Daily Brief
Total articles found: 12820
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-11-21 17:01:24 | bleepingcomputer | CYBERCRIME | Microsoft and DOJ Dismantle Major Phishing Service ONNX | Microsoft, in collaboration with the Justice Department, seized over 240 domains linked to the phishing-as-a-service platform ONNX, which targeted users globally. ONNX, also known as Caffeine, was identified as the leading source of Adversary-in-the-Middle (AitM) phishing attacks in the first half of 2024, according to Microsoft's Digital Defense Report. The platform sold phishing kits on a subscription basis through Telegram for $150 to $550 per month, with capabilities to bypass two-factor authentication. Phishing emails often contained malicious QR codes that redirected victims to fake Microsoft 365 login pages, a tactic known as "quishing." The operation used encrypted JavaScript for obfuscation and bulletproof hosting to prolong the life of phishing domains. The public exposure of ONNX operator Abanoub Nady's identity in June led to the operation's halt. Microsoft aims to deter future cybercrime by seizing malicious infrastructure and raising the cost and complexity of running such services. |
| 2024-11-21 16:25:42 | thehackernews | CYBERCRIME | Over 2,000 Palo Alto Networks Devices Compromised by Hackers | Around 2,000 Palo Alto Networks devices have been compromised through exploitation of newly disclosed security flaws. The infected devices predominantly reside in the U.S. (554) and India (461), with other notable infections in Thailand, Mexico, and other countries. Censys identified 13,324 exposed next-generation firewall management interfaces worldwide, indicating a large potentially vulnerable population. The exploited vulnerabilities, CVE-2024-0012 and CVE-2024-9474, are an authentication bypass and a privilege escalation that together allow attackers to modify configurations and execute malicious code. The campaign, named Operation Lunar Peek by Palo Alto Networks, has seen these vulnerabilities weaponized to deploy malware such as PHP-based web shells. Palo Alto Networks warns that attacks may increase following the public release of an exploit that chains the two vulnerabilities. The company observes both manual and automated scanning activity and stresses the urgent need to apply the latest patches and follow best practices, such as restricting management interface access to trusted internal IP addresses. |
| 2024-11-21 15:55:10 | thehackernews | NATION STATE ACTIVITY | Chinese APT Gelsemium Deploys New Linux Backdoors in Asia | The Chinese APT group Gelsemium has introduced a novel Linux backdoor named WolfsBane, targeting East and Southeast Asia. Cybersecurity firm ESET detected WolfsBane through Linux samples from Taiwan, the Philippines, and Singapore uploaded to VirusTotal in March 2023. WolfsBane is derived from Gelsevirine, a previously known Windows backdoor used since 2014 specifically for cyber espionage. An additional implant, FireWood, is linked to Gelsemium with low confidence and may be shared among several Chinese hacking groups. The primary function of these backdoors is stealthy intelligence gathering: collecting system data and user credentials and accessing specific files and directories, while maintaining persistence. Initial access by Gelsemium is suspected to involve exploiting unknown web application vulnerabilities to gain remote access and deploy malware. Supporting tools such as the BEURK rootkit and the usbdev.ko kernel driver are used to hide traces on compromised Linux systems and execute remote commands. This marks Gelsemium's first recorded use of Linux-oriented malware, reflecting a strategic shift toward Linux as email and endpoint security measures improve. |
| 2024-11-21 15:09:31 | theregister | MALWARE | Critical Security Flaws Found in Ubuntu Server Utility | Qualys discovered five significant vulnerabilities in Ubuntu Server's needrestart utility, which was first introduced in April 2014. The flaws allow unprivileged local attackers to gain root access without user interaction by abusing how needrestart invokes the Python, Ruby, and Perl interpreters. The needrestart utility, which determines whether a restart is necessary after updates, can be manipulated to execute arbitrary shell commands. Despite the severity, Qualys has not released exploit code, citing the high risk and ease of exploitation. All versions of needrestart before 3.8 are vulnerable, potentially affecting millions of Ubuntu Server installations worldwide. Although local access is required, the risk remains high because such access can be obtained via remote access tools, malware, or stolen credentials. Enterprises are urged to update to needrestart 3.8 or later, or to adjust configurations to mitigate the risk, to prevent severe impacts on system integrity and business operations. |
| 2024-11-21 14:38:59 | bleepingcomputer | CYBERCRIME | Fortinet VPN Flaw Allows Stealth Brute-Force Credential Verification | Fortinet VPN has a design flaw that enables attackers to verify login credentials without detection by stopping the login process after authentication. The FortiClient VPN server logs only failed attempts during the authentication phase; successful ones are not recorded unless they proceed to the authorization step. A method developed by Pentera halts the process after credential verification, so incident response teams see only failed login attempts. Even though the brute-force attempts themselves are visible, the flaw creates a false sense of security because successful credential validations go unrecorded, potentially leading to undetected network access. Pentera's findings indicate the weakness could be exploited to sell verified credentials or to stage delayed network breaches. Fortinet was informed of the issue but did not acknowledge it as a vulnerability, and no plans to remedy it have been disclosed. If exploited, the flaw could significantly hamper an organization's ability to respond to and mitigate threats. |
