Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12681
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-21 13:10:47 | thehackernews | NATION STATE ACTIVITY | Mustang Panda Deploys Advanced DOPLUGS Backdoor in Asia | Mustang Panda, a China-linked threat actor, has utilized an advanced form of PlugX malware, called DOPLUGS, to target multiple Asian countries. The DOPLUGS variant is designed primarily as a downloader for the full-feature backdoor and has been actively used against Taiwan, Vietnam, and other Asian regions. The cyber espionage group carries out spear-phishing campaigns to deploy its custom malware and has a history of creating specialized PlugX versions. Researchers identified a new strain of the DOPLUGS malware that uses the Nim programming language and its own RC4 decryption method instead of standard Windows libraries. DOPLUGS was first identified by Secureworks in September 2022 and includes backdoor commands that enable further malicious downloads and control by Mustang Panda. Trend Micro discovered that DOPLUGS also hosts the KillSomeOne module, which is adept at spreading via USB drives and conducting document theft and information collection. The continual refinement of their tools indicates that Mustang Panda remains highly active and poses a persistent threat, especially in Europe and Asia. | Details |
| 2024-02-21 11:33:52 | thehackernews | MISCELLANEOUS | Streamlining SaaS Identity Governance with Automated Solutions | SaaS identity governance is a challenging task for IT teams due to the need to manage numerous applications and their individual security settings and controls. Nudge Security offers a SaaS security and governance solution to simplify this process, involving automated workflows and engagement with application owners. The tool helps to discover and categorize all SaaS apps within an organization, providing security profiles and allowing IT teams to greenlight or reject apps through automated notifications. It facilitates the creation and sharing of an approved app directory among employees, streamlining the process of requesting and granting access while maintaining centralized governance. Nudge Security automates the determination of each app's likely technical contact and periodically verifies ownership, reducing administrative overhead. The solution allows for the automation of user access reviews, ensuring compliance with various standards and generating reports for auditors. Unused and abandoned SaaS accounts can be easily identified and purged, providing cost savings and keeping account statuses up-to-date with visually appealing analytics. Nudge Security ensures thorough offboarding of employees by identifying all accounts associated with their organization's email, managing OAuth grants, and revoking access to minimize security risks. The company offers a free 14-day trial, coupled with a free risk assessment from Vanta to assess security and compliance posture and uncover shadow IT. | Details |
| 2024-02-21 09:26:42 | thehackernews | CYBERCRIME | Ransomware Crisis Disrupts Patient Care in U.S. Hospitals | Thanksgiving Day 2023 saw a ransomware attack on U.S. hospitals, with systems failing and ambulances diverted, resulting in compromised patient care. Cybercriminals are increasingly targeting small to mid-sized healthcare organizations to steal sensitive data and extort ransoms, resulting in impaired healthcare delivery. The U.S. Department of Health and Human Services (HHS) has documented a 93% increase in large data breaches from 2018 to 2022, with ransomware breaches going up by 278%. Phishing attacks, particularly via email, have become the leading method of compromising healthcare systems, with over 90% of cyberattacks on these organizations stemming from such scams. Small to mid-sized businesses (SMBs) often lack dedicated cybersecurity experts due to budget constraints, and healthcare organizations spend less than 6% of their IT budgets on cybersecurity, making them easier targets. The article stresses the importance of adopting a defense-in-depth approach to cybersecurity in healthcare, advocating for multi-factor authentication (MFA), security awareness training (SAT), and managed endpoint detection and response (EDR) as protective measures. Huntress is offered as a solution for healthcare cybersecurity, providing a managed EDR service monitored by a Security Operations Center 24/7, able to prevent, detect, and remediate cyber threats. | Details |
