Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12713
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-14 05:24:29 | thehackernews | MISCELLANEOUS | Apple and Google Combat Misuse of Bluetooth Trackers | Apple and Google introduced a new feature across iOS and Android platforms to alert users about unauthorized Bluetooth tracking devices. The feature, called "Detecting Unwanted Location Trackers" (DULT), is aimed at enhancing user privacy by preventing the misuse of Bluetooth trackers such as AirTags. Users will receive notifications if any unidentified Bluetooth tracking devices are detected moving with them over time, with options to identify and disable these devices. The initiative also includes guidelines and best practices for manufacturers to integrate similar safety features in their products. This development responds to increasing concerns and legal actions regarding the use of such trackers for malicious purposes like stalking. Additionally, this rollout coincides with Apple’s implementation of security updates, including a backported fix for a critical vulnerability (CVE-2024-23296) affecting kernel memory protections. Both tech giants emphasized the industry-first nature of this cross-platform solution and its design that incorporates community and industry input. | Details |
| 2024-05-13 21:51:01 | bleepingcomputer | MALWARE | Apple Backports Security Patch for Exploited iOS Kernel Zero-Day | Apple has updated older iPhone and iPad models with security patches to address an exploited iOS Kernel zero-day vulnerability (CVE-2024-23296). The zero-day is a memory corruption issue within Apple's RTKit OS, giving attackers expansive kernel access to bypass memory protections. Originally fixed in March for newer devices, the patches are now backported to models including iPhone 8, iPhone X, and certain iPad generations. Although explicit details of the attacks using this vulnerability are undisclosed, such zero-days are often leveraged in state-sponsored espionage against high-risk individuals. Users of older devices are urged to update immediately to prevent potential exploits. In total, Apple has addressed three zero-days so far in 2024, with additional WebKit vulnerabilities patched earlier in the year. The latest iOS update also introduces alerts to inform users of potentially unwanted Bluetooth device tracking. | Details |
| 2024-05-13 21:51:01 | bleepingcomputer | MALWARE | Malicious Python Package Targets Macs with Sliver Framework | A new malicious package on the Python Package Index (PyPI) mimics the popular 'requests' library to deliver the Sliver C2 framework to macOS systems. The package, named 'requests-darwin-lite,' uses steganography in a PNG file to covertly install the Sliver payload, which was designed for red team operations and is increasingly adopted by hackers. The attack checks the system's UUID during installation to ensure the payload is delivered only to specific targeted macOS devices. Once confirmed, the malicious PNG file executes, releasing the Sliver framework, which then runs in the background of the system. Sliver was originally used for red team operations but has seen a rise in criminal use for network breaches and ransomware attacks since 2022. Following detection by Phylum, the harmful versions of the package were removed from PyPI, although newer versions appeared clean, suggesting targeted rather than widespread attacks. The use of Sliver and techniques like steganography highlights the growing sophistication of cyber threats targeting various operating systems and platforms. | Details |
| 2024-05-13 20:49:23 | bleepingcomputer | NATION STATE ACTIVITY | FCC Identifies First Official Robocall Threat Actor 'Royal Tiger' | The FCC has designated "Royal Tiger" as its first official robocall threat actor, striving to enhance tracking and legal action against the group. Royal Tiger operates in multiple countries, including India, the UK, UAE, and the US, and has been involved in robocall scams impersonating government bodies and offering fake services. Led by Prince Jashvantlal Anand and Kaushal Bhavsar, this group controls several entities that manage illegal robocall operations in the US. Royal Tiger routed its calls through Great Choice Telecom in Texas, a firm previously hit with heavy fines and regulatory actions for illegal activities. The group's activities are part of a broader FCC initiative, the 'Consumer Communications Information Services Threat' system, which aims to identify and diminish telecom abuse. Enforcement measures might include cease-and-desist orders, removal from databases, and forfeiture orders, depending on the severity of offenses. The FCC encourages reporting of any violations tied to Royal Tiger through new communication channels to improve regulatory responses. Scams like those propagated by Royal Tiger have resulted in massive financial losses, particularly hitting military personnel and senior citizens hard in impostor scams. | Details |
| 2024-05-13 20:23:41 | bleepingcomputer | MALWARE | INC Ransom Source Code Allegedly for Sale on Hacking Forums | "Salfetka," a cybercriminal, is reportedly selling the INC Ransom source code for $300,000 on prominent hacking forums. INC Ransomware, launched in August 2023, has attacked major organizations including the U.S. division of Xerox Business Solutions and Scotland's National Health Service. The sale includes both Windows and Linux/ESXi versions, with purchase limited to three buyers, according to details from KELA via BleepingComputer. The source code's advanced encryption techniques (AES-128 in CTR mode, Curve25519 Donna) match those in public analyses of INC samples. INC Ransom's operational changes and the establishment of a new data leak site suggest potential shifts in leadership or strategy within the ransomware group. KELA analysts suggest that the new site and victim discrepancies indicate a possible split or leadership change within the INC operation. The new extortion page's design similarity to Hunters International raises questions about affiliations between ransomware operations. Private sale of uncrackable ransomware source code could pose increased threats globally, especially the sophisticated Linux/ESXi version. | Details |
