Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12773
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-02 16:34:45 | thehackernews | NATION STATE ACTIVITY | Chinese APT41 Hackers Target Taiwanese Research Institute | A government-linked Taiwanese computing research group suffered a cyberattack attributed to the Chinese state-linked group APT41. The attack, dating from mid-July 2023, exploited vulnerabilities and used tools such as ShadowPad and Cobalt Strike to deploy backdoors. Entry methods included outdated Microsoft Office IME binaries and web shells, used for persistent access and delivery of malicious payloads. Abnormal PowerShell activity detected by Cisco Talos in August 2023 led to discovery of the breach and of document exfiltration from three compromised hosts. Malware deployment techniques included DLL side-loading for ShadowPad and anti-AV techniques to keep Cobalt Strike from being detected. The attackers employed Mimikatz for credential harvesting and ran various commands to survey the network and directory structures. APT41 also used remote code execution vulnerabilities for privilege escalation, ensuring its payloads bypassed initial security measures. Efforts to evade detection included ceasing operations when other users were detected and removing traces of the initial access methods after the attack. | Details |
| 2024-08-02 16:19:00 | thehackernews | NATION STATE ACTIVITY | APT28 Employs Car Sale Phishing Scam to Install HeadLace Malware | The Russia-linked threat actor APT28 has launched a new campaign that uses a car-for-sale phishing lure to deploy the HeadLace malware. The campaign targets diplomats and started as early as March 2024; Palo Alto Networks' Unit 42 attributes it to APT28 with medium to high confidence. Car-for-sale lures were previously used by another Russian group, APT29, suggesting that APT28 repurposed the tactic. HeadLace is delivered through a deceptive email offering a ZIP archive, which checks the target's operating system and deploys only on Windows. The malware consists of a trojanized Windows calculator executable, a DLL, and a batch script, which together install the backdoor. Once installed, it fetches additional commands from an attacker-controlled URL, executes them, and then removes evidence of the activity. The consistent use of webhook[.]site and similar services in APT28 campaigns highlights the group's reliance on freely available web services for malicious operations. | Details |
| 2024-08-02 16:19:00 | bleepingcomputer | MISCELLANEOUS | Indonesia Blocks DuckDuckGo Over Inappropriate Content Concerns | Indonesia has blocked the privacy-focused search engine DuckDuckGo following complaints about pornographic and gambling content in its search results. The government's decision aligns with cultural and religious norms in the predominantly Muslim country, where pornography and gambling are prohibited. Indonesia has previously restricted access to platforms such as Reddit and Vimeo and has imposed occasional bans on Tumblr, Telegram, and others. Despite the block, Google Search remains available, possibly because of more robust self-censorship mechanisms or its significant role in internet usability in Indonesia. Indonesian citizens are increasingly using VPNs to circumvent these restrictions, although the government plans to restrict free VPN services soon to prevent access to gambling sites and other blocked content. The Minister of Communication and Information has emphasized the government's intent to curb online gambling, describing it as a negative aspect of digitalization. There are additional concerns about the safety and reliability of free VPN services, including risks such as personal data theft and malware infections. | Details |
| 2024-08-02 15:07:29 | theregister | CYBERCRIME | Ensuring Data Security in AI-Enabled Business Applications | Anand Oswal, Senior VP at Palo Alto Networks, highlights the widespread use of generative AI applications by employees, often without IT oversight. The use of AI-powered business solutions is expected to surge, involving large volumes of unstructured data across sectors such as DevOps and marketing. This growth in AI applications poses significant risks by expanding attack surfaces and introducing vulnerabilities across extensive supply chains. Oswal emphasizes the critical need to secure AI applications in order to protect sensitive data against threats and breaches in the workplace. Palo Alto Networks' AI Access Security platform offers comprehensive visibility and automated security policy recommendations to safeguard data privacy. The platform applies runtime security during the development stage to improve the discoverability of applications and secure the data they use. Testimonials from major companies such as Costco and Dell illustrate AI-enabled apps that require stringent security measures to protect proprietary information within corporate networks. The video discusses these aspects further and shows how organizations can strengthen their data security strategies with Palo Alto Networks' solutions. | Details |
| 2024-08-02 12:06:00 | theregister | CYBERCRIME | Fortune 50 Company Pays $75M to Ransomware Gang to Protect Data | An unnamed Fortune 50 company paid a record $75 million ransom to the Dark Angels ransomware group to prevent the leak of stolen data. Dark Angels targets high-value enterprises one at a time without using affiliates, focusing on companies likely to pay large sums. In a previous attack, Dark Angels used RagnarLocker ransomware against Johnson Controls, demanding $51 million after stealing 27TB of data. The gang avoids detection and interference by maintaining a low profile, not engaging with partners, and not targeting critical infrastructure. Dark Angels sets ransom amounts by investigating a company's insurance policy limits, so that its demands align with possible insurance payouts. Ransomware attacks have surged recently, with the US seeing a doubling of incidents and the UK a 50% increase. The gang avoids attacks in Russia, benefiting from the lack of enforcement by Russian authorities against local cybercriminals. Zscaler notes no significant use of AI in ransomware attacks so far but warns against complacency given potential future developments in AI-enhanced social engineering scams. | Details |
