Daily Brief

Summaries for the articles below are generated.

2025-01-08 17:35:24 bleepingcomputer CYBERCRIME Researchers Secure Over 4,000 Active Web Backdoors via Expired Domains
Over 4,000 active web backdoors were secured after researchers registered expired domains formerly used to command them. This proactive cybersecurity effort was led by watchTowr Labs in collaboration with The Shadowserver Foundation. The compromised systems included high-profile targets like government and university servers, which could execute commands remotely. Various backdoor types were identified, including r57shell, c99shell, and China Chopper, with some linked to known APT groups like the Lazarus Group. The breached systems spanned multiple countries, affecting organizations in China, Nigeria, Bangladesh, Thailand, and South Korea. After taking control of the domains, watchTowr set up a logging system to monitor and analyze the incoming requests from compromised systems. Responsibility for these domains has now been transferred to The Shadowserver Foundation to prevent future malicious use and to continue monitoring the sinkholed traffic.
2025-01-08 17:30:05 bleepingcomputer DATA BREACH Medusind Data Breach Impacts Over 360,000 Healthcare Records
Medusind, a prominent healthcare billing firm, experienced a significant data breach in December 2023, impacting personal and health information of 360,934 individuals. The breach was identified following suspicious activity detected on the company's network, leading to an immediate investigation by cybersecurity experts. Exposed data included a variety of personal information, the specifics of which varied by individual affected. Medusind responded by taking the affected systems offline and engaging a forensic cybersecurity firm to contain the breach and investigate. Affected individuals have been offered two years of free identity monitoring services through Kroll, including credit monitoring and identity theft restoration. The company has advised all affected users to monitor their account statements and credit reports for signs of unauthorized activities. This incident comes amid broader regulatory changes by the U.S. Department of Health and Human Services, aiming to enhance the security of patient data in the healthcare sector.
2025-01-08 15:33:48 theregister MALWARE DNA Sequencers Running Outdated BIOS Pose Severe Security Risks
Argentine cybersecurity firm Eclypsium revealed security vulnerabilities in popular DNA sequencing devices, such as Illumina’s iSeq 100. These devices were found to be using an out-of-date BIOS version from 2018, lacking critical security features like Secure Boot and firmware protections. The outdated BIOS exposes the devices to malware and ransomware attacks, potentially allowing unauthorized firmware modifications. There have been no reports of these vulnerabilities being exploited, but the history of firmware attacks suggests that risks are significant. The vulnerabilities could severely impact clinical research, posing threats to studies on genetic illnesses, cancers, and vaccines. Eclypsium's findings align with a broader trend of increasing attacks on BIOS/UEFI systems in recent years, as evidenced by attacks such as those by the Hacking Team and the use of Lojax and MosaicRegressor implants. Illumina has recognized the issue and issued security fixes for customers to implement, although the efficacy of these measures and their adoption remain unclear.
2025-01-08 15:13:08 bleepingcomputer CYBERCRIME Initial Access Brokers: Trading Stolen Credentials for Cybercrime
Initial access brokers (IABs) exploit corporate networks, steal data, and sell access credentials to other criminals, functioning as the gateway for further cyberattacks. A highlighted example includes attackers targeting Amazon Web Services (AWS), where they stole over two terabytes of data, including numerous access credentials, and sold them via private channels. IAB operations mimic legitimate business structures, featuring customer support, pricing tiers, and even guarantees on stolen access functionality. These brokers offer various stolen credentials, from VPN credentials and remote desktop access to high-level admin accounts, catering to both novice and experienced cybercriminals. Their primary commodity is compromised credentials, which are highly valued for their ease of use and potential to bypass security measures. Recent reports underline the significant role of stolen credentials in cyber breaches, emphasizing the need for robust security strategies including proactive threat intelligence and strict password policies. Organizations should use threat intelligence platforms to detect compromised credentials early and enforce advanced password policies to prevent their use in cyberattacks. Combining these security measures can significantly mitigate the risks posed by IABs and protect businesses from credential-based threats.
2025-01-08 15:07:49 bleepingcomputer DATA BREACH Green Bay Packers Pro Shop Cyberattack Exposes Credit Card Data
Over 8,500 customers were affected by a data breach at the Green Bay Packers Pro Shop online store in which credit card data was stolen. Cybercriminals injected malicious code into the checkout page during September, which remained until detected on October 23. Affected payment information includes names, credit card numbers, expiration dates, and CVVs; gift cards and digital wallets were not compromised. The Packers immediately disabled payment functionalities, initiated a forensic investigation, and mandated the hosting vendor to remove the malicious script and enhance security measures. Impacted customers were offered three years of credit monitoring services from Experian and encouraged to monitor their accounts for fraudulent activity. The Packers remain tight-lipped on the method of the cyberattack, but e-commerce security firm Sansec detailed the exploit using YouTube oEmbed and a JSONP callback for data exfiltration. This incident is reminiscent of a similar attack on the San Francisco 49ers in 2022, highlighting recurring cybersecurity issues within NFL teams’ operations.
