Daily Brief


Total articles found: 11771


2024-02-13 20:05:57 theregister CYBERCRIME QNAP Security Flaws Unveiled Amidst Conflicting Severity Ratings
QNAP disclosed two flaws, including a zero-day vulnerability, in their network-attached storage devices, leading to confusion over their severity. CVE-2023-50358 received a moderate severity score from QNAP, while Unit 42 and the BSI warned of "critical impact" and "major damage". The National Vulnerability Database is yet to assign an independent rating to the vulnerability. According to Unit 42, over 289,000 devices are publicly exposed, with Germany and the US housing the majority of vulnerable units. Unit 42 shared a technical breakdown on how to exploit CVE-2023-50358, a command injection flaw in QNAP's firmware. QNAP also detailed another vulnerability, CVE-2023-47218, with a similar severity rating, reported by Rapid7. QNAP's advisory focused on numerous patches for different firmware versions, advising users to upgrade or follow mitigation steps. In under two months of the year, QNAP has already issued 15 security advisories for 12 different command injection vulnerabilities.
2024-02-13 19:35:03 bleepingcomputer DATA BREACH Data Leak Exposes 200,000 Facebook Marketplace Users' Info
A threat actor leaked 200,000 records from Facebook Marketplace containing personal user information. The leaked data includes mobile numbers, email addresses, and Facebook profile details, risking phishing and SIM swap attacks. The data was reportedly stolen by a cybercriminal from a Meta contractor managing cloud services for Facebook. BleepingComputer confirmed the authenticity of the sample data shared by the leaker, known as IntelBroker. Meta has yet to comment on the breach; however, the company has faced similar incidents, including a massive leak in April 2021. This leak's perpetrator, IntelBroker, has been linked to several other high-profile cybersecurity incidents in the past.
2024-02-13 19:29:37 bleepingcomputer DATA BREACH Integris Health Data Breach Affects 2.4 Million Patients
Integris Health has experienced a significant data breach, compromising the personal information of nearly 2.4 million patients. The data breach was uncovered after patients began receiving extortion emails threatening the sale of their data if Integris Health did not pay the attackers. The attackers have claimed they did not disrupt network operations and exclusively extracted data, thus operations were not hindered. Compromised data features personal information but does not include employment, driver's licenses, account credentials, or financial details. The stolen patient data is reportedly being sold on the dark web, with the potential for widespread misuse by cybercriminals. Integris Health is notifying affected patients and providing guidance on how to protect against identity theft and fraud. Despite not paying the ransom by the set deadline, the exact extent of the data's spread among other cybercriminals is not known.
2024-02-13 19:24:18 theregister CYBERCRIME Canadian Pipeline Data Allegedly Stolen by Ransomware Gang
Trans-Northern Pipelines, a Canadian pipeline operator, has reportedly been compromised by the ALPHV/BlackCat ransomware group, with 190GB of data claimed to be stolen. ALPHV, also connected to previous ransomware entities responsible for significant attacks like the one on Colonial Pipeline, is targeting critical infrastructure. Despite the claims made on ALPHV's site, Trans-Northern has not officially confirmed the breach and has yet to make a public response. This incident raises concerns about the security of vital energy infrastructure, drawing attention to the potential consequences of such breaches. The ALPHV ransomware gang has targeted multiple critical infrastructure organizations recently, including a US utility cooperative and energy providers in Spain and Canada. International cybersecurity expert Brett Callow emphasizes the urgent need for improved security measures to protect critical infrastructure from these types of attacks. The threat from cyber actors like China's Volt Typhoon heightens the risk to infrastructure in various sectors and stresses the importance of the Five Eyes' recent warnings.
2024-02-13 19:08:50 bleepingcomputer CYBERCRIME Microsoft Addresses Two Exploited Zero-Days in February 2024 Updates
Microsoft's February 2024 Patch Tuesday includes updates for 74 security flaws and addresses two zero-day vulnerabilities under active exploitation. The release features five critical updates tackling denial of service, remote code execution, information disclosure, and elevation of privileges issues. The patched zero-day vulnerabilities are CVE-2024-21351, a Windows SmartScreen bypass, and CVE-2024-21412, an Internet Shortcut File bypass that can circumvent security warnings. The SmartScreen bypass flaw was internally discovered by Microsoft's Eric Lawrence, while external researchers identified the Internet Shortcut File bypass, notably the APT group DarkCasino. The updates come alongside other non-security improvements, specifically a noted cumulative update for Windows 11 (KB5034765). In addition to Microsoft's patches, advisories and updates were also released by various vendors addressing security concerns in their respective products throughout February 2023.
