Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-09-09 16:06:22 | theregister | DATA BREACH | Payment Processor Slim CD Discloses Year-Old Data Breach | Slim CD, a Florida-based payment services provider, detected a data breach almost a year after the event took place, affecting approximately 1.7 million individuals. The breach compromised sensitive data including credit card numbers, expiry dates, and possibly cardholder names and addresses. No misuse of the data has been reported by Slim CD, but the breach raises concerns about potential financial fraud. Upon discovering the breach, Slim CD undertook a thorough investigation, improved its security measures, and reported the incident to federal law enforcement and regulatory authorities. Emails were sent out starting September 6, 2024, to inform potentially affected customers about the breach. The company encouraged impacted individuals to remain vigilant by monitoring their accounts and ordering a free credit report. The exact cause and full details of the breach remain unclear as Slim CD continues to review what was accessed and possibly siphoned by the attackers during the period of undetected access. |
| 2024-09-09 15:15:05 | theregister | MISCELLANEOUS | Enhancing Enterprise Storage Resilience Against Cyber Threats | Infinidat will host a webinar on September 16th discussing advanced protection strategies for enterprise storage systems in response to sophisticated cyber threats like ransomware and malware. The webinar will explore methods to strengthen storage infrastructure against evolving cyber threats, emphasizing the importance of building robust and resilient systems. Key topics include reducing the threat window through strategies that limit the time available for attackers to cause damage. The role of immutable storage in safeguarding critical data from unauthorized alterations will be covered. Participants will learn about ensuring swift recovery from cyber attacks with clear service level agreements (SLAs), aimed at minimizing downtime and operational impact. The session aims to provide participants with essential knowledge on maintaining operational continuity and enhancing data protection in the age of frequent cyber disruptions. Registration is encouraged to gain insights into cutting-edge solutions for improving enterprise storage security against ransomware and malware threats. |
| 2024-09-09 14:39:19 | bleepingcomputer | DATA BREACH | Payment Processor Slim CD Reports Major Credit Card Data Breach | Payment processing provider Slim CD disclosed a data breach impacting approximately 1.7 million credit card owners. Unauthorized access to Slim CD's network was detected, lasting from August 17, 2023, to June 15, 2024. The breach was first identified due to suspicious activity observed on June 15, 2024. Hackers potentially accessed client names, card numbers, and expiration dates, although CVVs were not exposed. Despite the limited scope of the exposed data, there remains an increased risk of credit card fraud and identity theft. Slim CD has since implemented enhanced security measures to prevent future breaches. The company has advised affected users to monitor their accounts for fraudulent activity. No identity theft protection services were offered to the impacted individuals by Slim CD. |
| 2024-09-09 14:13:28 | bleepingcomputer | CYBERCRIME | Sextortion Emails Claim Spousal Infidelity to Extort Money | Scammers have launched a new sextortion scam variant targeting individuals with claims that their spouse is cheating, complete with links to alleged "proof." These fraudulent emails include personal details such as full names and surnames that are not widely known, raising concerns about how scammers obtained this private information. Victims have speculated that the data may have been sourced from wedding planning websites, with some specifically mentioning The Knot, though no data breach has been confirmed. Recipients of these emails are instructed to visit a website where they're asked to log in, leading to suspicions of malware distribution as part of the scam. Despite the alarming nature of the accusations in these emails, most recipients recognized them as scams and deleted them, though the experience was still distressing. Sextortion emails first rose to prominence in 2018, proved highly profitable for scammers, and have since evolved into various forms, including threats of violence and fabricated legal troubles. |
| 2024-09-09 14:13:28 | bleepingcomputer | CYBERCRIME | How Organizations Can Defend Against Brute Force Attacks | Brute force attacks relentlessly try various password combinations to breach systems, compensating for their lack of subtlety with persistence. Effective defense against these attacks depends significantly on the strength of the targeted passwords and the implemented security measures. A notable real-world example is a severe cybersecurity breach at Dell, where an attacker compromised the data of approximately 49 million customers through brute force techniques. Implementing robust password policies, such as requiring passwords with at least 15 characters including a variety of symbols and cases, is critical. Multi-factor authentication (MFA) proves highly effective, blocking 99.9% of automated attacks and adding a necessary layer of security. Regular security audits and monitoring of login attempts are essential practices for recognizing and responding to potential vulnerabilities. Educating end-users about strong password practices and the risks of poor password management is vital in fortifying security. Advanced tools like Specops Password Policy enhance protection by addressing complex aspects of password security and user authentication. |
