Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11819
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-04-23 04:29:24 | thehackernews | NATION STATE ACTIVITY | Russia's APT28 Uses Windows Flaw to Spread GooseEgg Malware | APT28, a Russian nation-state threat actor, exploited a vulnerability in Microsoft Windows Print Spooler to deploy the GooseEgg malware. The security flaw, known as CVE-2022-38028 with a CVSS score of 7.8, was patched by Microsoft in October 2022 following NSA's identification. GooseEgg allows for privilege escalation and the execution of commands with SYSTEM-level permissions, targeting entities in Ukraine, Western Europe, and North America. The malware primarily affected government, NGO, education, and transportation sectors, serving as a tool for intelligence collection aligned with Russian foreign policy. GooseEgg is capable of launching applications that facilitate further exploits such as remote code execution, installing backdoors, and lateral movement within networks. APT28, also known as Fancy Bear and Forest Blizzard, has been leveraging multiple other public exploits, demonstrating their rapid adaptation of new vulnerabilities. This disclosure coincides with IBM X-Force's revelation of new phishing attacks by related Russian actor Gamaredon, indicating increased tempo and sophistication in Russian cyber operations. | Details |
| 2024-04-23 01:21:24 | theregister | NATION STATE ACTIVITY | Russian Fancy Bear Exploits Old Windows Print Spooler Bug | The Russian cyberespionage group Fancy Bear uses "GooseEgg" malware to exploit a dated Windows Print Spooler vulnerability. Microsoft Threat Intelligence uncovered the activity, which involves stealing credentials and elevating privileges on compromised networks. This vulnerability, known as CVE-2022-38028, was patched by Microsoft in October 2022, but exploitation dates back to as early as April 2019. The hackers gain access through modified JavaScript files, executing them with SYSTEM-level permissions to drop additional payloads. Targeted sectors include government, education, transportation, and NGOs in regions such as Ukraine, Western Europe, and North America. Microsoft advises patching affected systems immediately and disabling the Print Spooler service on domain controllers to prevent misuse. Detailed threat hunting queries and indicators of compromise have been released by Microsoft to help organizations detect potential breaches. | Details |
| 2024-04-22 22:33:30 | bleepingcomputer | NATION STATE ACTIVITY | APT28 Exploits Windows Flaw, Targets Western Entities | The Russian APT28 threat group is exploiting a Windows Print Spooler vulnerability, CVE-2022-38028, initially reported by the NSA. Microsoft detected the use of a tool called GooseEgg by APT28 to escalate privileges and execute commands with SYSTEM-level access. The exploitation has been ongoing since at least June 2020, with indications of activity as early as April 2019. GooseEgg is used to deploy additional malware, facilitate backdoor installation, and enable lateral movement within networks. Targets include government, non-governmental, educational, and transportation sectors across Ukraine, Western Europe, and North America. Microsoft patched the vulnerability in October 2022 but had not flagged it as actively exploited in its advisory. APT28, also known as Fancy Bear, has a history of high-profile cyberattacks, including breaches of the German Federal Parliament and the DNC. Microsoft's findings underscore the ongoing threat posed by nation-state actors in cyber espionage and sabotage. | Details |
| 2024-04-22 21:11:53 | theregister | NATION STATE ACTIVITY | U.S. Senate Extends Warrantless Surveillance Under FISA Section 702 | The U.S. Senate voted 60-34 to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), permitting warrantless surveillance for another two years. President Biden quickly signed the Reforming Intelligence and Securing America Act (RISAA), which also expands the entities required to cooperate with U.S. intelligence. The Senate rejected six amendments aiming to limit the scope of surveillance and require warrants for accessing U.S. persons' data caught in intelligence sweeps. RISAA broadens the definition of electronic communications service providers, increasing the range of companies and individuals who must assist in intelligence operations. Critics, including Senator Ron Wyden, voiced strong objections to the renewal, highlighting ongoing concerns over privacy violations and insufficient oversight of intelligence activities. FBI Director Christopher Wray defended Section 702 as a vital tool against threats, including cyber activities by foreign entities, notably Chinese hacking groups. Civil liberties organizations like the ACLU expressed disappointment with the bill's passage and vowed to continue advocating for reform and accountability in surveillance practices. | Details |
| 2024-04-22 17:22:48 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Identifies Russian Hackers Exploiting Windows Vulnerability | The Russian APT28 hacking group exploits a Windows Print Spooler vulnerability, initially reported by the NSA, to escalate privileges and steal data. The group employs a hacking tool known as GooseEgg, designed to exploit CVE-2022-38028, which Microsoft patched in October 2022. GooseEgg allows attackers to run commands with SYSTEM-level privileges, deploy additional malicious tools, and maintain persistence on compromised systems. The exploit also enables the deployment of a malicious DLL that can execute apps with elevated permissions, facilitating the launch of backdoors and lateral movement through networks. Microsoft has observed attacks against Ukrainian, Western European, and North American targets in the government, education, and transportation sectors. Historically, APT28 has conducted high-profile cyberattacks, including exploiting Cisco router zero-days and hacking Ubiquiti EdgeRouters. The U.S. and EU have imposed charges and sanctions on APT28 members linked to breaches at the German Federal Parliament and U.S. political organizations. | Details |
