Daily Brief

Total articles found: 11783

2024-02-21 14:12:19 theregister CYBERCRIME LockBit Ransomware Affiliate Network and Tools Exposed by Law Enforcement
The National Crime Agency (NCA) controls the LockBit site and has exposed nearly 200 registered affiliates from the past two years. Law enforcement agencies across multiple countries collaborated to take down the world's leading ransomware gang, LockBit. Affiliates use LockBit's ransomware-as-a-service to extort victims and earn a commission, contributing to the spread of the ransomware. Internal LockBit data reveals the aliases used by affiliates, the amounts extorted, and operational details following a significant information leak. Authorities warn LockBit affiliates that their detailed activities are now exposed and promise further investigations and potential legal action. LockBit had developed a tool called StealBit for data exfiltration, which was integral to its operations; law enforcement has analyzed and neutralized StealBit's servers. The data breach gives law enforcement vital information for pursuing individuals who participated in the LockBit ransomware program, potentially leading to arrests and further disruption of cybercrime activities.
2024-02-21 14:01:53 theregister MISCELLANEOUS Improve Cloud Security with Automated Policy Management Tools
Cloud security practitioners face growing complexity in managing risks associated with cloud-native applications and multi-cloud architectures. The prevalence of misconfigurations and the threat of malicious attacks necessitate more efficient security policy management strategies. Palo Alto Networks introduces Prisma Cloud, a cloud-native application protection platform designed for "code-to-cloud" security and advanced policy management automation. A webinar hosted by The Register, featuring Palo Alto Networks' Alex Pai, will discuss the benefits of automated policy management and demonstrate Prisma Cloud's capabilities. Prisma Cloud enables streamlined monitoring and security management across cloud infrastructures, offering features like cloning and enhancement of policies and automated remediation. The webinar will also cover how to set up alerts, automate ticket creation for tracking issues more efficiently, and perform automatic code and configuration changes with pull requests. Interested individuals are encouraged to sign up for the webinar to learn how to manage security policies more effectively in the cloud environment.
2024-02-21 13:10:47 thehackernews NATION STATE ACTIVITY Mustang Panda Deploys Advanced DOPLUGS Backdoor in Asia
Mustang Panda, a China-linked threat actor, has utilized an advanced form of PlugX malware, called DOPLUGS, to target multiple Asian countries. The DOPLUGS variant is designed primarily as a downloader for the full-featured backdoor and has been actively used against Taiwan, Vietnam, and other Asian regions. The cyber espionage group carries out spear-phishing campaigns to deploy its custom malware and has a history of creating specialized PlugX versions. Researchers identified a new strain of the DOPLUGS malware that is written in the Nim programming language and uses its own RC4 decryption routine instead of standard Windows libraries. DOPLUGS was first identified by Secureworks in September 2022 and includes backdoor commands that enable further malicious downloads and control by Mustang Panda. Trend Micro discovered that DOPLUGS also hosts the KillSomeOne module, which is adept at spreading via USB drives and conducting document theft and information collection. The continual refinement of its tools indicates that Mustang Panda remains highly active and poses a persistent threat, especially in Europe and Asia.
2024-02-21 11:33:52 thehackernews MISCELLANEOUS Streamlining SaaS Identity Governance with Automated Solutions
SaaS identity governance is a challenging task for IT teams due to the need to manage numerous applications and their individual security settings and controls. Nudge Security offers a SaaS security and governance solution to simplify this process, involving automated workflows and engagement with application owners. The tool helps to discover and categorize all SaaS apps within an organization, providing security profiles and allowing IT teams to greenlight or reject apps through automated notifications. It facilitates the creation and sharing of an approved app directory among employees, streamlining the process of requesting and granting access while maintaining centralized governance. Nudge Security automates the determination of each app's likely technical contact and periodically verifies ownership, reducing administrative overhead. The solution allows for the automation of user access reviews, ensuring compliance with various standards and generating reports for auditors. Unused and abandoned SaaS accounts can be easily identified and purged, providing cost savings and keeping account statuses up-to-date with visually appealing analytics. Nudge Security ensures thorough offboarding of employees by identifying all accounts associated with their organization's email, managing OAuth grants, and revoking access to minimize security risks. The company offers a free 14-day trial, coupled with a free risk assessment from Vanta to assess security and compliance posture and uncover shadow IT.
