Daily Brief
Find articles below; each entry includes a generated summary.
Total articles found: 11758
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-10 18:37:28 | bleepingcomputer | CYBERCRIME | Increasing Phishing Scams Exploit 401(k) Communications to Steal Credentials | Cybercriminals are targeting employees with phishing emails disguised as 401(k) statements and HR updates to steal corporate credentials. Cofense has reported a rise in phishing emails with embedded QR codes leading to fake login pages. Attackers are using lures related to open enrollment periods, salary adjustments, and employee satisfaction surveys. Cybercriminals capitalize on the importance and urgency employees associate with these communications to increase the chances of successful credential theft. Despite robust email security measures, many phishing attempts still penetrate corporate defenses and reach employee inboxes. HR departments are advised to schedule and pre-announce legitimate communications to help employees distinguish between genuine and malicious emails. Companies may need to educate employees extensively to mitigate risks, especially those that outsource HR operations. Organizations are recommended to avoid using QR codes in official communications, as they are frequently utilized in phishing scams. |
| 2024-01-10 17:04:57 | theregister | CYBERCRIME | Ransomware Victims Targeted by Fake Cyber Samaritan Extortion | Posing as security researchers, cybercriminals attempted to extort additional payments from ransomware victims. Fraudulent actors targeted businesses already hit by Royal and Akira ransomware, demanding fees for alleged "post-exploitation services." In one scheme, victims were promised deletion of their data from the attacker's server; in another, the offer was access to stolen data. The extortionist, employing various monikers, asked for about 5 Bitcoin, but no payments were made in the disclosed cases. Arctic Wolf Labs researchers found that both extortion attempts seem to be linked to the same individual or group. Established ransomware groups like Conti and Karakurt have been known for similar re-extortion practices. The recent targets were US-based SMBs, with motives for the specific targeting remaining unclear. The incidents may represent the work of an individual breaking away from their group, signified by the small ransom demands and the use of throwaway aliases. |
| 2024-01-10 16:59:36 | bleepingcomputer | MISCELLANEOUS | Windows 10 BitLocker Update Installation Issues Emerge | Windows 10 users are facing installation failures when applying the KB5034441 security update for BitLocker with error code 0x80070643. The update was released as part of Microsoft's January 2024 Patch Tuesday to address a BitLocker encryption bypass vulnerability (CVE-2024-20666). Microsoft has acknowledged that the error occurs due to insufficient disk space in the Windows Recovery Partition to support the update's new version of Windows Recovery Environment (WinRE). Users are advised by Microsoft to manually enlarge the Windows Recovery Partition by shrinking the C: partition and following several command line steps. However, performing these manual steps carries a risk of damaging partitions, and users should back up their data beforehand. There are reports that even after increasing the Recovery Partition size, some users still experience the update failure. Microsoft has yet to offer an automated solution to mitigate the installation issues, advising less tech-savvy users to wait rather than risk performing complex manual steps. |
| 2024-01-10 15:32:11 | theregister | CYBERCRIME | ShinyHunters Cybercriminal Sentenced to Three Years, Fined $5M | Sebastien Raoult, a cybercriminal member of the ShinyHunters group, has been sentenced to three years in prison. Raoult was responsible for creating phishing websites that mimicked major brands, successfully harvesting login credentials. Proceeds from the illegal activities, including sales of the stolen data on the dark web, exceeded $6 million over two years. The cybercrime group targeted over 60 companies and was involved in high-profile breaches, including those affecting AT&T Wireless and Microsoft. In addition to prison time, Raoult is ordered to pay $5 million in restitution and will be under supervised release for three years following his sentence. Through international collaboration, Raoult was extradited from Morocco to the US after France declined extradition. Two accomplices, Gabriel Kimiaie-Asadi Bildstein and Abdel-Hakim El Ahmadi, are also indicted but have yet to be sentenced. |
| 2024-01-10 15:21:43 | thehackernews | MALWARE | NoaBot: Mirai Botnet Variant Exploits SSH for Crypto Mining | NoaBot, a new Mirai-based botnet, targets SSH servers to spread malware and facilitate crypto mining operations. Akamai researchers discovered NoaBot's self-spreading capabilities and SSH key backdoor for executing additional binaries. A resemblance between NoaBot and the P2PInfect malware campaign suggests possible actor crossover and strategy shifts. NoaBot uses an SSH scanner to brute-force vulnerable systems and establish persistent access via SSH public key authentication. NoaBot's antivirus detection signatures differ from those of other Mirai variants, complicating threat detection efforts. NoaBot features an obfuscated, modified version of XMRig for mining, which hides mining details, preventing profitability assessment. Approximately 849 victim IP addresses have been identified, with a significant concentration of attacks in China. Akamai emphasizes the importance of restricting open internet SSH access and using strong, unique passwords to mitigate risks. |
