Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 11790

Checks for new stories every ~15 minutes

2024-03-07 06:21:49 thehackernews MALWARE Malware Disguised as Popular Video Conferencing Apps Spreads Worldwide
Threat actors have set up fake sites imitating Zoom, Skype, and Google Meet to distribute malware. Zscaler ThreatLabz found the sites pushing Remote Access Trojans (RATs): SpyNote for Android, and NjRAT and DCRat for Windows. The lure relies on typosquatting, with spoofed domains that closely mimic the legitimate ones so that visitors download the malicious files believing them genuine. The Android download is an APK; the Windows download is a batch script that in turn fetches a PowerShell script which installs the RAT. iOS visitors are redirected to the legitimate Apple App Store, suggesting they are not targeted by this campaign. The report also notes WogRAT, a new malware hosted on a free online notepad platform that targets Windows and Linux systems and has been active in several Asian countries, and a phishing surge since mid-2023 by the group TA4903, which steals corporate credentials for business email compromise (BEC) and uses QR codes and the EvilProxy phishing kit to bypass two-factor authentication before moving on to invoice fraud once a mailbox is compromised.
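The typosquatting described above is something a defender can hunt for in DNS or proxy logs. The following is an added example, not code from the brief or from Zscaler: it scores observed domains against the three impersonated brands using homoglyph normalisation, a lure-word rule (zoom-download, get-skype and the like) and a one-edit Levenshtein check. The brand list, the lure-word list, the allowlist of legitimate hosts and the sample domains are all constructed assumptions, not the domains from the report.

```python
"""Flag look-alike domains for the video-conferencing brands named above.

Added example (not from the article or from Zscaler): the brand list, the
lure-word list, the allowlist and the sample domains are constructed.
"""
from typing import Optional

# Legitimate hosts a visitor should actually land on (assumed allowlist).
LEGIT = ("zoom.us", "skype.com", "meet.google.com")
BRANDS = ("zoom", "skype", "meet")
# Words typosquatters bolt onto a brand, e.g. zoom-download.<tld> (assumed list).
LURE = {"download", "app", "install", "update", "setup", "client",
        "desktop", "get", "web", "free"}

# Digit/letter look-alikes; two multi-character tricks are handled in normalize().
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                         "5": "s", "7": "t", "8": "b"})


def normalize(label: str) -> str:
    """Map common homoglyph substitutions back to the letters they imitate."""
    return label.lower().translate(_GLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label only. Simplification: a production tool should use
    the public suffix list so that co.uk-style suffixes are handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Optional[tuple[str, str]]:
    """Return (brand, reason) when the domain looks like a typosquat, else None."""
    d = domain.lower().strip(".")
    if d in LEGIT or d.endswith(tuple("." + h for h in LEGIT)):
        return None
    label = registrable_label(d)
    stripped = label.replace("-", "").replace("_", "")
    for brand in BRANDS:
        if label == brand:
            return brand, "brand name on a foreign TLD"
        if normalize(label) == brand:
            return brand, "homoglyph substitution"
        if stripped.startswith(brand) and stripped[len(brand):] in LURE:
            return brand, "brand plus lure word"
        if stripped.endswith(brand) and stripped[:-len(brand)] in LURE:
            return brand, "lure word plus brand"
        if levenshtein(normalize(label), brand) == 1:
            return brand, "one edit away from brand"
    return None


def scan(domains):
    """Run classify() over observed domains; returns (domain, brand, reason) rows."""
    rows = []
    for d in domains:
        hit = classify(d)
        if hit:
            rows.append((d, hit[0], hit[1]))
    return rows


if __name__ == "__main__":
    # Constructed sample; these are NOT the domains from the Zscaler report.
    sample = ["us04web.zoom.us", "zo0m.xyz", "zoom-download.example",
              "skyype.com", "meetup.com", "google.com"]
    for row in scan(sample):
        print(row)
```

The allowlist check runs first so legitimate subdomains such as us04web.zoom.us never trip the rules, and the lure-word rule is deliberately narrow (meetup.com is not flagged) because "meet" on its own is too generic a token to match as a substring.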
2024-03-07 06:11:09 theregister NATION STATE ACTIVITY US Lawmakers Push to Divest or Ban TikTok Over Security Concerns
US legislators introduced a bill that would require ByteDance to sell TikTok or face a US ban, with the stated aim of protecting national security and user data from foreign influence. The "Protecting Americans from Foreign Adversary Controlled Applications Act" targets apps deemed controlled by foreign adversaries, with severe consequences for non-compliance. TikTok has reached 170 million monthly active users in the US, so the potential impact and data-exposure footprint are significant. The House Select Committee on the CCP insists the move seeks divestment, not censorship, and that ByteDance can continue TikTok's US operations by selling it. The bill also empowers the US president to designate other foreign adversary-controlled social media applications as national security risks, extending its scope beyond TikTok. Top intelligence officials have voiced concerns over domestic and foreign election interference through social media platforms. The proposed ban has drawn opposition from groups including the Freedom of the Press Foundation and the ACLU, which argue that it infringes First Amendment rights.
2024-03-07 02:22:25 theregister CYBERCRIME Class Action Alleges Google Profits from Persistent Gift Card Scams
Google is accused in a class action lawsuit of profiting from scams involving Google Play gift cards. The lawsuit claims that Google has retained millions from fraudulent transactions over nearly a decade. Google allegedly earns commission from fraudulently obtained gift cards used in the Play Store. Previous similar accusations led to an Apple settlement regarding iTunes gift card abuse. FTC data indicates significant losses from gift card fraud between January 2018 and September 2021, with Google Play involved in 20% of those. Google's policy states that gift cards are non-refundable, but the lawsuit argues this discourages victims from seeking recovery. Scammers exploit the one-time use of gift cards to purchase digital goods or sell the codes, with Google benefitting from the associated fees. The legal complaint criticizes Google for not adequately warning consumers or assisting in fund recovery when scams are reported.
2024-03-07 00:40:34 theregister CYBERCRIME Ex-Google Engineer Indicted for Stealing AI Trade Secrets
Linwei Ding, a former Google employee, is charged with stealing trade secrets and passing them to two Chinese companies. Ding circumvented Google's security controls and exfiltrated more than 500 confidential documents between May 2022 and May 2023. The documents covered Google's data center technologies, including the architecture and functionality of its GPU and TPU chips and systems. While at Google, Ding moonlighted for a Chinese AI startup and later founded his own company in China, pitching it as a competitor to Google's AI infrastructure. Google's data loss prevention systems did not detect the transfers, and Ding worked remotely from China for six months without being noticed. He was arrested in Newark, California, and faces four counts of theft of trade secrets; the U.S. Department of Justice emphasized its commitment to protecting American technology. Google says it has strict safeguards against theft and has cooperated with law enforcement, though the case raises questions about how effective those safeguards were.
2024-03-07 00:35:12 bleepingcomputer CYBERCRIME PetSmart Hit by Credential Stuffing Attack, Resets Passwords
PetSmart has alerted customers to an ongoing credential stuffing attack against their accounts. As a precaution the retailer reset the passwords of every account that was accessed during the attack. PetSmart says there is no indication that its own systems were breached; the reset is a proactive measure. Affected customers must use the "forgot password" link to regain access. Credential stuffing is a widespread attack in which credentials leaked from other breaches are replayed against many services in the hope that users reused them. Previous victims of similar attacks include PayPal, Spotify, Xfinity, and Chick-fil-A, and large sums were stolen from betting sites FanDuel and DraftKings. PetSmart is the largest pet retailer in the U.S., with over 60 million customers and 1,600 stores nationwide.
2024-03-07 00:29:55 bleepingcomputer CYBERCRIME PetSmart Alerts Customers to Credential Stuffing Attack
PetSmart issued warnings to certain customers about a credential stuffing attack targeting their accounts. The pet retail giant has reset passwords for accounts accessed during the attack due to the inability to confirm the legitimacy of the logins. Email notifications sent to customers state there is no evidence of a breach on PetSmart's systems but increased password guessing attempts were detected. Customers affected by the precautionary password reset need to use the "forgot password" function to regain access to their accounts on the company's website. Credential stuffing involves using leaked login details from other breaches to gain unauthorized access to accounts on different services. Successful attacks can lead to fraudulent purchases, spam, or other malicious activities; compromised accounts often end up for sale on the dark web. Past victims of similar attacks include significant businesses like PayPal, Spotify, and FanDuel, the latter having $600,000 stolen from breached accounts.
2024-03-07 00:24:37 bleepingcomputer CYBERCRIME Hackers Exploit TeamCity Flaw to Create Admin Accounts En Masse
Critical vulnerability CVE-2024-27198 in TeamCity On-Premises allows authentication bypass and is being actively exploited. Since JetBrains released the fix, attackers have used the flaw to create hundreds of admin accounts on unpatched servers. According to LeakIX, more than 1,440 of roughly 1,700 internet-exposed TeamCity instances have already been compromised. Many of these instances are production build servers, raising concerns about supply-chain attacks launched through build and deployment pipelines. Rapid7, which detailed the vulnerability, warned that it gives attackers full control over TeamCity projects, builds, agents and artifacts. The vulnerability affects all TeamCity On-Premises releases prior to 2023.11.4, and JetBrains urges customers to update to that version immediately.
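The first question for anyone running TeamCity is simply whether each server is on a release older than the fix. The following is an added example, not JetBrains' or Rapid7's tooling: it parses TeamCity version strings (including the "2023.11.3 (build ...)" form shown in the server footer) and sorts an inventory into hosts that need the update and hosts whose version could not be read. The only fact taken from the article is the fixed release, 2023.11.4; the inventory format and host names are assumptions.

```python
"""Patch-status triage for TeamCity On-Premises against CVE-2024-27198.

Added example, not JetBrains' or Rapid7's tooling. The fixed release
(2023.11.4) is from the article; the inventory below is constructed.
"""
import re

FIXED = (2023, 11, 4)            # first release containing the fix
_VERSION = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Pull (year, major, patch) out of strings such as '2023.11.3 (build NNN)'.
    A two-part version like '2023.11' is treated as patch level 0."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    year, major, patch = m.groups()
    return int(year), int(major), int(patch or 0)


def is_vulnerable(text: str) -> bool:
    """True when the version sorts below the 2023.11.4 fix."""
    return parse_version(text) < FIXED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into those needing the update and those whose version string
    could not be parsed and need a manual look (assumed {host: version} format)."""
    result = {"update": [], "review": []}
    for host, version in sorted(inventory.items()):
        try:
            if is_vulnerable(version):
                result["update"].append(host)
        except ValueError:
            result["review"].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory, e.g. collected from each server's footer.
    hosts = {
        "ci-a.example": "2023.11.4",
        "ci-b.example": "2023.11.3",
        "ci-c.example": "2022.10.2",
        "ci-d.example": "unknown",
    }
    print(triage(hosts))
```

Hosts that land in "review" should not be treated as safe; an unreadable version is exactly the kind of server that gets forgotten, and on a build system that already grants attackers project and artifact control an omission is costly.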
2024-03-06 22:37:47 bleepingcomputer CYBERCRIME WordPress Sites Used as Browsers to Launch Bruteforce Hacks
Hackers are compromising WordPress sites and injecting scripts that enlist visitors' browsers in distributed brute-force password attacks against third-party sites. Security firm Sucuri had earlier tracked a rise in injected scripts that stole cryptocurrency by tricking visitors into connecting their wallets; the attackers have now switched from wallet drainers to scripts that turn each visitor's browser into a password-guessing node. The script loaded from 'dynamic-linx[.]com/chx.js' has the browser fetch brute-force tasks (target site, account and candidate passwords) from the threat actor's server and submit login attempts. Over 1,700 sites have been found carrying the script, giving the attackers a large pool of unwitting clients spread across many IP addresses. One notable casualty is the website of Ecuador's Association of Private Banks, which was turned into a trap for unsuspecting visitors. Sucuri researchers suggest the approach lets the attackers operate more stealthily while building up a larger stock of compromised sites for future, potentially more profitable attacks.
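The two PetSmart stories and this WordPress story describe opposite shapes in an authentication log: credential stuffing is one source IP failing against many different accounts, while browser-hijack brute force is many source IPs failing against one account. The following is an added example, not from PetSmart, Sucuri or BleepingComputer, showing both detections over a constructed auth log plus the follow-up PetSmart actually took: list the accounts that logged in successfully from a flagged source, since those are the logins nobody can vouch for. The log line format, the thresholds and the sample lines are assumptions; adapt the regex to your own logs.

```python
"""Spot credential stuffing and distributed brute force in authentication logs.

Added example, not from PetSmart, Sucuri or BleepingComputer. The log format,
the thresholds and the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log (RFC 5737 documentation addresses). 198.51.100.7 is a
# stuffing source; the 203.0.113.x addresses are hijacked visitor browsers.
SAMPLE_LOG = """\
2024-03-06T22:40:01Z auth OK user=alice ip=192.0.2.10
2024-03-06T22:40:05Z auth FAIL user=bob ip=192.0.2.11
2024-03-06T22:40:30Z auth OK user=bob ip=192.0.2.11
2024-03-06T22:41:00Z auth FAIL user=carol ip=198.51.100.7
2024-03-06T22:41:02Z auth FAIL user=dave ip=198.51.100.7
2024-03-06T22:41:04Z auth FAIL user=erin ip=198.51.100.7
2024-03-06T22:41:06Z auth FAIL user=frank ip=198.51.100.7
2024-03-06T22:41:08Z auth OK user=grace ip=198.51.100.7
2024-03-06T22:41:10Z auth FAIL user=heidi ip=198.51.100.7
2024-03-06T22:45:00Z auth FAIL user=admin ip=203.0.113.21
2024-03-06T22:45:30Z auth FAIL user=admin ip=203.0.113.22
2024-03-06T22:46:00Z auth FAIL user=admin ip=203.0.113.23
2024-03-06T22:46:30Z auth FAIL user=admin ip=203.0.113.24
2024-03-06T22:47:00Z auth FAIL user=admin ip=203.0.113.25
"""


def parse(lines):
    """Return (timestamp, result, user, ip) tuples, skipping lines that don't match."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def _max_distinct_in_window(pairs, window):
    """Largest number of distinct keys inside any span of length `window`,
    computed with a sliding window over the time-sorted (timestamp, key) list."""
    pairs = sorted(pairs)
    counts, best, lo = Counter(), 0, 0
    for hi, (ts, key) in enumerate(pairs):
        counts[key] += 1
        while ts - pairs[lo][0] > window:
            old = pairs[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """IPs whose failed logins touch >= min_users distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    hits = {ip: _max_distinct_in_window(p, window) for ip, p in by_ip.items()}
    return {ip: n for ip, n in hits.items() if n >= min_users}


def distributed_targets(events, window=timedelta(minutes=10), min_ips=5):
    """Accounts whose failed logins come from >= min_ips distinct IPs inside `window`."""
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    hits = {u: _max_distinct_in_window(p, window) for u, p in by_user.items()}
    return {u: n for u, n in hits.items() if n >= min_ips}


def accounts_to_reset(events, flagged_ips):
    """Accounts with a successful login from a flagged source: the logins that
    cannot be vouched for, hence the precautionary password reset."""
    return {user for _, result, user, ip in events if result == "OK" and ip in flagged_ips}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    stuffers = stuffing_sources(ev)
    print("credential stuffing sources:", stuffers)
    print("distributed brute-force targets:", distributed_targets(ev))
    print("accounts to reset:", accounts_to_reset(ev, set(stuffers)))
```

Note that bob's single failure followed by a success from the same address is not flagged by either rule; the point of the distinct-count thresholds is to separate a user mistyping a password from a source replaying a list, and to separate one impatient user from a swarm of browsers working through a task queue.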
2024-03-06 20:55:33 theregister CYBERCRIME FBI Reports Significant Rise in Ransomware Targeting Critical Infrastructure
The FBI's Internet Crime Complaint Center (IC3) registered 880,418 cybercrime complaints in 2023, with losses potentially exceeding $12.5 billion. Ransomware attacks escalated, with critical infrastructure sectors significantly affected; healthcare alone reported 249 incidents. Ransomware complaints rose 18% year on year and reported ransomware losses rose 74%, to more than $59.6 million. Critical infrastructure saw a 37% increase in ransomware complaints, with 14 of the 16 designated sectors reporting attacks. The ransomware variants most often hitting these sectors were LockBit, ALPHV/BlackCat, Akira, Royal, and Black Basta. Despite international law enforcement efforts and takedowns, the groups remain persistent, as ALPHV/BlackCat's continued activity shows. Investment scams were the costliest category in 2023, netting criminals over $4.57 billion, with cryptocurrency-related investment fraud up 53%. Business email compromise (BEC) also remained highly profitable, with reported losses totaling more than $2.9 billion.
2024-03-06 20:35:03 bleepingcomputer CYBERCRIME Hackers Mimic US Agencies in Sophisticated Email Scams
The TA4903 threat actor specializes in business email compromise (BEC) and has been impersonating U.S. government entities, including the Departments of Transportation and Agriculture and the Small Business Administration. Proofpoint reports that TA4903's activity has ramped up since mid-2023 and that the group recently began embedding QR codes in PDF attachments that lead to phishing sites. The PDFs share a consistent design and metadata that suggest Nigerian origins, and the QR codes resolve to sites mimicking official U.S. government agency portals. The group has bypassed multi-factor authentication (MFA) in past campaigns, although that technique has not been observed this year. TA4903 is financially motivated, runs large-scale email campaigns, and has recently shifted its lures from government themes to small businesses. The multi-stage nature of the attacks offers several detection opportunities, and a layered defense is recommended.
2024-03-06 18:22:43 theregister CYBERCRIME Fidelity Reports Theft of Customer Data in Infosys Ransomware Attack
Personal and financial information of nearly 30,000 Fidelity Investments Life Insurance customers was exposed in a cybersecurity incident at Infosys McCamish Systems (IMS), an Infosys subsidiary that handles IT systems for Fidelity and suffered a ransomware attack attributed to the LockBit group. Exposed data includes names, Social Security numbers, bank account details, credit/debit card numbers, and card security codes, enough for financial fraud and identity theft. The intrusion occurred between October 20 and November 2 and also affected IMS services to Bank of America, bringing the total number of individuals whose information may have been stolen to over 85,000. Fidelity has been working with IMS to investigate the breach, contain its consequences, and restore secure services. LockBit claimed the attack shortly after Infosys disclosed it; since then some of the gang's infrastructure has been taken down by law enforcement. Fidelity and Bank of America have both notified affected customers and are still establishing the full extent of the breach.
2024-03-06 18:17:15 bleepingcomputer MALWARE Duvel Brewery Operations Halted by Ransomware Attack
Duvel Moortgat Brewery, known for its range of popular Belgian beers, was hit by a ransomware attack that stopped its beer production. The company's automated threat detection systems identified the attack, which occurred late at night, prompting an immediate pause in production. Duvel's communications manager reported that while the restart date for production is uncertain, there should be no impact on beer distribution due to ample stock. Beer enthusiasts online reacted with humor but also expressed concerns over a potential increase in beer prices if the disruption is prolonged. The extent of the attack on other company facilities is unclear, and no ransomware group has yet claimed responsibility for the cyber incident. BleepingComputer reached out to Duvel for further information, but no immediate response was provided. There's currently no information available about whether the attack has led to data theft or the possibility of extortion, only that brewing operations are affected.
2024-03-06 17:31:15 bleepingcomputer CYBERCRIME Canadian Anti-Money Laundering Agency Hit by Cyber Incident
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) experienced a cyber incident and took its corporate systems offline as a precaution. FINTRAC stated that its intelligence and classified systems were not affected and that sensitive information remains secure. It is working with federal partners to restore operations and strengthen its defenses against future attacks. Neither the nature of the attack nor the threat actors involved have been disclosed, and no group has claimed responsibility. The incident follows a recent run of security breaches at Canadian institutions, including the RCMP, TNPI, the Toronto Zoo, and MUN, underscoring a period of heightened cybersecurity challenges for Canada.
2024-03-06 17:05:34 theregister CYBERCRIME Apple Patches iOS Zero-Days and Bows to EU Rules
Apple has patched four vulnerabilities in iOS and iPadOS, including two zero-days that were reportedly exploited in the wild. The patched zero-days, identified as CVE-2024-23225 and CVE-2024-23296, could allow attackers with kernel read and write access to bypass memory protections. Fixes have been implemented for the current iOS and iPadOS 17.4, as well as a dedicated update for older 16.x devices no longer supported by the latest OS releases. Details regarding the attacks involving the exploited zero-days and the severity of the vulnerabilities remain undisclosed, with the National Vulnerability Database still evaluating them. Apple has also addressed two lesser vulnerabilities: CVE-2024-23243 discovered by a student, threatening location data privacy, and CVE-2024-23256 related to Safari's locked private browsing tabs feature. The recent updates go beyond security fixes, including features mandated by the EU's Digital Markets Act, such as offering users a choice of browser engines and app download sources.
2024-03-06 17:00:16 thehackernews MALWARE Sophisticated Crypto Mining Malware Targets Cloud Services
Hackers are exploiting misconfigured servers, including Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis, to mine cryptocurrency and establish persistent remote access. Targets are found by scanning with masscan or pnscan for the exposed services, after which automation delivers Go-based payloads. Once a host is compromised, the attackers install rootkits and the Platypus reverse shell utility to hide their presence and keep control. The 'Spinning YARN' campaign shows overlaps with known groups such as TeamTNT and WatchDog and demonstrates a solid understanding of cloud weaknesses. Uptycs separately identified attacks by the 8220 Gang on cloud infrastructure via known Apache Log4j and Atlassian Confluence Server flaws. The campaigns use a range of evasion techniques, including disabling security features and modifying firewall rules to stay undetected. Cryptocurrency mining is the main motive, but the same actors also engage in other threats, including ransomware against cloud and Linux infrastructure. The increased targeting of cloud services and the technical competence of these actors call for heightened vigilance from cloud operators.
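The entry point in campaigns like this is rarely an exploit; it is a service left reachable with no authentication. The following is an added example, not from Cado, Uptycs or The Hacker News, that audits configuration files for three of the services named above: a Redis bound to all interfaces with no password, a Docker daemon exposing its API over TCP without TLS client verification, and a Hadoop core-site.xml left on "simple" authentication, which leaves the YARN ResourceManager accepting application submissions from anyone who can reach it. Each check is shown against a weak config and a hardened one; all config texts are constructed and the finding codes are this example's own naming.

```python
"""Audit Redis, Docker and Hadoop configs for the exposures such campaigns rely on.

Added example, not from Cado, Uptycs or The Hacker News. The config texts are
constructed (weak vs. hardened) and the finding codes are invented here.
"""
import json
import xml.etree.ElementTree as ET

LOOPBACK = ("127.", "::1", "-::1", "localhost")


def audit_redis(conf_text: str) -> list[str]:
    """redis.conf: remote reachability with no password is the classic entry point."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()      # last directive wins, as in Redis
    findings = []
    bind = settings.get("bind")                         # absent => every interface
    listens_remote = bind is None or any(not a.startswith(LOOPBACK) for a in bind.split())
    protected = settings.get("protected-mode", "yes").lower() == "yes"
    has_auth = "requirepass" in settings
    if listens_remote and not has_auth:
        # protected-mode only guards the no-bind, no-password case; an explicit
        # bind 0.0.0.0 switches it off in practice.
        if bind is None and protected:
            findings.append("REDIS_RELIES_ON_PROTECTED_MODE")
        else:
            findings.append("REDIS_UNAUTH_REMOTE")
    if not protected:
        findings.append("REDIS_PROTECTED_MODE_OFF")
    return findings


def audit_docker(daemon_json: str) -> list[str]:
    """daemon.json: a TCP listener without tlsverify hands root on the host to
    anyone who can reach the port."""
    cfg = json.loads(daemon_json)
    return [f"DOCKER_API_TCP_NO_TLS:{h}" for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify", False)]


def audit_hadoop(core_site_xml: str) -> list[str]:
    """core-site.xml: 'simple' auth means YARN trusts the caller-supplied user name."""
    root = ET.fromstring(core_site_xml)
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in root.iter("property")}
    findings = []
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("HADOOP_AUTH_SIMPLE")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("HADOOP_AUTHZ_OFF")
    return findings


# Constructed configs: weak on the left of each pair, hardened on the right.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = ("bind 127.0.0.1 -::1\nprotected-mode yes\n"
                  "requirepass replace-with-a-long-random-secret\n")

WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

WEAK_CORE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
HARDENED_CORE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""


def audit_all(redis_conf: str, daemon_json: str, core_site: str) -> dict[str, list[str]]:
    return {"redis": audit_redis(redis_conf),
            "docker": audit_docker(daemon_json),
            "hadoop": audit_hadoop(core_site)}


if __name__ == "__main__":
    print("weak:    ", audit_all(WEAK_REDIS, WEAK_DOCKER, WEAK_CORE))
    print("hardened:", audit_all(HARDENED_REDIS, HARDENED_DOCKER, HARDENED_CORE))
```

The Redis check is deliberately careful about protected-mode: it only protects a server that has neither a bind directive nor a password, so "protected-mode yes" next to "bind 0.0.0.0" gives no protection at all, which is why the audit reports REDIS_UNAUTH_REMOTE rather than trusting the flag. The hardened Docker config still listens on TCP, but on 2376 with tlsverify, so only clients presenting a certificate signed by the configured CA can reach the API.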