Daily Brief
Total articles found: 12720
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-28 18:48:59 | theregister | DATA BREACH | BreachForums Resurfaces Post FBI Seizure Under New Management | BreachForums, a notorious ransomware leak site, is operational again weeks after an FBI-led shutdown. The site is reportedly now managed by ShinyHunters, a group previously involved in its administration. Following the May 15 takedown, the FBI had control of its domains and displayed warnings on the website and its Telegram channel. Despite the apprehension of other admins, ShinyHunters claims no arrests among its members and has regained control of the site's domains. There has been no formal comment from the FBI or the US Department of Justice about the takedown or the site's reappearance. BreachForums has continually posed challenges to law enforcement, persistently reemerging even after high-profile shutdowns. Expert commentary suggests that completely dismantling such organized online criminal operations requires capturing all associated personnel and securing all of their technological and financial infrastructure. |
| 2024-05-28 18:33:21 | bleepingcomputer | CYBERCRIME | Russian Hacker Indicted for Selling U.S. Corporate Network Access | Evgeniy Doroshenko, a 31-year-old Russian national, has been indicted in the U.S. for wire and computer fraud committed between February 2019 and May 2024. Doroshenko operated as an "initial access broker," infiltrating corporate networks and then selling access to them on Russian cybercrime forums. He used the online aliases "FlankerWWH" and "Flanker," often relying on brute-force attacks against Remote Desktop Protocol services. One highlighted case involved offering access to a New Jersey company's network with bids starting at $3,000 and a "buy now" price of $6,000. The indictment includes an instance in which Doroshenko extracted data valued at over $5,000 from one of the compromised systems. The wire fraud charge carries a potential penalty of 20 years in prison and a $250,000 fine, while the computer fraud charge could lead to five years in prison and a similar fine. Doroshenko remains at large, likely in Russia, raising doubts about the feasibility of his extradition and arrest. |
| 2024-05-28 18:02:37 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Employ New FakePenny Ransomware in Cyber Attacks | Microsoft has identified the North Korean hacking group Moonstone Sleet as the operator behind the FakePenny ransomware, which demands millions in ransom. Moonstone Sleet, initially similar to another group, Diamond Sleet, has developed its own methods and tools, distancing itself from earlier shared techniques. The group uses deceptive approaches such as trojanized software, fake companies, and social media to infiltrate target networks; it previously focused only on espionage and now also pursues financial extortion. The latest ransomware attacks show a significant increase in ransom demands, up to $6.6 million, indicating a shift toward large-scale financial gain. Moonstone Sleet's tactics reflect a broader trend of evolving capabilities among North Korean cyber groups, aimed at meeting state-sponsored objectives and potentially disrupting international targets. Historical context underscores the continuity and escalation of North Korean state-sponsored cyberattacks, with previous global incidents such as WannaCry and the Maui ransomware attacks linked to groups like Lazarus and Holy Ghost. |
| 2024-05-28 16:51:07 | theregister | MISCELLANEOUS | SpiderOak One Struggles Post-Datacenter Upgrade, Frustrates Users | SpiderOak One experienced significant service disruptions following a datacenter upgrade on April 24, affecting its encrypted backup service, which is primarily used for ransomware protection. Many users, some with subscriptions spanning a decade, reported being unable to back up data and expressed intentions to cancel their subscriptions despite ongoing payments. SpiderOak has been actively issuing refunds and reimbursing customers for unused subscription months while its services are not fully operational. Customer frustration grew due to poor communication about the duration of the disruption and delayed email responses from support. Despite the company's claim of nearing full operational status at 99% functionality, user reports suggest ongoing reliability issues and account billing inconsistencies. The company's support was temporarily shifted to its X social media account after the support system was affected by the datacenter migration. SpiderOak describes the migration as a necessary step for improving data redundancy, scalability, and disaster recovery, and states it is close to restoring full service. The remaining issue involves a specific cluster requiring more attention due to its unique architecture; SpiderOak denies that hardware failure was a cause. |
| 2024-05-28 16:19:53 | bleepingcomputer | MALWARE | Critical Fortinet RCE Vulnerability PoC Released, Urgent Patch Advised | Security researchers at Horizon3 revealed a proof-of-concept (PoC) exploit for a critical command injection vulnerability in Fortinet's SIEM solution. The vulnerability, tracked as CVE-2024-23108, allows remote command execution as root without authentication and affects FortiSIEM versions from 6.4.0 upward. Fortinet initially misidentified the bug as a duplicate of a previously addressed issue, CVE-2023-34992, but later confirmed it as a distinct vulnerability. This vulnerability, alongside another severe flaw, CVE-2024-23109, was patched by Fortinet on February 8, although the company initially denied they were real issues. The PoC exploit enables attackers to execute unauthorized commands on unpatched FortiSIEM appliances, potentially gaining full control. The Horizon3 Attack Team also disclosed a PoC for a critical flaw in Fortinet's FortiClient EMS, which is currently being exploited in the wild. Fortinet systems have been targeted in recent cyberattacks, including the use of their vulnerabilities to deploy malware in corporate and government networks. |
