Daily Brief


Total articles found: 11821


2024-04-25 16:54:48 thehackernews NATION STATE ACTIVITY North Korea's Lazarus Group Unleashes New RAT via Job Scams
North Korea's Lazarus Group has deployed a new remote access trojan, Kaolin RAT, using fabricated job offer lures as part of its Operation Dream Job campaign. Kaolin RAT can change file timestamps and load DLL binaries from its command-and-control (C2) server, and serves as a precursor for delivering the FudModule rootkit. The malware exploits the now-patched vulnerability CVE-2024-21338 to manipulate kernel operations and bypass security settings, enhancing its stealth and persistence. Initial infection is achieved by tricking targets into running a malicious ISO file that pretends to contain a VNC client for Amazon but instead loads additional malware payloads. The multi-stage infection process uses the RollFling and RollSling loaders to retrieve further malicious components that are kept in memory to avoid detection. The ultimate goal of the attack chain is comprehensive control over the victim's system, including file manipulation, process control, and execution of remote commands. Researchers at Avast highlight the technical complexity and significant resources invested by Lazarus Group in continuously evolving its methods to circumvent advanced security measures.
2024-04-25 16:44:20 bleepingcomputer CYBERCRIME Over 1,400 CrushFTP Servers at Risk from Critical Exploit
Over 1,400 online-exposed CrushFTP servers are vulnerable to a critical server-side template injection (SSTI) vulnerability, CVE-2024-4040, enabling unauthenticated remote code execution (RCE). The vulnerability allows attackers to bypass authentication, access administrator accounts, and execute arbitrary file reads as root. Security firms including CrowdStrike identified the exploitation of this vulnerability in politically motivated intelligence-gathering attacks targeting U.S. organizations. Rapid7 confirmed the bug as "fully unauthenticated and trivially exploitable," urging immediate updates for affected systems. The majority of the vulnerable servers are located in the United States, Germany, and Canada. CrushFTP has issued a patch and advises customers to update their software to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated U.S. federal agencies to patch their vulnerable servers by May 1st in response to the active exploitation of this flaw.
2024-04-25 14:30:19 bleepingcomputer CYBERCRIME Critical SQL Injection Exploit Targets WordPress Plugin
Hackers are exploiting a high-severity vulnerability in the WP Automatic plugin for WordPress to create admin accounts and plant backdoors. Over 5.5 million attack attempts have been made since the vulnerability, identified as CVE-2024-27956, was disclosed on March 13. The vulnerability allows attackers to bypass user authentication and execute SQL queries to gain administrative access. WPScan observed most attack attempts on March 31st, highlighting the urgency and widespread nature of the exploitation. Once access is secured, attackers establish persistence by creating backdoors and renaming files to obfuscate their activities and evade detection. Compromised sites show specific indicators of compromise, such as admin accounts whose names start with "xtw" and backdoor files named web.php and index.php. WPScan advises updating the WP Automatic plugin to version 3.92.1 or later and regularly backing up website data to mitigate and recover from breaches.
2024-04-25 13:39:01 theregister NATION STATE ACTIVITY 2024 Election Threats: Rising Risks from Russia, Iran, and China
Russia and Iran are identified as the primary threats to the 2024 U.S. and UK elections, employing sophisticated cyber tactics. A Mandiant report highlights the "four Ds" of election interference: DDoS attacks, data theft, disinformation, and deepfakes. There is potential for hybrid attacks that combine multiple tactics to influence voter perceptions and outcomes. Deepfake technology is becoming more convincing and is used to fabricate endorsements or criticisms by well-known figures. Disinformation campaigns are expected to leverage both stolen data and fabricated content to sow discord and manipulate public opinion. Cyber defense agencies need to prepare for a variety of threats, from data theft to complex disinformation operations. The effectiveness of these interference efforts remains uncertain due to improved defensive measures and increased public awareness.
2024-04-25 11:16:00 thehackernews CYBERCRIME Effective Network Defense Against Common Cyber Attack Methods
The article walks through a simulated network attack in six stages, from initial access to data exfiltration, based on real-world tactics. It highlights attackers' use of simple, commonly available tools rather than sophisticated or advanced technologies. The attack starts with a spear-phishing email carrying a malicious attachment that exploits a vulnerability in Microsoft Office. After gaining initial access, attackers abuse commonly used administrative tools for tasks like credential dumping and lateral movement within the network. The article emphasizes a defense-in-depth strategy, with multiple security layers at different points to detect and mitigate such attacks. It underlines the need for security teams to simulate attacks in order to test systems, enhance network defenses, and demonstrate the value of security investments to leadership. The article concludes by advocating holistic security measures as crucial for effectively protecting against network breaches.
