Daily Brief


Total articles found: 11809

Checks for new stories every ~15 minutes

2024-03-14 16:11:00 | theregister | DATA BREACH | France Travail Suffers Massive Data Breach Impacting 43 Million Citizens
France's unemployment department, France Travail, reported a significant data breach affecting data dating back 20 years and up to 43 million individuals. Exposed information includes names, birth dates, social security numbers, and contact details, while passwords and banking details remain secure. The breach occurred between February 6 and March 5, and French citizens are advised to be vigilant against phishing attacks. The Cybercrime Brigade of the Paris Judicial Police is investigating the incident, believed to involve a combination of social engineering and technical attack vectors. France Travail is working to notify affected individuals and has promised to strengthen its cybersecurity measures in response to increasing threats. This breach comes on the heels of other significant French data breaches and DDoS attacks on government departments, suggesting a rise in cyber threats against France. France Travail's breach is now considered the largest in the country's history, eclipsing the previous record set by breaches at Viamedis and Almerys.
2024-03-14 16:00:37 | bleepingcomputer | CYBERCRIME | Google Chrome Enhances Privacy-Focused Phishing Protection
Google is set to update its Safe Browsing feature in Chrome, providing real-time phishing and malware protection. The protection will be available without compromising user privacy, utilizing encryption and privacy-enhancing techniques. The updated Safe Browsing will counter transient malicious websites by checking against server-side lists in real-time, aiming to block 25% more phishing attempts. This feature will also extend to Android devices, ensuring widespread security across different platforms. An "Enhanced Protection" mode is available for users seeking proactive defense, leveraging AI for deeper scans of downloads. User privacy is maintained through Fastly Oblivious HTTP (OHTTP) relays, which hide IP addresses and mix user requests to prevent identity matching. Google ensures that no single entity, including themselves or Fastly, can decrypt both the URL hash prefixes and the originating IP addresses, reinforcing user privacy.
2024-03-14 15:04:22 | theregister | CYBERCRIME | Global Initiative Targets Disruption of Cybercrime Networks
The Cybercrime Atlas initiative has moved into its operational phase in 2024 with aims to map and disrupt global cybercriminal activities. Launched by the World Economic Forum (WEF) in 2023, the project involves public-private collaboration, including major players like Banco Santander, Fortinet, Microsoft, and PayPal. The initiative now counts over 20 law enforcement agencies, security firms, financial institutions, NGOs, and academics among its members. The group aims to target the infrastructure of cybercriminal groups, facilitate arrests, and attribute attacks, thus hindering their operations and profitability. Despite previous takedowns, cybercrime persists, with recent ransomware attacks on America's healthcare system and the British Library emphasizing the urgency of this initiative. The Cybercrime Atlas seeks to create actionable intelligence to challenge cybercriminals and has placed cyber threats on the agenda for CEOs and boards. The WEF is also addressing the cybersecurity skills gap and engaging non-cybersecurity audiences in discussions on combating ransomware and improving organizational cybersecurity resilience.
2024-03-14 14:08:19 | theregister | DATA BREACH | Investigation Into Change Healthcare's Massive Data Theft Underway
The US Department of Health and Human Services is starting an investigation into Change Healthcare after a reported 6 TB data theft by the ALPHV ransomware group. Change Healthcare's recovery from the cyberattack is underway, with critical services including prescription processing and insurance claims slowly coming back online. ALPHV claimed responsibility for the attack and the theft of sensitive data, which may include health information of US military personnel and payment details. The actual contents of the stolen data have not been confirmed by Change Healthcare, and security experts have detected a $22 million Bitcoin transaction possibly linked to the ransomware payment. Multiple class action lawsuits have been filed against Change Healthcare, and there is a move to consolidate these cases to streamline litigation processes. The cybersecurity measures of Change Healthcare are under scrutiny to check compliance with HIPAA data protection and privacy rules, following the breach.
2024-03-14 13:52:50 | thehackernews | CYBERCRIME | LockBit Ransomware Affiliate Sentenced and Ordered to Pay Restitution
A Russian-Canadian man, Mikhail Vasiliev, has been sentenced to nearly four years in prison in Canada for participating in the LockBit ransomware operation. Vasiliev was arrested in November 2022, following a search of his home where authorities found evidence of his involvement in cyber extortion. He pleaded guilty to multiple charges, including cyber extortion, and is responsible for paying more than $860,000 in restitution to victims. Vasiliev was labeled a "cyber terrorist" by Justice Michelle Fuerst, who highlighted his motivation by greed during the pandemic. LockBit's operations were severely impacted in February 2024 when law enforcement seized its infrastructure and arrested three affiliates. Meanwhile, a federal jury in Washington D.C. convicted Roman Sterlingov for laundering money through Bitcoin Fog, a service used to launder profits from various crimes including computer-related offenses and theft.
