Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11783
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-22 05:31:19 | thehackernews | CYBERCRIME | U.S. Announces $15 Million Reward for Information on LockBit Ransomware | The U.S. State Department is offering up to $15 million for information on the LockBit ransomware group's leaders and participants. LockBit has executed over 2,000 attacks worldwide since January 2020, with victims paying more than $144 million in ransoms. A U.K. National Crime Agency-led operation has recently disrupted the LockBit group, which is linked to Russia and has been operating for over four years. LockBit operates as Ransomware-as-a-Service (RaaS), using affiliates to carry out attacks and sharing the proceeds of ransom payments. The group is known for its high frequency of attacks and willingness to target any type of infrastructure, making it highly destructive. Following an investigation that began in April 2022, arrests were made and servers seized, potentially allowing victims to recover data without payment. Despite these disruptions, cybersecurity experts warn that the group could quickly regroup and resume operations under a different name. | Details |
| 2024-02-22 01:57:44 | bleepingcomputer | DATA BREACH | Microsoft Enhances Federal Agencies' Logging after Exchange Breach | Microsoft has expanded free logging features for Purview Audit standard customers, following a May breach involving Chinese hackers. Enhanced logging capabilities will help detect similar cyberattacks and comply with U.S. federal logging requirements. The expansion includes an automatic increase in log retention from 90 to 180 days, with no additional costs or configuration. The changes align with CISA's Secure by Design guidance and respond to criticism of Microsoft's previous logging license policies. Microsoft's actions follow the exposure of an Exchange Online breach in which 60,000 emails from U.S. State Department officials were compromised. Senator Ron Wyden criticizes Microsoft for profiting from cybersecurity vulnerabilities and suggests holding software companies accountable for negligence. | Details |
| 2024-02-21 22:59:51 | bleepingcomputer | CYBERCRIME | Joomla Patches Critical XSS Vulnerabilities Preventing RCE Attacks | Joomla has released fixes for five security vulnerabilities, with versions 5.0.3 and 4.4.3 containing the necessary patches. The most critical flaw, CVE-2024-21725, poses a high risk of remote code execution (RCE) and has a high probability of exploitation. Another issue, CVE-2024-21726, affects the CMS's core filter component, enabling cross-site scripting (XSS) attacks that could lead to RCE. XSS vulnerabilities allow attackers to inject malicious scripts that run when other users access the affected page, with administrator accounts being the key target for exploitation. A successful exploit requires an administrator to click on a malicious link, so user interaction is necessary for the vulnerability to be triggered. Recognizing the threat, vulnerability researchers have withheld technical details to give admins time to update their systems. Joomla administrators are urged to apply the updates promptly to mitigate these risks and secure their websites against potential attacks. | Details |
| 2024-02-21 22:34:09 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Enhances Federal Agencies' Access to Audit Logs Post-Breach | Microsoft has expanded free Purview Audit logging for U.S. federal agencies after a breach involving Chinese hackers. The breach occurred between May and June 2023 and involved emails stolen from U.S. government accounts through Exchange Online. Enhanced logging will now be automatically enabled and available to agencies regardless of license tier, with retention increased to 180 days. This move aligns with mandates from OMB Memorandum M-21-31 and CISA's Secure by Design guidance, both of which advocate accessible, high-quality audit logs. A hacking group identified as Storm-0558 forged authentication tokens using a stolen Microsoft consumer key and accessed emails from around 25 organizations, including State Department officials, stealing over 60,000 emails. The expansion of logging capabilities was influenced by CISA's pressure on Microsoft, following criticism for limiting advanced logging to premium licenses. U.S. Senator Ron Wyden criticized Microsoft for profiting from security fees while failing to provide basic security measures without additional costs. | Details |
| 2024-02-21 22:13:30 | theregister | NATION STATE ACTIVITY | Biden Empowers Coast Guard To Boost Port Cybersecurity | President Biden is set to authorize the US Coast Guard to enhance cybersecurity measures within the American marine transportation system (MTS). The USCG will gain "express authority" to tackle malicious cyber activities threatening ports, which are vital to the US economy and national security. New executive powers will enable Port Captains to establish "security zones" where they can regulate access and conduct searches to safeguard against digital threats. The move addresses concerns about foreign-produced cranes, especially Chinese-manufactured ones, which dominate US ports and may be exploited remotely. An upcoming Maritime Security Directive by the USCG will address cybersecurity for the more than 200 Chinese ship-to-shore cranes present at US ports. Further cybersecurity standards for the MTS are expected, including incident reporting rules that align with international and industry norms. Under the new executive order, cyber incidents that pose a threat to vessels or ports must be reported immediately to federal authorities, including the FBI, CISA, and the USCG. | Details |
