Daily Brief

2024-10-04 03:44:46 theregister MALWARE Major Brands Hit by CosmicSting Malware in Payment Theft Scheme
The CosmicSting vulnerability, CVE-2024-34102, is being exploited in Adobe Commerce and Magento software and affects big brands including Ray-Ban and National Geographic. Attackers installed malicious JavaScript on checkout pages to steal payment card information during transactions. Over 4,275 merchants using Adobe Commerce and Magento were compromised this summer, about five percent of all such online stores. At least seven distinct cybercrime groups are actively exploiting the vulnerability, with multiple groups contesting control over the same compromised sites. Adobe addressed the vulnerability with a patch on June 11, but automated attacks exploiting the flaw had already begun. Sansec's ongoing monitoring anticipates further breaches; it has already identified attack indicators and data-stealing methods unique to each cyber gang. No customer credentials were compromised in a related attack on Cisco's Magento-based merchandise site, according to a spokesperson.
2024-10-03 22:33:50 bleepingcomputer DDOS Recent CUPS Vulnerability Enables High Amplification DDoS Attacks
A newly identified bug in the Common Unix Printing System (CUPS) allows high-amplification DDoS attacks. Researchers from Akamai discovered that a specific vulnerability (CVE-2024-47176) in CUPS can be exploited to force servers to send massive amounts of data to a target system. These attacks exploit older, unpatched versions of CUPS, potentially turning approximately 58,000 servers into botnets for conducting distributed denial-of-service (DDoS) operations. The flaw is triggered by a single malicious UDP packet, which causes the CUPS server to repeatedly send large IPP/HTTP requests to the targeted device, significantly consuming the targeted device's bandwidth and CPU resources. In certain scenarios, affected devices entered an infinite loop of sending requests, exacerbating the attack's impact. Akamai's findings emphasize the importance of patching CVE-2024-47176 or disabling the cups-browsed service entirely to mitigate this threat. Meanwhile, Cloudflare reported defending against a record-breaking DDoS attack, underscoring the growing scale and intensity of DDoS threats.
2024-10-03 19:39:57 bleepingcomputer CYBERCRIME Scam Trading Apps Discovered on Major App Platforms
"Pig butchering" scam apps were identified on Google Play and Apple's App Store, using fake trading platforms to deceive users. These apps accumulated thousands of downloads before being discovered and removed by cybersecurity researchers from Group-IB. Fraudsters used these apps to display false high investment returns, tricking victims into continuously depositing funds without the ability to withdraw. The malicious apps were part of the "UniShadowTrade" malware family and mimicked legitimate trading and cryptocurrency platforms. Victims were often first contacted via social engineering on dating apps, then directed to the scam apps where they were asked to upload sensitive documents, like IDs. Even after the removal from official app stores, the distribution of scam apps continues through phishing websites. Researchers advise potential investors to verify the legitimacy of investment platforms through background checks and regulatory status to avoid similar scams.
2024-10-03 18:58:51 bleepingcomputer NATION STATE ACTIVITY Dutch Police Point to State Actor in Recent Data Breach
Dutch national police attribute a recent data breach to a likely state actor who compromised officer contact details, including names, emails, and phone numbers. The breach involved unauthorized access to a police account, leading to the theft of work-related contact information of multiple officers. Investigations are underway to determine the extent and impact of the data leak, with findings yet to be disclosed publicly. New security measures, including more frequent two-factor authentication requirements for police employees, have been implemented. Continuous monitoring of systems for unusual activity is in place, with IT staff prepared to respond immediately to potential threats. Although the exact number of affected personnel is undisclosed, all police officers’ work-related contact details are reported as stolen. Additional details on the breach are withheld to avoid jeopardizing ongoing investigations but will be released when deemed appropriate.
2024-10-03 18:02:31 bleepingcomputer NATION STATE ACTIVITY Microsoft and DOJ Dismantle Russian FSB Hackers’ Spear-Phishing Network
Microsoft and the U.S. Justice Department seized over 100 domains used by the Russian ColdRiver hacking group, affiliated with the FSB, to target U.S. government and nonprofit entities. ColdRiver, also known as Star Blizzard, Callisto Group, and Seaborgium, has been active since at least 2017, focusing on spear-phishing campaigns to extract sensitive information. The group’s targets included U.S.-based companies, U.S. Intelligence Community members, and employees of the Departments of Defense, State, and Energy, as well as U.S. military defense contractors. From January 2023 to August 2024, the hackers targeted more than 30 civil organizations worldwide, including journalists and NGOs crucial to maintaining democratic processes. The seized domains were part of a broader strategy to dismantle the cyber-espionage infrastructure ColdRiver used to conduct attacks against U.S. and international targets. U.S. and Five Eyes allies had previously warned about ColdRiver’s activities, which expanded after 2022 to include more significant attacks on the defense industry and Department of Energy facilities. The State Department has sanctioned, and the DOJ has indicted, members of ColdRiver, including an FSB officer, with rewards offered for information leading to the identification of other group members.
