Daily Brief

2024-02-14 14:43:09 thehackernews NATION STATE ACTIVITY Nation-State Hackers Leverage AI in Advanced Cyber Operations
Microsoft and OpenAI report that nation-state actors from Russia, North Korea, Iran, and China are incorporating AI into their cyber warfare tactics. The collaborative efforts between the tech giants have led to the disruption of five state-affiliated cyber groups by terminating their AI service usage. Misuse of large language models (LLMs) by attackers focuses on social engineering and deceptive communications that exploit professional relationships. Although no breakthrough AI-driven cyberattacks have been observed, these actors are testing AI across multiple phases of cyber operations, including reconnaissance and malware development. Notably, Russia's Forest Blizzard group used OpenAI's resources for research on satellite communications and scripting assistance, showcasing the diverse applications of AI in cyber espionage. Microsoft is proactively developing principles to counteract the harmful use of AI tools by advanced persistent threats and cybercriminal organizations, emphasizing identification, notification, collaboration, and transparency.
2024-02-14 13:31:43 thehackernews CYBERCRIME Ubuntu Utility Exploited to Push Malicious Package Installations
Cybersecurity researchers identified a vulnerability in Ubuntu's command-not-found tool that could lead to the installation of rogue packages. The utility, meant to suggest packages for non-existent commands, could be manipulated to recommend malicious snaps from the snap repository. Attackers could register snap names corresponding to APT packages and trick users into installing counterfeit snaps instead of legitimate software. Up to 26% of APT package commands are susceptible to this potential exploitation, which includes typosquatting to dupe users into downloading malicious versions of intended packages. The example given includes the 'jupyter-notebook' APT package, which had its snap name unclaimed, leaving a gap for attackers to publish a malicious snap under the same name. Researchers are urging users to scrutinize the source of package installations and for developers to secure associated snap names for their packages. While the extent of the exploitation is unknown, the findings highlight the need for increased security awareness and preventative measures within the software supply chain.
2024-02-14 13:00:46 bleepingcomputer MISCELLANEOUS DuckDuckGo Launches Encrypted Sync for Secure Cross-Device Browsing
DuckDuckGo has introduced an end-to-end encrypted Sync & Backup feature for securely syncing bookmarks, passwords, and settings across devices. The feature ensures privacy as users don't need an account to use it, and DuckDuckGo cannot access any synced data due to encryption. The new Sync & Backup is compatible with DuckDuckGo browser versions on Windows, macOS, iOS, and Android. DuckDuckGo's browser prioritizes user privacy with features like HTTPS upgrading, tracker blocking, and a 'Fire' button to delete browsing history. To use the new sync feature, users navigate to the Sync & Backup settings in the browser to connect devices through a QR code or alphanumeric code. A PDF with recovery codes is generated for users, providing access to their synced data if their devices are lost or stolen. DuckDuckGo is adding a password requirement for accessing Sync & Backup settings for additional security. The browser is currently in beta, with potential for occasional instability or performance hiccups.
2024-02-14 12:40:05 theregister DATA BREACH Southern Water Cyberattack Compromises Customer and Employee Data
UK utility provider Southern Water experienced a cyberattack in January, with data from 5-10% of its customers stolen. The intrusion was initially claimed by the Black Basta ransomware group but ransomware involvement hasn't been confirmed by Southern Water. Compromised data includes names, birth dates, national insurance numbers, banking details, and HR files, inadvertently verified by an initial data dump. Affected individuals are offered a year of free credit monitoring as Southern Water works with government and the National Cyber Security Centre. Operations have not been affected, and enhanced monitoring is in place to detect any further suspicious activity. Southern Water declined to comment on the removal of their data from Black Basta's leak site, which often indicates a paid ransom. Cyber attacks on critical infrastructure, including water and wastewater sectors, have been rising, with advisories from national cybersecurity agencies.
2024-02-14 11:28:38 thehackernews MALWARE Bumblebee Malware Targets US Firms With Evolved Phishing Attacks
Bumblebee malware has reappeared in a new phishing campaign after a four-month hiatus, targeting U.S. businesses using voicemail-themed lures. Attackers are distributing a malicious Word document via OneDrive links, which uses VBA macros to execute a PowerShell script that downloads the Bumblebee loader. The malware, suspected to be linked to the Conti and TrickBot cybercrime syndicate, is known for downloading and executing ransomware and other payloads. Threat actors have adapted their methods due to Microsoft's default blocking of macros in Office files downloaded from the internet since July 2022. Concurrently, QakBot, ZLoader, and PikaBot malware variants have resurfaced with enhanced encryption and tactics, like evading detection in virtual machine environments. A separate phishing campaign has been discovered where attackers mimic financial institutions to trick victims into installing remote desktop software, enabling unauthorized machine control. The industry is observing a trend where cybercriminals adjust their strategies to navigate new security protocols and continue their attacks with sophisticated methods.