2024-02-13 16:35:45 bleepingcomputer CYBERCRIME Massive $290 Million Crypto Heist Hits PlayDapp Gaming Platform
Hackers exploited a stolen private key to illegitimately mint and steal over $290 million in PLA cryptocurrency from PlayDapp, a blockchain-based gaming platform. On February 9, 2024, unauthorized minting of 200 million PLA tokens valued at $36.5 million was detected, with security experts suggesting a private key leak. PlayDapp responded by shifting all its tokens to a new secure wallet, offering a $1 million "white hat" reward for the return of the stolen assets, and threatening legal action. Despite these measures, hackers proceeded to mint an additional 1.59 billion PLA tokens, bringing the total theft to $290.4 million and prompting a suspension of all PLA trading. Subsequent to the breach, PlayDapp is suspending deposits and withdrawals, freezing the hacker's wallets on major exchanges, and advising users to stay alert for scams. Elliptic, a cryptocurrency analysis firm, observed ongoing money laundering attempts with the stolen tokens, which have tanked in value, adversely affecting legitimate holders. The style of the attack suggests potential links to the Lazarus Group, known for similar large-scale thefts, although no definitive attribution has been established.
2024-02-13 15:49:14 bleepingcomputer CYBERCRIME Ransomware Disrupts 100 Romanian Hospitals, Forcing Return to Paper
100 Romanian hospitals were affected by a ransomware attack that encrypted databases and forced systems offline. The Hipocrate Information System, which manages medical and patient data, was specifically targeted by the attackers. While 25 hospitals confirmed that their data was encrypted, others went offline as a precaution; the incident is under active investigation. The Romanian Ministry of Health and National Cyber Security Directorate (DNSC) are assessing recovery options and investigating the impact. Backmydata ransomware, part of the Phobos family, was identified as the malware used in the attack. Most impacted hospitals have recent backups, except for one whose most recent backup is 12 days old; the ransom demanded is 3.5 BTC (approximately €157,000). Day-to-day hospital operations, including prescription writing and record keeping, have reverted to paper because of the system shutdowns. The software provider of the Hipocrate system has made no public statement; investigations continue to assess the scope, and so far there is no evidence of data theft.
2024-02-13 15:43:44 bleepingcomputer MALWARE Bumblebee Malware Loader Resurfaces in Phishing Campaigns
Bumblebee malware has resumed attacks in a phishing campaign after a four-month hiatus, primarily targeting U.S. organizations. Discovered in April 2022, Bumblebee was developed by the Conti and Trickbot syndicate to replace the BazarLoader backdoor. The malware is distributed through fake voicemail-themed phishing emails containing malicious Word documents that use macros to download payloads. Although Microsoft now blocks macro-based threats by default, attackers are still using this method, potentially to target outdated systems or to avoid detection. Proofpoint identifies the resurgence as a potential threat increase for the year ahead, but cannot attribute the campaign to a specific threat actor group. With the disruption of QBot, Bumblebee and other malware such as DarkGate and Pikabot are filling the void in payload distribution markets. Zscaler reports a simplified version of Pikabot post-hiatus, indicating potential preparation for more sophisticated future versions.
2024-02-13 15:05:58 bleepingcomputer CYBERCRIME Combatting Cyber Threats in Microsoft Teams with Enhanced Security Measures
Cybersecurity risks in Microsoft Teams and similar SaaS chat apps are often underappreciated. Criminal threat actors target Microsoft Teams using phishing, malware, and sophisticated social engineering tactics. Microsoft Teams has seen a rise in cyber incidents, including the DarkGate malware campaign, leveraging its vast user base. Attackers can exploit Microsoft Teams' default External Access setting, allowing outside contacts to join chats and share files. Recent vulnerabilities and tactics used in attacks on Teams include inviting targets to group chats and bypassing file-sharing restrictions. Adaptive Shield recommends measures such as limiting external access, blocking external invitations, and using Microsoft Defender to enhance Teams security. It is crucial to educate employees on the diverse nature of phishing attacks and encourage reporting of suspicious activities in messaging apps. Organizations must be proactive in securing their SaaS platforms to protect against evolving cyber threats.
2024-02-13 14:49:54 thehackernews MALWARE Glupteba Botnet's Undocumented UEFI Bootkit Enhances Stealth and Persistence
The Glupteba botnet has been updated with a sophisticated UEFI bootkit, significantly improving its evasiveness. Researchers at Palo Alto Networks Unit 42 revealed Glupteba's ability to control the OS boot process, which hinders detection and removal efforts. Glupteba serves as an information stealer and backdoor, capable of engaging in crypto-mining, proxy deployment, and gathering private user data. The botnet maintains persistence through the Bitcoin blockchain, using it as a resilient command-and-control backup system. In recent campaigns, Glupteba distribution has involved pay-per-install services and multi-stage malware infection chains that bypass traditional security measures. The malware incorporates a modified version of an open-source project, EfiGuard, to thwart security features at boot time. Cybersecurity experts point to Glupteba as an example of the complexity and innovation of current cyber threats.
