Daily Brief


Total articles found: 12818


2024-10-30 22:25:12 bleepingcomputer DATA BREACH Interbank Confirms Extensive Data Breach After Hacker Exposes Data
Interbank, a major Peruvian financial institution, has confirmed a significant data breach after a hacker leaked sensitive customer data online. The breach exposes personal and financial information of numerous customers, including full names, account IDs, birthdates, and more critical data such as credit card numbers and credentials. The hacker, using the alias "kzoldyck," claims responsibility, stating they stole the information of over 3 million customers totalling more than 3.7 TB of data. In response, Interbank implemented enhanced security measures and reassured customers that their deposits and other financial products are safe. Although most operational channels have been restored, some services were disrupted throughout the day, as they were in a previous outage reported two weeks ago. The hacker also attempted to extort the bank, but negotiations failed, leading to the public data leak. The exact number of affected customers has not been disclosed; investigations and security reviews are underway to fully address the breach.
2024-10-30 21:34:10 theregister MALWARE Windows Themes Bug Risks NTLM Credential Theft; Free Patch Issued
A zero-day vulnerability in Windows Themes allows NTLM credential theft. Acros Security has released a free micropatch to address the issue before Microsoft issues an official fix. The vulnerability involves the NTLM authentication protocol used within Microsoft environments. Despite a patch for a similar issue earlier this year, researchers discovered a method to bypass that fix by manipulating theme files without opening them. Microsoft has acknowledged the problem and stated it is working to protect users. The new variant of the bug affects all fully updated Windows versions, including the latest Windows 11 24H2. Users can mitigate the risk by applying Acros Security's micropatch immediately, which covers both legacy and currently supported Windows versions.
2024-10-30 17:39:33 bleepingcomputer CYBERCRIME QNAP Releases Patches for Zero-Day Vulnerabilities Identified at Pwn2Own
QNAP has patched a critical SQL injection vulnerability identified during the recent Pwn2Own contest. The security flaw, designated CVE-2024-50387, was present in QNAP's SMB Service, with patches now available for versions 4.15.002 and later. The vulnerability was exploited by researchers from YingMuo, allowing them to gain unauthorized root access to a QNAP TS-464 NAS device. This update follows the recent patch of another zero-day exploited by the Viettel Cyber Security team, which also targeted QNAP NAS devices during the same event. Team Viettel emerged as the winners of Pwn2Own Ireland 2024, which showcased over 70 new zero-day exploits, with total prizes topping $1 million. QNAP advises users to promptly update their NAS device software via the App Center in the QuTS hero or QTS admin panels. Rapid patching is crucial for QNAP devices, which are frequent targets for cyberattacks ranging from ransomware to data theft because of their role in data backup and storage.
2024-10-30 15:57:16 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Utilize Play Ransomware in Cyber Operations
The North Korean state-sponsored group Andariel has been linked to Play ransomware attacks, possibly as an affiliate or an initial access broker. Andariel, known for cyber espionage and financially motivated attacks, operates under North Korea's military intelligence. The group established its presence on targeted networks months before ransomware was deployed, relying on credential theft and network-control tactics. The U.S. is offering $10 million for information on an Andariel member linked to the earlier Maui ransomware attacks, which affected critical infrastructure in multiple countries. Unit 42 suggests a connection between Andariel's network compromise and the Play ransomware deployment based on the similar malicious activity it observed. North Korean hackers are engaging with ransomware operations to circumvent international sanctions, a tactic also noted in Russian and Iranian cyber activity.
2024-10-30 15:46:46 thehackernews NATION STATE ACTIVITY North Korean Group Joins Forces with Play Ransomware in Major Cyber Attack
The North Korean threat actor Jumpy Pisces has been implicated in deploying Play ransomware between May and September 2024. According to Palo Alto Networks Unit 42, this marks the first collaboration between North Korea's state-sponsored hackers and a ransomware network. Play ransomware had affected around 300 organizations as of October 2023 and operates outside a ransomware-as-a-service model. Symantec observed attacks by the same North Korean group on three US organizations in August 2024 that focused on financial gain without actual ransomware deployment. Initial access was obtained via a compromised user account, followed by use of the Sliver C2 framework and the Dtrack backdoor for lateral movement and persistence. Pre-ransomware behavior included credential harvesting, privilege escalation, and disabling endpoint detection and response (EDR) sensors. Communication with the control server ended a day before the ransomware was deployed, suggesting coordinated attack timelines. It remains uncertain whether Jumpy Pisces has become a Play ransomware affiliate or merely facilitated the initial network access.