2024-02-21 09:26:42 thehackernews CYBERCRIME Ransomware Crisis Disrupts Patient Care in U.S. Hospitals
Thanksgiving Day 2023 saw a ransomware attack on U.S. hospitals, with systems failing and ambulances diverted, resulting in compromised patient care. Cybercriminals are increasingly targeting small to mid-sized healthcare organizations to steal sensitive data and extort ransoms, resulting in impaired healthcare delivery. The U.S. Department of Health and Human Services (HHS) has documented a 93% increase in large data breaches from 2018 to 2022, with ransomware breaches going up by 278%. Phishing attacks, particularly via email, have become the leading method of compromising healthcare systems, with over 90% of cyberattacks on these organizations stemming from such scams. Small to mid-sized businesses (SMBs) often lack dedicated cybersecurity experts due to budget constraints, and healthcare organizations spend less than 6% of their IT budgets on cybersecurity, making them easier targets. The article stresses the importance of adopting a defense-in-depth approach to cybersecurity in healthcare, advocating for multi-factor authentication (MFA), security awareness training (SAT), and managed endpoint detection and response (EDR) as protective measures. Huntress is offered as a solution for healthcare cybersecurity, providing a managed EDR service monitored 24/7 by a Security Operations Center, able to prevent, detect, and remediate cyber threats.
2024-02-21 08:25:30 theregister NATION STATE ACTIVITY EU's NIS2 Directive Aims to Enhance Cybersecurity Across Europe
The EU's updated NIS2 Directive addresses rising threat levels and increased cyberattacks by strengthening cybersecurity requirements. NIS2 is set to become law in October 2024, imposing stricter measures on over 160,000 companies, with penalties of up to €10 million for non-compliance. The directive expands the scope of organizations and sectors covered, intending to safeguard the security of supply chains and critical infrastructure. Reporting obligations have been streamlined under NIS2, aiming to facilitate a more effective cybersecurity regime across member states. A webinar is scheduled for February 28 to discuss the directive's details, relevant articles, and compliance strategies, featuring cybersecurity experts Dr. Carsten Huth and Reinier Landsman. Early preparation for the NIS2 Directive is essential for organizations to avoid sanctions and enhance their cybersecurity practices in line with EU regulations. The webinar is supported by Checkmarx, an application security testing firm, which encourages interested parties to sign up for insights into NIS2 compliance.
2024-02-21 08:20:14 theregister CYBERCRIME Surge in Cyber Attacks Using Stolen Legitimate Credentials
IBM X-Force and CrowdStrike reports indicate a sharp rise in cyber attacks utilizing valid credentials, with IBM noting a 71% increase in such attacks. Compromised valid accounts are now the most common initial access point for cybercriminals, constituting 30% of incidents X-Force responded to in 2023. Cloud account credentials are highly sought after in dark web markets, making up 90% of for-sale cloud assets. Even though phishing remains a prevalent threat, the overall volume has decreased by 44% from the previous year, partially due to attackers favoring legitimate credential use. Attackers are increasingly exploiting API keys, session cookies, OTPs, and Kerberos tickets, blending into the environment by utilizing legitimate tools and identities. The infamous group Scattered Spider has conducted sophisticated extortion attacks, using techniques like SIM swapping and social engineering to breach high-profile targets. Nation-state linked attackers, including Cozy Bear, continue to engage in identity-based attacks, often circumventing multi-factor authentication and leveraging leaked or stolen credentials.