| 2024-08-02 11:40:25 | thehackernews | MISCELLANEOUS | Webinar on All-in-One Cybersecurity Solutions for SMBs | Small and medium-sized businesses (SMBs) face cyber threats similar to those of large corporations but often lack adequate resources. Managed service providers (MSPs) are overwhelmed by the growing demand for effective cybersecurity measures. Many SMBs currently struggle with complex and costly cybersecurity setups involving multiple vendors and tools. The webinar introduces an All-in-One Cybersecurity Platform designed to centralize protection through a single, user-friendly interface. The platform includes a comprehensive suite of security features coupled with round-the-clock support, aimed specifically at simplifying cybersecurity for MSPs and SMBs. Attending the webinar is recommended for SMBs looking to improve their cybersecurity efficiency and return on investment. Registration is required to participate in the event and secure a spot. | Details |
| 2024-08-02 10:54:19 | thehackernews | MALWARE | Mirai Botnet Exploits Directory Traversal in OFBiz Servers | The SANS Internet Storm Center reported that Mirai botnet variants are targeting the Apache OFBiz ERP framework through a directory traversal vulnerability. Apache OFBiz, a less widely used open-source framework, patched a critical directory traversal flaw in May that affected versions before 18.12.13. Directory traversal vulnerabilities, in this case triggered via semicolons in URLs, allow unauthorized access to restricted directories and potentially remote command execution. CISA and the FBI focus on directory traversal under their "Secure by Design" initiative, tracking 55 known exploited vulnerabilities of this type. After the public release of the vulnerability details, significant exploit attempts were detected, particularly involving URLs that enable arbitrary command execution. Two IP addresses identified in the exploitation attempts were previously involved in exploiting IoT devices, hinting at an association with Mirai botnet activity. This exploitation demonstrates the persistent risk and broad impact that even minor components of ERP systems can represent. | Details |
| 2024-08-02 10:38:48 | theregister | NATION STATE ACTIVITY | UK Revamps Cyber Defense Strategy with Private Sector Aid | The UK National Cyber Security Centre (NCSC) is developing a new iteration of its Active Cyber Defence (ACD) program, termed ACD 2.0, aimed at updating and enhancing its cyber defense services. NCSC plans to introduce services that fill unique gaps in the market and to divest them to other government bodies or industry partners within three years. Existing services from the initial ACD launched in 2016, such as Logging Made Easy and Protective DNS, succeeded with external management by partners such as CISA and Cloudflare. NCSC is seeking feedback from across government, industry, and academia to identify which new capabilities should be developed under ACD 2.0. Early stages of ACD 2.0 involve experimental six-month projects with industry partners to evaluate existing market solutions for attack surface management. The goal is to mitigate common cyber threats effectively by improving organizations' awareness of their attack surface and relevant vulnerabilities. The NCSC's Early Warning service continues to provide alerts about potential cyber threats to UK organizations, with significant alerts issued over the past year. The overall strategy remains focused on protecting against high-volume commodity cyber attacks while leaving room to address more sophisticated threats. | Details |
| 2024-08-02 09:57:56 | thehackernews | MALWARE | New BITSLOTH Malware Exploits Windows BITS for Stealth | Cybersecurity researchers uncovered a new Windows backdoor named BITSLOTH that abuses the Background Intelligent Transfer Service (BITS) for covert operations. BITSLOTH was discovered by Elastic Security Labs on June 25, 2024, during a cyber attack on a South American Foreign Ministry. The malware includes capabilities such as keylogging, screen capture, encryption, and command execution, using BITS as its command-and-control channel. The threat actors, potentially Chinese based on source code analysis, use the tool primarily for data gathering and espionage. The malware uses techniques such as DLL side-loading and in-memory execution to evade detection. A variety of scheduling and operational features within BITSLOTH allow it to operate undetected, executing commands at designated times. Researchers highlighted the challenge organizations face in monitoring BITS traffic, which helps the malware remain undetected. The presence of related tools and techniques linked to known Chinese cyber espionage groups points towards a sophisticated, state-linked actor. | Details |
| 2024-08-02 07:29:47 | thehackernews | CYBERCRIME | Major International Prisoner Swap Includes High-Profile Cybercriminals | The U.S. and its allies engaged in a historic prisoner swap involving multiple countries, including Russia, Belarus, Germany, Norway, and Slovenia. Two notorious Russian cybercriminals, Roman Valerevich Seleznev and Vladislav Klyushin, were repatriated to Russia as part of the exchange. The released individuals include 16 detainees from various nations, among them four Americans, five Germans, and seven Russians. High-profile figures such as former U.S. Marine Paul Whelan and Wall Street Journal reporter Evan Gershkovich were also freed from Russian custody. Roman Seleznev, alias Track2, caused substantial financial damage through payment card fraud and other cyber fraud schemes. Vladislav Klyushin used his firm for insider trading, illegally obtaining $93 million from U.S. companies. In a parallel cybercrime operation, the U.K. National Crime Agency uncovered a fraudulent platform that facilitated over 1.3 million anonymous calls mimicking authoritative entities. President Joe Biden and National Security Adviser Jake Sullivan emphasized the diplomatic significance and unprecedented scale of this international cooperative effort. | Details |
