Daily Brief
Find articles below; see 'Details' for generated summaries.
Total articles found: 11815
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-18 10:32:00 | thehackernews | CYBERCRIME | Global Sting Operation Arrests 37 in Major Phishing Scheme | An international law enforcement effort led to the arrest of 37 individuals connected to the phishing service LabHost. LabHost, a Phishing-as-a-Service (PhaaS) platform, provided over 170 fake websites, allowing global cybercriminals to harvest personal information. The service was particularly notorious in Canada, the U.S., and the U.K., targeting banking and several other sectors. LabHost users were implicated in generating phishing links sent through email and SMS, designed to mimic reputable organizations to steal credentials and 2FA codes. Agencies from 19 countries collaborated in the operation, leading to the seizure of LabHost’s infrastructure and domain. The immediate disruption of LabHost prevented potential fraud, as the platform hosted nearly 40,000 domains involved in criminal activities. Over 94,000 victims in Australia and approximately 70,000 in the U.K. were identified as having entered their details into these phishing sites. | Details |
| 2024-04-18 10:21:34 | theregister | CYBERCRIME | Major Phishing Platform LabHost Shut Down by International Police Operation | An international police operation led by the UK's Metropolitan Police Service (MPS) has successfully dismantled LabHost, a notorious phishing platform. LabHost provided cybercriminals with sophisticated phishing kits mimicking over 170 well-known global brands, contributing to widespread identity theft and fraud. The crackdown involved coordination from law enforcement in 17 countries, resulting in the seizure of LabHost’s domains and the arrest of 35 individuals. Phishing kits sold via LabHost enabled quick deployment of fake brand websites for harvesting victims’ data, with tools like "LabRat" enhancing the illicit data collection process. The operation stemmed from a prior initiative named “Elaborate,” which targeted similar cybercriminal activities and infrastructure. Police utilized innovative outreach methods, including crafting messages in the style of Spotify Wrapped, to inform LabHost users of the platform’s compromise. Authorities are intent on deterring cybercriminals by demonstrating the increasing risk and consequences of engaging in such illegal activities. Additional measures are being taken to support the victims, including direct communications and resources available through the MPS’s victim support package. | Details |
| 2024-04-18 09:55:42 | bleepingcomputer | CYBERCRIME | Global Crackdown Disrupts Major Phishing-as-a-Service Platform | LabHost, a phishing-as-a-service (PhaaS) platform, was dismantled following a year-long international law enforcement operation, resulting in 37 arrests. The platform, operational since 2021, offered cybercriminals phishing kits targeting banks in North America, along with infrastructure support for launching phishing attacks. LabHost attracted around 10,000 users globally, providing services that included hosting phishing pages and automating email phishing attacks. Europol's investigation revealed over 40,000 phishing domains connected to LabHost with a total estimated revenue of $1,173,000 from user subscriptions. The platform featured a tool named LabRat, which allowed cybercriminals to bypass two-factor authentication and capture sensitive information such as 2FA tokens. Police carried out raids at 70 locations between April 14 and 17, 2024, seizing 207 servers hosting phishing websites and sending warnings to 800 users about impending investigations. LabHost's operators were implicated in the theft of approximately 480,000 credit cards, 64,000 PINs, and one million passwords. Despite a significant outage in October, which sparked rumors of an exit scam, LabHost resumed full operations by December 6, 2023, before its final takedown. | Details |
| 2024-04-18 07:02:53 | theregister | MISCELLANEOUS | Cisco Launches Hypershield for Network Security Enhancement | Cisco has introduced Hypershield, a new network security method incorporating the use of "enforcement points" to combat threats dynamically. Enforcement points act as mini firewalls within servers or networking hardware to monitor software behavior and block malicious traffic. These points use artificial intelligence to stay updated with the latest attack vectors and to administer automatic updates without manual intervention. Cisco’s Hypershield architecture is expected to incentivize new hardware purchases by integrating security at every refresh cycle of networking gear. The solution will be licensed per workload, utilizing Cisco's custom metric, with management controlled via a cloud-based application. Hypershield functionality is expected to roll out starting in August with the eBPF version, followed by other implementations over time. The innovative use of DPUs and enhanced network switches underlines Cisco's strategy to synergize network performance and security, emphasizing its commitment to a software-centric but hardware-integrated security approach. | Details |
