Daily Brief

2024-02-02 23:42:21 bleepingcomputer DATA BREACH AnyDesk Confirms Theft of Source Code and Certificates
AnyDesk has suffered a security breach, resulting in unauthorized access to its production servers. Hackers managed to steal source code and private code signing keys from the company’s systems. AnyDesk, widely used in enterprise settings for remote computer access, has taken steps to remediate the breach and strengthen security measures. The company has initiated a password reset for their web portal as a precaution, even though they claim authentication tokens could not be stolen due to their design. No evidence suggests that end-user devices were compromised in the incident. AnyDesk is replacing stolen code signing certificates and urges users to update to the latest version of their software. The breach was discovered following a four-day outage during which AnyDesk disabled client login for maintenance, later confirmed to be related to the cybersecurity incident. Users are advised to change their passwords and update to the new software version as the old code signing certificate will soon be revoked.
2024-02-02 23:37:00 bleepingcomputer CYBERCRIME Ransomware Attacks Plague Hospitals and Cybercriminals Face Justice
Continued ransomware attacks on hospitals disrupt patient care despite claims by groups like LockBit to avoid such targets. LockBit affiliates targeted Lurie Children's Hospital in Chicago, with reported delays in medical procedures due to IT shutdowns. A cyberfraudster from Ottawa linked to hundreds of ransomware cases has been sentenced to two years in prison. Coveware reports a drop in ransomware victims paying ransoms, with only 29% complying in the last quarter of 2023. Schneider Electric suffered a data breach due to a Cactus ransomware attack, and Truesec identified Akira ransomware's exploitation of an old Cisco vulnerability. Johnson Controls revealed a $27 million expense from a September 2023 ransomware attack and data breach. The Pentagon is probing a data theft by ALPHV ransomware from a U.S. military contractor, and international law enforcement operation Synergia shut down over 1,300 servers linked to cybercrime. Several new ransomware variants and strains were identified, including new versions of Phobos, Chaos, Dharma, and the emergence of Alpha ransomware.
2024-02-02 22:20:41 bleepingcomputer DATA BREACH AnyDesk Confirms Breach and Urges Password Resets After Hack
AnyDesk production systems were compromised in a cyberattack, allowing hackers to access source code and private code signing keys. The hack was discovered following signs of an incident on AnyDesk's servers; cybersecurity firm CrowdStrike is assisting with the response plan. The company states that the AnyDesk software is still safe and that there is no sign of customer device compromise. Despite no evidence of authentication token theft, AnyDesk has reset all web portal passwords and prompts users to change any passwords reused elsewhere. AnyDesk is issuing new code signing certificates and has released a new software version signed with the new certificate (version 8.0.8). The security incident caused a four-day service outage for AnyDesk that prevented logins, initially described as maintenance and now attributed to the breach. Users are strongly advised to update to the new version of AnyDesk and change their passwords as a precautionary measure.
2024-02-02 21:14:28 theregister DATA BREACH Blackbaud Settles FTC Dispute Over Multi-Million Data Exposure
Cloud service provider Blackbaud has reached a proposed settlement with the FTC after a significant data breach. The breach involved unauthorized access to Blackbaud's databases, compromising the personal data of millions. The FTC criticized Blackbaud's data retention policies and delayed, inaccurate breach notifications. The company reportedly paid the attackers $235,000 in ransom, without confirmation that stolen data was deleted. Blackbaud has agreed to pay $3 million to the SEC and $49.5 million to US states to settle related charges. As part of the FTC settlement, Blackbaud is to improve their data security practices, including eliminating unnecessary data retention, implementing multi-factor authentication, and using encryption for sensitive data. Blackbaud neither admits nor denies the allegations but has committed to enhancing cybersecurity measures.
2024-02-02 18:36:44 theregister CYBERCRIME Critical Security Flaw in Mastodon Social Network Patched Rapidly
A critical vulnerability in Mastodon, CVE-2024-23832, could enable attackers to take over user accounts remotely. The severity score of the vulnerability is 9.4, indicating high potential impact and relative ease of exploitation. Mastodon versions prior to 3.5.17, 4.0.x before 4.0.13, 4.1.x before 4.1.13, and 4.2.x before 4.2.5 are affected. Full details of the vulnerability will be withheld until February 15 to allow admins to secure their servers. Mastodon’s decentralized structure makes updating more complex, as each server is independently managed. More than half of the active Mastodon servers upgraded to a secure version within one day of the vulnerability's announcement. Past critical security issues on Mastodon include two vulnerabilities with high severity scores, CVE-2023-36460 and CVE-2023-36459, uncovered in July 2023.
