Daily Brief

2024-09-23 04:52:30 | thehackernews | NATION STATE ACTIVITY | Chinese APT Targets APAC Governments with EAGLEDOOR Malware
A Chinese APT group, dubbed Earth Baxia, targeted government organizations in Taiwan and potentially other APAC countries by exploiting a critical flaw in OSGeo GeoServer GeoTools. The cyberattack involved spear-phishing and GeoServer vulnerability exploitation to deploy Cobalt Strike and a new backdoor named EAGLEDOOR for data exfiltration and payload delivery. Affected sectors include government agencies, telecommunications, and the energy industry across the Philippines, South Korea, Vietnam, Taiwan, and Thailand. There is evidence suggesting minor impacts within China. The multi-stage intrusion set leverages two techniques, GrimResource and AppDomainManager injection, to download malware and weaken defenses. Eagle.dll, the deployed backdoor, supports multiple communication methods (DNS, HTTP, TCP, and Telegram) to interact with command-and-control servers and facilitate further malicious activity. The operation's sophistication is highlighted by the use of DNS queries, HTTP requests, and the Telegram Bot API to manage communication and data exfiltration securely. The overlapping use of C2 domains emulating major cloud services indicates a possible relationship between this campaign and another set of activity targeting similar sectors in the region.
2024-09-23 00:53:16 | theregister | MISCELLANEOUS | macOS Sequoia Update Causes Security Software Failures
macOS Sequoia, also known as macOS 15, released last week, is causing issues with security software and network connections. Notable vendors like CrowdStrike and Microsoft have reported that their products are impacted, affecting network functionality and security operations. Patrick Wardle, a macOS security expert from Objective-See, highlighted that Apple was informed of these issues pre-release but proceeded with the launch. Microsoft advised customers against upgrading to Sequoia due to changes in the network stack that disrupt normal operations. Fixes vary by vendor; for instance, ESET issues are managed by reconfiguring network filters, whereas Microsoft's problems are resolved by adjusting firewall settings. Apple has acknowledged the issues and is reportedly working on fixes, but has not issued public comments or detailed responses. Critics argue that such issues undermine trust in Apple's commitment to security and mark a repeat occurrence of software updates breaking functionality.
2024-09-21 16:46:18 | bleepingcomputer | MALWARE | Global Infostealer Malware Operation Targets Tech and Crypto Users
A wide-reaching infostealer malware operation named "Marko Polo" has been uncovered, targeting crypto enthusiasts, gamers, and software developers. Using techniques like malvertising, spear-phishing, and brand impersonation across multiple platforms, the operation spreads malware to steal valuable data and assets. Recorded Future's Insikt Group reports that the operation has possibly caused financial losses running into millions and compromised tens of thousands of devices globally. Malware payloads employed include AMOS, Stealc, and Rhadamanthys, which extract browser data and crypto wallet information and can even divert crypto transactions. The campaign uses fake brands, as well as impersonation of legitimate entities like Fortnite and Zoom, to bait victims into downloading malicious applications. Marko Polo affects not only Windows users but also macOS, employing tools like Atomic ('AMOS') to compromise the system and steal sensitive encrypted data. Protective measures highlighted include avoiding downloads from unofficial sources and keeping antivirus software up to date to mitigate malware threats.
2024-09-21 14:43:28 | thehackernews | NATION STATE ACTIVITY | Hacktivist Group Twelve Uses Cyber Attacks Against Russia
Twelve, a hacktivist group, focuses on damaging Russian entities using cyber attacks that permanently destroy data and infrastructure. Formed in April 2023 after the Russo-Ukrainian conflict began, Twelve employs publicly available hacking tools to debilitate and disrupt networks. It conducts hack-and-leak operations, sharing exfiltrated information via its Telegram channel, indicating hacktivist motivations. Kaspersky analysis reveals tactical similarities between Twelve and the ransomware group DARKSTAR, hinting at potential collaboration or shared origins. Twelve's attack methodology involves exploiting system vulnerabilities and using tools like Cobalt Strike and Mimikatz for lateral movement and credential theft. The group uses PHP web shells to execute commands and PowerShell scripts to disable security software and avoid detection. Deployed malicious software includes modified versions of ransomware like LockBit 3.0 and wipers similar to Shamoon, aimed at preventing system recovery. Despite using readily available tools, Twelve's attacks are sophisticated, leveraging detailed knowledge of network systems and vulnerabilities.
