Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12757
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-07-23 19:29:24 | bleepingcomputer | DATA BREACH | BreachForums Member Data Leaked by Hacktivist Emo | BreachForums v1's member data from November 2022 was leaked, revealing personal details of 212,414 users. The data was initially sold by the forum's creator, Conor Fitzpatrick, and later leaked by a threat actor named Emo. BreachForums was established by Fitzpatrick after the seizure of RaidForums by the FBI and has seen multiple versions and admin changes. Fitzpatrick was arrested in January 2024 for allegedly attempting to sell the database while on bail, violating pretrial conditions. The leaked data includes user IDs, usernames, email addresses, registration IPs, and last access IPs, which is useful for tracking threat actor activity. Notably, the data was provided to the Have I Been Pwned service to alert affected users of the breach. This incident highlights the ongoing risks of participating in hacking forums and the importance of robust digital identity protection measures. | Details |
| 2024-07-23 17:37:23 | bleepingcomputer | MALWARE | FrostyGoop Malware Leaves Hundreds Cold in Ukraine Cyberattack | FrostyGoop, a malware targeting industrial control systems, was used in a cyberattack in Lviv, Ukraine, disrupting heating for over 600 buildings. The attack occurred during extreme winter conditions, leaving residents without heat for nearly two days. Russian-linked threat actors used the Modbus TCP communication protocol to manipulate heating systems. Investigation revealed that attackers had breached the network nearly a year prior, exploiting vulnerabilities in an Internet-exposed router. Dragos, a cybersecurity firm, identified and analyzed the malware, linking it to previous attacks by Russian groups. The incident highlights significant vulnerabilities in critical infrastructure systems and the increasingly targeted nature of cyberattacks. Recommendations for industrial organizations include implementing the SANS 5 Critical Controls for enhanced cybersecurity in operational technology. | Details |
| 2024-07-23 17:31:54 | theregister | MALWARE | Critical Systems Disrupted by CrowdStrike Signature Update Issue | A recent CrowdStrike update caused widespread system crashes globally, with Windows systems entering Blue Screen of Death boot loops due to a signature file update. Administrators were caught off guard as they believed their update policies of running one or two versions behind (N-1 or N-2) would prevent such incidents; however, this policy did not apply to the signature files. The signature file that caused the disruption was pushed universally on July 18th, overriding the staged deployment settings of many CrowdStrike customers. Users reported a lack of clarity and communication from CrowdStrike, with vital information being slow to release and primarily available to major partners or behind a login-walled portal. The incident highlights a key dilemma in cybersecurity: the need to quickly update malware definitions versus the risk of new updates causing system instability. Sharon Martin, CEO of Managed Nerds, expressed severe dissatisfaction with CrowdStrike, stating a preference for facing ransomware rather than using CrowdStrike if it were the only option left. Cybersecurity experts and analysts stress the importance of having effective staging and disaster planning for updates, especially when different components of a system, like software and signature files, are updated on different schedules. | Details |
| 2024-07-23 17:11:18 | theregister | CYBERCRIME | Safeguarding AI Systems: Effective Cybersecurity Webinar | Representatives from Intel, DETASAD, Juniper Networks, and Arqit will discuss AI cybersecurity in an upcoming webinar on July 30. The discussion will focus on the crucial need for robust security frameworks as AI technologies become essential across various sectors such as finance, telecom, and smart cities. Experts will address the variety and increasing frequency of cyber threats that specifically target AI systems. Key topics will include understanding industry-specific susceptibility to AI threats, and how disparities in awareness affect security measures. The webinar will also cover best practices, regulatory updates, and recommended security measures from leading technology vendors. Participants will learn practical strategies to protect AI systems by using secure data storage, comprehensive encryption, and continuous monitoring techniques. Insights from high-profile case studies on data poisoning, adversarial attacks, and model theft will be shared to illustrate the real-world impact of these threats. | Details |
| 2024-07-23 16:35:22 | bleepingcomputer | DATA BREACH | Verizon Settles for $16 Million After TracFone Data Breaches | Verizon Communications agreed to a $16 million settlement with the FCC over three data breaches at its subsidiary, TracFone Wireless, following Verizon's acquisition of TracFone in 2021. The breaches occurred over two years, with the initial incident self-reported by TracFone in January 2022, although the unauthorized access had begun a year prior. Attackers exploited authentication vulnerabilities, gaining access to sensitive customer data including personally identifiable information and customer proprietary network information. Subsequent breaches involved TracFone's order websites, where threat actors accessed order information by exploiting a website vulnerability using two different methods. Part of the settlement includes a mandate for TracFone to implement enhanced data security measures by February 28, 2025, to prevent future incidents. Details on the number of affected customers and the specific nature of the data accessed remain undisclosed, as certain details were redacted in the public consent decree. | Details |
