Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-13 02:01:00 | theregister | NATION STATE ACTIVITY | U.S. Authorities Seize 350 Domains Selling Illegal Gun Mods | The U.S. Attorney's Office in Massachusetts has seized over 350 internet domains used by Chinese entities to sell illegal gun conversion kits to U.S. residents. These kits, including switches and silencers, convert semiautomatic guns into automatic weapons and are banned under the National Firearms Act. Undercover operations starting in August last year involved purchasing these devices to verify their authenticity; many transactions were facilitated through WhatsApp or Telegram. The illegal items were falsely labeled as harmless products such as toys or necklaces to evade U.S. customs. A subpoena revealed that many of the seized domains were registered to the same entity, pointing to organized criminal activity. Results of the ongoing investigations include the confiscation of 700 conversion devices, 87 silencers, 59 handguns, and 36 long rifles. The seized domains now display notices of their confiscation by authorities, warning potential visitors. The Department of Justice has called on the 3D printing industry to help prevent the manufacturing of illicit gun conversion devices. | Details |
| 2024-09-13 01:45:32 | bleepingcomputer | MALWARE | Over 1.3 Million Android Devices Infected with Vo1d Malware | Newly identified Vo1d malware has infected over 1.3 million Android TV streaming boxes globally. The infections are most prevalent in Brazil, Morocco, Russia, and several other countries. Vo1d malware allows attackers to control devices, modify system files, launch on boot, and execute commands remotely. The malware modifies essential startup scripts such as install-recovery.sh and daemonsu for persistence. Dr.Web's study suggests that vulnerabilities in outdated software and unofficial firmware may be the main infection vectors. Google emphasizes that the compromised devices run the Android Open Source Project and are not Play Protect certified. Users are advised to update firmware regularly, disconnect susceptible devices from the internet, and avoid third-party APK installations to mitigate risks. | Details |
| 2024-09-13 00:59:39 | theregister | DATA BREACH | Fortinet Confirms Customer Data Leak from Cloud Storage | Fortinet acknowledged that unauthorized access was gained to a secure cloud-based file drive, impacting customer data. Less than 0.3 percent of Fortinet's customers were affected by this breach. No Fortinet operations, products, or services have been compromised, and there is no evidence of further unauthorized access. The company has deactivated the intruder's access, contacted law enforcement, and informed relevant cybersecurity agencies. A user on a dark web forum claimed responsibility for the data breach, attempting to extort Fortinet by threatening to release the data. Fortinet believes the incident will not materially affect its financial condition or operating results, opting not to file an SEC form 8-K. This data breach adds to Fortinet's string of security issues this year, potentially damaging its reputation further in the cybersecurity community. | Details |
| 2024-09-13 00:34:05 | theregister | MALWARE | Hadooken Linux Malware Exploits Oracle WebLogic Server Vulnerabilities | An unknown attacker is exploiting weak passwords on Oracle WebLogic servers to deploy Hadooken, a new Linux malware. Attacks have been observed over the past few weeks, with Aqua's security team detecting multiple incidents using a honeypot. Key functionalities of Hadooken include crypto mining, credential theft, and inclusion of the Tsunami backdoor, which could enable full remote control and support DDoS attacks. Although the primary payloads are currently active, there is potential for future ransomware attacks, linked to the RHOMBUS and NoEscape strains. The malware maintains persistence on infected servers through multiple cronjobs and can move laterally within networks to compromise additional systems. Investigations trace the malware downloads to two IP addresses, one associated with a UK hosting company previously used by known cybercrime groups. Researchers posit potential wide-scale targeting of both Linux and Windows systems, focusing on large organizations for maximum impact. | Details |
| 2024-09-12 21:15:11 | bleepingcomputer | MALWARE | New Vo1d Malware Compromises Over 1.3 Million Android TV Boxes | Over 1.3 million Android TV streaming boxes globally have been infected with the Vo1d backdoor malware. Brazil, Morocco, Pakistan, and several other countries report the highest number of infections. The Vo1d malware modifies key system scripts for persistence and launches malicious processes on device startup. Infected devices may download and execute executables under the command of a central control server. The malware affects various versions of the Android TV firmware, exploiting their vulnerabilities. Potential infection vectors include attacks exploiting system vulnerabilities or installations of unofficial firmware versions. Dr. Web advises frequent firmware updates, limiting APK downloads from third-party sites, and disconnecting infected devices from the internet to mitigate risks. A list of Indicators of Compromise (IOCs) related to the Vo1d malware campaign is available on Dr. Web's GitHub page for further reference and action. | Details |
