Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12775
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-07 10:41:44 | thehackernews | NATION STATE ACTIVITY | Nation-State Hackers Target South Asian Media with GoGra Malware | An unnamed South Asian media organization was targeted in November 2023 with a new Go-based backdoor malware named GoGra. Symantec reported that GoGra interfaces with its command-and-control server through the Microsoft Graph API using Microsoft email services. The malware decrypts received commands, which are embedded in email messages, executes them, and sends back the encrypted results. GoGra uses AES-256 in CBC mode to secure communication with the control server. The malware is believed to be developed by a nation-state associated hacking group, dubbed Harvester, known for using similar techniques and tools. Analysis suggests an emerging trend among threat actors to utilize legitimate cloud services to camouflage their operations and enhance the efficacy of their attacks. GoGra shares functional similarities with another malware named Graphon, hinting at a possible shared lineage or development influenced by successful past tools. | Details |
| 2024-08-07 10:36:24 | thehackernews | MISCELLANEOUS | CrowdStrike Analyzes Global Outage Linked to Software Update | CrowdStrike has identified a content validation error in the Falcon Sensor software update as the cause of the recent global outages affecting millions of Windows devices. The issue stemmed from an additional input in the Template Type used for detecting new types of cyber attacks, which was not properly handled in the software, leading to an out-of-bounds memory read and subsequent system crashes. The flaw, tracked as the "Channel File 291" incident, was not detected in initial tests due to reliance on wildcard matching criteria, which failed to accommodate the extra input used in later deployments. As a resolution, CrowdStrike has implemented compile-time validation of input fields and runtime bounds checks to prevent similar issues in the future. The cybersecurity firm also plans to enhance testing protocols and involve third-party reviews to ensure greater reliability and security of its software. Following the disruptions, Delta Air Lines has announced plans to seek damages from CrowdStrike and Microsoft, alleging significant financial losses due to the incident. CrowdStrike asserts that the root issue was confined to their software and was not caused by Microsoft or other external factors, despite criticisms and the impact on client operations like Delta's. | Details |
| 2024-08-07 10:10:42 | theregister | MISCELLANEOUS | EQT Acquires Majority Stake in Cybersecurity Firm Acronis | EQT, Europe's largest private equity group, has acquired a majority share in Swiss firm Acronis, which specializes in cybersecurity and disaster recovery. The transaction values Acronis at over $3.5 billion, an increase from its last funding round in 2022. Acronis CEO Ezequiel Steiner expressed enthusiasm for EQT's support in the firm's strategic expansion and future growth initiatives. Key investors such as CVC, Springcoast, and BlackRock Private Equity Partners will remain involved with Acronis post-deal. Founders Serg Bell and Stanislav Protassov will retain significant stakes in Acronis, with Bell remaining on the Board of Directors. The deal is expected to close in the first or second quarter of 2025, pending regulatory approvals. This acquisition highlights the trend of private equity investments in technology sectors, echoing EQT's previous buyout of SUSE in 2018. | Details |
| 2024-08-07 08:28:32 | theregister | CYBERCRIME | NHS Software Vendor Fined $7.7M After Ransomware Data Breach | The UK's Information Commissioner's Office (ICO) plans to impose a £6.09 million ($7.7 million) fine on Advanced Computer Software Group for a 2022 ransomware attack that compromised NHS services. The attack, conducted by the LockBit ransomware group, led to the theft of personal data from nearly 83,000 individuals and disrupted NHS 111 call-handling services. The breach was facilitated by the use of an account lacking multi-factor authentication, allowing attackers to deploy encryption malware after gaining initial access through a Citrix server. In addition to phone numbers, sensitive medical records and details on home access for 890 care recipients were stolen, raising severe privacy and security concerns. Although no evidence was found of the stolen data being published online, the implications of the breach remain severe, particularly due to the sensitive nature of the information. The ICO criticized Advanced for significant security failings, particularly in not implementing multi-factor authentication and other basic security measures across its healthcare systems. The provisional decision to fine Advanced is aimed at encouraging other organizations, especially those handling sensitive health data, to enhance their cybersecurity practices. | Details |
| 2024-08-07 06:31:19 | thehackernews | MALWARE | Chameleon Trojan Disguised as CRM App Targets International Users | The Chameleon Android banking trojan targets users by masquerading as a Customer Relationship Management (CRM) app. Originally observed targeting a Canadian restaurant chain, this campaign has now expanded to include victims in Canada and parts of Europe. The malware is delivered through fake CRM apps which are designed to bypass Android's security measures, specifically on devices running Android 13 and later. Upon installation, users are misled with fake login and error pages to reinstall the app, during which the Chameleon trojan is deployed. The malware has capabilities such as on-device fraud (ODF), funds transfer theft, and harvesting of credentials, contacts, SMS messages, and geolocation data. Threat actors focus on exploiting employees with access to corporate banking, significantly endangering business banking accounts. The CRM-centric approach likely stems from the greater possibility of accessing sensitive business accounts among B2C employees in the hospitality sector. | Details |
