Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12780

Checks for new stories every ~15 minutes

2024-08-22 17:02:20 | bleepingcomputer | MALWARE | New NGate Malware Exploits NFC to Steal Credit Card Details
NGate Android malware specifically targets NFC chips to steal payment card data. Attackers use NGate to emulate victims' cards for unauthorized withdrawals and payments. The malware campaign involves phishing via PWAs and WebAPKs that mimic banking apps. NFCGate, an open-source NFC research tool, is repurposed by NGate to capture and relay NFC data. Social engineering techniques are used to acquire victims' PIN codes post-phishing. Detected activity includes unauthorized ATM withdrawals and contactless payments using victims' information. Apart from theft, NGate can also clone NFC access cards and tokens, posing additional security risks. Users are advised to disable NFC when not in use and scrutinize app permissions for security.
2024-08-22 16:51:59 | thehackernews | CYBERCRIME | Widespread RFID Vulnerability Uncovered in Global Hotel Cards
Cybersecurity experts have identified a hardware backdoor in FM11RF08S and the older FM11RF08 RFID cards used in hotel and office access systems worldwide. The vulnerability allows unauthorized access to buildings by exploiting a universal secret key embedded in the cards. The flaw, stemming from Shanghai Fudan Microelectronics' design, enables attackers to instantaneously clone RFID cards, significantly compromising security. These cards have been in circulation since at least November 2007, increasing the potential impact of the vulnerability. Attack techniques have been refined to expedite the process of key cracking by five to six times, enhancing the feasibility of attacks. The issue not only affects consumers directly but also poses a significant risk for hotels and offices in the U.S., Europe, and India that broadly use these access systems. The research also mentions previous incidents, such as the vulnerabilities found in Dormakaba’s hotel door locking systems, emphasizing ongoing security challenges in RFID technologies.
2024-08-22 16:46:42 | theregister | CYBERCRIME | Halliburton Investigates Cyberattack Disrupting Global Operations
Halliburton is currently assessing a significant issue affecting its systems, purportedly due to a cyberattack. The incident has disrupted business operations and affected global networks, including the company's North Houston campus. A company spokesperson confirmed the activation of a preplanned response plan, involving internal teams and external cybersecurity experts. Reports indicate that the cyber incident may have compromised the payroll database and employee devices. Employees received robocalls instructing them not to connect to any company networks while IT works on creating a protected system. The nature of the attack, whether it involves ransomware or another form of malware, has not been officially disclosed. This disruption falls into a broader trend of rising cyberattacks against critical infrastructure sectors, with a notable increase in ransomware incidents reported last year.
2024-08-22 16:41:23 | thehackernews | CYBERCRIME | SolarWinds Releases Fix for Critical Web Help Desk Flaw
SolarWinds recently patched a critical security vulnerability in its Web Help Desk software. The flaw, identified as CVE-2024-28987, has a CVSS score of 9.1, indicating high severity. It permits remote, unauthenticated users to access and modify data through hardcoded credentials. Zach Hanley of Horizon3.ai discovered and reported this vulnerability. Affected systems must be upgraded to version 12.8.3 Hotfix 2; the hotfix requires specific earlier versions to be installed before it can be applied. This update follows another recent critical patch for a separate vulnerability in the same software that saw active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the urgent need to apply these updates. Further details on this vulnerability will be disclosed next month, underscoring the importance of timely software updates.
2024-08-22 16:15:48 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Utilize Zero-Day Flaw in Cisco Switch Attack
Chinese-affiliated hackers, known as Velvet Ant, exploited a zero-day flaw in Cisco switches, taking control of the system while avoiding detection. The CVE-2024-20399 vulnerability allowed authorized users to execute arbitrary commands and control the underlying Linux OS. Velvet Ant previously targeted organizations in East Asia, utilizing legacy F5 BIG-IP appliances to maintain persistence. Following initial access, the attackers leveraged the compromised devices to deploy custom malware and conduct espionage, underscoring a sophisticated, stealthy operational approach. The attack involved a complex chain that commenced with breaching the Cisco device, followed by lateral movement across the network. Exploited devices facilitated data theft and provided sustained access to the target's network. The detected malware, VELVETSHELL, combined two open-source tools and enabled functionalities such as command execution, data transmission, and network traffic tunneling. Sygnia's report highlights substantial security risks tied to third-party devices and suggests heightened vigilance regarding these potential hidden attack surfaces.
