Daily Brief

Total articles found: 11822

2024-05-07 17:07:33 | theregister | CYBERCRIME | LockBit Ransomware Leader Unmasked, Facing International Sanctions
Police have revealed Dmitry Yuryevich Khoroshev as the leader of the notorious LockBit ransomware group. Khoroshev, also known by his alias LockBitSupp, has been added to several Western sanctions lists and faces various criminal charges in the US. The UK, US, and Australia have initiated sanctions against Khoroshev, who previously offered a $10 million reward for anyone who could expose his identity. Operation Cronos, led by British and US authorities, significantly disrupted LockBit activities, reducing their operations and unmasking key figures. Investigators analyzed LockBit's operations, finding many affiliates unprofitable and unsuccessful in extortion attempts. Despite a slight resurgence in LockBit activities, attacks have generally decreased by 73% in the UK, with reductions noted globally. Khoroshev faces up to 185 years in prison if convicted on numerous charges including conspiracy to commit fraud and extortion related to cyber activities. The exposure of Khoroshev represents a significant blow to cybercriminals globally, demonstrating enhanced international cooperation in battling cybercrime.
2024-05-07 16:46:50 | bleepingcomputer | DATA BREACH | BetterHelp Settles for $7.8 Million Over Data Privacy Breach
BetterHelp has agreed to pay $7.8 million to settle allegations by the FTC regarding the misuse and unauthorized sharing of consumer health data for ad targeting. The online therapy provider is accused of sharing sensitive data such as email and IP addresses, and health questionnaire responses with companies like Facebook and Snapchat. The exposed data was used to target similar consumers with advertisements, significantly boosting BetterHelp's clientele and revenue. Approximately 800,000 users who used BetterHelp services between August 2017 and December 2020 are eligible for refunds. The FTC uncovered these privacy violations following an investigation into BetterHelp's data handling practices. Consumers affected by this breach will receive an email from Ankura Consulting detailing the refund process with multiple payment options available. The settlement includes multiple BetterHelp-operated services like MyTherapist and Teen Counseling. Payments to the affected consumers will be issued this summer, with a deadline until June 10, 2024, to select a preferred payment method.
2024-05-07 15:50:33 | thehackernews | CYBERCRIME | LockBit Ransomware Leader Dmitry Khoroshev Charged, Operations Dismantled
Dmitry Yuryevich Khoroshev, identified as the administrator and developer of LockBit ransomware, faces multiple international sanctions and a 26-count indictment with a potential 185-year sentence. Khoroshev used aliases including LockBitSupp and putinkrab and is linked to extensive cybercrimes against global corporations and institutions, leading to asset freezes and travel bans. The U.K.'s NCA, with support from the U.S. and Australian authorities, has collected over 2,500 decryption keys to assist LockBit's 2,500+ victims worldwide. Since its inception in 2019, LockBit's ransomware-as-a-service (RaaS) activities have reportedly netted Khoroshev at least $100 million, demonstrating immense operational and financial scale. Authorities from the U.S., U.K., and Australia stated that LockBit accounted for significant percentages of their ransomware incidents, demonstrating its global impact. Post-operation efforts to revive LockBit have failed, though its operators have falsely claimed recent attacks to inflate perceived activity. The coordinated international law enforcement operation, dubbed Cronos, successfully disrupted LockBit's operations, substantially reducing its network of affiliates.
2024-05-07 15:14:39 | theregister | CYBERCRIME | LockBit Ransomware Leader Unmasked, Global Operations Crippled
Dmitry Yuryevich Khoroshev, leader of the LockBit ransomware gang, whose identity had been a closely guarded secret, has finally been identified and sanctioned. Operation Cronos, led by the National Crime Agency (NCA), targeted this notorious ransomware operation, significantly impacting its activities worldwide. Despite sanctions, actual justice remains uncertain as Khoroshev resides in Russia, creating jurisdictional challenges. The US has offered a $10 million reward for information leading to Khoroshev's arrest or conviction, emphasizing the high stakes involved. Following the law enforcement disruption in February, LockBit's capabilities have been notably diminished, with many affiliates losing confidence. The initiative uncovered about 194 affiliates in February, with a large portion showing no profitable involvement in ransom operations. Recent data indicates a significant drop in LockBit attacks, with their operational capacity severely reduced post-intervention.
2024-05-07 14:07:42 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Admin Sanctioned by Multiple Countries
The FBI, UK National Crime Agency, and Europol announced indictments and sanctions against Dmitry Yuryevich Khoroshev, the admin of LockBit ransomware. Khoroshev, identified as a Russian national, faces multiple international legal actions including asset freezes and travel bans. The US Department of Justice is expected to release further details in an upcoming indictment. Concurrently, the US has issued a $10 million reward for information leading to Khoroshev's arrest or conviction under the Rewards for Justice program. Sanctions include prohibitions that complicate ransom payments, potentially leading to government fines for companies involved. Previous sanctions impacted the ability of ransomware negotiators to assist in transactions involving sanctioned entities. Law enforcement previously disrupted LockBit by seizing its infrastructure, obtaining over 2,500 decryption keys to aid victims. Europol continues to assist in the recovery process for those affected by LockBit ransomware attacks.