| 2024-05-28 16:14:31 | bleepingcomputer | DATA BREACH | Christie's Auction House Hit by RansomHub Data Breach Incident | Christie's confirmed a data breach after the RansomHub extortion gang claimed to have stolen sensitive client data. The breach occurred earlier this month, with the group threatening to leak the data if it is not paid. RansomHub listed Christie's on its dark web extortion page, demanding a ransom and threatening GDPR fines. The attack compromised personal details of approximately 500,000 clients but did not affect financial or transaction records. Christie's responded immediately by securing its systems and taking its website offline to mitigate further risk. The company is notifying affected clients as well as relevant regulators and government agencies. Despite being labeled a ransomware group, RansomHub primarily carries out data theft and extortion without using an encryptor. Christie's historical significance and high-profile auction sales highlight the potential impact and visibility of the breach. |
| 2024-05-28 13:35:35 | theregister | CYBERCRIME | Christie's Hit by Ransomware Attack; Client Data Stolen | Christie's auction house confirmed a data theft following an online ransomware attack by the RansomHub group. The attackers claimed to have stolen personal data of over 500,000 Christie's clients and set a seven-day deadline for ransom payment. Christie's had previously experienced a disruption described as a "technology security issue" that took its online bidding system offline. The auction house took immediate action by taking its website offline and conducting an investigation, which confirmed unauthorized access to its network. No financial or transactional records were reported compromised, but limited client personal data was accessed. Christie's has contacted privacy regulators and government agencies and is in the process of notifying affected clients. The company has refused to meet the ransom demands, in line with the strategy of not complying with extortion in order to discourage future attacks, despite the risk of data exposure. |
| 2024-05-28 12:54:32 | thehackernews | CYBERCRIME | Indian National Guilty in Massive $37 Million Cryptocurrency Scam | Chirag Tomar pleaded guilty to a wire fraud conspiracy involving over $37 million in cryptocurrency stolen from victims in the United States and worldwide. The fraudulent operation used a fake website, "CoinbasePro[.]com," deliberately designed to mimic the genuine Coinbase Pro cryptocurrency exchange. Tomar and accomplices impersonated Coinbase customer service to obtain two-factor authentication codes from victims, enabling unauthorized access to and theft of cryptocurrency from their legitimate Coinbase accounts. The stolen cryptocurrency was transferred to wallets controlled by the fraudsters, converted into other digital currencies or moved to different wallets, and cashed out to fund a luxurious lifestyle, including high-end cars and international trips. Tomar was arrested as he entered the U.S. on December 20, 2023; he faces up to 20 years in prison and a $250,000 fine if convicted. The case follows other arrests, including a scheme that helped North Korean IT workers fraudulently secure jobs at U.S. companies, indirectly supporting North Korea's weapons of mass destruction program despite international sanctions. This sequence of events underlines the ongoing global challenge of cryptocurrency theft and fraud, and the significant international and multilateral cybersecurity threats involved. |
| 2024-05-28 11:17:22 | thehackernews | MISCELLANEOUS | Effective Security Strategies for Business-Critical Assets | Identifying and securing business-critical assets is crucial for cybersecurity and organizational success. A strategic approach includes mapping business processes to their underlying technology assets. Gartner's continuous threat exposure management framework helps focus remediation efforts where they have the greatest impact. Prioritizing issues affecting business-critical assets aligns security initiatives with executive concerns and business objectives. Implementation should start with the most significant areas and use detailed risk assessments and stakeholder input for prioritization. Inputs such as vulnerability management tools and penetration test results are essential for identifying and prioritizing remediation actions. Focusing on business-critical assets not only secures them but also optimizes the company's use of resources, enhancing overall business performance. Aligning security measures with business goals demonstrably supports business process continuity and meets executive expectations. |
| 2024-05-28 10:26:14 | thehackernews | DDOS | Researchers Expose New DDoS Attack Techniques and Botnet Threats | The CatDDoS malware botnet has exploited over 80 known security vulnerabilities to compromise devices and enlist them in a DDoS botnet. CatDDoS, a variant of the Mirai botnet, uses UDP, TCP, and other DDoS methods, mainly targeting devices in China and the U.S. Compromised devices include a wide range of routers and networking equipment from major brands such as Cisco, Huawei, and NETGEAR. The operators encrypt communications with C2 servers using the ChaCha20 algorithm and use OpenNIC domains for evasion. Despite the suspected shutdown of the original CatDDoS operation in December 2023, its source code was sold, leading to new botnet variants. The newly disclosed DNSBomb attack exploits DNS features to produce a pulsing denial-of-service with an amplification factor of 20,000x, though the major DNS software BIND is not vulnerable. DNSBomb leverages IP spoofing and attacker-controlled domain responses to create overwhelming traffic bursts that are difficult to detect and mitigate. |
