Daily Brief
Total articles found: 12694
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-06 18:17:15 | bleepingcomputer | MALWARE | Duvel Brewery Operations Halted by Ransomware Attack | Duvel Moortgat Brewery, known for its range of popular Belgian beers, was hit by a ransomware attack that stopped its beer production. The company's automated threat detection systems identified the attack, which occurred late at night, prompting an immediate pause in production. Duvel's communications manager reported that while the restart date for production is uncertain, there should be no impact on beer distribution due to ample stock. Beer enthusiasts online reacted with humor but also expressed concerns over a potential increase in beer prices if the disruption is prolonged. The extent of the attack on other company facilities is unclear, and no ransomware group has yet claimed responsibility for the incident. BleepingComputer reached out to Duvel for further information, but no immediate response was provided. There is currently no information about whether the attack led to data theft or extortion, only that brewing operations are affected. |
| 2024-03-06 17:31:15 | bleepingcomputer | CYBERCRIME | Canadian Anti-Money Laundering Agency Hit by Cyber Incident | The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) experienced a cyber incident that led it to take its corporate systems offline as a precaution. FINTRAC stated that no intelligence or classified systems were breached and that sensitive information remains secure. Immediate actions included collaborating with federal partners to restore operations and strengthen future cybersecurity defenses. The nature of the attack and the identity of the threat actors involved have not been disclosed, and no claims of responsibility have been observed. The incident is part of a recent wave of security breaches affecting various Canadian institutions, including the RCMP, TNPI, Toronto Zoo, and MUN. The steady stream of attacks highlights a period of heightened cybersecurity challenges for Canada. |
| 2024-03-06 17:05:34 | theregister | CYBERCRIME | Apple Patches iOS Zero-Days and Bows to EU Rules | Apple has patched four vulnerabilities in iOS and iPadOS, including two zero-days that were reportedly exploited in the wild. The patched zero-days, identified as CVE-2024-23225 and CVE-2024-23296, could allow attackers who already have kernel read and write access to bypass memory protections. Fixes have been implemented in the current iOS and iPadOS 17.4, along with a dedicated update for older 16.x devices no longer supported by the latest OS releases. Details of the attacks involving the exploited zero-days and the severity of the vulnerabilities remain undisclosed, with the National Vulnerability Database still evaluating them. Apple also addressed two lesser vulnerabilities: CVE-2024-23243, discovered by a student, affecting location data privacy, and CVE-2024-23256, related to Safari's locked private browsing tabs feature. The updates go beyond security fixes and include features mandated by the EU's Digital Markets Act, such as offering users a choice of browser engines and app download sources. |
| 2024-03-06 17:00:16 | thehackernews | MALWARE | Sophisticated Crypto Mining Malware Targets Cloud Services | Hackers are exploiting misconfigured servers, including Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis, to mine cryptocurrency and establish remote access. Targets are selected using masscan or pnscan to detect vulnerable services, followed by automation tools delivering Golang-based exploit payloads. Once a host is compromised, the attackers install rootkits and the Platypus reverse shell utility to conceal their presence and continue operations. The 'Spinning YARN' campaign is linked to known hacker groups such as TeamTNT and WatchDog and shows an advanced understanding of cloud weaknesses. Uptycs identified similar attacks by the 8220 Gang, which targets cloud infrastructure via known Apache Log4j and Atlassian Confluence Server flaws. These attacks involve a range of evasive maneuvers, including disabling security features and modifying firewall rules to remain undetected. Cryptocurrency mining is a notable motive, but the attackers also engage in other threats, including ransomware attacks on cloud and Linux infrastructure. The cloud security landscape requires heightened vigilance given the increased targeting of cloud services and the technical sophistication of the threat actors. |
| 2024-03-06 15:43:45 | bleepingcomputer | CYBERCRIME | VMware Addresses Critical Virtual Machine Escape Vulnerabilities | VMware has patched critical vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation that could allow attackers to escape virtual machine sandboxes. The flaws, with CVSS scores up to 9.3, could enable unauthorized access to the host system and other virtual machines, undermining security isolation. The CVE identifiers assigned to the vulnerabilities range from CVE-2024-22252 to CVE-2024-22255. Workarounds include removing USB controllers from VMs, which might affect peripheral connectivity; patches are also available for older versions. VMware stresses the importance of quick patch deployment despite no reports of active exploitation and advises admins to subscribe to its mailing list for updates. The company has released a FAQ to guide users through fixing or mitigating the vulnerabilities for various product configurations. |
