Daily Brief


Total articles found: 11837

Checks for new stories every ~15 minutes

2024-07-08 22:04:41 bleepingcomputer DATA BREACH Zotac Accidentally Exposes Customer RMA Data on Google Search
Zotac inadvertently made customer return merchandise authorization (RMA) data accessible online due to a misconfiguration of their web folders. The exposed data included sensitive details such as customer names, addresses, contact information, and invoice specifics. The security mishap resulted from inadequate access permissions and the absence of a 'robots.txt' file to prevent search engine indexing. The issue was highlighted by a viewer of the GamersNexus YouTube tech channel, ultimately prompting an investigation into the data exposure. Zotac and GamersNexus have taken steps to notify affected partners and have started securing the exposed data, although some information may still be retrievable via Google Search. To mitigate further risk, Zotac disabled the document upload function on their RMA portal, requesting customers to instead email necessary documents. Customers who have used Zotac's RMA service should assume their personal information may have been exposed and take appropriate precautions.
2024-07-08 21:44:09 bleepingcomputer DATA BREACH Hackers Leak Thousands of Ticketmaster Print-at-Home Tickets
Hackers known as 'Sp1derHunters' released almost 39,000 print-at-home Ticketmaster tickets for upcoming concerts including major artists like Pearl Jam and Foo Fighters. The leaked data originated from a data theft at Snowflake, where Ticketmaster's data was compromised. The theft involved databases of 165 organizations due to stolen credentials facilitated by malware. Ticketmaster was extorted by hackers demanding up to $2 million to prevent further leaks; however, they asserted that their SafeTix technology nullifies the risk by frequently updating barcode information. Despite Ticketmaster's claims, Sp1derHunters pointed out that the barcodes for print-at-home tickets cannot be refreshed, thus challenging Ticketmaster's security measures. The leaked data includes detailed information needed to create valid tickets, raising concerns over potential fraudulent entry into events. The incident highlights ongoing vulnerabilities in digital ticketing processes and challenges in securing large databases, potentially affecting customer trust and corporate reputation. Response from Ticketmaster regarding future actions for the affected tickets remains unconfirmed.
2024-07-08 20:42:53 bleepingcomputer DATA BREACH Neiman Marcus Breach Exposes Over 31 Million Email Addresses
Neiman Marcus experienced a significant data breach in May 2024, with more than 31 million customer email addresses exposed. Data security expert Troy Hunt confirmed the authenticity of the exposed data, which includes names, contact information, transaction data, and sensitive financial and personal data. Initially, Neiman Marcus reported to the Maine Attorney General that only 64,472 individuals were affected, but further analysis revealed millions affected. The breach was part of the broader Snowflake data theft attacks, which targeted multiple companies due to weak multi-factor authentication. Data put up for sale included millions of gift card numbers and detailed transaction records, with the hackers initially demanding a ransom. A joint investigation by Snowflake, Mandiant, and CrowdStrike identified the financially motivated threat actor UNC5537, which exploited security weaknesses across multiple organizations.
2024-07-08 18:55:24 bleepingcomputer MALWARE Avast Unveils Free Decryptor for DoNex Ransomware Variants
Avast has identified a cryptographic vulnerability in the DoNex ransomware family, enabling the creation of a free file decryptor. This tool counters several variants of DoNex, previously known as DarkRace and Muse, which earlier masqueraded under the LockBit 3.0 name. The decryptor has been discreetly provided to affected entities in collaboration with law enforcement since March 2024 to avoid alerting the cybercriminals. Following the public revelation of the cryptographic flaw at the Recon 2024 conference, Avast released the decryptor tool publicly. DoNex's recent activities primarily targeted the United States, Italy, and Belgium but maintained a global presence. The ransomware uses a ChaCha20 symmetric key to encrypt files; because of the crypto flaws, that key can be recovered and files restored without paying a ransom. Avast recommends that users run the 64-bit version of the decryptor with administrator rights; the tool needs a pair of files, one encrypted and its original, to function. Users are advised to back up encrypted files before decryption to prevent potential data loss.
2024-07-08 16:27:25 bleepingcomputer MALWARE Critical RCE Vulnerability in Ghostscript Exploited in Recent Attacks
A remote code execution (RCE) vulnerability in Ghostscript is actively being exploited, affecting many Linux-based systems. Ghostscript is integral to document conversion tools like ImageMagick, LibreOffice, and CUPS, and is pre-installed on numerous Linux distributions. Identified as CVE-2024-29510, the flaw bypasses the -dSAFER sandbox, allowing unauthorized command execution and file operations. Attackers exploit this vulnerability by disguising malicious EPS files as harmless JPG images to gain shell access to systems. Despite a patch being available since May, many systems remain vulnerable; updating to Ghostscript v10.03.1 or applying vendor-supplied patches is critical. The vulnerability's exploitation poses a significant risk to web applications and other services that incorporate document conversion features using Ghostscript. Security professionals can use a provided PostScript file to check whether a system is vulnerable to these specific attacks.