2024-08-22 15:19:29 | bleepingcomputer | MALWARE | Google Patches Ninth Chrome Zero-Day Vulnerability in 2024
Google released an emergency security update for Chrome to address a zero-day vulnerability exploited in attacks. The vulnerability, identified as CVE-2024-7971, involves a type confusion issue in the V8 JavaScript engine, leading to potential arbitrary code execution. This vulnerability marks the ninth zero-day flaw Google has addressed in Chrome this year, signaling ongoing security challenges. The flaw was reported by the Microsoft Threat Intelligence Center and Microsoft Security Response Center on Monday. Updates to Chrome (versions 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux) are rolling out to users on the Stable Desktop channel. Chrome users can expedite the update process manually via the browser's menu to ensure protection is applied sooner. Google has restricted details about the exploitation of the vulnerability and will continue to limit information until the majority of users receive the update.
2024-08-22 15:09:01 | thehackernews | CYBERCRIME | 'ALBeast' Flaw in AWS Load Balancer Endangers Application Security
A new vulnerability named 'ALBeast' targets AWS Application Load Balancers, affecting up to 15,000 applications. Identified by Israeli cybersecurity firm Miggo, the issue arises from a configuration flaw that allows circumvention of access controls. Attackers can exploit the vulnerability by creating a malicious ALB instance and using forged tokens to bypass authentication and authorization. The exploitation involves AWS signing a token under an attacker's control, permitting unauthorized access to applications. Amazon has responded by updating authentication documentation and introducing new validation codes following responsible disclosure protocols. Security enhancements recommended by Amazon include verifying token signatures and restricting target traffic exclusively to the designated load balancer. The security issue was disclosed responsibly in April 2024, prompting swift corrective action from Amazon.
2024-08-22 15:03:40 | bleepingcomputer | MALWARE | SolarWinds Releases Hotfix for Critical Web Help Desk Flaws
SolarWinds issued a hotfix for a severe vulnerability in Web Help Desk that allowed unauthorized login using hardcoded credentials. The flaw, identified as CVE-2024-28987, could let attackers access and alter data on devices without authentication. Web Help Desk is employed by various sectors including government, healthcare, and education for managing IT tasks. No advisory has yet been published on SolarWinds' Trust Center regarding this specific vulnerability. The hotfix also addresses another critical remote code execution vulnerability (CVE-2024-28986), previously exploited in attacks. SolarWinds recommends updating to the latest versions and creating backups before applying the hotfixes. CISA has mandated federal agencies to fix all vulnerabilities in WHD servers by a set deadline due to the potential risks.
2024-08-22 13:06:08 | bleepingcomputer | CYBERCRIME | U.S. Arrests Key Member of Karakurt Ransomware Extortion Gang
A Latvian national, Deniss Zolotarjovs, associated with the Karakurt ransomware group, was arrested in Georgia and extradited to the U.S. Zolotarjovs is charged with money laundering, wire fraud, and extortion for his role in negotiating ransom payments in "cold case" situations. The FBI linked him to at least six extortion instances impacting U.S. organizations, with one company paying over $1.3 million in ransom. Karakurt, known for stealing and threatening to leak or sell data, does not deploy encryption tools, focusing solely on data exfiltration. Investigations utilized cryptocurrency tracing, communication analysis, and search warrants to confirm Zolotarjovs’s involvement in these crimes. Previously, Karakurt was identified as a data extortion arm of the dismantled cybercrime syndicate, Conti. The U.S. authorities had warned against paying ransoms to Karakurt, citing that the group likely sells the data regardless of payment. Zolotarjovs faces up to 20 years in prison for each charge, highlighting significant risks and consequences for cybercriminal activities.
2024-08-22 12:25:03 | theregister | RANSOMWARE | Ransomware Strikes Surge in Critical Industrial Sectors
Ransomware attacks persistently targeted critical industries, with 125 of 395 incidents in July focusing on this sector, marking a continuing trend since 2021. Critical industries are seen as valuable targets due to their necessity in maintaining operational continuity, prompting ransomware groups to exploit this dependency for payments. Law enforcement takedowns of major ransomware groups like LockBit and ALPHV inadvertently stimulated other groups, such as Medusa, to increase their activity. Despite the shutdowns of key ransomware operators and the increase in law enforcement action, the overall number of ransomware victims has recently shown a decline. The integration of infostealer malware has escalated, aiding ransomware attacks by harvesting valid credentials, which are then exploited for further malicious activities. Initial Access Brokers (IABs) play a crucial role in the ransomware chain by selling credentials and facilitating easier access to corporate networks for ransomware attacks. There is a trend toward increased use of infostealers in corporate environments through tactics such as malvertising, posing significant risks for subsequent targeted attacks.
