Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11838
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-10 10:06:11 | theregister | MALWARE | Ransomware Groups Develop Custom Tools for Data Theft | Ransomware groups are shifting from simply encrypting files to stealing data, which has driven the development of custom malware. Cisco Talos' report analyzed 14 major ransomware groups, noting a diversification in their operations and targets. Established groups like BlackByte and LockBit are enhancing their ransomware-as-a-service offerings with bespoke data exfiltration tools. A detailed example is BlackByte's custom tool, Exbyte, designed for stealth and efficiency in data transfer. LockBit, before its dismantling, used the StealBit malware, which mimics legitimate software functionality to facilitate data theft. Ransomware criminals typically gain initial entry to networks through social engineering or by exploiting weak network security. Infostealer malware is increasingly used to obtain legitimate credentials, which are crucial for initial access and later stages of the attack. Talos highlights a trend in ransomware operations toward evasion techniques that avoid detection and prolong unauthorized access. | Details |
| 2024-07-10 10:00:50 | bleepingcomputer | MISCELLANEOUS | Google Introduces Passkeys for High-Risk Users in Security Program | Google has integrated passkeys into its Advanced Protection Program (APP) to bolster security for high-risk users such as activists, journalists, and political teams. The APP offers the highest level of security against unauthorized access, phishing attacks, malicious apps, and attempts at data theft. Passkeys, which are more secure than traditional passwords, can be used with biometric sensors, PINs, or hardware security keys, and are device-specific. The implementation of passkeys enables easier and more secure logins, eliminating the need for multiple physical security keys. Users can create and manage passkeys directly from supported devices and must have both a compatible device and browser to use this feature. Google has recently made passkeys the default sign-in method across all its services for personal accounts, enhancing overall account security. The company has also enabled passwordless sign-in options and has expanded passkey compatibility to Chrome and Android since October 2022. | Details |
| 2024-07-10 07:28:00 | theregister | MISCELLANEOUS | Big Tech's Secret Fixes to AI Crash Bug Exposed | A journalist discovered a bug that caused many AI chatbots to crash and reported it, leading to unexpected consequences. Microsoft's vulnerability team initially dismissed the report but revisited the issue after a public article about the bug was published. The prompt causing the crashes was tested by various readers and some big tech employees, resulting in behind-the-scenes updates that appeared to fix the issue. Microsoft later characterized the problem as a "performance limitation" rather than a security vulnerability, focusing on the prompt's impact on model performance without involving malicious intent. Several questions raised by the journalist on the broader implications of such model deficiencies remain unanswered by Microsoft. The incident reveals a lack of proper bug reporting infrastructure among large language model (LLM) providers, leading to secretive and uncoordinated patch management. Security researchers often face similar issues of transparency and collaboration with big tech companies concerning vulnerability disclosures and fixes. | Details |
| 2024-07-10 07:22:39 | thehackernews | CYBERCRIME | Exposure of $11 Billion in Cybercrime Transactions via HuiOne | Cryptocurrency analysts from Elliptic revealed that HuiOne Guarantee facilitated over $11 billion in transactions, predominantly servicing cybercriminals. HuiOne Guarantee, linked to the Cambodian Hun family, is part of a larger conglomerate involved in global money laundering operations through HuiOne International Payments. The platform, posing as a marketplace for legitimate goods like real estate and cars, primarily supports the operations of pig butchering scams. These scams lure individuals with fraudulent job offers in Southeast Asia and then coerce them into scam activities within controlled "scam compounds." Merchants on HuiOne Guarantee offer a range of services, from software for creating fake crypto investment sites to physical products like electronic shackles for use in scam compounds. The network, established in 2021, includes extensive Telegram channels used by merchants to coordinate and execute various aspects of the scams. HuiOne's financial arm claims 500,000 users and lists major companies like Alipay and UnionPay as customers, though it primarily facilitates illicit activities. | Details |
| 2024-07-10 06:31:27 | theregister | MALWARE | ViperSoftX Malware Hides Using .NET and AutoIt, Targets Professionals | ViperSoftX, an infostealer malware first identified in 2020, has resurfaced with enhanced capabilities, now using the .NET runtime to obfuscate malicious PowerShell commands. This latest variant leverages AutoIt, a legitimate freeware tool, to further conceal its activity by embedding malicious scripts within what appear to be benign scripts and applications. Trellix researchers have discovered that this version of ViperSoftX is distributed through pirated eBooks, indicating a shift towards targeting professionals, particularly those working in enterprise environments. The malware is capable of stealing system data, cryptocurrency wallets, clipboard contents, and more, while actively avoiding detection by disabling Windows security features like the Antimalware Scan Interface (AMSI). ViperSoftX uses complex obfuscation techniques, including burying command sequences in fake JPG files, which install malicious scripts and configure scheduled tasks to weaken system defenses. The techniques employed signify a new wave of sophisticated malware threats aimed at both evading detection and increasing the effectiveness of their attacks. Trellix has not attributed the development or spread of ViperSoftX to any specific actor or group, suggesting the malware is used broadly for financial gain. | Details |
