Daily Brief

2024-10-03 12:35:35 theregister CYBERCRIME Multimillion-Dollar Email Scam Targets US Educational and Government Entities
Two British-Nigerian men, Oludayo Kolawole John Adeagbo and Donald Ikenna Echeazu, were sentenced in the US for orchestrating extensive business email compromise (BEC) schemes. The fraudsters extracted $1.9 million from a North Carolina university during a construction project by mimicking legitimate company emails and directing payments to their own accounts. Over the course of multiple schemes from 2016 to 2018, they amassed over $3 million by targeting construction firms, local government entities, and a college in Texas and North Carolina. Tactics included registering domain names similar to those of legitimate entities to trick staff into making payments to fraudulent accounts. Adeagbo received a seven-year prison sentence and must repay $942,655.03 in restitution, while Echeazu was sentenced to 18 months and ordered to pay $655,408.87. The FBI emphasized the sophistication and the growing threat of BEC scams, highlighting the importance of international cooperation in tackling such cybercrimes. Both defendants received additional terms; Adeagbo will serve one year of supervised release after his prison term.
2024-10-03 10:02:34 theregister MALWARE Ransomware Attacks Target 100+ Organizations Monthly with New Variant
A new variant of MedusaLocker ransomware called "BabyLockerKZ" has been compromising over 100 organizations globally each month. This campaign, led by an attacker known as "PaidMemes," has been operational since at least 2022 and has heavily targeted small to medium-sized businesses. The attacks, which initially concentrated on European countries, shifted focus to Central and South America in 2023, with Brazil emerging as the primary target. PaidMemes uses a variety of tools, including network scanners and credential dumpers like Mimikatz, to gain unauthorized access and move laterally within networks. The ransom demanded from these businesses typically ranges from $30,000 to $50,000. Cisco Talos, which discovered the campaign, has found that the threat actor uses opportunistic attack methods rather than targeting specific industries or entities. Protection against such ransomware variants remains a challenge for small and medium-sized enterprises, which often lack sufficient resources for robust security measures like MFA and SSO.
2024-10-03 09:16:29 theregister MISCELLANEOUS Brits Unhappy With Data Handling, Yet Often Inactive
Fewer than 20% of Britons are satisfied with how big tech companies manage their personal data. Over 60% of respondents to a government survey actively reject optional cookies, though many still show general apathy about data privacy. Approximately half delete their browser cookies, and roughly 44% adjust privacy settings on platforms. About 32% of users read terms and conditions, indicating low but significant engagement with service details. A notable segment, especially among older demographics, cites lack of knowledge as a barrier to proactive data management. Younger individuals often do not adjust privacy settings either, citing satisfaction with current security (26.8%) or the perceived high effort required (22.7%). General indifference and a growing lax attitude toward data sharing have been noted, despite the alarm raised by various data breaches and privacy scandals. This behaviour suggests a need for more accessible and obvious ways to manage personal data privacy effectively.
2024-10-03 09:11:12 thehackernews CYBERCRIME INTERPOL Arrests 8 in Phishing and Romance Scam Crackdown
INTERPOL has orchestrated the arrest of eight individuals in Côte d'Ivoire and Nigeria for involvement in phishing and romance scams. Operation Contender 2.0 aims to combat the rising cyber-enabled crime in West Africa. The criminals executed a sophisticated phishing operation targeting Swiss citizens, causing over $1.4 million in financial losses. Scammers used fake QR codes on advertising sites to redirect victims to fraudulent payment sites, stealing personal data and credit card information. A main suspect in Côte d'Ivoire confessed to gaining around $1.9 million from the scams, with additional arrests made at the same location. In Nigeria, two people were arrested in connection with a romance scam after Finnish authorities reported substantial financial losses by a victim. INTERPOL emphasizes the need for continued international cooperation to tackle rising cybercrime effectively. The arrests are part of broader global efforts, including cooperative measures by the DoJ and Meta with U.K. banks to fight such cyber offenses.
2024-10-03 07:18:52 thehackernews CYBERCRIME Global Crackdown on LockBit Ransomware and Evil Corp Leaders
International law enforcement actions have resulted in four arrests and the seizure of nine servers associated with the LockBit ransomware operation. A suspected LockBit developer was arrested in France, with additional arrests in the U.K. and Spain linked to ransomware support and hosting services. Russian national Aleksandr Ryzhenkov, identified as a high-ranking member of the Evil Corp cybercrime group, was implicated as a LockBit affiliate. The U.S. Treasury announced sanctions against seven individuals and two entities tied to Evil Corp's criminal activities. Operation Cronos marks ongoing efforts after the earlier seizure of LockBit's online infrastructure and prior sanctions against key members. Evil Corp, known for deploying Dridex malware and involved in financial theft since 2014, has tried to circumvent previous sanctions by using ransomware like LockBit. Several connections have been outlined between Evil Corp members and the Russian government, providing them protection against international law enforcement.
