Daily Brief

Find articles below; each entry is followed by a generated summary.

Total articles found: 11833

Checks for new stories every ~15 minutes

2024-07-03 14:47:52 bleepingcomputer CYBERCRIME Europol Dismantles 593 Cobalt Strike Servers in Global Operation
Europol's Operation Morpheus led to the takedown of 593 Cobalt Strike servers during a coordinated effort from June 24 to June 28. The operation targeted outdated, unlicensed versions of Cobalt Strike, a tool initially intended for legitimate cybersecurity testing but repurposed by criminal groups. A total of 690 IP addresses related to criminal activities were identified across 27 countries, significantly disrupting cybercriminal infrastructure. The collaborative action involved law enforcement from multiple countries, including the UK, USA, Australia, Canada, Germany, Poland, and the Netherlands, along with support from private industry experts such as BAE Systems Digital Intelligence and The Shadowserver Foundation. The crackdown was part of a broader, three-year-long investigation that yielded over 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise. Europol's European Cybercrime Centre (EC3) facilitated over 40 coordination meetings and established a virtual command post to synchronize the international law enforcement efforts. Cobalt Strike is widely used in ransomware attacks and cyberespionage, with various hacking groups and state-backed actors exploiting cracked versions of the software.
2024-07-03 11:03:17 thehackernews MISCELLANEOUS AI-Driven Breakthroughs Transform Open-Source Intelligence Gathering
The Office of the Director of National Intelligence (ODNI) has promoted open-source intelligence (OSINT) as the "INT of first resort," recognizing its rising importance. Open-source intelligence entails collecting and analyzing data from publicly accessible sources like the media, social platforms, and government reports, excluding covert methods. Traditional OSINT techniques are becoming insufficient due to the vast amount of digital data being generated, creating challenges in processing and analysis. Artificial Intelligence (AI) and Machine Learning (ML) technologies are significantly enhancing the efficiency of OSINT by automating data collection and analysis processes. Implementing AI in OSINT allows analysts to focus on higher-level tasks, thereby improving productivity and job satisfaction. SANS Network Security provides practical courses on OSINT utilizing AI, illustrating both the enhanced capabilities and practical application of this technology in intelligence gathering. The article underscores the dynamic and evolving nature of OSINT, highlighting ongoing advancements and educational opportunities within the field.
2024-07-03 10:02:01 bleepingcomputer MISCELLANEOUS Proton Introduces Secure Google Docs Alternative with Privacy Focus
Proton, a Swiss-based company known for its robust privacy services, has rolled out 'Docs in Proton Drive', a free open-source document editing tool. The new tool offers end-to-end encryption, aiming to provide a secure alternative to mainstream platforms like Google Docs. The launch aligns with Proton's transition to non-profit status, emphasizing its commitment to privacy over profitability. The development of Proton Docs was expedited by the recent acquisition of the encrypted notes app 'Standard Notes'. Major features of Proton Docs include integration within the Proton ecosystem and secure collaboration, which requires collaborators to have a Proton account. Proton's approach addresses growing concerns about privacy violations and data mishandling by larger tech corporations. According to Anant Vijay Singh, Product Lead for Proton Drive, Proton Docs simplifies secure and private document collaboration without burdening users.
2024-07-03 09:56:40 thehackernews MALWARE Exploitation of Microsoft MSHTML Flaw Delivers MerkSpy Spyware
An unknown group has exploited the CVE-2021-40444 flaw in Microsoft MSHTML to distribute MerkSpy spyware, targeting entities in Canada, India, Poland, and the U.S. The attack begins with a compromised Microsoft Word document, seemingly a job description, which triggers the exploit and subsequent malicious activities without user interaction. The spyware, termed MerkSpy, is designed to stealthily monitor user activities, collect sensitive data, and ensure its persistence on infected systems. A sequence involving the download of a malicious HTML file ("olerender.html") leads to the execution of a shellcode that facilitates the downloading and activation of further payloads from a remote server. The shellcode downloads a deceptively named "GoogleUpdate" file which injects MerkSpy into system memory, evading detection and establishing system persistence via Windows Registry modifications. MerkSpy's capabilities include capturing screenshots, keystrokes, and login credentials, particularly from Google Chrome and the MetaMask browser extension, sending collected data to an external server. This incident highlights severe threats posed by exploiting a previously known and patched security vulnerability in widely used software.
