Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-12-09 22:36:19 | bleepingcomputer | MALWARE | Critical Security Flaw in OpenWrt Allows Malicious Firmware Uploads | A significant vulnerability in OpenWrt's Attended Sysupgrade feature could enable the distribution of malicious firmware. OpenWrt, a Linux-based operating system for network devices, offers advanced features and supports multiple device brands. The flaw, identified by security researcher RyotaK, involved command injection and hash truncation vulnerabilities, tracked as CVE-2024-54143 with a CVSS v4 score of 9.3. Attackers could exploit these vulnerabilities to inject commands or brute-force hash collisions, creating malicious firmware builds. The OpenWrt team fixed the issue within hours of it being reported, briefly taking the affected sysupgrade.openwrt.org service offline to apply the necessary fixes. Despite the prompt repairs, users are advised to update their firmware to ensure no compromised software is in use, as earlier affected images and logs cannot be fully reviewed due to automatic cleanups. The probability of exploitation is considered very low, but updates are recommended for all users and for those hosting their own instances of the Attended Sysupgrade service. |
| 2024-12-09 20:29:56 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Linked to $50 Million Crypto Theft | North Korean threat actors, identified as Citrine Sleet or UNC4736, are responsible for a $50 million heist at Radiant Capital, a decentralized finance platform. The cyberattack, which took place on October 16, 2024, involved sophisticated malware targeting Radiant's systems and was traced back to a malicious Telegram message sent on September 11, 2024. The malware, named 'InletDrift,' created a backdoor on compromised devices, allowing the attackers to manipulate transactions and bypass multiple security layers, including hardware wallet security. The stolen funds were extracted from the Ethereum blockchain and Binance Smart Chain by exploiting the multi-signature transaction process, indicating a high level of sophistication in the attack. Cybersecurity firm Mandiant, assisting in the investigation, confirmed with high confidence the involvement of the North Korean group, which also exploited a Chrome zero-day earlier in the year. Despite rigorous security measures and transaction simulations by Radiant, the attackers successfully masked their illicit activity, making the fraudulent transactions appear normal. Radiant is currently working with U.S. law enforcement and cybersecurity firm zeroShadow to recover the stolen funds, stressing the need for enhanced device-level security measures. |
| 2024-12-09 19:04:01 | theregister | NATION STATE ACTIVITY | Chinese Espionage Operation Targets High-Level US Leaders | Anne Neuberger, White House cybersecurity advisor, disclosed that the Chinese espionage operation dubbed Salt Typhoon targeted the calls of top US political figures. Neuberger reported at the Manama Dialogue in Bahrain that Salt Typhoon was a focused espionage effort aimed specifically at senior political leaders. The operation compromised eight US telecom providers and organizations worldwide, indicating a broad and systematic surveillance effort. FBI and CISA have verified the theft of large volumes of records and metadata by Chinese government-backed spies, along with private communications from selected individuals in government and politics. The espionage also extended to wiretapping systems used by law enforcement, though this was not the primary focus of the operation. Neuberger emphasized that Salt Typhoon represents a targeted segment of a larger Chinese initiative focusing on key government and corporate intellectual property. The issue will be a major topic at the upcoming US Senate Commerce subcommittee hearing, which will examine risks associated with foreign infiltration into American telecom networks. |
| 2024-12-09 17:48:08 | thehackernews | MALWARE | Black Basta Ransomware Adopts New Tactics Including QR Codes | Black Basta ransomware operators have updated their attack methods, incorporating email bombing, QR codes, and sophisticated social engineering. The group initially engages victims via Microsoft Teams, posing as IT support to gain trust and persuade them to install remote access tools like AnyDesk or Microsoft's Quick Assist. Through remote access, attackers deploy additional malware payloads, including a credential harvester, Zbot, and DarkGate, setting the stage for further exploitation. Attackers use various vectors for credential theft, aiming to steal VPN configurations and bypass multi-factor authentication to access corporate networks directly. The evolution of Black Basta illustrates a shift from reliance on botnets to a combination of bespoke malware and social engineering, demonstrating a strategic adaptation in their tactics. The malware landscape sees concurrent developments, with other cybercriminal groups similarly updating their methods and malware, such as the Rust variant of Akira ransomware and the Mimic variant called Elpaco. |
