Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11760
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-23 16:45:46 | bleepingcomputer | DATA BREACH | Jason's Deli Customer Accounts Compromised in Credential Stuffing | Jason's Deli has issued a data breach notification alerting customers to a credential stuffing attack. Unauthorized parties accessed customer reward and online account credentials, potentially affecting 344,034 individuals. Attacks on December 21, 2023, used login information likely obtained from unrelated previous data breaches. The breach's impact varies based on the personal information customers added to their profiles. Jason's Deli admitted it is unable to assess the full scope of the breach but is informing all potentially affected users. Customers are advised to reset their passwords and to use unique credentials and 2FA on all platforms. The company has committed to restoring any unauthorized usage of Deli Dollars reward points so that customers do not incur losses. | Details |
| 2024-01-23 16:04:07 | theregister | DATA BREACH | Baltimore Man Charged for Selling Personal Data in Fraud Operation | A Baltimore resident, Chouby Charleron, allegedly sold personal data used for financial fraud, potentially facing a 20-year prison sentence. Operating under the alias "The Real Jwet King," Charleron reportedly managed a TLO service in an online chat group, trafficking victims' personally identifiable information (PII). His illicit service mimicked TLOxp, which provides detailed personal data, and was used by criminals for identity theft to procure credit cards fraudulently. The operation unfolded without the use of a VPN, leading USPS investigators directly to Charleron's home IP address. Over 5,000 individuals' PII was sold, enabling fraudulent credit card activations and purchases totaling tens of thousands of dollars. Court documents describe cases where Charleron responded rapidly to criminal requests, providing PII within minutes for fraudulent financial activities. Despite an active arrest warrant, Charleron's current custody status is unclear; he is charged with conspiracy to commit wire fraud, which carries hefty fines and lengthy prison time. | Details |
| 2024-01-23 15:43:10 | bleepingcomputer | CYBERCRIME | Critical Vulnerability in GoAnywhere MFT Urges Immediate Patching | Fortra has issued a warning about a critical authentication bypass vulnerability in GoAnywhere MFT versions prior to 7.4.1. The flaw, tracked as CVE-2024-0204, allows attackers to remotely create new administrative users, gaining full system control. With a CVSS score of 9.8, the vulnerability poses serious risks, including data access, malware introduction, and enabling further network attacks. The issue affects GoAnywhere MFT versions 6.0.1 to 7.4.0, and a fix is available in version 7.4.1, released on December 7, 2023. Fortra has released both patches and manual mitigation recommendations for users to protect against the vulnerability. Previously, the Clop ransomware gang exploited a different flaw in GoAnywhere MFT, resulting in breaches at over 130 organizations. Organizations using GoAnywhere MFT are advised to promptly apply security updates and monitor logs for any signs of compromise. | Details |
| 2024-01-23 14:36:33 | thehackernews | CYBERCRIME | VexTrio: Mastermind Traffic Broker in Global Cybercrime Syndicate | VexTrio is a substantial cybercrime affiliate program identified by Infoblox, brokering malware for over 60 affiliates including ClearFake and SocGholish. Operative since at least 2017, VexTrio has been involved in distributing malware such as Glupteba through generated domains and compromised websites. In August 2023, VexTrio employed compromised WordPress sites to redirect users to malicious content using a sophisticated DNS-based traffic distribution system (TDS). VexTrio boasts a network of over 70,000 domains managing web traffic for its criminal efforts, using a dual system of HTTP and DNS-based TDS servers. The TDS servers profile site visitors based on attributes like geolocation and browser settings to reroute them to fraudulent sites, filtering out non-profitable traffic. Infoblox highlights the operation's complexity and resilience, citing the intertwined affiliate network that has evaded definitive classification for over six years. The affiliate network leverages security vulnerabilities in CMS software, particularly WordPress, to inject malicious JavaScript and propagate nefarious activities. | Details |
| 2024-01-23 14:25:55 | thehackernews | MALWARE | Malicious npm Packages Compromise SSH Keys Via GitHub | Two npm packages, warbeast2000 and kodiak2k, were found stealing SSH keys from developers and storing them on GitHub. The packages were downloaded over 1,600 times before npm maintainers removed them. The security firm ReversingLabs identified multiple versions of the malicious packages, indicating an ongoing threat. The postinstall scripts of these packages could execute additional malicious JavaScript files to access private SSH keys. The kodiak2k package was also seen executing a script capable of launching Mimikatz to extract credentials from memory. This incident highlights the continued risk of malicious software within open source package repositories and the impact on software supply chain security. The report also includes an awareness promotion for a SaaS Security Masterclass webinar derived from insights of a study spanning 493 companies. | Details |
