Daily Brief

Find articles below; see 'DETAILS' for generated summaries

Total articles found: 11833

Checks for new stories every ~15 minutes

Title Summary
2024-07-05 04:00:39 thehackernews DDOS New Zergeca Botnet Launches DDoS Attacks with Advanced Tactics
Zergeca, a new botnet written in Golang, is designed for DDoS attacks and features advanced network capabilities. The botnet utilizes multiple attack methods, including proxying, scanning, self-upgrading, and collecting sensitive device information. DNS-over-HTTPS is being used for C2 communication concealment, with enhanced techniques like modified UPX packing and XOR encryption for evasion. Researchers identified the C2 IP previously associated with the Mirai botnet, suggesting experienced actors behind Zergeca. Zergeca employs a modular structure with distinct functionality for persistence, proxying, security evasion, and device control exclusively on x86-64 CPU architecture. Since its discovery, Zergeca has targeted multiple countries including Canada, Germany, and the U.S., with significant DDoS attack impacts reported in mid-2023. Continuous development and feature integration are suggested by updates in command capabilities and botnet behavior.
2024-07-04 16:18:28 bleepingcomputer DATA BREACH Ethereum Email List Hacked, Phishing Attack Thwarted
Ethereum's mailing list provider was compromised, affecting over 35,000 email addresses. Victims received phishing emails linking to a fake site offering high returns on Ethereum staking. The phishing attack was designed to siphon funds from users' cryptocurrency wallets through a crypto drainer. Ethereum swiftly responded by investigating the breach, blocking further malicious emails, and issuing public alerts. Prominent Web3 wallet providers and Cloudflare blocked the fraudulent link after Ethereum's report. On-chain analysis indicated that no recipients of the phishing email succumbed to the scheme. Ethereum is taking preventive steps by shifting some email services to different providers to enhance security.
2024-07-04 12:34:17 bleepingcomputer MALWARE Hackers Exploit HFS Vulnerability to Deploy Malware and Mine Monero
Hackers are exploiting a critical vulnerability, CVE-2024-23692, in older versions of HTTP File Server (HFS) to install malware and Monero mining software. The affected versions are up to and including 2.3m, which is notably popular among individuals, small teams, and educational institutions. The CVE-2024-23692 vulnerability allows attackers to execute arbitrary commands remotely without authentication through specially crafted HTTP requests. Post-exploitation activities include collecting system information, installing backdoors, and adding new users to administrator groups to facilitate unauthorized access. ASEC has observed incidents where attackers deployed the XMRig mining tool to mine Monero in at least four distinct cases, with one attributed to the LemonDuck threat group. Other malicious payloads delivered during the attacks have been observed, highlighting the diversity and severity of the threat. Rejetto, the software developer, warns against using versions 2.3m to 2.4 and recommends upgrading to version 0.52.x, which includes enhanced security features like HTTPS support and dynamic DNS. AhnLab released indicators of compromise, including malware hashes and IP addresses for the attackers' command and control servers, to help organizations identify and mitigate threats.
2024-07-04 09:15:58 thehackernews CYBERCRIME Microsoft Identifies Critical Security Flaws in Automation Panels
Microsoft has discovered two significant security vulnerabilities in Rockwell Automation PanelView Plus that could allow hackers remote access without authentication. These vulnerabilities can enable attackers to execute arbitrary code or cause a denial-of-service (DoS) condition by abusing specific custom classes in the system. The first vulnerability, labeled CVE-2023-2071, affects FactoryTalk View Machine Edition and allows remote code execution and data leakage. The second, CVE-2023-29464, impacts FactoryTalk Linx and primarily facilitates conditions for a denial-of-service attack. Rockwell Automation issued advisories on these vulnerabilities on September 12 and October 12, 2023, while CISA followed with alerts shortly after each advisory. These disclosures coincide with reports of active exploitation of other critical vulnerabilities, such as CVE-2024-23692 in HTTP File Server, by attackers deploying cryptocurrency miners and trojans. These events underscore the importance of continuous vigilance and updating security protocols to protect against evolving cyber threats.
2024-07-04 08:34:53 theregister CYBERCRIME Europol's Operation Morpheus Targets Cobalt Strike Misuse Globally
Europol, with various international partners, successfully disrupted illegal Cobalt Strike operations by dismantling nearly 600 IP addresses. Operation Morpheus, initiated by Europol with significant contributions from the private sector, was aimed at combating cybercriminals exploiting cracked versions of Fortra's red-teaming tool, Cobalt Strike. The operation, led by the UK National Crime Agency, involved law enforcement from several countries including Australia, Canada, Germany, and the US, spanning from June 24 to 28. More than 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise were shared among partners using Europol's Malware Information Sharing Platform. Despite comprehensive efforts, data shows a significant presence of Cobalt Strike resources in China, indicating persistent challenges. The operation marks over two and a half years of international collaborative efforts in curbing the misuse of Cobalt Strike, which has facilitated ransomware and malware attacks globally. Law enforcement acknowledges Fortra's efforts in preventing misuse while highlighting the need for ongoing and intensified collaborative measures to combat such cyber threats effectively.