2024-10-03 06:07:31 thehackernews CYBERCRIME Critical SQL Injection Flaw in Ivanti EPM Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe flaw in Ivanti Endpoint Manager to its Known Exploited Vulnerabilities catalog. The vulnerability, identified as CVE-2024-29824, has a critical severity rating of 9.6 and allows unauthenticated code execution. Ivanti had initially patched this SQL Injection vulnerability in May 2024; it affects all versions up to 2022 SU5. A proof-of-concept exploit was publicly released by Horizon3.ai in June 2024, detailing the exploit mechanisms. The vulnerability lies in a function in PatchBiz.dll that improperly handles SQL queries, enabling attackers to execute remote commands. There have been confirmed cases of active exploitation among a limited number of Ivanti customers. Federal agencies are required to update their Ivanti EPM systems by October 23, 2024, to defend against this and other recently exploited vulnerabilities in Ivanti products.
2024-10-02 21:38:14 theregister CYBERCRIME Over 700K DrayTek Routers Vulnerable to Critical Security Flaws
Over 785,000 DrayTek routers globally are exposed to remote hijacking due to 14 serious security vulnerabilities. Critical flaws include a remote-code-execution vulnerability rated 10/10 on the CVSS scale, posing significant risks such as data theft, ransomware deployment, and DoS attacks. Many of these routers, used predominantly by businesses, expose their web interfaces to the public internet, against manufacturer advice. Patching has historically been neglected: 38% of these devices are still prone to similar issues highlighted two years ago by Trellix. DrayTek has released patches for all affected models, including those no longer officially supported, urging users to update and secure their devices. Recommendations for users include disabling unnecessary remote access, using two-factor authentication, and implementing strong passwords coupled with network segmentation. Recent security reports link similar vulnerabilities to nation-state activity, including a large botnet operated by Chinese government spies. Security researchers provided a proof-of-concept exploit demonstrating severe threats, including remote root access capable of facilitating further network compromise.
2024-10-02 20:41:34 theregister MALWARE Critical Security Flaws Discovered in Optigo Network Switches
Two significant security vulnerabilities have been identified in Optigo's Spectra Aggregation Switch, affecting version 1.3.7 and earlier, with no patch currently available. Remote attackers can exploit these flaws to inject malware into operational technology (OT) network management switches. CISA has issued a warning about these vulnerabilities, particularly highlighting their presence in critical manufacturing settings. The first vulnerability (CVE-2024-41925) allows unauthorized remote file inclusion and code execution through the web-based interface. The second vulnerability (CVE-2024-45367) involves an incomplete authentication process that permits access without a password. Although the flaws are not known to be exploited, the disclosure may prompt imminent abuse by malicious entities. Optigo has suggested some temporary workarounds but has not provided a direct response to inquiries about these security issues. Discovered by Claroty's Team82, these vulnerabilities underline the importance of securing network equipment in critical sectors.
2024-10-02 20:04:07 bleepingcomputer MALWARE FIN7 Exploits Deepfake Nude Generator Sites to Spread Malware
The Russian-linked APT group FIN7 has created fake AI deepnude generator sites to distribute malware. These websites falsely offer the ability to create nude images from uploaded photos but deliver malware instead. Visitors are lured into downloading a supposedly generated image, which leads to malware infection, primarily using Lumma Stealer and Redline Stealer. The malware targets credentials and information stored in web browsers, cryptocurrency wallets, and other sensitive data. Silent Push, a cybersecurity firm, identified multiple sites like aiNude[.]ai and easynude[.]website, promoting these malicious downloads. FIN7 is known for its sophisticated social engineering tactics and has ties to multiple ransomware gangs. Beyond deepnude lures, FIN7 has been engaged in selling an EDR killing tool and deploying Cl0p ransomware in targeted attacks. Users who downloaded files from these sites are warned to consider their devices compromised and take appropriate security measures.
2024-10-02 18:57:39 bleepingcomputer CYBERCRIME Ivanti RCE Flaw Actively Exploited, Urgent Patch Required
Ivanti has confirmed active exploitation of a critical SQL Injection vulnerability, CVE-2024-29824, in its Endpoint Manager (EPM) appliances. The vulnerability allows for remote code execution and was originally patched by Ivanti in May, along with five other RCE issues. Horizon3.ai researchers have released a proof-of-concept exploit, increasing potential for widespread misuse. CISA has now included this flaw in its Known Exploited Vulnerabilities catalog, highlighting it as actively exploited and necessitating urgent patching for federal agencies by October 23. It is recommended that all organizations using affected Ivanti products prioritize immediate patch installation to mitigate risk. Recent months have seen multiple zero-day exploits targeting Ivanti's various appliances, emphasizing persistent cybersecurity threats to their systems. Ivanti is enhancing its vulnerability disclosure protocol and testing procedures in response to these ongoing security challenges.
