Daily Brief

2024-03-26 16:34:37 bleepingcomputer CYBERCRIME Malicious VPN Apps Exploit Android Devices for Proxy Networks
Over 15 free VPN apps on Google Play leveraged a malicious SDK to turn Android phones into residential proxies for potentially illicit activities. Residential proxies disguise internet traffic, but in this case, they were likely used for cybercrime purposes such as ad fraud, phishing, and credential stuffing. The proxy services were installed on devices without the owners' consent, putting users' bandwidth at risk and exposing them to legal implications for the activities conducted through their devices. A report by HUMAN's Satori team identified 28 apps using the "Proxylib" library from the LumiApps SDK to create a proxy network, with links to the Russian proxy provider 'Asocks'. Google has since removed the malicious apps from the Play Store following the report, and Google Play Protect has been updated to detect the LumiApps libraries. Despite the cleanup, some of the previously targeted apps have reappeared on Google Play, raising concerns about their safety and potential misuse. Users are advised to uninstall the affected apps or update to the latest version that does not include the harmful SDK; paid VPN services are recommended over free ones to avoid similar risks.
2024-03-26 15:02:28 bleepingcomputer MALWARE Widespread "TheMoon" Malware Compromises Thousands of ASUS Routers
A new "TheMoon" malware variant targets and infects outdated ASUS routers, branching out to IoT devices in 88 countries. Infections are linked to the "Faceless" proxy service, which anonymizes cybercriminal activities by routing traffic through compromised devices. "Black Lotus Labs" observed over 6,000 ASUS router infections within 72 hours of the malware campaign's start in early March 2024. Researchers note that the compromised routers are primarily end-of-life models likely breached through known vulnerabilities or weak credentials. The malware evades detection and secures communication with a command-and-control server by establishing specific iptables rules and reaching out to hardcoded IP addresses. The "Faceless" service, which operates without KYC measures, uses some of these infected devices as proxies, with transactions in cryptocurrencies. Sustained infections suggest some compromises go unnoticed for extended periods, whereas others are resolved quickly, possibly due to active monitoring. Enhanced cybersecurity practices for router owners include using strong passwords, updating firmware, and replacing end-of-life (EoL) devices. Signs of infection include connectivity issues, device overheating, and unauthorized setting changes.
2024-03-26 13:20:31 theregister CYBERCRIME DARPA & ARPA-H Unite to Combat Ransomware in Healthcare
DARPA enhances its Artificial Intelligence Cyber Challenge (AIxCC) by collaborating with ARPA-H to secure critical healthcare infrastructure against ransomware. ARPA-H adds $20M in rewards for AI-based tools that can autonomously secure code in medical devices, biotech, and hospital IT systems. The increased targeting of healthcare by ransomware attacks poses significant risks to patient safety and care delivery. US Senator Mark Warner expresses concern over the potential for attacks that directly affect patient care, following a disruptive ransomware incident at Change Healthcare. In 2023, the critical infrastructure sector, particularly healthcare, saw a significant rise in ransomware, with losses exceeding $59.6M according to FBI data. The AIxCC competition focuses on addressing software vulnerabilities in critical systems, with a recent example being the Linux kernel challenge involving CVE-2021-43267. With a large percentage of medical devices running on Linux, successes in the competition are expected to translate into safer healthcare environments.
2024-03-26 12:08:38 thehackernews NATION STATE ACTIVITY U.S. Indicts Chinese Nationals for Long-Term Cyber Espionage
The U.S. Department of Justice has indicted seven Chinese nationals for conspiring in a cyber espionage operation spanning approximately 14 years. The hacking group, known as APT31, targeted U.S. and international critics, journalists, political figures, and businesses to further China's economic and intelligence agendas. Two of the accused are linked to Wuhan Xiaoruizhi Science and Technology Company, Limited, suspected to be a front for China's Ministry of State Security. APT31 utilized sophisticated techniques, including personalized spear-phishing campaigns, zero-day exploits, and custom malware, to compromise networks and steal sensitive information. The cyber espionage activities included monitoring of U.S. government officials and personnel from various departments, as well as political dissidents globally. The U.S. is offering up to $10 million for information on individuals associated with APT31, with sanctions also imposed by the U.K. and the U.S. against implicated persons and entities. The U.K. government has previously accused APT31 of unauthorized access to voter data from its Electoral Commission, affecting approximately 40 million people. China denies the allegations, labeling them as "completely fabricated" and criticizing the imposition of sanctions, maintaining their opposition to cyberattacks and unilateral sanctions.