| 2024-11-21 12:27:39 | thehackernews | MISCELLANEOUS | Key Strategies to Enhance Security with Privileged Access Management | Privileged Access Management (PAM) strengthens security by enforcing strict access controls. PAM strategies include enforcing least privilege, automating just-in-time access, and managing third-party access, significantly reducing cybersecurity risk. Comprehensive monitoring of privileged user activity allows early detection of unusual actions, helping prevent security breaches. Automated password management and systematic rotation through PAM mitigate the risk of reused or weak passwords, countering credential-based attacks. PAM supports secure remote access via controlled permissions and multi-factor authentication, protecting hybrid work models. Integrating PAM with SIEM systems improves incident response times and effectiveness. PAM also helps maintain compliance with cybersecurity laws and regulations by producing detailed audit trails and controlling access to sensitive data and systems. |
| 2024-11-21 12:07:15 | thehackernews | NATION STATE ACTIVITY | North Korean Front Companies Imitate U.S. IT Firms To Fund Weapon Programs | North Korean actors have been impersonating U.S. IT companies to bypass international sanctions and fund missile and WMD programs. The scheme uses front companies based primarily in China, Russia, Southeast Asia, and Africa to obscure the true identity of North Korean IT workers. These workers obtain jobs under fake identities in the U.S. and other countries, channeling most of their earnings back to North Korea. In October 2023, the U.S. seized 17 websites used by these front companies, with operations linked to companies in China and Russia. Analysis by SentinelOne identified several new DPRK front companies that copied content from legitimate businesses to appear genuine. U.S. researchers urge businesses to strengthen vetting processes to avoid inadvertently supporting North Korea's illicit activities. The global network of DPRK IT workers is not only engaged in financial fraud but is also connected to malware distribution targeting various sectors. |
| 2024-11-21 11:31:45 | thehackernews | MISCELLANEOUS | The Critical Role of Automated Security Validation in Cybersecurity | Automated Security Validation (ASV) tools provide continuous, real-time evaluation of an organization's security measures, unlike basic vulnerability scanners, which do not account for combinations of vulnerabilities. ASV is necessary to confirm that patched security gaps are truly closed, avoiding the cybersecurity equivalent of "crying wolf": frequent false alarms that desensitize responders to real threats. The article uses the fable of "The Boy Who Cried Wolf" to illustrate the danger of false negatives, where actual threats go unnoticed amid frequent false alerts. The story segues into a modern analogy in which a system administrator believes defenses are secure against a wolf (cyber threat), only to find the measures in place were inadequate. Name resolution poisoning attacks illustrate real-world risk, exacerbated by outdated or improperly configured DNS settings. The article stresses not just setting up defenses but rigorously testing them with ASV tools to confirm their effectiveness against sophisticated attacks. ASV tools work by emulating real attack techniques to validate the security setup continuously, catching and remediating vulnerabilities that a standard approach might miss. |
| 2024-11-21 11:01:17 | thehackernews | CYBERCRIME | Over 145,000 Global ICS Exposures Elevate Cybersecurity Urgency | Over 145,000 Industrial Control Systems (ICS) are currently exposed online globally, with substantial concentrations in the U.S., Europe, and Asia. The findings, by Censys, show 38% of exposures in North America and 35.4% in Europe; the U.S. alone accounts for more than 48,000 exposed devices. Commonly used ICS protocols such as Modbus, IEC 60870-5-104, and CODESYS heighten the risk profile of these systems. Recent incidents include the use of malware such as FrostyGoop against ICS in the energy sector, particularly amid heightened threats since the Russo-Ukrainian conflict. Exposed systems are widely diverse, ranging from water and wastewater management to agriculture; vulnerabilities mainly arise from outdated security practices. The majority of exposed ICS interfaces, notably HMIs, are hosted on mobile or business-grade ISPs, complicating owner identification and remediation. The research underscores the critical need for stronger security measures, including changing default credentials and stringent network monitoring, to prevent attacks. Cooperation from telecommunications providers and continuous improvement of security practices are essential to address the identified exposures efficiently. |
| 2024-11-21 10:40:54 | theregister | MISCELLANEOUS | UK Government Reveals Online Safety Act Strategic Priorities | The UK government has introduced the Online Safety Act to regulate online platforms and eliminate online harms. The Act emphasizes proactive steps by platforms to reduce illegal activity such as terrorism, child exploitation, and illegal content that affects specific demographics. Technology Secretary Peter Kyle emphasized the government's priority to protect children online and to adapt regulations as technology evolves. The regulator Ofcom is empowered with information-gathering, audit, enforcement, and penalty powers to ensure compliance with online safety standards. The government seeks to foster a culture of transparency in which platforms cooperate with Ofcom to mitigate risks and address systemic issues. The Act encourages the development of safety technologies and greater platform accountability. Controversially, Section 122 of the Act involves "accredited technology" for law enforcement access to online content, raising concerns about potential encryption backdoors. Despite assurances, concerns persist about privacy and the integrity of encryption, with significant pushback from stakeholders such as Signal CEO Meredith Whittaker. |