2024-02-02 16:23:59 bleepingcomputer CYBERCRIME Lurie Children's Hospital Disrupted by Cyberattack
Lurie Children's Hospital in Chicago experienced a cyberattack, causing IT system disruption and medical care delays. The hospital responded by taking network systems offline to contain the attack and is working with experts and law enforcement. Essential services such as email, phone, and the MyChart platform were affected, and patients with an emergency were urged to call 911. Despite the cyberattack, the hospital remains operational and continues to prioritize safe, quality patient care, albeit with adjustments. Scheduled medical procedures faced delays, diagnostic results were impacted, and prescriptions were issued on paper due to the IT system outage. The outage forced a shift to first-come, first-served protocols for prioritizing care, especially in emergency situations. No ransomware group has claimed responsibility for the attack; however, healthcare institutions continue to be targeted despite some ransomware gangs' supposed guidelines against such actions. Recent hospital attacks in the U.S. and Germany by LockBit illustrate the vulnerability of healthcare providers to ransomware, regardless of the gangs' stated policies.
2024-02-02 15:41:37 theregister CYBERCRIME Interpol's Global Cybercrime Crackdown Leads to 31 Arrests
Interpol arrested 31 individuals in a concerted three-month campaign to combat various cybercrimes across 55 nations. The operation, codenamed Synergia, took down over 70% of 1,300 identified malicious servers tied to phishing, banking malware, and ransomware. European countries hosted most of the command and control infrastructure, with the bulk of arrests made in Europe, and additional arrests in South Sudan and Zimbabwe. A network of about 60 law enforcement agencies was involved, conducting searches on 30 properties, spotlighting 70 more suspects. The operation was a response to the observed proliferation and professionalization of transnational cybercrime, requiring coordinated global action. Several private sector entities, such as Group-IB, provided essential intelligence, contributing more than 500 IP addresses associated with phishing and about 1,900 related to ransomware activity. Operation Synergia's achievements emphasize the critical need for cross-border law enforcement cooperation and private sector collaboration in fighting cybercrime. Interpol's recent Operation Turquesa V in the Americas targeted human trafficking for scam call centers, which plays a separate but related role in supporting cybercrime activities.
2024-02-02 15:41:36 thehackernews CYBERCRIME 31 Cybercrime Suspects Caught in INTERPOL Global Operation Synergia
INTERPOL's Operation Synergia netted 31 arrests in a global crackdown on phishing, banking malware, and ransomware. Over 1,300 IP addresses and URLs linked to cybercrime were identified, with a 70% takedown rate of malicious servers in Europe. Law enforcement agencies from 55 countries collaborated, resulting in the shutdown of 153 servers in Hong Kong and 86 in Singapore. Authorities conducted over 30 house searches, leading to the seizure of numerous electronic devices and the identification of 70 suspects. Partner organization Group-IB contributed by pointing out over 500 IP addresses hosting phishing sites and over 1,900 linked to various malware operations. The joint operation disrupted cybercriminal infrastructure distributed across 200+ web hosting providers globally. The successful operation illustrates a strong international commitment to combating cybercrime and enhancing online security for users worldwide.
2024-02-02 15:41:36 thehackernews CYBERCRIME Cloudzy Partners with Recorded Future to Advance Cybersecurity
Cloudzy has strengthened its cybersecurity measures through collaboration with threat intelligence specialists Recorded Future. The integration provides Cloudzy with real-time security analytics, significantly improving its capacity to respond to threats such as ransomware and APTs. Suspicious accounts are swiftly identified and banned, with additional measures to prevent re-entry via fake identities. CloudzPatrol, Cloudzy's threat detection system, has received substantial upgrades to better detect and respond to malicious activities within its infrastructure. Cloudzy consistently aligns its security enforcement with legal and ethical standards, updating its acceptable use policy accordingly. CEO Hannan Nozari asserts that implementing Recorded Future's intelligence marks a significant step forward in Cloudzy's commitment to cybersecurity excellence. Cloudzy invites collaboration with other organizations to enhance collective cybersecurity efforts across the industry. The company emphasizes its dedication to providing a secure, resilient platform for its clients, prioritizing user safety and data integrity.
2024-02-02 15:41:36 thehackernews DATA BREACH Former CIA Engineer Gets 40 Years for Historic Data Leak
A former CIA software engineer, Joshua Adam Schulte, has been sentenced to 40 years in prison for leaking classified documents to WikiLeaks and possessing child pornography. Schulte was convicted of the largest data breach in the CIA’s history, involving a large trove of sensitive data known as Vault 7 and Vault 8. The leaked information included CIA hacking tools and zero-day exploits that could target various electronic devices and operating systems. The breach caused significant damage to U.S. national security, costing hundreds of millions of dollars, and put the lives of CIA operatives at risk. Schulte is accused of lying to the FBI and trying to deflect the investigation by implying others could have accessed the documents. Investigators found over 3,400 images and videos of child sexual abuse material (CSAM) in his apartment, some downloaded while he was employed by the CIA. While in detention, Schulte attempted to continue disseminating restricted information using contraband cell phones to contact WikiLeaks and share CIA techniques. His actions not only compromised U.S. security but also expressed intents to disrupt global diplomatic relations, according to journal entries cited by the Department of Justice (DoJ).
