Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-11-29 17:52:59 | bleepingcomputer | CYBERCRIME | Russia Detains Notorious Ransomware Affiliate Mikhail Matveev | Russian national Mikhail Pavlovich Matveev, known by multiple aliases including Wazawaka and Boriselcin, has been arrested and indicted in Russia for his ties to ransomware operations and hacking groups. Accused of developing ransomware aimed at encrypting commercial organizations' data for ransom, his case is currently headed to the Central District Court of Kaliningrad. The U.S. Justice Department has also charged Matveev for his involvement with prominent ransomware groups such as Hive and LockBit, targeting various victims in the U.S. Matveev is identified as the original creator and administrator of the RAMP hacking forum and the Babuk ransomware, which was notably involved in the Washington DC Capitol Police data exposure. The U.S. Department of the Treasury has sanctioned him for attacks against U.S. entities, including law enforcement and critical infrastructure, while the State Department offers a $10 million reward for information leading to his capture or conviction. Despite the indictments and sanctions, Matveev maintained a public online presence, engaging with cybersecurity experts and even taunting U.S. law enforcement through social media. |
| 2024-11-29 17:47:44 | theregister | MALWARE | Zabbix Warns of Critical SQL Injection Vulnerability in Products | Zabbix has disclosed a critical SQL injection vulnerability, identified as CVE-2024-42327, and is urging customers to update affected versions immediately to prevent possible system compromise. The vulnerability, with a CVSS score of 9.9, allows non-admin users with API access to execute SQL commands, potentially leading to full system control. Affected versions include Zabbix 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0; updates that address the security risk are available for these versions. The flaw belongs to a class of bugs termed "unforgivable" by US agencies such as the FBI and CISA, which have long expected vendors to eliminate such vulnerabilities before release. Major global enterprises across various sectors, including Altice, Dell, and the European Space Agency, are among those potentially impacted by this vulnerability due to their use of Zabbix products. The disclosure aligns with the increased industry focus on 'Secure by Design' principles promoted by US government cybersecurity agencies throughout 2024. SQL injection vulnerabilities continue to represent a significant portion of known exploited vulnerabilities, often serving as gateways to further cyberattacks, including ransomware. |
| 2024-11-29 17:22:16 | bleepingcomputer | DATA BREACH | Bologna Football Club Suffers Data Breach in Ransomware Attack | Bologna FC 1909 confirmed a ransomware attack on its systems, attributed to the RansomHub extortion group. The attack resulted in the theft and subsequent online leak of sensitive data, including medical, personal, and confidential details of club players. RansomHub claimed responsibility on November 19, 2024, and threatened to publish the stolen data unless a ransom was paid. Bologna FC warned that downloading, possessing, or disseminating the stolen data is considered a serious criminal offense. The club declined to meet the ransom demands, leading to the publication of the stolen data on the dark web. The incident serves as a warning about the vulnerabilities and potential consequences of cyberattacks in sports organizations. Similar ransomware attacks have targeted high-profile sports teams in the past, indicating a trend in which criminals pursue lucrative targets within the sports industry. |
| 2024-11-29 17:01:51 | bleepingcomputer | MALWARE | Unofficial Patches Released for Windows Server 2012 Zero-Day | An unofficial security patch has been released to address a zero-day vulnerability affecting the Mark of the Web (MotW) security feature in Windows Server 2012 and Server 2012 R2. The vulnerability allows attackers to bypass the MotW labels that warn users about files from untrusted sources, potentially leading to malware installation. The flaw has existed undetected or unaddressed in Windows Server 2012 for over two years, even on servers with Extended Security Updates. The patches, provided by the 0patch platform of ACROS Security, are available for free and can be applied without requiring a system restart. Users need to create a 0patch account and install the 0patch agent to deploy these micropatches automatically, unless blocked by custom patching policies. ACROS Security plans to withhold specific details about the vulnerability until Microsoft releases an official security update, to limit the potential for attacks. The disclosure highlights the ongoing risks of using legacy systems that no longer receive official updates, and the importance of alternative security solutions like 0patch for such systems. |