2024-10-02 18:26:56 bleepingcomputer MALWARE WarmCookie Malware Spreads Through Fake Browser Update Alerts
Researchers at Gen Threat Labs identified a new FakeUpdate campaign distributing WarmCookie malware via fake browser and application updates. The campaign targets users in France, using compromised websites to display fraudulent update prompts for Google Chrome, Mozilla Firefox, Microsoft Edge, Java, and more. Clicking on these deceptive prompts downloads the WarmCookie backdoor, which is capable of stealing data, executing commands, and introducing additional malware payloads. WarmCookie has recently been enhanced with features such as running DLLs from the temp folder and the capability to transfer and execute EXE and PowerShell files. The malware performs anti-VM checks upon installation to evade detection and analysis, and sends the infected system's data to a command-and-control server. FakeUpdate attacks typically use domains mimicking legitimate update processes to lure users into downloading and executing malware. Users are reminded that legitimate updates for browsers and other applications are automatic and should not prompt manual downloads; prompts that do are a sign of a potential threat. Increased vigilance is recommended when encountering update prompts, especially on compromised or unfamiliar websites.
2024-10-02 17:04:44 thehackernews CYBERCRIME Global Fraud Campaign Uses Fake Trading Apps to Deceive Users
A sophisticated fraud campaign used fake trading applications on the Apple App Store and Google Play, duping victims worldwide via a scheme known as "pig butchering." The fake apps, created with the UniApp Framework under the name UniShadowTrade, lured victims with promises of rapid financial gains. Notably, one app bypassed Apple's stringent review process by displaying deceptive content before a specific date, adding a false sense of legitimacy. These applications facilitated a six-step fraud process involving the collection of personal data followed by urging victims to make financial investments supposedly yielding high returns. Victims' investments appeared profitable within the app; however, upon attempting withdrawals, additional fees were demanded, essentially stealing the deposited funds. Cybercriminals also distributed these malicious apps through phishing websites and instructed iOS users to trust an 'Enterprise developer profile' to activate the app. The discovery highlights that even trusted platforms like the Apple and Google stores can host malware, exploiting user trust in these ecosystems.
2024-10-02 15:23:53 thehackernews NATION STATE ACTIVITY CeranaKeeper: New Threat Actor Targets Southeast Asian Data
CeranaKeeper, an emerging threat actor, has been implicated in numerous data exfiltration incidents across Southeast Asia. Slovak cybersecurity firm ESET linked these activities to China, observing attacks primarily on governmental entities in Thailand since 2023. The threat actor uses tools similar to those used by the known group Mustang Panda, including common malware families and novel backdoors. Techniques employed by CeranaKeeper include evading detection through software updates, abusing legitimate cloud services like Dropbox and OneDrive for data exfiltration, and moving laterally within networks to siphon extensive data. Targets extend beyond Thailand to Myanmar, the Philippines, Japan, and Taiwan, highlighting a broader regional impact. CeranaKeeper's initial access routes remain unclear, but once inside a network, the group compromises other systems, using some as proxies or update servers. ESET described CeranaKeeper as aggressive and adaptive, constantly refining its software to facilitate large-scale information theft. The group's ultimate aim is to build potent malware that harvests valuable data extensively and efficiently.
2024-10-02 15:08:17 thehackernews MALWARE Spear-Phishing Attacks Target HR with More_eggs Malware
A spear-phishing campaign is targeting HR professionals with fake job applications to deliver the More_eggs malware. More_eggs, a JavaScript backdoor, is sold as malware-as-a-service by a group named Golden Chickens and used by cybercriminal groups like FIN6 and Cobalt. Attack details from Trend Micro describe the delivery of malware via a deceptive email containing a link to a bogus resume. The malicious file, once downloaded and executed, deploys the More_eggs backdoor to perform actions like credential theft and system reconnaissance. The recent attacks have evolved to include additional infection vectors such as PowerShell and Visual Basic Script components. Attributing the attacks to a specific group is difficult because the MaaS model gives many actors access to the same attack tools. FIN6 is suspected to be behind these activities due to similarities in tactics, techniques, and procedures (TTPs) with its previous campaigns.
2024-10-02 15:02:56 bleepingcomputer CYBERCRIME Critical Vulnerabilities Found in Optigo Networks Infrastructure Switches
U.S. cybersecurity agency CISA has issued warnings about two critical vulnerabilities in Optigo Networks ONS-S8 Aggregation Switch products. These vulnerabilities allow for both authentication bypass and remote code execution, severely impacting critical infrastructures globally. Identified flaws include a PHP Remote File Inclusion (RFI) and a weak authentication problem, allowing unauthorized access and potential control over the network switches. Exploits for these vulnerabilities are currently feasible with low complexity, increasing the risk of potential breaches or disruptions in critical infrastructure and manufacturing sectors. No existing fixes are available for these vulnerabilities; however, mitigation strategies by the vendor are strongly recommended pending a permanent solution. The vulnerabilities are rated critical with a CVSS v4 score of 9.3 and impact all versions up to and including 1.3.7 of the firmware. CISA advises system administrators to apply mitigation measures and remain vigilant by reporting any suspicious activities related to these devices.