| 2024-07-10 05:40:18 | thehackernews | MALWARE | ViperSoftX Malware Distributed via eBooks on Torrent Sites | ViperSoftX malware is being distributed as disguised eBooks on torrent platforms, using advanced stealth tactics. Researchers highlight its use of the Common Language Runtime (CLR) to dynamically run PowerShell scripts, enhancing its ability to evade detection by traditional security measures. Originally identified in 2020, ViperSoftX has evolved with complex anti-analysis techniques, including byte remapping and blocking of web browser communication. Recent malicious campaigns have used ViperSoftX to deliver other threats like Quasar RAT and TesseractStealer. Infection tactics include deceptive eBook files that trigger a multi-stage infection process, using a hidden folder and a malicious Windows shortcut to execute harmful scripts. ViperSoftX is capable of harvesting system data, scanning for cryptocurrency wallets, and dynamically interacting with a remote server for further malicious activities. Its use of self-deletion mechanisms poses significant challenges for detection and analysis, underscoring its sophistication and the continuous innovation of cyber threats. | Details |
| 2024-07-10 03:27:48 | thehackernews | MALWARE | New OpenSSH Vulnerability Exposes Remote Execution Risk | A new vulnerability in OpenSSH versions 8.7p1 and 8.8p1, found in Red Hat Enterprise Linux 9, allows potential remote code execution. Identified as CVE-2024-6409 with a CVSS score of 7.0, this vulnerability differs from the recently disclosed CVE-2024-6387. The bug was discovered by security researcher Alexander Peslyak and stems from a race condition in signal handling when the privsep child process is active. The condition enables remote attackers to exploit unprivileged child processes of the sshd server because of unsafe signal handling in the cleanup_exit() function. CVE-2024-6387, related but distinct, is currently exploited in the wild, primarily targeting servers in China. Veriti has reported the active exploitation and traced it back to an IP address hosting tools for exploiting SSH vulnerabilities. Administrators are urged to update affected systems to mitigate the risk from both CVE-2024-6409 and CVE-2024-6387. | Details |
| 2024-07-10 03:17:08 | theregister | CYBERCRIME | Exploiting MD5 Flaw Compromises RADIUS Protocol Security | A major vulnerability in the RADIUS protocol, potentially allowing unauthorized network access, has been identified by cybersecurity teams from Cloudflare, Microsoft, and other institutions. Termed Blast RADIUS, this attack leverages a flaw in the MD5 hashing function to mount man-in-the-middle attacks that bypass authentication. Attackers can manipulate network traffic to forge authentication approvals, gaining access without legitimate credentials, primarily affecting client-server communications that rely on RADIUS. While exploiting this vulnerability is complex and requires an existing network presence, the overall CVSS severity rating is 7.5, indicating considerable risk. Network operators, particularly within enterprise environments, are encouraged to urgently apply firmware updates to mitigate the risk and to consider transitioning to RADIUS over TLS (RadSec) for enhanced security. All major RADIUS implementations have reportedly updated their software to address the issue, incorporating the stronger authentication measures advised by upcoming RADIUS RFCs. | Details |
| 2024-07-10 01:04:34 | theregister | MISCELLANEOUS | Extensive July Patch Updates Target Critical System Exploits | Microsoft's July Patch Tuesday addresses 139 CVEs, including actively exploited vulnerabilities in Hyper-V and MSHTML. Two severe vulnerabilities are under active attack: a privilege elevation flaw in Windows Hyper-V and a spoofing vulnerability in MSHTML that requires the user to open a malicious file. Other highlighted patches include three critical 9.8-rated RCE vulnerabilities in the Windows Remote Desktop Licensing Service, deemed exploitable by sending a malicious message. Adobe's update resolves seven CVEs, with six critical bugs in Premiere Pro and InDesign potentially allowing arbitrary code execution. SAP and Fortinet also released patches, targeting vulnerabilities such as unauthorized data access in SAP Product Design Cost Estimating and XSS in FortiOS. Additionally, Citrix addressed two 8.5-rated privilege escalation flaws in the Windows Virtual Delivery Agent and the Citrix Workspace app. Google's latest Android patches address 27 CVEs, including a critical privilege escalation flaw in the Framework component that requires no special permissions to exploit. | Details |
| 2024-07-09 23:37:52 | theregister | NATION STATE ACTIVITY | FBI Dismantles Russian AI Twitter Bot Farm Spreading Disinformation | The FBI, along with cybersecurity agencies from Canada and the Netherlands, shut down a Russian-controlled Twitter bot farm of nearly 1,000 accounts. RT News, a state-run Russian media outlet, reportedly operated the bot farm using generative AI to spread disinformation in the US and other countries. Two web domains and 968 Twitter accounts were seized in the operation, which aimed to sow discord and distrust among communities. The operation included collaboration with Twitter to suspend the misinformation-linked accounts, and the Feds identified key individuals, including RT's deputy editor-in-chief, allegedly responsible for the bot farm's setup. Generative AI was used to create "authentic"-looking personas and propagate misinformation designed to sway public opinion and exacerbate societal discord. The bot farm employed various evasion techniques, including using proxy IP addresses and interacting with large, ideologically aligned accounts to avoid detection. The initiative represents a concerted effort by multiple nations to tackle state-sponsored disinformation campaigns and protect public discourse from foreign interference. | Details |