2024-03-26 11:37:49 thehackernews DDOS Strategies for Defending Minecraft Servers Against DDoS Attacks
Minecraft servers are facing increasing risks from Distributed Denial-of-Service (DDoS) attacks, which can disrupt gameplay and cause financial and reputational damage. Despite their prevalence, many DDoS attacks on Minecraft servers go unreported; therefore, awareness and protection are often lacking. During a DDoS attack, players may struggle with logging in, loading worlds, and the server may experience lags, disconnections, or crashes. Server owners and operators should be vigilant for signs of DDoS attacks and take immediate action by consulting with ISPs or hosting providers. The community impact of DDoS attacks can extend beyond gameplay disruption to emotional and financial consequences, such as players missing out on tournament earnings. Basic protective measures include staying informed about DDoS tactics, fostering a strong community, and involving law enforcement in serious threats. Advanced protective measures, like Gcore DDoS Protection, offer real-time, tailored defense mechanisms to protect against attacks of any scale. The gaming industry is highly targeted for DDoS attacks, with significant potential losses, highlighting the importance of specialized DDoS mitigation services like Gcore.
2024-03-26 10:21:12 theregister MISCELLANEOUS Beacon Awards Recognize Safety-Centric Software Projects for FreeBSD
The FreeBSD Foundation has announced the Beacon Awards, which reward safer software initiatives, especially those working on CHERI-enabled hardware and the CheriBSD operating system. CHERI, standing for Capability Hardware Enhanced RISC Instructions, is aimed at enhancing security by prioritizing safety over speed in hardware and software designs. The Beacon Awards are part of the UK government's Digital Security by Design initiative, which has been funding security R&D for over six years. One of the grand prize winners is the Mojo JVM project, developing a memory-secure Java runtime that is compatible with existing Java applications with little to no code changes. Another grand prize went to Intravisor, offering innovative virtualization host technology for cloud software with improved isolation capabilities on CHERI-enabled hardware. Capabilities Limited received a grand prize for refactoring over 1.7 million lines of C++ web services software for CheriBSD and Morello hardware. The article emphasizes the importance of balancing performance with security, suggesting that despite a potential decrease in speed, the enhanced security provided by CHERI research is a valuable trade-off.
2024-03-26 09:35:04 theregister NATION STATE ACTIVITY UK Elections Secure Despite Chinese Cyber Attacks on Democratic Targets
The UK Deputy Prime Minister Oliver Dowden asserts that Chinese cyber interference has not undermined UK elections. Formal accusations have been made by the UK and US against China for cyberattacks on the UK Electoral Commission and MPs in 2021. In 2021, China's state-sponsored actors were linked to the exposure of 40 million UK voters' data through the ProxyNotShell exploit in Microsoft Exchange servers. The National Cyber Security Centre (NCSC) of the UK believes the stolen data may be used by Chinese intelligence for espionage and suppressing dissidents. UK parliamentarians, particularly critics of Beijing and members of the Inter-Parliamentary Alliance on China (IPAC), were targeted by Chinese state-linked group APT31 in reconnaissance efforts. The NCSC has updated its Defending Democracy guidance to help political organizations protect against state-aligned cyberattacks. UK and US sanctions have been imposed on two Chinese nationals and one front organization linked to APT31 for their involvement in cyber espionage. Ongoing vigilance is maintained against nation-state cyber threats, with China remaining one of the primary adversaries in cyberspace for both the UK and US.
