Daily Brief
Total articles found: 11769
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-02-12 12:47:08 | theregister | DATA BREACH | Caravan Club Data Compromise Leaves Over a Million Members Uncertain | Europe's Caravan and Motorhome Club (CAMC) faces a security incident in which member data may have been accessed, but it cannot confirm that any data was actually stolen. The compromise might include personal details like names, addresses, insurance policy details, and vehicle information, affecting policies from 2018 to 2024. While payment details, campsite bookings, and passwords are reportedly unaffected, members are advised to change passwords and stay alert for phishing attempts. CAMC has ceased updating social media about the incident, focusing on website communication and direct member contact as per cybersecurity experts' advice. The incident was initially reported to the Information Commissioner's Office (ICO) by the CAMC, which suggests regulatory compliance from the onset. LockBit ransomware group claims to hold 9.47 GB of CAMC data, though CAMC has not confirmed the ransomware link, indicating that any ransom demand may not have been met. |
| 2024-02-12 12:41:41 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts 18 Romanian Hospitals' Operations | Ransomware has forced 18 hospitals in Romania to go offline, disrupting services and patient care. The Hipocrate Information System (HIS), which manages medical activities and patient data, was targeted and encrypted. The Romanian Ministry of Health stated that the attack occurred overnight between February 11-12, 2024. The National Cyber Security Directorate and IT specialists are investigating and assessing recovery possibilities. Precautionary measures have been activated in other hospitals not yet affected by this cybersecurity breach. There is no information available regarding the ransomware group responsible or whether patient data was exfiltrated. The company behind the HIS, RSC, has not made a public statement, and their spokesperson was unavailable for comment. |
| 2024-02-12 11:20:05 | thehackernews | CYBERCRIME | The Vulnerabilities of MFA: How Hackers Bypass Extra Security | Multi-factor authentication (MFA), while effective, is not impervious to bypass techniques used by adept cybercriminals leveraging social engineering. Hackers deploy 'Adversary-in-the-middle' attacks to intercept passwords and manipulate MFA prompts by tricking users into entering their credentials on fake websites. MFA prompt bombing involves sending incessant MFA prompts until the legitimate user, out of annoyance or by mistake, accepts the authentication request, granting access. Service desk attacks trick help desk personnel into bypassing MFA by preying on password recovery processes and verification gaps. SIM swapping is a tactic where criminals convince phone service providers to transfer a victim's services to a SIM card they control, thereby hijacking MFA prompts. The article underscores the importance of having a strong password policy in place and not solely depending on MFA for security. Organizations are advised to employ tools like Specops Password Policy to enhance their Active Directory password policies and protect against compromised passwords. |
| 2024-02-12 10:49:25 | thehackernews | CYBERCRIME | CISA and OpenSSF Unveil New Security Framework for Package Repositories | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Open Source Security Foundation (OpenSSF) have published a set of principles designed to secure package repositories. The "Principles for Package Repository Security" framework aims to establish foundational security rules for package managers and strengthen the open-source software ecosystem. OpenSSF highlighted the importance of package repositories in preventing and mitigating attacks, emphasizing that even basic security policies can result in significant improvements. The framework outlines four levels of security maturity for package repositories in areas such as authentication, authorization, general capabilities, and command-line interface (CLI) tooling. Package repositories are encouraged to self-assess and work towards at least security Level 1, with the goal of continuous security enhancement in response to evolving threats. The framework's release coincides with a warning from the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center about vulnerabilities in open-source software used for health industry applications. |
| 2024-02-12 10:03:10 | thehackernews | CYBERCRIME | Speeding Up Incident Response by Addressing Compromised Identities | Incident response is hampered by the difficulty in identifying and managing compromised user accounts, a critical aspect often overlooked in traditional IR practices. Manual investigations into compromised accounts create significant delays, allowing attackers more time to cause damage within the network. Silverfort's Unified Identity Protection Platform offers solutions to this problem by enabling real-time Multi-Factor Authentication (MFA) and identity segmentation. The platform is capable of enforcing MFA across all Active Directory authentications, rapidly detecting compromised accounts with minimal operational disruption. With Silverfort, containment policies can be implemented to immediately halt the spread of an attack, focusing on behavioral patterns of service accounts to detect anomalies without disrupting legitimate activities. The platform also helps in reducing identity attack surfaces by mitigating common weaknesses leveraged by attackers, like outdated authentication protocols and misconfigured accounts. Investing in IR tools that can effectively address compromised identities is crucial given that over 80% of cyber attacks exploit these vulnerabilities. |
