Daily Brief


Total articles found: 12797

2024-09-09 05:31:44 thehackernews NATION STATE ACTIVITY Chinese-Speaking Group Suspected in Taiwan Drone Maker Hacks
A new cyber espionage group, dubbed TIDRONE, has been identified targeting Taiwanese drone manufacturers. The campaign, likely linked to Chinese-speaking threat actors, commenced in 2024 and appears focused on military applications. Analysis by Trend Micro reveals the use of custom malware such as CXCLNT and CLNTEND, deployed via remote desktop applications. The victim companies all use identical enterprise resource planning (ERP) software, suggesting a potential supply chain attack. TIDRONE's tactics involve privilege escalation using UAC bypass, credential dumping, and antivirus disabling to maintain stealth. The strategy includes sideloading rogue DLLs via Microsoft Word, enabling extensive data harvesting capabilities. The newly identified RAT, CLNTEND, supports multiple communication protocols, enhancing its stealth and functionality. Timing and operational details correlate TIDRONE closely with other Chinese espionage activities, although the exact group remains unidentified.
2024-09-09 04:35:30 thehackernews NATION STATE ACTIVITY U.S. Identifies Russian GRU Unit Behind Major Cyber Attacks
The U.S. government, along with international allies, has attributed significant cyber attacks to the Russian GRU's Cadet Blizzard group, active since 2020. Cadet Blizzard, responsible for deploying WhisperGate malware, primarily targets critical infrastructure sectors across multiple regions including NATO and EU countries. The group focuses on espionage, sabotage, and causing reputational damage, with recent activities aimed at disrupting aid to Ukraine. A coordinated international advisory, Operation Toy Soldier, involved multiple countries and highlighted ongoing global threats from this unit. The U.S. Department of Justice indicted five Russian officers from Unit 29155 for their involvement in these cyber operations, offering a $10 million reward for information leading to their arrest or capture. Attack techniques include exploiting vulnerabilities in widely used server technologies and software, data exfiltration, and the use of malware such as Raspberry Robin for initial access. Organizations are urged to update systems regularly, use network segmentation, and enforce strong multi-factor authentication to mitigate threats.
2024-09-09 02:02:57 theregister NATION STATE ACTIVITY Predator Spyware Resurges with Enhanced Evasion Capabilities
Insikt Group reports the reemergence of Predator spyware in new geographic regions despite US sanctions on its creator, Intellexa. Predator's upgrades increase its stealth, complicating tracking and mitigation efforts by cybersecurity professionals. The spyware enables extensive user surveillance capabilities, including location tracking and interception of communications. Insikt Group advises stringent cybersecurity practices to counter Predator, highlighting regular device updates and mobile device management systems. A separate report highlights a new arbitrary code execution vulnerability in Kingsoft WPS Office, urging users to update affected versions. A Fog ransomware variant shifts focus from the educational to the financial sector, utilizing sophisticated intrusion tactics. A security incident at Tewkesbury Borough Council prompts a shutdown of IT systems, with GCHQ assistance called in. Hijacking of PyPI packages poses a significant risk, with over 22,000 packages potentially vulnerable to "revival hijack" attacks.
2024-09-08 14:16:24 bleepingcomputer MALWARE Critical Remote Command Execution Flaw Fixed in Progress LoadMaster
Progress Software has released an emergency patch for a critical vulnerability in LoadMaster products, rated 10/10 in severity. The vulnerability, identified as CVE-2024-7591, allows unauthenticated remote attackers to execute arbitrary system commands via a specially crafted HTTP request. This security issue stems from improper input validation in the device's management interface, which lacked proper sanitization. Affected products include LoadMaster version 7.2.60.0 and prior, as well as MT Hypervisor version 7.1.35.11 and earlier. The vulnerability impacts not only standard versions but also long-term support variants, while free versions remain vulnerable, as no patch is applicable to them. Despite no current reports of exploitation, Progress Software advises all users to apply the emergency patch and follow recommended security practices. LoadMaster is widely used in large organizations for application performance optimization, load balancing, and network traffic management.
2024-09-07 15:14:29 bleepingcomputer CYBERCRIME New Sextortion Scam Targets Spouses With Cheating Claims
A new variant of sextortion scam is leveraging the emotional trigger of infidelity, accusing recipients' spouses of cheating and providing falsified "proof." Scammers are utilizing detailed personal information, such as uncommonly used names and pet names, possibly sourced from sites like the wedding planning platform The Knot. Victims are asked to pay between $500 and $5,000 to prevent the distribution of the alleged proof to family and friends. The unclear source of the private information used in the emails has raised concerns among those targeted, with some speculating a data breach at The Knot, although this remains unconfirmed. The emails often originate from unfamiliar domains and instruct recipients to visit a linked site, which may host malware or phishing attempts. Despite the distressing nature of the messages, many recipients identified the communication as a scam and chose to delete the emails. It is advised to ignore such emails and refrain from clicking on any links provided, as they are known to be deceptive and potentially harmful.
