Daily Brief

Total articles found: 12796

2024-09-05 18:00:43 bleepingcomputer NATION STATE ACTIVITY Russian GRU Hackers Target Global Critical Infrastructure
Russian military intelligence, known as the GRU, has been linked to cyberattacks on critical infrastructure worldwide, primarily through Unit 29155. These attacks have targeted sectors such as energy, government, and aerospace in NATO members and EU nations, aiming at espionage, data destruction, and reputational damage. GRU hackers used data-wiping malware such as WhisperGate and deployed ransomware decoys in their operations. The U.S. State Department has offered a reward of up to $10 million for information on key members of Unit 29155 involved in these activities. Unit 29155 is reported to have collaborated with non-GRU actors, including known cybercriminals, to carry out its operations. Recommended defensive measures include system updates, vulnerability patching, network segmentation, and phishing-resistant multifactor authentication. Critical infrastructure sectors are advised to increase vigilance, given the destructive-malware attacks previously seen against Ukraine. The U.S. is also taking action against Russian disinformation campaigns as the 2024 presidential election approaches.
2024-09-05 16:59:15 bleepingcomputer MALWARE Critical Bug in LiteSpeed Cache Risks Millions of WordPress Sites
A critical security flaw in LiteSpeed Cache, a popular WordPress plugin, endangers over 6 million websites. Identified as CVE-2024-44000, this vulnerability allows unauthenticated users to take over accounts by stealing session cookies. The exploit leverages the plugin’s debug logging feature, capturing all HTTP response headers, including session cookies in the debug log file. LiteSpeed Technologies released a patch for the bug in LiteSpeed Cache version 6.5.0.1, moving debug logs to a secure location and removing risky features. Despite the fix, over 5.6 million sites remain at risk, prompting urgent updates and file purges from affected servers. Security incidents involving LiteSpeed Cache have escalated recently, highlighting increased attacks exploiting the plugin’s vulnerabilities. WordPress.org reported significant downloads of the updated plugin in response to vulnerability announcements, signaling community awareness and action against the threat.
2024-09-05 16:53:39 bleepingcomputer CYBERCRIME Musician Indicted for $10 Million AI-Driven Streaming Fraud
North Carolina musician Michael Smith was indicted for collecting over $10 million in fraudulent royalty payments. Smith used AI-generated music and bots to manipulate streaming numbers on platforms including Spotify, Amazon Music, Apple Music, and YouTube Music. He acquired AI-generated songs from a co-conspirator, uploaded them to streaming platforms, and then used bots to artificially inflate stream counts. The bots used VPNs to avoid detection by the platforms' anti-fraud systems. Smith managed an operation of over 1,000 bots, generating billions of fake streams over five years and earning millions in royalties. He faces charges of wire fraud, wire fraud conspiracy, and money laundering conspiracy, each carrying a maximum sentence of 20 years. U.S. Attorney Damien Williams emphasized that the scheme diverted royalties from legitimate musicians and rights holders.
2024-09-05 16:22:55 thehackernews NATION STATE ACTIVITY Chinese Hackers Target Middle East Human Rights Studies
Persistent cyberattacks by Tropic Trooper, also known as APT23, began targeting Middle Eastern and Malaysian government entities in June 2023. In June 2024 Kaspersky detected Tropic Trooper using an updated China Chopper web shell against an open-source CMS platform. The main malware used, Crowdoor, is a variant of the SparrowDoor backdoor and includes capabilities such as data collection, network scanning, and lateral movement. The attackers attempted to exploit vulnerabilities in widely used applications such as Adobe ColdFusion and Microsoft Exchange Server. The attacks ultimately failed to achieve their objectives. They specifically focused on a content management platform disseminating studies on human rights in the context of the Israel-Hamas conflict, which signals a strategic shift by the group toward politically sensitive content.
2024-09-05 16:07:22 thehackernews MALWARE Veeam Updates Software to Address Critical Security Flaws
Veeam has released updates fixing 18 security vulnerabilities in its products. Five of these are critical and could allow remote code execution. The updates also remedy 13 high-severity vulnerabilities that could enable privilege escalation and MFA bypass. Among the problems fixed are permission issues that allowed code execution under elevated privileges. Users of Veeam software are encouraged to install the updates immediately to prevent exploitation. The urgency is underscored by ransomware groups' increasing focus on Veeam software users.
