Daily Brief

Amazon Web Services (AWS) announced mandatory multi-factor authentication (MFA) for privileged account users starting in 2024, with a phased implementation beginning in July for standalone account root users. The new security measure will initially target management account root users within AWS Organizations, a change ongoing since May this year. Users affected by this change will have a 30-day grace period to enable MFA, after which access will be denied until MFA is activated. AWS supports using FIDO2 passkeys, allowing authentication via biometrics or device PINs across multiple devices through systems such as Apple Touch ID and Windows Hello. The initiative responds to an observed increase in credential-based attacks, including credential stuffing, credential spraying, and brute-force attacks, where MFA could significantly reduce vulnerabilities. Instances of major security breaches in companies like Pure Storage, Ticketmaster, and Santander Bank, which failed to implement MFA, underscore the importance of this security step. AWS's implementation of MFA and support for FIDO2 passkeys are part of broader efforts by major tech companies to enhance product security over the next year.

A cybersecurity researcher discovered that UK health club chain Total Fitness exposed over 474,000 images of members and staff due to an unsecured database. The unprotected 47.7GB database contained not only images but also sensitive information including identity documents, bank details, and immigration records. Total Fitness, which operates 15 clubs across northern England and Wales, admitted the exposed data was used for legitimate business purposes but contained more personal information than initially claimed. The company has since locked down the database, conducted a thorough review of the images and removed those that included identifiable data, ensuring member images are not linked to other identifying data. Despite Total Fitness claims, the database was left unsecured for an extended period, potentially since March 2021, exposing members to risks associated with identity theft and digital impersonation. The company reported the incident to the UK's Information Commissioner's Office (ICO) and is supporting ongoing investigations. The incident highlights the larger issue of AI and deepfake technology misusing personal images, raising concerns over digital identity security and privacy in online environments.

UNC3944, previously involved in ransomware, has shifted focus to data theft extortion without using ransomware. The group employs social engineering and fearmongering, including threats of doxxing and physical harm, to manipulate help desk staff into resetting credentials. They exploit SaaS applications like VMware vCenter, CyberArk, Salesforce, and Office 365 to gain access and create virtual machines. These virtual environments within victim infrastructures enable persistent operations and are used to exfiltrate data. Mandiant's report emphasizes the usage of tools like Airbyte and Fivetran by UNC3944 to transfer stolen data into cloud storage they control. Increased vigilance and monitoring are suggested, particularly around SaaS applications and MFA re-registration processes. Mandiant advises centralizing logs and enhancing logging capabilities for detecting malicious activities in SaaS environments.

Legitimate websites, including those based on WordPress, have been compromised to distribute a Windows backdoor known as BadSpace, using deceptive browser update notifications. The malware deployment involves a multi-stage attack sequence initiated by visiting a compromised website, which leads to the execution of a JScript downloader and installation of the backdoor. During a victim's first visit to the compromised site, the site's embedded code collects device data such as IP address and location, and sends it to a malicious domain. A fake Google Chrome update pop-up is then used to either drop the malware directly or download further malicious components. BadSpace is linked to a known malware called SocGholish or FakeUpdates, which also spreads through similar fake update prompts. Features of BadSpace include anti-sandboxing techniques, data theft, the ability to execute commands and take screenshots, and maintaining persistence on the infected system through scheduled tasks. Security firms eSentire and Sucuri have issued warnings regarding ongoing campaigns that employ fake browser updates to implant malware.

Threat actors are using NiceRAT malware to create a botnet, primarily targeting South Korean users. The malware spreads through cracked software downloads, including fake Microsoft Windows and Microsoft Office license verification tools. NiceRAT disguises its distribution by instructing users on disabling anti-malware solutions, making its detection challenging. In addition to direct downloads, NiceRAT also spreads through NanoCore RAT-infected zombie computers, previously used for distributing different malware. NiceRAT, a Python-based open-source RAT and stealer, employs Discord Webhook for its command-and-control operations. Since its initial release on April 17, 2024, NiceRAT has been actively developed and is offered in both free and premium versions under a malware-as-a-service model. Concurrently, the resurgence of the Bondnet cryptocurrency mining botnet has been observed, utilizing high-performance bots as command-and-control servers.

