Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12820

Checks for new stories every ~15 minutes

Title Summary
2024-11-16 15:12:22 bleepingcomputer MALWARE Hackers Target GitHub Repos with Backdoor Code Injection
GitHub projects, including Exo Labs' repository, were targeted by malicious commits aiming to implant backdoors. The attack involved an innocuous-looking pull request that contained hidden malicious code. The code attempted to connect to a non-existent URL to download a payload, indicating a potential smear campaign against a security researcher, Mike Bell. Bell denied involvement, suggesting impersonation; the associated domains and GitHub accounts did not host or serve any real malicious content. Multiple GitHub projects were targeted, with identical pull requests spotted across at least 18 different repositories. Social media and community crowd-sourcing contributed to identifying and addressing the malicious activity. Developers and maintainers are cautioned to review code submissions meticulously, using both automated tools and manual scrutiny to prevent similar incidents. The campaign reflects broader concerns about supply chain attacks on open source projects, echoing the severity seen in recent prominent breaches.
2024-11-16 10:14:52 theregister MISCELLANEOUS Epic Games Engineer Develops Memory-Safe C Variant, Fil-C
Filip Pizlo, a senior director at Epic Games, created Fil-C, a memory-safe version of the C programming language. Fil-C targets full compatibility with C and C++, enabling developers to compile existing code with the new compiler to achieve memory safety. This effort reflects a broader push for memory-safe programming to prevent common vulnerabilities found in many large codebases. While memory-safe languages like Rust are growing in popularity, Fil-C provides an alternative for developers accustomed to C/C++ without requiring a shift to a new language. Currently, Fil-C operates under limitations including slower performance and compatibility only on Linux/x86_64 systems. Despite these drawbacks, Fil-C is open source with components licensed under Apache2 and BSD, potentially facilitating further development and adoption. Pizlo's initiative is part of a larger movement and personal motivation to enhance C and C++ safety without shifting the developer ecosystem to another language like Rust.
2024-11-16 08:23:48 thehackernews CYBERCRIME Critical Zero-Day Exploited in PAN-OS Firewall Interface
Palo Alto Networks confirmed a zero-day vulnerability in PAN-OS firewalls, actively exploited in the wild. The flaw, currently unnumbered, allows for unauthenticated remote command execution with a critical CVSS score of 9.3. Threat actors used the vulnerability to deploy web shells on compromised devices for persistent remote access. While specific exploit details and actor identities remain undisclosed, the exploitation affected a "limited number" of instances. Users are urged to secure firewall management interfaces as patches for the vulnerability have not yet been released. The vulnerability does not affect Prisma Access and Cloud NGFW products but is limited to the PAN-OS web management interface. IP addresses involved in the malicious activities may include third-party VPNs, complicating attribution efforts.
2024-11-16 07:13:03 theregister MALWARE Malware Disguised as Weather App Spreads Through Swiss Postal System
Switzerland's National Cyber Security Centre (NCSC) has issued an alert regarding malware spread via the country's postal service in letters appearing to originate from the Federal Office of Meteorology and Climatology. Citizens are deceived into scanning a QR code to download a counterfeit "Severe Weather Warning App" named "AlertSwiss," a spoof of the legitimate Alertswiss app. The fake app, not available on the official Google Play Store but hosted on a third-party website, carries the Coper trojan, known for keylogging, intercepting authentication messages, and targeting banking applications. Malware delivery via physical mail has not been previously observed by the NCSC, an unusual twist on the digital channels usually used for such scams. The cost of mailing these deceptive letters is relatively high, suggesting a targeted approach aimed at specific high-value individuals, in contrast to the wide reach and minimal expense of digital methods such as email. The NCSC has been made aware of only a limited number of cases, since Switzerland has no mandatory universal reporting requirement for such incidents. Using physical mail to deliver malware via QR codes is a novel but costly method, potentially yielding high returns from wealthy targets.
2024-11-16 06:32:33 thehackernews MALWARE DEEPDATA Malware Targets VPN Credentials via Fortinet Flaw
BrazenBamboo exploited an unpatched flaw in Fortinet's FortiClient to steal VPN credentials using malware called DEEPDATA. The zero-day vulnerability allows for the extraction of sensitive user data directly from the memory of the compromised VPN client. DEEPDATA is a comprehensive spying toolkit for Windows, equipped to harvest data from various communication platforms and apps like WhatsApp and Telegram. The malware employs a DLL loader for deploying multiple plugins, including a specific one designed to capture Fortinet VPN client credentials. Despite Volexity reporting the vulnerability to Fortinet in July 2024, the security flaw remains unresolved. DEEPDATA, along with another tool called DEEPPOST, expands BrazenBamboo’s capabilities for cyber espionage, adding to their existing toolkit which previously included LightSpy. The architecture and operational methods of these tools suggest backing by a sophisticated entity, likely for governmental cyber operations.
