Daily Brief

Total articles found: 11830

Checks for new stories every ~15 minutes

2024-06-27 01:48:06 theregister MALWARE South Korean Telco KT Accused of Infecting Users with Malware
A South Korean media outlet accuses KT, a local telecom company, of deliberately infecting users' P2P systems with malware. Allegedly, 600,000 users were affected; the malware was designed to hide files within the P2P service, leading to service disruptions. The malicious activity started in May 2020 and was conducted internally from KT's datacenter for nearly five months. Police have raided KT's headquarters and datacenter, seizing evidence under potential violations of local communication and information network laws. The investigation reveals a specialized KT team responsible for interfering with file transfers, including roles in malware development, distribution, and wiretapping. Thirteen employees from KT and its partners have been identified and referred for possible prosecution. KT defends its actions by labeling the web hard drive P2P service itself as malicious, necessitating control measures. The actions are part of broader disputes over network usage in South Korea, highlighted by disagreements over network operation costs with major streaming services like Netflix.
2024-06-27 00:36:35 theregister NATION STATE ACTIVITY U.S. Indicts Russian National, Offers $10M Reward in Cyber Espionage Case
The U.S. Department of Justice has indicted Amin Timovich Stigal, a 22-year-old Russian, for cyberattacks targeting Ukrainian government systems. Stigal is alleged to have collaborated with Russian military intelligence (GRU) to deploy the WhisperGate malware against critical Ukrainian infrastructure just before Russia's invasion. In January 2022, the attacks affected vital sectors including government, military, and emergency services, using malware designed to mimic ransomware but actually intended to delete data. The U.S. State Department is offering a $10 million reward for information leading to Stigal's capture, emphasizing the severity of the cyber espionage activities. The indictment accuses the attackers of defacing websites, stealing personal data, and sowing distrust among Ukrainian citizens regarding the security of their personal and governmental data. The WhisperGate attacks were later attributed to the Russian military by the U.S. and its allies, with Microsoft’s intelligence unit linking the group to Cadet Blizzard, associated with the GRU. Additional activities by the group include attacks on infrastructure in a Central European country and probing of U.S. government systems, with efforts to conceal their Russian affiliation using fake identities and U.S.-based infrastructure.
2024-06-26 22:03:47 theregister CYBERCRIME US Offers $5 Million for Capture of 'CryptoQueen' Ruja Ignatova
The U.S. government has announced a $5 million bounty for information leading to the arrest or conviction of Ruja Ignatova, also known as "CryptoQueen." Ignatova co-founded OneCoin in 2014, which was promoted as a major digital currency but was later revealed to be a $4 billion Ponzi scheme. She was indicted on multiple charges including wire fraud and money laundering in 2017, and additional charges of securities fraud were added in 2018. Ignatova evaded capture by fleeing from Bulgaria to Greece in October 2017 and may be living under a new identity following possible plastic surgery. OneCoin was falsely advertised with lavish global events and celebrity-endorsed parties to attract investors. Ignatova's current whereabouts are unknown, with the FBI seeking tips via various communication channels and through U.S. Embassies worldwide. Her brother, Konstantin, and co-founder Karl Sebastian Greenwood have been arrested and charged, with Greenwood pleading guilty in 2022.
2024-06-26 18:50:06 theregister CYBERCRIME Gang Leader Convicted for Violent Crypto-Related Kidnappings
Remy St Felix led a gang involved in violent home invasions across the U.S., targeting wealthy cryptocurrency investors. The criminal activities occurred between September 2022 and July 2023, including assaults, kidnappings, and robberies. Victims were often physically restrained and threatened with further violence to coerce access to their crypto wallets. The gang successfully stole hundreds of millions in cryptocurrency, utilizing tech-savvy methods and remote software for account access. In one instance, over $150,000 was stolen from a single couple in North Carolina through remote exploitation of their crypto accounts. St Felix was arrested in July 2023 and has been convicted of multiple charges including conspiracy, kidnapping, and wire fraud. The criminals attempted to launder the illicit gains using privacy-focused cryptocurrencies and platforms lacking rigorous compliance checks. St Felix faces a sentencing range from seven years to life in prison; his case highlights the intersection of physical violence and cybercrime in crypto theft.
2024-06-26 18:39:39 theregister NATION STATE ACTIVITY Julian Assange Pleads Guilty, Released After Long Legal Battle
Julian Assange, founder of WikiLeaks, pleaded guilty to a single charge of conspiracy to obtain and disclose national defense information in the US District Court for the Northern Mariana Islands. Assange's plea was part of a deal that allowed him to admit guilt to one charge instead of the original 18, leading to his release as he had already served the sentence's duration in the UK. The court session marked the close of years of complex legal battles, including potential extradition from Sweden and later from the UK after refuge in the Ecuadorian embassy. Australian Prime Minister Anthony Albanese highlighted ongoing diplomatic efforts to resolve Assange's case, stressing it had been too prolonged and unproductive to continue. Assange left the court free and headed back to Australia on a privately chartered jet funded by a crowdfunding campaign initiated by his wife. His case has raised numerous discussions about journalism's limits, espionage, and legal ethics, particularly concerning the use of the US Espionage Act against journalists. The resolution of Assange's case suggests a potential new era of increased secrecy and challenges in journalistic freedom, setting a significant legal precedent.