| 2024-05-28 08:33:58 | theregister | CYBERCRIME | ARPA-H Initiates UPGRADE Project to Enhance Cybersecurity in Healthcare | ARPA-H, modeled on DARPA, focuses on neglected yet crucial areas of health science and technology to produce impactful, sustainable innovations. The UPGRADE project, recently launched by ARPA-H, aims to develop automated systems for detecting vulnerabilities and managing patches in healthcare IT. UPGRADE uses a "digital twin" model to safely test and refine cybersecurity measures on a mirrored system without risking the primary system. The initiative seeks to establish a form of "digital immunology," drawing parallels between biological immune responses and cybersecurity defenses. Despite the potential benefits, the project faces significant challenges, including the complexity of creating accurate digital twins of intricate systems and inconsistency in patch management and testing. The project emphasizes collaboration with open source communities to foster a more universally secure IT environment, potentially transforming cybersecurity practices across industries. UPGRADE's success could lead to widespread adoption and improved systemic security, but it also confronts an industry reluctant to embrace the changes needed for better security. |
| 2024-05-28 06:36:47 | thehackernews | MALWARE | WordPress Plugin Exploited to Steal Credit Card Info on E-commerce Sites | Unknown attackers are exploiting the Dessky Snippets WordPress plugin to inject malicious PHP code into e-commerce sites, enabling theft of credit card data. The malicious activity was flagged by Sucuri on May 11, 2024; the plugin is installed on over 200 active sites. The attackers manipulate the WooCommerce checkout process to insert additional fields into billing forms that ask for sensitive credit card information. The captured data, including names, card numbers, expiry dates, and CVV numbers, is exfiltrated to a server controlled by the attackers. The modified billing forms disable autocomplete to evade browser security warnings and reduce customer suspicion. Previous campaigns of this kind have abused other WordPress plugins, such as WPCode and Simple Custom CSS and JS, targeting over 39,000 sites. Website owners are advised to update their sites and plugins regularly, use strong passwords, and routinely check for signs of unauthorized modifications and malware. |
| 2024-05-28 05:15:07 | thehackernews | CYBERCRIME | Severe Security Flaw Found in TP-Link Gaming Router | A critical vulnerability in the TP-Link Archer C5400X gaming router allows remote code execution. The flaw, tracked as CVE-2024-5035, received the highest severity rating with a CVSS score of 10.0. All firmware versions up to 1_1.1.6 are affected; a patch is available in version 1_1.1.7. Attackers could exploit the router's RF testing binary by bypassing its command restrictions using shell metacharacters. The vulnerability was disclosed by German cybersecurity firm ONEKEY, which highlighted the risks of rushed API implementations. TP-Link addressed the issue in the latest firmware update by blocking commands containing special characters. Recent disclosures of unpatched vulnerabilities in other devices underscore the need for securely configured network interfaces. |
| 2024-05-27 19:15:01 | bleepingcomputer | MALWARE | TP-Link Resolves Critical Remote Command Execution Vulnerability | The TP-Link Archer C5400X gaming router had a critical flaw, CVE-2024-5035, allowing remote attackers to execute arbitrary commands. The vulnerability, scored 10.0 under CVSS v4, was discovered through binary static analysis by analysts at OneKey. Attackers could inject commands via TCP ports 8888, 8889, and 8890 due to improper input sanitization in the 'rftest' service. Exploiting the flaw could enable attackers to alter DNS settings, intercept data, and access internal networks. TP-Link released a patch on May 24, 2024, addressing the issue in firmware version 1.1.7, which filters out shell metacharacters. Users are urged to update their routers immediately to avoid potential compromise. The patch followed the initial report to TP-Link's PSIRT on February 16, 2024, with a beta patch ready by April 10, 2024. |
| 2024-05-27 18:24:03 | bleepingcomputer | CYBERCRIME | Check Point VPNs Targeted in Latest Cyberattack Campaign | Threat actors are targeting Check Point VPN devices to infiltrate enterprise networks, exploiting outdated authentication methods. Check Point advises against using local VPN accounts with password-only authentication and encourages the adoption of certificate-based authentication. Recent reports indicate unauthorized VPN access attempts using obsolete account credentials; a hotfix that enforces stronger authentication methods has been released. Attackers focus on Quantum Security Gateway, CloudGuard Network, and Mobile/Remote Access VPN products. The warning follows similar alerts from other major vendors such as Cisco, indicating a broader pattern of VPN-focused cyberattacks. Cisco devices have similarly faced attacks originating from TOR exit nodes and masked by anonymization tools. Cisco also reports malware-driven brute-force incidents and state-sponsored exploitation of its network products for espionage. VPN users are urged to strengthen security by updating authentication protocols and eliminating vulnerable accounts. |