| 2024-09-12 20:54:38 | theregister | DATA BREACH | Capgemini Suffers Major Data Breach, Sensitive Data Leaked | A cyber-criminal claims to have infiltrated Capgemini's networks and stolen 20GB of highly sensitive data, including source code, credentials, and T-Mobile's VM logs. The stolen data reportedly contains databases, API keys, project details, employee information, and other confidential materials. Screenshots of the breach shared online depict customer information and Capgemini's internal configurations for cloud infrastructure. The perpetrator, identified only by the username "grep," shared the data on BreachForums and provided samples to users, which include details on Capgemini's operations and client services. Capgemini, a major global consulting and IT firm with over €22 billion in annual revenue, has not yet commented on the breach allegations. This incident raises significant concerns regarding client and employee privacy, as well as the security of critical IT infrastructures managed by Capgemini. | Details |
| 2024-09-12 19:02:21 | theregister | MISCELLANEOUS | Mastercard Acquires Cyber Intelligence Firm Recorded Future for $2.65B | Mastercard has agreed to acquire Recorded Future, a major player in threat intelligence, for $2.65 billion. Recorded Future is widely used by government agencies in 45 countries and over half of the Fortune 100 companies. The acquisition is part of Mastercard's strategy to enhance its security services, including fraud prevention and cybersecurity. Recorded Future was initially funded by In-Q-Tel, the venture capital arm of the CIA, and incorporates advanced AI in its security analysis. Recorded Future promises to maintain its role as an independent intelligence platform even under new ownership. Mastercard and Recorded Future have collaborated on AI solutions to detect fraudulent credit card activity, significantly improving fraud detection efficiency. This acquisition is part of Mastercard's larger investment in security, including prior purchases such as identity management firm Ekata and crypto fraud company CipherTrace. The deal is expected to close by the first quarter of 2025, pending regulatory approvals. | Details |
| 2024-09-12 18:31:12 | theregister | MALWARE | Adobe's Critical Acrobat Patch Omits Zero-Day Exploit Details | Adobe patched a critical remote code execution vulnerability in Acrobat, identified as CVE-2024-41869. Adobe's advisory for the vulnerability, reported in June by researcher Haifei Li, did not mention its zero-day status or the existence of a proof-of-concept exploit. Although rated critical, the CVSS score suggests a high-severity issue, potentially downplaying the urgency for system administrators. Expmon, the platform that detected the bug, indicated that Adobe acknowledged the need for an additional fix to fully address the problem. There are concerns that once the PoC sample PDF is released, it could lead to active exploitation by malicious parties. Adobe's communication did not initially clarify the PoC or zero-day nature, increasing risk due to possible delays in prioritizing the patch. Further details about the vulnerability are expected to be published soon in a collaboration between Expmon and Check Point Research. | Details |
| 2024-09-12 18:31:11 | bleepingcomputer | MISCELLANEOUS | Deeper Connect VPN Router Offer: Bypass Geo-Restrictions Easily | The Deeper Connect VPN router allows users to access geo-restricted content from streaming services worldwide. This hardware solution provides a lifetime of service without the recurring costs associated with traditional digital VPN subscriptions. Promotion available: purchase the VPN router at a significantly reduced price of $159, using the promo code CONNECT at checkout, with free shipping until September 29. The device supports up to five connections simultaneously and is compatible with various devices including iPhones, PCs, and smart TVs. The router not only bypasses geo-restrictions but also blocks ads on platforms such as Netflix Canada and YouTube, enhancing streaming experiences. It features military-grade encryption and a decentralized VPN architecture, ensuring robust protection against cyber threats while browsing or streaming. The offer ends on September 29 at 11:59 PM Pacific, and prices are subject to change as per the partnership agreement between StackCommerce and BleepingComputer.com. | Details |
| 2024-09-12 18:31:11 | bleepingcomputer | CYBERCRIME | Record $5.6 Billion Lost to Cryptocurrency Fraud in 2023, FBI Reports | In 2023, cryptocurrency fraud losses surged to a record $5.6 billion, a 45% increase from the previous year, according to the FBI. Nearly 70,000 incidents were reported through the FBI's Internet Crime Complaint Center (IC3). Investment scams were the predominant type of fraud, constituting 71% of all crypto-related losses. Losses were concentrated in the U.S., with U.S. citizens accounting for $4.8 billion of the total. California experienced the highest financial damage among states, with losses over $1.15 billion. Fraud trends included "pig butchering" schemes through dating and professional networking platforms, liquidity mining scams, blockchain-based fake gaming apps, and cryptocurrency recovery scams. The FBI advises cryptocurrency holders to exercise caution due to the irreversible nature of transactions and the anonymity provided by the technology. | Details |
