Daily Brief

Articles are listed below; each is followed by a generated summary.

2024-12-13 17:44:31 | bleepingcomputer | NATION STATE ACTIVITY | Russian Cyberspies Deploy New Android Spyware to Steal Data
Russian threat group Gamaredon developed two Android spyware tools, BoneSpy and PlainGnome, to target primarily Russian-speaking individuals in former Soviet states. BoneSpy, in use since 2021, was derived from the open-source DroidWatcher and used trojanized Telegram apps and fake Samsung Knox apps for deployment. PlainGnome, surfacing in 2024, represents a more advanced, custom-built malware without prior codebase lineage, featuring stealthier two-stage deployment. Both spyware families exhibit capabilities such as extensive data collection, idle device exploitation, and avoidance of direct user interaction during data exfiltration. Lookout's analysis highlighted no current use of code obfuscation, which allowed for simpler identification of the malware's hazardous nature. The malware requests permissions that could compromise SMS, contacts, call logs, and camera access under the guise of a communication tool. Neither BoneSpy nor PlainGnome were found on Google Play, indicating installation through alternative, socially engineered avenues. This evolving tactic underlines Gamaredon's strategic shift to adapt its surveillance to include mobile devices, recognizing their growing importance in daily activities.
2024-12-13 16:53:53 | thehackernews | MALWARE | Critical Flaw in OpenWrt Leads to Risk of Malware Injection
A severe vulnerability in OpenWrt's Attended Sysupgrade (ASU) could allow attackers to distribute malicious firmware. Discovered by RyotaK and reported on December 4, 2024, the vulnerability is noted for its high potential impact (CVSS score of 9.3). The flaw involves a combination of command injection and truncated SHA-256 hash collision, facilitating unauthorized command execution during firmware builds. This security gap enables the creation of illegitimate firmware images under the guise of legitimate updates, posing significant threats to users. No authentication is required to exploit this vulnerability, increasing the risk of potential abuse by attackers. OpenWrt has already released a patch (version 920c8a1) to address this vulnerability and recommends users update immediately. It remains uncertain whether the vulnerability was exploited in the wild, but older builds were exposed for as long as the flaw was present.
2024-12-13 16:48:35 | bleepingcomputer | MALWARE | Germany Disrupts BadBox Malware Affecting 30,000 Android Devices
Germany's BSI has disrupted an operation involving BadBox malware pre-installed on over 30,000 Android IoT devices. BadBox enables theft of two-factor authentication codes, installation of further malware, and acts as a platform for fake news dissemination. Malware functionality includes ad fraud through background ad clicking and residential proxying, which misuses device bandwidth for illegal traffic routing. The BSI implemented a DNS sinkhole to intercept and cut communication between affected devices and the malware's command and control servers. Device owners are being alerted by ISPs to disconnect or stop using compromised devices, as the embedded malware is integrated into device firmware. Affected devices were running outdated Android versions, making them vulnerable to such botnet attacks and other similar malware threats. BSI has emphasized the need for manufacturer and consumer vigilance in cybersecurity, particularly in the IoT device market. General advice for consumers includes purchasing devices from reputable manufacturers and keeping firmware updated.
2024-12-13 15:52:50 | thehackernews | NATION STATE ACTIVITY | U.S. Indicts 14 North Koreans in $88M IT Worker Fraud Scheme
The U.S. Department of Justice has indicted 14 North Korean nationals for orchestrating a complex IT worker fraud scheme, violating sanctions and committing multiple felonies including wire fraud and money laundering. Over six years, this scheme reportedly funneled at least $88 million to the North Korean regime through illicit employment in U.S. firms using stolen and fake identities. The North Korean IT workers involved, employed by DPRK-controlled companies in China and Russia, engaged in information theft and extortion, threatening to leak sensitive data if ransoms were not paid. Authorities have seized 29 fake website domains and $2.26 million linked to this operation, intensifying efforts to dismantle the fraudulent activities. A reward of up to $5 million is offered for information leading to further identification of the individuals and front companies involved in these illegal activities. The implicated parties utilized sophisticated tactics to mask their true locations and identities, including laptop farms in the U.S. to simulate local activity. This case is part of a broader strategy by North Korea to use cyber operations, including cryptocurrency heists and IT fraud, to fund its regime and strategic objectives.
2024-12-13 15:22:15 | bleepingcomputer | MALWARE | Germany Disrupts BadBox Malware in 30,000 IoT Devices
Germany's Federal Office for Information Security (BSI) has neutralized the BadBox malware, which was pre-installed on over 30,000 Android IoT devices. Affected devices include digital picture frames, media players, and potentially smartphones and tablets, all running outdated Android firmware. BadBox malware capabilities include stealing two-factor authentication codes, installing further malware, committing ad fraud, and using infected devices as proxies for illegal activities. BSI has implemented a sinkholing operation which redirects DNS queries from the malware to police-controlled servers, blocking the malware's communication with its command and control servers. Impacted device owners will be notified by their internet service providers and advised to disconnect the affected devices from their networks. Despite current measures, the multitude of Android IoT manufacturers and device iterations suggests many more devices could be compromised. Consumers are advised to purchase devices from reputable manufacturers and to ensure devices have long-term security support to minimize risks of cyber threats.