2024-06-26 18:24:01 bleepingcomputer CYBERCRIME LockBit Ransomware Falsely Claims Attack on U.S. Federal Reserve
The LockBit ransomware group claimed to have attacked the U.S. Federal Reserve, stealing 33 terabytes of sensitive data. It was later revealed that the actual target was Evolve Bank & Trust, not the Federal Reserve. LockBit's initial claim included ongoing negotiations and threats to release the data unless better ransom terms were negotiated. Evolve Bank & Trust confirmed a cybersecurity incident in which its data was illegally obtained and released on the dark web. In response, Evolve is offering affected customers credit monitoring and identity theft protection, and it has engaged law enforcement to address the situation. Recent examinations by the Federal Reserve identified significant deficiencies in Evolve’s risk management and compliance, leading to demands for improvement. This incident highlights LockBit's strategy of making exaggerated claims to maintain relevance within the cybercriminal community.
2024-06-26 17:58:15 bleepingcomputer MISCELLANEOUS Critical Open-Source Projects Lack Memory-Safe Code, CISA Reports
CISA, along with the FBI and cybersecurity organizations from Australia and Canada, reviewed 172 significant open-source projects for memory safety issues. The report found that over half of these projects use memory-unsafe programming languages, increasing the risk of memory-related errors. Prominent examples include Linux, Tor, Chromium, and MySQL Server, all exhibiting high ratios of memory-unsafe code. Memory-unsafe languages like C and C++ are commonly used for their performance benefits, despite their security risks. CISA advises developers to adopt memory-safe languages such as Rust, Java, and Go for new projects and to transition existing code in order to reduce vulnerabilities. Recommendations also include following safe coding practices and implementing continuous security testing methods such as static and dynamic analysis and fuzz testing. The report emphasizes the ongoing challenge of balancing performance with security in software development, particularly in critical infrastructure environments.
2024-06-26 16:56:52 bleepingcomputer CYBERCRIME Critical SQL Injection Flaw in Fortra FileCatalyst Allows Unauthorized Access
A critical SQL injection vulnerability (CVE-2024-5276) has been discovered in Fortra FileCatalyst Workflow, a web-based platform for large file transfers. This flaw enables remote, unauthenticated attackers to create admin users and alter data within the application’s database, although it does not allow data theft. The vulnerability was publicly disclosed by Tenable researchers who also released a proof-of-concept exploit demonstrating the attack process. FileCatalyst Workflow versions up to 5.1.6 Build 135 are affected, and users are urged to update to Build 139 to mitigate the risk. The exploit capitalizes on unsanitized user inputs in the 'jobID' parameter, which Tenable's script used to create a new admin user and gain unauthorized access. No active exploitations have been reported yet, but the availability of the public exploit significantly increases the risk of misuse by malicious actors. This disclosure comes after the Clop ransomware gang's previous exploitation of a Fortra product vulnerability, highlighting ongoing risks associated with security flaws in widely used platforms.
2024-06-26 15:04:24 thehackernews CYBERCRIME Urgent Patch Required for Active MOVEit Transfer Vulnerability
A critical vulnerability in Progress Software’s MOVEit Transfer is actively being exploited, necessitating immediate patching. Identified as CVE-2024-5806 with a CVSS score of 9.1, the flaw allows for authentication bypass in the SFTP module. Another related vulnerability, CVE-2024-5805, also impacts MOVEit Gateway, potentially allowing unauthorized server access. Security researchers detail the ability to impersonate any user, significantly increasing the risk of this exploit. Approximately 2,700 instances of MOVEit Transfer are online globally, with the majority in the U.S., U.K., and other major countries. A prior vulnerability was exploited in widespread Cl0p ransomware attacks, highlighting the urgency for updates. The U.S. CISA has disclosed a separate security breach involving Ivanti Connect Secure, showing the broader context of current cybersecurity threats. Progress Software urges users to update affected systems immediately to mitigate potential risks and exposures.
2024-06-26 14:53:54 bleepingcomputer CYBERCRIME Hackers Exploit Critical Flaw in MOVEit File Transfer System
Hackers are targeting a new critical vulnerability in Progress MOVEit Transfer, specifically CVE-2024-5806, allowing authentication bypass in the SFTP module. The flaw was disclosed publicly by the vendor less than a day before the first attack attempts were detected by the Shadowserver Foundation. Current estimates show approximately 2,700 MOVEit Transfer instances are exposed online, predominantly in the US, UK, Germany, Canada, and Netherlands. Technical details of the vulnerability were released by security firm watchTowr, along with proof-of-concept exploit code created by researcher Sina Kheirkhah. Organizations are urged to apply updates and mitigations provided by Progress promptly, as the exploit's details are now public, increasing the risk of further exploitation. Separate vulnerabilities discovered on third-party components used in MOVEit Transfer add complexity and potential security risk, requiring additional interim mitigations such as blocking RDP access. Patches for CVE-2024-5806 have been released in specific MOVEit Transfer versions, and MOVEit Cloud customers have already received automatic updates.