| 2024-12-09 16:57:24 | bleepingcomputer | CYBERCRIME | International Cybercrime Gang Using Airbnbs for Phishing Arrested | Eight members of a cybercrime network involved in stealing millions of euros were arrested in Belgium and the Netherlands. The criminals operated out of Airbnb rentals, transforming them into makeshift call centers to orchestrate phishing scams across Europe. Victims were contacted through email, SMS, or WhatsApp and deceived by criminals posing as bank employees or fraud prevention agents, who led them to phishing sites that mimicked banking interfaces. Personal data obtained from the phishing sites enabled the criminals to access and drain the victims' bank accounts. Luxury items, large sums of cash, and evidence of an extravagant lifestyle funded by the cybercrime activities were seized during police searches. Europol coordinated the operation, which involved 17 simultaneous property searches in the two countries, based on investigations that began in 2022. The suspects face charges including phishing, online fraud, bank helpdesk fraud, money laundering, and participation in a criminal organization. Recommendations include treating unsolicited banking communication with skepticism and verifying it through official bank contacts to prevent similar scams. |
| 2024-12-09 16:41:48 | bleepingcomputer | CYBERCRIME | Ransomware Attack Targets Romanian Electricity Supplier Electrica | Electrica Group, a major Romanian electricity distributor, is currently managing a ransomware attack. Over 3.8 million customers across Transilvania and Muntenia could potentially be affected by disruptions caused by the security measures taken in response. The company emphasized that critical systems remain secure and that the attack has not impacted Electrica's SCADA systems responsible for network control. Electrica is working closely with national cybersecurity authorities to mitigate the situation and ensure system security. The attack was confirmed as ransomware by Romania's Ministry of Energy, though full details and the extent of the breach remain under investigation. Electrica's response includes a collaboration with technical and security teams to eliminate any risks related to the cyberattack. This incident follows a recent disclosure of significant cyberattacks aimed at Romania's election infrastructure, emphasizing a heightened need for cybersecurity readiness in the region. |
| 2024-12-09 16:21:22 | theregister | DATA BREACH | Massive Ongoing AWS Customer Data Theft Uncovered | Security researchers Noam Rotem and Ran Locar discovered an ongoing heist targeting AWS customers through misconfigurations on public websites. The attackers stole AWS credentials, source code, and various types of keys and secrets, affecting a large but unknown number of AWS customers since March. The stolen data, over 2 TB in size, was stored in an openly accessible, misconfigured AWS S3 bucket used by the criminals. The operation used tools linked to the cybercrime groups Nemesis and ShinyHunters, suggesting professional and organized cybercriminal involvement. AWS's response stressed that the stolen credentials resulted from customer-side misconfigurations and recommended the use of AWS Secrets Manager for better security. Rotem and Locar reported their findings to both the Israeli Cyber Directorate and AWS Security; AWS completed its own investigation of the incident. Misconfigured S3 buckets continue to be a significant security issue, underscoring the shared responsibility model in cloud services. |
| 2024-12-09 14:09:59 | theregister | CYBERCRIME | OpenWrt Alerts Users to Upgrade Firmware After Security Flaw | OpenWrt has urged users to update their router firmware following a potential supply chain attack involving two critical vulnerabilities. The vulnerabilities were discovered by RyotaK, a security researcher at the Japanese firm Flatt Security, and involve command injection and weak hash issues in OpenWrt's attended sysupgrade server (ASU). The first vulnerability allows an attacker to inject malicious code into the firmware images, while the second involves the use of a truncated SHA-256 hash that could allow hash collisions. These security gaps could enable attackers to replace legitimate firmware with compromised versions, potentially impacting user security and privacy. The affected ASU instances are hosted separately from critical infrastructure, ensuring that sensitive data such as SSH keys or signing certificates were not compromised. OpenWrt conducted a review of build logs and found no evidence of compromise in the official and recent custom images; however, older versions were not reviewed due to automatic cleanup procedures. Users hosting public, self-hosted ASU instances are advised to apply the updates or specific commits to mitigate the risks highlighted. This announcement coincides with the release of OpenWrt One, a new hardware platform that promises enhanced repairability and security features. |