| 2024-08-02 07:04:06 | thehackernews | MALWARE | Increasing Abuse of Cloudflare Tunnels in Malware Delivery Exposed | Cybersecurity firms eSentire and Proofpoint have reported a surge in the misuse of Cloudflare's TryCloudflare service by cybercriminals to distribute malware. Attackers use the service to create temporary tunnels that help bypass security detection by proxying traffic through Cloudflare, concealing their malicious operations. The attackers distribute phishing emails with ZIP archives containing malicious URL shortcut files that connect to a WebDAV server proxied by TryCloudflare. Malware families observed include AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm, delivered through complex multi-stage attack chains. These attacks also involve tactics such as displaying decoy PDFs to distract victims while deploying malicious payloads, and using direct system calls to evade security software. The phishing campaigns are multilingual and target global organizations with themes ranging from invoices to tax documents. The campaign's operators appear to be financially motivated and employ Cloudflare tunnels to scale their operations flexibly and evade traditional blocklist-based defenses. The abuse of Cloudflare's service highlights a growing trend of attackers leveraging trusted services to improve the stealth and efficacy of their operations. | Details |
| 2024-08-02 06:43:33 | theregister | CYBERCRIME | UK National Crime Agency Dismantles Global Call-Spoofing Ring | The UK's National Crime Agency (NCA) has shut down a call-spoofing service named Russian Coms, arresting four suspects involved. Russian Coms operated internationally, impacting over 170,000 individuals primarily in the UK, with activity spanning more than 100 countries. The fraudulent service allowed criminals to mimic legitimate organizations, facilitating the theft of money and personal information through deceptive calls. Suspects included the service's developers and a courier responsible for distributing the modified smartphones essential to the operation. These devices were equipped with features to avoid detection, such as VPN apps, a burn app to erase data, and spoofed caller IDs. The service was monetized through subscriptions costing up to £1,400 for six months, with additional features such as encrypted calls and international reach. Over 1.3 million calls were made to half a million unique UK phone numbers, causing significant financial losses averaging over £9,400 per reported victim. The NCA has announced plans to continue efforts to apprehend users of the service across the globe, highlighting the increasing intersection of technology and crime. | Details |
| 2024-08-02 06:02:40 | theregister | DATA BREACH | Japan Introduces App to Authenticate National ID Cards Amid Challenges | Japan's government has mandated a new app to verify My Number Cards in order to combat forgery and enhance security. The My Number system, which links social security and other services, has faced issues such as data breaches and malfunctioning equipment. Public adoption of the My Number Card has been low due to trust issues and technical problems. The new app uses smartphone cameras to cross-check card information without needing the user's PIN. All verification records, including the date and time, are stored by the app, but it does not retain any personal user data. Scheduled for general release in late August, the app is currently undergoing final testing and verification. The app's introduction is part of broader efforts to increase My Number Card adoption, which is crucial for replacing health insurance cards and other functions. | Details |
| 2024-08-02 03:35:06 | theregister | MISCELLANEOUS | India Proposes Enhanced 2FA for Secure Digital Payments | The Reserve Bank of India (RBI) has recommended implementing dynamic two-factor authentication (2FA) for most digital payment systems. Currently, one-time passwords (OTPs) sent via SMS are predominantly used across India's digital payment sector; the RBI aims to move beyond SMS-based OTPs. The RBI's proposal includes exploring various authentication methods such as biometrics, PINs, passphrases, and hardware or software tokens. Dynamic 2FA requires that each authentication factor be generated uniquely at the time of the transaction and be usable only once, enhancing security. Certain low-value and specific transaction types, such as offline digital transactions and recurring payments, may be exempt from the new dynamic 2FA requirement. The RBI has called for public feedback on the draft framework by September 15, with compliance expected within three months of the issuance date. The move is part of the RBI's ongoing efforts to strengthen the security of digital payments in response to evolving technology. | Details |
| 2024-08-02 00:52:21 | theregister | CYBERCRIME | US-Russia Prisoner Swap Includes High-Profile Cybercriminals | The US and Russia conducted a prisoner exchange, releasing at least two notable Russian cybercriminals along with other detainees. Roman Seleznev, convicted of orchestrating a massive credit card fraud, and Vladislav Klyushin, involved in a $93 million insider-trading scheme, were among those exchanged. Seleznev had been serving a 27-year sentence and Klyushin a nine-year sentence in the US prior to the swap. The exchange also secured the release of a Wall Street Journal reporter and other Americans detained in Russia. Newly freed prisoners, including Seleznev and Klyushin, were seen greeting President Putin upon their return to Russia. President Biden highlighted the multinational effort involving Germany, Poland, Slovenia, Norway, and Turkey to negotiate the release of a total of 16 detainees. The swap aimed to address cases of "unjust" detention, with all those involved having endured significant hardship during their captivity. | Details |