Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11545
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-29 16:47:20 | thehackernews | MALWARE | Cybercriminals Leveraging ASMCrypt Malware Loader for Cyberattacks and Data Theft | Kaspersky has reported the emergence of a new crypter and loader, ASMCrypt, that loads malware payloads without being detected by antivirus or endpoint detection and response tools. ASMCrypt, described as an evolved version of another loader called DoubleFinger, was previously used to propagate a cryptocurrency stealer named GreetingGhoul across Europe, the U.S., and Latin America. Crypters and loaders are becoming a popular tool for threat actors, used to gain initial network access for ransomware attacks and data theft; other similar malware includes Bumblebee, CustomerLoader, and GuLoader. CustomerLoader may operate as a "loader-as-a-service" used by multiple threat actors, and Bumblebee has returned from a brief hiatus in a new distribution campaign that uses Web Distributed Authoring and Versioning (WebDAV) servers. Illustrating a growing trend in the cybercrime economy, groups originally believed to be separate have teamed up, as shown by a "dark alliance" between GuLoader and Remcos RAT: GuLoader has been used predominantly to distribute Remcos RAT and is now sold as TheProtect, a crypter advertised as fully undetectable by security software. New versions of Lumma Stealer, an information-stealing malware, have also been detected. It is distributed via a fake website that, when a file is uploaded, returns a malicious binary posing as a PDF, which then steals sensitive data from the infected host. Lumma Stealer is an evolved version of the known malware Arkei. | Details |
| 2023-09-29 15:04:54 | bleepingcomputer | CYBERCRIME | ShinyHunters Member Pleads Guilty to $6 Million Data Theft and Ransom Scheme | Sebastien Raoult, a 22-year-old French national and a member of the hacking group ShinyHunters, has pleaded guilty in a U.S. court to conspiracy to commit wire fraud and to aggravated identity theft. Raoult was apprehended in Morocco in 2022 and extradited to the U.S. in January 2023; his hacking activities reportedly caused damages exceeding $6 million. The guilty plea comes as Raoult and co-conspirators are accused of hacking into corporate computers to steal company and customer data, which was subsequently sold on various online forums under the ShinyHunters alias. The stolen data reportedly amounted to hundreds of millions of records. Between April 2020 and July 2021, datasets from over sixty companies were posted for sale by the ShinyHunters group. In some instances the same company's data was sold multiple times, and ransoms of up to $425,000 were also demanded from certain victims. The group also relied on cryptomining to augment its illicit proceeds, with the cost of the computing power billed to the victimized companies' cloud computing providers. Raoult faces up to 27 years in prison for the wire fraud conspiracy conviction, plus at least an additional two years for the aggravated identity theft conviction. | Details |
| 2023-09-29 13:57:41 | theregister | DATA BREACH | Norway Advocates for Permanent EU-Wide Ban on Meta's Behavioral Advertising | Norway has asked the European Data Protection Board (EDPB) to ban user data harvesting by Meta for advertising on Facebook and Instagram across Europe. The request arises from an ongoing conflict between Meta and Norway's Data Protection Authority, Datatilsynet. It was initiated after a Court of Justice of the European Union (CJEU) ruling clarified that Meta's data processing for behavioral marketing also covered protected data (e.g., race, ethnicity, religious affiliation, sexual orientation). Despite not being an EU member, Norway is part of the single market and holds equal standing under the CJEU to ensure that European law and treaties are implemented. Meta previously insisted that its users consented to targeted advertising when agreeing to its Terms and Conditions. The CJEU did not accept this argument, and Datatilsynet argues for a consistent interpretation of the General Data Protection Regulation (GDPR) throughout the EU/EEA. Meta, which has faced GDPR lawsuits for years, announced its intention to seek explicit consent from users for personalized advertising data, and expressed surprise at the Norwegian authority's actions given its commitment to a consent basis for advertising in the EU/EEA. Notably, the United Kingdom was excluded from Meta's shift to a consent basis for data processing, even though UK GDPR rules are similar to the EU rules. The UK government, however, plans to replace the EU legislation, which could affect UK businesses that collect and process EU data. | Details |
