Daily Brief
Total articles found: 11829
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-26 07:43:05 | thehackernews | MALWARE | Medusa Trojan Expands Globally, Enhancing Stealth and Capabilities | Medusa, an Android banking Trojan, is currently targeting users in seven countries: the US, UK, Canada, France, Italy, Spain, and Turkey. The malware, active since July 2023, uses five different botnets for distribution, showing sophisticated coordination among its affiliates. Cybersecurity firm Cleafy noted that the latest versions of Medusa request fewer permissions and have added features such as full-screen overlays and remote uninstall capabilities to reduce detection. Initially identified in 2020, Medusa has evolved from primarily targeting Turkish financial institutions to a broader geographical scope, incorporating advanced functionality such as keylogging, SMS reading, and unauthorized financial transactions. The Trojan employs dropper apps disguised as benign updates or utilities and leverages platforms like Telegram for command-and-control communications, complicating tracking efforts. Recent adaptations include black screen overlays that mislead users about the operational state of their device to facilitate clandestine operations. The trend indicates a deliberate attempt by threat actors to diversify their victim pool and extend the Trojan's operational longevity, potentially affecting a larger demographic. Comparisons are drawn with other malware campaigns such as Cerberus and SpyMax, highlighting a persistent rise in sophisticated mobile security threats globally. |
| 2024-06-26 05:20:22 | theregister | CYBERCRIME | Yahoo! Japan Waives $189 Million Due to Fraudulent Ad Clicks | Yahoo! Japan will not charge advertisers $189 million after detecting fraudulent clicks, acknowledging that these did not come from real human interactions. The waived amount corresponds to approximately 1.6% of LY Corporation's revenue, a significant financial hit for investors. LY Corporation, the parent company formed by the merger of Yahoo! Japan and LINE in 2020, announced improvements in overall ad quality despite the financial hit. Transparency reports revealed a reduction in unapproved advertising materials from over 133.5 million in 2022 to under 97 million in 2023. The number of fraudulent advertiser accounts remained stable, with 7819 detected in 2023 compared to 7893 in the prior year. Proving that ads are clicked by real humans is a widespread problem in the online advertising industry, affecting major platforms such as Google and Reddit. Ad fraud has been a persistent issue, with notable cases and investigations reported as far back as 2004. |
| 2024-06-26 04:29:11 | thehackernews | CYBERCRIME | Over 110,000 Sites Compromised in Polyfill.io Supply Chain Attack | Google has blocked ads on sites using Polyfill.io following a supply chain attack that began after the domain was acquired by a Chinese CDN company. Over 110,000 websites using the JavaScript library from Polyfill.io are redirecting users to malicious sites. Original creator Andrew Betts warned users against using the library, stressing that modern browsers already support the needed features. Alternative solutions have been provided by companies such as Cloudflare and Fastly following the security concerns. The domain cdn.polyfill.io has been modified to inject malware, selectively redirecting traffic to unwanted sites. The attack avoids detection by not executing in the presence of web analytics and admin users. The attack raises a broader security concern, with potential remote code execution when combined with other exploits such as CVE-2024-2961. Continuous risk mitigation efforts are necessary, as highlighted by ongoing threats and vulnerabilities in web security infrastructure. |
| 2024-06-26 03:46:44 | theregister | MISCELLANEOUS | Study Reveals Misuse of Trackers in Crime and Domestic Violence | An Australian study, Project Hakea, conducted by the Crime Commission in New South Wales, has uncovered widespread misuse of tracking devices by organized crime groups and individuals involved in domestic violence. The top 100 buyers of tracking devices, including GPS trackers and Bluetooth trackers such as Apple AirTags, were found to be significantly more likely to have a history of violence or connections to organized crime. The study linked these devices to over 20 serious criminal incidents since 2016, including murders, kidnappings, and drive-by shootings, highlighting their role in facilitating organized crime. Misuse of tracking devices in domestic violence cases was also a significant finding, with a large percentage of offenders telling victims about the trackers in order to intimidate or control them. The Crime Commission's report recommended stricter regulation of the sale of tracking devices and of the promotion of their illegal uses to help curb their role in criminal activity. Anti-stalking features in smartphones, and calls for more manufacturers to support these protections, were also emphasized as necessary steps to mitigate unauthorized tracking. The connection between criminal use of trackers and domestic violence suggests a disturbing trend of technology misuse that calls for prompt legal and regulatory action. |
| 2024-06-26 01:08:47 | theregister | DATA BREACH | Over One Million Patient Records Stolen in Nuance Security Lapse | Geisinger, a major U.S. healthcare provider, announced that over a million patient records were likely stolen due to a security breach at Microsoft-owned Nuance Communications. The breach was traced to unauthorized access by a former Nuance employee whose system access was not promptly revoked after termination. The sensitive data involved included birth dates, addresses, hospital records, and demographic details; no financial information was reported stolen. The incident was detected on November 29, and Nuance cut off the ex-employee's access immediately after being alerted by Geisinger. Law enforcement delayed notification to patients so as not to compromise the ongoing investigation, which delayed public disclosure. The accused ex-employee has been arrested and is facing federal charges, although the specific charges have not been detailed. This breach is part of a concerning pattern at Nuance, recalling a similar incident in 2018, and raises questions about Microsoft's overarching security measures given recent related criticism. |