| 2024-12-09 13:14:16 | thehackernews | NATION STATE ACTIVITY | Turla Group Uses Pakistani Hackers' Servers for Espionage | Russia-linked Turla hackers infiltrated the infrastructure of the Pakistani hacking team Storm-0156, leveraging its servers since December 2022. Turla's actions enabled espionage on government and military targets in Afghanistan and India, complicating attribution and increasing operational secrecy. The hijacking of another group's resources represents a strategic approach to obfuscating Turla's activities and masking its digital footprint. This incident highlights a complex layer of threats in which nation-state actors exploit lesser-equipped or rival groups to enhance their capabilities or mislead identification efforts. Turla has a historical pattern of commandeering other groups' operations to conduct its targeted cyber espionage campaigns effectively. Major software vulnerabilities in systems like Microsoft Windows and Google Chrome emphasize the persistent risk of cybersecurity breaches across various platforms. Cybersecurity tips include proactive system updates, deception techniques like creating malware "no-go" zones on PCs, and strategic network controls to detect and mitigate risks. |
| 2024-12-09 11:58:21 | thehackernews | CYBERCRIME | Critical AI Vulnerabilities Exposed: Prompt Injection Risks Identified | Researchers have uncovered significant vulnerabilities in the DeepSeek and Claude AI systems, linked to prompt injection attacks that could lead to user account takeovers. Security expert Johann Rehberger identified that specific inputs in DeepSeek's chat could execute JavaScript code, leading to unauthorized actions such as session hijacking. The exploited flaw in DeepSeek allowed attackers to gain access to the user's session token, effectively enabling them to impersonate the user. Rehberger also demonstrated that Claude AI's Computer Use could be manipulated into running malicious commands autonomously, potentially downloading and executing malware. The discovered attack, termed ZombAIs, uses prompt injections to compel Claude AI to interact with a command-and-control server. Terminal DiLLMa, another named attack, targets command-line tools integrated with large language models to hijack system terminals via ANSI escape codes in model output. Additional findings by academics show vulnerabilities in OpenAI's ChatGPT, where external image links or unauthorized plugins can be triggered via prompt injections. The research highlights a critical need for developers to scrutinize the contexts in which AI outputs are integrated, treating them as untrusted sources. |
| 2024-12-09 11:07:42 | theregister | MISCELLANEOUS | Microsoft Offers $10K Prize for AI Email Hack Challenge | Microsoft, together with the Institute of Science and Technology Austria and ETH Zurich, is sponsoring a hacking challenge with a $10,000 prize pool. The challenge, named LLMail-Inject, involves breaking into a simulated LLM-operated email client through a prompt injection attack. Contestants are tasked with tricking the LLMail service into performing unintended actions such as data leaks by manipulating the AI's response processing. A simulated email service that uses a large language model to interact with users and execute their commands provides the platform for the challenge. The service includes multiple built-in defenses against prompt injection attacks, requiring participants to creatively bypass these measures. Microsoft's previous issues with AI chatbot security breaches, such as vulnerabilities in Copilot, underscore the significance of this challenge. Top teams in the challenge will receive prizes, with $4,000 going to the first-place finishers. The competition opens on December 9 and concludes on January 20. |