2024-09-07 14:18:23 bleepingcomputer NATION STATE ACTIVITY RAMBO Attack Leaks Sensitive Data from Air-Gapped Systems
A novel "RAMBO" side-channel attack utilizes electromagnetic radiation from RAM to steal data from isolated, air-gapped computers. Typically secure environments like governmental or nuclear facilities are at risk, despite having no direct internet connections. Malware is often introduced by insider threats or through sophisticated state-sponsored supply chain attacks. The attack works by modulating memory access patterns in RAM, emitting controlled electromagnetic signals that standard security systems do not detect. The transmissions, captured via inexpensive software-defined radio devices, allow sensitive information like passwords and keys to be exfiltrated. The RAMBO attack can transmit up to 1,000 bits per second, effective for stealing small critical data such as keystrokes. Mitigation strategies include implementing strict physical zone restrictions, RAM jamming techniques, and using Faraday enclosures to shield emissions. Although countermeasures exist, they introduce significant operational overheads and require careful implementation.
2024-09-07 12:35:09 theregister NATION STATE ACTIVITY White House Proposes New Cybersecurity Rules for Water Systems
The White House is developing stronger cybersecurity regulations for the water sector after prior standards were rejected following lawsuits from various states. Several nation-states including China, Russia, and Iran have been implicated in cyberattacks on US water systems, exploiting vulnerabilities in operational technology (OT). The reliability of older OT systems poses significant security challenges due to their internet connectivity and outdated cybersecurity measures. There has been no significant damage reported from these intrusions so far, but officials warn that future breaches could disrupt critical water supply and treatment facilities. The diversity of water systems, mostly small and locally managed, complicates consistent funding and the implementation of robust cybersecurity measures. There is a growing need for federal support through grants and loans, especially for rural water utilities that lack the resources to enhance security. CISA recommends changes like updating default passwords and securing remote access to mitigate the risk of unauthorized access to water system controls.
2024-09-07 07:29:55 thehackernews MALWARE North Korean Hackers Use LinkedIn Scams to Distribute Malware
North Korean threat actors are targeting developers on LinkedIn to deliver COVERTCATCH malware through fake job recruiting scams. Initial infection vectors include coding tests disguised as legitimate job-related challenges, which, when opened, launch malware onto macOS systems. The malware campaign is part of a broader strategy that includes Operation Dream Job and Contagious Interview, employing job-themed lures to infect targets. Other malware like RustBucket, delivered via deceptive PDF job descriptions, can commandeer system processes and harvest data. These attacks focus on the cryptocurrency sector, specifically targeting Web3 organizations, and involve stealing credentials and internal data to access cloud-hosted financial assets. The FBI has issued warnings about these highly sophisticated social engineering campaigns, emphasizing their threat to international financial security and crypto assets. Personalized tactics employed in these campaigns include exploiting personal and professional connections to entrap victims, extending well beyond generic phishing attempts.
2024-09-07 07:14:26 thehackernews CYBERCRIME FBI Indicts Two for Operating Dark Web Cybercrime Marketplaces
The FBI has indicted Alex Khodyrev and Pavel Kublitskii, nationals of Kazakhstan and Russia respectively, for running a dark web marketplace involved in selling stolen sensitive information. Their platform, WWH Club, along with its sister sites, was used for trading personal identifying information, credit card details, bank account info, and computer passwords. WWH Club also provided forums for cybercriminal discussions and online courses training new cybercriminals in fraud and theft tactics. Payment for these courses was made in cryptocurrencies, highlighting the use of digital currencies in facilitating criminal activities on the dark web. Despite law enforcement efforts, WWH Club reportedly remains operational, and other administrators are trying to dissociate themselves from Khodyrev and Kublitskii. Both accused were residing in Miami and secretly managing the criminal network even while under FBI surveillance. If convicted, Khodyrev and Kublitskii could face up to 20 years in federal prison, underscoring the severe penalties associated with cybercrime.
2024-09-06 21:49:33 theregister MISCELLANEOUS Google Advocates for Rust to Enhance Firmware Security
Google has rewritten the firmware of protected virtual machines within its Android Virtualization Framework using Rust, promoting broader adoption. Android engineers highlight Rust's ability to improve security by replacing traditional C and C++ code in firmware, reducing common vulnerabilities like buffer overflows. Despite Rust's benefits in memory safety and performance, transitioning seasoned C/C++ developers to Rust remains challenging due to its steep learning curve. Resistance from developers, particularly highlighted in the Linux community, underscores the broader challenge of integrating Rust into existing projects. The U.S. government and various tech leaders support moving to memory-safe languages like Rust to mitigate security risks in software development. Google's continued investment in Rust includes expanding its use in key projects like Android and Chromium and working closely with the Rust community to foster adoption. Google claims Rust developers show double the productivity compared to their C++ counterparts, emphasizing Rust's strategic importance in developing secure and reliable software.
