Daily Brief

2024-06-12 13:46:22 thehackernews CYBERCRIME Cryptojacking Operation Exploits Kubernetes to Mine Cryptocurrency
Cybersecurity firm Wiz reports a cryptojacking campaign exploiting misconfigured Kubernetes clusters to mine Dero cryptocurrency. "Cryptojacking" refers to the unauthorized use of someone else's computing resources to mine cryptocurrency. The attackers host their malicious container images on Docker Hub, with some images accumulating over 10,000 pulls. The campaign gains its initial foothold by targeting Kubernetes API servers configured to allow anonymous access. This new variant deploys DaemonSets under misleading names such as "k8s-device-plugin" and "pytorch-container" to spread the miner across every node in the cluster. The DERO miner involved is a UPX-packed, open-source Go binary with the wallet addresses and mining pool URLs built in, so it can operate without external configuration. Analysts also found additional malicious tooling, including a Windows DERO miner and scripts intended to kill competing mining processes. The actor's tactics include innocuously named domains that camouflage malicious traffic and let it blend in with legitimate web activity.
2024-06-12 13:46:22 bleepingcomputer CYBERCRIME Specialist in Ransomware Crypting Arrested in Ukrainian Operation
Police in Ukraine have arrested a 28-year-old Russian expert linked to the Conti and LockBit ransomware groups. The individual specialized in developing crypters to make malware payloads undetectable by antivirus software. His arrest was part of Operation Endgame, which targeted botnets used by ransomware operators for network breaches. Information from the Dutch police, following an attack on a multinational company, was crucial in tracking down the suspect. At least one direct involvement in a ransomware attack using a Conti payload was confirmed by the authorities. Searches in Kyiv and Kharkiv led to the seizure of computer equipment, mobile phones, and handwritten notes. The man faces charges for unauthorized interference in electronic systems and could be sentenced to up to 15 years in prison. The ongoing investigation aims to detail his exact contributions to the cyber attacks orchestrated by these ransomware groups.
2024-06-12 11:32:31 thehackernews DATA BREACH Massive Data Theft Hits Ticketmaster and Santander via Snowflake
Last week, ShinyHunters targeted Ticketmaster, compromising 1.3 terabytes of data from 560 million users and sparking global concern. Live Nation confirmed the breach in an SEC filing, identifying unauthorized activity in a third-party cloud database hosted by Snowflake, but anticipates no significant impact on operations. Santander also experienced a data breach affecting customers and employees, likewise linked to a third-party provider's database hosted by Snowflake. Snowflake issued security alerts advising users to inspect logs and strengthen access controls, since the attackers leveraged accounts protected only by single-factor authentication. Recommendations included enforcing multi-factor authentication, setting network policies, and resetting and rotating credentials. Mitiga's research suggested the incidents were part of a broader campaign using stolen credentials and primarily targeting environments lacking multi-factor authentication. The breaches underscore the need for robust practices including mandatory multi-factor authentication, single sign-on enforcement, and proactive password management policies. The situation highlights the exposure of cloud environments and the importance of comprehensive security measures to protect sensitive data.
2024-06-12 11:16:47 thehackernews MALWARE Black Basta Ransomware Linked to Windows Zero-Day Exploit
Black Basta ransomware actors potentially exploited a Microsoft Windows privilege escalation flaw (CVE-2024-26169) before it was patched in March 2024. Symantec's analysis suggests the exploit tool may have been in use as a zero-day, possibly compiled prior to Microsoft's fix. Threat actors tracked as Cardinal, Storm-1811, and UNC4393 have been misusing legitimate Microsoft tools, namely Teams and Quick Assist, for initial access, followed by the deployment of credential theft tools and batch scripts for further exploitation and persistent access. The exploit manipulates the security descriptor of werkernel.sys to gain administrative privileges via registry key changes. Although an attempt to deploy ransomware using this exploit was unsuccessful, the presence of the tool in the wild indicates active exploitation. The ransomware threat landscape has intensified, with a significant rise in ransom payments to attackers and the emergence of new ransomware families like DORRA.
2024-06-12 10:00:16 bleepingcomputer CYBERCRIME Black Basta Ransomware Exploits Windows Zero-Day for Elevated Attacks
The Black Basta ransomware group is suspected of using a Windows zero-day vulnerability (CVE-2024-26169) for privilege escalation in ransomware attacks. The vulnerability, located in the Windows Error Reporting Service, was patched by Microsoft in the March 12, 2024 Patch Tuesday update. Symantec's investigation links the exploit tool to Black Basta after observing it deployed following an initial DarkGate loader infection. The attack technique altered registry keys through a weakness in how werkernel.sys handles files, enabling execution with SYSTEM privileges. Evidence suggests Black Basta had an operational exploit tool weeks to months before Microsoft issued a patch. Security analysts highlight the importance of timely system updates and adherence to CISA's security guidelines to mitigate such vulnerabilities. Black Basta has been previously connected to the defunct Conti group and has reportedly amassed over $100 million through ransom operations since April 2022.