Data443 is initiating a free spam domain and IP blocklist service aimed at former users of the now-defunct SORBS service, which officially ceased operations on June 5. The new service from Data443 will utilize data from their existing Cyren platform, providing a time-lagged version of their commercial offerings specifically for domain/IP blocklists. SORBS, which was operated by security vendor Proofpoint until its closure, served over 200,000 organizations with a DNS-based block list containing 12 million records for servers linked to spam and scams. In cybersecurity enforcement news, a Georgia woman has been charged with cyberstalking and making interstate threats related to an online adoption scam, facing up to 15 years if convicted. Klaus Pflugbeil, a Canadian battery executive residing in China, has pled guilty to stealing Tesla’s proprietary battery charging technology and is now facing a potential 10-year prison sentence. It remains unclear if Data443 intends to acquire the actual SORBS codebase, as they have not made any definite statements regarding this matter.

Japan's Aerospace Exploration Agency (JAXA) and Astroscale have successfully demonstrated a satellite, ADRAS-J, that can approach and monitor space debris, specifically a defunct rocket stage. India's government has appointed a new tech minister, maintaining continuity while aiming to bolster its technology governance. A former NCS employee from India has been jailed for deleting virtual machines after his dismissal, highlighting risks of remote access post-employment. Hong Kong trials a robodog capable of detecting pollution, potentially replacing human inspectors in hazardous environments. Forrester forecasts a significant 6.4% increase in APAC tech spending for 2024, with India expected to see the highest regional growth rate. Australia's bipartisan support emerges for imposing a minimum age requirement of 16 for social media usage, amid broader efforts to combat online financial scams. Environmental and technological advancements across Asia-Pacific signal robust growth and innovation, alongside ongoing regulatory adaptations to new challenges.

A speculative execution attack, named "TIKTAG," has been identified targeting ARM's Memory Tagging Extension (MTE), affecting Google Chrome and Linux systems. The attack exploits ARM's security feature designed to prevent memory corruption by leaking MTE memory tags with over a 95% chance of success. Researchers from Samsung, Seoul National University, and the Georgia Institute of Technology co-authored the study demonstrating the vulnerability. TIKTAG utilizes two specific code gadgets, TIKTAG-v1 and TIKTAG-v2, to manipulate speculative execution paths and infer memory tags from cache states. While leaking MTE tags does not expose direct sensitive data like passwords or encryption keys, it potentially allows attackers to bypass MTE protections and facilitate more severe memory corruption attacks. No immediate fixes have been implemented, though ARM and Google's Chrome security teams have been informed; ARM does not consider this a compromise of the architecture's principles according to their bulletin. Mitigations and potential long-term solutions are still under discussion among the tech community and concerned entities.

U.K. national, linked to the cybercrime group Scattered Spider, was arrested in Palma de Mallorca, Spain. The arrest is a collaboration between the FBI and Spanish Police, targeting the individual as he attempted to leave for Italy. Identified as Tyler Buchanan, known online as "tylerb," specialized in SIM-swapping and associated with multiple ransomware attacks. This arrest follows the earlier capture of another group member, charged with wire fraud and aggravated identity theft in the U.S. Scattered Spider has evolved from SIM swapping and credential harvesting to sophisticated ransomware and data extortion schemes. The group uses phishing, privilege escalation, and data theft from SaaS platforms, increasingly targeting the finance and insurance sectors. Mandiant and other security firms note the group's use of fear-mongering and Okta permissions abuse in their operations.

A new Linux malware, named 'DISGOMOJI', uses emojis for command execution, uniquely controlled via Discord. DISGOMOJI primarily targets a custom Linux distribution used by Indian government agencies, discovered by Volexity linked to Pakistan-based threat actor UTA0137. This malware enables remote operations like command execution, file theft, and additional malware payload deployments, with espionage objectives. Commands to the malware are issued through emojis sent on a Discord server, allowing it to potentially bypass text-command detection systems used by security software. The distribution method likely involves phishing, with the malware initially presented in an executable within a ZIP archive that simulates a PDF document. Upon execution, the malware exfiltrates essential system information and awaits emoji commands for further actions. DISGOMOJI's method of maintaining persistence involves reboot cron commands and other mechanisms, facilitating long-term access and data theft. Researchers uncovered attempts by attackers to spread laterally within networks, aiming to steal credentials and gather extensive intelligence from targeted systems.

