Daily Brief


Total articles found: 12729

2024-06-06 09:57:30 thehackernews CYBERCRIME Effective Password Security Strategies to Prevent Account Takeovers
Account takeover (ATO) attacks start with compromised credentials and pose severe risks to an organization's operational integrity. Once inside a system, attackers use legitimate user credentials to blend in, making unauthorized access hard to detect and increasing the potential damage. Such attacks can give hackers access to sensitive information such as financial data, intellectual property, or personally identifiable information. A specific example is cited in which a U.S. state government breach occurred because of an ex-employee's leaked credentials, leading to further compromise of the network. Weak password practices, such as using simple passwords or reusing passwords across multiple sites, substantially increase the risk of ATOs. The article emphasizes the importance of stronger password policies and the implementation of multi-factor authentication (MFA). Specops Password Policy is promoted as a tool to detect compromised passwords within an organization's Active Space and force their reset.
2024-06-06 07:29:35 theregister DATA BREACH Microsoft's Recall Feature Raises Privacy and Security Concerns
Microsoft's new tool, Recall, has been criticized for potential privacy risks because it continuously logs user activity and captures screenshots. Jaime Teevan, Microsoft Research's chief scientist, dismissed privacy concerns about Recall at a conference, emphasizing the significance and utility of data in AI. Erik Brynjolfsson, director of the Stanford Digital Economy Lab, asked about the security implications of storing such data locally rather than in the cloud. Teevan responded that Recall data is stored locally and not uploaded to the cloud, highlighting Microsoft's focus on data protection. Security researcher Alex Hagenah released a tool, Total Recall, that can read Recall's unencrypted SQLite database, aggravating the privacy concerns. Critics argue that Recall could make Windows PCs targets for legal discovery and raise GDPR compliance issues because of the retained user data. The feature could expose sensitive conversations and activities, posing a threat to sectors such as healthcare that require confidentiality. The backlash continues as security experts and analysts advise against the rollout of the controversial feature, scheduled for later this month.
2024-06-06 07:19:12 thehackernews MISCELLANEOUS Google Announces Local Storage for Maps Timeline Data
Google plans to store Maps Timeline data locally on devices starting December 1, 2024, to improve user privacy. The change coincides with a new default for Location History auto-delete of three months, reduced from 18 months. Maps Timeline, which records routes and locations visited, will no longer be accessible via the web but only on the user's device. Users are encouraged to enable device backups so that an encrypted copy of the Timeline data is saved on Google's servers. These updates respond to prior criticism and legal action alleging that Google misled users about tracking while Location History was disabled. The modified privacy practices follow a $62 million settlement with several U.S. states over misleading consumer practices related to location tracking. A Texas lawsuit over similar user privacy and data handling issues is still ongoing.
2024-06-06 05:52:22 thehackernews MALWARE Malicious "Crytic-Compilers" Package Targets Python Developers
Cybersecurity researchers uncovered a malicious package named "crytic-compilers" on the Python Package Index (PyPI), designed to mimic the legitimate "crytic-compile" library. The counterfeit package, downloaded 441 times before removal, tried to deceive users by aligning its version numbers with those of the legitimate library, suggesting it was a newer release. In some versions the rogue package installed the actual library to appear genuine, while other versions delivered malware. The latest version targeted Windows systems, running an information-stealing malware known as Lumma (LummaC2) when executed. Lumma Stealer has also been distributed through other channels, such as trojanized software and fake browser updates, under a malware-as-a-service (MaaS) model. The incident highlights a growing trend in which seasoned threat actors exploit open-source registries to disseminate potent data theft tools targeting developers.
2024-06-05 23:19:21 bleepingcomputer MALWARE New Linux Variant of TargetCompany Ransomware Targets VMware ESXi
Researchers have identified a new Linux variant of the TargetCompany ransomware, also known as Mallox, FARGO, and Tohnichi, targeting VMware ESXi environments. The variant uses a custom shell script to gain administrative privileges, deliver and execute the ransomware payload, and potentially exfiltrate data. The malware specifically checks for VMware ESXi systems, encrypts files related to VM operations with a ".locked" extension, and drops a ransom note with payment instructions. The new variant marks an evolution from previous attacks, which predominantly focused on Windows systems and database environments in Asia. Cybersecurity firm Trend Micro traced the attacks to an affiliate named "vampire" and linked payload delivery to an ISP in China, though the exact origin remains unconfirmed. After execution, the script deletes the ransomware payload to eliminate forensic evidence, complicating post-incident analysis. Trend Micro's recommendations include enabling multifactor authentication (MFA), regular backups, and system updates, alongside a list of indicators of compromise for detection and prevention.
