Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12779
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-17 06:44:35 | thehackernews | NATION STATE ACTIVITY | OpenAI Thwarts Iranian Propaganda Effort Impacting U.S. Elections | OpenAI identified and disabled accounts involved in "Storm-2035," an Iranian influence operation utilizing ChatGPT to generate political content.
The operation produced content in English and Spanish discussing U.S. presidential candidates, international conflicts, and other political issues, which was disseminated through social media and bogus news websites.
Despite these efforts, the content achieved minimal social media engagement, and the articles were not shared to any significant degree across platforms.
The content appeared on websites posing as both conservative and progressive media outlets, aiming to target a broad U.S. audience.
Microsoft highlighted this activity as part of increased foreign influence targeting U.S. elections, also noting similar activities from Russian networks.
Phony sites involved, including EvenPolitics and Savannah Time, utilized AI tools for content creation and occasionally plagiarized from legitimate U.S. sources.
Google disrupted related Iranian-backed spear-phishing attempts targeting personal accounts in the U.S. and Israel, linked to the same operation.
Meta, addressing similar issues, noted an increase in disguised influence efforts, with tactics evolving to include non-political content and redirection techniques to evade detection. | Details |
| 2024-08-16 20:50:00 | theregister | DATA BREACH | Massive Data Leak Exposes 3 Billion Records from Florida Broker | Nearly 3 billion personal records, including sensitive information such as Social Security numbers, were leaked from National Public Data (NPD), a data broker based in Florida.
The compromised data comprises names, addresses, phone numbers, email addresses, and historical records going back 30 years, affecting individuals in the U.S., Canada, and the UK.
The leaked information, gathered by NPD from various public records between 2019 and 2024, was initially offered for sale on a cyber-crime forum before being distributed for free on the dark web.
NPD confirmed the breach only after the stolen data began appearing publicly; it traces the initial intrusion to December 2023.
NPD acknowledged the breach in what The Register called "cagey" language, referring to unauthorized access by a third-party bad actor and subsequent unauthorized disclosures of the data.
In response to the breach, NPD committed to improved IT security measures and cooperated with law enforcement and government bodies to manage the fallout.
The firm also advised affected individuals to place fraud alerts on their credit files to detect and prevent potential misuse of their compromised data.
Not all of the leaked data is accurate or current; the records contain numerous inaccuracies and duplicate entries. | Details |
| 2024-08-16 19:48:44 | theregister | DATA BREACH | Unicoin Reports Major G-Suite Security Breach to SEC | Unicoin, a cryptocurrency venture linked to Unicorn Hunters, faced a severe G-Suite compromise on August 9, leading to a temporary loss of access for all employees.
The attacker gained administrator privileges and altered all user passwords, effectively locking staff out of emails and other Google Workspace services until August 13.
Initial SEC filings reveal unauthorized access to emails and possible discrepancies in personal data held in corporate accounts, primarily affecting the accounting department.
Investigators also found indications of identity forgery, leading Unicoin to terminate one contractor's contract.
While no losses in cash or cryptocurrency assets have been reported, the full impact of the breach on Unicoin’s financials remains unclear.
The security lapse is under thorough investigation to understand the breach's nature and the extent of data exposure, including how the attack circumvented multi-factor authentication controls. | Details |
| 2024-08-16 19:07:47 | bleepingcomputer | MISCELLANEOUS | Microsoft Mandates MFA for Admin Portal Access by October | Microsoft has announced mandatory multi-factor authentication (MFA) for sign-ins to Azure admin portals starting October 15 as part of its Secure Future Initiative (SFI).
The initiative, aimed at reducing phishing and account hijacking, will require all Entra global admins to activate MFA or risk losing access to administrative features.
Between August 15 and October 15, global admins may request a postponement of enforcement until April 15, 2025, though delaying leaves accounts exposed for longer.
Notice of this enforcement will be communicated through emails and Azure Service Health Notifications, with 60-day advance warning provided to all relevant administrators.
A second phase, starting in early 2025, extends MFA enforcement to Azure sign-ins through other interfaces such as the Azure CLI, Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools.
Microsoft emphasizes the effectiveness of MFA in thwarting cyberattacks, stating that it blocks 99.99% of unauthorized access attempts on MFA-enabled accounts. | Details |
| 2024-08-16 17:20:42 | bleepingcomputer | DATA BREACH | National Public Data Breach Exposes Millions of SSNs Worldwide | National Public Data confirmed a data breach revealing sensitive personal information including Social Security numbers, names, and addresses.
Hackers leaked a stolen database affecting potentially billions of records, with millions of individual Social Security numbers exposed.
This breach was linked to a hacking attempt in late December 2023, with subsequent data leaks occurring in April and summer 2024.
NPD says its investigation and cooperation with law enforcement are ongoing, as is its review of potentially affected records.
BleepingComputer reported that parts of the database contained outdated or inaccurate information, complicating the use of the data.
The breach has already prompted a class action lawsuit against Jerico Pictures, the operator of National Public Data.
Individuals affected by the breach are advised to monitor their financial accounts and beware of phishing attempts using their leaked information. | Details |
| 2024-08-16 16:34:28 | thehackernews | CYBERCRIME | Widespread Cybercrime Campaign Misuses .env Files for Extortion | Attackers exploited exposed .env files containing sensitive credentials for cloud and social media services in a significant extortion campaign.
The malicious operations were carried out using the victims' Amazon Web Services (AWS) environments to scan and extract data from over 230 million targets.
The campaign, identified by Palo Alto Networks' Unit 42, did not encrypt data but rather exfiltrated it to leverage for ransom.
Threat actors manipulated AWS IAM access keys to escalate privileges, create roles, and execute automated scanning of potential victims' domains.
Over 90,000 unique variables were extracted and collected from compromised .env files, impacting thousands of cloud services and social media accounts.
The attack chain concluded with the threat actors deleting sensitive data from victims' buckets and issuing ransom demands, threatening to sell the data on the dark web.
Two IP addresses involved in the campaign were traced to Ukraine and Morocco; the attackers also used VPNs and the Tor network to mask their activities.
The campaign showcased sophisticated use of automation and advanced understanding of cloud architecture by the attackers. | Details |
| 2024-08-16 16:34:28 | bleepingcomputer | CYBERCRIME | SolarWinds Critical Vulnerability Exploited, Urgent Hotfix Issued | CISA issued a warning about active exploitation of a critical vulnerability in SolarWinds' Web Help Desk software.
The flaw, identified as CVE-2024-28986, enables attackers to execute code remotely on affected systems.
CISA added the flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by September 5; despite the available hotfix, unpatched systems remain at risk.
SolarWinds noted that the vulnerability was initially reported as unauthenticated, but its own testing could only reproduce exploitation with authentication.
SolarWinds has delivered a hotfix with detailed instructions for applying it, and advises taking backups first so the system can be restored if the update process fails.
The hotfix (Hotfix 1 for WHD version 12.8.3) should not be applied on installations that use SAML Single Sign-On, because it causes additional problems there.
The article also notes other RCE vulnerabilities patched this year in SolarWinds' Access Rights Manager product.
SolarWinds products are used by over 300,000 customers worldwide, underlining the reach of this flaw. | Details |
| 2024-08-16 15:07:39 | theregister | MISCELLANEOUS | Cloudflare Webinar to Unveil Latest Cybersecurity Trends and Strategies | Cloudflare is scheduled to host a webinar on August 20th to address the latest trends in cybersecurity.
The 2024 Global Security Brief will be discussed, aiming to provide insights essential for protecting organizations.
Experts Trey Guinn and Trevor Lyness will explore advanced DDoS tactics, API vulnerabilities, and AI-enhanced phishing.
The webinar will also cover the adoption of Zero Trust architecture to bolster cybersecurity measures.
Attendees will gain actionable knowledge and practical strategies to tackle current and emerging cyber threats. | Details |
| 2024-08-16 14:31:46 | thehackernews | CYBERCRIME | Russian National Imprisoned for Selling Stolen Credentials Online | A Russian hacker, Georgy Kavzharadze, aged 27, has been sentenced to over three years in prison for selling stolen login credentials on a dark web marketplace.
Kavzharadze pleaded guilty to conspiracy to commit bank fraud and wire fraud; he is also mandated to pay restitution amounting to $1,233,521.47.
Operating under aliases such as TeRorPP, Torqovec, and PlutuSS, he sold over 297,300 stolen login credentials on the dark web site Slilpp.
The stolen credentials facilitated fraudulent transactions worth approximately $1.2 million.
Kavzharadze’s Slilpp account listed 240,495 credentials that could potentially be used to access and steal from victims' online bank and payment accounts.
The illicit profits from the sale of these credentials are estimated at around $200,000.
Slilpp, which had operated since 2012 and was one of the largest credential marketplaces, was shut down in June 2021 following a coordinated international law enforcement effort. | Details |
| 2024-08-16 14:05:50 | bleepingcomputer | MISCELLANEOUS | Preventing Security Risks with Strong Password Policies | Keyboard walk passwords such as 'qwerty' and 'asdfgh' are easily cracked and pose significant security risks.
Recent research indicates that these predictable patterns frequently appear in compromised password datasets.
Specops Software offers a tool called Specops Password Auditor to identify keyboard walk vulnerabilities within Active Directory environments.
Hackers exploit keyboard walk patterns using automated brute force and dictionary attacks, which systematically test predictable sequences.
To combat this, organizations should educate users on strong passphrase creation and enforce password policies to block commonly used and predictable passwords.
Specops Password Policy assists in enhancing security by blocking weak passwords and scanning for compromised passwords against a database of over 4 billion records.
Enforcing rigorous password policies not only boosts cyber resilience but also helps organizations comply with standards such as NIST's password guidance.
Organizations are encouraged to take proactive measures by utilizing tools that prevent the use of vulnerable passwords and continuously monitor for potential breaches. | Details |
| 2024-08-16 13:09:34 | thehackernews | CYBERCRIME | Russian Hackers Impersonate Brands to Distribute Malware | Russian-speaking cyber criminals are utilizing fake brand sites to spread DanaBot and StealC malware through sophisticated phishing schemes.
The campaign, named 'Tusk', impersonates legitimate online platforms using bogus sites and social media accounts to trick victims into downloading malware.
Tusk consists of 19 sub-campaigns, with three currently active, where malware is distributed using Dropbox-hosted initial downloaders.
Victims are deceived into downloading a downloader, often posing as legitimate software, which then secretly downloads additional malicious payloads.
The malware harvests personal and financial information, which is then sold on the dark web or used to hijack cryptocurrency wallets and gaming accounts.
One sub-campaign mimics a popular peer communication platform, while another creates a fake MMO gaming site, both aimed to deploy similar malware payloads.
The use of social engineering, multi-stage malware delivery, and exploitation of trust in known platforms underline the sophisticated nature and high threat level of the attackers. | Details |
| 2024-08-16 11:42:44 | thehackernews | MALWARE | Multi-Stage ValleyRAT Malware Campaign Targets Chinese Users | Chinese-speaking users are being targeted by an advanced malware, ValleyRAT, featuring multi-stage attack capabilities and heavy usage of in-memory execution to reduce detection.
The malware impersonates legitimate applications and uses shellcode for its deployment, heavily obfuscating its presence on the system.
Post-infection, ValleyRAT achieves persistence and admin privileges, bypassing User Account Control (UAC) and disabling antivirus measures to operate unimpeded.
The command-and-control server coordinates the downloading of further malicious components, such as RuntimeBroker and RemoteShellcode, to perpetuate the malware's presence and control.
Specific evasion tactics include checking for virtual machine environments, and scanning for security software to terminate, ensuring the malware's survival.
ValleyRAT mainly targets systems associated with Chinese corporations, potentially affecting apps like Tencent WeChat and Alibaba DingTalk.
The ongoing campaign also attempts to exploit older vulnerabilities like CVE-2017-0199 in Microsoft Office for remote code execution, potentially linked to other malware dispersal methods.
The threat is linked to a group identified as Silver Fox, underlining the organized and targeted nature of these attacks. | Details |
| 2024-08-16 11:32:21 | thehackernews | MISCELLANEOUS | Enhancing SaaS Security Through Effective Due Diligence Tools | SaaS applications are crucial for organizational productivity but pose inherent security risks.
Proper due diligence of SaaS apps is vital to uncover and mitigate security gaps, protecting sensitive data.
Lack of thorough due diligence can result in severe consequences like data breaches and compliance issues.
AppOmni's Due Diligence Questionnaire (DDQ) and SaaS Event Maturity Matrix (EMM) are designed to streamline and improve the due diligence process.
These tools facilitate the systematic assessment and monitoring of audit logs, crucial for detecting and addressing security issues.
Using the DDQ and EMM can enhance an organization's ability to detect threats and react appropriately, thus increasing overall security posture. | Details |
| 2024-08-16 08:33:58 | thehackernews | MALWARE | Banshee Stealer Malware Targets macOS Browser Extensions | Cybersecurity researchers have identified a new malware known as Banshee Stealer, which targets Apple macOS systems to steal data.
Banshee Stealer is specialized in extracting information from various browsers, cryptocurrency wallets, and about 100 specific browser extensions.
The malware is being sold in cybercrime forums for $3,000 per month and includes capabilities to run on both x86_64 and ARM64 macOS architectures.
Among other functionalities, it can harvest data from the iCloud Keychain, passwords, Notes, and various document types, then sends this data to a remote server.
Banshee includes sophisticated evasion techniques, such as checks to avoid running on systems with Russian as the primary language and mechanisms to determine if it's being analyzed in a virtual environment.
The malware also employs deceptive tactics such as displaying a fake password prompt to trick users into providing their system passwords for further privileges.
This discovery highlights the increasing focus of cybercriminals on macOS users, a trend accompanied by parallel developments in other types of macOS and Windows-based stealer malware. | Details |
| 2024-08-16 07:17:11 | thehackernews | MALWARE | Google Pixel Phones Pre-installed with High-Risk Demo App | Google Pixel devices since September 2017 shipped with a pre-installed app called "Verizon Retail Demo Mode," posing security risks.
The app, developed by Smith Micro and not by Google, has extensive system privileges that could allow code execution and package installation.
It retrieves its configuration over an unencrypted HTTP connection, making it susceptible to tampering in transit (adversary-in-the-middle, AitM, attacks).
The app is embedded in the Android firmware as required by Verizon, raising concerns over third-party software inclusion in the operating system.
Although the app is not enabled by default and exploitation requires physical access to the device and developer mode, its high privilege level means users cannot uninstall it themselves.
No active exploitation has been reported, yet the potential risk has prompted Google to plan its removal via an upcoming software update.
The update to remove the app will reach all supported in-market Pixel devices; the new Pixel 9 series does not ship with the app. | Details |
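The .env extortion campaign entry above describes a chain that a defender can look for in CloudTrail: a leaked IAM access key is first used for reconnaissance, then to create a role and attach an administrator policy, and finally to delete objects from S3 buckets before the ransom demand. The following detector is an added example written for this brief, not code from Unit 42 or from the original article. The event records are constructed, CloudTrail-shaped samples; the access key IDs are AWS's documented placeholder keys, not real credentials, and the role and bucket names are made up.

```python
"""Flag IAM access keys whose CloudTrail activity matches the stolen-key chain
from the .env extortion campaign: recon -> privilege escalation -> S3 deletion.
Added illustration, not Unit 42's or the page's code. Sample events are
constructed; key IDs are AWS documentation placeholders."""
from collections import defaultdict
from datetime import datetime

# Real CloudTrail eventName values, grouped by the stage of the chain they mark.
RECON = {"GetCallerIdentity", "ListUsers", "ListBuckets", "ListRoles"}
ESCALATION = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
              "CreateUser", "CreateAccessKey"}
DESTRUCTION = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _event(ts, source, name, access_key, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": access_key},
            "requestParameters": params}


# Constructed sample log: one leaked key walks the whole chain; a second key
# does ordinary work (recon-like calls plus an upload) and must not be flagged.
SAMPLE_EVENTS = [
    _event("2024-08-10T01:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAIOSFODNN7EXAMPLE"),
    _event("2024-08-10T01:00:04Z", "s3.amazonaws.com", "ListBuckets", "AKIAIOSFODNN7EXAMPLE"),
    _event("2024-08-10T01:02:11Z", "iam.amazonaws.com", "CreateRole", "AKIAIOSFODNN7EXAMPLE",
           roleName="constructed-example-role"),
    _event("2024-08-10T01:02:15Z", "iam.amazonaws.com", "AttachRolePolicy", "AKIAIOSFODNN7EXAMPLE",
           roleName="constructed-example-role", policyArn=ADMIN_POLICY),
    _event("2024-08-10T01:41:30Z", "s3.amazonaws.com", "DeleteObject", "AKIAIOSFODNN7EXAMPLE",
           bucketName="example-victim-bucket", key="customers.csv"),
    _event("2024-08-10T09:15:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAI44QH8DHBEXAMPLE"),
    _event("2024-08-10T09:15:02Z", "s3.amazonaws.com", "ListBuckets", "AKIAI44QH8DHBEXAMPLE"),
    _event("2024-08-10T09:16:40Z", "s3.amazonaws.com", "PutObject", "AKIAI44QH8DHBEXAMPLE",
           bucketName="example-victim-bucket", key="report.pdf"),
]


def _ts(value):
    # CloudTrail timestamps are ISO 8601 with a trailing Z; give fromisoformat an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _stage(event):
    name = event["eventName"]
    if name in RECON:
        return "recon"
    if name in ESCALATION:
        return "escalation"
    if name in DESTRUCTION:
        return "destruction"
    return None


def detect_key_abuse(events, window_hours=24):
    """Return one finding per access key that escalates privileges and then
    either attaches AdministratorAccess or deletes S3 data, with all of the
    key's activity inside the time window. Stages are listed in the order
    they were first seen, so recon-before-escalation is visible to the analyst."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        stages, admin_policy = [], False
        for ev in evs:
            stage = _stage(ev)
            if stage and stage not in stages:
                stages.append(stage)
            if (ev["eventName"] == "AttachRolePolicy"
                    and ev["requestParameters"].get("policyArn") == ADMIN_POLICY):
                admin_policy = True
        span_hours = (_ts(evs[-1]["eventTime"]) - _ts(evs[0]["eventTime"])).total_seconds() / 3600
        if ("escalation" in stages and (admin_policy or "destruction" in stages)
                and span_hours <= window_hours):
            findings.append({"accessKeyId": key, "stages": stages,
                             "admin_policy": admin_policy,
                             "first_seen": evs[0]["eventTime"],
                             "last_seen": evs[-1]["eventTime"]})
    return findings


if __name__ == "__main__":
    for finding in detect_key_abuse(SAMPLE_EVENTS):
        print(finding)
```

Run against real data by replacing SAMPLE_EVENTS with the `Records` array of a CloudTrail log file. The key-centric grouping matters here: in this campaign the abused identity was a legitimate application key lifted from a .env file, so user-name based alerting would look normal; what stands out is one key performing IAM write calls it has never needed before and then deleting data within the same short window.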
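The keyboard-walk password entry above says that 'qwerty'-style sequences should be blocked by policy but does not show how such a pattern is recognised. The following checker is an added example written for this brief, not Specops code or anything from the original article. It assumes a standard US QWERTY layout and treats two characters as part of a walk when their keys are physically adjacent, horizontally or across the staggered rows, so reversed walks ('ytrewq'), diagonal walks ('1qaz2wsx') and shifted variants ('!QAZ') are all caught.

```python
"""Detect keyboard-walk passwords by checking whether consecutive characters
sit on physically adjacent keys of a US QWERTY layout.
Added illustration, not Specops code. The row layout and adjacency rule are
assumptions about a standard US keyboard."""

# Main rows in physical order. The backtick key is omitted so that column
# indices line up with the stagger: 'q' sits under '1' and '2', 'a' under 'q'
# and 'w', 'z' under 'a' and 's'.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# Shifted symbols map back to the key that produces them, so '!QAZ' is still a walk.
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"<>?', '1234567890-=[]\\;\',./'))

POSITION = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def _key(ch):
    """Map a character to its (row, column) key position, or None if unknown."""
    ch = ch.lower()
    return POSITION.get(SHIFTED.get(ch, ch))


def _adjacent(a, b):
    """True if b's key physically touches a's key. A repeated key or a
    character not on the main rows never extends a walk."""
    pa, pb = _key(a), _key(b)
    if pa is None or pb is None or pa == pb:
        return False
    r, c = pa
    # Same row: left and right neighbours. Row above: because each row is
    # offset by about half a key, the key overlaps columns c and c+1 above it,
    # and therefore columns c and c-1 of the row below.
    return pb in {(r, c - 1), (r, c + 1),
                  (r - 1, c), (r - 1, c + 1),
                  (r + 1, c), (r + 1, c - 1)}


def longest_keyboard_walk(password):
    """Length of the longest run of consecutive, mutually adjacent keys."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def audit_password(password, min_run=4):
    """Policy check: reject when any keyboard walk of min_run keys or more is present."""
    walk = longest_keyboard_walk(password)
    return {"longest_walk": walk, "keyboard_walk": walk >= min_run}


if __name__ == "__main__":
    for candidate in ["qwerty", "1qaz2wsx", "!QAZ2wsx", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(candidate, audit_password(candidate))
```

A threshold of four adjacent keys catches the common walks without rejecting ordinary words, which rarely chain more than two or three adjacent keys (every example passphrase above scores 2). Dropping into a password filter, this check complements a breached-password lookup rather than replacing it: a walk that has never appeared in a leak is still trivially enumerable by an attacker who generates adjacency sequences directly.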