Daily Brief


Total articles found: 12714


2024-05-17 21:32:22 bleepingcomputer RANSOMWARE Weekly Ransomware Update: Major Breaches and Phishing Attacks
CISA reports that over 500 organizations globally have been compromised by Black Basta ransomware since the group's inception in April 2022. Ascension Healthcare suffered significant disruptions due to a Black Basta ransomware attack, prompting the release of the CISA report. Inc Ransomware is potentially selling its source code on hacking forums for $300,000, though the reasons remain unclear. The Phorpiex botnet has been actively distributing millions of phishing emails leading to LockBit Black ransomware infections. Black Basta conducted mailbombing attacks on targeted organizations' employees to facilitate social engineering breaches. Australian electronic prescription provider MediSecure experienced a severe ransomware attack, leading to the shutdown of its IT systems. Various new STOP ransomware variants were identified, appending different file extensions such as .paaa, .vehu, .vepi, and .capibara.
2024-05-17 18:54:03 bleepingcomputer MISCELLANEOUS Microsoft Mandates Multi-Factor Authentication for Azure in July
Starting in July, Microsoft will enforce multi-factor authentication (MFA) for all Azure portal users involved in resource administration, with plans to extend enforcement to the CLI, PowerShell, and Terraform. This initiative excludes service principals and other token-based accounts used for automation but includes a provision for additional customer feedback, particularly concerning break-glass and special recovery accounts. Microsoft encourages administrators to activate MFA ahead of the enforcement date using the MFA wizard in Microsoft Entra and provides tools to monitor MFA registration and status across user bases. MFA has been shown to significantly enhance security, with Microsoft citing 99.99% effectiveness in preventing hacking attempts and a 98.56% reduction in account compromise risk. The enforcement aligns with Microsoft's broader security strategy, which already includes a November announcement that Conditional Access policies will require MFA for admin portals and high-risk sign-ins in other Microsoft cloud apps. The initiative reflects Microsoft's overarching goal of 100% MFA adoption, citing a substantial reduction in account takeover risk, and parallels efforts by Microsoft-owned GitHub, which will require 2FA for developers starting January 2024.
2024-05-17 18:38:31 theregister NATION STATE ACTIVITY US Arrests Three in Scheme to Funnel IT Work to North Koreans
Three individuals were arrested for allegedly aiding North Korea in securing IT employment in the US to fund Pyongyang's weapons programs. Minh Phuong Vong and Christina Marie Chapman are among the accused, reportedly facilitating jobs and using a laptop farm to provide remote work capabilities for North Korean operatives. Vong used his own identity to secure tech positions in the US, which were then reportedly outsourced to North Korean IT workers. Chapman is accused of hosting laptops in her home so they appeared to be legitimate workstations for major US companies, implicating over 300 businesses including top media, tech, and defense firms. The operations allegedly generated $6.8 million for North Korean workers and involved validating stolen US identities, with 60+ compromised identities involved. Additional information implicating Oleksandr Didenko suggests a broader network, with Didenko allegedly facilitating fraudulent freelance IT work through a website known to be used by North Koreans. The FBI stressed the importance of cybersecurity and framed these arrests as part of a campaign against North Korea's sophisticated attempts to subvert US economic sanctions and security.