| 2024-07-23 15:18:55 | theregister | CYBERCRIME | Typosquatting Rises Amid CrowdStrike Recovery Efforts | Typosquatting domains have surged following the recent CrowdStrike outage, targeting IT administrators with extortion and phishing schemes. Security firm SentinelOne reports a daily increase in these malicious domains, which exploit users by mimicking trusted sites with small typographical errors in the domain names. Among the tactics observed are sales of fraudulent fixes for CrowdStrike issues at hefty prices, and phishing attempts to deliver malware such as remote access trojans disguised as software patches. Despite the high prices and questionable domain names, the attacks continue, suggesting that some users are falling for these scams. CrowdStrike has issued warnings and guidance to its clients, urging them to use official channels for communication and to follow only verified technical advice. The company continues to update its remediation methods and has set up a dedicated web page for official recovery guidance. | Details |
| 2024-07-23 14:38:01 | theregister | MISCELLANEOUS | Wiz Rejects Alphabet's $23B Takeover Bid, Eyes IPO | Alphabet's $23 billion acquisition offer for cybersecurity firm Wiz was declined as Wiz aims for an IPO and $1 billion in annual recurring revenue. Wiz CEO Assaf Rappaport stated the decision was difficult but emphasized confidence in the company's exceptional team. The acquisition could have faced regulatory hurdles, considering Alphabet's existing antitrust scrutiny, particularly in its dominant search business. The decision parallels a broader trend in which big tech acquisitions are scrutinized or abandoned due to regulatory pressure, as seen with Adobe's dropped Figma takeover. Wiz has undergone significant growth, relocating its headquarters to New York, and was valued at $12 billion in May after raising $1 billion. The company also acquired Gem Security earlier this year, in line with its strategy of strengthening its market position through acquisitions rather than merging with larger entities like Alphabet. This move might signal a broader year of consolidation in the cybersecurity sector, as predicted by Wiz's CEO earlier in the year. | Details |
| 2024-07-23 14:32:38 | bleepingcomputer | MALWARE | Fake CrowdStrike Manual Spreads New Daolpu Information Stealer | CrowdStrike's recent Falcon update caused major IT outages globally, prompting malicious actors to exploit the situation. Fraudulent phishing emails are circulating, offering a fake Windows recovery tool that purportedly addresses the Falcon-induced issues but actually installs the Daolpu malware. The Daolpu malware is designed to harvest sensitive data such as account credentials, browser history, and authentication cookies from browsers like Chrome, Edge, Firefox, and Cốc Cốc. The malware is delivered by macros in a document that mimics a legitimate Microsoft support bulletin; the macros download and execute a malicious DLL file. This new info-stealing threat targets data primarily from web browsers, temporarily storing stolen data before sending it to a command-and-control server. CrowdStrike has issued a warning and provided detection tools and guidelines to help users identify and mitigate the threat. This incident underscores an ongoing trend in which cybercriminals rapidly leverage current events and vulnerabilities for widespread phishing and malware distribution campaigns. | Details |
| 2024-07-23 12:30:11 | thehackernews | NATION STATE ACTIVITY | Chinese State-Sponsored Hackers Utilize Upgraded Malware Against Taiwan, US NGO | Beijing-affiliated hacker group Daggerfly targeted organizations in Taiwan and a U.S.-based NGO in China using sophisticated malware tools. Daggerfly exploited an Apache HTTP server vulnerability to deliver MgBot malware, highlighting the group's ongoing espionage efforts. The hacking group, operational since 2012, has updated its toolset following exposure to continue its intelligence activities with minimal disruption. The attacks featured new malware families, including an improved Apple macOS malware, MACMA, which harvests sensitive information and executes commands. MACMA, linked to Daggerfly through source code similarities with MgBot, was first documented by Google TAG in connection with Safari browser flaws exploited against users in Hong Kong. Another malware called Nightdoor uses the Google Drive API for command and control, targeting Tibetan users through watering hole attacks. Symantec's findings underscore Daggerfly's capability to create malware targeting a variety of operating systems, including Android and Solaris. The episode occurs amid accusations by China's CVERC against U.S. intelligence, claiming that the China-nexus espionage group Volt Typhoon was fabricated as part of a misinformation campaign. | Details |
| 2024-07-23 10:58:18 | thehackernews | MALWARE | New ICS Malware 'FrostyGoop' Disrupts Ukrainian Energy Firm | FrostyGoop, a new ICS malware, targeted a Ukrainian energy company, causing significant service disruption in Lviv. Identified by Dragos in April 2024, FrostyGoop uses Modbus TCP to directly impact OT networks. The malware primarily targets Windows systems connected to ENCO controllers via TCP port 502. FrostyGoop's capabilities include reading, writing, and modifying data in ICS device holding registers. It utilizes JSON configuration files for target specification and logs actions in JSON format for review. The attack in January left over 600 apartment buildings without heating for nearly 48 hours. The initial breach was likely through a vulnerability in Mikrotik routers exploited in April 2023. Dragos stresses the importance of enhancing cybersecurity frameworks to protect critical infrastructure from such risks. | Details |