2024-12-13 14:41:39 | theregister | MISCELLANEOUS | Cynet Achieves Top Marks in 2024 MITRE ATT&CK Evaluation
Cynet achieved 100% Detection Visibility and 100% Protection in the 2024 MITRE ATT&CK Evaluation, effectively detecting and blocking all tested cyber threats. The evaluation confirmed Cynet's efficient performance with no false positives, and without the need for any configuration changes during testing. This achievement follows Cynet's historic performance in the 2023 evaluation, where it also reached full visibility and analytic coverage. MITRE's evaluation process uses controlled lab simulations to mirror real-world attack scenarios, ensuring unbiased and consistent testing across vendors. The results showcase Cynet's All-in-One Cybersecurity Platform as a leading solution for small-to-medium enterprises (SMEs) and managed service providers (MSPs). The MITRE ATT&CK Evaluation is highly regarded for its fair and thorough assessment of cybersecurity solutions, focusing on real threat group techniques. Cynet's success in the evaluation highlights its capability to provide effective and affordable cybersecurity protections, setting a high standard in the industry.
2024-12-13 11:49:59 | thehackernews | NATION STATE ACTIVITY | Iran-Linked IOCONTROL Malware Targets IoT and SCADA Systems
Iran-affiliated hackers have developed IOCONTROL, a new malware targeting Internet of Things (IoT) and Operational Technology (OT) environments in the U.S. and Israel. The malware is designed to infiltrate a wide variety of devices, including IP cameras, routers, and SCADA devices, by exploiting their Linux-based systems. Claroty cybersecurity researchers discovered the malware in compromised Gasboy fuel management systems, which indicated potential for both operational disruption and credit card data theft. IOCONTROL can execute automatically upon device restart and uses the MQTT protocol for stealthy communication, masking its traffic within legitimate IoT device communications. The malware conceals its command and control (C2) communications using DNS-over-HTTPS (DoH), a method also used by Russian and Chinese state actors to avoid detection. Commands supported by IOCONTROL include executing arbitrary system commands, self-deletion, and initiating port scans for further network penetration. This malware represents the tenth major malware family aimed at Industrial Control Systems (ICS), following others like Stuxnet and Triton.
2024-12-13 11:34:35 | thehackernews | MISCELLANEOUS | How AI Automation Enhances CrowdStrike RFM Reporting Efficiency
Tom Power from The University of British Columbia developed an automated workflow to generate CrowdStrike RFM reports, reducing weekly manual reporting time. The workflow leverages Tines' AI-driven automation to streamline the creation of reports on Falcon Sensor's Reduced Functionality Mode (RFM) across hosts. Before automation, SecOps teams spent approximately 30 minutes weekly manually generating these reports, totaling over 25 hours annually. The automated process retrieves, processes, and reports data in minutes, delivering actionable insights via email with detailed summaries and CSV attachments. This automation supports proactive system health management and faster decision-making by enabling regular monitoring of RFM occurrences. The use of Tines' platform eliminates the manual effort and reduces the risk of errors, providing consistent and up-to-date reporting. Users interested in similar automation can test the workflow using Tines' Community Edition platform, which offers pre-built workflows and AI functionalities.
2024-12-13 09:13:10 | thehackernews | MALWARE | Sophisticated PUMAKIT Rootkit Targets Linux Systems with Stealth
Cybersecurity experts have identified a new Linux rootkit named PUMAKIT that uses complex methods to hide its activity and maintain unauthorized control. PUMAKIT operates as a sophisticated loadable kernel module (LKM) with additional userland components, employing advanced mechanisms to stay undetected. The rootkit's functionality includes privilege escalation, file and directory hiding, and evasion of standard system detection tools using syscall hooking. It features a multi-stage deployment architecture designed to activate under specific conditions, ensuring it evades detection mechanisms like secure boot. PUMAKIT utilizes the Linux function tracer to hook into critical system calls and kernel functions, modifying core system behaviors to achieve its malicious objectives. Communication with command-and-control servers is maintained covertly, with the malware using encrypted channels and unique command interactions. Despite its complexity and potential impact, PUMAKIT has not yet been linked to any known cybercriminal or cyberespionage groups. This discovery underscores the evolving threat landscape for Linux systems, highlighting the need for advanced defensive measures against such hidden threats.
2024-12-13 09:07:57 | theregister | MISCELLANEOUS | GitGuardian Advances Multi-Vault Secrets Management Solutions
Non-Human Identities (NHIs), outnumbering humans 100 to 1 in enterprises, heighten the challenge of managing multiple secret vaults. The proliferation of NHIs and secrets introduces new security vulnerabilities by increasing attack vectors. Traditional secret management tools like HashiCorp Vault and AWS Secrets Manager are insufficient alone due to their isolated operation across various teams. GitGuardian introduces integrations with major secret management platforms to offer centralized control and visibility. Key features include automated detection of obsolete secrets, incident resolution across multiple vaults, and simplified migration and policy enforcement. This solution is timely, addressing growing complexities and security risks associated with the increased use of machine identities and their secrets. Benefits of GitGuardian's updated platform include reduced operational costs, improved security posture, and enhanced compliance reporting.