2024-09-21 13:21:53 | thehackernews | DATA BREACH | LinkedIn Stops AI Model Training in UK After Regulatory Concerns
The UK Information Commissioner's Office (ICO) has prompted LinkedIn to pause its AI data processing operations in the UK to address privacy concerns. LinkedIn used UK user data to train its AI models without obtaining explicit consent, which led to scrutiny from the ICO. The suspension is part of a broader engagement with regulatory bodies to ensure proper data protection and privacy for UK users. Other tech companies, including Microsoft, are also being closely monitored by the ICO for their AI practices and data handling. LinkedIn stated it would not resume training AI with EU, UK, or Swiss data until further regulatory clarification and consent are obtained. The company has implemented an opt-out mechanism for users outside Europe, allowing them to prevent their data from being used for AI model training. The suspension comes amid wider discussion and concern about the ethical use of personal data in AI model training, highlighted by similar activity at other major tech companies like Meta and by recent US FTC actions criticizing data privacy practices across the tech industry.
2024-09-21 13:11:33 | thehackernews | NATION STATE ACTIVITY | Ukraine Implements Telegram Ban Over National Security Concerns
Ukraine has prohibited government officials, military personnel, and workers in defense and critical infrastructure from using the Telegram messaging app due to national security risks. The ban, announced by the National Coordination Centre for Cybersecurity, aims to prevent the Russian military from exploiting the platform to conduct cyber attacks, spread malware, and gather intelligence. The National Security and Defense Council of Ukraine reported that the enemy has leveraged Telegram to track locations and target Ukrainian facilities with drones and missiles. While the ban restricts use on official devices, it does not apply to personal phones or to cases where the app is needed for official duties. Telegram denies providing personal data to any country, including Russia, and maintains that it securely deletes messages. The decision follows the arrest, and subsequent release on bail, of Telegram's CEO in France on charges of facilitating child pornography, drug trafficking, and fraud via the platform. The move underscores growing concern globally about the security implications of widely used messaging applications in geopolitical conflicts.
2024-09-20 19:11:55 | bleepingcomputer | MISCELLANEOUS | Microsoft Unveils Hotpatching for Windows Server 2025, Eliminates Frequent Reboots
Microsoft has introduced Hotpatching for Windows Server 2025, enabling security updates without requiring server restarts. The new feature promises quicker installations, reduced resource consumption, and minimal disruption to ongoing workloads thanks to less frequent reboots. Hotpatching works by updating the in-memory code of running processes, which improves security by reducing the window of exposure to vulnerabilities. The traditional 12 annual reboots will be replaced with only quarterly reboots, greatly decreasing downtime and operational impact. Initially implemented in Windows Server 2022 Datacenter: Azure Edition, Hotpatching now extends to both physical servers and virtual machines in various environments. Hotpatching availability is contingent on the use of Azure Arc, the Windows Server 2025 Datacenter evaluation, and compliance with specific security updates. The service aims to simplify change management, streamline the patch process, and potentially improve work-life balance for IT personnel.