2024-03-14 13:32:19 | bleepingcomputer | DATA BREACH | Massive Data Breach at French Unemployment Agency Affects 43 Million
France Travail, the French unemployment agency, disclosed a significant data breach impacting 43 million individuals. Hackers targeted the agency's systems between February 6 and March 5, accessing personal data of job seekers registered over the past 20 years. Exposed data includes job candidate profiles, increasing the risk of identity theft and phishing attacks among the affected individuals. Although bank details and passwords were not compromised, the exposed information could be combined with other breaches by cybercriminals. Notifications will be sent to potentially impacted individuals, and the agency emphasizes heightened vigilance regarding communication they receive. The French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), is involved and has been notified of the breach's extent. Victims can file a complaint with the Paris prosecutor's office, aiding in the investigation of the breach. This breach surpasses the previous largest in France, both in scope and number of individuals affected.
2024-03-14 13:06:44 | bleepingcomputer | DATA BREACH | Nissan Oceania Data Breach Affects 100,000 Individuals
Nissan Oceania experienced a cyberattack in December 2023, with the Akira ransomware group claiming responsibility. The attack resulted in a significant data breach involving personal information of around 100,000 current and former employees and customers. Compromised data includes government identification such as Medicare cards, driver's licenses, passports, and tax file numbers, as well as loan documents and employment details. Akira has already leaked some of the stolen data on the dark web. Nissan is in the process of contacting the affected individuals directly to provide details and support, with efforts to reduce redundancies in the contact list. Up to 10% of the impacted individuals had their government IDs exposed, and the remaining had other personal data compromised. Nissan is offering free identity protection services, credit monitoring, and reimbursement for replacing compromised government IDs to support those affected. Customers are advised to exercise increased vigilance for potential scams, to use multi-factor authentication, and update their passwords regularly.
2024-03-14 12:00:08 | thehackernews | CYBERCRIME | High-Severity Kubernetes Flaw Allows Windows Node Takeover
A high-severity vulnerability in Kubernetes that allowed remote code execution on Windows nodes has been disclosed. Identified as CVE-2023-5528, the vulnerability affected kubelet versions starting from 1.8.0. The flaw was patched on November 14, 2023, and is specific to Kubernetes clusters using in-tree storage plugins for Windows nodes. Exploitation could result in an attacker gaining SYSTEM privileges and potential full control over all Windows nodes within a cluster. The vulnerability stems from using insecure function calls and lack of input sanitization, particularly when mounting local volumes in a pod. Kubernetes developers have replaced the vulnerable command line call with a native Go function to remove injection risks. The disclosure is accompanied by news of a separate critical security flaw in Uniview ISC camera model 2500-S being exploited to spread the NetKiller Mirai botnet variant.
2024-03-14 10:28:11 | thehackernews | CYBERCRIME | RedCurl Cybercrime Group Utilizes Windows Tool in Espionage Attacks
The Russian-speaking cybercrime group, RedCurl, has been exploiting the legitimate Windows Program Compatibility Assistant (PCA) for corporate espionage. The PCA tool (pcalua.exe), which resolves compatibility issues with older programs, is being manipulated for command execution and security bypass. RedCurl, operating since 2018, has targeted organizations in multiple countries, including Australia, Canada, Germany, Russia, the U.K., and the U.S., to steal corporate secrets and employee data. The attack begins with phishing emails containing malicious .ISO or .IMG attachments, which initiate a multi-stage process involving cmd.exe and a legitimate curl utility to deliver a loader (ms.dll or ps.dll). The malicious DLL exploits PCA to start a downloader process, which establishes a connection to fetch the loader; the Impacket open-source tool is also used for further unauthorized command execution. Connections to the RedCurl group are evident from shared command-and-control infrastructure and similar downloader artifacts used previously. Trend Micro's report highlights the group's sophisticated tactics aimed at evading detection, including misusing PowerShell, curl, and PCA. Meanwhile, the Russian nation-state group Turla has been implementing a new Pelmeni wrapper DLL that deploys the Kazuar backdoor through DLL side-loading techniques, signifying an overarching theme of advanced threat groups employing evasive maneuvers.
2024-03-14 10:28:11 | thehackernews | MISCELLANEOUS | CISOs Capitalize on Cato for Enhanced Visibility and Security
CISOs use Cato SSE 360 from the Cato SASE Cloud platform to achieve a balance between security and productivity without compromise. Leveraging Cato yields comprehensive visibility into the organization's security, networking, and connectivity, much like a SIEM. The platform provides real-time threat prevention with built-in security capabilities such as IPS, Anti-Malware, and daily security updates; it safeguarded against Log4j quickly. Cato supports data sovereignty through DLP and CASB functionalities, aiding in sensitive information protection and controlled SaaS application interaction. The article also mentions easy policy enforcement and minimal configuration, ensuring protection against the latest threats across all users and locations. It positions Cato as a future-proof solution for CISOs, implying that it accommodates growth and evolves with security needs with no barriers to deployment or onboarding.
