Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11779

2024-02-20 08:28:28 theregister NATION STATE ACTIVITY EU Launches Investigation into TikTok Under New Digital Services Act
The EU opened an investigation into TikTok for potential breaches of the Digital Services Act (DSA) two days after the law came fully into effect. The probe focuses on TikTok's transparency and its obligations to protect minors on the platform. TikTok had submitted a risk assessment in September 2023 which did not fully satisfy the European Commission's concerns. Designated a Very Large Online Platform under the DSA because it has more than 45 million monthly users in the EU, TikTok is subject to the Act's strictest obligations. The in-depth investigation will assess TikTok's handling of illegal content, protection of minors, and data access practices. How long the Commission's investigation takes will depend on factors such as the complexity of the case and TikTok's cooperation. Potential penalties for non-compliance with the DSA include fines of up to six percent of TikTok's annual global turnover and enhanced EU supervision of the platform. TikTok has not yet publicly commented on the investigation, and further updates are pending.
2024-02-20 06:10:57 thehackernews NATION STATE ACTIVITY Iran and Hezbollah Wield Cyberattacks in Israel-Hamas Conflict
Iranian and Hezbollah-backed hackers have launched cyberattacks to influence public perception and sow chaos against the backdrop of the Israel-Hamas conflict. Google reports that Iran accounted for the majority of government-backed phishing activity targeting Israel in the six months before the October 7 attacks. Cyber operations included the dissemination of malware, wiper attacks, and espionage, carried out independently of the fighting on the ground. A notable threat group, GREATRIFT, and the hacktivist personas Karma and Handala Hack used malware and wiper strains to attack Israeli targets and shape narratives. Charming Kitten, an Iranian group, and Hamas-linked operatives deployed backdoors and spyware against media, NGOs, and software engineers in Israel. Hamas-associated DESERTVARNISH targeted Android devices with the MOAAZDROID and LOVELYDROID spyware, while Iran's MYSTICDOME used MYTHDROID and SOLODROID for intelligence collection. Microsoft's findings align with Google's, indicating increasingly sophisticated and destructive cyberattacks, including activity intended to aid Hamas and undermine Israel and its allies. Collaboration among various Iran-affiliated cyber groups shows a concerted effort to build cyber warfare and influence-operation capabilities.
2024-02-20 05:30:11 thehackernews CYBERCRIME Global Law Enforcement Operation Seizes LockBit Ransomware Domains
An international operation has seized darknet domains used by the LockBit ransomware group. Authorities from 11 countries, including the U.S. and U.K., coordinated the takedown, named Operation Cronos, with support from Europol. Law enforcement reportedly gained control of LockBit's infrastructure by exploiting a critical PHP security flaw on the gang's servers. The authorities also claim to hold LockBit's source code, victim details, stolen data, and internal communications. LockBit, active since September 2019, has claimed more than 2,000 victims and extorted an estimated $91 million from U.S. entities. The crackdown follows a similar takedown of the BlackCat ransomware group and coincides with the arrest of a Ukrainian national for unauthorized access and malware deployment.
2024-02-20 05:04:30 theregister MISCELLANEOUS Vietnam Initiates Collection of Biometrics for Comprehensive ID System
The Vietnamese government will start collecting comprehensive biometric data, including DNA and iris scans, from citizens in July as part of its new identification system. Amendments to the Law on Citizen Identification, passed in November last year, allow for the creation of a national database that will also hold data such as blood type and voice samples. The enhanced ID cards, mandatory for individuals over 14 years old, will combine multiple identification and certification functions, including health and social insurance as well as driver's licenses. The Ministry of Public Security will oversee the ID cards, which will exclude fingerprints and feature QR codes linked to personal data. Le Tan Toi, Chairman of the National Defense and Security Committee, supports the use of iris scans for identification, citing their stability over a person's lifetime. With roughly 70 million adults in the country, securely managing this volume of sensitive personal information presents significant challenges.
2024-02-20 01:21:00 theregister CYBERCRIME Global Law Enforcement Disrupts LockBit Ransomware Operations
The LockBit ransomware gang's leak website was seized by international law enforcement as part of a coordinated operation. A coalition of eleven nations, including the UK's National Crime Agency and the FBI, collaborated on the LockBit disruption. Visitors to the ransomware gang's .onion site are now greeted with law enforcement logos and a message about the takeover. More details on the extent of Operation Cronos against LockBit are expected to be revealed, outlining the successes of the operation. LockBit has been responsible for significant damage, executing at least 1,700 attacks in the U.S. and targeting a range of organizations, including a children's hospital and major companies. The group's business model evolved to put more pressure on affiliates to secure larger ransoms, signaling changes in the ransomware-as-a-service landscape. The disruption of LockBit, which is believed to have ties to Russia, carries geopolitical significance and may affect Russia's cyber-offensive capabilities.
2024-02-19 21:42:17 bleepingcomputer CYBERCRIME Global Law Enforcement Disruption of LockBit Ransomware Network
The notorious LockBit ransomware operation has been disrupted in a coordinated international effort called "Operation Cronos." The UK's National Crime Agency has taken control of LockBit's data leak website, displaying a law enforcement banner and indicating joint collaboration with the FBI and international partners. The ransomware gang's other dark web sites remained operational at the time of writing, despite the seizure of the leak site. A joint press release by the law enforcement agencies involved in Operation Cronos is scheduled to be published, detailing the disruption efforts. The LockBit ransomware-as-a-service (RaaS) operation emerged in September 2019 and has targeted numerous high-profile organizations, with cybersecurity authorities reporting at least $91 million extorted and approximately 1,700 attacks on U.S. entities since 2020.
2024-02-19 20:25:37 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Target Global Defense Sector in Espionage Ops
A North Korean cyber-espionage campaign is targeting the global defense industry to steal military technology. Germany's BfV and South Korea's NIS have released a joint advisory warning of ongoing operations by hackers associated with the North Korean government. The advisory details attacks carried out by the Lazarus group, explaining their tactics, techniques, and procedures (TTPs). One incident involved a supply-chain attack via a compromised IT service provider, giving the attackers a path into a maritime research center's systems. The second case involves "Operation Dream Job," a social engineering campaign targeting defense organization employees with fake job offers that lead to malware infections. Security recommendations include limiting service provider access, employing multi-factor authentication (MFA), adopting strict patch management policies, and educating employees on current attack trends. The agencies stress the importance of the principle of least privilege, strong authentication mechanisms, and proper audit logs to defend against such sophisticated attacks.
2024-02-19 19:39:36 bleepingcomputer DATA BREACH Schneider Electric Targeted by Cactus Ransomware, 1.5TB Data Stolen
Schneider Electric's network was breached, and 1.5TB of data was allegedly stolen by the Cactus ransomware gang. The ransomware group leaked 25MB of data on its dark web site, including scans of American passports and non-disclosure agreements. The attack occurred on January 17 and affected Schneider Electric's Sustainability Business division. Schneider Electric provides consulting services to high-profile clients, so the stolen data may include sensitive information on industrial control systems and compliance. The company has over 150,000 employees and reported $28.5 billion in revenue for 2023. Cactus ransomware uses double-extortion tactics and has been active since March 2023. The group gains access to networks through purchased credentials, malware distribution partnerships, phishing, and exploitation of vulnerabilities. Over 100 companies have been added to the Cactus data leak site, where the threat actors leak data or use it to extort ransom payments.
2024-02-19 18:48:24 bleepingcomputer CYBERCRIME Thousands of Exchange Servers Open to Privilege Escalation Exploit
A privilege escalation vulnerability in Microsoft Exchange Server (CVE-2024-21410) affects up to 97,000 internet-exposed servers, 28,500 of which have been confirmed as vulnerable. Microsoft patched the zero-day on February 13 (Exchange Server 2019 CU14 enables Extended Protection for Authentication by default), but many servers remain unpatched. Exchange Server is essential to business communication, making this vulnerability significant for email and collaboration security. The flaw lets an attacker relay a user's leaked Net-NTLMv2 hash to a vulnerable Exchange server and authenticate as that user, gaining that user's privileges on the server. Germany, the United States, and the United Kingdom are among the most affected countries. No public proof-of-concept exploit exists yet, but the potential for exploitation remains high. CISA has added CVE-2024-21410 to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch or stop using affected servers by March 7, 2024. Left unaddressed, the vulnerability can give attackers access to sensitive data and a foothold for broader network attacks.
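The relay described above is blocked when Extended Protection (channel binding) is set to Require on the Exchange virtual directories, which is what the February update turns on by default. The following is an added example, not code from the article or from Microsoft: it audits an exported IIS applicationHost.config (the sample below is constructed) and reports the extendedProtection tokenChecking value for each Exchange virtual directory; the list of directories is an assumption for the example, and any directory with no setting is reported as "None" because that is the IIS default.

```python
"""Audit Exchange IIS virtual directories for Extended Protection (EPA).

Added example, not from the article. It parses an exported IIS
applicationHost.config (constructed sample below) and reports the
extendedProtection tokenChecking setting for each Exchange vdir.
"""
import xml.etree.ElementTree as ET

# Virtual directories covered by the check (assumed list for this example).
EXCHANGE_VDIRS = (
    "Default Web Site/Autodiscover",
    "Default Web Site/EWS",
    "Default Web Site/mapi",
    "Default Web Site/OAB",
    "Default Web Site/Rpc",
    "Exchange Back End/EWS",
)

# Constructed applicationHost.config fragment: EWS hardened, mapi set to
# None, Autodiscover with no extendedProtection element at all.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/mapi">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""


def epa_status(config_xml, vdirs=EXCHANGE_VDIRS):
    """Return {vdir: tokenChecking} for every vdir in `vdirs`.

    A vdir with no <location> element, or with no <extendedProtection>
    element, is reported as "None": IIS defaults tokenChecking to None,
    which is exactly the state an NTLM relay needs.
    """
    root = ET.fromstring(config_xml)
    found = {}
    for loc in root.iter("location"):
        path = loc.get("path", "")
        if path not in vdirs:
            continue
        ep = next(loc.iter("extendedProtection"), None)
        found[path] = ep.get("tokenChecking", "None") if ep is not None else "None"
    return {v: found.get(v, "None") for v in vdirs}


def relay_exposed(config_xml, vdirs=EXCHANGE_VDIRS):
    """Sorted names of vdirs where tokenChecking is anything but Require."""
    return sorted(v for v, s in epa_status(config_xml, vdirs).items() if s != "Require")


if __name__ == "__main__":
    for vdir, status in epa_status(SAMPLE_CONFIG).items():
        print(f"{vdir:35} tokenChecking={status}")
    print("exposed:", relay_exposed(SAMPLE_CONFIG))
```

Treat "Allow" the same as "None" for this purpose: only Require makes the server reject a relayed authentication whose channel binding token does not match. Microsoft's own ExchangeExtendedProtectionManagement.ps1 script is the supported way to set this; the audit above is for reviewing exported configs across a fleet.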
2024-02-19 17:57:05 bleepingcomputer MALWARE Critical RCE Flaw in Bricks WordPress Theme Under Active Exploitation
Hackers are actively exploiting a critical remote code execution flaw in the Bricks Builder theme for WordPress. The vulnerability, tracked as CVE-2024-25600, allows unauthenticated attackers to execute arbitrary PHP code. It was discovered on February 10 and reported by a researcher using the alias "snicco." Bricks patched the vulnerability on February 13 in version 1.9.6.1 and urged users to update immediately. Patchstack, which monitors WordPress vulnerabilities, observed active exploitation attempts beginning on February 14. Malware observed in the post-exploitation phase is designed to disable security plugins such as Wordfence and Sucuri. Bricks users are advised to upgrade to the latest version promptly to prevent exploitation.
2024-02-19 17:21:03 bleepingcomputer DATA BREACH Security Flaw in Wyze Cameras Exposes Private Video Feeds
Wyze acknowledged a security lapse affecting at least 13,000 users that showed them thumbnails from other users' cameras. A third-party caching client library misbehaved as services came back from a large outage, exposing user video data. Users reported seeing others' video feeds in the Events tab, leading Wyze to disable the tab and open an investigation. The issue stems from device IDs being mapped to the wrong user IDs during service restoration after an AWS outage. 1,504 users tapped on the wrong thumbnails, potentially viewing other users' event videos. Wyze is contacting affected customers and adding a further verification step before video content is served, to prevent a repeat. The company is also updating its systems to cope with "extreme events" and will move to a new client library.
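The failure class above, a cache that hands one user's media to another after IDs are remapped, is worth seeing side by side with the fix Wyze describes (verifying ownership before serving video). The following is an added example and not Wyze's code; the camera ownership table, thumbnails and the "corrupted" user-to-device mapping are all constructed. It contrasts a cache keyed only on device ID with one keyed on (user, device) that re-checks ownership against the source of truth on every read, so a wrong mapping fails closed instead of leaking.

```python
"""Cache keying and ownership checks for per-user media (added example).

Not Wyze's code. Models the failure in the article: a cache entry is
served to a user other than the one it belongs to after a mapping bug.
"""

# Constructed source of truth: which user owns which camera.
DEVICE_OWNER = {"cam-101": "alice", "cam-202": "bob"}

# Constructed event thumbnails, one per camera.
EVENT_THUMBS = {"cam-101": "thumb-alice-door.jpg", "cam-202": "thumb-bob-yard.jpg"}


class NaiveCache:
    """Keyed on device_id only and trusts the caller's mapping.

    Anything that points a user at the wrong device id (the article's
    restore-time mapping bug) serves that user someone else's footage.
    """

    def __init__(self):
        self.store = {}

    def get_events(self, user, device_id):
        if device_id not in self.store:
            self.store[device_id] = EVENT_THUMBS[device_id]
        return self.store[device_id]


class OwnerCheckedCache:
    """Keyed on (user, device_id) and re-verifies ownership on every read.

    The composite key stops one user's cached entry being returned for
    another user; the ownership check catches a corrupted mapping even
    before the cache is consulted, and fails closed.
    """

    def __init__(self):
        self.store = {}

    def get_events(self, user, device_id):
        if DEVICE_OWNER.get(device_id) != user:
            raise PermissionError(f"{user} does not own {device_id}")
        key = (user, device_id)
        if key not in self.store:
            self.store[key] = EVENT_THUMBS[device_id]
        return self.store[key]


def simulate(cache, user_device_map):
    """Serve each user whatever device the (possibly wrong) mapping names.

    Returns {user: thumbnail or "denied"}.
    """
    out = {}
    for user, device_id in user_device_map.items():
        try:
            out[user] = cache.get_events(user, device_id)
        except PermissionError:
            out[user] = "denied"
    return out


GOOD_MAP = {"alice": "cam-101", "bob": "cam-202"}
# After a restore that remapped ids wrongly: bob is pointed at alice's camera.
BAD_MAP = {"alice": "cam-101", "bob": "cam-101"}

if __name__ == "__main__":
    print("naive, bad map:  ", simulate(NaiveCache(), BAD_MAP))
    print("checked, bad map:", simulate(OwnerCheckedCache(), BAD_MAP))
```

The point of the second class is that the authorization decision is made against the authoritative ownership record at request time, not inferred from which cache key happened to be populated; a cache is an optimization and should never be the only thing standing between a user and another user's data.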
2024-02-19 14:07:15 theregister CYBERCRIME ALPHV Ransomware Group Claims Attacks on Prudential Financial and LoanDepot
The ALPHV/BlackCat ransomware group is claiming responsibility for cyberattacks on Prudential Financial and LoanDepot, with negotiations reportedly stalling. Prudential and LoanDepot have both filed reports with the SEC confirming cybersecurity incidents, but without mentioning ransomware. No data has been leaked so far. ALPHV alleges ongoing access to Prudential's network and is threatening to disclose data, contrary to Prudential's filings indicating containment. Prudential reported no evidence of client data theft, while ALPHV may seek to sell or freely publish the stolen data as a pressure tactic. The ALPHV gang has previously used SEC complaints to pressure victims, as when it filed against MeridianLink in November 2023. LoanDepot faced an initial demand for a $6 million ransom, with ALPHV accusing the company of stalling and ceasing communication. ALPHV survived a takedown attempt by the authorities in December, with its operations appearing unaffected two months later. The US government has offered rewards of up to $15 million for information about ALPHV's leaders and affiliates, signaling the severity of the threat.
2024-02-19 13:36:23 bleepingcomputer MALWARE Anatsa Malware Infects 150,000 Devices via Google Play Apps
The Anatsa Android banking trojan has racked up at least 150,000 downloads on Google Play, targeting users in several European countries. Security experts at ThreatFabric identified five campaigns disseminating the malware through dropper apps disguised as legitimate offerings in Google Play's "Top New Free" category. These dropper apps have evolved to abuse Android's Accessibility Service, bypassing the platform's restrictions up to and including Android 13. The most recent campaign featured apps such as a fake "Phone Cleaner – File Explorer" and a "PDF Reader: File Manager" that alone has over 100,000 downloads. Although Google has removed the listed malicious apps, one remained available for download at the time of writing, suggesting that infections may continue. The dropper apps use a multi-stage installation process, fetching malware components from a C2 server in steps to avoid detection. Users are advised to check app ratings and publisher histories and to scrutinize requested permissions, especially access to the Accessibility Service, before installing.
2024-02-19 13:15:45 thehackernews CYBERCRIME Meta Exposes Eight Surveillance Firms Using Spyware Tactics
Meta Platforms reported actions taken against eight surveillance-for-hire companies from Italy, Spain, and the U.A.E. that targeted users across major platforms. The firms built malware for iOS, Android, and Windows capable of accessing personal data and location and of activating device cameras and microphones. These entities conducted scraping, social engineering, and phishing across a variety of social networks and platforms to gather user data. RCS Labs was linked to a network of fake personas used for reconnaissance and phishing, while Variston IT's accounts on Facebook and Instagram were used for developing and testing exploits. Meta also took down networks from China, Myanmar, and Ukraine for coordinated inauthentic behavior and removed over 2,000 related accounts. Meta has introduced new security features, including Control Flow Integrity and VoIP memory isolation, to protect against exploitation. Despite these efforts, the surveillance industry continues to evolve, with recent discoveries of tools such as Patternz and the MMS Fingerprint technique potentially linked to NSO Group.
2024-02-19 11:38:59 thehackernews MISCELLANEOUS Enhancing Security with NDR's Risk-Based Cybersecurity Strategy
Network Detection and Response (NDR) offers an approach to threat detection built on risk-based alerting, which the article argues outperforms traditional SIEM systems by prioritizing alerts according to risk. NDR employs real-time analysis, machine learning, and threat intelligence to detect anomalies quickly, reducing alert fatigue and supporting better decisions. Risk-based alerting focuses resources on the most critical threats, so response effort goes where it matters most. NDR systems draw on threat intelligence feeds and integrate user and entity behavior analysis to produce nuanced risk assessments of network activity, and can automate responses to high-priority threats. Machine learning within NDR continuously adapts to identify suspicious activity, adjusting risk scores as threats evolve. The article's use cases show NDR separating high-risk events, such as unauthorized access attempts, from low-risk activity like routine software updates. It concludes that NDR's real-time analysis and adaptive machine learning make it a stronger basis for risk-based alerting than traditional SIEM tools.
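Risk-based alerting is a detection-engineering pattern that can be shown independently of any product: each event contributes a score derived from its type, the criticality of the asset involved and any threat-intelligence match, scores accumulate per entity, and an alert fires only when an entity's total crosses a threshold. The following is an added example, not code from the article or from any NDR vendor; the event types, scoring weights, asset criticality table, threat-intel address (a TEST-NET-3 address) and the event stream are all constructed. It reproduces the article's use case: repeated software updates stay below the threshold while a failed-then-successful login from a known-bad address against a domain controller does not.

```python
"""Risk-based alerting over constructed network events (added example).

Not from the article or any NDR product. Each event is scored from a
base severity, the asset's criticality and a threat-intel match; scores
accumulate per entity and an alert fires only past a threshold.
"""
from collections import defaultdict

# Base severity per event type (assumed weights for the example).
BASE_SCORE = {
    "software_update": 1,
    "auth_failure": 10,
    "auth_success_new_geo": 25,
    "lateral_smb_admin_share": 40,
    "dns_to_ioc": 50,
}
# Asset criticality multiplier; unknown assets default to 1.0.
ASSET_CRITICALITY = {"dc01": 3.0, "fileserver": 2.0, "laptop-17": 1.0}
# Constructed threat-intel indicator (TEST-NET-3 address, not a real IOC).
THREAT_INTEL_IPS = {"203.0.113.9"}
INTEL_BONUS = 20
ALERT_THRESHOLD = 100

# Constructed event stream: (entity, event_type, remote_ip)
EVENTS = [
    ("laptop-17", "software_update", "198.51.100.4"),
    ("laptop-17", "software_update", "198.51.100.4"),
    ("dc01", "auth_failure", "203.0.113.9"),
    ("dc01", "auth_failure", "203.0.113.9"),
    ("dc01", "auth_success_new_geo", "203.0.113.9"),
    ("fileserver", "software_update", "198.51.100.4"),
]


def score_event(entity, event_type, remote_ip):
    """Score one event: base * asset criticality, plus a flat intel bonus."""
    base = BASE_SCORE.get(event_type, 5)          # unknown types get a low default
    multiplier = ASSET_CRITICALITY.get(entity, 1.0)
    bonus = INTEL_BONUS if remote_ip in THREAT_INTEL_IPS else 0
    return base * multiplier + bonus


def entity_risk(events):
    """Accumulate risk per entity over the whole window."""
    risk = defaultdict(float)
    for entity, event_type, remote_ip in events:
        risk[entity] += score_event(entity, event_type, remote_ip)
    return dict(risk)


def alerts(events, threshold=ALERT_THRESHOLD):
    """Entities whose accumulated risk meets the threshold, sorted by name."""
    return sorted(e for e, r in entity_risk(events).items() if r >= threshold)


if __name__ == "__main__":
    for entity, risk in sorted(entity_risk(EVENTS).items()):
        print(f"{entity:12} risk={risk:6.1f}")
    print("alerts:", alerts(EVENTS))
```

In a real deployment the window would be time-bounded and scores would decay, and the weights would be tuned against historical data; the structure above (per-event score, per-entity accumulation, threshold) is the part that carries over. Because each low-severity event still adds a small amount, a long run of "routine" events on one host will eventually surface too, which is the intended behaviour rather than a flaw.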