2024-11-16 00:59:43 theregister CYBERCRIME Bitcoin Laundering Operator Sentenced, Forfeits $400 Million
Larry Dean Harmon, operator of the Helix cryptocurrency mixer, has been sentenced to three years in prison for his role in laundering over 354,468 bitcoins, valued at around $311 million at the time of the transactions. Harmon operated Helix in association with the Grams dark-web search engine; Helix was specifically designed to obscure the origins of bitcoin transactions, often linked to criminal activities. His involvement escalated when he partnered with Alphabay, a major illegal goods marketplace on the dark web, which was shut down by law enforcement in July 2017. Harmon was arrested in February 2020 and faced multiple charges including money laundering and operating without a license; he pleaded guilty in August 2021, agreeing to forfeit over 4,400 bitcoins and other assets. The seized assets included cryptocurrencies, real estate, and a monetary sum exceeding $311 million, in addition to a $60 million fine imposed by the US Treasury's Financial Crimes Enforcement Network. The case highlighted the risks and illegal activities associated with cryptocurrency mixers and influenced proposed regulatory changes by FinCEN to increase oversight of such services. Harmon's younger brother, Gary, was also sentenced to over four years in prison for accessing and stealing additional bitcoins from a seized cryptocurrency storage device.
2024-11-16 00:09:07 theregister MISCELLANEOUS Exploring the Risks of Jailbreaking AI-Controlled Robots
Researchers have identified significant vulnerabilities in robots controlled by large language models (LLMs), which can be exploited to perform unauthorized actions. Robot maker Boston Dynamics' integration of ChatGPT with its Spot robot has demonstrated potential security risks, as LLMs can be manipulated via jailbreaking. An academic team from the University of Pennsylvania devised a technique called RoboPAIR, proving that robots equipped with LLMs can be commandeered to execute dangerous tasks. Black-box, gray-box, and white-box attacks have all succeeded in manipulating robotic actions, raising concerns about the security measures needed for robotic LLM applications. The researchers highlighted the urgent need for defensive mechanisms that prevent robots from carrying out harmful physical actions. These findings contribute to ongoing discussions about ethical AI usage and the potential risks of AI in autonomous physical systems. A related incident, in which the robo-taxi company Cruise was fined for misreporting an accident, underscores further concerns about automated systems and public safety.
2024-11-15 22:07:47 bleepingcomputer NATION STATE ACTIVITY NSO Group Continues Use of WhatsApp Exploits Despite Legal Challenges
NSO Group utilized undisclosed zero-day exploits, including one named "Erised," to infiltrate WhatsApp and deploy Pegasus spyware on user devices. The exploitation facilitated surveillance operations, enabling clients to monitor and extract information from compromised mobile devices through zero-click attacks. WhatsApp countered by issuing security patches in 2018 and 2019, which initially disrupted NSO's access but failed to prevent subsequent exploits such as "Eden." NSO Group admitted to developing and selling spyware that leveraged WhatsApp vulnerabilities against approximately 1,400 devices, primarily through the "Eden" zero-click install vector. Despite a lawsuit filed by WhatsApp in October 2019, NSO continued to deploy and refine Pegasus installation vectors, developing new exploits after the lawsuit was filed. WhatsApp implemented additional changes by May 2020 that further restricted NSO's access, following the acknowledgment of the "Erised" exploit. NSO's operations involved minimal client interaction, as the spyware's installation and data extraction processes were entirely managed by NSO's systems. The use of NSO's spyware has had international repercussions, including surveillance of government officials, journalists, and activists, leading to sanctions and additional lawsuits against NSO for misuse of its technology.
2024-11-15 21:12:02 theregister CYBERCRIME Critical Zero-Day in Palo Alto Firewall Actively Exploited
A zero-day vulnerability in Palo Alto Networks' firewall management interface allows remote code execution without user interaction. Currently unpatched, the flaw has a CVSSv4.0 rating of 9.3 and requires immediate mitigation by restricting management interface access. Attackers can potentially take control of affected firewalls, gaining deeper network access if they can reach the management interfaces. Palo Alto Networks advises customers to limit management interface access to trusted, internal IPs and avoid exposing it to the open internet. An official fix and threat prevention signatures are in preparation, with immediate security hardening recommended until patches are available. Other unrelated vulnerabilities in Palo Alto Networks products were recently added to the CISA Known Exploited Vulnerabilities Catalog, highlighting ongoing security challenges. Customers are urged to verify that all network devices are correctly configured and regularly check the Palo Alto customer support portal for updates on vulnerability status.
2024-11-15 19:40:59 bleepingcomputer MALWARE Malware Botnet Targets End-of-Life GeoVision Devices for Attacks
A malware botnet is exploiting a zero-day vulnerability (CVE-2024-11120) in GeoVision devices, which are end-of-life and unsupported. The critical security flaw allows unauthenticated remote attackers to execute arbitrary system commands on the devices. Approximately 17,000 GeoVision devices are currently exposed online and vulnerable, with nearly 9,100 in the U.S. alone. The exploited vulnerability is leading to devices being co-opted into botnets for DDoS attacks or cryptomining activities. The Shadowserver Foundation, a threat monitoring entity, identified and reported the ongoing exploitation of this flaw. There are no expected vendor updates for these devices due to their end-of-life status, leaving them permanently at risk. Recommended immediate actions include resetting devices, changing default passwords, disabling remote access, and isolating the devices on secure networks.