| 2024-03-06 15:13:00 | thehackernews | CYBERCRIME | BlackCat Ransomware Group Disappears After Alleged Exit Scam | The BlackCat ransomware group has abruptly shut down its operations and potentially executed an exit scam following a purported $22 million ransom payment from a healthcare unit. Security experts have debunked the group's claim of being seized by law enforcement, revealing inconsistencies in the code of the posted seizure notice. The U.K.'s National Crime Agency confirmed it had no involvement in any disruption of BlackCat's online infrastructure. A disgruntled affiliate accused BlackCat of absconding with the full ransom amount, prompting speculation of an exit scam and a possible future rebranding of the group. BlackCat, known in earlier iterations as DarkSide and BlackMatter, had previously regained control of its infrastructure after a seizure in December 2023, highlighting its resilience to law enforcement actions. The group's closure aligns with shifts in the ransomware landscape, including LockBit moving its activities to a new dark web portal and RA World's continued infiltration of various sectors since April 2023. |
| 2024-03-06 12:34:51 | theregister | CYBERCRIME | Capita Reports Over £100M Loss Partly Due to Cyberattack | Capita has reported a significant net loss of £106.6 million for 2023, impacted by a costly cyberattack. The Black Basta ransomware group's attack in March last year cost Capita an estimated £25.3 million. The company's market value dropped 20% following the announcement of its losses. CEO Adolfo Hernandez announced further cost-cutting measures, targeting savings of £100 million by mid-2025. Despite the cyberattack, Capita continues to secure government contracts, including a £239 million pension scheme management deal. Capita's customer net promoter score dropped due to the cyberattack's impact on its pensions administration business. The company is cooperating with the Information Commissioner's Office and does not currently expect a regulatory penalty. Ongoing dark web monitoring has not indicated further circulation of the data stolen in the attack. |
| 2024-03-06 12:14:05 | bleepingcomputer | MALWARE | Golang Malware Targets Misconfigured Servers in Automated Campaign | Hackers are exploiting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis using sophisticated Golang-based malware. The campaign uses configuration weaknesses to introduce malware that performs unauthorized cryptocurrency mining and establishes a backdoor. New Golang payloads (h.sh, d.sh, w.sh, c.sh) automate the discovery and exploitation of vulnerable services while attempting to stay under the radar. The payloads exploit old vulnerabilities, such as CVE-2022-26134 in Atlassian Confluence, to execute unauthenticated remote code on the server. Cado Security uncovered the campaign when a Docker API honeypot was compromised, leading to an investigation that revealed a multi-stage attack script. The threat actors use shell scripts and common Linux tactics to install miners, create persistence, and remove traces of the initial access. Despite widespread malware detection, the four new Golang binaries remain mostly undetected by antivirus engines, suggesting the campaign began recently. Cado Security has shared a technical analysis and indicators of compromise to support industry awareness and defense against this campaign. |
| 2024-03-06 11:38:17 | thehackernews | MISCELLANEOUS | Innovative Reflectiz Platform Boosts Website Security & Compliance | Reflectiz offers a sandbox solution that continuously monitors web applications for security threats, compliance risks, and privacy issues. The platform provides visibility into hidden website elements and third-party web apps that can introduce security risks or regulatory non-compliance. Reflectiz uses automated detection cycles and a proprietary browser to dynamically analyze web page activity and identify immediate risks. The service includes a rating system to benchmark a website's exposure to various threats, based on continual monitoring and analysis. An inventory system within Reflectiz allows for easy management of, and immediate action on, risky scripts and data items. Reflectiz has introduced a PCI Dashboard add-on to meet the upcoming PCI DSS v4.0 requirements for compliance reporting and real-time script monitoring. The platform enables clients to establish a security baseline and alerts on unauthorized changes to website elements, reducing the frequency of false alerts. Reflectiz emphasizes a proactive approach to security and offers a 30-day free trial to demonstrate the platform's web exposure management capabilities. |
| 2024-03-06 09:51:23 | thehackernews | MISCELLANEOUS | Enhancing Google Drive Security with Material's Innovative Toolkit | The article discusses the new Data Protection for Google Drive by Material Security, designed to manage the sharing of sensitive data and permissions within Google Drive. Many Google Workspace administrators struggle with confidential information being shared in an uncontrolled manner, which creates security risks. Correctly identifying and managing these risks is difficult using the standard tools Google provides, such as the Workspace admin dashboard or the Drive API. Material Security offers a data platform that integrates with Google Workspace, enabling detailed inspection of historical and current file contents, metadata, permissions, and sharing settings. The system allows precise searches and activity-based filtering to uncover risky sharing practices and automatically revokes improper access without disrupting productivity. Automated remediation workflows distinguish between valid and invalid sharing scenarios, helping to maintain a secure yet productive environment. Material Security emphasizes the importance of strong security within productivity suites, which it considers critical infrastructure for organizations. The article ends by encouraging readers to schedule a demo with Material Security for a closer look at its Google Drive data protection capabilities. |
