Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11822

Checks for new stories every ~15 minutes

2024-05-01 22:27:41 bleepingcomputer DATA BREACH DropBox Reports Significant Data Theft from eSignature Service
Dropbox has confirmed a significant breach of its Dropbox Sign eSignature platform, formerly known as HelloSign. Hackers accessed authentication tokens, MFA keys, hashed passwords, and customer information including emails, usernames, and phone numbers. The breach was detected on April 24; unauthorized access was obtained through an automated system configuration tool with elevated privileges. Fortunately, there is no evidence that customer documents or agreements were accessed, nor were other Dropbox services affected. Dropbox has reset all passwords, logged out sessions, and imposed restrictions on API key usage pending customer rotation. Users of Dropbox Sign are advised to update MFA configurations and stay vigilant against potential phishing attempts using the stolen data. Dropbox is contacting all affected customers and has issued a security advisory with guidelines on how to handle the situation securely.
2024-05-01 19:19:13 bleepingcomputer NATION STATE ACTIVITY US Warns of Pro-Russian Hacktivists Targeting Critical Water Facilities
The US government has issued a warning about pro-Russian hacktivists targeting operational technology (OT) systems in critical infrastructure sectors, especially water facilities. A joint advisory from several US agencies including CISA, FBI, NSA, and others, alongside international partners like CCCS (Canada) and NCSC-UK, emphasizes the threat to industrial control systems. These hacktivist activities mainly deploy unsophisticated methods but pose potential physical threats due to insecure and misconfigured OT environments. Recent incidents reported include targeted but non-breached attacks on water treatment facilities in Indiana and an overflow issue at a Texas water facility. The Cyber Army of Russia, linked to these attacks, has been connected to the Sandworm group, identified as APT44 under Russia’s GRU. Recommendations from the advisory stress the importance of securing and hardening OT devices including updating software, changing default passwords, and implementing multi-factor authentication. NSA has emphasized the expanded scope of these hacktivist operations impacting North American and European infrastructure, urging heightened cybersecurity measures.
2024-05-01 19:03:41 theregister MISCELLANEOUS Former CEO Settles SEC Charges Over Misleading Claims
Jack Blount, former CEO of Intrusion, settled with the SEC regarding false statements about his background and the company’s product, Intrusion Shield. Blount was charged with breaking anti-fraud rules under the Securities Exchange Act and the Securities Act, yet faces no financial penalty due to claimed financial inability. Misrepresentations included falsified claims about Blount’s roles as a director of public companies and as a CIO of the US Department of Agriculture. Under Blount’s direction, Intrusion allegedly exaggerated the success of its product Intrusion Shield and its adoption by several supposed beta testing companies. Only six out of thirteen beta testers purchased the product, despite claims of broader success and adoption by notable customers. Legal filings revealed Intrusion had given the product for free to a key customer and was instructed by Blount to conceal this fact. The misleading disclosures under Blount’s leadership resulted in a temporary surge in Intrusion’s stock price and trading volume. Blount was removed from his role in July 2021 following these incidents, and now faces a bar from serving as an officer or director in any public company.
2024-05-01 17:37:06 bleepingcomputer DATA BREACH Panda Restaurant Group Reports Significant Data Breach
Panda Restaurant Group disclosed a data breach affecting its corporate systems but not its in-store operations. The breach, detected on March 10, 2024, involved unauthorized access between March 7-11, leading to the theft of personal information. The breach impacted the parent company of popular chains including Panda Express, Panda Inn, and Hibachi-San. An undisclosed number of individuals' data, including names and driver's license numbers, was exposed. Panda has engaged third-party cybersecurity experts and law enforcement to investigate and respond to the breach. Additional technical safeguards have been implemented to enhance data security and prevent future breaches. The specifics regarding whether customers, employees, or both were affected remain unclear as investigations continue.
2024-05-01 17:06:19 theregister MISCELLANEOUS US Indicts 16 in Multimillion-Dollar Grandparent Scam Operation
US prosecutors have charged 16 individuals for orchestrating grandparent scams, defrauding elderly Americans out of millions. The scams involved impersonating relatives of elderly victims, falsely claiming they were in urgent need of money for legal and medical emergencies. The accused are based in the Dominican Republic and the US, with ages ranging from 21 to 59. Scammers used various roles within the scheme, including "openers" who initiated contact and "closers" who impersonated legal and law enforcement officials to solidify the scam. Tactics included manipulating phone numbers to appear local, creating elaborate stories of car accidents or legal troubles, and demanding payment through cash or precious metals. The FBI noted that couriers involved in the scam transported over $55 million in assets, often unknowingly, between May and December 2023. Those charged face up to 20 years in prison and significant fines for each count of mail and wire fraud, with additional penalties for money laundering. This indictment highlights ongoing efforts by US law enforcement to protect elderly citizens from financial scams and exploitation.
