Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-12-23 06:50:54 | thehackernews | DATA BREACH | Italy Fines OpenAI €15 Million for ChatGPT GDPR Violations | Italy's data protection authority issued a €15 million fine against OpenAI for GDPR violations related to data privacy with ChatGPT. OpenAI is penalized for not reporting a security breach and for using personal data to train ChatGPT without proper legal grounds. The authority highlighted OpenAI's lack of transparency and failure to meet information obligations towards users. OpenAI failed to implement age verification mechanisms, risking exposure of children to inappropriate content. In addition to the fine, OpenAI must conduct a six-month public communication campaign to inform the public about data collection practices and user rights under GDPR. Italy had temporarily banned ChatGPT access due to data protection concerns, lifting the ban after OpenAI addressed the issues. OpenAI plans to appeal the decision, deeming the fine disproportionate to its revenue from Italy. The European Data Protection Board (EDPB) recently provided opinions and guidelines on AI data processing and international data transfers. |
| 2024-12-22 15:22:19 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Steal $1.3 Billion in Crypto in 2024 | North Korean hackers stole a record $1.34 billion in cryptocurrency through 47 attacks in 2024, representing 61% of the year's total stolen funds. Chainalysis reports a significant increase in hacking incidents, with a notable rise of 21% in the value stolen compared to the previous year. The largest heists included the DMM Bitcoin hack, losing over $305 million, and the WazirX hack with $235 million. DeFi platforms suffered the most, but centralized services also faced substantial losses, primarily due to private key compromises. Private key security remains a crucial vulnerability, highlighting the need for improved security practices. North Korean state-sponsored hackers continue to target the crypto sector to fund the country's weapons programs. Despite a focus on major heists, the frequency of lower-value attacks has also grown, indicating a broader strategy by DPRK hackers. The consistent hacking activities suggest an ongoing threat to financial technology platforms into 2025, encouraged by rising cryptocurrency values. |
| 2024-12-21 15:18:33 | bleepingcomputer | CYBERCRIME | New Phishing Service "FlowerStorm" Emerges as Cybercrime Threat | "FlowerStorm," a Microsoft 365 phishing-as-a-service (PhaaS) platform, has been gaining traction since June 2024, following the closure of a similar service, Rockstar2FA. Researchers at Trustwave first documented Rockstar2FA, which allowed cybercriminals to conduct large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials for $200 per two weeks. Rockstar2FA's shutdown on November 11, 2024, was due to technical failures, not law enforcement action, as some critical service pages became unreachable. FlowerStorm, showing similarities with Rockstar2FA in terms of phishing tools and domain patterns, could be a rebranding of the latter, aimed at decreasing the operators' exposure. The majority of FlowerStorm's targets, around 63% of organizations and 84% of targeted users, are located in the United States, predominantly affecting the services, manufacturing, retail, and financial sectors. To combat these phishing threats, experts recommend implementing multi-factor authentication using AiTM-resistant FIDO2 tokens, along with deploying email and DNS filtering solutions. |
| 2024-12-21 09:25:03 | thehackernews | CYBERCRIME | Key Developer of LockBit Ransomware Faces U.S. Charges | Rostislav Panev, a dual Russian and Israeli national, has been charged by the U.S. for his involvement in developing LockBit ransomware, leading to billions in global damages. He was arrested in Israel in August and is awaiting extradition; investigations link him to around $230,000 in cryptocurrency earnings. LockBit, known for impacting over 2,500 entities across 120 countries, was part of a ransomware-as-a-service operation dismantled in February 2024. Panev's seized computer revealed he had access to the dark web repository with LockBit malware source code, and tools used for data exfiltration and encryption. In interviews, Panev admitted to coding and consulting for LockBit, including development of malware that disabled antivirus software and distributed ransom notes. The U.S. has charged several other LockBit members, indicating sustained efforts to neutralize this significant cybercrime threat. LockBit operators are reportedly planning a comeback with a new version, LockBit 4.0, showcasing the persistent challenge of combating cybercrime networks. |
| 2024-12-21 02:31:03 | bleepingcomputer | MALWARE | Sophos Fixes Critical Flaws in Firewall, Enhances Security | Sophos has patched three significant vulnerabilities in its Firewall product that could lead to SQL injection, remote code execution, and unauthorized SSH access. Affected versions include Sophos Firewall version 21.0 GA and older; comprehensive patches and firmware updates have been rolled out. The vulnerabilities, designated CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, impact a small percentage of devices under specific configurations. Hotfixes for these vulnerabilities were distributed on various dates, with permanent solutions incorporated in later firmware versions. Apart from direct updates, Sophos has recommended specific mitigation measures to reduce risk, including limiting SSH access and ensuring sensitive interfaces are not exposed to public networks. These security fixes and recommendations are crucial for protecting networks from potential remote exploits by unauthenticated attackers. Sophos actively provides updates and detailed instructions on implementing these fixes to maintain security integrity across its user base. |
