Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-21 02:20:41 bleepingcomputer DATA BREACH Cyberattack Exposes Health Data of 750,000 Patients in France
A French hospital suffered a data breach exposing the medical records of about 750,000 patients. A threat actor using the handle 'nears' got into the hospital's instance of the MediBoard electronic patient record platform, made by Softway Medical Group, using compromised credentials; Softway says no software flaw or misconfiguration was involved and that the affected data was managed by the hospital rather than hosted by Softway. The stolen data includes healthcare and billing information and has been put up for sale, so far without a buyer. The intrusion also reportedly gave the actor the ability to modify patient appointments and medical records. Beyond the privacy impact, the exposed records give attackers convincing material for phishing and social-engineering attacks against the affected patients.
2024-11-21 01:35:08 theregister CYBERCRIME Five Members of Scattered Spider Indicted for Phishing and Crypto Theft
The U.S. Department of Justice has indicted five people linked to the 'Scattered Spider' cybercrime group for a phishing campaign that harvested employee credentials and was used to steal cryptocurrency. The group has been linked to the ransomware attacks on MGM Resorts and Caesars Entertainment and to phishing campaigns targeting customers of the identity provider Okta. It relied on SMS phishing and social engineering to trick victims into handing over login details, which were then used to access corporate systems and drain crypto wallets. Separately, the DoJ dismantled the PopeyeTools criminal marketplace, charging three administrators and seizing assets including cryptocurrency worth more than $283,000. PopeyeTools, operating since 2016, sold stolen bank and credit card details and other illicit digital goods and took in an estimated $1.7 million. The five Scattered Spider suspects face charges including conspiracy to commit wire fraud and aggravated identity theft, with a maximum of 20 years in prison on the wire fraud conspiracy count. The FBI credited international law enforcement partners with helping the investigation.
2024-11-20 23:54:08 theregister NATION STATE ACTIVITY U.S. Senator Highlights Cybersecurity Risks Posed by China
Senator Richard Blumenthal warned that American tech companies' operations in China pose a national security risk, pointing to Elon Musk's Tesla and SpaceX and their reliance on the Chinese market. At the Senate hearing, CrowdStrike described a newly disclosed Beijing-linked cyber-espionage group it calls Liminal Panda, active since at least 2020, which has infiltrated telecommunications networks in South Asia and Africa to steal sensitive data from the providers. CrowdStrike Vice President Adam Meyers testified that Chinese operations have evolved from crude attacks into long-term espionage aimed at high-value information and individuals. He also discussed Salt Typhoon, another Chinese group suspected of compromising major U.S. telecom providers and accessing communications, including those of U.S. politicians, and raised the concern that Chinese groups already pre-positioned inside U.S. critical infrastructure could disrupt military and logistics operations in a crisis.
2024-11-20 20:57:25 bleepingcomputer DATA BREACH Finastra Investigates SFTP System Hack, Data Potentially Sold
Finastra, a major financial software provider, has confirmed a breach of an internally hosted Secure File Transfer Protocol (SFTP) system. An attacker used compromised credentials to access the system on November 7, 2024. Finastra serves more than 8,000 financial institutions worldwide, including top global banks, but the compromised system was not the default file-exchange platform for all of its customers, so the number of affected customers is still being determined. Data allegedly taken in the breach appeared on a hacking forum, where a user named "abyss0" offered 400GB for sale; the post was later deleted. Finastra has brought in outside cybersecurity experts and says the investigation so far shows no sign that the intrusion spread beyond the SFTP system, which it has isolated and secured. Affected customers will be contacted directly, and Finastra does not plan a public disclosure until the investigation concludes. The company was previously hit by ransomware in March 2020, an incident that drew criticism of its security practices.
2024-11-20 20:41:58 bleepingcomputer MISCELLANEOUS MITRE Identifies Top 25 Dangerous Software Weaknesses of 2024
MITRE has published its annual CWE Top 25 list of the most dangerous software weaknesses, the root-cause flaws in code, design or implementation behind many of the vulnerabilities disclosed over the past year. The ranking was built from more than 31,000 CVE records published between June 2023 and June 2024, with particular attention to vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog. Weaknesses on the list are typically easy to find and exploit, and they let attackers take over systems, steal sensitive data or disable applications. MITRE urges organizations to use the list to address these weaknesses during software development and procurement, and CISA backs the effort with its "Secure by Design" alerts, which push vendors to eliminate whole classes of highly exploitable flaws such as default passwords, SQL injection and OS command injection. A separate Five Eyes advisory, co-authored by the FBI and NSA, noted that a growing share of the most routinely exploited vulnerabilities are zero-days.
2024-11-20 19:26:07 bleepingcomputer CYBERCRIME U.S. Charges Five Members of Scattered Spider Cybercrime Gang
The U.S. Justice Department has charged five individuals affiliated with the Scattered Spider cybercrime group: Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, Joel Martin Evans and Tyler Robert Buchanan. They are accused of stealing more than $11 million from cryptocurrency wallets through SMS phishing and SIM-swap attacks, and of using credentials phished from company employees to access corporate systems and exfiltrate intellectual property and personal information. Scattered Spider is known for a wide range of social-engineering techniques, including MFA fatigue (push-bombing), has alleged ties to Russian ransomware gangs, and has been linked to attacks on MGM Resorts, DoorDash and Reddit. The group operates under several aliases with a loose, fluid membership, which makes it hard for law enforcement to track and attribute specific activity.
2024-11-20 19:05:37 bleepingcomputer MALWARE Critical Privilege Escalation Flaws Found in Ubuntu's Needrestart Utility
Qualys has disclosed five local privilege escalation vulnerabilities in needrestart, the utility that checks after package upgrades which services are still running with outdated libraries and need to be restarted; it is installed by default on Ubuntu Server since 21.04. The flaws, tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003, date back to a 2014 release and let an unprivileged local user gain root when needrestart runs as root, for example during an apt upgrade, because the tool inspects running processes and can be tricked into executing attacker-controlled code through interpreters such as Python and Ruby. Although exploitation requires local access, Qualys warns the flaws are easy to exploit, as with earlier Linux privilege-escalation chains. The fix is needrestart 3.8 or later (Ubuntu ships backported patches through its normal security updates); where upgrading is not immediately possible, interpreter scanning can be disabled by setting $nrconf{interpscan} = 0; in /etc/needrestart/needrestart.conf. Because the bugs went unnoticed for a decade, servers still running older unpatched versions should be treated as exposed.
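The two mitigations named above (the upstream 3.8 fix and the interpscan setting) are easy to verify from a script. What follows is an added example, not code from the article or from the needrestart project: it reports a host as patched, mitigated or exposed given a needrestart version string and a path to needrestart.conf. It assumes the version passed in is the upstream needrestart version; on Ubuntu the fix is backported into packages still numbered 3.5 or 3.6, so there the installed package version (from dpkg-query -W -f='${Version}' needrestart) must be compared against the fixed version in the Ubuntu security notice rather than against 3.8. The two configuration files it reads are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or the needrestart project).
# Classifies a host against the needrestart LPE bugs (CVE-2024-48990 and
# related) using the two mitigations the article names:
#   - upstream needrestart >= 3.8, or
#   - interpreter scanning disabled:  $nrconf{interpscan} = 0;
# Assumptions not stated in the article:
#   - VERSION is the upstream version; Ubuntu backports the fix into
#     packages still numbered 3.5/3.6, so check the USN there instead.
#   - needrestart.conf uses Perl syntax and '#' starts a comment line,
#     so a commented-out setting does not count as a mitigation.

# needrestart_status VERSION CONF_FILE  ->  prints patched | mitigated | exposed
needrestart_status() {
    ver="$1"
    conf="$2"

    # Version-sort 3.8 against the given version; if 3.8 is the lower
    # (or equal) one, the given version is >= 3.8 and carries the fix.
    lowest=$(printf '%s\n%s\n' "3.8" "$ver" | sort -V | head -n 1)
    if [ "$lowest" = "3.8" ]; then
        echo patched
        return 0
    fi

    # Look for an uncommented  $nrconf{interpscan} = 0;  in the config.
    # A missing or unreadable config means the default (scanning on).
    if [ -r "$conf" ] && grep -Eq \
        '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=[[:space:]]*0[[:space:]]*;' \
        "$conf"; then
        echo mitigated
        return 0
    fi

    echo exposed
    return 0
}

# Stand-alone run over two constructed sample configs.
tmp=$(mktemp -d)
printf '# constructed sample: scanning left on\n$nrconf{interpscan} = 1;\n' > "$tmp/default.conf"
printf '# constructed sample: hardened\n$nrconf{interpscan} = 0;\n' > "$tmp/hardened.conf"

needrestart_status 3.6 "$tmp/default.conf"    # exposed
needrestart_status 3.6 "$tmp/hardened.conf"   # mitigated
needrestart_status 3.8 "$tmp/default.conf"    # patched

rm -rf "$tmp"
```

The version comparison uses sort -V so that 3.10 sorts above 3.8; a plain string comparison would get that wrong. Treating a missing config as "exposed" is deliberate: needrestart scans interpreters unless told not to, so the absence of the setting is the unsafe default.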
2024-11-20 18:04:55 theregister RANSOMWARE Change Healthcare Continues Recovery from Major Ransomware Attack
Change Healthcare, the UnitedHealth-owned payment and claims clearinghouse that handles about 15 billion healthcare transactions a year, has restored its clearinghouse services nine months after the ALPHV/BlackCat ransomware attack that began in February. The outage affected 94 percent of US hospitals, some of which reported losing up to $1 million a day, and UnitedHealth's total costs from the attack have passed $2 billion. Recovery is largely complete, with Clinical Exchange, MedRX and Payer Print Communication still not fully restored. To keep providers afloat, UnitedHealth's Optum unit, which owns Change Healthcare, set up a Temporary Funding Assistance Program that has advanced more than $6 billion in interest-free loans. The breach exposed data on roughly 100 million people, nearly a third of the US population, including names, email addresses, banking details and medical claims. UnitedHealth CEO Andrew Witty told Congress the company paid the attackers $22 million and acknowledged security failings including a remote-access portal without multi-factor authentication and inadequate network segmentation.
2024-11-20 17:04:29 theregister CYBERCRIME Google's AI Discovers 26 Code Vulnerabilities Missed by Humans
Google's OSS-Fuzz, using large language models to generate fuzz targets, has found 26 vulnerabilities in open source projects, including an out-of-bounds memory access in OpenSSL (CVE-2024-9143, rated low severity by OpenSSL) that had gone unnoticed for about two decades and that Google says would likely not have been found by human-written fuzzers or manual review. Other finds include a bug in the cJSON project. Google has used LLM-generated fuzz targets in OSS-Fuzz since August 2023 to reach code that existing harnesses missed, and in January 2024 it open-sourced the generation framework; since then it has improved runtime feedback, crash triage and root-cause analysis. The next step is to let the LLM drive the whole fuzzing workflow, including proposing patches for the bugs it finds. Google argues that AI-assisted bug hunting matters because attackers can find and exploit flaws that traditional methods miss.
2024-11-20 16:49:05 bleepingcomputer CYBERCRIME New 'Ghost Tap' Tactic Steals Via NFC Mobile Payments
ThreatFabric has documented 'Ghost Tap', a cash-out technique in which criminals use stolen card data enrolled in mobile wallets to make NFC tap-to-pay purchases around the world without the physical card or the victim's device. It evolves from earlier Android malware that relayed NFC data, but the operators no longer need an ongoing connection to the victim, which makes the fraud harder to spot. The chain starts with malware that steals card details and intercepts the one-time passcode sent when the card is enrolled in a mobile wallet; the card is then linked to a device the fraudsters control, and the tap-to-pay data is relayed to money mules who make purchases at point-of-sale terminals. Unlike older schemes that cashed out at ATMs, Ghost Tap spreads retail purchases across a distributed network of mules, which hampers tracking and keeps the core operators at arm's length. Because the transactions look like ordinary purchases made in many different places, they often slip past banks' anti-fraud systems; ThreatFabric suggests that flagging purchases that are geographically impossible within a short time window may be the only effective countermeasure. Consumers should monitor their accounts closely and report unauthorized transactions promptly.
2024-11-20 14:37:48 theregister MALWARE D-Link Urges Replacement of VPN Routers Due to Severe RCE Bug
D-Link is telling owners of several end-of-life DSR-series VPN routers to retire them because of a severe, unpatched remote code execution (RCE) vulnerability. The affected models, including the DSR-150, DSR-250 and DSR-500N, have all reached end-of-life, some as far back as 2015 and the most recent in May 2024, so no firmware fix will be issued. The bug is a buffer overflow that allows unauthenticated remote code execution, putting every device behind the router at risk; comparable router flaws have previously been used to plant rootkits, intercept web traffic and steal credentials. D-Link is offering a 20% discount on the DSR-250v2, which is not affected, and for anyone who keeps an end-of-life device in service it recommends changing the device password regularly and keeping Wi-Fi encryption enabled, although neither step addresses an unauthenticated RCE.
2024-11-20 13:47:09 bleepingcomputer MISCELLANEOUS Amazon and Audible Overrun by Dubious Forex and Warez Listings
Amazon, Amazon Music and Audible are being flooded with bogus listings that promote questionable "forex trading" schemes and link to pirated-software (warez) sites. The listings carry direct links to suspicious external websites and exist to boost those sites' search rankings through SEO poisoning, abusing the high search authority of podcast and digital-music distribution channels. The spam appears across several Amazon domains, including amazon.com, amazon.co.uk and amazon.com.au, typically as "podcasts" whose episodes are zero seconds long. BleepingComputer has seen the same tactic on Spotify, pointing to a wider problem with third-party podcast publishing services such as Firstory, which says it is tightening its content filters but continues to struggle with spam. Amazon removed the listings it was told about but has not publicly commented on the broader problem.
2024-11-20 13:16:41 bleepingcomputer DATA BREACH Ford Investigates Alleged Data Leak of 44,000 Customer Records
Ford is investigating a claim by the threat actor 'EnergyWeaponUser', posting together with the well-known 'IntelBroker', that 44,000 Ford customer records were breached. The data, offered on BreachForums for just over $2 worth of forum credits, reportedly includes names, physical locations, purchase details and dealer information, the kind of material that aids phishing and social engineering, and IntelBroker's record of confirmed breaches lent the claim credibility. Ford initially said only that it was investigating, but later concluded that the data came from a third-party supplier and consisted of a small batch of publicly available dealer business addresses, and that its own systems and sensitive customer data were not compromised. Customers should still be wary of unsolicited messages or requests for information that reference the incident.
2024-11-20 13:11:25 thehackernews CYBERCRIME Hackers Use NFCGate for Global Mobile Payment Fraud
Threat actors are abusing near-field communication (NFC) to steal from mobile payment users worldwide with a technique dubbed Ghost Tap. They exploit Google Pay and Apple Pay by relaying tap-to-pay data remotely, without possessing the victim's card or phone. The chain starts with malware that captures banking credentials and card details; the stolen cards are enrolled in mobile payment apps on attacker-controlled devices, and the tap-to-pay data is relayed to accomplices. NFCGate, a legitimate academic research tool, is misused to capture and forward NFC traffic between devices so that fraudulent transactions can be made at point-of-sale terminals. This lets criminals buy goods, often gift cards, at retail locations without being present, and because the transactions appear to come from a single device they can bypass anti-fraud checks and hide the fraudsters' real location. The scale, speed and anonymity of these coordinated cash-outs pose a serious challenge for banks and retailers.
2024-11-20 11:50:36 thehackernews MISCELLANEOUS Microsoft Announces Initiative to Enhance Windows Security
Microsoft has announced the Windows Resiliency Initiative to improve Windows security and reliability. It aims to let more applications run without administrator privileges and to give administrators tighter control over unsafe apps and drivers. A new Quick Machine Recovery feature, due in early 2025, will let IT administrators push fixes to PCs remotely even when they cannot boot. Microsoft also plans a platform for running security products such as antivirus in user mode rather than in the kernel, improving stability and recovery from faulty updates, with a preview slated for July 2025. The work falls under the company's Secure Future Initiative, which puts security first in product design, and Microsoft is expanding its bug bounty program with a new challenge called Zero Day Quest focused on cloud and AI security.