Daily Brief
Articles are listed below; the Summary column holds the generated summaries (the 'Details' entry opens the full item on the live page).
Total articles found: 12791
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-30 19:04:08 | bleepingcomputer | CYBERCRIME | SQL Injection Vulnerability Found in Airline Security System | Security researchers found a SQL injection flaw in the login of FlyCASS, a third-party web service some airlines use to manage Known Crewmember (KCM) and Cockpit Access Security System (CASS) records.<br>Anyone exploiting it could add an approved employee and thereby skip airport security screening or gain cockpit access.<br>The researchers demonstrated the risk by creating a fictitious employee with KCM and CASS privileges.<br>After the Department of Homeland Security was notified, FlyCASS was disconnected from KCM and CASS as a precaution.<br>The Transportation Security Administration (TSA) downplayed the impact and quietly edited the public KCM information on its website.<br>FlyCASS had also reportedly suffered a ransomware attack earlier in the year, raising questions about its overall security posture.<br>The TSA maintained that its identity-verification procedures for crewmembers would stop unauthorized access despite the database flaw. | Details |
| 2024-08-30 18:07:47 | bleepingcomputer | MALWARE | Voldemort Malware Hijacks Google Sheets in Espionage Campaign | A newly identified malware, named "Voldemort," is delivered by phishing emails impersonating tax agencies and gives attackers a backdoor for espionage.<br>More than 20,000 emails reached over 70 organizations, mainly in the insurance, aerospace, transportation and education sectors.<br>The lures are tailored to the victim's country, claim to carry tax updates, and lead to attacker-controlled links.<br>Non-Windows visitors are redirected to a harmless Google Drive URL, while Windows users are baited into running a Python script through a disguised file.<br>Voldemort uses Google Sheets as its command-and-control channel and stores stolen data in the sheet, so its traffic blends in with legitimate Google API use and evades typical network detection.<br>It loads through DLL side-loading against a legitimate Cisco WebEx executable, which complicates detection and cleanup.<br>Proofpoint advises restricting external file-sharing services and monitoring for unusual network and software activity to counter this threat. | Details |
| 2024-08-30 17:05:46 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Utilize Chrome Flaw to Deploy Rootkit | North Korean hackers tracked by Microsoft as Citrine Sleet exploited a Google Chrome zero-day (CVE-2024-7971, a type confusion bug in the V8 engine) to install the FudModule rootkit.<br>The campaign targets the cryptocurrency sector, combining financial gain with strategic targeting.<br>Citrine Sleet, also tracked as AppleJeus, Labyrinth Chollima and UNC4736, is a North Korean state-backed group with a history of sophisticated operations.<br>Victims were redirected to a malicious website that achieved code execution in the browser and then escaped the Chrome sandbox.<br>Microsoft and Google analyzed the activity and tied it to known North Korean tradecraft and previously documented campaigns.<br>The rootkit provides deep kernel access and bypasses kernel security mechanisms, which complicates detection and remediation.<br>The incident fits a broader pattern of North Korean state-backed operations against financial institutions and cryptocurrency businesses worldwide. | Details |
| 2024-08-30 14:48:10 | bleepingcomputer | DATA BREACH | Columbus Sues Security Researcher for Distributing Ransomware Data | Columbus, Ohio, suffered a ransomware attack on July 18, 2024, that disrupted a range of municipal services.<br>The Rhysida ransomware group later leaked 3.1 TB of city data, including sensitive police and prosecutor databases.<br>Security researcher David Leroy Ross (known as Connor Goodwolf) publicly challenged the city's statements about the leak by showing that it contained unencrypted personal details.<br>The city's lawsuit alleges that Ross acted illegally and alarmed the public by distributing sensitive information obtained from the dark web leak site.<br>Columbus seeks an injunction barring Ross from sharing the data further and damages exceeding $25,000.<br>The city maintains that the suit targets the dissemination of stolen data and does not infringe on free speech. | Details |
| 2024-08-30 13:31:09 | theregister | CYBERCRIME | Researchers Expose Security Flaws in US Airport Systems | Cybersecurity researchers Ian Carroll and Sam Curry found a SQL injection vulnerability affecting the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, which could have allowed unauthorized cockpit access and bypassing of airport security lines.<br>The flaw was in FlyCASS, a third-party service that smaller airlines use to manage KCM and CASS requests; larger airlines that handle requests in-house were not affected.<br>The researchers bypassed the FlyCASS login without credentials and were able to add approved pilots to the programs with no vetting.<br>After they disclosed the issue to ARINC, the FAA and the DHS, FlyCASS was disconnected from both programs.<br>Coordinating disclosure was difficult: the DHS stopped responding, and the researchers describe statements from the TSA as misleading.<br>FlyCASS also appears to have been hit by a ransomware attack earlier in the year, attributed to the L54 strain, adding to concerns about its security practices.<br>The weaknesses at FlyCASS show how a small vendor's security posture can undermine programs that aviation security depends on. | Details |