2024-07-04 07:03:02 thehackernews DATA BREACH Brazil Suspends Meta's AI Data Processing Over Privacy Issues
Brazil's ANPD has temporarily banned Meta from using personal data to train AI algorithms, citing privacy violations. The decision was influenced by Meta's updates to its terms, allowing AI training with public content from Facebook, Messenger, and Instagram. Human Rights Watch reported that the LAION-5B dataset used by Meta includes identifiable photos of Brazilian children, posing risk of exploitation. Brazil, a major market with over 102 million active users, sees Meta's actions as a breach of its General Personal Data Protection Law. Meta faces a potential fine of about $8,808 per day if it does not comply with the ANPD’s order within five working days. Meta argues that its policies comply with Brazilian laws and claims the ruling hinders AI innovation and competition. The company has faced similar regulatory challenges in the European Union concerning data usage for AI without explicit user consent.
2024-07-04 05:51:17 theregister RANSOMWARE Ransomware Group Apologizes and Releases Indonesian Data Key
Brain Cipher, a ransomware group, attacked Indonesia's Temporary National Data Center, disrupting national services. Initially demanding a ransom of 131 billion Rupiah ($8 million), the group later apologized and provided the decryption key without receiving the payment. The decryption key, a 54 kb ESXi file, was released freely with the effectiveness yet to be confirmed. In a statement, Brain Cipher claimed they acted as penetration testers, and released the key to highlight the need for better financing and recruitment in cybersecurity. Despite returning the decryption key, Brain Cipher hinted that other victims might not receive the same treatment and even requested public donations for their "service." The attack exposed significant vulnerabilities in the Indonesian cybersecurity infrastructure, leading to President Joko Widodo ordering an audit of government data centers. Public outcry intensified, resulting in a widespread demand for the resignation of the communications and informatics minister, evidenced by a petition with over 18,000 signatures.
2024-07-04 04:04:03 thehackernews CYBERCRIME Global Crackdown Closes 600 Servers in Cybercrime Sweep
A global law enforcement operation named MORPHEUS has successfully dismantled nearly 600 servers used for cybercrimes linked to the Cobalt Strike toolkit. The operation, orchestrated by the UK National Crime Agency and supported by multiple countries including the US, Germany, and Australia, targeted unlicensed versions of the advanced red teaming framework. Out of 690 flagged IP addresses, 590 have been deactivated, hindering their use in criminal activities, notably sophisticated ransomware and malware deployment. Cobalt Strike, a legitimate software developed by Fortra, has been misused by cybercriminals using cracked versions to carry out attacks with minimal technical expertise, resulting in significant financial losses. Additionally, recent police actions in Spain and Portugal resulted in the arrest of 54 individuals manipulating elderly citizens into providing sensitive information for financial fraud. The crackdown forms part of broader international efforts to combat various online crimes, including human trafficking and online financial scams, with significant asset seizures and arrests across different continents.
2024-07-04 03:43:32 thehackernews DATA BREACH Twilio's Authy App Compromise Leads to Phone Number Leak
Twilio disclosed an unauthorized access incident in its Authy app, revealing that attackers harvested millions of user phone numbers. This security breach centers on an unauthenticated endpoint within Authy that attackers used to extract specific account data. The incident follows a claim by an online entity, ShinyHunters, on BreachForums that they possess a database containing 33 million numbers from Authy. Twilio has since fortified the app's security, modifying the Authy endpoint to reject unauthenticated requests. Despite the breach, Twilio denied any evidence of penetration into its internal systems or theft of other sensitive data. Twilio recommends that all Authy users promptly update their apps to the latest versions for enhanced security. Users are also advised to be vigilant about potential phishing and smishing threats leveraging the exposed phone numbers. Twilio continues to emphasize the importance of ongoing monitoring and proactive security measures in response to the incident.
2024-07-03 19:34:48 bleepingcomputer DATA BREACH HealthEquity Partner Compromise Leads to Significant Data Breach
HealthEquity reported a data breach involving protected health information due to a compromised partner's account. The breach was detected after observing anomalous behavior from a partner's personal device, prompting an immediate investigation. Hackers gained unauthorized access via the compromised account, leading to exfiltration of sensitive information, including personally identifiable and protected health information. The affected data was transferred off the partner's systems, impacting an undisclosed number of HealthEquity's customers. HealthEquity, a leading provider of health savings accounts and other consumer-directed benefits, has begun notifying affected individuals and offering credit monitoring and identity restoration services. No malware was found in the company's systems, and there have been no interruptions to HealthEquity's operations. HealthEquity is assessing the financial impact of the incident but does not expect it to materially affect its business outcomes.