2024-02-14 11:28:38 thehackernews MISCELLANEOUS Strategic Cybersecurity Approaches for Financial Institutions in 2024
Cybersecurity challenges for financial institutions have escalated with more advanced cyber-attacks, including state-sponsored and AI-powered threats. Community banks are particularly vulnerable as they face the same sophisticated threats as larger institutions but have fewer resources. The trend of targeting financial service providers reflects the need for strong vendor management and governance within these banks. Financial institutions must adopt advanced cloud security strategies, such as comprehensive data encryption and robust identity management systems. A multi-layered defense strategy against ransomware is essential, involving advanced threat intelligence, regular security audits, and proactive threat hunting teams. Effective vendor risk management is crucial, necessitating continuous monitoring and regular security audits of third-party services. Navigating the complex regulatory compliance landscape requires dedicated teams and regular training to align cybersecurity practices with regulations. The cybersecurity talent gap can be bridged through internal training programs, collaboration with educational institutions, and outsourcing specific security operations. An effective cybersecurity framework includes strategic alignment with business goals, risk-centric action and deployment, and continuous recalibration and optimization to adapt to the changing threat landscape.
2024-02-14 11:02:56 theregister MALWARE Resurgent Bumblebee Malware Uses Outmoded Macros to Target US Firms
The Bumblebee malware loader, thought to have disappeared, has reemerged using an outdated method of attack: VBA macros in Word documents. Previously associated with high-profile ransomware groups and the Russian-tied Conti, the malware's new tactics hint at less sophisticated operators. Targeting US organizations, the campaign uses "Voicemail February" themed emails from a seemingly legitimate business to lure victims into downloading a malicious OneDrive-hosted document. Microsoft had disabled VBA macros by default to prevent such attacks, making this tactic largely obsolete. Security trends had shifted towards different, more sophisticated methods of attack. Indicators of compromise are evident, and while this attack is considered easy to identify and should not pose a significant threat, it signals an uptick in threat actor activity in 2024. Proofpoint advises organizations to train employees to recognize suspicious activity and maintain security best practices, including keeping macros disabled by default.
2024-02-14 07:39:27 thehackernews MALWARE Sophisticated DarkMe Malware Exploits Microsoft Defender Zero-Day Flaw
Advanced threat actor Water Hydra used a zero-day vulnerability in Microsoft Defender SmartScreen to infect financial traders with DarkMe malware. CVE-2024-21412, a bypass flaw affecting Internet Shortcut Files, was exploited, prompting a Microsoft patch in February. Targets were lured to a malicious URL posted on forex forums disguised as a stock chart image shortcut file. The exploitation chain included several steps, using nested internet shortcut files and abusing the 'search:' protocol to evade SmartScreen protections. The DarkMe malware maintains stealth, downloads further instructions, and communicates with a command-and-control server while gathering system information. This incident highlights a growing trend of cybercrime groups leveraging zero-days, previously a hallmark of nation-state actors, in their attack methodologies. Trend Micro has been tracking the campaign since its inception and detailed the complex infection process to raise awareness and aid in defense.
2024-02-14 05:06:35 thehackernews CYBERCRIME Microsoft Addresses Active Zero-Day Exploits with Latest Patches
Microsoft released patches for 73 security flaws, including 2 actively exploited zero-days. The updates address 5 Critical, 65 Important, and 3 Moderate severity vulnerabilities, plus 24 issues in the Chromium-based Edge browser. CVE-2024-21351 and CVE-2024-21412 zero-days enable attackers to bypass SmartScreen protections through malicious files. Water Hydra, an APT group targeting financial markets, employed CVE-2024-21412 in a sophisticated zero-day attack chain. Microsoft also patched five critical vulnerabilities, including an elevation of privilege flaw in Microsoft Exchange Server (CVE-2024-21410). CVE-2023-50387, a DNSSEC specification design flaw known as KeyTrap, can lead to DNS resolver DoS attacks, with fixes now available. CISA urges federal agencies to apply recent updates to combat these vulnerabilities by a specified deadline.
2024-02-14 04:51:07 theregister DATA BREACH Australian Tax Scam Involves Over 150 ATO Staff Members
The Australian Taxation Office (ATO) investigated 150 staff for participating in a tax refund scam, involving identity fraud reaching $1.3 billion. Scammers defrauded the ATO by creating fake businesses, obtaining ABNs, and making fraudulent claims for Goods and Services Tax (GST) refunds. Operation Protego was launched in April 2022, dedicating 470 people to address fraudulent claims after a significant increase in GST fraud tip-offs. The scam affected over 57,000 people who lodged false claims between April 2022 and June 2023, facilitated by easily accessible online registration and refund tools. ATO's internal audit rated GST fraud detection operations as "partly effective" and identified the need for a centralized control register to improve detection methods. Despite the scam, the ATO's measures prevented an additional A$2.7 billion in suspect refunds and recovered A$123 million, implying some success in fraud control efforts. The majority of the ATO officials investigated were not current employees, with some being victims of identity theft themselves, but 12 active staff members were found guilty of fraud.
