Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 11783
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-24 16:09:30 | bleepingcomputer | MISCELLANEOUS | Apple Introduces Quantum-Resistant PQ3 Encryption to iMessage | Apple has incorporated a new post-quantum cryptographic protocol called PQ3 into its iMessage service to secure it against potential quantum computing attacks.
PQ3 is designed to safeguard end-to-end encryption on iMessage, which is used by almost one billion iOS and macOS devices.
The adoption of PQ3 aims to protect current communications and previous encrypted messages that could be at risk from "harvest now, decrypt later" scenarios.
PQ3 combines post-quantum key material with the existing Elliptic Curve Cryptography (ECC) in a hybrid design, so the protocol stays secure unless both the classical and the post-quantum component are broken.
Apple's PQ3 uses the Kyber key encapsulation mechanism, the algorithm NIST selected for standardization after public review by the cryptographic community.
A notable feature of PQ3 is periodic post-quantum rekeying, which refreshes the post-quantum keys during a conversation so that a compromised key exposes only a limited window of messages, without affecting the user experience.
Apple presents PQ3 as ahead of other messaging protocols, potentially setting the standard for secure communication against evolving quantum threats. | Details |
| 2024-02-24 11:50:28 | thehackernews | NATION STATE ACTIVITY | Microsoft Expands Audit Logging for US Agencies Post Espionage Campaign | Microsoft is now offering free enhanced logging capabilities to all U.S. federal agencies, extending the log retention period.
This move follows a cyber espionage effort by a China-linked group called Storm-0558, which compromised around 25 U.S. and European entities, including U.S. federal agency accounts.
Enhanced logging in Microsoft Purview Audit played a crucial role in detecting the breach, particularly the MailItemsAccessed auditing action.
The actors in the campaign showcased sophisticated technical skills, understanding their targets' security environments in-depth.
It is reported that approximately 60,000 unclassified emails from U.S. State Department officials were stolen.
In response to criticism, Microsoft made the advanced audit logs, previously available only to higher-tier (E5) licensees, available more broadly.
The initiative is part of the commitment to help federal agencies meet stringent cybersecurity standards set by the Office of Management and Budget Memorandum M-21-31. | Details |
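The MailItemsAccessed action named above is the detail an incident responder actually works with: each record says which client, from which IP, bound (opened) or synced (bulk-downloaded) which mailbox items. The triage script below is an added example, not Microsoft's code and not from the article. It takes MailItemsAccessed records as exported from the unified audit log (one AuditData JSON object per line), aggregates them per user/IP/client, and flags sessions worth a look: unfamiliar IPs, bulk syncs, high item counts, and throttled sessions. As Microsoft's documentation describes it, once a mailbox generates more than roughly 1,000 bind records in 24 hours, Exchange Online stops logging further binds for that window and marks records IsThrottled=True, so a throttled count is only a lower bound. The field names (OperationProperties, MailAccessType, IsThrottled, Folders/FolderItems) follow that schema as I understand it; check them against your own export. The sample records, users and IPs are constructed.

```python
"""Triage exported MailItemsAccessed records from the Microsoft 365 unified
audit log (added example; record layout follows Microsoft's documented
schema as understood here, sample data is constructed)."""
import json
from dataclasses import dataclass


@dataclass
class AccessSummary:
    user: str
    client_ip: str
    client: str
    bind_items: int = 0      # individual items opened (MailAccessType=Bind)
    sync_folders: int = 0    # folders pulled down in bulk (MailAccessType=Sync)
    throttled: bool = False  # IsThrottled=True: Exchange stopped logging binds


def _prop(record, name, default=None):
    """Read one value from the record's OperationProperties name/value list."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return default


def summarize_mail_access(audit_json_lines):
    """Aggregate MailItemsAccessed records (one JSON object per line, as
    written out from Search-UnifiedAuditLog's AuditData) per user/IP/client."""
    summaries = {}
    for line in audit_json_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        key = (rec["UserId"], rec.get("ClientIPAddress", ""), rec.get("ClientInfoString", ""))
        s = summaries.setdefault(key, AccessSummary(*key))
        folders = rec.get("Folders", [])
        if _prop(rec, "MailAccessType") == "Sync":
            s.sync_folders += len(folders)           # Sync records list folders, not items
        else:
            s.bind_items += sum(len(f.get("FolderItems", [])) for f in folders)
        if str(_prop(rec, "IsThrottled", "False")).lower() == "true":
            s.throttled = True
    return list(summaries.values())


def flag_suspicious(summaries, known_ips, bind_threshold=50):
    """Return (summary, reasons) pairs for sessions an analyst should review."""
    flagged = []
    for s in summaries:
        reasons = []
        if s.client_ip not in known_ips:
            reasons.append("access from an IP outside the known set")
            if s.sync_folders:
                reasons.append(f"bulk sync of {s.sync_folders} folder(s)")
        if s.bind_items >= bind_threshold:
            reasons.append(f"{s.bind_items} items bound")
        if s.throttled:
            reasons.append("throttled: logged item counts are a lower bound")
        if reasons:
            flagged.append((s, reasons))
    return flagged


# Constructed sample records (documentation IP ranges, example.com users).
# Records 2 and 3 mimic an unfamiliar REST client reading and syncing a mailbox.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"CreationTime": "2023-06-15T08:01:02", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.com", "ClientIPAddress": "198.51.100.10",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<a1@example.com>"}, {"InternetMessageId": "<a2@example.com>"}]}]},
    {"CreationTime": "2023-06-15T03:14:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.com", "ClientIPAddress": "203.0.113.77",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": f"<m{i}@example.com>"} for i in range(60)]}]},
    {"CreationTime": "2023-06-15T03:20:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.com", "ClientIPAddress": "203.0.113.77",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
     "Folders": [{"Path": "\\Inbox"}, {"Path": "\\Sent Items"}]},
    {"CreationTime": "2023-06-15T09:00:00", "Operation": "FileAccessed",
     "UserId": "analyst@example.com"},
]]

if __name__ == "__main__":
    for s, reasons in flag_suspicious(summarize_mail_access(SAMPLE_RECORDS),
                                      known_ips={"198.51.100.10"}):
        print(f"{s.user} via {s.client_ip} ({s.client}): " + "; ".join(reasons))
```

The known-IP set is the part to build from your own baseline (VPN egress, office ranges, the user's usual OWA/Outlook sessions); the ClientInfoString is the second pivot, since an automated REST client reading a State-Department-style mailbox looks nothing like Outlook. Remember that records only exist for mailboxes whose tenant had this auditing enabled at the time of access, which is exactly why the licensing change above matters.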
| 2024-02-23 22:33:19 | theregister | CYBERCRIME | LockBit Ransomware Extortion Surpasses Billion Dollar Mark | Investigations into LockBit ransomware's financial operations suggest the cybercrime group has extracted over $1 billion in ransom payments over four years.
The analysis of 30,000 cryptocurrency addresses linked to LockBit indicates approximately $126.6 million in assets, with $114 million yet to be spent.
The estimations are based only on data from an 18-month period, implying that the actual amount extorted could be significantly higher.
Affiliates of the LockBit group typically retain 80% of ransom payments, with the group claiming a 20% cut.
The UK's National Crime Agency (NCA), in partnership with the South West Regional Organised Crime Unit and Chainalysis, is actively tracking and targeting related cryptocurrency accounts.
Binance is currently restricting access to crypto assets in over 85 accounts associated with LockBit, as a part of the broader clampdown on the group's financial activities.
LockBit's leak site was taken over by authorities and repurposed to reveal the gang's operations, scheduled to be shut down completely on February 25. | Details |
| 2024-02-23 20:10:42 | theregister | DATA BREACH | U-Haul Notifies 67K Customers of Data Breach Involving Personal Information | U-Haul has informed approximately 67,000 customers that their personal data was accessed during a cyber intrusion.
Cyber-criminals used stolen credentials to access the U-Haul Dealer and Team Members system, which contained customer records.
Personal information such as names, dates of birth, and driver's license numbers was compromised, but no financial data was stolen.
U-Haul has since strengthened security measures, including resetting passwords, and is offering affected customers a free year of credit monitoring.
A U-Haul spokesperson did not say how the attackers obtained the stolen credentials; the incident is part of a growing trend of identity-based attacks.
Reporting from IBM X-Force and CrowdStrike indicates a significant increase in attacks leveraging valid credentials and a focus on compromising various forms of identity verification methods. | Details |
| 2024-02-23 18:59:01 | bleepingcomputer | DATA BREACH | Insomniac Games Employee Data Leaked in Ransomware Attack | Insomniac Games, owned by Sony, has notified employees of a data breach stemming from a November ransomware attack by the Rhysida group.
The attack resulted in the theft and online leak of 1.67 TB of internal documents, including personal employee information.
The data leaked includes ID scans, contract details, licensing agreements, and in-development game content, among other sensitive details.
The attackers initially demanded a $2 million ransom, which was not paid, leading to the public release of 98% of the stolen data.
Insomniac Games is offering affected employees an additional two years of complimentary credit monitoring and identity restoration services.
The Rhysida ransomware group is known for its previous high-profile attacks, including those on the Chilean Army and the British Library.
U.S. federal agencies have previously warned that Rhysida attacks opportunistically across many sectors, underscoring the threat the group poses. | Details |
| 2024-02-23 18:18:02 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Gang Holds Over $110 Million in Bitcoin | The LockBit ransomware operation amassed over $125 million in ransom payments within 18 months.
More than $110 million in Bitcoin remains unspent after the group's disruption by Operation Cronos.
Over 500 cryptocurrency addresses linked to LockBit have been active, receiving significant funds.
Authorities suggest the actual ransom amounts victims paid could be much higher, with global impacts in the multi-billions.
The U.K.'s National Crime Agency obtained 30,000 Bitcoin addresses from the hacked LockBit infrastructure.
Law enforcement's success in disrupting LockBit led to the discovery of 85 cryptocurrency exchange accounts, now restricted by Binance.
Despite LockBit's infrastructure being under law enforcement control, the group's leaders and affiliates are mostly unidentified.
The U.S. State Department offers up to $15 million for information leading to LockBit members and partners. | Details |
| 2024-02-23 17:11:48 | thehackernews | MALWARE | Malicious Update on PyPI Package Distributes Nova Sentinel Malware | A previously inactive package on Python Package Index (PyPI) named django-log-tracker was found to be spreading malware.
The package received an anomalous update after nearly two years of inactivity, which suggests the maintainer's PyPI account was compromised.
The update was designed to disseminate an information stealer called Nova Sentinel.
The altered django-log-tracker version was downloaded 107 times before being removed from PyPI.
The malicious version downloaded a binary from a remote server and executed it.
Nova Sentinel malware was originally identified by security researchers as being spread through fake Electron apps.
The incident highlights the risk of supply chain attacks through package repositories and the importance of pinning dependency versions (and ideally their hashes) so that an unexpected upstream release is not installed automatically. | Details |
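The version-pinning advice is only as good as the requirements file it is applied to, and a floor-only range like `>=` is no protection at all against a malicious new release. The auditor below is an added example, not code from the article, from pip, or from the django-log-tracker project: it parses a pip requirements file (comments and backslash continuations handled the way pip does), strips out `--hash=` options, and classifies each spec as unpinned, pinned without an integrity hash, pinned with a hash pip would not accept, or fully locked. The sample file is constructed and the sha256 digest in it is a placeholder, not a real artifact's hash.

```python
"""Audit a pip requirements file for dependency specs that would silently
accept a new upstream release (added example; constructed input)."""
import re
from dataclasses import dataclass

# Digest algorithms pip accepts for --hash, with the expected hex-digit length.
_HASH_LENGTHS = {"sha256": 64, "sha384": 96, "sha512": 128}
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass(frozen=True)
class Finding:
    name: str
    spec: str
    status: str  # "unpinned" | "pinned-no-hash" | "weak-hash" | "ok"


def _logical_lines(text):
    """Yield requirement lines with comments stripped and backslash
    continuations joined, following pip's requirements-file rules."""
    pending = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line
    if pending.strip():
        yield pending.strip()


def audit_requirements(text):
    """Classify every package spec in a requirements file."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):       # -r, -e, --index-url ...: options, not specs
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(3)
        hashes = _HASH_RE.findall(rest)
        spec = _HASH_RE.sub("", rest).strip()
        if "==" not in spec:           # >=, ~=, <, or no version: floats upward
            status = "unpinned"
        elif not hashes:
            status = "pinned-no-hash"  # version fixed, but the artifact is not
        elif any(_HASH_LENGTHS.get(alg) != len(digest) for alg, digest in hashes):
            status = "weak-hash"       # pip --require-hashes would reject this
        else:
            status = "ok"
        findings.append(Finding(name, spec, status))
    return findings


def unsafe_packages(findings):
    """Names that an attacker-controlled upstream release could still reach."""
    return [f.name for f in findings if f.status != "ok"]


SAMPLE_REQUIREMENTS = """\
# Constructed sample; the sha256 below is a placeholder, not a real digest.
django-log-tracker                  # no version: any future release is taken
requests>=2.31                      # floor only: newer releases still allowed
urllib3==2.2.1                      # exact pin, but no integrity check
cryptography==42.0.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
-r other-requirements.txt
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.status:15} {f.name}{f.spec}")
```

Pinning alone would not have stopped a poisoned release from being installed on a machine that had not yet installed the package, but it would have stopped an existing, working deployment from pulling the new version in on its next `pip install -r`. Pairing the pins with `--hash` entries and running pip with `--require-hashes` (or using a lockfile tool that generates them) closes the remaining gap: a release uploaded under the same version number by a hijacked account no longer matches the recorded digest.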
| 2024-02-23 16:30:30 | theregister | NATION STATE ACTIVITY | Lackluster Reveal of LockBit Gang Identity Raises More Questions | The anticipated identity reveal of LockBit ransomware gang's spokesperson, LockBitSupp, by authorities fell short of expectations.
Authorities dispelled rumors about LockBitSupp's place of residence and luxury car ownership but provided limited further details.
LockBitSupp's interaction with law enforcement has created speculation regarding his potential cooperation with Operation Cronos.
The National Crime Agency (NCA) has declined to share more information after a series of significant leaks exposing various aspects of LockBit's operations.
Operation Cronos's takedown of LockBit showcased the unwinding of the cybercrime entity with daily informational "drops" starting February 20.
The takedown resulted in the exposure of LockBit affiliates' identities, arrests in Ukraine, and a showcase of LockBit's bespoke StealBit tool.
LockBit's financials suggest that the group may have extorted billions over the years, with the organization's infrastructure being dismantled by law enforcement.
Despite the setbacks, LockBit members claim the ability to rebuild their infrastructure and maintain their identity secrecy, challenging law enforcement's narrative. | Details |
| 2024-02-23 14:18:06 | bleepingcomputer | DATA BREACH | U-Haul Notifies Customers of Data Breach Involving Stolen Credentials | U-Haul has informed customers about a data breach after a hacker gained access to their internal system using stolen credentials.
The compromised system was used by dealers and team members to track reservations and view customer records.
Personal information such as full names, dates of birth, and driver’s license numbers was exposed; however, payment information was not affected.
U-Haul, established in 1945 with an annual revenue over $4.5 billion, is now offering customers a one-year identity theft protection service.
The company has reset passwords for all affected accounts and strengthened security measures to prevent future breaches.
The exact number of customers affected by the breach is currently undetermined.
This incident follows a previous breach disclosed in September 2022, where customer rental contracts were accessed using compromised credentials.
U-Haul's website was down when the article was written and the company has yet to release further details on the breach's full impact. | Details |
| 2024-02-23 13:47:19 | theregister | MISCELLANEOUS | Enhancing Cloud Security Through Advanced Automation Webinar | The webinar addresses the increasing complexity of cloud security and the challenges it presents to security practitioners.
It will cover how advanced automation can improve policy management in multi-cloud environments, reducing the risk of misconfigurations and attacks.
Palo Alto Networks has developed Prisma Cloud, a platform designed to secure cloud-native applications with automated policy management.
The webinar, sponsored by Palo Alto Networks and Accenture, includes a demonstration of Prisma Cloud and its features for automated remediation and security monitoring.
Alex Pai from Palo Alto Networks will illustrate the process of cloning and enhancing security policies, as well as the integration with various public cloud services.
Participants will learn how to set up alerts, automate ticketing for incidents, and automatically generate code and configuration changes.
The webinar aims to provide valuable insights for security professionals struggling with the dual challenge of evolving cyber threats and rapid technology changes.
Interested parties can sign up for the webinar taking place on February 26, with reminders to ensure attendance. | Details |
| 2024-02-23 12:15:32 | bleepingcomputer | MALWARE | Ransomware Strikes via ScreenConnect Flaws Despite LockBit Takedown | Sophos observed attackers exploiting ScreenConnect vulnerabilities to deploy LockBit ransomware variants.
The attacks target an authentication bypass flaw (CVE-2024-1709) on ScreenConnect servers that have not yet applied ConnectWise's recent security updates.
CISA has mandated federal agencies to patch the vulnerability by February 29 after noticing widespread exploitation.
LockBit ransomware’s infrastructure was previously disrupted in Operation Cronos, but the ransomware still remains active.
Some affiliates of LockBit continue operations using leaked tools, impacting sectors like local government and healthcare.
Efforts against LockBit included international arrests and U.S. indictments against Russian suspects, with the US offering rewards for information on gang members. | Details |
| 2024-02-23 11:34:15 | thehackernews | MISCELLANEOUS | Enhancing Security Ops with Tines's Automation Matrix | Tines's SOC Automation Capability Matrix (SOC ACM) is a customizable, vendor-agnostic guidance framework to help security operations teams optimize their automation capabilities and incident response.
The tool has been recommended by security community members and has seen adoption across industries such as Fintech and Cloud Security.
It offers a structural approach to thinking about and implementing automation capabilities without being tied to specific products.
The SOC ACM is divided into categories with different automation capabilities and is designed to adapt to what organizations find most valuable, whether beginner or advanced.
An example use case for the SOC ACM is enhancing phishing response processes through a structured automation workflow leveraging capabilities such as Email Security Gateways, Domain Analysis, File Analysis, and User Notifications.
Walking through the matrix in sequence shows the enrichment, analysis, and communication stages that effective security automation depends on.
The matrix supports customization and collaboration through its GitHub repository, catering to different organizational needs and reporting tools to demonstrate automation value to leadership.
A case study with a Fintech company highlighted the matrix's ability to prioritize workflows, measure time savings, and pinpoint future automation opportunities. | Details |
| 2024-02-23 11:34:14 | thehackernews | MISCELLANEOUS | Microsoft Debuts PyRIT for Evaluating AI System Risks | Microsoft has introduced PyRIT, a tool for red teams to assess potential risks and vulnerabilities in generative AI systems.
Designed for various organizations, PyRIT aims to complement rather than replace manual red teaming practices for responsible AI innovation.
The framework focuses on identifying potential harms including misuse, prohibited content, security issues such as malware generation, and privacy concerns such as identity theft.
PyRIT includes elements like a scoring engine, multiple interfaces, and a memory component for managing data during red team exercises.
The tool can help researchers establish a performance baseline and monitor the impact of future model enhancements on the identified harm categories.
Microsoft emphasizes the necessity of manual probing alongside automation to detect blind spots in AI systems, acknowledging that the process of identifying risks in generative AI is probabilistic and varies by system architecture.
The release coincides with Protect AI's disclosure of critical security flaws in AI supply chain platforms, highlighting the importance of continuous scrutiny and risk management in the field of AI. | Details |
| 2024-02-23 09:42:02 | bleepingcomputer | CYBERCRIME | Optum Subsidiary Disrupted by Suspected Nation-State Cyberattack | UnitedHealth Group's Optum subsidiary suffered a cyberattack on its Change Healthcare platform, which the company attributes to a suspected nation-state actor.
The attack caused a significant outage, disrupting payment exchange services in the U.S. healthcare system and prompting system shutdowns.
Optum's Change Healthcare is integral to healthcare operations in the U.S., affecting electronic health records, payment processing, and data analytics.
Widespread issues in healthcare clinics, billing companies, and pharmacies have emerged, with pharmacies notably unable to process insurance claims.
The American Hospital Association has advised healthcare organizations to disconnect from Optum systems until safety can be assured.
Institutions such as Columbia University have blocked connections to UnitedHealth Group domains to protect their systems from the cyber threat.
The outage has also impacted Tricare, impairing the ability of military pharmacies to process prescriptions normally, forcing manual processing.
Although the nature of the attack is not fully disclosed, it displays characteristics of a ransomware incident, with potential theft of patient and corporate data for leverage. | Details |
| 2024-02-23 05:37:25 | theregister | NATION STATE ACTIVITY | Government Orders Social Media Crackdown Amid Indian Protests | X suspended accounts in India after receiving government orders backed by the threat of legal penalties, while stating that it supports freedom of expression and disagrees with the orders.
The suspension of accounts is connected with the ongoing farmers' protests demanding a floor price for produce, contrasting with the government's push for free market policies.
India's Ministry of Electronics and IT directed social media platforms to block 177 accounts allegedly to maintain public order, with the takedown notices issued for multiple social networks including Facebook, Instagram, and Twitter/X.
The Software Freedom Law Center (SFLC) accused the Indian government of suppressing dissent through internet shutdowns and social media bans linked to the farmers' strikes.
Mobile internet services were disrupted in at least ten districts, a move the SFLC criticizes as an affront to democratic freedoms.
India leads in government-imposed internet shutdowns, with 84 recorded in 2022, making up approximately 45% of global shutdowns that year. | Details |