Daily Brief

Article summaries below are automatically generated.

2024-05-06 23:48:00 | theregister | CYBERCRIME | Law Enforcement Revives LockBit Website for Major Reveal
International law enforcement agencies, including the FBI, NCA, and Europol, have relaunched the previously seized LockBit ransomware group's website, setting a countdown for new disclosures. The site, originally used by LockBit for extortion and data leaks, now features eight locked pages with a countdown, promising revelations about the gang's activities and possibly the identity of its members. Earlier posts published by police on the site were criticized as lackluster in content; the agencies now promise more substantive revelations. Charles Carmakal of Mandiant highlighted the significance of the upcoming reveal at the RSA Conference, suggesting it could provide detailed insights into the LockBit group and its key figure, LockbitSupp. The newly resurrected site will be operational only until May 10, indicating a limited window for these disclosures. Despite law enforcement actions, LockBit continues its operations unabated, recently targeting hospitals and government entities, demonstrating resilience and an ongoing threat presence. The tension between LockBit's representatives and U.S. authorities continues, with accusations of deception from both sides, underscoring the complex dynamics of cyber enforcement and cybercrime engagement.

2024-05-06 19:54:08 | theregister | DDOS | Mastodon Postpones Update to Fix DDoS Issues from Link Previews
Mastodon has delayed releasing a fix for a bug that causes accidental DDoS attacks through its link preview feature. The decentralized structure of the Mastodon network means that many servers request data from a single site simultaneously, which resembles a DDoS attack. The issue has persisted for over a year; the fix was initially planned for version 4.3.0 and is now postponed to version 4.4.0. Websites hit by this excess traffic can experience significant slowdowns or downtime, as shown by the 504 Gateway Timeout error reported by the It's FOSS News blog. Beyond the delayed DDoS fix, Mastodon faces other challenges, including uneven update compliance across its servers, some of which remain vulnerable to other security issues. Progress on version 4.4.0 is uncertain, with no clear timeline for the rollout of the planned fixes.

2024-05-06 17:06:15 | theregister | CYBERCRIME | Consultant Faces Charges in $1.5M IT Company Extortion Attempt
A former IT consultant, Vincent Cannady, is charged with attempting to extort $1.5 million from his previous employer, a multinational IT services company. Cannady was arrested in Missouri after allegedly using a company laptop to illegally download and store confidential data, including trade secrets and server architecture, to his personal cloud storage. Following his dismissal for poor job performance in June 2023, Cannady purportedly demanded a "settlement" equaling approximately fifteen years' worth of salary under threats of legal action and data leakage. The extortion attempts included threats to release the stolen information to media outlets and to use it for a potential book deal to inflict reputational damage on the company. Kyndryl, identified through court records, sought a temporary restraining order against Cannady to prevent public disclosure of the proprietary data. Negotiations broke down after the company provided a draft settlement agreement that did not exempt Cannady from future prosecution, which he refused. Charged with Hobbs Act extortion, Cannady faces up to 20 years in prison if convicted, highlighting the legal repercussions of data theft and extortion in the cybersecurity realm.

2024-05-06 14:38:31 | bleepingcomputer | RANSOMWARE | Wichita Shuts Down IT Network After Ransomware Strike
The City of Wichita, Kansas, experienced a ransomware attack leading to the shutdown of several network segments. The attack, which took place on May 5th, led to the encryption of the city's IT systems. The city has not confirmed whether any data was stolen; however, data theft is common in similar ransomware incidents. Wichita has initiated a comprehensive review to assess the impact, including potential data compromise. Because of the ransomware, the city's online payment services, including water bills and court fees, are currently offline. First responder services such as police and fire departments continue operating under established business continuity plans. The specific ransomware group responsible for the attack has not been identified, though the incident has been reported to local and federal law enforcement for further investigation.

2024-05-06 14:02:28 | thehackernews | MALWARE | Over 50,000 Internet-Facing Hosts Vulnerable to Tinyproxy Exploit
More than 50% of Tinyproxy hosts exposed on the internet are vulnerable to a critical flaw (CVE-2023-49606). The vulnerability, found in Tinyproxy versions 1.10.0 and 1.11.1, allows unauthenticated remote code execution through a specially crafted HTTP header. The flaw was identified by Cisco Talos and carries a severity rating of 9.8 out of 10. Approximately 52,000 of the 90,310 hosts surveyed run the affected Tinyproxy versions. Significant numbers of affected hosts are located in the U.S., South Korea, China, France, and Germany. Talos released a proof of concept for the exploit, but the patch was delayed by reporting problems: the maintainers were not promptly informed. Recommendations include updating Tinyproxy as soon as patches are available and not exposing the Tinyproxy service to the public internet.

