Daily Brief


Total articles found: 11783

Checks for new stories every ~15 minutes

2024-02-28 17:02:41 theregister MISCELLANEOUS Palo Alto Networks Sued for Allegedly Misleading Investors
Palo Alto Networks (PAN) is facing a class action lawsuit for purportedly deceiving investors regarding its platform strategy and AI products. Investors experienced a significant loss when PAN’s share price plummeted by 28% following a lowered billings forecast and a report on slow growth projections. The lawsuit highlights accusations of PAN making false or misleading statements about the effectiveness of their platformization initiatives and sustainable growth. Defendants named in the lawsuit include PAN, its CEO, CFO, and head of product management, with claims that the company lacked a reasonable basis for their positive statements. PAN had implemented a strategy focusing on platform consolidation which was supposedly validated by the average customer lifetime value metrics presented by its CEO during an earnings call. The lawsuit indicates that PAN's aggressive push towards platformization and the activation of AI leadership failed to secure expected US federal government deals, which contributed to the stock price drop. Plaintiffs assert that economic loss occurred due to the revelations and subsequent stock price fall, claiming material omissions and misrepresentations by PAN. Palo Alto Networks has been approached for comment on the lawsuit allegations.
2024-02-28 16:16:40 bleepingcomputer CYBERCRIME Epic Games Dismisses Claims of Breach by Mogilevich Group
Epic Games says it has found no evidence of any cyberattack or data theft following claims by the Mogilevich extortion group. Despite the group's claims of having breached Epic's servers and of offering the stolen data for sale for $15,000, no proof has been provided to Epic Games. The company began investigating after an ad on a dark web page suggested a breach, but its attempts to communicate with the alleged hackers received no response. Mogilevich reportedly shared samples of the stolen data only with individuals who could prove they had the funds to purchase it. Security researchers are skeptical because no proof has been shared and suspect Mogilevich may be selling fake data, branding the group as potential scammers. The group also claims to operate a Ransomware-as-a-Service model, but no ransomware encryptor linked to it has been identified.
2024-02-28 15:15:08 thehackernews NATION STATE ACTIVITY Iran-Linked Hackers Attack Aerospace and Defense in the Middle East
Iran-associated threat actor UNC1549 is targeting the aerospace, aviation, and defense sectors in the Middle East, notably in Israel and the U.A.E. The activity, which extends to countries such as Turkey, India, and Albania, has been ongoing since at least June 2022. UNC1549 employs social engineering with job-related lures and two custom backdoors, MINIBIKE and MINIBUS, for espionage purposes. The group uses Microsoft Azure cloud infrastructure for command-and-control and deploys the LIGHTRAIL tunneling software for communication. The intelligence gathered from these cyber espionage attacks serves strategic Iranian interests and may support both espionage and kinetic operations. Evasion techniques, including tailored employment-themed lures and the use of cloud infrastructure, complicate prevention, detection, and mitigation efforts by network defenders. Other Iran-related cyber activities include "faketivists" targeting critical infrastructure and data-wiping attacks against industrial control systems in Israel.
2024-02-28 15:09:41 bleepingcomputer NATION STATE ACTIVITY North Korean Group Lazarus Targets Developers Via Malicious PyPI Packages
Japan's JPCERT/CC has issued an alert on the North Korean hacker group Lazarus distributing malware through the PyPI package repository. Lazarus uploaded four malicious packages to PyPI designed to install the 'Comebacker' malware on developers' systems. The malicious packages masquerade as part of the legitimate 'pycrypto' project, tricking developers into downloading them. As of the report, the packages have been removed from PyPI, but thousands of systems may already be compromised. The malware enables Lazarus to infiltrate networks for financial fraud and potentially to mount supply chain attacks. Investigations show continuity in North Korean cyber campaigns, with Lazarus having previously exploited npm packages in November 2023. Lazarus has a history of large-scale thefts, including stealing cryptocurrencies worth millions from various platforms.
2024-02-28 15:04:21 bleepingcomputer CYBERCRIME Lessons Learned from Prevailing Phishing Campaigns
Phishing remains the primary method cybercriminals use to gain initial access to networks, cited in 41% of cyber incidents. A recent campaign involved distributing DarkGate malware through malicious Microsoft Teams chat invites, affecting over 1,000 users. In a separate phishing scheme, attackers exploited open redirects on the Indeed website to hijack Microsoft 365 accounts belonging to high-level employees. Attendees of a NATO summit supporting Ukraine were targeted with a fake website imitating the Ukrainian World Congress, designed to disseminate malware. Organizations can combat phishing by educating employees, employing advanced email filtering, and implementing multi-factor authentication (MFA). Security automation technologies like Blink enhance phishing defenses by offering streamlined incident response and automated security workflows without the need for coding.