2024-10-30 15:15:51 theregister CYBERCRIME Ex-Disney Employee Charged with Dangerous Menu Hacking
Michael Scheuer was arrested under the Computer Fraud and Abuse Act for hacking into Disney's systems to alter restaurant menus. Scheuer, previously fired for misconduct as Disney's menu production manager, used his still-active credentials after termination. He changed fonts to Wingdings, making the menus unreadable and disrupting operations for weeks. Besides the font sabotage, Scheuer redirected menu QR codes to a politically charged website and deleted critical allergen information from menus. He is also accused of conducting DoS attacks against former Disney colleagues and possessing personal information about them and their families. Law enforcement tracked Scheuer's activities through IP records linked to Mullvad VPN, which he had also used during his employment. Potentially deadly consequences from the altered allergen information were avoided because Disney identified and isolated the altered menus. Scheuer faces up to 15 years in prison if convicted; he remains in jail awaiting a bond hearing.
2024-10-30 14:54:46 bleepingcomputer MALWARE Android FakeCall Malware Redirects Bank Calls to Scammers
Android's FakeCall malware has evolved to hijack outgoing bank calls, redirecting them to attackers' numbers. Originally detected by Kaspersky in 2022, FakeCall now impersonates over 20 financial institutions. The malware tricks users by displaying a fake call interface that mimics real Android dialer screens, showing legitimate bank numbers while connecting to scammers. New versions employ advanced evasion tactics and can capture audio and video, increasing the risks of sensitive data theft. Zimperium's March 2023 analysis reveals that FakeCall uses Android’s Accessibility Service to gain deep control over user interfaces and simulate user actions. Additional functionalities in development include Bluetooth listening and monitoring screen activity, indicating continuous advancement by its operators. The malware operators are continually updating attack mechanisms, making it harder to detect and prevent. Users are advised to avoid sideloading APKs and rely on Google Play for installations to minimize the risk of such infections.
2024-10-30 14:03:37 bleepingcomputer CYBERCRIME Hackers Steal Thousands of Cloud Credentials in Phishing Scheme
Hackers known as “EmeraldWhale” scanned for exposed Git configuration files and stole over 15,000 cloud account credentials. The attackers targeted private Git repositories on platforms such as GitHub, GitLab, and BitBucket using automated scanning tools. The exposed configuration files contained sensitive data such as API keys and access tokens, which were then used to access and download other confidential resources. The stolen credentials were used in phishing and spam campaigns and were also sold directly to other cybercriminals. Sysdig, which uncovered the operation, noted that the credentials were exfiltrated to Amazon S3 buckets owned by other unsuspecting victims. The large-scale operation scanned approximately 500 million IP addresses and was carried out with basic open-source tools. To prevent further incidents, developers are advised to use secret management tools and configure sensitive settings through environment variables rather than hardcoding them in source files. The simplicity of the operation contrasts with its significant impact, highlighting the need for better practices in handling and storing sensitive configuration files.
2024-10-30 13:48:06 bleepingcomputer MISCELLANEOUS FBI Cautions Against Election-Related Financial Fraud Schemes
The FBI has issued a warning about multiple fraud schemes leveraging the upcoming U.S. general election. Scammers impersonate legitimate candidates and political movements to solicit donations or sell merchandise, often not delivering on promises. The schemes primarily aim to steal money and personal data, including personally identifiable information. The fraud types include unsolicited campaign contributions requests and pump-and-dump cryptocurrency scams exploiting political figures. The public is advised to approach unsolicited communications with skepticism, verify political affiliations via official sources, and never treat campaign donations as investments. Reporting fraudulent activities to the Internet Crime Complaint Center (IC3) is essential for stopping scammers and protecting potential victims.
2024-10-30 13:06:59 thehackernews MALWARE Opera Web Browser Patch Fixes Critical Security Flaw
A severe security vulnerability in Opera allowed malicious extensions unrestricted access to private browser APIs. Exploiting the vulnerability enabled screenshot capture, browser setting alterations, and account hijacking. Researchers published a benign-looking extension on the Chrome Web Store to demonstrate exploitability via a cross-browser store attack. The flaw affected Opera's privileged subdomains, which interact with features such as Opera Wallet and Pinboard. Malicious browser extensions could potentially redirect users to malicious websites, enabling adversary-in-the-middle attacks. Opera resolved the issue following a responsible disclosure process, underscoring the ongoing challenge of balancing productivity and security. Guardio Labs highlighted the need for more robust monitoring and real identity verification for developers in the browser extension ecosystem.