2024-02-21 08:04:45 thehackernews MALWARE New 'VietCredCare' Malware Hits Vietnamese Facebook Advertisers
The malware, named VietCredCare, has been targeting Facebook advertisers in Vietnam since August 2022. Developed by Vietnamese-speaking cybercriminals, it specifically harvests Facebook session cookies and credentials from compromised devices. VietCredCare checks whether the Facebook accounts have business profiles and positive Meta ad credit balances for targeted takeovers. The malware is sold as a service, allowing others either to access a botnet or to purchase the source code for their own use. It spreads through fake software links on social media, disguised as legitimate applications like Microsoft Office or Acrobat Reader. Capabilities include the extraction of browser credentials and the evasion of Windows security features like AMSI and Windows Defender. Several government, educational, financial, and e-commerce institutions in Vietnam have been compromised by this malware. Group-IB warns of the increasing risk of cybercrime as such stealer-as-a-service models allow non-technical individuals to perpetrate crimes.
2024-02-21 07:34:02 theregister MISCELLANEOUS GDPR Impact Study Reveals Substantial Cost Increase for EU Firms
GDPR has led to significant reductions in data storage and processing for European companies due to increased management costs. The cost of GDPR compliance can range from $1.7 million for SMBs to $70 million for large organizations. European firms decreased data storage by 26% and data processing by 15% compared to US firms. GDPR has necessitated measures that, on average, represent a 20% increase in the cost of data for EU firms, with even higher impacts on data-intensive industries. GDPR compliance has also led to higher information production costs, but not as much as data storage or computation costs. The economic study did not assess the benefits of GDPR to consumers, though prior research indicates it generally provides positive privacy benefits.
2024-02-21 07:18:36 thehackernews MISCELLANEOUS Signal Enhances Privacy with Optional Usernames Feature
Signal, the encrypted messaging app, has introduced a feature for creating unique usernames, enhancing user privacy by allowing individuals to communicate without sharing their phone numbers. This measure is a response to privacy concerns, ensuring that a user's phone number will no longer be automatically visible to everyone they chat with. Contacts who already have a user's phone number saved will continue to see it, maintaining convenience for known connections. To further reduce the risk of impersonation, usernames require the inclusion of two or more digits at the end and can be changed multiple times if desired. Signal is making the visibility of phone numbers an opt-in feature, going a step further to conceal them by default from those not saved in a user's contacts list. Additionally, Signal has introduced a privacy setting that allows users to control who can find them by their phone number within the app, restricting unsolicited messages. These updates are part of Signal's ongoing efforts to provide secure, private communication options for its users in an increasingly security-conscious digital landscape.
2024-02-21 06:07:14 thehackernews CYBERCRIME Ukrainian Defense Targeted by Russian-Linked Disinformation Cyberattacks
Russian-aligned hackers have targeted Ukraine with disinformation and attempts to harvest Microsoft login credentials through spam emails and spear-phishing attacks. ESET, a Slovak cybersecurity firm, attributed the attacks to Russian threat actors and codenamed the campaign 'Operation Texonto.' The disinformation spread involved emails with PDF attachments about heating, drug, and food shortages in Ukraine, some pretending to be from Ukrainian ministries. The campaign intensified with a second wave of emails during the holiday season, some suggesting extreme measures to avoid military drafts, and targeted Ukrainian speakers in Europe. Attackers used a domain initially involved in phishing to send spam advertising a fake Canadian pharmacy, possibly as a financial ploy after the phishing campaign was uncovered. Though no specific Russian threat actors were identified, techniques used in Operation Texonto overlapped with those of COLDRIVER, known for credential phishing. The situation reflects the ongoing influence operations amidst the war, alongside the decline of Russian state media's reach on social media platforms due to Western blocks and a strategy shift towards domestic audiences.
