Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12677
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-15 09:37:59 | thehackernews | MALWARE | Chinese Hackers Employ Sophisticated Malware with Deepfake Tech | GoldFactory, a Chinese-speaking cybercrime group, has developed sophisticated banking trojans targeting the Asia-Pacific region. Their malware suite includes GoldPickaxe for iOS and Android, GoldDigger, and GoldDiggerPlus, with the latter two designed for Android. Malware distribution involves smishing, phishing, and counterfeit websites, with GoldPickaxe iOS leveraging Apple's TestFlight and MDM profiles. GoldPickaxe bypasses facial recognition security by prompting victims to record a video, later used to create deepfake videos for fraudulent transactions. The malware features capabilities for stealing identities, intercepting SMS, and proxying traffic, with Android variants posing as over 20 applications to steal credentials. GoldDigger targets over 50 Vietnamese finance apps, logging keystrokes and on-screen content, and its variant includes an additional trojan, GoldKefu. GoldKefu masquerades as a messaging app and integrates the Agora SDK to stage fake customer service interactions that convince users of false fund transfers. Cybersecurity experts advise against clicking suspicious links and installing apps from untrusted sources, and recommend reviewing app permissions, especially requests for accessibility services. | Details |
| 2024-02-15 08:31:36 | theregister | CYBERCRIME | Cybercriminals Employ Ad Tech to Optimize Malware Delivery | Cybercriminals are utilizing advertisement technology to track and enhance the effectiveness of their malware distribution, evading conventional detection methods. HP Wolf Security's Q4 2024 Threat Insights Report indicates that malware operators are applying ad tech to improve social engineering tactics and user-targeting precision. The use of ad networks enables attackers to gather analytics on click-through rates and misuse CAPTCHA defenses, thereby hindering automated malware scans and potentially leading to misclassification of malicious files. The analysis of malware trends in Q4 2023 showed an increase in malware delivery through PDF files, rising from 4 percent in earlier quarters to 11 percent. The WikiLoader and DarkGate campaigns are highlighted as examples where attackers employ fake PDFs, such as a parcel delivery notice or OneDrive error message, to deploy malware like Ursnif and enable backdoor access. Attackers are increasingly leveraging cloud services to host malware, exploiting the inherent trust users have in these platforms, as with the Remcos remote access trojan using Discord and TextBin. HP Wolf Security recommends adhering to zero trust principles to mitigate the risk from sophisticated cyber threats, including isolating risky activities like opening email attachments and browser downloads. | Details |
| 2024-02-15 08:00:57 | bleepingcomputer | MALWARE | 'Gold Pickaxe' Malware Targets Mobile Users with Identity Theft Tactics | A new mobile trojan called 'Gold Pickaxe' is being used to steal facial recognition data and ID information from Android and iOS users. The malware is distributed via social engineering through phishing or smishing messages on the LINE app, urging users to install fake government apps. Group-IB, a cybersecurity firm, has observed 'Gold Pickaxe' primarily targeting individuals in the Asia-Pacific region, with a focus on Thailand and Vietnam. For iOS, attackers first used a TestFlight URL and later switched to malicious Mobile Device Management profiles to bypass security. Gold Pickaxe performs functions such as intercepting SMS, manipulating network traffic, and requesting ID scans to commit fraud. The Android version of the trojan can carry out a larger range of malicious activities due to fewer security restrictions on the platform. The collected facial data is suspected to be used for unauthorized bank access, but the malware does not compromise the biometric data encrypted in the devices' secure enclaves. | Details |
| 2024-02-15 07:30:18 | theregister | NATION STATE ACTIVITY | European Court Rules Against Government-Imposed Encryption Backdoors | The European Court of Human Rights (ECHR) ruled that mandatory encryption backdoors and extensive data retention violate human rights. The decision comes from a case involving Russia's demand in 2017 that Telegram assist in decrypting user communications. The Russian laws were deemed disproportionate and unnecessary in a democratic society, as they risk weakening encryption for all service users. The ruling affects European countries contemplating similar laws that could weaken encryption, such as the proposed Chat Control legislation. Chat Control, an EU data surveillance initiative, aims to scan digital communications for illegal content, which contradicts the ECHR ruling. European Parliament member Patrick Breyer praised the decision, stating that it proves such surveillance tactics are illegal and incompatible with EU law. The judgment puts pressure on EU governments to reconsider their stance on proposals that undermine secure encryption and enable mass surveillance. | Details |
| 2024-02-15 05:22:50 | thehackernews | CYBERCRIME | Microsoft Warns of Actively Exploited Critical Exchange Flaw | Microsoft has confirmed that a newly identified critical security flaw in Exchange Server, tracked as CVE-2024-21410, is actively being exploited. CVE-2024-21410 is a privilege escalation issue with a CVSS score of 9.8, enabling attackers to use leaked NTLM credentials to gain privileges on the Exchange Server. The exploitation allows attackers to authenticate as the user on the Exchange Server by relaying the user's leaked Net-NTLMv2 hash. Microsoft has updated Exchange Server 2019 with Cumulative Update 14 (CU14) to enable Extended Protection for Authentication (EPA) by default to address the vulnerability. Specifics about the nature of the exploitation or the identity of the attackers remain undisclosed, although similar tactics have been used by Russian state-affiliated groups like APT28. Apart from CVE-2024-21410, Microsoft addressed other actively exploited vulnerabilities in its Patch Tuesday update, including CVE-2024-21351 and CVE-2024-21412, the latter exploited by the Water Hydra APT group. Also patched is CVE-2024-21413, a critical flaw in Outlook that allows remote code execution and can bypass security measures such as Protected View by exploiting the incorrect parsing of hyperlinks. | Details |
