Daily Brief

Articles are listed below with generated summaries.
2024-01-18 14:50:54 | thehackernews | MALWARE | Russian COLDRIVER Hackers Deploy Custom SPICA Malware in Phishing Attacks
Google's Threat Analysis Group reported new activity by the Russian-linked hacker group COLDRIVER involving custom malware. COLDRIVER has long been known for phishing campaigns but has recently developed a malware called SPICA, written in Rust. The malware is delivered via PDFs that, once opened, prompt victims to download a fake decryption tool that leads to system compromise. Targets are primarily in the defense, government, and energy sectors in the U.K., the U.S., other NATO countries, and countries neighboring Russia. SPICA allows command execution, theft of browser cookies, and file manipulation, and establishes persistence on the infected machine via scheduled tasks. The campaign's infrastructure, including phishing domains and servers linked to indicted Russian operatives, has been added to Google's Safe Browsing blocklists to mitigate the risk.
2024-01-18 14:04:17 | theregister | MALWARE | Google Finds New Kremlin-Linked Malware Targeting Western Entities
Google's Threat Analysis Group (TAG) has uncovered a custom backdoor, known as SPICA, associated with Kremlin cyber spies. The cyber espionage group, tracked as COLDRIVER by TAG, has been actively targeting military, government, and academic institutions in the US, UK, NATO countries, and Ukraine. COLDRIVER, also known as Star Blizzard, UNC4057, and Callisto, previously focused on credential phishing but has since expanded its techniques to include malware distribution. SPICA, written in Rust, is capable of executing shell commands, stealing browser cookies, and transferring files; TAG observed its use as early as September 2023, with roots tracing back to at least November 2022. Deployment of SPICA involves sophisticated social engineering: the attackers impersonate known contacts of the target via email and use personal email accounts to circumvent stronger governmental security measures. Google TAG has released indicators of compromise to help organizations identify potential breaches by this backdoor and has observed highly targeted campaigns involving the malware. Government agencies and companies such as Microsoft have reported on COLDRIVER's evolving phishing tactics and improved evasion techniques, highlighting the increased threat level from this group.
2024-01-18 14:04:16 | bleepingcomputer | NATION STATE ACTIVITY | Google Unveils New FSB-Linked Spica Backdoor Malware Attacks
Google's Threat Analysis Group discovered a new backdoor malware, named Spica, used by Russian-backed hackers. The ColdRiver group, linked to Russia's FSB, used phishing emails with encrypted PDF lures to distribute the Spica backdoor. The PDF documents appeared to be encrypted, and recipients were directed to download a fake PDF decryptor that installed Spica. The Spica malware allows attackers to run shell commands, steal browser cookies, transfer files, and exfiltrate documents from infected devices. The malware establishes persistence on targeted systems by creating a scheduled task named 'CalendarChecker.' Google has alerted all compromised Gmail and Workspace users of the government-backed attack and bolstered Safe Browsing protections with the relevant domains. ColdRiver, also known as Callisto Group, Seaborgium, and Star Blizzard, has been active since 2015 and is known for sophisticated OSINT and social engineering tactics. The U.S. State Department is offering rewards of up to $10 million for information leading to ColdRiver threat actors, emphasizing the severity of their activities.
2024-01-18 12:36:54 | thehackernews | CYBERCRIME | TensorFlow CI/CD Vulnerability Risked Supply Chain Security
Critical CI/CD misconfigurations were found in the open-source machine learning framework TensorFlow that could have enabled supply chain attacks. Attackers could have compromised TensorFlow's GitHub and PyPI releases or gained remote code execution via a malicious pull request. An external attacker had the potential to obtain a GitHub Personal Access Token (PAT) and upload malicious code to the TensorFlow repository. The flaw stemmed from the use of self-hosted GitHub runners with public repositories, which can execute arbitrary code from a pull request without explicit approval. Security researchers from Praetorian identified non-ephemeral self-hosted runners and overly permissive GITHUB_TOKEN permissions, opening extensive privilege escalation paths. Among the risks was the ability to push malicious code updates or poison the Python package registry with a tainted .whl file. TensorFlow maintainers fixed the issues by requiring approval for pull requests from forks and setting read-only permissions for GITHUB_TOKEN in self-hosted runner workflows. The incident highlights a growing trend of CI/CD-related threats, with AI/ML companies at particular risk due to their heavy reliance on self-hosted runners for resource-intensive workflows.