2024-03-26 08:33:11 thehackernews NATION STATE ACTIVITY U.S. Hits Crypto Exchanges for Aiding Russian Sanctions Evasion
The U.S. Treasury's OFAC has sanctioned three cryptocurrency exchanges for helping Russia evade sanctions imposed due to its invasion of Ukraine. The sanctions focus on individuals and entities in the Russian financial services and technology sectors that facilitate transactions for other sanctioned entities. Bitpapa, AWEX, and TOEP are specifically accused of enabling significant transactions with Russian entities like Hydra Market, Garantex, and notable Russian banks. Companies like B-Crypto, Masterchain, and Laitkhaus, partnered with Russian banks, are among the newly sanctioned for cryptocurrency-related services. All property and interests in the U.S. relating to the designated persons and entities are now frozen, as are those of any entities in which they hold a 50% or greater stake. The U.S. Treasury reaffirms its commitment to disrupting financial networks that allow Russian financial institutions to connect with the global financial system.
2024-03-26 08:27:47 theregister CYBERCRIME Disagreement Over Severity of DNSSEC Vulnerabilities Surfaces
Two DNSSEC vulnerabilities—KeyTrap (CVE-2023-50387) and NSEC3-encloser (CVE-2023-50868)—were reported with identical severity scores but vary widely in impact. KeyTrap is considered extremely severe and can exhaust CPU resources, potentially disabling large internet segments. NSEC3-encloser, on the other hand, has been deemed by researchers to have a much lower impact on CPU resources and does not pose a similar threat. Both vulnerabilities share a severity rating of 7.5 out of 10 based on the Common Vulnerability Scoring System (CVSS), raising questions about the accuracy of such assessments. ATHENE's research indicates an incongruity between the perceived threat levels of the two flaws, with experiments showing no denial of service through CPU exhaustion is achievable with the NSEC3-encloser. MITRE, the organization assigning CVE scores, and NIST, which runs the National Vulnerability Database, have come under scrutiny for the discrepancy in the portrayal of the vulnerabilities' severity. Concerns have been raised about MITRE's and other information security entities' neutrality and precision in the evaluation of vulnerabilities, emphasizing the importance of relying on detailed analyses rather than varying perspectives.
2024-03-26 05:03:48 thehackernews CYBERCRIME CISA Issues Alert on Exploits in Popular Security Products
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation evidence. Flaws in Fortinet, Ivanti, and Nice products are flagged as serious enough that federal agencies are mandated to patch them by April 15, 2024. Fortinet's FortiClient EMS vulnerability allows unauthenticated attackers to execute unauthorized code via crafted requests, with confirmed in-the-wild exploitation. Ivanti Endpoint Manager Cloud Service Appliance has a code injection vulnerability, which may stem from an intentional backdoor in a discontinued open-source project. Nice Linear eMerge E3-Series access controllers have been vulnerable since at least May 2019, with a remote code execution exploit observed as of February 2020. CISA and the FBI are also warning software manufacturers about the persistent threat from SQL injection vulnerabilities, highlighted by a recent exploitation by the Cl0p ransomware gang. The alerts demonstrate the agencies' commitment to urging organizations to improve cybersecurity by addressing known vulnerabilities promptly.
2024-03-26 03:32:04 theregister NATION STATE ACTIVITY New Zealand Accuses China of 2021 Parliamentary Cyberattack
New Zealand's attorney-general disclosed that the Chinese state-sponsored group APT40 was behind a cyberattack on its parliamentary agencies in 2021. The cyberattack targeted the Parliamentary Counsel Office and the Parliamentary Service, both crucial for government operations. The National Cyber Security Centre (NCSC) responded swiftly to the intrusion, containing the threat and ridding the network of malicious actors. Following the cyberattack, New Zealand has reportedly enhanced its cybersecurity measures to prevent similar future intrusions. This revelation came in the wake of similar accusations from the UK and US against Chinese state-backed cyber activities. Australia joined the international condemnation, expressing concerns over Chinese cyber threats to democratic institutions. China regularly rebuffs foreign cyberattack claims, with few details disclosed on incidents beyond those reported by Edward Snowden. The US has taken measures against Chinese influence through social media platforms, underscoring geopolitical cyber tensions.