2024-05-01 16:40:32 bleepingcomputer RANSOMWARE French Hospital Defies LockBit Ransom Demand Amid Cyberattack
The Hôpital de Cannes Simone Veil (CHC-SV) in France rejected a ransom demand from the LockBit 3.0 ransomware gang. The hospital faced a severe cyberattack on April 17, disrupting operations and leading to the rescheduling of non-emergency procedures. LockBit 3.0 threatened to publish stolen data on the dark web if its ransom demands were not met. CHC-SV alerted both local law enforcement and the National Agency for Information Systems Security (ANSSI) about the ransom demand. The hospital communicated through social media that it would not pay the ransom and would notify affected individuals if any data leakage occurs. Hospital IT staff are actively working to restore all affected systems to full functionality. The incident demonstrates LockBit’s indifference to disrupting healthcare services, despite previous claims of avoiding such actions. LockBit operations had briefly suffered after FBI disruptions but resumed with new tactics shortly after.
2024-05-01 16:30:04 bleepingcomputer CYBERCRIME GitLab Account Security Flaw Actively Exploited, CISA Warns
CISA has issued a warning about active exploitation of a high-severity GitLab vulnerability, tracked as CVE-2023-7028, allowing unauthorized account takeovers. The flaw exists due to improper access control, enabling attackers to initiate password reset emails and change passwords without user interaction. This vulnerability significantly impacts GitLab Community and Enterprise editions but does not affect accounts secured with two-factor authentication (2FA). GitLab has already released patches for affected versions, reducing the number of vulnerable online instances from 5,379 to 2,394. The U.S. cybersecurity agency has mandated federal agencies to secure their systems against this exploit by May 22 and recommends private organizations using GitLab to do the same. Despite current exploitations, there is no evidence of the vulnerability being used in ransomware attacks. Organizations potentially affected should consult GitLab’s incident response guide and check for signs of compromise immediately.
2024-05-01 15:08:31 theregister DATA BREACH Qantas Mobile App Glitch Exposes Customer Boarding Passes
Qantas Airways encountered a data mishap where boarding passes and personal details were erroneously shown on other users' mobile app accounts. Issues included exposure of names, airline points, and boarding passes, affecting multiple customers' privacy. The airline attributed the error to a technological glitch potentially linked to recent system updates, not cybercrime. No financial data was disclosed during the incident, and the airline points displayed were non-transferable. Qantas reassured customers that no fraudulent boarding or security breaches occurred due to built-in safeguards. The company has issued an apology and pledged continuous monitoring to prevent further glitches. Customers were recommended to stay vigilant against potential phishing attacks exploiting the incident, mirroring patterns previously observed after the Thomas Cook collapse.
2024-05-01 14:27:39 thehackernews CYBERCRIME Advanced Bitcoin Forensics Reveals Criminal Money Laundering Clusters
Elliptic and researchers from MIT-IBM Watson AI Lab uncovered illicit clusters in the Bitcoin blockchain. Using a 26 GB graph dataset known as Elliptic2, the analysis identified 122K labeled Bitcoin subgraphs among 49M node clusters. The researchers used machine learning to predict which subgraphs represent the laundering of criminal proceeds. The analysis detected suspicious activity linked to crypto exchanges, a cryptocurrency mixer, and a Russian dark web forum, and identified money laundering techniques such as peeling chains and nested services, which are common in crypto laundering. Future research aims to enhance machine learning accuracy and extend the techniques to other blockchains. The forensic approach differs from traditional methods by analyzing shapes and patterns within transaction subgraphs for clues of illicit activity.
2024-05-01 13:46:39 thehackernews MALWARE Newly Uncovered Wpeeper Malware Exploits Android Devices via WordPress
Researchers have identified a new malware, dubbed Wpeeper, that targets Android systems and hides its command-and-control (C2) servers behind compromised WordPress sites. Wpeeper, an ELF binary, uses HTTPS to secure communications with its C2 servers and functions as a backdoor, capable of executing commands and managing files on infected devices. The malware was discovered embedded within a fake version of the Uptodown App Store app, designed to look legitimate and deceive users into downloading it. As of the latest update, the rogue app had been downloaded over 2,600 times, indicating significant exposure. Wpeeper's C2 infrastructure involves multiple layers, with initial servers acting as redirectors to conceal the actual C2 locations, thus avoiding immediate detection. This setup includes at least 45 identified C2 servers, with nine primary redirectors embedded within the malware code. The malware's primary functions include collecting sensitive device data, updating C2 servers, downloading additional payloads, and self-deletion. Cybersecurity recommendations emphasize only downloading Android apps from reputable sources and carefully checking app permissions and reviews.
