Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-12 11:50:26 | theregister | CYBERCRIME | Leicester City Council Targeted in Suspected Ransomware Attack | Leicester City Council experienced a "cyber incident" leading to IT systems and crucial service phone lines being taken offline. Despite the use of vague terms, security experts suspect the attack could be ransomware, although there is no official confirmation yet. The incident led to the shutdown of some network services, including Citrix Netscaler and Cisco AnyConnect VPN appliances. The council is collaborating with cybersecurity experts and law enforcement to understand the attack and has consulted other councils for recovery strategies. Recovery efforts are focused on prioritizing critical services with hopes to commence the process by mid-week. Emergency phone numbers have been established for essential services, with online forms for reporting currently disabled. The attack on Leicester is not an isolated incident; other UK councils have recently endured cyberattacks, disrupting services for extended periods. There is some confidence that sensitive data held by Leicester City Council is protected and that the impact on personal data will be minimal. | Details |
| 2024-03-12 11:09:35 | thehackernews | MISCELLANEOUS | Essential Guide to Implementing Continuous Threat Exposure Management | Continuous Threat Exposure Management (CTEM) is a proposed strategy to effectively manage cyber risks by combining attack simulation, risk assessment, and remediation. The CTEM framework is becoming increasingly significant as organizations seek an integrated approach to improve security posture and risk management. XM Cyber highlights the importance of obtaining an "attacker's view" of an environment to prioritize vulnerabilities according to the risk they pose to crucial assets. A CTEM program operates in five stages to systematically de-escalate cyber threats and is distinguished from other security approaches by its continual, dynamic nature. Key benefits of CTEM include the ability to effectively prioritize and address the most critical exposures, thereby streamlining and enhancing organizational security efforts. Establishing a CTEM program requires organizational commitment, a shared understanding of risk, and a prioritization process tailored to an organization's unique needs. XM Cyber encourages organizations to adopt the CTEM framework and provides further insights in a whitepaper discussing the operationalization of the CTEM framework by Gartner®. | Details |
| 2024-03-12 09:22:28 | thehackernews | MALWARE | Malware Campaign Impacts Over 3,900 Websites via WordPress Plugin Flaw | A new malware campaign has exploited a serious security vulnerability in the Popup Builder WordPress plugin, affecting over 3,900 websites. The campaign uses recently created domains, some registered as recently as February 12th, 2024, to insert malicious JavaScript through CVE-2023-6000. Attackers can generate rogue admin accounts and install unwanted plugins using the exploited flaw, leading to site redirections to phishing or scam pages. Website owners using WordPress are advised to update plugins and scan their websites for any unusual code or users to mitigate the threat. The threat emphasizes the critical importance of regularly updating and patching website software to avoid security vulnerabilities. Additionally, Wordfence has identified a high-severity bug in the Ultimate Member plugin that allows the injection of malicious scripts due to insufficient input sanitization. The XSS flaw in Ultimate Member, CVE-2024-2123, has been fixed in the most recent update, with prior versions of the plugin being susceptible to unauthenticated attacker exploits. The issue follows previous plugin and theme vulnerabilities within WordPress, highlighting the platform's ongoing challenge with securing against malicious activities. | Details |
| 2024-03-12 06:34:25 | thehackernews | NATION STATE ACTIVITY | South Korean National Arrested in Russia for Alleged Espionage | Russia has detained a South Korean citizen, Baek Won-soon, on charges of cyber espionage and transferred him from Vladivostok to Moscow for further investigation. Won-soon is accused of transferring classified "top secret" information to unnamed foreign intelligence agencies. Initially detained in Vladivostok earlier this year, Won-soon's arrest has now been extended until June 15, 2024, and he has been relocated to Lefortovo pretrial detention center in Moscow. The same detention facility is currently holding American journalist Evan Gershkovich, who is awaiting trial on suspicion of espionage, charges he has denied. The arrest comes at a time of increasing geopolitical collaboration between Russia and North Korea, the latter known for its state-sponsored hacking efforts targeting Russia for intelligence. Additionally, the article mentions the recent arrest of a former Google engineer in the U.S. for allegedly stealing proprietary information while working for China-based companies. | Details |
| 2024-03-12 06:29:11 | theregister | DDOS | French Government Sites Hit by Major DDoS Attack | Several French government websites experienced significant disruption due to a distributed denial of service (DDoS) attack. Cloudflare's Radar detected the onset of the attack on early Sunday, which escalated quickly, and saw fluctuations before sustaining an intense six-hour period of activity. France's digital transformation agency, DINUM, responded by deploying defensive measures against the attack amidst claims of ongoing disruptions by Anonymous Sudan. Anonymous Sudan claimed responsibility for the attack, which information security firm FalconFeeds suggests was likely assisted by Russian actors and other threat groups. The motive behind the DDoS attack remains unclear, but it comes after French President Macron suggested sending troops to support Ukraine against Russia's invasion, a move criticized by President Putin. The attacks targeted critical departments, including the prime minister's office, the civil aviation authority, and the Ministry of the Economy. However, at the time of reporting, the affected sites were accessible without obvious issues. | Details |
