Daily Brief

Total articles found: 12612

2023-11-21 15:05:32 bleepingcomputer MISCELLANEOUS Criminal IP Joins VirusTotal as IP and URL Scan Contributor
Criminal IP, an AI SPERA-developed Cyber Threat Intelligence (CTI) search engine, has integrated with VirusTotal, providing IP address and URL scans. VirusTotal aggregates threat intel from over 70 antivirus engines and contributors, enhancing global cybersecurity through collective intelligence. Criminal IP specializes in real-time threat detection using AI to collect threat information primarily focusing on IP addresses and domains. As a VirusTotal contributor, Criminal IP aids in detecting suspicious IPs, domains, or URLs, and contributes additional detailed analysis for users. The newly added URL scan feature by Criminal IP on VirusTotal includes data extraction on network logs, associated IPs, and potential website vulnerabilities. Criminal IP offers tiered membership plans, from Free to Pro, to access its comprehensive threat intelligence services, accommodating different user needs. AI SPERA released Criminal IP in April 2023 after a year-long beta, creating partnerships with global security firms and achieving high compliance standards. Criminal IP provides multilingual support, reflecting its global user engagement and commitment to diverse cybersecurity communities.
2023-11-21 13:58:11 theregister MISCELLANEOUS Enhancing Cybersecurity with the eXtended Software Bill of Materials
A Software Bill of Materials (SBOM) is now essential to meet regulatory and buyer demands, providing a detailed list of an application's components and metadata. The U.S. Government's Executive Order from May 2021 stressed the importance of SBOMs in improving the nation's cybersecurity. Critics suggest that SBOMs may not offer a complete view of application attack surfaces due to their complexity and continuous evolution. The concept of an eXtended Software Bill of Materials (XBOM) has been introduced as a way to provide a more accurate and comprehensive understanding of applications, infrastructure, and pipelines. XBOMs aim to enhance SBOMs by offering a fuller inventory of application components, related risks, and tracking modifications over time. A webinar titled "Why You Need an XBOM: An eXtended Software Bill of Materials" is scheduled to discuss the limitations of SBOMs and the benefits of XBOMs for application and supply chain security. The webinar, sponsored by Apiiro, will take place on 28 November and aims to guide attendees on elevating their cybersecurity approach using XBOMs.
2023-11-21 13:58:11 thehackernews CYBERCRIME Play Ransomware Now Operates as Ransomware-as-a-Service Model
The Play ransomware strain is being offered as Ransomware-as-a-Service (RaaS) to cybercriminals. Adlumin's report highlights consistent tactics across various attacks, implying use by affiliate purchasers of the RaaS. Attacks feature the use of the same malware-hiding techniques, account creation passwords, and commands. Play ransomware exploits Microsoft Exchange Server vulnerabilities and uses double extortion tactics. The shift to RaaS indicates the evolution of Play from being operator-exclusive to commercially available for affiliates. The accessibility of RaaS kits equipped with tools and support is attracting a broader range of cyber attackers. Businesses and authorities are advised to prepare for an increase in cyber incidents due to the proliferation of RaaS offerings like Play.
2023-11-21 13:32:06 bleepingcomputer MISCELLANEOUS Malwarebytes Offers Half-Price Deal on Premium Bundle
Malwarebytes is offering a 50% discount on its Premium + Privacy VPN bundle for Black Friday through Cyber Monday, ending November 30th. The promotional bundle includes real-time malware protection, exploit protection, and behavior detection for ransomware attacks. Malwarebytes Premium actively monitors network connections to block communication with malicious sites and C2 servers. The Privacy VPN feature enables anonymous browsing and downloading, with access to 500 servers across 30+ countries. The VPN service is based on the WireGuard protocol known for modern, high-performance, secure VPN connections. The limited-time offer is aimed at consumers looking for comprehensive cyber protection at a reduced cost. BleepingComputer has a partnership with Malwarebytes and will earn a commission from purchases made via links in the article.
2023-11-21 13:26:44 theregister DATA BREACH Extensive Canadian Government Data Potentially Exposed in Third-Party Breach
The Canadian government has confirmed a data breach occurred via third-party service providers offering relocation services. Current and former government employees, armed forces, and RCMP personnel data from as far back as 1999 could be compromised. The government is analyzing a large dataset to determine the extent of the breach and identify individuals at risk. Relocation service servers contained sensitive personal and financial information of those utilizing the service. Affected individuals are urged to change login credentials, enable multi-factor authentication, and monitor accounts for unusual activity. The government is offering preventative support such as credit monitoring and replacement of potentially compromised documents. There is little information about the attackers' methods and the full extent of the breach, although ransomware gang LockBit has claimed responsibility and demanded a ransom. Experts and authorities generally advise against paying ransoms to cybercriminals, as there is no guarantee of data recovery or non-release.
