Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12764

Checks for new stories every ~15 minutes

2024-07-30 12:04:48 | bleepingcomputer | DATA BREACH | UK Electoral Commission Suffers Major Data Breach Due to Unpatched Server
The UK Electoral Commission experienced a data breach in August 2021, linked to unpatched Microsoft Exchange Server vulnerabilities. The breach resulted from exploitation of the ProxyShell vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Attackers gained access to the personal data of approximately 40 million people, including sensitive details not publicly available. The Information Commissioner's Office (ICO) criticized the Electoral Commission for inadequate security measures and weak password policies. Although Microsoft had made patches available in May 2021, the Commission failed to update its systems, leaving them exposed. The ICO issued a reprimand but has found no evidence to date that the accessed data was misused. The breach coincided with similar attacks worldwide attributed to Chinese state-sponsored groups, suggesting a pattern or a related campaign.
2024-07-30 11:28:50 | thehackernews | CYBERCRIME | Exploitation of RMM Tools by Cybercriminals Unveiled
RMM tools allow IT professionals to manage networks remotely, but attackers can abuse them to gain unauthorized access and control. Cybercriminals use "Living off the Land" techniques to move stealthily within networks using legitimate IT tools. A real-world example showed how an RMM tool named "KiTTY", a modified version of PuTTY, allowed attackers to establish reverse tunnels that exposed internal servers. Varonis' investigation highlighted the breach methods and security gaps, providing insight into defensive strategies against RMM tool exploitation. Suggested strategies include enforcing application control policies, continuously monitoring RMM activity, and running extensive user training and awareness programs. Continuing advances in technology bring both opportunities and threats; robust security measures are essential to protect critical data and systems. Varonis offers a free Data Risk Assessment to help organizations evaluate their security posture and implement effective remediation strategies.
2024-07-30 11:18:26 | theregister | CYBERCRIME | Ransomware Groups Exploit ESXi Flaw to Dominate Hypervisors
CVE-2024-37085, a critical vulnerability in VMware ESXi, grants administrative control through Active Directory (AD) group manipulation and is being actively exploited by major ransomware gangs. The flaw allows attackers with certain AD privileges to take full control of ESXi hypervisors, facilitating data theft, lateral movement, and system disruption. The highlighted exploitation method is creating or renaming an AD group to "ESX Admins", which instantly grants administrative access to the hypervisor. Despite the risks, many organizations integrate ESXi with Active Directory for management convenience, increasing their exposure. Broadcom issued patches for the vulnerability, but its approach and delayed updates drew criticism regarding its commitment to security. Microsoft detected several ransomware variants exploiting the vulnerability, suggesting that ESXi has become a significant target for financially motivated cybercrime. Microsoft urges all ESXi users to apply the patches and improve credential security to mitigate the risk of undetected exploitation.
2024-07-30 11:07:59 | thehackernews | MALWARE | Phishing Campaigns Target Polish SMBs With Multiple Malware Families
Cybersecurity researchers observed extensive phishing attacks on small and medium-sized businesses in Poland during May 2024, involving malware such as Agent Tesla, Formbook, and Remcos RAT. These campaigns also affected other European countries, including Italy and Romania, with attackers leveraging compromised email accounts and company servers to distribute malicious emails and host malware. A key feature of these attacks is the use of a malware loader called DBatLoader to deliver the final payloads, a shift from previously used cryptors-as-a-service such as AceCryptor. The attacks typically began with phishing emails carrying malware-laced RAR or ISO attachments, which upon execution initiated the download and installation of the trojan. DBatLoader, a Delphi-based downloader, is used predominantly to fetch and execute next-stage malware from sources such as Microsoft OneDrive or the servers of legitimate entities. The deployed malware families (Agent Tesla, Formbook, and Remcos RAT) are designed to extract sensitive information, setting the stage for further malicious activity. The increasing focus on SMBs by cybercriminals is attributed to their generally weaker cybersecurity postures and limited resources, which make them attractive targets.
2024-07-30 10:52:27 | thehackernews | CYBERCRIME | Insights into the Cybercriminal Underground and Threat Intelligence
Cybersixgill's annual "State of the Underground 2024" report details emerging trends in cybercrime and threat actor behavior observed on the deep and dark web during 2023. The report provides insight into the tactics, techniques, and technologies used by cybercriminals globally, highlighting the need for deep and dark web threat intelligence in preventing attacks. Cybercriminals use the deep and dark web to exchange tools, information, and services, making this knowledge crucial for organizations aiming to strengthen their security. Accessing these underground sites is difficult, as they are not indexed and require specific URLs, and they often host illicit material including compromised data and malicious programs. The webinar titled "Inside the mind of a hacker" explains the psychological and technical strategies used by hackers, using the Cyber Kill Chain framework to map the stages of a successful cyber attack. The research also reveals the role of Wholesale Access Markets (WAMs), which sell access to compromised systems for as little as $10, potentially exposing enterprises to significant risk. Cybersixgill's analysis shows that such platforms can also provide clues to enterprise weaknesses, with compromised machines logged into enterprise software being particularly revealing. By understanding and monitoring these underground activities, organizations can proactively defend against potential threats.
