Daily Brief

2024-08-23 16:05:22 bleepingcomputer CYBERCRIME Halliburton Confirms Cyberattack That Shut Down Key Systems
Halliburton experienced a cyberattack on August 21, 2024, and shut down some systems to contain the intrusion. The company confirmed the incident in an SEC 8-K filing disclosing that an unauthorized third party had gained access to some of its systems. Upon discovery, Halliburton activated its cybersecurity response plan and began an investigation with external advisors. The nature of the attack has not been disclosed, and the Department of Energy said it did not yet have details. Halliburton has notified law enforcement and is working on system restoration and damage assessment while keeping customers and other stakeholders informed. The company employs over 40,000 people worldwide and had recently reported its Q2 2024 results. The incident underscores the persistent threats facing major energy and infrastructure providers.
2024-08-23 15:03:50 thehackernews MALWARE New PEAKLIGHT Malware Targets Windows via Movie Downloads
Mandiant researchers have documented PEAKLIGHT, a new memory-only dropper that targets Windows systems through lures posing as pirated movies. PEAKLIGHT uses PowerShell to fetch and run later stages that deliver information stealers. Delivery starts with a ZIP archive containing a Windows shortcut (LNK) file disguised as a movie; the infection begins when the victim opens the shortcut, not merely on downloading the archive. The shortcut launches PowerShell, which retrieves an obfuscated, memory-only JavaScript dropper that in turn runs the PEAKLIGHT PowerShell downloader; the downloader contacts a command-and-control server for the final payloads while playing a legitimate movie trailer as a decoy. Payloads observed include Lumma Stealer, Hijack Loader, and CryptBot, all sold as malware-as-a-service. The chain relies on obfuscated JavaScript and encoded PowerShell to keep the malicious code off disk. Separately, Malwarebytes reported a malvertising campaign using fake Slack ads to deliver the SectopRAT remote access trojan.
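The lure in the PEAKLIGHT chain is a shortcut whose .lnk suffix Explorer hides, so "Movie.mp4.lnk" displays as "Movie.mp4". The following is an added example, not Mandiant's code or the campaign's tooling: it scans a ZIP archive and flags members that are Shell Link files by content (the fixed 20-byte header) or by name, and separately notes the media-plus-.lnk double extension. The archive is constructed in memory so the script runs offline, and the media-extension list is an assumption.

```python
"""Flag Windows shortcut (.lnk) files posing as video inside a ZIP archive.

Added example for the PEAKLIGHT item above, not Mandiant's code or the
campaign's tooling. The archive it scans is constructed in memory, so the
script runs offline; the media-extension list is an assumption.
"""
import io
import zipfile

# Every Shell Link file begins with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian) form.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a lure would borrow so the shortcut looks like a film or subtitle (assumed list).
MEDIA_EXTS = (".mp4", ".mkv", ".avi", ".mov", ".wmv", ".m4v", ".srt")


def is_shell_link(head: bytes) -> bool:
    """True if the first 20 bytes carry the .lnk header, whatever the file is called."""
    return head[:20] == LNK_MAGIC


def media_double_extension(name: str) -> bool:
    """True for names like 'Film.2024.1080p.mp4.lnk' or 'Film.mkv   .lnk'.

    Explorer hides the .lnk suffix, so the user sees only the media name.
    """
    lower = name.lower().rstrip()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-4].rstrip()          # drop '.lnk' and any padding spaces
    return stem.endswith(MEDIA_EXTS)


def scan_zip(blob: bytes) -> list[dict]:
    """Return one finding per member that is a shortcut by content or by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)
            by_content = is_shell_link(head)
            by_name = info.filename.lower().rstrip().endswith(".lnk")
            if by_content or by_name:
                findings.append({
                    "name": info.filename,
                    "shell_link_header": by_content,
                    "lnk_extension": by_name,
                    "media_double_extension": media_double_extension(info.filename),
                    "size": info.file_size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: a shortcut named like a pirated film, a real-looking
    MP4 header, and a harmless text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 100   # header only; real shortcuts carry more
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Movie.2024.1080p.WEB-DL.mp4.lnk", fake_lnk)
        zf.writestr("Movie.2024.1080p.WEB-DL.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64)
        zf.writestr("readme.txt", b"enjoy the show")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

Checking the header rather than the name matters because a gateway that only blocks `*.lnk` is defeated by padding spaces or a renamed member; checking the name as well catches shortcuts whose first bytes were not captured (for example, an encrypted member you cannot open).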
2024-08-23 14:33:02 theregister DATA BREACH US Sues Georgia Tech Over Cybersecurity Failures as Contractor
The US government is suing the Georgia Institute of Technology and its contracting arm, Georgia Tech Research Corporation, alleging failures to meet DoD cybersecurity requirements for handling controlled unclassified information (CUI). Whistleblowers Christopher Craig and Kyle Koza reported the problems, some of which date back to 2018. The complaint alleges that the Astrolavos Lab at Georgia Tech operated for years without the system security plan DoD requires and refused to install antivirus or anti-malware software on its network. It further alleges that in December 2020 Georgia Tech submitted a cybersecurity self-assessment score of 98 to DoD for a fictitious environment that did not correspond to any real campus system. The action is brought under the DOJ's Civil Cyber-Fraud Initiative (CCFI), which pursues contractors that knowingly misrepresent their cybersecurity practices or fail to meet contractual requirements. Georgia Tech is also accused of rendering DoD's controls ineffective through incorrect interpretations of the applicable NIST standard (NIST SP 800-171). The article additionally raises Georgia Tech's controversial partnership with Tianjin University in China, which has been linked to military research and technology theft. The case is pending; the allegations have not been proven.
2024-08-23 14:02:17 bleepingcomputer CYBERCRIME Russian National Arrested in Argentina for Laundering Crypto Funds
Argentine federal police arrested a 29-year-old Russian national accused of laundering cryptocurrency for North Korean hackers. The suspect allegedly obscured the origins of large sums, including funds stolen by the Lazarus Group. Blockchain analysis firm TRM Labs assisted the investigation, tracing complex transactions across multiple blockchains. The funds were allegedly moved through exchanges and mixers (tumblers) before being converted to fiat currency. He is tied to the laundering of about $100 million from major heists, including the Harmony Horizon bridge and Ronin Network thefts. Operating from a Buenos Aires apartment, he conducted frequent transactions totaling more than $20 million. Authorities seized electronic devices and cryptocurrency wallets holding over $15 million from the apartment. Lazarus has since moved to a newer mixing service, YoMix, to continue laundering funds.
2024-08-23 13:00:44 bleepingcomputer CYBERCRIME Greasy Opal's Advanced CAPTCHA Solver Fuels Global Cybercrime
Greasy Opal has supplied the cybercrime-as-a-service market for nearly 20 years with tools that defeat CAPTCHAs and other anti-bot controls. Its CAPTCHA solver, built on OCR with machine-learning-assisted recognition, automates large-scale fraud across many platforms, from technology companies such as Amazon and Apple to government services in the US, Russia, and Brazil. Despite its criminal customer base, Greasy Opal operates as an ostensibly legitimate business, paying taxes and marketing its tools openly on the clear web. Pricing is deliberately accessible: basic versions start at $70, a full bundle costs $190, and updates require a monthly subscription. Arkose Labs estimates Greasy Opal earned at least $1.7 million last year, showing how lucrative supplying tooling to cybercriminals is. Microsoft's recent disruption of Storm-1152, a user of Greasy Opal's tools, highlighted the ongoing challenge posed by off-the-shelf tooling built for mass attacks.
2024-08-23 11:28:51 thehackernews MISCELLANEOUS Transform Your Cybersecurity Approach with an All-in-One Platform
Experience a live demonstration of an advanced all-in-one cybersecurity platform in an upcoming webinar hosted by Cynet. Discover how to manage multiple cybersecurity tools under a single, unified interface, enhancing efficiency and control. Learn from Cynet's cybersecurity experts, recognized for their high performance in the MITRE ATT&CK evaluations. The webinar includes a real-world cyberattack simulation, showing the effectiveness of integrated cybersecurity solutions. Gain vital knowledge on streamlining your cybersecurity operations and ensuring comprehensive protection against diverse threats. Ideal for professionals seeking actionable insights to reduce complexity and strengthen their organization's security posture. Secure a spot in the webinar to witness the benefits of transitioning to an all-in-one cybersecurity platform.
2024-08-23 10:58:03 thehackernews MISCELLANEOUS Optimizing Security Through Exposure Management Strategies
Exposure management expands traditional attack surface management to include all digital assets, emphasizing continuous evaluation of visibility, accessibility, and vulnerability. The Intruder team advocates for a broad view of vulnerability management, recognizing potential security risks beyond those indexed by CVE numbers, such as SQL injections or misconfigured services. Effective vulnerability prioritization is essential for focusing on high-impact issues rather than on every detected vulnerability, necessitating contextual understanding of asset criticality and threat potential. Recent incidents, like the discovery of a backdoor in xz-utils and a critical zero-day in PAN-OS, underscore the importance of proactive exposure management to preemptively address vulnerabilities. Exposure management enables organizations to strategically allocate resources, improving operational efficiency by concentrating on vulnerabilities that pose significant risks. The approach helps organizations transition from a reactive, piecemeal response to system vulnerabilities to a proactive, strategic management of their digital environment. Intruder emphasizes that thorough exposure management not only enhances security but also preserves team bandwidth for critical security tasks, thereby strengthening overall cybersecurity posture.
2024-08-23 10:27:20 thehackernews CYBERCRIME New Qilin Ransomware Campaign Steals Chrome Credentials
In a Qilin ransomware attack investigated by Sophos, the attackers gained initial access with compromised VPN credentials for an account that had no multi-factor authentication. They then modified the default domain policy to deliver a PowerShell script through a logon Group Policy Object, so the script ran on every endpoint each time a user signed in. The script collected the credentials saved in Google Chrome and exfiltrated them; the attackers then deleted the local copies and cleared event logs to cover their tracks before encrypting files and leaving ransom notes. Anyone whose Chrome-saved credentials were harvested should reset passwords for every third-party site stored in the browser. The approach shows ransomware crews widening their goals beyond encryption to mass credential theft that can seed follow-on attacks. The article also cites NCC Group's monthly ransomware statistics, and Sophos and others note the growing complexity and targeting of ransomware attacks, particularly against critical industries.
2024-08-23 05:01:32 thehackernews MALWARE New "Cthulhu Stealer" Malware Targets macOS Users' Credentials
Cado Security researchers have detailed Cthulhu Stealer, a macOS information stealer rented out under a malware-as-a-service model since late 2023. It is distributed as an Apple disk image posing as popular software such as CleanMyMac, Grand Theft Auto IV, and the Adobe GenP patcher. Once run, it shows an osascript-driven dialog asking for the user's system password, the same trick used by Atomic Stealer and Cuckoo, then prompts for the MetaMask password, dumps iCloud Keychain entries, and harvests browser cookies, Telegram account data, and other information. The collected data is zipped and sent to a command-and-control server. The operators have reportedly stopped responding after disputes and accusations of an exit scam. Users should install software only from trusted sources and keep macOS updated; Apple has also announced that the next macOS release will remove the Control-click shortcut for overriding Gatekeeper, making it harder to run unsigned or unnotarized software.
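The osascript password prompt is the detectable core of Cthulhu Stealer, Atomic Stealer and Cuckoo: all three invoke AppleScript's `display dialog ... with hidden answer`, which renders a masked text field, from a freshly mounted or downloaded binary. The following is an added example, not Cado Security's analysis code or the malware: it triages process-execution records for that pattern and grades them by where the parent process ran from, whether it carries a Developer ID team, and whether the dialog text impersonates macOS. The records are constructed, the field names are my own, and the parent allowlist and staging paths are assumptions.

```python
"""Triage osascript password prompts of the kind Cthulhu Stealer, Atomic Stealer
and Cuckoo use to phish the macOS login password.

Added example for the Cthulhu Stealer item above; not Cado Security's analysis
code or the malware. The process records are constructed, the field names are
my own, and the parent allowlist and staging paths are assumptions.
"""
import os
import re
from typing import Optional

# AppleScript's 'display dialog ... with hidden answer' renders a masked text
# field: the one-liner behind every fake "macOS needs your password" prompt.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer\b", re.I | re.S)

# Dialog wording that borrows the operating system's authority.
IMPERSONATION = re.compile(r"system (settings|preferences)|macos|keychain|password|apple", re.I)

# Where a freshly mounted or downloaded payload usually executes from (assumed).
STAGING_PREFIXES = ("/Volumes/", "/private/tmp/", "/tmp/", "/Users/Shared/", "/private/var/folders/")

# Parents from which a user's own dialog script plausibly runs (assumed allowlist).
TRUSTED_PARENTS = {
    "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
    "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
}


def assess(ev: dict) -> Optional[dict]:
    """Return a finding for an osascript masked-input dialog, else None."""
    if os.path.basename(ev.get("image", "")) != "osascript":
        return None
    cmdline = ev.get("cmdline", "")
    if not HIDDEN_ANSWER.search(cmdline):
        return None

    parent = ev.get("parent_image", "")
    extra = []
    if parent.startswith(STAGING_PREFIXES) or "/Downloads/" in parent:
        extra.append(f"parent runs from a staging path: {parent}")
    if parent not in TRUSTED_PARENTS and not ev.get("parent_team_id"):
        extra.append("parent binary carries no Developer ID team (unsigned or ad hoc)")
    if IMPERSONATION.search(cmdline):
        extra.append("dialog text impersonates macOS")

    severity = "high" if len(extra) >= 2 else "medium" if extra else "low"
    return {
        "pid": ev.get("pid"),
        "parent_image": parent,
        "severity": severity,
        "reasons": ["osascript displays a masked-input (password-style) dialog", *extra],
    }


def triage(events: list[dict]) -> list[dict]:
    """Run assess() over a batch and keep only the hits."""
    return [f for f in (assess(e) for e in events) if f]


# Constructed process-execution records (not real telemetry).
SAMPLE_EVENTS = [
    {   # stealer lure running from a mounted DMG, prompting for the login password
        "pid": 4821,
        "image": "/usr/bin/osascript",
        "parent_image": "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
        "parent_team_id": None,
        "cmdline": ("osascript -e 'display dialog \"macOS needs to access System Settings\" "
                    "default answer \"\" with icon caution buttons {\"Continue\"} "
                    "default button \"Continue\" with hidden answer'"),
    },
    {   # benign: a build script posting a notification
        "pid": 4822,
        "image": "/usr/bin/osascript",
        "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "parent_team_id": "apple",
        "cmdline": "osascript -e 'display notification \"Build finished\"'",
    },
    {   # a user's own password prompt run from Script Editor: surfaced, but low
        "pid": 4823,
        "image": "/usr/bin/osascript",
        "parent_image": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
        "parent_team_id": "apple",
        "cmdline": "osascript -e 'display dialog \"Vault passphrase:\" default answer \"\" with hidden answer'",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["pid"], hit["reasons"])
```

The base rule alone is noisy (administrators write such prompts too), which is why the grading leans on provenance of the parent: a masked-input dialog spawned from a volume mounted under /Volumes/ by an unsigned binary is the stealer pattern, while the same dialog from Script Editor is merely worth a glance.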
2024-08-23 04:40:58 thehackernews CYBERCRIME Latvian Hacker Extradited for Role in Global Cybercrime Syndicate
Deniss Zolotarjovs, a 33-year-old Latvian national who used the handle Sforza_cesarini, was arrested in the country of Georgia in December 2023 and has been extradited to the U.S. He is charged with conspiring to commit money laundering, wire fraud, and Hobbs Act extortion for alleged participation in data theft and extortion since at least August 2021. The Department of Justice says he was a member of the Karakurt group, which steals sensitive data and extorts victims with threats of publication, demanding payment in cryptocurrency; Karakurt is reported to be a splinter of the Conti group. The FBI linked Zolotarjovs to the crimes through cryptocurrency tracing, following Bitcoin ransom payments to an account registered with an email address tied to his Apple iCloud account. Investigators also describe his role in pressuring victims: researching targets, running negotiations, and threatening media exposure. The arrest is a notable step in international efforts against the group and may help unravel the broader Karakurt network.
2024-08-23 03:29:24 theregister MISCELLANEOUS Cloudflare Immerse 2024: Premier Conference Tours Southeast Asia
Cloudflare has announced Immerse, a conference series running in Singapore, Bangkok, and Kuala Lumpur on various dates in August and September. The event aims to bring technology experts and business leaders together around network and security transformation, building on Cloudflare's earlier Connect event and focusing on how its connectivity cloud gives organizations more control over their data and applications. Sessions include interactive discussions with technology leaders from Fortune 1000 companies on cybersecurity, technology adoption, and cloud solutions, alongside demonstrations and peer learning. Attendees will include industry leaders, technology partners, and stakeholders in Cloudflare's ecosystem, with opportunities for networking and collaboration. Cloudflare's leadership will outline the company's strategic direction for 2024 in light of the challenges attendee organizations face.
2024-08-22 22:38:53 theregister CYBERCRIME SolarWinds Issues Critical Update for Hardcoded Credentials Flaw
SolarWinds' Web Help Desk (WHD) contains hardcoded credentials that let an unauthenticated remote attacker access internal functionality and modify data. The flaw, tracked as CVE-2024-28987, carries a CVSS score of 9.1 (critical) and affects WHD 12.8.3 HF1 and earlier. SolarWinds has released hotfix 12.8.3 HF2, which must be applied manually. WHD is used across government, healthcare, and telecommunications, among other sectors. Zach Hanley of Horizon3.ai discovered and reported the issue to SolarWinds. Administrators should apply the hotfix promptly: the product's wide deployment, and the memory of the 2020 Orion supply-chain compromise, make it an attractive target. The fix follows closely on CVE-2024-28986, a Java deserialization remote code execution bug in the same product that CISA has added to its Known Exploited Vulnerabilities catalog.
2024-08-22 22:18:19 bleepingcomputer MALWARE Critical Vulnerability in LiteSpeed Cache Plugin Exploited by Hackers
Attackers are exploiting CVE-2024-28000, a critical unauthenticated privilege escalation in the LiteSpeed Cache WordPress plugin, which has more than five million installations. The plugin's crawler can simulate a logged-in user, gated by a security hash; because the hash is short and weakly generated, an attacker can brute-force it and, by sending it together with a chosen user ID, have the plugin treat the request as coming from any user, including an administrator. From there they can create rogue admin accounts, install malicious plugins, and redirect traffic. Wordfence reported blocking more than 48,500 exploit attempts in 24 hours, a sign of intense exploitation. Only about 30% of sites had updated to a patched version at the time of reporting, leaving millions exposed. Rafie Muhammad of Patchstack published the technical details, stressing how cheap the brute force is. This is the second widely exploited LiteSpeed Cache flaw of 2024, following a cross-site scripting bug exploited earlier in the year. Site owners should update to 6.4 or later (6.4.1 is the current release) or remove the plugin.
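The LiteSpeed Cache bug combines two mistakes: the privilege switch trusts a client-supplied user ID, and the only thing protecting it is a short hash whose generator is predictable, so the real keyspace is far smaller than the alphabet suggests. The following is an added example, not the plugin's code or Patchstack's exploit. It puts the vulnerable shape (a six-character alphabet-36 token from a seeded PRNG, a `role` cookie the caller picks) beside a hardened design (a 256-bit server-issued token, compared in constant time, single-use, expiring, and bound server-side to one user ID). The six-character length, the seeded PRNG standing in for weak randomness, and the cookie names are illustrative assumptions.

```python
"""Weak vs. hardened privilege-switch tokens, in the shape of the LiteSpeed Cache
bug above: a short, predictably generated hash plus a client-chosen user ID.

Added example, not the plugin's code or Patchstack's exploit. The six-character
alphabet-36 token, the seeded PRNG standing in for weak randomness, and the
cookie names are illustrative assumptions.
"""
import hashlib
import hmac
import random
import secrets
import string
import time
from typing import Optional

ALPHABET = string.ascii_lowercase + string.digits


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an online brute force must cover if the token were truly random."""
    return alphabet_size ** length


class WeakRoleSwitch:
    """Vulnerable pattern: trust a client cookie pair (hash, role)."""

    def __init__(self, seed: int) -> None:
        # A seeded PRNG stands in for weak randomness: the token is a pure
        # function of the seed, so the effective keyspace is the seed space,
        # not 36**6.
        rng = random.Random(seed)
        self.token = "".join(rng.choice(ALPHABET) for _ in range(6))

    def authorize(self, cookies: dict) -> Optional[dict]:
        # Bug 1: the caller names the account it wants to become.
        # Bug 2: the only gate is a short, guessable token.
        # Bug 3: '==' compares in variable time (minor next to the others).
        if cookies.get("hash") == self.token:
            return {"user_id": int(cookies.get("role", "0"))}
        return None


def recover_weak_seed(observed_token: str, seed_space: range) -> Optional[int]:
    """Offline recovery: regenerate the token for every seed until one matches."""
    for seed in seed_space:
        if WeakRoleSwitch(seed).token == observed_token:
            return seed
    return None


class HardenedRoleSwitch:
    """Server-issued, single-use, expiring token bound to a fixed user ID."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self.ttl = ttl_seconds
        self._grants: dict[str, tuple[int, float]] = {}   # sha256(token) -> (user_id, expiry)

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()  # store a digest, never the token
        self._grants[key] = (user_id, time.monotonic() + self.ttl)
        return token

    def authorize(self, cookies: dict) -> Optional[dict]:
        presented = hashlib.sha256(cookies.get("hash", "").encode()).hexdigest()
        # Constant-time comparison against every stored digest; no early exit.
        matches = [k for k in self._grants if hmac.compare_digest(k, presented)]
        if not matches:
            return None
        user_id, expiry = self._grants.pop(matches[0])    # single use
        if time.monotonic() > expiry:
            return None
        # The client-supplied 'role' cookie is ignored: identity comes from the grant.
        return {"user_id": user_id}


if __name__ == "__main__":
    weak = WeakRoleSwitch(seed=4242)
    print("nominal keyspace:", keyspace(36, 6))
    print("seed recovered:", recover_weak_seed(weak.token, range(10_000)))
    print("weak grants admin:", weak.authorize({"hash": weak.token, "role": "1"}))
    hard = HardenedRoleSwitch()
    tok = hard.issue(user_id=7)
    print("hardened ignores role cookie:", hard.authorize({"hash": tok, "role": "1"}))
```

Two points carry over to any role-simulation or impersonation feature: the server must decide which account a token maps to, and the token must be long enough that an online brute force is hopeless even when every request is free. Rate limiting helps but is a mitigation, not a fix.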
2024-08-22 21:42:29 bleepingcomputer CYBERCRIME Qilin Ransomware Group Targets Chrome Credentials in New Attack
Sophos has detailed a Qilin ransomware intrusion in which the attackers harvested credentials saved in Google Chrome across an entire domain. Initial access came via compromised VPN credentials on an account without MFA, followed by an 18-day quiet period consistent with reconnaissance and network mapping. The attackers then modified Group Policy so that a PowerShell script ran at every user logon and collected the Chrome-saved credentials of whoever signed in. The harvested data was sent to the attackers' command-and-control server, after which the local copies and related event logs were deleted to hide the activity. The stolen credentials give the attackers a stock of accounts for follow-on intrusions and greatly complicate recovery, since every affected user's third-party passwords must be treated as compromised. The intrusion ended with ransomware deployed across the network. Recommended defenses are to disallow password storage in browsers by policy, require multi-factor authentication, and segment the network to limit the spread and impact of such attacks.
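Both Qilin items above describe the same sequence: a Group Policy Object is edited, a PowerShell logon script runs on every endpoint, Chrome's saved-password database is copied and exfiltrated, and event logs are cleared. The following is an added example, not Sophos's code or the attackers' script, showing how each step leaves a distinct record a detection rule can key on. The records are constructed to resemble Sysmon (event ID 1 process create, 11 file create) and Windows Security (5136 directory object modified, 1102 audit log cleared) events; the field names are my own, and the 5136 rule assumes directory-service change auditing is enabled on the domain controllers.

```python
"""Triage rules for the Qilin tradecraft described in the two Qilin items above:
a GPO logon script that harvests Chrome credentials, then log clearing.

Added example; not Sophos's code or the attackers' script. The records are
constructed to resemble Sysmon (EID 1 process create, EID 11 file create) and
Windows Security (EID 5136, EID 1102) events; the field names are my own, and
EID 5136 assumes directory-service change auditing is enabled.
"""
import ntpath
from typing import Callable, Optional

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CHROME_IMAGE = "chrome.exe"
CHROME_LOGIN_DB = "login data"   # Chrome's saved-password SQLite file is named 'Login Data'


def _base(path: Optional[str]) -> str:
    return ntpath.basename(path or "").lower()


def rule_gpo_modified(ev: dict) -> Optional[str]:
    """Security 5136 on a groupPolicyContainer object means somebody edited a GPO."""
    if ev.get("event_id") == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return f"GPO modified by {ev.get('subject_user')}: {ev.get('object_dn')}"
    return None


def rule_logon_script_shell(ev: dict) -> Optional[str]:
    """gpscript.exe runs GPO logon scripts; a shell under it reaches every user at sign-in."""
    if (ev.get("event_id") == 1 and _base(ev.get("parent_image")) == "gpscript.exe"
            and _base(ev.get("image")) in SHELLS):
        return (f"GPO logon script spawned {_base(ev.get('image'))} as {ev.get('user')}: "
                f"{ev.get('command_line')}")
    return None


def rule_login_data_copy(ev: dict) -> Optional[str]:
    """Chrome keeps 'Login Data' open, so harvesters copy it; flag non-Chrome writers."""
    if (ev.get("event_id") == 11 and _base(ev.get("target_filename")) == CHROME_LOGIN_DB
            and _base(ev.get("image")) != CHROME_IMAGE):
        return f"{_base(ev.get('image'))} wrote a copy of Chrome's Login Data: {ev.get('target_filename')}"
    return None


def rule_log_cleared(ev: dict) -> Optional[str]:
    """Security 1102 / System 104 record the audit or event log being cleared."""
    if ev.get("event_id") == 1102 and ev.get("channel") == "Security":
        return f"Security log cleared by {ev.get('subject_user')}"
    if ev.get("event_id") == 104 and ev.get("channel") == "System":
        return f"{ev.get('log_name')} log cleared by {ev.get('subject_user')}"
    return None


RULES: dict[str, Callable[[dict], Optional[str]]] = {
    "gpo_modified": rule_gpo_modified,
    "logon_script_shell": rule_logon_script_shell,
    "login_data_copy": rule_login_data_copy,
    "log_cleared": rule_log_cleared,
}


def triage(events: list[dict]) -> list[dict]:
    """Apply every rule to every event; return hits in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append({"index": idx, "rule": name, "message": msg})
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records (not real telemetry). The GUID is the well-known
# Default Domain Policy identifier.
SAMPLE_EVENTS = [
    {"event_id": 5136, "channel": "Security", "subject_user": r"CORP\svc_backup",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"event_id": 1, "channel": "Sysmon", "user": r"CORP\jdoe", "image": PS,
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": PS + r" -ExecutionPolicy Bypass -WindowStyle Hidden -File \\corp.example\SYSVOL\corp.example\scripts\logon.ps1"},
    {"event_id": 11, "channel": "Sysmon", "user": r"CORP\jdoe", "image": PS,
     "target_filename": r"C:\Windows\Temp\Login Data"},
    {"event_id": 1102, "channel": "Security", "subject_user": r"CORP\svc_backup"},
    # benign: Chrome itself touching its own database
    {"event_id": 11, "channel": "Sysmon", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_filename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # benign: a user opening PowerShell from the Start menu
    {"event_id": 1, "channel": "Sysmon", "user": r"CORP\jdoe", "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": PS},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["rule"], "|", hit["message"])
```

The logon-script rule will fire in environments that legitimately use GPO logon scripts, so treat it as context for the other three rather than an alert on its own; a 5136 on the Default Domain Policy followed within hours by gpscript-spawned PowerShell and a 1102 is the combination worth paging on. On the prevention side, the "forbid browser-based credential storage" recommendation maps to Chrome's `PasswordManagerEnabled` policy set to 0 (under HKLM\SOFTWARE\Policies\Google\Chrome on Windows), which stops the browser from saving passwords in the first place.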
2024-08-22 18:18:51 theregister MISCELLANEOUS CrowdStrike Fixes Performance Issue in EU Cloud Service
CrowdStrike had a performance problem in its European cloud on Thursday that slowed boot times and general system performance for some European customers; it was resolved the same day. CrowdStrike said the issue was unrelated to July's Channel File 291 outage and did not crash systems or cause blue screens, and it confirmed that all protection capabilities remained functional throughout. The Channel File 291 incident caused widespread disruption worldwide and has led to ongoing legal action against the company; CrowdStrike president Michael Sentonas has publicly acknowledged that failure amid sharp criticism.