| 2024-09-09 13:47:48 | theregister | NATION STATE ACTIVITY | Kremlin-Linked Cyber Group Strikes Russian NGOs in Phishing Campaign | The Free Russia Foundation is investigating a cyberattack linked to the Kremlin-associated group COLDRIVER, following a hack-and-leak incident involving stolen documents and emails. Citizen Lab uncovered two spearphishing campaigns targeting NGOs in Russia and Belarus, with strong indicators pointing to COLDRIVER's involvement in at least one of these campaigns. The phishing attacks utilized highly personalized emails seemingly from known contacts, containing links to credential-harvesting sites disguised as PDF unlock pages. Stolen credentials likely enabled access to sensitive information, potentially exposing NGO staff and activities, which could be exploited to falsely label these organizations as foreign agents. COLDRIVER has been known for targeting various entities since 2019, including NGOs, government bodies, and infrastructure, indicative of Russia's broader strategy to suppress dissent and democracy movements. Another lesser-known group, COLDWASTREL, also suspected to be pro-Russia, has been implicated in similar phishing attacks against NGOs, continuing a pattern of cyber threats from entities with a similar modus operandi. Google's Threat Analysis Group recently revealed that COLDRIVER had integrated a custom backdoor named SPICA in their attacks since 2022, hinting at an escalation in the sophistication of their cyber-espionage tools. |
| 2024-09-09 12:41:06 | thehackernews | MISCELLANEOUS | The Dangers of Overloading on Cybersecurity Tools | Organizations are excessively investing in cybersecurity tools, attempting to create a secure digital fortress. This strategy overlooks the essential issue of the attack surface and inadvertently introduces risks through third-party vendors. Cybersecurity tools have constraints, such as only addressing specific vulnerabilities and generating overwhelming alert volumes. The reliance on numerous, isolated tools contributes to complexity, leading to information silos that hinder effective threat management. The integration of each new tool potentially enlarges the attack surface by adding third-party risks and making systems more vulnerable. Noteworthy examples like the Sisense breach and the CrowdStrike outage highlight the severe consequences of third-party failures and security tool limitations. The ongoing shift towards unified cybersecurity platforms and identity management systems is driven by the need to simplify security operations and reduce complexity. There is a pressing need for organizations to find a balance between minimizing third-party risks and effectively managing their own cybersecurity defenses. |
| 2024-09-09 12:41:06 | bleepingcomputer | DATA BREACH | Avis Data Breach Affects Nearly 300,000 Customers Worldwide | Avis experienced a data breach affecting 299,006 customers, compromising names and sensitive personal information. Unauthorized access to a business application occurred from August 3 to August 6, until the intruder was detected and blocked. Avis notified impacted customers through formal letters and reported the breach to various authorities, including the Attorneys General of California and Maine. The company has engaged external cybersecurity experts for investigation and remediation, alongside improving security measures and monitoring across its systems. Avis has advised affected customers to remain vigilant for signs of identity theft or fraud and to monitor their account statements and credit history. Affected individuals are offered a one-year free subscription to Equifax's credit monitoring service. Despite multiple inquiries, Avis Budget Group has yet to release additional details regarding the nature of the stolen data and the specifics of the attack. |
| 2024-09-09 12:25:32 | thehackernews | NATION STATE ACTIVITY | Blind Eagle APT Targets Colombian Insurers with Quasar RAT | Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is focusing attacks on the Colombian insurance sector. The APT employs phishing emails, purportedly from the Colombian tax authority, to deploy a customized Quasar RAT named BlotchyQuasar. The phishing emails contain malicious links embedded in PDFs or the email body, directing victims to ZIP archives hosted on a Google Drive account accessed with compromised government credentials. These attacks leverage urgency by notifying victims of fictitious tax seizure orders, prompting immediate reaction. The BlotchyQuasar RAT is enhanced for evasion using obfuscation tools such as DeepSea and ConfuserEx, complicating analysis and reverse engineering. RAT functionalities include keystroke logging, shell command execution, data theft from browsers and FTP clients, and monitoring of banking interactions in Colombia and Ecuador. Blind Eagle uses Pastebin and Dynamic DNS services for command-and-control communications, protecting its infrastructure with VPNs and compromised routers. |
| 2024-09-09 12:20:12 | thehackernews | NATION STATE ACTIVITY | Chinese APT Group Exploits Visual Studio Code in Cyber Espionage | Mustang Panda, a China-linked APT group, has been using Visual Studio Code software to target Southeast Asian government entities. The technique involves using Visual Studio Code's reverse shell feature to execute arbitrary code and deliver malware, identified as a new approach in cyber espionage. Palo Alto Networks' Unit 42 reports that this activity continues efforts that targeted similar entities in late September 2023. Attackers use a portable or installed version of Visual Studio Code, executing it to initiate a tunnel that allows remote command execution and file management. The campaign was part of broader activities which used tactics like OpenSSH for command execution and network lateral movement. Additionally, evidence of ShadowPad malware usage was found, suggesting either collaboration between Chinese APT groups or layered attacks by different entities. The operations reflect Mustang Panda's consistent focus on cyber espionage against geopolitical interests in Europe and Asia, emphasizing targets in South China Sea countries. |