| 2024-04-22 16:31:37 | theregister | NATION STATE ACTIVITY | Europol Challenges Tech Giants on End-to-End Encryption Use | Europol, along with European police chiefs, has released a declaration urging tech companies not to fully implement end-to-end encryption (E2EE), so as to preserve lawful access to communications for law enforcement purposes. The declaration emphasizes the threat of serious crimes such as terrorism, human trafficking, and child exploitation becoming undetectable due to E2EE, which prevents scanning of direct messages. The statement critiques the concept of completely private communication spaces as dangerous and unprecedented in society, advocating for balanced user privacy that still allows for crime prevention and intervention. Europol's stance reflects similar concerns raised by other international organizations and aligns with the UK's National Crime Agency's views expressed in joint cooperation. The issue particularly targets Meta (formerly Facebook), which has been progressively implementing E2EE across its messaging platforms. Meta has resisted pressure from law enforcement, citing the potential compromise of user trust and privacy, and emphasizing that its encryption methods do not obstruct its ability to monitor and report harmful activities. Meta continues to develop alternative methods to detect illicit activities without reverting from its encryption stance, aiming to balance both security and privacy. | Details |
| 2024-04-22 15:35:02 | theregister | NATION STATE ACTIVITY | German Trio Arrested for Alleged Naval Tech Smuggling to China | Germany has arrested three individuals for allegedly attempting to transfer military technology to China, breaching export regulations. The suspects are accused of working on behalf of China's Ministry of State Security, with one potentially directly employed by the agency. Involved in the scandal is a Düsseldorf-based company with deep ties to the German scientific community, purportedly used to facilitate the technology transfer. The technology involved includes dual-use items, which could serve both civilian and military applications, specifically components potentially used in military ship engines. Alleged illicit activities include an arrangement with a German university to conduct ostensibly civilian research for a Chinese firm, hiding the military intentions. The trio is also accused of sending a dual-use regulated laser to China, which could have military purposes. This case underscores ongoing concerns about China's efforts to acquire western dual-use technology for its military advancement. | Details |
| 2024-04-22 15:29:41 | bleepingcomputer | RANSOMWARE | Synlab Italia Halts Operations Due to Ransomware Attack | Synlab Italia, part of the global Synlab group, was forced to shut down its IT systems following a ransomware attack on April 18. The attack led to the suspension of all diagnostic and testing services across its 380 labs and medical centers in Italy, impacting 35 million annual analyses. All IT systems were taken offline as a precautionary measure to contain the breach, following set IT security protocols. Although not confirmed, there is a possibility that sensitive medical data was compromised during the incident. Customer service operations have moved to phone communications as email services are disrupted; the company advises re-submission of samples if system recovery is prolonged. Synlab has begun partially restoring services such as outpatient visits and physiotherapy while continuously monitoring its IT infrastructure to ensure the malware is eradicated. No specific timeline for a full service restoration has been provided, and updates are being communicated through Synlab's website and social media. | Details |
| 2024-04-22 15:14:13 | thehackernews | CYBERCRIME | Russian ToddyCat Group Targets Asia-Pacific Government Data | Russian hacker group ToddyCat uses sophisticated tools to conduct data theft on an industrial scale, primarily targeting governmental and defense organizations in the Asia-Pacific region. Security firm Kaspersky reports that ToddyCat automates data harvesting and has maintained multiple methods for persistent access and system monitoring since at least December 2020. The group employs a passive backdoor known as Samurai, allowing remote access to compromised systems, alongside other tools like LoFiSe and Pcexter for data extraction and uploading to cloud services. ToddyCat was first identified in June 2022 following a series of cyberattacks on European and Asian government and military entities. New findings reveal the use of advanced tunneling and data-gathering software after the initial breach, aiming to sustain access to privileged accounts and hide the group's activities within the infected systems. Kaspersky advises enhancing security by blacklisting IPs and resources associated with traffic tunneling and enforcing stricter password management policies among users to prevent access to sensitive information. | Details |
| 2024-04-22 15:08:55 | bleepingcomputer | MALWARE | Malware Disguised as Legitimate Files on GitHub and GitLab | A flaw in both GitHub and GitLab allows threat actors to distribute malware through URLs that mimic credible repositories. Threat actors exploit a design flaw where files attached to comments in GitHub and GitLab appear as though hosted officially, creating an effective deceit. Malicious files, appearing to be from reputable sources like Microsoft, remain on the CDN even if the corresponding comment is never posted or is later deleted. This method impacts major companies, as virtually every software firm uses these platforms, increasing the lure's credibility. Uploaded files retain links that appear affiliated with project repositories, misleading users into downloading harmful software disguised as updates or new drivers. Despite the potential for significant misuse, current platform settings do not allow repo administrators to manage or remove malicious files linked to their projects. Both GitHub and GitLab have been notified of the issue, with ongoing questions about when and how it will be addressed to curb abuse. | Details |