2024-06-12 08:53:39 thehackernews MALWARE New WARMCOOKIE Backdoor Targets Job Seekers via Phishing
Cybersecurity researchers have uncovered a phishing campaign using job-related themes to deploy a backdoor named WARMCOOKIE. The campaign has been active since late April, using emails from supposed recruitment firms to lure victims into downloading malicious JavaScript files. WARMCOOKIE can fingerprint devices, capture screenshots, and execute additional malicious payloads. The backdoor establishes persistence on the infected machine via scheduled tasks and employs anti-analysis techniques to evade detection. Its command-and-control servers are hard-coded into the malware, a sign of a premeditated and structured operation. Researchers observe similarities in the malware's functionality to a previous campaign targeting industries such as manufacturing and healthcare. The campaign's effectiveness is partially due to its use of compromised infrastructure for hosting phishing pages and malware delivery sites. The findings coincide with reports from other cybersecurity firms noting an uptick in sophisticated phishing tactics that abuse trusted user interfaces and prompts.
2024-06-12 08:07:33 thehackernews NATION STATE ACTIVITY China-Linked Hackers Exploit Fortinet Flaw, Infecting Global Systems
Chinese state-backed hackers exploited a critical flaw in Fortinet FortiGate systems, affecting 20,000 global systems. The attackers were aware of the vulnerability two months before Fortinet disclosed it, utilizing this knowledge to infect 14,000 devices during the zero-day period. The cyber campaign targeted Western governments, international organizations, and defense industry companies. This operation included CVE-2022-42475, allowing remote code execution and resulting in a data breach of the Dutch armed forces' network. Attackers deployed COATHANGER malware to maintain persistent access and control over the compromised devices, which could serve as a launch point for further infections. It remains unclear how many of the 20,000 affected devices received the COATHANGER implant, indicating potential underestimation of the scope. This incident highlights the significant risks associated with edge devices, which are susceptible due to their direct internet connections and lack of robust security measures like EDR solutions.
2024-06-12 04:33:03 thehackernews MALWARE Microsoft Releases Patches for 51 Security Vulnerabilities in June 2024
Microsoft issued security updates to fix 51 vulnerabilities, including a critical remote code execution (RCE) flaw in Microsoft Message Queuing (MSMQ). One vulnerability was categorized as Critical, while the other 50 were rated Important. A publicly known denial-of-service (DoS) vulnerability, tracked as CVE-2023-50868, potentially causes CPU exhaustion in DNSSEC-validating resolvers. The critical MSMQ vulnerability (CVE-2024-30080) allows attackers to execute remote code by sending malicious MSMQ packets. Additional significant updates include patches for RCE bugs in Microsoft Outlook and the Windows Wi-Fi Driver. Windows operating system components, such as the Win32 Kernel Subsystem and Cloud Files Mini Filter Driver, also received patches for numerous privilege escalation vulnerabilities. Other vendors, in addition to Microsoft, also released security updates to counter various vulnerabilities affecting different systems. None of the vulnerabilities patched by Microsoft were reported as actively exploited in the wild at the time of release.
2024-06-12 00:33:57 theregister DDOS Microsoft and Adobe Tackle Significant Security Vulnerabilities
Microsoft’s June Patch Tuesday addressed 49 CVE-tagged flaws, including a critical remote code execution (RCE) vulnerability in Microsoft Message Queuing (MSMQ), rated 9.8 out of 10 for severity. CVE-2024-30078 involves a Wi-Fi driver vulnerability impacting all supported versions of Windows, allowing remote code execution via adjacent Wi-Fi networks. Adobe's patch update remedied 166 CVE vulnerabilities, including a critical uncontrolled search path issue in Creative Cloud Desktop and significant flaws in Adobe Commerce. Active exploits against a critical PHP RCE vulnerability are facilitating the distribution of TellYouThePass ransomware, stressing the urgency of updates. Arm confirmed the exploitation of a flaw in its GPU kernel drivers, CVE-2024-4610, by malicious actors, affecting a range of versions. Apple and Google released patches for security issues in their respective systems, with Apple fixing 21 vulnerabilities in its VisionOS and Google addressing 37 issues in Android. SolarWinds and Fortinet also issued updates this month; SolarWinds patched a directory traversal flaw rated at 8.6 CVSS, and Fortinet resolved buffer overflow vulnerabilities in FortiOS. The reported exploit of a Webex Meetings flaw used to spy on government and military meetings has prompted Cisco to release urgent security updates.
2024-06-11 19:03:35 bleepingcomputer CYBERCRIME JetBrains Issues Patch for IntelliJ IDE GitHub Token Exposure
JetBrains has disclosed a significant vulnerability in IntelliJ-based IDEs affecting the security of GitHub access tokens. The flaw, tracked as CVE-2024-37051, affects IntelliJ-based IDEs from version 2023.1 onward that have the JetBrains GitHub plugin enabled. The issue arises when the IDE processes malicious content included in a GitHub pull request, which can expose the user's access token. JetBrains has responded by releasing updated IDE versions and has removed affected versions of the plugin from its marketplace. Users are urged to update their software and revoke any GitHub tokens used via the flawed plugin to prevent unauthorized access to their GitHub accounts. Because of the compatibility and security changes, the JetBrains GitHub plugin may not function correctly on older IDE versions. JetBrains continues to strengthen its security posture, having also addressed a critical authentication flaw in its TeamCity On-Premises servers earlier in the year.