2024-07-03 18:08:06 bleepingcomputer DDOS OVHcloud Mitigates Record-Breaking DDoS Attack from MikroTik Botnet
OVHcloud, a major European cloud service provider, recently faced a massive DDoS attack reaching 840 million packets per second, setting a new global record. The attack was primarily executed via compromised MikroTik routers running outdated firmware, which left them exploitable for high packet-rate DDoS attacks. In particular, the attacks utilized MikroTik's RouterOS "Bandwidth Test" feature, magnifying their destructive impact by abusing a high-performance network function. OVHcloud's observations indicate a worrying trend of increasingly frequent attacks, with numerous incidents surpassing 1 Tbps, a scale that has become almost a daily occurrence in 2024. Investigations identified nearly 100,000 MikroTik devices exposed online with potential for exploitation, suggesting a vast attack surface for malicious actors. The most intense attacks, including the record-setting one, were conducted using advanced tactics that concentrated traffic through a small number of points of presence, complicating mitigation efforts. OVHcloud has notified MikroTik about the vulnerabilities, though no response had been received at the time of reporting. The continuing vulnerability of many MikroTik devices, despite warnings to update their systems, underscores the persistent risk and potential for future large-scale DDoS attacks.
2024-07-03 16:46:20 bleepingcomputer CYBERCRIME Millions of Authy MFA Phone Numbers Exposed Through API Abuse
Hackers exploited an insecure API endpoint at Twilio, affecting millions of Authy users. A threat actor known as ShinyHunters leaked a CSV file with 33 million phone numbers linked to Authy accounts. Leaked data included account IDs, phone numbers, account status, and device count without accessing more sensitive data directly. The breach exposes users to increased risks of SMS phishing (smishing) and SIM swapping attacks. Twilio has since secured the API and updated Authy’s security features to prevent further unauthorized access. Users are urged to update their Authy app to the latest version and remain vigilant against potential phishing attempts. Twilio advises users to configure additional security protections to safeguard against unauthorized number transfers.
2024-07-03 16:25:43 theregister CYBERCRIME High-Severity Security Flaws Found in Traeger Grills
Security consultant Nick Cerne from Bishop Fox identified critical vulnerabilities in Traeger grills with Wi-Fi capabilities. The vulnerabilities could allow remote attackers to manipulate grill temperatures or shut a grill down entirely, potentially ruining long cooking processes. The primary vulnerability, with a high severity score of 7.1, revolves around insufficient authorization controls that could be exploited by anyone who knows the grill's unique 48-bit identifier. Attackers could potentially obtain the identifier by capturing network traffic during app pairing or by physically accessing a QR code on the grill. Bishop Fox demonstrated the exploit by remotely shutting down a grill and drastically altering its temperature to burn food. A second, less critical vulnerability could expose details of all registered grills, though Traeger has since disabled this function. Traeger has already issued firmware updates to address these vulnerabilities, requiring no action from grill owners.
2024-07-03 15:54:33 bleepingcomputer CYBERCRIME Infostealer Malware Uncovers Network of Child Abuse Offenders
Recorded Future's Insikt Group used leaked malware logs to identify 3,324 individuals involved in downloading and distributing child sexual abuse material (CSAM). The group leveraged data from various malware-infected systems to link illicit CSAM site accounts to legitimate online platforms used by the suspects. The analyzed data included credentials, IP addresses, system information, and various other digital artifacts gathered via information-stealing malware. Techniques involved cross-referencing details obtained from the malware with those registered on known CSAM domains to pinpoint unique users. Information stealer logs facilitated the process, originating from command and control servers of malware like Redline, Raccoon, and Vidar. The comprehensive data collected from these malware operations was extensively used in law enforcement efforts, assisting in unmasking the identities of suspected offenders. Logs normally used for cybercrime provided an unusual but effective means of contributing to law enforcement objectives, ultimately leading to several arrests.
2024-07-03 15:54:33 bleepingcomputer DATA BREACH FIA Reports Data Breach Following Phishing Attack on Email
The Fédération Internationale de l'Automobile (FIA) experienced a data breach due to a phishing attack that compromised several email accounts. Personal data was accessed without authorization from two specific FIA email accounts. The FIA reported the breach to the Swiss and French data protection regulators and has taken measures to enhance security and prevent future incidents. The breach's extent, including the number of affected individuals and the specific data compromised, has not yet been disclosed. FIA has expressed regret over the incident and reassures its commitment to stringent data protection and security practices in response to evolving cyber threats.