Daily Brief

Articles are listed below, each followed by a generated summary.

2024-12-19 05:34:55 theregister CYBERCRIME Widespread Azure Phishing Attacks Target UK, European Sectors
Researchers from Palo Alto Networks' Unit 42 identified a phishing campaign that targeted about 20,000 users, chiefly in the automotive, chemical and industrial manufacturing sectors in the UK and Europe. The emails used a DocuSign pretext and an urgent tone to get recipients to hand over Microsoft Azure credentials. The aim was to take over victims' Azure cloud environments, giving the attackers prolonged unauthorized access and the opportunity for data theft. Unit 42 could not determine how many victims were actually compromised, but the targeting data pointed strongly at the UK and Europe. Links in the emails led to fake Microsoft Outlook Web Access login pages where credentials were harvested. Although some of the phishing infrastructure had been taken offline, Unit 42 found components still active, which let the researchers study the tactics and the source code behind the pages. Activity peaked in June and was still ongoing as of September, according to the researchers' tracking. Security experts stress vigilance and verification of sender addresses and embedded links as the main mitigation.
2024-12-18 23:21:38 bleepingcomputer CYBERCRIME Google Calendar Exploited in Widespread Phishing Campaign
An ongoing phishing campaign uses Google Calendar invites and Google Drawings to slip past spam filters and steal credentials. Over 4,000 emails impersonating some 300 brands were sent in four weeks, hitting sectors such as education, healthcare, construction and banking. Check Point's researchers found that because the invites are genuinely sent by Google, they pass DKIM, SPF and DMARC checks. The lure is a malicious link embedded in the calendar invite, which leads to a Google Form or Drawing that in turn nudges the target to click through to the credential-harvesting page, presented as a harmless action. The attackers also abuse Calendar's own behaviour: cancelling an event sends a follow-up notification that can carry yet another phishing link. The attack works against organizations whose Google Workspace administrators have not enabled the setting that restricts which invitations are added to users' calendars automatically, so unsolicited invites from unknown senders still land. Check Point advises caution with any unexpected meeting invite that asks the recipient to click a link, and verifying the sender's identity out of band.
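The summary above describes the lure but not how a mail gateway or SOC can catch it. As an added example, not code from Check Point or Google, the Python below unfolds an iCalendar (.ics) invite, pulls every link out of its text fields, and flags invites whose organizer is not a known sender or whose links point outside an allowlist. The sample invite, the tenant domain example.com and the allowlisted hosts are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not a captured message). The PRODID says Google
# Calendar, which is why mail authentication passes; the organizer is an
# arbitrary free-mail address and the body carries links off the organization's
# own domains. Long lines are folded per RFC 5545 (continuation = leading space).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Google Inc//Google Calendar 70.9054//EN\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@google.com\r\n"
    "ORGANIZER;CN=Accounts Team:mailto:random.person@gmail.com\r\n"
    "SUMMARY:Action required: confirm your account\r\n"
    "DESCRIPTION:Review the document here: https://docs.google.com/drawings/d\r\n"
    " /1AbC/view\\nIf that fails use https://secure-login.example-verify.buzz/a\r\n"
    " uth\r\n"
    "LOCATION:https://forms.gle/xyz\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumptions for this example: the tenant's own domain(s), and the hosts an
# invite is normally allowed to link to. Adjust to your environment.
KNOWN_SENDER_DOMAINS = {"example.com"}
ALLOWED_LINK_HOSTS = {"example.com", "meet.google.com", "calendar.google.com"}

# ICS escapes newlines as a literal backslash-n, so a backslash ends a URL.
URL_RE = re.compile(r"https?://[^\s\"'<>\\,;]+")
LINK_FIELDS = ("DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC")


def unfold(ics: str) -> str:
    """Join RFC 5545 folded lines: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics)


def parse_properties(ics: str) -> dict:
    """Map property name -> list of values, ignoring parameters such as ;CN=."""
    props = {}
    for line in unfold(ics).splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props.setdefault(name.split(";", 1)[0].upper(), []).append(value)
    return props


def host_allowed(host: str, allowed: set) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)


def analyze_invite(ics: str, known_sender_domains=KNOWN_SENDER_DOMAINS,
                   allowed_link_hosts=ALLOWED_LINK_HOSTS) -> dict:
    props = parse_properties(ics)
    organizer = props.get("ORGANIZER", [""])[0].lower().removeprefix("mailto:")
    org_domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    organizer_unknown = org_domain not in known_sender_domains

    findings = []
    if organizer_unknown:
        findings.append(f"organizer {organizer or '<none>'} is not a known sender")

    links = []
    for field in LINK_FIELDS:
        for value in props.get(field, []):
            for url in URL_RE.findall(value):
                if url not in links:
                    links.append(url)

    suspicious = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if not host_allowed(host, allowed_link_hosts):
            suspicious.append(url)
            findings.append(f"link to non-allowlisted host {host or '<none>'}")

    if organizer_unknown and suspicious:
        verdict = "hold"       # unknown organizer AND off-allowlist links
    elif organizer_unknown or suspicious:
        verdict = "review"
    else:
        verdict = "allow"
    return {"organizer": organizer, "links": links, "suspicious_links": suspicious,
            "findings": findings, "verdict": verdict}
```

Run this against the .ics attachment (or the invite body, which Google also sends as text) before the calendar auto-accepts it; the same check is what the Workspace setting that admits invites only from known senders does for the organizer half.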
2024-12-18 22:00:43 bleepingcomputer MALWARE Ukrainian Malware Operator Sentenced in Major Cybercrime Case
Ukrainian national Mark Sokolovsky was sentenced to five years in prison for operating the Raccoon Stealer malware. Sokolovsky and his co-conspirators rented the malware to other criminals as a service for $75 a week or $200 a month. Raccoon Stealer harvested credentials, cryptocurrency wallets, credit card data and other sensitive information from infected devices. In March 2022 law enforcement, including the FBI and Dutch and Italian authorities, dismantled the malware's infrastructure; around the same time the operators announced a suspension, which they attributed partly to the death of a key developer in the war in Ukraine. Despite that disruption, the operation has resurfaced several times with expanded data-theft capabilities. Sokolovsky was extradited to the U.S. in February 2024, pleaded guilty, and agreed to pay more than $910,000 in restitution. The FBI runs a dedicated portal where potential victims can check whether their data was taken by Raccoon Stealer.
2024-12-18 21:55:25 bleepingcomputer CYBERCRIME Russian Hackers Conduct Sophisticated RDP MiTM Attacks Globally
Russia's APT29, also tracked as "Midnight Blizzard," is running man-in-the-middle (MitM) attacks through a network of 193 remote desktop protocol (RDP) proxy servers. Targets include government, military, IT, telecommunications and cybersecurity organizations in several countries, among them the U.S., France and Germany. The group uses PyRDP, an open-source Python RDP proxy built for red teams, to intercept and manipulate RDP sessions, harvesting credentials and data and executing commands. Victims are lured by phishing emails carrying RDP configuration (.rdp) files; opening one connects the victim's client to an attacker-controlled server with resource redirection enabled, so local drives, the clipboard and other resources are shared with the attackers. Trend Micro's analysis details the techniques observed, including logging plaintext credentials, stealing clipboard contents and changing victims' system settings. To hide its infrastructure, APT29 fronts the proxies with commercial VPNs, Tor and residential proxy services that accept cryptocurrency. Recommended defenses are careful handling of email attachments, especially .rdp files, and allowing RDP connections only to known, trusted servers.
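The attack above depends on the victim opening an .rdp file whose settings hand local resources to the remote host. As an added example, not Trend Micro's analysis code or anything from PyRDP, the Python below parses the key:type:value format of .rdp files and flags the settings that matter: a "full address" outside the organization's own gateways, every redirect switch that exposes drives, clipboard, smart cards or WebAuthn authenticators, "authentication level:i:0" (connect even if the server's identity cannot be verified), and RemoteApp mode. The sample file and the trusted-gateway list are constructed.

```python
import re

# Constructed .rdp file, not a captured attachment: it points the client at an
# attacker-controlled host and turns on every resource redirection it can.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:login-portal.example-rdp.net:3389
username:s:
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
redirectwebauthn:i:1
authentication level:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||SecureDocViewer
"""

# Assumption for this example: the only RDP endpoints users should ever be
# handed in a file are the organization's own gateways.
TRUSTED_RDP_HOSTS = {"rds.example.com", "rdgateway.example.com"}

# Each of these exposes a local resource to the remote server when enabled.
# Integer switches are on when 1; string lists are on when non-empty.
REDIRECT_KEYS = {
    "redirectdrives": "local drives",
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn/FIDO authenticators",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectposdevices": "POS devices",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
}


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines; 'i'-typed values become ints."""
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2].strip()
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                pass
        settings[key] = value
    return settings


def target_host(settings: dict) -> str:
    """Host from 'full address', minus a trailing :port (bracketed IPv6 left as-is)."""
    addr = str(settings.get("full address", "")).strip()
    m = re.match(r"^([^\[\]:]+):\d+$", addr)
    return (m.group(1) if m else addr).lower()


def assess_rdp(text: str, trusted_hosts=TRUSTED_RDP_HOSTS) -> dict:
    s = parse_rdp(text)
    host = target_host(s)
    findings = []
    untrusted = not host or host not in trusted_hosts
    if untrusted:
        findings.append(f"connects to untrusted host {host or '<none>'}")

    redirected = []
    for key, what in REDIRECT_KEYS.items():
        v = s.get(key)
        enabled = v == 1 or (isinstance(v, str) and v not in ("", "0"))
        if enabled and what not in redirected:
            redirected.append(what)
    if redirected:
        findings.append("shares " + ", ".join(redirected) + " with the server")
    if s.get("authentication level") == 0:
        findings.append("authentication level 0: connects even when the server's identity cannot be verified")
    if s.get("remoteapplicationmode") == 1:
        findings.append("RemoteApp mode: session shows as one app window, hiding that a full remote session is open")

    if untrusted and redirected:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "redirected": redirected, "findings": findings, "verdict": verdict}
```

Use it as an attachment filter at the mail gateway or as a pre-open check on endpoints. Redirection of WebAuthn authenticators deserves special attention: it lets applications on the remote server drive the victim's FIDO key, which undermines the phishing resistance those keys otherwise provide.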
2024-12-18 21:09:44 bleepingcomputer NATION STATE ACTIVITY U.S. Contemplates Ban on TP-Link Routers Amid Security Concerns
The U.S. is considering banning TP-Link routers if they are judged a national security risk because of their use in cyberattacks. The Departments of Justice, Commerce and Defense are conducting the investigations, and the Commerce Department has already subpoenaed TP-Link. TP-Link holds about 65% of the U.S. market for small office/home office (SOHO) routers, a share that, together with its aggressive pricing, has drawn investigators' attention. Over 300 U.S. internet service providers currently ship TP-Link routers as the default device for home customers. Microsoft has identified a botnet made up predominantly of TP-Link routers that Chinese threat actors use for malicious activity. TP-Link says it welcomes engagement with U.S. authorities to demonstrate compliance with security standards and address the national security concerns. The scrutiny of TP-Link coincides with broader U.S. action against Chinese companies, including the recent revocation of China Telecom's U.S. operations over security threats.
2024-12-18 20:59:26 theregister NATION STATE ACTIVITY U.S. Considers Banning TP-Link Routers Over Security Concerns
The U.S. government is considering a ban on TP-Link routers over national security risks tied to their use in cyberattacks. Three federal departments (Commerce, Defense and Justice) are investigating the company. TP-Link holds about 65% of the American market for home and small business routers. Microsoft has reported that Chinese state-backed actors used compromised TP-Link routers in password-spray attacks against North American and European organizations, and Chinese operators have also leveraged compromised Cisco and Netgear devices to get into U.S. critical infrastructure. TP-Link devices are in use at the Department of Defense and other federal agencies. A ban would follow earlier action against Huawei and fits the broader U.S. strategy against Chinese cyber activity; recent political statements point toward a more aggressive posture toward nation-state actors such as China.
2024-12-18 18:42:57 bleepingcomputer CYBERCRIME Phishing Attack Targets 20,000 Microsoft Azure Accounts
A phishing campaign abused HubSpot's Free Form Builder to target automotive, chemical and industrial companies in Germany and the UK. Victims were redirected to fake Microsoft Azure login pages; about 20,000 accounts were targeted, although the number actually compromised is not known. The lures were deceptive web forms and emails mimicking DocuSign PDFs, designed to harvest credentials from employees of the targeted companies. Because the initial links pointed at legitimate HubSpot URLs, they passed typical email security checks, which raised the campaign's success rate. Palo Alto Networks' Unit 42 discovered the campaign and dates its activity from June to September 2024. After compromise, the attackers used VPNs to appear to log in from the victim's usual location and engaged in a tug-of-war with IT teams for control of the accounts. The infrastructure also shared distinctive indicators, including a common autonomous system number (ASN) and unusual user-agent strings, that defenders can use for hunting.
2024-12-18 18:27:32 bleepingcomputer NATION STATE ACTIVITY CISA Recommends Encrypted Messaging Post-Telecom Hacks
CISA has advised senior U.S. officials to move to end-to-end encrypted messaging apps such as Signal after serious telecom breaches attributed to the Chinese state-backed Salt Typhoon group. The breaches hit numerous carriers worldwide, including major U.S. providers T-Mobile, AT&T, Verizon and Lumen Technologies. Salt Typhoon, tracked under several other aliases, has been active since 2019 against telecom and government targets in Southeast Asia and now the U.S. The guidance aims to keep sensitive communications out of reach of attackers who have embedded themselves in carriers' systems, where unencrypted calls and SMS are exposed. CISA recommends end-to-end encrypted messaging, hardware-based multifactor authentication (MFA), and abandoning SMS-based MFA. It further recommends enabling Google's Advanced Protection Program or Apple's Lockdown Mode, using a password manager, and setting a PIN or passcode on the mobile carrier account to resist SIM-swapping. Keeping software updated, moving to current hardware and avoiding personal VPNs were also advised to reduce exposure.
2024-12-18 18:22:11 bleepingcomputer NATION STATE ACTIVITY CISA Advises Encrypted Messaging Post-Telecom Hacks by Chinese Group
CISA has urged U.S. government and political officials to use encrypted messaging apps such as Signal after telecom breaches by the Chinese state-backed Salt Typhoon group. The breaches, confirmed by the FBI and CISA, affected major U.S. carriers including T-Mobile, AT&T, Verizon and Lumen Technologies. Salt Typhoon, also known as Ghost Emperor among other aliases, has been active since 2019, mainly against telecommunications and government entities in Southeast Asia. The intruders reportedly had access for "months or longer," underscoring how weak telecom defenses were. The new guidance strongly recommends end-to-end encrypted messaging applications, particularly Signal, across mobile and desktop platforms. CISA also recommends hardware-based multifactor authentication (MFA) and protections such as the Google Advanced Protection Program and Apple's Lockdown Mode to prevent account hijacking and phishing. Officials are warned off SMS-based MFA and personal VPNs, and told instead to keep software updated and set a strong PIN or passcode with their carrier. Since the breaches, CISA and the FBI have been issuing alerts and guidance to help telecom administrators harden their networks against these intrusions.
2024-12-18 17:51:41 bleepingcomputer MALWARE Malicious VSCode Extensions Target Developers and Crypto Users
Malicious Visual Studio Code (VSCode) extensions aimed at developers and cryptocurrency projects were found on the VSCode marketplace. The extensions download heavily obfuscated PowerShell payloads and appear to be part of a supply chain campaign first seen in October 2024. The same campaign also published malicious packages on npm targeting the cryptocurrency community. In total, 18 malicious extensions and several npm packages, including 'etherscancontacthandler', were involved, with install counts and reviews apparently inflated to look legitimate. The downloaded payloads are heavily obfuscated CMD files that launch hidden PowerShell commands, which decrypt and execute further stages on the compromised system. Observed artifacts include a file dropped as %temp%\MLANG.DLL, which multiple antivirus engines flag as malicious. The researchers published SHA1 hashes of the malicious packages and extensions to aid detection and cleanup. Developers are advised to scrutinize the provenance of third-party code and extensions before installing them.
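To turn the indicators above into a local check, here is an added Python example (not the researchers' tooling) that walks a VSCode extensions directory, compares the SHA1 of every file against a blocklist, and looks for the pattern the summary describes: extension JavaScript that spawns a process, CMD files that invoke hidden, base64-encoded PowerShell, and %temp% drop paths. The blocklist here is seeded with the hash of a constructed sample payload, not with the researchers' published hashes, and the extension tree is built in a temporary directory for the demo.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed dropper used to populate the fake extension tree below. It has the
# shape the summary describes (hidden-window, base64-encoded PowerShell); the
# encoded command is just Write-Host 'sample'.
SAMPLE_CMD = (
    b"@echo off\r\n"
    b"powershell -w hidden -nop -enc "
    b"VwByAGkAdABlAC0ASABvAHMAdAAgACcAcwBhAG0AcABsAGUAJwA=\r\n"
)

# Hypothetical IOC list seeded with the sample's own hash. In practice load the
# researchers' published SHA1s here.
BLOCKLIST_SHA1 = {hashlib.sha1(SAMPLE_CMD).hexdigest()}

HEURISTICS = [
    (re.compile(rb"powershell(\.exe)?\b[^\r\n]*-w(indowstyle)?\s+hidden", re.I), "hidden-window PowerShell"),
    (re.compile(rb"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded PowerShell command"),
    (re.compile(rb"FromBase64String|Invoke-Expression|\biex\b", re.I), "in-memory decode/execute"),
    (re.compile(rb"%temp%|\$env:temp", re.I), "references %temp%"),
    (re.compile(rb"require\(['\"]child_process['\"]\)", re.I), "extension JS spawns processes"),
]
SCAN_SUFFIXES = {".js", ".cmd", ".bat", ".ps1", ".vbs"}


def scan_extensions(root: str) -> list:
    """Return one risk record per extension directory under root."""
    results = []
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        manifest = {}
        pj = ext_dir / "package.json"
        if pj.is_file():
            try:
                manifest = json.loads(pj.read_text(encoding="utf-8"))
            except ValueError:
                manifest = {}
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', ext_dir.name)}"
        events = manifest.get("activationEvents") or []
        startup = "*" in events or "onStartupFinished" in events  # runs without user action

        ioc_hits, heuristics = [], set()
        for f in ext_dir.rglob("*"):
            if not f.is_file():
                continue
            data = f.read_bytes()
            digest = hashlib.sha1(data).hexdigest()
            if digest in BLOCKLIST_SHA1:
                ioc_hits.append((str(f.relative_to(ext_dir)), digest))
            if f.suffix.lower() in SCAN_SUFFIXES:
                for rx, label in HEURISTICS:
                    if rx.search(data):
                        heuristics.add(label)

        if ioc_hits:
            risk = "high"
        elif len(heuristics) >= 2 or (startup and heuristics):
            risk = "medium"
        elif heuristics:
            risk = "low"
        else:
            risk = "none"
        results.append({"id": ext_id, "path": str(ext_dir), "activates_on_startup": startup,
                        "ioc_hits": ioc_hits, "heuristics": sorted(heuristics), "risk": risk})
    return results


def build_sample_tree() -> str:
    """Create a throwaway extensions directory: one constructed bad extension, one benign."""
    root = tempfile.mkdtemp(prefix="vscode-ext-")
    bad = Path(root, "acme.solidity-helper-1.0.2")
    (bad / "out").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "solidity-helper", "publisher": "acme",
        "activationEvents": ["*"], "main": "./out/extension.js"}))
    (bad / "out" / "extension.js").write_text(
        "const cp = require('child_process');\n"
        "exports.activate = () => cp.exec('cmd /c start /min \"\" \"%TEMP%\\\\update.cmd\"');\n")
    (bad / "out" / "update.cmd").write_bytes(SAMPLE_CMD)

    good = Path(root, "example.hello-world-0.0.1")
    good.mkdir()
    (good / "package.json").write_text(json.dumps({
        "name": "hello-world", "publisher": "example",
        "activationEvents": ["onCommand:hello.say"], "main": "./extension.js"}))
    (good / "extension.js").write_text("exports.activate = () => console.log('hi');\n")
    return root
```

For a real audit point `scan_extensions` at `~/.vscode/extensions` (or the equivalent for VSCodium and Cursor) and replace `BLOCKLIST_SHA1` with the published hashes; treat any "high" as a reinstall-the-workstation event, since the dropper runs with the developer's privileges and tokens.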
2024-12-18 17:36:18 theregister MISCELLANEOUS Microsoft’s Strategy to Replace Passwords with Passkeys Picks Up
Microsoft has been pushing passkeys hard as a replacement for passwords, and does not let customers opt out of the enrollment prompts. The company credits its user-experience design, built around frequent "nudges," for a 987% rise in passkey usage, though it has not disclosed the absolute number of users who have switched. Passkey adoption correlates with a 10% drop in password use across Microsoft's user base. A passkey is a public-key credential: the private key is generated and kept on the user's device (or in a synced credential manager), and the server stores only the matching public key, so a server-side breach yields nothing an attacker can replay. Login is a challenge-response in which the device signs a server-issued challenge, which makes a password and a separate second factor redundant; the browser also binds the signature to the site's origin, so a passkey cannot be used on a look-alike phishing domain. Microsoft, along with Apple and Google, backs the move as part of the FIDO Alliance's industry-wide effort to retire passwords, which are routinely exposed through breaches and phishing. Challenges remain: a compromised device can still be abused, and passkey portability and account recovery when a device is lost still need better answers.
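To make the security argument in the summary concrete, here is an added Python model of a passkey login. It is not Microsoft's, Apple's or Google's code, and it is a simplified WebAuthn ceremony rather than a spec-complete implementation (no CBOR, no attestation); it uses the cryptography package for P-256 ECDSA. It shows why the server holds nothing worth stealing and why a challenge relayed through a look-alike domain fails: the browser scopes credentials to the relying-party ID, and the origin it writes into clientDataJSON does not match what the server expects. example.com and example-verify.buzz are placeholders.

```python
import hashlib
import json
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


class Authenticator:
    """Device side. One P-256 key pair per relying-party ID; private keys never leave."""

    def __init__(self):
        self._keys = {}      # rp_id -> private key
        self._counters = {}  # rp_id -> signature counter

    def register(self, rp_id: str):
        self._keys[rp_id] = ec.generate_private_key(ec.SECP256R1())
        self._counters[rp_id] = 0
        return self._keys[rp_id].public_key()   # only the public half goes to the server

    def authenticate(self, rp_id: str, origin: str, challenge: str):
        # A browser scopes the credential lookup to the rpId derived from the page's
        # origin; on a look-alike domain there is simply no credential to use.
        if rp_id not in self._keys:
            return None
        self._counters[rp_id] += 1
        # The browser, not the page, writes the origin into clientDataJSON.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        # Simplified authenticatorData: rpIdHash || flags (UP|UV) || 4-byte counter.
        auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x05"
                     + self._counters[rp_id].to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = self._keys[rp_id].sign(signed, ec.ECDSA(hashes.SHA256()))
        return client_data, auth_data, sig


class RelyingParty:
    """Server side. Stores public keys only, so a database breach yields nothing reusable."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}    # username -> (public key, last signature counter)
        self.pending = {}  # username -> outstanding challenge

    def enroll(self, user: str, public_key):
        self.users[user] = (public_key, 0)

    def begin_login(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes):
        public_key, last_counter = self.users[user]
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.pop(user, None):
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:               # the phishing-resistance check
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= last_counter:
            return False, "signature counter did not increase (cloned authenticator?)"
        try:
            public_key.verify(sig, auth_data + hashlib.sha256(client_data).digest(),
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False, "bad signature"
        self.users[user] = (public_key, counter)
        return True, "ok"


def demo() -> dict:
    rp = RelyingParty("example.com", "https://login.example.com")
    device = Authenticator()
    rp.enroll("alice", device.register("example.com"))

    # 1. Genuine login from the real origin.
    ch = rp.begin_login("alice")
    genuine = rp.finish_login(
        "alice", *device.authenticate("example.com", "https://login.example.com", ch))

    # 2. Reverse-proxy phishing site relays a real challenge. The browser is on
    #    example-verify.buzz, so it asks the authenticator for that rpId: nothing there.
    ch = rp.begin_login("alice")
    relayed = device.authenticate("example-verify.buzz", "https://login.example-verify.buzz", ch)

    # 3. Even if rpId scoping were somehow bypassed, clientDataJSON still carries the
    #    origin the user was really on, and the server rejects it.
    forced = rp.finish_login(
        "alice", *device.authenticate("example.com", "https://login.example-verify.buzz", ch))
    return {"genuine": genuine, "relayed_assertion": relayed, "forced": forced}
```

Compare this with a password or a TOTP code, both of which a relay proxy can forward unchanged: here the thing being forwarded is a signature over the attacker's own origin, which is useless to the real site.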
2024-12-18 16:55:43 bleepingcomputer NATION STATE ACTIVITY Russia Declares US Cyber Firm 'Undesirable', Bans Operations
Recorded Future, a leading U.S.-based threat intelligence firm, has been declared an "undesirable" organization by Russia, which effectively bans its operations in the country. The designation is part of Russia's broader practice of labelling Western entities it claims support anti-Russian propaganda and cyber operations. The Russian Prosecutor General's Office accuses Recorded Future of supporting Western propaganda campaigns and of providing intelligence support to the CIA and other nations' intelligence services. It further charges the company with supplying Ukraine with data on Russian military movements and with tools for cyberattacks against Russian targets. Christopher Ahlberg, CEO of Recorded Future, responded that being declared undesirable by Russia is, ironically, a compliment. The ban does little to change Recorded Future's standing in the global cybersecurity market; the company recently announced its acquisition by Mastercard for $2.65 billion.
2024-12-18 15:44:50 bleepingcomputer CYBERCRIME Interpol Advocates Change in Terminology for Online Scams
Interpol is encouraging a change in vocabulary from "pig butchering" to "romance baiting" for online relationship and investment scams. The term "pig butchering" is seen as dehumanizing and shaming to victims, which may deter them from seeking help or reporting. Scammers approach victims on social media and build trust through fabricated friendships or romantic relationships before coaxing them into fraudulent investments. Victims suffer heavy financial and psychological damage, and some cases have ended in suicide after the betrayal came to light. Reported losses to investment fraud rose 38% to $4.57 billion in 2023. The term "romance baiting" puts the emphasis on the fraudsters' manipulation and shifts blame away from victims. The change is part of a broader effort to support victims and improve their cooperation with law enforcement. Recovery of stolen funds is rarely possible, but reporting helps prevent further scams and aids in tracking down the perpetrators.
2024-12-18 15:34:25 theregister CYBERCRIME Researchers Reverse Engineer AI on Google TPUs to Steal Models
Researchers at North Carolina State University have recovered the structure of AI models running on Google's Edge TPU by measuring electromagnetic emissions while the chip performs inference. The attack, which they call TPUXtract, captures the EM intensity trace of the model layer by layer and analyzes each layer's trace to extract its hyperparameters with high precision. "Hyperparameters" here means the architectural settings of each layer (layer type, number of nodes or filters, kernel size, stride, padding, activation function) rather than training settings such as learning rate or batch size, which cannot be observed at inference time. The researchers describe TPUXtract as the first comprehensive hyperparameter-extraction attack against a commercial accelerator, targeting the Edge TPU found on Google's Coral development boards. They report 99.91% accuracy in recovering layer configurations. The attack does not read out trained weights directly, but knowing the exact architecture sharply lowers the cost of training a functionally equivalent substitute model or of planning follow-on attacks. The work highlights side-channel weaknesses in commercial AI accelerators and the risk to models deployed on physically accessible edge hardware. Google is aware of the research but had not publicly commented on its implications or on mitigations.
2024-12-18 14:13:22 thehackernews CYBERCRIME HubPhish Campaign Targets 20,000 Through HubSpot Abuse
Researchers at Palo Alto Networks Unit 42 have identified a phishing campaign, dubbed HubPhish, that abuses HubSpot tools to target users in Europe. Its aim was credential theft leading to access to victims' Microsoft Azure cloud infrastructure, with a focus on the automotive, chemical and industrial sectors. The emails were styled as Docusign notifications and led recipients to links hosted on HubSpot's Free Form Builder. At least 17 HubSpot-generated forms redirected victims to malicious domains, many under the .buzz top-level domain. Activity peaked in June 2024, and the operators used bulletproof VPS hosting to shield their infrastructure. Once in possession of credentials, the threat actors registered new devices under their control to the victims' accounts to maintain persistence, then moved laterally into the victims' Microsoft Azure instances. The article places the campaign in a broader trend of phishing that rides on trusted services such as Google and spoofs well-known security vendors to bypass corporate defenses. Users are advised to harden settings in services like Google Calendar against unsolicited invites to blunt these impersonation tactics.
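The post-compromise step described here and in the earlier BleepingComputer summary of the same campaign, registering an attacker-controlled device shortly after a sign-in from unfamiliar infrastructure, is detectable from identity logs. As an added example (not Unit 42's detection content), the Python below correlates constructed Entra ID-style sign-in and audit events: for each device registration it looks back one hour for a successful sign-in from a watchlisted ASN, an ASN never seen for that user, or a non-browser user agent. The events, ASN numbers, activity names and the watchlist are all constructed placeholders, and the field names are loosely modelled on the real logs rather than copied from them.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, loosely modelled on Entra ID sign-in and audit log
# fields. Not real telemetry; names, IPs and ASNs are placeholders.
SIGNINS = [
    {"time": "2024-06-10T08:02:11Z", "user": "j.doe@example.com", "ip": "203.0.113.10",
     "asn": 64500, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0", "result": "success"},
    {"time": "2024-06-11T08:05:40Z", "user": "j.doe@example.com", "ip": "203.0.113.10",
     "asn": 64500, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0", "result": "success"},
    {"time": "2024-06-12T13:41:03Z", "user": "j.doe@example.com", "ip": "198.51.100.77",
     "asn": 64601, "ua": "python-requests/2.31.0", "result": "success"},
    {"time": "2024-06-05T08:30:00Z", "user": "a.smith@example.com", "ip": "203.0.113.22",
     "asn": 64500, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "result": "success"},
]
AUDITS = [
    {"time": "2024-06-12T13:52:30Z", "user": "j.doe@example.com", "activity": "Add device", "target": "DESKTOP-7K2Q1"},
    {"time": "2024-06-05T08:45:00Z", "user": "a.smith@example.com", "activity": "Add device", "target": "MBP-ASMITH"},
]

# Hypothetical watchlist: an ASN you have tied to the campaign's VPS provider.
FLAGGED_ASNS = {64601}
BROWSER_UA = re.compile(r"^Mozilla/5\.0 ")


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_device_add_after_suspicious_signin(signins, audits, window=timedelta(hours=1),
                                              flagged_asns=FLAGGED_ASNS) -> list:
    """Alert when a device is registered within `window` of a suspicious sign-in."""
    by_user = {}
    for s in signins:
        if s["result"] == "success":
            by_user.setdefault(s["user"], []).append({**s, "t": _t(s["time"])})

    alerts = []
    for a in audits:
        if a["activity"] != "Add device":
            continue
        t, user = _t(a["time"]), a["user"]
        history = by_user.get(user, [])
        recent = [s for s in history if t - window <= s["t"] <= t]
        # Baseline: ASNs this user signed in from before the look-back window.
        baseline = {s["asn"] for s in history if s["t"] < t - window}
        for s in recent:
            reasons = []
            if s["asn"] in flagged_asns:
                reasons.append(f"ASN {s['asn']} is on the campaign watchlist")
            # Novelty only means something once the user has some history.
            if baseline and s["asn"] not in baseline:
                reasons.append(f"ASN {s['asn']} never seen before for this user")
            if not BROWSER_UA.match(s["ua"]):
                reasons.append(f"non-browser user agent {s['ua']!r}")
            if reasons:
                alerts.append({
                    "user": user,
                    "device": a["target"],
                    "signin_ip": s["ip"],
                    "seconds_between": int((t - s["t"]).total_seconds()),
                    "reasons": reasons,
                })
    return alerts
```

When this fires, the device is the attacker's persistence: remove it from the tenant, revoke the user's refresh tokens and reset the credential in one motion, otherwise the tug-of-war over the account that the earlier summary describes simply restarts.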