2024-10-30 13:01:41 thehackernews MALWARE Ongoing Malvertising Campaign Exploits Facebook to Spread SYS01stealer Malware
Cybersecurity researchers identified a malvertising campaign utilizing Meta's ad platform to hijack Facebook accounts and disseminate SYS01stealer malware. Attackers used nearly a hundred malicious domains for malware distribution and live command and control operations. The main goal of SYS01stealer is to harvest Facebook ad and business account data along with login credentials, browsing history, and cookies. The malware propagates further through deceptive ads generated from the compromised accounts, targeting primarily men aged 45 and above. Distribution methods include malvertising on major social platforms with ads camouflaged as benign applications such as Windows themes, VPNs, and movie services. Initial infection involves a multi-stage process starting with a benign executable in a ZIP archive, followed by malicious actions to avoid detection and establish persistence. Attackers adapt tactics regularly to evade security measures set by cybersecurity entities, complicating detection and response efforts.
2024-10-30 12:46:04 theregister NATION STATE ACTIVITY Russian SVR Implements Novel Phishing with RDP Files
Russia's SVR, identified by Microsoft as the Midnight Blizzard group, has launched a mass phishing campaign using a novel method involving Remote Desktop Protocol (RDP) configuration files. This campaign targets thousands from over 100 organizations including governments, academia, NGOs, and defense sectors, marking a deviation from the usual highly-targeted phishing attempts. The RDP files attached in the phishing emails, once executed, establish a connection to a Midnight Blizzard-controlled system allowing significant data and resource access from the victim’s system. Microsoft's analysis revealed that the RDP configuration permits extensive data exposure including access to hard disks, clipboard, printers, and authentication features, potentially allowing malware installation and sustained unauthorized access. The phishing campaign was first detected on October 22 and involves emails in Ukrainian, targeting primarily entities in the UK, Europe, Australia, and Japan. The infrastructure used in these attacks suggests planning since at least August, with some phishing attempts mimicking major tech providers like Microsoft to increase perceived legitimacy. No specific details on the success of the attacks, types of malware possibly installed, or the exact nature of the data targeted have been disclosed by Microsoft, Amazon, or CERT-UA.
2024-10-30 11:03:30 thehackernews MALWARE Malicious Python Package Targets Crypto Wallets Via Fake Tools
Cybersecurity professionals identified a harmful Python package, "CryptoAITools", designed to look like a cryptocurrency trading assistant but aimed at stealing data and cryptocurrency assets. The malicious package, downloaded over 1,300 times from PyPI and from fraudulent GitHub repositories, hides its intent behind a fake graphical user interface (GUI). On installation, code in the package's "__init__.py" file detects the operating system and covertly launches the malicious activity. It then initiates a multi-stage infection process, including downloading additional payloads from a fraudulent website made to appear legitimate, which expands its malicious capabilities dynamically. The malware harvests extensive personal and sensitive information, including credentials from crypto wallets, browsing histories, and locally stored files across multiple operating systems. After collecting data, it uploads the stolen information to the file transfer site gofile.io and then removes the local copy, reducing traces of its activity. The threat extends to another GitHub repository named "Meme Token Hunter Bot," which pushes the same stealers, showing a multi-platform strategy intended to extend reach and exploit different user bases. The impact reaches beyond individual users to the wider cryptocurrency community, posing severe threats to data security and asset safety.
2024-10-30 10:32:50 thehackernews MISCELLANEOUS How Intruder Enhances Compliance with Automated Tools
Intruder streamlines compliance for frameworks like ISO 27001, SOC 2, and GDPR through automated vulnerability scanning. The platform primarily simplifies security management by supporting continuous scanning across applications, cloud, and network environments. Automated reporting features ensure audit-ready reports, reducing administrative burden and time involved in complying with necessary frameworks. Continuous monitoring by Intruder detects new threats shortly after they emerge and adjusts protection based on network changes, enhancing overall security posture. Integrations with tools like Drata and Vanta aid in the automation of evidence collection, further easing the compliance process. Intruder addresses the specifics of major compliance frameworks, offering tailored support that ensures customers meet regulatory requirements efficiently. This proactive approach to compliance and vulnerability management by Intruder helps organisations safeguard customer data more effectively.
2024-10-30 08:35:14 theregister NATION STATE ACTIVITY China Accuses Foreign Powers of Seabed Espionage in its Waters
China's Ministry of State Security has alleged foreign entities are using underwater devices for espionage in Chinese maritime areas. These devices reportedly function as "secret sentinels" and "underwater lighthouses", collecting data and guiding foreign submarines. The ministry claimed to have seized various espionage devices from the sea floor and has accused these devices of threatening national security. Similar accusations of maritime espionage by China surfaced in May, focusing on jeopardizing national security through covert operations. China asserts sovereignty over nearly the entire South China Sea, leading to conflicts with neighboring countries over territorial rights. The report also highlights China’s rapidly growing navy and its potential implications for regional power dynamics and U.S. influence. Previous incidents, including the sighting of a spy balloon over the U.S., and China's military exercises around Taiwan, underscore ongoing tensions. The ministry has vowed to defend China's sovereignty, security, and development interests against such espionage activities.