Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11811
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-19 21:17:52 | bleepingcomputer | CYBERCRIME | US Defense Dept Processes 50,000th Vulnerability Report Since 2016 | The U.S. Department of Defense's Cyber Crime Center (DC3) has processed 50,000 vulnerability reports since launching its Vulnerability Disclosure Program (VDP) in November 2016. The VDP, which began after a successful 'Hack-the-Pentagon' bug bounty event, differs from typical bug bounties by allowing continuous reporting from ethical hackers. In 2018, the DC3 implemented an automated system to track and process vulnerability reports, enhancing both efficiency and hacker participation. The scope of the VDP has expanded to cover all publicly accessible Defense Department IT assets, leading to the discovery and mitigation of 400 significant flaws in a 12-month program in 2021, reportedly saving $61 million in taxpayer funds. Though the annual report for 2023 is not yet released, it is estimated that 5,000 flaws were processed last year, based on the previous year's reports. The DoD's bug bounty program on HackerOne has seen over 27,000 issues resolved, with 1,231 reports received in the last 90 days. Ethical hackers looking to contribute to the DoD's cybersecurity can find participation guidelines on the VDP's HackerOne page. | Details |
| 2024-03-19 21:02:24 | theregister | NATION STATE ACTIVITY | Chinese Cyberespionage Campaign Targets Global Government Entities | Chinese hackers, tracked as Earth Krahang, have infiltrated over 70 organizations in 23 countries, focusing primarily on government entities and using phishing and server exploits. Trend Micro has identified two custom backdoors, RESHELL and XDealer, and a consistent use of compromised government infrastructure to conduct further attacks. The researchers have noted strong similarities between Earth Krahang and another state-backed Chinese group, Earth Lusca, and possible connections to the Chinese security contractor I-Soon. Government entities, education, telecommunications, and other sectors have been affected, with tactics including spear-phishing emails sent from compromised government accounts. The hackers exploit known vulnerabilities in public-facing servers, such as CVE-2023-32315 in OpenFire and CVE-2022-21587 in Oracle Web Applications Desktop Integrator, and employ various open-source scanning tools to identify potential targets. There is evidence of lateral movement within networks using SoftEther VPN, including the installation of persistent backdoors and credential access. Security recommendations include educating employees on phishing avoidance, verifying sender identity before engaging with emails, and ensuring timely software updates and patch installation. | Details |
| 2024-03-19 20:21:29 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Agencies Warn of Chinese Hackers Targeting Critical Infrastructure | CISA, along with the NSA, the FBI, and other international agencies, issued warnings to critical infrastructure organizations at risk from the Chinese hacking group known as Volt Typhoon. The group has infiltrated multiple U.S. critical infrastructure organizations, maintaining access in some cases for over five years without detection. Volt Typhoon's objectives appear to focus on Operational Technology (OT) within networks, with the potential to disrupt essential services. U.S. agencies are advising infrastructure leaders to bolster cybersecurity, secure supply chains, and align performance management with cyber goals. Agencies recommend that cybersecurity teams ensure comprehensive logging for early detection and response to threats, and that leaders ask what resources those teams need for effective compromise detection. Volt Typhoon, also known as Bronze Silhouette, leveraged a botnet of compromised devices across the U.S. (the KV-botnet) to conceal its activities; the FBI disrupted that botnet in December. Authorities have encouraged SOHO router manufacturers to enhance device security to prevent future Volt Typhoon attacks, highlighting the importance of secure default configurations and eliminating web interface vulnerabilities. | Details |