2024-05-06 13:52:02 | thehackernews | NATION STATE ACTIVITY | China-Linked Hackers Launch ArcaneDoor Cyber Espionage Campaign
A cyber espionage campaign named ArcaneDoor targets perimeter network devices, impacting several major vendors, including Cisco. China-linked threat actors, tracked as UAT4356 or Storm-1849, are suspected to be behind the attacks, which began in July 2023 and were detected in January 2024. Custom malware, Line Runner and Line Dancer, was deployed to exploit since-patched vulnerabilities in Cisco Adaptive Security Appliances. The attackers' interest extends to Microsoft Exchange servers and additional network devices, indicating a broader surveillance scope. Connections to China are suspected based on SSL certificates and IP addresses linked to Chinese networks and technology companies. The attackers' infrastructure involved anti-censorship tools, hinting at methods to circumvent Chinese internet restrictions. French cybersecurity firm Sekoia intercepted a related command-and-control server operation, revealing widespread infections across multiple countries. The espionage efforts are part of broader strategic intelligence activities, potentially linked to China's Belt and Road Initiative.

2024-05-06 13:41:40 | theregister | CYBERCRIME | CISA Targets Old Bugs in New Cybersecurity Improvement Push
CISA has issued an urgent call to the software industry to address persistent directory traversal vulnerabilities, which have plagued systems for over 20 years. Recent exploits of these vulnerabilities in critical sectors, like healthcare, have prompted heightened vigilance from the cybersecurity agency. Directory traversal attacks allow unauthorized access to data and can lead to significant data theft and system compromises. Examples of recent severe exploits include vulnerabilities in ConnectWise's ScreenConnect and Cisco AppDynamics Controller. Of the 1,104 vulnerabilities logged in CISA's KEV catalog, only 55 are directory traversals, yet their impact on critical infrastructure is significant. CISA recommends implementing well-known mitigations such as using random identifiers for file naming and restricting the characters allowed in file name input to prevent such attacks. The move is part of a broader CISA initiative to encourage 'secure-by-design' practices, which include addressing software vulnerabilities from the development phase.

2024-05-06 11:19:03 | bleepingcomputer | MISCELLANEOUS | Enhance Your Cybersecurity Skills with Discounted Training Bundle
Cybersecurity is increasingly essential across all IT disciplines, highlighting the importance of specialized training. The Complete 2024 Cyber Security Expert Certification Training Bundle offers a discount of $145, pricing the package at $49.99. This bundle provides 120+ hours of cybersecurity training across five courses, designed to prepare IT professionals for various certifications. Courses cover major frameworks and certifications, including NIST cybersecurity protocols, CRISC, CISM, CASP+, and CISSP. Training courses are developed by IDUNOVA, featuring lessons from experienced professionals in a self-paced online format. The courses aim not only to prepare for exams but also to equip IT professionals with practical, applicable cybersecurity skills. Access to the bundle simply requires an updated browser and a strong internet connection. Purchases support BleepingComputer.com through commissions, with sales facilitated by StackCommerce.

2024-05-06 11:08:39 | bleepingcomputer | NATION STATE ACTIVITY | Law Enforcement Teases New Insights on LockBit Ransomware
The FBI, NCA, and Europol have restarted a previously seized LockBit ransomware site, hinting at forthcoming announcements. Operation Cronos, conducted on February 19, dismantled LockBit's infrastructure, capturing servers, stolen data, cryptocurrency details, and 1,000 decryption keys. The seized data leak site was repurposed for press releases revealing the outcomes of the operation, including LockBit's deceitful practices towards victims. A teased announcement titled "Who is LockBitSupp?" ended with law enforcement claiming knowledge of the operator's identity but disclosing no substantial information, drawing criticism and being perceived as a potential misstep. New blog posts scheduled to go live simultaneously promise further exposures and updates on the LockBit operation's current status and future threats. Despite significant disruptions to its activities, LockBit continues to pose risks to global enterprises, with ongoing, albeit reduced, cyber attacks.

2024-05-06 11:03:17 | thehackernews | CYBERCRIME | High Costs of Cyberattacks and Benefits of Managed EDR for SMBs
Many SMBs are reducing their cybersecurity budgets, making themselves vulnerable to sophisticated cybercriminals who see these businesses as easy targets. Cyberattacks on SMBs can lead to substantial financial burdens, including disruptions in normal operations, extensive recovery costs, and potential legal fees. A significant proportion of SMBs have experienced cyberattacks or are unaware of breaches within the last year, highlighting widespread security gaps and the need for effective cybersecurity solutions. A Managed Endpoint Detection and Response (EDR) solution can provide essential cyber defense for SMBs, offering 24/7 monitoring and professional threat management without the need for extensive in-house resources. Implementing robust cybersecurity measures like managed EDR can be more cost-effective than the expenses associated with recovering from a cyberattack. The Huntress Managed EDR solution, backed by a dedicated Security Operations Center, ensures continuous monitoring and quick remediation of potential threats, alleviating the cybersecurity burden for SMBs. Beyond financial losses, cyberattacks can also cause reputational damage, psychological trauma, and legal issues, underscoring the wide-reaching impact of these security breaches.

