Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12779

Checks for new stories every ~15 minutes

2024-08-14 09:39:08 theregister NATION STATE ACTIVITY Lenovo's Role in US Cyber Defense Sparks Security Debate
Lenovo, a major global PC supplier, has joined the US Cybersecurity and Infrastructure Security Agency's (CISA) Joint Cyber Defense Collaborative (JCDC) to help protect critical US infrastructure. Given Lenovo's Chinese origins and the US's increasing wariness of Chinese technology firms on security grounds, its involvement raises questions about potential national security implications. Lenovo, originally founded in Beijing and now headquartered in Hong Kong, bought IBM's PC division and x86 server business, enhancing its market presence. US Congressional concerns have been voiced regarding Lenovo's alleged ties to the Chinese government and military, claims Lenovo fiercely denies. CISA has not publicly clarified the rationale behind Lenovo's inclusion in the JCDC, amid ongoing critiques and security concerns raised by various stakeholders. Lenovo claims commitment to "Secure by Design" principles, seeking to demonstrate its dedication to cybersecurity amid scrutiny. Industry experts argue that Lenovo's international corporate structure and leadership diversification contribute to its trustworthiness compared to other Chinese companies. The situation underlines geopolitical tensions affecting the global tech industry, with significant implications for international cybersecurity collaboration.
2024-08-14 06:50:43 thehackernews DDOS Sharp Rise in DDoS Attacks in Early 2024, Gcore Report Highlights
DDoS attacks increased by 46% in the first half of 2024 compared to the same period in 2023, reaching nearly 445,000 incidents. The most powerful DDoS attack recorded in this period was 1.7 Tbps, slightly higher than the previous year's 1.6 Tbps. The gaming and gambling industries were the most targeted, accounting for 49% of the total DDoS attacks. There was a notable rise in attacks against the technology sector, which doubled to represent 15% of total attacks. Financial services, telecoms, and e-commerce were also significantly affected, contributing 12%, 10%, and 7% of the total number of attacks respectively. Application-layer attacks predominantly affected industries that depend on transaction processing and content delivery, such as financial services and e-commerce. The nature and tactics of DDoS attacks are becoming increasingly personalized, underscoring the need for advanced, tailored defensive measures. Although most attacks were brief, some lasted as long as 16 hours, reinforcing the importance of robust and responsive mitigation strategies.
2024-08-14 06:35:05 theregister MISCELLANEOUS India's TRAI Steps Up to Curb Telemarketing Abuses Effectively
India's Telecom Regulatory Authority (TRAI) has directed telcos to ban unregistered telemarketers from using networks for up to two years to combat spam calls. Telemarketers not registered with the regulatory authority will have their access to network services terminated if they break TRAI’s anti-spam rules. All information regarding banned telemarketers will be shared among telcos using a blockchain-enabled distributed ledger technology platform within 24 hours to prevent service hopping. Telcos are required to submit compliance reports within a week of the directive and provide bi-monthly updates on their progress in banning spammers. Previously, unregistered telemarketers were given three chances before a complete ban, with penalties escalating from warnings to service restrictions. Despite measures taken previously, TRAI has received over 1.2 million complaints in 2023 and nearly 790,000 in the first half of 2024, indicating persistent issues with spam. The introduction of blockchain for managing the registry of telemarketers has seen a reduction in complaints by 60% between early 2021 and late 2022, though problems with registration and one-time login codes persist. In response to inadequate results from past efforts, TRAI plans to implement AI to enhance spam and scam prevention, though the results of this AI integration have not yet been disclosed.
2024-08-14 05:54:02 thehackernews CYBERCRIME Microsoft Patches 90 Security Flaws, Includes 10 Zero-Days
Microsoft released updates addressing 90 security vulnerabilities, 10 of which are zero-days. Six of these zero-days are being actively exploited, prompting immediate security responses. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has required federal agencies to apply these patches by September 3, 2024. Significant exploits include a SmartScreen bypass and a privilege escalation flaw in the Print Spooler component. Additional vulnerabilities include exposure of NTLM hashes and potential downgrade attacks on Windows files. Microsoft noted two flaws, CVE-2024-38202 and CVE-2024-21302, that have yet to be patched. A reported DoS issue leading to system crashes was deemed non-critical by Microsoft, with future updates pending. Other vendors also released security updates recently, indicating a broader focus on cybersecurity across the industry.
2024-08-14 05:23:19 thehackernews CYBERCRIME Critical Security Patch for Ivanti Virtual Traffic Manager Flaw
Ivanti has issued updates fixing a critical vulnerability in Virtual Traffic Manager (vTM) that could allow authentication bypass and rogue admin creation. The flaw, identified as CVE-2024-7593, is severe with a CVSS score of 9.8 and affects several versions of vTM. Attackers could exploit the vulnerability to gain unauthorized access to the admin panel without authentication. Temporary mitigations include limiting management interface access to trusted IPs. Although not yet exploited in the wild, a proof of concept is publicly available, heightening the risk. Ivanti also patched additional vulnerabilities in Neurons for ITSM and Avalanche, addressing information disclosure and potential DoS attacks. Users are urged to apply these security patches immediately to safeguard their systems from potential threats.