2024-05-07 14:02:25 | bleepingcomputer | DATA BREACH | Mitigating Risks from Third-Party Data Breaches Effectively
Modern organizations are highly interconnected, increasing the risk of third-party data breaches. The global data volume is expected to reach 147 zettabytes by 2024, emphasizing the scale and impact of potential breaches. Third-party breaches happen when an entity within a network is compromised, potentially affecting associated organizations. Examples include the SolarWinds incident where hackers infiltrated multiple networks via compromised software updates. Password reuse significantly exacerbates third-party breach impacts, with credential stuffing attacks exploiting this vulnerability. External Attack Surface Management (EASM) tools are vital for identifying and mitigating vulnerabilities in an organization's network and its third parties. Continuous monitoring of potentially compromised credentials and regular attack surface assessments are recommended to minimize risks.
2024-05-07 13:26:23 | thehackernews | NATION STATE ACTIVITY | APT42 Uses Social Engineering to Penetrate Networks for Espionage
APT42, backed by the Iranian government, utilizes deceptive tactics posing as journalists to infiltrate target systems, particularly cloud environments. Targets include NGOs, media entities, academic institutions, legal sectors, and activists across the Western and Middle Eastern regions. Social engineering strategies by APT42 help build trust, facilitating credential harvesting to access victims' cloud data covertly. Data of strategic interest to Iran is exfiltrated using built-in features and open-source tools, minimizing detection risks. APT42 operates under Iran's IRGC and is linked to APT35 but focuses on espionage aligned with Iran's domestic politics and foreign policy stability. The group employs spear-phishing, typo-squatting, and masquerading techniques to obtain crucial credentials and bypass MFA systems. In addition to credential theft, APT42 uses custom backdoors for further network penetration and maintains operational secrecy using VPNs and anonymized infrastructure. Despite regional conflicts like the Israel-Hamas war, APT42 remains focused on intelligence gathering without shifting to disruptive cyber tactics.
2024-05-07 13:00:26 | thehackernews | NATION STATE ACTIVITY | China-Linked Hackers Target MITRE Network with Advanced Tactics
MITRE Corporation confirmed a cyber attack originating on December 31, 2023, exploiting vulnerabilities in Ivanti Connect Secure. Attackers used CVE-2023-46805 and CVE-2024-21887 to infiltrate the NERVE research network. They used ROOTROT, a Perl-based web shell, for initial access, followed by the deployment of other web shells including BEEFLUSH and BRICKSTORM. The intrusion involved profiling and controlling MITRE's VMware infrastructure, facilitating persistent access and the execution of arbitrary commands. Analysis revealed lateral movement attempts and SSH manipulations to maintain system control. The attack was linked to the China-connected cyber-espionage group UNC5221. MITRE observed data exfiltration and persistent network presence from January to mid-March 2024 following the disclosure of the exploited vulnerabilities.
2024-05-07 11:33:00 | theregister | MISCELLANEOUS | Impact of CISA KEV Catalog on Private Sector Patch Timelines
CISA's Known Exploited Vulnerabilities (KEV) catalog, primarily aimed at federal agencies, also positively influences private-sector cybersecurity practices. Private organizations patch vulnerabilities listed in the KEV catalog about three times faster than those not listed (175 days compared to 621 days). Despite this improvement, most deadlines for vulnerability patches are still missed by both government and private organizations. Findings indicate that vulnerabilities linked to ransomware are patched significantly faster, demonstrating the influence of potential financial risks. Technology companies patch vulnerabilities the fastest, averaging 93 days, due to higher exposure and industry reputation concerns. Critical severity vulnerabilities take an average of around four and a half months to be remediated, indicating room for improvement in response times. Bitsight suggests that organizations should adopt stringent internal deadlines for patching, tailored to the severity of the vulnerabilities. The imperative for executive support for robust security measures is highlighted, stressing the necessity for swift and effective vulnerability management.
2024-05-07 10:46:23 | thehackernews | MALWARE | Hidden Malware in Comment Section Image Endangers E-Commerce Security
A routine security scan identified hidden malicious code within an image posted in the comments section of a global retailer's product page. This altered image containing a simple 'Thank You' message hid malware designed to steal personal identifying information from online shoppers. The malicious payload was embedded using steganography, a technique of hiding data within digital content, in this case, an RGB pixel modification in the image. The discovery was made by Reflectiz, a web security firm using continuous web threat management solutions to monitor and protect e-commerce platforms. This form of threat highlights the persistent risks and challenges e-commerce sites face from cybercriminals, including potential regulatory penalties and reputational harm. The full case study details the methods of protection and detection used to avert significant breaches, focusing on inexperienced users who might be unaware of such risks in seemingly innocent web interactions. Legislative frameworks like GDPR impose stringent security requirements and substantial penalties for breaches, aligning with the need for advanced security measures as demonstrated in this incident.
