Daily Brief


Total articles found: 11828

2024-06-24 07:31:57 theregister MISCELLANEOUS Tech Error Leads to Offensive Script in Call Center
A technical employee, Hugh, was working on updating scripts at a Florida call center using an Ubuntu system and ViciDial. The call center, described as selling unnecessary items and preventing cancellations, had no test environment, so all changes were made in production. Hugh, during idle time, was browsing adult humor websites and copied some jokes to his clipboard. Mistakenly, the inappropriate jokes were pasted into the live sales scripts, which were then read by 300 sales agents to potential customers. This resulted in an uproar and management demanded an explanation for the inappropriate content in the scripts. Hugh falsely blamed the incident on a technical issue supposedly caused by a previous admin’s negligent file management. Ultimately, Hugh avoided responsibility for the mishap by blaming it on an erroneous update and a former employee's misconduct. The incident inadvertently prevented hundreds of customers from receiving unwanted sales calls.
2024-06-24 05:09:08 thehackernews MALWARE Iranian Cyber Espionage Uses Rafel RAT for Widespread Android Attacks
Multiple cyber espionage groups, including Iranian threat actors, are exploiting an open-source Android RAT named Rafel RAT disguised as popular apps like Instagram and WhatsApp. Rafel RAT enables attackers to perform various malicious tasks including wiping SD cards, deleting call logs, stealing notifications, and acting as ransomware. A significant cyber attack in April 2024 by DoNot Team utilized Rafel RAT, exploiting vulnerabilities in Foxit PDF Reader with military-themed PDF lures. Check Point Research identified around 120 different malicious campaigns using Rafel RAT targeting various international locations like the U.S., Australia, and China. Predominantly, victims with out-of-date Android phones from manufacturers like Samsung, Xiaomi, Vivo, and Huawei were targeted, comprising 87.5% of infected devices. Attack methods include social engineering to persuade victims to grant intrusive permissions, allowing theft of sensitive data such as SMS messages and contact info. Rafel RAT communicates with threat actors via HTTP(S) and Discord APIs, and features a PHP-based control panel for attackers. The surge in Rafel RAT incidents stresses the urgent need for increased vigilance and improved security practices to protect Android devices.
2024-06-24 02:16:01 theregister DATA BREACH Snowflake Data Breach Expands Impact; Multiple Victims Identified
Snowflake's security breach has affected over 165 entities, including significant businesses like Ticketek and Advance Auto Parts. Ticketek recently alerted its customers to a security incident exposing personal details due to the breach. Advance Auto Parts confirmed unauthorized access to employee and applicant information, including SSNs. A hacker from ShinyHunters admitted to breaching Snowflake through third-party vendors, not direct system penetration. Snowflake is enforcing stricter security measures, pushing for mandatory multifactor authentication among its users. A related report highlights ongoing ransomware extortion impacting CDK, affecting its car dealership operations across the US. Global software threats continue, with notable vulnerabilities addressed in Juniper Secure Analytics products. IntelBroker's sale of alleged Apple internal tools turned out to be misinformation, with the actual data pertaining only to Apple's SSO integrations for internal use.
2024-06-23 14:13:16 bleepingcomputer CYBERCRIME PrestaShop Module Exploit Allows Credit Card Data Theft
Hackers are exploiting a vulnerability in the pkfacebook module for PrestaShop to deploy card skimmers on e-commerce sites. The flaw, identified as CVE-2024-36680, is an SQL injection vulnerability within the module's facebookConnect.php script. Despite claims by Promokit that the vulnerability was previously fixed, there is no supporting evidence and active exploitation is ongoing. The affected pkfacebook add-on, used by PrestaShop operators, allows users to engage via Facebook for comments and communications. Security analysts have exposed active instances where the bug is currently being exploited to steal credit card details from online shoppers. All versions of the module up to 1.0.1 are confirmed vulnerable, with uncertainty around patches as the latest version on Promokit's website is 1.0.0. The National Vulnerability Database and security groups recommend that all versions be assumed vulnerable and advise urgent mitigation. There was a similar incident two years prior when PrestaShop issued warnings and fixes for modules vulnerable to similar SQL injection attacks.
2024-06-23 10:39:26 theregister MALWARE Study Highlights High Risk of Malicious Extensions in Chrome Store
A recent study suggests the prevalence of Security-Noteworthy Extensions (SNEs) in the Chrome Web Store is much higher than Google's reported figures. Researchers identified SNEs as extensions that contain malware, violate store policies, or have vulnerable code, posing significant security threats to users. Over 346 million installations of SNEs were recorded in the past three years, with millions potentially exposed to malware and policy violations. The Chrome Web Store struggles with long-lasting malicious extensions; some remained available for years, with the longest-surviving malicious extension available for 8.5 years. User reviews were found ineffective in identifying malicious or vulnerable extensions, indicating a need for more robust vetting processes by Google. The study calls for better incentives for developers to update and secure extensions, noting that many do not undergo updates, missing crucial security enhancements. Researchers also recommended monitoring for code similarities among extensions to detect vulnerabilities shared across multiple utilities. Although Google has initiated some improvements, including the transition from Manifest V2 to Manifest V3 to enhance security, researchers and users urge more rapid advancements in safety measures.
