Daily Brief

Articles are listed below; the summaries are automatically generated.

Total articles found: 12778

Checks for new stories every ~15 minutes

2024-08-11 15:23:04 bleepingcomputer CYBERCRIME Scammers Use Fake War and Earthquake Alerts on Social Media
Scammers are exploiting the Ukraine war and Japanese earthquake warnings to create enticing clickbait on social media platforms. Posts initially appear to contain pornographic videos but redirect users to fraudulent adult websites and other scam sites. Fake posts include sensational claims about Ukrainian forces or emergency alerts about significant earthquakes to attract clicks. Clicking on these deceptive content warnings leads to URLs that route through multiple domains before landing on scam platforms. Beyond adult sites, these scams also push malicious browser extensions and tech support scams. Social media mechanisms are manipulated, using Twitter Cards HTML metadata to display misleading images and descriptions. The technique has been known since 2019 and has also been used for cryptocurrency scams, showcasing its persistent effectiveness. Users are advised to be cautious when interacting with sensational or emergency-related content on social media.
2024-08-11 14:21:54 bleepingcomputer DATA BREACH Massive Leak of 2.7 Billion U.S. Personal Records Unveiled
Nearly 2.7 billion personal records involving U.S. residents were leaked, including Social Security numbers, full names, and addresses. The leaked data, originally stolen from National Public Data, was intended for use in background checks and investigations. The comprehensive leak, distributed for free by a hacker named "Fenice", included plaintext records from a larger 2.9 billion record set initially offered for $3.5 million by "USDoD". Multiple threat actors have since disseminated parts of the data, varying in content and completeness, with the latest release comprising the most complete dataset. No encryption was used on the data, and some records inaccurately linked Social Security numbers to unrelated individuals. The data's age and inaccuracy were highlighted by missing or outdated personal details, such as current addresses. Due to the breach's extent, several class action lawsuits have been initiated against Jerico Pictures, believed to operate as National Public Data. Affected individuals have been advised to monitor their credit reports and remain vigilant for phishing attempts.
2024-08-11 10:02:11 thehackernews MALWARE Malicious PyPI Library Targets Solana Users, Steals Wallet Keys
Cybersecurity experts uncovered a malicious package on PyPI pretending to be part of the Solana blockchain platform. The rogue "solana-py" library, meant to mimic the legitimate "solana" library, was designed to steal blockchain wallet keys. Over 1,100 downloads were recorded before the package's removal from PyPI. The malware hid its malicious intent by mirroring version numbers and code of the official Solana API but added harmful scripts to extract wallet keys and send them to a controlled domain. Developers referencing legitimate packages like "solders" may have inadvertently recommended the harmful "solana-py", thus widening the exposure to the malware. This incident represents a significant supply chain threat, where developers and users of applications can unintentionally introduce and propagate security breaches. Relatedly, significant spamming issues involving npm packages and the abuse of the Tea protocol were highlighted, with ongoing efforts to address these security concerns.
2024-08-10 19:02:25 thehackernews MALWARE Research Unveils Critical Flaws in Google's Quick Share Tool
Researchers at SafeBreach Labs discovered 10 security vulnerabilities in Google's Quick Share, affecting both Android and Windows platforms. These flaws could potentially enable sophisticated remote code execution (RCE) attacks, dubbed "QuickShell," on affected devices. The vulnerabilities identified range from remote denial-of-service (DoS) attacks, unauthorized file writes, and a directory traversal issue to forced Wi-Fi connections. The most severe vulnerability chain can compel a device to connect to a malicious Wi-Fi network and execute unauthorized code. Google has patched these issues in Quick Share version 1.0.1724.0, and users are advised to update to this version or later. The findings were shared publicly at the DEF CON 32 security conference, highlighting the risks of complex communication protocols in file transfer utilities. The study emphasizes the importance of analyzing and securing proprietary protocols to prevent the chaining of low-risk vulnerabilities into significant threats.
2024-08-10 16:24:17 bleepingcomputer MALWARE Microsoft Addresses Unpatched Office Flaw Exposing NTLM Hashes
Microsoft disclosed a high-severity vulnerability in Office, affecting versions including Office 2016 and Microsoft 365 Apps for Enterprise. The flaw, tracked as CVE-2024-38200, exposes NTLM hashes, potentially allowing attackers to access user credentials. Exploitation requires deceiving a user into clicking a link and opening a malicious file hosted on a compromised website. Microsoft initially assessed exploitation as "less likely," but a mitigation has been rolled out through Feature Flighting as of July 30, 2024. Full security updates are scheduled for release on August 13, 2024, which will offer the final version of the fix. Users are advised to implement mitigations such as blocking outbound NTLM traffic to prevent unauthorized NTLM connection attempts. More details on CVE-2024-38200 and other NTLM vulnerabilities will be shared during an upcoming DEF CON talk by security consultant Jim Rush.