| 2024-08-07 06:15:52 | thehackernews | MALWARE | Apple Enhances macOS Sequoia's Security to Thwart Malware | Apple announced tighter Gatekeeper controls in the upcoming macOS Sequoia to enhance security. The update prevents users from overriding Gatekeeper via Control-click for non-notarized and incorrectly signed software. Users must now navigate to System Settings > Privacy & Security to allow such software to run. This change aims to block stealer malware and backdoors that exploit user permissions to bypass security. Recent incidents involved North Korean actors using an unsigned disk image to distribute malware by mimicking the video call service MiroTalk. The macOS Sequoia update represents Apple's continued focus on securing its ecosystem against evolving cybersecurity threats. | Details |
| 2024-08-07 05:34:50 | theregister | MALWARE | SharpRhino Malware Masquerades as IP Scanner to Target IT Admins | Hunters International is suspected of deploying SharpRhino malware, targeting network administrators with a fake Angry IP Scanner tool. The disguised malware, identified as "ipscan-3.9.1-setup.exe" and discovered by Quorum Cyber, has been active since mid-June. The malware modifies Windows registry settings to establish persistence and communication with command and control servers, allowing broad network infiltration. SharpRhino encrypts files, appending the .locked extension, and directs victims to a ransom payment site via Tor. Analysis suggests Hunters International, a Ransomware-as-a-Service gang, is behind the malware, which shares similarities with the earlier Hive ransomware. The group uses a dual-threat strategy: data theft followed by encryption, with threats of public data exposure if the ransom is not paid. Hunters International has claimed responsibility for 134 global attacks in seven months, avoiding Russian targets presumably to evade local law enforcement. | Details |
| 2024-08-07 05:04:07 | bleepingcomputer | CYBERCRIME | Researchers Identify Phishing Risk in Microsoft 365 Safety Feature | Researchers have uncovered a method to bypass Microsoft 365's anti-phishing tool, potentially allowing malicious emails to go undetected. The technique uses CSS to hide the "First Contact Safety Tip" warning in Outlook, which is designed to alert users about emails from new contacts. Attackers can further manipulate the appearance of an email to mimic secure, encrypted messages, increasing the deception for unsuspecting users. Microsoft acknowledges the flaw reported by Certitude analysts but has not prioritized an immediate fix, citing its application mainly in phishing scenarios. There have been no observed active exploits using this technique, and there is no evidence of arbitrary text manipulation within emails. This discovery leaves Microsoft 365 users vulnerable to more sophisticated phishing attacks if the flaws are harnessed by attackers. | Details |
| 2024-08-07 04:07:57 | theregister | CYBERCRIME | Georgia's Voter Portal Faces Security Flaws Upon Launch | Georgia launched a website for citizens to voluntarily cancel voter registrations. A cybersecurity researcher demonstrated potential vulnerabilities, as a registration could be canceled with basic information. A temporary bypass allowed the required fields for cancellation to be skipped by manipulating the browser's HTML. The Georgia Secretary of State's Office claims there was no real threat, as manual checks prevent invalid submissions. The site initially revealed sensitive information, such as Social Security and driver's license numbers, upon data entry. Immediate corrective measures were implemented to halt automated data disclosure. Additional backend security measures were introduced to validate submissions after the initial client-side checks. Officials emphasize that the vulnerability did not lead to unauthorized changes to voter registrations. | Details |
| 2024-08-07 03:11:46 | theregister | MISCELLANEOUS | Microsoft Refutes Delta's Claims Over Software Outage Issues | Microsoft has denied responsibility for a software outage at Delta Air Lines, calling the accusations false and misleading. Delta has threatened legal action against Microsoft and CrowdStrike, blaming them for a system meltdown on July 19 that reportedly cost $500 million. Microsoft's legal representative revealed that CEO Satya Nadella personally extended recovery assistance to Delta, which the airline did not utilize. Microsoft is investigating why Delta's recovery was slower compared to other airlines, suggesting that Delta's IT infrastructure may be outdated. Despite the accusations, Delta maintains its commitment to significant IT investments, emphasizing billions spent since 2016 on enhancing its systems. CrowdStrike also defended itself in a communication, asserting Delta ignored its assistance offers and made suboptimal IT decisions that hampered recovery efforts. | Details |