2024-09-05 15:31:35 bleepingcomputer CYBERCRIME Hackers Use Fake OnlyFans Tool to Infect Peers with Malware
Cybercriminals designed a fake OnlyFans account checker tool, which instead distributes the Lumma information-stealing malware. The operation, unearthed by Veriti Research, illustrates the competitive and treacherous nature of the cybercrime ecosystem. The deceptive tool targets hackers looking to hijack OnlyFans accounts by promising credential verification and other services. Once executed, the fake tool installs malware capable of stealing two-factor authentication codes, cryptocurrency wallets, and other sensitive data. The malware, fetched from a GitHub repository under a deceptive account name, also serves as a loader for additional malicious payloads. Veriti's investigation revealed that the malware communicates with command and control servers registered under ".shop" domains. This campaign reflects a broader trend where cybercriminals target their own kind with malicious tools and backdoored software.
2024-09-05 15:10:57 theregister NATION STATE ACTIVITY Quantum Computing's Impact on Global Encryption Security
Quantum computing poses a significant threat to current encryption methods, potentially breaking them in seconds rather than the millennia required with classical computing. Current quantum computers achieve up to a few hundred qubits, but around 10,000 qubits are needed to break most modern encryption, a capability nation states could already possess or achieve soon. The concern covers not only current capabilities but also future potential: attackers may collect encrypted data now to decrypt later once quantum capabilities improve, an approach termed 'harvest now, decrypt later'. The U.S. National Institute of Standards and Technology (NIST) has been proactive, having begun developing post-quantum encryption standards in 2016, with implementations now underway across sectors. Organizations are advised to build "crypto agility", the ability to switch swiftly between algorithms if one is found to be compromised, and to manage and automate their encryption standards on an ongoing basis. DigiCert, a digital trust provider, is collaborating with NIST and offers tools such as the Trust Lifecycle Manager for automating updates and managing policies related to quantum-safe algorithms. Public awareness and readiness vary by industry: sectors like finance and manufacturing are actively transitioning to quantum-safe practices, while others lag behind.
2024-09-05 14:39:01 theregister MISCELLANEOUS Security Spending Growth Slows, Yet Proportion of IT Budget Increases
Over a third of chief security officers surveyed reported flat or reduced security budgets this year, in contrast to the rapid increases of previous years. Despite stagnant individual budgets, overall security spending still grew 8% in 2024, a slowdown from the 16% and 17% increases recorded in 2021 and 2022. Security's share of the overall IT budget has risen from 8.6% in 2020 to 13.2% in 2024, indicating growing prioritization within IT expenditures. Hiring challenges persist amid a talent shortage: staffing growth rates have dropped to less than half those observed in 2022, and over a third of CISOs are not expanding their teams. Corporate concerns over liability from third-party supplier breaches and SEC rules on security incident reporting are driving a better understanding of, and a more cautious approach to, security spending among C-suite executives. The cyber insurance market continues to grow, although the terms and conditions of such policies must be checked to ensure adequate coverage during a breach. Overall, despite economic pressures and a shift toward cost-efficiency, the importance of and investment in cybersecurity within organizations continue to rise.
2024-09-05 14:18:10 bleepingcomputer MALWARE Critical Security Flaws Addressed by Veeam in Recent Update
Veeam has released updates addressing 18 critical and high-severity flaws. The most significant vulnerability, CVE-2024-40711, affects Veeam Backup & Replication and allows unauthenticated remote code execution. Veeam Backup & Replication is critical to enterprise data protection and a prime target for ransomware attacks; ransomware groups have previously exploited Veeam vulnerabilities in double-extortion campaigns. The flaw affects versions up to 12.1.2.172, and users are urged to upgrade to version 12.2.0.334 immediately. Other critical vulnerabilities in Veeam Service Provider Console and Veeam ONE were also fixed in the latest security patch. Users are strongly advised to install these updates to protect against ransomware attacks and unauthorized access.
2024-09-05 12:09:38 thehackernews NATION STATE ACTIVITY U.S. Clamps Down on Russian Disinformation, Seizes Domains and Indicts
The U.S. Department of Justice (DoJ) seized 32 domains used for spreading pro-Russian propaganda under a campaign named Doppelganger. The seized domains were part of an operation aimed at undermining international support for Ukraine and influencing U.S. and foreign elections. Companies like Social Design Agency and Structura National Technology, directed by the Russian Presidential Administration, used tactics like cybersquatting and AI-generated narratives. The U.S. Treasury also sanctioned individuals and entities, including RT executives, for their roles in covertly influencing the U.S. electoral process. The DoJ indicted two Russian nationals for orchestrating disinformation tactics which resulted in videos that garnered millions of views, designed to sow discord in America. Alongside these enforcement actions, new visa restrictions and foreign mission designations were applied to Russian media entities to curb clandestine activities. These measures are part of a broader effort to combat foreign interference in the upcoming general election, amidst increasing online influence operations by other nations such as China.