2024-05-17 17:27:00 thehackernews MALWARE Kinsing Cryptojacking Group Exploits Flaws, Expands Botnet
The Kinsing cryptojacking group has been running illicit cryptocurrency mining operations since 2019 using a botnet. Security analysts at Aqua noted that Kinsing is exploiting new vulnerabilities in popular systems such as Apache ActiveMQ, Citrix, and Oracle WebLogic, among others, to infiltrate and control systems for crypto-mining. The group uses misconfigured Docker, PostgreSQL, and Redis instances to gain initial access, then disables security measures and ousts competing miners from affected systems. An investigation by CyberArk linked Kinsing to the NSPPS malware, suggesting they belong to the same family and mainly differ in the scripts and binaries used depending on the targeted operating system. Kinsing's infrastructure broadly comprises initial scanning and exploitation servers, payload staging servers, and C2 servers that communicate with compromised hosts, using IP addresses mainly from Russia, Luxembourg, the Netherlands, and Ukraine. Approximately 91% of Kinsing's targeted applications are open-source, primarily runtime applications and databases. Aqua's report emphasizes the importance of proactive security measures, including workload hardening before deployment, to mitigate the risk posed by botnets like Kinsing. The evolving nature of botnet malware, such as P2PInfect, highlights the ongoing challenge for security teams to secure servers and prevent their recruitment into malicious networks.
2024-05-17 17:27:00 bleepingcomputer DATA BREACH SEC Tightens Rules on Data Breach Notification for Financial Firms
The SEC has updated Regulation S-P, mandating that financial institutions report data breaches within 30 days of discovery. The regulation affects broker-dealers, investment firms, registered investment advisors, and transfer agents. This amendment aims to enhance the protection of private financial information amid increasing cybersecurity threats. Introduced in 2000, Regulation S-P outlines how financial entities should handle consumers' nonpublic personal information. SEC Chair Gary Gensler emphasized the significant changes in the scale and nature of data breaches over the past two decades. The new rule takes effect 60 days after publication in the Federal Register, with larger firms given 18 months and smaller entities two years to comply. In addition to these regulations, the SEC also requires public companies to disclose breaches likely to materially impact their business.
2024-05-17 16:56:08 bleepingcomputer NATION STATE ACTIVITY U.S. Indicts Five for Cyber Scheme Supporting North Korean Nukes
The U.S. Justice Department has charged five individuals, including a U.S. woman and a Ukrainian man, with aiding North Korean IT workers in infiltrating U.S. companies to generate funds for North Korea's nuclear program. The campaign, running from October 2020 to October 2023, used fraudulent means to secure remote IT jobs that provided financial support to North Korea. The two primary defendants, Christina Marie Chapman and Oleksandr Didenko, face charges including money laundering and identity theft; Chapman could be sentenced to up to 97.5 years if convicted. The operation included managing "laptop farms" in the U.S. to disguise the location of North Korean IT workers, misleading companies into hiring them under falsified identities. Over 300 U.S. companies were compromised, and false tax liabilities were imposed on over 35 U.S. citizens. At least $6.8 million was funneled to the North Korean operatives from jobs at aerospace, defense, tech, and major network firms. The U.S. State Department is offering rewards of up to $5 million for information on the North Korean IT workers and associates involved.
2024-05-17 15:59:42 bleepingcomputer NATION STATE ACTIVITY Five Charged in North Korea-Linked Cyber Fraud Scheme
The U.S. Justice Department has charged five individuals, including a U.S. citizen and a Ukrainian, with crimes benefiting North Korea's nuclear weapons program. They are accused of infiltrating the U.S. job market to fraudulently raise funds for North Korea from October 2020 to October 2023. Arrests include Christina Marie Chapman in Arizona and Oleksandr Didenko in Poland; Didenko faces extradition to the U.S. The charges span multiple fraud offenses, identity theft, wire fraud, and money laundering, with severe penalties of up to 97.5 years imprisonment. The scheme involved creating "laptop farms" to make it appear that North Korean IT workers were based in the U.S., securing jobs with major companies and affecting over 300 U.S. firms. The FBI has issued advisories on North Korean IT worker schemes, highlighting the risks and providing detection guidance to companies. The U.S. State Department is offering a $5 million reward for information about the North Korean IT workers and their manager involved in these schemes.