2024-07-08 15:46:29 thehackernews NATION STATE ACTIVITY New APT "CloudSorcerer" Targets Russian Govt via Cloud Services
CloudSorcerer, an APT group, primarily targets Russian government entities using cloud-based command-and-control. This newly identified cyber espionage campaign leverages services like Microsoft Graph, Yandex Cloud, and Dropbox for stealthy monitoring and data exfiltration. Kaspersky discovered these cyberattacks in May 2024, noting the innovative use of malware with features similar to, yet distinct from, the earlier known CloudWizard. The malware employs various evasion tactics, adjusting its behavior dynamically based on its host process to avoid detection. Initial intrusion techniques remain unclear, but post-access activity includes a C-based executable used for backdoor access, data collection, and further malicious operations. CloudSorcerer makes initial contact with C2 servers via GitHub, using it as a dead drop resolver before moving to more direct cloud service communications. The use of Windows pipes for inter-process communication points to a high level of technical sophistication in avoiding common cybersecurity defenses.
2024-07-08 15:15:28 bleepingcomputer NATION STATE ACTIVITY CloudSorcerer APT Utilizes Clouds to Target Russian Government
The group named CloudSorcerer executes cyberespionage against Russian government entities by exploiting public cloud services. Discovered by Kaspersky in May 2024, this advanced persistent threat (APT) employs custom malware leveraging legitimate cloud platforms for control and data storage. The unique malware uses different tactics depending on the host application, such as "mspaint.exe" or "msiexec.exe," to manage command and control (C2) communications or execute malicious activities. Initial contact by the malware is through a GitHub repository, which facilitates further C2 operations through various cloud services like Microsoft Graph, Yandex Cloud, or Dropbox. The malware ensures stealth and efficacy by using Windows pipes for inter-process communications, adapting to the specific environment of the infected machine. CloudSorcerer can conduct extensive reconnaissance on the infected system, gathering data like computer name, username, and system details. Kaspersky emphasizes the sophistication of the attacks due to the malware's ability to dynamically adapt and obfuscate data transmission. Detection signatures and methods (IoCs and Yara rules) have been made available by Kaspersky for identifying and mitigating CloudSorcerer threats.
2024-07-08 15:10:02 thehackernews MALWARE Malware Exposes Users of Dark Web Child Abuse Sites
Recorded Future's analysis revealed 3,300 users linked to child sexual abuse material (CSAM) sites through malware logs published on the dark web. Approximately 4.2% of these users had credentials for multiple CSAM sources, highlighting extensive criminal behavior. Malware variants such as Kematian Stealer, Neptune Stealer, and others increasingly target sensitive information like credentials and payment data, often ending up for sale on the dark web. The malware distribution channels include phishing, spam, cracked software, fake updates, SEO poisoning, and malvertising. The investigation utilized stolen credentials to identify and unmask individuals accessing known CSAM domains, leading to the identification of three major offenders. Recorded Future noted significant user counts from countries like Brazil, India, and the U.S., attributing high figures possibly to dataset sourcing biases. Insights from malware logs are shared with law enforcement to aid in tracking and investigating dark web child exploitation networks.
2024-07-08 14:13:31 theregister MISCELLANEOUS Microsoft Neglects SwiftKey's Support Site Certificate Renewal
Microsoft SwiftKey's support site certificate expired on June 10, leading to security warnings for users. SwiftKey, a predictive keyboard app bought by Microsoft in 2016, still has a significant user base despite competing improvements by Apple and Google. The certificate expiry resulted in browser warnings about the site's security that deterred users from accessing the support site. The recent attempt to rebrand SwiftKey with "Copilot" features in February highlights ongoing development, despite this oversight. Microsoft's history of certificate management issues is noted, with similar problems occurring recently with Microsoft 365. Microsoft did not include a fix for the expired certificate in the most recent update on June 14, which focused only on general improvements. The lapse in certificate renewal has raised questions regarding Microsoft's commitment to maintaining support infrastructure for its products.
2024-07-08 13:57:59 bleepingcomputer DATA BREACH Roblox Developer Conference Attendee Data Compromised in Vendor Breach
Roblox reported a data breach affecting attendees of its Developer Conferences spanning 2022 to 2024. The breach originated at FNTech, a third-party vendor responsible for conference registration, where unauthorized access to data was gained. Exposed data includes full names, email addresses, and IP addresses of conference participants. The Have I Been Pwned database has verified and added 10,386 affected email addresses, 63% of which were not previously compromised. Prior Roblox-related data leaks in 2023 involved nearly 4,000 developer accounts from a 2021 incident, underscoring ongoing security challenges. The exposure does not pose immediate threats but increases the potential for targeted phishing attacks against developers. Roblox assures enhancements in its security protocols to prevent such occurrences in the future.