| 2024-04-18 05:56:48 | thehackernews | CYBERCRIME | Hackers Use OpenMetadata Flaws for Crypto Mining on Kubernetes | Hackers are exploiting critical vulnerabilities in the OpenMetadata platform to access Kubernetes workloads for cryptocurrency mining. Microsoft Threat Intelligence discovered that these vulnerabilities have been actively weaponized since April 2024. These security flaws allow the attackers to bypass authentication and achieve remote code execution on systems. After gaining initial access, hackers perform extensive reconnaissance to gather intelligence about the system’s configuration and user activity. The attackers verify network connectivity to their control infrastructure using domains associated with Interactsh, aiding in stealthy operations. The end game for the attackers involves deploying crypto-mining malware from a server in China and establishing persistence through scheduled tasks. To cover their tracks, the perpetrators clear initial payloads and establish a reverse shell for ongoing control. OpenMetadata users are urgently advised to use strong authentication, avoid default settings, and update their systems to prevent similar attacks. | Details |
| 2024-04-18 05:36:13 | theregister | MISCELLANEOUS | Singapore Cyber Chief Discusses Risks of Tech Bifurcation | David Koh, head of Singapore's Cyber Security Administration, highlighted the potential challenges of a tech split between China and Western countries, impacting interoperability and trade. Speaking at Black Hat Asia, Koh emphasized Singapore's historical success as a trade hub, benefiting from an open economy and extensive global connections. The geopolitical standoffs, notably between the US and China, risk creating incompatible technology stacks, reminiscent of past technological incompatibilities experienced globally. Koh noted that while certain sectors, like national security, might not require interoperability, the general momentum towards separate tech ecosystems could hinder Singapore's role and influence in global trade. Singapore’s agility in cyber security governance is an asset, allowing swift decision-making in a small but innovative digital landscape. However, Koh admitted that Singapore's relatively small market size limits its influence on global standards, particularly around security features in technology products. The CSA chief advocated for continuous dialogue with the tech industry to ensure that the needs and security expectations of markets like Singapore are understood and considered. | Details |
| 2024-04-18 05:00:23 | thehackernews | MALWARE | Malvertising Campaign Propagates Sophisticated Backdoor via Fake IP Tool | A new malicious Google Ads campaign is spreading a sophisticated backdoor named MadMxShell using domains that mimic legitimate IP scanner software. The campaign uses typosquatting to create look-alike websites and places these sites atop Google search results through targeted keyword advertising. Up to 45 fake domains were registered between November 2023 and March 2024, presenting themselves as legitimate tools like Advanced IP Scanner and Angry IP Scanner. Users downloading from these fraudulent sites receive a ZIP file containing a malicious DLL and an executable file designed for infecting systems via DLL side-loading and process hollowing techniques. The backdoor enables system information collection, command execution, and file manipulation, and uses DNS MX queries for covert command and control operations. Advanced evasion techniques, such as anti-dumping and DNS tunneling, are employed to avoid detection by endpoint security and network monitoring tools. The operators of the malware have been active in underground forums and use specific techniques to exploit Google Ads without immediate financial cost. | Details |