| 2024-02-21 21:17:20 | theregister | CYBERCRIME | Two Convicted in Multi-Million Dollar Counterfeit iPhone Scheme | Two Chinese nationals, Haotian Sun and Pengfei Xue, face up to 20 years in prison for mail fraud and conspiracy. They attempted to defraud Apple by sending in over 5,000 fake iPhones, aiming to receive genuine replacements under warranty. The fraudulent activity aimed to cause Apple a loss exceeding $3 million and occurred between 2017 and 2019. The counterfeit iPhones, imported from Hong Kong, were submitted for repair using spoofed serial and IMEI numbers. Sun, Xue, and their co-conspirators used UPS mailboxes in the DC area to facilitate their scheme. The duo was apprehended by U.S. postal inspectors in December 2019 and awaits sentencing, scheduled for June 21. The case echoes a similar scam in California where nearly 10,000 counterfeit devices were exchanged by Apple. Apple recently regained its position as the leading smartphone brand in China and Europe, surpassing Honor and Samsung respectively. | Details |
| 2024-02-21 21:11:51 | theregister | CYBERCRIME | Apple Enhances iMessage with Quantum-Resistant Encryption | Apple has announced an upgrade to iMessage's cryptographic protocol, named PQ3, to protect against potential future quantum computer attacks. PQ3 aims to prevent the decryption of messages by quantum computers, which could theoretically break current encryption methods. The technology is designed to be quantum-resistant, with Apple claiming PQ3 offers the strongest security of any large-scale messaging protocol. PQ3 is being tested in developer previews and betas, with plans to fully replace iMessage's existing encryption protocol by year's end. Unlike previous security levels, PQ3 employs post-quantum cryptography in both the initial key establishment and the ongoing rekeying of sessions. iMessage with PQ3 will use Elliptic Curve cryptography augmented by Kyber post-quantum public keys, aligning with NIST recommendations for post-quantum data protection. PQ3 introduces a rekeying process modeled after ratcheting techniques to continuously enhance security during conversations. Apple's PQ3 protocol has been verified internally and externally by cryptography experts, who found no security flaws in their assessments. | Details |
| 2024-02-21 21:11:50 | bleepingcomputer | MALWARE | Hackers Leverage Google Cloud Run in Banking Trojan Onslaught | Security researchers identified a large-scale campaign distributing banking trojans via Google Cloud Run. Attackers targeted users with phishing emails in Spanish and Italian, posing as legitimate financial or governmental communications. The malicious emails contain links that lead to malware hosted on Google Cloud Run, often delivered as MSI installer files. The banking trojans involved are Astaroth, Mekotio, and Ousaban, which aim to steal sensitive financial data and credentials. Attack techniques include using BITSAdmin for payload delivery, evading detection, establishing persistence on systems, and redirecting victims to fake banking portals for credential phishing. Astaroth has expanded beyond Brazil and is now targeting a wider range of countries in Latin America, as well as cryptocurrency exchanges. There is potential collaboration between different malware operators, or possibly a single actor managing multiple trojans. As of the article's publication, Google has not commented on measures to mitigate this misuse of its service. | Details |
| 2024-02-21 20:30:59 | bleepingcomputer | CYBERCRIME | Two Charged in Multi-Million Dollar Fake iPhone Replacement Scam | Two Chinese nationals were convicted for attempting to defraud Apple by seeking replacements for over 5,000 counterfeit iPhones, with a combined value of over $3 million. Leveraging Apple's warranty and replacement programs, the fraudsters, Haotian Sun and Pengfei Xue, submitted fake devices to Apple's repair and replacement services between July 2017 and December 2019. The counterfeit iPhones, shipped from Hong Kong to the US, carried spoofed serial numbers and IMEI numbers to mimic non-functioning genuine devices. The scheme involved using legitimate identification to open mailboxes at commercial mail receiving agencies and receiving replacement iPhones through UPS, FedEx, and DHL. Once replaced by Apple, the genuine iPhones were shipped back to conspirators in Hong Kong to be sold for profit. Following their arrest by U.S. postal inspectors in December 2019, both Sun and Xue face a maximum sentence of 20 years in prison, with sentencing scheduled for June 21, 2024. | Details |
| 2024-02-21 19:04:08 | bleepingcomputer | MALWARE | Stealthy SSH-Snake Malware Infects Networks by Stealing SSH Keys | The SSH-Snake malware operates as a self-modifying worm that maps networks and steals SSH keys to spread undetected. Discovered by Sysdig's Threat Research Team, the malware stands out by not following the usual patterns associated with scripted SSH worms. It searches for private keys across common locations, including shell history files, and uses them to move laterally across networks. The open-source tool used by SSH-Snake is designed for automated SSH-based network traversal and maps how systems are interconnected through SSH. Released on January 4, 2024, SSH-Snake is a bash shell script capable of modifying itself to appear smaller, thus evading detection. The malware can be customized to suit operational needs, enhancing its ability to locate and use private keys. A command and control server associated with SSH-Snake has been uncovered, revealing active exploitation of vulnerabilities and the harvesting of credentials. Researchers estimate that approximately 100 victims have been affected, marking SSH-Snake as an evolutionary step in malware targeting corporate environments. | Details |