2024-12-13 06:11:16 | thehackernews | CYBERCRIME | FBI Shuts Down Rydox Marketplace, Arrests International Cybercriminals
The U.S. Department of Justice announced the closure of Rydox, an illicit marketplace selling stolen personal information and cybercrime tools. Three Kosovo nationals, administrators of Rydox, were arrested; two are awaiting extradition to the U.S., while the third faces charges in Albania. Rydox conducted over 7,600 sales, generating at least $230,000 by offering stolen data and cybercrime tools to over 18,000 users. An undercover FBI operation contributed to the arrests; agents infiltrated Rydox, made purchases, and traced cryptocurrency transactions. During the coordinated law enforcement action, servers in Kuala Lumpur were seized and taken offline, along with approximately $225,000 in cryptocurrency. The arrested individuals face multiple charges, including identity theft and money laundering, with potential penalties of up to 37 years in prison. A separate related case involves a Nigerian national extradited to the U.S. for a BEC scheme that defrauded businesses of over $6 million.
2024-12-13 00:38:19 | theregister | NATION STATE ACTIVITY | North Korea's IT Worker Scam Nets $88 Million, Targets U.S. Firms
North Korea's fraudulent IT worker scheme successfully siphoned off approximately $88 million over six years by infiltrating companies with disguised tech workers. The U.S. Department of Justice has identified key individuals and companies, located in China and Russia, that facilitated these schemes, including the employment of over 130 fake IT personnel. These "IT warriors" disguised their locations using sophisticated means, securing remote jobs in the U.S. and diverting funds and information back to Pyongyang. In addition to stealing money, these workers gained unauthorized access to sensitive corporate data, engaging in extortion by threatening to release this information unless paid hefty ransoms in cryptocurrency. The FBI and the U.S. State Department are enhancing measures to combat these activities, including a reward of $5 million for information leading to the disruption of these financial networks. Despite significant progress in the investigation, U.S. authorities warned of ongoing threats, as North Korea continues to deploy these tactics extensively against U.S. businesses.
2024-12-12 22:37:04 | bleepingcomputer | MALWARE | Pumakit: New Linux Rootkit Targets Older Kernels for Stealth Attacks
A new Linux rootkit named Pumakit, featuring advanced concealment and privilege escalation, has been detected by Elastic Security. Pumakit comprises a dropper, memory-resident payloads, a kernel module rootkit (LKM), and a userland rootkit, facilitating multifaceted system infiltration and control. Detected in a 'cron' binary on VirusTotal dated September 4, 2024, Pumakit targets Linux systems running kernels older than version 5.7. The rootkit employs multiple stealth techniques, including environment checks, kernel manipulation, syscall interception, and process credential manipulation to gain root privileges. It can also hide its own presence, specific files, and processes from system tools, kernel logs, antivirus programs, and administrators. The userland Kitsune SO module complements the LKM by intercepting system calls at the user level, hiding files and network connections, and managing communication with the C2 server. Additionally, a YARA rule has been published to assist with the detection of Pumakit attacks on vulnerable Linux systems.
2024-12-12 22:11:38 | bleepingcomputer | CYBERCRIME | International Law Enforcement Shuts Down Rydox Cybercrime Market
Albanian and Kosovo authorities seized the Rydox cybercrime marketplace and arrested three administrators. The U.S. has indicted Ardit Kutleshi and Jetmir Kutleshi, key players in Rydox, on multiple charges including identity theft and money laundering. Rydox facilitated over 7,600 transactions of stolen personal information and access to more than 321,000 cybercrime tools. U.S. authorities have also seized the Rydox domain and approximately $225,000 in cryptocurrency linked to the marketplace. The FBI worked with international partners, including police in Malaysia, to take down the hosting servers and take the marketplace offline. The operation highlights significant international cooperation in tackling cybercrime that affects thousands of U.S. citizens. The closure of Rydox follows a series of similar shutdowns of other major cybercrime markets in Europe.
2024-12-12 20:50:38 | bleepingcomputer | MALWARE | Iranian-Linked IOCONTROL Malware Targets U.S. and Israeli Infrastructure
Iranian threat actors are deploying IOCONTROL malware, targeting IoT and OT/SCADA systems in critical infrastructure sectors in Israel and the U.S. The malware infects a variety of devices critical to infrastructure, including routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems. IOCONTROL is modular, affecting devices across different manufacturers, enhancing its potential to cause widespread disruption in targeted regions. The malware uses encrypted communication and a persistence mechanism, ensuring continued control over compromised devices even after reboots. Attacks have reportedly compromised 200 gas stations across Israel and the U.S., according to claims made by the threat group on Telegram. Active since late 2023, IOCONTROL has been involved in various campaigns, with ongoing activities observed as recent as mid-2024. Claroty's Team82, which analyzed the malware, has not yet observed any detection by antivirus engines listed on VirusTotal as of December 10, 2024.