2024-02-28 14:03:00 bleepingcomputer CYBERCRIME Savvy Seahorse Exploits DNS Records to Propel Financial Scam Operations
A cybercriminal group identified as Savvy Seahorse has been utilizing CNAME DNS records to create and power scam campaigns centered around fake investment platforms. Victims are lured in through deceptive Facebook ads and conned into submitting funds and personal information to the phony platforms. The operation, active since at least August 2021, employs chatbots to enhance the scams' credibility and automate interactions with potential victims, promising high returns on investments. Researchers at Infoblox revealed the innovative use of CNAME records as a Traffic Distribution System (TDS), facilitating the rotation of IP addresses to avoid detection. The scam campaign operates in multiple languages and targets a global audience, with victims directed to fraudulent trading platforms after their data is collected and verified. Savvy Seahorse deploys domain generation algorithms to manage a vast number of domains, which hampers tracking and adds operational resilience by distributing infrastructure across various registrars and hosts. Meta Pixel trackers are used on the malicious pages for performance tracking, which likely informs the refinement of the group's scamming strategies. Detailed indicators of compromise and a list of domains associated with the scam are available on a GitHub page for further reference by security professionals.
2024-02-28 13:11:30 thehackernews CYBERCRIME U.S. Warns of BlackCat Ransomware Targeting Healthcare Sector
The U.S. government has warned of BlackCat ransomware increasingly targeting the healthcare sector; nearly 70 victim leaks noted since mid-December 2023. The FBI, CISA, and HHS issued an advisory following the ransomware group's comeback after a failed takedown attempt of its leak sites. Despite the takedown, BlackCat has continued attacks on organizations like Prudential Financial, Optum, and others. The U.S. government offers up to $15 million for information leading to the arrest of members and affiliates of the e-crime group. BlackCat's resurgence comes alongside the comeback of LockBit ransomware and follows critical security flaws in ConnectWise's ScreenConnect software that have been exploited in attacks. Over 3,400 potentially vulnerable ScreenConnect hosts were found exposed online, with remote access software becoming a major vector for ransomware deployment. Ransomware groups are evolving, exemplified by RansomHouse's MrAgent tool for ransomware deployment on large-scale virtual environments, and the sale of direct network access. Public release of new Linux-targeting ransomware Kryptina could further increase the frequency and sophistication of attacks, with possible proliferation of spin-off variants.
2024-02-28 12:04:50 thehackernews MISCELLANEOUS Mastering Ethical Management of Customer Data with CDP
A transformative webinar will introduce Twilio Segment's privacy-compliant Customer Data Platform (CDP) designed for managing first-party data. The webinar aims to educate on balancing personalized customer experiences with strict adherence to privacy regulations. Twilio Segment's State of Personalization Report indicates 63% of consumers are open to personalization based on directly shared data. The termination of third-party cookies and new privacy-centric browser technologies are pushing businesses towards privacy-first personalization strategies. The session will address how to navigate and comply with stringent data protection laws such as GDPR, while maintaining effective personalization. Businesses are urged to attend to learn about ethical customer data management and to stay competitive in an environment where data privacy is mandatory. Attendees will be offered a complimentary risk assessment from Vanta to check their security and compliance status.
2024-02-28 10:43:05 thehackernews MISCELLANEOUS Enhancing Security with Advanced Identity Management Solutions
Traditional perimeter-based security strategies are now seen as both costly and ineffective in safeguarding digital assets. The majority of cybersecurity risks are attributed to a small proportion of users, deemed 'superusers', who are essentially privileged users with access to sensitive systems and data. SSH Communications Security is a company that is focused on bridging the gap between Privileged Access Management (PAM) and Identity Management (IdM) to better protect these superusers. The integration of PIM (Privileged Identity Management), PAM, and IAM (Identity and Access Management) is essential for effective management and security of digital identities and access controls. Non-privileged users' access and identity verification can be managed with strong authentication methods, while privileged users require more stringent control measures due to the risks associated with their access. The article advocates for a shift toward a Zero Trust cybersecurity approach that is borderless, passwordless, keyless, and incorporates biometric authentication to strengthen security without relying on implicit trust. SSH Communications Security provides resources, such as whitepapers, to educate organizations on the benefits and implementation of passwordless and keyless cybersecurity models. Vanta offers a free risk assessment tool for organizations to evaluate their security and compliance posture and to uncover potential shadow IT issues.
2024-02-28 10:22:35 theregister NATION STATE ACTIVITY U.S. Moves to Block Adversaries from Americans' Sensitive Data
President Biden is anticipated to issue an executive order to prevent the transfer of Americans' sensitive data to adversarial nations such as China and Russia. Proposed regulations will forbid companies from transferring large amounts of certain data types to countries of concern, including North Korea, Iran, Cuba, and Venezuela. The executive order targets sensitive information categories including genomic and biometric data, geolocation, health and financial data, personal identifiers, and sensitive government-related data. There will be exemptions for some commercial transactions and international business operations, like payroll within multinational companies. The proposed regulation, which has several steps before becoming law, will be enforced by the US Justice Department, aiming to close a current legal gap on the national security risk of data access by certain countries. The concern is that these nations could use American personal and government data for cyber-enabled activities, espionage, blackmail, AI training, and to target activists, journalists, and politicians. The White House emphasizes that these measures do not replace the need for comprehensive bipartisan privacy legislation, which President Biden has urged Congress to pass.