| 2024-06-26 00:48:09 | theregister | DATA BREACH | Massive Patient Data Theft Linked to Lax Subsidiary Security Practices | Geisinger, a major US healthcare provider, announced that over a million patient records may have been stolen following a security breach tied to Microsoft-owned Nuance Communications. The breach was attributed to a former Nuance employee who retained access to sensitive files after being terminated, leading to unauthorized data extraction two days after dismissal. The compromised data included birth dates, addresses, hospital admission and discharge records, and other personal medical details, although no financial information was reportedly taken. Nuance and Geisinger collaborated with law enforcement, leading to the arrest of the ex-employee, who faces federal charges that have not yet been disclosed. This incident surfaces amid previous accusations against Nuance of similar security failings, including a 2018 incident involving the San Francisco Department of Public Health. Jonathan Friesen, Geisinger's chief privacy officer, expressed regret over the incident and reaffirmed ongoing cooperation with authorities to address the data breach. The incident casts a negative light on Microsoft, reflecting broader criticism of its subsidiary's lax security measures and raising concerns about national security implications. |
| 2024-06-25 23:51:49 | theregister | MALWARE | Over 100,000 Websites Infected After Malicious Takeover of Polyfill.io | More than 100,000 websites are serving malware following the takeover of the polyfill.io domain by Chinese CDN operator Funnull. Security experts urge the immediate removal of all scripts sourced from polyfill.io to prevent further malicious activity. Google has started blocking ads on affected websites to minimize the victim count and has notified site owners of the security risks. The domain was originally intended to offer JavaScript polyfills that add missing functionality to older browsers, but it now serves malicious code. Funnull's acquisition of the polyfill.io domain and its GitHub account in February has led to a substantial web supply chain attack. Websites such as JSTOR, Intuit, and the World Economic Forum, which used this service, may be compromised. Alternative CDN links from providers such as Fastly and Cloudflare have been created as a safe replacement for the compromised service. Malware injection is dynamic, based on the HTTP headers sent by user devices, resulting in a variety of potential attack vectors. |
| 2024-06-25 20:32:47 | theregister | DATA BREACH | Neiman Marcus Hit by Data Theft; Personal Info Sold on Dark Web | Neiman Marcus customer data was stolen from its Snowflake storage and offered for sale for $150,000 on the dark web. An intruder accessed the personal information of 64,472 customers, including names, contact details, birth dates, and gift card numbers. Multi-factor authentication (MFA) may not have been enabled, a common oversight in recent Snowflake breaches. Upon discovery, Neiman Marcus disabled access to the compromised database, initiated a cybersecurity investigation, and informed law enforcement. A spokesperson confirmed that the data did not include credit card details but did include some Social Security number digits and extensive customer transaction data. Neiman Marcus vows to enhance its security measures following the breach. The breach is part of a larger pattern, with at least 165 organizations affected by similar Snowflake-linked data thefts. |
| 2024-06-25 19:26:19 | bleepingcomputer | MALWARE | Malware Compromise Affects WordPress Plugins, Threatens Thousands of Sites | Plugins on WordPress.org were modified to include backdoors as part of a supply chain attack that compromised at least five plugins. Malicious PHP scripts were injected to create unauthorized admin accounts and inject SEO spam. The attack was detected by Wordfence, which promptly notified the plugin developers; most affected products have since been patched. Over 35,000 websites could be affected, and immediate malware scans are recommended for sites showing suspicious admin accounts or network traffic. The compromised plugins were identified between June 21 and June 22, though the exact method of the breach remains under investigation. The backdoor allows attackers to create admin accounts named "Options" and "PluginAuth" and to send data to an attacker-controlled IP. Some impacted plugins were temporarily removed from WordPress.org, which may trigger user warnings even on updated and secured versions. |
| 2024-06-25 18:30:05 | theregister | CYBERCRIME | Crypto Scammers Impersonate Lawyers, Defraud Victims of $10M | The FBI reported that crypto scammers stole approximately $10 million by posing as attorneys who could help recover lost cryptocurrency. Between February 2023 and 2024, these criminals targeted U.S. victims already hit by previous scams, offering fraudulent recovery services for a fee. Fake law firms contacted victims through social media and messaging platforms, falsely claiming authority to conduct fraud investigations and sometimes impersonating government agencies. Scammers required victims to pay upfront fees for services, taxes, and other charges, often ceasing communication once payments were received. The FBI's Internet Crime Complaint Center (IC3) specifically warns against this type of fraud, advising the public to verify any such recovery service and to confirm any claimed affiliation with a legitimate agency. Consumers and businesses are advised to be cautious and to refrain from sharing personal or financial information with unverified parties. The Department of Financial Protection and Innovation provides resources such as a crypto scam tracker to help the public identify known scams. This scam is part of a larger trend in which crypto-related crime has caused substantial financial losses, exceeding those caused by ransomware in terms of damage to the U.S. economy. |