| 2024-03-19 20:05:59 | theregister | DATA BREACH | Investment Scams Top US Cybercrime Financial Losses in 2021 | The FBI reported that investment fraud, especially cryptocurrency scams, led to the largest financial loss from cybercrime in the US last year, totaling $4.57 billion. The majority of these scams exploited individuals seeking quick profits in the cryptocurrency market, with losses from such scams nearing $4 billion. The agency observed an increase in fraudulent schemes offering recovery services for previously lost investments, targeting victims for additional funds. Ransomware attacks accounted for a comparatively lower financial loss of $59.6 million for the year, but the report stressed that this figure may be underreported. Business Email Compromise (BEC) attacks and impersonation of customer support or government staff caused significant financial damage, with adjusted losses of $2.9 billion from BEC attacks alone. People over 60 were the most affected, representing 40% of all complaints and 58% of total losses, including $1.3 billion lost specifically to call center scams. Overall, cybercrime cost US citizens $12.5 billion in 2021, with daily complaints to the FBI numbering 2,412, and the financial impact of victimization increasing with the age of the victims. | Details |
| 2024-03-19 19:20:04 | bleepingcomputer | CYBERCRIME | Alert on Scammers Faking FTC Roles to Defraud Consumers | The FTC has issued a warning about scammers posing as agency employees to con Americans into sending money, with the median loss from such scams rising from $3,000 in 2019 to $7,000 in 2024. Victims, often elderly, have been duped into transferring funds or wiring money to the fraudsters. There were over 14,000 government impersonation complaints in the last year, causing over $394 million in losses. The FTC emphasizes that it will never ask consumers to move funds for protection or to pay with cryptocurrency, and it has established a rule to combat impersonation scams more effectively. The FBI notes a 22% increase in online crime financial losses in 2023, reaching $12.5 billion, with BEC, investment scams, ransomware, and impersonation fraud as the leading causes. People over 60 are particularly susceptible to these crimes, with cybercrime complaints to the FBI jumping 10% from the previous year to 880,000. The agency has published guidelines to help the public recognize fraudulent activity and provides reporting channels for scams in both English and Spanish. The FBI encourages vigilance against fraud attempts and has previously provided tips to help individuals avoid becoming scam victims. | Details |
| 2024-03-19 18:19:01 | bleepingcomputer | CYBERCRIME | Ukraine Cyber Police Arrest Hackers Over 100 Million Account Thefts | Ukrainian cyber police have arrested three individuals linked to the theft of over 100 million email and Instagram accounts. The suspects used brute-force attacks to hijack accounts, automatically guessing passwords until the correct one was found. Compromised accounts were sold on the darknet, allowing fraud groups to scam the victims' contacts by requesting money transfers. An organized criminal structure was revealed, with the leader assigning roles and infrastructure spread across multiple Ukrainian regions. Law enforcement conducted seven searches, seizing computers, phones, and financial instruments as part of the crackdown. Those arrested face charges that include unauthorized interference in computer systems, carrying penalties of up to 15 years in prison. A separate investigation has been opened to explore the hackers' potential ties with foreign entities, particularly concerning Russian interests. The police recommend the use of strong, unique passwords and multi-factor authentication (MFA) to enhance online account security. | Details |
| 2024-03-19 16:22:01 | thehackernews | CYBERCRIME | Alarming Surge in Cyberattacks Targeting Mismanaged API Endpoints | APIs accounted for 71% of internet traffic in 2023, facilitating extensive data exchange between applications and databases. The average enterprise website experiences around 1.5 billion API calls annually, highlighting the critical role of APIs in digital services. Imperva's report indicates a significant risk associated with APIs in production that are inadequately cataloged, authenticated, or audited, with an average of 613 API endpoints per organization. API security incidents are costing global businesses an estimated $75 billion each year, with financial services suffering the brunt of API-related cyberattacks. Account takeover (ATO) attacks, often executed by malicious bots, represent almost half of API-targeted cybercrime, especially impacting the banking and online retail sectors. Developers frequently push APIs into production without proper security checks, leading to vulnerabilities that cybercriminals exploit. Imperva's report identifies shadow, deprecated, and unauthenticated APIs as major sources of cyber risk and advocates regular security audits and continuous monitoring to enhance API security. | Details |