| 2024-03-12 00:08:10 | theregister | CYBERCRIME | US Officials Demand Swift Action After Healthcare Ransomware Attack | The Biden administration and US lawmakers are pushing for UnitedHealth Group to quicken payments to medical providers after a ransomware attack by ALPHV/BlackCat affiliates. Senator Ron Wyden criticized the cyber attack on Change Healthcare as inexcusable, stressing that the healthcare sector has been a known target for cybercriminals for years. The ransomware attack disrupted patient care and created severe cash-flow issues due to Change Healthcare's significant role in processing healthcare transactions. Health secretaries from the DHHS and DOL urged UnitedHealth and insurance companies to mitigate the impact on providers by expediting funds, accepting paper claims, and simplifying electronic interactions. Senator Wyden has called for mandatory cybersecurity standards in the healthcare industry and regular auditing to protect patient data. The criticism extends to federal regulators for not mandating minimum security requirements amidst a rise in cyber attacks against healthcare organizations. Concerns are also being raised about the systemic risks posed by large healthcare entities, such as the $13 billion merger of Optum and Change Healthcare. Senator Mark Warner sees the need for legislation, including mandatory cyber hygiene standards for healthcare providers, to ensure patient care and safety against future cyber threats. | Details |
| 2024-03-11 22:01:07 | theregister | NATION STATE ACTIVITY | Kremlin Accuses U.S. of Planning Cyberattack on Russia's Election | The Kremlin has alleged that the U.S. is plotting a cyberattack against Russia's electronic voting system. Russian intelligence claims that American NGOs are instructed to lower voter turnout. No evidence was provided by the Russian Foreign Intelligence Service to back up the accusations. Russia warns that any foreign meddling would be seen as an act of aggression, offering a potential pretext for election discrepancies. The claims follow Russia's recent assurance that it will not interfere in U.S. elections, countering past allegations of meddling in 2016 and 2020. U.S. officials have not observed any significant threats or irregularities in their own ongoing election processes. | Details |
| 2024-03-11 21:25:25 | bleepingcomputer | CYBERCRIME | Tuta Mail Unveils Quantum-Resistant Encryption Protocol TutaCrypt | Tuta Mail introduces TutaCrypt, a new encryption protocol designed to resist quantum decryption. The Germany-based email service aims to secure communications against future "harvest now, decrypt later" attacks. TutaCrypt combines quantum-safe algorithms like CRYSTALS-Kyber with traditional ones such as X25519 for robust encryption. Existing AES 256/Argon2 cryptography layers enhance protection from current threats, without requiring user action for migration. Tuta's initiative addresses a growing concern over quantum computing's potential impact on current cryptographic standards. TutaCrypt generates dual key pairs for both quantum-resistant key encapsulation and traditional ECDH, stored securely on German servers. Current and future users will be transitioned to TutaCrypt automatically, signaling a proactive step in email security advancement. While the protocol currently has limitations regarding message integrity and key compromise risk, further improvements are planned. | Details |
| 2024-03-11 20:19:12 | bleepingcomputer | DATA BREACH | Okta Refutes Claims of Data Leak Posted on Hacker Forum | Okta has denied that its data was leaked following a claim by a cybercriminal on a hacking forum. The threat actor, using the name 'Ddarknotevil,' alleged that the database containing details of 3,800 Okta customers was from a breach in October 2023. The data purportedly included user IDs, full names, company names, office addresses, phone numbers, email addresses, and positions/roles. After being notified, Okta conducted a thorough investigation and found no evidence of a new breach or a link to the October incident. Okta suggested the data might be aggregated from public sources, noting some dates in the leaked information are over a decade old. Cyber-intelligence firm KELA concluded that the data does not originate from Okta, but matches a July 2023 data dump from a different company's breach. | Details |
| 2024-03-11 19:21:19 | bleepingcomputer | DATA BREACH | EquiLend Employee Data Compromised in LockBit Ransomware Attack | New York-based EquiLend Holdings LLC suffered a data breach as a result of a ransomware attack in January. The breach led to the theft of employees' personally identifiable information (PII), including names, birth dates, and Social Security numbers. Despite the breach, there is currently no evidence of the stolen data being used for identity theft or fraud. EquiLend has offered two years of complimentary identity theft protection services to affected employees through IDX. The company managed to restore all client-facing services post-attack and has found no indication of client transaction data being compromised. LockBit ransomware group claimed responsibility for the attack, although EquiLend has not explicitly confirmed the group's involvement. EquiLend, backed by ten global banks since its establishment in 2001, has a significant footprint with over 330 employees and its services used by more than 190 firms worldwide. | Details |