| 2024-12-20 17:51:12 | bleepingcomputer | MALWARE | NPM Tokens Stolen to Spread Cryptomining Malware via Popular Packages | Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised using stolen npm tokens and modified to install cryptominers. The attack involved embedding XMRig, a Monero cryptocurrency miner, within the packages, using them as a vehicle for a supply chain attack. The malicious updates to @rspack/core and @rspack/cli were downloaded around 394,000 and 145,000 times weekly, while Vant averaged 46,000 downloads. Researchers discovered malicious code hidden in specific JavaScript files, programmed to execute automatically post-install and perform reconnaissance on victims' systems. The malware attempted to minimize detection by limiting CPU usage for cryptomining activities to 75% of available resources. Both affected parties, Rspack and Vant, acknowledged the security breaches, reverted the malicious changes, and urged users to upgrade to the newly secured versions of the packages. The incident was promptly identified and addressed, with recommendations to users for upgrading to newer, secure versions of the software to avoid cryptomining exploitation. |
| 2024-12-20 16:50:20 | bleepingcomputer | CYBERCRIME | US Charges Suspected Developer in LockBit Ransomware Case | The US Department of Justice has charged Rostislav Panev, a Russian-Israeli national, for his role in the LockBit ransomware operation. Panev allegedly developed the LockBit ransomware encryptors and the StealBit data theft tool. Arrested in Israel in August, Panev is currently awaiting extradition to the United States. Investigations revealed Panev had administrator credentials for an online repository on the dark web containing source code for LockBit encryptors and StealBit tools. Panev also used a hacking forum to communicate with LockBit's primary operator, known as LockBitSupp or Dmitry Yuryevich Khoroshev. He reportedly earned about $230,000 for his programming contributions to LockBit over 18 months. LockBit has been the target of significant international law enforcement efforts, including a joint operation in February 2024 that disrupted its operations. |
| 2024-12-20 15:34:18 | bleepingcomputer | MALWARE | Sophos Firewall Vulnerabilities Allow Remote Code Exploitation | Sophos has resolved three critical vulnerabilities in its Firewall product that permitted SQL injections, remote code execution, and unauthorized SSH access. Affected versions include Sophos Firewall version 21.0 GA and older, with solutions delivered through hotfixes and new firmware updates. CVE-2024-12727 affects about 0.05% of firewall devices, requiring a specific configuration for exploitation. CVE-2024-12728 and CVE-2024-12729 impact 0.5% of firewall devices, with specific mitigations recommended for users unable to apply updates. Hotfixes for CVE-2024-12727 were provided in December, while fixes for the other vulnerabilities were distributed in November and December respectively. Sophos released guidance for mitigating risks associated with these vulnerabilities, recommending configurations to limit exposure and secure remote access via VPN. For users unable to immediately upgrade, Sophos suggested limiting SSH access and ensuring specific interfaces are not exposed to external networks. |
| 2024-12-20 13:02:34 | bleepingcomputer | DATA BREACH | Krispy Kreme Hit by Play Ransomware, Sensitive Data Stolen | The Play ransomware gang claimed responsibility for a cyberattack on Krispy Kreme in November, disrupting U.S. operations, including online ordering. Krispy Kreme disclosed the breach in a December SEC filing, revealing that unauthorized IT system activity was detected on November 29. The company has engaged external cybersecurity experts to assess the impact and is implementing measures to contain and remediate the breach. The Play ransomware gang alleges it stole files containing sensitive information such as payroll, client documents, IDs, and financial records. The gang threatens to release the stolen data online by November 21, presumably unless a ransom is paid. Krispy Kreme employs 22,800 people and operates over 1,500 shops globally; online sales contribute significantly to its revenue stream. The Play ransomware group is known for its double-extortion tactics and has previously targeted several high-profile organizations. |
| 2024-12-20 12:06:43 | bleepingcomputer | DATA BREACH | Ascension Health Data Stolen in Ransomware Cyberattack | Ascension, a major U.S. healthcare provider, suffered a ransomware attack affecting 5.6 million patients and employees, compromising personal and health data. A link to the Black Basta ransomware gang has been suggested, though the group has not claimed responsibility on its data leak sites. Affected individuals are offered 24 months of IDX identity theft protection, including CyberScan monitoring and a $1,000,000 insurance policy. The data breach was reportedly initiated by an employee downloading a malicious file, believed to be an inadvertent error. The breach disrupted Ascension's critical systems, including MyChart health records, phone services, and other operational technologies. Post-incident, emergency procedures were altered and non-emergent operations were temporarily halted, impacting care provision. Ascension has engaged law enforcement and cybersecurity professionals to investigate and mitigate the breach aftermath. Reporting indicates an industry-wide escalation in ransomware attacks on healthcare entities by Black Basta since April 2022. |