| 2024-07-23 10:17:15 | thehackernews | MALWARE | Persistent Credit Card Skimmer Disguised in Magento Swap Files Detected | Threat actors used swap files on compromised Magento e-commerce sites to hide and maintain a credit card skimmer. The malicious skimmer captured payment information on the website's checkout page and sent the details to a fake domain resembling Amazon. Sucuri researchers discovered this tactic after noting that the skimmer withstood several cleanup efforts due to its stealthy placement in swap files. Swap files were manipulated to load malicious code while the original files appeared unaltered, effectively bypassing standard detection. It remains unclear how attackers initially accessed the compromised system, but SSH or similar protocols are suspected entry points. Associated risks highlighted include the ability of such malware to serve as a reinfection vector using compromised administrator accounts. Security recommendations include restricting administrative protocol access to trusted IPs, keeping systems and plugins updated, employing 2FA, and implementing strict firewall rules and additional WordPress configurations. | Details |
| 2024-07-23 10:17:15 | thehackernews | MISCELLANEOUS | Enhancing Security in Onboarding with Specops' Innovative Tool | Organizations traditionally share first-day passwords with new employees via email or SMS, exposing them to security risks like interception and misuse. Temporary passwords often remain unchanged by the users, becoming vulnerable targets for attacks, and sometimes lead to large-scale breaches, as illustrated by the SolarWinds incident. The sharing of passwords, whether in plain text or verbally, introduces significant risks of unauthorized access and potential data breaches. Specops Software introduces a First Day Password feature in its uReset tool, eliminating the need to share initial passwords directly and enhancing security. The new system allows employees to set their own passwords via a secure link, ensuring compliance with the organization's password policies and reducing risks. This solution integrates with Specops' Password Policy and Breached Password Protection, blocking the use of over 4 billion known compromised credentials. By adopting this tool, companies can secure the onboarding process, protect against cyber threats, and ensure a smooth start for new employees. | Details |
| 2024-07-23 09:41:14 | thehackernews | DATA BREACH | Meta Faces EU Scrutiny Over 'Pay or Consent' Advertising Strategy | The European Commission has given Meta a deadline of September 1, 2024, to address concerns that its "pay or consent" model violates consumer protection laws. Under this model, Meta offered users the option to either pay a subscription fee or allow their data to be used for targeted advertising, raising potential coercion concerns. Meta's advertising model could infringe the EU Digital Markets Act (DMA), which requires gatekeepers to obtain explicit user consent before using data for non-core services. The European Commission criticized Meta for unclear terms and misleading branding that describes the service as "free" while still conditioning access on consent to data use for personalized ads. The Commission emphasized the necessity of transparency in how consumer data is used, highlighting it as a fundamental consumer right. This issue with Meta follows recent fines in Nigeria and Turkey for similar data-sharing violations involving users' consent on the Facebook and WhatsApp platforms. Meta's defense references a European Court of Justice ruling that supports charging a fee for services that do not rely on advertising; however, the applicability of this ruling remains uncertain in this context. The situation underscores ongoing global regulatory scrutiny of user data privacy and the ethics of consent-based advertising practices. | Details |
| 2024-07-23 09:05:29 | thehackernews | MALWARE | Ukraine Scientific Institutions Hit by Malicious Malware Campaign | The Computer Emergency Response Team of Ukraine (CERT-UA) reported a spear-phishing attack targeting a scientific research institution using HATVIBE and CHERRYSPY malware. The attack utilized a compromised email account to distribute macro-enabled DOCX files to multiple recipients. Enabling macros in the document triggers the execution of HATVIBE, which establishes persistence through scheduled tasks and leads to the deployment of the CHERRYSPY Python backdoor. CHERRYSPY facilitates remote command execution, increasing the threat actor's control over compromised systems. The malware also exploits a critical vulnerability in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) for initial access. CERT-UA attributes these attacks to UAC-0063, identified as the Russian nation-state group APT28, which is linked to Russia's military intelligence. In a related campaign, Ukrainian defense enterprises were targeted with rigged PDFs leading to the deployment of a Lua-based loader, DROPCLUE, by another threat actor cluster, UAC-0180. | Details |
| 2024-07-23 08:19:32 | theregister | MISCELLANEOUS | Webinar Highlights Strategies to Secure AI in the Middle East | The webinar focuses on securing AI technologies against cyber threats in the Middle East. Industry leaders like Intel, DETASAD, Juniper Networks, and Arqit will discuss AI security issues. Key points include exploring AI threat landscapes such as data poisoning and adversarial attacks. The event will cover the importance of regulatory compliance and best security practices. Strategies to build public trust and uphold ethical AI practices will be examined. Attendees will learn about enhancing AI security through measures like encryption and continuous monitoring. The webinar is designed for professionals in sectors such as telecoms, finance, security/defense, and critical national infrastructure. Registration is open for the July 31st event, which aims to advance AI security knowledge and implementation. | Details |