| 2024-11-29 13:19:37 | thehackernews | NATION STATE ACTIVITY | AI-Driven Fake News Campaign and Cyber Attack by Russia Uncovered | A Moscow-based company, Social Design Agency (SDA), has been accused of running AI-powered fake news campaigns against Ukraine and of influencing U.S. political sentiment. SDA uses artificial intelligence to create videos and websites mimicking legitimate news outlets to spread disinformation in Ukraine, Europe, and the U.S. The campaign, named Operation Undercut, aims to undermine Ukraine's leadership, reduce the effectiveness of Western aid, and escalate socio-political tensions in the West. Operation Undercut is linked to previous campaigns, sharing infrastructure with both Doppelganger and Operation Overload, which focus on destabilizing Western elections and events. Over 500 social media accounts across platforms such as 9gag are used to amplify SDA's misleading content, employing trending hashtags to widen its reach. Concurrently, the Russian-linked APT28 conducted a "nearest neighbor attack" to breach a U.S. company's network through an adjacent entity, highlighting the sophisticated intrusion techniques used by state-sponsored actors. APT28's attack involved stealing valid wireless credentials through password-spray attacks and accessing the target's Wi-Fi network, which did not require multi-factor authentication. |
| 2024-11-29 12:28:58 | theregister | CYBERCRIME | Ransomware Attack Targets NHS Alder Hey Children's Hospital | The ransomware gang INC Ransom has claimed responsibility for an attack on NHS Alder Hey Children's Hospital and is threatening to leak sensitive data. The attack also affected Liverpool Heart and Chest Hospital NHS Foundation Trust, and is separate from an unrelated incident at Wirral University Teaching Hospital NHS Trust. Published stolen data allegedly includes patient and donor information, medical reports, and financial documents dating back to 2018. Alder Hey is working with the National Crime Agency and other partners to secure its systems and assess the impact of the breach. Despite the cyberattack, Alder Hey Children's Hospital has maintained normal operations, with no interruptions to scheduled procedures or appointments. This incident marks another attack by INC Ransom, which previously targeted NHS Scotland in June and NHS Dumfries and Galloway, resulting in significant data theft. The proximity and timing of the attacks on the Alder Hey and Wirral NHS Trusts raise concerns, since attacks clustered so closely in both geography and time are rare. |
| 2024-11-29 11:02:58 | thehackernews | MISCELLANEOUS | Navigating Challenges and Trends in the Cyber-Physical Landscape for 2025 | Industry experts shared insights on the convergence of digital and physical security, evaluating the persistent need for robust cybersecurity measures as the boundaries between physical and virtual realms blur. Risks associated with hyperconnectivity and emerging technology trends, including AI and the Internet of Things (IoT), were discussed, highlighting the need for proactive security strategies. The discussion included a detailed exploration of successive technological waves from Web 1.0 to AI integration, emphasizing the ongoing transformation and the importance of strategic security responses. Persistent security threats accompanying technological evolution were identified, with an emphasis on deepfakes, compromised data privacy, and tightening regulation around new technology adoption. Key strategies outlined for staying ahead included enhancing AI-human collaboration, securing data, and building supply chains resilient to increasingly complex security threats. The importance of a balanced approach integrating both cyber and physical defenses was stressed, pointing to a unified security framework as critical for future preparedness. Claro Enterprise Solutions presented its vision for a fully integrated cyber-physical defense system using technologies such as AI video analytics and Zero Trust networking. The webinar concluded with actionable insights and solutions offered by Claro to support organizations in improving their security posture ahead of future cyber-physical challenges. |