2024-09-20 18:36:14 | bleepingcomputer | DATA BREACH | Disney Abandons Slack Following Significant July Data Breach
The Walt Disney Company will cease using Slack following a substantial data breach in July in which over 1TB of confidential information was exposed. A hacker known as 'NullBulge' compromised Disney's Slack server, accessing files and messages from around 10,000 channels, including sensitive project and financial details. Disney has initiated a transition to other enterprise-wide collaboration tools, with full migration expected by the end of the next fiscal quarter. The July breach was not isolated; another incident in June saw 2.5GB of data from Club Penguin and corporate information leaked on 4chan. The communication platforms that will replace Slack have not been disclosed, raising questions about whether Disney will adopt established software like Microsoft Teams or develop a proprietary system. Services like Slack are becoming increasingly popular targets for hackers, who steal massive datasets to pressure or taunt victim organizations.
2024-09-20 17:39:55 | bleepingcomputer | NATION STATE ACTIVITY | Ukraine Restricts Telegram on Govt Devices to Counter Security Risks
Ukraine's National Coordination Centre for Cybersecurity has banned Telegram on government and military devices due to national security threats. The decision, announced in a meeting led by Oleksandr Lytvynenko, focuses on the app's vulnerabilities amid the ongoing conflict with Russia. Kyrylo Budanov, head of Ukraine's Defence Intelligence, highlighted the risk of Russian intelligence accessing sensitive data through Telegram. Officials revealed that Russia uses Telegram for cyberattacks, coordination of missile strikes, and spreading malware. The ban targets devices within the government, military, and critical infrastructure sectors, excluding personnel who require the app for official duties. Despite the prohibition on official devices, Telegram will continue to be used broadly by civilians for communication and for receiving updates on the conflict. Ukrainian leaders, including President Zelenskyy, will keep using Telegram for public communication due to its wide reach. Telegram's founder Pavel Durov, who opposes Russian government censorship, is currently under investigation in France over various allegations against the platform.
2024-09-20 17:34:38 | theregister | CYBERCRIME | Two Arrested in $230 Million Cryptocurrency Theft Scheme
Two individuals, Malone Lam and Jeandiel Serrano, have been indicted for stealing over $230 million in cryptocurrency through a sophisticated social engineering scam. The theft involved more than 4,100 Bitcoins taken from a single victim based in Washington, D.C., with the suspects contacting the victim directly to carry out the crime. The stolen funds were laundered through various exchanges and mixers using techniques that obscured the funds' origins and complicated tracking. The laundering involved numerous small transfers through different exchanges and conversion into other cryptocurrencies and sometimes fiat currency. The suspects used the illicit gains to purchase luxury items like high-end cars and designer goods, and to fund international travel and entertainment. The case highlights the pervasive and sophisticated nature of cryptocurrency-related crime and the significant challenges it poses to both victims and regulatory agencies. The investigation and prosecution are being handled by the US Attorney's Office, the FBI, and the IRS, emphasizing the serious criminal nature of the offense.
2024-09-20 16:33:30 | bleepingcomputer | DATA BREACH | Dell Investigates Alleged Employee Data Breach by Hacker "grep"
Dell has confirmed an ongoing investigation into claims of a data breach that reportedly exposed over 10,000 employees' sensitive information. The breach was allegedly conducted by a hacker known as "grep," who disclosed the incident publicly on a hacking forum. The exposed data reportedly includes employees' unique identifiers, full names, employment status, and internal identification strings for both Dell and its partners. A small sample of the data was shared for free on the forum, with the full database offered for a nominal fee of one BreachForums credit. Dell's security team is actively working to verify the authenticity of the claims and assess the impact of the alleged breach. This incident follows another significant claim by the same hacker regarding a data breach at the French IT firm Capgemini, involving 20 GB of sensitive data. The response from the affected companies and the potential implications are being closely watched by industry professionals and cybersecurity organizations.