2024-05-06 10:12:15 | thehackernews | MALWARE | Multiple Security Flaws Identified in Xiaomi Android Devices
Multiple security vulnerabilities were disclosed in Xiaomi devices running Android, affecting various applications and system components. The reported flaws could lead to unauthorized access to activities and services, arbitrary file theft, and data leakage involving Xiaomi account details. Specific vulnerabilities include a shell command injection in the System Tracing app and data leakage issues in the Settings app. Additional flaws found in the Print Spooler and Phone Services show that legitimate AOSP components modified by Xiaomi are susceptible to attacks. A memory corruption issue was also discovered in the GetApps application, stemming from an unresolved bug in an Android library. The Mi Video app is at risk of broadcasting sensitive user information such as usernames and emails, which can be intercepted by third-party apps. Oversecured reported these security issues to Xiaomi between April 25 and April 30, 2024, and advises users to update their systems to protect against these vulnerabilities.

2024-05-06 07:54:28 | thehackernews | MALWARE | Cuckoo Spyware Targets macOS Users Across Intel and Arm Devices
Cybersecurity researchers discovered a new macOS-targeted spyware named Cuckoo, affecting both Intel and Arm Macs, capable of stealing host information and establishing persistent access. Cuckoo utilizes a fake password prompt for privilege escalation and conducts thorough surveillance, including harvesting data from iCloud Keychain, Apple Notes, and various applications such as web browsers and crypto wallets. The malware checks the machine's locale and avoids execution if the system is based in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. Distribution methods seem to involve deceptive websites claiming to offer music ripping and MP3 conversion software, with affected sites including dumpmedia.com, tunesolo.com, and others. The infected disk images from these sites initiate a bash shell to ascertain and prepare the host system before deploying the malware. Some application bundles associated with the malware come signed with a valid developer ID from Yian Technology Shenzhen Co., Ltd., except for one variant from fonedog.com with a different developer ID. This disclosure follows recent discoveries of other macOS threats, including CloudChat and a variant of AdLoad malware, indicating rising threats against macOS systems. Cuckoo's multifaceted approach includes screening for specific files, executing commands to extract hardware details, capturing running processes, and taking screenshots.

2024-05-06 02:34:24 | theregister | NATION STATE ACTIVITY | Germany Accuses Russian APT28 of Major Cyberattacks in 2023
German officials have attributed a series of cyberattacks on government, infrastructure, and private sectors to APT28, also known as Fancy Bear, a Russian-linked cyber group. The attacks are believed to be a response to Germany's military support to Ukraine, including the provision of tanks. Although described as largely ineffective, these attacks also targeted the Social Democratic Party of Germany and are part of ongoing Russian cyber operations against its geopolitical adversaries. The United States has supported Germany's claims, following joint efforts to disrupt APT28's use of compromised networks and devices for malicious activities. APT28 has previously been involved in significant global cyber incidents, including the creation of the NotPetya malware and exploitation of major vulnerabilities. The situation underscores the continuing threats from state-sponsored cyber actors and international tensions surrounding cyber warfare and intelligence operations.

2024-05-05 14:23:08 | bleepingcomputer | MALWARE | Finland Reports Android Malware Scam Targeting Bank Accounts
Finland's Transport and Communications Agency (Traficom) has issued a warning about a malware campaign targeting Android users to breach bank accounts. The malware masquerades as a McAfee app, tricking victims into downloading it via SMS messages that appear to be from banks or local telecom operators using spoofing technology. Once installed, the malware grants threat actors access to victims' banking accounts, enabling unauthorized transactions and fund transfers. The scam involves sending victims SMS prompts to call a number, where they are then persuaded to install the fraudulent app from a link outside the official app store. Police reports highlight significant financial losses, with one victim losing 95,000 euros due to unauthorized access to their banking account. The malware, suspected to be a new version of the Vultur trojan, features advanced capabilities like file management abuse and service disruptions, making detection and removal challenging. Traficom advises infected users to contact their banks immediately for protective measures and to perform a factory reset on devices to eliminate the malware. Enhanced vigilance is recommended, including skepticism towards unexpected requests for app installations or sharing sensitive information via phone.

2024-05-05 13:32:12 | theregister | MISCELLANEOUS | Internet Society Stresses Immutable Value of End-to-End Encryption
Robin Wilton of the Internet Society advocates for the continued use of strong end-to-end encryption (E2EE), despite opposition from law enforcement. Law enforcement agencies argue that E2EE hinders their ability to investigate serious crimes, including human trafficking and child exploitation. Wilton counters this perspective by highlighting the steady number of arrests despite the increased use of E2EE services since 2015, suggesting encryption does not impede crime solving. Europol's recent statements pushing against E2EE lack substantial evidence, according to Wilton. The UK's Online Safety Act, challenging E2EE by favoring police access, reflects ongoing tensions but does not signify a victory against encryption, per Wilton. Wilton emphasizes the necessity of E2EE in the modern world, given the ubiquity of connected devices and the unrealistic expectations of selective encryption legislation.