| 2024-08-07 00:23:40 | theregister | MISCELLANEOUS | CrowdStrike Identifies Error That Disrupted Millions of Systems | CrowdStrike has engaged external security firms to audit the Falcon sensor code after a coding error caused a major global IT outage. The fault, traced back to a February update, led to an incorrect implementation in the IPC Template, causing system crashes when mismatched input fields were processed. The coding mishap passed unnoticed through various levels of testing, resulting in the deployment of the defective update to Falcon users, which eventually bricked 8.5 million Windows machines. CrowdStrike has developed a fix to prevent input validation mismatches and added runtime input array bounds checks to its Content Interpreter. These amendments and fixes are being integrated back into all compatible Windows sensor versions and will be generally available soon. Additionally, the security provider is enhancing its update deployment processes, including staged rollouts and enhanced validation checks to prevent similar incidents. Despite the efforts to correct the flaws, details about the third-party firms conducting the code review remain undisclosed. | Details |
| 2024-08-06 18:42:42 | bleepingcomputer | CYBERCRIME | INTERPOL Recovers $41 Million from International BEC Scam | INTERPOL's I-GRIP program successfully recovered over $40 million stolen from a Singaporean company in a BEC attack. The scam involved cybercriminals using a slightly misspelled email address to impersonate a legitimate supplier and divert a large payment. Authorities in Timor-Leste assisted in recovering the funds and arrested seven suspects linked to the crime. This incident represents the largest single recovery of funds stolen through a BEC scam, as noted by INTERPOL. The 2023 FBI IC3 Report highlighted substantial losses of $2.9 billion from 21,489 BEC complaints. INTERPOL's I-GRIP has been instrumental in recovering over $500 million in stolen funds since its inception in 2022. The recent global police operation "Operation First Light" led to the arrests of 3,950 individuals involved in various cybercrimes. | Details |
| 2024-08-06 18:27:05 | theregister | NATION STATE ACTIVITY | Google Fixes Android Bug Exploited by Spyware Slingers | Google has released a security update addressing a critical Android kernel bug, CVE-2024-36971, which has been actively exploited in the wild. The vulnerability, a use-after-free flaw in the networking stack, allows for remote code execution and could enable attackers to gain full control over affected devices. This flaw has been pinpointed as potentially used by state-sponsored entities and commercial surveillance operators, indicating a higher risk of targeted spyware attacks. The August security patch includes 46 fixes, with a particular emphasis on this severe vulnerability rated 7.8 on the CVSS scale. Other notable fixes in the update include a critical Qualcomm component vulnerability, CVE-2024-23350, that could lead to a permanent denial of service. Google's Threat Analysis Group, which tracks commercial surveillance vendors like NSO Group, identified the exploit, reflecting its potential use in highly targeted operations. Android users are urged to update their devices immediately to safeguard against this and other vulnerabilities patched in the August security update. This release precedes the major August Patch Tuesday event from Microsoft, indicating a busy period for cybersecurity professionals managing device and network integrity. | Details |
| 2024-08-06 17:15:21 | bleepingcomputer | MISCELLANEOUS | Samsung's New Bug Bounty Program Offers Up to $1M Rewards | Samsung has initiated the "Important Scenario Vulnerability Program" targeting critical vulnerabilities in its devices, with rewards of up to $1,000,000. The program specifically focuses on arbitrary code execution, device unlocking, data extraction, arbitrary application installation, and bypass of security protections. The highest reward of $1,000,000 is offered for demonstrating remote code execution (RCE) on the device's Knox Vault, which is used to secure sensitive information. Other significant payouts include $400,000 for local code execution on TEEGRIS OS and up to $400,000 for RCE on TEEGRIS OS, reflecting its high security relevance. Further notable rewards include $400,000 for unlocking a device combined with full user data extraction and $100,000 for remote arbitrary app installation from non-official sources. Participants must provide a buildable and consistent exploit on the latest security patch of flagship models to qualify for the highest monetary rewards. In 2023 alone, Samsung paid $827,925 to 113 security researchers through its separate Mobile Security Rewards Program, indicating a strong ongoing investment in cybersecurity. | Details |
| 2024-08-06 16:44:34 | theregister | CYBERCRIME | Ransomware Attack on CDK Software Costs Sonic Automotive $30M | Sonic Automotive reported a $30 million loss due to a ransomware attack on CDK Global's software in June. Despite the cyber incident, Sonic's share prices increased by over 12% following strong performance in other areas. The ransomware incident affected not only Sonic but also other major U.S. car dealerships like Asbury Automotive Group, AutoNation, and Group 1 Automotive. Sonic's Q2 earnings per share dropped by $0.64, heavily impacting its projected earnings of $1.18 EPS. The cyberattack on CDK Global resulted in operational disruptions affecting customer lead and inventory management applications. Sonic's EchoPark subsidiary reported significant growth, showing a 91% increase in YoY gross profit and a 123% rise in adjusted EBITDA. Anderson Economic Group estimated that the continuing disruption could cost CDK customers hundreds of millions per week. Sonic's earnings for Q3 might still be affected as it continues to handle disruptions from the cyberattack. | Details |