Daily Brief
Articles are listed below; the summaries are machine-generated.
Total articles found: 12780
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-21 15:39:00 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Unleash New MoonPeak Trojan in Cyberattack | Cisco Talos has identified a new campaign using a remote access trojan named MoonPeak, attributed to the North Korean-backed hacking group UAT-5394. MoonPeak is an evolved form of the publicly available Xeno RAT, with capabilities such as process manipulation, plugin loading, and C2 communications. The campaign shows tactical overlaps with Kimsuky, suggesting possible connections between UAT-5394 and that known North Korean nation-state actor. The malware retrieves payloads from new infrastructure set up by the actors, including C2 servers and payload-hosting sites, moving away from legitimate cloud services. Ongoing development and deployment of MoonPeak coincide with the continual setup of new support infrastructure, indicating a shift to more controlled environments. Each version of MoonPeak introduces enhanced obfuscation and specific C2 communication changes so that a given malware variant interacts only with its matching server variant. The exact targets of this campaign remain unknown, highlighting the covert nature of this state-sponsored activity. | Details |
| 2024-08-21 15:03:10 | theregister | NATION STATE ACTIVITY | Russia Advises Citizens to Disable Surveillance Due to Ukrainian Espionage | Russia's Ministry of Internal Affairs has recommended that residents of Bryansk, Kursk, and Belgorod turn off home surveillance systems and stop using dating apps to prevent Ukrainian espionage. The warning comes as Ukraine reportedly uses these platforms to gather intelligence and identify strategic locations and personnel in Russia amid the ongoing military conflict. The advisories are aimed particularly at protecting high-value individuals, including military and law enforcement personnel and workers in sensitive sectors such as nuclear energy, from information leakage. Following the Ukrainian offensive that captured significant territory in Kursk Oblast, nearly 200,000 residents of the named regions have been evacuated. Russian authorities are also taking heightened precautions against cyber threats by advising military personnel to open links only from trusted, official sources and to minimize use of devices containing sensitive data. Additional measures include moderating online chats, deleting compromised accounts, disabling location features in messenger apps, and removing geotagged images from social media posts to obscure troop locations and movements. The precautions highlight the broader cyber and information warfare being waged alongside physical military engagements in the region. | Details |
| 2024-08-21 14:16:54 | bleepingcomputer | CYBERCRIME | Critical Authentication Flaw Found in GitHub Enterprise Server | A critical vulnerability (CVE-2024-6800) has been identified in GitHub Enterprise Server (GHES) that allows an authentication bypass granting administrator privileges. Multiple GHES releases prior to the fixed versions are affected. The flaw, rated 9.5 in severity, is an XML signature wrapping issue in SAML authentication. Over 36,500 GHES instances globally are reachable from the internet, the majority in the U.S., exposing a significant number of systems to potential unauthorized access. GitHub has released patches in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. Alongside the critical flaw, the update also fixes two medium-severity vulnerabilities. GitHub advises checking the 'Known issues' section after updating, because of service errors and other operational issues noted in the release notes. All of the vulnerabilities were discovered and reported through GitHub's Bug Bounty program on HackerOne. | Details |
| 2024-08-21 11:13:01 | thehackernews | MALWARE | Styx Stealer Leak Exposes Client Info and Threat Actor Details | The creator of Styx Stealer inadvertently leaked sensitive data, including client lists, profit details, and contact information, through an OPSEC lapse. Styx Stealer emerged in April 2024, derived from Phemedrone Stealer and enhanced with features such as auto-start, a crypto-clipper, and advanced evasion techniques. The malware is marketed on a dedicated platform with pricing for several subscription models, and buyers must communicate through a specified Telegram account. The associated threat actor, known as STY1X and based in Turkey, had operational ties with a Nigerian entity linked to Agent Tesla attacks in Asia and the UAE. Check Point traced the leak to a mistake in which the criminal used their personal Telegram bot token while debugging, exposing many operational details. Using the Telegram Bot API for data exfiltration carries significant risk for the operator, because decrypting the malware reveals the token and thereby exposes all transmitted data. The disclosure of Styx Stealer's details comes amid a broader wave of new and known stealer malware campaigns targeting diverse international industries. | Details |
| 2024-08-21 11:13:01 | thehackernews | MISCELLANEOUS | Enhancing Security in the Age of SaaS Application Dependency | SaaS applications have become essential to modern business operations but have also increased exposure to cyber-attacks. The complexity of permissions and dependencies in SaaS environments often leaves IT and security teams unaware of the full set of integrated applications and their access levels. The rise in third-party application attacks highlights the need for robust SaaS security measures, with a 68% increase in such attacks noted in 2023. Shadow IT exacerbates the risk as employees bypass standard IT approval processes and compromise data security through unauthorized app usage. Continuous monitoring and an understanding of all SaaS applications and their permissions are required to secure data and maintain regulatory compliance. High-profile breaches such as those involving cloud storage vendor Snowflake underscore the dangers of inadequate security practices and the importance of multi-factor authentication (MFA). Mapping all connected applications and their associated identities is a foundational step in securing a SaaS ecosystem and limiting data breaches. The article emphasizes the urgency of prioritizing security adaptations to keep pace with the evolving SaaS landscape and prevent future breaches. | Details |