2024-10-03 17:23:57 bleepingcomputer MALWARE Over 4,000 Adobe Commerce Sites Hacked in CosmicSting Attacks
Adobe Commerce and Magento online stores are falling victim to CosmicSting, an attack exploiting critical vulnerabilities, notably CVE-2024-32102 and CVE-2024-2961, enabling remote code execution. Sansec has monitored these attacks since June 2024, identifying breaches in 4,275 stores, including major brands like Cisco, Whirlpool, and Ray-Ban, among others. Researchers warn that 75% of Adobe Commerce & Magento installations remain unpatched, posing ongoing risks to the e-commerce ecosystem, with automated scanning for secret encryption keys exacerbating the issue. Seven distinct threat groups are exploiting the vulnerability to steal credit card details and customer information, leading to a significant increase in e-commerce fraud. Attacks involve the injection of payment skimmers on checkout webpages, and the malicious scripts often mimic known JavaScript libraries or analytics packages to avoid detection. Despite numerous warnings and advisories, affected companies including Ray-Ban, Whirlpool, and National Geographic have been slow to respond or communicate about security fixes. Sansec offers a vulnerability checking tool and an emergency hotfix to mitigate some of the impacts of CosmicSting, urging website administrators to update vulnerable systems immediately.
2024-10-03 17:03:20 thehackernews CYBERCRIME Google Enhances Android 14 Security Against Baseband Attacks
Google's latest Pixel devices feature enhanced security measures to protect against baseband security attacks prevalent in modems handling connectivity. Baseband processors are susceptible to attacks from untrusted sources, including false base stations that manipulate network packets remotely. A 2023 Black Hat presentation by Google engineers highlighted the significance of the modem as a critical component vulnerable to remote code execution. The Android 14 update allows IT administrators to disable 2G to prevent downgrade attacks, adding protections against baseband exploits used to deliver spyware. Clang sanitizers (IntSan and BoundSan) have been employed to strengthen the security of cellular baseband in Android. Google is collaborating with partners to alert users to unencrypted network connections and potential surveillance threats. New defenses in the Pixel 9 devices include stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to better shield against unauthorized code execution. Measures are also in place to combat SMS Blaster fraud, which uses simulated networks to bypass carrier-based anti-spam and anti-fraud systems.
2024-10-03 16:32:32 bleepingcomputer CYBERCRIME Chinese Nationals Jailed for Multimillion-Dollar iPhone Scam
Two Chinese individuals were sentenced for defrauding Apple, causing losses of over $2.5 million by exploiting its device replacement policies. Over 6,000 counterfeit iPhones were exchanged for genuine Apple phones between July 2017 and December 2019. The scam involved submitting fake iPhones with altered IMEIs and serial numbers for replacement through Apple’s repair services. The fraudsters used their real university IDs and driver's licenses to open mailboxes at UPS stores to facilitate the shipments. After genuine replacements were received, the iPhones were shipped back to Hong Kong and sold, and the proceeds were distributed among the co-conspirators. Apple’s customer-friendly return policy, which allows faulty phones to be replaced within one year, was manipulated to perpetrate the fraud. Sentences included a 57-month and a 54-month prison term for the two main defendants, alongside substantial fines and supervised release terms.
2024-10-03 16:11:52 bleepingcomputer DDOS Cloudflare Successfully Defends Against Record-Breaking 3.8Tbps DDoS Attack
The largest DDoS attack ever publicly reported targeted sectors like financial services, internet, and telecommunications, reaching 3.8 terabits per second. Cloudflare's mitigation efforts successfully repelled more than 100 hyper-volumetric attacks over a month-long campaign. The attacks, mainly involving volumetric tactics, aimed to overwhelm the target's bandwidth and system resources. Devices compromised in the attack included Asus home routers, Mikrotik systems, DVRs, and web servers located primarily in Russia, Vietnam, the U.S., Brazil, and Spain. The malicious network relied on UDP traffic via a fixed port, enabling rapid data transmission without establishing a reliable connection. During this incident, Cloudflare autonomously handled the DDoS events, including one notable attack that lasted 65 seconds but peaked at 3.8 Tbps. Akamai's report noted vulnerabilities in Linux’s CUPS system, which could be exploited to enhance DDoS capabilities, with 58,000 systems susceptible worldwide.
2024-10-03 16:06:36 theregister NATION STATE ACTIVITY DOJ and Microsoft Seize Domains Linked to Russian Espionage
The US Department of Justice, together with Microsoft, seized 107 domains operated by the Russian hacking group Callisto (aka Star Blizzard), affiliated with Russia's FSB. These domains were used in sophisticated phishing campaigns targeting US government agencies, defense contractors, and think tanks to steal sensitive and classified information. The seized domains were part of a long-term espionage effort implicating high-profile US and NATO officials along with various civil organizations. Court-approved actions disrupted ongoing operations that were integral to Russia’s attempts to interfere in US democratic processes and gather intelligence. The operation also relates to criminal charges against two Russians, identified as FSB affiliated agents, involved in broader schemes attacking networks in the US, UK, NATO countries, and Ukraine. Recent alerts by international government agencies highlighted Callisto’s phishing methods and their political impacts, including manipulating leaked information. The seizure is expected to significantly impact the Callisto group’s capabilities, although Microsoft acknowledges the group's likely persistence in establishing new infrastructure.