2024-05-17 15:59:42 bleepingcomputer CYBERCRIME U.S. Cracks Down on $73M Cryptocurrency "Pig Butchering" Scam
The U.S. Department of Justice has charged Daren Li and Yicheng Zhang with leading a money laundering scheme linked to cryptocurrency scams involving over $73 million. The suspects employed the "pig butchering" technique, gaining victims' trust through social media to encourage crypto investments and subsequently draining their wallets. Over $341 million in cryptocurrency was discovered in a crypto wallet the suspects used to launder the stolen funds. The laundered money was channeled through U.S. bank accounts associated with numerous shell companies and then into various international bank accounts and crypto platforms to obscure its origin. Law enforcement intercepted communications detailing the laundering operations, including commissions, shell company information, and interactions with financial institutions. In 2023, the U.S. Secret Service recovered over $1.1 billion in financial fraud losses, highlighting how rampant such cybercrimes are. Besides Li and Zhang, four other individuals were charged in December for their involvement in a related $80 million pig butchering scam. Li and Zhang face up to 20 years in prison per count if convicted of conspiracy to commit money laundering and six counts of international money laundering.
2024-05-17 14:48:23 bleepingcomputer DATA BREACH WebTPA Data Breach Affects Over 2.4 Million Insurance Clients
WebTPA experienced a data breach impacting approximately 2.4 million policyholders across various large insurance providers, including The Hartford, Transamerica, and Gerber Life Insurance. The breach occurred between April 18 and April 23, 2023, and the unauthorized access was detected on December 28, 2023, prompting an immediate investigation. Affected data includes personal information, though financial details and medical records were not exposed. WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, began alerting affected insurance companies and their customers on March 25, 2024. WebTPA has provided affected individuals with two years of credit monitoring, identity theft protection, and fraud consultation services, available through Kroll until August 1st. Although there is no current evidence that the exposed data has been misused, affected individuals are advised to stay vigilant and consider additional precautions such as placing a security freeze on their credit files.
2024-05-17 11:44:57 thehackernews NATION STATE ACTIVITY Advanced Persistent Threat: China-Linked Cyber Espionage Analysis
Cybersecurity researchers have analyzed advanced malware tactics used by the China-linked BlackTech group, which targets the Asia-Pacific region. The group has been deploying a new remote access trojan (RAT) called Deuterbear, an evolved version of the earlier Waterbear malware. Deuterbear employs a two-stage infection tactic, uses HTTPS for communication, and incorporates evasion techniques such as shellcode plugins and anti-memory scanning. The BlackTech group, active since at least 2007, uses malware to conduct cyber espionage, extracting sensitive information from key regional entities. Deuterbear has streamlined many of its predecessor's commands, focusing on modular, plugin-based expansion to extend its functionality. Parallel disclosures reveal a highly targeted cyber campaign against the U.S. AI industry using another RAT named SugarGh0st, suggesting a broader spectrum of espionage. These findings highlight the ongoing threat posed by nation-state actors and the continuous evolution of their methodologies and targets.
2024-05-17 11:39:39 theregister CYBERCRIME Law Enforcement Intensifies Cybercrime Takedowns, Targets Top Forums
Recent operations have taken down high-profile cybercrime forums such as BreachForums, following successful actions against the LockBit ransomware group. Efforts led by the FBI have shown a shift toward more aggressive tactics, including publicizing control over criminal websites and publicly identifying suspects. Despite the shutdown of forums such as RaidForums and BreachForums, completely dismantling these organizations remains difficult, particularly when the operators are in countries that provide safe harbor. The effectiveness of these police actions varies, with some causing significant operational disruption and others moving toward full dismantlement by arresting key operators. Law enforcement continues to struggle to fully dismantle cybercrime networks because of the difficulty of attributing crimes to specific individuals and securing cooperation from countries harboring cybercriminals. The ongoing battle against cybercrime groups like Scattered Spider highlights the long-term, complex nature of cybercrime investigations and enforcement. Security experts emphasize the difference between disruption (temporary setbacks for criminal networks) and dismantlement (comprehensive breakdown of networks), with the latter being significantly harder to achieve.