| 2024-09-09 11:29:07 | thehackernews | DATA BREACH | Preventing GenAI Data Leaks Without Sacrificing Productivity | GenAI tools are instrumental for productivity in various departments but pose significant data leak risks. One in three employees using GenAI tools inadvertently share sensitive data such as intellectual property (IP) and customer information. Traditional security approaches of either completely allowing or blocking GenAI tools have proven to be ineffective. The suggested strategy involves identifying and classifying sensitive data that should not be shared externally. Companies should implement restrictions based on the sensitivity of the data, ranging from warnings to complete blocks. Utilization of GenAI-specific Data Loss Prevention (DLP) tools can help monitor and control data sharing. The upcoming LayerX webinar will offer in-depth insights into managing GenAI data risks and maintaining compliance. Security professionals are encouraged to register for the webinar to learn how to balance security and productivity. |
| 2024-09-09 10:33:04 | thehackernews | MISCELLANEOUS | Wing Security Launches Free Continuous SaaS Risk Management Tool | Wing Security has introduced SaaS Pulse, a free tool for ongoing SaaS risk management. SaaS Pulse offers real-time security assessments, prioritized risks, and actionable insights without the need for complex setups or integrations. It aims to transform SaaS risk management into a continuous process rather than an occasional audit. The tool provides a real-time "health" score for security, along with an inventory of the organization's apps and contextual threat insights. SaaS Pulse is especially designed for dynamic environments where SaaS apps and permissions frequently change, posing new security challenges. The system directly integrates with core applications like Google Workspace and Microsoft 365, delivering a comprehensive security posture snapshot quickly. By continuously monitoring and updating the security status, SaaS Pulse helps prevent potential data breaches and leaks through automated, ongoing oversight. For organizations requiring deeper security analysis and advanced features, Wing Security offers an enterprise solution with enhanced capabilities. |
| 2024-09-09 09:31:47 | thehackernews | MALWARE | Progress Software Releases Patch for Critical LoadMaster Flaw | Progress Software has issued security updates for a significant vulnerability in LoadMaster and the LoadMaster Multi-Tenant (MT) hypervisor, rated CVSS 10.0. The flaw, identified as CVE-2024-7591, involves improper input validation allowing OS command injection by unauthenticated users. Attackers could execute arbitrary system commands remotely via the management interface by sending a specially crafted HTTP request. The company has mitigated this vulnerability by sanitizing user input to prevent arbitrary command execution. Florian Grunow, a security researcher, discovered and reported the vulnerability, emphasizing its severity. No current evidence suggests that the vulnerability has been exploited in the wild, according to Progress Software. Users are urged to download the latest patch immediately and follow recommended security hardening guidelines to protect their systems. |
| 2024-09-09 09:06:06 | theregister | MISCELLANEOUS | Upcoming Webinar to Decode NIS2, DORA, and Tiber-EU Cybersecurity Regulations | SANS announces a webinar to detail updates on NIS2, DORA, and Tiber-EU cybersecurity regulations. The webinar, scheduled for September 16, 2024, will feature Chris Dale, a principal instructor at SANS. These regulations require significant strategic modifications to IT security management in businesses. The session will cover integral aspects of NIS2, DORA, and Tiber-EU, offering strategic insights and best practices. Participants will learn how to enhance cyber resilience and address regulatory challenges effectively. The webinar aims to help cybersecurity professionals stay informed about critical changes and advancements in global IT security mandates. Exclusive survey results regarding organizational defense against cyber threats will also be shared. |
| 2024-09-09 08:55:41 | thehackernews | MALWARE | New SpyAgent Malware Targets Android Users with OCR Technology | A new malware campaign named SpyAgent targets Android users primarily in South Korea and the U.K., deceiving them with trojanized apps that imitate legitimate banking and government applications. The malware spreads via SMS containing links to download malicious APK files that fake the appearance of authentic apps. Once installed, SpyAgent requests extensive permissions to harvest a wide range of personal data from the devices, including contacts, SMS messages, photos, and other sensitive information. SpyAgent utilizes OCR (optical character recognition) technology to extract mnemonic keys from images stored on the device, which are critical for accessing cryptocurrency wallets. The extracted data, including stolen cryptocurrency wallet keys, is sent to a poorly secured command-and-control server, allowing unauthorized access to the stolen information and facilitating remote control of infected devices. Additionally, the malware has evolved to use WebSocket connections to communicate with its command server, enhancing its ability to evade traditional network monitoring tools designed to detect HTTP traffic. McAfee Labs discovered security flaws in the malware's command infrastructure and noted an iOS device listed in the malware's control panel, suggesting that iOS users may also be at risk alongside Android users. |