| 2023-09-29 12:24:06 | bleepingcomputer | MISCELLANEOUS | Technical Glitch Blocks Discord User Access | Numerous users of the social platform Discord have reported that they are unable to access their accounts, with a "Sorry, you have been blocked" message appearing on-screen. Outage reports on Downdetector spiked at the same time users began reporting the problem. Discord's engineers are investigating a sudden increase in API errors as a potential cause. Discord has not yet provided an official explanation, other than an acknowledgement on its Twitter support handle. Some users speculate that scheduled maintenance on Cloudflare could be the root cause, as this has reportedly affected other online platforms in addition to Discord. With some users already regaining access, this appears to be a temporary technical issue rather than a ban for policy violations, and a complete resolution is expected soon. | Details |
| 2023-09-29 12:13:36 | thehackernews | NATION STATE ACTIVITY | North Korea's Lazarus Group Targets Spanish Aerospace Firm in Spear-Phishing Campaign | The North Korea-affiliated Lazarus Group carried out a cyber espionage attack on an unnamed Spanish aerospace company, using a fake recruiter posing as a Meta Platforms employee on LinkedIn. The attack forms part of a campaign dubbed "Operation Dream Job," in which targeted employees are encouraged to open a malicious executable file disguised as a coding quiz or challenge. The payload delivered in the latest attack is a tool named LightlessCan, which shows considerable sophistication in its design and operation and is a significant advance over its predecessor, BLINDINGCAN. To initiate the attack, victims receive a LinkedIn message from the fake recruiter, who sends two coding challenges via third-party cloud storage platforms containing the malicious files Quiz1.exe and Quiz2.exe. Once executed, these files deliver an HTTP(S) downloader called NickelLoader, which can deploy any software into the victim's device memory, including the LightlessCan remote access trojan and a BLINDINGCAN variant, miniBlindingCan. Reflecting its advanced design, LightlessCan can mimic a wide range of Windows commands and has implemented 43 of 68 possible distinct commands to date. | Details |
| 2023-09-29 11:53:02 | thehackernews | CYBERCRIME | Post-Quantum Cryptography: A Mechanism for Consumer Security Amid Quantum Computing Advances | Advances in quantum computing threaten to break the commonly used RSA encryption, potentially compromising a vast amount of digital data. Data captured today, even if encrypted, could be decrypted in the future once quantum computers are more accessible, posing a retrospective security risk. Post-quantum cryptography (PQC) could prove a solution, offering algorithms resistant to attacks from both classical and quantum computers. PQC has recently begun to appear in consumer applications due to growing awareness of quantum threats and the increased maturity of PQC algorithms. Hybrid cryptography, such as that implemented by the messaging app Signal, uses PQC to augment existing encryption systems, boosting resistance against quantum threats. As quantum computing gathers momentum, PQC may need to become a standard feature in consumer applications to ensure user data is protected both now and in the future. | Details |
| 2023-09-29 09:50:43 | thehackernews | MALWARE | AI-Powered Bing Chat Ads Potentially Leading Users to Malware Sites | Microsoft's AI-powered Bing Chat, an interactive search experience, is mistakenly serving ads that lead users to malware-distributing sites, according to cybersecurity firm Malwarebytes. Bing Chat, launched by Microsoft in February 2023, began experimenting with placing ads in conversations a month later, unintentionally providing an avenue for threat actors to distribute malware. Threat actors are taking advantage of the chatbot by inserting malicious ads into Bing Chat conversations: when users hover over certain links, an ad is displayed first, which can lead to booby-trapped sites. One example highlighted by Malwarebytes shows a rogue installer configured to run a Visual Basic Script; the malware's payload is not yet known. A threat actor infiltrated the ad account of a legitimate Australian business to create the offending ads. This discovery highlights the need for users to be cautious about clicking unsolicited links, even when they appear legitimate, and to be suspicious of urgent or threatening messages asking for immediate action. Other recent cyberattacks have targeted the hospitality sector, using information stealers to access accounts and phishing emails that seem innocuous but direct recipients to enter their Microsoft credentials. | Details |
| 2023-09-29 09:35:00 | bleepingcomputer | CYBERCRIME | North Korean Lazarus Hackers Breach Spanish Aerospace Firm with New 'LightlessCan' Malware | The North Korean 'Lazarus' hacking group successfully breached a Spanish aerospace company's network using 'LightlessCan', a previously unknown backdoor. Lazarus conducted the attack as part of its ongoing "Operation Dreamjob" campaign, in which the group approaches a target, engages in a fake recruitment process, and tricks the victim into downloading a malicious file. Cybersecurity firm ESET found that Lazarus initiated the attack with a LinkedIn message, pretending to be a Meta (Facebook) recruiter named Steve Dawson. LightlessCan, identified as the successor to BlindingCan, has a more sophisticated code structure, different indexing, and enhanced functionality; version 1.0 supports 43 commands but has 25 unimplemented commands in its code. ESET revealed that one of the LightlessCan payloads was encrypted and could only be decrypted with a key dependent on the target's environment, preventing security researchers and analysts from accessing it outside that environment. The campaign and the new LightlessCan payload indicate that Lazarus' objectives are not limited to financial gain but also extend to espionage, and its continued activity presents an ongoing threat to potential target organizations. | Details |
