lead to rejection of the emails by Gmail.
2024-04-15 18:11:15 bleepingcomputer CYBERCRIME Crypto Miner Indicted for $3.5 Million Cloud Computing Fraud
Charles O. Parks III was arrested for committing wire fraud, money laundering, and engaging in unlawful monetary transactions using cloud servers for crypto mining. Parks employed fake corporate identities to establish accounts with major cloud service providers, costing them $3.5 million. He mined cryptocurrencies, including Ether, Litecoin, and Monero, using illicitly obtained computing resources. The fraudulent activities included tricking providers into granting him high-level access and using powerful servers with GPUs. Parks laundered the mined cryptocurrencies through NFTs and various online exchanges, converting them into USD to finance a high-end lifestyle. The indictment notes Parks left substantial unpaid bills at the cloud providers, directly impacting their financials. His initial court hearing is scheduled, with the indictment possibly leading to a 30-year prison sentence. Additional tips were provided to cloud service providers on enhancing security measures against similar fraudulent activities.
2024-04-15 16:53:12 thehackernews DATA BREACH Unpatched Security Flaw in Intel, Lenovo BMCs Raises Risks
Binarly identified an unpatched vulnerability in the Lighttpd web server used in Intel and Lenovo baseboard management controllers (BMCs). The flaw was fixed in Lighttpd version 1.4.51 in August 2018, but the fix was shipped without a CVE identifier or advisory. The flaw, an out-of-bounds read, could allow extraction of sensitive data and bypass of security mechanisms like ASLR. Intel and Lenovo have not updated the affected BMCs because these products have reached end-of-life status, leaving a "forever-day" bug. The issue highlights the risk posed by outdated third-party components in firmware, affecting supply chain and end-user security. The absence of detailed advisories for security fixes prevents them from being picked up and acted on along the firmware and software development chains.
2024-04-15 16:02:06 bleepingcomputer DATA BREACH Dutch Chipmaker Nexperia Targeted in Ransomware Data Breach
Dutch chipmaker Nexperia suffered a significant data breach with unauthorized access to its IT servers in March 2024. Hackers behind the 'Dunghill Leak' site, linked to the Dark Angels ransomware gang, claimed the attack and threatened to release 1 TB of stolen data. Nexperia's initial response included shutting down affected IT systems and disconnecting them from the internet to contain the incident. The company has enlisted the services of cybersecurity firm FoxIT to assist in the investigation and evaluate the nature and extent of the breach. Nexperia reported the breach to law enforcement and data protection authorities in the Netherlands. Stolen data allegedly includes microscope scans of electronic components, employee passports, and non-disclosure agreements. Nexperia has not confirmed the authenticity of the data samples leaked online by the ransomware group.
2024-04-15 15:36:32 theregister DATA BREACH Roku Enforces 2FA Following Two Significant Account Breaches
Roku has implemented mandatory two-factor authentication (2FA) after approximately 591,000 user accounts were compromised in two separate incidents. The initial breach affected 15,363 accounts, prompting closer monitoring which then uncovered a second, larger breach impacting around 576,000 accounts. Fewer than 400 of these compromised accounts were used to make unauthorized purchases of subscriptions and Roku hardware. All affected customers have been reimbursed, and Roku reports no access to sensitive information such as full payment details or social security numbers. The breaches were attributed to credential stuffing attacks using login details obtained from breaches of other services. Roku confirmed its systems were not compromised and the credentials used were likely obtained from external sources. All Roku users, regardless of whether they were affected, are advised to reset passwords and use unique, strong passwords managed with tools like password managers. Roku expressed regret for the incidents and reassured customers of their commitment to securing user accounts and data.
2024-04-15 15:05:42 bleepingcomputer RANSOMWARE Daixin Ransomware Gang Targets Omni Hotels, Threatens Data Leak
The Daixin Team ransomware gang claimed responsibility for a cyberattack on Omni Hotels & Resorts, threatening to release sensitive customer data. Following the attack, Omni Hotels experienced a significant IT systems outage affecting reservations, hotel room door locks, and POS systems nationwide. Omni confirmed the attack on April 2, initially detected on March 29, leading to immediate steps to contain and assess the breach with cybersecurity experts. The nature of the incident was confirmed by sources as a ransomware attack, with Omni restoring services from backups. Daixin Team has added Omni Hotels to their dark web leak site but has not yet provided evidence of the stolen data. Allegedly, the stolen data includes detailed records of all guests from 2017 to the present. Previously, in October 2022, U.S. agencies warned that Daixin was targeting the U.S. Healthcare and Public Health sector, using similar ransomware and extortion tactics. Omni Hotels, with extensive operations across North America, also experienced a data breach in 2016 involving POS malware that compromised payment card information.