2024-08-10 14:31:55 thehackernews MALWARE Malware Campaign Installs Rogue Browser Extensions on 300,000 Systems
An ongoing malware campaign is distributing trojans that install rogue extensions in Chrome and Edge browsers, affecting over 300,000 users. Fake websites mimicking popular software downloads deliver trojans that install malicious browser extensions capable of data theft and command execution. The campaign uses malvertising to guide users to these lookalike download sites for programs such as Roblox FPS Unlocker and KeePass. Once downloaded, the trojans execute a PowerShell script that fetches further malware from a remote server and modifies system settings to force-install the harmful extensions. The extensions are designed to hijack and redirect search queries through attacker-controlled servers, affecting major search engines like Google and Bing. Users cannot disable these malicious extensions, even using browser Developer Mode, and newer versions of the script can also disable browser updates. The extensions also intercept web requests, funneling them through C2 servers where data can be stolen or manipulated. This malware activity bears similarities to past campaigns, including a December 2023 case involving torrent-delivered trojans disguised as VPN apps to perpetuate fraud.
2024-08-10 05:37:47 thehackernews DATA BREACH Microsoft Discloses Unpatched Office Flaw Risking Data Leaks
Microsoft has revealed an unpatched vulnerability in its Office software, identified as CVE-2024-38200 with a CVSS score of 7.5, posing a risk of unauthorized data exposure. The flaw, a spoofing vulnerability affecting several Office versions, can lead to sensitive information disclosure if exploited through specially crafted files hosted on websites. Attackers cannot force users to visit these malicious websites; instead, they rely on social engineering methods such as enticing emails or instant messages to lure users into clicking links. While a formal patch is scheduled for release on August 13, Microsoft has implemented an interim fix via Feature Flighting, effective from July 30, 2024. Microsoft urges all users to install the forthcoming official patch, even though the interim protection is already available for all supported versions of Microsoft Office and Microsoft 365. The company has also published three mitigation strategies and rated the potential for exploitation of this vulnerability as "less likely." This announcement coincides with proactive measures by Microsoft addressing additional zero-day vulnerabilities that could potentially "unpatch" up-to-date Windows systems. Separate research from Elastic Security Labs highlights ongoing challenges with malicious apps bypassing Windows security features using methods like LNK stomping, in use for over six years.
2024-08-09 19:22:05 theregister MISCELLANEOUS Intel Sets Voltage Cap to Prevent Raptor Lake CPU Damage
Intel has implemented a new 0x129 microcode to limit the Raptor Lake processors' voltage to a maximum of 1.55 volts, aiming to avoid potential CPU damage due to excessive voltage. The voltage cap is considered high for a desktop CPU in 2024, with previous generations like Alder Lake peaking at around 1.4 to 1.45 volts and comparable AMD Ryzen 7000 CPUs at similar levels. Despite the voltage limitation, Intel reports that the performance of Raptor Lake CPUs remains largely unaffected according to their internal testing, although final assessments may depend on external hardware benchmarking results. Intel's motherboard partners have started releasing BIOS updates containing the new microcode for LGA 1700 motherboards, with commitments from major players like MSI, ASRock, ASUS, and Gigabyte to complete updates by specific deadlines. Dell and potentially other OEMs are working on validating and implementing the BIOS update for systems already in customer use. The update situation for pre-built systems from OEMs such as HP remains unclear, as not all details about the dissemination of the BIOS updates are available. In a secondary note, competitor AMD issued security advisories for a few vulnerabilities affecting their processors, emphasizing ongoing security challenges in the industry.
2024-08-09 19:11:35 bleepingcomputer NATION STATE ACTIVITY Russia Blocks Signal App Citing Anti-Terrorism Law Violations
Russia's telecommunications watchdog, Roskomnadzor, has restricted access to the Signal messaging service, alleging violations of anti-terrorism laws. Signal users in Russia began reporting issues with accessing the service, confirmed by IT experts as a blockage. Signal has advised users to enable a censorship circumvention feature within the app's settings to bypass restrictions. The company is developing more robust censorship circumvention tools and urges major companies to adopt secure protocols like Encrypted Client Hello (ECH). This restriction follows a broader pattern where Russia has banned several foreign messaging apps and leading VPN services in recent years. The actions are part of Russia’s ongoing efforts to control and monitor internet use within the country, citing national security concerns. The ban on other platforms, like YouTube and various VPN apps, indicates a comprehensive strategy to limit access to foreign digital tools and services.
2024-08-09 18:20:23 thehackernews MALWARE Microsoft Identifies Critical Flaws in OpenVPN Software
Microsoft disclosed four medium-severity vulnerabilities in OpenVPN that could lead to remote code execution (RCE) and local privilege escalation (LPE). These vulnerabilities impact all versions of OpenVPN prior to 2.6.10 and 2.5.10. The flaws are primarily located in the openvpnserv component and the Windows TAP driver. Attackers can exploit these vulnerabilities by chaining them together once they have obtained OpenVPN credentials. Potential avenues for credential acquisition include purchasing stolen credentials, using stealer malware, or sniffing NTLMv2 hashes from the network and cracking them. Successful exploitation could allow attackers to gain full control over targeted systems, leading to data breaches and unauthorized access to sensitive information. Attackers could further leverage these vulnerabilities by disabling or bypassing security measures like Microsoft Defender, leading to more persistent and undetected attacks.