2024-08-22 10:37:55 | theregister | MISCELLANEOUS | University's Phishing Test Causes Panic with Fake Ebola Alert
The University of California Santa Cruz (UCSC) conducted a simulated phishing exercise using a fake emergency alert about an Ebola virus case, which was intended as a cybersecurity training tool. The message claimed a staff member had contracted Ebola after returning from South Africa and included a link for recipients to log in for more information, mirroring tactics used by actual phishing attacks. The exercise received backlash for causing undue panic and potentially damaging public trust in health communications. UCSC’s Chief Information Security Officer, Brian Hall, issued an apology acknowledging the simulation's inappropriate content and its unintended effects on public sensitivity. The incident has sparked a broader conversation in the cybersecurity community about the ethics and effectiveness of simulated phishing attacks as training tools. Experts, including cybersecurity researcher Marcus Hutchins and Google security engineer Matt Linton, have criticized such simulations for possibly breeding mistrust between employees and security teams. Following the backlash, UCSC is revising its approach to cybersecurity training to prevent similar incidents and focus on educating staff without using alarming or deceptive content.
2024-08-22 10:22:21 | theregister | MISCELLANEOUS | Discover Latest EUC Innovations at IGEL's DISRUPT Munich Event
IGEL’s DISRUPT Munich event, occurring on 16-17 September at the INFINITY Hotel and Conference Resort, focuses on the latest in end user computing (EUC) technologies. The event will cover key topics including endpoint security, Zero Trust environments, digital workspaces, and cloud infrastructures. Keynote speakers include former Citrix CEO Mark Templeton, IGEL CEO Klaus Oestermann, and CTO Matthias Haas, discussing current and future EUC trends. Participants can attend over 30 breakout sessions by sponsors like Citrix, HP, Lenovo, LG, Microsoft, and others, focusing on sectors such as healthcare, security, and financial services. Featured discussions will tackle subject areas from FIPS certification for Zero Trust to implementing IGEL OS in non-VDI environments. Exclusive panels and customer roundtables will explore transformative IT strategies in the healthcare and science sectors. Attendees will receive practical advice on enhancing Citrix deployments, configuring Microsoft Azure Virtual Desktop, and optimizing IT infrastructure with Desktop-as-a-Service (DaaS).
2024-08-22 10:06:52 | thehackernews | MISCELLANEOUS | Why Continuous Penetration Testing Secures Modern Enterprises
Continuous Attack Surface Penetration Testing (CASPT) integrates with the software development lifecycle for real-time security vulnerability assessments. CASPT goes beyond traditional penetration testing by providing continuous, automated testing to quickly identify and resolve security vulnerabilities. It enhances organizational security by working in conjunction with Attack Surface Management (ASM) and red teaming to pinpoint and mitigate potential threats more effectively. CASPT is ideal for dynamic environments, compliance-heavy industries, and high-value targets due to its ability to continuously update and secure systems. The integration of CASPT with modern security practices like DevSecOps and incident response improves visibility and risk management, matching the pace of rapid technological developments and cyber threats. CASPT supports regulatory compliance by delivering ongoing evidence of proactive security measures and vulnerability management. Continuous Penetration Testing is positioned as a necessary evolution from the traditional annual penetration tests, which can't keep pace with the rapidly evolving cyber threat landscape.
2024-08-22 06:37:43 | theregister | CYBERCRIME | Cisco Urges UN to Amend New Cybercrime Convention Draft
Cisco has raised significant concerns about the UN's proposed cybercrime convention, urging a revision to better protect human rights and free speech. The convention, shaped significantly by Russia, has been criticized for its broad definition of cybercrime, which could potentially target free speech and suppress legitimate security research. Human rights organizations like Human Rights Watch and the Electronic Frontier Foundation have also criticized the convention, emphasizing its potential misuse and the lack of safeguards for targeted individuals. The convention includes provisions that could allow countries to gather data from service providers without informing the impacted individuals, raising concerns about privacy and transparency. Cisco's senior director, Eric Wenger, has advocated for a focus on actual cybercrimes such as hacking instead of broadly targeting the dissemination of information. Despite Cisco's call for amendments, the UN and the Biden administration appear to favor passing the convention in its current form later this year. Cisco, having withdrawn from Russia in 2022, underscores its stance that while a UN cybercrime convention is necessary, it must not compromise fundamental human rights or the rule of law.
2024-08-22 05:21:12 | thehackernews | MALWARE | Google Patches Actively Exploited High-Severity Chrome Flaw
Google has deployed security updates for a high-severity type confusion vulnerability in Chrome, identified as CVE-2024-7971. The vulnerability affects the V8 JavaScript and WebAssembly engine in versions prior to Chrome 128.0.6613.84. CVE-2024-7971 enables remote attackers to exploit heap corruption through a crafted HTML page, posing significant security risks. The flaw was discovered and reported by the Microsoft Threat Intelligence Center and Microsoft Security Response Center on August 19, 2024. Google confirms the exploit's existence in the wild but has not disclosed details about the attackers or the nature of the attacks, so as to prioritize widespread user updates. This flaw is one of three type confusion vulnerabilities fixed in V8 during the year and one of nine zero-days addressed in Chrome since 2024 began. Upgrading to the latest Chrome versions (128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux) is strongly recommended. Users of other Chromium-based browsers are advised to update their software to prevent exploitation risks.