Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-13 16:33:13 | theregister | CYBERCRIME | Ukrainian Police Arrest Key Ransomware Programmer in Kyiv | Ukrainian police have arrested a 28-year-old Kyiv programmer linked to major Conti and LockBit ransomware attacks across Europe. The suspect, whose identity remains confidential, is accused of developing encryption tools that concealed viruses as harmless files, aiding in the evasion of popular antivirus software. If convicted under the Criminal Code of Ukraine for abusing computer systems, the individual could face up to 15 years in prison. The arrest is part of Operation Endgame, a broader Europol-led initiative aimed at dismantling cybercriminal networks and infrastructure such as malware loaders and botnets. Dutch authorities identified the programmer's involvement in specific ransomware attacks on a multinational corporation in 2021. The arrest occurred on April 18, but details were only recently publicized, highlighting ongoing international efforts to combat ransomware. Ukrainian and other international law enforcement agencies continue to target LockBit affiliates, with recent activities affecting the gang's operations although not completely disabling it. |
| 2024-06-13 14:10:16 | thehackernews | CYBERCRIME | 'Sleepy Pickle' Exploits Machine Learning with Pickle Files | A new attack named "Sleepy Pickle" has been identified, targeting machine learning (ML) models through the Pickle serialization format. Sleepy Pickle injects malicious payloads into ML model files to manipulate model behavior, such as tampering with model weights or modifying input and output data. The attack utilizes techniques including adversary-in-the-middle attacks, phishing, supply chain vulnerabilities, and exploiting system weaknesses to deliver the payload. Once the malicious pickle file is deserialized, it can change the ML model in real time, enabling backdoors or data tampering that can generate dangerous or misleading outputs. This represents a significant supply chain threat, as the compromised ML model can affect downstream users unknowingly. Trail of Bits warns that such attacks can maintain access and control over ML systems without being detected, as the models are altered when the pickle files are loaded. Recommendations include only loading ML models from trusted sources, using signed commits, or relying on safer serialization formats like TensorFlow or Jax with enhanced security measures. |
| 2024-06-13 14:04:52 | bleepingcomputer | MISCELLANEOUS | Enhancing Security: The Evolving Landscape of Multi-Factor Authentication | Multi-factor authentication (MFA) significantly increases security, protecting businesses and individuals from cyber threats. MFA, including two-factor authentication, involves multiple security steps beyond just passwords, such as biometric verification. Authorities like the US Cybersecurity & Infrastructure Security Agency support MFA, emphasizing its role in preventing unauthorized access even if a password is compromised. The global MFA market is expanding rapidly, projected to double by 2027, with strong adoption due to increasing regulatory requirements. New regulations like PCI-DSS 4.0 and PSD2 in the EU mandate MFA to enhance security in financial transactions and protect sensitive data environments. Despite its strengths, MFA can be compromised through tactics like prompt bombing, exploiting user fatigue from repeated login prompts. Regulatory bodies and organizations are pushing for phishing-resistant MFA to counteract sophisticated cyberattack techniques. Proper implementation and ongoing adaptation of MFA practices are essential for organizations to protect against evolving cyber threats and comply with tightening regulations. |
| 2024-06-13 13:59:27 | thehackernews | NATION STATE ACTIVITY | Arid Viper's Ongoing Mobile Espionage Efforts via AridSpy Malware | Arid Viper, suspected to be affiliated with Hamas, has launched multiple mobile espionage campaigns using trojanized Android apps. The malware, known as AridSpy, has been embedded into apps that mimic messaging services and job opportunity apps, targeting users primarily in Palestine and Egypt. Trojanized versions of legitimate apps, including variants that replace the functionality of apps available on official platforms, deploy AridSpy, which then carries out multifunctional spy activities. ESET researchers identified that these campaigns are still actively distributing malware through websites specifically crafted for this purpose, including a fake Palestinian Civil Registry site. AridSpy is a multi-stage trojan capable of downloading further malicious payloads from a command-and-control server once the initial breach is accomplished. Data exfiltration techniques include taking front-camera pictures under specific conditions, alongside other data harvesting methods driven by remote commands. Efforts to combat this threat have been hindered by the malware's ability to continue functioning even after the initial host app is uninstalled, posing significant challenges to detection and removal. |
| 2024-06-13 13:33:40 | theregister | DATA BREACH | Privacy Advocates Charge Google with Misleading Tracking Practices | Privacy group noyb filed a GDPR complaint against Google's Privacy Sandbox, alleging it deceives Chrome users by enabling disguised tracking. Introduced in 2023, the Privacy Sandbox API aims to replace third-party cookies with a system where ads are shown based on user interests directly through the browser. Despite claims of enhancing user privacy, the API instead enables Google to perform first-party tracking directly within the Chrome browser. Users opting into the feature under the premise of increased privacy were unknowingly consenting to Google's internal ad tracking. Legal concerns revolve around the lack of transparent, informed consent required by GDPR, with noyb accusing Google of outright lying to users. Google defended its consent mechanism, claiming it complies with legal standards under GDPR. The UK's Competition and Markets Authority has also expressed concerns over privacy issues with the Sandbox, prompting a delay in phasing out third-party cookies until 2025. |
