Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 12779

Checks for new stories every ~15 minutes

2024-08-15 19:17:59 theregister MISCELLANEOUS DARPA's AI Cyber Challenge Progress: Open Source Twist
DARPA, together with ARPA-H, has awarded $14 million to the seven AIxCC semifinalist teams ($2 million each) to keep developing AI systems that find and fix vulnerabilities in the open source software underpinning critical infrastructure. Finalists must open-source their systems, with the Open Source Security Foundation (OpenSSF) acting as steward; the exact terms of that hand-off will be settled at next year's finals. The semifinal round at DEF CON showed what the approach can do: across challenge projects including Jenkins and the Linux kernel, the competing systems discovered 22 synthetic vulnerabilities and patched 15 of them. The competition offers $29.5 million in total prizes, with the finals' awards conditional on the open source commitments. AIxCC's stated goal is to turn AI capabilities into practical tools for hardening the software that vital infrastructure depends on.
2024-08-15 18:03:20 bleepingcomputer MALWARE New Malware Tactic Targets Security Software in RansomHub Attacks
RansomHub ransomware affiliates are using a new tool, EDRKillShifter, to disable Endpoint Detection and Response (EDR) products before deploying ransomware. Sophos found it while investigating a May 2024 intrusion in which the attackers failed both to disable Sophos protection and to run the ransomware. EDRKillShifter is a loader for bring-your-own-vulnerable-driver (BYOVD) attacks: it drops a signed but vulnerable driver, loads it by registering a new service, and then uses the driver's kernel-level access to terminate the processes on a hardcoded list of security software. Sophos identified two variants that load different drivers, but both rely on publicly documented driver vulnerabilities with proof-of-concept exploits on GitHub. The loader was compiled on a system with Russian localization, and EDR-killing techniques of this kind are used by financially motivated and state-backed groups alike. Sophos recommends enabling tamper protection in EDR products, keeping a strict separation between user and administrator privileges, and keeping systems updated. Sophos previously documented a similar tool, AuKill, that exploited different drivers in several ransomware campaigns, illustrating how attacks on EDR keep evolving.
2024-08-15 16:41:39 theregister NATION STATE ACTIVITY Iran's APT42 Cyber Attacks on US and Israeli Officials Intensify
Google's Threat Analysis Group (TAG) reports a rise in attacks by Iran's APT42 against political and defense officials. APT42, which Google links to the Islamic Revolutionary Guard Corps, ran spear-phishing campaigns that impersonated NGOs and spoofed email-provider sign-in pages. Targets included people associated with US President Joe Biden's and former President Donald Trump's campaigns as well as a range of US and Israeli officials. The lures included fake Google Meet invitations and charity sites that led to credential-harvesting pages. Google says it detected and blocked numerous attempts, including attempts to log in to targeted accounts and tamper with their email. The operators often opened with benign rapport-building messages before moving to credential-harvesting tooling. APT42 continues to refine its phishing kits, adding features designed to defeat defenses such as MFA. Google also reports a surge of similar activity against Israeli targets, rising and falling with geopolitical tensions.
2024-08-15 16:31:08 theregister NATION STATE ACTIVITY Google Exposes APT42's Spear-phishing Campaign Targeting US, Israeli Officials
Google's Threat Analysis Group (TAG) attributes a recent wave of targeted spear-phishing to Iran's APT42, which it links to the IRGC. The targets are prominent US and Israeli political, defense and academic figures, including continuing attempts against US politicians involved in current and upcoming elections. APT42 uses fake NGO personas and Google Meet redirects, among other methods, to steal credentials and take over email accounts. Google has seen a notable uptick since May aimed at the personal email accounts of people affiliated with major US political campaigns and leaders. The group combines purpose-built credential-harvesting tools with social engineering to raise the success rate of its phishing. Attack frequency peaks alongside geopolitical tensions, particularly against Israeli targets, with lures themed around current conflicts. Google has blocked many of the attempts and taken protective action for affected users, such as revoking compromised application-specific passwords.
2024-08-15 15:29:21 bleepingcomputer MALWARE Microsoft Withdraws BitLocker Update Due to Firmware Issues
Microsoft has disabled a security update for a BitLocker bypass vulnerability (CVE-2024-38058) because it caused firmware incompatibility problems. Users reported that devices were forced into BitLocker recovery mode after installing the fix, and Microsoft withdrew it in the August 2024 security release. The vulnerability lets an attacker with physical access bypass BitLocker Device Encryption and read encrypted data. In place of the withdrawn fix, Microsoft points to a four-stage manual mitigation procedure that involves restarting affected devices eight times. Once that mitigation has been applied to a device that uses Secure Boot it cannot be reversed, even by reformatting the disk, so Microsoft advises extensive testing before rolling it out. In the same month, Microsoft also fixed a separate problem in an earlier update that sent devices into BitLocker recovery mode; that issue was not related to CVE-2024-38058.
2024-08-15 13:21:04 thehackernews MALWARE SolarWinds and Palo Alto Networks Patch Critical Vulnerabilities
SolarWinds has patched a critical remote code execution vulnerability (CVE-2024-28986, CVSS 9.8) in its Web Help Desk software. The flaw is a deserialization issue that lets an attacker run commands on the host machine. SolarWinds initially described it as exploitable without authentication but later said it could not reproduce exploitation without authentication. All Web Help Desk versions up to 12.8.3 are affected; the fix ships as hotfix 12.8.3 HF 1. Separately, Palo Alto Networks fixed a high-severity command injection vulnerability (CVE-2024-5914, CVSS 7.0) in the CommonScripts content pack for its Cortex XSOAR platform, affecting all CommonScripts versions before 1.12.33; it allows an unauthenticated attacker to execute commands in the context of an integration container. Users are urged to update Cortex XSOAR and, as a precaution, to review and reset all configured secrets, passwords, and tokens on PAN-OS firewalls.
2024-08-15 12:24:31 theregister CYBERCRIME Russian Cybercriminal Jailed for Selling Stolen Login Credentials
Georgy Kavzharadze, a 27-year-old Russian national, has been sentenced to 40 months in US prison for selling stolen login credentials on the dark web marketplace Slilpp. Between July 2016 and May 2021 he listed more than 626,000 stolen credentials on Slilpp and sold over 297,300 of them. Slilpp operated for nearly a decade before international law enforcement took it down in 2021, seizing data on transactions, payments and users. The credentials Kavzharadze sold, many for bank accounts, were used for identity theft and unauthorized money transfers; prosecutors originally put the resulting fraud at over $5 million, and the restitution order is for $1.2 million. Investigators traced more than $200,000 in Bitcoin payments to Kavzharadze, worth more than $450,000 at current exchange rates. Slilpp has been likened to Amazon or eBay for stolen credentials: it offered logins for more than 1,400 account providers and is estimated to have caused more than $200 million in losses.
2024-08-15 11:48:26 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Spear-Phish Eastern European NGOs and Media
Two distinct spear-phishing campaigns have targeted Russian and Belarusian NGOs, independent Russian media, and international NGOs working in Eastern Europe. One is attributed to COLDRIVER, a group linked to Russia's FSB; the other to a newly identified cluster tracked as COLDWASTREL. Targets have also included Russian opposition figures living abroad, US think tank staff, academics, and a former US ambassador to Ukraine. The attackers sent highly tailored emails from Proton Mail accounts impersonating people the target knew, typically with a PDF that led to a credential-harvesting page. The activity dates back to at least March 2023 and relies on social engineering to build credibility and avoid arousing suspicion. COLDRIVER and COLDWASTREL differ in the content and metadata of their PDFs and in the look-alike domains they use for credential theft. The continued reliance on plain phishing shows how effective and cheap it remains: it lets the operators pursue targets worldwide without exposing more advanced capabilities.
2024-08-15 11:07:17 thehackernews MISCELLANEOUS Guide to Implementing Effective Identity Threat Detection
Identity Threat Detection and Response (ITDR) has become essential for countering identity-based attacks across modern environments. ITDR tooling is meant to surface suspicious activity involving both human identities (employees, contractors) and non-human ones (bots, service accounts). An effective ITDR program spans IaaS, SaaS and PaaS rather than treating each layer's security in isolation. Core capabilities include an identity inventory, risk assessment, anomaly detection, and incident response, along with detailed activity monitoring and change tracking across the organization's technology stacks. More advanced solutions map access patterns and authentication methods and verify that multi-factor authentication (MFA) is enforced broadly. Organizations are encouraged to adopt ITDR solutions that can correlate related events into incidents and drive an appropriate response.
2024-08-15 10:46:45 thehackernews MALWARE RansomHub Group Enhances Capability with New EDR-Killing Tool
RansomHub, which is linked to Knight ransomware, is using a new tool, EDRKillShifter, to disable endpoint detection and response (EDR) software. Sophos identified it during a ransomware attack it thwarted in May 2024 and describes it as a loader for exploit-ready vulnerable drivers: it takes a password supplied on the command line, decrypts an embedded payload, and executes it to load the vulnerable driver used against EDR solutions. Because the loader can carry different driver payloads, it can be adapted to the requirements of a given attack, a sign of how cybercrime tooling keeps evolving. Microsoft separately reports that Scattered Spider, a major e-crime group, has added RansomHub to the ransomware strains it deploys. The malware's properties point to Russian-speaking developers, further complicating the geopolitical and cyber defense picture. Recommended defenses are regular system updates, enabling EDR tamper protection, and strict separation of administrator and user privileges.
2024-08-15 10:31:12 theregister CYBERCRIME New Extortion Gang Uses Anydesk for Ransom Operations
Sophos X-Ops has identified a new extortion group, Mad Liberator, that abuses the remote-access tool AnyDesk to get into organizations, exfiltrate data, and then demand a ransom not to leak it. The group's initial attacks involved data theft without encryption, though later reports suggest it has since encrypted files as well; it runs a leak site and uses double-extortion tactics, threatening to publish stolen files if the ransom is not paid. Victims are typically employees who accept an unsolicited AnyDesk connection request; AnyDesk is a legitimate tool widely used for remote device management. AnyDesk assigns each device a 10-digit ID, so an attacker needs a target's ID before a connection request can even be sent. Once connected, the intruder runs a deceptive binary (a fake Windows Update screen) to keep the user from noticing and uses tools including AnyDesk's FileTransfer and Advanced IP Scanner to exfiltrate data and map the network. An intrusion can last several hours and ends with the attacker relinquishing control of the device after manually running its ransom scripts.
2024-08-15 07:11:33 thehackernews NATION STATE ACTIVITY Cyber Espionage Campaign Targets Diplomats in Azerbaijan and Israel
A previously unknown threat actor, tracked as Actor240524, has been conducting targeted attacks against diplomats in Azerbaijan and Israel to steal sensitive information. NSFOCUS detected the campaign on July 1, 2024; it uses spear-phishing emails carrying malicious Microsoft Word attachments. The documents ask recipients to enable macros; the macro then executes a loader, ABCloader, which deploys the next stage. ABCloader then installs a second component, ABCsync, which communicates with a remote server so the attackers can execute commands and exfiltrate data. ABCsync includes anti-sandbox and anti-analysis checks to avoid detection, and both components use string encryption to hide key values from security tools. The apparent aim is to collect intelligence on diplomatic communications and activity between Azerbaijan and Israel, two countries with significant political and economic ties.
2024-08-15 06:50:53 thehackernews CYBERCRIME GitHub Vulnerability 'ArtiPACKED' Risks Repository Takeovers
A GitHub Actions attack vector dubbed ArtiPACKED shows how workflow artifacts can be abused for repository takeover and unauthorized access to cloud environments. Flaws and misconfigurations cause artifacts to leak credentials such as GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN, and the artifacts are downloadable by anyone with read access to the repository. With those tokens an attacker can push code to the repository and trigger its deployment through CI/CD workflows. Artifacts exist to share data between workflow jobs and are retained for 90 days, which makes an accidental leak long-lived, especially in open source projects. ACTIONS_RUNTIME_TOKEN, an undocumented variable, is valid for six hours and can be used to replace an artifact with a malicious one, leading to remote code execution in jobs that consume it. Because GITHUB_TOKEN is only valid while the run is in progress, one attack scenario is a race: download the artifact while the workflow is still running and use the token before it expires to inject code into the repository. Affected open source repositories included ones maintained by Amazon Web Services, Google, and Microsoft. GitHub classified the issue as informational, leaving users to secure their own artifacts and to critically assess what they upload.
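To make the leak mechanism concrete, here is an added example, not code from the ArtiPACKED research or from GitHub, that unpacks a downloaded artifact in memory and scans it for the token shapes the summary describes. Everything in it is an assumption of this example rather than something the page states: the `ghs_`/`ghp_` prefix with a 36-character body for GITHUB_TOKEN, the JWT shape of ACTIONS_RUNTIME_TOKEN, the basic-auth `extraheader` that actions/checkout writes into `.git/config` when it persists credentials, and the sample artifact, file names and token values, which are all constructed.

```python
"""Scan an extracted GitHub Actions artifact for leaked CI credentials.

Added example, not code from the ArtiPACKED research or from GitHub.
The token formats below (ghs_/ghp_ prefix with a 36-character body,
ACTIONS_RUNTIME_TOKEN as a JWT, the basic-auth extraheader that
actions/checkout writes into .git/config) are this example's assumptions,
and every sample file and token value is constructed.
"""
from __future__ import annotations

import base64
import io
import re
import zipfile
from dataclasses import dataclass

# GITHUB_TOKEN (ghs_) and personal tokens (ghp_) share the same shape.
GITHUB_TOKEN_RE = re.compile(r"\bgh[ps]_[A-Za-z0-9]{36}\b")
# ACTIONS_RUNTIME_TOKEN turns up in environment dumps and runner logs.
RUNTIME_TOKEN_RE = re.compile(
    r"ACTIONS_RUNTIME_TOKEN\s*[=:]\s*(eyJ[\w-]+\.[\w-]+\.[\w-]+)")
# actions/checkout stores GITHUB_TOKEN in .git/config as a basic-auth header
# (base64 of "x-access-token:<token>") unless persist-credentials is false,
# so uploading the whole working tree ships the token with the artifact.
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass(frozen=True)
class Finding:
    path: str   # member of the artifact zip
    kind: str   # which secret shape matched
    token: str  # masked; the full value is never reported


def mask(secret: str) -> str:
    """Keep just enough of the value to correlate with a token revocation."""
    return secret[:8] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    found: list[Finding] = []
    for m in GITHUB_TOKEN_RE.finditer(text):
        found.append(Finding(path, "github_token", mask(m.group(0))))
    for m in RUNTIME_TOKEN_RE.finditer(text):
        found.append(Finding(path, "actions_runtime_token", mask(m.group(1))))
    for m in EXTRAHEADER_RE.finditer(text):
        # The header value is base64; decode it to confirm a token is behind it.
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        tok = GITHUB_TOKEN_RE.search(decoded)
        found.append(Finding(path, "git_extraheader",
                             mask(tok.group(0)) if tok else "<undecodable>"))
    return found


def scan_artifact(zip_bytes: bytes) -> list[Finding]:
    """Unpack an artifact zip in memory and scan each member as text."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            findings.extend(scan_text(info.filename, text))
    return findings


# Constructed sample artifact: a build output that accidentally includes the
# checked-out .git directory and a debug dump of the runner environment.
FAKE_GHS = "ghs_" + "abcdefghijklmnopqrstuvwxyz0123456789"  # fake, 36-char body
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzY3AiOiJBY3Rpb25zIn0.c2lnbmF0dXJl"  # fake


def build_sample_artifact() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dist/app.js", "console.log('hello');\n")
        header = base64.b64encode(f"x-access-token:{FAKE_GHS}".encode()).decode()
        zf.writestr(".git/config",
                    "[core]\n\trepositoryformatversion = 0\n"
                    '[http "https://github.com/"]\n'
                    f"\textraheader = AUTHORIZATION: basic {header}\n")
        zf.writestr("debug/env.txt",
                    "CI=true\nGITHUB_REPOSITORY=example/repo\n"
                    f"ACTIONS_RUNTIME_TOKEN={FAKE_JWT}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_artifact(build_sample_artifact()):
        print(f"{f.path}: {f.kind} {f.token}")
```

Pass the bytes of a real downloaded artifact to scan_artifact to use it for triage. A git_extraheader finding means the workflow uploaded a checked-out tree with persisted credentials; the usual fixes are to narrow the upload path so .git is excluded or to set persist-credentials: false on actions/checkout, and to rotate any token that has already shipped.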
2024-08-15 06:35:20 theregister DATA BREACH Kakao Pay Illegally Shares Data with Alipay, Faces Regulatory Scrutiny
Korea's Financial Supervisory Service (FSS) says Kakao Pay shared data on more than 40 million users with Alipay without their consent. The data included Kakao account IDs, mobile phone numbers, email addresses, subscription histories and transaction details. Kakao Pay argued that the sharing was part of a business partnership with Alipay to enable overseas payments and that all of the data was encrypted. The FSS found that the partnership agreement did not designate Alipay as a data processor and that Kakao Pay's customer agreements did not disclose the use of any data processing service. It also found that far more data was shared than payment processing required, in violation of Korea's Credit Information Use and Protection Act, and raised concerns that the data could be used for marketing aimed at competing with Korean firms. Kakao Pay's share price fell sharply after the findings became public, adding financial strain to a company already dealing with the legal troubles of Kakao's founder. The FSS plans further inspections and a full legal review covering similar cases of data misuse.
2024-08-15 05:13:05 thehackernews MALWARE New Gafgyt Botnet Variant Mines Crypto Via SSH Exploits
Researchers have identified a new variant of the Gafgyt botnet that brute-forces SSH servers with weak passwords and uses them to mine cryptocurrency. Where earlier Gafgyt versions enslaved IoT devices such as routers and DVRs for distributed denial-of-service (DDoS) attacks, this variant targets cloud-native servers and harnesses their GPUs to boost mining output. It kills competing malware on the host, scans the internet for further SSH servers to spread to, and runs XMRig to mine Monero with flags that enable GPU mining. The evidence links Gafgyt and the Necro botnet to the Keksec group, previously known as Kek Security and FreakOut. With more than 30 million SSH servers publicly accessible on the internet, the potential scale of the threat is considerable; the findings underline the need for strong authentication and brute-force protection on SSH.
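The brute-force entry point described above leaves an obvious trail in sshd logs. The following is an added example, not code from the Gafgyt research, that reads OpenSSH auth log lines, flags a source address that fails password authentication five or more times within a minute, and separately flags a successful password login from an address that was brute-forcing moments earlier (a guessed credential rather than a typo). The log lines, hostname, usernames and addresses are constructed; the year is assumed because syslog timestamps omit it, and the window and threshold are arbitrary tuning choices.

```python
"""Flag SSH password brute-forcing in OpenSSH auth logs.

Added example, not code from the Gafgyt research. The log lines, host,
users and addresses below are constructed; the year is assumed (syslog
timestamps carry none), and WINDOW_SECONDS/THRESHOLD are tuning choices.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <ip>"
# lines OpenSSH writes for authentication attempts.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

WINDOW_SECONDS = 60   # sliding window per source address
THRESHOLD = 5         # failures within the window that count as brute force


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str   # "Accepted" or "Failed"
    method: str   # "password", "publickey", ...
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    kind: str     # "brute_force" or "success_after_brute_force"
    ip: str
    user: str
    failures: int


def parse_line(line: str, year: int = 2024) -> Event | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["result"], m["method"], m["user"], m["ip"])


def detect(lines: list[str], window: int = WINDOW_SECONDS,
           threshold: int = THRESHOLD) -> list[Alert]:
    recent: dict[str, deque[datetime]] = defaultdict(deque)  # ip -> failure times
    flagged: set[str] = set()
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev.ip]
        # Drop failures that have aged out of the window.
        while q and (ev.ts - q[0]).total_seconds() > window:
            q.popleft()
        if ev.result == "Failed":
            q.append(ev.ts)
            if len(q) >= threshold and ev.ip not in flagged:
                flagged.add(ev.ip)
                alerts.append(Alert("brute_force", ev.ip, ev.user, len(q)))
        elif ev.method == "password" and len(q) >= threshold:
            # A password login succeeding right after a burst of failures is
            # the signature of a guessed credential.
            alerts.append(Alert("success_after_brute_force", ev.ip, ev.user, len(q)))
    return alerts


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Aug 15 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Aug 15 03:12:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Aug 15 03:12:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51251 ssh2",
    "Aug 15 03:12:07 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51260 ssh2",
    "Aug 15 03:12:09 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51271 ssh2",
    "Aug 15 03:12:12 web1 sshd[2230]: Accepted password for root from 203.0.113.7 port 51280 ssh2",
    "Aug 15 03:13:40 web1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40112 ssh2",
    "Aug 15 03:13:55 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.9 port 40120 ssh2",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.kind}: {a.ip} user={a.user} failures_in_window={a.failures}")
```

The sliding window is per source address, so a slow scanner that spreads guesses across many hosts will not trip the threshold; correlating failures across the fleet, and disabling password authentication in favour of keys, closes that gap.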