Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-24 19:10:06 | bleepingcomputer | MALWARE | GrimResource Exploit Targets Unpatched Windows XSS Flaw | A novel attack method, named GrimResource, leverages MSC files and a longstanding, unpatched Windows XSS vulnerability to execute arbitrary code via Microsoft Management Console. The shift to using MSC files for phishing attacks followed Microsoft's mitigation strategies against macros in Office and security enhancements in handling ISO and ZIP files. Researchers from Elastic discovered this technique by analyzing a sample uploaded as 'sccm-updater.msc' to VirusTotal, which was not detected by any antivirus engine. The actual flaw exploited is a DOM-based XSS vulnerability in the 'apds.dll' library that has not been patched since it was reported in 2018. The deployment mechanism involves JavaScript handling within MMC, using a technique called DotNetToJScript, to execute .NET code and eventually deliver a Cobalt Strike payload. Microsoft has given no official response on whether this XSS flaw has been patched as of the latest updates to Windows 11. System administrators are urged to monitor for and defend against suspicious MSC file activity as outlined in Elastic Security's GitHub repository, which contains GrimResource indicators and YARA rules. |
| 2024-06-24 19:04:44 | bleepingcomputer | MALWARE | Novel GrimResource Attack Exploits MSC Files and Windows XSS Flaw | A new malware technique named GrimResource utilizes MSC files and an unpatched Windows XSS flaw for command execution. Attackers turned to MSC files following Microsoft's previous security enhancements on other file types, showcasing adaptive threat tactics. The GrimResource technique specifically abuses the 'apds.dll' cross-site scripting vulnerability, unaddressed since 2018, to execute JavaScript via Microsoft Management Console. A recent malicious file using this technique was found on VirusTotal in June 2024, deploying the Cobalt Strike toolkit without being detected by antivirus software. Microsoft has not yet patched the XSS vulnerability in the latest Windows 11 version, as confirmed by recent investigations. The attack works by embedding malicious JavaScript in MSC files that, when executed, exploits the XSS flaw to run arbitrary .NET code through the DotNetToJScript technique. System administrators are alerted to watch for suspicious MSC activity and to implement the detection tools provided by security researchers for proactive defense. |
| 2024-06-24 18:08:24 | theregister | CYBERCRIME | Major Cyber Incident Disrupts Operations at CDK, Affects US Car Dealers | CDK Global, a prominent software provider for nearly 15,000 U.S. car dealerships, suffered a significant cyber incident, causing disruption in managing sales, accounting, and inventory systems. The incident led to multiple companies filing Form 8-Ks with the SEC, signifying major disruptions and activating their incident response protocols. Affected dealerships experienced disruptions, with some resorting to manual operations; the impact varied, with some reporting substantial disruptions particularly affecting sales in North America. Recovery timelines are uncertain, with CDK suggesting a restoration timeframe of days instead of weeks, amidst ongoing recovery efforts. Rumors indicate CDK may pay a ransom to an Eastern European cybercrime gang, with the demanded amount possibly reaching tens of millions of dollars. The situation remains dynamic, with CDK partnering with third-party experts to mitigate the impact and restore normal operations, keeping stakeholders informed through continuous updates. |
| 2024-06-24 17:37:35 | bleepingcomputer | CYBERCRIME | Four FIN9 Hackers Indicted for Multimillion-Dollar Cyber Heists | Four members of the cybercrime group FIN9, all Vietnamese nationals, have been federally indicted in the U.S. for orchestrating extensive cyberattacks that resulted in over $71 million in losses. The individuals conducted their criminal activities from May 2018 to October 2021, engaging in sophisticated phishing, malware attacks, and exploitation of third-party network vulnerabilities. Their operations included targeting individuals within companies to steal credentials and accessing vendor systems critical to the victims' operations to facilitate network breaches. Once inside the networks, the hackers exfiltrated sensitive information such as financial details, employee data, and credit card information, which they monetized through crypto transactions and other means. Notably, in one incident, they infiltrated a company's employee benefits system to issue thousands of gift cards valued at about $1 million to email accounts they controlled. The potential legal consequences for the indicted individuals include several decades of imprisonment, with charges encompassing conspiracy to commit fraud, wire fraud, and identity theft, among others. The DOJ's investigation underscores the extensive measures taken by authorities to trace and prosecute cybercriminals, demonstrating that neither technological barriers nor international borders effectively shield perpetrators from U.S. legal action. |