| 2024-07-09 21:50:43 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Targets Russian AI-Enhanced Bot Farm Spreading Disinformation | Nearly a thousand Twitter accounts linked to a bot farm controlled by Russia Today (RT) and an FSB officer were recently dismantled. The operation was led by the U.S. Department of Justice with international support, targeting bots spreading Russian propaganda globally. Using AI software called Meliorator, the bot farm created realistic social media personas to distribute false narratives and amplify Russian influence. This disinformation campaign aimed to disrupt public opinion in various countries, including the U.S., Germany, and Ukraine. FBI Director Christopher Wray emphasized this as a pioneering effort to impede Russian AI-generated foreign disinformation efforts. The domains used for bot registration were seized, and 968 social media profiles were taken down in the operation. A joint advisory was issued by the FBI, CNMF, AIVD, and other agencies, detailing the technical aspects of Meliorator and the bot farm activities. | Details |
| 2024-07-09 21:19:57 | bleepingcomputer | NATION STATE ACTIVITY | U.S.-Led Operation Disrupts Russian Propaganda Bot Farm | The U.S. Justice Department, in coordination with international partners, dismantled a major bot farm operated by Russian state media and the FSB. Nearly 1,000 Twitter accounts and the associated domains used to register bots spreading Russian propaganda were seized. The bot farm used the AI software "Meliorator" to generate realistic social media profiles that disseminated false narratives globally. The operation targeted Russian influence operations that attempted to disrupt international discourse and skew public opinion. RT (Russia Today) aimed to extend its informational influence beyond traditional media, using the bot farm to reach global audiences on social media platforms. The FBI highlighted this as the first major disruption of a Russian-sponsored AI-enhanced social media bot operation. Future threats may include expansion of the bot technology to social media platforms beyond Twitter. Global intelligence and cybersecurity agencies, including agencies from Canada and the Netherlands, collaborated in this effort, providing further technical insights into the operations of the bot farm. | Details |
| 2024-07-09 19:47:59 | bleepingcomputer | CYBERCRIME | New Blast-RADIUS Attack Exploits MD5 Vulnerabilities in Authentication | The recently discovered Blast-RADIUS attack targets the RADIUS/UDP protocol, used for various authentication needs across enterprise and telecom networks. Threat actors can manipulate RADIUS server responses by performing an MD5 collision attack, allowing unauthorized admin access without needing actual credentials. This vulnerability affects a vast number of devices, including routers, switches, and network infrastructure that use RADIUS for critical functions like Wi-Fi authentication, 5G network access, and VPN connections. Although exploiting this attack currently takes between 3 and 6 minutes, optimization techniques could significantly speed up this process, making the attack more feasible in real-world scenarios. The exploit involves a sophisticated 'chosen-prefix' MD5 collision, which was previously deemed unfeasible in RADIUS contexts but has now been proven possible. To mitigate the risk, network operators are advised to use upgraded protocols like RadSec and to implement network-design best practices such as multihop deployments and isolated RADIUS traffic. Since end users' credentials are not compromised by this attack, protective measures predominantly involve system administrator and vendor intervention. | Details |
| 2024-07-09 19:37:34 | bleepingcomputer | DATA BREACH | Fujitsu Reports Data Compromise in Sophisticated Malware Attack | Fujitsu announced a data breach affecting customer and individual information due to a malware attack detected in March. The breach stemmed from malware that spread across 49 computers in the company, starting from a single point of infection. The malware used advanced techniques to evade detection and facilitate the unauthorized copying of sensitive data. While not ransomware, the malware allowed the exfiltration of personal and business-related information from Fujitsu's network. The company has completed its investigation with external experts and has isolated affected systems to contain the breach. Fujitsu has implemented enhanced security measures and updated its malware detection systems to prevent future incidents. No misuse of the compromised data has been reported as of the company's latest updates. | Details |
| 2024-07-09 17:55:34 | bleepingcomputer | MALWARE | Microsoft's July 2024 Patch Update Fixes 142 Security Flaws | Microsoft's July 2024 Patch Tuesday addressed 142 security vulnerabilities, including 4 zero-day flaws, two of which were actively exploited. Among the fixed vulnerabilities, five were classified as critical and capable of allowing remote code execution. The two actively exploited zero-days are vulnerabilities in Windows Hyper-V and the Windows MSHTML Platform. The actively exploited Hyper-V flaw allowed elevation of privilege, giving attackers SYSTEM access, while the MSHTML flaw is a spoofing vulnerability. The two publicly disclosed zero-days addressed are a .NET and Visual Studio remote code execution flaw and the FetchBench side-channel attack on ARM architectures. Microsoft has provided fixes without revealing specific details on the exploitation scenarios or the identities of the attackers. Other vendors also released updates and advisories, reflecting a broader industry response to ongoing security challenges. | Details |