Daily Brief


Total articles found: 11766

Checks for new stories every ~15 minutes

2024-02-09 19:21:10 bleepingcomputer CYBERCRIME Canada Proposes Ban on Flipper Zero to Tackle Auto Theft Spike
The Canadian government is considering a ban on the Flipper Zero, a device they claim is used by thieves to steal cars. Flipper Zero is a multi-functional device capable of interacting with various hardware and digital systems such as RFID and Bluetooth. Online videos show the Flipper Zero being used in replay attacks, cloning digital keys, and unlocking cars, raising security concerns. The ban announcement aligns with a national summit on auto theft and alarming statistics showing 90,000 vehicles are stolen yearly in Canada. Canadian authorities assert the ban on devices like Flipper Zero could remove hacking tools from the market and reduce vehicle thefts. Flipper Devices, the maker of Flipper Zero, refutes claims of the device's capability to hijack modern cars and emphasizes its purpose for responsible security testing. Amazon has ceased sales of the Flipper Zero, following Brazilian authorities' actions against the device for its alleged use in criminal activities.
2024-02-09 16:37:34 thehackernews MALWARE Raspberry Robin Malware Escalates Threat with Exploits and Discord Use
Raspberry Robin malware operators are employing new one-day exploits to facilitate local privilege escalation and complicate detection. The malware acts as a primary access vector for distributing additional malicious payloads, including ransomware, and is connected to multiple e-crime groups. Threat actors have incorporated fresh anti-analysis and obfuscation tactics to hinder analytical efforts by cybersecurity researchers. Exploits for vulnerabilities such as CVE-2023-36802 and CVE-2023-29360 were utilized before public disclosure, indicating a potential purchase of exploits from dark web sources. The increase in sophistication indicates a substantial threat as attackers exploit vulnerabilities quicker than many organizations can patch them. Discord is exploited as a new initial access vector, wherein malicious RAR files containing the malware are being distributed. Lateral movement within target networks has also evolved, with Raspberry Robin opting for PAExec.exe over PsExec.exe, and implementing a more randomized approach to C2 communications.
2024-02-09 15:56:36 bleepingcomputer MALWARE New Rust-based macOS Malware Masquerades as IDE Update
RustDoor, a macOS malware camouflaged as a Visual Studio update, is written in Rust and delivers backdoor access capabilities to hackers targeting systems running on Intel and ARM architectures. Detected by cybersecurity firm Bitdefender, the malware campaign began in November 2023 and has continuously distributed evolving variants; some infrastructural elements suggest links to the ALPHV/BlackCat ransomware group. The analysis revealed RustDoor's association with four command and control (C2) servers, three of which have ties to activities potentially connected to ransomware operators. While conclusive evidence is lacking, shared server use among cybercriminals suggests possible connections between RustDoor and ransomware groups like BlackBasta and ALPHV/BlackCat. RustDoor is disguised under various names and avoids conventional distribution channels like Application Bundles or Disk Images, which helps it evade detection by security tools. Once installed, RustDoor can persist through system reboots and blend in with legitimate applications by modifying system files and employing scheduled tasks. Bitdefender has identified at least three RustDoor variants with increasing sophistication and has published a list of indicators of compromise for organizations to detect potential breaches.
2024-02-09 15:25:34 bleepingcomputer CYBERCRIME Record $10 Billion Lost to Fraud in US, Reports FTC
Americans reported a staggering $10 billion lost to various scams in 2023, a 14% rise from the previous year. Investment scams topped the charts with $4.6 billion in reported losses, followed by nearly $2.7 billion lost to imposter scams. The FTC received 2.6 million consumer fraud reports and 1.1 million reports of identity theft. Payment methods resulting in most losses were bank transfers and cryptocurrencies, outstripping other methods. Despite the high volume of reports, this likely represents only a portion of actual fraud, as many incidents go unreported. FTC's Sentinel database aids law enforcement in tracking and combatting fraudulent activity by analyzing trends. Victims are encouraged to report fraud and identity theft through designated FTC platforms for support and to aid in data collection and prevention efforts.
2024-02-09 14:34:02 theregister CYBERCRIME Fortinet Battles Multiple Security Vulnerabilities and PR Snafus
A critical vulnerability in FortiOS's SSL VPN, CVE-2024-21762, allows remote code execution and may have already been exploited as a zero-day. Affected FortiOS versions require immediate patching; unsupported versions need upgrading, with disabling SSL VPN as the only current workaround. Fortinet mishandled the disclosure of two severe vulnerabilities, CVE-2024-23108 and CVE-2024-23109, initially claiming they were errors, then confirming their validity. The vulnerabilities were inadvertently linked to a previous advisory, and Fortinet received criticism for a delayed and confusing response to the media. A bizarre claim of a malware-laden toothbrush participating in a DDoS attack was reported and then attributed to a "translation problem" by Fortinet, which led to further public relations challenges. Fortinet's communication issues came amid reports of Chinese cyberspies exploiting FortiGate vulnerabilities with custom malware. The company is set to refocus on timely and transparent communication with customers as part of its security incident response efforts.