2024-06-22 19:12:21 bleepingcomputer RANSOMWARE CDK Global Faces Ransomware Crisis, BlackSuit Ransomware Implicated
CDK Global, a major SaaS provider for car dealerships, suffered a significant IT outage due to a ransomware attack by the BlackSuit gang. The disruption forced CDK Global to shut down their IT systems, affecting car sales and service operations across North America. Major car dealership corporations such as Penske Automotive Group and Sonic Automotive were also impacted, resorting to manual operations due to the system outages. CDK Global is actively negotiating with the BlackSuit ransomware gang to obtain a decryptor and prevent the leak of stolen data. The BlackSuit ransomware, believed to be a continuation of the Royal ransomware operation linked to the Conti cybercrime syndicate, started its activities under this new name in 2023. Both the FBI and CISA have issued warnings about the BlackSuit/Royal ransomware, highlighting its attacks on over 350 organizations and accruing over $275 million in ransom demands since 2022.
2024-06-22 14:22:15 bleepingcomputer MALWARE Ratel RAT Malware Targets Outdated Android Systems for Ransom
Ratel RAT, an open-source Android malware, primarily attacks outdated Android devices, demanding ransoms via a Telegram module. Over 120 campaigns deploying Ratel RAT have been identified, with significant activity traced back to Iran, Pakistan, and known groups like APT-C-35. The malware has successfully infiltrated high-profile targets, including government and military organisations predominantly in the US, China, and Indonesia. Victims predominantly use Android 11 or older versions, which represent 87.5% of cases, making them vulnerable due to lack of security updates. Malicious APKs masquerading as legitimate apps from brands like Instagram and WhatsApp are the primary method of spreading Ratel RAT. The malware gains extensive permissions during installation, allowing it to run persistently in the background and execute various malicious activities. Key commands include ransomware execution, where the malware can encrypt files, change lock screens, and even control device functions if admin rights are obtained. Protection recommendations include avoiding untrusted APK downloads, refraining from clicking suspicious links, and using Play Protect for app scans.
2024-06-22 11:34:05 thehackernews CYBERCRIME ExCobalt Cyber Gang Deploys New Backdoor in Russian Sectors
ExCobalt, a cybercrime group, has been actively targeting Russian organizations using a novel Golang-based backdoor named GoRed. Originating from the remnants of the infamous Cobalt Gang, ExCobalt engages primarily in cyber espionage activities and has been operational since at least 2016. The attack strategy focuses on multiple sectors including government, IT, metallurgy, mining, software development, and telecommunications. Initial infiltration often leverages a compromised contractor or a supply chain attack, where malware-infected components are embedded in legitimate software. ExCobalt employs a variety of tools for executing commands and extracting sensitive information, utilizing exploits for Linux privilege escalation and other sophisticated techniques. GoRed facilitates remote execution, credential access, and data harvesting, communicating via the RPC protocol with its command-and-control server. The cyber gang has demonstrated continuous development and refinement of their tools and tactics to evade detection and adapt to enhanced security measures.
2024-06-22 11:08:23 thehackernews MALWARE New Adware AdsExhaust Targets Users via Bogus Meta Quest App
A new adware campaign misleads users into downloading a malicious Meta Quest app clone, infecting devices with AdsExhaust adware. AdsExhaust is capable of capturing screenshots, simulating keystrokes, and interacting with browsers to generate ad revenue through fraudulent clicks and redirects. The infection initiates from a website shown in Google search results due to SEO poisoning, prompting downloads of a malicious ZIP file that installs the adware. Once installed, AdsExhaust performs actions when Microsoft Edge is idle, including opening new tabs, clicking on ads, and navigating to specific URLs. It employs various techniques to remain stealthy, such as creating overlays to conceal actions, detecting user interaction to close browsers, and specifically targeting ads labeled "Sponsored". Additionally, it can fetch keywords from a server, using them to perform Google searches to inflate ad interactions further. Related malware threats and tactics are emerging, such as Hijack Loader leading to Vidar Stealer infections, highlighting the increased sophistication and prevalence of cyber threats.
2024-06-22 08:20:35 theregister NATION STATE ACTIVITY US Government Enforces Ban on Kaspersky Lab Products
The US government has issued a ban on the sale of Kaspersky Lab products in America starting late July. From October, Kaspersky will also be prohibited from issuing updates and malware signatures. Top executives at Kaspersky Lab, except CEO Eugene Kaspersky, have been sanctioned by the US. The sanctions and product bans are part of escalating cybersecurity concerns involving the Russia-based company. These developments were discussed by cybersecurity experts and journalists in a recent video and podcast session. The session included various viewpoints on the implications of the ban and its potential impacts on cybersecurity practices. Kaspersky Lab has faced scrutiny due to allegations of ties with Russian national interests, influencing these US government decisions.