2024-11-15 19:25:33 theregister DATA BREACH AnnieMac Reports Data Breach Affecting 171,000 Customers
American Neighborhood Mortgage Acceptance Company, known as AnnieMac Home Mortgage, reported a data breach impacting 171,000 customers. The breach occurred between August 21 and 23, with intruders viewing and potentially copying customer names and Social Security numbers. AnnieMac has not found any evidence of the compromised data being misused on the dark web or elsewhere. The company has implemented additional security measures and reported the incident to state and federal regulators. Affected customers have been offered 12 months of credit monitoring and identity theft protection. AnnieMac offers a range of mortgage products across the U.S., including specialized programs for lower-income or less creditworthy buyers. The breach involved less sensitive information compared to a previous industry incident but still poses significant risks such as potential credit damage. AnnieMac emphasizes the confidentiality, privacy, and security of personal information as a top priority and has taken steps to enhance protections against future incidents.
2024-11-15 18:54:44 bleepingcomputer MISCELLANEOUS FTC Reports Significant Drop in Unwanted Telemarketing Complaints
The U.S. Federal Trade Commission announced a more than 50% drop in consumer complaints about unwanted telemarketing calls since 2021. In 2024, the FTC received 1.1 million robocall complaints, a decrease from the over 3.4 million reports logged in 2021. Most complaints in 2024 focused on unsolicited calls regarding medical and prescription issues, with over 170,000 cases reported. Other common complaints included issues related to imposters, debt reduction, energy and utilities, and home improvement. The reduction in complaints correlates with the FTC's ongoing efforts to enforce the National Do Not Call (DNC) Registry, which now includes 254 million active registrations. The FTC has launched Operation Stop Scam Calls and issued new rules against telemarketing fraud, including government or business impersonation and expanding protections under the Telemarketing Sales Rule. Ongoing initiatives also address AI-driven telemarketing scams, including a challenge to mitigate the use of AI for voice cloning and deepfakes.
2024-11-15 17:58:44 thehackernews NATION STATE ACTIVITY Iranian Hackers Use WezRat Malware in Espionage Against Israel
An Iranian state-backed group known as Cotton Sandstorm is using WezRat malware to target Israeli organizations. Cybersecurity firm Check Point identifies WezRat as capable of stealing data, keylogging, and executing remote commands. WezRat is distributed via phishing emails carrying fake security updates, masquerading as communications from the Israeli National Cyber Directorate. The attack uses trojanized Google Chrome installers that install the malware alongside the legitimate browser. The malware connects to command-and-control servers to receive further malicious instructions and updates. Check Point's analysis reveals ongoing development and refinement of WezRat, indicating a significant investment in cyber espionage capabilities. WezRat's features have evolved from basic remote access to complex functionality including screenshot capturing and modular keylogging. The activities of the group, also tracked as Emennet Pasargad, pose a broader security threat across the U.S., Europe, and the Middle East.
2024-11-15 16:37:41 bleepingcomputer CYBERCRIME Hacker Sentenced for 2016 Bitfinex Bitcoin Theft Worth Millions
Ilya Lichtenstein was sentenced to five years in prison for stealing 119,754 Bitcoin from Bitfinex in 2016, valued at $3.6 billion at the time of recovery. Arrested in Manhattan in February 2022, Lichtenstein faced money laundering charges involving complex schemes such as using fictitious identities and transaction-automating tools. The FBI, IRS, and HSI led the investigation, successfully recovering approximately 94,000 Bitcoin, around 80% of the stolen assets. The hacking involved exploiting a vulnerability in Bitfinex's multi-signature withdrawal system, allowing unauthorized transactions and theft of user credentials. Following the hack, Lichtenstein meticulously attempted to obscure his activities by deleting key log files and dispersing the stolen funds across various accounts and darknet platforms. His operation grew by 2019, utilizing thousands of intermediary addresses and mixing services to launder the money. Lichtenstein's sentencing includes three years of supervised release post-prison; his wife, Heather Morgan, also implicated, will be sentenced in November 2024. Affected parties have an opportunity to claim restitution for the seized assets, including various cryptocurrencies and gold coins, under Federal Rules of Criminal Procedure.
2024-11-15 15:57:05 theregister MISCELLANEOUS Discover Simplified Endpoint Security Strategies in Upcoming Webinar
Experts from Kaseya will host a webinar to discuss streamlining endpoint security across diverse devices, from laptops to IoT devices. The session, scheduled for November 20th, aims to show how using a unified platform can reduce the complexity and time involved in managing endpoint security. Sam Duckett and Tim Phillips will explore the advantages of integrating multiple security tools into one platform, enhancing overall protection and efficiency. Key webinar topics will include simplification of endpoint management, automation of security and backup processes, and leveraging integrated solutions for improved security outcomes. Attendance will provide insights into transforming your organization's security posture while minimizing operational challenges. Registration is required to attend the webinar, which is sponsored by Kaseya.