| 2024-03-06 08:29:32 | theregister | NATION STATE ACTIVITY | SEMI Urges EU to Limit Export Controls on Chip Technology | SEMI, an industry association for chip vendors, has opposed the EU's plan to impose export controls on China. The group emphasizes that such controls should be a "last resort" for national security purposes. SEMI warns that the European Commission's proposed measures could deter foreign investment and disrupt complex semiconductor supply chains. According to SEMI, the European Chips Act could be jeopardized by excessive foreign investment screening. SEMI suggests that rather than restricting outbound investments, the EU should focus on economic security and preventing technology leakage. The association argues for a balanced approach to economic opportunities and global market access for EU companies. SEMI's stance comes amid US restrictions on investments in China and highlights the importance of investment in advancing semiconductor capabilities. |
| 2024-03-06 07:38:20 | thehackernews | NATION STATE ACTIVITY | U.S. Sanctions Spyware Consortium for Targeting Officials, Journalists | The U.S. Treasury Department sanctioned individuals and entities linked to the Intellexa Alliance for distributing harmful spyware. Intellexa's software, including Predator, was used against U.S. officials, journalists, and policy experts by unnamed foreign actors. OFAC highlighted the security risks and human rights concerns stemming from the misuse of commercial spyware, citing its use to repress dissidents worldwide. The Intellexa Alliance and related companies had previously been placed on the U.S. Entity List, restricting their business operations. Predator spyware can infiltrate mobile devices without user interaction, allowing operators to collect sensitive information and conduct surveillance. Recent U.S. policy allows visa restrictions on foreign individuals involved in the misuse of commercial spyware. The Treasury Department emphasizes the importance of responsible development and use of surveillance technologies to protect human rights and civil liberties. |
| 2024-03-06 07:22:45 | thehackernews | MALWARE | VMware Releases Patches to Neutralize Critical Security Vulnerabilities | VMware has issued security updates for critical use-after-free vulnerabilities in its ESXi, Workstation, and Fusion software. The flaws, identified as CVE-2024-22252 and CVE-2024-22253, could enable code execution on affected systems. The vulnerabilities carry CVSS scores of up to 9.3 and could allow attackers with local access to compromise the host system. Because of their severity, patches have been released for VMware software versions that are end-of-life (EoL) as well. Security researchers from Ant Group Light-Year Security Lab and QiAnXin discovered and reported the vulnerabilities. As a temporary measure, VMware recommends that customers remove all USB controllers from virtual machines to mitigate potential exploitation. The default keyboard and mouse input devices are unaffected, as they do not use the USB protocol within the virtual machines. |
| 2024-03-06 07:17:29 | thehackernews | CYBERCRIME | GhostSec Partners with Stormous for Global Ransomware Campaign | GhostSec, in collaboration with the Stormous ransomware group, has initiated widespread double extortion ransomware attacks across more than 15 countries. A ransomware-as-a-service (RaaS) program named STMX_GhostLocker has been launched, offering both free and paid services to affiliates. Key business sectors targeted by these attacks include technology, education, manufacturing, government, and energy, among others. The Five Families coalition, which includes GhostSec, is strengthening its underworld Internet connections to expand its operations. GhostLocker 2.0, advertised for its fast encryption, introduces a new ransom note and a web panel for affiliates to manage their attacks. Talos researchers uncovered two additional tools used by GhostSec: a deep website scanning toolset and GhostPresser, designed to compromise WordPress sites. The group's activities illustrate a broadening toolkit and increased sophistication in attacking and exploiting vulnerabilities in legitimate websites and services. |
| 2024-03-06 07:01:59 | thehackernews | NATION STATE ACTIVITY | Lotus Bane: Emerging APT Group Targeting Vietnamese Financial Sector | A new advanced persistent threat (APT) group, dubbed Lotus Bane, has been identified targeting a financial entity in Vietnam. The Singapore-based cybersecurity firm Group-IB revealed that Lotus Bane has been operational since at least 2022, employing tactics such as DLL side-loading and the use of named pipes for malicious communication. Lotus Bane's modus operandi shares similarities with the known Vietnamese APT group OceanLotus (APT32), especially in its use of the PIPEDANCE malware. Although the full scope of Lotus Bane's activities is not yet clear, the sophistication of its attacks suggests the potential for broader operations across the Asia-Pacific (APAC) region, mainly within the banking sector. The discovery underscores the ongoing threat of APT groups targeting financial institutions in APAC, Europe, Latin America, and North America, including other groups such as UNC1945 attacking ATM systems. The presence of threat actors like Lotus Bane and UNC1945 emphasizes the complexity of cyber threats and the importance of robust cybersecurity measures in protecting the financial industry. |