| 2024-06-13 11:36:19 | theregister | DATA BREACH | Improper Disposal Leads to NHS Patient Data Breach | A medical student caused a data breach by improperly disposing of confidential NHS documents in household waste. The breached data, including sensitive patient information, was found scattered in a back alley in Jesmond, Newcastle. The incident involved personal details from at least two patients' records marked "Private and Confidential." The Cumbria, Northumberland, Tyne and Wear NHS Trust has recovered the documents and contacted the affected individuals. A full investigation has confirmed that all compromised data was retrieved, and measures are being taken to prevent future occurrences. The NHS provides training on information governance to all medical students, emphasizing the importance of data confidentiality. The trust is using the incident as a learning opportunity to enhance its policies on data protection and handling. The trust did not comment on any disciplinary actions against the student responsible for the data breach. |
| 2024-06-13 11:30:59 | thehackernews | MISCELLANEOUS | Comprehensive Guide to Enhance SaaS Security and Compliance | Recent increases in cyber-attacks on supply chains are driving stricter cybersecurity laws, notably within the finance sector, with expectations for similar regulatory adoption across additional industries. Many organizations lack effective ways to handle the urgent security and compliance demands associated with SaaS and AI technologies, even though free tools offer basic help for managing SaaS sprawl and shadow IT. Emerging regulations demand extended SaaS risk lifecycle management from discovery to incident reporting, which must happen within strict deadlines (e.g., 72 hours for reporting supply chain incidents). Effective SaaS security encompasses identifying all third-party services, assessing risks, setting clear usage policies, and enforcing them continuously because of rapid application turnover. There is a focused effort on reducing the attack surface by limiting approved SaaS providers and improving security configurations, evidenced by tougher measures such as multi-factor authentication. Incident detection and response readiness is critical, with regulatory requirements pushing for rapid reporting of third-party breaches. Tools like Wing Security's new tiered offerings help organizations incrementally build their SaaS security capabilities, from basic risk assessments to comprehensive policy enforcement, suitable for various business sizes and maturity levels. |
| 2024-06-13 10:29:47 | thehackernews | NATION STATE ACTIVITY | Evolving Pakistan-Linked Malware Targets Multiple OS Platforms | Threat actors associated with Pakistan have been actively conducting a malware campaign known as Operation Celestial Force, targeting platforms including Windows, Android, and macOS. The campaign, operational since at least 2018, utilizes a growing suite of malware tools such as GravityRAT and HeavyLift, managed by a standalone tool called GravityAdmin. GravityRAT, first identified in 2018 targeting Indian entities, has evolved from a Windows malware to a multi-platform tool also functioning on Android and macOS. Recent findings tie the Android version of GravityRAT to continued attempts to compromise military personnel in India, with the malware disguised as various legitimate applications. The overarching operations are managed by Cosmic Leopard, leveraging spear-phishing and social engineering tactics to distribute malware through malicious links. GravityAdmin, documented since August 2021, facilitates orchestration of the malware attacks, interacting with command-and-control servers to manage infected systems. The newly identified HeavyLift malware, targeting Windows and macOS, focuses on extracting system metadata and receiving commands from a central server, indicating persistent and evolving cyber espionage activities linked to nation-state interests. |
| 2024-06-13 10:24:25 | thehackernews | MALWARE | New PhantomLoader Aids SSLoad Malware Deployment Across Networks | The SSLoad malware is distributed using PhantomLoader, a new type of loader that employs binary patching and self-modifying code to evade detection in legitimate software. Researchers identified that PhantomLoader compromises systems by masquerading as a DLL file for antivirus products, specifically 360 Total Security. SSLoad is utilized in phishing campaigns to perform initial reconnaissance and subsequently download additional malware payloads. The malware operates under a Malware-as-a-Service model, suggesting it is available for use by various threat actors. SSLoad has capabilities for system fingerprinting and sending gathered data to a command-and-control server, which then further instructs the malware to deploy more malicious content. The use of a Telegram channel as a dead drop resolver highlights advanced tactics for remote command and control communication. SSLoad incorporates sophisticated evasion techniques including dynamic string decryption and anti-debugging measures, indicating a high level of complexity and adaptability in its operations. Aside from SSLoad, other types of malware like JScript RAT and Remcos RAT have also been noted as part of phishing efforts aiming for long-term access and control over compromised systems. |
| 2024-06-13 08:06:42 | thehackernews | CYBERCRIME | Ukraine Arrests Man Linked to Major Ransomware Syndicates | Ukrainian Cyber Police arrested a 28-year-old man suspected of developing encryption tools for LockBit and Conti ransomware groups. The suspect from Kharkiv allegedly created crypters to evade detection by security software, subsequently used in ransomware attacks in the Netherlands and Belgium. During raids in Kyiv and Kharkiv, authorities seized computers, mobiles, and notebooks; the man faces up to 15 years imprisonment if convicted. The arrest was part of Operation Endgame, an international effort among law enforcement agencies aimed at dismantling cybercriminal infrastructure. Recent global law enforcement activities included the arrest of a Taiwanese national running a dark web narcotics market and a blockchain analysis website. The crackdown signifies intensified international cooperation to combat cybercrime, addressing botnets and ransomware distribution networks. Cybercrime tactics involve using social engineering and credential theft for lateral movement and account takeovers, highlighting the need for enhanced verification processes. |