| 2024-06-25 18:14:32 | bleepingcomputer | CYBERCRIME | Over 100,000 Websites Compromised in Polyfill.io Supply Chain Attack | The Polyfill.io service, widely used to enable modern JavaScript functionality on older browsers, was corrupted after its acquisition by Chinese company Funnull. Cybersecurity firm Sansec warned that the domain and associated GitHub account were purchased by Funnull, which then modified the script to inject malicious code. The malicious script redirects users to scam sites, such as fake sportsbook sites, via a deceptive Google Analytics look-alike domain and specific URL redirects. Cloudflare and Fastly have established trusted mirrors of the Polyfill.io service to mitigate risk and ensure continuity for users who depend on its functionality. The original Polyfill service developer noted that most modern web platforms swiftly adopt new features, reducing the need for such polyfills. Google has started notifying advertisers of the potential risks posed by these redirects, which may affect landing page traffic and integrity. The security research community has found it challenging to fully analyze the script because of its protection against reverse engineering and its targeted activation criteria. |
| 2024-06-25 17:02:58 | bleepingcomputer | MALWARE | New Medusa Malware Variant Targets Users in Seven Nations | The Medusa banking trojan, also known as TangleBot, is actively targeting Android users in France, Italy, the US, Canada, Spain, the UK, and Turkey with sophisticated new variants. Activity observed since May shows the malware requires fewer permissions but includes advanced features such as full-screen overlays and screenshot capture to facilitate fraudulent transactions. Distribution is associated with five different botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) and relies on SMS phishing to install malicious dropper apps. The dropper apps masquerade as legitimate applications such as the Chrome browser, 5G apps, and a streaming app named 4K Sports, notably exploiting UEFA EURO 2024 as bait. Medusa's infrastructure leverages public social media profiles to dynamically fetch command-and-control server URLs, centralizing campaign coordination. The enhanced Medusa variants have minimized their footprint on devices while retaining the permissions needed to abuse Android's Accessibility Services, which is crucial for executing malicious tasks undetected. Recent changes removed 17 commands from the malware and added five new ones, increasing its stealth and functionality. Although not yet observed on Google Play, the broadening participation in the malware-as-a-service (MaaS) operation indicates increasing threat levels and more sophisticated distribution methods. |
| 2024-06-25 14:54:55 | bleepingcomputer | DATA BREACH | Neiman Marcus Reports Data Breach Affecting Over 64,000 People | Neiman Marcus confirmed a data breach impacting 64,472 individuals due to unauthorized access to its Snowflake database platform. Hackers accessed personal information including names, contact details, dates of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers. The breach was discovered after an online attempt to sell the stolen data by a data thief associated with the recent wide-scale Snowflake data thefts. Although gift card numbers were exposed, the breach did not expose gift card PINs, so the cards remain usable. Neiman Marcus disabled access to the compromised database and collaborated with cybersecurity experts and law enforcement in its response. The incident is linked to UNC5537, a financially motivated threat actor known for using stolen credentials to breach accounts and extort organizations. The absence of multi-factor authentication on the impacted accounts facilitated the unauthorized access, highlighting the importance of stronger security measures. |
| 2024-06-25 14:44:27 | bleepingcomputer | DATA BREACH | Neiman Marcus Hit by Data Breach Linked to Snowflake Attacks | Neiman Marcus confirmed a data breach impacting 64,472 individuals, following attempts by hackers to sell the stolen data. Unauthorized access to a database was gained between April and May 2024 by a third party, exposing personal details such as names, contact information, dates of birth, and gift card numbers. The breach is connected to a larger series of data thefts involving Snowflake database platforms, with a threat actor named "Sp1d3r" attempting to sell the data. Although gift card numbers were exposed, the PINs were not compromised, so the gift cards remain valid. Neiman Marcus has responded by disabling the affected database platform, conducting an investigation with cybersecurity experts, and contacting law enforcement. "Sp1d3r", the threat actor involved, reportedly tried to extort Neiman Marcus before offering the data on a hacking forum; the listing was later removed, possibly because of negotiations. A broader investigation involving Snowflake, Mandiant, and CrowdStrike has linked the threat actor tracked as UNC5537 to breaches affecting at least 165 organizations. |
| 2024-06-25 14:13:33 | bleepingcomputer | CYBERCRIME | FBI Alerts on Fake Law Firms Scamming Crypto Victims | The FBI has issued a warning about cybercriminals posing as law firms that offer cryptocurrency recovery services to victims of investment scams. Scammers have convinced victims of their legitimacy by falsely claiming associations with legitimate government agencies such as the FBI and with financial institutions. These fraudulent outfits typically ask for personal information and payment while falsely promising to recover lost digital assets. From February 2023 to February 2024, victims paid over $9 million to these fake recovery services, according to IC3 data. Federal and state authorities can actually trace and potentially recover stolen cryptocurrency, but they do not charge fees or proactively contact victims to request personal information. The public is advised to thoroughly investigate any service claiming it can recover cryptocurrency and to report any suspicious interactions to the IC3. No private company is authorized to issue seizure orders for digital assets, which means that many social media and internet ads making such claims are scams targeting new victims. |