2024-08-14 05:02:39 thehackernews NATION STATE ACTIVITY Earth Baku Expands Cyber Operations Across Continents
Earth Baku, a China-backed cyber threat group, has extended its operations to Europe, the Middle East, and Africa as of late 2022. The newly targeted countries include Italy, Germany, the UAE, and Qatar, with possible activity in Georgia and Romania. Key sectors targeted by Earth Baku encompass governments, media, telecoms, technology, healthcare, and education. The group gains entry through public-facing applications such as IIS servers and deploys advanced malware such as StealthReacher and SneakCross. Recent reports link Earth Baku to previous campaigns using malware families including DodgeBox and MoonWalk, identified under different names by different cybersecurity firms. Attack methods include using the Godzilla web shell for initial intrusion, followed by deploying post-exploitation tools such as iox, Rakshasa, and Tailscale. Earth Baku employs tools for stealthy operations and data exfiltration, extensively using the MEGA cloud service through the MEGAcmd command-line utility. These findings are part of comprehensive analyses by cybersecurity researchers from companies including Trend Micro, Zscaler, and Mandiant.
2024-08-14 01:49:05 theregister MISCELLANEOUS NIST Releases Post-Quantum Cryptography Standards for Future Security
NIST has officially released three post-quantum cryptographic standards to secure electronic information against potential future quantum computer threats. The standards include algorithms for general encryption and digital signatures, with a fourth digital signature algorithm expected to be finalized later this year. Experts predict quantum computing capabilities that could compromise current encryption might emerge within the next decade. System administrators are urged to start adopting these new standards immediately to ensure sufficient time for full integration. NIST is also evaluating additional algorithms that might serve as backup standards, planning to select finalists by the end of 2024. Concerns persist about nations like Russia and China investing heavily in quantum computing, potentially to decrypt sensitive data and disrupt critical infrastructure. IBM has recognized the publication of these algorithms as crucial to protecting encrypted data from future cyber threats and highlights its involvement in their development.
2024-08-14 00:47:41 theregister CYBERCRIME Patch Tuesday Update: 90 Microsoft Flaws, Six Actively Exploited
Microsoft disclosed 90 vulnerabilities in its latest Patch Tuesday, with six actively exploited and four publicly known. Critical vulnerabilities include remote code execution and elevation of privilege across multiple Microsoft products. Adobe fixed 71 vulnerabilities across various products including Illustrator and Acrobat, with no current exploits reported. SAP released 25 security patches addressing several high-priority vulnerabilities, including a critical denial of service issue. Intel corrected 43 security issues in its hardware and software, with nine high-severity flaws noted. Microsoft's actively exploited vulnerabilities require specific conditions or user interaction for exploitation. Industry collaboration was noted in the discovery and reporting of several vulnerabilities, emphasizing community vigilance and responsiveness.
2024-08-13 22:44:49 bleepingcomputer MALWARE Microsoft Patches Zero-Day SmartScreen Bypass Exploited Since March
Microsoft patched a Mark of the Web security bypass vulnerability (CVE-2024-38213) exploited as a zero-day since March, used to circumvent Windows SmartScreen protections. The flaw required user interaction and was exploitable in low-complexity remote attacks, allowing attackers to deploy malicious files undetected. In March, Trend Micro discovered the vulnerability being actively exploited by DarkGate malware operators to distribute payloads disguised as legitimate applications. The exploited vulnerability, previously known as CVE-2024-21412, was linked to earlier attacks involving SmartScreen bypasses, including other zero-days. Microsoft issued the patch during the June 2024 Patch Tuesday but initially failed to include it in the advisory updates for that month and July. The vulnerability was part of broader issues involving Windows Smart App Control and SmartScreen, with some flaws exploited since 2018. This series of security breaches highlights ongoing challenges in defending against sophisticated malware campaigns that strategically exploit system design flaws.
2024-08-13 21:43:22 bleepingcomputer CYBERCRIME SAP Releases Patch for Critical Authentication Bypass Flaw
SAP's August 2024 security update addresses 17 vulnerabilities, including critical issues. A severe flaw, CVE-2024-41730, affects SAP BusinessObjects Business Intelligence Platform and could allow system compromise. The critical vulnerability, with a CVSS v3.1 rating of 9.8, enables unauthorized users to exploit single sign-on settings to obtain access tokens. Another significant flaw, CVE-2024-29415, involves server-side request forgery in SAP Build Apps, stemming from an IP address validation error. CVE-2024-29415, rated 9.1 under CVSS v3.1, followed an incomplete fix of an earlier issue, leaving certain applications still vulnerable to attack. The updates also include fixes for four high-severity vulnerabilities rated between 7.4 and 8.2. SAP software is crucial for many global corporations, and patching these flaws is critical to preventing potential data theft, ransomware attacks, and operational disruptions. Historical data shows threat actors have actively exploited such vulnerabilities, with over 300 corporate network infiltrations noted in less than a year.