| 2024-02-12 07:30:22 | theregister | DATA BREACH | Over 33 Million Affected in Historic French Healthcare Data Breach | A massive security breach at two healthcare payment servicers, Viamedis and Almerys, has exposed personal data of more than 33 million individuals in France. Compromised data includes dates of birth, marital status, social security numbers, and insurance information, but no banking, medical, or contact details were lost. The breach is believed to be the largest in French history and was partially due to a phishing attack on Viamedis, while Almerys's breach method remains undisclosed. French data privacy authority CNIL is coordinating with the companies to inform affected individuals as mandated by the EU's General Data Protection Regulation. Officials warn the stolen data could be used in phishing campaigns or social engineering attacks, and an investigation is underway to assess the companies' liabilities. Juniper Networks fixed a support portal flaw after an intern discovered leaks of customer device lists, a result of an improperly configured Salesforce SaaS tool. Canada is considering a ban on the Flipper Zero device, fearing it aids in vehicle theft, despite modern car security generally being immune to such attacks. A Florida inmate, Damien Dennis, has received an additional sentence for operating an identity theft scheme involving the creation and sale of fraudulent identities for bank fraud. |
| 2024-02-12 05:48:36 | thehackernews | MISCELLANEOUS | Microsoft Introduces 'sudo' Command Functionality in Windows 11 Update | Microsoft has rolled out a Sudo feature for Windows 11 preview builds, allowing users to execute commands with administrative privileges. Similar to Unix/Linux systems, "Sudo for Windows" enables users to run elevated commands from an unelevated console. The feature enhances convenience by eliminating the need to open a new elevated console to execute a higher-privilege command. Available in Windows 11 builds starting from 26045, it can be enabled in the "For Developers" section in Settings. Sudo for Windows offers three options, including running applications in a new elevated window and running processes with or without an input stream in the current window. Microsoft is also taking steps to open-source the Sudo for Windows project, encouraging community contributions and feedback on GitHub. |
| 2024-02-12 04:37:08 | thehackernews | CYBERCRIME | U.S. State Department Issues $10 Million Bounty on Hive Ransomware Leaders | The U.S. Department of State is offering up to $10 million for information leading to the arrest of individuals affiliated with the Hive ransomware operation. An additional $5 million reward is available for details resulting in the arrest/conviction of anyone attempting to participate in Hive ransomware activities. After a coordinated law enforcement effort dismantled Hive's darknet infrastructure and arrested one suspect in Paris, another ransomware group called Hunters International has emerged, likely with ties to Nigeria. Ransomware attacks increased significantly in 2023, with threat actors collecting approximately $1.1 billion in cryptocurrency ransoms, nearly double the $567 million from the year prior. Manufacturing, professional and legal services, and the high-tech industry were among the most impacted by ransomware in 2023. Law enforcement actions against Hive prevented around $130 million in ransomware payments and might have reduced further attacks by Hive affiliates. A significant 34% increase in active ransomware gangs occurred in 2023, suggesting the ecosystem is continuously attracting new players. Cybercriminals are increasingly using cross-chain bridges, instant exchangers, and gambling services to launder ransom payments, steering clear of centralized exchanges. |
| 2024-02-11 15:10:02 | bleepingcomputer | DATA BREACH | ExpressVPN Fixes Bug Causing DNS Request Leaks for Windows Users | ExpressVPN identified and removed a bug that caused some DNS requests to leak, affecting users who enabled the split tunneling feature in their software. The vulnerability existed in ExpressVPN versions 12.23.1 – 12.72.0 for Windows, released from May 19, 2022, to February 7, 2024. Split tunneling allowed selective routing of internet traffic, but due to the bug, DNS queries could be exposed to users' ISPs rather than being securely directed through ExpressVPN's DNS servers. This DNS request leak undermines the privacy guarantees of VPN services by potentially disclosing domains visited by users to third parties. The issue, discovered by CNET's Attila Tomaschek, affected only about 1% of ExpressVPN's Windows users, specifically in the "Only allow selected apps to use the VPN" mode. Users are urged to update to the latest ExpressVPN client version, which temporarily removes the split tunneling feature, or disable the feature to prevent any further DNS leaks. ExpressVPN plans to reintroduce split tunneling in a future software update after ensuring the bug is fully resolved. |
| 2024-02-11 11:01:13 | thehackernews | CYBERCRIME | U.S. Justice Department Disrupts Warzone RAT Cybercrime Network | The U.S. Justice Department successfully seized online infrastructure to disrupt Warzone RAT, a widely-used remote access trojan. Two individuals responsible for selling and supporting Warzone RAT, originating from Malta and Nigeria, have been arrested and indicted. Daniel Meli and Prince Onyeoziri Odinakachi are charged with crimes including unauthorized computer access and conspiracy to commit computer intrusion. Meli had been active in malware services since 2012, and Odinakachi provided customer support for Warzone RAT users. Warzone RAT, also known as Ave Maria, had keylogger, remote access, and other espionage capabilities, and was advertised as part of a malware-as-a-service offering. Phishing attacks using bogus Excel files exploiting CVE-2017-11882 were a primary distribution method for Ave Maria. The FBI's undercover purchase of the RAT confirmed its malicious capabilities, and the takedown involved collaborative efforts from multiple international law enforcement agencies. |
