Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-20 16:06:07 | theregister | CYBERCRIME | International Law Enforcement Successfully Dismantles LockBit Ransomware Operation | Western authorities dismantled LockBit ransomware infrastructure in a coordinated effort named "Operation Cronos." The takedown included the seizure of the group's leak site, once used to publish victim information, now repurposed to reveal LockBit's secrets. The UK's National Crime Agency (NCA) controls the leak site, with countdown timers indicating when new information will be released, including the identity of LockBit's leader. Arrests have been made in Ukraine and Poland, building on previous arrests in the US and Canada. Additional indictments have been issued against Russian nationals alleged to have deployed LockBit ransomware in the US. The NCA acquired LockBit's source code and intelligence data, revealing that ransom-paying victims' data was not always deleted as promised by the criminals. Over 200 cryptocurrency accounts associated with LockBit have been frozen, and victim decryptors are being made available through the FBI and Europol's "No More Ransom" portal. Further disclosures are planned throughout the week, culminating in the unveiling of LockBitSupp's identity and insights into the gang's cryptocurrency transactions before the leak site is closed permanently. | Details |
| 2024-02-20 15:25:07 | thehackernews | MALWARE | Novel 'Migo' Malware Attacks Redis Servers for Crypto Mining | A new malware campaign targeting Redis servers is facilitating cryptojacking by compromising Linux hosts for cryptocurrency mining. The campaign uses the Migo malware, a Golang ELF binary with obfuscation features that maintains persistence on infected machines. Migo works by disabling specific Redis server configurations to weaken security defenses and set up future attacks. It establishes persistence, removes competing miners, and deploys an XMRig installer for mining operations. Migo also disables SELinux and uses a modified version of the libprocesshider rootkit to conceal malicious activities. The campaign was discovered when unusual commands targeted honeypot instances of Redis servers, commonly used in cloud environments. While the operations resemble those of established cryptojacking groups, the exact intentions and targets remain partially unclear, demonstrating persistent evolution in cloud-focused attack strategies. | Details |
| 2024-02-20 15:19:45 | theregister | DATA BREACH | Wyze Camera Snafu Exposes Users' Feeds to Strangers | Wyze, a smart home security camera company, experienced a cybersecurity incident affecting around 13,000 users. Due to a third-party caching client library error, some Wyze customers had access to other users' camera feeds. The issue occurred following a system outage and the subsequent restoration of service, causing device ID and user ID mappings to be confused. Wyze took immediate action by revoking access to the Events tab and is implementing additional measures to prevent future incidents. Despite having a security team and undergoing multiple audits, Wyze acknowledged the incident as disappointing and contrary to their commitment to customer protection. The company is exploring new client libraries and has added extra verification layers to safeguard user-device relationships. Some Wyze users have reported feeling violated by the privacy breach, with discussions leaning towards negative sentiments and talk of review bombing across various platforms. | Details |
| 2024-02-20 15:04:05 | bleepingcomputer | CYBERCRIME | The Evolution of Ransomware: Targeting and the Cybercrime Supply Chain | Ransomware groups largely rely on the cybercrime supply chain, where access to targets is purchased rather than independently discovered. Infostealer malware, which steals sensitive data like credentials and then self-terminates, has seen significant growth and often results in ransomware attacks. Threat actors monetize stolen data via Telegram channels. Flare has tracked over 46 million stealer logs, with many containing corporate credentials. Initial access brokers specialize in gaining and selling access to company networks to ransomware groups and affiliates, with more than 500 entities breached in 2023. The ransomware ecosystem is expanding, with over 50 active groups and a complex network of affiliates who execute attacks and share profits. The competition among ransomware groups for skilled affiliates is intense, as demonstrated by public accusations and disputes on dark web forums. Building a Continuous Threat Exposure Management (CTEM) program is presented as essential for companies to disrupt the cybercrime supply chain and mitigate threats. Flare offers a Continuous Threat Exposure Management (CTEM) solution for organizations to detect, assess, and mitigate cyber threats, integrating with security programs to enhance defenses. | Details |
| 2024-02-20 14:38:15 | bleepingcomputer | CYBERCRIME | German Software Firm PSI Software Hit by Ransomware Attack | German-based PSI Software SE experienced a ransomware attack impacting its internal infrastructure. As a global software service provider for energy suppliers, PSI specializes in control systems and operational management solutions. The company initially reported a cyber incident on February 15, leading to the shutdown of various IT systems, including email. PSI Software subsequently confirmed the nature of the disruption as a ransomware attack, although the entry point remains unidentified. Investigations have not found any indication of the attack spreading to customer systems. Authorities are involved, with support from the Federal Office for Information Security. Ransomware group Hunters International has taken credit for the attack, claiming to have filched over 36,000 files (88 GB). The legitimacy of Hunters International's claim, including the data theft, is yet to be verified, highlighting the ongoing threat of ransomware-as-a-service operations. | Details |