2024-03-25 23:22:53 bleepingcomputer CYBERCRIME Panera Bread Suffers Nationwide IT Outage, Possible Cyberattack
Panera Bread has been facing a nationwide IT outage since Saturday, impacting online ordering, POS systems, phones, and other internal systems. All Panera Bread stores remain open but are only accepting cash transactions; loyalty reward redemptions are suspended due to the downtime. In-store kiosks, employee work schedules, and shift details are currently inaccessible. The company's website and mobile app have been down since the incident began, citing "essential system maintenance and enhancements." The customer service phone line is also out of service; Panera Bread has yet to release an official statement regarding the cause of the outage. The widespread impact and timing of the incident point toward a potential cyberattack, particularly as cybercriminals often strike on weekends when businesses have reduced monitoring. As a food chain giant, Panera Bread operates 2,160 bakery cafes in the U.S. and Ontario, Canada, and is part of the Panera Brands family, which includes Caribou Coffee and Einstein Bros Bagels.
2024-03-25 22:21:39 theregister NATION STATE ACTIVITY US Indicts Chinese Nationals for Cyber Espionage Activities
The US charged seven Chinese individuals, allegedly linked to APT31, with cyber espionage against multiple targets, including infrastructure and political figures. APT31, believed to be operated by China's Ministry of State Security, is the same group the UK accuses of attempting to compromise politicians' emails in 2021. Both the UK and the US imposed sanctions on the individuals and a company suspected of being an MSS front, Wuhan Xiaoruizhi Science and Technology. The UK also claims China's agents breached its Electoral Commission and stole data between 2021 and 2022. The US offers a $10 million reward for information leading to the suspects, underscoring its focus on cybersecurity. The indictment reveals the scope of APT31's alleged activities, targeting thousands globally and stealing sensitive data and intellectual property amounting to billions in losses for the US. A report by the Foundation for Defense of Democracies calls for a US Cyber Force, recognizing the growing cyber threat from nation-states like China and Russia.
2024-03-25 21:25:26 bleepingcomputer NATION STATE ACTIVITY U.S. Treasury Sanctions Crypto Exchanges Linked to Russian Darknet
The U.S. Treasury has sanctioned two crypto exchanges, Bitpapa and Crypto Explorer, for transactions with Russian entities. Bitpapa facilitated trades with Hydra Market, the largest darknet market, and Garantex, both OFAC-designated. Hydra Market, before its seizure, had substantial global reach with a large number of seller accounts and customers. Crypto Explorer provided services in Russia and UAE, including cash services linked to sanctioned Russian banks. The sanctions are part of efforts to prevent Russia from circumventing U.S. sanctions amid the Ukraine conflict. Designated entities' assets in the U.S. will be frozen and transactions with them are prohibited without OFAC authorization. Previous actions by OFAC include the sanctioning of Garantex and cryptocurrency mixing services used for money laundering by hacker groups.
2024-03-25 21:20:05 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Crypto Exchanges Linked to Russian Darknet Operations
The U.S. Treasury has sanctioned two cryptocurrency exchanges, Bitpapa and Crypto Explorer, for supporting Russian dark web activities. These exchanges enabled transactions with Hydra Market, the largest darknet market, known for drug sales and money laundering, with over $1.35 billion in turnover in 2020. German police seized Hydra Market's servers and bitcoins worth approximately $38.5 million in April 2022. Crypto Explorer also provided financial services facilitating currency conversions and cash services in Moscow and Dubai. Sanctions include the freezing of U.S. assets and a prohibition on transactions with the sanctioned entities and individuals, and aim to impede Russia's evasion of sanctions related to the conflict with Ukraine. Other Russian fintech firms and their owners were also sanctioned for collaborating with blocked Russian banks to help evade sanctions. Entities with at least 50% ownership by blocked persons are subject to asset freezing, increasing risks for financial institutions engaging with the sanctioned parties.