| 2024-01-23 13:44:44 | bleepingcomputer | CYBERCRIME | Australia Imposes Sanctions on REvil Hacker for Medibank Breach | The Australian government has sanctioned Russian national Aleksandr Gennadievich Ermakov for his role in the Medibank ransomware attack. Ermakov, a member of the REvil ransomware group, is implicated in the October 2022 cyberattack on the large Australian health insurer. Personal data of about 10 million individuals, including sensitive health information, was leaked following the breach. The sanctions aim to disrupt Ermakov's activities by exposing his identity and hindering his ability to conduct cybercrime anonymously. Any financial transactions or provision of assets to Ermakov, including cryptocurrency dealings, would now constitute a criminal offense. Australia aims to deter other cybercriminals by demonstrating the consequences of targeting Australian entities and the seriousness of the nation's response to cyber threats. | Details |
| 2024-01-23 12:28:09 | thehackernews | MALWARE | Sophisticated macOS Malware Targets Cryptocurrency Wallets via Cracked Apps | A new stealer malware targeting macOS Ventura 13.6 and later has been unearthed, which is spread through cracked applications. Security experts have found that the malware, distributed via booby-trapped DMG files, is designed to harvest cryptocurrency wallet data and system information. The malware dupes users into running an "Activator" component under the guise of applying a patch, which requests administrator credentials. To avoid detection, the malware communicates with its command-and-control server using a unique DNS request method, downloading encrypted scripts that establish persistence. The backdoor, which is updated regularly, has the ability to run commands with elevated permissions, and it specifically targets Exodus and Bitcoin Core wallets to steal sensitive information. Researchers highlight an increase in the use of cracked software as an attack vector for delivering various types of malware to macOS users. The discovery underscores the growing sophistication of malware techniques aimed at cryptocurrency theft, showing the need for enhanced vigilance and cybersecurity measures. | Details |
| 2024-01-23 11:52:20 | theregister | DATA BREACH | Southern Water Hit by Ransomware Attack; Black Basta Claims Data Theft | Southern Water, a prominent UK utility firm, has confirmed that its IT systems were compromised and a limited amount of data was stolen by criminals. The Black Basta ransomware group has claimed responsibility for the attack, threatening to release more stolen data unless a ransom is paid. Leaked data appears to include personal details of customers and employees, such as identity documents, HR records, and corporate car-leasing documents. The company is investigating the breach with the help of independent cybersecurity specialists and has reported the incident to UK government agencies including the ICO. There is currently no evidence suggesting that customer service or financial systems have been affected by the attack. The incident follows recent warnings from Western intelligence about the potential for cyberattacks on water providers and other critical infrastructure. Cybersecurity authorities have placed a heightened focus on protecting the water industry due to increasing threats and the sector's limited resources. | Details |
| 2024-01-23 11:36:44 | thehackernews | DDOS | Alarming Rise in DDoS Attack Power and Duration Detailed by Gcore | DDoS attacks have escalated in scale, with a reported >100% annual increase in peak attack volume, now measured in terabits per second. Attack durations ranged from a few minutes to nine hours, with an average of about one hour, underscoring diverse strategies and the need for effective detection and mitigation. UDP floods were the most common type of DDoS attack at 62%, followed by TCP floods and ICMP attacks, highlighting the need for a multifaceted defense approach. The geographic origins of DDoS attacks were widespread globally, with the United States, Indonesia, and the Netherlands as leading sources, necessitating targeted defense and international cybercrime policy efforts. The gaming and financial sectors remain high-priority targets for DDoS attackers, which requires industry-specific security measures to mitigate potential economic and operational impacts. Gcore's data indicates a disturbing trend in DDoS threats, with attack power increasing to 1.6 Tbps, suggesting that organizations across all sectors need to enhance their cybersecurity preparedness. The report emphasizes the importance of international cooperation and intelligence sharing to effectively confront the global challenge posed by DDoS attacks. | Details |
| 2024-01-23 10:30:16 | thehackernews | CYBERCRIME | BreachForums Creator Sentenced to Supervised Release | Conor Brian Fitzpatrick, creator of BreachForums, was sentenced to 20 years of supervised release, avoiding jail. Arrested in March 2023 for access device fraud and child pornography, Fitzpatrick operated under the alias "pompompurin." BreachForums, active since March 2022, was a notorious marketplace for trading stolen data and hacking tools. The site offered bank details, Social Security numbers, and unauthorized system access services, affecting millions of people and numerous entities. The court considered Fitzpatrick's mental health in the sentencing; the final restitution for victims is pending. Fitzpatrick must undergo home arrest with GPS tracking and mental health treatment, and must avoid internet use for a year. BreachForums advertised a "Leaks Market" for trading illicit data and sold access to hacked databases through a credit system. Fitzpatrick was previously jailed for a pre-sentencing release violation involving the use of an unmonitored computer and a VPN. | Details |
