Daily Brief

2024-11-04 14:56:35 bleepingcomputer DATA BREACH Columbus City Ransomware Attack Exposes Data of 500,000 People
The City of Columbus, Ohio suffered a ransomware attack on July 18 that exposed the personal and financial information of 500,000 individuals. The Rhysida ransomware gang, responsible for the attack, claimed to have obtained 6.5 TB of data from city servers, including sensitive personal details. Despite initial claims from city officials that no data was compromised, the gang began publishing the stolen data, 3.1 TB of it, on a dark web portal. Security researcher David Leroy Ross demonstrated that the published data was neither encrypted nor corrupted, contradicting the city's earlier statements. The City has initiated legal action against Ross, obtaining a temporary restraining order to halt further dissemination of the data and seeking damages. Columbus city officials are now providing two years of free credit monitoring and identity restoration services to affected residents and encouraging them to monitor their financial accounts for fraud. No evidence has been found yet that the leaked data has been misused, although monitoring and investigation continue.
2024-11-04 14:10:16 thehackernews DDOS Security Flaws in Ollama AI Could Allow DoS and Theft Attacks
Cybersecurity researchers identified six critical vulnerabilities in the Ollama AI framework. These security flaws can lead to denial-of-service (DoS) attacks, model poisoning, and model theft. Vulnerable instances of Ollama are widely exposed on the internet across various countries, with significant concentrations in China and the U.S. One in four internet-facing Ollama servers is susceptible to these flaws. Ollama’s maintainers suggested mitigating these issues by limiting endpoint exposure through web application firewalls or proxies. Past incidents include a severe flaw reported by Wiz that could have permitted remote code execution. The report encourages users to avoid exposing unnecessary Ollama endpoints to the internet to prevent exploitation.
2024-11-04 12:07:40 thehackernews DDOS German Police Shut Down DDoS-for-Hire Service and Arrest Two
German authorities disrupted dstat[.]cc, a platform facilitating DDoS attacks for users without technical skills. Dstat[.]cc was known for providing reviews and contact details for various stresser services that conduct DDoS attacks. The Federal Criminal Police Office (BKA) arrested two individuals, aged 19 and 28, linked to dstat[.]cc and other criminal activities. The suspects were also involved in the sale of narcotics and synthetic cannabinoids through an online platform called "Flight RCS." This operation is part of the larger PowerOFF initiative targeting DDoS-for-hire sites, with previous takedowns including digitalstress[.]su and Anonymous Sudan. The takedown highlights the increasing law enforcement focus on cybercrime and associated illegal activities.
2024-11-04 11:31:46 theregister CYBERCRIME Okta Fixes Authentication Bypass Bug for Long Usernames
Okta identified a security vulnerability in its AD/LDAP Delegated Authentication (DelAuth) that could allow unauthorized access using 52-character usernames. The exploit required specific conditions: a long username, use of the cache key because the AD/LDAP agent was down, and multi-factor authentication (MFA) that was disabled or not configured. The flaw was discovered on October 30 and fixed immediately by Okta, after going undetected for about three months. Okta has urged customers to review logs since July 23 for any signs of exploitation involving lengthy usernames. The company reinforced the importance of implementing multi-factor authentication and adopting phishing-resistant authenticators such as Okta Verify FastPass and FIDO2 WebAuthn. Brave security engineer Yan Zhu pointed out that the bypass could occur because the bcrypt algorithm ignores characters beyond a certain length, so any password paired with a sufficiently long username was accepted. Mitigation strategies include hashing the input with an algorithm such as SHA-256 so that it is not truncated.
2024-11-04 11:31:46 thehackernews NATION STATE ACTIVITY North Korean Hackers Collaborate with Ransomware Groups
North Korean state-backed hackers, known as Andariel, collaborated with the Play ransomware group in a digital extortion scheme. The initial system compromise traced back to May 2024, targeting multiple U.S. organizations. The collaboration indicates a blurring of boundaries between nation-state actors and cybercrime syndicates. The attack was financially motivated, highlighting a shift from the espionage focus typical of nation-state activity. This incident represents one of the first known collaborations between a nation-state group and a ransomware operation, marking a significant evolution in cyber threat tactics. It also points to future risk from advanced, well-resourced threat actors engaging in financially motivated cyber attacks. Recommendations include heightened vigilance and strengthened cyber defenses for organizations, especially those holding sensitive financial information.