| 2024-02-21 08:25:30 | theregister | NATION STATE ACTIVITY | EU's NIS2 Directive Aims to Enhance Cybersecurity Across Europe | The EU's updated NIS2 Directive addresses the rising threat levels and increased cyberattacks, strengthening cybersecurity requirements. NIS2 is set to become law in October 2024, imposing stricter measures on over 160,000 companies, with penalties up to €10 million for non-compliance. The directive expands the scope of organizations and sectors covered, intending to safeguard the security of supply chains and critical infrastructure. Reporting obligations have been streamlined under NIS2, aiming to facilitate a more effective cybersecurity regime across member states. A webinar is scheduled on February 28 to discuss the directive's details, relevant articles, and compliance strategies, featuring cybersecurity experts Dr. Carsten Huth and Reinier Landsman. Early preparation for the NIS2 Directive is essential for organizations to avoid sanctions and enhance their cybersecurity practices in line with EU regulations. The webinar is supported by Checkmarx, an application security testing firm, encouraging interested parties to sign up for insights into NIS2 compliance. | Details |
| 2024-02-21 08:20:14 | theregister | CYBERCRIME | Surge in Cyber Attacks Using Stolen Legitimate Credentials | IBM X-Force and CrowdStrike reports indicate a sharp rise in cyber attacks utilizing valid credentials, with IBM noting a 71% increase in such attacks. Compromised valid accounts are now the most common initial access point for cybercriminals, constituting 30% of incidents X-Force responded to in 2023. Cloud account credentials are highly sought after in dark web markets, making up 90% of for-sale cloud assets. Even though phishing remains a prevalent threat, the overall volume has decreased by 44% from the previous year, partially due to attackers favoring legitimate credential use. Attackers are increasingly exploiting API keys, session cookies, OTPs, and Kerberos tickets, blending into the environment by utilizing legitimate tools and identities. The infamous group Scattered Spider has conducted sophisticated extortion attacks, using techniques like SIM swapping and social engineering to breach high-profile targets. Nation-state linked attackers, including Cozy Bear, continue to engage in identity-based attacks, often circumventing multi-factor authentication and leveraging leaked or stolen credentials. | Details |
| 2024-02-21 08:04:45 | thehackernews | MALWARE | New 'VietCredCare' Malware Hits Vietnamese Facebook Advertisers | The malware, named VietCredCare, has been targeting Facebook advertisers in Vietnam since August 2022. Developed by Vietnamese-speaking cybercriminals, it specifically harvests Facebook session cookies and credentials from compromised devices. VietCredCare checks if the Facebook accounts have business profiles and positive Meta ad credit balances for targeted takeovers. The malware is being sold as a service, allowing others to either access a botnet or purchase the source code for their own use. It spreads through fake software links on social media, being disguised as legitimate applications like Microsoft Office or Acrobat Reader. Capabilities include the extraction of browser credentials and the evasion of Windows security features like AMSI and Windows Defender. Several government, educational, financial, and e-commerce institutions in Vietnam have been compromised by this malware. Group-IB warns of the increasing risk of cybercrime due to such stealer-as-a-service models allowing non-technical individuals to perpetrate crimes. | Details |
| 2024-02-21 07:34:02 | theregister | MISCELLANEOUS | GDPR Impact Study Reveals Substantial Cost Increase for EU Firms | GDPR has led to significant reductions in data storage and processing for European companies due to increased management costs. The cost of GDPR compliance can range from $1.7 million for SMBs to $70 million for large organizations. European firms decreased data storage by 26% and data processing by 15% compared to US firms. GDPR has necessitated measures that, on average, represent a 20% increase in the cost of data for EU firms, with even higher impacts on data-intensive industries. GDPR compliance has also led to higher information production costs, but not as much as data storage or computation costs. The economic study did not assess the benefits of GDPR to consumers, though prior research indicates it generally provides positive privacy benefits. | Details |
| 2024-02-21 07:18:36 | thehackernews | MISCELLANEOUS | Signal Enhances Privacy with Optional Usernames Feature | Signal, the encrypted messaging app, has introduced a feature for creating unique usernames, enhancing user privacy by allowing individuals to communicate without sharing their phone numbers. This measure is a response to privacy concerns, ensuring that a user's phone number will no longer be automatically visible to everyone they chat with. Contacts who already have a user's phone number saved will continue to see it, maintaining convenience for known connections. To further reduce the risk of impersonation, usernames require the inclusion of two or more digits at the end and can be changed multiple times if desired. Signal is making the visibility of phone numbers an opt-in feature, going a step further to conceal them by default from those not saved in a user's contacts list. Additionally, Signal has introduced a privacy setting that allows users to control who can find them by their phone number within the app, restricting unsolicited messages. These updates are part of Signal's ongoing efforts to provide secure, private communication options for its users in an increasingly security-conscious digital landscape. | Details |