| 2024-03-19 14:34:45 | theregister | CYBERCRIME | Crypto Wallet Providers Warned to Enhance Security Against Rising Attacks | Cybercriminals have exploited Ethereum's CREATE2 opcode to steal millions from crypto wallets, prompting a call for increased wallet security. The CREATE2 opcode, introduced in 2019, facilitates efficient smart contract deployment but also enables attackers to drain funds using new, unflagged addresses. Attackers can pre-calculate the addresses at which malicious contracts will be deployed; because those addresses have no history of malicious activity, they evade typical security measures. Security researchers cite a significant scam in January in which $3.6 million in SuperVerse tokens were stolen, illustrating the severe impact on victims. The attack process involves social engineering to obtain a contract approval from the victim, followed by deployment of the malicious contract at a CREATE2-generated address. Security experts stress the need for continual vigilance, education, and updated security practices in the blockchain community to combat sophisticated attacks. High-profile wallet-draining incidents have occurred across various blockchains, with North Korea's Lazarus group suspected of involvement in many thefts. | Details |
| 2024-03-19 14:34:44 | bleepingcomputer | MALWARE | AcidPour Data Wiper Targets Linux IoT and Network Devices | A new data wiper malware, AcidPour, has been discovered targeting Linux x86 IoT and networking devices. AcidPour is a variant of the AcidRain malware and shares about 30% code overlap with it. SentinelLabs researcher Tom Hegel identified AcidPour, which was uploaded from Ukraine on March 16, 2024. The wiper targets specific directories and device paths of embedded Linux systems and has expanded its targeting to include devices with flash memory and the virtual block devices used by LVM. There is evidence that the malware has functionality or adaptation techniques similar to the VPNFilter malware's 'dstr' plugin. AcidPour's targets and distribution volume are unknown; SentinelLabs shared the malware's hash for collaborative analysis within the security research community. NSA's Director of Cybersecurity, Rob Joyce, expressed heightened concern due to AcidPour's potential for wider hardware and system impact compared to AcidRain. | Details |
| 2024-03-19 14:04:01 | bleepingcomputer | CYBERCRIME | Bolster Active Directory To Curb Cyber Insurance Costs | Due to the rise in cybercrime, US cyber insurance premiums surged by an average of 11% in the first quarter of 2023. Costs for cyber insurance have become increasingly prohibitive, with some companies seeing increases of 50-100%, which also makes coverage harder to obtain. Enhanced security for Active Directory is essential for organizations seeking to manage or lower cyber insurance expenses. Increases in remote work, the volume of cyberattacks, and the number of claims and ransomware payouts all contribute to rising cyber insurance rates. Active Directory is a prime target for attackers because of its central role in IT networks, emphasizing the need for strong security measures. Cyber insurers closely evaluate Active Directory security measures, such as regular audits, strict access controls, and patch management, to determine coverage eligibility. To mitigate cyber risks and maintain insurability, companies must adopt comprehensive security strategies, including password policy enforcement and privileged account protection. | Details |
| 2024-03-19 13:58:40 | thehackernews | MALWARE | AI Tools Exploited for Evolving Cyber Attacks and Malware Evasion | Large language models (LLMs) are now being used by cyber attackers to modify malware so that it evades detection tools such as YARA rules. Threat actors are experimenting with generative AI to create malicious code snippets and phishing emails and to gather intelligence on potential targets. Recorded Future tested modifying the STEELHOOK malware, associated with APT28, using an LLM while retaining its functionality and code integrity. The altered malware successfully bypassed simple string-based detection, although there are challenges with processing larger code bases. AI tools could also potentially be used to create deepfakes of executives and fake websites, or for reconnaissance on critical infrastructure and sensitive information. Multimodal models are capable of extracting additional metadata from public images, increasing the threat to geolocation and infrastructure security. Publicly available images and videos depicting sensitive equipment should be carefully managed to reduce risk. Emerging vulnerabilities include the ability to "jailbreak" LLM tools into producing harmful content, suggesting a heightened need for improved AI security measures. | Details |