2024-07-08 13:16:56 thehackernews MALWARE 'Eldorado' Ransomware-as-a-Service Emerges on Windows and Linux Systems
A new Ransomware-as-a-Service (RaaS), Eldorado, targets both Windows and Linux platforms, offering double-extortion capabilities. Launched through an advertisement on the RAMP ransomware forum on March 16, 2024, Eldorado has already impacted 16 entities across the U.S., Italy, and Croatia, hitting diverse industry sectors such as healthcare, real estate, and manufacturing. Developed in Golang for cross-platform operation, Eldorado uses ChaCha20 and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for encryption. The ransomware can encrypt files on network shares through the Server Message Block (SMB) protocol and attempts to evade detection by cleaning its tracks post-encryption. Research from Group-IB highlighted that Eldorado does not share code with previously leaked ransomware strains, indicating a newly developed malware. The report also noted increased global ransomware attacks, with significant incidents in May 2024 involving other ransomware groups such as LockBit, Play, and Medusa. Law enforcement and cybersecurity firms continue to develop strategies and tools against these threats, with decryption tools being silently provided to victims in some cases.
2024-07-08 12:46:11 theregister MALWARE Avast Provides Stealthy Decryption Aid to DoNex Ransomware Victims
Avast has covertly supplied decryptors to DoNex ransomware victims since March after identifying flaws in the group's encryption method. The cybersecurity company made the decryptor publicly available after confirming that DoNex is no longer a significant threat, following the shutdown of its dark web operations in April. The announcement was formally made at Canada's Recon conference, highlighting Avast's findings and the availability of the free decryption tool. Avast was criticized for not disclosing specific details about the cryptographic flaw exploited in DoNex's ransomware, limiting the technical insights shared. DoNex ransomware has undergone several rebrands since its inception in April 2022, with the most recent being in March 2023, indicating its short lifespan and low development effort. Avast's decryptor is designed for user-friendly operation, requiring administrative privileges, with a 64-bit system recommended for efficiency. DoNex targeted various countries, including Italy, the US, Belgium, the Netherlands, and, unusually, Russia, with a ransom note similar to previous incarnations.
2024-07-08 11:04:22 thehackernews MISCELLANEOUS Strategic Communication: Bridging CISOs and Boards on Cybersecurity
CISOs face persistent challenges in presenting cybersecurity risks in terms understandable by company boards to secure necessary support and resources. Recent studies reveal a significant communication gap between CISOs and CEOs, with only 5% of CISOs reporting directly to the CEO, and about 37% of organizations believe they effectively use their CISO's expertise. Effective risk communication requires ditching technical jargon and framing cybersecurity discussions in financial and business terms. A CISO's strategic communication to the board should quantify potential financial losses from breaches and highlight the ROI on security investments. Building a culture of cybersecurity awareness across all departments, including IT, HR, and Legal, strengthens a company’s overall security posture. Prioritizing significant threats and aligning them with business objectives helps CISOs focus resources effectively and optimize their organization’s security strategy. Encouraging board-level engagement through dedicated cybersecurity committees and direct reporting structures can enhance understanding and decision-making about cybersecurity initiatives.
2024-07-08 09:58:03 thehackernews MALWARE Mekotio Trojan Continues To Target Banks in Latin America
Trend Micro reports a significant increase in cyber attacks by the Mekotio banking trojan, predominantly affecting Latin America. First identified by ESET in 2020, Mekotio has targeted countries including Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials. Mekotio operates by leveraging tax-themed phishing emails to trick users into downloading malicious installers, which then deploy malware scripts to execute the trojan. The malware gathers system information, connects to a command-and-control server for further actions, and displays fake banking pop-ups to capture credentials. It can also perform keystroke logging, screenshot capturing, and clipboard data theft, and establish persistent access via scheduled tasks. The infected systems allow threat actors to perform fraudulent transactions and gain unauthorized access to bank accounts. Recent arrests in Spain disrupted the network responsible for spreading Mekotio, indicating some law enforcement success against related cybercrime activities.
2024-07-08 08:56:44 theregister MISCELLANEOUS Evolution and Challenges of Digital Identity Systems in Europe
The European Union is transitioning from eIDAS 1.0 to eIDAS 2.0 to streamline digital identities across member states, aiming to enhance cross-border transactions and digital services. eIDAS 2.0 introduces the EU digital identity wallet (EUDI wallet), allowing individuals and businesses to securely store and manage their electronic ID and credentials for use across the EU. Each EU member state must implement national digital identity schemes by the end of 2026, fostering wider acceptance and integration into both public and private sectors. Despite the push for a unified digital identity, Europe's digital identity landscape remains fragmented, influenced by varying national cultural, political, and technological factors. Countries like Finland and Denmark have established regulated digital identity systems, whereas countries like Germany and Spain show uneven adoption and integration across sectors. The EU Commission supports the development of the EUDI wallet through substantial funding and pilot programs involving key industry players like Signicat. Organizations in the EU must prepare to support multiple forms of electronic ID and develop comprehensive digital identity strategies to embrace future changes effectively.