| 2024-01-23 09:39:02 | thehackernews | CYBERCRIME | Massive Spike in Attacks on Critical Confluence Security Flaw | A critical vulnerability in Atlassian Confluence, identified as CVE-2023-22527 with a CVSS score of 10.0, is being actively exploited. Within three days of its public disclosure, over 40,000 attack attempts from 600+ unique IP addresses have been detected. The security flaw allows unauthenticated remote code execution on outdated versions of Confluence Data Center and Server 8. Attackers are primarily performing reconnaissance activities such as "testing callback attempts and 'whoami' execution." The majority of these attacks are originating from Russia, with significant numbers also coming from Singapore, Hong Kong, the U.S., and other countries. Over 11,000 Atlassian instances are accessible online, but the exact number of vulnerable systems is unknown. Security researchers warn of the high risk associated with this vulnerability, which can permit attackers to execute arbitrary code on affected systems. | Details |
| 2024-01-23 03:02:25 | theregister | CYBERCRIME | Australia Announces Sanctions Against Russian Cybercriminal | Australia used its 2021 "significant cyber incidents" sanctions regime for the first time, targeting Russian national Aleksandr Gennadievich Ermakov for a cyberattack on Medibank Private. The 2022 ransomware attack on Medibank resulted in the leakage of personal data of about ten million customers, including sensitive medical information. The REvil crime gang, reportedly harbored by Russia, was named as the likely perpetrator, with Ermakov being specifically implicated in the incident. Sanctions include a travel ban to Australia for Ermakov and severe penalties for anyone transacting with or supporting him. Aleksandr Ermakov's online pseudonyms are "aiiis_ermak," "blade_runner," "JimJones," and "GustaveDore," the latter referencing a renowned 19th-century French artist. Despite identifying Ermakov, the Australian government acknowledges it cannot enforce actions against him in Moscow. Following several major cyber incidents in Australia, including a data breach at Optus, this announcement serves to reassure the public of the government's proactive stance on cyber threats. | Details |
| 2024-01-23 01:35:50 | thehackernews | CYBERCRIME | Apple Releases Zero-Day Vulnerability Fix for Multiple Devices | Apple issued critical security updates for iPhones, Macs, and other devices to patch a zero-day vulnerability under active exploitation. The vulnerability, identified as CVE-2024-23222, is a type confusion issue allowing arbitrary code execution via malicious web content. Apple implemented improved checks to remediate the flaw, acknowledging reports of its exploitation. The zero-day is the first of its kind addressed by Apple in the current year, following 20 such fixes implemented last year. Apple also backported additional fixes for previously addressed vulnerabilities to older devices. The disclosure coincided with a report on Chinese authorities using known vulnerabilities in Apple's AirDrop to assist law enforcement. Apple's advisory did not specify details regarding the attackers or the scale of the compromise caused by the vulnerability. | Details |
| 2024-01-22 23:38:53 | theregister | MALWARE | Atlassian Confluence Server Under Siege by Remote Code Execution Attacks | Over 600 IP addresses are actively targeting a critical vulnerability (CVE-2023-22527) in Atlassian Confluence Data Center and Server for remote code execution (RCE) attacks. The security flaw, with a maximum severity CVSS score of 10, affects outdated Confluence versions and was disclosed by Atlassian, which urged immediate updates. Despite Atlassian's warning, more than 11,000 instances remain unpatched and exposed, with Shadowserver recording over 39,000 exploit attempts. Both Shadowserver and GreyNoise are observing a high volume of attack attempts, suggesting widespread awareness of the vulnerability among attackers. Organizations are advised to assume compromise if they're running susceptible versions, and to proceed with patching, log reviews, monitoring, and system audits. This severe RCE vulnerability is part of a recent trend of critical bugs affecting Atlassian software, with previous incidents also involving high-risk flaws. Atlassian is ending support for Server products on February 15th, and a significant portion of their user base plans to continue using these unsupported versions, potentially increasing security risks. | Details |
| 2024-01-22 23:07:59 | bleepingcomputer | CYBERCRIME | SEC Targeted in SIM-Swapping Cyberattack, False Bitcoin ETF Approval | The U.S. Securities and Exchange Commission (SEC) reported a SIM-swapping attack on the cell phone number associated with its X account. An unauthorized announcement about Bitcoin ETF approvals was issued from the hacked SEC X account prior to the SEC's legitimate statement. The SEC's investigation revealed that its telecom carrier was deceived into transferring control of the phone number to the attackers' device. The hackers did not gain access to internal systems or other social media accounts but managed to reset the @SECGov account password. The incident exposed the lack of multi-factor authentication (MFA) on the account, as the SEC had previously disabled it due to login issues. The SEC emphasized the importance of using hardware security keys or authentication apps for MFA instead of SMS. Law enforcement is actively involved in investigating the specific methods used in the SIM-swapping attack. This breach is part of a broader issue with X, which has faced numerous account hacks and the spread of malicious cryptocurrency-related advertisements. | Details |