2024-06-22 06:02:42 thehackernews NATION STATE ACTIVITY U.S. Imposes Sanctions on Kaspersky Executives, Cites Security
The U.S. Treasury's Office of Foreign Assets Control (OFAC) has sanctioned 12 executives from Kaspersky Lab following a recent Commerce Department ban. These sanctions are part of efforts to protect the integrity of the U.S. cyber domain and guard against malicious cyber threats. Sanctioned individuals are from the executive and senior leadership teams but do not include Kaspersky Lab as a whole or its CEO, Eugene Kaspersky. The Commerce Department previously announced that Kaspersky software and related services are banned in the U.S., citing national security risks. Kaspersky Lab is also added to the U.S. Entity List, further restricting its business operations within the United States. Russia criticizes the U.S. move as an attempt to suppress foreign competition in favor of American products. Kaspersky denies any affiliations with the Russian government, amidst ongoing cybersecurity concerns.
2024-06-21 21:39:07 theregister CYBERCRIME Change Healthcare Reports Extensive Medical Data Theft Impact
Change Healthcare has begun formal notifications to hospitals and pharmacies regarding a ransomware attack in February that resulted in the theft of patient data. The data breach could potentially affect a "substantial proportion" of the U.S. population, with stolen data including names, birth dates, phone numbers, and email addresses; however, full medical histories have not been confirmed as compromised. The healthcare provider continues to work on identifying all affected individuals but faces challenges due to incomplete address information, delaying the notification process to late July. The breach originated from compromised credentials used by ransomware criminals to access a Citrix-based management platform without multi-factor authentication. The attack led to significant operational disruptions, including delayed prescription fulfillments and medical services, with a recovery and system restoration process stretching over several weeks. Change Healthcare incurred costs nearing $1 billion due to the attack, and a ransom of $22 million was paid to the attackers to prevent further data leaks. This incident highlights the ongoing vulnerability of the healthcare sector to cyberattacks, with similar disruptive ransomware incidents occurring in other healthcare facilities globally.
2024-06-21 21:13:27 bleepingcomputer DATA BREACH LAUSD Student and Employee Data Stolen in Snowflake Hack
The Los Angeles Unified School District (LAUSD) confirmed a data breach involving stolen student and employee information from their Snowflake account. Data sold by hacker "Sp1d3r" for $150,000 includes comprehensive details like student demographics, grades, financials, and parent information. Two threat actors were involved: "Sp1d3r" sold data stolen from Snowflake, while "Satanic" independently sold different LAUSD data. Hackers exploited accounts that lacked multi-factor authentication, accessing and downloading sensitive data, then attempting extortion. An investigation involving Snowflake, Mandiant, and CrowdStrike traced the breach to threat actor UNC5537 using stolen customer credentials. LAUSD, alongside the FBI and CISA, is still investigating the extent of the data compromise and working to secure their systems. The ongoing security incident highlights the critical need for robust data protection practices, including the implementation of multi-factor authentication.
2024-06-21 20:27:17 theregister NATION STATE ACTIVITY U.S. Sanctions Senior Kaspersky Executives, Excludes CEO
The U.S. has issued sanctions against 12 senior executives of Kaspersky Lab, excluding CEO Eugene Kaspersky. Sanctions prevent U.S. persons and businesses from engaging with the named individuals and put non-U.S. financial entities at risk of similar sanctions. The actions are part of broader measures, including product bans and the inclusion of Kaspersky operations in sanctioned lists, citing national security threats. The Treasury has not designated Kaspersky Lab itself or its CEO but targets individuals within the company's executive circle. The sanctions are in alignment with Executive Order 14024, which addresses operations in sectors critical to the Russian economy. Previous U.S. administration actions have also targeted Kaspersky products, barring them from U.S. government networks over concerns of potential Kremlin-backed espionage. The U.S. Treasury emphasized the commitment to protecting the integrity of the cyber domain and safeguarding U.S. citizens from cyber threats.
2024-06-21 17:33:57 bleepingcomputer NATION STATE ACTIVITY US Sanctions 12 Kaspersky Executives Amid Security Concerns
The US Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on twelve Kaspersky Lab executives linked to the Russian technology sector. These sanctions are part of broader measures taken by the Biden administration, which include a ban initiated in July on sales and software updates of Kaspersky antivirus products in the US. The Department of Commerce has added AO Kaspersky Lab, OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (UK) to the Entity List, effectively barring US firms from transacting with these entities. The sanctions are in accordance with Executive Order 14024, targeting individuals operating within significant sectors of the Russian economy, including technology and defense. The specific individuals targeted hold leadership roles at Kaspersky Lab and are being sanctioned without affecting the company’s CEO or its broader corporate structure. Sanctioned individuals have their assets in the US frozen and are barred from accessing them. BleepingComputer has reached out to Kaspersky for comment regarding the sanctions and potential further implications.