| 2024-02-21 06:07:14 | thehackernews | CYBERCRIME | Ukrainian Defense Targeted by Russian-Linked Disinformation Cyberattacks | Russian-aligned hackers have targeted Ukraine with disinformation and attempts to harvest Microsoft login credentials through spam emails and spear-phishing attacks. ESET, a Slovak cybersecurity firm, attributed the attacks to Russian threat actors and codenamed the campaign 'Operation Texonto.' The disinformation spread involved emails with PDF attachments about heating, drug, and food shortages in Ukraine, some pretending to be from Ukrainian ministries. The campaign intensified with a second wave of emails during the holiday season, some suggesting extreme measures to avoid military drafts, and targeted Ukrainian speakers in Europe. Attackers used a domain initially involved in phishing to send spam advertising a fake Canadian pharmacy, possibly as a financial ploy after the phishing campaign was uncovered. Though no specific Russian threat actors were identified, techniques used in Operation Texonto overlapped with those of COLDRIVER, known for credential phishing. The situation reflects the ongoing influence operations amidst the war, alongside the decline of Russian state media's reach on social media platforms due to Western blocks and a strategy shift towards domestic audiences. | Details |
| 2024-02-21 05:36:33 | thehackernews | CYBERCRIME | VMware Advises Uninstalling Plugin to Counter Critical Security Flaw | VMware has issued an advisory to uninstall its Enhanced Authentication Plugin (EAP) due to a critical security vulnerability. The flaw, with identifier CVE-2024-22245 and a CVSS score of 9.6, could allow attackers to request and relay tickets for arbitrary Active Directory Service Principal Names (SPNs). EAP has been deprecated since March 2021 and was used for direct login to vSphere's management interfaces via web browsers. An additional session hijack flaw, CVE-2024-22250 with a CVSS score of 7.8, was also found, allowing potential privilege escalation on Windows systems. VMware will not release a fix; instead, it recommends complete removal of EAP from client systems to mitigate risk. The article also references a separate incident where SonarSource disclosed moderate-severity XSS vulnerabilities (CVE-2024-21726) in Joomla! CMS, which have been patched. Critical vulnerabilities and misconfigurations in Salesforce's Apex programming language were identified, potentially allowing data leakage, corruption, and business function compromise. | Details |
| 2024-02-21 04:35:25 | theregister | MISCELLANEOUS | Inefficiencies in China's Complex Censorship Bureaucracy Revealed | China's censorship system is extensive but suffers from bureaucratic overlap, inconsistent development, and underfunding, a USCC-commissioned report by Exovera reveals. Key censorship agencies in China, like the Central Propaganda Department and Cyberspace Administration, have overlapping functions, leading to inefficiencies. Local censorship efforts are disorganized, with regional governments relying on ad hoc channels for information control, often criticized for being "careless" in their approach. The lack of skilled staff at local levels means censorship duties sometimes fall to part-time workers or volunteers, creating potential for information control gaps that may incite social unrest. Despite varying resources (some regional bodies operate with limited budgets and human resources), uniform results are expected in the implementation of censorship. Chinese internet service providers and technology giants contribute to the censorship efforts with dedicated in-house or outsourced teams. Recommendations for the US include promoting alternative views in China through methods like satellite broadband, and developing tools to defend against China's propaganda and botnet attacks. The think tank urges the US to study Chinese tactics in influencing foreign companies and to consider sanctions on technology that supports China's AI-powered censorship. | Details |
