Daily Brief


Total articles found: 12652

Checks for new stories every ~15 minutes

2024-01-18 18:47:43 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts Kansas State University's IT Systems
Kansas State University is responding to a cyberattack that disrupted critical network systems, including VPN, email, and video services. Essential systems were taken offline immediately upon detection of the incident, affecting VPN access, email, video hosting on Canvas and Mediasite, printing, shared drives, and Listservs. University officials have engaged third-party IT forensic experts to investigate the nature of the attack. Academic deans have received guidance on maintaining educational continuity using alternative resources while some systems remain unavailable. Students and staff are advised to stay alert for suspicious activity and report it to the IT help desk. Email delivery of "K-State Today" is expected to be partially restored in a modified format with content limitations. So far there is no indication of a data breach affecting the personal information of students or staff. The incident is the second major cyberattack on an educational institution in 2024, following a ransomware attack on Memorial University of Newfoundland.
2024-01-18 18:32:06 | theregister | NATION STATE ACTIVITY | Proposed Reforms Aim to Enhance Cyber Safety Review Board's Independence
The US Cyber Safety Review Board (CSRB) may become a permanent entity amid calls for greater independence and transparency. The CSRB, established by Executive Order in 2021, has published only two reports on major cybersecurity incidents, analyzing Log4J and the LAPSUS$ group. Experts argue for the board's independence to prevent conflicts of interest, citing the potential for biased reporting from private sector members involved in the incidents under review. One suggestion is that the CSRB operate like the National Transportation Safety Board, with the authority to conduct in-depth investigations and report findings publicly. The cybersecurity industry relies on private companies for intelligence sharing, and the CSRB aims to provide actionable information without legal restrictions or profit considerations. Subpoena power for the CSRB is debated: some experts favor it to compel information sharing, while others caution against it until further regulatory details are established. The hearing concluded without an endorsement from Senator Gary Peters, indicating that discussions to define the CSRB's role and capabilities are ongoing.
2024-01-18 17:41:02 | bleepingcomputer | MISCELLANEOUS | Haier Issues Takedown Notice Against Home Assistant Plugin Developer
Haier has issued a legal takedown notice to a German developer for creating and publishing Home Assistant integration plugins on GitHub. The plugins allowed smart appliances from Haier and its affiliated brands to be controlled through the open-source Home Assistant automation platform. Haier asserts that the plugins cause financial harm and violate copyright law, and demands their immediate removal to avoid further legal action. The developer, Andre Basche, has indicated he will take down the projects following Haier's legal threats. The open-source nature of the plugins has stirred a community backlash, with calls to boycott Haier-branded products and growing support for the developer. The long-term viability of the plugins is uncertain given Haier's stance, but community support may lead to the code being maintained through forks or clones. Haier did not immediately comment when contacted by the media.
2024-01-18 17:04:49 | theregister | MISCELLANEOUS | The Unseen Toll of Ransomware: Mental Health Crises Among Cybersecurity Pros
Ransomware attacks are causing severe psychological and physical health problems for cybersecurity professionals, including cases of hospitalization and suicidal ideation. A financial industry cybersecurity worker attributed a heart attack to the stress of managing a ransomware incident, while a charity security staffer was hospitalized for health problems exacerbated by a ransomware attack. Research by the Royal United Services Institute (RUSI) details the extensive and largely unrecognized psychological harm to infosec workers, linking high stress levels and burnout to the field. Victims often blame themselves for ransomware incidents, leading to mental anguish, doubt in their abilities, and fear of job insecurity and reputational damage. One engineering business established a PTSD support team in recognition of the immense pressure on IT staff after an attack, although the PTSD was self-identified by respondents rather than clinically diagnosed. The prospect of regulatory action and personal accountability for breaches adds to the long-term mental strain on defenders. Social impacts included strained personal and professional relationships, with prolonged working hours reducing time spent with family and affecting coworkers' behavior. Financial impacts extend beyond the victim organizations to individuals, including potential job losses and personal costs for therapy to recover from the incidents.
