Daily Brief

Generated summaries of the articles found are listed below.

Total articles found: 11838


2024-07-09 17:24:36 bleepingcomputer MALWARE Hackers Exploit WordPress Plugin to Execute Remote Code
Hackers are exploiting a vulnerability (CVE-2024-5441) in the Modern Events Calendar WordPress plugin, which is installed on over 150,000 websites. The vulnerability allows unauthorized file uploads and remote code execution, potentially leading to complete site takeover. The high-severity issue arises from absent file-type validation in the plugin's image upload function, permitting uploads of executable files such as PHP scripts. Any registered user, and even non-members if settings permit, can exploit this vulnerability. Webnus, the plugin's developer, has addressed the issue by releasing an updated version (7.12.0). Wordfence, a security firm, observed and blocked over 100 exploitation attempts within 24 hours of reporting. Website administrators are urged to upgrade immediately to the latest plugin version or disable it to safeguard against potential attacks.
2024-07-09 16:58:56 bleepingcomputer DATA BREACH Over 35,000 Affected in Philadelphia Data Breach Incident
The City of Philadelphia announced a data breach affecting 35,881 individuals, involving personal and protected health information. The breach occurred between May 26, 2023, and July 28, 2023, with disclosure delayed until October. Compromised data includes names, addresses, Social Security numbers, financial account details, and health information. The City has notified affected individuals and offered free credit monitoring services for 12 months along with advice on protecting against identity theft. Federal law enforcement has been informed of the breach, and the City is enhancing employee training and security measures. A previous related incident in June 2020 involved a HIPAA breach at the City's Department of Behavioral Health that affected email accounts. The methods used by attackers to breach the email accounts and the reason for the delayed disclosure remain unexplained.
2024-07-09 15:11:43 bleepingcomputer NATION STATE ACTIVITY Chinese APT40 Uses Compromised SOHO Routers for Cyberespionage
Chinese state-sponsored hacking group APT40 has been reported to hijack SOHO routers to launch cyberespionage attacks targeting entities in the US and Australia. Active since at least 2011, APT40 focuses on exploiting vulnerabilities in public-facing infrastructure and networking devices. Recent activity involves exploiting major flaws in software such as Log4j, Atlassian Confluence, and Microsoft Exchange as soon as they are publicly reported. The joint advisory, authored by Australia's ACSC, details two cases from 2022 demonstrating APT40's tactics, including web shell deployment and exfiltration of sensitive data. Rather than interacting directly with targets, APT40 prefers to route its activity through proxy networks of hijacked routers to mask its origin. Recommended mitigations include timely patching of disclosed vulnerabilities, comprehensive logging, use of WAFs, enforcement of MFA, and replacement of end-of-life networking gear. Resilience against such APT groups requires international cooperation, as evidenced by contributions to the advisory from cybersecurity bodies around the world.
2024-07-09 14:04:49 theregister MISCELLANEOUS Expired TLS Certificate Disrupts UK Electricity Data Access
Elexon, a key player in the UK's wholesale electricity market, faced a service disruption due to an expired TLS certificate on their Insight Solution platform. The expired certificate halted access to vital operational data used for analyzing the balance of fuel types and electricity demand and reserves in the UK. The oversight led to a temporary outage of the platform, which provides both current and historical data crucial for market participants' trading decisions. The issue was discovered by a user when attempting to connect to the data.elexon.co.uk service, which showed that the certificate expired on July 9, despite being valid the day before. Expired certificates can compromise the security of a connection, potentially allowing data to be altered or stolen. After being contacted, Elexon reportedly renewed the certificate during the lunch period, resolving the issue within half a day. The incident highlights the common problem of organizations failing to track and renew digital certificates promptly, which can cause significant operational interruptions.
2024-07-09 14:04:48 bleepingcomputer DATA BREACH Evolve Bank Data Breach Affects 7.6 Million Following Ransomware Attack
Evolve Bank & Trust notified 7.6 million Americans of a data breach following a LockBit ransomware attack. The breach was initially misattributed to an attack on the U.S. Federal Reserve, but was later confirmed to involve Evolve's data. The breach began after an employee clicked on a malicious link, giving the attackers access to download files and data. Affected partners include fintech companies such as Affirm, Wise, and Bilt, which have reported impacts on their customers. The breach was discovered after nearly four months of undetected network access by the attackers, from February to May. Evolve is offering two years of credit monitoring and identity protection for U.S. victims, and dark web monitoring for international victims. The type of data exposed has not been specified; affected individuals are urged to monitor their account and credit activity closely. No impact has been reported so far by other Evolve partners such as Shopify, Plaid, Stripe, and Mercury.
