Daily Brief

2024-10-15 18:51:01 bleepingcomputer CYBERCRIME EDRSilencer Used in Cyber Attacks to Disable Security Alerts
EDRSilencer, an open-source tool written for red-team operations, is being used by attackers to blind Endpoint Detection and Response (EDR) products by cutting their agents off from their management consoles. It uses the Windows Filtering Platform (WFP) to add filters that block outbound network traffic from the processes of 16 EDR products, so alerts and telemetry never leave the host. The muting is not complete: an EDR whose executables are missing from the tool's hard-coded process list may still transmit some data, and Trend Micro observed certain agents continuing to send limited telemetry. Attackers can close that gap by pointing EDRSilencer at additional executable paths, extending the block list to any security process on the host. Trend Micro tested the tool and confirmed that it stops the targeted agents from reporting, which lengthens the window in which malicious activity goes unnoticed. Trend Micro detects EDRSilencer itself as malicious and recommends a multi-layered defense together with continuous monitoring for indicators of compromise, since an agent that has gone quiet is exactly what this tool is designed to produce.
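A way to hunt for the pattern described above, as an added example (not Trend Micro's detection logic or EDRSilencer's code): export the live WFP filter set with `netsh wfp show filters file=filters.xml` and look for BLOCK filters on the outbound connect layers whose condition is an application ID. The element names assume that export's XML layout, the EDR process list is an illustrative subset rather than EDRSilencer's hard-coded list, and the document parsed here is constructed for the example.

```python
"""
Triage of exported Windows Filtering Platform (WFP) filters for the
EDRSilencer pattern: a BLOCK filter on an outbound connect layer whose
condition is the application ID of an EDR process.

Element names assume the XML written by `netsh wfp show filters file=...`
(an assumption); SAMPLE_XML is constructed for this example.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Illustrative EDR agent binaries (assumption; not EDRSilencer's own list).
EDR_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe",   # Microsoft Defender
    "csfalconservice.exe",                               # CrowdStrike Falcon
    "sentinelagent.exe",                                 # SentinelOne
}

OUTBOUND_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}

SAMPLE_XML = r"""<wfpdiag><filters>
  <item>
    <filterKey>{0a1b2c3d-0000-4000-8000-000000000001}</filterKey>
    <displayData><name>Custom Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString>
      </byteBlob></conditionValue>
    </item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action>
  </item>
  <item>
    <filterKey>{0a1b2c3d-0000-4000-8000-000000000002}</filterKey>
    <displayData><name>Custom Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\contoso edr\agent.exe</asString>
      </byteBlob></conditionValue>
    </item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action>
  </item>
  <item>
    <filterKey>{0a1b2c3d-0000-4000-8000-000000000003}</filterKey>
    <displayData><name>Browser allow rule</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\google\chrome\application\chrome.exe</asString>
      </byteBlob></conditionValue>
    </item></filterCondition>
    <action><type>FWP_ACTION_PERMIT</type></action>
  </item>
</filters></wfpdiag>"""


def find_app_block_filters(xml_text):
    """Return every outbound BLOCK filter keyed on an application path.

    Paths outside EDR_PROCESSES are still reported (edr_match=False),
    because EDRSilencer lets an operator add arbitrary executables.
    """
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        # Condition <item>s nested inside a filter carry no <action>; skip them.
        if item.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        if item.findtext("layerKey") not in OUTBOUND_LAYERS:
            continue
        for cond in item.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = cond.findtext("conditionValue/byteBlob/asString") or ""
            exe = PureWindowsPath(app).name.lower()
            findings.append({
                "filter": item.findtext("filterKey"),
                "name": item.findtext("displayData/name"),
                "app": app,
                "edr_match": exe in EDR_PROCESSES,
            })
    return findings


if __name__ == "__main__":
    for f in find_app_block_filters(SAMPLE_XML):
        flag = "KNOWN EDR" if f["edr_match"] else "review"
        print(f"{flag:9} {f['name']!r} blocks {f['app']}")
```

Run it against a fresh export on a host whose EDR has gone silent; a legitimate environment rarely carries per-application BLOCK filters on the connect layers at all, so every hit deserves a look, and a hit on a known EDR binary is the EDRSilencer case.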
2024-10-15 16:51:21 theregister RANSOMWARE Microsoft Reports Success in Blocking Ransomware Encryption Stages
Microsoft's latest Digital Defense Report records a 2.75-fold year-over-year increase in human-operated ransomware attacks, while the share of attacks that reached the encryption stage fell threefold. Microsoft credits automatic attack disruption with stopping many intrusions before encryption begins. Where attacks did reach the ransom stage, 90% involved unmanaged devices on the network, used either as the initial foothold or to encrypt other systems remotely. Akira was the most common strain over the year at 17% of attacks, followed by LockBit, Play, ALPHV/BlackCat, and Black Basta. Social engineering remains the leading initial-access method, and Microsoft notes a 146% rise in adversary-in-the-middle (AiTM) phishing, in which the attacker proxies the real login page and captures the resulting session, defeating MFA methods that are not phishing-resistant. The report also covers the cloud threat landscape, including attacks on cloud identities and abuse of federated identity providers, and advocates passwordless, phishing-resistant authentication together with strict access management across software and cloud platforms.
2024-10-15 15:49:03 thehackernews MALWARE TrickMo Trojan Upgraded to Steal Android Unlock Patterns, PINs
TrickMo, an Android banking trojan first documented in 2019 and linked to the TrickBot group, has gained the ability to capture the device unlock pattern or PIN. The malware gives operators remote control of the infected device and intercepts SMS one-time passwords (OTPs); recent builds add detection-evasion techniques and request additional permissions used to carry out fraudulent transactions. To capture the unlock credential, TrickMo displays a fake user interface that mimics the device's real unlock screen, and whatever the victim enters is sent, along with a unique device identifier, to an attacker-controlled server. Because the same device often holds corporate credentials, the theft exposes enterprise resources as well as banking accounts. Analysis of the command-and-control servers found data from roughly 13,000 unique IP addresses, mostly in Canada, the UAE, Turkey, and Germany. The upgrade is part of a broader rise in mobile banking attacks observed between June 2023 and April 2024, with India the most targeted country, and a reminder that mobile devices are now a primary entry point for attacks across a wide range of applications and sectors.
2024-10-15 15:22:56 thehackernews MALWARE New Malware Campaign Utilizes PureCrypter to Deploy DarkVision RAT
Researchers have identified a campaign that uses the PureCrypter loader to deliver DarkVision RAT, a remote access trojan with keylogging, password theft, audio recording, and screen capture capabilities that talks to its command-and-control (C2) server over a custom protocol. PureCrypter, sold on a subscription basis since 2022, is an off-the-shelf loader already used to distribute other RATs and information stealers. The delivery chain is multi-stage, involving .NET executables and the Donut loader, and establishes persistence on the infected host. DarkVision itself is sold cheaply on a clearnet site, targets Windows, and offers a remote shell, process injection, and recovery of browser cookies and passwords. It also adds its own process names and file paths to the Microsoft Defender Antivirus exclusion lists so that the antivirus skips them, which makes unexpected entries in those lists a worthwhile thing to check on a suspect host. Low cost, easy availability, and broad functionality make it attractive to established criminals and novices alike.
2024-10-15 15:22:55 bleepingcomputer MISCELLANEOUS FIDO Proposes New Standards for Secure Passkey Transfers
The FIDO Alliance has published draft specifications for securely moving passkeys between platforms and credential managers. Passkeys, which are based on public-key cryptography, make sign-ins about 75% faster and 20% more likely to succeed than passwords, but today they cannot be transferred securely between providers, which is both inconvenient for users and a security risk. The drafts define a Credential Exchange Format (CXF), a JSON-based format for the exported credentials packaged in a ZIP archive, and a Credential Exchange Protocol (CXP), which governs how that archive is encrypted and transferred so the data is protected in transit and interoperable across providers. Google, Apple, Microsoft, and other industry members contributed to the drafts, which are open for public review and feedback on GitHub. If adopted, the standards would improve both the usability and security of passkeys, which already protect more than 12 billion online accounts.
2024-10-15 14:46:51 thehackernews MALWARE New Linux Malware Variant Used in Multi-Country ATM Heists
North Korean hackers have deployed a Linux variant of the FASTCash malware against the payment switches that route ATM transactions. The malware tampers with ISO 8583 transaction messages, rewriting declines for insufficient funds into approvals so that ATMs dispense cash the account does not hold. FASTCash schemes have been active since at least 2016 and previously targeted Windows and IBM AIX systems. The fraudulent withdrawals observed range from 12,000 to 30,000 Turkish lira (roughly $350 to $875) each. The Linux variant was first uploaded to VirusTotal in June 2023 and is built for Ubuntu Linux 20.04; the weak detection coverage typical of Linux payment servers is the main reason for concern.
2024-10-15 14:31:19 bleepingcomputer MALWARE Over 200 Malicious Apps Found on Google Play, Millions Affected
Zscaler's ThreatLabz research team identified more than 200 malicious applications on Google Play between June 2023 and April 2024, with close to eight million installs between them. Malware families such as Necro and Goldoson made it into the store, some inside apps with as many as 100 million downloads. ThreatLabz also recorded a sharp rise in spyware, led by SpyLoan, SpinOk, and SpyNote. Most of the infected apps were in the tools, personalization, and productivity categories, and several evaded Google Play's review process. India and the United States were the most affected countries, and education and services the most targeted sectors. By the end of the period Zscaler was blocking an average of 1.7 million malware transactions per month, with the trend declining. The report advises users to review requested permissions and read user reviews before installing apps, even from Google Play.
2024-10-15 11:01:01 thehackernews CYBERCRIME Surge in Zero-Day Exploits Challenges Old Security Models
Zero-day vulnerabilities, flaws unknown to the vendor when attackers begin exploiting them, are being used before patches or signatures exist. Recent examples cited include CVE-2024-0519 in Google Chrome and the breach at Rackspace. The article argues that signature-driven tooling such as SIEM, IDS, and EDR struggles against zero-day attacks because it depends on known indicators and historical data, and that obfuscation and polymorphism defeat pattern matching. It makes the case for Network Detection and Response (NDR), which applies machine learning and anomaly detection to network behavior to spot unusual traffic and likely command-and-control channels, including in encrypted traffic, without needing a prior signature. Capabilities highlighted include detecting unusual traffic patterns, non-standard DNS queries, and connections to new or rare external IP addresses. The article concludes that adopting NDR alongside existing controls is essential for organizations protecting critical infrastructure and sensitive data.
2024-10-15 08:06:46 thehackernews NATION STATE ACTIVITY China Claims U.S. Fabricated Volt Typhoon to Mask Its Cyber Espionage
China accuses the U.S. of inventing the Volt Typhoon narrative as cover for its own cyber espionage against China and other countries. China's National Computer Virus Emergency Response Center claims to have conclusive evidence of U.S. false-flag operations, accuses the U.S. of pre-positioning backdoors in internet products, and says it runs a global surveillance network. A July report from the same agency had already described Volt Typhoon as a U.S. intelligence disinformation campaign. Western findings attributed to China-linked groups, meanwhile, continue to show a pattern of compromising edge devices such as routers and cameras for covert operations. The report points to a tool called Marble, which it says U.S. agencies have used since 2015 to obfuscate the origin of cyber attacks and cast suspicion on other nations, and criticizes the naming conventions Western security firms use for malware linked to China and other countries as politically motivated. China calls for greater international collaboration on cybersecurity to counter biased narratives and strengthen global digital security infrastructure.
2024-10-15 06:44:56 thehackernews MALWARE New Malware Campaign Uses Stolen Certificates to Deliver Hijack Loader
Researchers at HarfangLab have uncovered a Hijack Loader campaign in which the loader is signed with legitimate code-signing certificates. Hijack Loader, also tracked as DOILoader, IDAT Loader, and SHADOWLADDER, was first identified in September 2023. Victims are lured into downloading malicious binaries disguised as pirated software or movies, often through fake CAPTCHA pages that instruct the user to run a PowerShell command that fetches the malware. In October 2024 the delivery chain shifted from DLL side-loading to signed executables in an attempt to evade antivirus detection. HarfangLab assesses that the certificates were either stolen or fraudulently obtained by the attackers; the latter is feasible because some certificate authorities verify applicants automatically using little more than a company registration number and a contact person. The case shows that a valid signature is not by itself evidence that software is trustworthy, and although the abused certificates have been revoked, it points to systemic weaknesses in certificate issuance and management.
2024-10-15 04:57:56 thehackernews DATA BREACH Jetpack Plugin Security Patch for Critical WordPress Vulnerability
Jetpack has patched a critical vulnerability in its WordPress plugin, which is installed on an estimated 27 million sites. The flaw, found during an internal security audit, could allow any logged-in user on a site to read contact-form submissions made by other visitors. It has been present since Jetpack 3.9.9, released in 2016. The WordPress.org Security Team worked with Jetpack to push the fix automatically to vulnerable sites, releasing patched builds for 101 versions from 3.9.10 through 13.9.1. There is no evidence of exploitation in the wild, but the risk rises now that the flaw is public, so site owners should confirm they are running a patched version rather than assume the auto-update reached them. The episode follows WordPress.org's recent takeover of the Advanced Custom Fields (ACF) plugin as the fork Secure Custom Fields, and underscores that WordPress.org will push updates and alter plugin management without developer consent when it judges public safety requires it.
2024-10-15 03:46:35 theregister MISCELLANEOUS India's RBI Governor Highlights AI Risks in Finance Sector
RBI Governor Shri Shaktikanta Das voiced concerns about artificial intelligence (AI) amplifying systemic risk in the financial sector during a keynote address at the RBI@90 High-Level Conference. Das highlighted the dual role of AI in providing new business opportunities and introducing financial stability risks due to potential market concentration and increasing operational vulnerabilities. He underscored the lack of transparency in AI algorithms, which makes them hard to audit and could lead to unpredictable market consequences. The governor stressed the importance of financial institutions implementing robust risk mitigation strategies to cope with the challenges posed by AI and big tech. Das also discussed the potential for improving cross-border payments via India’s Unified Payment Interface and enhancing interoperability among central bank digital currencies. The spread of rumors and misinformation on social media and its potential to cause liquidity issues was another significant concern mentioned by Das. He advised banks to be vigilant in monitoring social media and to strengthen their liquidity buffers to safeguard against possible threats.
2024-10-15 02:29:59 bleepingcomputer DATA BREACH Cisco Investigates Potential Data Breach Involving Stolen Developer Data
Cisco is investigating a possible data breach after a threat actor offered data allegedly stolen from the company on a hacking forum. The listing claims to include GitHub and GitLab projects, source code, hard-coded credentials, certificates, and more; the actor, known as IntelBroker, says the data was taken with accomplices on June 10, 2024. IntelBroker posted samples that include customer information and internal Cisco documents. The incident may be connected to a broader wave of June 2024 intrusions at several large companies, possibly via a common third-party managed services provider. Cisco has not confirmed how its data was accessed or the full scope of the breach, and the suspected third-party provider has not commented.
2024-10-15 01:18:33 theregister NATION STATE ACTIVITY China Denies Volt Typhoon Hacking Accusations; Blames US
China has issued a document denying the existence of the hacker group Volt Typhoon, labeling it a fabrication by the US to discredit Beijing. The publication criticizes US cybersecurity firms and intelligence agencies for attributing cyber espionage to China without sufficient evidence. It discusses past US surveillance programs revealed by Edward Snowden in 2013, suggesting the US engages in the types of activities attributed to Volt Typhoon. Chinese authorities have cited feedback from over 50 cybersecurity experts who question the evidence provided by the US and firms like Microsoft. The document condemns the use of racially and geographically charged names for hacker groups, arguing this reflects a bias in cybersecurity reporting. The report by China's National Computer Virus Emergency Response Center calls for more international cooperation in cybersecurity and improved security technology and services. The unfolding narrative is part of a broader dispute over cyberespionage accusations between China and the US, with implications for global cybersecurity and geopolitics.
2024-10-14 22:20:47 bleepingcomputer MALWARE North Korean Hackers Deploy New Linux Malware to Steal ATM Funds
North Korean hackers have introduced a Linux variant of the FASTCash malware to compromise the payment switches of financial institutions. Originally built for Windows and IBM AIX, the malware now targets Ubuntu 22.04 LTS systems. US-CERT, now CISA, first documented the FASTCash scheme in 2018 and attributed it to the North Korean group Hidden Cobra, which has run large-scale ATM cash-out attacks since 2016; U.S. Cyber Command later linked the operation to the Lazarus Group, specifically its APT38 sub-unit. The variant intercepts ISO 8583 transaction messages and rewrites "decline, insufficient funds" responses as approvals, so the ATM dispenses cash for accounts that cannot cover it. The manipulated transactions request random amounts between 12,000 and 30,000 Turkish lira. The Linux sample was uploaded to VirusTotal in June 2023 with no detections, a sign of how little scrutiny Linux payment infrastructure receives. Continued development of both the Linux and Windows variants suggests the operation is ongoing.
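The message manipulation that both FASTCash items on this page describe, as an added example (not code from the articles or from the malware): a minimal ISO 8583 encoder/decoder, the field-39 rewrite that turns an "insufficient funds" decline into an approval, and a reconciliation check that catches it by comparing what the issuer host decided with what left the switch. The field layout is a small ASCII subset chosen for the example (an assumption; real switches use binary bitmaps, BCD or EBCDIC encoding and many more data elements), and every message and log entry below is constructed.

```python
"""
Minimal ISO 8583 handling to illustrate FASTCash-style response tampering
and a reconciliation check against it. Layout is an assumed ASCII subset;
all sample data is constructed for this example.
"""

# Data elements modelled here: ("fixed", length) or ("llvar", max length).
FIELDS = {
    2: ("llvar", 19),   # primary account number
    3: ("fixed", 6),    # processing code (01xxxx = cash withdrawal)
    4: ("fixed", 12),   # amount in minor units
    11: ("fixed", 6),   # system trace audit number (STAN)
    39: ("fixed", 2),   # response code: 00 approved, 51 insufficient funds
    49: ("fixed", 3),   # currency code, 949 = Turkish lira
}


def encode(mti, fields):
    """Build MTI + 64-bit primary bitmap (hex) + fields in ascending order."""
    bitmap, body = 0, ""
    for num in sorted(fields):
        kind, length = FIELDS[num]
        value = str(fields[num])
        if kind == "fixed" and len(value) != length:
            raise ValueError(f"field {num} must be exactly {length} chars")
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {num} exceeds {length} chars")
            value = f"{len(value):02d}{value}"
        body += value
        bitmap |= 1 << (64 - num)      # bit 1 is the most significant bit
    return f"{mti}{bitmap:016X}{body}"


def decode(msg):
    """Inverse of encode(); raises on truncated input or unmodelled fields."""
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    if bitmap >> 63:
        raise ValueError("secondary bitmap not supported in this example")
    for num in range(2, 65):
        if not (bitmap >> (64 - num)) & 1:
            continue
        kind, length = FIELDS[num]      # KeyError for elements we do not model
        if kind == "llvar":
            length = int(msg[pos:pos + 2])
            pos += 2
        if pos + length > len(msg):
            raise ValueError(f"message truncated inside field {num}")
        fields[num] = msg[pos:pos + length]
        pos += length
    return mti, fields


def fastcash_style_tamper(response):
    """Rewrite an 'insufficient funds' decline (39=51) as an approval (39=00),
    the effect the articles attribute to the malware. Nothing else changes,
    so the reply still looks well-formed to the ATM."""
    mti, fields = decode(response)
    if mti == "0210" and fields.get(39) == "51":
        fields[39] = "00"
    return encode(mti, fields)


def reconcile(issuer_log, outbound_responses):
    """Compare the issuer host's decision with what actually left the switch.
    issuer_log maps STAN -> response code recorded by the issuer.
    Returns (stan, issuer_code, outbound_code) for every disagreement."""
    mismatches = []
    for raw in outbound_responses:
        mti, f = decode(raw)
        if mti != "0210":
            continue
        expected = issuer_log.get(f[11])
        if expected != f[39]:
            mismatches.append((f[11], expected, f[39]))
    return mismatches


# Constructed sample: the issuer declines a 15,000.00 TRY withdrawal.
DECLINE = encode("0210", {2: "4000000000000002", 3: "010000",
                          4: "000001500000", 11: "000123",
                          39: "51", 49: "949"})
ISSUER_LOG = {"000123": "51"}


def demo():
    """Tamper the sample decline and run reconciliation over the result."""
    tampered = fastcash_style_tamper(DECLINE)
    return decode(tampered)[1][39], reconcile(ISSUER_LOG, [tampered])


if __name__ == "__main__":
    code, diffs = demo()
    print("response code after tampering:", code)
    print("issuer/switch disagreements:", diffs)
```

The reconciliation only works if the issuer's authorization log is collected from a system the attacker does not control, which is the point: an implant on the switch can make any single message look legitimate, so the check has to cross two vantage points.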