2024-08-13 20:05:47 theregister CYBERCRIME Six Ransomware Gangs Dominate Over Half of 2024 Cyber Attacks
LockBit 3.0 remains the most active ransomware gang in the first half of 2024, topping the list by claiming 325 victims. Overall, six major ransomware groups accounted for more than 50% of the attacks observed, despite numerous law enforcement takedowns. Notable growth was seen in groups such as Play (Fiddling Scorpius) and in newcomers like 8base (Squalid Scorpius), a rebrand of Phobos. Several high-profile ransomware group disruptions occurred, including the seizure of ALPHV/BlackCat's websites and leader arrests. Law enforcement actions are described as a "whack-a-mole" scenario, with criminal enterprises often rebranding and continuing operations. Unit 42 reports a slight year-over-year increase in ransomware infections, with 1,762 posts on gang leak sites in the first half of 2024. New ransomware strains continue to emerge, such as Brain Cipher in Indonesia, suggesting ongoing adaptation of ransomware tactics. Despite takedowns, new and existing ransomware actors are quickly filling the void, indicating the persistent threat of sophisticated cyber attacks.
2024-08-13 18:43:26 bleepingcomputer MALWARE Microsoft Fixes Six Exploited Zero-Days in August 2024 Update
Microsoft's August 2024 Patch Tuesday addressed 89 security issues, including nine zero-days, six of which were actively exploited. Updates targeted various vulnerabilities, including critical ones, across several Windows applications and systems. Identified exploits include remote code execution, elevation of privilege, and security feature bypass vulnerabilities. Among the fixed zero-days were issues in the Windows Kernel, the Windows Ancillary Function Driver for WinSock, and Microsoft Project. Four additional vulnerabilities were publicly disclosed but not yet exploited, including ones in Microsoft Office and the Windows Line Printer Daemon. One publicly disclosed zero-day still awaits a security patch from Microsoft. Other technology companies also released updates and advisories, indicating a widespread focus on improving cybersecurity posture this month.
2024-08-13 17:36:33 theregister MALWARE U.S. Charges Alleged Cybercrime Leader with Malware Distribution
Maksim Silnikau, identified as an elite Belarusian-Ukrainian cybercriminal, has been extradited from Poland to the U.S. and faces charges in New Jersey and Virginia. Silnikau allegedly used various online aliases including "J.P. Morgan" and is accused of founding the first ransomware-as-a-service group, Reveton. His criminal activities reportedly include distributing malvertising that infected millions of devices with malware and scareware since at least 2013. One major component of Silnikau's operation was distributing the Angler exploit kit, responsible for significant global malware infections until it disappeared in 2016. The UK's National Crime Agency describes Silnikau as one of the most prolific Russian-speaking cybercriminal actors, with investigations tracing back to 2015. In Virginia, he's also charged with leading the Ransom Cartel group, innovating ransomware attacks and fraud practices. Silnikau, along with associates Volodymyr Kadariya and Andrei Tarasov who remain at large, could face extensive prison terms if convicted on multiple counts of wire fraud, computer fraud, and identity theft.
2024-08-13 16:45:08 bleepingcomputer CYBERCRIME Nigerian National Sentenced for Multi-Million Dollar Cyber Scams
Bamidele Omotosho, a 42-year-old from Nigeria, has been sentenced to 12 years and seven months in prison. He was involved in multiple cyber scams, including identity theft and business email compromise, which collectively caused millions of dollars in losses. Omotosho and his associates laundered money using debit cards, bank accounts opened with stolen personal information, and by purchasing and selling cars in Nigeria. Between 2017 and 2018, they bought stolen credentials from the xDedic dark web marketplace, which was later shut down by authorities in January 2019. Schemes included stealing over $2 million from U.S. citizens, with over $7.5 million in attempted thefts, impacting entities like a pharmaceutical company and the Employees Retirement System of Texas. The group also infiltrated multiple U.S. accounting firms to steal client data and file fraudulent tax returns. Omotosho's arrest is part of broader law enforcement efforts targeting illegal dark web marketplaces and cybercriminal activities.
2024-08-13 15:28:13 theregister CYBERCRIME Federal Authorities Dismantle Radar/Dispossessor Ransomware Gang
Federal authorities have taken down the Radar/Dispossessor ransomware coalition, which was involved in cyber extortion and data leaks. Radar and Dispossessor operated as distinct units but collaborated on attacks, with 43 recorded victims, primarily small and medium-sized enterprises across Europe, South America, and additional countries including India, the UAE, and Canada. The takedown included seizing numerous servers across the US, UK, and Germany and disabling online domains, significantly disrupting the group's operations. Though this ransomware group was not among the most prolific, its intent to expand into targeting U.S. healthcare organizations raised significant concerns and prompted swift law enforcement action. No arrests have been publicly confirmed, which raises the possibility that this takedown only temporarily hinders the group's activities. However, an arrest warrant has been issued in Germany. The operation contributes to an ongoing law enforcement strategy of maintaining pressure on ransomware operators and potentially encouraging criminals to reconsider their involvement in such activities. The operation also preemptively alerted several firms in Germany about imminent ransomware threats, showcasing proactive measures taken by police to prevent further damage.