2024-02-02 15:41:36 thehackernews MALWARE DirtyMoe Malware Compromises Thousands of Ukrainian PCs for Attacks
Over 2,000 Ukrainian computers have been infected by a malware strain known as DirtyMoe. The malware has been used for cryptojacking and DDoS attacks, and can propagate via security flaws or fake software installers. The Ukraine Computer Emergency Response Team (CERT-UA) warns of the increased risk and advises heightened system and network security measures. A related phishing campaign, STEADY#URSA, targets Ukrainian military personnel to install a PowerShell backdoor called SUBTLE-PAWS. The SUBTLE-PAWS backdoor is linked to Shuckworm, a threat actor believed to be part of Russia's FSB, and can spread through USB drives. CERT-UA recommends that organizations update their systems, enforce network segmentation, and monitor traffic for any unusual activity to mitigate these threats.
2024-02-02 15:41:36 thehackernews NATION STATE ACTIVITY Russian APT28 Continues Targeting Global High-Profile Entities
Russian state-sponsored hackers, known as APT28, have conducted NTLM v2 hash relay attacks on high-value targets including foreign affairs, defense, and transportation sectors, among others. From April 2022 to November 2023, APT28 compromised thousands of email accounts through sophisticated brute-force techniques. APT28, with multiple aliases such as Fancy Bear and Pawn Storm, is recognized for using spear-phishing and strategic web compromises to initiate their attack campaigns. In 2023, APT28 exploited vulnerabilities in Cisco networking equipment and in software like Microsoft Outlook and WinRAR to conduct reconnaissance and deploy malware. The group has refined their operational techniques to avoid detection, employing VPN services, Tor, and compromised routers for scanning and spear-phishing activities. Recent campaigns by APT28 against European governments involve fake Microsoft Outlook login pages to harvest credentials. Security researchers highlight the aggressive and elusive nature of APT28's intrusions, which mask complex post-exploitation actions following initial system breaches. Recorded Future News has identified parallel activities by another Russian hacker group, COLDRIVER, who mimic scholars to lead victims to phishing sites.
2024-02-02 15:41:36 bleepingcomputer CYBERCRIME Interpol Shuts Down 1,300 Servers in Anti-Cybercrime Operation Synergia
"Operation Synergia" led by Interpol resulted in the takedown of over 1,300 servers related to ransomware, phishing, and malware. The operation involved 60 law enforcement agencies from 55 countries, disrupting significant cybercriminal infrastructure. Approximately 70% of the identified command and control (C2) servers have been dismantled, heavily impacting cybercrime activities. Law enforcement detained 31 individuals suspected of cybercrime and identified 70 more, along with conducting 30 house searches. The operation spanned various regions, including Europe, Asia, Africa, and the Americas. Cyber-intelligence firm Group-IB and other partners provided essential data in the operation, identifying over 1,900 IP addresses linked to cybercrime. While impactful, the effectiveness of C2 server takedowns has limitations, as some resilient botnets and ransomware groups can quickly recover or switch to backup systems.
2024-02-02 15:41:36 bleepingcomputer CYBERCRIME Belarusian National Charged for Laundering Cybercrime Proceeds via BTC-e
A Belarusian and Cypriot national, Aliaksandr Klimenka, has been indicted in the U.S. for his role in laundering money for cybercriminals through digital currency exchanges. Klimenka allegedly controlled BTC-e, an unlicensed exchange, as well as Soft-FX and FX Open, and facilitated transactions from ransomware, identity theft, drug trafficking, and more. BTC-e served primarily the Russian market and was seized by U.S. authorities in 2017 after the arrest of its owner, Alexander Vinnik, for similar laundering charges. The exchange was accused of being involved in laundering money from the Mt. Gox hack and for ransomware such as Locky and WannaCry, operating without proper anti-money laundering controls and KYC procedures. Klimenka, said to have managed U.S.-based servers for BTC-e, was arrested in Latvia and appeared in a San Francisco court, facing up to 25 years in prison.
2024-02-02 06:25:08 thehackernews NATION STATE ACTIVITY Sophisticated Nation-State Hackers Target Cloudflare Infrastructure
Cloudflare suffered a security breach by likely nation-state actors who gained unauthorized access to its Atlassian server. The intrusion occurred between November 14-24, 2023, with the hackers carrying out reconnaissance and gaining persistent access. Over 120 code repositories were viewed, and approximately 76 were believed to be exfiltrated, focusing on Cloudflare's backup systems, network configuration, and remote access. In response to the attack, Cloudflare rotated 5,000+ production credentials and conducted a comprehensive forensic analysis and system reboot. The incident was linked to stolen credentials from an October 2023 Okta support case management system hack. Cloudflare worked with CrowdStrike for an independent review of the breach and determined that the threat actor was primarily interested in understanding Cloudflare's global network architecture, security, and management.