2024-02-09 14:13:23 theregister CYBERCRIME Securing AI Technology - A Crucial Cybersecurity Webinar Insight
A growing reliance on AI technologies has amplified potential cyber threats and vulnerabilities. Many organizations may be unaware of AI usage, which increases due to ease of deployment and affordability. Cybercriminals are finding new ways to exploit AI models and applications, raising security concerns. Cloudflare is hosting a webinar to educate on protecting AI applications from cyber risks. The webinar will cover unexpected ways AI consumption and deployment can expand an organization's attack surface. Industry experts will discuss tools, techniques, and services to mitigate AI-related vulnerabilities. Attendees will learn practical steps to secure their AI applications in the ever-evolving cyber landscape.
2024-02-09 13:37:21 thehackernews MALWARE New MoqHao Malware Auto-Executes, Threatens Android Users
A new variant of the MoqHao Android malware has been discovered with the capability to auto-execute upon installation. This malware affects Android users in various countries such as France, Germany, India, Japan, and South Korea and is linked to a Chinese cybercrime group. The infection begins with SMS phishing that deploys malware on Android devices, while iPhone users are redirected to a fake iCloud login page. The latest MoqHao variant obtains permissions and starts malicious activities without the need for the user to launch the app. The malware is distributed through SMS messages containing links shortened by URL shorteners and content sourced from fake Pinterest profiles. MoqHao can stealthily acquire sensitive data, silently call numbers, and manipulate Wi-Fi settings, among other capabilities. Google has been notified and is reportedly working on mitigating the auto-execution mechanism in future Android versions. In a separate report, a cybercrime syndicate named Bigpanzi has been linked to the creation of a botnet using compromised Android smart TVs and boxes in Brazil for DDoS attacks and illegal streaming.
2024-02-09 11:04:14 thehackernews MISCELLANEOUS Myrror Security Revolutionizes Software Supply Chain Risk Management
Myrror Security's platform addresses modern software supply chain threats by going beyond traditional Static Code Analysis (SCA) tools, which often provide irrelevant vulnerability scores without considering organizational-specific context. Traditional SCA tools fail to adequately detect and prioritize real-world supply chain attacks like code injection and CI/CD attacks, leading to prioritization of less critical issues. Myrror's approach involves binary-to-source analysis for every third-party package and a proprietary reachability vulnerability analysis algorithm to accurately prioritize issues based on their actual exploitability in production. The platform streamlines the AppSec process by allowing organizations to actively scan repositories, take inventory of open-source dependencies, and generate prioritized risk overviews with actionable insights. Myrror's dashboards and issues screens provide detailed analytics on security issues impacting the codebase, including reachability and exploit confirmations, to target the most critical vulnerabilities. The solution also offers a remediation plan generator that helps teams understand the implications of patching, including new vulnerabilities that may be introduced and issues that will remain after fixes. By addressing alert fatigue and offering a clear strategy against undiscovered supply chain attacks, Myrror’s platform aids organizations in effectively managing and defending against sophisticated security risks in the software supply chain.
2024-02-09 10:33:25 thehackernews MALWARE Sophisticated Coyote Trojan Looms Over Brazilian Banking Sector
A new banking trojan named Coyote targets 61 Brazilian banks, using advanced techniques for distribution and infection. Coyote exploits the Squirrel installer, Node.js, and the Nim programming language, enhancing complexity and evading detection. The malware deploys a multi-stage attack chain, with a Squirrel installer initiating a Node.js application that eventually executes the Nim-based loader. The Coyote trojan waits for specific banking applications or websites to open before fetching instructions from a command-and-control server. It can perform various malicious actions, such as logging keystrokes, displaying fake overlays, moving the mouse cursor, and even shutting down the victim's machine. This new threat emerges as Brazilian authorities crack down on the Grandoreiro operation, signalling increased efforts to combat cybercrime. An unrelated Python-based information stealer linked to Vietnamese hackers is also reported, indicating a broader landscape of escalating cyber threats.
2024-02-09 07:45:24 thehackernews MISCELLANEOUS Enhancing Cloud Security with Wazuh's Cybersecurity Solutions
Cloud computing offers benefits like scalability and cost-efficiency, but introduces cybersecurity risks. Wazuh is an open-source cybersecurity platform providing XDR and SIEM capabilities for on-premises and cloud environments. With the adoption of cloud services, organizations face challenges such as knowledge gaps, reliability issues, and security threats. Wazuh integrates with various cloud platforms including AWS, Azure, GitHub, and GCP for real-time threat detection and incident response. Cybersecurity strategies must evolve to address the unique challenges of securing cloud infrastructures. Wazuh's flexible architecture helps protect against emerging threats and enhances security posture within dynamic cloud ecosystems. By leveraging Wazuh, organizations can maintain robust security, detect threats in real-time, and safeguard their applications and data.
