Daily Brief

Articles are listed below; each headline is followed by a generated summary.

Total articles found: 11783

Checks for new stories every ~15 minutes

Title Summary
2024-02-26 15:00:33 thehackernews MALWARE Steganography Tactics in New Cyberattacks Delivering Remcos RAT
Ukrainian entities in Finland have been targeted with Remcos RAT delivered by the IDAT Loader, which conceals the payload inside a PNG image using steganography. IDAT Loader is linked to Hijack Loader and has previously distributed DanaBot, SystemBC and RedLine Stealer. The chain starts with a phishing campaign, first reported by CERT-UA, that uses war-themed lures; the lure leads to the loader, which extracts Remcos RAT from the image data, an evasion technique that defeats scanners looking for an executable on disk or in the download. In a separate incident, Ukrainian defense forces were targeted with COOKBOX malware sent over Signal, attributed to the UAC-0149 group. PikaBot has also resurfaced with new obfuscation and remains under active development, a further sign of maturing tooling among these actors.
2024-02-26 14:19:29 theregister MISCELLANEOUS NIS2 Directive Compliance Crucial for EU Organizations by 2024
EU member states must transpose the NIS2 Directive into national law by October 2024, broadening cybersecurity obligations for critical infrastructure. More than 160,000 organizations will fall in scope, with fines of up to €10m for non-compliance. Compared with the original NIS Directive, NIS2 covers more sectors and organizations, tightens security requirements, adds supply-chain security obligations, streamlines incident reporting and strengthens sanctions across Europe. Organizations should start preparing now rather than wait for enforcement. An upcoming webinar hosted by The Register will cover the Directive's details and compliance preparations, with speakers from Checkmarx and Cert2Connect discussing its implications for application security and compliance strategy.
2024-02-26 14:14:12 thehackernews CYBERCRIME Hijacked Subdomains of Major Brands Used for Massive Spam Campaign
More than 8,000 domains and 13,000 subdomains belonging to trusted brands and institutions have been hijacked for a spam operation dubbed SubdoMailing, active since September 2022. The cybercriminal group ResurrecAds runs the campaign, abusing digital advertising infrastructure for profit through spam and phishing. Subdomains of recognizable entities including ACLU, eBay, Lacoste and UNICEF are used to send millions of spam emails a day. The emails are built as images to slip past text-based filters and chain through redirects to targeted ads or phishing sites; because the hijacked subdomains' own DNS records authorize the attackers' senders, the messages pass SPF and the related DKIM and DMARC checks rather than failing them. The takeover works in two ways: a subdomain's CNAME points at an external domain that has since expired, which the attackers re-register, or a domain's SPF record includes an abandoned domain, which they register and populate with their own sending IPs. One example traced mail to an SMTP server in Kyiv. No evidence was found of hijacked subdomains hosting phishing landing pages, though the risk exists. Guardio Labs offers a SubdoMailing Checker for domain administrators to detect possible compromises and advises on countermeasures to dismantle the fraudulent infrastructure.
2024-02-26 14:03:46 bleepingcomputer CYBERCRIME Massive "SubdoMailing" Ad Fraud Operation Hijacks Thousands of Domains
The "SubdoMailing" campaign sends up to five million emails a day from hijacked domains of well-known companies in order to bypass spam filters. Over 8,000 legitimate domains and 13,000 subdomains have been compromised, affecting brands such as MSN, VMware, McAfee and eBay. Links in the emails lead to fake giveaways and affiliate scams that generate ad revenue for the fraudsters. Guardio Labs researchers uncovered the campaign, which relies on CNAME hijacking (re-registering the expired external domain a subdomain's CNAME points to) and SPF record exploitation (registering an abandoned domain that a victim's SPF record still includes). The cybercriminal group, dubbed "ResurrecAds," systematically scans for and hijacks such vulnerable domains. The campaign operates from nearly 22,000 unique IPs and around a thousand residential proxies to maintain scale. Guardio Labs has published a SubdoMailing checker tool so domain owners can see whether their brands are being exploited.
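The two DNS conditions both summaries above describe (a CNAME to an expired external domain, and an SPF include: or redirect= to an expired domain) can be checked from a zone export. The following is an added example, not Guardio's checker; the zone data and the set of registered domains are constructed, and in practice the registration set would come from RDAP or WHOIS lookups of every referenced domain.

```python
"""Spot the two DNS conditions SubdoMailing abuses, from exported zone data.

Added example (not Guardio's checker). A subdomain is exposed when its CNAME
points at an external domain nobody owns any more, or when an SPF record's
include:/redirect= references such a domain: whoever registers the abandoned
domain inherits the subdomain, or gets to publish SPF that authorises their
own mail servers for the victim's name.
"""
import re

# include:<domain> or redirect=<domain>, optional trailing dot, case-insensitive
SPF_REF = re.compile(r"^(?:include:|redirect=)([A-Za-z0-9._-]+?)\.?$", re.IGNORECASE)


def parse_spf(record):
    """Return the domains an SPF TXT record delegates to (include:/redirect=)."""
    if not record.lower().startswith("v=spf1"):
        return []
    refs = []
    for term in record.split()[1:]:
        m = SPF_REF.match(term.lstrip("+-~?"))  # drop SPF qualifiers
        if m:
            refs.append(m.group(1).lower())
    return refs


def registrable_domain(name):
    # Assumption: last two labels. Production code should use the Public Suffix List,
    # otherwise names under co.uk, com.br etc. are collapsed wrongly.
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dangling(zone, registered):
    """zone: {owner name: {"cname": target} and/or {"txt": [records]}}.
    registered: set of registrable domains confirmed to exist (constructed here;
    real code fills it from RDAP/WHOIS). Returns [(owner, finding, referenced domain)]."""
    findings = []
    for owner, rr in zone.items():
        cname = rr.get("cname")
        if cname and registrable_domain(cname) not in registered:
            findings.append((owner, "dangling-cname", cname.rstrip(".").lower()))
        for txt in rr.get("txt", []):
            for ref in parse_spf(txt):
                if registrable_domain(ref) not in registered:
                    findings.append((owner, "dangling-spf-include", ref))
    return findings


# Constructed zone export and registration data for the demo (hypothetical names).
SAMPLE_ZONE = {
    "promo.example.com": {"cname": "campaign.old-marketing-vendor.net."},
    "shop.example.com": {"cname": "example.myshopify.com."},
    "example.com": {"txt": [
        "v=spf1 include:_spf.google.com include:spf.defunct-mailer.io -all",
        "google-site-verification=abc123",
    ]},
    "mail.example.com": {"txt": ["v=spf1 redirect=_spf.example.com"]},
}
REGISTERED = {"example.com", "myshopify.com", "google.com"}

if __name__ == "__main__":
    for owner, kind, ref in find_dangling(SAMPLE_ZONE, REGISTERED):
        print(f"{kind:22} {owner:20} -> {ref}")
```

The check stops at one level of SPF delegation; the includes of each included domain need the same treatment, since an abandoned domain deep in the chain is just as usable to an attacker as one referenced directly.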
2024-02-26 12:47:10 theregister DATA BREACH ICO Sanctions Serco for Unlawful Biometric Data Processing
The UK Information Commissioner's Office (ICO) issued an enforcement notice to Serco Leisure for unlawfully processing over 2,000 employees' biometric data at 38 facilities. Serco was found to have used facial recognition and fingerprint scanning to monitor staff attendance and calculate pay without proper consent or opt-out options, creating a power imbalance. Employees felt compelled to surrender biometric data as a condition of employment, which raised significant privacy concerns. The ICO has mandated Serco Leisure to destroy all unlawfully retained biometric data within three months and to reassess the use of biometric technology. The ICO's statement emphasized the risks of biometric data usage, citing the inability to reset one's biometric information as one can with passwords. The enforcement not only impacts Serco and its associated community trusts but also extends to other trusts across various locations in the UK. Following the enforcement, the ICO has published new guidance on the appropriate use of biometric data to aid organizations in mitigating risks and preventing biases.
2024-02-26 12:31:39 thehackernews NATION STATE ACTIVITY North Korean Hackers Launch Malicious npm Package Attack
North Korean-linked hackers have targeted developers by publishing malicious packages to the npm registry. The fake packages masquerade as legitimate libraries, one imitating the popular "execution-time" library, and are designed to steal cryptocurrency and credentials. In this software supply chain attack the malicious code was hidden in test files, which fetched further payloads to harvest web browser credentials. A GitHub profile was connected to the activity, with repositories containing Python scripts that communicated with identified IP addresses. A series of related accounts actively forked repositories and worked around GitHub's takedowns. The activity has been tied to the known North Korean 'Contagious Interview' campaign, with similarities in the obfuscated JavaScript used. One developer confirmed the social-engineering angle: the attackers shared the malicious repository as part of a purported live coding interview, though the targeted developer did not install it. The incident underlines the need for heightened vigilance in the software development community regarding open-source code security.
2024-02-26 11:50:36 theregister CYBERCRIME Journalist Charged for Allegedly Hacking Fox News Footage
Florida journalist Tim Burke was arrested on charges related to unauthorized access to Fox News' computer systems. Burke's legal team argues that his actions constituted journalistic investigation, not hacking, as he accessed video streams via a link without using credentials. Among the accessed footage were unaired comments by Kanye West, which Burke then altered to conceal their origin. The Electronic Frontier Foundation (EFF) has called for the US Department of Justice to clarify how Burke's actions violate the Computer Fraud and Abuse Act (CFAA), emphasizing the law's vagueness. Separately, Apple's App Store approval process is questioned again after a fake cryptocurrency wallet app led to user losses, underscoring the ongoing challenge of app store security. The UK Office for Product Safety and Standards (OPSS) instructed EV charger manufacturer Wallbox to halt sales of a model failing to meet cybersecurity standards, which could pose a grid security risk. Wallbox was given a temporary waiver to sell their product but will stop in June due to hardware and operating system limitations that prevent full cybersecurity compliance.
2024-02-26 10:34:07 thehackernews MISCELLANEOUS Securing Secrets Against Inadvertent AI Disclosures
Large Language Models (LLMs) like GitHub Copilot have been shown to reproduce secrets such as passwords and API keys from their training data. Researchers in Hong Kong developed a prompting technique that led Copilot to output over 2,700 valid secrets. OWASP's Top 10 for LLMs lists "prompt injection" as a primary risk, where a crafted prompt manipulates the model into emitting sensitive data. The recommended defenses are: rotate secrets regularly, so that anything already leaked into a model or a repository is useless; sanitize training data, using open-source scanners to find and remove secrets before the data is used; and patch software and apply least privilege to application and LLM infrastructure, so that a leak or a prompt-injected command cannot escalate to arbitrary code execution. Rotation should be paired with tooling that checks whether a secret has already been exposed. Large language models hold transformative potential but require cautious implementation and robust security measures to prevent misuse or accidental data exposure.
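The "sanitize training data" step above is the one that can be shown in code. The following added example (mine, not from the article or any of the tools it alludes to) combines the two detectors real secret scanners use, known vendor key formats and a Shannon-entropy test on long random-looking strings, and redacts what it finds before the text reaches a corpus or a prompt. The sample text, patterns and threshold are constructed assumptions; the AWS and Stripe-style values are the vendors' published placeholder formats, not live credentials.

```python
"""Scan text destined for an LLM training corpus (or a prompt) for secrets,
then redact them. Added example; patterns and threshold are assumptions."""
import math
import re

# Known-format secrets: vendor prefixes are stable and cheap to match.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Generic "name = value" assignments whose name suggests a credential.
# No leading \b: names like DB_PASSWORD have no word boundary before PASSWORD.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
# Candidates for the entropy test: long, no whitespace, base64/hex-style alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your corpus


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Return [(kind, value)] grouped by detector, one entry per distinct value."""
    found, seen = [], set()

    def add(kind, value):
        if value not in seen:
            seen.add(value)
            found.append((kind, value))

    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(text):
            add(kind, m.group(0))
    for m in ASSIGNMENT.finditer(text):
        add("credential-assignment", m.group(1))
    for m in CANDIDATE.finditer(text):
        s = m.group(0)
        # Long natural-language identifiers reach ~3.7 bits/char, so entropy alone is
        # noisy; requiring both letters and digits removes most of those false positives.
        looks_random = any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
        if looks_random and shannon_entropy(s) > ENTROPY_THRESHOLD:
            add("high-entropy-string", s)
    return found


def redact(text, findings=None):
    """Replace every detected secret with a marker naming the detector that caught it."""
    if findings is None:
        findings = find_secrets(text)
    for kind, value in findings:
        text = text.replace(value, f"[REDACTED:{kind}]")
    return text


# Constructed sample; the key-like values are documented placeholders, not real credentials.
SAMPLE = """# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DB_PASSWORD = "correct-horse-battery-staple"
api_key: sk_test_4eC39HqLyjWDarjtT1zdp7dc
SESSION_SIGNING = "Q2f7xK9mL3pR8sT1vW4yZ6bN0cD5gH2j"
description = "internationalization_support_enabled"
note = "tokens are issued per session"
"""

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE):
        print(f"{kind:22} {value}")
    print(redact(SAMPLE))
```

The sample is built to exercise the edge cases: a passphrase with no digits is caught by the assignment pattern but would be missed by the entropy test, the signing key is caught only by entropy, and the long identifier and the word "tokens" are correctly left alone. Run the scanner over the whole corpus and treat any hit as a rotation trigger, not just a redaction.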
2024-02-26 09:58:18 thehackernews MALWARE Spate of Phishing Campaigns in LATAM and Europe Employ Banking Trojans
Cybersecurity researchers have reported a rise in phishing campaigns that deliver banking trojans via Google Cloud Run to users in Latin America and Europe. Observed since September 2023, the campaigns use malicious Microsoft Installer (MSI) files as droppers for the Astaroth, Mekotio and Ousaban payloads. Hosting on Google's trusted platform helps the links pass organizational filtering, and the three families have been served from the same Google Cloud storage bucket. The phishing emails, mostly originating from Brazil, mimic government tax agency communications or invoices and carry links to the malware downloads. Geofencing redirects visitors from unwanted geographies to legitimate websites so the hosting evades detection. Beyond this campaign, there is an increase in phishing that uses QR codes to steer users to fake login pages on mobile devices, which often lack the controls of a managed desktop. Other activity includes targeting of the oil and gas industry with the Rhadamanthys info stealer and abuse of legitimate services such as SendGrid for phishing credibility. Phishing kits sold on platforms like Telegram, such as the Tycoon Group's phishing-as-a-service, underscore the evolving threat landscape and the low barrier to entry for attackers.
2024-02-26 04:58:32 thehackernews CYBERCRIME LockBit Ransomware Reemerges Despite Law Enforcement Crackdown
The LockBit ransomware group is back online with new dark web infrastructure listing 12 new victims, days after law enforcement seized its servers. The group's administrator admitted that the likely entry point was its own failure to update PHP, leaving a known PHP vulnerability exploitable on its servers. The LockBit operator claims the FBI acted because a recent attack had exposed sensitive documents relating to Donald Trump's court cases. LockBit says it will tighten its operational security, among other things by removing automatic trial decrypts in favour of manual release, so that decryptors cannot again be harvested by law enforcement. Separately, Russian law enforcement has arrested three members of the SugarLocker ransomware group, which operated behind the facade of a legitimate IT company and offered its malware under a ransomware-as-a-service model. One of those arrested, Aleksandr Ermakov, was previously sanctioned internationally for his alleged role in the 2022 ransomware attack on Medibank, which compromised the sensitive health information of 9.7 million customers.
2024-02-25 19:44:47 bleepingcomputer CYBERCRIME LockBit Ransomware Reactivates with Enhanced Security Post-Police Takedown
Following law enforcement's disruption, the LockBit ransomware gang has swiftly revived their operations using new infrastructure with an explicit threat to target government sectors. The group openly admitted that previous negligence in updating their systems had led to the breach during Operation Cronos, which resulted in their infrastructure being taken down by authorities. Despite the setback, LockBit managed to maintain their brand identity, shifting their data leak site to a new .onion address and continuing to list victims with deadlines for releasing stolen information. The relaunch includes changes to their approach, with LockBit promising improved security measures such as decentralized panels for affiliates and manual release of decryptors. LockBit also disclosed that of the 1,000 decryption keys obtained by the police, the compromised keys were from the less secure decryptors meant for lower-level affiliates demanding smaller ransoms. The group's public response and updates to their operation strategy serve as a means of damage control to restore trust among their affiliates after authorities exposed vulnerabilities in their system.
2024-02-25 16:11:40 theregister MISCELLANEOUS The Intricacies of Designing Secure Internet Systems
Security is often seen as a feature that must be built into the foundation of internet systems, rather than retrofitted. The early internet had several shortcomings, such as lack of scalability, which have been improved over time with new protocols like DNS and BGP. Security is comparable to other system requirements, such as scalability and availability; all must be consistently maintained at every layer without a single point of failure. Defense-in-depth (DiD) in security is analogous to building reliability in systems, where multiple, overlapping defenses ensure system integrity. Security is difficult because it is a negative goal which is challenging to prove—ensuring that something cannot happen is different from achieving a positive outcome. Cryptographic algorithms are critical to security, but they must be integrated into well-designed systems to be effective. Articulating clear requirements and assumptions is vital in security design, as is the separation of concerns and requirements to achieve clarity and evolve over time. The authors advocate for a systematic approach to discussing and designing secure systems that acknowledges both theoretical and practical aspects of computer networking.
2024-02-25 16:06:20 bleepingcomputer CYBERCRIME PayPal Seeks Patent for Technology to Thwart Cookie Theft
PayPal has applied for a patent for technology to identify and thwart the theft of "super-cookies," which can be used to access accounts without proper authentication. The method proposed by PayPal can detect when cookies containing authentication tokens are stolen, helping to prevent account takeover attacks, even those bypassing 2FA. Super-cookies, different from regular cookies, are Local Shared Objects used for cross-site tracking and are more resistant to detection and deletion. PayPal's system would calculate a fraud risk score by examining expected values of a device's various cookie storage locations and comparing them during an authentication request. The authentication process could involve additional security measures depending on the assessed risk of fraud, based on the cookie values. The proposed method uses public-key cryptographic algorithms to encrypt cookie values retrieved during this process, enhancing security against potential tampering. The patent titled "Super-Cookie Identification for Stolen Cookie Detection" highlights PayPal's efforts to improve security measures for authentication and protect against unauthorized logins using stolen web cookies.
2024-02-25 11:31:47 bleepingcomputer CYBERCRIME RCMP Cyber Attack Investigation Underway, Website Offline
The Royal Canadian Mounted Police (RCMP) is investigating a significant cyber attack on their networks. RCMP confirms that their operations are not currently affected and public safety is not at risk. RCMP's chief security officer has issued a warning for staff to be on alert following the "cyber event". There is no current evidence to suggest that foreign police or intelligence services have been compromised. The RCMP has alerted the Office of the Privacy Commissioner about the cyberattack. RCMP's website is down, displaying a 404 error, and appears to be redirecting to a non-existent install.php page. A separate RCMP domain is partially accessible, but the main website remains offline as the investigation proceeds.
2024-02-25 08:59:23 thehackernews CYBERCRIME International Operation "Cronos" Dismantles Notorious LockBit Ransomware
The LockBit ransomware operation has been taken down in a coordinated international effort named Operation Cronos. Authorities claim the admin known as "LockBitSupp" has engaged with law enforcement, a statement evidently intended to sow distrust among the group's affiliates. Over 14,000 accounts linked to LockBit on services such as Mega and Protonmail have been closed as part of the takedown. Researchers suggest that multiple people could be operating under the LockBit and LockBitSupp handles; the group has raised its bounty for anyone who can identify the admin to $20 million. LockBit has released multiple versions of its ransomware since 2019 and was developing a new one, LockBit-NG-Dev, which adds a validity period and other changes to prevent reuse and resist analysis. Analysis by PRODAFT identified over 28 LockBit affiliates with connections to other Russian cybercrime groups. The group, which also runs a "Ghost Group" operational model, has earned over $120 million from its activities, with a global financial impact in the billions. Following the crackdown, rebuilding LockBit's infrastructure is seen as highly unlikely due to the loss of trust from initial access brokers and the departure of key technical personnel.