| 2024-03-11 19:16:03 | bleepingcomputer | MISCELLANEOUS | Researchers Reveal Risks in Microsoft Configuration Manager Setup | Security experts unveiled a repository called Misconfiguration Manager to address attack techniques stemming from improper configurations of Microsoft's Configuration Manager. Microsoft Configuration Manager (MCM), previously known as SCCM, is widely used in Active Directory environments to manage servers and workstations. Vulnerabilities due to misconfigurations can provide attackers with administrative domain privileges or enable payload execution. Common misconfigurations include the use of network access accounts (NAAs) with excessive privileges, which can lead to severe security breaches, such as gaining domain controller access. One documented security lapse involved overprivileged NAAs that led from a compromised SharePoint account to full domain control. Another vulnerability allows enrolling domain controllers as clients, creating potential for remote code execution if proper site hierarchy isn't maintained. Misconfiguration Manager offers insights and defense strategies for 22 attack techniques, aiming to educate defenders on securing Microsoft MCM correctly. Administrators are urged to validate the defensive actions suggested by the repository within a non-production environment prior to live deployment due to the complexity and potential impact on security posture. | Details |
| 2024-03-11 18:04:35 | bleepingcomputer | DATA BREACH | EquiLend Employee Data Compromised in Ransomware Attack | New York-based EquiLend Holdings suffered a ransomware attack in January, leading to the theft of employee data. The financial technology firm initially took systems offline on January 22 to contain a breach and confirmed the incident resulted from ransomware. Although client services resumed, and there is no evidence of client data exfiltration, employee personally identifiable information (PII) was stolen. Stolen PII includes names, birth dates, and Social Security numbers of EquiLend employees. LockBit ransomware group claimed responsibility, but EquiLend has not confirmed the attackers' identity. Affected employees are being offered two years of free identity theft protection services through IDX. EquiLend, founded by major banks and broker-dealers, serves over 190 firms globally and facilitates transactions worth over $2.4 trillion monthly. | Details |
| 2024-03-11 17:49:05 | bleepingcomputer | DATA BREACH | Over 15,000 Roku Accounts Compromised, Sold for 50 Cents Each | Roku has confirmed a data breach affecting 15,363 customers, with accounts being used for unauthorized purchases. Stolen accounts were sold for $0.50 apiece, enabling buyers to use the victims' stored payment information. The breach was due to credential stuffing attacks using details from other breaches to access Roku accounts. Once inside an account, attackers could alter passwords, email, and shipping addresses, blocking out the legitimate user. Roku responded by securing the breached accounts, forcing password resets, and initiating refunds for unauthorized transactions. Roku has faced criticism for new "Dispute Resolution Terms" that may be connected to the credential stuffing attacks and the resultant fraudulent activities. At present, Roku does not support two-factor authentication, potentially leaving accounts more vulnerable to such attacks. | Details |
| 2024-03-11 14:55:33 | bleepingcomputer | CYBERCRIME | Fake Crypto Wallet App on Apple Store Steals Digital Assets | A counterfeit Leather cryptocurrency wallet app on Apple's App Store has been reported as a "wallet drainer," stealing users' digital assets. The authentic Leather wallet platform has warned its community and advised that any user who entered their passphrase into the fake app should immediately transfer their assets to a secure wallet. Despite Leather's warnings and a report to Apple, the malicious app, published by 'LetalComRu,' remains available for download and sports a suspiciously high user rating. Victims have already reported losses, indicating that the fake app is actively draining cryptocurrency from those who have installed it. This incident echoes previous occurrences on the App Store, highlighting that even with Apple's strict security measures, scammers are managing to bypass checks. Experts recommend accessing any digital wallet app via official links from verified websites, using the real Leather website as an example at leather.io. | Details |
| 2024-03-11 14:49:43 | thehackernews | MALWARE | New CHAVECLOAK Banking Trojan Targets Brazilian Financial Sector | A new banking trojan named CHAVECLOAK is targeting Brazilian users, disseminated through phishing emails with PDF attachments. The emails utilize contract-themed DocuSign lures, prompting users to click a button which downloads malware from a remote link. CHAVECLOAK uses DLL side-loading with an executable "Lightshot.exe" to infect systems, specifically aiming at Brazilian financial institutions. The trojan can block screens, log keystrokes, and use deceptive pop-ups to steal credentials, with a focus on banks and cryptocurrency platforms like Mercado Bitcoin. A Delphi variant of the malware has been identified, continuing the trend of Delphi-based malware in Latin America. This threat emphasizes the evolving cyberthreat landscape in the financial sector and parallels other phishing campaigns, like the mobile banking fraud campaign deploying Copybara malware in Europe. Advanced evasion techniques, geofencing, and real-time remote interaction with infected devices demonstrate the growing sophistication of on-device fraud (ODF) schemes. | Details |