2024-07-30 07:33:49 | thehackernews | NATION STATE ACTIVITY | SideWinder Group Expands Cyber Espionage to Global Maritime
The SideWinder nation-state threat actor is targeting maritime facilities in the Indian Ocean and Mediterranean regions. Spear-phishing campaigns are being carried out against multiple countries, including Pakistan, Egypt, and Sri Lanka. The attacker, believed to be affiliated with India, uses email spear-phishing, document exploitation, and DLL side-loading to deliver malware. Lures involve emotionally charged topics such as sexual harassment and salary cuts to entice victims into opening malicious Microsoft Word documents. The malware exploits older Microsoft Office vulnerabilities to execute shellcode that delivers the JavaScript stage of the attack. Based on SideWinder's previous operations, the primary motive is believed to be intelligence gathering. BlackBerry's analysis suggests that SideWinder is continuously upgrading its infrastructure and methods, indicating ongoing and future threats.
2024-07-30 06:47:44 | thehackernews | MALWARE | New Phishing Attack Targets OneDrive Users with Malicious Script
Cybersecurity researchers have identified a phishing campaign, named OneDrive Pastejacking, aimed at Microsoft OneDrive users. The attack uses an HTML email attachment that mimics a OneDrive error message and instructs users to manually update their DNS cache. Clicking "How to fix" in the email prompts users to launch PowerShell and execute a Base64-encoded command, leading to the download and execution of malicious files. The campaign has affected users in multiple countries, including the U.S., South Korea, Germany, and the U.K., suggesting widespread targeting. The techniques include fabricated error messages, imitation of legitimate troubleshooting pages, and social engineering that tricks users into initiating the attack themselves. Related findings from multiple cybersecurity firms indicate a rise in similar phishing tactics affecting various secure email gateways and platforms. Threat actors are continually refining their methods to bypass security controls and deliver malware more effectively, underscoring the need for heightened alertness and robust defenses.
2024-07-30 06:32:09 | theregister | CYBERCRIME | Massive Phishing Campaign Exploits Proofpoint Email Security Flaw
An extensive phishing campaign abused Proofpoint's email filtering systems to send out three million spoofed emails a day, purporting to come from entities such as Disney and IBM. The emails appeared legitimate, carrying valid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures that misled recipients about their authenticity. Victims were tricked into visiting malicious sites and entering credit card details under the pretense of renewing subscriptions at discounted rates, after which they faced exorbitant charges. At its peak, the campaign sent up to 14 million fraudulent emails in a single day, exploiting a weakness in the email routing feature of Proofpoint's systems. Guardio Security identified the technique, dubbed "EchoSpoofing", and collaborated with Proofpoint on mitigation; the issue was tied to insecure Microsoft 365 integrations within Proofpoint's service. No Proofpoint customer data was exposed and no data loss occurred, despite the abuse of customer Microsoft 365 accounts to relay the spam. Proofpoint has since revised its systems to allow only authorized Microsoft 365 tenants to relay messages, aiming to prevent similar abuse in the future. Proofpoint and Guardio continue working to block the abused Microsoft tenant accounts, some of which remain active.
2024-07-30 04:24:52 | thehackernews | MALWARE | Exploited VMware ESXi Flaw Enables Ransomware Groups Admin Access
Multiple ransomware groups are exploiting a flaw in VMware ESXi hypervisors, CVE-2024-37085, to gain administrator privileges and deploy malware. The vulnerability is an Active Directory authentication bypass that lets attackers escalate privileges by manipulating AD group configurations. Recent attacks include those by the groups Storm-0506, Octo Tempest, and Manatee Tempest, deploying strains such as Akira and Black Basta. In one documented attack, initial access was gained via a QakBot infection, followed by exploitation of a Windows vulnerability (CVE-2023-28252) to escalate privileges. Attackers then deployed Cobalt Strike, used Mimikatz to steal credentials, and established persistence via SystemBC in order to move laterally across the network. RDP brute-forcing and tampering with Microsoft Defender Antivirus were also observed, indicating deliberate efforts to maintain access and evade detection. Ransomware operators' growing adoption of new techniques highlights the evolving threat landscape and the need for robust defenses. Businesses are urged to patch promptly, enforce strong credential and authentication practices, and employ comprehensive monitoring and backup strategies.