| 2024-02-20 13:52:12 | thehackernews | MALWARE | Malicious PyPI Packages Employ DLL Side-Loading to Evade Detection | Cybersecurity experts detected two harmful packages on the Python Package Index (PyPI) that used DLL side-loading to run malicious code and dodge antivirus detection. The packages, NP6HelperHttptest and NP6HelperHttper, mimicked legitimate software tools related to ChapsVision's marketing automation solution. These packages were downloaded more than 700 times collectively before being removed from PyPI. They included scripts that downloaded a vulnerable executable and a malicious DLL, thereby side-loading the latter to conceal their true nature. The injected DLL communicated with an attacker-controlled domain to retrieve a Cobalt Strike Beacon, indicating an advanced persistent threat. This incident underscores the growing risks associated with software supply chain security, particularly concerning open-source repositories. Developers and organizations are being warned to remain vigilant against such sophisticated impersonation and side-loading tactics in repository ecosystems. | Details |
| 2024-02-20 13:16:23 | bleepingcomputer | CYBERCRIME | International Task Force Disrupts LockBit Ransomware Operations | International law enforcement has arrested two LockBit ransomware operators and issued further arrest warrants and indictments. A decryption tool has been created and released to help LockBit victims recover their encrypted files for free. In a coordinated effort named Operation Cronos, police have seized over 200 crypto-wallets and compromised LockBit's primary infrastructure. Europol's intervention has led to the takedown of 34 servers across eight countries and identified over 14,000 rogue accounts linked to cybercriminal activities. The joint action included national agencies such as the U.K.'s NCA, Europol, the FBI, and law enforcement from other countries, underscoring the global approach to combating ransomware. Over 1,000 decryption keys have been retrieved, which have been used to develop a free LockBit 3.0 Black Ransomware decryption tool, now available through the 'No More Ransom' portal. The exact amount of cryptocurrency in the seized wallets is unclear, but there is potential for ransom recovery similar to past FBI efforts. Law enforcement has gained a significant amount of data about LockBit's operations, which will aid in ongoing and future actions against the group's leadership, developers, and affiliates. | Details |
| 2024-02-20 13:00:42 | thehackernews | CYBERCRIME | Major Blow to LockBit: Ransomware Operation Dismantled, Arrests Made | Operation Cronos, led by the U.K. National Crime Agency, has successfully dismantled the LockBit ransomware operation and arrested key criminals. Two LockBit affiliates have been arrested in Poland and Ukraine, while indictments have been issued in the U.S. against two Russian nationals for LockBit ransomware attacks. Authorities obtained LockBit's source code, intelligence, and over 1,000 decryption keys, assisting victims in recovering their encrypted files. Over 200 cryptocurrency accounts associated with LockBit have been frozen, and the group's infrastructure, including affiliate servers and data leak site, has been taken down. The operation has damaged LockBit's credibility and operational capability, despite the possibility of the group attempting to rebuild its criminal enterprise. The ransomware group, operating since 2019, has affected more than 2,500 victims globally and amassed over $120 million from their illegal activities. A free decryption tool has been made available to victims through the No More Ransom project, offering relief without the need to pay ransoms. | Details |
| 2024-02-20 11:33:25 | bleepingcomputer | CYBERCRIME | Global Task Force Cracks Down on LockBit Ransomware Gang | Law enforcement agencies have made arrests and seized infrastructure in an international operation targeting the LockBit ransomware gang. Two LockBit operators were arrested in Poland and Ukraine, and authorities issued several international arrest warrants and indictments. Agencies from multiple countries collaborated in the operation, leading to the takedown of 34 servers and the control of LockBit's critical infrastructure. Law enforcement has developed a decryption tool to aid LockBit victims, available via the 'No More Ransom' portal. Over 200 crypto-wallets were seized, which may allow ransom payments to be recovered for some victims. A significant amount of LockBit's operational data was collected, aiding in continued efforts to dismantle the group and target its leaders, affiliates, and frameworks. LockBit's affiliate panel and dark web leak sites were confiscated, sending a strong message to affiliates and their criminal network. | Details |
| 2024-02-20 11:02:48 | theregister | DATA BREACH | Ex-Council Staffer Steals Thousands of Emails to Promote Business | An ex-employee of Stratford-on-Avon District Council misappropriated approximately 79,000 email addresses from a garden and waste collection database. The stolen email addresses were intended for the promotion of the individual's separate business venture. A linked database from Warwick District Council was also compromised due to a joint working arrangement between the two councils. The breach was discovered during an investigation following an alert in November; no financial or sensitive personal information was included in the stolen data. Stratford-on-Avon's chief executive has issued an apology, emphasizing that the breach was the result of the individual's actions, not systemic weaknesses. The perpetrator received an official caution from the police, who have confirmed the deletion of all stolen data, and the ICO has chosen not to pursue further action. Council executives from both councils have reassured residents that measures have been put in place to resolve the breach and have stressed the incident was an isolated occurrence. | Details |