2024-06-26 13:36:54 theregister CYBERCRIME MOVEit Software Hit by Critical Authentication Bypass Vulnerabilities
Progress Software disclosed new vulnerabilities in MOVEit Transfer and MOVEit Gateway, both critical in nature. CVE-2024-5805 and CVE-2024-5806 pose a severe threat, carrying a critical 9.1 severity rating and enabling authentication bypass. Researchers at watchTowr detailed how CVE-2024-5806 facilitates two significant types of attack, affecting file handling and system security. The less severe variant allows forced SMB authentication, potentially affecting systems beyond MOVEit that use similar SSH library configurations. The more severe variant grants attackers the ability to masquerade as SFTP users, escalating privileges to manipulate files. Attackers can leverage these vulnerabilities for a file-less attack, leaving minimal traces of unauthorized activity. An immediate increase in exploit attempts was observed soon after watchTowr publicly released details of these vulnerabilities. Users are urged to apply patches immediately, especially since successful breaches using similar vulnerabilities have historically impacted thousands of organizations.
2024-06-26 13:36:54 bleepingcomputer MALWARE Snowblind Malware Exploits Android Kernel Feature to Bypass Security
Snowblind malware exploits the 'seccomp' Linux kernel feature in Android to interfere with application security checks and prevent detection. This novel malware technique was uncovered by the mobile app security company Promon, which received a malware sample affecting a Southeast Asian client of i-Sprint. The malware injects a native library to load before the target app's anti-tampering code, using seccomp filters to block and manipulate system calls during security checks. Such manipulation allows the malware to redirect checks to an unmodified version of the application package, thus bypassing security measures like file integrity verification. The technique observed in Snowblind attacks is not widely known or guarded against in the mobile application industry, making it a significant threat. Researchers demonstrated that this type of attack is completely invisible to users and could lead to unauthorized actions such as the leakage of login credentials. Despite the potential severity, the operational footprint and performance impact of Snowblind attacks are minimal, making them hard to detect during usual app operations. Promon suggests that other adversaries could adopt this bypass technique, posing a broad security risk to Android apps handling sensitive data.
2024-06-26 10:17:11 thehackernews NATION STATE ACTIVITY State-Linked Hackers Use Ransomware to Target Global Infrastructure
Suspected Chinese and North Korean hackers used ransomware in cyberattacks on global government and infrastructure entities from 2021 to 2023. The clusters of cyberattacks have been linked to a group known as ChamelGang and to activity associated with state-sponsored entities. Targets included high-profile organizations such as the All India Institute of Medical Sciences and the Presidency of Brazil, attacked with CatB ransomware. The ransomware attacks served multiple purposes: financial gain, operational sabotage, distraction, and evidence destruction. ChamelGang, identified since 2021 and believed to operate from China, uses tools like BeaconLoader, Cobalt Strike, and multiple backdoors for sophisticated attacks. The 2023 incidents involved updated tools for deeper reconnaissance and data exfiltration, indicating evolving tactics and tooling. Another set of attacks used encryption tools like Jetico BestCrypt and Microsoft BitLocker, primarily targeting the manufacturing sector in the Americas and Europe. Cybersecurity experts suggest these ransomware operations offer plausible deniability for state actors, blurring the line between pure cybercrime and state-sponsored espionage.
2024-06-26 09:56:40 thehackernews MISCELLANEOUS Effective Strategies for Enhancing Software Supply Chain Security
Regulatory pressure on organizations to secure their software supply chains is increasing amid rising attack risks. The Log4j incident highlighted vulnerabilities in open-source components used widely in software development. Gartner predicts nearly half of all enterprises will face a software supply chain attack by 2025. Security is complex due to global development teams and extensive open source usage. Embracing DevSecOps and applying comprehensive security controls across code repositories, CI/CD pipelines, and infrastructure are key strategies. Generating and managing software bills of materials (SBOMs) is critical for addressing zero-days and vulnerabilities. Policy-as-code and the SLSA framework are essential for governance and for ensuring the trustworthiness of software artifacts. Continuous discovery and testing are recommended to mitigate risks and secure software supply chains effectively.
2024-06-26 09:41:08 thehackernews MALWARE Apple Releases Fix for Bluetooth Eavesdropping Vulnerability
Apple has issued a firmware update for AirPods to address an authentication vulnerability (CVE-2024-27867) that allowed unauthorized Bluetooth access. The flaw was found across multiple Apple audio products including various AirPods versions, Powerbeats Pro, and Beats Fit Pro. An attacker within Bluetooth range could impersonate a previously paired device, gaining illicit access to eavesdrop on conversations. The vulnerability has been patched through improved state management in the latest firmware updates. Security researcher Jonas Dreßler discovered and reported the flaw, which is now mitigated in the recent software releases. Additionally, Apple recently fixed a separate issue in visionOS, tracked as CVE-2024-27812, concerning a DoS logic flaw in WebKit processing. Ryan Pickren, another researcher, detailed an exploit that could force-render 3D objects in users' environments through ARKit without user interaction, which has also been addressed.