2024-01-18 16:38:56 | thehackernews | MALWARE | Novel Docker Malware Siphons CPU for Crypto Mining, Simulates Web Traffic
A new cyberattack campaign targeting vulnerable Docker services has been discovered, utilizing both cryptocurrency mining and fake website traffic generation as monetization methods. The malware deploys XMRig, a tool for mining Monero (XMR) cryptocurrency, and 9Hits Viewer, software that simulates traffic to websites to earn credits within an exchange service. Security experts note this is the first time the 9Hits application has been employed as part of a malware payload, demonstrating threat actors' evolving strategies. Attackers are potentially scanning for open Docker API ports using search engines like Shodan, then installing malicious containers to exploit these services. Once breached, the servers run two containers—one for the 9Hits Viewer to accrue traffic credits fraudulently, and another for the XMRig miner to exploit CPU resources for cryptocurrency mining. Legitimate server workloads suffer due to resource exhaustion caused by the malware, and there's a risk of further compromise, such as adding a remote shell for more severe breaches. The scale and profitability of this campaign remain unknown since the XMRig miner connects to a private mining pool, concealing its activities.
2024-01-18 16:13:00 | bleepingcomputer | CYBERCRIME | BreachForums Founder Faces 15-Year Sentence Recommendation by US Government
The U.S. government has suggested a 15-year prison sentence for Conor Brian Fitzpatrick, creator and lead admin of the cybercrime forum BreachForums. BreachForums, successor to RaidForums, hosted vast quantities of stolen data, with over 888 databases and 14 billion records. Fitzpatrick, known as "Pompompurin", was arrested on March 15, 2023, and was released on bond, only to be re-arrested for breaching release terms. His role in facilitating cybercrime is highlighted by the fact that he brought together over 300,000 members to trade stolen databases and personal data on a large scale. In acting as a middleman, Fitzpatrick greatly facilitated the distribution of stolen data, encouraging the sharing of data samples before transactions. Child pornography was found amongst the confiscated materials, contributing to the gravity of the charges. The defendant's cooperation with the authorities, lack of a violent crime record, and an early plea deal may have influenced his recommended lower-end sentence. The government's proposal includes imprisonment, a fine for possession of child pornography, supervised release, restitution to victims, and forfeiture of assets.
2024-01-18 15:32:10 | theregister | CYBERCRIME | Exploited Citrix NetScaler Vulnerabilities Prompt Security Alert
Two new vulnerabilities in Citrix NetScaler ADC and Gateway products have been exploited in the wild before a fix was available. CVE-2023-6548 allows for remote code execution, though it requires an authenticated user with low-level privileges and access to certain management IPs. CVE-2023-6549 poses a denial-of-service threat with an 8.2 CVSS rating, impacting appliances configured as a gateway or AAA virtual server. Even though Citrix's configuration instructions recommend keeping management interfaces private, over 1,400 interfaces were reportedly exposed online. Only customer-managed NetScaler ADC and Gateway instances are affected; cloud-managed services are not vulnerable to these flaws. Citrix and Tenable security researchers urge customers to apply the provided patches immediately to prevent widespread exploitation. The US Cybersecurity and Infrastructure Security Agency has added both CVEs to its Known Exploited Vulnerabilities Catalog, underscoring the seriousness of these exploits.
2024-01-18 15:06:31 | bleepingcomputer | DATA BREACH | Combatting the Threat of Leaked Credentials and Infostealer Malware
Infostealer malware represents a significant risk as it captures browser-stored credentials, session cookies, and other data, often self-terminating after data exfiltration. Organizations face ongoing threats from leaked credentials, commonly resulting from password reuse across multiple applications, enabling brute force attacks on various services. Flare monitors over 40 million stealer logs and 14 billion leaked credentials, providing insights into how threat actors acquire and utilize this information. Tier 1 leaked credentials come from third-party breaches and are distributed on the dark web, while Tier 2 credentials are stolen directly through malware, posing a greater risk. Fresh stealer logs (Tier 3) are critical as they might contain active session cookies, enabling attackers to perform session hijacking and potentially bypass 2FA and MFA controls. Implementing strong defense strategies such as employee email monitoring, password resets, password managers, and limited TTL for application sessions can mitigate these cyber risks. Two-factor authentication (2FA) is not foolproof, and attackers employ various tactics, such as social engineering and SIM swapping, to bypass these additional security measures. Flare offers a platform for detection and monitoring of leaked employee credentials on the dark web and other channels, with a setup time of just 30 minutes and a free trial option.