| 2023-09-29 06:21:40 | thehackernews | CYBERCRIME | Progress Software Issues Hotfixes for Severe Flaws in WS_FTP Server | Progress Software released urgent hotfixes to correct a critical security flaw and seven other vulnerabilities in the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface. The most severe flaw, tracked as CVE-2023-40044, has a CVSS score of 10.0, indicating maximum severity, and impacts all versions of the software. It allows an unauthenticated attacker to execute remote commands on the underlying WS_FTP Server operating system through a .NET deserialization vulnerability in the Ad Hoc Transfer module. Researchers Shubham Shah and Sean Yeoh of Assetnote discovered and reported the vulnerability. The additional flaws affect versions of WS_FTP Server prior to 8.8.2, making unpatched installations attractive targets for ransomware groups such as Cl0p and highlighting the importance of prompt patching. Alongside issuing the hotfixes, Progress Software is still managing the fallout from the mass exploitation of its MOVEit Transfer secure file transfer platform that began in May 2023, estimated to have affected over 2,100 organizations and 62 million individuals. | Details |
| 2023-09-29 03:08:40 | thehackernews | CYBERCRIME | Cisco Alerts Customers About Exploitation Attempts in IOS and IOS XE Software | Cisco issued a warning about attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit a remote attacker to execute code on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, has a CVSS score of 6.6, and affects all versions of the software with the GDOI or G-IKEv2 protocol enabled. An attacker who has gained administrative control of either a group member or a key server could exploit the vulnerability to make the affected device execute arbitrary code or crash. The vulnerability was discovered during an internal investigation and source code audit launched after an attempted exploitation of the GET VPN feature. Cisco also detailed another set of five flaws in its Catalyst SD-WAN Manager that could allow an attacker to gain unauthorized access or cause a denial-of-service condition on affected systems. Customers are urged to upgrade to a fixed software release to remediate these vulnerabilities. | Details |
| 2023-09-28 23:14:51 | theregister | NATION STATE ACTIVITY | Chinese Cyber Spies Allegedly Steal 60K State Department Emails in Microsoft Email Break-In | Chinese hackers reportedly stole approximately 60,000 emails from the US State Department over the summer. The targeted emails were from unclassified systems hosted on Microsoft's cloud platform, as no signs were found that classified systems had been breached. The data theft affected ten State Department officials, nine of whom focused on Indo-Pacific diplomacy; the stolen email data included diplomatic discussions, travel plans, and the officials' social security numbers. The hackers also procured a list of all State Department email addresses, potentially paving the way for future phishing efforts or other social-engineering schemes. The State Department discovered the breach in July and alerted Microsoft, which traced the intrusion back to a China-based threat actor known as Storm-0558. During the intrusion, the attackers accessed email data from around 25 organizations, including the US Commerce Department. US authorities have not officially accused China or its cyber-espionage groups of the data breach but have expressed agreement with Microsoft's attribution. The intrusion reflects increasing concern over cyber-espionage threats from China, as evidenced by recent warnings from US and Japanese governmental and cybersecurity agencies. | Details |
| 2023-09-28 22:06:42 | bleepingcomputer | CYBERCRIME | Progress Software Issues Urgent Patch for Critical Vulnerabilities in WS_FTP Server Software | Progress Software has urged its customers to urgently patch several critical vulnerabilities found in its WS_FTP Server software. Two of the flaws are rated critical, with one (CVE-2023-40044) receiving the maximum severity score of 10 out of 10; it allows unauthenticated attackers to execute remote commands by exploiting a .NET deserialization vulnerability. The other critical bug (CVE-2023-42657) is a directory traversal vulnerability that allows attackers to perform file operations outside the authorized WS_FTP folder path. The company says the vulnerabilities, particularly CVE-2023-40044, can be exploited with low complexity and without user interaction. Progress Software has advised customers to upgrade to WS_FTP Server version 8.8.2 to address the vulnerabilities. The company is also still dealing with the aftermath of a widespread data theft attack that exploited a zero-day vulnerability in its MOVEit Transfer file-sharing platform, with more than 2,100 organizations and over 62 million individuals affected. Despite this, the firm reported a 16% year-on-year increase in revenue for its fiscal third quarter ending on August 31, 2023. | Details |
