Daily Brief
Total articles found: 12770
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-08-02 15:07:29 | theregister | CYBERCRIME | Ensuring Data Security in AI-Enabled Business Applications | Anand Oswal, Sr. VP at Palo Alto Networks, highlights the widespread use of generative AI applications by employees, often without IT oversight. The rise of AI-powered business solutions is expected to surge, involving large volumes of unstructured data across sectors such as DevOps and marketing. This growth in AI applications expands attack surfaces and introduces vulnerabilities within extensive supply chains. Oswal emphasizes the critical need to secure AI applications in order to protect sensitive data against threats and breaches in the workplace. Palo Alto Networks' AI Access Security platform offers comprehensive visibility and automated security policy recommendations to safeguard data privacy. The platform applies runtime security during the development stage to improve the discoverability of applications and secure the data they use. Testimonials from major companies such as Costco and Dell illustrate AI-enabled apps that require stringent security measures to protect proprietary information within corporate networks. The video discusses these aspects further and shows how organizations can enhance their data security strategies with Palo Alto Networks' solutions. |
| 2024-08-02 12:06:00 | theregister | CYBERCRIME | Fortune 50 Company Pays $75M to Ransomware Gang to Protect Data | An unnamed Fortune 50 company paid a record $75 million in ransom to the Dark Angels ransomware group to prevent the leak of stolen data. Dark Angels targets high-value enterprises individually without using affiliates, focusing on companies likely to pay large sums. In a previous attack, Dark Angels used RagnarLocker ransomware against Johnson Controls, demanding $51 million after stealing 27TB of data. The gang avoids detection and interference by maintaining a low profile, not engaging with partners and not targeting critical infrastructure. Dark Angels sets ransom amounts by investigating a company's insurance policy limits, so that its demands align with possible insurance payouts. Ransomware attacks have surged recently, with incidents doubling in the US and rising 50% in the UK. The gang avoids attacks in Russia, benefiting from the lack of enforcement by Russian authorities against local cyber criminals. Zscaler notes no significant use of AI in ransomware attacks so far but warns against complacency given potential future developments in AI-enhanced social engineering scams. |
| 2024-08-02 11:40:25 | thehackernews | MISCELLANEOUS | Webinar on All-in-One Cybersecurity Solutions for SMBs | Small and medium-sized businesses (SMBs) face cyber threats similar to those of large corporations but often lack adequate resources. Managed service providers (MSPs) are overwhelmed by increasing demand for effective cybersecurity measures. Many SMBs currently struggle with complex and costly cybersecurity setups involving multiple vendors and tools. The webinar introduces an All-in-One Cybersecurity Platform designed to centralize protection through a single, user-friendly interface. The platform includes a comprehensive suite of security features coupled with round-the-clock support, aimed specifically at simplifying cybersecurity for MSPs and SMBs. Attending the webinar is highly recommended for SMBs looking to improve their cybersecurity efficiency and return on investment. Registration is required to participate in the event and secure a spot. |
| 2024-08-02 10:54:19 | thehackernews | MALWARE | Mirai Botnet Exploits Directory Traversal in OFBiz Servers | The SANS Internet Storm Center reported that Mirai botnet variants are targeting Apache's OFBiz ERP framework through a directory traversal vulnerability. Apache's OFBiz, a less prevalent open-source framework, patched a critical directory traversal flaw in May that affected versions before 18.12.13. Directory traversal vulnerabilities, illustrated here by the use of semicolons in URLs, allow unauthorized access to restricted directories and potentially remote command execution. CISA and the FBI focus on directory traversal under their "Secure by Design" initiative, tracking 55 known exploited vulnerabilities of this type. After the public release of the vulnerability details, significant exploit attempts were detected, particularly involving URLs that facilitate arbitrary command execution. Two IP addresses identified in the exploitation attempts were previously involved in exploiting IoT devices, hinting at their association with Mirai botnet activity. This exploitation demonstrates the persistent risk, and the broad impact, that even minor components of ERP systems can represent. |
| 2024-08-02 10:38:48 | theregister | NATION STATE ACTIVITY | UK Revamps Cyber Defense Strategy with Private Sector Aid | The UK National Cyber Security Centre (NCSC) is developing a new iteration of its Active Cyber Defence (ACD) program, termed ACD 2.0, aimed at updating and enhancing its cyber defense services. NCSC plans to introduce services that fill unique gaps in the market and divest them to other government bodies or industry partners within three years. Existing services from the initial ACD launched in 2016, such as Logging Made Easy and Protective DNS, succeeded through external partnership management with organizations such as CISA and Cloudflare. NCSC is seeking feedback from across government, industry, and academia to identify which new capabilities should be developed under ACD 2.0. Early stages of ACD 2.0 involve experimental six-month projects with industry partners to evaluate existing market solutions for attack surface management. The goal is to mitigate common cyber threats effectively by improving organizations' awareness of their attack surface and relevant vulnerabilities. The NCSC's Early Warning service continues to provide alerts on potential cyber threats to UK organizations, with significant alerts issued over the past year. The overall strategy remains focused on protecting against high-volume commodity cyber attacks while leaving room to address more sophisticated threats. |