2024-06-11 18:07:10 theregister DATA BREACH Pure Storage Data Breach Linked to Snowflake Credentials Theft
Pure Storage confirmed a breach involving a Snowflake data analytics workspace; no customer data was compromised. Mandiant identified a pattern in Snowflake-related breaches: many of the affected accounts lacked multi-factor authentication (MFA), which made them easier to compromise. Mandiant's report notes 165 organizations possibly affected by breaches associated with UNC5537, the actor that collected Snowflake credentials. The breached workspace contained telemetry information, including company names and email addresses, but no passwords or customer data. Pure Storage states that its broader infrastructure is secure and continues to monitor for potential threats. None of the telemetry information from the breach can be used to access customer systems, reinforcing the limited nature of the incident. Pure Storage remains committed to transparency and will continue to update its customers on security developments and responses. The general rise in Snowflake-related security incidents has put the focus on better credential security and the use of MFA.
2024-06-11 17:36:12 bleepingcomputer MALWARE Microsoft Patch Tuesday June 2024: Key Vulnerabilities Addressed
Microsoft released security updates for 51 flaws on June 2024 Patch Tuesday, including 18 Remote Code Execution (RCE) vulnerabilities. The patch includes fixes for a critical RCE flaw in Microsoft Message Queuing (MSMQ) and a publicly disclosed zero-day vulnerability known as 'Keytrap' in the DNS protocol. The zero-day had been disclosed previously without an available fix, potentially impacting DNS integrity and performance. Other notable fixes include multiple Microsoft Office-related RCEs, specifically vulnerabilities in Microsoft Outlook that could be exploited from the preview pane. The update also resolved seven Windows Kernel privilege elevation flaws, which could allow a local attacker to obtain SYSTEM privileges. Alongside the Microsoft updates, other vendors have also released patches and advisories; SAP, however, now restricts access to its updates behind a customer login. This Patch Tuesday did not address any actively exploited vulnerabilities but focused on previously known issues and enhancing overall system security.
2024-06-11 16:55:14 bleepingcomputer CYBERCRIME Cleveland Shuts Down IT Systems Amidst Cyberattack Investigation
The City of Cleveland has temporarily disabled its citizen-facing services following a cyberattack, impacting public offices and facilities such as Erieview and City Hall. Essential operations continue, with emergency services (911, police, fire), utilities, healthcare, and airport travel not affected by the incident. An ongoing investigation with third-party experts is in place; however, specific details regarding the nature of the abnormal IT activity remain undisclosed to avoid compromising the investigation. Publicly disclosed information states that taxpayer and customer information has not been accessed during the cyberattack. Public services in non-essential departments have been curtailed, so residents in need of critical documents or services are asked to be patient. City authorities are actively updating the public via platforms like X and have established a helpline (311) to field inquiries related to the incident. No ransomware group has officially claimed responsibility for the attack as investigations continue.
2024-06-11 16:34:36 theregister DATA BREACH Cylance Confirms Exposure of Marketing Data; Customer Systems Secure
Cylance, owned by BlackBerry, reveals a data dump allegedly containing customer and employee information is on sale but asserts it poses no risk to customers. The compromised data, reportedly from a third-party platform used between 2015 and 2018, includes names, emails, and marketing information. BlackBerry asserts ongoing security of Cylance systems and products, with no current evidence suggesting compromise of sensitive customer or operational data. Incident response is active, with BlackBerry's security operations team closely monitoring the situation as part of the commitment to safeguarding customer data. A cybercriminal under the alias "Sp1d3r" claims to sell the data for $750,000, though Cylance denies being a customer of the mentioned breached service, Snowflake. Mandiant's latest report investigates Snowflake breaches, identifying 165 potentially affected organizations without implicating Cylance. Assertions by cybercriminals regarding the scale of data breaches, such as the high-profile claim against Christie's, are frequently disputed or inaccurate.
2024-06-11 16:24:10 bleepingcomputer NATION STATE ACTIVITY Extensive Chinese Espionage Campaign Compromises 20,000 FortiGate Systems
The Dutch Military Intelligence and Security Service (MIVD) reported a significant escalation in a Chinese cyber-espionage operation, affecting over 20,000 FortiGate systems worldwide. Chinese hackers exploited the FortiOS/FortiProxy vulnerability (CVE-2022-42475) between 2022 and 2023, targeting governments, international bodies, and defense industry firms. The operation deployed the Coathanger RAT, enabling persistent access to infected devices even after system updates and firmware upgrades. The malware was detected on a Dutch Ministry of Defence network, but the attackers were contained thanks to network segmentation. The Chinese state-sponsored group leveraged this access for political espionage, focusing on the Netherlands and its allies. Despite security patches, the stealthy nature of the Coathanger malware means many systems likely remain compromised. The Dutch intelligence service highlighted similarities with another Chinese campaign targeting SonicWall appliances, underscoring a broader strategy of using firmware-resilient malware in espionage.