2024-10-03 15:10:18 thehackernews DATA BREACH Rising Threats from Mismanaged Non-Human Identities in Cybersecurity
The traditional perimeter-based approach to enterprise security is now outdated due to the shift to distributed cloud environments. Non-human identities (NHIs), such as servers, apps, and processes, present a significant and growing security vulnerability as they often manage more privileges than human users. The mismanagement of machine identities and secrets sprawl has been identified as the root cause of most security incidents affecting businesses today. High-profile breaches, including incidents at companies like Dropbox and Microsoft in 2024, were linked to compromised NHIs, highlighting extensive financial and reputational damages. An estimated 80% of organizations have experienced identity-related security breaches, with identity and credential compromise being the top vector for cyberattacks in 2024. Immediate action is needed to address the risks associated with NHIs through comprehensive secrets security measures. GitGuardian has emerged as a leader in this area, offering solutions for continuous visibility, streamlined remediation, and integration with existing identity management systems. Organizations are encouraged to adopt a proactive and robust approach to managing NHIs to mitigate potential threats effectively.
2024-10-03 14:39:22 bleepingcomputer MALWARE Linux "perfctl" Malware Drives Prolonged Cryptomining Campaign
A Linux malware named "perfctl" has been infecting Linux servers for three years, largely evading detection due to its sophisticated evasion tactics and use of rootkits. Researchers at Aqua Nautilus identify perfctl as primarily used for cryptomining Monero, with potential capabilities for more damaging activities. The malware exploits system misconfigurations and vulnerabilities such as CVE-2023-33246 in Apache RocketMQ and CVE-2021-4034 in Polkit for server access. Upon infection, perfctl deploys additional rootkits that modify system functions and replace certain utilities to hide its presence and activities. Perfctl establishes encrypted communications via TOR for data exchange and operates a Monero miner that also utilizes TOR to mask the mining activity. The infection is hard to detect directly; however, users often notice excessive CPU usage, which is a tell-tale sign of the cryptomining process. It includes tactics like stopping mining activities when a user logs in, resuming only when the server is idle again. Aqua Nautilus suggests system monitoring, network traffic analysis, and robust patching strategies to detect and mitigate risks associated with perfctl.
2024-10-03 14:34:02 bleepingcomputer MALWARE Linux Malware "perfctl" Fuels Years-Long Crypto-Mining Campaign
Linux malware named "perfctl" has been exploiting servers for crypto-mining, mainly mining Monero. The malware has evaded detection using sophisticated mechanisms and has infected thousands of Linux systems over three years. Perfctl achieves initial access through system misconfigurations or vulnerabilities such as CVE-2023-33246 and CVE-2021-4034. Once installed, perfctl uses rootkits to intercept system functions and evade detection, making it harder to diagnose and eliminate. The malware employs a cryptominer that operates only when the system is idle to avoid raising suspicion during active use. Evasion techniques include using the TOR network for communications and mining, further anonymizing the activities. A significant CPU usage spike to 100% while the server is idle alerts users to the possibility of an infection. Recommendations for detection and prevention include patching software vulnerabilities, disabling unnecessary services, and active system monitoring.
2024-10-03 14:23:29 thehackernews MALWARE Stealthy Perfctl Malware Compromises Linux Servers for Crypto Mining
The "perfctl" malware specifically targets Linux servers, engaging in cryptocurrency mining and proxyjacking. Perfctl employs sophisticated evasion techniques, halting activities when new users log on and resuming once the system is idle. The malware exploits a vulnerability in Polkit (CVE-2021-4043) to achieve root access and deploy a miner named "perfcc." During the attack, it copies itself to various system locations, using innocuous names to remain undetected, and subsequently deletes its original binary. Besides mining, some instances of the malware also include deploying proxyjacking software. Remediation strategies emphasize updating systems, restricting file executions, disabling unnecessary services, applying network segmentation, and using RBAC. Detection of the perfctl malware could be signaled by unexpected spikes in CPU usage or system slowdowns, indicative of crypto mining or rootkit deployment.
2024-10-03 14:02:39 theregister MISCELLANEOUS North American CISO Salaries Increase, Job Switching Pays Off
A survey of nearly 700 CISOs in the US and Canada reveals an average salary of $565,000, with a median of $403,000. The top 10% of CISOs earn over $1 million; salary increases are mainly achieved by switching jobs or receiving counter offers, which can boost compensation by 31%. Annual raises without job switching typically yield only a 6.3% salary increase. The tech sector leads in compensation when bonuses and equity are included, averaging $721,000 compared to $495,000 in financial services. A return to office work, even part-time, tends to result in higher compensation increases than remote work. Significant income disparities were noted, with the top 10% of earners seeing over 20% salary increases and the bottom 25% experiencing minimal or no increases. Geographic location plays a crucial role in compensation, with California and the North East offering the highest salaries, often including equity components. Canadian CISOs generally report lower earnings than their American counterparts.