2024-11-04 11:01:03 thehackernews CYBERCRIME AI-Driven Cyber Threats Expected to Surge in Retail This Holiday Season
AI-driven attacks, including business logic abuse and DDoS, are the primary security concerns for retailers this holiday season. Imperva's data indicates retailers face an average of 569,884 AI-driven attacks daily, with business logic abuse making up 30.7% of these attacks. DDoS attacks against retailers have increased by 61% over the last year, exposing them to potential revenue losses and reputational damage. Grinch bots continue to disrupt online retail by buying up high-demand items for resale at higher prices, affecting consumer access and satisfaction. AI-driven API violations have become a significant threat in the retail sector, potentially leading to data breaches and financial fraud. Retailers are advised to implement stringent monitoring, robust DDoS mitigation, enhanced bot detection, and secure API practices. Continuous updating and adoption of advanced cybersecurity measures are recommended to protect against sophisticated AI-powered cyber threats during the holiday rush.
2024-11-04 10:30:06 theregister DATA BREACH Transport for London Suffers Significant Data Breach
Transport for London (TfL) experienced a major cyberattack at the beginning of September, which primarily impacted its back office systems including ticketing and billing. Initially, TfL claimed that no customer data was compromised, but later admitted that 5,000 users' bank data was exposed and various customer services were disrupted. The incident caused disruptions to ticketing discount schemes and group privileges, affecting students and retirees, with vague promises from TfL regarding potential compensation. Reports indicate that the breach was more severe and widespread than previously acknowledged, including issues with the Oyster contactless ticketing system placing erroneous entries on accounts. A British teenager has been arrested in connection with the attack, suggesting the incident might not involve a larger criminal gang. Public sector organizations, including TfL, are often reluctant to disclose full details of such incidents, a tendency that undermines public trust and accountability. The article argues for better regulatory oversight and transparency in handling and reporting cyber incidents in public sector entities to improve cybersecurity and accountability.
2024-11-04 10:09:29 thehackernews MALWARE Google AI Discovers Zero-Day Vulnerability in SQLite Engine
Google's AI framework Big Sleep identified a zero-day vulnerability in the SQLite database engine. This discovery marks the first known instance of an AI finding an exploitable memory-safety issue in widely-used software. The vulnerability involves a stack buffer underflow, which can lead to crashes or arbitrary code execution. The issue was found in a development branch of SQLite and fixed following responsible disclosure protocols before official release. Big Sleep, initially called Project Naptime, leverages AI to simulate human analytical patterns to enhance automated vulnerability detection. The framework uses a combination of code analysis tools, sandboxed environments, and fuzzing techniques managed by AI. Google highlights the defensive potential of preemptively discovering and fixing vulnerabilities, potentially outpacing malicious attackers. Although promising, Google notes that these results are experimental and compares current AI effectiveness to traditional fuzzing methods.
2024-11-04 09:16:44 bleepingcomputer DATA BREACH Cisco DevHub Leak Poses Minimal Risk, Future Breaches Unlikely
Cisco addressed the recent unauthorized access to its DevHub portal, confirming that non-public files were downloaded due to a misconfiguration. The company analyzed the accessed files, determining they contained mostly publicly available data along with some customer-specific documents. Cisco directly notified the limited number of CX Professional Services customers affected by the leak. None of the exposed information was deemed usable to gain access to Cisco's production or enterprise environments. Post-incident response included restoring secure public access to the DevHub site and confirming that the exposed documents were not indexed by search engines. While a threat actor alleged additional breaches involving a third-party development environment, Cisco has found no evidence of such activity impacting its systems. There is no indication from Cisco that financial or personal data was compromised.
2024-11-04 06:18:04 thehackernews MALWARE New FakeCall Malware Variant Targets Android Banking Apps
Cybersecurity experts have identified a new variant of the FakeCall malware that targets Android devices to facilitate fraudulent banking activities. The malware uses vishing techniques to deceive victims into dialing fraudulent phone numbers that mimic banks, allowing attackers to access sensitive information. It captures a wide array of personal data including SMS messages, contact lists, locations, and installed apps, and can take pictures and record video streams. The malware gains extensive control over the device by setting itself as the default dialer, intercepting and modifying phone calls. Previous versions prompted users to initiate calls within the app under the guise of attractive loan offers from financial institutions. The discovery highlights evolving mobile phishing strategies in response to enhanced security measures such as caller identification apps. Newer iterations of the malware have adapted features to monitor the Bluetooth status and the device screen state.
2024-11-03 21:13:40 bleepingcomputer RANSOMWARE Interlock Ransomware Targets FreeBSD Servers Globally
Interlock, a new ransomware operation focusing on FreeBSD servers, launched attacks starting at the end of September 2024. The ransomware has affected six organizations to date, including Wayne County, Michigan, and the operators leak stolen data when ransoms go unpaid. Initial detection and insights into the ransomware came from incident responders and researchers who identified specific FreeBSD and Windows encryptors. Attempts to analyze the FreeBSD encryptor in a controlled environment were unsuccessful, though it was confirmed to be designed for FreeBSD systems. Trend Micro research highlights the strategic targeting of FreeBSD due to its prevalence in servers and critical infrastructure, giving the operation significant disruptive potential. Interlock implements double-extortion tactics, stealing data for leverage and employing a dedicated Tor negotiation site for ransom discussions. The ransomware renames files by appending a .interlock extension and drops a ransom note in affected directories. Ransom demands from Interlock vary widely with the size of the targeted organization, reaching up to millions of dollars.