2024-02-13 14:24:10 theregister CYBERCRIME Executive Cloud Accounts Compromised in Phishing Scheme
Hundreds of senior executives have fallen victim to an ongoing phishing campaign, resulting in numerous cloud account takeovers. Cybercriminals targeted C-suite positions, VPs, sales directors, and finance managers, compromising Azure environments and stealing sensitive data. A specific Linux user-agent was identified as a significant indicator of compromise, suggesting widespread unauthorized access to multiple Microsoft 365 applications. Potential links to Russian and Nigerian attackers have not been confirmed, but activity aligns with techniques commonly used by cybersecurity threat groups from these regions. Attackers manipulated Multi-Factor Authentication (MFA), adding their own authenticator apps and phone numbers for persistent access. After hijacking email accounts, the criminals launched additional phishing campaigns, conducted lateral movement, and attempted financial fraud. Researchers advise vigilance against unexpected emails and caution when opening links, as personalized phishing emails were used to deceive victims. The cybercriminal infrastructure utilizes proxy services to bypass geofencing policies, with some traffic linked to Russian and Nigerian ISPs.
2024-02-13 14:13:32 thehackernews MALWARE PikaBot Malware Evolves with Simplified Code and New Tactics
PikaBot has undergone a devolution, simplifying its code by removing complex obfuscation and changing network communications. It functions as a malware loader and backdoor, allowing commands and payload injections from a C2 server, indicating possible Russian or Ukrainian origins. Recently, PikaBot and DarkGate have been used by threat actors like Water Curupira for initial network access via phishing and Cobalt Strike deployment. The latest PikaBot version features simpler encryption, added junk code for analysis resistance, and unencrypted plaintext bot configuration. Alterations in the C2 server communication were made, updating command IDs and employing a different encryption algorithm to secure traffic. Despite a period of inactivity, PikaBot remains a significant threat and is actively being developed with a focused yet less complex approach. In a separate cyber threat incident, Proofpoint reported an ongoing cloud account takeover campaign that has affected Azure environments and user accounts, including those of senior executives, since November 2023.
2024-02-13 11:45:38 bleepingcomputer CYBERCRIME Ransomware Disrupts 25 Romanian Hospitals, Forces Offline Operations
Over 25 Romanian hospitals were forced to take their systems offline due to a ransomware attack. The targeted system, HIP (Hipocrate Information System), managed medical activities and patient data. The Romanian Ministry of Health and the National Cyber Security Directorate (DNSC) are investigating the attack, which led to encrypted files and databases. Hospitals impacted include regional centers and cancer treatment facilities; they reverted to using paper for records and prescriptions. There's no confirmation yet if patient personal or medical data was compromised or stolen during the attack. Backmydata ransomware, a variant from the Phobos family, was identified as the encryption tool used in the attack. Most hospitals had recent backups, except for one with a 12-day-old backup; a ransom demand of 3.5 BTC (about €157,000) was made by the attackers. DNSC advises against contacting the IT teams of affected hospitals to allow them to focus on restoring services.
2024-02-13 11:14:49 thehackernews NATION STATE ACTIVITY Nation-State Hackers Target SaaS Platforms in Recent Breaches
Russian-linked hackers, known as Midnight Blizzard, targeted Microsoft, leveraging password spraying tactics against a test environment. Cloudflare's Atlassian systems were compromised on Thanksgiving Day via exploited OAuth tokens linked to an earlier Okta breach. These breaches are symptomatic of a growing trend where nation-state actors attack SaaS providers for intelligence and espionage purposes. Despite security practitioners believing in robust defenses, AppOmni's report indicates a high incidence of cybersecurity incidents within SaaS environments. The incidents underline the critical need for continuous monitoring and proactive management of SaaS environments to deter sophisticated cyber threats. Common vulnerabilities, such as third-party app integrations and identity management flaws, pose significant risks and necessitate rigorous risk management practices. Strategies to mitigate risk include implementing SaaS Security Posture Management (SSPM) platforms for early detection and lifecycle management over SaaS environments.
2024-02-13 11:09:24 bleepingcomputer CYBERCRIME Ransomware Disrupts Romanian Hospitals, Forcing Return to Paper Records
Over 25 Romanian hospitals suffered a ransomware attack, causing their healthcare management systems to go offline. The attack targeted the Hipocrate Information System (HIS), used for managing medical activity and patient data. The Romanian Ministry of Health has confirmed system outages and encrypted files, triggering an investigation by the National Cyber Security Directorate (DNSC). Hospitals have reverted to paper-based systems for prescriptions and records due to the IT outage caused by the attack. There is no indication yet of patient data theft, and the service provider RSC (Romanian Soft Company SRL) has not issued a statement. The DNSC identified the ransomware as Backmydata from the Phobos family and disclosed a ransom demand of 3.5 BTC (approximately €157,000). In total, 21 hospitals were directly affected, with 79 others shutting down systems as a precaution; most have recent data backups, but one had a 12-day-old backup.