| 2024-09-12 18:05:26 | bleepingcomputer | DATA BREACH | Fortinet Confirms Data Theft from Cloud-Based Server | Cybersecurity company Fortinet acknowledged a data breach involving 440GB of files stolen from its Microsoft SharePoint server. A hacker publicly claimed the theft and attempted to extort Fortinet by threatening to release the stolen data unless a ransom was paid. The stolen data was stored in an S3 bucket, with credentials shared on a hacking forum for others to download it. The breach was confirmed to have occurred on a third-party cloud-based shared file drive, compromising limited data relating to some Fortinet customers. Fortinet has communicated directly with the affected customers, although specific details on the number of customers or the nature of the stolen data were not disclosed. It is not confirmed whether BleepingComputer has verified that the contents of the S3 bucket are the stolen files as claimed. This incident follows a breach in May 2023, in which Fortinet's acquisition, Panopta, had its GitHub repositories hacked and data leaked. | Details |
| 2024-09-12 16:38:54 | bleepingcomputer | CYBERCRIME | UK Teen Arrested for Cyber Attack on Transport for London | A 17-year-old male was arrested in Walsall by the UK's National Crime Agency on suspicion of involvement in a cyberattack on Transport for London (TfL). The attack occurred on September 1, impacting TfL's internal systems and customer-facing services but not the city's transportation operations. Subsequent investigations revealed the theft of customer data, including names, contact details, and banking information for approximately 5,000 customers. The arrested teenager was also linked to a previous cybersecurity incident, the MGM Resorts ransomware attack attributed to the Scattered Spider collective and the BlackCat ransomware gang. The National Crime Agency is spearheading the investigation, collaborating with the National Cyber Security Centre and TfL to manage the incident's aftermath. The teenager has been released on bail after questioning, with ongoing inquiries potentially connecting him to multiple cyber incidents. | Details |
| 2024-09-12 16:28:26 | bleepingcomputer | CYBERCRIME | Hackers Exploit WhatsUp Gold Vulnerabilities Since August | Hackers have been exploiting two critical SQL injection vulnerabilities in WhatsUp Gold, identified as CVE-2024-6670 and CVE-2024-6671, that could allow retrieval of encrypted passwords without authentication. Despite patches released by Progress Software on August 16, delayed updates by many organizations have allowed continued exploitation. The vulnerabilities were reported by researcher Sina Kheirkhah to the Zero Day Initiative on May 22, with proof-of-concept (PoC) exploits published on August 30. Trend Micro reported active exploitation starting just hours after the PoC code was made public, with attackers leveraging WhatsUp Gold's functionality to install various Remote Access Tools (RATs) such as Atera Agent, Radmin, and Splashtop Remote. The attackers used poisoned PowerShell scripts and legitimate Windows utilities to execute code and persist on the compromised systems. No specific threat group has been identified, but the sophisticated use of multiple RATs suggests the involvement of ransomware actors. This incident marks another significant exploitation of WhatsUp Gold vulnerabilities, following reported exploits of other critical flaws earlier in the year. | Details |
| 2024-09-12 16:12:56 | thehackernews | MALWARE | New 'Ajina.Banker' Android Malware Targets Banking Data in Central Asia | Newly identified Android malware, Ajina.Banker, targets bank customers in Central Asia to steal financial information and intercept 2FA messages. The malware spreads via Telegram channels that pose as legitimate apps for banking, payment systems, and government services. Targets of the ongoing campaign include Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. Ajina.Banker can gather SIM card details, installed financial applications, and SMS messages, and phish for banking credentials. The distribution method uses automated tools that post malicious links in local Telegram chats, pretending to be promotions or giveaways. The malware can also prevent its own uninstallation and grant itself additional permissions by abusing Android's accessibility services. The development and support of Ajina.Banker involve a network of affiliates, indicating a well-coordinated campaign aimed at financial gain. Links have been found between this campaign and other malware families, suggesting a broader coordinated effort by the same threat actors. | Details |
| 2024-09-12 16:02:26 | theregister | MISCELLANEOUS | Google Chrome Enhances Security with Automated Safety Checks | Google has updated Chrome's Safety Check feature to autonomously revoke unneeded permissions and unsubscribe from abusive notifications. Safety Check, introduced in 2020, now runs automatically in the background, enhancing user safety without compromising battery life on mobile devices. The update includes automated handling of browser notifications, actively cancelling those deemed deceptive by Google's Safe Browsing service. On Chrome for desktop, the feature notifies users about risky extensions and provides controls for their removal. Pixel device users, with expansion to other Android devices planned, can directly unsubscribe from unwanted notifications, reducing notification volume by 30%. The new version of Chrome for mobile includes notifications about security actions taken and reminders for unresolved security issues. Google's implementation of one-time permissions in Chrome 116 ensures sensitive permissions are not needlessly retained, boosting privacy and security. The browser's proactive features aim to reduce the user interaction needed to manage security settings while maintaining or improving security levels. | Details |