Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12796
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-05 05:05:29 | thehackernews | MALWARE | New Malware KTLVdoor Targets Chinese Firm, Linked to Earth Lusca | Earth Lusca, a Chinese-speaking threat group, employed a new backdoor malware called KTLVdoor in a cyberattack on a Chinese trading company.
KTLVdoor is cross-platform, affecting both Windows and Linux systems, and is capable of file manipulation, command execution, and remote scanning.
The malware disguises itself as common system utilities such as sshd, Java, and SQLite to avoid detection.
More than 50 command-and-control (C&C) servers tied to KTLVdoor were found hosted on Alibaba infrastructure, a scale that Trend Micro reads as either shared infrastructure or a testing phase involving other Chinese-speaking actors.
The backdoor takes its name from the "KTLV" marker in its configuration; once running it connects to its C&C servers and accepts commands such as downloading or uploading files and launching scans.
How KTLVdoor is delivered is not yet understood, and its use may be an early testing phase for new tooling.
Trend Micro researchers noted the sample's heavy obfuscation and possible links to other known intrusion sets such as APT27 and RedHotel. | Details |
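The masquerading described above (a backdoor carrying the name sshd, java or sqlite3) is cheap to check for on a Linux host: compare each process's name with the path its executable actually runs from. The script below is an added example, not code from the Trend Micro report. The expected paths are assumptions for a typical Debian/RHEL layout, the binary name `sqlite3` is assumed for the page's "SQLite", and the sample process records are constructed.

```python
"""Flag Linux processes that borrow the name of a common utility (sshd, java,
sqlite3) while running from somewhere that utility does not live.
Added example, not code from the Trend Micro report. The expected paths are
assumptions for a typical Debian/RHEL layout; adjust them for your fleet."""
import os

# Assumed legitimate locations. An entry ending in '/' is treated as a prefix.
EXPECTED_PATHS = {
    "sshd": {"/usr/sbin/sshd", "/sbin/sshd"},
    "java": {"/usr/bin/java", "/usr/lib/jvm/"},
    "sqlite3": {"/usr/bin/sqlite3"},   # assumption: the page's "SQLite" means this binary
}
# Scratch and home directories a system daemon should never execute from.
SUSPECT_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
DELETED = " (deleted)"   # suffix /proc/<pid>/exe shows when the binary was unlinked


def _path_allowed(name, exe):
    return any(exe.startswith(p) if p.endswith("/") else exe == p
               for p in EXPECTED_PATHS[name])


def classify(proc):
    """proc: {'pid', 'comm', 'exe'}; returns a list of reasons, empty when clean."""
    name, exe = proc["comm"], proc["exe"]
    on_disk = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    reasons = []
    if name in EXPECTED_PATHS and not _path_allowed(name, on_disk):
        reasons.append(f"{name} running from unexpected path {on_disk}")
    if exe.endswith(DELETED):
        reasons.append("backing binary was deleted after the process started")
    if on_disk.startswith(SUSPECT_PREFIXES):
        reasons.append("executable lives in a scratch or home directory")
    return reasons


def find_masquerades(procs):
    """Map pid -> reasons for every process that trips at least one check."""
    hits = {}
    for proc in procs:
        reasons = classify(proc)
        if reasons:
            hits[proc["pid"]] = reasons
    return hits


def read_procfs():
    """Live records from /proc (Linux only; processes we cannot read are skipped)."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append({"pid": int(pid), "comm": comm, "exe": exe})
    return procs


# Constructed sample records, not real telemetry.
SAMPLE = [
    {"pid": 812,  "comm": "sshd",    "exe": "/usr/sbin/sshd"},                          # genuine
    {"pid": 2231, "comm": "java",    "exe": "/usr/lib/jvm/java-17-openjdk-amd64/bin/java"},
    {"pid": 4410, "comm": "sshd",    "exe": "/tmp/.x/sshd"},                             # masquerade
    {"pid": 4411, "comm": "sqlite3", "exe": "/home/web/sqlite3 (deleted)"},              # masquerade
    {"pid": 4412, "comm": "nginx",   "exe": "/usr/sbin/nginx"},
]

if __name__ == "__main__":
    records = read_procfs() or SAMPLE      # live data on Linux, the sample elsewhere
    for pid, reasons in sorted(find_masquerades(records).items()):
        print(pid, "; ".join(reasons))
```

Run as root on a real host so that `/proc/<pid>/exe` is readable for every process; unprivileged runs silently skip other users' processes. A name/path mismatch is a lead, not a verdict: follow it with a hash of the binary and the parent process chain before calling it KTLVdoor.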
| 2024-09-05 04:44:46 | thehackernews | CYBERCRIME | Cisco Addresses Critical Security Flaws in Licensing Utility | Cisco has released updates for two critical vulnerabilities in its Smart Licensing Utility that could let a remote, unauthenticated attacker gain administrative access through an undocumented static credential or read sensitive data from log files.
Both flaws are exploitable only while the utility is running, which happens only after a user starts it.
The affected releases are Smart Licensing Utility 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 contains the fixes, and there is no workaround.
Separately, Cisco patched a command injection vulnerability in Identity Services Engine (ISE) that lets an attacker who already holds administrative access execute arbitrary commands as root.
That flaw, CVE-2024-20469, carries a CVSS score of 6.0 precisely because exploitation requires valid administrator credentials.
Proof-of-concept exploit code exists for it, but Cisco's PSIRT is not aware of any exploitation in the wild.
Cisco found the ISE flaw during its own internal security testing rather than through an external report. | Details |
| 2024-09-05 04:34:25 | theregister | DATA BREACH | Verkada Agrees to $3M Settlement Over Security Failures | Verkada, a physical security vendor, has agreed to pay $2.95 million to settle an FTC action; the monetary penalty itself is for spam violations.
The FTC found that Verkada's marketing emails violated the CAN-SPAM Act by offering no way to unsubscribe and omitting a physical postal address.
Separate from the spam counts, the complaint cites Verkada's 2021 breach, in which intruders used exposed administrator credentials to reach live feeds from roughly 150,000 cameras.
Those cameras included ones inside Tesla factories and Cloudflare offices, raising significant security concerns.
The fine covers only the CAN-SPAM violations; the allegations about Verkada's earlier security failures and its HIPAA compliance claims are addressed through the order's security obligations rather than a penalty.
Under the order Verkada must build and maintain a comprehensive information security program and give staff annual security training.
It must also enforce multi-factor authentication and submit to independent third-party assessments to verify compliance.
The FTC stressed that security vendors in particular will be held to account for how they protect the data they collect. | Details |
| 2024-09-05 02:32:14 | theregister | NATION STATE ACTIVITY | U.S. Authorities Tackle Russian Election Meddling with Seizures and Charges | The U.S. Justice Department seized 32 internet domains and charged two Russian nationals in a coordinated action against Russian election interference.
The seized domains belonged to Doppelgänger, a Kremlin-directed influence operation documented since 2022 that uses AI-generated content, fabricated news and social media personas to push Russian narratives.
Domains such as washingtonpost.pm typosquatted real outlets so that readers would mistake the planted content for the genuine publication.
The Justice Department charged the two individuals with conspiracy to violate the Foreign Agents Registration Act and conspiracy to commit money laundering, for covertly funding and directing content meant to shape U.S. public opinion.
The Treasury Department sanctioned them and related entities, and the State Department imposed visa restrictions aimed at Kremlin-backed media operations in the U.S.
An unsealed affidavit lays out Russian planning documents that target specific U.S. parties and candidates to advance Moscow's aims, above all weakening U.S. support for Ukraine.
The FBI director framed the operations as attacks on U.S. democracy, and the State Department's Rewards for Justice program is offering up to $10 million for information on foreign election interference. | Details |
| 2024-09-05 01:21:00 | theregister | NATION STATE ACTIVITY | North Korean Crypto Scams Target DeFi Companies, FBI Alerts | The FBI has warned that North Korean operatives are running well-prepared social engineering campaigns against cryptocurrency businesses.
These state-sponsored operations aim to deceive employees of decentralized finance (DeFi) and other crypto firms into giving up access that lets the attackers steal funds.
The FBI says the actors research their targets carefully and have recently shown interest in people and firms connected to cryptocurrency exchange-traded funds.
Approaches typically come through professional networking sites such as LinkedIn, with the attackers posing as recruiters, investors or known contacts, which makes them hard to spot.
Victims often do not realise they have been compromised until the theft has already happened, a measure of how patient and convincing these campaigns are.
Pyongyang's motive is to fund a sanctioned state that is largely cut off from the global financial system, with stolen cryptocurrency filling the gap.
The FBI stresses that even security-savvy staff are at risk and advises verifying unexpected contacts through a separate channel and treating unsolicited offers with suspicion.
It also advises against downloading or running anything received through platforms such as LinkedIn and asks that suspicious approaches be reported to authorities promptly. | Details |
| 2024-09-04 22:17:57 | theregister | MISCELLANEOUS | Palo Alto Networks Acquires IBM's QRadar, Enhances AI Security | Palo Alto Networks has bought IBM's QRadar SaaS assets for $500 million and will fold them into its Cortex platform.
The deal is part of a broader partnership in which Palo Alto's Cortex XSIAM and IBM's watsonx are meant to work together on threat detection and response.
IBM is promising QRadar SaaS customers a "seamless and cost-free migration" to Cortex and says it has trained more than 1,000 consultants to carry it out.
Cortex bundles SIEM, SOAR, attack surface management (ASM) and XDR, with AI-assisted automation as the main selling point for faster triage.
Palo Alto CEO Nikesh Arora framed the acquisition as furthering the company's aim of re-platforming security operations around AI.
The relationship runs both ways: IBM will deploy Palo Alto's Prisma SASE 3.0 across its own workforce of roughly 250,000 employees.
IBM itself will concentrate on hybrid cloud security, data security and identity management. | Details |
| 2024-09-04 22:07:35 | bleepingcomputer | CYBERCRIME | Microchip Technology Hit by Play Ransomware, Data Stolen | Microchip Technology has confirmed that employee data was stolen in an August cyberattack claimed by the Play ransomware gang.
The attack disrupted operations at several manufacturing sites and order fulfilment, and the company shut down systems to contain it.
Critical IT systems are back online and customer orders are being processed again.
Microchip says it has found no evidence so far that customer or supplier data was taken, though the investigation continues.
Play has published part of the stolen data and is threatening to release the rest unless the company negotiates.
Outside incident response specialists are helping assess the full scope of the intrusion and harden the environment against a repeat.
An FBI and CISA advisory had already put Play's victim count at roughly 300 organisations worldwide as of October 2023. | Details |
| 2024-09-04 21:21:44 | theregister | MISCELLANEOUS | Microsoft's Copilot for 365 Faces Compliance and Governance Hurdles | Microsoft has published a Transparency Note for Copilot for Microsoft 365 that stresses one point above all: the assistant can only be as well governed as the access rights already in place.
The service, priced at $30 per user per month, runs large language models over content reached through Microsoft Graph and the Microsoft 365 apps.
Worries about data governance and access management have led some businesses to hold off on deploying it.
Prompts from apps such as Word are grounded with the user's own Graph data, and the generated output passes through responsible-AI, security, compliance and privacy checks before it is shown.
Microsoft cautions that legal and compliance obligations, especially in regulated industries, mean organisations must keep reviewing how Copilot fits their requirements.
Extending Graph with external data sources can improve answer quality but widens what the assistant can reach, so it calls for a governance review first.
Some large organisations have paused roll-outs after finding that Copilot surfaced files their users already had access to but should not have had, such as employee salary data.
Microsoft's own advice is to apply judgement to Copilot output and weigh the promised productivity gains against the governance work needed to keep sensitive data from being surfaced. | Details |
| 2024-09-04 20:35:31 | theregister | CYBERCRIME | Ransomware Attack on Planned Parenthood Montana Threatens Data Leak | Planned Parenthood of Montana suffered a cyber-attack, with the ransomware group RansomHub claiming responsibility and threatening to publish the stolen data.
The nonprofit detected the intrusion on August 28 and took parts of its network offline to contain it.
RansomHub claims to have taken about 93 GB of data and has given the organisation seven days to pay before it publishes.
The organization has engaged federal law enforcement and cybersecurity experts to investigate the breach and restore the integrity of their IT systems.
The CEO, Martha Fuller, acknowledged the severity of the threat and confirmed cooperation with law enforcement in the ongoing investigation.
This cyber-attack comes amid warnings from U.S. authorities, including the FBI and CISA, about RansomHub's recent aggressive targeting of various critical sectors, including healthcare. | Details |
| 2024-09-04 20:35:30 | bleepingcomputer | MALWARE | Increasing Abuse of MacroPack Tool in Sophisticated Malware Attacks | MacroPack, a framework built for red-team exercises, is being used by threat actors to deliver payloads including Havoc, Brute Ratel and PhantomCore.
Cisco Talos found a range of malicious documents on VirusTotal built with it, uploaded from the U.S., Russia, China and Pakistan among other countries.
The documents carried different lures and infection chains, which points to several unrelated actors using the same tooling.
MacroPack, written by French developer Emeric Nasi, bundles evasion features such as VBA obfuscation, function renaming and anti-analysis tricks.
Talos' indicators for MacroPack-built documents are characteristic VBA subroutines and constructs inserted to lower detection by static analysis.
When a victim opens the document, the VBA code runs and loads a malicious DLL that connects to the attacker's command-and-control server.
The tool has been abused broadly, including by ransomware crews using cracked copies to slip past endpoint detection and response (EDR) and antivirus products. | Details |
| 2024-09-04 20:25:05 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Justice Department Targets Russian Disinformation Networks | The U.S. Justice Department has seized 32 web domains linked to the Doppelgänger Russian disinformation network, believed to be controlled by entities tied to the Russian Presidential Administration.
The confiscated domains were used to spread false narratives and Russian propaganda, aimed at influencing U.S. voter preferences and diminishing international support for Ukraine.
The operation relied on cybersquatting to mimic legitimate news sites, fake social media profiles and influencers, and AI-generated content.
Separately, the Justice Department indicted RT employees Konstantin Kalashnikov and Elena Afanasyeva for covertly funnelling nearly $10 million to a U.S. company whose videos drew over 16 million views on YouTube.
The Treasury's Office of Foreign Assets Control sanctioned RT executives, among others, over efforts to covertly recruit American influencers to spread Russian-funded content.
The FBI reassures that despite foreign cyber threats, the integrity and security of the 2024 U.S. election processes will be upheld. | Details |
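Both of the Doppelgänger items above turn on the same trick: a real publisher's registered name under a foreign TLD (washingtonpost.pm), or a near-miss spelling of it. The script below is an added example, not anything from the DOJ affidavit, for triaging a list of observed domains against known brands. The brand list, the confusable table and all sample domains other than washingtonpost.pm are constructed; it also assumes single-label TLDs, which a production version should replace with the Public Suffix List.

```python
"""Flag domains that impersonate a known publisher's registered name under a
different TLD, with a hyphen or digit swap, or with a one-letter typo.
Added example; it is not taken from the DOJ affidavit. The brand list, the
confusable table and the sample domains are constructed for illustration."""

# Assumed legitimate registrations: registered label -> its real TLD.
BRANDS = {"washingtonpost": "com", "foxnews": "com", "lemonde": "fr"}

# Small table of look-alike substitutions; real deployments need a fuller one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def split_domain(fqdn):
    """Return (registered label, tld). Assumes a one-label TLD; use the Public
    Suffix List in production so that e.g. co.uk is handled correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable hostname: {fqdn!r}")
    return labels[-2], labels[-1]


def normalise(label):
    """Strip separators and map common look-alike characters to the real ones."""
    label = label.replace("-", "").replace("_", "")
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn):
    """Reason string when fqdn looks like an impersonation, else None."""
    sld, tld = split_domain(fqdn)
    for brand, real_tld in BRANDS.items():
        if sld == brand:
            return None if tld == real_tld else f"'{brand}' under foreign TLD .{tld}"
        if normalise(sld) == brand:
            return f"'{sld}' normalises to '{brand}'"
        # one-edit typos only for reasonably long brands, to keep noise down
        if len(brand) >= 6 and levenshtein(sld, brand) == 1:
            return f"'{sld}' is one edit away from '{brand}'"
    return None


def triage(domains):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {}
    for domain in domains:
        reason = classify(domain)
        if reason:
            hits[domain] = reason
    return hits


# Constructed sample: washingtonpost.pm is from the reporting, the rest are invented.
SAMPLE = ["washingtonpost.pm", "washingtonpost.com", "washington-post.co",
          "wasingtonpost.com", "washingt0npost.net", "example.org"]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE).items():
        print(f"{domain:22} {reason}")
```

Feed it newly registered domains or passive-DNS output rather than a static list; the point is to catch the registration before the content does any work. Exact-match under the real TLD is deliberately returned as clean so the publisher's own domain never trips the check.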
| 2024-09-04 18:38:02 | bleepingcomputer | MALWARE | Cisco Resolves Critical Root Escalation Vulnerability in ISE | Cisco has patched a command injection vulnerability, designated as CVE-2024-20469, in its Identity Services Engine (ISE) software.
The vulnerability allows local attackers, who already have Administrator privileges, to escalate their rights to root without needing user interaction.
The flaw lies in the insufficient validation of user-supplied input in specific CLI commands, leading to potential command injection attacks.
Although exploit code is publicly available, there have been no reported instances of this vulnerability being exploited in the wild.
Cisco has also recently fixed other issues, including an undocumented static credential in its Smart Licensing Utility and vulnerabilities in Integrated Management Controller (IMC) and Secure Email Gateway (SEG).
The company urges customers to apply the updates, as it offers no workarounds for these flaws. | Details |
| 2024-09-04 17:51:51 | bleepingcomputer | CYBERCRIME | New EUCLEAK Flaw Threatens to Clone YubiKey FIDO Devices | A newly disclosed vulnerability dubbed "EUCLEAK" affects FIDO devices built on Infineon's SLE78 security microcontroller, including Yubico's YubiKey 5 Series with firmware before 5.7.0.
The flaw lets a well-resourced attacker recover the device's ECDSA private key by side-channel measurement and clone it, but only with extended physical access to the token, its casing opened, and specialised equipment.
Although the attack is serious in principle, Yubico rates it moderate (CVSS 4.9) because of the physical access, equipment and expertise required.
Other affected products include Infineon TPMs, Feitian A22 JavaCards, some older smart devices, and potentially e-passports and cryptocurrency hardware wallets that use the same library.
Yubico's advisory notes that an attacker would additionally need to get past the user's PIN or biometric to make use of a cloned key.
YubiKey firmware cannot be updated in the field, so devices below 5.7.0 remain affected for life; Yubico's mitigations include preferring RSA over elliptic-curve signing keys where the application allows and shortening session lifetimes so a clone is useful for less time. | Details |
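EUCLEAK is a side channel on the ECDSA signing operation (the name refers to the extended Euclidean algorithm used for the nonce's modular inverse), and the reason any such leak is fatal is simple arithmetic: once the attacker knows the per-signature nonce k for even one signature, the private key drops out of the signing equation. The block below is an added example in pure Python on NIST P-256, not the NinjaLab attack code; it assumes the attacker has recovered k completely, which is an idealisation of what a side channel actually yields, and the message and keys are constructed.

```python
"""Why a recovered ECDSA nonce is game over: with one signature (r, s) over a
message and the nonce k that produced it, the private key d follows from
d = (s*k - e) * r^-1 mod n. Added example in pure Python on NIST P-256; it is
not the EUCLEAK attack code. It assumes the attacker learned k completely,
which is an idealisation of what a side channel yields."""
import hashlib
import secrets

# NIST P-256 domain parameters (y^2 = x^3 + A*x + B over GF(P), base point G of order N)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x, m):
    return pow(x, -1, m)          # modular inverse (Python 3.8+)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA with an explicit nonce so the demo can 'leak' it."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (hash_to_int(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another")
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    e = hash_to_int(msg)
    pt = add(mul(e * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg, sig, k):
    """The one line that matters: s = k^-1 (e + r d)  =>  d = (s k - e) r^-1."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * inv(r, N) % N


def curve_self_check():
    """G must have order N: N*G is the point at infinity."""
    return mul(N, G) is None


def demo(msg=b"constructed challenge from a relying party"):
    d = secrets.randbelow(N - 1) + 1          # victim's private key
    pub = mul(d, G)
    k = secrets.randbelow(N - 1) + 1          # per-signature nonce, normally secret
    sig = sign(d, msg, k)
    d_recovered = recover_private_key(msg, sig, k)   # attacker knows k via the side channel
    return verify(pub, msg, sig), d_recovered == d, mul(d_recovered, G) == pub


if __name__ == "__main__":
    print("curve ok:", curve_self_check())
    print("signature valid, key recovered, clone matches pub:", demo())
```

The recovered d is exactly what a cloned token needs: with it an attacker can sign FIDO assertions for the registered credential indefinitely, which is why Yubico's advisory pairs the physical-access caveat with advice to shorten session lifetimes. The same arithmetic is why real implementations treat the nonce inversion as security-critical and why the fix in firmware 5.7.0 was to stop using the vulnerable library routine.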
| 2024-09-04 17:00:25 | bleepingcomputer | CYBERCRIME | Cisco Removes Backdoor Account in Licensing Utility, Issues Updates | Cisco has fixed a critical vulnerability in its Smart Licensing Utility by removing an undocumented static credential that gave anyone who knew it administrative access.
The flaw, CVE-2024-20439, allowed an unauthenticated remote attacker to log in to the utility's API with the built-in credential.
Cisco also patched a second critical issue, CVE-2024-20440, in which a crafted HTTP request could retrieve sensitive data, including credentials, from the utility's log files.
Both flaws are confined to specific vulnerable releases and are exploitable only while a user has the utility running.
This is not the first time Cisco has had to strip hardcoded credentials from its own software.
Cisco's PSIRT says it is not aware of public exploit code or of either flaw being exploited in the wild.
Cisco has previously shipped fixes for other severe flaws in its network equipment, including some exploited by state-sponsored groups. | Details |
| 2024-09-04 15:59:06 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy Fake App in Job Scam | North Korean hackers, identified as Famous Chollima, are targeting job seekers using a fake video conferencing app that impersonates FreeConference.com.
The deceptive app installs malware, specifically a cross-platform Python backdoor named InvisibleFerret, which allows for keylogging, remote control, and data theft.
The campaign, known as Contagious Interview and tracked as DEV#POPPER, is linked to North Korea's Lazarus Group and uses social engineering via job interview offers to distribute malware.
Recent modifications show that the malware can also steal data from cryptocurrency wallets and employs a new set of Python scripts for advanced data harvesting.
The attackers use various platforms, including LinkedIn, Upwork, and Telegram, to contact and deceive potential victims, with recent activities extending into 2024.
The FBI has issued warnings about the increasing threat from North Korean actors, particularly in the cryptocurrency sector, highlighting their use of sophisticated social engineering tactics.
The campaign is notable for its continuing evolution, with new tools and techniques being developed to avoid detection and improve effectiveness. | Details |