2024-01-18 14:50:54 | thehackernews | MALWARE | Russian COLDRIVER Hackers Deploy Custom SPICA Malware in Phishing Attacks
Google's Threat Analysis Group reported new activity by the Russian-linked hacker group COLDRIVER involving the use of custom malware. COLDRIVER has long been known for phishing campaigns but has recently developed a malware family called SPICA, written in Rust. The malware is delivered via PDFs that, once opened, prompt victims to download a fake decryption tool that compromises the system. Targets are primarily in the defense, government, and energy sectors in the U.K., U.S., other NATO countries, and countries neighboring Russia. SPICA allows command execution, theft of browser cookies, and file manipulation, and establishes persistence on the infected machine via scheduled tasks. The campaign's infrastructure, including phishing domains and servers linked to indicted Russian operatives, has been added to Google's Safe Browsing blocklists to mitigate the risk.
2024-01-18 14:04:17 | theregister | MALWARE | Google Finds New Kremlin-Linked Malware Targeting Western Entities
Google's Threat Analysis Group (TAG) has uncovered a custom backdoor, known as SPICA, associated with Kremlin cyber spies. The cyber espionage group, identified by TAG as COLDRIVER, has been actively targeting military, government, and academic institutions in the US, UK, NATO countries, and Ukraine. COLDRIVER, also known as Star Blizzard, UNC4057, and Callisto, previously focused on credential phishing but has since expanded its techniques to include malware distribution. SPICA, written in Rust, can execute shell commands, steal browser cookies, and transfer files; TAG observed its use as early as September 2023, with roots tracing back to at least November 2022. Deployment of SPICA involves sophisticated social engineering in which the attackers impersonate known contacts of the target via email and use personal email accounts to circumvent stronger governmental security measures. Google TAG has released indicators of compromise to help organizations identify potential breaches by this backdoor and has observed highly targeted campaigns involving the malware. Government agencies and companies such as Microsoft have reported on COLDRIVER's evolving phishing tactics and improved evasion techniques, highlighting the increased threat posed by this group.
2024-01-18 14:04:16 | bleepingcomputer | NATION STATE ACTIVITY | Google Unveils New FSB-Linked Spica Backdoor Malware Attacks
Google's Threat Analysis Group discovered a new backdoor, named Spica, used by Russian-backed hackers. The ColdRiver group, linked to Russia's FSB, used phishing emails with encrypted PDF lures to distribute the Spica backdoor. The PDF documents appeared to be encrypted, and recipients were directed to download a fake PDF decryptor that installed Spica. The Spica malware allows attackers to run shell commands, steal browser cookies, transfer files, and exfiltrate documents from infected devices. The malware establishes persistence on targeted systems by creating a scheduled task named 'CalendarChecker.' Google has alerted all compromised Gmail and Workspace users to the government-backed attack and bolstered Safe Browsing protections with the relevant domains. ColdRiver, also known as Callisto Group, Seaborgium, and Star Blizzard, has been active since 2015 and is known for sophisticated OSINT and social engineering tactics. The U.S. State Department is offering rewards of up to $10 million for information leading to ColdRiver threat actors, underscoring the severity of their activities.