2024-09-05 10:02:18 theregister CYBERCRIME Cyber Incident Disrupts London Transport Network Security
Transport for London (TfL) is experiencing a prolonged cyber incident, now in its third day, with investigations ongoing. TfL has not provided specific details about the incident but confirmed that there is currently no evidence of customer data compromise or significant impact on its services. The breach may have originated through a compromised Cisco VPN appliance, which is used widely within the organization. TfL's response includes severe restrictions on internet access, cutting most outbound connections and restricting inbound ones, while keeping remote work possible and securing internal networks. Public-facing services such as the contactless and Oyster card login pages have been taken offline for "maintenance", affecting passengers. The nature of the incident points to a possible ransomware or data exfiltration attempt, which has led TfL to implement emergency containment measures. The UK Information Commissioner's Office (ICO) has been notified and is assessing the details of the incident as provided by TfL.
2024-09-05 09:21:26 thehackernews MISCELLANEOUS NIST Cybersecurity Framework Enhances with CTEM Integration
The NIST Cybersecurity Framework (CSF) has evolved over the last decade: initially designed for critical infrastructure, it was adapted for broader use in 2018. The newly released CSF 2.0 further refines its adaptability and focus on continuous improvement, adding a "Govern" step and emphasizing integration with broader enterprise risk management. The CSF is organized around five core functions, Identify, Protect, Detect, Respond, and Recover, which guide organizations in managing cybersecurity risk. Continuous Threat Exposure Management (CTEM), introduced by Gartner in 2022, complements the CSF by focusing on continuous monitoring and threat assessment. CTEM replaces periodic assessments with a continuous approach that aims to proactively identify and mitigate vulnerabilities, aligning closely with the CSF's goals. Organizations using CTEM alongside the CSF can achieve better compliance and an improved security posture through dynamic, continuous management of cyber threats. Together, the CSF and CTEM form a comprehensive strategy for defending against cyber threats effectively and continuously.
2024-09-05 09:16:05 bleepingcomputer CYBERCRIME Hackers Tricked by Fake OnlyFans Tool Spreading Malware
Hackers are using a fake OnlyFans account checker tool that, instead of helping them steal credentials, installs the Lumma information-stealing malware. The operation was uncovered by Veriti Research, highlighting the irony and deception rampant among cybercriminals themselves. Lumma, a malware-as-a-service rented out since 2022, steals 2FA codes, cryptocurrency wallets, and other sensitive information stored on compromised systems. The malicious "brtjgjsefd.exe" payload, sourced from a GitHub repository, also drops additional malicious payloads and executes PowerShell scripts. Upon activation, the Lumma payload connects to another GitHub account, "UserBesty", which hosts various other malware distribution tools. Researchers identified command and control servers on ".shop" domains directing the malware's activities and handling data exfiltration. This incident is part of a broader trend in which cybercriminals target other cybercriminals with deceptive tools that promise enhanced attack capabilities.
2024-09-05 07:49:13 thehackernews MALWARE Sophisticated Malware Delivery Using MacroPack Tool Uncovered
Cisco Talos has reported that threat actors are misusing MacroPack, a tool originally developed for red teaming, to deliver malware. Malicious documents used for this purpose included harmful payloads such as Havoc, Brute Ratel, and a new variant of the PhantomCore RAT. Artifacts analyzed were found on VirusTotal, originating from various countries including China, Pakistan, Russia, and the U.S. These documents were crafted to trick users into enabling macros, with some even mimicking military organization communications to appear legitimate. Researchers highlighted the use of non-obfuscated VBA subroutines common across all malicious samples, which were unique to these attacks and not previously seen in other malware campaigns. Attackers leveraged advanced features of MacroPack to evade anti-malware solutions, utilizing techniques like Markov chains for obfuscation. The attack process involved a three-step sequence: sending a MacroPack-embedded Office document, decoding a next-stage payload, and executing the final malware. This latest finding shows an evolution in threat actor tactics, focusing on more complex methods to avoid detection and enhance the success of their attacks.
2024-09-05 05:31:29 bleepingcomputer CYBERCRIME Planned Parenthood Confirms IT Systems Cyberattack by RansomHub
Planned Parenthood of Montana experienced a significant cybersecurity incident impacting its IT infrastructure. The attack was confirmed to have taken place in late August 2024, leading to parts of the organization's network being taken offline. RansomHub ransomware group claimed responsibility for the attack, threatening to release 93GB of potentially stolen data. Confidential documents were published by the attackers on a dark web extortion portal as purported evidence. Federal agencies including the FBI, CISA, MS-ISAC, and HHS have been notified and are involved in the ongoing investigation. This incident is part of a larger trend noted by federal authorities where healthcare organizations are increasingly targeted by ransomware groups. There are severe potential privacy implications for patients due to the nature of services Planned Parenthood provides. The organization had previously faced a similar ransomware attack in 2021, impacting 400,000 patient records.