ASUS has issued a critical firmware update for seven router models due to a severe authentication bypass flaw identified as CVE-2024-3080, with a CVSS score of 9.8. The vulnerability allows unauthenticated, remote attackers to gain control of affected routers without needing login credentials. Affected router owners are urged to update their firmware immediately or strengthen their device security settings if immediate update isn't possible. Recommendations include enforcing strong passwords, disabling internet access to administration panels, and turning off features like port forwarding and VPN server. The update also fixes another high-severity issue, CVE-2024-3079, a buffer overflow vulnerability that can be exploited with admin access. Additionally, ASUS responded to CVE-2024-3913, impacting multiple router models with a critical arbitrary firmware upload flaw. Not all models will receive updates as some have reached end-of-life status, suggesting alternate mitigation options per model. Alongside the router firmware upgrades, a new version of Download Master for ASUS routers has been released to tackle five less severe, but significant, security threats.

Microsoft is set to improve cybersecurity for personal Outlook email accounts by phasing out basic authentication by September 16, 2024. This move is aimed at decreasing vulnerability by replacing basic authentication with token-based authentication and multi-factor authentication (MFA). The change will see the end of support for the 'Mail' and 'Calendar' apps on Windows and the 'light' version of the Outlook Web App due to security concerns. Users of older Outlook versions which rely on basic authentication will need to switch to more recent email clients that support modern authentication methods. Microsoft is ceasing the ability to access Gmail accounts via Outlook.com from June 30, 2024; however, standalone Outlook clients for Windows and Mac will retain this functionality. Enhancements are part of Microsoft's 'Secure Future Initiative' aimed at bolstering user security amid rising email-based cyberattacks. The firm suggests users with Microsoft 365 subscriptions to utilize the Outlook version included, ensuring full compatibility and security.

The Smishing Triad, a threat group possibly Chinese-speaking, has expanded its operations to Pakistan with malicious SMS scams using Pakistan Post's identity. Targets receive fake messages about failed package deliveries and are tricked into entering financial details on fraudulent websites. Google detailed the activities of PINEAPPLE, a threat actor distributing the Astaroth malware in Brazil using spam with tax and finance-themed lures. PINEAPPLE exploits cloud services like Google Cloud, Amazon AWS, and Microsoft Azure to deliver malware across Brazil and LATAM. UNC5176, a Brazil-based cluster, targets sectors like financial services and healthcare with URSA malware, capable of stealing extensive personal data. New threat actor FLUXROOT uses cloud services to host phishing pages and distribute the Grandoreiro banking trojan in Latin America. An additional threat actor, Red Akodon, targets organizations across multiple sectors in Colombia, using phishing emails designed to steal credentials.

A Pakistan-based threat actor, UTA0137, has been targeting Indian government entities using a malware named DISGOMOJI. DISGOMOJI, a Golang-based malware aimed at Linux systems, uses Discord for command and control via emoji-encoded messages. The malware infiltrates systems through spear-phishing campaigns delivering a malicious Golang ELF binary within a ZIP file. Once installed, DISGOMOJI downloads a benign document as a decoy while secretly fetching the malware payload from a remote server. Volexity discovered variations of DISGOMOJI with features for establishing persistence, avoiding duplication, and hiding its real functionality to impede analysis. The attackers also utilize legitimate tools like Nmap, Chisel, and Ligolo for networking tasks, and have exploited the DirtyPipe vulnerability for privilege escalation. In a specific user manipulation tactic, the malware displays a fake Firefox update dialog to trick users into surrendering their passwords. Continuous improvements to DISGOMOJI indicate an evolving threat capability and ongoing espionage activity against the Indian government.

Meta has delayed training its large language models (LLMs) on EU user data following concerns raised by the Irish Data Protection Commission (DPC). The planned data utilization was based on the 'Legitimate Interests' legal ground without explicit consent from users which contradicts the EU's GDPR requirements. The delay affects the use of public Facebook and Instagram content from adult users in the European Union, intended to enhance AI's contextual understanding. Meta argues that the restriction will hinder European competitive edge in AI innovation and adaptability, resulting in a "second-rate experience" in AI applications. Collaboration with both the DPC and the UK’s Information Commissioner's Office (ICO) is ongoing to seek compliance and acceptance for the AI tools. Austrian non-profit organization, noyb, filed a complaint in 11 EU countries alleging that Meta's AI data practices violate GDPR privacy laws. Meta remains "highly confident" that its data handling tactics comply with European laws, despite criticisms and legal challenges from privacy advocates.