2024-07-03 07:08:20 thehackernews MALWARE FakeBat Loader Malware Expands Global Presence Through Advanced Tactics
The FakeBat loader malware, also known as EugenLoader and PaykLoader, is extensively distributed through drive-by download attacks facilitated by deceptive techniques like SEO poisoning and malvertising. A Russian-speaking threat actor offers FakeBat as a Loader-as-a-Service (LaaS) on underground forums, and it has seen significant adoption due to its ability to mimic legitimate software installers. Recent updates to FakeBat include switching to the MSIX packaging format and adding digital signatures to bypass Microsoft SmartScreen, enhancing its evasion capabilities. Pricing for FakeBat varies depending on the service package, costing up to $5,000 per month for advanced options that combine MSI and signature packages. Sekoia's analysis identified that the FakeBat campaign uses social engineering, fake software updates, and malicious advertisements to distribute the malware effectively. Command-and-control servers for FakeBat likely use sophisticated filtering based on user-agent data, IP, and location to target specific victims. The loader is primarily used to download and execute secondary payloads such as IcedID, Lumma, and RedLine, signifying its role in broader cybercrime campaigns. Other similar malware campaigns include DBatLoader and Hijack Loader, which also leverage deceptive tactics to deliver various payloads, emphasizing a trend toward greater complexity and sophistication in malware distribution strategies.
2024-07-03 04:00:05 thehackernews NATION STATE ACTIVITY Sophisticated Cyberattacks Target Israeli Entities Using Open-Source Malware
A highly targeted cyberattack campaign was discovered against various Israeli entities using the Donut and Sliver frameworks. Attackers leveraged custom WordPress sites for payload delivery, affecting a diverse range of unrelated sectors. The initial attack stage involves a rudimentary downloader written in Nim, which fetches further malicious payloads from a specially crafted virtual hard disk (VHD) file. The second-stage payload deploys Sliver, an alternative to Cobalt Strike, using Donut, a shellcode generation tool. The campaign may have simulated a penetration test, raising concerns about transparency and the impersonation of official Israeli bodies. Additional threats include multi-stage trojans distributed through corrupted Excel files, utilizing Dropbox and Google Docs for payload updates. These incidents highlight ongoing risks and the advanced nature of cyber threats facing governmental and other critical entities.
2024-07-03 03:34:18 thehackernews MALWARE South Korean ERP Vendor Compromised to Deliver Xctdoor Malware
An unnamed South Korean ERP vendor's update server was hacked and used to distribute the Go-based backdoor Xctdoor. AhnLab Security Intelligence Center discovered the breach in May 2024, noting tactics similar to those of North Korea's Lazarus Group. The malware, found in a tampered executable, harvests keystrokes, screenshots, and clipboard data. Xctdoor communicates with its C2 servers over HTTP, encrypting traffic using the Mersenne Twister and Base64 algorithms. The attack also involved XcLoader, which injects Xctdoor into legitimate processes to evade detection. Related malware activity linked to North Korean groups was observed, including the HappyDoor backdoor, in use since July 2021. The findings highlight ongoing cyber espionage efforts targeting South Korean entities, with email phishing as a common attack vector.