2024-11-03 18:35:57 theregister MISCELLANEOUS U.S. DoJ Charges Six in IT Government Contract Fraud Schemes
The U.S. Department of Justice has indicted six individuals involved in two separate fraud schemes targeting IT contracts with the federal government, aiming to defraud the government of millions of dollars. The schemes involved bid rigging using insider information to secure contracts at non-competitive prices, primarily affecting the Department of Defense and parts of the intelligence community. Victor Marquez, leading the first fraud group, faces up to 70 years in prison for charges including wire fraud and major fraud, with his accomplices facing similar charges. Breal L. Madison Jr., from the second group, faces up to 185 years in prison if convicted on multiple charges including bribery and money laundering, having used stolen funds to acquire luxury items such as a yacht and a sports car. The article also mentions a disrupted ecommerce fraud operation that had been tricking consumers on a large scale for five years, and updates on global cybersecurity threats including hacking activity by Iranian hackers and Chinese threat actors exploiting networks. The case underlines the ongoing challenge of securing IT procurement from insider threats and highlights the broader problem of international cyber threats targeting critical infrastructure.
2024-11-03 15:17:05 bleepingcomputer CYBERCRIME AI Voice-Based Scams: ChatGPT-4o's Potential for Financial Fraud
Researchers demonstrated that OpenAI's ChatGPT-4o could potentially be used to conduct voice-based financial scams. The study reveals varying success rates (20-60%) for scams including bank transfers, crypto transfers, and credential theft. The techniques involved using the AI to navigate pages, input data, and handle two-factor verification, bypassing safety measures through simple prompt manipulation. The cost of executing scams using this AI was notably low, with complex bank transfer scams costing just $2.51 on average. Real websites, such as Bank of America, were used in simulations to test the effectiveness of these scams. OpenAI has responded by enhancing its models, with the newer o1-preview model showing improved resistance to similar malicious manipulation. Despite advancements in AI safety features, the research underscores the ongoing risk and potential damage posed by AI-driven cybercrime.
2024-11-02 15:23:01 bleepingcomputer CYBERCRIME Microsoft SharePoint Bug Exploited in Corporate Network Breach
A critical Microsoft SharePoint RCE vulnerability (CVE-2024-38094) was exploited, allowing attackers to access and move through corporate networks. Microsoft addressed the bug in its July 2024 Patch Tuesday update, but exploitation details were unclear until a recent Rapid7 investigation. The attackers gained entry through an on-premises SharePoint server, installing a webshell for unauthorized access. The compromise escalated as the attackers disabled internal security mechanisms using a deceptive antivirus installation, which facilitated further malicious activity including lateral movement. Tools such as Mimikatz, FRP, and custom scripts were used for credential harvesting, remote access, and persistence within the network. The attackers also attempted to destroy backup systems to hinder recovery, although these attempts were unsuccessful. System administrators are urged to update their SharePoint installations to prevent similar breaches, given the ongoing exploitation of this vulnerability.
2024-11-02 09:32:34 theregister MISCELLANEOUS UK Financial Sector Urged to Boost Resilience Post-CrowdStrike Incident
The Financial Conduct Authority (FCA) has urged UK financial institutions to enhance operational resilience following the CrowdStrike software malfunction in July, which impacted global financial systems including JPMorgan Chase, Bloomberg, and the London Stock Exchange. CrowdStrike's faulty update to its Falcon EDR platform triggered a critical error, leading to widespread system crashes and operational disruptions, highlighting the dependency on unregulated third-party IT services. Under FCA regulation PS21/3, these institutions must develop robust business continuity plans by March 2025 to effectively manage and mitigate the impact of such IT outages. Financial organizations that had already complied with PS21/3 showed better mitigation during the CrowdStrike incident by quickly prioritizing system recovery and utilizing pre-prepared incident response strategies. The FCA emphasizes the importance of comprehensive update-testing procedures to prevent such widespread disruptions and advises institutions to prepare external communication strategies to keep stakeholders informed during incidents. Despite significant impacts, most financial institutions managed swift recovery post-outage, demonstrating varying levels of preparedness and resilience. Delta Air Lines, however, faced extended downtime and has initiated legal actions against CrowdStrike, claiming substantial revenue losses.