2024-02-28 07:49:21 thehackernews MALWARE Sophisticated 'TimbreStealer' Malware Targets Mexican Taxpayers
A new malware called TimbreStealer has been targeting Mexican users with tax-themed phishing scams since at least November 2023. TimbreStealer employs advanced obfuscation techniques and geofencing to evade detection and to target users in Mexico specifically. The malware uses evasion strategies such as custom loaders and direct system calls, together with a technique called Heaven's Gate to execute 64-bit code within a 32-bit process. TimbreStealer's payload is designed to harvest credentials and system metadata and to check for remote desktop software, while avoiding reinfection of previously compromised systems. Cisco Talos researchers note similarities with past malicious campaigns and highlight the versatility of TimbreStealer, which focuses on various industries including manufacturing and transportation. The report also mentions the emergence of other information stealers such as Atomic and XSSLite, showing a trend of evolving cyber threats. Stealer malware such as Atomic, XSSLite, Agent Tesla, and Pony continues to be developed for information theft and is traded on underground markets.
2024-02-28 05:52:23 thehackernews NATION STATE ACTIVITY APT28 Exploits Ubiquiti EdgeRouters for Malicious Cyber Operations
U.S. and allied cybersecurity agencies warn of threats by Russia-linked APT28 targeting Ubiquiti EdgeRouter devices. The advisory follows the recent takedown of the MooBot botnet, utilized by APT28 for various covert cyber operations. APT28 has exploited routers to harvest credentials, proxy traffic, and host phishing pages, affecting diverse global sectors. The threat actor has been active since at least 2007 and uses compromised routers to install and operate custom malware. Users are advised to reset their hardware to factory settings, update firmware, change default credentials, and implement firewall rules. Nation-state hackers are increasingly focusing on routers to create botnets for malicious activity and gain access to targeted networks. The intelligence bulletin coincides with a Five Eyes alert on APT29's cloud access tactics, underscoring the ongoing threat of Russian cyber espionage.
2024-02-28 04:36:11 theregister CYBERCRIME Ubiquiti Router Botnet Downed by Feds, Potential Resurgence Warned
A botnet controlled by Russia using compromised Ubiquiti EdgeOS routers was dismantled in January by international authorities. The US FBI and partners from multiple countries have issued a warning that Russia's GRU intelligence unit may attempt to revive the botnet. Device owners are urged to upgrade firmware, strengthen passwords, and implement strategic firewall rules to prevent re-compromise. The GRU's malware, named Moobot, allowed for phishing, spying, and data theft through a network of infected routers. A unique malware package, MASEPIE, was also uncovered, indicating the GRU's direct involvement in crafting tools for the operation. The Indicators of Compromise (IOCs) provided, including bash histories, can help network administrators identify malicious activity. However, non-technical device owners might struggle to follow the advisory's recommendations due to a lack of detailed guidance.
2024-02-28 00:42:28 bleepingcomputer DATA BREACH Cencora Pharmaceutical Suffers Significant Data Theft Incident
Pharmaceutical services giant Cencora reported a cyberattack that resulted in data theft from its IT systems. The company, formerly known as AmerisourceBergen, announced the breach in a Form 8-K filing with the SEC. Cencora earned $262.2 billion in fiscal year 2023 and has an approximate workforce of 46,000. The company has engaged law enforcement, cybersecurity professionals, and external legal counsel to investigate the incident. Immediate containment actions were taken upon detection of the cyberattack, but the potential impact on Cencora's financial and operational standing remains unclear. In response to inquiries, the company referred to the statement made in its SEC filing, emphasizing that there are no known links to the recent Optum Change Healthcare ransomware attack. No culprit has been identified, and no ransomware group has claimed responsibility for the cyberattack on Cencora; the Lorenz ransomware group had allegedly breached the company in February 2023.
2024-02-27 22:30:10 bleepingcomputer CYBERCRIME U.S. Federal Agencies Warn of Ongoing BlackCat Ransomware Threats
The FBI, CISA, and HHS have issued a warning on targeted ALPHV/Blackcat ransomware attacks against U.S. healthcare organizations. BlackCat, active since November 2021, is attributed to over 60 initial breaches and has collected over $300 million in ransoms from more than 1,000 victims. The healthcare sector has recently been the prime target for BlackCat, influenced by the group's strategic shift following law enforcement actions in December 2023. Critical infrastructure organizations, especially in healthcare, are urged to implement cybersecurity safeguards against tactics typically used by this threat group. The ransomware operation was linked to a recent cyberattack on Optum, causing a significant outage affecting Change Healthcare. Investigators found that BlackCat hackers exploited a known ScreenConnect vulnerability to gain access to networks. Despite disruptions to BlackCat's infrastructure by the FBI in December 2023, the gang has resumed operations and remains a significant threat. The U.S. State Department is offering rewards for information leading to BlackCat gang leaders and associates.