| 2024-02-15 04:36:55 | theregister | CYBERCRIME | North Korea Sells Malware-Infested Gambling Sites to Fund Regime | North Korea is allegedly operating a revenue-generating scheme that involves selling gambling websites pre-loaded with malware. The operation is linked to the North Korean IT organization Gyeongheung, associated with the secretive "Office 39" of the ruling Workers' Party of Korea. South Korean cybercriminal groups have reportedly purchased these websites, which cost around $5,000 monthly, with an additional $3,000 for technical support. The malicious code embedded in the websites' automatic betting features is designed to steal personal information from gamblers for subsequent sale. The cyber operation was profitable, potentially earning billions for its operators, while also offering tech support and bonuses for collecting banking details of Chinese nationals. To avoid UN sanctions, the North Korean IT workers posed as Chinese, using forged IDs and stolen professional credentials, and they laundered money through Chinese-named bank accounts. Some clients did business with the sanctioned North Korean operators, enticed by low costs and a shared language. This activity not only compromises cybersecurity but also functions as a financial resource for North Korea, circumventing international sanctions. | Details |
| 2024-02-15 00:12:33 | theregister | NATION STATE ACTIVITY | OpenAI Terminates Accounts Linked to Foreign Malicious Actors | OpenAI identified and shut down five accounts associated with government agents from China, Iran, Russia, and North Korea, aimed at creating phishing emails and malicious software. The terminated accounts include two China-affiliated threat actors, Charcoal Typhoon and Salmon Typhoon, the Iran-affiliated Crimson Sandstorm, the North Korea-affiliated Emerald Sleet, and the Russia-affiliated Forest Blizzard. These threat actors were allegedly using OpenAI's services for activities such as language translation, finding coding errors, and generating code, which could support cyberattacks and phishing campaigns. OpenAI collaborated with Microsoft to detect and disable these malicious accounts and stressed the limited capabilities of GPT-4 in performing malicious cybersecurity tasks. Microsoft's Threat Intelligence provided additional details on the specific nature of activities conducted by these groups, such as translating technical papers and researching cybersecurity. OpenAI emphasized that its systems are designed to prevent misuse and filter out requests for harmful information and malicious code, suggesting that its AI models are not particularly effective in aiding cybercrime. | Details |
| 2024-02-14 23:31:38 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Flaw in Microsoft Exchange Exploited Before Patch | Microsoft confirmed that a critical vulnerability in Exchange Server was exploited as a zero-day before a patch was issued on Patch Tuesday. The vulnerability, identified as CVE-2024-21410, allows remote, unauthenticated attackers to escalate privileges via NTLM relay attacks. NTLM relay attacks involve attackers coercing network devices to authenticate against a server they control, enabling privilege escalation and impersonation. Exchange Server 2019 Cumulative Update 14 (CU14) mitigates this issue by enabling NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA). EPA is an enhancement to Windows Server authentication designed to combat relay and man-in-the-middle attacks. Extended Protection (EP) will automatically be enabled on all Exchange servers with the latest CU14 update, but admins can also manually enable it on older versions. Microsoft advises administrators to review the potential impact on their environments, referencing the documentation for the ExchangeExtendedProtectionManagement PowerShell script, to avoid functional disruptions. An unrelated critical remote code execution (RCE) vulnerability in Outlook was incorrectly reported as being exploited but has since been patched. | Details |
| 2024-02-14 23:11:04 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Targets Fulton County, Threatens Data Leak | The LockBit ransomware group has claimed responsibility for a cyberattack on Fulton County, Georgia. Fulton County's IT systems, including phone, court, and tax services, were disrupted during the last weekend of January. Nearly three weeks post-incident, services remain impacted, with property tax systems still offline and phone lines only partially restored. Fulton County officials report no confirmed sensitive data theft as of now but acknowledge the breach did occur. LockBit has threatened to publish confidential documents, including citizens' personal data, unless a ransom is paid by February 16. The county is considering using insurance to recover its systems, which suggests it may not pay the ransom to LockBit. Despite service disruptions, penalties for delayed water bill payments will be waived for residents. | Details |