2024-05-17 11:34:23 thehackernews MISCELLANEOUS Report Highlights Misconfigurations as Main Security Threat in 2024
A new report by XM Cyber, Navigating the Paths of Risk, presents security insights based on attack path assessments performed in 2023. Over 40 million exposures were identified, affecting millions of business-critical assets, with the data analyzed by the Cyentia Institute. The findings show that 80% of security exposures stem from identity and credential misconfigurations rather than CVE vulnerabilities, which make up less than 1%. Key threats include shared folder poisoning and the reuse of common local credentials across multiple devices, which overshadow CVE-based vulnerabilities in significance. While 74% of exposures are "dead ends" that pose minimal risk, focus should be on the 26% that could allow attackers to reach and compromise crucial assets. Choke points, the critical junctions in attack paths, make up only 2% of threats but are pivotal because they can expose a significant portion of valuable assets. Security strategies need to prioritize ongoing exposure management and shift from a broad vulnerability focus to targeting specific high-risk exposures.
2024-05-17 10:17:53 bleepingcomputer NATION STATE ACTIVITY Five Arrested in Cyber Fraud to Fund North Korea's Arms
The U.S. Department of Justice charged five individuals with conducting cyber schemes to generate funds for North Korea's nuclear weapons programs. Charges include conspiracy to defraud the U.S., aggravated identity theft, and various fraud charges, with possible prison terms of up to 97.5 years. Two key suspects, an American and a Ukrainian, managed operations including "laptop farms" to mask North Korean IT workers as U.S. remote employees. North Korean operatives, posing under stolen U.S. identities, secured jobs at Fortune 500 companies, compromising over 300 U.S. businesses and 60 U.S. identities. The operations led to substantial tax liabilities for dozens of Americans and garnered millions in revenue, which was funneled back to support North Korea's nuclear ambitions. The U.S. has issued rewards for information on the suspects and has released new advisories on identifying and combating similar schemes. This international cybercrime incident has significant implications for national security, corporate data safety, and international law enforcement collaboration.
2024-05-17 08:50:59 thehackernews NATION STATE ACTIVITY North Korean APT Targets South Korea with Linux Backdoor
The Kimsuky APT group, associated with North Korea, has deployed a Linux backdoor, Gomir, against South Korean organizations. Gomir is structurally similar to the previously known GoBear backdoor, sharing significant code and functionality adapted for Linux. The malware was initially spotted as part of a campaign distributing another malware, Troll Stealer, via compromised security programs in South Korea. Trojanized versions of nProtect Online Security and other software from a construction-related association's website were used to spread the malware. The distribution method for these infected installer packages remains unidentified, complicating tracking and mitigation efforts. Gomir supports multiple commands for remote control, including file operations and proxy management, which extend its capabilities. Symantec notes that software installation packages and updates are increasingly used as primary vectors for espionage by North Korean actors.
2024-05-17 06:48:32 thehackernews CYBERCRIME U.S. CISA Highlights Critical Vulnerabilities in D-Link Routers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two D-Link router vulnerabilities to its Known Exploited Vulnerabilities catalog due to signs of active exploitation. The affected devices are legacy D-Link products that are no longer supported, and CISA urges their replacement by June 6, 2024. The vulnerabilities could allow remote attackers to bypass authentication via the HNAP port, gain elevated permissions, and execute commands as root. D-Link has acknowledged the issue but has yet to release a fix, describing it as a LAN-side unauthenticated command execution flaw. Additionally, a proof-of-concept exploit disclosed through SSD Secure Disclosure enables attackers to bypass authentication and perform command execution on vulnerable routers. In a separate but related development, Ivanti has patched multiple vulnerabilities in Endpoint Manager Mobile, including one that allows local attackers to bypass shell restrictions and execute arbitrary commands via malicious RPM packages. Ivanti has also addressed two SQL injection flaws that could allow privileged users to access or alter database content, although no active exploitation has been reported.