| 2024-05-13 19:37:35 | theregister | CYBERCRIME | Christie's Website Taken Offline Amid $840 Million Auction | Christie's auction house website became inaccessible following a "technology security issue" identified last Thursday, days before hosting an auction showcasing $840 million worth of art. The incident, described as a cyberattack, prompted Christie's to redirect visitors to a temporary website while efforts to restore the main site continue. There's currently no evidence that customer data was compromised. Despite the cyberattack, Christie's confirmed that their high-profile art auction would proceed as scheduled using in-person and telephone bidding methods. This cybersecurity issue follows less than a year after Christie's faced criticism for inadvertently exposing location data of high-end art owners through their website. The broader context includes a spike in cyberattacks globally, targeting diverse organizations from Europol to the Ohio Lottery. Such incidents were a significant topic at the recent RSA Conference, emphasizing the need for enhanced product security. US Cybersecurity and Infrastructure Security Agency Director Jen Easterly highlighted the importance of holding technology manufacturers accountable to reduce the frequency and impact of cyberattacks. | Details |
| 2024-05-13 19:16:50 | bleepingcomputer | MALWARE | LockBit Black Ransomware Campaign Leveraged by Phorpiex Botnet | A significant LockBit Black ransomware campaign has been initiated through the Phorpiex botnet, dispersing millions of phishing emails. The campaign started in April and utilizes ZIP file attachments that contain malware executables to deliver the LockBit Black payload. These emails are misleadingly titled with common phrases such as "your document" and "photo of you???" sent from aliases like Jenny Brown and Jenny Green, originating from over 1,500 unique IP addresses globally. Once executed, the malware attempts to steal sensitive data, terminate various services, and encrypt files, which could lead to data loss and service disruption. Proofpoint discovered this vast-scale attack, noting its uniqueness due to the volume of emails sent and the use of ransomware as its primary payload. The Phorpiex botnet, which has facilitated these attacks, has been involved in various cybercriminal activities for over a decade, adapting over time to include more sophisticated criminal tools. NJCCIC advises businesses to implement strong ransomware mitigation and endpoint security strategies, including the use of effective email filtering to block these phishing attempts. | Details |
| 2024-05-13 19:11:24 | bleepingcomputer | MALWARE | Large-Scale LockBit Black Ransomware Campaign Strikes Globally | Since April, millions of phishing emails have been used to distribute LockBit Black ransomware via the Phorpiex botnet. New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) identified ZIP attachments in emails as the primary method for delivering the ransomware. Attackers used fake sender names and targeted global victims, employing over 1,500 unique IP addresses from multiple countries. The LockBit Black campaign uses a builder leaked in September 2022 and is not affiliated with the official LockBit ransomware operation. The ransomware encrypts and steals data, and terminates services on infected systems upon execution. Proofpoint observed this "spray-and-pray" tactic intensely over a week, noting these were the first observed instances of LockBit Black linked to Phorpiex. The Phorpiex botnet, known for over a decade, has evolved significantly, affecting over 1 million devices and recently engaging in cryptocurrency theft. NJCCIC recommends implementing risk mitigation strategies and using endpoint and email filtering solutions to defend against such phishing attacks. | Details |
| 2024-05-13 18:35:21 | theregister | CYBERCRIME | Black Basta Ransomware Impacts US Healthcare Provider Ascension | Multiple US security agencies issued advisories on Black Basta after it claimed responsibility for a cyberattack on Ascension. Ascension's operations have been severely disrupted, causing ambulance diversions and reliance on manual systems. The ransomware has targeted over 500 organizations since April 2022, including many within critical infrastructure sectors. The advisories urge healthcare and other critical infrastructure sectors to implement mitigation strategies to reduce the risk of ransomware attacks. Attack vectors for Black Basta include spearphishing, exploiting vulnerabilities, and using initial access brokers to obtain valid credentials. CISA and other agencies recommend implementing multifactor authentication, securing remote access software, and educating staff about phishing. Restoration of Ascension's systems is ongoing, with a focus on safety and a coordinated approach across their care sites. No specifics about ransom demands or negotiations have been disclosed publicly, but historical interactions suggest high-figure demands. | Details |
| 2024-05-13 17:54:21 | bleepingcomputer | CYBERCRIME | Hackers Exploit DNS Tunneling for Victim Tracking and Network Scanning | Threat actors utilize DNS tunneling to monitor target interactions with phishing emails and to examine network vulnerabilities. DNS tunneling involves encoding and transferring data through DNS queries, converting the communications network into a covert channel. Techniques like Base16, Base64, and custom encoding are used for embedding data in DNS queries to bypass firewall and network filtering. Palo Alto Networks’ Unit 42 observed this method in malicious campaigns for tracking victim responses and scanning networks. The "TrkCdn" campaign uses encoded DNS queries to track when recipients interact with phishing content and confirm malicious payload delivery. The "SecShow" campaign employs DNS tunneling to map network infrastructures, identify flaws, and test network responses to DNS queries. Recommendations include implementing DNS monitoring tools and restricting DNS resolvers to essential queries to mitigate misuse. | Details |
