Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-04-01 13:17:45 | theregister | NATION STATE ACTIVITY | TikTok's Potential US Ban: Implications and Calls for Privacy Law | US Congress is considering a bill that could ban TikTok unless its Chinese parent company, ByteDance, divests it. The bill, which has passed the House, stipulates that ByteDance would have 180 days to sell TikTok after enactment. Former White House CIO Theresa Payton suggests that tech companies should prepare for a worst-case scenario ban. If the bill is signed into law, US internet service providers, app stores, and social networks might face new restrictions related to TikTok. Payton warns of potential diplomatic tensions, with China possibly retaliating against American companies operating there. She advocates for a US national privacy law, arguing it could alter the context of issues surrounding foreign ownership of app data. The absence of such a federal privacy law in the US creates additional challenges in managing international data access. |
| 2024-04-01 12:36:48 | theregister | DATA BREACH | AT&T Confirms Authenticity of Massive Data Dump Affecting 70M Users | AT&T verified the authenticity of a dark web data dump impacting over 73 million current and former customers. The telco acknowledged the leaked data may include names, addresses, social security numbers, account details, and passcodes. Initial assessments suggest that the compromised data primarily dates back to 2019 or earlier, with investigations ongoing to determine the source. While there is currently no evidence of unauthorized system access, the origin of the data remains unclear, with potential ties to AT&T or its vendors. The incident resembles the data the ShinyHunters cybercrime group claimed to have in 2021 and offered for sale, though AT&T denied ownership at the time. AT&T has not confirmed whether the 2021 and 2023 data sets are identical, raising concerns about the potential exposure of additional customer records. Questions have been posed to AT&T to provide further clarity on the breach, with updates pending. |
| 2024-04-01 11:25:14 | thehackernews | MALWARE | Enhancing Detection of Windows Malware with EventSentry | Organizations continue to face significant threats from ransomware and other malware, impacting the economy and national security. Underfunded IT departments in small and mid-sized businesses struggle to combat malware because enterprise security solutions are complex and expensive. EventSentry offers more robust visibility into network activity by validating audit settings and monitoring endpoints, thereby improving malware detection capabilities. The article emphasizes the necessity of a layered defense strategy, integrating prevention, detection, and discovery to effectively combat malware. EventSentry aids in every stage of a malware attack by providing extensive inventory monitoring, managing patch levels, and validating settings for increased endpoint security. The solution's validation scripts run over 150 checks on endpoints, identifying suspicious settings that may indicate a malware infection. EventSentry's feature set encourages the consolidation of monitoring tools, leading to better integration and a higher return on investment for organizations. The article concludes that comprehensive monitoring tools such as EventSentry are crucial for safeguarding complex Windows-based network infrastructures against advanced threats. |
| 2024-04-01 10:13:53 | thehackernews | MALWARE | Malware Turns Android Devices Into Cybercrime Proxies | Android apps on Google Play were turned into residential proxies by malicious actors, unbeknownst to users. HUMAN's Satori security team has named this operation PROXYLIB; the 29 apps discovered have since been removed by Google. Residential IP addresses from infected phones were sold for nefarious activities, masking the attackers' origins. Threat actors trick users into installing seemingly legitimate VPN apps, creating a botnet for profit. Inclusion of a Golang library and the LumiApps SDK between May and October 2023 enabled infected devices to join the proxy network. The LumiApps SDK was offered to developers for app monetization, unknowingly enrolling their apps into the botnet. The threat actor behind PROXYLIB may be selling access to the proxy network; the botnet's SDK has been widely promoted on social media and forums. The issue aligns with similar botnet activity on outdated SOHO routers and IoT devices disclosed by Lumen Black Lotus Labs. |
| 2024-04-01 06:09:47 | thehackernews | MALWARE | Vultur Banking Trojan Resurfaces with Enhanced Remote Control Features | The notorious Vultur Android banking trojan has returned with new capabilities, including improved remote control functions and evasion techniques. Cybersecurity researchers at NCC Group report that Vultur now encrypts command-and-control (C2) communications and masquerades as legitimate apps to avoid detection. Originally discovered in early 2021, Vultur abuses Android's accessibility services to carry out its attacks; while primarily distributed through the Google Play Store, it now also uses SMS and phone calls. The malware leverages a dropper-as-a-service operation named Brunhilda and a technique known as telephone-oriented attack delivery (TOAD) to distribute an updated version disguised as a McAfee Security app. It employs three payloads that secure permissions, facilitate remote access via AlphaVNC and ngrok, and execute commands from the C2 server for extensive device control. Advanced features of Vultur allow it to perform clicks, scrolls, swipe gestures, and file management; it can block apps, display custom notifications, and disable lock screen security. Parallel findings highlight the conversion of the Octo (Coper) Android banking trojan into a malware-as-a-service operation with keylogging, message interception, and remote device control capabilities, affecting 45,000 devices worldwide. Additional campaigns in India have been identified distributing malicious APKs related to online services as part of a malware-as-a-service offering targeting confidential banking and personal information. |