| 2024-04-22 14:02:08 | theregister | DATA BREACH | Dutch Authority Warns Against Government Use of Facebook | The Dutch Data Protection Authority advises against using Facebook for official communications due to privacy concerns. The decision follows the Dutch government's hesitation on a proposed ban of the platform's use due to uncertainty about how Facebook handles personal data. The Authority stresses the importance of clear understanding and guarantees of data privacy when government bodies use social platforms. Meta disputes the Authority's claims, asserting compliance with regional laws and misunderstanding of their product operations. The ongoing debate emphasizes the complex balance between effective public communication and protecting citizen privacy on social platforms. Concerns are also highlighted about Meta's subscription model which may compel users to sacrifice privacy to access information. | Details |
| 2024-04-22 14:02:07 | bleepingcomputer | MISCELLANEOUS | Criminal IP Partners with Sumo Logic for Enhanced Security | Criminal IP has formed a strategic partnership with Sumo Logic to integrate threat intelligence into Sumo Logic's products. The integration involves Sumo Logic's Cloud SIEM, Cloud SOAR, and Threat Intelligence platforms, enriching them with detailed data on IP addresses and domains from Criminal IP. This collaboration allows Sumo Logic users to access real-time threat intelligence and perform deep analysis on potential security threats within their SIEM environment. Features include IP query capabilities and domain scanning directly within Sumo Logic's platforms, enhancing the contextual understanding of security events. The partnership is expected to provide Sumo Logic's users with advanced tools for better decision-making and insight into cybersecurity risks. Future collaborative efforts include joint marketing initiatives like co-webinars and collaborative reports to further enhance user understanding and application of the integrated tools. The partnership builds on AI SPERA's track record of collaborations with other major tech and cybersecurity entities. | Details |
| 2024-04-22 13:05:53 | theregister | NATION STATE ACTIVITY | US House Passes Bill Demanding TikTok Sale or Ban | The US House of Representatives approved a bill that mandates that TikTok sell its US operations or face a national ban within a year. This decision aims to counter security concerns over TikTok's Chinese ownership and potential influence on US public opinion. The legislation, which passed the House with a vote of 360 to 58, will now move to the Senate and could be voted on as early as this week. Bipartisan support reflects widespread unease about TikTok's potential to access information on US users and spread Chinese propaganda. ByteDance, TikTok's parent company, plans to legally challenge the decision, escalating the ongoing US-China technology conflict. Concerns have been raised about the bill's impact on free speech and its potential to extensively affect small businesses that utilize the platform. Additional complications could arise from Chinese export control laws, which might prevent the sale of TikTok's US operations. This legislative move is part of broader tension between the US and China regarding internet governance and digital sovereignty. | Details |
| 2024-04-22 12:35:01 | bleepingcomputer | NATION STATE ACTIVITY | Sandworm Cyberattacks Target Ukraine's Critical Infrastructure | Russian hacker group Sandworm, also known as BlackEnergy and APT44, targeted approximately 20 critical infrastructure facilities across Ukraine. The cyberattacks aimed to disrupt operations within the energy, water, and heating sectors in 10 different regions. The hackers infiltrated networks by compromising software supply chains and exploiting maintenance access. New malware tools, BIASBOAT and LOADGRIP, were utilized to access and navigate through the targeted networks. Poor cybersecurity practices at the targeted facilities, such as lack of network segmentation, facilitated the breaches. From March 7 to March 15, 2024, Ukrainian CERT-UA conducted counter-cyberattack operations to mitigate the damage. The attackers used additional open-source malicious tools for persistence and privilege elevation. CERT-UA links these attacks to broader strategic objectives, correlating them with physical missile strikes to amplify their impact. | Details |
| 2024-04-22 11:33:39 | thehackernews | DATA BREACH | Pentera's 2024 Report Unveils Persistent Enterprise Security Breaches | Over half of the surveyed enterprises experienced a cybersecurity breach in the past two years, despite deploying an average of 53 security solutions. High-profile breaches have driven broader executive engagement, with over 50% of CISOs now regularly reporting pentest results to boards. A considerable gap exists between the frequent changes in IT environments and the cadence of security testing, highlighting a vulnerability in current security strategies. Enterprises average a significant investment of $164,400 annually on manual pentesting, yet only 40% conduct these tests at a frequency matching their quarterly IT changes. The rise in cloud intrusions, with a reported 75% increase year over year, signals the cloud as a major point of vulnerability as more organizations migrate to cloud services. Breaches typically result in substantial operational disruptions like unplanned downtime and financial losses, indicating the extensive impact of these incidents. The survey emphasizes the critical need for continuous pentesting to enhance IT infrastructure resilience and keep pace with evolving cybersecurity threats. | Details |