| 2024-01-10 14:50:04 | bleepingcomputer | CYBERCRIME | ShinyHunters Hacker Sentenced to Prison for Multi-Million Dollar Fraud | The U.S. District Court in Seattle has sentenced Sebastien Raoult of the ShinyHunters group to three years in prison with a restitution payment of $5 million. Raoult, also known as 'Sezyo Kaizen,' participated in a hacking operation that targeted over 60 companies and caused over $6 million in damages. The 22-year-old French national was arrested in 2022 in Morocco and extradited to the U.S. in January 2023; he pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. ShinyHunters used phishing pages and stolen credentials to access and steal sensitive data, including personal and financial information. The group threatened to leak or sell the data if ransoms were not paid, and they followed through on these threats, causing reputational and financial damage to victimized companies. Raoult expressed remorse for his actions and pledged to quit hacking while facing the possibility of early release due to time served in detention. |
| 2024-01-10 11:34:20 | thehackernews | MISCELLANEOUS | Strategies to Combat the Growing Enterprise Attack Surface | IT professionals face challenges in managing the ever-expanding enterprise attack surface due to digitization and the adoption of new technologies. Large organizations struggle to keep pace with security demands, often getting inundated with false positives from an excess of specialized security tools. The explosion of the attack surface is driven by increased cloud usage, remote working trends, proliferating IoT devices, supply chain vulnerabilities, AI/ML, and social networking. Traditional defensive measures like firewalls and VPNs have become obsolete; prioritizing identity security through IAM and PAM is now critical. Cyber insurance has become an important part of cybersecurity strategies, providing a financial safety net for organizations in the event of breaches. Safeguarding digital identities is essential, as compromised credentials are a frequent attack vector, with over 54% of analyzed attacks using valid user accounts for malicious activities. |
| 2024-01-10 10:35:54 | thehackernews | MALWARE | Free Decryptors Thwart Black Basta and Babuk Ransomware | Cisco Talos released a decryptor for the Tortilla variant of Babuk ransomware, aiding victims in file recovery. The release was facilitated by threat intelligence shared with Dutch police, leading to an arrest of the threat actor. Avast updated its Babuk decryptor, leveraging a single key effective for all Tortilla ransomware victims. The Tortilla ransomware exploited ProxyShell vulnerabilities in Microsoft Exchange and is based on leaked Babuk source code, indicating a trend of derivative ransomware. Security Research Labs developed a decryptor for Black Basta ransomware, exploiting a cryptographic flaw, although recent fixes by the creators have limited its effectiveness. The Black Basta Buster can partially or fully recover files, with limitations based on file size, highlighting ongoing efforts to counter ransomware threats. |
| 2024-01-10 08:52:49 | thehackernews | DATA BREACH | FTC Enforces Ban on Outlogic for Selling Sensitive Location Data | The FTC has banned Outlogic (formerly X-Mode Social) from selling sensitive location data. The ban stems from allegations of tracking visits to sensitive locations without adequate safeguards. As part of a settlement, Outlogic must destroy collected data unless it has user consent or de-identifies it. This action represents the first-ever FTC ban on the sale of sensitive location data. Outlogic previously sold data to the U.S. military and other entities, drawing scrutiny in 2020. The company was accused of a lack of transparency and failing to honor user opt-out requests. Senator Ron Wyden commended the FTC's decision but emphasized the need for robust privacy legislation. |
| 2024-01-10 05:27:53 | thehackernews | MALWARE | Microsoft Tackles 48 Security Flaws in Latest Patch Update | Microsoft's January 2024 Patch Tuesday addressed 48 vulnerabilities, with 2 rated Critical and 46 rated Important. The patches covered a range of Microsoft software, with no current evidence of any being publicly known or under active exploitation. The Critical issues include CVE-2024-20674, allowing for impersonation and requiring a machine-in-the-middle attack for exploitation. CVE-2024-20700 allows for remote code execution without authentication, dependent on a race condition. CVE-2024-20653, a privilege escalation vulnerability, and CVE-2024-0056, a TLS security bypass, were among other significant vulnerabilities patched. Microsoft disabled FBX file insertion in Office applications due to a remote code execution flaw (CVE-2024-20677). Other vendors also released updates, highlighting the continuous need for vigilant patch management across software used in enterprise environments. |