2024-09-06 20:02:22 theregister CYBERCRIME Cisco Online Store Hit by High-Impact Magecart Cyberattack
Cisco's online merchandise store was compromised by a Magecart attack instigated by suspected Russia-based hackers, who exploited a critical vulnerability in Adobe's Magento platform. The Magento flaw, rated 9.8 critical, allows for potential credit card theft and sensitive data breaches during checkout processes. Despite the vulnerability being patched by Adobe in June, the attack occurred because Cisco's store was operating on unpatched Magento 2.4 software. A third-party supplier administering the Cisco-branded merchandise website addressed and resolved the security issue, which affected a limited user base. All affected consumers have been notified, and Cisco has confirmed that no user credentials were compromised in the breach. Cybersecurity researchers linked the attack to scripts hosted on a recently registered Russia-based IP address, indicative of a quick, opportunistic exploit. Monitoring firm Sansec reported inadequate software update adoption across e-commerce sites, with only 25% having implemented Adobe's security patch shortly after release.
2024-09-06 19:51:45 bleepingcomputer CYBERCRIME Transport for London Staff Systems Disrupted by Cyberattack
Transport for London (TfL) suffered a cyberattack restricting staff access to systems and emails. TfL reported this incident to governmental agencies, including the National Cyber Security Centre and the National Crime Agency. There is no evidence found yet that customer information was compromised during the attack. Due to the attack, refunds for journeys, access to live travel data, and online services like the journey history for Oyster card users are currently disrupted. TfL has had to suspend new applications for services like Oyster photocards amid ongoing recovery efforts. Although in-station and journey planning services are still operational, certain online functionalities remain unavailable. TfL's Chief Technology Officer emphasized the importance of security and mentioned that the transport services are operating normally despite the setbacks.
2024-09-06 18:04:51 bleepingcomputer DATA BREACH Avis Notifies Customers of Data Breach, Enhances Security Measures
Avis experienced a data breach in one of its business applications, with unauthorized access occurring from August 3 to August 6. Personal information, including names and other sensitive data of some customers, was stolen by the attackers. The company promptly responded by stopping the unauthorized access and initiating an investigation with external cybersecurity experts. Avis has informed the relevant authorities and the affected customers, and has filed notification letters with California's Office of the Attorney General. Post-incident, Avis has implemented stronger security measures for the breached application and increased overall system safeguards. Customers affected by the breach have been offered a one-year free membership for Equifax's credit monitoring service. Avis advises all customers to remain vigilant for signs of identity theft or fraud by monitoring their account statements and credit history.
2024-09-06 16:17:40 bleepingcomputer MISCELLANEOUS Microsoft Office 2024 Enhances Security by Disabling ActiveX
Microsoft will disable ActiveX controls by default in its upcoming Office 2024 suite, impacting Word, Excel, PowerPoint, and Visio apps. The disabling of ActiveX controls is set to begin in October 2024 for Win32 Office desktop applications, with a planned extension to Microsoft 365 apps in April 2025. ActiveX, introduced in 1996, has historically facilitated interactive object embedding in documents but is fraught with security issues including zero-day vulnerabilities. Once the change is effective, ActiveX controls will render as static images, disabling user interaction in the Office suite, though users can manually revert to previous settings if necessary. North Korean hackers have previously exploited ActiveX zero-day vulnerabilities to deploy malware and infiltrate networks. Microsoft's broader security strategy includes disabling other risky features like Excel 4.0 macros, blocking VBA Office macros by default, and soon phasing out VBScript.
2024-09-06 15:57:08 thehackernews CYBERCRIME SonicWall Warns of Critical Firewall Vulnerability Exploitation
SonicWall has reported a critical flaw in SonicOS that is potentially under active exploitation. The vulnerability, identified as CVE-2024-40766, has a high severity score of 9.3. The issue affects SonicWall's firewall management access and SSLVPN, leading to possible unauthorized access and system crashes. SonicWall has issued patches for this vulnerability and advises immediate application of these fixes. Until the patches are applied, it is advised to restrict firewall management to trusted sources or disable WAN management from the Internet. Recommendations for SSLVPN include limiting access to trusted sources and enabling multi-factor authentication using one-time passwords. The vulnerability has been addressed in recent updates, but specifics on how it has been exploited remain undisclosed. For historical context, Chinese threat actors previously used similar exploits against unpatched SonicWall SMA 100 appliances to gain persistent access.