2024-04-25 10:24:43 thehackernews CYBERCRIME DOJ Seizes Crypto Mixer in $2 Billion Illegal Transaction Case
The U.S. Department of Justice (DoJ) arrested two co-founders of the cryptocurrency mixer Samourai, Keonne Rodriguez and William Lonergan Hill, on charges related to facilitating illegal transactions and money laundering. Samourai allegedly processed over $2 billion in transactions and laundered more than $100 million from criminal activities, including operations on dark web marketplaces like Silk Road and Hydra. The service utilized features like Whirlpool and Ricochet Send, designed to obscure the origins and destinations of cryptocurrency, reportedly enhancing user privacy and evading financial surveillance. Law enforcement cooperated internationally, involving agencies from Iceland, Portugal, and Europol to apprehend the suspects and dismantle the service’s infrastructure. Rodriguez and Hill face up to 25 years in prison if convicted; they are charged with money laundering and operating an unlicensed money-transmitting business. The case emphasizes the ongoing governmental scrutiny and regulatory actions against platforms that facilitate cryptocurrency-based criminal activities.
2024-04-25 10:04:05 bleepingcomputer MALWARE New Brokewell Malware Hijacks Androids, Steals User Data
Security researchers identified a new Android malware named Brokewell, designed to capture and steal data by controlling device functions. The malware is distributed through a deceptive alert for a Google Chrome update encountered during browsing sessions. Brokewell offers extensive capabilities for data theft and remote control, and it's being actively developed to enhance these functions. The developers behind Brokewell have previously targeted financial services, utilizing the malware to impersonate legitimate applications. The malware leverages a specialized tool called "Brokewell Android Loader" to bypass recent Google security restrictions, enhancing its malicious effectiveness. ThreatFabric, a fraud risk analysis firm, discovered the malware after tracing a fake Chrome update page that deployed the infection. Research indicates that Brokewell may soon be marketed more broadly in cybercriminal circles as a component of malware-as-a-service offerings. Users are advised to download apps exclusively from the Google Play Store and ensure the continuous activation of Play Protect to mitigate risks.
2024-04-25 09:18:02 theregister NATION STATE ACTIVITY UK Criticized for Inadequate Response to Cyber Espionage
The UK government faced intense criticism in March 2024 for its insufficient response to cyber-attacks by the espionage group APT31. A National Cyber Security Centre review highlighted that the UK's critical infrastructure is underprepared for cyber threats. The critique comes against a broader backdrop of escalating ransomware attacks, data breaches, and cyber extortion affecting global organizations. An upcoming webinar hosted by Rubrik, featuring Tim Phillips and CISO Richard Cassidy, aims to address strategies for mitigating cyberattacks. The discussion will focus on understanding the evolution and complexities of the cybersecurity crisis to help businesses refine their defensive strategies. The webinar is scheduled for April 29 and aims to equip participants with knowledge to enhance operational resilience and data integrity after an attack.
2024-04-25 06:44:50 thehackernews MISCELLANEOUS Google Delays Cookie Phase-Out Amid UK Regulatory Review
Google has postponed the deprecation of third-party cookies in Chrome until the second half of 2024, marking the third extension. This decision is due to ongoing discussions with the U.K. Competition and Markets Authority (CMA) to address competition concerns related to Google's Privacy Sandbox. Privacy Sandbox is designed to provide privacy-preserving ad targeting alternatives to traditional cookies and cross-app identifiers. Unlike Google, Apple and Mozilla have already eliminated support for third-party cookies as of 2020. The U.K. regulators, including the ICO, are scrutinizing the Privacy Sandbox to ensure it benefits consumers and does not unduly advantage Google’s advertising technologies. Challenges have been identified in Google's proposed alternatives, potentially allowing advertisers to bypass intended privacy protections. Google continues to engage with various stakeholders and has been asked by the CMA to collect further industry feedback and test results by June's end. Additionally, Google announced enhancements to Google Meet, including support for external participants in encrypted calls.
2024-04-25 06:34:28 theregister MISCELLANEOUS Indian Bank Restricted from Adding New Online Customers
The Reserve Bank of India (RBI) has imposed a ban on Kotak Mahindra Bank barring new online customer sign-ups due to serious IT management deficiencies. Identified issues include poor management of IT inventory, inadequate patch and change management, flawed user access and vendor risk management, and weak data security measures. Kotak Mahindra Bank, with over 41 million customers and $500 billion in assets, has failed consecutive annual assessments of IT risk and information security governance conducted by RBI. Previous corrective IT actions by the bank were deemed either inadequate or not adequately sustained. The bank's rapid introduction of new products, including gaining three million new customers for a credit card product, prompted concerns about operational resilience. RBI's decision aims to protect customers and the broader digital banking ecosystem by forcing Kotak Mahindra to enhance its technological infrastructure. The bank pledges to implement new technologies and work rigorously to resolve remaining issues swiftly, though it does not foresee a material impact on overall business. Investor confidence appears stable, as reflected by a 1.65 percent increase in stock price following the announcement.