| 2024-08-30 13:05:26 | thehackernews | MALWARE | Global Spy Campaign Uses Google Sheets to Control Malware | Proofpoint researchers have identified a malware campaign that uses Google Sheets for command-and-control.<br>The malware, dubbed Voldemort, impersonates tax authorities and targets organizations across sectors including aerospace, finance and healthcare.<br>More than 20,000 phishing emails have been sent worldwide, urging recipients to download what appears to be a PDF but instead launches the malware.<br>Voldemort collects system information and sends it to the attackers while showing the victim a decoy PDF.<br>It can load additional payloads and uses DLL side-loading through legitimate software to evade detection.<br>Although some tactics resemble cybercrime, the targeting and quality of execution point to espionage as the primary motive.<br>Proofpoint has not attributed the campaign to a known actor; the mix of techniques suggests a complex, possibly heterogeneous group.<br>The campaign illustrates the trend of abusing legitimate cloud services for malware distribution and control, which complicates detection and response. | Details |
| 2024-08-30 11:18:17 | thehackernews | NATION STATE ACTIVITY | Iranian Cyber Group Targets U.S. Politics with Phishing Attacks | Iranian hackers tracked as GreenCharlie have built new network infrastructure to target U.S. political campaigns.<br>Recorded Future's Insikt Group links GreenCharlie to other tracked Iranian clusters, including APT42 and Charming Kitten.<br>The group registers domains with deceptive names that mimic cloud and file-sharing services to run credential-phishing attacks.<br>The domains now mostly use the .info top-level domain, a shift from earlier preferences for .xyz and .online.<br>The attackers use malware such as POWERSTAR and GORBLE, relying on social engineering and phishing for initial access before exfiltrating data or delivering further payloads.<br>Recent activity, including command-and-control traffic between July and August 2024, has been linked to Iranian IP addresses.<br>The operations are partly obscured behind services such as Proton VPN and Proton Mail, which hampers tracking.<br>Iranian groups' increased activity also extends to sectors in the U.S. and U.A.E., with related campaigns reported by Microsoft and U.S. government agencies. | Details |
| 2024-08-30 10:22:11 | thehackernews | MALWARE | Sophisticated Malware Disguised as VPN Hits Middle East Users | Researchers disclosed a malware campaign targeting users in the Middle East with a fake Palo Alto Networks GlobalProtect VPN client.<br>The malware can run PowerShell commands remotely, exfiltrate files, and encrypts its communications, giving the attackers significant control over infected organizations.<br>Infection is two-stage: a setup.exe installer drops a backdoor named GlobalProtect.exe.<br>The backdoor beacons to report the installation status, then fetches two configuration files used to collect system information and send it to the command-and-control (C2) server.<br>It performs checks to avoid running inside sandbox environments, improving its stealth on targeted systems.<br>The suspected delivery vector is phishing that convinces users to install what they believe is a legitimate VPN client.<br>The operators have not been identified, and the campaign has not been attributed to any known group.<br>The C2 URL mimics a legitimate U.A.E.-based company's VPN portal, helping the traffic blend in with expected network activity. | Details |
| 2024-08-30 09:41:12 | thehackernews | MISCELLANEOUS | Understanding and Mitigating Hidden AD CS Security Risks | Active Directory Certificate Services (AD CS) provides the PKI certificates that underpin authentication and encrypted communications in modern Windows environments.<br>Because AD CS sits at the core of authentication and authorization, its weaknesses carry risks comparable to past Kerberos issues.<br>Most AD CS weaknesses are misconfigurations rather than code defects, so Microsoft patches do not remove them; finding and fixing them is the organization's responsibility.<br>There are four major classes of AD CS weakness; the most dangerous are the privilege-escalation misconfigurations (ESC).<br>A template misconfiguration such as ESC2 can let a low-privileged user obtain a certificate that impersonates a domain administrator, leading to full domain compromise.<br>Tools such as Certipy and the PowerShell framework PSPKIAudit are recommended for finding and remediating these weaknesses.<br>vPenTest by Vonahi Security automates penetration testing and specifically detects and exploits AD CS misconfigurations to demonstrate their impact. | Details |
| 2024-08-30 06:31:36 | thehackernews | MALWARE | North Korean Hackers Use npm Malware to Steal Cryptocurrency | North Korean threat actors are publishing malicious npm packages aimed at developers to steal cryptocurrency and install malware.<br>Phylum identified packages including temp-etherscan-api and helmet-validate and linked them to the North Korean campaign known as "Contagious Interview."<br>Contagious Interview lures developers into installing bogus packages or software as part of fake job interviews, ultimately deploying a Python payload named InvisibleFerret.<br>InvisibleFerret steals data from cryptocurrency wallets and keeps persistent access using legitimate remote-access tools such as AnyDesk.<br>The newly found helmet-validate package executes JavaScript fetched from a remote server at an IP address previously used in related attacks.<br>Another related package, sass-notification, uses obfuscated JavaScript to run malicious scripts and remove traces while appearing benign.<br>CrowdStrike attributes the activity to the group it tracks as Famous Chollima and ties it to broader insider-threat operations against U.S. companies.<br>Famous Chollima's playbook includes posing as legitimate remote employees with stolen or fabricated identities to get inside corporations and reach sensitive data. | Details |