| 2024-02-10 15:11:21 | bleepingcomputer | MALWARE | Raspberry Robin Malware Utilizes Recent Windows Exploits | Raspberry Robin malware exhibits advanced evasion by using one-day exploits for recently patched vulnerabilities. The malware is known for spreading via USB devices and has been associated with prominent cybercrime groups. Check Point's research indicates large-scale Raspberry Robin attacks began to escalate in October 2023. The recent variants use Discord to deliver malicious files and employ evasion techniques to avoid security detection. Raspberry Robin used exploits for CVE-2023-36802 and CVE-2023-29360, suggesting access to exploits soon after vulnerability disclosure. The malware incorporates anti-analysis features and lateral movement tactics to maintain persistence and avoid system shutdowns. Continuous evolution of Raspberry Robin is expected, with a focus on non-public exploits and increasing stealthiness. Security professionals are advised to monitor for the indicators of compromise provided in Check Point's report. |
| 2024-02-10 11:12:25 | bleepingcomputer | MISCELLANEOUS | UK's Transition to Digital Immigration with e-Visa System by 2025 | The UK is planning to replace physical Biometric Residence Permits (BRPs) and Biometric Residence Cards (BRCs) with e-Visas by 2025 to digitize borders. Current BRPs will expire on December 31, 2024, regardless of their indicated expiry date. e-Visas will provide a secure, digital proof of immigration status, which can be verified online, aligning with systems in countries like Australia. The shift from physical documents is expected to increase convenience for customers and those required to check immigration status, such as employers and landlords. Online UKVI accounts will become the standard way for all immigrants to view and prove their status in the UK from 2025. The Home Office emphasizes the enhanced security and cost-savings anticipated from this digital transformation. All immigrants, including those with a current eVisa, are advised to keep their personal details up to date within their UKVI account. The UK government is committed to a digital border and immigration system, with no present intentions to digitize physical passports. |
| 2024-02-10 10:01:12 | bleepingcomputer | MISCELLANEOUS | UK Shifts to Digital Immigration System, Phasing Out Biometric Cards | The UK plans to replace Biometric Residence Permits (BRPs) and Biometric Residence Cards (BRCs) with digital e-Visas by 2025. Existing BRPs will expire on December 31, 2024, regardless of the holder's immigration status duration. Post-Brexit, the UK is not required to follow EU next-generation encryption technology regulations for immigration documents. The digital system will simplify the process for proving immigration status for employers, landlords, and service providers. While e-Visas offer convenience and reduce physical document reliance, concerns arise about verification during internet outages. Existing BRP holders are expected to create online UKVI accounts to manage and prove their immigration status digitally. Some sectors like the DWP and NHS will have secure access to e-Visa records, enhancing public service delivery. Physical passports will not be replaced with digital versions, despite the move towards a more tech-forward border and immigration system. |
| 2024-02-10 07:18:22 | thehackernews | MALWARE | Stealth "RustDoor" Backdoor Targets Apple macOS Systems | A new backdoor, RustDoor, has been discovered targeting Apple macOS devices since November 2023. RustDoor masquerades as a Microsoft Visual Studio update and is compatible with both Intel and Arm architectures. The backdoor is distributed as FAT binaries and has been actively developed, with multiple versions observed. The malware's capabilities include file gathering, information harvesting, and communication with a C2 server. There is evidence suggesting a linkage between RustDoor and known ransomware families such as Black Basta and BlackCat. The BlackCat ransomware group, related to the malware, was targeted by the U.S. government, leading to the release of a decryption tool for victims. |
| 2024-02-10 03:34:53 | theregister | MALWARE | VexTrio Network Controls 70K Sites to Distribute Malware and Phishing | VexTrio, a network of about 70,000 compromised websites, has been distributing malware and conducting phishing campaigns since at least 2017. Affiliates of VexTrio use these hijacked sites to redirect users to other pages delivering malware, stealing credentials, and perpetrating fraud. Check Point's global threat index for January marked VexTrio as a significant security threat due to its sophisticated infrastructure and broad impact. Infoblox's investigation revealed that nearly half of the domains in the network appeared in customer networks and provided indicators of compromise for detection. One prevalent malware strain distributed by VexTrio, SocGholish, topped Check Point's January list for the most widespread malware and installs various malicious payloads, including GootLoader, Dridex, and ransomware. TA569 (Proofpoint's name) and UNC1543 (Mandiant's name) are the suspected operators behind SocGholish, according to cybersecurity research. The article also notes the activity of ransomware groups at the start of 2024, with LockBit3, 8Base, and Akira being among the most prominent, warning that data from leak sites used to compile such reports might not be entirely reliable. |