2024-09-20 15:47:29 | bleepingcomputer | MISCELLANEOUS | macOS Sequoia Update Causes Connectivity Issues for VPNs
macOS 15 'Sequoia' is reported to cause network connection errors with certain VPN and EDR solutions. Users described issues with tools like CrowdStrike Falcon, ESET Endpoint Security, and some firewall configurations. Apple has not formally responded, but changes to the firewall settings within macOS 15 appear to trigger these issues. Both CrowdStrike and SentinelOne advised customers against upgrading to macOS 15 due to interoperability concerns. ESET issued guidelines for resolving connectivity issues by adjusting network settings in the new OS. Security professionals offered temporary fixes for DNS failures caused by the firewall's problematic handling of UDP traffic. Mullvad VPN acknowledged the problems faced by macOS users and is exploring solutions. Experts recommend delaying the macOS 15 upgrade for users who rely on EDR products, VPNs, or strict firewall settings.
2024-09-20 15:32:04 | theregister | CYBERCRIME | Ivanti Releases Patch for High-Risk Path Traversal Flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical path traversal flaw in Ivanti's Cloud Services Appliance to its Known Exploited Vulnerabilities catalog due to its potential for severe exploitation. The vulnerability, identified as CVE-2024-8963, has a critical severity rating of 9.4 and affects the end-of-life product Ivanti Cloud Services Appliance 4.6, for which a final backported patch is now available. Attackers can exploit the flaw to access restricted functions or execute commands with administrative privileges, especially when it is combined with another recently patched command injection flaw (CVE-2024-8190). Ivanti advises customers to check for unauthorized changes to administrative users and review Endpoint Detection and Response (EDR) alerts for signs of compromise. CISA continues to press IT vendors to adopt secure-by-design (SBD) principles to preemptively address common vulnerabilities and enhance product security. Ivanti's CEO announced a commitment to secure-by-design development practices amid multiple security challenges faced earlier in the year. Whether this vulnerability has been used in ransomware attacks remains unknown, which makes timely application of the provided patch all the more important.
2024-09-20 14:15:19 | bleepingcomputer | MISCELLANEOUS | Shock Advertising Strategy Using 'Cheating' Posters in UK
A UK-based app called Prograd launched guerrilla marketing posters implying infidelity to captivate the audience and redirect them to its side-hustle comparison site. The posters, featuring scandalous messages addressed to individuals named Emily, contain QR codes that lead to Prograd's website, using shock value to grab attention. The campaign is specifically designed to appeal to college students and young people, engaging them with ads that play on emotions like anxiety and excitement. Prograd uses UTM codes in its campaign URLs to analyze the effectiveness of its unconventional advertising. Although the posters initially sparked concern, the QR code ultimately directs users to a harmless promotional web page, leaving some viewers disappointed and others relieved. Prograd claims significant engagement from the campaign, noting high rates of click-throughs and sign-ups since its inception. Such QR code usage raises general security concerns, reminding the public of the risks of scanning unknown QR codes in public places, which can lead to scams or malware. Despite being a playful prank, these tactics highlight underlying issues of misinformation and potential breaches of trust in advertising.
2024-09-20 13:03:43 | thehackernews | CYBERCRIME | Global Crackdown Leads to Arrests and Shutdown of Cybercrime Networks
International law enforcement, including Europol and judicial agencies from multiple countries, collaborated to dismantle iServer, a phishing-as-a-service platform used to unlock stolen mobile phones. Operation Kaerb led to the arrest of an Argentinian who had developed and managed iServer since 2018, and resulted in 17 arrests, 28 searches, and the seizure of 921 items including phones and weapons. iServer offered a web interface that allowed criminals to access mobile device credentials and bypass security features like Lost Mode, affecting over 483,000 victims globally. Additionally, an encrypted communication service, Ghost, used to coordinate illegal activities, was disrupted by Europol and the Australian Federal Police, resulting in 51 arrests. Separately, German authorities shut down 47 cryptocurrency exchange services that lacked proper KYC and anti-money-laundering controls and facilitated the monetization of cybercrime. The U.S. Department of Justice charged two individuals involved in a $230 million cryptocurrency scam, highlighting sophisticated laundering techniques through digital platforms. These actions underline the increasing global efforts by law enforcement to tackle cybercrime and enhance cybersecurity across international borders.