| 2024-02-20 10:56:53 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Escalate Global Defense Sector Cyber Espionage | North Korean state-sponsored hackers are conducting a cyber espionage campaign targeting global defense industries to steal advanced technologies. The joint advisory issued by Germany and South Korea attributes the attacks to North Korea's pursuit of military advancements including ballistic missiles and submarines. The Lazarus Group has engaged in social engineering through fake or compromised LinkedIn profiles since August 2020, using the "Dream Job" operation to distribute malware. Victims are tricked with job opportunities and malware-infected documents that compromise their systems when opened. A separate attack on a defense research center involved a software supply chain attack via a web server maintenance vendor, allowing the infiltration of the facility and theft of sensitive information. The second North Korean hacking operation demonstrates the strategic use of supply chain vulnerabilities and the exploitation of trusted relationships to bypass high-security environments. North Korean hackers have adapted their laundering techniques using the YoMix bitcoin mixer following the shutdown of a previously preferred mixer, showing their ability to pivot in response to law enforcement. | Details |
| 2024-02-20 10:56:53 | thehackernews | CYBERCRIME | Combating Scattered Spider: Real-Time Incident Response Strategy | Scattered Spider targeted major financial and insurance institutions with notable ransomware attacks in 2023. Organizations often struggle with an effective incident response due to lack of preparedness for such attacks. Silverfort's threat research team developed an incident response playbook during an active Scattered Spider attack. The webinar will discuss the creation and execution of this response plan within a hybrid environment as the attack was unfolding. Challenges tackled included rapid response coordination, efficiency, and automating as much as possible. Insights will be shared on how to address lateral movement across three dimensions during an attack. Silverfort experts will provide a deep dive into their experiences and strategies in the upcoming limited-space webinar. A free risk assessment offer from Vanta is mentioned, highlighting the identification of security gaps and shadow IT. | Details |
| 2024-02-20 10:56:53 | thehackernews | MISCELLANEOUS | Securing SaaS Apps: Aligning with NIST Cybersecurity Standards | The NIST cybersecurity framework is instrumental in securing SaaS applications, despite challenges in policy configuration across varied applications. Role-based access control (RBAC) and specifically managing admin accounts are crucial for NIST compliance and SaaS security. A balance between having a necessary number of admins for redundancy and limiting the attack surface is vital for secure SaaS operations. External admin accounts are discouraged by NIST due to risks of compromised security outside the organization's control. Multi-factor authentication (MFA) for admin accounts and ideally all users is highlighted as an essential requirement according to NIST guidelines. SaaS configuration settings are key to preventing data leaks through unauthorized public sharing and should include measures like disabling public URL sharing and setting invite expirations. Strong password policies and avoiding common passwords can significantly decrease the risk of successful password spray attacks. Configuration management is critical since 25% of cloud-related security incidents originate from misconfigured settings, stressing the importance of aligning SaaS security with NIST standards. | Details |
| 2024-02-20 10:46:34 | thehackernews | MALWARE | Urgent Patch Released for Critical ConnectWise ScreenConnect Flaws | ConnectWise has updated ScreenConnect to fix two critical security vulnerabilities. Affected software versions are 23.9.7 and earlier; version 23.9.8 contains the necessary fixes. The severe flaws could potentially allow remote code execution and data breaches. No current evidence suggests these vulnerabilities have been exploited in the wild. Vulnerabilities were disclosed to ConnectWise on February 13, 2024. ConnectWise urges users of on-premise or self-hosted versions to install updates immediately. The company is also providing patches for releases 22.4 through 23.9.7 but recommends upgrading to the latest version. The security flaws currently do not have assigned CVE identifiers. | Details |
| 2024-02-20 09:09:25 | thehackernews | MALWARE | Critical Security Flaw in Bricks WordPress Theme Actively Exploited | A critical vulnerability in the WordPress Bricks theme, tracked as CVE-2024-25600 with a 9.8 CVSS score, is currently being exploited. The flaw allows unauthenticated threat actors to perform remote code execution on sites using versions of Bricks up to 1.9.6. The theme's developers released a patch in version 1.9.6.1 shortly after the issue was reported by security provider Snicco. The vulnerability is within the `prepare_query_vars_from_settings()` function and relates to insecure use of 'nonces' for permissions verification. WordPress security firm Wordfence observed over three dozen attempts to exploit this vulnerability since its public disclosure. The flaw was actively exploited starting February 14, a day after the vulnerability details were publicly disclosed. An estimated 25,000 active installations of the Bricks theme are at risk, and users are urged to update to the latest version. | Details |