| 2024-01-10 04:51:56 | thehackernews | CYBERCRIME | CISA Updates KEV Catalog with Six Actively Exploited Vulnerabilities | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six security flaws to its Known Exploited Vulnerabilities catalog due to active exploitation evidence. The vulnerabilities affect products from Apple (iOS), Apache, Adobe, D-Link, and Joomla, with one high-severity flaw in Apache Superset enabling remote code execution. Apache Superset's vulnerability (CVE-2023-27524) has a CVSS score of 8.9 and was addressed in version 2.1; it presents a risk of credential compromise and data exfiltration. CVE-2023-41990, a flaw in Apple's iOS, was exploited in Operation Triangulation attacks to execute remote code via a malicious iMessage PDF attachment. CISA has mandated Federal Civilian Executive Branch agencies to patch these vulnerabilities by January 29, 2024, to protect against these active threats. The agency's emphasis on these vulnerabilities highlights the ongoing risks and the importance of timely security updates in mitigating potential cyber attacks. |
| 2024-01-10 03:09:47 | theregister | NATION STATE ACTIVITY | US Navy Sailor Sentenced for Selling Secrets to Chinese Spies | A US Navy petty officer, Wenheng Zhao, was sentenced to 27 months in prison for providing sensitive military information to Chinese intelligence operatives. Zhao, based at Naval Base Ventura County, received around $14,866 in bribes from August 2021 to May 2023. Using encrypted communication, Zhao shared details on US Navy operations, military training, exercises, and critical infrastructure, including plans and blueprints. The sailor took steps to destroy evidence and conceal the espionage activities from US authorities. Zhao's actions were part of China's broader efforts to undermine US national security, emphasizing the ongoing conflict between US law enforcement and Chinese intelligence operations. The recent APEC summit displayed attempts to improve communication between the US and Chinese military leadership despite historical tensions and underlying strategic conflicts. Zhao's sentencing reflects the commitment of the US Justice Department and the FBI to counter foreign espionage and penalize those who compromise national security. |
| 2024-01-09 23:35:59 | bleepingcomputer | CYBERCRIME | Nigerian Cybercriminal Sentenced for Laundering Millions from Elder Fraud | Olugbenga Lawal, a Nigerian national, has been sentenced to over 10 years in prison for money laundering connected to elder fraud. Victims of the fraud were often deceived into believing they were in a romantic relationship, which led to financial exploitation. In 2022, elder Americans reported massive losses of $3.1 billion to internet fraud schemes, indicating a significant rise in such crimes. Lawal was a member of the Black Axe organized crime group, which specifically targeted elderly individuals for large-scale financial scams. He and his associates laundered millions of dollars obtained through business email compromise and romance scams from January 2019 to June 2020. Lawal's operations involved multiple bank accounts, financial institutions, and the purchase and export of vehicles to repatriate funds to West Africa. INTERPOL's recent operation led to the arrest of over 70 suspects linked to the Black Axe group, with some tied to $1.8 million in fraud. Along with the prison sentence, Lawal has been ordered to pay restitution exceeding $1.46 million. |
| 2024-01-09 22:34:34 | bleepingcomputer | CYBERCRIME | U.S. SEC Twitter Account Compromised to Endorse Fictitious Bitcoin ETFs | The Twitter account for the U.S. Securities and Exchange Commission was hacked to falsely claim the approval of Bitcoin ETFs. The fraudulent post announced Bitcoin ETF listings on registered securities exchanges, complete with fake quotes from SEC Chairperson Gary Gensler. As a result of the fake announcement, Bitcoin's price experienced a transient surge before retracting upon revelation of the cyberattack. Chairperson Gensler and the SEC refuted the claims, emphasizing that there have been no approvals for Bitcoin exchange-traded products. The SEC is investigating the breach, with concerns about whether proper security measures, such as two-factor authentication, were in place. This incident is part of a broader trend of verified Twitter accounts being compromised for cryptocurrency-related frauds and scams. Just recently, accounts of notable entities like Netgear, Hyundai MEA, and Web3 and cybersecurity firms have also been targeted by similar hacking incidents. |
| 2024-01-09 22:29:14 | theregister | MISCELLANEOUS | Recent Tech Patch Updates Tackle Potential Security Flaws | Microsoft's Patch Tuesday offered 49 Windows security updates, including two critical-rated bugs and four high-severity Chrome flaws in Microsoft Edge. None of the January CVEs are currently being exploited, but CVE-2024-20674 in Windows Kerberos is noted as "exploitation more likely." CVE-2024-20700, another critical update, addresses an RCE bug in Windows Hyper-V, requiring network access for exploitation. Adobe patched six "important" vulnerabilities in Substance 3D Stager, with no known active exploits prior to the update. SAP released 12 patches, highlighted by three HotNews Notes with CVSS scores of 9.1, addressing serious vulnerabilities such as privilege escalation. Cisco rolled out an update for privilege escalation vulnerabilities in its Identity Services Engine, with one CVE lacking a patch but considered a non-critical issue due to certain prerequisites for exploitation. Google's January Security Bulletin for Android corrected 59 CVEs, with the most severe allowing local privilege escalation, though no active exploits were reported. |