Daily Brief

Find articles below; each entry is followed by its generated summary

Total articles found: 11813

Checks for new stories every ~15 minutes

2024-04-08 18:23:44 bleepingcomputer CYBERCRIME Crypto Drainers Hack Thousands of WordPress Sites
Hackers have compromised nearly 2,000 WordPress sites to push fake NFT offers and crypto discounts through pop-ups that lure visitors into connecting their wallets, which the injected drainer scripts then empty. Security firm Sucuri reported that the operators first infected around 1,000 sites to promote crypto drainers, then switched to using visitors' browsers to brute-force the admin passwords of other WordPress sites, before returning to wallet-draining promotions. Sites pulled into the brute-force campaign included high-profile victims such as the website of Ecuador's Association of Private Banks. An urlscan.io search shows more than 2,000 websites that loaded the malicious scripts in the past week, although not all of them are currently serving the scam pop-ups. The MetaMask wallet warns users when they visit sites that load these scripts, a reminder to connect wallets only to platforms you trust. Users should treat unexpected pop-ups with suspicion, especially ones that do not fit the site's usual content or design.
2024-04-08 18:03:12 theregister DATA BREACH Home Depot Employee Data Exposed by Third-Party Vendor
Home Depot has confirmed that a third-party SaaS vendor exposed a limited set of employee data, including names, work email addresses and user IDs, while the unnamed vendor was testing its systems. The company has not said how many employees are affected. A BreachForums user posting as "IntelBroker" claims to have uploaded a database covering about 10,000 Home Depot employees. Although the exposed fields are not highly sensitive, work identities of this kind are useful for targeted phishing that could lead to credential theft and unauthorized access to Home Depot's internal systems. Home Depot employs approximately 475,000 associates across its stores in the US, Canada and Mexico. IntelBroker has also claimed a number of other high-profile breaches, including the alleged theft of classified Pentagon documents, and the State Department and other authorities are investigating those claims.
2024-04-08 15:04:53 bleepingcomputer CYBERCRIME CVS Group Cyberattack Disrupts Veterinary Services Across UK
Cyberattack targeted CVS Group, causing significant disruption to its veterinary operations in the UK. CVS Group is a major provider with 500 practices in the UK, Australia, the Netherlands, and Ireland, employing over 9,100 staff. Unauthorized access to CVS's IT systems prompted the company to shut down its systems to contain the threat. Third-party cybersecurity experts have been engaged to investigate the incident and aid in IT service restoration. The cyberattack's effects are confined to UK operations, with non-UK services not hosted on the affected infrastructure. CVS announced the acceleration of their strategic plan to migrate IT systems to the cloud, promising enhanced security but additional operational disruption. The company’s announcement on the London Stock Exchange site did not confirm if any personal data was compromised, and no ransomware group has claimed the attack.
2024-04-08 14:49:16 bleepingcomputer CYBERCRIME CVS Group Veterinary Clinics Hit by Disruptive Cyberattack
UK-based CVS Group, a provider of veterinary services, suffered a cyberattack that caused significant operational disruption. The attack affected the company's IT infrastructure, and CVS Group shut down systems to contain it. CVS Group operates 500 veterinary practices and employs approximately 9,100 staff, including 2,400 veterinary surgeons and 3,400 nurses. Third-party cybersecurity specialists have been engaged to assist with the investigation and with restoring IT services. The incident is currently limited to UK practices; international operations are unaffected because they are not hosted on the affected IT systems. The company is accelerating a strategic move to migrate all of its IT infrastructure to the cloud, which it expects to improve security and efficiency but also to prolong the operational disruption. So far no ransomware group has claimed responsibility, and CVS has not confirmed a data breach affecting staff or clients.
2024-04-08 14:33:39 theregister DATA BREACH Veterinary Company CVS Group Hit by Cyber Incident
CVS Group, a major UK veterinary chain, experienced a "cyber incident" that has led to significant operational disruption. The company shut down IT systems as part of its emergency response plan to isolate the threat. Personal information may have been compromised, and the ICO has been notified because data theft is possible. Clinical care reportedly continued at most practices, although UK operations were disrupted. Operations outside the UK, systems not hosted by CVS, and the company's e-commerce systems were not affected. CVS is accelerating its cloud migration strategy in response, citing improved security and operational efficiency. The share price dropped before recovering slightly, against a backdrop of wider market concern about a CMA investigation into vet pricing practices. Further updates on data integrity and IT system recovery are expected.
2024-04-08 13:52:38 thehackernews MISCELLANEOUS Google Chrome Enhances Browser Security With New V8 Sandbox
Google has introduced the V8 Sandbox in Chrome to limit the impact of memory corruption bugs in the V8 JavaScript engine. The sandbox confines V8's heap to a reserved region of the process's virtual address space and is designed so that an attacker who can read and write arbitrary memory inside that region still cannot corrupt memory outside it: references between in-sandbox objects are stored as offsets rather than raw pointers, and references to memory outside the sandbox go through a separate pointer table that the sandboxed code cannot write. Google cites the 16 in-the-wild V8 zero-days between 2021 and 2023 as the motivation. Existing memory-safety technologies are largely ineffective against the typical V8 bug class, which is a logic error in the engine that lets attacker-controlled data be treated as a valid HeapObject rather than a classic out-of-bounds access or use-after-free, hence the dedicated sandbox. The measured overhead is about 1% on typical workloads, low enough that the sandbox is enabled by default from Chrome 123 across multiple platforms. The design requires a 64-bit system because it reserves one terabyte of virtual address space. Google presents the work as part of its broader memory-safety effort, alongside the use of Kernel Address Sanitizer (KASan) on Android, which it credits with finding more than 40 memory bugs.
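The two isolation mechanisms in that design, as an added toy model in C. This is illustrative code written for this digest, not V8's own implementation: the region size (1 MiB instead of 1 TiB), the table size, the tag values and all function names are assumptions chosen to make it runnable.

```c
/* Toy model of the V8 sandbox idea (illustrative, not V8 code):
 * 1) references between in-sandbox objects are 32-bit offsets from the
 *    sandbox base, so a fully corrupted reference still names memory
 *    inside the sandbox;
 * 2) references to memory outside the sandbox are handles into a table
 *    that lives outside it, checked against a type tag, so a corrupted
 *    handle can never become an arbitrary raw pointer.
 * Sizes are scaled down (assumption): V8 reserves 1 TiB of address space,
 * this model uses a 1 MiB heap allocation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SANDBOX_SIZE   (1u << 20)          /* 1 MiB model of V8's 1 TiB reservation */
#define EPT_SLOTS      16                  /* external pointer table entries */
#define EPT_INDEX_MASK (EPT_SLOTS - 1)

#define TAG_FILE_HANDLE 0x1001u            /* illustrative type tags */
#define TAG_OTHER       0x2002u

typedef uint32_t sbx_offset_t;   /* in-sandbox reference: offset from the base */
typedef uint32_t ept_handle_t;   /* handle into the external pointer table */

static uint8_t *sandbox_base;    /* V8 reserves this with mmap; we calloc it */

/* The table lives OUTSIDE the sandbox: an attacker writing inside the sandbox
 * can only change the handles stored in heap objects, not the table entries. */
static struct { void *ptr; uint64_t tag; } ept[EPT_SLOTS];

int sandbox_init(void) {
    memset(ept, 0, sizeof ept);
    sandbox_base = calloc(SANDBOX_SIZE, 1);
    return sandbox_base != NULL;
}

/* Decode an in-sandbox offset. The mask stands in for V8's guarantee that the
 * region is sized so that every encodable offset lands inside it. */
uint8_t *sbx_decode(sbx_offset_t off) {
    return sandbox_base + (off & (SANDBOX_SIZE - 1));
}

int sbx_contains(const void *p) {
    const uint8_t *q = (const uint8_t *)p;
    return q >= sandbox_base && q < sandbox_base + SANDBOX_SIZE;
}

/* Attacker simulation: an arbitrary 32-bit value written into a reference field. */
int corrupted_offset_stays_inside(sbx_offset_t attacker_value) {
    return sbx_contains(sbx_decode(attacker_value));
}

/* Register an out-of-sandbox pointer; the heap object stores only the handle. */
ept_handle_t ept_register(void *ptr, uint64_t tag) {
    for (ept_handle_t i = 1; i < EPT_SLOTS; i++) {      /* slot 0 stays empty */
        if (ept[i].tag == 0) { ept[i].ptr = ptr; ept[i].tag = tag; return i; }
    }
    return 0;                                            /* table full */
}

/* Resolve a handle under an expected type tag. A corrupted handle is masked
 * into the table; an empty slot or a tag mismatch yields NULL, never a raw
 * attacker-chosen address. */
void *ept_resolve(ept_handle_t handle, uint64_t tag) {
    ept_handle_t i = handle & EPT_INDEX_MASK;
    if (ept[i].tag == 0 || ept[i].tag != tag) return NULL;
    return ept[i].ptr;
}

/* Exercise the table: legitimate use works, while type confusion and a
 * corrupted handle both fail closed. */
int ept_checks_pass(void) {
    static int outside_object;                            /* not in the sandbox */
    ept_handle_t h = ept_register(&outside_object, TAG_FILE_HANDLE);
    if (h == 0) return 0;
    if (ept_resolve(h, TAG_FILE_HANDLE) != &outside_object) return 0;
    if (ept_resolve(h, TAG_OTHER) != NULL) return 0;                 /* wrong tag */
    if (ept_resolve(0xDEADBEEFu, TAG_FILE_HANDLE) != NULL) return 0; /* index 0xF: empty slot */
    return 1;
}

int main(void) {
    if (!sandbox_init()) return 1;
    printf("corrupted offset 0xFFFFFFFF stays inside sandbox: %d\n",
           corrupted_offset_stays_inside(0xFFFFFFFFu));
    printf("external pointer table checks pass: %d\n", ept_checks_pass());
    printf("a static outside the heap is inside the sandbox (expect 0): %d\n",
           sbx_contains(&sandbox_base));
    return 0;
}
```

The takeaway is that a full 32-bit corruption of an in-sandbox reference still decodes to sandbox memory, and a corrupted handle can at worst select a different entry of the right type in a table the attacker cannot write. The real design is considerably more involved (guard regions around the reservation, pointer-compression cages, separate tables for different kinds of out-of-sandbox references), which this model omits.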
2024-04-08 13:06:00 theregister RANSOMWARE Change Healthcare Targeted Again by Ransomware Demand for 4TB Data
Change Healthcare has been targeted by a second ransomware gang shortly after an ALPHV ransomware attack. RansomHub claims to have 4 TB of the company's data including PII of US military personnel, medical records, and payment information, threatening to sell it unless a ransom is paid. The same group alleges Change Healthcare previously paid a $22 million ransom to ALPHV, a claim supported by crypto wallet monitoring but not confirmed by the company. Theories suggest ALPHV may have conducted an exit scam, with the affiliate responsible for the attack joining RansomHub to recover their "owed" share. Another theory posits that RansomHub could be ALPHV under a new name, which would explain the re-targeting of Change Healthcare despite a prior ransom payment. The case highlights the risks of ransom payments, as there is no guarantee cybercriminals will delete stolen data after payment, and such actions can encourage further attacks. Change Healthcare's parent company, UnitedHealth, had previously reported a cyber incident on February 22, leading to service disruptions in hospitals and pharmacies. A probe into Change Healthcare's data protection practices is imminent due to the significant impact of the cyberattack.
2024-04-08 12:50:04 bleepingcomputer MISCELLANEOUS Notepad++ Warns of Impersonator "Fan" Website Risks
Notepad++ has asked the public for help in taking down a copycat website, notepad[.]plus, that mimics the project's branding without being affiliated with it. The site currently sends visitors to the legitimate Notepad++ download page, but there is nothing to stop its operators changing that in future. Developer Don Ho says he has received numerous complaints about the site. It carries disclaimers describing itself as an unaffiliated fan site, which may shield it from some accusations, and it is criticized for diverting traffic from the official project and for potentially hosting malicious advertisements, although BleepingComputer saw no active malicious ads at the time of writing. Use of the Notepad++ name and branding may still be a trademark issue. Ho's request to report the site through Google Safe Browsing may have little effect while the site distributes no malware. Some community members note that in principle any download source, including the official Notepad++ site, could one day turn malicious, underscoring the need for vigilance in open-source communities.
2024-04-08 11:33:18 thehackernews CYBERCRIME Ransomware Attacks Decline in Q1 2024 Due to Law Enforcement Efforts
Ransomware incidents decreased by 22% in Q1 2024 compared with Q4 2023, to 1,048 reported cases. International law enforcement agencies collaborated in "Operation Cronos," which seized LockBit infrastructure and led to the arrest of LockBit affiliates. Despite the arrests, LockBit quickly resumed operations, demonstrating the group's resilience. The FBI disrupted the ALPHV/BlackCat ransomware group, seizing its main site and releasing a decryption tool, which reduced the number of attacks attributed to it. The proportion of victims paying ransoms fell to a historic low of 29% in the last quarter of 2023, and average ransom payments also fell. New ransomware groups have emerged despite the decline in the number and profitability of attacks, but so far they have not made up for the drop.
2024-04-08 11:33:18 thehackernews MALWARE 'Latrodectus' Malware Emerges as Major Email Phishing Threat
Researchers have identified a new downloader, Latrodectus, that is spreading through email phishing campaigns. Latrodectus is linked to the threat actors behind the IcedID malware and is used by initial access brokers to deploy other malware. It is mainly associated with the IABs TA577 and TA578, the latter of which has used Latrodectus almost exclusively since mid-January 2024 in campaigns that use legal-threat lures to steer victims to malicious downloads. Latrodectus checks its environment before running, to evade sandboxes and analysis, and once active it contacts a command-and-control server for instructions. Supported C2 commands include enumerating files, executing binaries and terminating processes. The infrastructure behind Latrodectus has operational links to IcedID, suggesting an evolution in tooling rather than a new actor. Researchers expect increased use of Latrodectus by financially motivated actors that previously distributed IcedID.
2024-04-08 09:56:08 bleepingcomputer MISCELLANEOUS Notepad++ Dev Appeals for Shutdown of Impersonator Site
Notepad++ developer Don Ho has called for public assistance in shutting down a lookalike website, notepad[.]plus, which mimics the project's branding. The imitator site currently redirects users to the official Notepad++ downloads, but it raises concerns about future security threats if that changes. Ho received multiple complaints about the site, which appears prominently in search results, confuses users and could later be turned to malicious ends. The site carries disclaimers stating that it is not affiliated with the official Notepad++, yet it serves ads that generate revenue for its operators. Checks by BleepingComputer found no active malicious advertisements or promotional links on the unofficial site at the time of investigation. Community reaction is mixed, with some questioning the threat level of a site that does not currently distribute malware. Ho stresses the importance of downloading open-source projects like Notepad++ directly from their official websites to avoid counterfeit or trojanized builds.
2024-04-08 08:39:29 thehackernews CYBERCRIME Phishing Campaign Hits Latin America with Malicious Payloads
Cybercriminals have launched a sophisticated phishing campaign specifically targeting the Latin American market, aiming to infect Windows systems. The phishing email distributes a ZIP file that, when extracted, leads to the download of a RAR archive containing a malicious PowerShell script. The script gathers system information and checks for antivirus software, using evasion techniques such as Base64-encoded PHP scripts and geographically restricted domains. Trustwave researchers note similarities with previous Horabot malware attacks, with tactics that include using new domains and country-specific behavior to avoid detection. Malwarebytes has reported a separate malvertising campaign using Microsoft Bing ads for a fake NordVPN to deliver the SectopRAT remote access trojan, highlighting the continued threat of malvertising. SonicWall identifies additional threats, including a fake Java Access Bridge installer and a new Golang malware using unique geolocation checks and HTTPS command-and-control communications. The report serves as a reminder of the evolving techniques used by threat actors to deploy malware and the importance of vigilant cybersecurity practices.
2024-04-08 06:32:10 theregister MISCELLANEOUS High-Ranking Israeli Cyber Spy Accidentally Reveals Identity
A top Israeli spy, Yossi Sariel, known for leading the elite Unit 8200, inadvertently exposed his own identity due to an online privacy error. The exposure happened after a book he authored under a pseudonym included an email that could be traced back to his real name and Google account. Sariel's unit faced criticism following an intelligence failure attributed to them when Hamas attacked Israel in October. His exposure raises questions about the real-life implications of even minor privacy lapses, especially for individuals in sensitive positions. In other news, Jackson County, Missouri, suffered a ransomware attack caused by a phishing link that led to operational issues and interrupted government services. Data-stealing malware incidents have surged by 643% over the past three years, with an average of 50.9 credentials stolen per infected device. It was noted that many individuals who experience a malware infection tend to repeat the mistake, with around 21% installing additional malware shortly after an initial incident.
2024-04-08 05:30:51 thehackernews CYBERCRIME Google Takes Legal Action Against Crypto Scam App Creators
Google has filed a lawsuit against two developers, Yunfeng Sun and Hongnam Cheung, who allegedly created fraudulent cryptocurrency investment apps. The scheme lured users with promises of high returns and used fake Android apps to deceive more than 100,000 people and take their money. Some 87 of these apps were published on the Google Play Store as part of a social engineering operation active since 2019. Victims were pressured to pay additional fees under the pretense of unlocking their principal and gains, a hallmark of so-called "pig butchering" investment fraud. The scammers built elaborate fake identities and online personas across social media and dating sites to gain the trust of prospective investors. Google accuses the defendants of persistent fraud and of making false representations to Google's services, in violation of numerous policies and the RICO Act. Fake investment apps are not unique to Android; similar fraudulent apps have also been found on the Apple App Store. The suit follows other recent legal action by Google against misuse of its products, reflecting a stepped-up effort to protect its platforms and users from cybercrime.
2024-04-07 17:44:45 bleepingcomputer DATA BREACH Home Depot Employee Data Breach Exposes Corporate Information
Home Depot confirmed a data breach caused by a third-party SaaS vendor exposing employee data. Limited information for about 10,000 employees was leaked by threat actor IntelBroker on a hacking forum. Exposed details include names, work email addresses, and user IDs, which are not highly sensitive but could enable phishing attacks. Home Depot warned its employees to be vigilant about phishing attempts seeking additional sensitive information or credentials. The data breach raises concerns about the security protocols of third-party vendors and the risks they present. IntelBroker, the threat actor behind the leak, has been involved in previous high-profile breaches, including one affecting U.S. House members and their staff. Home Depot employees are advised to report suspicious emails to IT staff for verification to prevent potential security breaches.