| 2024-02-14 21:59:28 | bleepingcomputer | MALWARE | Critical Remote Code Execution Vulnerability in Microsoft Outlook | Microsoft Outlook has a critical vulnerability, CVE-2024-21413, that allows for remote code execution (RCE) and circumvents Protected View. Discovered by Check Point, the bug can be exploited by sending emails with malicious links that open harmful Office files in editing mode rather than read-only. The Preview Pane in Outlook can trigger the exploit without the email being opened, as it previews maliciously crafted Office documents. No user interaction is necessary for the exploitation, which can be done remotely and without authentication. Successful exploitation allows attackers to gain high privileges for reading, writing, and deleting, to steal NTLM credentials, and to execute arbitrary code. The vulnerability affects Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Microsoft has retracted an initial statement that the issue was being exploited in the wild, stating it was an error to report active exploitation. Users are strongly urged to apply the official patch immediately to protect against potential attacks exploiting this vulnerability. | Details |
| 2024-02-14 21:03:17 | theregister | NATION STATE ACTIVITY | Chinese Spies Infiltrate US Emergency Services Network | Chinese government-associated group Volt Typhoon has compromised a major US city's emergency network and probed telecom providers. Dragos, an industrial cybersecurity firm, reports that the espionage efforts have been focused on American electric companies and have targeted their strategic assets. The activities of Volt Typhoon involve strategic reconnaissance, with the group's interest in regions extending beyond the US to include electric companies in Africa. The pace of network penetration by Volt Typhoon is increasing, with one American electric company's IT network breached for over 300 days. Although the operational technology (OT) network was not breached, the spies did obtain valuable geographic information system data. Volt Typhoon exploited vulnerabilities in various IT infrastructure, such as routers and VPNs, using legitimate tools and stolen credentials for lateral movement within networks. | Details |
| 2024-02-14 20:32:38 | bleepingcomputer | MALWARE | Zoom Fixes Severe Windows Client Security Vulnerability | A critical privilege escalation vulnerability was found in Zoom's Windows applications. The flaw could potentially allow unauthenticated attackers to gain elevated privileges on a user's system. The vulnerability, tracked as CVE-2024-24691, was discovered by Zoom's own offensive security team and carries a high severity score of 9.6. Affected Zoom products include the desktop client, VDI client, and Meeting SDK for Windows. The software, widely used for video conferencing, became even more popular during the COVID-19 pandemic, peaking at 300 million daily participants. User interaction such as clicking a link or opening an attachment is required to exploit the vulnerability. Zoom has released a security update (version 5.17.7) to patch this and six other vulnerabilities, urging users to update immediately. | Details |
| 2024-02-14 20:12:04 | bleepingcomputer | CYBERCRIME | Microsoft Warns of Zero-Day Exploited Critical Outlook RCE Bug | Microsoft has issued a security advisory about a critical remote code execution (RCE) vulnerability in Outlook that has been exploited as a zero-day. The vulnerability, identified as CVE-2024-21413, was uncovered by Check Point and can be triggered by simply opening an email containing a malicious link. Attackers can bypass Outlook's Protected View, enabling the opening of harmful Office files in editing mode and leading to potential NTLM credential theft and RCE. The Preview Pane in Windows Explorer is also susceptible, making it possible for attacks to succeed without any direct user interaction with the email. The vulnerability affects various Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and older versions of Outlook still under extended support. The exploitation technique involves using a 'file://' protocol link with an added exclamation mark to bypass security restrictions in Outlook. Given that the critical vulnerability lies in the core Windows/COM APIs, other software using the same APIs could potentially be at risk. Microsoft strongly recommends that all Outlook users apply the available patch to protect against this security flaw. | Details |
| 2024-02-14 18:40:25 | theregister | MISCELLANEOUS | US Air Force Revamps Tech Recruitment with Warrant Officers | The US Air Force is reinstating warrant officer ranks, focusing on luring tech talent for the cyber and IT fields. Warrant officers have technical expertise and hold ranks above enlisted members but have limited command duties. This initiative is part of a strategy to enhance capabilities against advanced threats from nations like China and Russia. The reintroduction of warrant officer ranks aims to attract individuals who are skilled in areas like coding and network attacks. Commissioned officers and enlisted airmen will also see the addition of new technical career paths. The Air Force's 16th Air Force group will be elevated to a separate service component command, and a new Information Dominance Systems Center will be established. Specific implementation plans and roles are still under development, with urgency emphasized to be ready for potential conflicts. | Details |
| 2024-02-14 17:39:10 | bleepingcomputer | CYBERCRIME | Microsoft Exchange Enhances Security with Default Protection Update | Microsoft is implementing Extended Protection (EP) by default through the latest Cumulative Update (CU14) for Exchange Server 2019. The EP feature strengthens authentication mechanisms to thwart authentication relay and Man-in-the-Middle (MitM) attacks. Administrators are advised to review their server environments for compatibility issues before enabling EP, as certain configurations may cause disruptions. Microsoft provides an ExchangeExtendedProtectionManagement PowerShell script to manage EP settings, including the option to disable the feature if necessary. Extended Protection support, introduced in August 2022, was Microsoft's response to critical vulnerabilities allowing privilege escalation attacks. Systems running the August 2022 security update or later already support EP, while older systems without the update are considered persistently vulnerable. Microsoft emphasizes the importance of keeping on-premises Exchange servers updated to deploy security patches promptly and maintain optimal protection. | Details |