| 2024-06-24 15:04:03 | thehackernews | MISCELLANEOUS | Google Launches Project Naptime for AI-Driven Security Research | Google has unveiled Project Naptime, a new AI framework designed to improve how vulnerabilities are discovered and analyzed. Project Naptime leverages a large language model (LLM) to mimic the processes used by human security researchers in recognizing and demonstrating security vulnerabilities. Key features include a Code Browser for code navigation, a sandboxed Python tool for script execution, a Debugger for behavior observation, and a Reporter for progress monitoring. The system allows for more continuous operations, affording human researchers the ability to "take regular naps" while the AI conducts its analyses. Project Naptime's architecture is built to support multiple models and backends, enhancing its versatility and effectiveness in identifying complex security issues like buffer overflows and advanced memory corruption. According to benchmarks from CYBERSECEVAL 2, Project Naptime achieved significantly higher scores in reproducing and exploiting security flaws compared to previous AI models like OpenAI GPT-4 Turbo. This initiative reflects Google's broader commitment to integrating advanced AI capabilities within cybersecurity practices. |
| 2024-06-24 14:58:42 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Suspected in CoinStats Wallet Breach | CoinStats, a cryptocurrency portfolio management app, reported a security breach affecting 1,590 of its hosted wallets, which is about 1.3% of all such wallets on its platform. The breach, suspected to have been executed by North Korean hackers potentially linked to the notorious Lazarus Group, did not affect externally connected wallets or centralized exchanges. Users whose wallets were hosted directly on CoinStats and appeared on the compromised list were advised to immediately transfer remaining funds to external wallets. Despite CoinStats sharing a list of compromised wallets, some users report unauthorized withdrawals from wallets not included in the initial list, hinting at a possibly larger impact. Scammers are exploiting the situation by promoting fake refund programs through social media, aiming to deceive users into giving away access to their cryptocurrencies. CoinStats has currently shut down its website and app as it continues to investigate and address the security breach. |
| 2024-06-24 14:43:01 | theregister | MALWARE | Mirai-Like Botnet Attacks on Outdated Zyxel NAS Devices Reported | Critical vulnerabilities in end-of-life Zyxel NAS devices are being exploited by a Mirai-like botnet. The Shadowserver Foundation detected active remote command execution attempts, signaling an imminent threat to unpatched NAS devices. CVE-2024-29973, a command injection flaw, was disclosed in early June alongside two other severe vulnerabilities, with a severity rating of 9.8. Owners are urged to either apply patches immediately or replace outdated hardware to mitigate risks. The Mirai botnet resurgence has been spotted with new exploits targeting IoT devices including Zyxel, highlighting ongoing cybersecurity challenges. Botnet activities like these capitalize on the minimal security defenses typical of older NAS devices. Patched firmware versions V5.21(AAZF.17)C0 for NAS326 and V5.21(ABAG.14)C0 for NAS542 have been provided, with recommendations for prompt application. |
| 2024-06-24 14:07:06 | bleepingcomputer | MISCELLANEOUS | Evaluating Cybersecurity Vendors on Vulnerability Disclosure Practices | Cybersecurity vendors must prioritize robust security throughout the product lifecycle and continuously innovate and make improvements. Vendors' responses to discovered errors can range from public disclosure to silent fixes, which may leave users at risk or inadequately prepared. Organizations are encouraged to engage with vendors that demonstrate a commitment to responsible development and standardized ethical disclosure practices. It is critical for vendors to conduct thorough internal and external testing to detect vulnerabilities before they can be exploited by malicious entities. The ratio of internally versus externally discovered vulnerabilities can indicate a vendor's diligence and effectiveness in proactive security testing. Responsible disclosure practices are essential for cybersecurity, allowing efficient remediation of vulnerabilities and preemptive protective measures for users. Vendors should maintain transparent and documented processes for vulnerability disclosure to foster trust and ensure client security. Assessing a vendor's adherence to industry best practices and policies, like CISA's Secure-by-Design, is crucial when choosing a cybersecurity provider. |