2024-02-21 05:36:33 thehackernews CYBERCRIME VMware Advises Uninstalling Plugin to Counter Critical Security Flaw
VMware has issued an advisory to uninstall its Enhanced Authentication Plugin (EAP) due to a critical security vulnerability. The flaw, identified as CVE-2024-22245 with a CVSS score of 9.6, could allow attackers to request and relay service tickets for arbitrary Active Directory Service Principal Names (SPNs). EAP has been deprecated since March 2021 and was used for direct login to vSphere's management interfaces via web browsers. An additional session hijack flaw, CVE-2024-22250 with a CVSS score of 7.8, was also found, allowing potential privilege escalation on Windows systems. VMware will not release a fix; instead, it recommends complete removal of EAP from client systems to mitigate the risk. The article also references a separate incident in which SonarSource disclosed moderate-severity XSS vulnerabilities (CVE-2024-21726) in the Joomla! CMS, which have been patched. Critical vulnerabilities and misconfigurations in Salesforce's Apex programming language were identified, potentially allowing data leakage, corruption, and business function compromise.
2024-02-21 04:35:25 theregister MISCELLANEOUS Inefficiencies in China's Complex Censorship Bureaucracy Revealed
China's censorship system is extensive but suffers from bureaucracy overlap, inconsistent development, and underfunding, a USCC-commissioned report by Exovera reveals. Key censorship agencies in China, like the Central Propaganda Department and Cyberspace Administration, have overlapping functions, leading to inefficiencies. Local censorship efforts are disorganized, with regional governments relying on ad hoc channels for information control, often criticized for being "careless" in their approach. The lack of skilled staff at local levels means censorship duties sometimes fall to part-time workers or volunteers, creating potential for information control gaps that may incite social unrest. Despite varying resources—some regional bodies operate with limited budgets and human resources—uniform results are expected in the implementation of censorship. Chinese internet service providers and technology giants contribute to the censorship efforts with dedicated in-house or outsourced teams. Recommendations for the US include promoting alternative views in China through methods like satellite broadband, and developing tools to defend against China's propaganda and botnet attacks. The think tank urges the US to study Chinese tactics in influencing foreign companies and to consider sanctions on technology that supports China's AI-powered censorship.
2024-02-21 01:01:51 theregister CYBERCRIME Singapore Central Bank Urges Financial Sector to Prep for Quantum Threats
The Monetary Authority of Singapore (MAS) has recommended that financial institutions prepare for quantum computing threats, suggesting the adoption of post-quantum cryptography (PQC) and quantum key distribution (QKD). MAS highlights that quantum computing could compromise current encryption and digital signature algorithms, posing significant cybersecurity risks within the coming decade. Financial institutions should monitor quantum computing advancements and ensure they can update cryptographic measures without disrupting current systems. MAS emphasizes the importance of awareness within institutions, especially among third-party providers and management, in understanding and mitigating quantum risks. Upgrading systems to be quantum-resistant is advised, along with implementing personnel training, setting standards, and preparing contingency plans. The advisory is likely to influence financial services across Asia, given Singapore's growing status as a regional financial hub. Industry experts support MAS's advisory, noting recent developments that show cryptographically relevant quantum computers may be nearer than expected. Cybersecurity professionals recommend early action to guard against potential "capture now decrypt later" attacks, highlighting the longevity of sensitive data's relevance.
2024-02-20 21:02:45 bleepingcomputer CYBERCRIME VMware Advises Removal of Outdated Plugin to Thwart Attacks
VMware issued a warning for admins to remove a vulnerable authentication plugin, the Enhanced Authentication Plug-in (EAP). Two unpatched security vulnerabilities, CVE-2024-22245 and CVE-2024-22250, enable authentication relay and session hijack attacks in Windows domain environments. The EAP allows seamless logins to VMware's management interfaces but has been deprecated since vCenter Server 7.0 Update 2 in March 2021. There are no current indications that the vulnerabilities have been exploited in the wild; nevertheless, VMware provides guidelines for removing or disabling the plugin. The deprecated plugin must be manually installed, and VMware recommends using alternative authentication methods like Active Directory over LDAPS or ADFS. VMware also disclosed that a critical vCenter Server vulnerability patched in October was actively exploited by the UNC3886 Chinese cyber espionage group for over two years.