| 2024-12-20 11:10:54 | bleepingcomputer | MISCELLANEOUS | Global Sports Piracy Network with 821 Million Visits Disbanded | The Alliance for Creativity and Entertainment (ACE) successfully dismantled a major sports streaming piracy operation based in Vietnam. The piracy network, known as Markkystreams, had amassed over 821 million visits in the past year, targeting mainly U.S. and Canadian audiences. This network illegally streamed a wide range of sports from both U.S. leagues and global sports categories. Significant sports streaming services like DAZN, beIN Sports, and Canal+ were among those impacted by this piracy operation. The shutdown included the transfer of control over 138 domain names associated with the piracy ring to ACE. ACE's action is part of a broader effort to combat live sports programming piracy, which poses a unique challenge due to the time-sensitive value of live broadcasts. The coalition continues to enforce anti-piracy measures and works closely with law enforcement agencies including the U.S. Department of Justice and Interpol. Previous successful shutdowns by ACE include large platforms like Openload and the anime pirate site Zoro.to. |
| 2024-12-20 10:45:26 | thehackernews | NATION STATE ACTIVITY | Lazarus Group Targets Nuclear Engineers with Sophisticated Malware | Lazarus Group, associated with North Korea, has initiated attacks against nuclear engineers using a new malware, CookiePlus, as part of its Operation Dream Job espionage campaign. The campaign, dating back to 2020, employs deceptive job offers to distribute malware to targets in sectors like defense, aerospace, and cryptocurrency. Recent activities by Lazarus Group involved distributing a trojanized VNC utility, under the guise of an IT skills assessment, which delivered malware designed to compromise systems. One specific attack utilized a modified TightVNC app named "AmazonVNC.exe," deployed via ISO and ZIP files to install a backdoor and additional payloads. The CookieTime malware was also deployed, using HTTP cookie values for command-and-control communication, demonstrating Lazarus Group's sophisticated techniques. The group's ongoing development of modular malware like CookiePlus highlights its focus on evading detection and enhancing its cyber capabilities. North Korean cyberattacks on cryptocurrency platforms have escalated in 2024, including a significant breach resulting in a $305 million theft from Japanese exchange DMM Bitcoin. |
| 2024-12-20 08:44:03 | thehackernews | MALWARE | Crypto Mining Malware Compromises Popular npm Packages | Two npm packages, @rspack/core and @rspack/cli, were found compromised in a supply chain attack, embedding cryptocurrency mining malware. Malicious versions 1.1.7 were removed from the NPM registry; the last secure versions are 1.1.8. Attackers gained unauthorized publishing access and inserted malicious scripts into the packages. The malware targets configurations and IP details, transmitting sensitive cloud credentials and restricting infection based on geographical location. The primary objective of the attack was to install an XMRig cryptocurrency miner on Linux systems via a post-installation script. The project maintainers responded by invalidating all npm and GitHub tokens, tightening repository permissions, and thoroughly auditing the source code. The incident has prompted discussions on the need for enhanced security practices for package managers, including attestation checks to ward off similar attacks. |
| 2024-12-20 08:23:33 | bleepingcomputer | MALWARE | Juniper Networks Alerts on Mirai Botnet Attacks on Routers | Juniper Networks has issued a warning about Mirai malware scanning the internet for Session Smart routers that use default credentials. First detected on December 11, the botnet has since used these compromised routers to launch DDoS attacks. The malware accesses routers through default login credentials, allowing attackers to take control and initiate malicious activities. Juniper has instructed customers to change default passwords, use unique passwords, keep device firmware updated, and monitor network activity with intrusion detection systems and firewalls. The company also emphasized the need to reimage any infected systems to fully eliminate the malware, as it is unclear what changes might have been made or what data might have been accessed. Further protective measures include reviewing access logs for anomalies and setting up automatic alerts for detected suspicious activity. |
| 2024-12-20 08:18:18 | thehackernews | MALWARE | Sophos Releases Hotfixes for Critical Firewall Vulnerabilities | Sophos has issued hotfixes for three security vulnerabilities in its Firewall products, with two rated as Critical. The flaws could potentially allow attackers remote code execution and privileged system access. The vulnerabilities affect Sophos Firewall versions 21.0 GA and older. No evidence suggests these vulnerabilities have been exploited in the wild as of now. Users are advised to restrict SSH access and disable WAN access via SSH as temporary precautions. Sophos also recommends updating to the latest firewall versions where the vulnerabilities have been addressed. The announcement follows the recent unsealing of U.S. charges against a Chinese national for exploiting a different Sophos firewall vulnerability in 2020. |