2024-02-09 06:39:00 thehackernews NATION STATE ACTIVITY Stealth Cyber-Espionage on Saudi Charity Reveals Zardoor Backdoor
An Islamic non-profit in Saudi Arabia has been targeted in a sophisticated cyber espionage campaign, deploying an undetected backdoor known as Zardoor. Cisco Talos identified the activity starting from at least March 2021, with continuous surveillance and data exfiltration observed roughly twice a month. Attackers used "living-off-the-land binaries" (LoLBins) to deploy backdoors, establish command-and-control (C2) communications, and maintain discreet long-term access. The initial breach point remains unknown, but it led to Zardoor installation for persistence, and C2 was established using open-source proxy tools. The threat actors utilized Windows Management Instrumentation (WMI) for lateral movement and to spread the attackers' tools, including the Zardoor backdoor. Two backdoor modules, "zar32.dll" and "zor32.dll", were used for C2 communications and for ensuring privileged deployment. The backdoor is capable of data exfiltration, remote code execution, C2 IP address updates, and self-deletion to evade detection. The identity and origin of the threat actors are unclear, with no overlap with known groups; nevertheless, they are considered an advanced threat actor.
2024-02-09 05:42:37 thehackernews CYBERCRIME Fortinet Issues Alert on Actively Exploited Critical VPN Flaw
Fortinet disclosed a critical security flaw in FortiOS SSL VPN, identified as CVE-2024-21762 with a CVSS score of 9.6, which could allow remote, unauthenticated attackers to execute arbitrary code or commands. The vulnerability has been acknowledged as potentially being actively exploited in the wild, though specifics about the exploitation techniques and the identities of the attackers have not been provided. Impacted versions of the software have been identified, and it is noted that FortiOS 7.6 is unaffected by this issue. Fortinet also released patches for other vulnerabilities, specifically CVE-2024-23108 and CVE-2024-23109, relating to FortiSIEM supervisor. The Netherlands government recently reported that Chinese state-sponsored actors exploited known flaws in Fortinet FortiGate devices to deliver the COATHANGER backdoor into military network systems. Fortinet mentioned that its past N-day vulnerabilities are being exploited by several activity clusters targeting various sectors, with earlier instances of Chinese threat actors using zero-day flaws for attacks. The U.S. government warned of a Chinese nation-state group, Volt Typhoon, targeting critical infrastructure using known and zero-day flaws in network appliances from several vendors, including Fortinet. The attacks highlight the increased threat to internet-facing devices due to lack of EDR support, and they illustrate ongoing concerns about cyber espionage and cybercrime activities, particularly those attributed to state-sponsored actors.
2024-02-09 05:16:56 theregister NATION STATE ACTIVITY India Advances Digital Currency with Programming and Offline Use
The Reserve Bank of India (RBI) intends to make its digital currency, the e-rupee, programmable and usable offline. The current Central Bank Digital Currency (CBDC) retail pilot, launched in late 2022, supports person-to-person and person-to-merchant transactions. Programmability will allow for transactions to be designated for specific purposes, aiding in payment transparency and usage control. Offline functionality aims to cater to areas with limited internet connectivity, which is a significant concern in remote and mountainous regions of India. Future pilot programs will gradually introduce these new features, with potential applications for government payments and business expenses. RBI plans to create a framework for authenticated digital payment transactions, considering additional factors beyond SMS-based OTPs. These initiatives are positioned as part of India's broader economic development strategy, which includes enhancing digital infrastructure and payment technologies. India is also considering revising international agreements to tax digital goods, aiming to gain tariff revenue and improve trade competitiveness.
2024-02-09 04:05:19 theregister CYBERCRIME Cyber Gang Hijacks Job Boards, Pilfers Millions of Emails in Asia
A crime gang, referred to as "ResumeLooters," executed cyber attacks on Asian job boards and retailer websites, resulting in the theft of over two million personal records. Group-IB, an international cybersecurity company based in Singapore, identified the attacks, which predominantly used SQL injection and Cross-Site Scripting (XSS) to compromise databases. The compromised data includes email addresses, names, phone numbers, dates of birth, and employment histories, with the attacks starting in January and continuing for at least two months. Despite the goal of stealing admin credentials, Group-IB found no evidence that ResumeLooters succeeded in this particular endeavor. The majority of affected victims were located in the APAC region, with India experiencing the highest number of compromised sites. Evidence of penetration testing tools and stolen data was discovered on a malicious server linked to the group, indicating attempts at deeper network penetration and data theft. Group-IB traced the attackers' activity back to two Chinese-language Telegram accounts, suggesting that the threat actors may originate from China.
2024-02-09 03:39:40 thehackernews CYBERCRIME Ivanti Issues Alert for Critical Authentication Bypass Vulnerability
Ivanti has reported a high-severity authentication bypass vulnerability, designated as CVE-2024-22024, affecting their security products. The vulnerability scores 8.3/10 on the CVSS scale and could allow unrestricted access to certain resources without authentication. Affected products include Ivanti Connect Secure, Policy Secure, and ZTA gateways, specifically in the SAML component due to an XXE issue. The flaw was identified during an ongoing internal review that has unveiled multiple security issues in Ivanti products this year. Ivanti has released patches for various versions of the affected products to address this vulnerability. The company notes there is no current evidence of active exploitation but urges users to update promptly due to recent abuse of other Ivanti vulnerabilities.