2024-03-14 07:19:37 | thehackernews | MALWARE | Ande Loader Malware Hits North American Manufacturing
Blind Eagle, a cybercrime group, has been using Ande Loader malware to deploy RATs such as Remcos RAT and NjRAT. The malware primarily targeted Spanish-speaking individuals in the manufacturing sector in North America through phishing emails. The threat actor employs phishing emails containing RAR or BZ2 archive files, which initiate the infection chain through a malicious VBScript. The Ande Loader malware establishes persistence by adding to the Windows Startup folder and then releases the selected RAT payload on the victim's system. There have been cases where malware was distributed via Discord CDN links, showcasing an evolution in the attack methodology. Blind Eagle utilizes crypters from known developers, one of which has hardcoded servers involved in the campaign. The report also references a SonicWall study exposing a different loader malware family (DBatLoader), which uses a compromised driver to bypass security measures.
2024-03-14 05:02:30 | thehackernews | MALWARE | DarkGate Malware Exploits Microsoft Flaw in Phishing Scam
DarkGate malware uses a recently patched Microsoft vulnerability (CVE-2024-21412) to bypass Windows SmartScreen, enabling zero-day attacks. Phishing emails contain PDF attachments with Google DoubleClick open redirects leading to malicious sites that distribute fake Microsoft (.MSI) installers loaded with DarkGate malware. The attack targets financial institutions and deploys through convincing social engineering, using bogus software such as iTunes and NVIDIA. Multiple malware families like Planet Stealer and Tweaks are exploiting popular platforms and social engineering to steal sensitive data. Cybercriminals are increasing their reach through ad campaigns and legitimate platform exploits to deliver various information stealers and remote access trojans. Security experts warn users to be vigilant and only trust software installers from official channels to prevent infections.
2024-03-14 04:21:41 | thehackernews | MALWARE | Fortinet Issues Alert on Critical FortiClientEMS Software Flaw
Fortinet has disclosed a critical SQL injection vulnerability in FortiClientEMS software, potentially leading to unauthorized code execution. The security flaw, designated CVE-2023-48788, has a high severity level with a CVSS score of 9.3 and affects Horizon3.ai, among other versions. Exploitation of this vulnerability could lead to remote code execution as SYSTEM on the server, with plans to release technical details and a PoC exploit shortly. This vulnerability was identified by Thiago Santana of the ForticlientEMS development team and the U.K. National Cyber Security Centre (NCSC). Additionally, Fortinet has rectified two other critical bugs in FortiOS and FortiProxy that also enable execution of arbitrary code via captive portal HTTP requests. There have been no active exploitations reported for these flaws, yet it's crucial for users to apply the provided software updates swiftly due to prior instances of unpatched Fortinet appliances being targeted by cybercriminals.
2024-03-14 01:48:57 | theregister | NATION STATE ACTIVITY | U.S. House Passes Bill Targeting TikTok's Foreign Control
The U.S. House of Representatives has passed the Protecting Americans from Foreign Adversary Controlled Applications Act, targeting TikTok specifically. If enacted, the bill would force TikTok's parent company ByteDance to sell the app's US operations or potentially face a ban. The bill, gaining bipartisan support, passed with 352 votes, citing concerns over potential intelligence gathering and surveillance by Beijing through TikTok. The Senate is yet to consider the bill, with some senators indicating plans to slow the process due to free speech concerns and the potential impact on TikTok users. The practicality of disentangling TikTok's US operations from its global infrastructure is in question, and past rumors of big tech acquisitions have emerged again. The bill's advancement is set against the backdrop of China's ban on non-Chinese social networks, highlighting an asymmetry in social network regulations between the two nations.
2024-03-14 01:18:23 | theregister | DATA BREACH | Nissan Oceania Alerts Customers of Significant Data Breach
Nissan Oceania is contacting around 100,000 Australian and New Zealand individuals affected by a data breach in December 2023. The breach may have been executed by the Akira ransomware gang, which claims to have stolen thousands of ID documents. Compromised data includes government IDs, with up to 10% of victims having sensitive documents like Medicare cards, driving licenses, passports, and tax file numbers stolen. Other stolen data may consist of loan transactions, employment, and salary details and could include personal information like dates of birth. Customers from associated financial services for other automakers marketed by Nissan are also affected. Nissan is offering free credit monitoring services and assistance replacing stolen ID documents, with support from IDCARE to protect against data misuse. The Akira group, responsible for significant attacks on other entities, boasts about the data on their website, suggesting they did not receive a ransom from Nissan.