2024-02-14 01:53:19 theregister CYBERCRIME Urgent Action Needed: Patch Newly Exploited Microsoft Vulnerabilities
Two Microsoft vulnerabilities are actively being exploited, with a need for immediate patching. The first exploited vulnerability, CVE-2024-21412, allows attackers to bypass security features via malicious shortcut files. Water Hydra, a cybercriminal group, used the bypass flaw to target financial traders with the DarkMe remote-access trojan. The second vulnerability, CVE-2024-21351, involves a SmartScreen security feature bypass that could be exploited for code execution or data exposure. Adobe released six patches for 29 vulnerabilities, including two critical remote code execution flaws. SAP addressed a critical code injection and several other security issues with 16 Security Notes, some with high priority. Intel's 35 advisories covered 79 vulnerabilities, including escalation of privilege and denial of service risks. Cisco and Google also issued fixes for various vulnerabilities, with Google addressing a critical Android system component vulnerability.
2024-02-13 23:30:53 theregister CYBERCRIME Single DNS Packet Vulnerability Threatens Global Internet Stability
A critical vulnerability called KeyTrap in DNSSEC could allow a single malicious DNS packet to disable DNS servers, disrupting global internet connectivity. DNSSEC is an enhancement to DNS that provides authentication of DNS queries to prevent tampering, but it does not encrypt the data for privacy. The vulnerability, assigned CVE-2023-50387, has been present for over two decades but was difficult to detect due to the complexity of DNSSEC validation requirements. KeyTrap can force public DNS services like Google's and Cloudflare's to conduct CPU-intensive calculations, potentially stalling the servers for up to 16 hours with a single packet. The ATHENE research team worked with vendors and public DNS providers to coordinate a release of patches to address the flaw, with no current evidence of its exploitation. A revision of the DNSSEC standard may be necessary to fully mitigate and eliminate the vulnerability as the issued patches do not completely prevent high CPU usage. DNSSEC's vulnerability highlights the delicate balance between internet security features and the risk of unforeseen exploits in widely adopted protocols.
2024-02-13 22:39:32 bleepingcomputer DATA BREACH Prudential Financial Hit by Data Theft Cyberattack
Prudential Financial experienced a data breach, with unauthorized access gained on February 4, leading to the theft of employee and contractor data. The company manages approximately $1.4 trillion in assets and is the second-largest life insurance company in the United States. The incident was disclosed in an 8-K form filed with the U.S. Securities and Exchange Commission, indicating that Prudential detected the breach on February 5. Prudential suspects the involvement of a cybercrime group and has engaged law enforcement and regulatory authorities. There is no indication as yet that customer or client data was accessed or obtained by the attackers. The company claims the incident has not materially impacted its operations or financial condition. Over 320,000 Prudential customers had data exposed in May 2023 due to a third-party vendor breach by the Clop cybercrime gang. Prudential is currently conducting an investigation to assess the complete impact and scope of the breach.
2024-02-13 20:57:38 bleepingcomputer MALWARE Hackers Target Financial Traders with Windows Zero-Day Exploit
Microsoft patched a Windows Defender SmartScreen zero-day (CVE-2024-21412) used by hackers to deploy DarkMe malware. The cybercriminal group Water Hydra, also known as DarkCasino, exploited the vulnerability against foreign exchange traders. Attackers used spearphishing techniques on forex trading forums and stock trading Telegram channels, leveraging compromised trading information sites. The exploited zero-day was designed to evade security checks and involved manipulating internet shortcuts and WebDAV components. The attackers employed social engineering, offering fraudulent trading advice and fake financial tools to induce malware installation. Microsoft's patch follows the repair of a related vulnerability (CVE-2023-36025) that was previously utilized to bypass Windows security prompts. Water Hydra has exploited zero-days in the past, including one in WinRAR software, linked to multiple nation-state backed hacking groups.
2024-02-13 20:26:37 bleepingcomputer CYBERCRIME Microsoft Patches 73 Flaws Including 2 Exploited Zero-Days
Microsoft released fixes on its February 2024 Patch Tuesday for 73 vulnerabilities, encompassing critical issues like denial of service and remote code execution. The Patch Tuesday updates addressed two zero-day flaws that were actively exploited in the wild. One of the patched zero-days involved a Windows SmartScreen security feature bypass, which could allow attackers to evade detection by SmartScreen. The other fixed zero-day allowed attackers to bypass the Mark of the Web (MoTW) security checks using specially crafted Internet Shortcut files, a vulnerability exploited by the DarkCasino APT group targeting finance professionals. The security updates do not include six Microsoft Edge flaws and one Mariner flaw which were fixed earlier in February. Additional non-security updates were released for Windows 11 and Windows 10, the details of which can be found in separate dedicated articles. Other technology vendors also released updates or advisories in February 2023, highlighting the importance of regular system updates across the tech industry.