2024-07-09 13:54:23 theregister DATA BREACH Evolve Bank & Trust Reports Major Data Breach Affecting 7.6 Million
Evolve Bank & Trust announced a significant data breach, with personal data of over 7.6 million customers stolen by the LockBit ransomware group. The breach was detected in May 2024 after abnormal system behavior, initially mistaken for a hardware issue, was identified as unauthorized activity. Affected data includes names, addresses, Social Security numbers, and banking details from customers and staff. Evolve has conducted an investigation with cybersecurity experts and has notified law enforcement; ongoing investigations suggest further notifications may be forthcoming. Customers affected by the breach are offered 24 months of credit monitoring, with enrollment instructions pending. The cyber incident occurred amidst criticism from the US Federal Reserve for "unsafe and unsound banking practices" and inadequate risk management at Evolve. Evolve and its partners, including international firms Wise and Affirm, continue to assess and mitigate the breach's impact, although the full extent is not yet disclosed.
2024-07-09 12:42:39 thehackernews CYBERCRIME Critical "BlastRADIUS" Vulnerability Exposed in Authentication Protocol
A severe vulnerability named BlastRADIUS has been identified in the RADIUS authentication protocol, exposing it to man-in-the-middle (MitM) attacks. Researchers report that the exploit could allow attackers to bypass integrity checks and alter authentication and authorization data for network access. The attack exploits weaknesses in the MD5 hash function used by RADIUS, making chosen-prefix collision attacks possible to modify packets. Although the use of TLS and proper message authentication can mitigate the risk, RADIUS traffic sent over the internet remains highly susceptible. The vulnerability affects all standards-compliant RADIUS clients and servers, necessitating immediate updates by ISPs and affected organizations. Particularly vulnerable are authentication methods such as PAP, CHAP, and MS-CHAPv2, with MAC address authentication and administrative logins also at risk. Organizations transmitting RADIUS/UDP over the internet face the highest threat from this vulnerability, which carries a severe CVSS score of 9.0. There is currently no evidence of the vulnerability being actively exploited, but the potential for future attacks remains a significant concern.
2024-07-09 11:51:28 thehackernews CYBERCRIME Hackers Misuse Jenkins Console for Cryptocurrency Mining
Researchers discovered attackers exploiting misconfigured Jenkins Script Consoles for cryptocurrency mining. Jenkins, a CI/CD platform, allows execution of arbitrary scripts through the console, which can lead to remote code execution when access is misconfigured. The Jenkins documentation warns that such configurations can grant administrator-like access, exposing sensitive information and control. Attackers used a misconfigured Jenkins Groovy plugin to execute a script that deployed a cryptocurrency miner, improving the miner's efficiency by killing other resource-intensive processes. Trend Micro highlights the necessity of proper authentication settings, configuration audits, and restricting public internet exposure of Jenkins servers. Cryptocurrency theft via such exploits surged in the first half of 2024, with major incidents accounting for 70% of the stolen amounts. Key causes include private key compromises and smart contract exploits, alongside these misconfiguration issues.
2024-07-09 11:05:17 thehackernews CYBERCRIME Exploring Cybercrime Dynamics: From Dark Web to HUMINT Engagement
The internet is categorized into the Clear Web, Deep Web, and Dark Web, with increasing levels of anonymity and security in lower layers. Criminals increasingly use the Tor network for its strong anonymity, which complicates tracking by law enforcement. Dark Web forums are commercial ecosystems where criminals trade services and goods, including malware and stolen data. Various stages of malware attacks culminate in ransomware deployment and data extortion, often sold in Dark Web auctions. Human Intelligence (HUMINT) is vital for understanding and engaging with cybercriminal communities to prevent cybercrimes. Automated tools, combined with HUMINT, create a robust defense against the sophisticated economic ecosystem of the Dark Web. Law enforcement agents actively engage with online criminal forums to gather actionable, reliable, and timely intelligence. Examples include undercover operations where officers mimic cybercriminals to gather essential data on ongoing cyber threats.
2024-07-09 10:59:57 theregister MALWARE Houthi Rebels Develop GuardZoo Spyware, Mirroring Pegasus Capabilities
Houthi rebels have created a surveillance malware called GuardZoo, which operates similarly to the notorious Pegasus spyware but is considerably less sophisticated. Despite its basic design and reliance on social engineering for distribution, GuardZoo can extract sensitive data such as photos, documents, and device configuration details. GuardZoo has been identified primarily on devices within Yemen and surrounding regions, and appears to target military personnel in particular, judging from its extraction of geolocation data including KMZ, WPT, and TRK files. It employs a specific command and control (C2) backend and can stealthily update itself using .dex files, indicating a degree of technical adaptation by its creators. Lookout's research notes that while GuardZoo is not as advanced as state-sponsored tools like Pegasus, it reflects a growing trend of lesser-known yet effective surveillance tools used by non-state actors. The malware has shown limited activity outside the Middle East, suggesting focused regional use rather than global ambitions. Experts advise maintaining vigilance with patches and security practices given the increasing prevalence and effectiveness of similar surveillance malware worldwide.