| 2024-02-21 01:01:51 | theregister | CYBERCRIME | Singapore Central Bank Urges Financial Sector to Prep for Quantum Threats | The Monetary Authority of Singapore (MAS) has recommended that financial institutions prepare for quantum computing threats, suggesting the adoption of post-quantum cryptography (PQC) and quantum key distribution (QKD). MAS highlights that quantum computing could compromise current encryption and digital signature algorithms, posing significant cybersecurity risks within the coming decade. Financial institutions should monitor quantum computing advancements and ensure they can update cryptographic measures without disrupting current systems. MAS emphasizes the importance of awareness within institutions, especially among third-party providers and management, in understanding and mitigating quantum risks. Upgrading systems to be quantum-resistant is advised, along with implementing personnel training, setting standards, and preparing contingency plans. The advisory is likely to influence financial services across Asia, given Singapore's growing status as a regional financial hub. Industry experts support MAS's advisory, noting recent developments that show cryptographically relevant quantum computers may be nearer than expected. Cybersecurity professionals recommend early action to guard against potential "capture now, decrypt later" attacks, highlighting the longevity of sensitive data's relevance. | Details |
| 2024-02-20 21:02:45 | bleepingcomputer | CYBERCRIME | VMware Advises Removal of Outdated Plugin to Thwart Attacks | VMware issued a warning for admins to remove a vulnerable authentication plugin, the Enhanced Authentication Plug-in (EAP), susceptible to attacks. Two unpatched security vulnerabilities, CVE-2024-22245 and CVE-2024-22250, enable authentication relay and session hijack attacks in Windows domain environments. The deprecated EAP allows seamless logins to VMware's management interfaces but has been outmoded since vCenter Server 7.0 Update 2 in March 2021. There are no current indications that the vulnerabilities have been exploited in the wild; however, VMware provides guidelines for removing or disabling the plugin. The deprecated plugin must be manually installed, and VMware recommends using alternative authentication methods like Active Directory over LDAPS or ADFS. VMware disclosed that a critical vCenter Server vulnerability patched in October was actively exploited by the UNC3886 Chinese cyber espionage group for over two years. | Details |
| 2024-02-20 20:42:09 | bleepingcomputer | CYBERCRIME | Researchers Uncover Wireless Charging Exploit That Damages Phones | A new set of attacks, named 'VoltSchemer,' can manipulate a smartphone's voice assistant and cause physical damage through wireless chargers. Academic researchers from the University of Florida and CertiK demonstrate that the magnetic field from wireless chargers can be interfered with to induce harmful effects on smartphones. Electromagnetic interference is used to manipulate the charger's behavior without physically altering the charging station or smartphone. Attack methods include overheating the phone to dangerous levels, bypassing safety standards to transfer energy to unintended items, and injecting voice commands. Experiments reveal that a smartphone can overheat to the point of emergency shutdown, while nearby metallic objects can reach temperatures high enough to cause fires or damage. In one scenario, voice commands were covertly transmitted to a phone's voice assistant, including initiating calls or launching apps. The risks exposed underscore the need for improved security designs in wireless charging technology to prevent potential misuse. The research team has informed wireless charger manufacturers of their findings to discuss potential countermeasures against such attacks. | Details |
| 2024-02-20 19:40:56 | bleepingcomputer | MALWARE | New Migo Malware Targets Redis Servers for Cryptojacking | Security researchers have uncovered a malware campaign targeting Redis servers for cryptocurrency mining using a malware called 'Migo'. Attackers exploit unprotected Redis servers on Linux hosts, deploying system-weakening commands to disable security features and facilitate prolonged cryptojacking activities. The campaign was identified by Cado Security through their honeypots, revealing the use of command-line instructions to deactivate protective configurations and exploit the server's resources. Once the Redis server is compromised, attackers establish a cron job to download and execute the primary payload, a UPX-packed ELF binary compiled in Go named Migo, from a file-sharing service. Migo's primary purpose is to download, install, and execute a modified version of the XMRig Monero miner, establishing persistence through a systemd service. The malware includes a user-mode rootkit that hides its processes and files by intercepting system tools, complicating detection and removal. Attackers conclude the campaign by setting up firewall rules, disabling SELinux, neutralizing competing miners, and manipulating '/etc/hosts' to obstruct communications with cloud services. While the cryptojacking does not pose an immediate threat of data disruption or corruption, the access gained could potentially be leveraged to deploy more harmful payloads. | Details |