| 2024-04-18 03:33:48 | theregister | NATION STATE ACTIVITY | Taiwanese Film Studio Buys Sanctioned Chinese Camera Maker | Zhejiang Dahua Technology, a Chinese camera manufacturer, sold its US subsidiary to Taiwan's Central Motion Picture Corporation for $15 million. Dahua was placed on the US entity list in October 2019 due to its involvement in the mass surveillance of Uyghurs. The sale included all of Dahua's remaining US operations, following further restrictions from the US, including an FCC freeze on new equipment authorizations. The sale agreement, finalized on January 3, 2024, was initially communicated to distributors under different company names, raising questions about the transparency of the deal. Central Motion Picture Corporation, a major Taiwanese film studio, has expanded its business scope by acquiring the technology company. The transaction also included $1 million worth of Dahua's inventory, adding assets to the Taiwanese company's acquisition. Further clarity on the acquisition's impact and how Dahua will be integrated into CMPC is awaited from official sources. | Details |
| 2024-04-17 23:50:04 | theregister | NATION STATE ACTIVITY | US Senate Debates Expansion of Warrantless Surveillance Powers | The US Senate is set to vote on enhancing Section 702 of the Foreign Intelligence Surveillance Act (FISA), potentially broadening warrantless surveillance powers. The House of Representatives already passed the Reforming Intelligence and Securing America Act (RISAA), which renews and possibly expands Section 702. Section 702 allows US intelligence to monitor communications of foreigners outside the US but also inadvertently collects data from Americans without a warrant. A controversial amendment in RISAA could redefine "electronic communications service provider" to include virtually any entity handling data communications, compelling them to assist in surveillance. Senator Ron Wyden and organizations like the ACLU and the Electronic Frontier Foundation have expressed strong opposition, citing privacy concerns and potential abuses. Major technology firms and their lobby groups, like the Information Technology Industry Council, have warned that broadening surveillance authority could harm the competitiveness of US tech companies internationally. The proposed changes could lead to widespread mandatory government spying, converting ordinary citizens and workers into unwilling surveillance agents. The final decision on the bill, including key amendments, is imminent, with the White House urging rapid passage before existing authorities expire. | Details |
| 2024-04-17 21:43:01 | bleepingcomputer | MALWARE | SoumniBot Malware Evades Detection Using Android Bugs | SoumniBot, a new Android banking malware, utilizes unique obfuscation techniques exploiting Android manifest parsing vulnerabilities to bypass security protocols. Kaspersky researchers identified methods including manipulation of compression values and file sizes within APK manifests to deceive Android's security checks. The malware tricks the Android APK parser through invalid compression values, making the parser treat the data as uncompressed and bypass established security checks. Additional evasion tactics include misreporting manifest file sizes and using overly long strings for XML namespaces, complicating automated analysis tools. Once active, SoumniBot communicates with a hardcoded server to fetch configuration, steal sensitive data such as contact lists, account details, and banking credentials, and receives commands via an MQTT server. The malware conceals its presence by hiding its application icon post-installation, making it difficult to detect and remove. Kaspersky has alerted Google about the issues with the Android APK Analyzer's ability to handle files manipulated by these evasion techniques. The research includes details of indicators of compromise for detection, such as malware hashes and command and control server domains. | Details |
| 2024-04-17 21:02:15 | bleepingcomputer | CYBERCRIME | Cryptomining Campaign Exploits Kubernetes Using OpenMetadata | Attackers exploit critical vulnerabilities in OpenMetadata workloads within Kubernetes environments, targeting unpatched systems for cryptomining. Microsoft identified the campaign, noting that the breaches began in early April using previously patched security flaws CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254. Once access is established, attackers download cryptomining malware from a server based in China, then use tools like Netcat for remote management, establishing a persistent threat within compromised systems. Affected systems were manipulated to run cronjobs, which facilitate scheduled execution of malicious tasks, ensuring persistence of the malware. The attackers also request donations in Monero cryptocurrency, claiming they need funds to purchase a car or suite in China. Microsoft and other security experts urge users to patch affected OpenMetadata workloads and change default credentials to mitigate risks. This incident underscores the importance of regular updates and stringent security practices in managing containerized software environments. | Details |