2024-08-09 17:59:42 bleepingcomputer DATA BREACH CSC ServiceWorks Announces Data Breach Following Cyberattack
CSC ServiceWorks disclosed a data breach impacting an undisclosed number of individuals due to a cyberattack detected on February 4, 2024. The breach period spanned from September 23, 2023, to February 4, 2024, during which threat actors accessed certain company systems. External cybersecurity experts were enlisted to investigate the breach and assist in securing the network against further incidents. A data review company was employed to analyze the kinds of personal information compromised, which varied depending on the individual affected. Affected individuals are being offered complimentary Experian IdentityWorks membership for credit monitoring and protection against misuse of their information. CSC ServiceWorks has communicated with law enforcement about the cyber incident and continues to address the aftermath by contacting impacted parties. The breach was first noted due to unusual activity in its network, leading to immediate investigative and corrective actions. Prior security concerns were highlighted in May when two researchers reported a vulnerability which was initially overlooked by CSC ServiceWorks.
2024-08-09 16:58:13 bleepingcomputer MALWARE New High-Severity AMD Flaw Enables Stealthy Malware Installation
AMD has disclosed a high-severity vulnerability, named SinkClose, affecting various AMD processors, including EPYC, Ryzen, and Threadripper models. The SinkClose flaw, identified as CVE-2023-31315 with a CVSS score of 7.5, allows privilege elevation from kernel level (Ring 0) to System Management Mode (Ring -2), enabling the installation of nearly undetectable malware. System Management Mode (SMM), associated with the Ring -2 level, manages critical system operations like power and security features and is isolated from the operating system for enhanced security. This vulnerability has reportedly gone undetected for close to 20 years, raising concerns about longstanding security risks in affected AMD chips. Detecting and removing any malware installed via the SinkClose flaw requires direct physical access to the CPU's memory using specialized tools like an SPI flash programmer. AMD has released mitigations for most affected CPUs; exploiting the vulnerability requires initial kernel-level access, which attackers can achieve through sophisticated techniques or by exploiting other vulnerabilities. The discovery's implications are significant for organizations using AMD-based systems, especially in contexts where high-level security and system integrity are critical.
2024-08-09 16:17:16 bleepingcomputer MALWARE Microsoft Yet to Patch Newly Disclosed Office Zero-Day Vulnerability
Microsoft has reported a high-severity zero-day vulnerability in Office 2016 and later versions, identified as CVE-2024-38200. The vulnerability is an information disclosure issue that could allow unauthorized access to sensitive data such as system configurations and personal information. This flaw affects both 32-bit and 64-bit versions of Office, including Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. According to Microsoft, the zero-day can be exploited through web-based attacks where users are enticed to click on malicious links and open compromised files. Despite Microsoft assessing the exploitability as "less likely," MITRE deems the likelihood of exploitation "highly probable." Microsoft is in the process of developing security patches for the vulnerability but has not provided a definitive release date. More detailed disclosures about this and other vulnerabilities are expected at an upcoming DEF CON talk by Jim Rush from PrivSec Consulting. Additionally, Microsoft is addressing other critical security issues, including potential methods to reintroduce previously patched vulnerabilities in Windows systems.
2024-08-09 15:20:54 bleepingcomputer MALWARE Malware Installs Rogue Browser Extensions, Hijacks Homepages
An extensive malware campaign has infected over 300,000 browsers, including Google Chrome and Microsoft Edge, with malicious extensions. The malware disguises itself as legitimate software like Roblox FPS Unlocker and VLC video player, distributed through malvertising on Google search results. ReasonLabs researchers report that the infected browsers have altered executables that redirect homepages, hijack search queries, and steal sensitive data such as browsing history and login credentials. The threat actors maintain continuous control and malware installation via PowerShell scripts, registry modifications, and scheduled tasks, complicating removal. The malware evades detection by antivirus tools and alters DLL files in browsers to redirect default search engines to malicious portals controlled by the threat actors. To mitigate and remove the threat, affected users must manually navigate their system registry and file system to delete malicious items and possibly reinstall their browsers. Google has yet to comment on the presence of the malicious extensions available for download on the Chrome Web Store.
2024-08-09 15:15:37 theregister MISCELLANEOUS Understanding Evolving Cyber Threats: Insights from Cloudflare
Cloudflare is hosting a webinar to discuss the latest cybersecurity trends and strategies. The event will feature experts Trey Guinn and Trevor Lyness, focusing on the evolution of cyber threats. Topics include the complexities of DDoS attacks, emerging threats to APIs and networks, and AI-driven phishing techniques. The webinar will also cover Zero Trust security principles, which build robust defenses by assuming that nothing inside the network is trusted by default. This session aims to update IT and security professionals with practical approaches to handling sophisticated cyber threats. Registration is open for the webinar scheduled for August 20th at 12pm ET/9am PT.