| 2024-02-21 18:43:34 | bleepingcomputer | NATION STATE ACTIVITY | US Agencies Issue Cybersecurity Defense Guidance for Water Utilities | CISA, FBI, and EPA jointly released a defense measures fact sheet for U.S. water utilities, highlighting 8 key actions to mitigate cyberattacks. The agencies advocate reducing key assets' exposure to the public internet, conducting regular security assessments, and changing default passwords. Recommendations include implementing multifactor authentication, creating asset inventories, routinely backing up systems, and patching vulnerabilities. Water utilities are urged to develop incident response plans and conduct annual cybersecurity awareness training for employees. Recent ransomware attacks on water treatment companies have prompted these measures to ensure the resilience and safety of critical water infrastructure. The agencies offer support and tools for water utilities to improve their cyber resilience and have previously released security programs and incident response guides for this critical sector. | Details |
| 2024-02-21 17:47:21 | theregister | CYBERCRIME | ConnectWise Urges Prompt Patching of Critical RCE Vulnerabilities | ConnectWise's ScreenConnect has a critical remote code execution (RCE) vulnerability rated 10/10 on CVSS and a second, related path traversal flaw rated 8.4. Security researchers from Horizon 3 and Huntress have easily developed working exploits for these vulnerabilities. ConnectWise has since updated its advisory to report compromised accounts, after the initial disclosure stated there was no evidence of active exploitation. Exploiting the vulnerability allows an attacker to overwrite the internal user database, effectively granting administrative access to the system. From there, attackers can use ScreenConnect's built-in extension feature to execute .NET code as SYSTEM, or use the path traversal flaw to achieve direct code execution without installing a malicious extension. All on-premises versions of ScreenConnect up to 23.9.7 are affected, with a strong recommendation to update to version 23.9.8 immediately; cloud customers should already be updated. A few attacker IP addresses have been identified and shared to help organizations monitor for and potentially halt in-progress attacks. Approximately 3,800 vulnerable ConnectWise instances exist, primarily in the US, highlighting the urgency of updating systems. | Details |
| 2024-02-21 17:21:40 | bleepingcomputer | CYBERCRIME | Urgent Update Recommended to Patch ScreenConnect Vulnerabilities | ConnectWise has disclosed two critical vulnerabilities in ScreenConnect, urging immediate updates. The CVE identifiers CVE-2024-1708 and CVE-2024-1709 have been assigned to these security issues. Attackers began exploiting the vulnerabilities a day after ConnectWise's disclosure. ConnectWise confirmed that multiple accounts have been compromised through these exploits. Over 8,800 vulnerable ScreenConnect servers were initially exposed, with the number later dropping to around 3,800. Huntress has shared a detailed analysis, highlighting the ease of developing an exploit for these vulnerabilities. Indicators of Compromise (IoCs) have been provided so admins can check for unauthorized access. | Details |
| 2024-02-21 16:25:27 | bleepingcomputer | CYBERCRIME | U.S. Offers $15M Bounty for Capture of LockBit Ransomware Operators | The U.S. State Department is offering up to $15 million for information on LockBit ransomware gang members. A total of $10 million is available for details that could lead to identifying or locating the group's leaders. An additional $5 million is dedicated to tips that can help arrest their ransomware affiliates. The LockBit gang has been linked by the Department of Justice to over 2,000 victims, with more than $120 million extorted through ransom demands. The rewards are distributed through the Transnational Organized Crime Rewards Program (TOCRP), which has paid over $135 million for information since 1986. LockBit's infrastructure was recently dismantled, its dark web leak sites taken down, and authorities issued a free ransomware decryptor. Arrests have been made in multiple countries, with international arrest warrants issued and indictments unsealed against Russian suspects involved in LockBit activities. | Details |
| 2024-02-21 16:20:06 | thehackernews | CYBERCRIME | Wi-Fi Software Flaws Threaten Android and Linux Device Security | Two significant authentication bypass vulnerabilities were identified in Wi-Fi software affecting Android, Linux, and ChromeOS devices. The flaws, CVE-2023-52160 and CVE-2023-52161, allow attackers to lure users into connecting to malicious Wi-Fi networks and to join secure networks without a password. CVE-2023-52161 enables unauthorized access to Wi-Fi networks, potentially leading to malware infections, data theft, and business email compromise. The more critical CVE-2023-52160 affects devices that don't properly verify the authentication server's certificate, primarily impacting Android users. An attacker must know the network SSID and be near the victim to exploit CVE-2023-52160, posing risks particularly in business environments. Major Linux distributions have released advisories, and ChromeOS has a fix from version 118 onwards; however, Android fixes are still pending. Android users are urged to manually configure CA certificates for enterprise networks to mitigate the risk until an official fix is deployed. | Details |