2024-07-02 18:09:31 bleepingcomputer MISCELLANEOUS Google Announces $250K Bounty for KVM Hypervisor Zero-Days
Google has introduced kvmCTF, a new vulnerability reward program focused on improving the security of the Kernel-based Virtual Machine (KVM) hypervisor, with rewards of up to $250,000 for uncovering zero-day vulnerabilities. The initiative, first announced in October 2023, is designed to develop robust security safeguards, particularly for the systems powering Android and Google Cloud, where KVM plays a critical role. The focus of kvmCTF is on VM-reachable bugs that enable successful guest-to-host attacks; vulnerabilities in QEMU or host-to-KVM attacks will not qualify for rewards. Participants in kvmCTF will operate within a controlled environment on Google's Bare Metal Solution (BMS), which is set up to facilitate and secure the testing process. Unlike other programs, kvmCTF specifically targets zero-day vulnerabilities, offering high rewards for newly discovered and previously unreported vulnerabilities rather than known issues. Successful exploits leading to guest-to-host breaches will be rewarded based on severity, with a structured reward tier system determining the potential bounty amounts. Submitted zero-day flaws will be shared with the open-source community only after the relevant patches have been released, ensuring responsible vulnerability disclosure and enhancing overall community security.
2024-07-02 17:48:58 bleepingcomputer RANSOMWARE Patelco Credit Union Systems Down After Ransomware Attack
Patelco Credit Union experienced a ransomware attack on June 29, 2024, leading to the shutdown of its banking systems. The attack prompted the proactive closure of multiple customer-facing services to mitigate the incident's effects. Despite the operational impact, ATM withdrawals remain available for Patelco members. Patelco has enlisted the help of third-party cybersecurity specialists to help manage the crisis and facilitate system recovery. No current timeframe exists for when services will be fully restored, and customers are advised to expect delays in support. There has been no claim of responsibility from any ransomware groups yet, and the identity of the attackers remains unknown. The credit union has not confirmed if there was any data breach or customer information leakage following the attack. Customers are urged to monitor their accounts closely and be wary of unsolicited requests for personal information.
2024-07-02 16:01:44 bleepingcomputer DATA BREACH Affirm Cardholders Exposed in Evolve Bank Cybersecurity Breach
Affirm, a fintech firm offering alternative credit options, reports a data breach at Evolve Bank & Trust affecting its cardholders. Evolve Bank, providing services like payment processing and banking-as-a-service, confirmed a cybersecurity incident linked to a known criminal group. The breach resulted in unauthorized access to sensitive data including SSNs, bank account numbers, and contact details. Evolve responded by resetting passwords, reconstructing identity management components, and implementing network hardening measures. Other fintech firms such as Wise and Bilt, partners of Evolve, also reported potential exposure of their customer data. Wise and Bilt advised customers to remain vigilant for phishing attempts while maintaining that their platforms were secure. An ongoing investigation aims to define the full scope and impact of the breach, with further updates expected.
2024-07-02 13:18:27 theregister DATA BREACH Evolve Bank & Trust Ransomware Attack Impacts Fintech Partners
Evolve Bank & Trust suffered a LockBit ransomware attack in late May, leading to a significant data breach. The breach has affected several fintech companies including Wise and Affirm, which acknowledged the theft of customer data. Affirm, a buy-now-pay-later company, reported to the SEC that the personal data of Affirm Card holders might be compromised due to their partnership with Evolve. Affirm has initiated an independent investigation and ongoing remediation efforts, stating its other operations remain unaffected. Wise, having ended its partnership with Evolve in 2023, revealed that personal information of some users may have been involved, committing to direct notifications to affected customers. Evolve communicated to partners that the cybersecurity incident has been contained, though the full impact and scope of data accessed are still under assessment. The incident coincided with scrutiny from the US Federal Reserve Board and the Arkansas State Bank Department over deficiencies in Evolve’s risk management and compliance practices.