2024-05-01 13:26:03 bleepingcomputer DATA BREACH Qantas App Misconfiguration Exposes Sensitive Passenger Data
Qantas Airways confirmed that a misconfiguration in its app led to the exposure of sensitive customer data. Personal details, including names, upcoming flight information, and frequent flyer account details, were visible to unrelated users. The data exposure was attributed to recent system changes rather than a cyberattack. Users were advised to log out and remain vigilant for potential scams exploiting this incident. The issue was specific to the app; no financial or additional personal data was compromised. Measures have been implemented to prevent similar incidents and ensure airport security and efficiency. The airline confirmed the resolution of the issue, with no customers affected by incorrect boarding passes.
2024-05-01 13:00:20 bleepingcomputer MALWARE New "Cuttlefish" Malware Targets Routers to Steal Credentials
Cuttlefish malware has been detected in enterprise and SOHO routers to monitor traffic and steal login information. The malware forms a covert VPN or proxy tunnel on infected routers, allowing data exfiltration while evading sign-in detection. It is capable of DNS and HTTP hijacking to disrupt internal communications and potentially deliver additional malicious payloads. There is a noted code overlap with HiatusRat, associated with Chinese interests, but no direct attribution has been confirmed. The malware, active since July 2023, has chiefly targeted Turkey, with additional impacts on satellite communication and data centers globally. Initial router infection methods are unclear, but may involve exploiting vulnerabilities or brute-forcing credentials. Once installed, Cuttlefish uses a packet filter to sniff out specific data like usernames and passwords, particularly from major cloud services. Black Lotus Labs recommends regular device reboots, updating firmware, stronger credentials, and securing traffic to combat Cuttlefish threats.
2024-05-01 11:08:10 thehackernews MISCELLANEOUS Transforming Employee Cybersecurity Training for Better Protection
Security awareness training (SAT) is crucial for turning employees into a robust first line of defense against cyber threats. Traditional SAT programs often fail to effect behavioral change; 69% of employees reportedly bypass set cybersecurity guidelines. Outdated SAT methods are inflexible and burdensome, making them ineffective for modern cybersecurity needs. Effective SAT should be easy to deploy, manage, and use, aiming to make security second nature rather than a checklist. An ideal SAT program should adapt to the changing threat landscape, emphasizing real-world scenarios and comprehensive understanding. Asking the right questions before choosing a SAT solution can guide decision-makers in finding the most suitable option that addresses specific organizational needs. Huntress Security Awareness Training offers a user-friendly, effective alternative that enhances employee understanding of and adherence to cybersecurity practices.
2024-05-01 10:32:26 thehackernews MALWARE ZLoader Malware Adopts Anti-Analysis Feature to Evade Detection
ZLoader malware has been updated with an anti-analysis feature originating from the Zeus banking trojan, complicating forensic efforts. The new version 2.4.1.0 of ZLoader restricts its operational scope to the originally infected machine, instantly terminating if executed elsewhere. A specific Windows Registry key and value check are used for this restriction; they must be manually replicated on new systems for the malware to operate. In addition to its anti-analysis tactics, ZLoader employs RSA encryption and has improved its domain generation algorithm to stay under the radar. ZLoader's evolution reflects ongoing development interest, having resurged in activity since September 2023 after a two-year hiatus. The malware has been linked to malicious SEO tactics that promote fraudulent websites via legitimate platforms, increasing the chances of malware spread. Recent related cyber activities include phishing campaigns across multiple nations, deploying Taskun malware intended in part to distribute Agent Tesla.
2024-05-01 06:40:01 thehackernews NATION STATE ACTIVITY Former NSA Employee Gets 22 Years for Espionage Attempt
Ex-NSA worker Jareh Sebastian Dalke was sentenced to nearly 22 years for attempting to sell U.S. secrets to Russia. Dalke was employed as an Information Systems Security Designer at NSA for a brief period in 2022. He attempted to transfer classified National Defense Information to an undercover FBI agent posing as a Russian spy. Dalke used encrypted email to send snippets of top-secret documents, believing he was communicating with a Russian agent. He demanded $85,000 for the information, claiming it would benefit Russia, and intended to share more upon his return to Washington, D.C. Arrested after physically transferring files via a laptop in Denver, he pleaded guilty to espionage charges in October 2023. This case highlights the serious consequences for those who betray trust and attempt to compromise national security.