2024-04-15 14:55:05 bleepingcomputer DATA BREACH Cisco Duo Alerts to Third-Party Breach of SMS MFA Logs
Cisco Duo reported a data breach at a third-party provider responsible for handling SMS and VoIP multi-factor authentication (MFA) messages. Hackers obtained employee credentials through a phishing attack and subsequently downloaded MFA message logs for specific accounts covering March 1, 2024, to March 31, 2024. The compromised data, which did not include the contents of the messages, could potentially be used for targeted phishing attempts to acquire sensitive information like corporate credentials. Cisco has been actively coordinating with the affected provider to investigate and mitigate the incident, reassuring customers that no messages were accessed or sent out by the intruders. All affected message logs have been secured, and customers can request details by contacting Cisco Duo; additional security measures have also been implemented. The company advised customers, particularly those with exposed employee data, to stay vigilant against possible SMS phishing or social engineering attacks using the stolen information. Cisco has yet to reveal the identity of the compromised telephony provider or the exact number of customers affected by the breach.
2024-04-15 14:03:28 theregister MALWARE Critical Vulnerability in Delinea Secret Server Requires Immediate Patch
Delinea's Secret Server products have a critical vulnerability that can be exploited to gain admin-level access. Researcher Johnny Yu discovered the flaw, which applies to both on-prem and cloud solutions and puts high-value organizational data at risk. Despite detailed disclosure by Yu and a campaign for acknowledgment, Delinea fixed the issue without crediting him. The vulnerability involved the SOAP API and is addressed in the latest release, version 11.7.000001. Related service outages were reported by Delinea on April 12, hinting at a security incident linked to the vulnerability. Infosec expert Kevin Beaumont suggests the outage might be connected to the patch and urges more transparency from Delinea. Delinea stated that there is no evidence of the vulnerability being exploited and that all customer data remains secure. Immediate patch application is strongly advised for on-prem users, while cloud users still need clarity on the preventative measures taken by Delinea.
2024-04-15 13:32:29 thehackernews CYBERCRIME Muddled Libra: Shifting Tactics to Target SaaS and Cloud Services
Muddled Libra, also known as Starfraud and UNC3944, targets SaaS applications and CSP environments to steal data and extort victims. The group employs sophisticated social engineering and uses legitimate applications to avoid detection while navigating networks. Its activities include reconnaissance to identify administrative users, often impersonating helpdesk personnel to obtain their credentials. An example of its evolved tactics is the exploitation of Okta in cross-tenant impersonation attacks, allowing access across multiple CSPs. The attackers leverage stolen admin credentials for SSO portals, enhancing their ability to move laterally within cloud infrastructures. Their methods focus on major services like AWS IAM, Amazon S3, and Azure Blob Storage to facilitate data theft. Exfiltration of data is accomplished by abusing CSP features, such as AWS DataSync and Azure snapshot techniques. Zimmermann emphasizes the importance of robust secondary authentication methods to counter the expanded tactics of Muddled Libra.
2024-04-15 13:32:29 thehackernews MISCELLANEOUS Navigating AI Innovations and Security Challenges in Coding
AI technology is rapidly integrating into modern software development, promising dramatic changes in productivity and application design. GitHub Copilot, developed by OpenAI, automatically generates code snippets, but raises security concerns due to potential vulnerabilities like SQL injection and buffer overflows. Studies highlight that Copilot can reproduce existing vulnerabilities, indicating a significant portion of its suggestions may compromise security. Secure coding practices are emphasized as paramount in safeguarding digital infrastructure against the risks posed by AI-generated code. Implementation of strict input validation, secure management of dependencies, regular security assessments, and continuous code review are recommended. Addressing AI's limitations requires a blend of AI-driven tools with developer oversight and sophisticated security strategies. Cydrill offers comprehensive training in proactive and secure coding practices aimed at empowering developers amidst AI integrations. Continuous education on emerging security threats and adherence to best coding practices is crucial in mitigating risks associated with AI-driven development tools.
2024-04-15 13:01:24 theregister NATION STATE ACTIVITY US Senator Proposes Ban on Chinese EVs Citing Security, Economic Risks
US Senator Sherrod Brown has urged President Biden to block the sale of Chinese electric vehicles (EVs) in the U.S. to protect domestic industries and national security. Brown expressed concerns that Chinese EVs, heavily subsidized by China, could undermine U.S. automakers and provide China access to sensitive personal data. The call for a ban emphasizes economic and security threats, amidst ongoing U.S.-China technological disputes, including recent U.S. sanctions on Chinese companies aiding military and intelligence sectors. Chinese automakers, representing half of the global annual EV sales, are seen as significant competitors due to lower pricing and heavy state subsidies. Amidst sanctions targeting companies like Huawei for national security reasons, U.S. politicians exhibit concern about Chinese tech impacting U.S. industries. Brown highlighted that Chinese vehicles incorporating extensive data-collecting technology pose additional security risks if allowed operational freedom in the U.S. The senator also referenced Europe's increasing intake of Chinese EVs and ongoing EU investigations into China’s subsidies to its EV sector, raising fears of similar market disruptions in the U.S.