| 2024-08-30 06:21:06 | thehackernews | CYBERCRIME | Sophisticated Cyberattack Targets Chinese Businesses Using Cobalt Strike | A well-organized campaign tracked as SLOW#TEMPEST is targeting Chinese-speaking users, primarily businesses and possibly government organizations.<br>Phishing emails deliver malicious ZIP files containing a Windows shortcut (LNK) disguised as a document, which starts the infection chain.<br>The chain uses DLL side-loading against a legitimate Microsoft binary to load Cobalt Strike, giving the operators persistent, covert remote access.<br>The attackers remained on compromised systems and carried out hands-on-keyboard operations for more than two weeks without being detected.<br>To stay hidden they enabled the built-in, normally disabled Guest account and added it to the local Administrators group.<br>They moved laterally across the network over the Remote Desktop Protocol (RDP) and stole credentials with Mimikatz.<br>They ran BloodHound for Active Directory reconnaissance and exfiltrated data to command-and-control servers hosted in China.<br>The persistence methods and tooling point to an experienced threat actor. | Details |
| 2024-08-30 06:21:06 | thehackernews | MISCELLANEOUS | SANS Institute Releases 2024 Guide on Critical ICS/OT Security | The SANS Institute has published a new strategy guide on securing Industrial Control Systems (ICS) and Operational Technology (OT).<br>Written by Dean Parsons, it responds to the 50% rise in ransomware attacks on ICS observed in 2023.<br>It emphasizes the need for ICS-specific security measures to protect critical infrastructure from growing cyber threats.<br>The guide lays out concrete steps organizations can take to strengthen their defenses and preserve operational safety and reliability.<br>Aimed at decision-makers such as CSOs and engineering executives, it stresses acting now to reduce risk.<br>SANS urges every organization with ICS/OT environments to adopt the recommended practices promptly.<br>The guide, titled "ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024," can be downloaded from the SANS website. | Details |
| 2024-08-30 06:15:46 | thehackernews | MALWARE | Crypto Miners Exploit Atlassian Confluence Vulnerability | Threat actors are exploiting CVE-2023-22527, a critical template-injection flaw in Atlassian Confluence Data Center and Server, to mine cryptocurrency on compromised hosts.<br>Atlassian patched the remote-code-execution vulnerability in mid-January 2024, but unpatched instances continue to be attacked.<br>Trend Micro observed attackers deploying shell scripts and the XMRig miner to turn the servers' CPU time into cryptocurrency.<br>Techniques include targeting SSH endpoints, killing competing miners, and establishing persistence through cron jobs.<br>A large number of attempts were recorded between mid-June and the end of July 2024, showing sustained interest from cybercriminals.<br>At least three distinct threat groups are believed to be involved, each using the flaw to install mining tools on vulnerable systems.<br>Administrators should update Confluence Data Center and Server to the latest fixed versions without delay. | Details |
| 2024-08-30 04:28:50 | theregister | NATION STATE ACTIVITY | Iran Uses Fake Recruitment Sites to Target Double Agents, Dissidents | Iranian government-backed actors set up fake job websites and social media personas to identify, and potentially compromise, people suspected of opposing the regime.<br>The campaign, active since at least 2017, targeted Farsi speakers with links to or sympathy for Israel.<br>Google's Mandiant team uncovered the operation and assesses with high confidence that it was run on behalf of Iran's government, with links to APT42 and the IRGC.<br>The fake sites advertised attractive jobs and harvested applicants' personal and professional details, putting them at real-world risk.<br>More than 35 bogus recruitment platforms used Israeli symbols and high salary offers to extract information such as home addresses and work history.<br>Mandiant warns that the collected data could feed future operations, including physical threats against the people identified.<br>The disclosure comes amid heightened activity by other Iran-linked groups, including ransomware attacks and data theft across global sectors. | Details |
| 2024-08-29 22:32:22 | theregister | MISCELLANEOUS | US Indicts Two for Dangerous Nationwide Swatting Spree | The US has indicted Thomasz Szabo of Romania and Nemanja Radovanovic of Serbia for making nearly 120 false emergency reports targeting politicians and senior officials.<br>The calls, known as swatting, were intended to send armed police to victims' homes and could have provoked deadly force.<br>The pair's activity included bomb threats against organizations and sustained harassment of state and federal officials.<br>Victims included the head of the Cybersecurity and Infrastructure Security Agency, underscoring the seriousness of the threats.<br>The charges comprise one count of conspiracy, 29 counts of threats involving explosives, and four counts of transmitting threats across state and international lines.<br>US Attorney Matthew Graves stressed the danger and wasted resources that swatting causes and pledged vigorous prosecution. | Details |