Daily Brief
Find articles below; see 'DETAILS' for the generated summaries
Total articles found: 12779
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-19 20:22:19 | bleepingcomputer | RANSOMWARE | Ransomware Payments Reach Record $460 Million in First Half of 2024 | Ransomware victims paid a total of $459.8 million in the first half of 2024, a record for any first half-year according to Chainalysis.
If the trend continues, 2024 could set a new annual record for ransomware payments, exceeding the $1.1 billion recorded in 2023.
Ransomware gangs have shifted toward fewer but larger attacks on major organizations, which yields higher individual payments.
The largest single ransomware payment reported this year was $75 million, paid to the Dark Angels group by a Fortune 50 company.
Median payments to the most severe ransomware strains rose sharply, from $199,000 in early 2023 to $1.5 million by mid-2024.
Despite the larger individual payments, the number of ransom payments fell 27.27% year-over-year as more victims decline to pay.
Separately, funds stolen in cryptocurrency hacks nearly doubled year-over-year to $1.58 billion, with centralized exchanges the main targets.
Legitimate cryptocurrency activity has grown faster than illicit activity, which fell by roughly 20% compared to 2023. | Details |
| 2024-08-19 20:11:55 | theregister | NATION STATE ACTIVITY | OpenAI Shuts Down Iranian Accounts Spreading US Election Disinfo | OpenAI has banned several ChatGPT accounts linked to an Iranian group suspected of circulating disinformation about the US presidential election.
The Iranian group, identified as Storm-2035 and backed by Tehran, used ChatGPT to create content targeting both Democratic and Republican candidates, but failed to garner significant engagement.
Microsoft had previously flagged this group for election interference efforts. Separately, Google reported increased Iranian cyber activity against the US presidential campaigns, following the Trump campaign's report that internal documents had been stolen and leaked.
The disinformation spanned various topics, including US politics and the conflict in Gaza, spread across both progressive and conservative fake news websites.
The content was distributed in multiple languages, including English, Spanish, Arabic, and French, through at least five fake news domains managed by Storm-2035.
Despite the articles and social media posts, the content had minimal impact, with little evidence of sharing or engagement; OpenAI rated it Category 2 on the Breakout Scale, a six-point measure of how far an influence operation spreads.
Earlier actions by OpenAI to mitigate similar threats included shutting down accounts used by other nation-state backed groups from China, Russia, and North Korea involved in phishing and malicious software activities. | Details |
| 2024-08-19 19:20:32 | bleepingcomputer | MALWARE | CISA Alerts on Jenkins Bug Used in Recent Ransomware Attacks | CISA has issued warnings about a critical vulnerability in Jenkins, an open-source automation server commonly used in software development for continuous integration and delivery.
The vulnerability, CVE-2024-23897, is an arbitrary file read on the Jenkins controller that can be chained into remote code execution, and it has been actively exploited in ransomware attacks.
The flaw is in the args4j command-line parser used by the Jenkins CLI: an argument beginning with `@` is replaced with the contents of the named file, so an attacker can read files on the controller (entire files with Overall/Read permission, otherwise only the first few lines), including without authentication on instances that allow anonymous read access.
Patches shipped on January 24 (Jenkins 2.442 and LTS 2.426.3), but proof-of-concept exploits appeared online within days and active exploitation followed.
Currently, over 28,000 Jenkins servers are exposed to this vulnerability, predominantly in China and the U.S., although the number of unpatched servers has decreased from initially over 45,000.
Groups such as RansomEXX have used the bug to breach technology service providers, including one serving Indian banks.
CISA has included this vulnerability in its Known Exploited Vulnerabilities catalog, urging both federal agencies and private entities to patch their systems by September 9 to prevent further incidents.
This directive and warning underscore the high risks and widespread implications for security within federal infrastructure and beyond, according to CISA's advisories. | Details |
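A quick way to screen a fleet for the Jenkins bug above is to compare the version each controller advertises against the fixed releases. The following is an added example written for this brief, not code from BleepingComputer, CISA or the Jenkins project; it relies on the `X-Jenkins` response header that Jenkins controllers add to HTTP responses (including the login page) and on the fixed versions named in the advisory (weekly 2.442, LTS 2.426.3). The HTTP responses and hostnames in it are constructed.

```python
"""Screen Jenkins controllers for CVE-2024-23897 by advertised version.

Added example, not from the brief or from the Jenkins project. Jenkins sends
an X-Jenkins header carrying its version; the args4j "@file" expansion was
fixed in weekly 2.442 and LTS 2.426.3, so anything older in its release line
is a candidate for patching or for the CLI-disable workaround.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions from the Jenkins advisory.
FIXED_WEEKLY: Version = (2, 442)     # weekly releases have two components, e.g. 2.441
FIXED_LTS: Version = (2, 426, 3)     # LTS releases have three, e.g. 2.426.2


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.426.2' into (2, 426, 2); return None for unparsable input."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version predates the fix in its release line.

    LTS lines (three components) are compared against 2.426.3 and weekly
    lines against 2.442. An LTS such as 2.440.1 sorts above 2.426.3 and is
    therefore treated as fixed, which matches the advisory.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    fixed = FIXED_LTS if len(version) >= 3 else FIXED_WEEKLY
    return version < fixed


def version_from_response(raw_response: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(responses: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host -> vulnerable? (None when no Jenkins version header was seen)."""
    result: Dict[str, Optional[bool]] = {}
    for host, raw in responses.items():
        version = version_from_response(raw)
        result[host] = is_vulnerable(version) if version else None
    return result


# Constructed sample responses; the hostnames are fictitious.
SAMPLE_RESPONSES = {
    "ci-old-lts.example": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\nX-Jenkins-Session: 0123abcd\r\n\r\n",
    "ci-weekly.example": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.441\r\nContent-Type: text/html\r\n\r\n<html>",
    "ci-patched.example": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.440.1\r\n\r\n",
    "www.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    labels = {True: "VULNERABLE (pre-fix version)", False: "fixed", None: "no X-Jenkins header"}
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {labels[verdict]}")
```

Against a live controller the same header can be fetched with `curl -sI https://ci.example/login`. A banner check only screens by version; it does not confirm that the CLI endpoint is reachable, and the advisory's interim mitigation for instances that cannot be updated is to disable CLI access.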
| 2024-08-19 19:05:00 | theregister | MALWARE | Unpatched Flaws in Microsoft macOS Apps Pose Security Risk | Cisco Talos identified eight vulnerabilities in Microsoft's macOS applications such as Excel, OneNote, Outlook, PowerPoint, Teams, and Word, which could allow unauthorized access to user data and escalate privileges.
Microsoft has declined to fix these vulnerabilities, classifying them as low-risk despite the potential for attackers to exploit these apps to record audio and video, access sensitive data, or log keystrokes.
The vulnerabilities revolve around improper utilization of Apple’s security frameworks, including entitlements and permissions, which need explicit user consent to access device resources.
Some of Microsoft's apps carry an entitlement that disables library validation, a part of Apple's hardened runtime that otherwise blocks loading of libraries not signed by the app's developer or by Apple.
Microsoft argues that features such as plugin support require loading unsigned libraries, a trade-off of security for functionality.
Despite Microsoft’s stance, the firm has updated its Teams and OneNote applications, removing the entitlement that allowed library injection, mitigating the risk for these apps.
The researcher, Francesco Benvenuto of Talos, noted that sandboxing and the hardened runtime mitigate the risk for some applications, but an app that disables library validation lets injected code run with the permissions the user has already granted that app, such as microphone or camera access.
The investigation serves as a reminder of the challenges in securing software applications on macOS, suggesting that users cannot always rely on the security of apps as vetted by trusted vendors. | Details |
| 2024-08-19 16:26:46 | bleepingcomputer | CYBERCRIME | Arrests Made in $14M Holograph Cryptocurrency Heist in Italy | Italian police have arrested four individuals suspected of stealing $14 million worth of cryptocurrency from the blockchain firm Holograph.
The suspects exploited a smart contract flaw in Holograph's platform, allowing them to mint and steal 1 billion HLG tokens.
The cybercriminals were living lavishly in a luxury villa in Salerno, Italy, before their arrest.
The arrests were made possible through cooperation between Italian and French national police forces, leading to European arrest warrants.
Police seized cryptocurrency wallet private keys and other electronic devices, which could help in recovering some of the stolen funds.
Holograph previously identified a former technical contractor as being involved in the heist.
Following the arrests, the value of HLG tokens has seen significant recovery, though still below pre-heist levels. | Details |
| 2024-08-19 14:09:11 | bleepingcomputer | DATA BREACH | FlightAware Data Leak Exposes User Information for Years | FlightAware, a global flight tracking platform, experienced a data security incident due to a configuration error, leaving user data vulnerable since January 1, 2021.
The configuration error was identified on July 25, 2024, meaning account data such as user IDs, passwords, email addresses and other profile details was exposed for more than three years.
It remains uncertain whether any of the exposed user data was actually accessed or misused by unauthorized parties.
Affected users are being instructed to reset their passwords, and they are prompted to do so upon next login.
FlightAware has addressed the configuration flaw and assures users that the issue has been remediated.
All users receiving the notification about the data breach are offered two years of free identity protection from Equifax.
The company advises users to change their password on any other site where they reused the same credentials, to prevent credential stuffing attacks.
FlightAware has not confirmed the total number of users impacted but has expressed commitment to updating the public as more information becomes available. | Details |
| 2024-08-19 13:17:55 | theregister | DATA BREACH | National Public Data Reports 1.3 Million Affected by Breach | National Public Data (NPD), based in Florida, confirmed a data breach affecting 1.3 million individuals in a filing with Maine's Attorney General.
Initial claims suggested a significantly higher number of affected individuals, with some estimates reaching billions of lines of data.
The intrusion occurred in late December 2023; data began leaking in April 2024 and continued through the summer, attributed to a criminal known as USDoD.
Noted security expert Troy Hunt found 134 million unique email addresses in the database, raising doubts about the accuracy of the reported figure of 1.3 million affected.
NPD's communication to affected parties included potential exposure of names, email addresses, phone numbers, Social Security numbers, and mailing addresses.
Additional findings revealed the presence of 70 million criminal records and 272 million unique Social Security numbers in the stolen database.
NPD has undertaken additional security measures and cooperated with law enforcement to mitigate the effects of the breach and prevent future incidents. | Details |
| 2024-08-19 13:07:30 | thehackernews | MALWARE | UULoader Malware Utilizes Decoy Files to Spread Gh0st RAT | A new malware named UULoader is targeting East Asian users by masquerading as legitimate application installers.
UULoader distributes dangerous payloads including Gh0st RAT and Mimikatz, targeting Korean and Chinese speakers.
The malware is delivered as a .cab archive that pairs a legitimate, signed executable susceptible to DLL side-loading with a malicious DLL; running the executable loads the DLL and executes the payload.
The installation triggers a decoy operation, such as a fake Chrome update, while secretly deploying malware in the background.
UULoader appears to be of Chinese origin, based on Chinese-language strings left in the debug (PDB) paths embedded in its binaries.
Beyond individual user targeting, broader phishing and fraudulent campaigns have been noted, leveraging fake cryptocurrency sites and government impersonation to siphon data.
These scams abuse legitimate services like Microsoft’s Dynamics 365 and Google’s Chrome installers to evade security measures and extend the attack surface.
Additionally, generative AI popularity is exploited by creating scam domains, involving keywords related to AI to attract traffic and conduct nefarious activities. | Details |
| 2024-08-19 12:41:53 | thehackernews | MALWARE | Surge in FakeBat Malware Campaigns Exploiting Popular Software | Cybersecurity experts at Mandiant have detected increased activity in malvertising that distributes FakeBat, a malware loader.
FakeBat, also known as EugenLoader or PaykLoader, exploits users' searches for popular business software tools to spread.
The malware uses trojanized MSIX installers that mimic legitimate software like Brave, KeePass, Notion, Steam, and Zoom, hosting them on fake websites.
These installers activate a PowerShell script that fetches additional payloads, including notorious malware like IcedID, RedLine Stealer, and Carbanak.
Mandiant, which is owned by Google, tracks the loader as NUMOZYLOD and attributes the operation to the threat group UNC4536.
NUMOZYLOD collects host details such as the operating system, domain membership and installed antivirus, and sends them to its command-and-control server.
It persists by dropping a shortcut (.lnk) in the Startup folder so the loader runs again at every logon. | Details |
| 2024-08-19 10:09:07 | thehackernews | CYBERCRIME | Xeon Sender Exploits Cloud APIs for SMS Phishing Scams | Attackers are abusing Xeon Sender, a tool that runs large-scale SMS phishing campaigns through legitimate cloud and SaaS messaging APIs.
The tool is distributed via Telegram and hacking forums and packages the steps of an SMS spam campaign into a simple interface.
Xeon sends bulk messages through multiple providers using valid credentials the attacker has already obtained; it exploits no flaw in the providers themselves.
Used services include Amazon SNS, Nexmo, Twilio, among others, to distribute phishing messages on a grand scale.
Recent updates to the tool have enhanced user accessibility, catering to less technical cybercriminals.
Xeon Sender also includes capabilities for validating service credentials, generating phone numbers, and verifying their legitimacy.
Detection is difficult because the tool builds its API requests with each provider's own Python library, so the traffic is indistinguishable from legitimate use of the account.
Organizations are advised to monitor for anomalous changes to SMS-sending permissions and to recipient or distribution lists, since the credentials in use are valid and the API calls themselves look legitimate. | Details |
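One concrete form of the "monitor SMS permissions" advice above is to find which identities can send SMS at all. The following is an added example for this brief, not code from The Hacker News, SentinelOne or AWS: it scans IAM policy documents for statements that let a principal call `sns:Publish` with `Resource: "*"`, the combination needed to publish directly to a phone number (direct SMS has no topic ARN, so a statement scoped to a topic ARN can only post to that topic). The policies, role names and account ID below are constructed.

```python
"""Find IAM policy statements that permit sending SMS through Amazon SNS.

Added example, not from the brief or from any vendor tooling. Xeon Sender
needs valid credentials that can call a provider's send API; for Amazon SNS
that is sns:Publish, and direct-to-phone-number publishing requires the
statement's Resource to be "*". Statements scoped to a topic ARN can only
post to that topic and are not flagged.
"""
import fnmatch
from typing import Dict, List

SMS_ACTION = "sns:publish"   # IAM action names are matched case-insensitively


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_publish(patterns: list) -> bool:
    """IAM action matching: case-insensitive with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(SMS_ACTION, p.lower()) for p in patterns)


def sms_capable_statements(policy: dict) -> List[str]:
    """Return findings for statements that let the principal call sns:Publish
    with Resource "*". An unconditional Deny on the same cancels them, since
    an explicit Deny always wins in IAM evaluation."""
    findings: List[str] = []
    denied = False
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "NotAction" in stmt:
            # NotAction covers everything that is not listed.
            matched = not _covers_publish(_as_list(stmt["NotAction"]))
            via = "NotAction"
        else:
            matched = _covers_publish(_as_list(stmt.get("Action")))
            via = ", ".join(_as_list(stmt.get("Action")))
        if not matched:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # topic-scoped publish cannot target a phone number
        if stmt.get("Effect") == "Deny":
            if "Condition" not in stmt:
                denied = True
            continue
        note = " (conditional)" if "Condition" in stmt else ""
        findings.append(f"statement {index}: {via} on Resource *{note}")
    return [] if denied else findings


def audit(policies: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map policy name -> list of SMS-capable statements (empty if none)."""
    return {name: sms_capable_statements(doc) for name, doc in policies.items()}


# Constructed sample policies; the account ID and role names are fictitious.
SAMPLE_POLICIES = {
    "marketing-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}]},
    "alerts-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sns:Publish"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"}]},
    "admin-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "support-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sns:Publish", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'no SMS-capable statements'}")
```

This is a screen of identity policy documents only: effective permissions also depend on permission boundaries, service control policies and resource policies, so confirm hits with IAM Access Analyzer or the policy simulator. The same idea applies to the other providers the tool abuses (Twilio, Nexmo): list which API keys can send messages, and treat any change to that set, or to recipient lists, as something to alert on.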
| 2024-08-19 07:05:47 | thehackernews | NATION STATE ACTIVITY | North Korea's Lazarus Group Exploits Microsoft Windows Flaw | North Korea's Lazarus Group exploited a newly patched zero-day vulnerability in Microsoft Windows, identified as CVE-2024-38193 with a CVSS score of 7.8.
The bug is a privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) that gives an attacker SYSTEM privileges.
Microsoft addressed the vulnerability during its Patch Tuesday update, based on findings by Gen Digital researchers Luigino Camastra and Milánek.
The exploit was used to install FudModule, a rootkit that disables kernel security mechanisms to evade detection and keep unauthorized access to the system.
This mirrors an earlier Lazarus incident in which CVE-2024-21338, a flaw in the AppLocker driver (appid.sys), was used to deploy FudModule.
Both attacks exploit drivers already present in Windows rather than bringing a vulnerable third-party driver, which sidesteps driver blocklists and other defenses aimed at that technique.
The rootkit delivery was associated with a remote access trojan called Kaolin RAT, used selectively under specific conditions by Lazarus Group. | Details |
| 2024-08-19 05:44:17 | thehackernews | CYBERCRIME | Researchers Link New Infrastructure to FIN7 Cybercrime Activity | Cybersecurity researchers have identified new infrastructure utilized by the cybercrime group FIN7.
The discovery covers two clusters of activity, involving IP addresses assigned to hosting companies in Russia and Estonia.
Team Cymru led the investigation, working with Silent Push and Stark Industries Solutions, and found these IP addresses communicating with known FIN7-linked infrastructure.
The infrastructure was likely procured through resellers of Stark Industries' IP space.
Following responsible disclosure, the hosting services involved were suspended, alongside proactive monitoring for further abuse.
The investigation underscores the ongoing efforts of cybersecurity partnerships in tracking and mitigating cybercrime threats.
Additional details from metadata analyses affirmed the existence of established connections related to FIN7 activities. | Details |
| 2024-08-19 01:55:33 | theregister | MALWARE | EDR-Killing Malware EDRKillShifter Emerges as Growing Threat | Sophos analysts identified EDRKillShifter, a loader that neutralizes endpoint detection and response (EDR) software by loading a legitimately signed but vulnerable Windows driver and abusing it, ahead of ransomware deployment.
The tool is linked to the RansomHub ransomware, relies on publicly known driver vulnerabilities, and needs administrative privileges to load the driver, so least-privilege and driver hygiene limit its reach.
When run with the correct password argument, it decrypts an embedded payload and executes it in memory; that payload drops the vulnerable driver and then loops, terminating EDR processes so they cannot recover.
Prevention strategies include separating user and administrator privileges, enabling tamper protection in the EDR product, keeping systems and drivers updated, and enabling Microsoft's vulnerable driver blocklist.
Also in the roundup: a critical vulnerability in SolarWinds Web Help Desk, which the vendor urges customers to patch immediately even though it could not reproduce exploitation without authentication.
Misconfigured access controls on public NetSuite SuiteCommerce sites were found to let unauthenticated visitors read custom record types containing customer personally identifiable information (PII).
Ransomware continues to be a significant threat as evidenced by an attack on an Australian gold mining company, underscoring the importance of proactive cybersecurity defenses.
Attacks on healthcare systems remain notable, with a breach in Idaho resulting in the theft of nearly half a million patient records by a ransomware gang, emphasizing the need for constant vigilance in system security. | Details |
| 2024-08-17 14:37:10 | bleepingcomputer | CYBERCRIME | New Cyber Gang Uses Fake Windows Update to Steal Data | Mad Liberator, a new extortion group, targets users of AnyDesk, a popular remote desktop software.
The gang displays a fake Windows update screen to distract victims while stealthily exfiltrating data.
Attackers send unsolicited AnyDesk connection requests to the victim's device and gain control when the victim accepts.
During the fake update, the attacker disables the victim's keyboard and mouse input so the transfer cannot be interrupted.
Files from OneDrive, network shares and local storage are exfiltrated but not encrypted.
Ransom notes are then left in shared directories.
The group threatens breached companies with publication of stolen data unless ransom demands are met.
If firms do not engage within set timeframes, their data is publicly disclosed on Mad Liberator's darknet site. | Details |
| 2024-08-17 13:00:31 | bleepingcomputer | CYBERCRIME | Disinformation Campaign Abuses Azure, Google to Spread Malware | Several Microsoft Azure and OVH cloud subdomains, together with Google Search, are being abused in a disinformation and malware campaign.
Android users receive Google app notifications that lead them to misleading and harmful infotainment sites.
Fake articles about celebrities, such as Harry Connick Jr., spur misleading health rumors, driving traffic to scam websites.
The campaign games Google's ranking and "new info" notification features so that polluted results and alerts reach users.
Dangerous links within these articles redirect users to sites that distribute malware, spam, and counterfeit software.
Particular attention is needed for ads and scripts embedded in these sites, some of which falsely alert about viruses.
BleepingComputer highlights the need for caution when encountering sensational claims in search results. | Details |