| 2024-11-29 10:07:15 | thehackernews | CYBERCRIME | Phishing Service "Rockstar 2FA" Targets Microsoft 365 With Advanced Attacks | Cybersecurity researchers have identified a phishing-as-a-service toolkit named Rockstar 2FA that aims to compromise Microsoft 365 accounts. Rockstar 2FA facilitates adversary-in-the-middle (AiTM) attacks capable of intercepting credentials and session cookies, endangering even users who have multi-factor authentication enabled. The toolkit is an evolution of the DadSec (Phoenix) phishing kit, whose operators Microsoft tracks under the name Storm-1575. Sold via ICQ, Telegram, and Mail.ru, Rockstar 2FA offers features such as 2FA bypass, cookie harvesting, and antibot mechanisms for $200-$350 per subscription period. Trustwave researchers observed diverse access vectors used by the tool, including embedded URLs, QR codes, and document attachments in emails sent from compromised or spam accounts. The phishing pages mimic legitimate sign-in pages, use HTML obfuscation to evade detection, and include antibot features to prevent automated analysis. Attackers host phishing links on reputable platforms such as Google Docs Viewer and Microsoft OneDrive, taking advantage of their trusted status to deceive users. Data exfiltrated from the phishing sites is used for further attacks, while related phishing activity and fraudulent apps pose substantial financial risks to users. |
| 2024-11-29 09:36:48 | thehackernews | CYBERCRIME | Microsoft Patches Critical Security Flaws, One Actively Exploited | Microsoft has resolved four security vulnerabilities affecting its AI, cloud, ERP, and Partner Center services. One of the patched vulnerabilities, tracked as CVE-2024-49035, was actively exploited and involved unauthenticated privilege escalation at partner.microsoft[.]com. This vulnerability carries a high severity score of 8.7 and allowed attackers to escalate privileges over the network without authentication. The flaw was discovered and reported by Gautam Peri, Apoorv Wadhwa, and an unidentified researcher. Fixes for these vulnerabilities are being rolled out automatically through updates to Microsoft Power Apps. Additional vulnerabilities rated Critical and Important were also addressed, but they require users to update their Dynamics 365 Sales apps on Android and iOS to the latest versions. Microsoft has not disclosed specifics on the real-world exploitation tactics or the impact of these vulnerabilities. |
| 2024-11-29 09:21:29 | theregister | MISCELLANEOUS | SANS Celebrates 35 Years of Advancing Cybersecurity Training | SANS Institute marks its 35th anniversary by expanding the comprehensive cybersecurity education it offers globally. SANS has issued approximately 240,000 GIAC certifications, reflecting its significant impact on cybersecurity professionalism. Continuous updates to courses ensure that they meet the evolving challenges in cybersecurity, with over 85 courses now available. New courses for 2025 include Cybercrime Intelligence and Linux Incident Response, highlighting the expansion into specialized areas of cybersecurity. Existing courses such as Cloud Security Architecture and Windows Forensic Analysis have been refreshed to keep pace with technological advancements. SANS remains dedicated to providing actionable and practical knowledge to cybersecurity experts so they can effectively counter modern cyber threats. The anniversary highlights the importance of continuous professional education in cybersecurity to adapt to the ever-changing threat landscape. |
| 2024-11-29 05:34:18 | thehackernews | NATION STATE ACTIVITY | U.S. Citizen Sentenced for Spying for China's Intelligence Agency | Ping Li, a 59-year-old U.S. citizen, was sentenced to four years in prison for acting as a spy for China, specifically for the Ministry of State Security (MSS). Originally from the People's Republic of China, Li was employed at major corporations such as Verizon and Infosys, where he collected sensitive information. Li's espionage activities began as early as August 2012 and included gathering data on Chinese dissidents, pro-democracy advocates, and details about U.S. politicians. The sentence also includes a $250,000 fine and three years of supervised release following his prison term. Information Li shared included internal corporate training materials from Verizon and information on significant cyber incidents such as the SolarWinds attack. Li used anonymous email accounts to transmit information to his contacts in the MSS, including an old school and college friend. The Department of Justice highlights the broader context of ongoing Chinese espionage efforts targeting U.S. telecommunications and political entities. Recent convictions and reports indicate a persistent and widespread pattern of espionage by the Chinese Communist Party in the U.S. across multiple sectors. |