2024-01-18 12:36:54 | thehackernews | CYBERCRIME | TensorFlow CI/CD Vulnerability Risked Supply Chain Security
Critical CI/CD misconfigurations were found in the open-source machine learning framework TensorFlow that could have allowed supply chain attacks. Attackers could have compromised TensorFlow's GitHub and PyPI releases or gained remote code execution via a malicious pull request. An external attacker had the potential to obtain a GitHub Personal Access Token (PAT) and upload malicious code to the TensorFlow repository. The flaw stemmed from the use of self-hosted GitHub runners with public repositories, which can execute arbitrary code from a pull request without explicit approval. Security researchers from Praetorian identified non-ephemeral self-hosted runners and overly permissive GITHUB_TOKEN permissions, opening extensive privilege escalation possibilities. Among the risks was the ability to push malicious code updates or poison the Python package registry with a tainted .whl file. TensorFlow maintainers have fixed the issues by requiring approval for pull requests from forks and setting read-only permissions for GITHUB_TOKEN in self-hosted runner workflows. The incident highlights a growing trend of CI/CD-related threats, with AI/ML companies at particular risk because of their heavy reliance on self-hosted runners for resource-intensive workflows.
2024-01-18 12:06:16 | thehackernews | CYBERCRIME | Best Practices to Mitigate Rising MFA Spamming Attacks
Multi-factor authentication (MFA) is being targeted by cybercriminals using a technique called MFA spamming or MFA fatigue to bypass security. MFA spamming involves bombarding a user with multiple MFA prompts in hopes they will accidentally approve an unauthorized login. Attackers first need the victim's username and password to trigger MFA prompts, which can be acquired through phishing, credential stuffing, or the dark web. To combat MFA spamming, enforcing strong password policies and blocking known breached passwords is essential. Regularly training users to recognize and respond appropriately to suspicious MFA requests can prevent unauthorized account access. Implementing rate limiting on authentication requests and monitoring for unusual MFA activity is recommended to curtail MFA spamming attacks. Organizations are encouraged to adopt Specops Password Policy with Breached Password Protection and use tools like Specops uReset for swift password resets to enhance security measures against these attacks.
2024-01-18 11:04:50 | bleepingcomputer | CYBERCRIME | Hackers Exploit Docker Hosts for Website Traffic Hijacking
Attackers are breaching vulnerable Docker services to deploy an XMRig miner and the 9hits viewer app, abusing system resources for profit. The compromised Docker hosts feed a traffic exchange on the 9hits platform, where members mutually drive traffic to each other's websites. This is the first recorded instance of malware deploying the 9hits application, signaling a new exploitation method gaining traction among attackers. The attackers likely use network scanning tools to find vulnerable servers, then deploy containers via the Docker API using images pulled from legitimate sources such as Docker Hub. The 9hits container runs with a session token, allowing the attackers to accrue credits by visiting websites without risk of being banned. The XMRig miner exploits cloud resources to mine Monero cryptocurrency, while the 9hits viewer consumes significant bandwidth, memory, and CPU. The illicit use of cloud computing resources causes resource exhaustion, degrading legitimate workloads on infected servers. Cloud computing stakeholders are urged to adopt comprehensive security strategies, including zero-trust models, CWPP, and CSPM, to guard against resource exploitation and unauthorized access.
2024-01-18 10:18:35 | theregister | DDOS | Botnet Hijacks Smart TVs for DDoS Attacks and Propaganda
An eight-year-old cybercrime syndicate known as Bigpanzi is behind a massive botnet that infects smart TVs to conduct DDoS attacks and spread political propaganda. At its peak the botnet operated with over 170,000 bots per day, compromising Android-based smart TVs and streaming devices through pirated apps and firmware updates. Infection occurs when users are tricked into downloading malicious apps onto their TVs, after which the devices are used for cybercrime, including streaming hijacks that recently disrupted broadcasts in the UAE. The operation has connections to the infamous Mirai botnet, with the Pandoraspear malware enhancing its DDoS capabilities. Researchers from Qianxin have narrowed the identity of the perpetrators down to a single company but have not publicly disclosed it. The criminals have adapted by shifting their DDoS activity to a separate botnet and have retaliated against security researchers probing their operations. Although the scale of the infection is significant, its true extent is not fully understood because of the limited data captured by the researchers, who accessed only two of the nine C2 domains. The cybersecurity community is encouraged to collaborate on tracing and countering the activities of the Bigpanzi group.