| 2024-03-31 16:37:08 | theregister | MISCELLANEOUS | Google Finds Rust Language Boosts Developer Productivity | Google has reported significant productivity gains using Rust compared to C++ and Go, especially in rewrites of existing code. Lars Bergstrom from Google highlighted the switch to Rust for better memory safety, which aligns with recent government concerns about software in critical infrastructure. Despite skepticism about Rust's safety and practicality, the language is gaining traction due to its potential to reduce memory-related security vulnerabilities. High-profile tech companies like Microsoft are also advocating for Rust, moving away from C++ and other non-memory-safe languages to bolster software security. Critics of the move towards Rust, such as C++ creator Bjarne Stroustrup, argue that with appropriate tools, C++ can achieve comparable memory safety at a lower cost. Institutions like the Carnegie Mellon Software Engineering Institute have pointed out that while memory safety is important, it is not the sole factor in software security, and language choice should be based on fitness for purpose. Internal Google surveys reveal that developers find Rust code easier to review and express high confidence in its correctness, offering strong internal support for the transition. |
| 2024-03-31 14:40:04 | bleepingcomputer | NATION STATE ACTIVITY | DinodasRAT: Espionage Malware Infects Linux Servers Globally | DinodasRAT, primarily targeting Red Hat and Ubuntu Linux servers, has been implicated in an espionage campaign possibly running since 2022. ESET had previously discovered the malware attacking Windows in 'Operation Jacana,' which targeted governmental bodies. Kaspersky's report indicates that DinodasRAT for Linux creates a hidden mutex file, establishes persistence, and communicates with C2 servers using TEA in CBC mode. The malware's functionality includes monitoring, controlling, and exfiltrating data from infected systems, granting attackers full control over compromised servers. While the initial infection vectors are unclear, Kaspersky has observed infections in regions including China, Taiwan, Turkey, and Uzbekistan since October 2023. Trend Micro has linked the malware to the Chinese APT group 'Earth Krahang,' which has compromised both Windows and Linux systems at government targets worldwide. |
| 2024-03-30 16:54:25 | bleepingcomputer | DATA BREACH | AT&T Admits Data of 73 Million Customers Leaked Online | AT&T has acknowledged a significant data breach impacting 73 million current and former customers, with data dating back to 2019 or earlier. The leaked dataset contains customer names, addresses, phone numbers, and, for many, social security numbers and birth dates, but not financial information or call history. ShinyHunters were the first to claim the sale of the stolen AT&T data in 2021; AT&T initially denied the breach at that time. Subsequent analysis and customer validation have confirmed the leaked data's authenticity, as unique AT&T account-related email addresses were part of the dataset. DirecTV referred queries back to AT&T since the data leak predates their spinoff; AT&T has reset compromised passcodes and is reaching out to affected customers. The breach has not impacted personal financial information; AT&T will be notifying all affected parties and providing guidance on securing their information. Customers can check whether their information was part of the breach using the Have I Been Pwned service. |
| 2024-03-30 15:57:57 | bleepingcomputer | MALWARE | Advanced Vultur Banking Malware Mimics McAfee App on Android | A sophisticated version of the Vultur banking trojan targets Android devices, now disguised as the McAfee Security app. Security experts from ThreatFabric and Fox-IT have uncovered the new variant with improved evasion techniques and remote control capabilities. Vultur employs a hybrid attack strategy involving smishing and phone calls to dupe victims into downloading the malicious app. Once installed, the malware deploys multiple payloads to gain control over the device's Accessibility Services, enabling real-time monitoring and interference. The latest Vultur iteration features encrypted command-and-control communications, multiple layered payloads, and the use of native code for payload decryption, complicating detection and reverse engineering efforts. The malware authors have enhanced remote control options, adding gestures and blocking functionality for heightened stealth and device manipulation. Recommendations for Android users include downloading apps solely from trusted sources like the Google Play Store and being vigilant about app permissions during installation. |
| 2024-03-30 07:21:43 | thehackernews | MALWARE | macOS Infected by Malicious Ads Distributing Stealer Malware | Cybersecurity researchers at Jamf Threat Labs have identified an ongoing campaign targeting macOS users, utilizing malicious ads and fake websites to distribute two types of stealer malware. Victims searching for Arc Browser are lured by bogus ads on search engines to malicious sites that cannot be accessed directly, a tactic intended to avoid detection. The downloaded disk image files prompt users to enter their system passwords, which facilitates the theft of sensitive information. One of the stealers disguises itself as free group-meeting scheduling software on a phony site named meethub[.]gg, aiming to extract credentials from keychains, browsers, and cryptocurrency wallets. Attackers engage potential victims with job or podcast interview propositions and direct them to download an application for a video conference, specifically targeting individuals in the cryptocurrency industry. Additional threats include malicious DMG files spreading stealer malware with obfuscated AppleScript and payloads from a Russian IP address, designed to circumvent macOS Gatekeeper security. MacPaw's Moonlock Lab warns of threat actors using sophisticated anti-virtualization techniques and self-destruct mechanisms in stealer attacks to escape detection. These reports underscore the increasing threats to macOS users and the importance of heightened awareness and security measures. |
