Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-10 20:43:11 | bleepingcomputer | CYBERCRIME | Huione Guarantee: An $11 Billion Cybercrime Marketplace Exposed | Huione Guarantee, an online marketplace, has been identified as a major facilitator for laundering money generated from online scams, specifically "pig butchering" investment fraud. An investigation by the blockchain analytics firm Elliptic revealed that merchants on Huione Guarantee have conducted transactions amounting to at least $11 billion, linked to cybercrimes such as investment fraud, personal data sales, and money laundering. The platform, launched in 2021 and owned by the Cambodian conglomerate Huione Group, operates with limited oversight of the legality of the transactions conducted, despite offering an escrow system through Huione Pay to ensure transaction safety. The lack of moderation, combined with a robust payment system, has made Huione Guarantee comparable to darknet markets, attracting cybercriminals looking to buy and sell illegal items and services; its own staff have been involved in laundering operations. In one highlighted instance, a Huione International Payments representative agreed to launder $2 million from a scam for a 10.5% fee. The platform is becoming a central figure in enabling scam operators in Southeast Asia, with its payment system playing a crucial role in the global laundering of scam proceeds. Elliptic has gathered hundreds of cryptocurrency addresses associated with Huione companies and merchants, which could assist crypto exchanges and law enforcement in tracking and blocking illicit financial flows on the platform. | Details |
| 2024-07-10 20:12:19 | bleepingcomputer | CYBERCRIME | GitLab Security Flaw Allows Pipeline Job Impersonation | GitLab announced a critical security vulnerability in its Community and Enterprise editions that could allow attackers to execute pipeline jobs as other users. The issue affects GitLab versions 15.8 through 17.1.2 and has a high severity rating of 9.6 on the CVSS scale. Patches were released immediately for versions 17.1.2, 17.0.4, and 16.11.6, with GitLab urging all users to update their installations as soon as possible. Patched versions are already deployed on GitLab.com and GitLab Dedicated, securing these platforms against the vulnerability. This flaw follows closely after other serious GitLab vulnerabilities, including an account takeover bug and another that could allow pipeline impersonation, highlighting ongoing security challenges. Exploitation of such vulnerabilities can have significant consequences, such as unauthorized access to sensitive corporate data and potential supply chain attacks. GitLab is critical infrastructure for many Fortune 100 companies, making it a high-value target for cyberattacks. | Details |
| 2024-07-10 19:26:23 | bleepingcomputer | MALWARE | ViperSoftX Malware Evolves to Evade Detection Using AutoIt and PowerShell | ViperSoftX malware uses a Common Language Runtime (CLR) implementation to run PowerShell from within AutoIt scripts, bypassing typical security detections. The malware has been updated to increase its evasion capabilities, including the use of modified offensive scripts. Distributed through torrent sites, ViperSoftX disguises itself as ebook downloads containing malicious files and deceptive .LNK files. On execution, the malware configures Task Scheduler to maintain persistence, running every five minutes after user login. It uses Base64 obfuscation and AES encryption within PowerShell scripts to hide its commands, and it modifies the memory of the Antimalware Scan Interface (AMSI) to bypass security checks. It employs deceptive network communication strategies to stay under the radar and steal user data. Cybersecurity experts emphasize a comprehensive defense strategy to counter the sophisticated threat posed by ViperSoftX. | Details |
| 2024-07-10 18:04:38 | bleepingcomputer | NATION STATE ACTIVITY | CISA and FBI Address OS Command Injection Flaws in Advisory | CISA and the FBI issued a joint advisory urging software developers to address and mitigate OS command injection vulnerabilities in their products. Recent attacks by the Chinese state-sponsored group Velvet Ant exploited such vulnerabilities to compromise network devices from Cisco, Palo Alto, and Ivanti. The agencies highlighted that these vulnerabilities allow execution of malicious commands because of inadequate validation and sanitization of user input. The advisory recommends practical steps for developers, including the use of secure coding practices and rigorous testing, to ensure the security of software products. Technical and executive leadership at tech companies are encouraged to proactively review and improve the security measures in their development processes. OS command injection is ranked fifth in MITRE's top 25 most dangerous software weaknesses, illustrating the critical need for improved security practices in software development. Past advisories have addressed related issues such as path traversal and SQL injection vulnerabilities as part of ongoing efforts to promote secure-by-design software. | Details |