| 2023-09-28 22:00:39 | theregister | NATION STATE ACTIVITY | US Privacy Board Backs Renewal of Feds' Section 702 Spying Powers with Added Protections for Citizens | The Privacy and Civil Liberties Oversight Board (PCLOB) has voted 3-2 in favor of reauthorizing Section 702 spying powers for federal agencies, but with strengthened protections for US citizens. The PCLOB supports all 19 recommendations in its report on Section 702, including a stipulation that FBI agents should obtain approval from the Foreign Intelligence Surveillance Court before reviewing Americans' electronic communications. The board also supports probable cause as the standard for court approval before federal agencies can run warrantless Section 702 queries on US citizens to recover evidence of a suspected crime. Section 702 of the Foreign Intelligence Surveillance Act allows US intelligence agencies to surveil foreigners' overseas communications, and the collected data includes Americans' communications when they are party to those exchanges. The two Republicans on the PCLOB argue for reforming the FBI to better incorporate privacy and civil liberties into its operations rather than changing the surveillance program itself. Despite the renewed focus on protective measures, privacy and civil liberties advocates argue that spying on Americans will not stop unless Congress gives Section 702 a significant overhaul. The board's recommendations were praised by the Center for Democracy and Technology (CDT), most notably the call for FISA court approval of US-person queries; the CDT emphasized that limiting the scope of surveillance is the most important reform. | Details |
| 2023-09-28 22:00:39 | bleepingcomputer | CYBERCRIME | Chinese-linked Hackers Steal 60,000 State Dept emails via Microsoft Breach | Chinese hackers have stolen nearly 60,000 emails from official accounts of the US State Department via a breach of Microsoft's Exchange email platform, and also obtained a complete list of the department's email accounts. The breach was first noticed in May and primarily affected personnel working on Indo-Pacific diplomacy, via the Outlook accounts of officials covering East Asia, the Pacific, and Europe. In July, Microsoft admitted that the breach had compromised accounts at around 25 organisations, including the US State and Commerce Departments, but the company did not disclose specific details about the attack's ramifications. The attack was reportedly orchestrated by a group known as Storm-0558 with the objective of stealing sensitive data from email systems. The group acquired a consumer signing key through a breach, enabling it to exploit a zero-day validation vulnerability and impersonate accounts within the targeted organizations. Microsoft has since revoked the stolen signing key and found no further instances of unauthorized access. Under pressure from the Cybersecurity and Infrastructure Security Agency, the company also agreed to broaden access to cloud logging data, a move intended to help identify future breach attempts. Senator Eric Schmitt emphasised the need to strengthen the federal government's cyber defenses and scrutinize its reliance on a single vendor, and pledged to keep pushing for action to prevent the nation's sensitive information from falling into the hands of malevolent actors like China. | Details |
| 2023-09-28 18:44:51 | thehackernews | CYBERCRIME | Password-Stealing Malware Strikes GitHub Repositories Via Fake Dependabot Contributions | A new malware campaign has been detected hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions, with the aim of stealing developers' passwords. Checkmarx, the software supply chain security firm, discovered the activity. The malicious code exfiltrates the compromised GitHub project's defined secrets to a malicious C2 server and modifies every existing JavaScript file in the targeted project with web-form password-stealing code, affecting any end user who submits a password through a web form. The malware is designed to capture GitHub secrets and variables and send them to a remote server via a GitHub Action. Checkmarx spotted these unusual commits to several public and private GitHub repositories between 8 and 11 July 2023; victims' GitHub personal access tokens (PATs) were stolen and used by the attackers to push malicious commits to the users' repositories while posing as Dependabot. Most of the compromised users are based in Indonesia. The exact method used to steal the tokens remains unclear, though it is thought to involve a rogue package unknowingly installed by developers. The campaign adds to continuing attempts by threat actors to disrupt open-source ecosystems and facilitate supply chain compromises, a trend highlighted by a new data exfiltration campaign targeting both npm and PyPI that uses up to 39 fraudulent packages to collect sensitive machine information and send it to a remote server. | Details |