| 2024-06-24 13:56:40 | thehackernews | CYBERCRIME | Critical Security Flaw Uncovered in Ollama AI Deployment Tool | A severe remote code execution (RCE) vulnerability, designated CVE-2024-37032, was discovered in the Ollama open-source AI infrastructure platform. The vulnerability, named Probllama, allows path traversal through inadequate input validation, enabling attackers to overwrite arbitrary files. Successful exploitation requires sending specially crafted HTTP requests to the Ollama API server, specifically targeting the "/api/pull" endpoint. Researchers identified that the lack of authentication on the API server, combined with how it is configured in Docker deployments, exacerbated the risk by facilitating remote exploitation. The issue was responsibly disclosed to the developers by the security firm Wiz on May 5, 2024, and patched two days later in version 0.1.34. Over 1,000 unprotected Ollama instances were reportedly exposed online, potentially offering attackers access to multiple AI models and self-hosted AI servers. The disclosure highlights ongoing security vulnerabilities in modern AI infrastructure, despite advancements in programming and deployment practices. The broader context includes 60 additional security defects found across various open-source AI/ML tools by AI security company Protect AI, underscoring the growing concerns in AI cybersecurity. |
| 2024-06-24 13:46:10 | bleepingcomputer | MALWARE | Rafel RAT Malware Targets Outdated Android Devices Globally | Rafel RAT, an Android malware, is being utilized in over 120 campaigns by various cybercriminals, including known actors like APT-C-35. Major targets include outdated Android devices, particularly those running versions 11 and earlier, which are no longer supported with security updates. High-profile organizations in government and military sectors across the US, China, and Indonesia have been compromised. The malware spreads through deceptive tactics, mimicking popular apps like Instagram and WhatsApp to facilitate the download of malicious APKs. Rafel RAT requests invasive permissions during installation, allowing it to run persistently in the background and evade battery optimization measures. The ransomware module of Rafel RAT can encrypt files, change lock screen passwords, and display a custom ransom message urging victims to make contact via Telegram. In one example, an attack from Iran involved preliminary reconnaissance before executing the ransomware, which altered device functionality and demanded a ransom. Recommendations to mitigate the risk include avoiding downloads from untrusted sources, cautious engagement with unsolicited links in messages, and using Play Protect for app verification. |
| 2024-06-24 12:54:54 | theregister | MISCELLANEOUS | UK MoD's £174M Spending on Delayed Radio System Draws Criticism | The UK Ministry of Defence has reportedly spent £174 million on external advice for the Morpheus radio system project. The Morpheus project, intended to replace the aging Bowman radio system, has been fraught with delays and has already cost £766 million. Originally set for deployment in 2025, the introduction of the Morpheus system is now postponed until after 2031 due to ongoing issues. A significant contract with General Dynamics, worth £395 million, was terminated in December after failing to meet project expectations. The Financial Times highlights concerns about the MoD's procurement strategy, citing excessive spending and lack of timely progress on key military technology projects. Despite setbacks, the MoD asserts that the Bowman system remains secure and capable, receiving updates to bridge the gap until Morpheus is ready. |
