Daily Brief

Articles are listed below; each title is followed by an automatically generated summary.

Total articles found: 12754

Checks for new stories every ~15 minutes

2024-07-17 10:37:30 thehackernews MALWARE FIN7 Group Markets Advanced Security Bypass Tool on Dark Web
FIN7, an e-crime group known for its sophistication, has been advertising a tool called AvNeutralizer on underground criminal forums. The tool, developed by FIN7, impairs endpoint security products and has been adopted by several ransomware groups, including Black Basta. FIN7 has a long record of malware innovation and has previously used phishing and malvertising to gain access to corporate networks. The group has moved from primarily targeting point-of-sale systems to ransomware operations, with tools such as AvNeutralizer offered under a Ransomware-as-a-Service (RaaS) model. AvNeutralizer employs anti-analysis techniques and abuses a Windows built-in driver (ProcLaunchMon.sys, the TTD monitor driver) to blind security solutions, a tactic also seen in other sophisticated threats. Selling the tool marks a shift in FIN7's operating model and suggests a strategy of diversifying revenue by commercializing its tooling. Despite earlier arrests of members, FIN7 continues to operate and innovate, and the spread of its tooling to other crews raises the bar for defenders.
2024-07-17 08:50:35 thehackernews MALWARE APT17 Uses 9002 RAT Malware to Target Italian Entities
China-linked APT17 targeted Italian companies and government entities with spear-phishing campaigns delivering the 9002 RAT on June 24 and July 2, 2024. The emails, sent from lookalike government domains, urged recipients to install what appeared to be Skype for Business. The lure led to a downloadable MSI installer that installed the genuine chat software while silently executing a Java archive that deployed the 9002 RAT. 9002 RAT, which was also used in Operation Aurora and other major campaigns, is a modular trojan capable of network monitoring, screenshot capture, file and process management, and remote command execution. TG Soft's analysis notes that the malware is continuously updated and that its modular design helps it evade detection and persist on infected systems. APT17, also tracked as Bronze Keystone and Hidden Lynx among other names, has a history of espionage operations that exploited critical vulnerabilities.
2024-07-17 05:57:23 thehackernews CYBERCRIME Scattered Spider Enhances Arsenal with New Ransomware Strains
Scattered Spider, a sophisticated cybercrime group, has added the RansomHub and Qilin ransomware families to its operations, according to Microsoft. The group is known for advanced social engineering, for targeting VMware ESXi servers, and for previously deploying BlackCat ransomware. RansomHub, assessed to be a rebrand of the Knight ransomware, is becoming a prevalent tool among cybercriminal groups. Microsoft has also observed RansomHub deployed by Manatee Tempest after initial access obtained by Mustard Tempest through FakeUpdates infections, activity linked to the Evil Corp group, which illustrates the collaborative and overlapping nature of modern cybercrime. The arrest of a prominent Scattered Spider member in Spain last month reflects ongoing law enforcement pressure on these networks. New ransomware families such as FakePenny, Fog, and ShadowRoot signal a threat landscape that keeps expanding. Microsoft recommends credential hygiene, least privilege, and a Zero Trust approach to counter these threats.
2024-07-17 05:31:43 thehackernews MALWARE Critical Exploit in Apache HugeGraph Server Needs Immediate Patch
A critical vulnerability in Apache HugeGraph-Server, tracked as CVE-2024-27348 (CVSS 9.8), is being actively exploited and allows remote code execution. The flaw lies in the Gremlin graph traversal language API and affects all versions before 1.3.0. The Apache Software Foundation advises upgrading to HugeGraph 1.3.0 running on Java 11 and enabling the Auth system; enabling the 'Whitelist-IP/port' function further restricts who can reach the RESTful API. SecureLayer7 published technical details showing how an attacker can escape the Gremlin sandbox to execute arbitrary code and take full control of the server. The Shadowserver Foundation has observed exploitation attempts in the wild, underscoring the urgency of patching. Exploitation of this and similar flaws in other Apache projects shows how attractive they are as targets for both nation-state and financially motivated attackers.
2024-07-17 00:06:05 theregister NATION STATE ACTIVITY Iranian Cyber Espionage Targets Israeli Entities with BugSleep Malware
MuddyWater, an Iranian cyber espionage group, has stepped up attacks on Israeli organizations using a custom backdoor named BugSleep, amid recent geopolitical tensions. The campaign uses phishing emails sent from compromised corporate accounts that invite victims to webinars and online courses, and it has hit multiple economic sectors in Israel. Check Point Research has documented over 50 such emails since February, targeting municipalities, airlines, and journalists, with victims also in Turkey, Saudi Arabia, India, and Portugal. BugSleep partly replaces MuddyWater's earlier reliance on legitimate remote monitoring and management tools. To hinder EDR products, it sets a process mitigation policy that blocks non-Microsoft-signed binaries from loading into its process. The backdoor persists through scheduled tasks, sends stolen data to its command-and-control servers, and keeps its configuration encrypted. The broader phishing strategy lets MuddyWater run higher-volume campaigns while still focusing on specific industry sectors.
2024-07-16 22:59:39 bleepingcomputer NATION STATE ACTIVITY Kaspersky Ends U.S. Operations, Offers Free Software as Farewell
Kaspersky is winding down its U.S. operations after the Department of Commerce added the company to the Entity List and, citing national security concerns, prohibited the sale and distribution of its software in the U.S. As a farewell, Kaspersky is offering U.S. customers six months of free security software and safety tips. New sales are barred from July 20, the date Kaspersky plans to shut its U.S. business, laying off employees and winding down operations. From September 29 it may no longer deliver software updates or antivirus definitions to U.S. users, so installed products will keep running but without protection updates, and users should migrate to another vendor. Kaspersky products remain in use elsewhere, but pressure is growing in Europe too, with recommendations to avoid security products from Russian and Chinese vendors in sensitive sectors. Kaspersky says it will refocus on markets in Asia and South America.
2024-07-16 22:18:47 bleepingcomputer CYBERCRIME Critical GeoServer GeoTools RCE Flaw Actively Exploited, CISA Warns
CISA has added CVE-2024-36401, a vulnerability in GeoServer's GeoTools library, to its list of known exploited flaws, warning that it is under active exploitation and must be patched immediately. Rated critical with a CVSS score of 9.8, the bug allows remote code execution because property names are unsafely evaluated as XPath expressions. GeoServer disclosed the flaw on June 30, after which researchers published several proof-of-concept exploits. Patched versions 2.23.6, 2.24.4, and 2.25.2 address the issue, and users are urged to upgrade. Shadowserver has confirmed exploitation in the wild, with attacks observed from July 9. Roughly 16,462 GeoServer instances are exposed online, most of them in the United States, China, Romania, Germany, and France. CISA requires federal agencies to patch by August 5, 2024, but the severity of the flaw makes prompt patching just as urgent for private organizations.
2024-07-16 18:09:21 theregister CYBERCRIME Scattered Spider Adopts New Ransomware Amid Market Shifts
Scattered Spider, a major cybercrime group, has switched to the RansomHub and Qilin ransomware tools. The change follows major disruptions in the cybercrime landscape, including the takedowns of previous market leaders ALPHV/BlackCat and LockBit. Microsoft, which tracks the group, notes growing adoption of RansomHub by a range of cybercriminal actors. RansomHub, which emerged from the rebranded Knight ransomware crew, has quickly gained prominence with attacks on major companies. New variants such as Fog and FakePenny show ongoing evolution and competition among ransomware groups. Ransomware-as-a-Service (RaaS) remains the dominant business model, with new groups and variants continuously entering the market. Microsoft has also tracked Moonstone Sleet, a group it has followed for less than a year, using the new FakePenny ransomware and demanding large ransom payments.
2024-07-16 17:58:49 bleepingcomputer DATA BREACH Over 15 Million Trello User Emails Exposed by API Flaw
Over 15 million email addresses tied to Trello accounts have been leaked on a hacking forum after being collected through an unsecured API. The data was first offered for sale in January by a threat actor known as 'emo', who claimed to hold records on 15,115,516 Trello members. Trello, owned by Atlassian, is widely used by businesses to manage projects and organize tasks. Most of the leaked fields were public profile details, but each record was paired with the account's email address, which is not public. The data was gathered through a REST API that returned a user's public profile when queried with any email address, without authentication, so an attacker could feed in a large list of addresses and link each one to a Trello account. Atlassian has since changed the API to reject unauthenticated requests for user information while keeping the feature available to logged-in users. Email addresses matched to specific accounts are useful for targeted phishing and doxxing. Earlier incidents at other companies show the same pattern of unsecured APIs being abused for enumeration, an ongoing challenge in securing public interfaces.
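As an added example (not Atlassian's code, and the data model, token store and limits are assumptions for illustration), the snippet below contrasts the shape of the flaw described above with a hardened handler: an unauthenticated email-to-profile lookup beside one that requires a session token, throttles lookups per identity, and returns only the fields an invite flow needs. A small enumeration loop over a constructed word list shows how many accounts each version gives up.

```javascript
'use strict';

// Constructed sample data (not Trello's real data model): e-mail -> profile.
const USERS = new Map([
  ['alice@example.com', { id: 'u1', username: 'alice', fullName: 'Alice Example' }],
  ['bob@example.com',   { id: 'u2', username: 'bob',   fullName: 'Bob Example' }],
]);

// Constructed session store (assumption): bearer token -> user id.
const SESSIONS = new Map([['tok-alice-123', 'u1']]);

// --- Vulnerable shape -------------------------------------------------------
// An unauthenticated lookup keyed on e-mail. Each hit ties an address (which an
// attacker already holds from breach dumps) to an account identity, so a loop
// over a mailing list becomes a mass de-anonymisation of users.
function lookupByEmailVulnerable(query) {
  const user = USERS.get(String(query.email || '').toLowerCase());
  return user ? { status: 200, body: { email: query.email, ...user } } : { status: 404 };
}

// --- Hardened shape ---------------------------------------------------------
const WINDOW_MS = 60_000;   // sliding-window length (assumed value)
const MAX_PER_WINDOW = 20;  // lookups allowed per token per window (assumed value)
const usage = new Map();    // token -> timestamps of recent lookups

function allowRequest(token, now) {
  const recent = (usage.get(token) || []).filter((t) => now - t < WINDOW_MS);
  const allowed = recent.length < MAX_PER_WINDOW;
  if (allowed) recent.push(now);
  usage.set(token, recent);
  return allowed;
}

function resetRateLimiter() { usage.clear(); }

function lookupByEmailHardened(query, headers, now = Date.now()) {
  const auth = (headers && headers.authorization) || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  if (!token || !SESSIONS.has(token)) return { status: 401 }; // 1. authenticate the caller
  if (!allowRequest(token, now)) return { status: 429 };       // 2. throttle per identity
  const user = USERS.get(String(query.email || '').toLowerCase());
  if (!user) return { status: 404 };
  // 3. minimise: return only what an invite flow needs and never echo the
  //    e-mail or other non-public fields. Existence is still disclosed to an
  //    authenticated caller, which is why the throttle and an audit log of
  //    (token, e-mail, timestamp) matter.
  return { status: 200, body: { id: user.id, username: user.username } };
}

// Simulate an enumeration run against either handler and tally the outcomes.
function enumerate(handler, emails, headers, now = 0) {
  const tally = { 200: 0, 401: 0, 404: 0, 429: 0 };
  const resolved = [];
  for (const email of emails) {
    const res = handler({ email }, headers, now);
    tally[res.status] = (tally[res.status] || 0) + 1;
    if (res.status === 200) resolved.push(res.body.username);
  }
  return { resolved, tally };
}

// Constructed attacker word list: two real addresses buried among 23 guesses.
const ATTACKER_LIST = ['alice@example.com', 'bob@example.com'].concat(
  Array.from({ length: 23 }, (_, i) => `guess${i}@example.com`),
);

console.log('vulnerable:', JSON.stringify(enumerate(lookupByEmailVulnerable, ATTACKER_LIST)));
console.log('hardened, no token:', JSON.stringify(enumerate(lookupByEmailHardened, ATTACKER_LIST, {})));
console.log('hardened, valid token:', JSON.stringify(
  enumerate(lookupByEmailHardened, ATTACKER_LIST, { authorization: 'Bearer tok-alice-123' })));
```

Against the vulnerable handler the whole list is resolved in one pass with no credentials; against the hardened one an anonymous caller gets nothing, and an authenticated caller is cut off after the per-window budget, which turns a 15-million-row scrape into something slow, attributable, and visible in the audit log.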
2024-07-16 15:03:22 theregister MALWARE DarkGate Malware Expands Reach Post-Qbot Takedown
DarkGate malware has grown more prevalent since the FBI's disruption of the Qbot botnet, filling the gap left in the cybercrime ecosystem. First identified in 2018, DarkGate has evolved into a versatile tool capable of keylogging, data theft, credential stealing, and deploying ransomware. Its multifunctionality gives criminals comprehensive control over infected systems, and it spreads through a variety of infection vectors including social engineering, phishing, and compromised websites. Security firms such as Proofpoint and enSilo have noted significant upticks in DarkGate deployment, with over 14,000 documented campaigns targeting more than 1,000 organizations. Evasion tactics such as encryption and environment checks help DarkGate avoid detection and analysis by security tools. The malware checks for the presence of 26 anti-malware products, further underscoring the effort invested in evading security measures. Recommendations for organizations include layered security defenses and employee training to recognize and report phishing attempts.
2024-07-16 15:03:22 theregister DATA BREACH Privacy Concerns Over Meta's Use of UK User Data for AI
A UK-based privacy organization, Open Rights Group (ORG), has filed a complaint with the Information Commissioner's Office (ICO) over Meta's updated privacy policy. The revised policy allows Meta to use personal data posted by Facebook and Instagram users to train its AI models. Users were notified of the change in late May, with the policy due to take effect on June 26. ORG argues that relying on 'legitimate interests' as the legal basis for this use could breach the UK GDPR, particularly on the questions of user consent and the use of personal data for AI training. Meta faced similar pushback in the EU, where it paused its plans to train AI on user data. Despite Meta's assertions of legal compliance and transparency, concerns persist that user objections are not binding and that the consent mechanism is unclear. The ICO has yet to formally respond to the complaint.
2024-07-16 15:03:22 theregister MISCELLANEOUS Cisco's 2024 Report Highlights Global Cybersecurity Gaps
The 2024 Cisco Cybersecurity Readiness Index draws on responses from more than 8,000 business and cybersecurity leaders across 30 markets. Only 3% of surveyed organizations reach the 'Mature' level of readiness, with most classified as 'Formative' or 'Beginner'. 73% of respondents expect a cybersecurity incident to disrupt their business within the next one to two years, yet 80% express moderate to high confidence in their ability to withstand one. The index scores readiness across five pillars: Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification. Cisco positions products such as Secure Firewall and its AI-enabled Extended Detection and Response (XDR) as answers to these gaps, and its Multicloud Defense platform for protecting workloads on third-party cloud services.
2024-07-16 15:03:22 thehackernews MALWARE Malicious npm Packages Employ Images to Conceal Backdoor Code
Cybersecurity researchers found two malicious npm packages that used image files to hide backdoor code. The packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, imitated the legitimate aws-s3-object-multipart-copy library. They carried altered code that could execute commands received from a remote server. Specifically, they shipped logo images of Intel, Microsoft, and AMD; the Microsoft logo image carried the hidden payload, which the package extracted and executed. On installation, the malicious code registered the new client with a command-and-control server and then polled for commands to execute every five seconds. The findings underscore the growing sophistication of attacks on open source software ecosystems. The npm security team removed the malicious packages after being alerted.
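As an added example (not code from the packages above or from the researchers), the scanner below checks one common way of smuggling a payload inside an image shipped with a package: bytes appended after the file's end marker (the IEND chunk of a PNG, the EOI marker of a JPEG), which image viewers ignore but a loader script can slice off and execute. Whether these particular packages used exactly this trick is not stated on the page and is assumed here only as the technique to demonstrate; the sample images and the payload string are constructed.

```javascript
'use strict';

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Return the offset just past the IEND chunk of a PNG, or -1 if the buffer is
// not a well-formed PNG. Chunk CRCs are not validated here.
function pngEndOffset(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return -1;
  let off = 8;
  while (off + 12 <= buf.length) {              // 4 length + 4 type + 4 CRC minimum
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    const next = off + 12 + len;
    if (next > buf.length) return -1;           // truncated chunk
    if (type === 'IEND') return next;
    off = next;
  }
  return -1;                                    // no IEND found
}

// Return the offset just past the EOI marker of a JPEG, or -1 if malformed.
// Walks marker segments and skips entropy-coded scan data, so an EOI inside an
// embedded EXIF thumbnail is not mistaken for the real end of file.
function jpegEndOffset(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) return -1;
  let off = 2;
  while (off + 2 <= buf.length) {
    if (buf[off] !== 0xff) return -1;
    const marker = buf[off + 1];
    if (marker === 0xd9) return off + 2;                          // EOI
    if (marker === 0xff) { off += 1; continue; }                  // fill byte
    if (marker >= 0xd0 && marker <= 0xd7) { off += 2; continue; } // RSTn has no length
    if (off + 4 > buf.length) return -1;
    off += 2 + buf.readUInt16BE(off + 2);                         // skip segment body
    if (marker === 0xda) {                                        // SOS: skip scan data
      while (off + 1 < buf.length) {
        const nextIsMarker = buf[off] === 0xff && buf[off + 1] !== 0x00 &&
          !(buf[off + 1] >= 0xd0 && buf[off + 1] <= 0xd7);
        if (nextIsMarker) break;
        off += 1;
      }
    }
  }
  return -1;
}

// Bytes after the end marker, an empty Buffer if none, or null if the file is
// not a recognizable PNG/JPEG.
function findTrailingPayload(buf) {
  let end = pngEndOffset(buf);
  if (end === -1) end = jpegEndOffset(buf);
  if (end === -1) return null;
  return buf.subarray(end);
}

// Scan a {filename: Buffer} map, as a pre-install hook or CI check might.
function scanImages(files) {
  const findings = [];
  for (const [name, buf] of Object.entries(files)) {
    const tail = findTrailingPayload(buf);
    if (tail === null) { findings.push({ name, verdict: 'unrecognized' }); continue; }
    if (tail.length === 0) continue;
    findings.push({ name, verdict: 'trailing-data', bytes: tail.length,
                    preview: tail.toString('latin1', 0, 48) });
  }
  return findings;
}

// Constructed samples: a minimal PNG (IHDR + IEND, no IDAT) and a minimal
// JPEG (APP0, SOS with a few stuffed scan bytes, EOI). Neither is a real logo.
const PNG_CLEAN = Buffer.concat([
  PNG_SIG,
  Buffer.from([0, 0, 0, 13]), Buffer.from('IHDR'),
  Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0]), Buffer.from([0x3a, 0x7e, 0x9b, 0x55]),
  Buffer.from([0, 0, 0, 0]), Buffer.from('IEND'), Buffer.from([0xae, 0x42, 0x60, 0x82]),
]);
const JPEG_CLEAN = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x02, 0xff, 0xda, 0x00, 0x02,
                                0x01, 0x02, 0xff, 0x00, 0x03, 0xff, 0xd9]);
// Constructed stand-in for a hidden loader stub (not the real payload).
const PAYLOAD = Buffer.from('require("child_process").exec(cmd)', 'utf8');

const SAMPLES = {
  'intel.png': PNG_CLEAN,
  'microsoft.png': Buffer.concat([PNG_CLEAN, PAYLOAD]),
  'amd.jpg': JPEG_CLEAN,
  'not-an-image.txt': Buffer.from('hello'),
};

console.log(JSON.stringify(scanImages(SAMPLES), null, 2));
```

Only the image with bytes past its IEND chunk is flagged, with a readable preview of the tail; a file that parses as neither format is reported separately so that a renamed script masquerading as a .png does not pass silently. The check is cheap enough to run over every binary asset in a dependency before it is allowed to install.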
2024-07-16 15:03:22 thehackernews CYBERCRIME Addressing Identity-Based Threats in SaaS Applications
Identity-based threats dominate in SaaS environments, and the article cites a figure of 90% of cyberattacks beginning with phishing. Effective Identity Threat Detection and Response (ITDR) is therefore essential for detecting and countering these threats. Recent breaches show the consequences of weak identity controls, including the Snowflake customer incident in which 560 million customer records were compromised. Multi-factor authentication (MFA) and single sign-on (SSO) are the baseline controls for reducing identity-based risk, yet organizations often fail to use them fully, leaving MFA disabled and not continuously monitoring user activity. Proactive steps include deprovisioning access for former employees, monitoring external user accounts, and applying the principle of least privilege (PoLP) to limit access rights. By correlating activity in real time across multiple SaaS applications, ITDR systems can quickly identify and contain unauthorized access before it becomes a data breach. Prioritizing identity security and strengthening ITDR capabilities are crucial for protecting sensitive corporate data.
2024-07-16 15:03:22 thehackernews CYBERCRIME 'Konfety' Operation Uses Decoy Apps on Google Play for Ad Fraud
"Konfety," a large-scale ad fraud operation, uses more than 250 decoy apps on Google Play, each paired with a malicious "evil twin" app distributed outside the store. The dual-app setup obfuscates the malicious activity: the evil twin mimics the decoy's app ID and ad publisher IDs so that fraudulent traffic appears to come from a legitimate Play Store app. The evil twin apps commit ad fraud, monitor users' web searches, install unauthorized browser extensions, and sideload APKs. The scheme relies on the Russia-based CaramelAds network, whose SDK was manipulated for the fraud. At its peak, Konfety generated 10 billion ad requests per day. Users are lured into installing evil twin apps through links on various platforms, including compromised sites and social media. Once installed, the apps hide their icons, display intrusive ads, and can modify device settings to entrench themselves.