Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12796
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-04 15:48:41 | bleepingcomputer | CYBERCRIME | Hackers Compromise Cisco Store with Malicious JavaScript Code | Cisco took its merchandise store offline after malicious JavaScript was found injected into the site to steal customer data.<br>The intrusion is attributed to exploitation of CosmicSting (CVE-2024-34102), a critical XML external entity (XXE) vulnerability in Adobe Commerce (Magento), the e-commerce platform the store runs on; the injected script targeted the checkout page to skim credit card details and login credentials.<br>The script was heavily obfuscated and loaded from a recently registered domain, which points to a premeditated attack.<br>Researchers partially deobfuscated it and found it harvests a wide range of personal data entered at checkout.<br>The stolen data may include Cisco employees' credentials, raising the risk of follow-on intrusions into internal systems.<br>Cisco had not publicly responded to inquiries about the incident at the time of the report. | Details |
| 2024-09-04 15:17:58 | bleepingcomputer | MALWARE | Google Rolls Out Fixes for Android and Pixel Security Flaws | Google's September 2024 Android security bulletin addresses 34 vulnerabilities, including CVE-2024-32896, which is under active exploitation.<br>The high-severity flaw is an elevation-of-privilege bug in the Android Framework caused by a logic error; exploitation requires user interaction but no additional execution privileges.<br>It lets an attacker bypass protections and gain elevated privileges; Google first patched it on Pixel devices in June, and the September update extends the fix to all devices running Android 12 through 14.<br>The bulletin also fixes Qualcomm component flaws, among them CVE-2024-33042 and CVE-2024-33052, memory-corruption bugs in Wi-Fi components.<br>The companion Pixel bulletin fixes six serious issues, four of them rated critical, in device-control and firmware components.<br>Google advises installing the updates promptly to stay ahead of exploitation. | Details |
| 2024-09-04 14:32:01 | theregister | MALWARE | Cicada3301: Evolution of BlackCat Ransomware Targets SMBs | Cicada3301, a ransomware family that appears to be a rebrand of BlackCat (ALPHV), has claimed at least 20 victims since it was first identified in June 2024.<br>Morphisec researchers found substantial overlap in code and techniques between the two families, both of which are written in Rust.<br>Cicada3301 adds its own customizations, including compromised user credentials embedded in the binary and additional mechanisms to evade detection.<br>Its evasion has improved to the point that some samples had zero detections on VirusTotal when first submitted.<br>The operators mainly hit small and medium-sized businesses in North America and England and demand payment in Bitcoin or Monero.<br>The group also uses tools such as EDRSandBlast to interfere with endpoint security products.<br>Continued changes to the malware's evasion logic indicate active development by its authors.<br>Morphisec found Cicada3301 in a customer environment after it had bypassed several major endpoint detection and response products. | Details |
| 2024-09-04 14:06:19 | bleepingcomputer | MISCELLANEOUS | AI SPERA Achieves PCI DSS v4.0 Certification for Criminal IP | AI SPERA, a cyber threat intelligence company, has obtained PCI DSS v4.0 certification for its search engine, Criminal IP.<br>The certification supersedes the company's earlier PCI DSS v3.2.1 attestation and reflects updated controls for protecting payment information.<br>PCI DSS v4.0 addresses newer technological threats and tightens requirements for secure network maintenance, data protection and vulnerability management.<br>Criminal IP received top ratings in all key assessment areas, including data protection, access control and security policy management.<br>AI SPERA sells Criminal IP through subscription plans ranging from basic to enterprise tiers aimed at different security needs.<br>Key features include real-time threat updates, customizable alerts, full-domain scans and advanced threat analysis.<br>AI SPERA cites partnerships with major technology firms and availability on platforms such as AWS and Microsoft Azure as evidence of its market reach.<br>The company says it operates in more than 150 countries and continues to expand Criminal IP worldwide as an enterprise-grade security product. | Details |
| 2024-09-04 13:45:45 | bleepingcomputer | CYBERCRIME | Revival Hijack Attack Targets Older PyPI Package Names | Threat actors are using a technique dubbed "Revival Hijack" to take over the names of deleted PyPI packages and publish malicious code under them.<br>More than 22,000 deleted PyPI package names are open to this kind of takeover, which could translate into hundreds of thousands of malicious downloads.<br>The attack abuses PyPI's policy of making a deleted project's name available for immediate re-registration by anyone.<br>JFrog saw the technique used in the wild against "pingdomv3": a new publisher claimed the name and pushed a Python trojan under it.<br>JFrog reduced the exposure by re-registering the most popular deleted names under a holding account it controls, so attackers cannot claim them.<br>Even so, those placeholder packages received roughly 200,000 downloads, showing how many installs still reference deleted names and would have pulled attacker code.<br>Organizations are advised to pin package versions, verify package integrity (for example with hashes), and monitor for changes in package ownership. | Details |
| 2024-09-04 13:40:24 | thehackernews | MALWARE | Google Releases Patch for Exploited Android Security Flaw | Google has released Android updates for CVE-2024-32896, a vulnerability under active exploitation.<br>The high-severity flaw (CVSS 7.8) is a privilege-escalation bug in the Android Framework.<br>It was first disclosed in June 2024, when it appeared to affect only Google Pixel devices.<br>It has since been confirmed to affect the wider Android platform; exploitation requires physical access to the device and interferes with the factory reset process.<br>Google says there are indications of limited, targeted exploitation but has not disclosed how the attacks work.<br>Fixes are being rolled out in coordination with Android OEM partners.<br>Google advises all users to install the latest security updates promptly. | Details |
| 2024-09-04 13:03:35 | thehackernews | MALWARE | Hackers Exploit Removed PyPI Packages for Malware Distribution | A technique dubbed Revival Hijack re-registers the names of removed Python Package Index (PyPI) packages to deliver malicious code.<br>Roughly 22,000 removed PyPI packages are susceptible, a pool that could yield hundreds of thousands of malicious downloads.<br>Attackers re-register a removed package under its exact former name, so developers and build pipelines that still reference the name fetch the new, attacker-controlled version believing it is a legitimate update.<br>JFrog, the software security firm that described the method, notes that it sidesteps the usual defences against author impersonation and typosquatting: the victim makes no typo, and the name is exactly the one they always used.<br>Revival Hijack has been used in the wild: after its original owner removed "pingdomv3", the name was re-registered and a later version was updated to carry a malicious payload.<br>JFrog has pre-emptively registered removed packages under a "security_holding" account with a non-functional placeholder version 0.0.0.1, both to keep the names out of attackers' hands and to alert users who still depend on them.<br>Developers and organizations should review their DevOps and dependency practices to make sure they are not installing revived packages from the index. | Details |
| 2024-09-04 11:35:56 | thehackernews | MALWARE | Zyxel Mitigates Critical Command Injection Vulnerability in Devices | Zyxel has released firmware updates for a critical OS command injection flaw in several of its access points and security routers.<br>Tracked as CVE-2024-7261 (CVSS 9.8), the bug lets an unauthenticated attacker execute arbitrary OS commands by sending a crafted cookie to a vulnerable device's CGI program, because a parameter taken from the cookie is not neutralized before use.<br>Successful exploitation can give the attacker full control of the affected device.<br>The flaw was reported by Chengchao Ai of the ROIS team at Fuzhou University.<br>Zyxel also patched seven other vulnerabilities that could lead to OS command execution, denial of service, or exposure of browser-based information.<br>Separately, D-Link said it will not fix four vulnerabilities, two of them critical, in its DIR-846 router because the product reached end-of-life in February 2020. | Details |
| 2024-09-04 10:59:35 | thehackernews | CYBERCRIME | Effective Strategies to Mitigate Browser-Based Account Takeovers | Account takeover (ATO) attacks are a major threat to cloud-based SaaS environments, and the browser is their primary attack surface.<br>Traditional controls often fall short because the browser-based kill chain is shorter than the classic one: captured credentials give the attacker direct access to SaaS data with no malware to drop or lateral movement to detect.<br>The report stresses that once a user's credentials are compromised in the browser, the attacker gains broad control over the applications behind them.<br>Phishing pages abuse browser functionality to intercept or forge credentials and are not reliably blocked by standard SSE products or firewalls.<br>Malicious browser extensions exploit the high privileges the browser grants them to read stored credentials, and conventional endpoint detection and protection platforms largely overlook them.<br>Browser security platforms are presented as a stronger defence: they analyse and control the execution of web pages and extensions and integrate tightly with identity providers (IdPs).<br>The report argues that such a platform gives modern enterprises the visibility, risk analysis and automated prevention needed against ATO tactics.<br>Its conclusion is that security strategies must add browser-focused controls to counter advanced account takeover methods and meet emerging requirements. | Details |
| 2024-09-04 08:46:47 | thehackernews | DATA BREACH | Clearview AI Fined €30.5M for Illegal Facial Recognition Database | The Dutch Data Protection Authority (DPA) has fined Clearview AI €30.5 million for violating the EU's GDPR by building a database of billions of facial images.<br>The database consists of photos scraped from publicly accessible internet sources, each paired with a unique biometric code that can identify the person.<br>Clearview is accused of collecting and storing facial data without informed consent and without adequately informing people about how their data is used.<br>The DPA stressed how intrusive facial recognition technology is and condemned its unregulated use.<br>Dutch organizations are now prohibited from using Clearview's services, and the DPA is also exploring whether the company's management can be held personally liable.<br>Clearview contends it is not subject to EU rules because it has no establishment in the EU, and called the fine "unlawful".<br>In the U.S., Clearview previously settled an Illinois privacy lawsuit by giving the plaintiffs a significant equity stake in the company instead of a cash payout. | Details |
| 2024-09-04 05:32:21 | thehackernews | MALWARE | Fake GlobalProtect VPN Software Deployed in WikiLoader Malware Campaign | A malware campaign is impersonating Palo Alto Networks' GlobalProtect VPN software to deliver the WikiLoader loader.<br>Observed in June 2024, the campaign relies on SEO poisoning and Google ads to steer users searching for the software to cloned download pages, rather than on the direct phishing emails seen in earlier WikiLoader activity.<br>The MSI installer from these pages drops a fake GlobalProtect application: a renamed copy of a legitimate trading program that sideloads a malicious DLL, which in turn loads WikiLoader.<br>The loader has added anti-analysis checks, such as detecting virtual machines, and displays a fake error message so the non-working "VPN" looks like an ordinary software failure.<br>Researchers believe the move from phishing to SEO poisoning may indicate new operators, or a tactical shift by existing ones after their earlier methods were publicly exposed.<br>WikiLoader has been linked to the threat actor TA544, which previously used it to deliver Danabot and Ursnif via email.<br>The loader keeps evolving, including its use of both compromised and legitimate infrastructure, which improves its ability to evade detection. | Details |
| 2024-09-04 04:31:13 | theregister | MISCELLANEOUS | Telegram Cooperates with South Korea to Remove Deepfake Content | Telegram has apologised to South Korea and removed 25 videos depicting sex crimes after working with local authorities.<br>The move comes amid wider alarm over digital sex crimes in South Korea, which the government has described as a deepfake crisis.<br>South Korea's Communications Standards Commission said it hopes to build a productive relationship with Telegram, including a new rapid-response takedown channel.<br>The cooperation may signal a policy shift by Telegram, coming shortly after French authorities detained its CEO, Pavel Durov, over the platform's handling of illegal content.<br>President Yoon Suk Yeol has ordered a government crackdown on deepfake content, including a Telegram group with more than 220,000 members.<br>Human Rights Watch has criticised the South Korean response as late and insufficient, noting that digital sex crimes have been a long-standing problem in the country.<br>Telegram's public statements give no indication that this cooperative stance will extend beyond South Korea. | Details |
| 2024-09-04 00:57:28 | theregister | NATION STATE ACTIVITY | Former NY State Official Charged for Working as Undisclosed Chinese Agent | Linda Sun, a former senior New York State official, has been charged with multiple offences, including acting as an undisclosed agent of the Chinese government.<br>Sun and her husband, Chris Hu, are also accused of visa fraud, alien smuggling and laundering millions of dollars.<br>The Department of Justice alleges that, while working in the New York State Executive Chamber, Sun accepted gifts, cash and other benefits from Chinese officials in exchange for quietly advancing their interests.<br>The couple allegedly spent the proceeds on luxury real estate and high-end vehicles, including a Ferrari, a Range Rover and a Mercedes.<br>Sun's alleged conduct included blocking Taiwanese representatives from meeting New York State officials and issuing unauthorised invitation letters to Chinese officials.<br>The indictment points to wire transfers and purchases that were flagged as inconsistent with the couple's declared income.<br>Sun admitted to some of the alleged conduct in a 2022 interview with the New York State Office of the Inspector General; she and her husband have been arrested and are awaiting trial. | Details |
| 2024-09-04 00:26:46 | theregister | NATION STATE ACTIVITY | White House Plans to Enhance Security of Internet Routing | The White House wants to harden the security of internet routing, specifically the Border Gateway Protocol (BGP).<br>BGP, which exchanges reachability information between autonomous systems and so steers traffic across the internet, has no built-in way to verify that a network is entitled to announce the routes it advertises, leaving it open to route hijacks and leaks.<br>Notable incidents include Pakistan's 2008 hijack of YouTube's prefix and Russian networks' manipulation of BGP to disrupt Twitter during the 2022 invasion of Ukraine.<br>The Office of the National Cyber Director's "Roadmap to Enhancing Internet Routing Security" calls for urgent improvement, citing rising national security risk.<br>Existing defences, the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs) that record which AS may originate a prefix, and Route Origin Validation (ROV) that enforces them at routers, remain under-deployed: adoption is about 39% in the U.S. against roughly 70% in Europe.<br>The Justice and Defense Departments have backed stronger BGP security after incidents in which China Telecom Americas misrouted traffic.<br>The White House is pushing federal agencies and the private sector to deploy these measures quickly. | Details |
| 2024-09-03 21:33:48 | theregister | CYBERCRIME | UK Trio Admits to Operating Multimillion-Dollar MFA Bypass Scheme | Three men in the UK have pleaded guilty to running OTP.agency, a criminal service that helped fraudsters bypass multifactor authentication (MFA) and hit thousands of victims.<br>The National Crime Agency (NCA) estimates the operation generated up to £7.9 million ($10.3 million) by selling access to tools used to break into bank accounts and other protected services.<br>Subscriptions started at £30 per week, with premium tiers that targeted Visa and Mastercard verification steps.<br>Active from September 2019, the service claimed it could obtain one-time passwords for Apple Pay and more than 30 other platforms.<br>The NCA began investigating in June 2020 and arrested the trio in March 2021, shortly after a security journalist published an exposé of the service.<br>The three face lengthy prison sentences on charges including conspiracy to commit fraud and money laundering.<br>The NCA describes the convictions as a deterrent and reiterates its commitment to fighting cybercrime and protecting the public's finances. | Details |
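Worked example for the two Revival Hijack entries above (BleepingComputer and The Hacker News): the checks a dependency pipeline can run to catch a deleted-then-re-registered PyPI name, plus the hash-pinning rule both articles recommend. This is an added illustration, not code from JFrog, PyPI or either article. The package `examplepkg`, its owners, dates and digests are constructed; the metadata dicts follow the field layout of PyPI's JSON API (`info`, `releases`, `upload_time`, `digests.sha256`) so the same functions can be pointed at a live `GET /pypi/<name>/json` response.

```python
"""Revival Hijack checks for Python dependencies.

Added example; not code from JFrog, PyPI or either article.  Two checks a
dependency pipeline can run offline:
  1. compare what was vetted for a package (owner, version, sha256, last
     upload) with the index's current metadata, laid out like the PyPI JSON
     API response (an `info` dict and a `releases` map of version ->
     uploaded files), and flag the traces a re-registered name leaves;
  2. reject requirement lines not pinned to an exact version with a sha256
     hash, which is what `pip install --require-hashes` enforces.
`examplepkg`, its owners, dates and digests are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    package: str
    signal: str
    detail: str


def check_package(name: str, vetted: dict, current: dict, gap_days: int = 180) -> list[Finding]:
    """Flag metadata changes consistent with a revived (re-registered) name."""
    findings: list[Finding] = []
    info, releases = current["info"], current["releases"]
    # 1. Different owner than vetted: once deleted, anyone can claim the name.
    if info.get("author") != vetted["author"]:
        findings.append(Finding(name, "owner-changed", f"{vetted['author']!r} -> {info.get('author')!r}"))
    # 2. Deletion wipes release history, so a re-registered name no longer
    #    carries the vetted version (or its file digest).
    files = releases.get(vetted["version"], [])
    if not files:
        findings.append(Finding(name, "history-vanished", f"vetted release {vetted['version']} is gone from the index"))
    elif vetted["sha256"] not in {f["digests"]["sha256"] for f in files}:
        findings.append(Finding(name, "digest-mismatch", f"release {vetted['version']} now has a different sha256"))
    # 3. Earliest upload visible today is long after the vetted history ended:
    #    the project restarted from scratch after a dormant period.
    uploads = sorted(datetime.fromisoformat(f["upload_time"]) for fs in releases.values() for f in fs)
    if uploads and uploads[0] - datetime.fromisoformat(vetted["last_upload"]) > timedelta(days=gap_days):
        findings.append(Finding(name, "revived-after-gap",
                                f"first visible upload {uploads[0].date()}, vetted history ended {vetted['last_upload'][:10]}"))
    return findings


HASH_OPT = "--hash=sha256:"


def _logical_lines(lines: Iterable[str]) -> list[str]:
    """Join backslash-continued lines; drop comments and blanks."""
    out, buf = [], ""
    for raw in lines:
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def unpinned_requirements(lines: Iterable[str]) -> list[str]:
    """Return requirements lacking `==version` plus at least one sha256 hash."""
    bad = []
    for req in _logical_lines(lines):
        if req.startswith("-"):          # pip options such as -r / --index-url
            continue
        spec, *opts = req.split()
        hashes = [o for o in opts if o.startswith(HASH_OPT) and len(o) == len(HASH_OPT) + 64]
        if "==" not in spec or not hashes:
            bad.append(req)
    return bad


# --- constructed sample data (not real PyPI records) ------------------------
VETTED = {"author": "original-maintainer", "version": "1.2.0", "sha256": "a" * 64, "last_upload": "2021-05-10T09:00:00"}
CURRENT_REVIVED = {  # name deleted by its owner, then re-registered by someone else
    "info": {"name": "examplepkg", "author": "newcomer", "version": "1.2.1"},
    "releases": {"1.2.1": [{"upload_time": "2024-03-30T14:00:00", "digests": {"sha256": "f" * 64}}]},
}
CURRENT_INTACT = {  # same project, untouched since it was vetted
    "info": {"name": "examplepkg", "author": "original-maintainer", "version": "1.2.0"},
    "releases": {"1.2.0": [{"upload_time": "2021-05-10T09:00:00", "digests": {"sha256": "a" * 64}}]},
}
SAMPLE_REQUIREMENTS = f"""# constructed requirements file
requests>=2.0
examplepkg==1.2.1
safepkg==3.1.4 \\
    {HASH_OPT}{'b' * 64}
""".splitlines()

if __name__ == "__main__":
    for f in check_package("examplepkg", VETTED, CURRENT_REVIVED):
        print(f"{f.package}: {f.signal} ({f.detail})")
    print("unpinned:", unpinned_requirements(SAMPLE_REQUIREMENTS))
```

The three signals are deliberately independent: an owner change alone can be a legitimate handover, a vanished release alone can be a yanked version, but all three together are what a deleted-and-reclaimed name looks like. Hash pinning is the control that works even when the monitoring misses: an attacker who reuses a version number still cannot reproduce the recorded sha256.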
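Worked example for the Zyxel entry above: the flaw class behind CVE-2024-7261, an OS command injection where a value taken from a cookie reaches a shell unvalidated, shown as a minimal CGI diagnostic handler next to its hardened form. This is an added illustration, not Zyxel's firmware code; the `host` cookie name, the `ping` diagnostic and the requests are constructed stand-ins. `vulnerable_command` only returns the command line the unsafe handler would pass to `system()`; nothing here executes it.

```python
"""OS command injection through a crafted cookie, as a minimal CGI handler.
Added example of the flaw class behind CVE-2024-7261; not Zyxel's code.  The
cookie name `host`, the ping command and the requests are constructed."""
from __future__ import annotations

import ipaddress
import re


def parse_cookie(header: str) -> dict[str, str]:
    """Minimal Cookie header parser in the style of embedded CGI code: split on
    ';' and then on the first '='.  Because ';' is the cookie separator, an
    injection payload uses '|', '$(...)' or backticks instead."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            cookies[key.strip()] = value.strip()
    return cookies


def vulnerable_command(cookie_header: str) -> str:
    """Unsafe: the cookie value is spliced into a shell command line, so the
    shell honours every metacharacter the attacker supplies."""
    host = parse_cookie(cookie_header).get("host", "")
    return f"ping -c 1 {host}"          # the real thing would hand this to system()


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, 253 characters total.  No shell metacharacter passes.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_host(value: str) -> str:
    """Accept only an IP literal or a well-formed hostname; reject all else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected host value {value!r}")


def hardened_argv(cookie_header: str) -> list[str]:
    """Safe: validate the value, then pass it as its own argv element so no
    shell ever parses it (execute with subprocess.run(argv), shell=False)."""
    cookies = parse_cookie(cookie_header)
    if "host" not in cookies:
        raise ValueError("missing host cookie")
    return ["ping", "-c", "1", validate_host(cookies["host"])]


def rejects(cookie_header: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_argv(cookie_header)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "lang=en; host=192.0.2.1"
    attack = "lang=en; host=192.0.2.1|id"      # constructed payload: runs `id` after ping
    print("vulnerable would run :", vulnerable_command(attack))
    print("hardened benign argv :", hardened_argv(benign))
    print("hardened rejects attack:", rejects(attack))
```

Two points the example is meant to make: the handler runs before any authentication, which is why the bug is unauthenticated, so the fix cannot rely on a login check; and quoting the value for the shell is a weaker fix than never invoking a shell, which is why the hardened path validates against an allowlist and then uses an argument vector.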
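Worked example for the internet-routing entry above: Route Origin Validation (RFC 6811) over a table of Validated ROA Payloads (VRPs), which is the check the roadmap's RPKI/ROA/ROV measures come down to at the router. This is an added illustration, not code from the roadmap or any vendor. The VRP table uses the CSV layout (`ASN,IP Prefix,Max Length,Trust Anchor`) that RPKI relying-party validators commonly export; its rows and the sample routes are constructed from documentation prefixes (RFC 5737/3849) and private ASNs (RFC 6996), not real routing data.

```python
"""Route Origin Validation (RFC 6811) against a VRP table.
Added example, not code from the ONCD roadmap or any vendor.  VRP rows and
routes below are constructed from documentation prefixes and private ASNs."""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: Network
    max_length: int


def load_vrps(csv_text: str) -> list[VRP]:
    """Parse VRPs from validator-style CSV ('AS64500' or '64500' accepted)."""
    vrps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asn = int(row["ASN"].upper().replace("AS", "", 1))
        vrps.append(VRP(asn, ipaddress.ip_network(row["IP Prefix"]), int(row["Max Length"])))
    return vrps


def validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Classify a (prefix, origin AS) pair as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # A VRP covers the route when the route lies inside the VRP prefix.
    covering = [v for v in vrps if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"      # no ROA speaks for this space: RPKI is silent
    for v in covering:
        # A covering VRP matches when the origin AS agrees and the announced
        # prefix is no longer than maxLength.  AS 0 never matches (RFC 7607):
        # an AS 0 ROA only makes every route it covers invalid.
        if origin_asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"            # covered, but no VRP authorises this origin/length


def classify(routes: Iterable[tuple[str, int]], vrps: Iterable[VRP]) -> dict[str, str]:
    """Validation state per route, keyed 'prefix ASn'."""
    vrps = list(vrps)
    return {f"{p} AS{a}": validate(p, a, vrps) for p, a in routes}


def roa_coverage(routes: Iterable[tuple[str, int]], vrps: Iterable[VRP]) -> float:
    """Share of routes that some ROA covers: the kind of ratio behind
    adoption figures such as the ones quoted in the article."""
    routes, vrps = list(routes), list(vrps)
    covered = sum(1 for p, a in routes if validate(p, a, vrps) != "not-found")
    return covered / len(routes) if routes else 0.0


# --- constructed sample data -------------------------------------------------
SAMPLE_VRPS_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64500,192.0.2.0/24,24,example-ta
AS64500,2001:db8::/32,48,example-ta
AS64496,198.51.100.0/24,24,example-ta
"""
VRPS = load_vrps(SAMPLE_VRPS_CSV)

# (prefix, origin AS) pairs as a router would see them in BGP UPDATEs.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # authorised origin, exact prefix -> valid
    ("192.0.2.0/25", 64500),     # right AS but longer than maxLength -> invalid
    ("192.0.2.128/25", 64511),   # more-specific from another AS, the 2008 YouTube pattern -> invalid
    ("198.51.100.0/24", 64511),  # wrong origin AS -> invalid
    ("203.0.113.0/24", 64511),   # no covering ROA -> not-found
    ("2001:db8:1::/48", 64500),  # IPv6 within maxLength -> valid
]

if __name__ == "__main__":
    for route, state in classify(SAMPLE_ROUTES, VRPS).items():
        print(f"{route:28} {state}")
    print(f"ROA coverage of sample table: {roa_coverage(SAMPLE_ROUTES, VRPS):.0%}")
```

The third sample route is the shape of the 2008 incident the article cites: a more-specific prefix announced by an AS that the address holder never authorised. Because longest-prefix match prefers it, only a router that drops `invalid` routes keeps traffic on the legitimate path; `not-found` is the state of every prefix whose holder has not yet published a ROA, which is why the roadmap's adoption figures matter.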