2024-07-02 12:56:03 theregister MALWARE Critical OpenSSH Vulnerability Threatens Linux System Security
Researchers at Qualys identified a regression vulnerability, CVE-2024-6387, in OpenSSH that affects approximately 700,000 internet-facing Linux systems and is capable of granting root-level access to attackers. The vulnerability emerged as a regression of a previously patched issue and affects systems running glibc with OpenSSH versions prior to 9.8. The flaw, named regreSSHion, potentially allows unauthenticated remote code execution by exploiting a race condition in the sshd server's signal-handling mechanism. Exploiting this bug is challenging and time-consuming, requiring several hours and multiple attempts to overcome protections like Address Space Layout Randomization (ASLR). OpenSSH versions from 8.5p1 up to but not including 9.8p1 are vulnerable unless patched for both CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not affected due to a security modification implemented back in 2001 that uses a safer version of the syslog() call. Organizations are urged to upgrade to the latest OpenSSH version and to implement network-based controls and system monitoring to mitigate the risk of exploitation. Despite the severity of this vulnerability, the OpenSSH project was praised for its overall robust security practices and preventative design measures.
2024-07-02 12:56:03 theregister MALWARE South Korean ERP Vendor's Update System Hacked to Spread Malware
A South Korean ERP vendor's update server was compromised to distribute malicious software. Security firm AhnLab identified the tactics as similar to those used by the North Korea-linked Andariel group, known for its malware deployment methods. The malware, named Xctdoor, was installed via modified update files and can steal system information and execute remote commands. Xctdoor is a backdoor capable of transmitting user and computer identifiers to a command-and-control server and performing actions such as screenshot capture, keylogging, and clipboard logging. This recent cyberattack primarily targeted the defense sector but follows recent attacks on manufacturing and other industries. ASEC emphasized the need for heightened vigilance regarding email attachments and downloaded executables, alongside improved monitoring and patching of vulnerabilities in asset management programs.
2024-07-02 12:56:03 theregister CYBERCRIME Major Vulnerabilities in CocoaPods Risk Apple Ecosystem Security
CocoaPods, an open-source dependency manager used in over three million iOS and macOS applications, exposed thousands of packages because unclaimed Pods were left vulnerable for nearly a decade. Security firm EVA Information Security uncovered three significant vulnerabilities (CVE-2024-38368, CVE-2024-38366, CVE-2024-38367) affecting CocoaPods, potentially impacting millions of applications, including those from major tech companies. CVE-2024-38368 allowed unauthorized claiming and alteration of orphaned Pods without ownership verification, enabling the insertion of malicious code. CVE-2024-38366 enabled remote code execution due to a flaw in mail exchange validation, which allowed arbitrary commands to be executed through specially crafted email addresses. CVE-2024-38367 abused email scanning software to hijack session validation tokens automatically, facilitating unauthorized access without user interaction. These vulnerabilities, though patched, highlighted the serious implications of relying on open-source components and third-party dependencies in software development. EVA Information Security recommends thorough review and validation of dependencies, along with updating CocoaPods installations, to safeguard against potential supply chain attacks.
2024-07-02 12:56:03 thehackernews MISCELLANEOUS Meta Faces EU Scrutiny Over 'Pay or Consent' Subscription Model
The European Commission accuses Meta of breaching EU competition rules with its 'pay or consent' advertising model. Meta's model gives users a choice between allowing their personal data to be used for personalized ads or paying for an ad-free experience. This approach allegedly fails to provide a less personalized but equivalent service option for users who do not consent to data sharing. Meta introduced its ad-free subscription in response to stringent EU privacy regulations and a European Court ruling. Critics argue that Meta's model forces users into an unfair choice between privacy and payment, suggesting the cost is prohibitively high. Preliminary findings by the EU could lead to a fine of up to 10% of Meta's worldwide turnover, rising to 20% for systematic rule breaches. Meta insists its subscription model complies with the Digital Markets Act (DMA) and plans to engage in dialogue with the Commission. A Norwegian court recently fined the Grindr app for GDPR violations, highlighting ongoing privacy concerns in the EU.