| 2024-11-28 16:57:45 | thehackernews | MALWARE | Critical Security Flaws in Advantech Wi-Fi Access Points Exposed | Nearly two dozen security vulnerabilities have been identified in Advantech EKI wireless access points, some of which enable authentication bypass and code execution. Cybersecurity firm Nozomi Networks disclosed the vulnerabilities, which include flaws allowing unauthenticated remote code execution with root permissions. Six of the twenty discovered vulnerabilities are rated critical and can permit persistent internal access and potential network infiltration. Attack vectors include deploying backdoors, triggering denial-of-service conditions, and repurposing the devices as Linux workstations for further attacks. The most significant vulnerabilities concern improper handling of special elements in OS commands and missing authentication mechanisms. Affected firmware versions have been updated to address these security issues following responsible disclosure. One attack scenario requires proximity to the device and exploits a combination of cross-site scripting and OS command injection via a malicious Wi-Fi SSID broadcast. |
| 2024-11-28 16:52:28 | bleepingcomputer | MISCELLANEOUS | Tor Project Calls for 200 New Bridges to Counter Censorship | The Tor Project is urgently requesting community help to deploy 200 new WebTunnel bridges to combat increased governmental censorship. The initiative aims to strengthen resistance against censorship tactics that target the browser's built-in features and the overall effectiveness of Tor. Currently, the organization has 143 WebTunnel bridges in operation, which are crucial for users in heavily censored regions to access the internet freely. WebTunnel bridges work by disguising Tor traffic as normal HTTPS traffic, making it difficult for censors to detect and block. The ongoing crackdown in Russia involves blocking Tor access points and targeting popular hosting providers, disrupting many existing bridges and apps. A new campaign running until March 10, 2025, encourages volunteers to set up new bridges, with incentives for substantial contributions. Volunteers need a static IPv4 address, a self-hosted website with a valid SSL/TLS certificate, and significant bandwidth to participate. |
| 2024-11-28 12:35:08 | theregister | CYBERCRIME | NHS Cyber Incident Disrupts Services, Prompts Offline Measures | A significant cyber incident has impacted a North West England NHS group, forcing a switch to paper-based operations. The Wirral University Teaching Hospital NHS Trust detected suspicious activity and isolated systems to prevent the issue from spreading. Scheduled procedures were cancelled, and IT systems were taken offline as a security measure. The Trust is collaborating with national cybersecurity services to resolve the issue and restore normal operations promptly. Despite the cybersecurity issues, essential services such as maternity and emergency treatment remain operational, though with potential delays. Patients with scheduled appointments are advised to attend unless specifically instructed otherwise. The incident first came to light on Monday evening, with initial advice to avoid certain NHS facilities for non-serious conditions because of expected long waiting times. |
| 2024-11-28 11:34:25 | thehackernews | MISCELLANEOUS | Enhancing Serverless Security Through Real-Time Monitoring | Serverless environments such as AWS Lambda are highly scalable and efficient but pose significant security challenges. Traditional security practices in serverless settings rely primarily on log monitoring and static analysis, which are inadequate for detecting certain types of attacks, such as malicious code injection that generates no logs. Real-world risk scenarios include unauthorized subprocesses within Lambda functions and exploitation of third-party vulnerabilities. The evolution of cloud security emphasizes the need for runtime protection that offers proactive defense rather than reactive log-based approaches. Sweet Security has introduced a serverless sensor for AWS Lambda that enhances security by enabling deep, real-time monitoring of functions. The sensor not only observes Lambda runtime activity but also detects and blocks suspicious behavior and anomalies before any damage occurs. Sweet Security's approach allows for a dynamic defense against sophisticated threats in serverless architectures, demonstrating a shift from traditional to advanced security tactics. |