| 2024-08-21 11:02:36 | thehackernews | MALWARE | New macOS Malware TodoSwift Tied to North Korean Hackers | Cybersecurity researchers have identified a new macOS malware, TodoSwift, linked to North Korean hacking groups. TodoSwift shares characteristics with other DPRK-associated malware such as KANDYKORN and RustBucket. The malware uses a multi-stage infection process, initially presenting a benign-looking PDF and then executing a malicious binary. TodoSwift and the earlier DPRK malware use the same command-and-control (C2) infrastructure hosted on specific domains. Common functionality across these families includes data extraction, process termination, and command execution on compromised systems. The Lazarus Group, particularly its sub-cluster BlueNoroff, is believed to be behind these coordinated attacks, which primarily target the cryptocurrency sector. Current investigations focus on unraveling TodoSwift's second-stage binary and its full capabilities. | Details |
| 2024-08-21 07:38:21 | theregister | CYBERCRIME | Man Jailed for Faking Death to Avoid Child Support Via Hacking | Jesse Kipf, 39, was sentenced to 81 months in jail for computer fraud and identity theft. Kipf hacked into Hawaii's Death Registry System using a physician's credentials and marked himself as deceased. He altered official records to evade child support, creating a falsified death certificate confirmed with a doctor's stolen digital signature. His scheme extended beyond faking his own death: he accessed other networks and databases and attempted to sell access to them. Investigators found Kipf's internet searches about how to end child support payments after a death. After his incarceration, Kipf faces restitution exceeding $195,000 for child support arrears and damages to the hacked systems. Kipf has a prior criminal record, including convictions for possession of unauthorized financial devices and credit card fraud. | Details |
| 2024-08-21 05:31:00 | thehackernews | CYBERCRIME | Ukrainian Cybersecurity Warns of Vermin-Linked Phishing Scams | The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new series of phishing attacks aimed at distributing malware. The attacks are attributed to a threat group tracked as UAC-0020, also known as Vermin, which is linked to the security agencies of the Luhansk People's Republic. The phishing emails lure recipients into downloading a malicious ZIP file by promising images of prisoners of war from Kursk. The ZIP file carries a Microsoft Compiled HTML Help (CHM) file embedding JavaScript that triggers an obfuscated PowerShell script. When the CHM file is opened, it installs the SPECTR spyware and a new malware, FIRMACHAGENT, which retrieves the stolen data and transmits it to a remote server. SPECTR, known since 2019, can gather extensive data, including files, screenshots, credentials, and information from communication platforms such as Skype and Telegram. Earlier campaigns by these actors targeted Ukrainian defense forces using similar tools and methods. | Details |
| 2024-08-21 04:39:37 | thehackernews | MALWARE | Critical Vulnerability in GiveWP Plugin Endangers Over 100,000 Websites | A severe vulnerability has been discovered in the GiveWP WordPress plugin, affecting more than 100,000 websites and potentially allowing remote code execution. The flaw, identified as CVE-2024-5932 with a CVSS rating of 10.0, affects all versions up to 3.14.1 and was resolved in version 3.14.2, released on August 7, 2024. The vulnerability allows unauthenticated attackers to perform PHP object injection via deserialization of untrusted input from the 'give_title' parameter. Exploitation could enable attackers to execute malicious code or delete arbitrary files on the affected server. Additional WordPress plugin vulnerabilities were also reported, including critical flaws in InPost PL, InPost for WooCommerce, and JS Help Desk, underscoring a broader security problem in third-party WordPress plugins. Security firm Sucuri highlighted the dangers of using nulled plugins and themes, which can introduce malware and compromise web security. Users of affected plugins are urged to update to the latest patched versions immediately. | Details |
| 2024-08-21 01:21:04 | theregister | CYBERCRIME | Microchip Technology Hit by Cyber Attack, Manufacturing Disrupted | Microchip Technology detected suspicious IT activity on August 17 and confirmed unauthorized access by August 19. The attack disrupted server use and various business operations, including some manufacturing processes. As a direct result, certain Microchip manufacturing facilities are operating below normal capacity and the company's ability to fulfill orders has been affected. Immediate response actions included isolating and shutting down systems, with external cybersecurity advisors engaged for mitigation. There is no current information on whether ransomware was involved or on the full extent of the disruption. The timing is critical because Microchip recently received $162 million from the Biden administration to expand production that is crucial for the U.S. automotive, defense, and aerospace sectors. The company emphasized its ongoing efforts to restore full operational capability swiftly. The incident reflects an industry-wide concern: similar cyberattacks have targeted other semiconductor firms, including TSMC, Nexperia, and AMD, and Nvidia was hit by a ransomware incident in 2022. | Details |