| 2024-08-02 09:57:56 | thehackernews | MALWARE | New BITSLOTH Malware Exploits Windows BITS for Stealth | Cybersecurity researchers uncovered a new Windows backdoor named BITSLOTH that abuses the Background Intelligent Transfer Service (BITS) for covert operations. BITSLOTH was discovered by Elastic Security Labs on June 25, 2024, during a cyber attack on a South American Foreign Ministry. The malware includes capabilities such as keylogging, screen capture, encryption, and command execution, using BITS as a command-and-control channel. The threat actors, potentially Chinese based on source code analysis, use this tool primarily for data gathering and espionage. The malware uses techniques such as DLL side-loading and in-memory execution to evade detection. A variety of scheduling and operational features within BITSLOTH allow it to operate undetected, executing commands at designated times. Researchers highlighted the challenge organizations face in monitoring BITS traffic, which helps the malware remain undetected. The presence of related tools and techniques linked to known Chinese cyber espionage groups points towards a sophisticated, state-linked actor. |
| 2024-08-02 07:29:47 | thehackernews | CYBERCRIME | Major International Prisoner Swap Includes High-Profile Cybercriminals | The U.S. and its allies engaged in a historic prisoner swap involving multiple countries, including Russia, Belarus, Germany, Norway, and Slovenia. Two notorious Russian cybercriminals, Roman Valerevich Seleznev and Vladislav Klyushin, were repatriated to Russia as part of the exchange. Released individuals include 16 detainees from various nations, among them four Americans, five Germans, and seven Russians. High-profile figures such as former U.S. Marine Paul Whelan and Wall Street Journal reporter Evan Gershkovich were also freed from Russian custody. Roman Seleznev, alias Track2, caused substantial financial damage through payment card fraud and cyber fraud schemes. Vladislav Klyushin used his firm for insider trading, illegally obtaining $93 million from U.S. companies. A parallel cybercrime operation uncovered by the U.K. National Crime Agency involved a fraudulent platform that facilitated over 1.3 million anonymous calls mimicking authoritative entities. President Joe Biden and National Security Adviser Jake Sullivan emphasized the diplomatic significance and unprecedented scale of this international cooperative effort. |
| 2024-08-02 07:04:06 | thehackernews | MALWARE | Increasing Abuse of Cloudflare Tunnels in Malware Delivery Exposed | Cybersecurity firms eSentire and Proofpoint have reported a surge in the misuse of Cloudflare's TryCloudflare service by cybercriminals to distribute malware. Attackers use the service to create temporary tunnels that help bypass security detection by proxying traffic through Cloudflare, concealing their malicious operations. The attackers distribute phishing emails with ZIP archives containing malicious URL shortcut files that connect to a WebDAV server proxied by TryCloudflare. Malware families observed include AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm, delivered through complex multi-stage attack chains. These attacks also involve tactics such as displaying decoy PDFs to distract victims while deploying malicious payloads, and using direct system calls to evade security software. The phishing campaigns are multilingual and target global organizations with themes ranging from invoices to tax documents. The campaign's operators appear to be financially motivated and employ Cloudflare tunnels to scale their operations flexibly and evade traditional blocklist-based defenses. The abuse of Cloudflare's service highlights a growing trend of attackers leveraging trusted services to increase the stealth and efficacy of their operations. |
| 2024-08-02 06:43:33 | theregister | CYBERCRIME | UK National Crime Agency Dismantles Global Call-Spoofing Ring | The UK's National Crime Agency (NCA) shut down a call-spoofing service named Russian Coms, arresting four suspects involved. Russian Coms operated internationally, impacting over 170,000 individuals, primarily in the UK, with activity spanning more than 100 countries. The fraudulent service allowed criminals to mimic legitimate organizations, facilitating the theft of money and personal information through deceptive calls. Suspects included the service's developers and a courier responsible for distributing the modified smartphones essential to the operation. These devices were equipped with features to avoid detection, such as VPN apps, a burn app to erase data, and spoofed caller IDs. The service was monetized through subscriptions costing up to £1,400 for six months, with additional features such as encrypted calls and international reach. Over 1.3 million calls were made to half a million unique UK phone numbers, causing significant financial losses averaging over £9,400 per reported victim. The NCA has announced plans to continue efforts to apprehend users of the service across the globe, highlighting the increasing intersection of technology and crime. |
| 2024-08-02 06:02:40 | theregister | DATA BREACH | Japan Introduces App to Authenticate National ID Cards Amid Challenges | Japan's government mandates a new app to verify My Number Cards in order to combat forgery and enhance security. The My Number system, which links social security and other services, has faced issues such as data breaches and malfunctioning equipment. Public adoption of the My Number Card has been low due to trust issues and technical problems. The new app uses smartphone cameras to cross-check card information without needing the user's PIN. All verification records, including the date and time, are stored by the app, but it does not retain any personal user data. Scheduled for general release in late August, the app is currently undergoing final testing and verification. The app's introduction is part of broader efforts to increase My Number Card adoption, which is crucial for replacing health insurance cards and other functions. |