| 2024-06-24 11:22:25 | thehackernews | MISCELLANEOUS | AI Tool Eases Cybersecurity Reporting and Analysis | Cybersecurity professionals are overstretched, handling larger workloads with limited resources, and are considering career changes due to heightened stress levels. The effective utilization of Cyber Threat Intelligence (CTI) is hindered by various challenges, including interoperability issues, funding shortages, and a global skills gap of approximately 4 million cybersecurity positions. A significant portion of cybersecurity teams' time is consumed in producing detailed reports for stakeholders, mainly driven by media reports on emerging threats. The Cybersixgill IQ Report Generator attempts to alleviate these burdens by automating the generation of comprehensive CTI reports using generative AI technology. The tool customizes reports to meet specific needs, catering to different audiences from board members to technical teams, which enhances understanding and accelerates decision-making. Automation in report generation allows cybersecurity teams to dedicate more resources towards proactive cybersecurity measures and to better manage existing skill shortages. Cybersixgill's tool ultimately seeks to empower security teams by efficiently communicating risk and required actions, thereby improving organizational cybersecurity posture. |
| 2024-06-24 10:36:31 | theregister | DATA BREACH | Major Data Breaches Hit Levi's, FBCS, and LivaNova Last Week | Levi's disclosed a data breach affecting over 72,000 customers due to a credential stuffing attack, exposing personal and partial payment information. Financial Business and Consumer Solutions (FBCS) revised its breach impact up to 3.435 million people, with Social Security numbers and account info among the exposed data. LivaNova, a medical device manufacturer, reported a data breach affecting 129,219 individuals, with sensitive personal and medical information stolen. All affected companies have notified victims and offered credit monitoring services in response to the breaches. Levi's confirmed its systems were not compromised but that it fell victim to credentials stolen from an external source. FBCS has made multiple notifications to state attorneys general as the extent of its breach expanded. LivaNova was targeted in a ransomware attack by the LockBit group; however, it did not directly use the term "ransomware" in public disclosures. |
| 2024-06-24 08:33:59 | theregister | DATA BREACH | Outdated SQL Servers and Meta's AI Data Dilemma Pose Risks | Meta complies with EU regulations to exclude European social media data from AI training, raising concerns about language processing and potential biases in AI models. Approximately 20% of Microsoft SQL Server instances are beyond their support end date, posing significant security risks due to the lack of updates and patches. Outdated databases, crucial for holding sensitive and critical data, remain neglected, increasing the risk of data breaches and ransomware attacks. The article draws parallels between regulatory enforcement in food safety and the potential for similar approaches in software and services to ensure cyber hygiene. The lack of rigorous enforcement and regulation in cyber standards leads to significant vulnerabilities, much as lapses in food safety standards result in health risks. The insurance industry could play a role in enforcing cybersecurity measures by adjusting coverage based on software compliance status. The article calls for a systematic application of risk control and evidence-based regulation in software to balance innovation with security. |
| 2024-06-24 07:57:44 | thehackernews | NATION STATE ACTIVITY | State-Linked RedJuliett Espionage Targets Multiple Global Organizations | RedJuliett, a state-sponsored cyber espionage group believed to be based in China, has targeted 75 Taiwanese organizations along with entities in several other countries including the U.S., South Korea, and Kenya. The campaign, active between November 2023 and April 2024, primarily hit government, academic, technology, and diplomacy sectors. The group employs techniques such as exploiting internet-facing devices, using SQL injection and directory traversal exploits, and utilizing SoftEther software for tunneling malicious traffic. Recorded Future's Insikt Group identifies deployment tactics like the China Chopper web shell to maintain persistence in compromised networks and occasional use of Linux vulnerabilities such as DirtyCow. The espionage efforts are thought to be in service of Beijing's intelligence collection aimed at gathering economic and diplomatic intelligence from Taiwan. RedJuliett leverages both threat actor-controlled servers and compromised infrastructure, including systems from Taiwanese universities, to orchestrate its attacks. The group's methodology focuses on internet-facing devices because their typically weaker security measures make it easier to scale initial access. |