| 2024-03-19 12:32:04 | theregister | MISCELLANEOUS | Atos Suffers Setback as Airbus Withdraws Interest in Acquisition | Atos' stock plummeted by up to 20% after Airbus declined to purchase its big data and security business. The cancellation of talks with Airbus led Atos to postpone its 2023 earnings release to reassess its strategic options. Atos is considering alternatives in light of French state sovereign interests, following Airbus's withdrawal. Previously, Airbus had considered investing at the group level, but activist investors dissuaded the aerospace company. Atos had planned a business split in 2022, but sale discussions for its Tech Foundations unit with EPEI have also collapsed. The company's value has dropped dramatically from a five-year market cap high of €9.84 billion to just €191.59 million. Atos faces immediate challenges, including upcoming debt repayments and the need for a strategic resolution. | Details |
| 2024-03-19 10:39:59 | thehackernews | MISCELLANEOUS | Engaging Board Members in Strategic Cybersecurity Governance | As digital transformation prevails, cybersecurity is now integral to corporate strategy and to managing business risk. Chief Information Security Officers (CISOs) must shift their approach to demonstrate the strategic value of cybersecurity to board members. There is a noteworthy lack of specialized cybersecurity expertise in boardrooms, posing a challenge to effective governance and risk management. Recent regulatory changes increase the need for detailed cyber risk disclosures and faster incident reporting, holding executives and board members accountable. CISOs must communicate the importance of cybersecurity as it relates to financial performance, regulatory compliance, and overall risk management. Key board concerns include the financial impact of cyber incidents, regulatory compliance, intellectual property protection, resilience against APTs, cloud security, and AI adoption in cybersecurity. CISOs should align cybersecurity discussions with business objectives and demonstrate how investments in cybersecurity serve as assets to the company's value proposition. Effectively conveying the cybersecurity strategy can lead to informed decisions and better alignment of cybersecurity programs with business goals. | Details |
| 2024-03-19 10:34:41 | thehackernews | CYBERCRIME | Phishing Tactics Evolve Using Document Publishing Sites | Hackers are increasingly using digital document publishing (DDP) platforms such as FlipSnack, Issuu, and Publuu to conduct phishing attacks. Cisco Talos researchers highlight that these reputable sites are not commonly blocked by web filters, which aids the attackers. Phishing documents hosted on these platforms often escape detection because of the sites' credibility and because the content is hosted only temporarily, which also evades email security measures. Attackers use the free tiers of these services to distribute malicious content while exploiting productivity features to hide phishing links. The phishing technique involves embedding links in legitimate-looking documents that direct victims to fraudulent sites impersonating Microsoft 365 login pages to steal credentials. Cisco Talos underscores the challenge for defenders, since these DDP sites are not well-known risks and can bypass conventional phishing protections. Organizations are encouraged to stay vigilant and consider additional measures to protect against this evolving threat. | Details |
| 2024-03-19 10:04:04 | thehackernews | MALWARE | AcidPour Malware Targets Linux Devices, Linked to Russian Activity | A new data wiping malware variant named AcidPour, targeting Linux x86 devices, has been identified by SentinelOne. AcidPour is a progression from the previously discovered AcidRain malware, known to have been used against Viasat's KA-SAT modems during the Russo-Ukrainian conflict. This variant is distinctive for being an ELF binary compiled for the x86 architecture, with significant codebase differences from its predecessor. The Five Eyes nations, along with Ukraine and the EU, attributed the earlier AcidRain attacks to Russia. AcidPour aims to delete data from RAID arrays and UBI file systems by targeting specific file paths, indicating a shift in the threat vectors used by attackers. The specific targets and the extent of AcidPour's deployment are not yet clear; however, Ukrainian agencies have been alerted. The emergence of AcidPour emphasizes the ongoing trend of using wiper malware to severely disrupt targets and escalate the severity of cyberattacks. | Details |