| 2024-04-17 20:41:23 | bleepingcomputer | CYBERCRIME | FIN7 Cyber Attack Targets US Automaker with Spear-Phishing | FIN7, a financially motivated threat group, targeted a major U.S. car manufacturer's IT department with spear-phishing emails. The attack involved sending emails with links to a malicious website impersonating the Advanced IP Scanner tool to deploy the Anunak backdoor. The attack leveraged living-off-the-land binaries and scripts, focusing on employees with high-level privileges. BlackBerry researchers linked the attack to FIN7 through unique PowerShell scripts and tactics seen in previous campaigns. The malware setup included multiple stages leading to the installation of the Anunak backdoor, using components such as DLLs, WAV files, and shellcode execution. OpenSSH was also installed for potential persistent access, though lateral movement was not observed in this instance. The assault was contained before it could progress beyond the initially infected system. BlackBerry underscores the importance of strengthening phishing defenses and implementing MFA to mitigate such threats. | Details |
| 2024-04-17 20:00:31 | theregister | NATION STATE ACTIVITY | Sandworm Cyberattacks Target US, European Water Utilities | The Russian military intelligence group, Sandworm, identified as APT44, is implicated in recent cyberattacks on US and European water facilities. Google’s Mandiant linked these cyber incidents to Sandworm, with severe consequences including a water tank overflow in the US. The attacks primarily utilized remote management software vulnerabilities to disrupt operations in water and hydroelectric plants. Sandworm has expanded its cyber operations beyond Ukraine, targeting Western critical infrastructure as part of Russia’s broader military objectives. A notable incident involved compromised human machine interfaces at Polish and US water utilities, as publicly claimed by the affiliated Telegram channel, CyberArmyofRussia_Reborn. This group also claimed responsibility for interfering with the control technology at a French hydroelectric plant, impacting electricity generation. Mandiant anticipates that Sandworm's activities will continue to evolve based on Western political dynamics and Russian strategic interests. | Details |
| 2024-04-17 18:54:17 | bleepingcomputer | CYBERCRIME | Moldovan National Charged for Operating International Botnet | Moldovan citizen Alexander Lefterov was indicted by the U.S. Justice Department for operating a large-scale botnet, impacting thousands of U.S.-based computers. Under aliases like Alipako and Uptime, Lefterov faced charges including aggravated identity theft and conspiracy to commit wire fraud. The botnet controlled by Lefterov was used to steal financial and personal credentials from infected devices, which facilitated unauthorized money transfers. The infected computers had a hidden hVNC server, allowing direct and unnoticed access to victims’ online accounts while presenting a trusted connection to platforms. Lefterov’s botnet also served other criminals to deploy additional malware, including ransomware, across compromised networks. Lefterov allegedly profited by leasing access to the botnet and stolen credentials to other cybercriminals. Potential penalties for the charged crimes range from 2 to 10 years in prison, with actual sentencing influenced by the crime severity and Lefterov’s prior criminal record. The FBI emphasizes a rigorous pursuit of cybercriminals targeting Americans, ensuring ongoing investigations into malware and cyber-attacks. | Details |
| 2024-04-17 17:25:58 | bleepingcomputer | MALWARE | Cisco Addresses High-Severity Privilege Escalation Vulnerability | Cisco has patched a critical vulnerability in its Integrated Management Controller (IMC) that allowed privilege escalation to root access. The flaw, designated CVE-2024-20295, stemmed from insufficient input validation in the CLI, permitting command injection attacks. Public exploit code for the vulnerability is accessible, though there have been no reported incidents of exploitation by threat actors. Affected devices include UCS C-Series Rack and UCS S-Series Storage servers utilizing vulnerable IMC versions in their default setups. Cisco's Product Security Incident Response Team (PSIRT) highlighted the availability of the exploit code in their recent advisory. The company urges users with access rights ranging from read-only upwards on implicated devices to apply the patches immediately. Historical context includes recent Cisco advisories on zero-day vulnerabilities exploited to attack over 50,000 devices and ongoing brute-force campaigns targeting network devices. | Details |