| 2024-11-21 10:30:35 | bleepingcomputer | CYBERCRIME | BlueSky Targeted by Crypto Scams as User Base Surges | BlueSky, a decentralized microblogging platform, has surpassed 20 million users, attracting the attention of cryptocurrency scammers. Scammers are exploiting the platform's growth by posting deceptive content, including a post featuring an AI-generated image of Mark Zuckerberg to promote fake crypto products. Cryptocurrency scams on BlueSky include bogus giveaways and fraudulent trading platforms that imitate legitimate branding and websites. BlueSky's safety team reported receiving over 42,000 complaints in a single day, with a record rate of 3,000 reports per hour covering spam, scams, and trolling. The decentralized nature of BlueSky allows third-party instances that operate independently, posing challenges for content moderation and scam prevention. BlueSky has promised to increase moderation efforts and encourages users to report suspicious activity to manage the influx of scams and undesirable content. The decentralized setup presents unique operational challenges, as third-party instances can boost scam engagement and visibility through SEO tactics. |
| 2024-11-21 09:19:46 | thehackernews | CYBERCRIME | Scattered Spider Gang Indicted for Multimillion-Dollar Cybercrime | Five members of the Scattered Spider cybercrime group were indicted in the U.S. for orchestrating a sophisticated phishing operation to steal sensitive data and cryptocurrency. The group targeted employees at large companies with social engineering to obtain login credentials and unauthorized access to corporate and crypto accounts. The accused face charges including conspiracy to commit wire fraud, conspiracy, and aggravated identity theft, with potential prison sentences totaling up to 27 years. The FBI and U.S. Department of Justice describe the operation as part of a larger trend of increasingly sophisticated phishing attacks causing substantial financial losses. The criminals sent deceptive SMS messages to employees, falsely warning of account deactivation to phish for credentials. Once inside, the gang extracted non-public data and personal identifying information and stole at least $11 million in cryptocurrency. Over 45 companies in the U.S. and other countries, including Canada, India, and the U.K., were targeted. The case highlights the pervasive problem of phishing and its potential to enable other forms of cybercrime such as SIM-swapping and identity theft. |
| 2024-11-21 07:13:34 | thehackernews | MISCELLANEOUS | Google's AI Tool Unearths 26 Security Flaws in Open-Source Code | Google's OSS-Fuzz, an AI-powered fuzzing tool, has identified 26 vulnerabilities across various open-source projects. Its AI-assisted fuzzing led to the discovery of an OpenSSL bug with a CVSS score of 4.3 that had potentially been in the codebase for two decades. The OpenSSL vulnerability, tracked as CVE-2024-9143, could result in application crashes or remote code execution and has since been patched. AI-generated fuzz targets have increased code coverage significantly, facilitating the discovery of hidden flaws. Google used large language models (LLMs) to enhance the fuzzing process, replicating developer workflows and improving automation in vulnerability detection. Alongside the AI work, Google is transitioning to memory-safe languages such as Rust and deploying hardened libc++ to improve the security of its C++ projects. These improvements aim to minimize spatial memory safety vulnerabilities and deliver more secure and reliable software. |
| 2024-11-21 06:38:06 | thehackernews | MALWARE | NodeStealer Malware Escalates Threats to Facebook Ad Accounts | NodeStealer malware, which targets Facebook Ads Manager accounts, can now harvest credit card data from browsers. Developed by Vietnamese actors, the malware evolved from JavaScript to Python, enhancing its data extraction capabilities. Its techniques include unlocking browser database files with the Windows Restart Manager and using batch scripts to execute Python scripts dynamically. The malware specifically avoids infecting systems in Vietnam to evade local law enforcement, suggesting targeted operations. Compromised accounts could be used in malvertising campaigns that use Facebook to spread further infections. NodeStealer also uses Telegram for data exfiltration, highlighting the platform's continued use by cybercriminals. Recent campaigns impersonating trusted brands on Facebook highlight the platform's exposure to such attacks. The broader context includes phishing threats and RAT distribution through creative techniques such as ClickFix, expanding the arsenal of threat actors. |
| 2024-11-21 06:17:44 | theregister | MISCELLANEOUS | Japan Urges Inclusion of Digital Credentials in Wills | Japan's National Consumer Affairs Center encourages citizens to undertake "digital end-of-life planning." The initiative aims to prevent difficulties in managing subscriptions and other digital services after a person's death. Problems arise when relatives cannot cancel services because they do not know the deceased's digital credentials. The Center provides a four-step guide to simplify the management of digital legacies. Digital legacies are becoming more problematic as smartphone and online service usage grows. The concern is that the deceased's recurring charges continue, billing credit cards for unused services. Opportunities have emerged for entrepreneurs with services such as "Dead Man's Switch" apps and Meta's "legacy contact" nomination. |