| 2024-08-20 22:48:24 | bleepingcomputer | DATA BREACH | CannonDesign Hit by Avos Locker Ransomware, Data Leak Follows | CannonDesign, a top U.S. architecture and engineering firm, reported a data breach affecting over 13,000 clients resulting from an Avos Locker ransomware attack in early 2023. The attackers accessed and extracted sensitive data, including names, Social Security numbers, and driver's license numbers, during the intrusion between January 19 and 25, 2023. Although the breach was detected on January 25, 2023, the investigation was not completed until May 3, 2024, with further delays before public notification. Victims were offered 24 months of free credit monitoring through Experian, though the offer came after a significant delay. The Avos Locker group claimed to have stolen 5.7 TB of data from CannonDesign, later passing some of it to Dunghill Leaks, which published 2 TB of it. No misuse of the stolen data has been reported, although it has circulated repeatedly on platforms including dark web forums and torrent sites. The leaked data includes detailed project information, client information, and internal documents, creating reputational and operational risks for CannonDesign. | Details |
| 2024-08-20 21:09:05 | bleepingcomputer | CYBERCRIME | Microchip Technology Operations Disrupted by Cyberattack | American chipmaker Microchip Technology Incorporated experienced a significant cyberattack that disrupted its operations. The attack, detected on August 17, 2024, caused operational disruptions at multiple manufacturing facilities, which are now running at reduced capacity. The company initiated immediate response measures, including shutting down certain systems and isolating others to contain the breach. Microchip Technology has engaged external cybersecurity experts to assess, contain, and remediate the unauthorized activity. The extent, nature, and overall impact of the attack are still under investigation, and the potential financial repercussions are not yet known. The incident may have involved ransomware, although no group has claimed responsibility. The company's ability to fulfill orders has been affected, with impact on customers across sectors including industrial, automotive, and defense. | Details |
| 2024-08-20 20:17:54 | thehackernews | CYBERCRIME | Identifying AWS Security Threats with CloudTrail Log Analysis | CloudTrail is essential for tracking API activity and detecting unauthorized access, such as the use of stolen API keys, in AWS environments. Key indicators of compromise include sudden spikes in API requests, use of the root account, unauthorized creation of access keys, and unusual role-assumption patterns. Monitoring for abnormal access to S3 buckets and for data exfiltration attempts is crucial for identifying breaches. Unexpected changes to security group configurations should also be watched for, since they can expose AWS resources to further attack. Recommended mitigations include enforcing least privilege, implementing MFA, regularly auditing and rotating access keys, and ensuring CloudTrail and GuardDuty findings are actually monitored. AWS Config should be used for compliance monitoring to catch misconfigurations before they become vulnerabilities. A proactive stance on monitoring CloudTrail logs and responding quickly to unusual activity is essential for protecting sensitive data and the integrity of AWS infrastructure. | Details |
| 2024-08-20 20:02:26 | thehackernews | CYBERCRIME | Czech Mobile Users Hit by Innovative Phishing Campaign | A new phishing campaign is targeting Czech mobile users, aiming to steal banking credentials using Progressive Web Applications (PWAs). Affected banks include Československá obchodní banka, OTP Bank of Hungary, and TBC Bank of Georgia. The campaign uses PWAs that mimic legitimate banking apps almost perfectly, deceiving users on both iOS and Android. On Android, installing a WebAPK from a third-party site circumvents the usual browser warnings about "installing unknown apps." On iOS, the phishing websites instruct users to add the deceptive PWA to their home screens. The phishing URLs are distributed through automated voice calls, SMS, and malvertising on social platforms such as Facebook and Instagram. Once installed, the PWAs capture banking credentials and send them to attacker-controlled servers or Telegram group chats. ESET detected the first instance of this phishing method in November 2023, with additional waves observed in March and May 2024. | Details |
| 2024-08-20 17:49:48 | bleepingcomputer | MALWARE | New Msupedge Malware Exploits PHP Vulnerability on Windows | Unknown attackers targeted a Taiwanese university, leveraging a PHP remote code execution vulnerability (CVE-2024-4577) to install the Msupedge malware on Windows systems. The malware was delivered as two dynamic link libraries loaded by the Apache server process to start a backdoor. Msupedge uses DNS tunneling to communicate with its C&C server, a technique not commonly seen in the wild. It supports various commands delivered through DNS queries, including creating processes, downloading files, and handling temporary files. The exploited PHP vulnerability had only recently been patched, highlighting how quickly attackers weaponize newly disclosed vulnerabilities. Security firms have observed several groups actively scanning for systems vulnerable to this PHP flaw. The Msupedge campaign's origin and objectives remain unclear, as researchers have yet to attribute it to a specific threat actor or motive. Proof-of-concept exploit code was released just a day after the PHP patches, prompting immediate exploitation attempts, including by ransomware groups. | Details |