2023-11-21 11:59:34 thehackernews MALWARE New Agent Tesla Malware Variant Exploits ZPAQ Compression
A new variant of the Agent Tesla malware leverages ZPAQ compression to evade detection in email-based attacks. The ZPAQ compression format is less commonly used and has been chosen for its better compression ratio and limited software support, which complicates detection. Agent Tesla, first noticed in 2014, is a .NET-based keylogger and RAT provided via a malware-as-a-service model, often infiltrating systems through phishing. Recent campaigns employ an outdated Microsoft Office vulnerability to deliver the payload, which masquerades as a legitimate PDF file in a ZPAQ compressed format. The delivered malicious .NET executable downloads and decrypts additional files, using common file extensions to disguise malicious network traffic. Once executed, Agent Tesla infects endpoints and obfuscates its activity using .NET Reactor; C2 communications are managed through Telegram. The use of ZPAQ suggests attackers are either targeting specific technically savvy individuals or experimenting with new methods to spread malware and undermine security measures.
2023-11-21 10:53:00 theregister MISCELLANEOUS Continuous Training Essential for EMEA Cybersecurity Readiness in 2024
EMEA organizations are encouraged to maintain constant vigilance against cyber threats through continuous training. Cybersecurity professionals need up-to-date knowledge on emerging threats and defense strategies. The SANS Institute offers a comprehensive course library for 2024 to enhance cybersecurity skills across the region. Training courses cover a wide array of topics including Cloud Security, DFIR, Offensive Operations, Leadership, OSINT, and ICS. Courses are accessible in various formats and locations, catering to professionals already in the field and those starting new careers. Attendees at SANS events gain practical insights from experts actively working in cybersecurity. Participants have the opportunity to earn GIAC certifications, validating their expertise in the rapidly evolving cyber landscape. The full catalogue of SANS 2024 EMEA training courses is available through the provided link for those interested in advancing their cybersecurity knowledge.
2023-11-21 10:42:34 thehackernews CYBERCRIME Advanced Phishing Techniques Employ QR Codes, Captchas, and Steganography
Cybercriminals are evolving their phishing attacks by using QR codes, CAPTCHAs, and steganography to deceive individuals and bypass security systems. Quishing, a combination of QR codes and phishing, allows attackers to embed malicious links inside QR codes, evading email spam filters and complicating their detection by security tools. CAPTCHA-based attacks involve tricking users with realistic-looking credential-harvesting forms on websites, protected by CAPTCHAs to thwart automated security tools and web crawlers. In one instance, attackers targeted employees of Halliburton Corporation by requiring a CAPTCHA and then mimicking a convincing Office 365 login page to collect user credentials. Steganography is utilized in phishing to hide harmful scripts in seemingly innocuous media files, such as images, which are delivered to unsuspecting victims via email attachments or illegitimate download links. ANY.RUN is a sandbox environment providing tools for analysis and detection of phishing techniques, offering insights into these sophisticated cyberattacks. ANY.RUN's current promotional offer aims to enhance cybersecurity measures against these increasingly prevalent and advanced phishing tactics.
2023-11-21 10:01:32 thehackernews MALWARE Hackers Leverage Apache Flaw for Crypto Mining and Rootkits
Kinsing hackers are exploiting a critical vulnerability in Apache ActiveMQ to infect Linux systems. Infected systems suffer from illicit cryptocurrency mining and system performance degradation. The malware targets misconfigured container environments, using server resources for mining profits. The group also rapidly adapts to exploit newly revealed vulnerabilities in web applications. The recent campaign uses CVE-2023-46604, enabling remote code execution for malware installation. The Kinsing malware ensures persistence by loading a rootkit into the system’s library. Organizations using Apache ActiveMQ are urged to update to patched versions to prevent compromises.
2023-11-21 07:48:54 thehackernews MALWARE Malicious Apps Imitate Trusted Entities to Steal Data from Indian Users
A new malware campaign targeting Indian Android smartphone users has been discovered, using socially engineered messages to distribute fraudulent apps. Attackers are utilizing social media platforms, particularly WhatsApp and Telegram, to trick users into installing malicious apps by impersonating banks and government agencies. The fraudulent apps aim to harvest personal information, including banking details, payment card info, account credentials, and potentially intercept one-time passwords. The malware campaigns involve sending APK files through social media, creating a sense of urgency by falsely claiming users must update their permanent account number (PAN). Upon installation, these apps request sensitive information from the user and proceed to transmit the data to a command-and-control server or a specific phone number. The malware has additional capabilities such as hiding its icon from the home screen and reading and sending SMS messages to facilitate financial fraud. Variants of the trojan have also targeted users' credit card details and cryptocurrency wallet information. In light of increasing threats, Google and Samsung have introduced new security features to protect users against malicious app installations. Android users are reminded to be diligent about app permissions and the legitimacy of app developers.