| 2024-07-10 17:13:14 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Kimsuky Hackers Target Japanese Organizations | Japan's JPCERT/CC has warned of targeted cyberattacks by the North Korean hacker group Kimsuky. These attacks involve phishing and the deployment of custom malware aimed at espionage and data theft. Kimsuky used phishing emails with malicious ZIP attachments to infiltrate networks, disguising executables to evade detection. The deployed malware collects information such as network details, user data, and keylogs and transmits it to remote servers. A recently discovered variant aims to cause further harm via keylogging and credential theft, indicating an evolution in Kimsuky's methods. Compiled HTML Help (CHM) malware strains with enhanced obfuscation tactics have been newly deployed in Korea by Kimsuky. ASEC's reports and shared IoCs have played a critical role in identifying these attacks and attributing them to Kimsuky. | Details |
| 2024-07-10 16:47:23 | theregister | DATA BREACH | Snowflake Enhances Security with Mandatory MFA After Breaches | Snowflake is introducing a mandatory multi-factor authentication (MFA) option that administrators can enforce across all user accounts, aiming to bolster security after recent data breaches. The decision follows recommendations by Mandiant in response to several data thefts linked to Snowflake account intrusions, in which the breached accounts lacked MFA. Snowflake's new policy can be applied to all users, including those using single sign-on (SSO), or on a user-by-user basis, with special recommendations for service accounts. Alongside mandatory MFA, Snowflake has launched the Snowflake Trust Center to help customers monitor compliance and strengthen security measures, including MFA and network policies. The Security Essentials scanner and the CIS Benchmarks scanner packages, included in the Snowflake Trust Center, are now generally available to audit customer accounts against security best practices. Snowflake's interface, Snowsight, nudges users to adopt MFA by prompting those without it to enable the configuration every three days. This enforcement comes after third-party researchers linked intrusions at Ticketmaster and Santander to Snowflake, though Snowflake denies the breaches originated from its systems, attributing some to a former employee's compromised credentials. Snowflake continues to deny any direct fault for the incidents at Santander and Ticketmaster while facing ongoing legal and reputational challenges. | Details |
| 2024-07-10 16:36:54 | bleepingcomputer | CYBERCRIME | Extensive Fake Ticket Scam Targets Russian Speakers for Olympics | Researchers at QuoIntelligence have identified a large fraud operation using 708 domains to sell fake tickets to events such as the Paris Summer Olympics. Named "Ticket Heist," the scheme predominantly targets Russian-speaking users, with most websites available only in Russian, and uses inflated ticket prices to lure potential buyers. The scam sites use sophisticated designs that mimic legitimate ticketing services, convincing users of their authenticity. Payment for the fake tickets is processed through Stripe, the scam's goal being direct financial theft rather than data theft. The operation also includes fake offers for major concerts and the UEFA European Championship, extending its target audience. VIP Events Team LLC, a company linked to the operation, appears to be a front, with registrations in both New York and Tbilisi, neither of which has any online presence beyond the scam sites. The French National Gendarmerie and cybersecurity firm Proofpoint have previously warned about similar fraudulent activities aimed at ticket buyers. | Details |
| 2024-07-10 16:05:54 | bleepingcomputer | MALWARE | Microsoft Patches Long-Exploited MSHTML Zero-Day Vulnerability | Microsoft addressed a critical MSHTML spoofing vulnerability, CVE-2024-38112, in its July 2024 Patch Tuesday updates. Discovered by Haifei Li of Check Point Research, the zero-day has been leveraged in attacks since January 2023 to deploy password-stealing malware. Attackers exploited the ability of Internet Explorer to process MHTML files, circumventing security measures to execute malicious .HTA files disguised as .PDFs. By tweaking Internet Shortcut File configurations and using hidden Unicode characters, these malicious files appeared legitimate and bypassed browser security warnings. Once the disguised HTA file was opened, it could execute without adequate security warnings, allowing installation of malware such as the Atlantida Stealer, which harvests sensitive information including passwords and crypto wallet data. The vulnerability mirrors the characteristics of CVE-2021-40444, previously exploited by North Korean hackers, revealing a pattern of MHTML flaws being used in cyberattacks. Microsoft's fix unregisters the mhtml: URI so that these links open in the more secure Microsoft Edge, protecting users against similar exploitation tactics. | Details |