2024-07-09 10:08:43 thehackernews MALWARE GuardZoo Malware Campaign Affects Hundreds of Middle Eastern Military Personnel
Over 450 Middle Eastern military personnel have been targeted by the GuardZoo malware, a surveillance tool designed to collect data from Android devices. The GuardZoo campaign is linked to a Houthi-aligned threat actor and uses Android remote access trojan features originally found in the Dendroid RAT. The majority of infections have occurred in Yemen, although military personnel from Egypt, Oman, Qatar, Saudi Arabia, Turkey, and the U.A.E. are also affected. The malware, initially available in 2014 for $300, has evolved to include functionality such as recording audio, capturing photos, and executing HTTP flood attacks. GuardZoo is distributed via WhatsApp and direct browser downloads, using military- and religious-themed applications as lures. The updated malware supports over 60 commands, enabling operations such as file upload, dynamic C2 address changes, and self-update or self-deletion on compromised devices. Since its inception in October 2019, GuardZoo has consistently used dynamic DNS for C2 operations linked to IP addresses registered to YemenNet.
2024-07-09 06:34:53 theregister MISCELLANEOUS Microsoft China Switches to Apple Devices Over Android Issues
Microsoft China has instructed employees to stop using Android devices due to login and authentication challenges. The company will instead provide Apple devices to its staff, relying on iOS's ability to host the necessary authentication apps. The unavailability of Google Mobile Services in China is cited as a key reason Android cannot be used effectively in Microsoft's operations. Microsoft avoids using local Android app stores or sideloading apps, possibly due to security concerns. The decision reflects a broader reluctance by Microsoft to engage deeply with China's mobile ecosystem and local app market. This strategic shift comes amid wider tensions, including accusations that China gained unauthorized access to U.S. officials' emails. Microsoft's move away from Android in China may have larger geopolitical and tech industry ramifications.
2024-07-09 06:04:09 theregister CYBERCRIME Scammers Target Victims with Fake Recovery Aid Schemes
The Australian Competition and Consumer Commission (ACCC) has issued a warning about scammers targeting previous scam victims with fraudulent recovery offers. Scammers exploit databases containing details of previous scam victims, using this information to pose as trusted entities like government agencies or legal firms. Victims are approached with offers to recover their lost funds for an upfront fee, a percentage of the recovered amount, or a purported tax. Personal information and remote access to devices are often requested under the guise of verifying identity or setting up digital wallets for cryptocurrency recovery. People over the age of 65 are particularly vulnerable to these scams, with reported losses totaling AU$2.9 million, not including unreported incidents. Tactics include fake testimonials, social media advertisements, and the creation of authentic-looking websites to lure victims. The ACCC emphasizes the difficulty of recovering money as scammers typically move funds offshore quickly. A mandatory code for banks and telecoms is under development in Australia to detect, prevent, and possibly compensate for such scams.
2024-07-09 05:58:46 thehackernews NATION STATE ACTIVITY Global Cybersecurity Alert on China's APT40 Exploitation Tactics
A multinational cybersecurity advisory warns about the China-linked espionage group, APT40, which rapidly exploits vulnerabilities in widely used software. APT40, active since at least 2013, has a history of cyber-attacks primarily in the Asia-Pacific, and is assessed to be part of China's Ministry of State Security. The group adapts quickly to exploit newly disclosed security flaws, including major vulnerabilities in Log4j, Atlassian Confluence, and Microsoft Exchange. Noteworthy techniques used by APT40 include using web shells for persistence, deploying outdated devices in their infrastructure to reroute traffic and avoid detection, and leveraging Australian websites for command and control operations. The group conducts in-depth reconnaissance on potential targets, operationalizing unpatched, end-of-life devices to exploit vulnerabilities swiftly. Mitigation recommendations include employing strong logging, enforcing multi-factor authentication, implementing a robust patch management strategy, and network segmentation to shield sensitive data against unauthorized access.
2024-07-09 04:52:23 thehackernews MALWARE Trojanized jQuery Libraries Compromise Multiple High-Profile Repositories
Unknown threat actors have carried out a supply chain attack by distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr. Phylum's analysis highlights the sophisticated nature of the attack, in which malware was hidden in the rarely used 'end' function of jQuery. A total of 68 malicious packages, named to resemble legitimate ones, were published to the npm registry between May 26 and June 23, 2024. The attackers appear to have assembled and published these packages manually, as indicated by the varied naming conventions and irregular publishing times. Phylum found that the compromised 'end' function is designed to steal data entered into website forms and send it to an attacker-controlled remote URL. The trojanized jQuery was also found in a GitHub repository under the user "indexsc," which hosts additional JavaScript files that use the malicious library. Attackers are thought to have exploited jsDelivr's automatic construction of CDN URLs from GitHub repositories to lend the malware greater legitimacy and ease its passage through security controls. This event coincides with similar malicious activity detected on the Python Package Index (PyPI), involving packages that download malware based on the system's CPU architecture.