2023-11-21 07:02:42 thehackernews NATION STATE ACTIVITY Mustang Panda Targets Philippines Amid Tensions over South China Sea
A cyber-espionage campaign linked to the China-based Mustang Panda group has targeted a Philippines government entity during increased South China Sea tensions. Palo Alto Networks' Unit 42 identified three attacks in August 2023 that mainly focused on South Pacific organizations and used legitimate software to sideload malware. Mustang Panda, known by various aliases, uses spear-phishing to deliver malicious payloads and has been active since at least 2012, engaging in espionage against NGOs and governments globally. The Philippines government likely faced a security breach over five days in mid-August through compromised software designed to bypass antivirus solutions. The threat actor also disguised malware traffic as legitimate Microsoft communications for C2 connections and has consistently shown capability in persistent cyberespionage. In addition to the Mustang Panda activity, a South Korean APT actor named Higaisa has also been observed targeting Chinese users with phishing schemes and Rust-based malware.
2023-11-21 01:06:51 bleepingcomputer MISCELLANEOUS Tor Project Cuts Off Relays Engaged in For-Profit Schemes
The Tor Project recently removed several network relays to protect user safety and network security. Relays are essential for anonymizing traffic in the Tor network but were misused for a cryptocurrency scheme. Some relay operators were unaware they were part of a high-risk project or were operating in dangerous regions. The community has debated policies about relay operations and what constitutes policy violations. Profit-driven relay operations conflict with Tor's ethos of volunteerism and fighting against internet censorship. The Tor network could face risks of invasive centralization if for-profit operations scale up significantly. BleepingComputer sought more information from The Tor Project without a response. Unconfirmed reports suggest nearly a thousand blocked relays may be linked to a service known as ATor (AirTor).
2023-11-20 22:33:57 bleepingcomputer NATION STATE ACTIVITY Nation State-Linked Gamaredon Group's USB Malware Spreads Globally
LittleDrifter, a USB-propagating worm, has breached systems beyond Ukraine, impacting several countries including the US, Germany, and Vietnam. The worm, affiliated with the state-sponsored Russian espionage group Gamaredon, was supposedly designed to target Ukrainian entities but reached unintended victims. Check Point's research revealed the malware is built in Visual Basic Script (VBS) to spread via USB drives and has ties to Gamaredon's USB PowerShell worm. The Gamaredon group, associated with multiple aliases such as Shuckworm, has a history of cyber espionage focused on Ukrainian government, defense, and critical infrastructure. LittleDrifter is structured to set up communication with designated command and control (C2) servers and disseminates through connected USB drives using deceptive tactics. Gamaredon's operational methodology includes using domain names as a placeholder for C2 server IP addresses, switching them frequently to avoid detection. The primary objective of LittleDrifter appears to be to establish a foothold within the infected system, with contingency plans to communicate with the C2 through a Telegram channel if needed. Although complicated payload deliveries were not observed, the findings suggest that the attacks are highly specified, with LittleDrifter poised for initial foothold operations ahead of further attack stages.
2023-11-20 20:46:35 bleepingcomputer MALWARE Phobos Ransomware Variant Falsely Implicates VX-Underground Group
A new variant of Phobos ransomware is using the email address of the malware-sharing collective VX-Underground in its ransom note. Phobos ransomware is related to the Crysis ransomware family and operates as ransomware-as-a-service with affiliates conducting the attacks. The latest variant creates a text note and an HTA file for its ransom message, jokingly stating that 'VX-Underground' is not the decryption password. This ransomware campaign accounts for 4% of all submissions to the ID Ransomware service in 2023. Similar tactics of taunting cybersecurity researchers and communities have been observed with other ransomware groups in the past, sometimes escalating into abusive or harmful actions. The act of misattributing ransomware attacks could be a form of psychological warfare or an attempt to mislead investigators and law enforcement.
2023-11-20 20:41:13 theregister DATA BREACH Over 77 Million Affected by MOVEit Data Breach Incident
A security vulnerability in Progress Software's MOVEit file transfer application led to a massive data breach affecting over 2,620 organizations and more than 77 million individuals. The Russian ransomware gang Clop exploited the bug in May, leading to extensive personal data access and leakage. Avast, the antivirus company and one of the victims, acknowledges that low-risk personal customer information was accessed but downplays the severity of the breach. Avast offers affected customers six months of free dark web monitoring, alongside a push for an enhanced paid security service, which has provoked customer backlash. Welltok, another company utilizing MOVEit, reports that over 1.6 million patients' data, including sensitive health information, was potentially stolen due to the breach. Impacted entities include major healthcare providers such as Stanford Health Care, Corewell Health, and Sutter Health. Welltok's notification to patients indicates that exposed data may include names, addresses, birth dates, Social Security numbers, and health insurance details, among others.