2024-06-05 22:53:42 bleepingcomputer RANSOMWARE FBI Recovers LockBit Decryption Keys, Urges Victim Contact
The FBI has acquired over 7,000 LockBit ransomware decryption keys following an international law enforcement operation. FBI Cyber Division Assistant Director Bryan Vorndran announced at the 2024 Boston Conference on Cyber Security that these keys can help victims recover their encrypted data free of charge. The international operation, named "Operation Cronos," dismantled LockBit's infrastructure in February 2024, during which authorities seized 34 servers. The operation uncovered approximately 2,500 decryption keys, which aided the creation of the free LockBit 3.0 Black ransomware decryptor. Despite significant disruption, LockBit remains active, continuing to target organizations globally and leaking sensitive data on dark web platforms. The group has accumulated roughly $1 billion in ransoms from about 7,000 attacks between June 2022 and February 2024. Recent activity includes a cyberattack on Canadian pharmacy chain London Drugs in April 2024, following another law enforcement sting operation. The U.S. State Department is offering a reward of up to $10 million for information leading to the arrest or conviction of LockBit's leadership.
2024-06-05 21:57:35 bleepingcomputer DATA BREACH Advance Auto Parts Data Sold Online After Snowflake Breach
Threat actors are selling 3TB of data stolen from Advance Auto Parts through a breach of its Snowflake account. The data includes sensitive records of 358,000 employees, though the company's current headcount is approximately 68,000, suggesting that former employee data is included. BleepingComputer confirmed the legitimacy of a substantial number of the customer records involved in the breach. Advance Auto Parts has not yet publicly acknowledged the breach nor reported it to the U.S. Securities and Exchange Commission. The stolen data is being offered for $1.5 million on a cybercrime forum. The breach is part of a broader wave of attacks on Snowflake customers. Snowflake and security firms including Mandiant and CrowdStrike are investigating; their findings so far point to the use of compromised customer credentials rather than any inherent vulnerability in Snowflake's product. Other major companies, including Santander and Ticketmaster, have also suffered breaches linked to compromised Snowflake accounts.
2024-06-05 21:47:07 theregister CYBERCRIME Zero-Day Exploit in TikTok Compromises High-Profile Accounts
TikTok confirmed a cyberattack in which CNN and other notable accounts were hijacked via a zero-day vulnerability in the app. The attack involved zero-click malware transmitted through TikTok's private chat function, requiring no user interaction beyond opening a direct message. TikTok's security team has resolved the issue, strengthened its security measures, and is working with affected users to restore and secure their accounts. Although initial reports included other high-profile compromises, such as Paris Hilton's and Sony's accounts, these were either denied or remain unverified. Past security incidents at TikTok include a significant vulnerability found by Microsoft in August 2022 and another spotted by Imperva's red team one year ago. These recurring security concerns add to existing apprehensions about TikTok's data practices and the influence of its parent company, ByteDance, based in China. American lawmakers continue to scrutinize ByteDance over potential espionage and misinformation stemming from its Chinese ownership, amid ongoing legal challenges to TikTok's operation in the U.S.
2024-06-05 20:45:33 bleepingcomputer DATA BREACH Hotel Self-Check-in Terminals Expose Guest Personal Information
A security flaw in Ariane Systems self-check-in terminals, used by 3,000 hotels globally, allows kiosk mode to be bypassed to access personal guest information. Security researcher Martin Schobert discovered the vulnerability, which can give unauthorized access to the Windows desktop underlying the kiosk system. The exposed information includes guest reservation details, personally identifiable information (PII), and invoices, and the flaw also allows RFID room keys to be provisioned. Despite the issue being reported to Ariane Systems in March, communication about the resolution and the specific firmware update that fixes it remains unclear. The vulnerability also poses a risk of broader network attacks within affected hotels, escalating the impact of a breach. Hotels are advised to isolate self-check-in terminals from core hotel IT systems and to verify the security status of their installed terminals with the vendor. The issue highlights ongoing security challenges in hospitality technology, affecting both privacy and operational security at small and medium-sized hotels.
2024-06-05 20:19:56 bleepingcomputer DATA BREACH Club Penguin Fans Breach Disney Server, Steal Sensitive Data
Club Penguin enthusiasts hacked into a Disney Confluence server, initially aiming to find game-specific data. The breach resulted in unauthorized access to, and the download of, 2.5 GB of sensitive corporate Disney data. The compromised data includes internal corporate strategies, advertising plans, material relating to Disney+, and details of internal developer tools. The stolen data encompasses business, software, and IT project documentation not intended for public release, including credentials and API endpoints for crucial Disney operational tools and infrastructure. The theft came to light following a 4chan post sharing outdated Club Penguin data, which subsequently revealed the broader data theft from Disney servers. The newer documents contain information dated as recently as June 2024, indicating recent unauthorized access to Disney's systems. Disney has not publicly responded to inquiries about the breach, which may indicate ongoing internal investigation or containment efforts.