| 2024-03-30 05:24:11 | thehackernews | MALWARE | Critical Malware Discovered in XZ Utils Compromises Linux Systems | A secret backdoor has been discovered in the XZ Utils library, affecting major Linux distributions. Red Hat issued an urgent security alert for a supply chain compromise in versions 5.6.0 and 5.6.1 of XZ Utils, with a CVSS score of 10.0. The malicious code in the compromised library intercepts data interactions, potentially impacting the sshd daemon and systemd and facilitating unauthorized remote system access. Microsoft security researcher Andres Freund identified the sophisticated obfuscation and reported the hidden malicious code. The GitHub repository for XZ Utils has been disabled after a series of suspicious commits linked to a user named JiaT75. While there is no evidence of active exploitation, users of Fedora Linux 40 are advised to downgrade XZ Utils to avoid potential security risks. CISA has issued an alert recommending downgrading to a secure XZ Utils version; affected distributions include Fedora 41 and Fedora Rawhide, while Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, SUSE Linux Enterprise, and Leap remain unaffected. |
| 2024-03-29 22:00:15 | theregister | CYBERCRIME | Critical Backdoor Identified in Linux xz Compression Library | Red Hat issued a warning about a backdoor in the xz data compression library, potentially affecting Fedora Linux versions and the Fedora Rawhide developer distribution. The backdoor, rated 10/10 in severity, could allow remote unauthorized access and has been assigned CVE-2024-3094. Versions 5.6.0 and 5.6.1 of xz contain malicious code which became part of Fedora Linux 40 and may affect Fedora Linux 41 as well as Fedora Rawhide. Users are strongly urged to cease using Fedora Rawhide instances until a safe reversion to xz-5.4.x is completed. Red Hat confirms that Red Hat Enterprise Linux (RHEL) is not compromised by this issue. The backdoor, which was carefully obfuscated, interferes with SSH authentication, potentially enabling attackers to gain remote system access. Details surrounding the commits of the malicious code have raised the possibility of a sophisticated, possibly nation-state-affiliated attacker. The US Cybersecurity and Infrastructure Security Agency (CISA) has been notified of the security breach. |
| 2024-03-29 21:49:52 | theregister | MALWARE | Critical Privilege Escalation Exploit Hits Linux Kernels: Patch Urged | A new Linux kernel vulnerability, CVE-2024-1086, allows for easy privilege escalation to root access, affecting kernels from version 5.14 to 6.6.14. The exploit, which boasts a 99.4% success rate on kernel 6.4.16, impacts major Linux distributions such as Debian, Ubuntu, Red Hat, and Fedora. The flaw, a double-free bug in the kernel's netfilter component, was patched at the end of January, with updates being rolled out since. Security researcher Notselwyn detailed a new exploit method, termed Dirty Pagedirectory, for gaining control over a system's memory and operation. The exploit requires the default-enabled 'unprivileged user namespaces' option, which grants access to nf_tables in Linux distributions. To leverage the exploit, attackers must trigger a double-free, find the kernel base address to circumvent KASLR, and gain read/write to the modprobe_path kernel variable, ultimately leading to a root shell. Administrators are urged to apply the latest patches to prevent potential exploitation of this critical security flaw. |
| 2024-03-29 20:28:28 | bleepingcomputer | MALWARE | Malware Campaign Targets Millions of Gamers' Accounts | An infostealer malware campaign has claimed millions of gaming-related account logins. The database was discovered by a Phantom Overlay cheat developer, who noted it is the largest campaign targeting gamers and cheaters. Discord, with 14 million affected entries, is the most impacted domain in the database. Some of the stolen credentials, including those from a gaming forum, are confirmed to be valid and are not duplicated in other databases. Activision Blizzard advises the gaming community to secure accounts with two-factor authentication (2FA), while maintaining that its own servers are secure. Cybersecurity researchers encourage users to change passwords and enable 2FA to guard against unauthorized access. The extent of account validity or duplication within the stolen data is currently uncertain. |
| 2024-03-29 17:55:38 | bleepingcomputer | MALWARE | Backdoor Discovered in Popular Linux XZ Compression Tools | Red Hat issued an urgent warning to halt the use of Fedora development versions due to a backdoor found in XZ Utils. The compromise affects XZ versions 5.6.x built for Debian unstable, but no stable versions of Debian are impacted. The malicious code has the potential to interfere with sshd authentication, potentially allowing unauthorized remote system access. Security expert Andres Freund uncovered the issue during a performance analysis and noted that the code's purpose isn't fully understood yet. Red Hat has reverted Fedora to safe XZ versions, moving back to 5.4.x in response to the security vulnerability tracked as CVE-2024-3094. CISA released an advisory for developers and users to downgrade to a secure version of XZ and to monitor systems for any signs of compromise. |