| 2024-07-10 14:03:18 | bleepingcomputer | CYBERCRIME | Enhancing Security by Strengthening All Account Passwords | Even inactive or test accounts require strong, secure passwords to protect an organization's data and prevent unauthorized access. Attackers exploit forgotten accounts, including those in test environments, which can store genuine customer data or provide access to more sensitive accounts. A recent incident highlighted this threat when Russian state hackers compromised Microsoft through a simple password spray attack on an inactive test account. Multi-factor authentication (MFA) and strong password policies are essential defenses against such attacks, preventing easy exploitation. Specops Software provides tools such as Password Auditor and Password Policy to help organizations detect and fix weaknesses, ensuring all user accounts, even inactive ones, are secured. Organizations should regularly audit their Active Directory for inactive accounts and either secure them with strong passwords or delete them entirely. | Details |
| 2024-07-10 13:52:49 | theregister | MALWARE | Advanced Malware Compromise Targets Fujitsu Japan's Systems | Fujitsu Japan experienced a significant data theft due to a sophisticated malware attack, which was confirmed in March. The malware, described as "not ransomware," was capable of worm-like behavior, spreading to 48 business computers within the internal network. The attack was challenging to detect because of the malware's advanced techniques, including various methods of disguise. While initial assessments downplayed the risk, an in-depth investigation revealed the execution of copy commands indicative of data exfiltration. Affected individuals and customers whose data may have been compromised have been notified directly, in compliance with Japanese data protection laws. Comprehensive measures, including isolation of infected machines and enhanced monitoring, were implemented to contain and mitigate the attack. External experts were brought in to assist the investigation, focusing on analyzing communication and operation logs to trace the malware's activities. Fujitsu is committed to bolstering its cybersecurity framework to prevent future incidents and protect sensitive data. | Details |
| 2024-07-10 13:06:46 | thehackernews | MALWARE | EstateRansomware Exploits Veeam Software in Sophisticated Attack | A newly identified ransomware group, EstateRansomware, has exploited a security flaw in Veeam Backup & Replication software, specifically CVE-2023-27532. The initial breach was achieved through a Fortinet FortiGate firewall using a dormant account, with the attackers then advancing through the SSL VPN to reach critical servers. The attackers employed methods including VPN brute-force attempts, persistent backdoors, and remote command execution via a command-and-control server. Tactics included creating a rogue user, conducting network reconnaissance, and disabling Windows Defender to allow unchecked lateral movement and payload deployment. The final phase of the attack involved deploying ransomware across the network, preceded by detailed preparation and reconnaissance. The attack underscores the persistent threat posed by ransomware actors who increasingly exploit public-facing vulnerabilities and use sophisticated intrusion techniques. Cisco Talos highlights the evolution of ransomware operations, noting the use of double extortion and a trend toward more targeted, niche attacks by emerging groups. | Details |
| 2024-07-10 11:34:26 | thehackernews | MISCELLANEOUS | Evolving Security Strategies for IoT Devices against Cyber Threats | Rapid7's "2024 Attack Intelligence Report" points out the inadequacy of current patching strategies for newly identified vulnerabilities in IoT devices, highlighting the significant delays in patch development and deployment. The IoTSF's report on IoT and OT devices indicates that modern IoT firmware, often composed of open-source components, suffers recurring security vulnerabilities because of the interdependent nature of those components. Security teams struggle to create accurate Software Bills of Materials (SBOMs) and to manage the ever-increasing complexity and number of vulnerabilities in