2024-01-18 12:06:16 | thehackernews | CYBERCRIME | Best Practices to Mitigate Rising MFA Spamming Attacks
Multi-factor authentication (MFA) is being targeted by cybercriminals using a technique called MFA spamming, or MFA fatigue, to bypass security. MFA spamming involves bombarding a user with repeated MFA prompts in the hope that they will eventually approve an unauthorized login. Attackers first need the victim's username and password to trigger MFA prompts; these can be acquired through phishing, credential stuffing, or dark web marketplaces. To combat MFA spamming, enforcing strong password policies and blocking known breached passwords is essential. Regularly training users to recognize and respond appropriately to suspicious MFA requests can prevent unauthorized account access. Rate limiting authentication requests and monitoring for unusual MFA activity are recommended to curtail MFA spamming attacks. Organizations are encouraged to adopt Specops Password Policy with Breached Password Protection and to use tools like Specops uReset for swift password resets to strengthen defenses against these attacks.
2024-01-18 11:04:50 | bleepingcomputer | CYBERCRIME | Hackers Exploit Docker Hosts for Website Traffic Hijacking
Attackers are breaching vulnerable Docker services to deploy an XMRig miner and the 9hits viewer app, abusing system resources for profit. The compromised Docker hosts participate in a traffic exchange on the 9hits platform, where members mutually drive traffic to each other's websites. This is the first recorded instance of malware deploying the 9hits application, signaling a new monetization method among attackers. The attackers likely use network scanning tools to find exposed servers, then deploy containers via the Docker API using legitimate images from Docker Hub. The 9hits container runs with the attacker's session token, allowing them to accrue credits for visiting websites without risk of being banned. The XMRig miner uses the cloud resources to mine Monero cryptocurrency, while the 9hits viewer consumes significant bandwidth, memory, and CPU. This illicit use of cloud computing resources leads to resource exhaustion, degrading legitimate workloads on infected servers. Cloud computing stakeholders are urged to adopt comprehensive security strategies, including zero-trust models, CWPP, and CSPM, to guard against resource abuse and unauthorized access.
2024-01-18 10:18:35 | theregister | DDOS | Botnet Hijacks Smart TVs for DDoS Attacks and Propaganda
An eight-year-old cybercrime syndicate known as Bigpanzi is behind a massive botnet that infects smart TVs to conduct DDoS attacks and spread political propaganda. At its peak the botnet operated over 170,000 bots per day, compromising Android-based smart TVs and streaming devices through pirated apps and firmware updates. Infection occurs when users are tricked into downloading malicious apps onto their TVs, after which the devices are used for cybercrime, including streaming hijacks that recently disrupted broadcasts in the UAE. The operation has connections to the infamous Mirai botnet, with the pandoraspear malware enhancing its DDoS capabilities. Researchers from Qianxin have narrowed the identity of the perpetrators down to a single company but have not publicly disclosed it. The criminals have adapted by shifting their DDoS activity to a separate botnet and have retaliated against security researchers probing their operations. Although the scale of the infection is significant, its true extent is not fully understood because researchers only gained access to two of the nine C2 domains. The cybersecurity community is encouraged to collaborate on tracing and countering the Bigpanzi group.
