Daily Brief
Find articles below; each row carries a generated summary of the story
Total articles found: 12817
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-10-29 05:57:24 | thehackernews | MALWARE | Persistent Spectre Flaws Found in Latest AMD and Intel CPUs | New research from ETH Zürich shows that current AMD and Intel processors remain vulnerable to speculative execution attacks despite years of mitigations. A microcode bug on Intel and implementation issues on AMD allow the Indirect Branch Predictor Barrier (IBPB) to be bypassed, so stale branch predictions survive the barrier that is supposed to invalidate them. Speculative execution attacks abuse CPU performance features to leak sensitive data through mispredicted branches. Intel has released a microcode patch for the issue, tracked as CVE-2023-38575, while AMD tracks it as CVE-2022-23824; both vendors urge users to update. The researchers describe the result as an "end-to-end cross-process Spectre leak", underscoring how hard it is to close speculative execution side channels. The report also notes new RowHammer-related techniques that could infer system utilization and ambient temperature, adding further security and privacy risks. The findings emphasize the ongoing need for robust defenses against hardware-level exploits, including on systems that receive regular updates. |
| 2024-10-28 21:03:10 | bleepingcomputer | CYBERCRIME | New Tool Circumvents Google Chrome’s Enhanced Cookie Security | Security researcher Alexander Hagenah has released a tool that bypasses Google Chrome's App-Bound encryption, the protection intended to make saved cookies harder to steal. The tool, "Chrome-App-Bound-Encryption-Decryption", can extract the credentials and cookies saved in Chrome. Google introduced App-Bound encryption to shield users from infostealer malware: decrypting the cookie store now requires SYSTEM privileges, which malware running as the logged-in user does not normally have. Infostealer developers nonetheless adapted quickly and continue to steal data from Chrome users. Publishing the tool on GitHub makes it available for education but also for misuse, widening the risk to Chrome users. Google says it will keep working with OS and antivirus vendors to detect and mitigate such threats more reliably while continuing to strengthen the defense. Expert analysis is that Google has raised the bar for attackers, but the sophistication of current methods means user data can still be exposed. |
| 2024-10-28 20:47:36 | theregister | CYBERCRIME | JPMorgan Chase Sues Fraudsters Over ATM Check Scam | JPMorgan Chase is suing individuals and entities that exploited a technical glitch in its ATM systems that allowed fake check deposits to be followed by large cash withdrawals. The scam, popularized on social media platforms such as X and TikTok, involved depositing counterfeit checks and withdrawing the funds before the checks were flagged as fraudulent. Lawsuits have been filed in federal courts in Texas, Florida, and California against several parties accused of taking significant sums from the bank. One Texas case concerns a man who allegedly used a fake check to withdraw more than $290,000. A Chase spokesperson said fraud undermines trust in the banking system and that the bank will work with law enforcement to hold those responsible accountable. The amounts claimed in the lawsuits range from about $80,000 to nearly $300,000 per defendant. |
| 2024-10-28 20:06:35 | theregister | NATION STATE ACTIVITY | Investigation of China’s Salt Typhoon Targets US Telecoms and Politicians | U.S. federal agencies are investigating cyber-espionage by Salt Typhoon, a group linked to the Chinese government, which is suspected of infiltrating major American telecom providers. Salt Typhoon is also accused of targeting the phones of senior U.S. political figures, including Democratic presidential candidate Kamala Harris and Republican candidate Donald Trump and his running mate JD Vance. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have notified the affected companies and are helping them harden their networks against further intrusions. Media reports name Verizon, AT&T, and Lumen Technologies as victims, with the intrusions reportedly reaching the systems used to fulfil lawful wiretap requests; the companies have not publicly commented. U.S. lawmakers are pressing the carriers to disclose how the breaches were discovered and what they have done since to secure their networks. The operation is viewed as a significant escalation in Chinese cyber activity, and several investigations into the extent of the data compromised are still pending. The U.S. government and industry partners are working to mitigate the threat and strengthen security across the national communications infrastructure. This sits against a backdrop of repeated U.S. allegations of Chinese cyberattacks and disruptive technology deployments, which China denies, attributing such claims to geopolitical tension. |
| 2024-10-28 18:39:34 | bleepingcomputer | NATION STATE ACTIVITY | Russian Cyber Espionage Targets Ukrainian Conscripts | Russian threat group UNC5812 is running a combined espionage and influence campaign against Ukrainian military recruits using both Windows and Android malware. Operating under a "Civil Defense" persona, the campaign advertised software that supposedly helps users avoid recruitment; the delivered app, "Sunspinner", is a decoy map whose real purpose is to get the malware installed. The payloads are Pronsis Loader on Windows, which fetches additional malicious components, and CraxsRAT on Android, which gives the operators extensive spying capabilities. Google discovered the campaign and has added protections, including updates to Google Play Protect and blocking of the malicious domains and files through Safe Browsing in Chrome. The fake Civil Defense persona accumulated 80,000 followers on Telegram and used a website to spread anti-recruitment narratives among Ukrainian citizens. The Android app walks victims through disabling Google Play Protect and granting broad permissions, which the malware needs to operate. The campaign does not yet support iOS or macOS, but the persona has indicated plans to target Apple platforms. |
| 2024-10-28 17:47:55 | bleepingcomputer | DATA BREACH | Major French ISP Free Confirms Significant Data Breach | Free, France's second-largest ISP, has confirmed a data breach that exposed customers' personal data. The breach affects approximately 19.2 million customers and includes more than 5.11 million IBANs. The stolen data covers subscribers of both mobile and fixed-line services and has been put up for auction on BreachForums. Free has notified the relevant authorities, including CNIL and ANSSI, and says it has taken steps to secure its systems. Affected customers are being informed by email, and no impact on service operations has been reported. The data includes IBANs but not passwords, bank card details, or the content of communications such as emails or messages. Free advises customers to watch for unauthorized transactions and to be wary of phishing attempts that use the leaked details. A criminal complaint has been filed, and the investigation is ongoing, with further updates expected. |
| 2024-10-28 17:30:15 | thehackernews | NATION STATE ACTIVITY | Evasive Panda Employs CloudScout to Hijack Cloud Data in Taiwan | Evasive Panda, a China-linked cyber espionage group, has targeted entities in Taiwan with a previously undocumented toolset called CloudScout. CloudScout steals browser session cookies and replays them to access data in cloud services such as Google Drive, Gmail, and Outlook, sidestepping the password and MFA step entirely. The toolset consists of 10 modules and is delivered as plugins for MgBot, Evasive Panda's primary malware framework. The observed activity ran from May 2022 to February 2023; CloudScout is written in C# and is deployed by MgBot plugins written in C++. It packages the stolen data into ZIP archives for exfiltration. Because the toolset depends on stolen cookies, defenses such as Google's Device Bound Session Credentials (DBSC), which tie a session to the device that created it, could blunt this tactic once widely deployed. Evasive Panda is known for varied intrusion methods, including exploiting newly disclosed vulnerabilities and DNS poisoning to break into networks. The activity fits a broader pattern of Chinese state-sponsored reconnaissance against government and non-government entities worldwide. |
| 2024-10-28 16:08:16 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Breach US Telecoms in Suspected Espionage | The FBI and CISA have disclosed breaches of U.S. telecommunications providers by Chinese state-linked hackers. Affected companies were notified promptly and offered technical assistance for their response. The investigation ties the activity to the group known as Salt Typhoon and points to espionage as the motive. The intruders accessed systems used for lawful interception of communications, which carries significant security implications. U.S. authorities are urging organizations that may be affected to report incidents and strengthen their defenses. Related espionage activity has been observed against Canada, largely in the form of broad network scanning. The U.S. and Canada are stepping up cybersecurity measures and collaboration in response. The ongoing investigations form part of a wider effort to secure communications infrastructure ahead of the U.S. presidential election. |
| 2024-10-28 15:47:36 | theregister | CYBERCRIME | Criminals Market Stolen Credit Cards on Meta's Threads Platform | Criminals are openly selling stolen credit card details and other sensitive personal information on Meta's Threads platform. Researchers at SpyCloud found at least 15 accounts with a combined 12,000-plus followers engaged in the trade, posting complete card data, Social Security numbers, and other PII. Meta says it is taking action against violating accounts, but security experts argue that the moderation is insufficient. The advertisements also surfaced on Instagram, suggesting Meta's recommendation algorithms may be inadvertently amplifying them. Sellers typically post partial data on Meta's platforms as a teaser, then move buyers to messaging apps such as Telegram to complete the sale. Despite Telegram's crackdown on criminal activity following legal pressure, the sellers have found other places to advertise but still close sales through Telegram. The abuse of Threads' polling feature to crowdsource checks on whether stolen card numbers still work shows how quickly carding tactics adapt to new platforms. |
| 2024-10-28 14:20:17 | theregister | CYBERCRIME | Delta Sues CrowdStrike for $500M Over Global IT Outage | Delta Air Lines has sued cybersecurity firm CrowdStrike to recover roughly $500 million in losses from the July IT outage. The outage caused around 7,000 flight cancellations and affected more than 1.3 million customers, prompting several class-action lawsuits. Delta alleges that the CrowdStrike Falcon sensor update was not adequately tested before release, causing widespread system failures. CrowdStrike disputes this, arguing that Delta's outdated IT infrastructure was the main reason for its prolonged recovery. Microsoft has also rejected claims linking it to the outage, criticizing Delta's systems and calling the allegation that Windows caused the outage "false." CrowdStrike says it offered Delta on-site support after the outage; Delta contends the offer came too late to help. The U.S. Transportation Department is investigating the incident and Delta's slow recovery, which Transportation Secretary Pete Buttigieg called "unacceptable." Delta also faces public complaints and the task of restoring operational stability and customer trust. |
| 2024-10-28 14:04:38 | thehackernews | NATION STATE ACTIVITY | Russian Espionage Campaign Targets Ukrainian Military via Telegram | A Russian operation tracked as UNC5812 uses a Telegram channel and a website to spread malware aimed at the Ukrainian military while also trying to shape public perception. The malware comes in Windows and Android variants and is delivered through a decoy map app called SUNSPINNER. On Android, the app instructs victims to disable Google Play Protect and grant it broad permissions, after which the embedded RAT can control the device and harvest data. The operation poses as a civil defense resource and pushes anti-mobilization narratives in an effort to undermine Ukrainian recruitment. The tools include Pronsis, a PHP-based loader, and CraxsRAT, an Android remote access trojan. UNC5812's tactics illustrate Russia's use of cyber operations for cognitive warfare and the central role of messaging apps in malware distribution. Following discovery and public exposure, the operation temporarily halted and its assets and operation were put up for sale to another actor. |
| 2024-10-28 13:53:58 | thehackernews | MALWARE | North Korean Malware Targets Developers via npm Packages | Three npm packages identified in September 2024 were found to carry BeaverTail, malware linked to North Korea's Contagious Interview campaign. BeaverTail acts mainly as a JavaScript downloader and information stealer, targeting the software supply chain and individual developers. Earlier reports by Phylum and Stacklok show a pattern of abusing the npm registry to distribute similar malware, with a focus on the cryptocurrency sector. The campaign relies on social engineering, disguising the malware as job application tasks and developer tooling. Datadog Security Research tracks the activity under the name Tenacious Pungsan. The growing abuse of the open-source ecosystem is an ongoing risk to software supply chains and downstream users. Copying and backdooring legitimate npm packages, then publishing them under lookalike names, is a common tactic among threat actors targeting developers. |
| 2024-10-28 13:31:49 | bleepingcomputer | MALWARE | Dutch Police Seize Redline and Meta Malware Operations in Operation Magnus | The Dutch National Police, working with the FBI and other international partners, have dismantled the infrastructure of two major infostealer operations, Redline and Meta, in "Operation Magnus." The operation was announced on a dedicated website, which says legal action is under way based on the data seized from the two malware operations. Redline has been active since 2020 and Meta since 2022; both are sold to cybercriminals to steal passwords, authentication cookies, and cryptocurrency wallet data. The takedown involved the FBI, NCIS, Eurojust, the U.S. Department of Justice, and police in Portugal and Belgium. The seized data includes user account credentials, IP addresses, timestamps, and more, giving investigators evidence to identify and prosecute the operators and their customers. Also seized were the source code, license servers, and Telegram bots for both stealers, which points to further legal action and possible arrests. Europol and the NCA have confirmed the operation, with more details expected shortly. The coordinated effort signals the growing reach and cross-border coordination of law enforcement against cybercrime. |
| 2024-10-28 12:20:17 | thehackernews | CYBERCRIME | Surge in Webflow-Based Phishing Targets Global Companies | Cybercriminals are increasingly using Webflow, a legitimate website builder, to host phishing pages. The pages target login credentials for cryptocurrency wallets and corporate platforms, including Microsoft 365. From April to September 2024, Netskope observed a tenfold increase in traffic to these malicious sites, which affected more than 120 organizations, mainly in the financial, banking, and technology sectors in North America and Asia. Webflow is attractive to attackers because it lets them choose custom subdomains, which look less suspicious than the random alphanumeric subdomains of other free hosts. The pages closely mimic legitimate login forms; some capture credentials on the Webflow page itself, while others redirect the victim to an attacker-controlled server that does the harvesting. Netskope also found Webflow-hosted crypto scam sites that display screenshots of legitimate wallet home pages to appear authentic. The end goal is to obtain the victim's cryptocurrency seed phrase, which lets the attacker take over and drain the wallet. Users should reach sensitive sites by typing the address into the browser's URL bar rather than following links from search results or other sources. |
| 2024-10-28 12:04:44 | theregister | CYBERCRIME | Dutch Police Disrupt Major Cybercrime Tools, Redline and Meta | Dutch police have dismantled the infrastructure behind the Redline and Meta infostealers, two tools heavily used in cybercrime. Operation Magnus, run by the Politie with international law enforcement partners, gave investigators full access to all servers associated with the two stealers. Police obtained key data including usernames, passwords, and IP addresses, along with the complete source code of both infostealers. A video announcement mockingly described all users of Redline and Meta as "VIPs", very important to the police, hinting at legal action to come. The operation also released a list of individuals who bought and likely used the malware, echoing the earlier operation against the LockBit ransomware group. The malware-as-a-service (MaaS) subscriptions were priced low, making the tools accessible to a wide range of criminals. Despite their popularity, taking down these two tools is unlikely to significantly dent the broader cybercrime landscape, since alternatives remain readily available. |
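The npm item above ends on the point that attackers copy legitimate packages and republish them under lookalike names. As an added example for this brief (not tooling from Datadog, Phylum or Stacklok, and not the packages the campaign actually used), the script below runs the check a developer can apply to a project's `package-lock.json`: it reads the `packages` map of an npm lockfile, strips the decorations typosquatters add (`-js`, `.js` suffixes, scopes), and flags any dependency whose name is one edit away from a package on an allow-list. The allow-list and the embedded lockfile excerpt are constructed for the demo, and the two lookalike names in it are hypothetical.

```python
"""Flag npm dependencies whose names closely resemble well-known packages.

Added example, not code from the brief or from any vendor it cites.
The lockfile excerpt and the allow-list below are constructed for the demo;
"passports-js" and "bcrypts-js" are hypothetical lookalike names.
"""
import json

# Assumed allow-list: packages the project intends to use (constructed).
WELL_KNOWN = ["passport", "bcrypt", "bcryptjs", "express", "lodash", "axios", "react"]

# Constructed package-lock.json excerpt in the lockfileVersion 3 layout, where
# each key is the install path of a package and "" is the root project itself.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/bcryptjs": {"version": "2.4.3"},
        "node_modules/node-fetch": {"version": "2.7.0"},
        "node_modules/passports-js": {"version": "0.6.1"},   # hypothetical lookalike
        "node_modules/express/node_modules/bcrypts-js": {"version": "2.4.4"},  # hypothetical, nested
    },
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lockfile_packages(lock_text: str) -> list[str]:
    """Return every package name in the lockfile's 'packages' map, nested ones included."""
    data = json.loads(lock_text)
    names = []
    for path in data.get("packages", {}):
        if not path:  # "" is the root project, not a dependency
            continue
        # The text after the last "node_modules/" is the package name, scope included.
        names.append(path.rsplit("node_modules/", 1)[-1])
    return names


def normalize(name: str) -> str:
    """Strip case, scope and the '-js'/'.js'/'js' suffixes commonly added to lookalike names."""
    n = name.lower().split("/")[-1]  # "@scope/pkg" -> "pkg"
    for suffix in ("-js", ".js", "_js", "js"):
        if n.endswith(suffix) and len(n) > len(suffix) + 2:
            n = n[: -len(suffix)]
            break
    return n


def find_lookalikes(lock_text: str, known=WELL_KNOWN, max_distance: int = 1) -> list[tuple[str, str]]:
    """Return (dependency, resembles) pairs for names near, but not equal to, a known package."""
    known_set = set(known)
    hits = []
    for name in lockfile_packages(lock_text):
        if name in known_set:  # exact allow-list match is fine (e.g. "bcryptjs")
            continue
        norm = normalize(name)
        for k in known:
            if norm == k or levenshtein(norm, k) <= max_distance or levenshtein(name, k) <= max_distance:
                hits.append((name, k))
                break
    return hits


if __name__ == "__main__":
    for dep, target in find_lookalikes(SAMPLE_LOCK):
        print(f"suspicious: {dep!r} resembles {target!r}; check publisher, age and history before trusting it")
```

The check is deliberately conservative: an exact allow-list match is never flagged, so the legitimate `bcryptjs` passes while `bcrypts-js` is reported, and the nested copy under `node_modules/express/node_modules/` is found because the last `node_modules/` segment is used as the name. Raise `max_distance` to catch more variants at the cost of more false positives, and treat a hit as a prompt to verify the package on the registry, not as proof of compromise.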