IoT firmware. Historical exploits, such as the 2007 malware attack on an electricity generator at Idaho National Laboratory, demonstrate the catastrophic potential of cyberattacks on infrastructure and the risk of destructive exploits via simple malware in IoT devices. The article suggests that isolating vulnerable firmware with technology such as the "separation kernels" used in the aerospace and automotive industries offers a better solution than traditional patch management. However, typical IoT devices face challenges with these solutions because they rely on low-power microcontrollers (MCUs) that support only limited memory management capabilities. A proposed solution is isolated partitioning for Cortex-M based MCUs, which improves security by physically separating critical and vulnerable firmware components and ensures continuity of operation even during an attack. Isolated partitioning not only defends against zero-days and unpatched vulnerabilities but also mitigates insider threats and enforces good programming practices, improving overall device and network security. | Details |
| 2024-07-10 11:13:48 | thehackernews | MISCELLANEOUS | Essential Guide to Evaluating ITDR Vendors Effectively | The article discusses the increasing importance of Identity Threat Detection and Response (ITDR) in today's cybersecurity landscape, emphasizing that identity protection is crucial yet often overlooked. ITDR is presented as a response to the frequent use of lateral movement techniques in ransomware attacks, which exploit compromised credentials. Existing solutions such as XDR, network security, and SIEM are noted for their limitations in blocking attacks that leverage stolen identities. The guide details the ITDR capabilities needed for comprehensive protection across all user accounts, resources, and access methods, stressing the need for real-time threat detection. It also emphasizes multi-dimensional anomaly detection to minimize false positives and improve the accuracy of detecting actual threats. Effective ITDR solutions should not only detect anomalies but also integrate with other security systems (XDR, SIEM, SOAR) to block malicious access and respond to threats. Silverfort's ITDR capabilities are outlined as an example, noting its integration with multiple identity security controls and platforms. | Details |
| 2024-07-10 11:08:27 | thehackernews | MALWARE | Microsoft Patches 143 Vulnerabilities, Including Two Exploited | Microsoft released patches for 143 security flaws, five rated critical and 136 important, two of which are currently exploited in the wild. The actively exploited vulnerabilities are a flaw that uses the retired Internet Explorer to redirect users to malicious URLs and an elevation of privilege flaw in Windows Hyper-V. Publicly known vulnerabilities also patched include a side-channel attack and remote code execution flaws in .NET and Visual Studio. The update includes fixes for multiple remote code execution flaws in the SQL Server Native Client OLE DB Provider and security feature bypass issues in Secure Boot. A significant zero-click vulnerability in Microsoft Office, allowing remote code execution without user interaction, was also addressed. Microsoft also announced changes to improve transparency in reporting cloud-related security vulnerabilities. Other software vendors have also released updates addressing various vulnerabilities over the past weeks. | Details |
| 2024-07-10 10:37:16 | bleepingcomputer | CYBERCRIME | Massive Fake Ticket Operation Targets Olympic Games Enthusiasts | Researchers at QuoIntelligence uncovered a large-scale fraud scheme, dubbed Ticket Heist, involving over 700 domains and targeting mainly Russian-speaking individuals. The fraudulent websites offer overpriced tickets for the upcoming Summer Olympics in Paris, as well as major sports and music events, with convincing designs that mimic legitimate platforms. The scammers do not aim to collect credit card information but to steal money directly through the legitimate payment platform Stripe. All purchase attempts lead to a company named VIP Events Team LLC, whose legitimacy is questionable and whose public records are untraceable. Infrastructure analysis revealed that all the fake ticket-selling domains share the same IP address, which is linked to previous malicious activity. Despite the high ticket prices used to imply scarcity and premium access, 98% of these domains are considered clean of malware. The operation also attempts to capitalize on other large events, such as the UEFA European Championship and concerts in major Russian cities. The operation's persistence, despite previous warnings by various cybersecurity entities, suggests an ongoing threat that continues to exploit public interest in major events. | Details |