2024-07-30 02:33:04 | theregister | NATION STATE ACTIVITY | Malaysia Proposes Internet Kill Switch and Licensing for Platforms
Malaysia's Law and Institutional Reform Minister announced plans to introduce legislation for an internet "kill switch" to Parliament in October, aimed at enhancing digital security. The proposed law will set guidelines on when and how the government can block internet access, though the specific scenarios remain undefined. The government is also pushing social media providers and messaging services to take greater responsibility for preventing online crimes, including fraud and cyberbullying. Controversially, from January 2025, social media and online messaging platforms with more than eight million Malaysian users must obtain a license to operate legally. The Malaysian Communications and Multimedia Commission claims the licensing requirement will help create a safer online environment, particularly for children and families. International human rights groups, including Article 19, have criticized the licensing requirement as an overreach of power and a threat to public participation in democracy. The country will host a conference in September with global academics and industry experts to discuss online harms and regulatory strategies.
2024-07-29 22:34:11 | bleepingcomputer | MALWARE | Android Spyware 'Mandrake' Infects Thousands via Google Play
Mandrake, a sophisticated Android spyware, was found in five apps on Google Play that were downloaded 32,000 times, mainly in countries such as Canada, Germany, Italy, and the UK. The initial stage uses a native library to evade detection before decrypting additional payloads that carry out further malicious activity. The spyware requests permissions under false pretenses, enabling everything from data collection to simulated user interaction. Communication with the command and control server is encrypted, and only suitable devices receive the spyware's core component. The threat actors also used deceptive notifications mimicking Google Play to entice users into installing further malicious files. Mandrake is capable of evading security tools and checks device integrity to tailor its behavior. After the discovery, the apps carrying Mandrake were removed from Google Play, though a reemergence in new, stealthier apps remains a concern. Android users are advised to install apps only from trusted publishers, scrutinize permission requests, and ensure Play Protect is active.
2024-07-29 21:48:13 | bleepingcomputer | MALWARE | Specula Exploits Outlook CVE for Command Execution in Windows
Microsoft Outlook can be turned into a command and control (C2) beacon for remote code execution through the Specula framework, which exploits CVE-2017-11774. This Outlook security feature bypass, patched in October 2017, still allows attackers to configure malicious home pages through registry values. Specula works by modifying Outlook's WebView registry entries to point to an attacker-controlled site that serves VBScript capable of arbitrary command execution. TrustedSec has used this method for initial access and persistence on hundreds of client systems, bypassing existing security controls. Despite the patch, attackers still exploit the weakness to establish persistence and move laterally across systems through registry modifications. The same vulnerability and technique were previously used by Iranian state-sponsored APT groups to target U.S. government agencies, as reported by FireEye and other cybersecurity firms.
2024-07-29 21:07:16 | theregister | CYBERCRIME | Meta's AI Safety Model Vulnerable to Simple Hacking Trick
Meta's Prompt-Guard-86M AI model, created to detect and neutralize prompt injection attacks against large language models (LLMs), can be bypassed by adding spaces between the letters of a prompt. The model was built to support Meta's Llama 3.1 generative model by mitigating the risk of unsafe or misleading prompts that might expose sensitive data. A security researcher discovered that merely spacing out the letters of a command makes this detection mechanism fail. The weakness presents a significant risk, as demonstrated when a car dealership's chatbot was manipulated into agreeing to an unrealistic sale price through a similar exploit. Although intended as a robust line of defense against manipulative inputs, Prompt-Guard's effectiveness against altered prompts is virtually negligible. The issue sheds light on the challenges and potential weaknesses of deploying AI systems in critical real-world applications. Meta is reportedly aware of the flaw and working on a fix, though the company did not provide immediate comment.
2024-07-29 20:21:22 | theregister | MISCELLANEOUS | New York Court Requires Warrants for Border Phone Searches
A federal judge in New York has ruled that US border agents must obtain a warrant to search electronic devices. The ruling by Judge Nina Morrison holds that warrantless searches of phones and devices at the border infringe Fourth and Fifth Amendment rights. The decision arose from a case involving Kurbonali Sultanov, whose phone was searched without a warrant at JFK Airport. Although the initial search was deemed unconstitutional, the resulting evidence will not be suppressed, as the search warrant was issued in good faith. The Knight First Amendment Institute and the Reporters Committee for Freedom of the Press supported the warrant requirement as a protection for journalistic sources and personal privacy. The ruling currently applies only to the Eastern and Southern Districts of New York, with similar cases under consideration in other jurisdictions. The government has not yet indicated whether it will appeal; the case could reach the Supreme Court given its national relevance and conflicting lower court decisions.
2024-07-29 16:22:11 | thehackernews | MALWARE | Critical Security Flaw in Acronis Software Exploited by Hackers
Acronis has reported a critical vulnerability, CVE-2023-45249, in its Cyber Infrastructure product. The flaw, rated 9.8 on the CVSS scale, allows remote code execution due to the use of default passwords. Affected versions include ACI 5.4 update 4.2 and other specified updates; fixes were released in late October 2023. Active exploitation of the vulnerability has been confirmed, though details of the attackers remain unclear. Users are urged to update their software immediately to mitigate the threat.