2024-01-18 09:37:42 | theregister | MISCELLANEOUS | Trends in Cloud Security: Platform Integration Over Point Solutions
Organizations are transitioning from legacy point-based cloud security to integrated platforms for improved efficiency and security. Integrated platforms like Trend Vision One are favored for operational efficiencies, tool consolidation, and streamlined compliance. Such platforms offer comprehensive, automated protection across cloud environments, including hybrid setups. Trend Vision One Cloud Security caters to organizations at any stage of cloud maturity and supports a wide array of deployment models. The solution includes CNAPP capabilities, protecting virtual machines, containers, serverless functions, and other components across the application lifecycle. Flexible deployment options allow organizations to set up the service in minutes, adapting to different security needs. Trend Cloud Security is also available through AWS Marketplace with a 30-day free trial. This integrated approach signals a move toward cohesive cloud security strategies that could simplify management and improve threat response.
2024-01-18 09:27:12 | thehackernews | CYBERCRIME | Multiple UEFI Vulnerabilities Threaten Millions of Devices
Security flaws branded PixieFail were found in the open-source reference implementation of the UEFI specification that is widely used in computers. Nine vulnerabilities in TianoCore EFI Development Kit II (EDK II) could lead to remote code execution, denial of service, DNS cache poisoning, and data leaks. UEFI firmware from major vendors such as AMI, Intel, Insyde, and Phoenix Technologies could be affected. The flaws exist in EDK II's NetworkPkg and affect both IPv4 and IPv6, enabling attacks even before the operating system boots. Quarkslab identified weaknesses ranging from overflow bugs to weak pseudorandom number generation that could facilitate information theft and network exploits. The CERT Coordination Center has issued advisories on these vulnerabilities, stating that local or remote attackers could exploit them under certain conditions. For the security community, the implication is the need to patch and update firmware to prevent exploitation.
2024-01-18 04:20:55 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Target Experts in Middle East Espionage Campaign
A sophisticated Iranian cyber espionage group known as Mint Sandstorm is targeting academics and experts on Middle Eastern affairs across several countries. Microsoft Threat Intelligence identified the group's new tactics, including the use of a previously unknown backdoor, MediaPl. The attacks focus on individuals with knowledge of the Israel-Hamas conflict, using social engineering via phishing emails that pose as journalists. Mint Sandstorm is linked to Iran's Islamic Revolutionary Guard Corps (IRGC) and employs advanced post-intrusion techniques. The group uses legitimate but compromised email accounts to build trust before delivering malicious links and files. Two custom malware families, MischiefTut and MediaPl, are used for system reconnaissance and encrypted communication with command-and-control servers. Microsoft warns of the group's growing sophistication in evading detection and maintaining persistent access to compromised systems. The article also references the historical use of cyber tactics in the context of Stuxnet, a malware reportedly deployed against an Iranian nuclear facility.
2024-01-18 02:03:34 | theregister | DATA BREACH | Insurance API Flaw Exposes 650K Emails and Office 365 Password
A security researcher discovered a misconfigured server at Toyota Tsusho Insurance Broker India (TTIBI), exposing over 650,000 emails. The vulnerability was first reported privately to TTIBI five months before public disclosure, yet the firm had not changed the compromised password. The issue stemmed from a buggy API in an Android app developed by Eicher Motors, which included a client-side email sending mechanism. The exposed API allowed sending emails with any subject and body from a genuine Eicher email address, and server error messages revealed the Base64-encoded Office 365 account password. The noreply account used for automated customer emails also granted access to all the emails it had sent, including sensitive customer information and password reset links. Although the API was fixed to add an authentication check, as of the researcher's last check the password for the affected email account had not been changed. There has been no immediate response from TTIBI or Eicher Motors regarding the disclosed security lapse and the access to customers' personal data.