2025-01-08 14:02:02 theregister DATA BREACH UN Aviation Agency Confirms Theft of Recruitment Database
The International Civil Aviation Organization (ICAO) reported a cyber breach involving 42,000 recruitment records. Compromised data includes names, email addresses, dates of birth, and employment histories but excludes financial info, passwords, or passport details. The data breach specifically targeted the recruitment database; ICAO's critical aviation safety and security systems remain unaffected. ICAO has taken immediate steps to bolster security and is in the process of identifying and notifying affected individuals. The breach occurred between April 2016 and July of the previous year, with no current risk to flight operations or security highlighted. Additional investigation and updates on the matter are ongoing, reflecting ICAO's commitment to personal data security and privacy. ICAO, a key global entity in aviation regulation and safety, continues its broader roles without impact from this specific breach incident.
2025-01-08 13:41:33 thehackernews MALWARE NonEuclid RAT: New Sophisticated Malware with Evasion Capabilities
NonEuclid is a new remote access trojan (RAT) targeting Windows systems, enabling unauthorized remote control with advanced evasion and offensive capabilities. The malware employs antivirus bypass, privilege escalation, anti-detection techniques, and ransomware-like encryption for critical files. It has been actively promoted in underground forums and on platforms like Discord and YouTube since late November 2024. NonEuclid uses API calls to monitor and manipulate system processes, and can terminate or exit processes based on predefined settings. The malware includes mechanisms to identify virtual or sandbox environments, terminating itself if detected to avoid analysis. Features include setting up exclusions in Microsoft Defender Antivirus and bypassing User Account Control (UAC) and the Windows Antimalware Scan Interface (AMSI) to ensure persistence and operation. The trojan can also encrypt files and rename them, adding a ".NonEuclid" extension, displaying ransomware-like behavior. Its promotion and discussion in various online forums illustrate its popularity among cybercriminals and the challenge posed to cybersecurity defenses.
2025-01-08 13:31:08 bleepingcomputer DATA BREACH UN Aviation Agency Suffers Major Data Breach, 42,000 Records Stolen
The International Civil Aviation Organization (ICAO), a UN body, confirmed a security breach in its recruitment database, with approximately 42,000 records compromised. The data breach was publicly disclosed after a hacker known as "Natohub" leaked details on a hacking forum, claiming possession of documents containing personal information of applicants. The affected data includes names, email addresses, dates of birth, and employment histories of applicants, though no financial, password, or sensitive passport details were compromised. ICAO clarified the breach was limited to the recruitment database and did not impact any systems related to aviation safety or security. Following the breach, ICAO has implemented enhanced security measures to protect its systems and is currently working to assess the full impact of the incident. The organization is also in the process of identifying and notifying individuals whose information may have been affected by the breach. This breach is part of a series of cyberattacks targeting UN agencies, including the UN networks in Vienna and Geneva in 2019 and a cyberattack on the United Nations Development Programme in 2024.
2025-01-08 11:04:14 theregister CYBERCRIME Researchers Reveal Risk from Repurposed Backdoor Domains
Researchers at watchTowr Labs discovered over 4,000 unique backdoors using expired or abandoned domains, posing serious security risks to hosts owned by governments and academic institutions. The study showcased how cybercriminals take over already established backdoors, utilizing them to easily access compromised systems without the initial effort of hacking. They highlighted instances where attackers had inserted additional backdoors into the web shells they sold, allowing them to access all the data handled by the purchaser. More than 40 domains were bought and re-registered to study incoming requests, revealing compromised hosts belonging to various government and educational entities globally. Among the compromised were critical hosts such as the Federal High Court of Nigeria, indicating high-profile cybersecurity vulnerabilities. The researchers' approach involved collecting and de-obfuscating old web shells and registering their domains using the AWS Route 53 API, turning the effort into a study of the widespread and ongoing risks associated with neglected cybersecurity practices. The Shadowserver Foundation has agreed to take over and sinkhole the registered domains to prevent further abuse, part of an effort to manage carelessly abandoned digital assets responsibly.
2025-01-08 11:04:13 thehackernews MALWARE Top Malware Threats for 2025: What Organizations Need to Know
2024 saw major companies like Dell and Ticketmaster hit by cyberattacks, indicating an ongoing trend of targeted malware assaults. Lumma, a prevalent malware family sold on the Dark Web since 2022, is designed to steal sensitive information from targeted applications. XWorm, introduced in July 2022, gives cybercriminals remote control over infected machines, collects sensitive data, and can manipulate the system's clipboard. AsyncRAT, active since 2019, records activities, installs additional malware, and launches attacks that overwhelm websites. Remcos, marketed as a legitimate remote access tool since its 2019 launch, is used widely in cyberattacks to steal sensitive information and control infected systems. LockBit ransomware, a significant part of the Ransomware-as-a-Service (RaaS) ecosystem, remains active with high-profile compromises and a new version expected in 2025. Proactive security measures, including the use of ANY.RUN’s cloud-based sandbox technology, are essential for analyzing and defending against these malware threats.