2024-04-25 05:58:40 thehackernews NATION STATE ACTIVITY State-Sponsored Exploits Target Cisco Gear for Espionage
State-sponsored hackers exploited two zero-day vulnerabilities in Cisco hardware in a malware campaign named ArcaneDoor, aimed at covert espionage. Cisco Talos identified the threat actor as UAT4356, also known as Storm-1849, which deployed two backdoors, Line Runner and Line Dancer, for actions such as data exfiltration and network traffic capture. The two exploited Cisco vulnerabilities allowed root-level and administrative-level code execution, enabling the malware to persist and operate across reboots. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies apply the fixes provided by Cisco by May 1, 2024, to mitigate the vulnerabilities. The hackers' initial access pathway to the Cisco devices remains unclear, although UAT4356's preparations have been traced back to July 2023. The attackers demonstrated advanced tactics to avoid detection and maintain persistence, indicating deep knowledge of the Cisco appliances and of typical forensic examinations. Cisco Talos has not disclosed the scope of customer impact; its emphasis was on the need for regular updates, monitoring, and securing of perimeter network devices.
2024-04-25 00:33:01 theregister NATION STATE ACTIVITY Australia's Intelligence Seeks Tech Help Against Encrypted Threats
Australia's top intelligence and police authorities are pressing for "accountable encryption" to support law enforcement in accessing encrypted communications during investigations. The Australian Security and Intelligence Organisation (ASIO) director highlighted the challenging balance between privacy protected by encryption and the secure zones it creates for extremists. Authorities are concerned about the delay and difficulty in intercepting potential threats due to current encryption technologies, despite existing laws. While not advocating for an end to end-to-end encryption, they urge tech companies to comply more effectively with lawful intercepts as permitted by court warrants. The discussion is in line with global law enforcement bodies, including European police chiefs, who argue that encryption complicates investigations into serious crimes like terrorism and child exploitation. Officials are also worried about the dual-use nature of AI technology, which is being exploited by extremists for malicious purposes, such as attack planning and weapon building. ASIO already employs AI to enhance their data analysis capabilities but faces challenges with encrypted data obstructing swift threat assessment.
2024-04-24 23:16:40 theregister NATION STATE ACTIVITY Nation-State Cyber Group Targets Global VPN with Novel Malware
A sophisticated nation-state actor exploited vulnerabilities in Cisco security appliances starting in November 2023 for espionage. The cyberattacks, named "ArcaneDoor," were discovered in January and targeted VPN services key to government and critical infrastructure globally. Joint advisories by cybersecurity agencies from Canada, Australia, and the UK highlighted the focus on espionage using bespoke malware tools. Two specific vulnerabilities in Cisco devices, CVE-2024-20353 and CVE-2024-20359, were exploited, with patches released recently. The intruders deployed two custom malware implants, Line Dancer and Line Runner, enabling them to control and extract data from the compromised systems. The actors also showed interest in other vendors' devices, including those from Microsoft, signaling a broader threat landscape. Cisco encouraged customers to urgently update affected systems and check for signs of compromise, as described in the Cisco Talos blog and security advisories.
2024-04-24 20:59:17 bleepingcomputer CYBERCRIME US Charges Samourai Mixer Founders for $100 Million Laundering
Keonne Rodriguez and William Lonergan Hill are charged by the U.S. DOJ with laundering over $100 million through their cryptocurrency mixer, Samourai. Samourai's services, Whirlpool and Ricochet, allegedly processed over $2 billion in illicit funds, helping mask the origins of transactions linked to criminal activities. The founders reportedly earned approximately $4.5 million in fees from these money laundering services. The Samourai Wallet app, downloaded over 100,000 times, facilitated private and anonymous cryptocurrency transactions. Icelandic authorities have seized Samourai's domains and servers, and Google Play has removed the app following legal action. Rodriguez has been arrested in the U.S., while Hill was detained in Portugal, with the U.S. seeking his extradition for trial. Both founders face serious charges, including money laundering, which carries up to a 20-year sentence, and operating an unlicensed money-transmitting business, which carries up to a 5-year sentence. The indictment highlights extensive use of the Samourai mixer for laundering proceeds from dark web markets, wire fraud, and schemes defrauding decentralized finance protocols.
2024-04-24 20:13:19 bleepingcomputer MALWARE Critical Security Flaw in Flowmon Urges Immediate Update
Proof-of-concept exploit code has been released for a critical vulnerability in Progress Flowmon, a network performance monitoring tool used globally by over 1,500 companies. The vulnerability, identified as CVE-2024-2389, allows remote, unauthenticated attackers to execute arbitrary commands via a specially crafted API request. Progress Software, the developer of Flowmon, has released patches for affected versions and urged customers to update to v12.3.4 or 11.1.14 immediately. Researchers from Rhino Security Labs demonstrated the exploit, which could enable attackers to plant a webshell and escalate privileges to root on the affected system. About 500 Flowmon servers are exposed on the public internet, increasing the risk of exploitation. Italy's CSIRT had previously warned that this exploit was publicly available, confirming its active circulation in cybersecurity communities. Although no active exploitation has been reported, the presence of the exploit code in public forums like X makes updating affected systems promptly an urgent priority.