2024-01-17 23:26:05 | theregister | CYBERCRIME | GPU Security Flaw Exposes AI Data on Shared Systems
A security vulnerability in GPUs from Apple, Qualcomm, AMD, and possibly Imagination allows unauthorized access to data on shared systems. The flaw, tracked as CVE-2023-4969 and named LeftoverLocals, lets attackers spy on machine-learning models, including language models, by exploiting a failure of GPU memory isolation. Attackers on shared servers can observe and potentially steal sensitive data used by machine-learning applications, with around 5.5 MB leakable per GPU invocation. The exploit requires the ability to run code on the shared GPU and is a concern for cloud-based AI systems because of the volume of sensitive data they process. The Trail of Bits research team disclosed the vulnerability to vendors and the CERT Coordination Center starting in September 2023, and mitigations are being rolled out. AMD is releasing driver updates with mitigations starting in March, Google has patched affected ChromeOS devices, and Apple has fixes for certain processors. Unlike Apple, Qualcomm, AMD, and Imagination, Nvidia and Arm GPUs are not affected by this particular issue.
2024-01-17 22:09:14 | bleepingcomputer | DATA BREACH | Have I Been Pwned Integrates 71 Million Compromised Emails
Have I Been Pwned has added nearly 71 million email addresses from the compromised Naz.API dataset to its breach notification service. The Naz.API dataset, unrelated to NAS devices, comprises over 1 billion stolen credentials gathered from credential stuffing lists and information-stealing malware. Credential stuffing lists contain stolen login details that are reused to access other sites, while information-stealing malware harvests a variety of data from infected computers. Illicit.services, an OSINT platform, had used the Naz.API dataset and was initially shut down due to abuse but later reopened. The collected data includes various personal details and is traded, used in cyberattacks, or given away to build a hacker's reputation. Troy Hunt of Have I Been Pwned received the dataset from a tech company that was addressing a bug bounty submission; the data contained one of his own outdated passwords. Users are advised to change passwords for all accounts storing sensitive information and to move cryptocurrency to new wallets because of the potential exposure.
2024-01-17 20:42:46 | bleepingcomputer | NATION STATE ACTIVITY | Iranian Hackers Use New MediaPl Malware Against Researchers
Iranian state-backed hackers linked to the APT35 group have launched spearphishing attacks against researchers and university staff in Europe and the US to deploy the new MediaPl malware. Microsoft identified this subgroup of APT35, also known as Charming Kitten or Phosphorus, as using sophisticated phishing emails to socially engineer targets. The MediaPl backdoor is designed to resemble Windows Media Player and uses encrypted communication with its command-and-control server to avoid detection. Additionally, MischiefTut, a PowerShell-based malware, assists in dropping tools and performing reconnaissance on infected systems. The campaign focuses on stealing sensitive information from high-value targets and appears particularly interested in individuals with insight into Middle Eastern affairs. APT35 has a history of backdooring companies with the previously unknown Sponsor malware and of targeting macOS systems with NokNok malware. Another Iranian group, known as APT33, has been targeting defense organizations and contractors worldwide with password spray attacks and the new FalseFont malware since February 2023.
2024-01-17 18:55:24 | bleepingcomputer | MALWARE | Bigpanzi Botnet Compromises Over 170,000 Android TV Boxes
Bigpanzi, a covert cybercrime syndicate, has infected 170,000 Android TV and eCos set-top boxes, turning them into bots, and has been operating since at least 2015. According to Qianxin Xlabs, the botnet, which primarily affects Brazil, spreads its malware through fake firmware updates and backdoored apps. Bigpanzi monetizes the botnet through illegal streaming, traffic proxying, DDoS attacks, and over-the-top (OTT) content delivery. Its malware, pandoraspear, is a backdoor trojan that enables DNS hijacking, command execution, and communication with a command and control server. Another tool, pcdn, builds a peer-to-peer content distribution network (CDN) with DDoS capabilities, adding a further attack vector. After hijacking two C2 domains, Xlabs observed 170,000 daily active bots and over 1.3 million unique IPs since August, suggesting an even larger network. The scale of the operation suggests that only a fraction of Bigpanzi's activities have been uncovered, and cybersecurity analysts are continuing their investigations. Artifacts linked to a suspicious YouTube channel were found, but no specific attribution has been publicly disclosed; those details are likely reserved for law enforcement.