2025-01-08 10:33:38 thehackernews DDOS Mirai Botnet Variant Targets Industrial Routers for DDoS Attacks
A Mirai botnet variant has been exploiting a security flaw in Four-Faith industrial routers since early November 2024 to conduct DDoS attacks. The botnet, dubbed "gayfemboy," leverages over 20 security vulnerabilities and weak Telnet credentials to infiltrate systems. Infection activity primarily targets China, Iran, Russia, Turkey, and the United States, maintaining about 15,000 daily active IP addresses. The exploited vulnerability, CVE-2024-12856, allows operating system command injection using unchanged default credentials in router models F3x24 and F3x36. Recent exploits generate DDoS attacks producing traffic around 100 Gbps and target hundreds of different entities daily. The malware conceals its processes and uses a Mirai-based command format to scan, update, and execute attacks. Security firms have recently highlighted an increase in malware attacks targeting devices with default passwords and misconfigured servers. These attacks pose substantial threats to various sectors by using evolving strategies to conduct precise and highly concealed strikes.
2025-01-08 09:58:08 thehackernews MISCELLANEOUS FCC Introduces Cyber Trust Mark for IoT Device Security
The U.S. FCC has launched the U.S. Cyber Trust Mark, a cybersecurity certification for IoT consumer devices. The initiative aims to label smart products that comply with high cybersecurity standards to help consumers identify secure devices easily. Devices such as internet-connected cameras, smart appliances, and fitness trackers are included, but it excludes medical devices, motor vehicles, and wired devices. The Cyber Trust Mark will feature a QR code linking to a registry with detailed security information about the product, including software update practices and password management. Third-party cybersecurity label administrators will evaluate and authorize the label use, while accredited labs will conduct compliance testing. The program aligns with cybersecurity criteria from the U.S. National Institute of Standards and Technology. The mark excludes products from companies listed for national security concerns or banned from Federal procurement under various U.S. departments.
2025-01-08 06:36:01 theregister MISCELLANEOUS Akamai Ends CDN Services in China, Focuses on Cloud and Security
Akamai is discontinuing its content delivery network (CDN) services in China effective June 30, 2026, steering customers towards either their international CDNs or local Chinese providers like Tencent Cloud and Wangsu Science & Technology. The company’s strategic shift is not directly due to operational challenges in China, but aligns with its global reorientation towards more profitable cloud computing and security services. This decision reflects the evolving business priorities of Akamai, as stated by CEO Tom Leighton, emphasizing the higher growth and profitability potential in the cloud and security sectors. Akamai remains engaged with the Chinese market and continues to be a valuable partner for Chinese companies operating globally. Customers in China are advised to transition to alternative services by the decommissioning date to avoid service interruptions. Akamai is assisting in the migration process, particularly to Tencent Cloud. The move also mirrors broader concerns among tech companies about the risks of intellectual property leakage and stringent operational requirements in China. This strategic pivot away from CDN services, which are now seen as comparatively low-value, highlights an industry trend of tech giants moving towards more specialized and high-margin offerings.
2025-01-08 04:29:34 bleepingcomputer DATA BREACH PowerSchool Cyberattack Exposes Data of Students and Teachers
PowerSchool confirmed a data breach affecting its student information system (SIS) platform, impacting students' and teachers' personal information. Unauthorized access was gained via compromised credentials on PowerSchool's customer support portal, PowerSource. The attacker used a data manager tool within PowerSource to export sensitive data to CSV files, which included names, addresses, and possibly SSNs and medical information. PowerSchool has engaged cybersecurity firm CrowdStrike for investigation and mitigation, including password rotations and stricter policies. In response to the breach, the company negotiated with the threat actor and paid a ransom to ensure the deletion of the stolen data. Continuous monitoring of the dark web is underway to check for any leakage of the compromised data. PowerSchool is offering credit monitoring and identity protection services to those affected and is actively notifying impacted districts. The company seeks to maintain operational normality and transparency while awaiting a detailed investigation report from CrowdStrike.
2025-01-08 04:24:21 thehackernews CYBERCRIME CISA Alerts on Exploited Flaws in Mitel and Oracle Systems
CISA has added three critical vulnerabilities found in Mitel MiCollab and Oracle WebLogic Server to its KEV catalog. These vulnerabilities are currently being actively exploited, prompting an urgent security response. CVE-2024-41713 and CVE-2024-55550 can be exploited together, allowing unauthenticated remote attackers to access server files. These vulnerabilities were first reported by watchTowr Labs, which also uncovered a separate critical bug in Mitel MiCollab earlier. Oracle had previously communicated about potential malicious exploitation of recently patched vulnerabilities, including CVE-2020-2883. There is limited information on the specifics of the exploitation techniques, the identity of the attackers, or the exact targets. Federal agencies are mandated to implement the necessary security updates by January 2025 as per Binding Operational Directive 22-01.