2024-06-05 20:14:33 theregister CYBERCRIME RansomHub: Emergence of a Knight Ransomware Offshoot
RansomHub, a recently emerged cybercriminal group involved in data theft from entities such as Christie's, is likely a rebranded version of the Knight ransomware gang. Symantec ranks RansomHub as the fourth most active ransomware group; it carries out sophisticated attacks and auctions victims' data as one of its tactics. The group exploits critical vulnerabilities such as ZeroLogon to gain unauthorized access to corporate networks, then deploys legitimate remote tools for lateral movement and intelligence gathering. Once in the network, RansomHub deploys ransomware that encrypts and exfiltrates data, threatening to leak or sell the data if ransoms are not paid. Symantec's analysis reveals substantial code similarities between RansomHub and Knight, suggesting reuse of previously developed ransomware code, likely purchased and modified for the new operation. Connections to former ALPHV affiliate "Notchy" and the use of tools linked to another ALPHV affiliate, "Scattered Spider," suggest a complex web of affiliations contributing to RansomHub's operations and success following the ALPHV disruption. The report also underscores law enforcement's adaptability in disrupting cybercriminal activity and sowing discord among the different groups.
2024-06-05 20:09:11 bleepingcomputer NATION STATE ACTIVITY Coordinated Chinese Cyberespionage Targets Southeast Asian Government
Chinese state-sponsored hackers have been conducting an extensive cyberespionage campaign against a Southeast Asian government since at least March 2023, according to Sophos' Crimson Palace report. The campaign comprises three distinct clusters (Alpha, Bravo, Charlie) with specialized roles such as malware deployment, lateral movement, and reconnaissance, all believed to be directed by a central Chinese authority. Cluster Alpha focused on mapping network subnets and admin accounts, deploying malware such as EAGERBEE, and using techniques like DLL side-loading to evade detection. Cluster Bravo was operational for three weeks, focusing on credential dumping and obscuring its malware deployment through renamed binaries and in-memory manipulation to avoid security detection. Cluster Charlie conducted mass credential harvesting and endpoint mapping, maintaining persistence in the network through malware such as PocoProxy and techniques like injecting a Cobalt Strike Beacon. The timing of the attacks, including activity spikes on holidays, suggests deliberate planning to exploit periods of reduced security vigilance. Sophos has blocked some of the threat actors' command and control communications, but continued monitoring shows ongoing attempts to penetrate the network.
2024-06-05 18:01:49 bleepingcomputer CYBERCRIME Ransomware Attack on London Hospitals Linked to Qilin Gang
A ransomware attack by Qilin on Synnovis has disrupted multiple NHS hospitals in London. Synnovis, a provider of pathology services, was locked out of its systems, causing significant service disruption at major medical facilities. The incident affected Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and primary care providers in southeast London. Emergency services remain operational, but some non-emergency procedures and pathology services have been postponed or redirected. NHS England's cyber incident response team is assessing the scope of the attack and its potential data implications. Ransom demands observed in similar attacks range from $25,000 to several million dollars. Qilin has listed over 130 companies on its dark web leak site since its inception in 2022. The gang uses a double-extortion tactic, stealing sensitive data before deploying its ransomware encryptors, and primarily targets VMware ESXi virtual machines.
2024-06-05 17:36:07 theregister MALWARE Critical Security Patches Released for Obsolete Zyxel NAS Devices
Zyxel has issued emergency security patches for two end-of-life NAS models, NAS326 and NAS542, to address critical vulnerabilities. Timothy Hjort, a vulnerability research intern, identified five critical flaws, among them remote code execution. The vulnerabilities were reported in March and carry CVSSv3 scores of 9.8, indicating high severity. One notable vulnerability, CVE-2024-29972, involves a backdoor account named "NsaRescueAngel" that was supposed to have been removed but is still active. Exploit details in Hjort's report increase the urgency for affected users to apply the patches. Additional vulnerabilities include a Python code injection flaw and a persistent remote code execution bug. Zyxel has released updates for both affected NAS models and urges customers with extended support to update immediately.
2024-06-05 17:25:43 bleepingcomputer MISCELLANEOUS Kali Linux 2024.2 Update Introduces 18 New Tools, Addresses Y2038
Kali Linux 2024.2 has been released as the first update of the year, featuring new tools and significant bug fixes. The release adds 18 new tools for cybersecurity professionals and ethical hackers. Changes have been made to address the Y2038 issue, moving critical components to a 64-bit time_t to avoid overflow errors after January 2038. Linux kernel 6.8 was not included in this update but is scheduled for the next release, version 2024.3. Visual updates in Kali Linux 2024.2 include new wallpapers, a refreshed boot menu, and an improved login screen. The release supports new versions of desktop environments such as GNOME 46 and Xfce, with updated themes and stability improvements. Users can upgrade an existing Kali installation or download new ISO images for full installs or live use. WSL users are advised to upgrade to WSL2.