| 2024-08-02 03:35:06 | theregister | MISCELLANEOUS | India Proposes Enhanced 2FA for Secure Digital Payments | The Reserve Bank of India (RBI) has recommended implementing dynamic two-factor authentication (2FA) for most digital payment systems. Currently, one-time passwords (OTPs) sent via SMS are predominantly used across India's digital payment sector; the RBI aims to move beyond SMS-based OTPs. The RBI's proposal includes exploring various authentication methods such as biometrics, PINs, passphrases, and hardware or software tokens. Dynamic 2FA requires that each authentication factor be generated uniquely at the time of the transaction and be usable only once, which enhances security. Certain low-value and specific transaction types, such as offline digital transactions and recurring payments, may be exempt from the new dynamic 2FA requirement. The RBI has called for public feedback on the draft framework by September 15, with compliance expected within three months of the issuance date. This move is part of the RBI's ongoing efforts to strengthen the security of digital payments in response to evolving technology. |
| 2024-08-02 00:52:21 | theregister | CYBERCRIME | US-Russia Prisoner Swap Includes High-Profile Cybercriminals | The US and Russia conducted a prisoner exchange, releasing at least two notable Russian cybercriminals along with other detainees. Roman Seleznev, convicted of orchestrating a massive credit card fraud, and Vladislav Klyushin, involved in a $93 million insider-trading scheme, were among those exchanged. Seleznev had been serving a 27-year sentence and Klyushin a nine-year sentence in the US prior to the swap. The exchange also secured the release of a Wall Street Journal reporter and other Americans detained in Russia. Newly freed prisoners, including Seleznev and Klyushin, were seen greeting President Putin upon their return to Russia. President Biden highlighted the multinational effort involving Germany, Poland, Slovenia, Norway, and Turkey to negotiate the release of a total of 16 detainees. The swap aimed to address cases of "unjust" detention, with all involved parties having endured significant hardship during their captivity. |
| 2024-08-01 21:08:24 | bleepingcomputer | DATA BREACH | Twilio Ends Authy Desktop App Amid Security Concerns | Twilio announced the end-of-life of Authy for Desktop, with discontinuation planned for August 2024. After March 19, 2024, the app continued to function, but users were alerted to migrate to the mobile versions. Recently, Twilio forcibly logged all users out of the Authy desktop application and prevented them from logging back in. Users who had not synced with a mobile device lost access to their 2FA accounts, and some face issues with token synchronization. In June, an exposed Authy API allowed hackers to validate phone numbers, resulting in a leak of 33 million profiles. Twilio secured the API and updated the mobile app to counter the security flaw. There is speculation that desktop users were locked out because the desktop app never received an update incorporating the API security fix. BleepingComputer has reached out to Twilio for comment but has yet to receive a response. |
| 2024-08-01 19:46:53 | bleepingcomputer | MALWARE | Malicious Python Packages Distributed on StackExchange | Threat actors used StackExchange to promote malware-infected Python packages designed to steal sensitive information, including cryptocurrency wallet details and browser data. The malicious packages, named 'spl-types', 'raydium', 'sol-structs', 'sol-instruct', and 'raydium-sdk', were initially benign but received a malicious component via an update on July 3. Upon installation, the malware could exfiltrate files, take screenshots, and send the gathered data to a specific Telegram channel. Over 2,000 downloads were reported before the packages were removed from the PyPI repository. The attackers targeted users involved in the Raydium and Solana blockchain projects, exploiting the fact that Raydium lacks an official Python library. Victims were lured by high-quality answers on StackExchange, which made the malicious packages appear credible and relevant. Notable cases reported include severe losses, such as the draining of a Solana cryptocurrency wallet and the capture of screenshots that compromised MFA protections. |
| 2024-08-01 18:45:27 | theregister | DATA BREACH | Pension Fund Sues CrowdStrike Over Faulty Software Update | The Plymouth County Retirement Association has filed a lawsuit against CrowdStrike and its top executives for making misleading statements about the effectiveness of their Falcon endpoint defense software. CrowdStrike failed to conduct adequate testing of updates before deploying them to all customers, resulting in a significant software failure that impacted millions of Microsoft Windows systems worldwide. The lawsuit accuses CrowdStrike of causing substantial reputational harm and legal risk by not using a phased rollout strategy, leading to a global outage. Following the incident, CrowdStrike has pledged to implement a canary deployment strategy for software updates, which involves gradual deployment to assess impact before wide release. The company's preliminary response to the incident declared a commitment to improving software testing and deployment procedures. CrowdStrike's stock plummeted over 11% after the incident, with further declines following congressional inquiries and analyst downgrades, impacting investors including the suing pension fund. Delta Air Lines is also considering legal action against CrowdStrike and Microsoft, potentially seeking damages of up to $500 million for the disruption caused by the faulty update. |