Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12694

Checks for new stories every ~15 minutes

2024-03-07 10:21:36 thehackernews NATION STATE ACTIVITY Ex-Google Engineer Charged with Stealing AI Secrets for China
A former Google software engineer, Linwei Ding, was arrested for allegedly stealing AI technology secrets to benefit companies in China. More than 500 confidential files about Google's AI supercomputing systems were transferred to Ding's personal account. Prosecutors say the stolen trade secrets gave an unfair competitive advantage to two Chinese technology companies, at which Ding secretly held senior positions (including CEO and CTO) while still employed by Google. To evade detection he reportedly copied proprietary Google source files into the Apple Notes app, exported them as PDFs and uploaded those to his personal cloud account, a path that did not trigger Google's controls on direct file transfers. The indictment also alleges he had another employee scan his Google access badge to make it appear he was in the U.S. while he was in China. If convicted, Ding faces up to 10 years in prison and a $250,000 fine on each of the trade secret counts. The case was announced alongside a separate indictment of a U.S. Air Force civilian employee accused of sending classified information to a supposed female acquaintance on a foreign online dating platform.
2024-03-07 07:43:43 thehackernews MALWARE Sophisticated 'Snake' Info Stealer Targets Facebook Users via Messages
A new Python-based information stealer named "Snake" is spreading through Facebook messages and is built to steal credentials. It exfiltrates the captured data over Discord, GitHub and Telegram. Victims receive RAR or ZIP archives in messages; opening them starts an infection chain that pulls downloaders from a GitLab repository. Cybereason researchers have identified three variants, one packaged with PyInstaller, targeting browsers that are popular mainly among Vietnamese users. The malware's main goal is Facebook account takeover: it exfiltrates session cookies that let the attacker bypass the login and reuse the account for further abuse. The Vietnamese link is supported by the targeting of the Cốc Cốc Browser, the naming conventions used in the repositories and language references in the source code. The disclosure coincides with growing scrutiny of Meta's handling of account takeover incidents and calls for better response mechanisms to protect users. Separately, OALABS documented a campaign that abuses GitHub to host Lua malware, distributed through cloned game cheat websites and SEO poisoning.
2024-03-07 07:33:17 theregister MALWARE VMware Addresses Severe Hypervisor Exploit Risks
VMware issued an urgent security advisory (VMSA-2024-0006) disclosing four vulnerabilities in its hypervisor products ESXi, Workstation and Fusion. The most severe, CVE-2024-22252 and CVE-2024-22253, are use-after-free bugs in the virtual XHCI and UHCI USB controllers. On Workstation and Fusion they are rated critical (CVSS 9.3): an attacker with local administrative privileges inside a guest can execute code on the host. On ESXi the same bugs are rated 8.4, because exploitation is contained within the VMX process that sandboxes each guest VM, so the attacker gets code execution in that sandbox rather than on the hypervisor itself. VMware classified the fixes as an "emergency change" and published a workaround, removing virtual USB controllers from VMs, which is effective but not always practical at scale. Two further issues complete the advisory: CVE-2024-22254, an out-of-bounds write in ESXi that could lead to a sandbox escape but does not give full control of the hypervisor, and CVE-2024-22255, an information disclosure bug in the UHCI controller. For the USB-related flaws VMware points to its hardening guidance: remove virtual devices the VM does not need. Some of the vulnerabilities were found by Chinese researchers competing in the 2023 Tianfu Cup Pwn Contest, underlining the role such events play in surfacing hypervisor flaws.
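The workaround above is to remove virtual USB controllers, and the practical follow-up question is which VMs still have one. The script below is an added example for this brief, not VMware's tooling: it parses .vmx configuration text and reports the USB controllers each VM enables. The configuration keys it looks for (usb.present for the UHCI controller, ehci.present for EHCI, usb_xhci.present for xHCI) are an assumption stated in the code, and the sample .vmx contents are constructed so the script runs offline.

```python
"""Audit .vmx files for virtual USB controllers that the VMSA-2024-0006
workaround says to remove.

Added example, not VMware's code. Assumed .vmx keys (labelled assumption):
  usb.present       -> UHCI controller (USB 1.1), the one CVE-2024-22253 lives in
  ehci.present      -> EHCI controller (USB 2.0)
  usb_xhci.present  -> xHCI controller (USB 3.x), the one CVE-2024-22252 lives in
Sample .vmx contents are constructed, not taken from a real host.
"""
import re
from typing import Dict, List

USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# .vmx lines look like:   key.with.dots = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased because
    VMware treats them case-insensitively. Blank lines and # comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers(cfg: Dict[str, str]) -> List[str]:
    """Return the human-readable names of USB controllers enabled in a parsed config."""
    found = []
    for key, name in USB_CONTROLLER_KEYS.items():
        if cfg.get(key, "FALSE").strip().upper() == "TRUE":
            found.append(name)
    return found


def audit(vms: Dict[str, str]) -> Dict[str, List[str]]:
    """Given {vm_name: vmx_text}, return only the VMs that still carry a USB controller."""
    report: Dict[str, List[str]] = {}
    for name, text in vms.items():
        ctrls = usb_controllers(parse_vmx(text))
        if ctrls:
            report[name] = ctrls
    return report


# Constructed sample .vmx contents for three VMs
SAMPLE_VMS = {
    "build-agent-01": '''.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
ehci.present = "FALSE"
''',
    "db-02": '''displayName = "db-02"
# USB controllers removed per the hardening guide
usb.present = "FALSE"
''',
    "legacy-app": '''displayName = "legacy-app"
ehci.present = "TRUE"
''',
}

if __name__ == "__main__":
    for vm, ctrls in audit(SAMPLE_VMS).items():
        print(f"{vm}: still has {', '.join(ctrls)}")
```

Run against a directory of .vmx files collected from the datastore (for example over SSH or from a backup), feed each file's text into audit(); anything it lists is still exposed to the USB-controller bugs until patched.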
2024-03-07 06:32:12 theregister CYBERCRIME Surge in Stolen ChatGPT Credentials Found on Dark Web
Group-IB, a Singapore-based threat intelligence firm, found more than 225,000 infostealer logs containing ChatGPT credentials offered on dark web markets. The logs were harvested between January and October 2023, and the volume grew 36% in June through October compared with the first five months of the year. Because ChatGPT is widely used for work tasks, a compromised account can expose prompts and conversation history containing sensitive business data. Group-IB had previously found over 100,000 stealer logs with ChatGPT credentials between June 2022 and May 2023, so the theft is rising steadily. The increase tracks a growing number of hosts infected with information stealers, whose logs are then sold in underground markets. Ransomware groups increasingly use stolen credentials from such logs as an initial access vector, and ChatGPT histories can hand them useful internal information. The report recommends multifactor authentication and regular password rotation, especially for ChatGPT accounts used for business.
2024-03-07 06:21:49 thehackernews MALWARE Malware Disguised as Popular Video Conferencing Apps Spreads Worldwide
Threat actors have set up fake websites imitating Zoom, Skype and Google Meet to distribute malware. Zscaler ThreatLabz found the sites pushing remote access trojans: SpyNote for Android, and NjRAT and DCRat for Windows. The lure relies on typosquatting, with domains that closely resemble the legitimate ones to trick users into downloading the installers. The Android download is an APK file, while the Windows download is a batch script that fetches and runs a PowerShell script, which in turn installs the RAT. iOS users are redirected to the legitimate Apple App Store, so they do not appear to be targeted by this campaign. Separately, a new malware family called WogRAT, hosted on a free online notepad service and targeting both Windows and Linux, has been active in several Asian countries. The cybercriminal group TA4903 has also stepped up phishing campaigns since mid-2023 to steal corporate credentials for business email compromise (BEC); it uses QR codes in PDF lures and the EvilProxy adversary-in-the-middle phishing kit, which captures session tokens to bypass two-factor authentication, then carries out invoice fraud and other abuse from the compromised mailboxes.
2024-03-07 06:11:09 theregister NATION STATE ACTIVITY US Lawmakers Push to Divest or Ban TikTok Over Security Concerns
US legislators introduced a bill that would require ByteDance to sell TikTok or face a US ban, citing national security and the protection of user data from foreign influence. The "Protecting Americans from Foreign Adversary Controlled Applications Act" targets apps deemed controlled by foreign adversaries, with severe penalties for non-compliance. TikTok has 170 million monthly active users in the US, so the potential data exposure and the impact of a ban are both substantial. The House Select Committee on the CCP insists the goal is divestment, not censorship, and that ByteDance can keep TikTok operating in the US by selling it. The bill also lets the president designate other foreign adversary-controlled social media applications as national security risks, extending its reach beyond TikTok. Senior intelligence officials have voiced concern about domestic and foreign election interference through social media platforms. The proposal has drawn opposition from groups including the Freedom of the Press Foundation and the ACLU, which argue it infringes First Amendment rights.
2024-03-07 02:22:25 theregister CYBERCRIME Class Action Alleges Google Profits from Persistent Gift Card Scams
Google is accused in a class action lawsuit of profiting from scams involving Google Play gift cards. The complaint claims Google has kept millions of dollars from fraudulent transactions over nearly a decade, because it earns a commission whenever a fraudulently obtained gift card is spent in the Play Store. Similar accusations previously led Apple to settle over iTunes gift card abuse. FTC data shows significant losses to gift card fraud between January 2018 and September 2021, with Google Play cards involved in about 20% of them. Google's policy that gift cards are non-refundable, the lawsuit argues, discourages victims from seeking recovery. Scammers exploit the one-time redemption of gift cards to buy digital goods or resell the codes, and Google benefits from the fees on those purchases. The complaint faults Google for failing to warn consumers adequately and for not helping recover funds when scams are reported.
2024-03-07 00:40:34 theregister CYBERCRIME Ex-Google Engineer Indicted for Stealing AI Trade Secrets
Linwei Ding, a former Google employee, is charged with stealing trade secrets and passing them to two Chinese companies. Ding circumvented Google's security controls and exfiltrated more than 500 confidential documents between May 2022 and May 2023. The documents covered Google's data center technologies, including the architecture and functionality of its GPU and TPU chips and systems. While at Google, Ding moonlighted for a Chinese AI startup and later founded his own company in China, pitching it as able to compete with Google's AI infrastructure. Google's data loss prevention systems did not flag the transfers, and Ding worked remotely from China for about six months without being noticed. He was arrested in Newark, California, and faces four counts of theft of trade secrets; the U.S. Department of Justice stressed its commitment to protecting American technology. Google says it maintains strict safeguards against theft and has cooperated with law enforcement, though the case raises questions about how effective those safeguards were.
2024-03-07 00:35:12 bleepingcomputer CYBERCRIME PetSmart Hit by Credential Stuffing Attack, Resets Passwords
PetSmart has alerted customers to an ongoing credential stuffing attack against their accounts. As a precaution the retailer reset the passwords of any accounts that were accessed during the attack. PetSmart says there is no indication its own systems were breached; the reset is a proactive step. Affected customers must use the "forgot password" link to regain access. Credential stuffing is a common attack in which username and password pairs stolen from one service are replayed against others, succeeding wherever users reused them. Previous victims of similar attacks include PayPal, Spotify, Xfinity and Chick-fil-A, and large sums were stolen from customers of the betting sites FanDuel and DraftKings. PetSmart is the largest pet retailer in the U.S., with over 60 million customers and 1,600 stores nationwide.
2024-03-07 00:29:55 bleepingcomputer CYBERCRIME PetSmart Alerts Customers to Credential Stuffing Attack
PetSmart has warned certain customers about a credential stuffing attack targeting their accounts. Because it could not confirm whether the logins were legitimate, the retailer reset the passwords of accounts that were accessed during the attack. The email notifications say there is no evidence of a breach of PetSmart's systems, but that an increase in password guessing attempts was detected. Customers whose passwords were reset must use the "forgot password" function on the company's website to regain access. Credential stuffing uses login details leaked in other breaches to gain unauthorized access to accounts on different services. Successful attacks can lead to fraudulent purchases, spam or other abuse, and compromised accounts are often resold on the dark web. Past victims include PayPal, Spotify, FanDuel and DraftKings; in the DraftKings case about $600,000 was stolen from breached accounts.
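The two PetSmart items above describe the defender's view of credential stuffing: a spike in failed logins, followed by a reset of every account that was successfully accessed. The script below is an added example (not PetSmart's or any vendor's code) showing how a detection rule can tell stuffing apart from ordinary password brute force in authentication logs, and which accounts then need a reset. The log format (ISO timestamp, ip=, user=, result=OK|FAIL) and the thresholds are assumptions for the example, and the log lines are constructed.

```python
"""Classify login bursts per source IP as credential stuffing or brute force.

Added example, not PetSmart's code. Assumed log format (one event per line):
    <ISO-8601 time> ip=<source> user=<name> result=OK|FAIL
Credential stuffing: one source tries MANY DIFFERENT usernames, about once
each, because it is replaying leaked user:password pairs.
Brute force: one source hammers ONE username with many passwords.
Accounts that logged in successfully from a stuffing source are the ones a
site has to reset, which is what PetSmart did.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


class Verdict(NamedTuple):
    kind: str               # credential_stuffing | brute_force | suspicious | low_volume
    attempts: int
    distinct_users: int
    compromised: List[str]  # users with a successful login from this source


def parse(lines: List[str]) -> Iterator[Tuple[str, str, bool]]:
    """Yield (ip, user, success); lines not in the assumed format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            _, ip, user, result = m.groups()
            yield ip, user, result == "OK"


def classify(lines: List[str], min_attempts: int = 10,
             stuffing_ratio: float = 0.8) -> Dict[str, Verdict]:
    """Return a Verdict per source IP.

    stuffing_ratio compares distinct usernames to total attempts: close to 1.0
    means each username was tried about once (stuffing); close to 0 means one
    or two usernames tried many times (brute force). Thresholds are assumptions.
    """
    attempts: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    successes: Dict[str, Set[str]] = defaultdict(set)
    for ip, user, ok in parse(lines):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip].add(user)

    verdicts: Dict[str, Verdict] = {}
    for ip, n in attempts.items():
        distinct = len(users[ip])
        if n < min_attempts:
            kind = "low_volume"          # too few events to judge
        elif distinct / n >= stuffing_ratio:
            kind = "credential_stuffing"
        elif distinct <= 2:
            kind = "brute_force"
        else:
            kind = "suspicious"          # many attempts, mixed pattern; review by hand
        verdicts[ip] = Verdict(kind, n, distinct, sorted(successes[ip]))
    return verdicts


def build_sample() -> List[str]:
    """Constructed log lines: one stuffing source, one brute-force source, one normal user."""
    lines = []
    # 203.0.113.5 replays 12 leaked username:password pairs; two of them still work
    for i in range(12):
        ok = "OK" if i in (3, 7) else "FAIL"
        lines.append(f"2024-03-06T22:00:{i:02d}Z ip=203.0.113.5 user=user{i:02d} result={ok}")
    # 198.51.100.9 guesses 15 passwords for a single account
    for i in range(15):
        lines.append(f"2024-03-06T22:05:{i:02d}Z ip=198.51.100.9 user=admin result=FAIL")
    # 192.0.2.44 is a real user who mistyped once
    lines.append("2024-03-06T22:10:00Z ip=192.0.2.44 user=carol result=FAIL")
    lines.append("2024-03-06T22:10:09Z ip=192.0.2.44 user=carol result=OK")
    return lines


if __name__ == "__main__":
    for ip, v in classify(build_sample()).items():
        print(f"{ip}: {v.kind} ({v.attempts} attempts, {v.distinct_users} users); reset: {v.compromised}")
```

In production the same aggregation would be keyed on a sliding time window and would also look at user agent and ASN, since stuffing tools rotate through residential proxies to keep the per-IP counts low; the distinct-users-per-attempt ratio is the signal that survives that evasion when you group by the next-best key (ASN, JA3 fingerprint, or device ID).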
2024-03-07 00:24:37 bleepingcomputer CYBERCRIME Hackers Exploit TeamCity Flaw to Create Admin Accounts En Masse
CVE-2024-27198, a critical authentication bypass in TeamCity On-Premises, is being actively exploited, and attackers have used it to create hundreds of administrator accounts on unpatched servers. According to LeakIX, more than 1,440 of roughly 1,700 internet-exposed TeamCity instances already showed signs of compromise. Most of these are production build servers, which raises the risk of supply-chain attacks: an attacker who controls the CI server can tamper with builds and deployments downstream. Rapid7, which reported the flaw, warns that exploitation grants full control over all TeamCity projects, builds, agents and artifacts. The vulnerability affects all TeamCity On-Premises releases through 2023.11.3; JetBrains fixed it in 2023.11.4, also released a security patch plugin for older versions, and urges administrators to update immediately.
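Patching closes the door, but the rogue administrator accounts described above stay behind. The script below is an added example (not JetBrains' or Rapid7's code) that audits a TeamCity user listing for system administrators who are not on your known-admin allowlist. It assumes the JSON shape returned by TeamCity's REST API when users are requested with their roles (user objects carrying a roles.role list with roleId and scope) and that the global administrator role id is SYSTEM_ADMIN with scope "g"; both are stated as assumptions in the code, and the sample payload is constructed rather than captured from a real server.

```python
"""Hunt for unexpected TeamCity system administrators in a users export.

Added example, not JetBrains' or Rapid7's code. Assumptions (labelled):
  - payload has the shape of GET /app/rest/users?fields=user(id,username,roles(role(roleId,scope)))
  - the global administrator role is roleId "SYSTEM_ADMIN" with scope "g"
The sample payload below is constructed.
"""
import json
from typing import List, Set

SYSTEM_ADMIN_ROLE = "SYSTEM_ADMIN"   # assumed TeamCity role id
GLOBAL_SCOPE = "g"                   # assumed scope marker for server-wide roles


def system_admins(payload: dict) -> List[str]:
    """Return, sorted, every username holding SYSTEM_ADMIN in the global scope."""
    admins = []
    for user in payload.get("user", []):
        roles = user.get("roles", {}).get("role", [])
        if any(r.get("roleId") == SYSTEM_ADMIN_ROLE and r.get("scope") == GLOBAL_SCOPE
               for r in roles):
            admins.append(user["username"])
    return sorted(admins)


def rogue_admins(payload: dict, known_admins: Set[str]) -> List[str]:
    """System admins that are not on the allowlist: candidates created by an attacker."""
    return [u for u in system_admins(payload) if u not in known_admins]


def newest_user_id(payload: dict) -> int:
    """Highest user id seen; on a freshly compromised server the rogue accounts
    cluster at the top of the id range, which helps order the cleanup."""
    return max((u.get("id", 0) for u in payload.get("user", [])), default=0)


# Constructed sample: two legitimate admins, one developer, two attacker-created admins
SAMPLE_PAYLOAD = json.loads('''{
  "count": 5,
  "user": [
    {"id": 1,  "username": "admin",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 2,  "username": "ci-ops",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 3,  "username": "dev1",
     "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProject"}]}},
    {"id": 57, "username": "gsHydQ2m",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 58, "username": "support_backup",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
  ]
}''')

KNOWN_ADMINS = {"admin", "ci-ops"}

if __name__ == "__main__":
    for name in rogue_admins(SAMPLE_PAYLOAD, KNOWN_ADMINS):
        print(f"unexpected SYSTEM_ADMIN: {name}")
    print(f"highest user id: {newest_user_id(SAMPLE_PAYLOAD)}")
```

Run it against a fresh export after upgrading; for every unexpected admin also review access tokens, build configurations and VCS root credentials that account touched, since the attacker had the same reach.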
2024-03-06 22:37:47 bleepingcomputer CYBERCRIME WordPress Sites Used as Browsers to Launch Bruteforce Hacks
Attackers are compromising WordPress sites and injecting a script that enlists visitors' browsers in distributed brute-force attacks against third-party sites. Sucuri, which tracked the activity, had earlier seen the same actors inject cryptocurrency drainer scripts that trick visitors into connecting their wallets. They have since switched tactics: the injected script, loaded from 'dynamic-linx[.]com/chx.js', makes each visitor's browser fetch brute-force tasks from the attackers' server and try the supplied credentials against the target sites. More than 1,700 sites have been found carrying the script, giving the attackers a large pool of unwitting visitors to attempt logins from. One notable victim is the website of Ecuador's Association of Private Banks, turned into a launch point against anyone who visits it. Sucuri's researchers suggest the switch lets the attackers operate more quietly while building a larger stock of compromised sites for later, more profitable campaigns.
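The injection described above is visible in the page source: a script tag pointing at a host the site owner never added. The script below is an added example (not Sucuri's code) of the check a site owner or monitoring service can run on each crawl: collect every external script origin on the page and report the ones not on an allowlist. The HTML is constructed for the example and is never fetched from anywhere; the allowlist is an assumption for the sample site.

```python
"""Report third-party <script src> origins on a page that are not on an allowlist.

Added example, not Sucuri's code. The constructed HTML below imitates a
WordPress page carrying the injected dynamic-linx script next to legitimate
first-party and allowlisted third-party scripts. Nothing is fetched.
"""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html: str, page_host: str) -> Set[str]:
    """Hosts of all scripts not served by page_host.

    Handles absolute URLs, protocol-relative //host/x.js URLs, and treats
    root- or document-relative paths as first-party.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts: Set[str] = set()
    for src in collector.srcs:
        if src.startswith("//"):
            host = urlparse("https:" + src).hostname
        elif "://" in src:
            host = urlparse(src).hostname
        else:
            host = page_host              # relative path: served by the site itself
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def unexpected_scripts(html: str, page_host: str, allowlist: Set[str]) -> Set[str]:
    """External script hosts that the site owner did not approve."""
    return {h for h in external_script_hosts(html, page_host) if h not in allowlist}


# Constructed sample page (the hosts in the allowlist are assumptions for the example)
PAGE_HOST = "www.example.org"
ALLOWLIST = {"www.googletagmanager.com", "cdn.example.net"}
SAMPLE_HTML = '''<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://dynamic-linx.com/chx.js"></script>
</head><body>
<script src="//cdn.example.net/slider.js"></script>
<script>console.log("inline, no src");</script>
</body></html>'''

if __name__ == "__main__":
    for host in sorted(unexpected_scripts(SAMPLE_HTML, PAGE_HOST, ALLOWLIST)):
        print(f"unexpected external script host: {host}")
```

Pair the check with a Content-Security-Policy script-src directive listing the same allowlist: the policy blocks the injected script in visitors' browsers, and the crawl tells you the injection happened so you can clean the site.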
2024-03-06 20:55:33 theregister CYBERCRIME FBI Reports Significant Rise in Ransomware Targeting Critical Infrastructure
The FBI's Internet Crime Complaint Center (IC3) logged 880,418 cybercrime complaints in 2023, with reported losses exceeding $12.5 billion. Ransomware complaints rose 18% and the associated reported losses climbed 74% to more than $59.6 million, with critical infrastructure hit hard: 249 incidents in healthcare alone. Ransomware complaints from critical infrastructure organizations grew 37%, and 14 of the 16 designated sectors reported attacks. The variants most often seen against those sectors were LockBit, ALPHV/BlackCat, Akira, Royal and Black Basta. Despite international law enforcement takedowns, the groups persist, as ALPHV/BlackCat's continued activity shows. Investment fraud was the costliest category in 2023 at over $4.57 billion, with cryptocurrency-related investment scams up 53%. Business email compromise (BEC) remained highly profitable as well, with reported losses above $2.9 billion.
2024-03-06 20:35:03 bleepingcomputer CYBERCRIME Hackers Mimic US Agencies in Sophisticated Email Scams
The TA4903 group specializes in business email compromise (BEC) and has been impersonating U.S. government entities, including the Departments of Transportation and Agriculture and the Small Business Administration. Proofpoint reports that TA4903's activity has ramped up since mid-2023, most recently with QR codes embedded in PDF attachments that lead to phishing sites. The PDFs share consistent design and metadata suggesting Nigerian origins, and the QR codes resolve to pages that mimic official U.S. government agency portals. The group has previously used tactics to bypass multi-factor authentication (MFA), though Proofpoint has not observed that this year. TA4903 is financially motivated, runs large-scale email campaigns, and has recently shifted focus from government impersonation toward small businesses. The multi-stage nature of the attacks gives defenders several detection opportunities, and a layered defense is recommended.
2024-03-06 18:22:43 theregister CYBERCRIME Fidelity Reports Theft of Customer Data in Infosys Ransomware Attack
Nearly 30,000 Fidelity Investments Life Insurance Company customers' personal and financial information may have been compromised in a cybersecurity incident at Infosys. Infosys McCamish Systems (IMS), which runs IT systems for Fidelity, suffered a ransomware attack attributed to the LockBit group, exposing the data. The exposed information includes names, Social Security numbers, bank account details, credit and debit card numbers and security codes, enough for financial fraud and identity theft. The incident ran from October 20 to November 2, affecting IMS's service to both Fidelity and Bank of America, with more than 85,000 individuals' information potentially stolen across the two clients. Fidelity has been working with IMS to investigate the breach, contain its consequences and restore secure services. LockBit claimed responsibility shortly after Infosys disclosed the incident, although part of the gang's infrastructure has since been taken down by law enforcement. Fidelity and Bank of America have both notified affected customers and are still assessing the full extent of the breach.