Daily Brief

Articles are listed below; each summary is automatically generated.

2024-12-05 01:00:09 | theregister | NATION STATE ACTIVITY | T-Mobile CSO Discusses Novel Cyber-Espionage Tactic by Chinese Hackers
T-Mobile US CSO Jeff Simon described a previously unseen infiltration technique used by Salt Typhoon, a group linked to the Chinese government, against US telecom networks. The group gained deep access at several US providers, compromising lawful-intercept (wiretapping) systems and stealing customer data; T-Mobile says it shut the intruders out within days. Simon gave no specifics on how long the attackers were present or what tools they used, but said the way they moved from one telecom's infrastructure into another's was unique and has not been disclosed. FBI and CISA officials, for their part, said the campaign relied on no new techniques, even though its reach and severity were extensive. Unlike other affected operators, T-Mobile US reports no significant breach of sensitive customer data and no service disruption, which it attributes to its security controls and to rapidly rotating workforce credentials once the activity was spotted. US officials recommended strong end-to-end encryption for messaging and calls so that content stays out of reach of this kind of espionage even when carrier infrastructure is compromised. T-Mobile US says it worked with federal authorities and other carriers to contain the activity and understand it better.
2024-12-04 23:18:59 | bleepingcomputer | MALWARE | New DroidBot Malware Targets Banks, Crypto Apps in Europe
DroidBot is a new Android banking trojan built to steal credentials for 77 banking and cryptocurrency apps across several European countries. Cleafy researchers found it being sold as malware-as-a-service (MaaS) for $3,000 per month. Active since June 2024, it has produced 776 unique infections, concentrated in the UK, Italy, France, Turkey, and Germany, and 17 affiliate groups run customized builds against their own targets, which shows how readily the kit scales. It is delivered disguised as legitimate software such as Google Chrome or an "Android Security" app to trick users into sideloading it. Once installed, DroidBot abuses Android's Accessibility Services to read what is on screen, capture user input, and inject simulated taps, which is what makes it so invasive; an app that asks for accessibility access without an obvious need should be refused. Cleafy notes the malware is still under active development and expects it to spread beyond its current regions, Latin America included. Android users should install apps only from Google Play, scrutinize permission requests, and keep Play Protect enabled.
2024-12-04 23:03:33 | bleepingcomputer | NATION STATE ACTIVITY | Salt Typhoon: Chinese Hackers Target Global Telecoms
Chinese state-backed hackers tracked as Salt Typhoon have infiltrated telecom companies around the world, including at least eight in the US, in intrusions that may have been under way for one to two years. The White House and CISA confirmed the cyber-espionage campaign against US and international telecommunications, which exposed private communications and a limited number of government communications. The attackers got in by exploiting vulnerabilities in the carriers' systems and used that access to intercept and steal large volumes of internet traffic and sensitive data. T-Mobile was compromised alongside other major US carriers, including Verizon, AT&T, and Lumen Technologies, although T-Mobile reports no current attacker activity on its network. The FBI and CISA have urged people to use encrypted messaging so that message content is protected even when the carrier network is compromised. Federal agencies have also published hardening guidance for system administrators that stresses patching and locking down exposed network infrastructure. There is still no confirmation that Salt Typhoon has been fully evicted from the compromised networks, and the full scope of the intrusion remains unclear.
2024-12-04 20:42:00 | bleepingcomputer | CYBERCRIME | FBI Cautions on Increasing AI-Enhanced Online Fraud Tactics
The FBI has warned that scammers are using generative AI to build more convincing fraud schemes, including romance scams, fake investment opportunities, and bogus job offers. AI makes these scams more believable and easier to run at scale, cutting the time needed to deceive a target. Examples the FBI cited include AI-generated fake identities and deepfake videos, often of celebrities, used to promote cryptocurrency scams. The bureau also noted that North Korean IT workers use AI to fabricate personas so they can be hired by organizations worldwide, for espionage or to deploy malware. Anyone who suspects they have been targeted should report it to IC3 with a detailed description of the interaction and any financial transactions. Awareness of these tactics, together with verifying identities and offers through an independent channel, remains the main defense against fraud that can now look highly realistic.
2024-12-04 20:21:32 | bleepingcomputer | CYBERCRIME | UK Operation Destabilises Russian Ransomware Money Laundering Networks
The UK National Crime Agency (NCA) has disrupted two large Russian money-laundering networks, Smart and TGR, arresting 84 Russian-speaking suspects. The networks laundered money for ransomware gangs, including the now-defunct Ryuk and Conti operations. Operation Destabilise was run with international partners including the FBI, the US Treasury's OFAC, and law enforcement in France, Ireland, and the UAE. Those arrested include leaders of both organizations, which laundered over $2.3 million in proceeds from ransomware attacks. The UK had already sanctioned key figures in the networks in 2023 as part of wider action against Russian financial crime. The funds were also tentatively linked to Russian elites and to transactions that may have financed Russian state media operations in the UK. The operation exposed the previously unknown scale of these networks, which helped evade Western sanctions and supported Russian paramilitary activity through cryptocurrency dealings with sanctioned entities.
2024-12-04 18:40:33 | bleepingcomputer | CYBERCRIME | BT Group Mitigates Black Basta Ransomware Attack on Servers
BT Group has confirmed that its BT Conferencing division was hit by a Black Basta ransomware attack and that some servers were taken offline in response. The conferencing service itself was not affected and remains operational. Black Basta claims to have stolen 500GB of data from BT, including financial and organizational records, although the full impact is still being investigated. The gang has listed BT on its dark web leak site with a countdown timer, the usual pressure tactic to force a ransom payment. BT says it is working with law enforcement and regulators while it handles the incident. Black Basta is a ransomware-as-a-service operation with a long track record of hitting large organizations across sectors, including healthcare and government contractors. No impact on other BT Group services or customer-facing systems has been reported, but detailed assessments and the investigation are ongoing.
2024-12-04 18:30:05 | bleepingcomputer | MALWARE | DroidBot Malware Targets Banking and Crypto Apps Across Europe
DroidBot, a newly documented Android banking malware, targets 77 banking and cryptocurrency apps across several European countries. It is run as malware-as-a-service (MaaS), with affiliates paying $3,000 per month. Active since at least June 2024, it has infected 776 devices in countries including the UK, Italy, France, Turkey, and Germany. Affiliates get a malware builder, command-and-control servers, and a central admin panel, and can tailor payloads to their chosen targets. DroidBot contains no novel techniques, but the volume of activity and its continuing development suggest an expansion into Latin America is planned. It is typically disguised as a legitimate app such as Google Chrome or the Google Play Store to persuade users to install it. Users should download apps only from trusted sources, watch permission requests closely, and make sure Play Protect is enabled.
2024-12-04 17:34:16 | bleepingcomputer | CYBERCRIME | Solana Web3.js SDK Compromised to Steal Cryptocurrency Keys
The official Solana JavaScript SDK, @solana/web3.js, was compromised in a supply-chain attack that stole cryptocurrency private keys. After taking over an account with publish access to the npm package, the attackers released malicious versions 1.95.6 and 1.95.7 containing code designed to steal private and secret keys from developers and from Solana dApps that use the library. The backdoor targeted the functions that handle private keys, adding a malicious addToQueue function that exfiltrated the keys. With the stolen keys the attackers drained wallets of SOL and tokens including USD Coin, for an estimated loss of around $184,000. The malicious versions have been unpublished and a clean release, v1.95.8, is available. Anyone who installed or built with 1.95.6 or 1.95.7 should upgrade immediately and, because keys may already have been exfiltrated, rotate every key and authority that the affected code could have touched; a transitive pin pulled in by another dependency counts just as much as a direct one. The Solana address used to receive the stolen assets has been identified and linked to the thefts.
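The first thing a practitioner wants after reading the Solana entry above is a way to tell whether any project, including its transitive dependencies, ever pinned 1.95.6 or 1.95.7. The following is an added example written for this page; it is not code from the article or from Solana's own tooling. It reads an npm lockfile (package-lock.json or npm-shrinkwrap.json, lockfileVersion 1, 2 or 3) and reports every installed copy of a compromised release, including copies nested under another dependency, which a top-level look at package.json misses. The sample lockfiles are constructed for the example.

```javascript
// Added example (not from the article, nor Solana's own tooling): scan an
// npm lockfile for the compromised @solana/web3.js releases named in the
// advisory. Handles package-lock.json / npm-shrinkwrap.json in
// lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

const COMPROMISED = {
  '@solana/web3.js': new Set(['1.95.6', '1.95.7']),
};

// Package name from a lockfileVersion 2/3 "packages" key such as
// "node_modules/foo/node_modules/@solana/web3.js" -> "@solana/web3.js".
function nameFromPath(p) {
  const marker = 'node_modules/';
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 file.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ path, name, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, out);
  }
}

// Every installed package instance in the lockfile as {path, name, version}.
// A transitive copy nested under another dependency is a separate instance,
// which is exactly the case a glance at package.json hides.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      out.push({ path, name: meta.name || nameFromPath(path), version: meta.version });
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// Instances whose name and exact version are on the compromised list.
function findCompromised(lock) {
  return installedPackages(lock).filter(
    ({ name, version }) => COMPROMISED[name] !== undefined && COMPROMISED[name].has(version),
  );
}

// Constructed sample (lockfileVersion 3): the top-level dependency is on the
// clean 1.95.8, but a wallet adapter library pins the malicious 1.95.7.
const sampleLockV3 = {
  name: 'my-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-dapp', version: '0.1.0' },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/some-wallet-adapter': { version: '2.0.0' },
    'node_modules/some-wallet-adapter/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// Constructed sample (lockfileVersion 1): an older, unaffected pin.
const sampleLockV1 = {
  name: 'cli-tool',
  lockfileVersion: 1,
  dependencies: {
    '@solana/web3.js': {
      version: '1.95.5',
      dependencies: { 'bn.js': { version: '5.2.1' } },
    },
  },
};

// CLI use: node check-solana-lock.js path/to/package-lock.json
// (falls back to the constructed sample when no path is given).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLockV3;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no compromised @solana/web3.js versions found');
}
```

Run it against every lockfile in the organization, including CI caches and container images built during the window, not just the repositories developers remember touching. A hit means the keys that host handled must be rotated regardless of whether the lockfile has since been updated, because the exfiltration already happened at install time.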
2024-12-04 17:29:00 | thehackernews | NATION STATE ACTIVITY | Russia-Linked Turla Hijacks Pakistani Servers to Target Afghan, Indian Entities
Turla, a Russian APT, has been using infrastructure belonging to the Pakistani threat actor Storm-0156 to reach targets in Afghanistan and India. Since December 2022 Turla has been inside Storm-0156's command-and-control servers, and by mid-2023 it had extended that control. Through those servers Turla deployed its own malware, including TwoDash and Statuezy, into the networks of several Afghan government entities. Microsoft confirmed that Turla was operating on infrastructure overlapping with Storm-0156 and related activity. Turla's toolkit is broad and its targets are mainly government, military, and diplomatic organizations. It has a history of hijacking other groups' infrastructure, including that of Iranian APTs and the ANDROMEDA commodity malware. The hijacked servers held backdoors and data already exfiltrated from military and defense organizations, which Turla could collect without touching the victims directly. Operating through someone else's infrastructure muddies attribution and lets Turla gather intelligence with minimal direct engagement.
2024-12-04 17:03:32 | bleepingcomputer | NATION STATE ACTIVITY | Russian Turla Group Hijacks Pakistani Hackers for Espionage
Turla, the cyber-espionage group linked to Russia's FSB, has been piggybacking on the infrastructure of the Pakistani hacking group Storm-0156 to run covert attacks of its own. Through networks Storm-0156 had already breached, Turla reached Afghan and Indian government organizations and planted backdoors including TinyTurla, TwoDash, Statuezy, and MiniPocket. In mid-2023 Turla went further and compromised Storm-0156's own workstations, gaining access to the group's malware tooling and stolen data. Microsoft's Threat Intelligence team and Lumen's Black Lotus Labs documented the operation together. Operating this way lets Turla collect intelligence quietly, shift suspicion onto another actor, and make attribution harder. It is a clear case of a nation-state actor hijacking another malicious actor's capabilities to serve its own geopolitical aims. Lumen has disrupted Turla's access by null-routing traffic to the compromised command-and-control infrastructure.
2024-12-04 15:32:20 | theregister | CYBERCRIME | German Authorities Arrest Admin of High-Risk Cybercrime Marketplace
German police and cybercrime prosecutors have arrested a 29-year-old man suspected of administering Crimenetwork, a major German-language online crime marketplace. Active since 2012, the platform traded drugs, weapons, stolen data, and forged documents, mostly among German-speaking users. Cryptocurrency worth around €1 million was seized at the time of the arrest; the platform is estimated to have handled over €90 million in illicit transactions. The takedown is part of the wider European campaign against organized cybercrime, alongside operations such as Cronos and Endgame. Authorities say they have obtained extensive data from the site, including communications and transaction records, which is likely to lead to further arrests and prosecutions. Crimenetwork had been taken down once before, in 2017, but resumed operating, which is why it has drawn repeated law enforcement action. The case also reflects growing European coordination, including tooling for cross-border data sharing and analysis.
2024-12-04 15:32:19 | bleepingcomputer | CYBERCRIME | Japan CERT Warns of Zero-Day Router Vulnerabilities Exploitation
Japan's CERT (JPCERT/CC) has warned that zero-day vulnerabilities in I-O Data routers are being exploited in the wild. Attackers are using them to change device settings, run arbitrary OS commands, and turn off the firewall. Three flaws are involved: an information disclosure bug, a remote OS command execution bug, and one that allows the firewall to be disabled. The affected models are the UD-LT1 and UD-LT1/EX, which are sold mainly in Japan. I-O Data plans a patch for December 18, 2024; the firmware currently available fixes only one of the three flaws, so the vendor has published interim mitigations to use until then. The exploitation came to light when users noticed unauthorized changes to their router settings. Standard precautions for any router with an unpatched remote command-execution flaw apply here: keep the management interface off the WAN side, replace default credentials, and review the configuration for changes you did not make.
2024-12-04 15:01:49 | bleepingcomputer | MISCELLANEOUS | NIST Updates Guideline, Urges Stronger Password Protocols
NIST's updated digital identity guidelines (SP 800-63B) favor password length over composition rules. Verifiers should accept passwords of at least 64 characters and should not demand mixes of character classes, since a long passphrase resists guessing better than a short "complex" string. Multi-factor authentication (MFA) is treated as essential because of how sharply it reduces account takeover. NIST also advises against forcing periodic password changes; a change should be required only when there is evidence of compromise. Organizations should screen new passwords against lists of values exposed in previous breaches, since reuse of leaked passwords is what credential-stuffing attacks depend on. Password hints and knowledge-based recovery questions are discouraged in favor of recovery through secure email links and MFA. The article promotes Specops Software's Password Auditor and Password Policy tools as a way to align existing policies with these recommendations.
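The NIST entry above reads as a list of rules; what makes the difference concrete is seeing the old complexity-and-expiry policy and the SP 800-63B-style policy applied to the same inputs. The following is an added example written for this page, not code from the article, from NIST, or from Specops. The blocklist, the 128-character hard cap, and the legacy rules are this example's assumptions.

```javascript
// Added example (not from the article, from NIST, or from Specops): a
// password verifier following the SP 800-63B rules the summary lists, beside
// the legacy composition-and-expiry policy it replaces. The blocklist, the
// 128-character hard cap and the legacy rules are this example's assumptions.

const NIST_MIN_LENGTH = 8;    // SP 800-63B minimum for a user-chosen password
const NIST_MUST_ACCEPT = 64;  // verifiers must accept at least this many characters
const HARD_CAP = 128;         // assumption: a cap above 64, only to bound hashing cost

// Constructed stand-in for a breached/common-password blocklist; a real
// verifier screens against a large breach corpus (lower-cased, exact match).
const BLOCKLIST = new Set([
  'password', 'password123', 'p@ssw0rd', 'qwerty123', 'letmein1', 'summer2024!',
]);

// NIST: normalize Unicode (NFKC) and count code points, not UTF-16 units,
// so "ñ" is one character however the client encoded it.
function codePoints(pw) {
  return [...pw.normalize('NFKC')];
}

// Legacy policy: character-class rules, a short cap and a 90-day clock.
// Shown only as the "before"; it rejects long passphrases and accepts
// predictable "complex" strings such as P@ssw0rd.
function legacyPolicy(pw, daysSinceChange) {
  const reasons = [];
  if (pw.length < 8 || pw.length > 16) reasons.push('length must be 8-16');
  if (!(/[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw))) {
    reasons.push('needs upper, lower, digit and symbol');
  }
  if (daysSinceChange >= 90) reasons.push('expired after 90 days');
  return { ok: reasons.length === 0, reasons };
}

// SP 800-63B-style acceptance: length and blocklist screening only.
// No composition rules, no hints, and nothing about calendar age.
function nistPolicy(pw, { username = '' } = {}) {
  const reasons = [];
  const cps = codePoints(pw);
  const lower = cps.join('').toLowerCase();
  if (cps.length < NIST_MIN_LENGTH) reasons.push(`shorter than ${NIST_MIN_LENGTH} characters`);
  if (cps.length > HARD_CAP) reasons.push(`longer than ${HARD_CAP} characters`);
  if (BLOCKLIST.has(lower)) reasons.push('appears in the breach/common-password blocklist');
  if (username && lower.includes(username.toLowerCase())) reasons.push('contains the username');
  return { ok: reasons.length === 0, reasons };
}

// Rotation: required only on evidence of compromise. Password age is
// deliberately not a parameter, so a calendar interval can never trigger it.
function mustRotate({ compromised = false } = {}) {
  return compromised;
}

// Constructed comparison: the two policies disagree on both samples,
// in opposite directions.
function compare() {
  const samples = ['P@ssw0rd', 'correct horse battery staple is long'];
  return samples.map((pw) => ({
    pw,
    legacy: legacyPolicy(pw, 10).ok,
    nist: nistPolicy(pw).ok,
  }));
}
```

The point of compare() is the inversion: the legacy rules pass "P@ssw0rd", which is on every breach list, and reject a 36-character passphrase that no guessing attack will reach. Counting code points after NFKC normalization matters in practice because two clients can send the same visible password in different encodings, and a verifier that counts UTF-16 units or hashes un-normalized input will reject a valid login.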
2024-12-04 14:06:09 | theregister | MISCELLANEOUS | Issues Arise with Windows Recall Feature After Update
Microsoft has acknowledged that the Windows Recall feature stops saving snapshots for some Dev Channel users. The trigger is the non-security preview update KB5046740, released on November 21: users who installed it and then joined the Windows Insider Dev Channel found that Recall no longer captured anything. Microsoft's advice is not to install that preview update before joining the Dev Channel, and it has told users already affected that a clean reinstall of Windows is the way to recover. The episode adds to existing doubts about Microsoft's quality control on preview releases. Recall is meant to let users search their past desktop activity through AI-indexed screenshots; since its announcement it has drawn sustained criticism over the privacy and security risk of keeping a searchable record of everything shown on screen.
2024-12-04 12:24:58 | thehackernews | CYBERCRIME | Global Law Enforcement Dismantles MATRIX Criminal Messaging Service
Europol has announced the takedown of MATRIX, an encrypted messaging service built for criminal use, in an operation led by French and Dutch authorities. The investigation began in 2021 when the app was found on the phone of a suspect in the murder of Dutch journalist Peter R. de Vries; investigators went on to intercept more than 2.3 million messages. MATRIX, which is unrelated to the decentralized matrix[.]org protocol, was used for international drug and arms trafficking and money laundering. Authorities in Italy, Lithuania, and Spain supported the operation, which produced several arrests and the seizure of core servers in France and Germany. The service had more than 8,000 users worldwide, each paying between $1,360 and $1,700 in cryptocurrency for access. Seized assets include €145,000 in cash, €500,000 in cryptocurrency, four vehicles, and more than 970 mobile phones. Europol framed the takedown as part of its continuing effort to keep pace with the fragmentation of criminal communications that followed earlier shutdowns of similar networks.