| 2024-12-09 11:02:26 | thehackernews | MISCELLANEOUS | Enhancing Microsoft Entra ID Security with PrivX Zero Trust Suite | PrivX Zero Trust Suite integrates with IAM solutions like Microsoft Entra ID to enhance identity security for privileged access. The solution includes features for real-time synchronization of identity changes, role-based access control, and revocation of access upon user status changes. Special attention is paid to SSH key management to prevent security bypasses commonly missed by traditional PAM systems. It promotes a passwordless and keyless environment, eliminating reliance on stored credentials and thereby increasing security and operational efficiency. It enables secure, scalable management of the machine and application interconnections that traditional IAM and PAM solutions struggle with. It provides comprehensive auditing capabilities, ensuring detailed records of user activities for compliance and security monitoring. It supports quantum-safe connections, making it future-proof against emerging threats from quantum computing. It offers an extension to Microsoft Entra ID capabilities, specifically targeting the high-security needs of high-impact users and sensitive sessions. |
| 2024-12-09 10:46:50 | thehackernews | MALWARE | Socks5Systemz Botnet Drives Illegal Proxy Service on 85,000+ Devices | A malicious botnet named Socks5Systemz is operating a proxy service called PROXY.AM on over 85,000 compromised devices. The malware turns compromised systems into proxy exit nodes to help cybercriminals conceal the origins of their attacks. Initially spotted in 2013, Socks5Systemz has been linked to the distribution of other malicious payloads like PrivateLoader and SmokeLoader. The botnet experienced considerable growth, reaching an estimated presence on 250,000 devices daily, but has since declined to between 85,000 and 100,000. A significant compromise in December 2023 forced the threat actors to create a new version of the botnet with different command-and-control infrastructure. PROXY.AM offers various proxy services priced between $126 and $700 per month, appealing to users seeking anonymity. Connected malware efforts, including the Gafgyt botnet's misuse of Docker Remote APIs for DDoS attacks, indicate a broader pattern of weaponizing legitimate technology. Enhanced system management and oversight are essential to mitigate the risks associated with such widespread and adaptable malware threats. |
| 2024-12-09 03:07:33 | theregister | DATA BREACH | Termite Ransomware Gang Attacks Blue Yonder, Data Stolen | The Termite ransomware gang has claimed responsibility for an attack on Blue Yonder, a supply chain SaaS provider, stealing 680 GB of data including sensitive documents and email lists. The stolen email lists are intended for use in future attacks, increasing the risk of subsequent compromises for Blue Yonder's business partners and clients. Blue Yonder's customers, which include Starbucks and major UK grocery chains like Morrisons and Sainsbury's, experienced significant operational disruptions necessitating alternative supply chain solutions. In response to the attack, Blue Yonder has engaged external cybersecurity firms to bolster its defenses and forensic capabilities while assisting impacted customers throughout the restoration process. The cybersecurity company Broadcom reported that Termite likely used a modified version of Babuk ransomware and employs generic tactics such as phishing and exploiting vulnerabilities for network access. Several other significant security incidents reported include a critical vulnerability affecting multiple systems, the exposure of millions of records by Safelinking, and international cybersecurity concerns involving Chinese hackers and Polish use of Pegasus spyware. A Nigerian scammer responsible for a major business email compromise scheme was sentenced to eight years in U.S. prison, emphasizing ongoing global cybersecurity threats. |
| 2024-12-08 17:02:07 | theregister | CYBERCRIME | Insider Threats Fuel Black Market in Chinese Surveillance Data | Chinese insiders, including tech company employees and government workers, are illicitly selling sensitive data. This insider theft exploits data collected for state surveillance, originally intended for censorship and monitoring purposes. A lucrative black market exists in which vast amounts of personal data, including habits and personal details, are traded. Data brokers actively recruit insiders with promises of high pay, further intensifying the breach of privacy. Researchers at Cyberwarcon highlighted the involvement of insiders in compromising even high-profile individuals, including government officials. The stolen data is used not only for frauds and scams but also in morally gray areas like targeted advertising. Western cybersecurity research underestimates the scope and influence of Chinese-speaking cybercriminal networks, according to the security experts. |