2024-05-07 10:35:59 | theregister | DATA BREACH | Security Firm Exposes Over 1.2 Million Sensitive Documents Online
UK-based Amberstone Security inadvertently exposed nearly 1.3 million documents due to a misconfigured database. The exposed data included images of security guards' ID cards and photos of individuals suspected of criminal activities, dating back to 2017. Documents revealed personal details such as names, photos, expiration dates of ID cards, and in some cases, signatures. A security researcher discovered the breach, highlighting risks such as potential impersonation of security staff and unauthorized access to facilities. Exposed data also detailed suspect behaviors and tactics in theft incidents, revealing operational security details. Amberstone Security responded swiftly to the breach notification, securing the database and investigating the cause with the involved third-party contractor. The incident underlines significant privacy and security risks, prompting calls for enhanced measures including biometric updates to security ID cards.
2024-05-07 10:05:07 | thehackernews | MISCELLANEOUS | Google Enhances 2FA Setup, Studies Reveal New Attack Methods
Google has made the process of enabling two-factor authentication (2FA) simpler for both personal and Workspace accounts. Users can now set up 2FA without initially requiring a phone number, opting instead for methods like authenticator apps or hardware security keys. Over 400 million Google accounts adopted passkeys in the past year, supporting passwordless authentication that promises to curb phishing and hijacking instances. Despite these advancements, new threats like the adversary-in-the-middle (AitM) attack could bypass FIDO2 security, exploiting weaknesses in single sign-on (SSO) systems. AitM attacks allow unauthorized actors to hijack sessions after successful authentication via stolen session cookies, exposing inadequate session protection after authentication. Google proposes Device Bound Session Credentials (DBSC) in its Chrome browser to strengthen defenses against session cookie theft, a feature limiting potential unauthorized access. These updates underscore the ongoing evolution and challenges in cybersecurity, emphasizing the need for continuous improvement in authentication technologies and user security awareness.
2024-05-07 09:34:14 | thehackernews | CYBERCRIME | Russian Crypto Exchange Operator Pleads Guilty to Money Laundering
Alexander Vinnik, a Russian national, admitted to money laundering charges stemming from the ownership and operation of the BTC-e cryptocurrency exchange. The charges relate to activities between 2011 and 2017, during which BTC-e facilitated transactions involving criminal activities such as hacking, ransomware scams, and drug trafficking. BTC-e failed to register as a money services business in the U.S. and did not implement mandatory anti-money laundering (AML) or Know Your Customer (KYC) protocols. Over the course of its operation, BTC-e handled over $4 billion in Bitcoin and served more than one million users globally, including substantial dealings in the United States. Vinnik was captured in Greece in 2017 and extradited to the U.S. in 2022, facing multiple charges including operation of an unlicensed money service business and money laundering. The U.S. Department of Justice described BTC-e as a major avenue for cybercriminals to launder ill-gotten funds. Financial penalties were levied against BTC-e and Vinnik by the U.S. Department of the Treasury for severe violations of AML laws.
2024-05-07 02:16:17 | theregister | RANSOMWARE | Ransomware Strategy Shifts to Psychological Tactics Against Executives
Ransomware attacks are evolving to exploit social engineering and psychological pressure, as reported by Charles Carmakal, CTO of Mandiant. Criminals are utilizing deeply personal attacks, such as SIM swapping the phones of executives' children, to increase pressure on victims to meet ransom demands. The tactic includes making phone calls to executives from their children's numbers, often using caller ID spoofing or direct SIM card manipulation. Incidents of ransomware have expanded beyond encrypting or stealing data, with criminals now resorting to endangering lives, as seen in attacks that delayed ambulances and exposed sensitive patient information. This focus on psychological impact moves the decision criteria from protecting customer data to safeguarding employees and their families. The increased leverage of cryptocurrencies has facilitated easier and more profitable extortion for perpetrators, broadening the scope of potential targets across various industries, especially healthcare. Mandiant's head of global intelligence, Sandra Joyce, highlights the difficult decisions companies must make when facing ransom demands, which might involve legal and ethical considerations, particularly when dealing with sanctioned entities.
2024-05-07 01:09:31 | theregister | DATA BREACH | Major Tech Firms Accused of Violating Apple's Privacy Rules
Apple recently required iOS developers to justify the use of APIs potentially employed for device fingerprinting. Despite restrictions, apps from Google, Meta, and Spotify allegedly misuse these APIs to collect and externalize data against Apple's policies. Device fingerprinting gathers unique device identifiers, useful for precise ad targeting but controversial for privacy invasion. Apple claims APIs used for core app functionalities shouldn't be exploited for fingerprinting, regardless of user permission. Developers Talal Haj Bakry and Tommy Mysk reported that major tech companies fail to comply with Apple's requirement to keep API-derived data on the device. This issue arises as Apple introduces stricter App Store submission rules effective May 1, 2024, aiming to deter privacy breaches. Google acknowledged the report and is investigating the claims, while responses from Meta and Spotify remain pending. Critiques suggest Apple's enforcement of API usage transparency lacks rigor, rendering its privacy measures ineffective.