| 2024-06-13 07:14:08 | thehackernews | CYBERCRIME | Google Announces Zero-Day Exploit in Pixel Firmware Security | Google has identified a high-severity zero-day exploit, CVE-2024-32896, affecting Pixel Firmware. This vulnerability involves an elevation of privilege issue now under targeted, limited exploitation. The June 2024 security update for Pixel devices fixes this issue among 50 other vulnerabilities. Several Qualcomm chipset components are also addressed in this update, covering DoS and information disclosure issues. Supported Pixel models receiving the update range from the Pixel 5a with 5G to the Pixel Fold. Similar flaws were previously patched in April, involving bootloader and firmware components. Arm also reported an exploited memory-related vulnerability in GPU kernel drivers last week. Google's ongoing measures include implementing advanced security testing techniques like ASM, Pentesting, and Red Teaming. |
| 2024-06-13 06:28:07 | thehackernews | MALWARE | New Noodle RAT Malware Targets Windows, Linux Systems Globally | A new type of cross-platform malware, Noodle RAT, has been actively used for espionage and cybercrime by Chinese-speaking threat actors since at least July 2016. Trend Micro research indicates Noodle RAT is not a variant but a distinct malware type, previously misclassified as related to Gh0st RAT. The malware operates on both Windows and Linux platforms, utilizing different tactics to deploy tools for remote access and control. Known attack vectors for Windows include file manipulation and proxy functions, while the Linux version employs reverse shells and file scheduling. Attacks have specifically targeted Thailand and India, exploiting public-facing application vulnerabilities to install web shells on Linux servers. Shared code and command-and-control infrastructure suggest a high degree of sophistication and common origins, likely backed by Chinese state interests. Evidence suggests Noodle RAT is part of a complex supply chain within China, possibly developed and sold for espionage purposes by commercial entities tied to state-sponsored activities. |
| 2024-06-13 03:14:35 | theregister | NATION STATE ACTIVITY | Rethinking Security: ASEAN Shifts from VPN to Zero Trust Model | Recent vulnerabilities in VPN services have exposed ASEAN organizations to increased cyber threats, prompting a reevaluation of security strategies. A notable cyber attack, linked to nation-state hackers, targeted weaknesses in a widely used VPN service, highlighting the need for enhanced security measures. In response to the attacks, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for users to apply critical updates to Ivanti's networking products. The surge in remote and hybrid work models across Singapore, Malaysia, Thailand, Indonesia, the Philippines, and Vietnam has introduced new cybersecurity vulnerabilities. Current perimeter-based security solutions like VPNs are deemed insufficient due to their limited network visibility and the complex nature of modern distributed environments. Cloudflare advocates for the adoption of a Zero Trust Security model, which assumes no inherent trust and strictly controls access to networks and resources. Cloudflare's Zero Trust approach integrates a suite of programmable, cloud-native services designed to enhance security across the Internet and corporate networks. Cloudflare offers a 90-day free trial of its Zero Trust Enterprise solution to help organizations protect their networks and user data efficiently. |
| 2024-06-13 01:17:27 | theregister | DATA BREACH | Tile Extortion Attack Exposes Customer Data Concerns | Life360, producer of Tile Bluetooth trackers, faced a criminal extortion attempt linked to stolen customer data. Attackers claimed possession of data from the Tile customer support platform, accessing names, addresses, emails, phone numbers, and device IDs. The hacked platform did not contain particularly sensitive information like passwords, credit card details, or location data. Life360 CEO Chris Hulls disclosed the breach, stating that the core service platform was unaffected and not breached. The company was contacted by perpetrators demanding a ransom, though details of the payment or the amount demanded remain undisclosed. Life360 has engaged law enforcement and boosted security measures, with no additional details provided as the investigation progresses. The breach poses further concerns as Tile faces a lawsuit for allegedly enabling stalking and compromising user safety. |
| 2024-06-12 22:34:39 | bleepingcomputer | MALWARE | Phishing Campaign Exploits Windows Search to Distribute Malware | A new phishing campaign uses HTML attachments to exploit the Windows search protocol to trigger downloads of malicious scripts. Attackers are utilizing the search-ms URI, which lets applications open Windows Explorer for searches, to access files on remote servers. Originally exposed in academic research by Prof. Dr. Martin Johns, this technique has been actively deployed by cybercriminals to deliver malware. The phishing emails disguise these HTML attachments as invoices within ZIP archives to bypass antivirus scanners. If a recipient opens the HTML file, it automatically directs the browser to a malicious URL via a meta-refresh tag; if this fails, a clickable link acts as a fallback. Upon clicking an innocuous-looking file link shown in the search, a batch script from the remote server is executed, the specifics of which were unknown as the server was offline during analysis. Trustwave SpiderLabs suggests disabling the search-ms/search URI protocol in the registry to mitigate risks, but advises caution as it could affect legitimate applications. |