| 2024-05-13 15:21:18 | bleepingcomputer | DATA BREACH | Major Data Breach Affects Helsinki's Education Division | The City of Helsinki disclosed a data breach impacting its educational services, affecting over 80,000 students and personnel. An attacker exploited an unpatched vulnerability in a remote access server to access a network drive containing millions of files. The breach involved a variety of sensitive data including personal IDs, email addresses, and details about children's education and welfare. Authorities confirmed that a security update was available prior to the breach but was not applied to the vulnerable system. The breach's full scope is still under investigation, and comprehensive assessments and recovery efforts are ongoing. Helsinki has alerted the Data Protection Ombudsman and the National Cyber Security Centre, and advice has been issued to those possibly affected. No group has claimed responsibility for the breach, leaving the identity of the perpetrators unknown at this stage. | Details |
| 2024-05-13 14:34:57 | thehackernews | MISCELLANEOUS | MITRE Launches EMB3D Threat-Modeling for Embedded Devices | MITRE Corporation has released a new threat-modeling framework named EMB3D, targeting embedded device manufacturers. EMB3D was developed in collaboration with industry experts to provide a comprehensive view of cyber threats and mitigation strategies specifically for embedded devices. The framework is designed as a "living framework," similar to the ATT&CK model, and will continuously update as new threats and solutions emerge. EMB3D aims to foster a secure-by-design approach, enabling manufacturers to integrate security early in the device design process, which could decrease the need for additional security measures post-production. This initiative could lead to devices being less vulnerable at the time of release, with secure configurations as the default setting. Nozomi Networks’ research highlights that industrial environments, including OT and IoT devices, are increasingly targeted by cyberattacks exploiting various vulnerabilities. EMB3D offers a unified platform to aid ICS manufacturers in understanding and mitigating threats early, potentially leading to more secure infrastructure and lower security costs. | Details |
| 2024-05-13 14:03:09 | theregister | CYBERCRIME | IBM's X-Force Uses AI to Expose Major Manufacturer's Vulnerabilities | IBM's X-Force Red team, utilizing AI-enhanced tools, successfully infiltrated the world's largest manufacturer of a crucial computer component within just eight hours. The penetration test, originally scheduled for three weeks, aimed to identify and exploit security vulnerabilities across the manufacturer’s network. The AI tools employed enabled rapid data analysis, identification of attack paths, and exploitation of flaws, remarkably accelerating the red teaming process. During the operation, X-Force exploited a vulnerability in the company’s HR portal, gaining unobserved access which allowed for further network penetration and escalation of privileges. The team utilized a rootkit to remain undetected, ultimately mapping the internal network and accessing designs of significant technological components. The effectiveness of AI tools in offensive security practices highlights potential applications for both legitimate cyber defenses and malicious activities by criminals and nation-state actors. The discussion at an AI security event during the RSA Conference included insights from US Cyber Command and the NSA, emphasizing rapid advancements in AI security and its implications for national and global cybersecurity. | Details |
| 2024-05-13 14:03:08 | bleepingcomputer | CYBERCRIME | Criminal IP Partners with Quad9 for Enhanced Cybersecurity Measures | Criminal IP, an Asia-based Cyber Threat Intelligence (CTI) search engine, has partnered with Quad9 to share and utilize threat intelligence data effectively. This alliance marks Criminal IP as the first in Asia to provide domain and IP-based threat data to enhance Quad9's DNS-based blocking service. Test results demonstrated that 99.1% of the malicious domains identified by Criminal IP were unique, enhancing the efficacy of Quad9's blocklist against malware, phishing, spyware, and botnets. Quad9, a non-profit DNS service, incorporates various TI data sources, including IBM and F-Secure, alongside Criminal IP's intelligence to offer robust cybersecurity while adhering to Swiss Data Protection and GDPR. Criminal IP's database updates daily, enhancing the detection and prevention capabilities of connected cyber systems through their specialized APIs integrated into corporate security systems like SOAR and SIEM. This collaboration aims not only to protect Quad9’s global user base but also to improve the precision and relevance of Criminal IP's threat data. The service is easily accessible to end users by setting their DNS to Quad9’s server address (9.9.9.9), providing immediate protection enhancements. | Details |
| 2024-05-13 12:10:57 | thehackernews | CYBERCRIME | Report Highlights Rising Browser Security Threats in Enterprises | The 2024 Browser Security Report indicates browsers are major enterprise security risks due to increasing cyber attacks. Cyber attackers use browsers to commit account takeovers, deploy malicious extensions, and conduct phishing attacks, aiming to access sensitive data and systems. Security leaders are provided with essential data on browser-based threats, aiding in the planning and strengthening of security architectures. The report outlines the most critical vulnerabilities and prevailing attack vectors that jeopardize enterprise security. It serves as a benchmark for decision-makers to evaluate and improve their current security strategies against browser-based threats. Recommendations include a comprehensive, multifaceted approach to mitigate these risks and enhance browser security. The full report provides detailed examples and insights not covered in the article, offering further guidance for security professionals looking to deepen their understanding of browser threats. | Details |