Daily Brief
Total articles found: 11757
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-08 07:29:38 | theregister | CYBERCRIME | New Meta Feature Fuels Targeted Ads, Patch Security Flaws | Meta has rolled out a new feature that tracks link history within its in-app browser on Facebook and Instagram to enhance targeted advertising. The link history feature stores webpages visited for 30 days and is pitched as a convenience for users, though it mainly serves ad targeting. Critical security vulnerabilities have been identified, with several patches released for Google Chrome addressing issues that may affect many users. Google's Mandiant and web3 firm CertiK suffered Twitter account hijackings, which were used to promote cryptocurrency scams. The incidents underline the importance of enforcing strong security measures even when two-factor authentication (2FA) is enabled. A Nigerian national was arrested for allegedly defrauding two US charities of over $7.5 million through a business email compromise (BEC) scheme. The alleged scheme involved using stolen credentials to authorize fraudulent money transfers between the charities' banks. If convicted, the suspect faces a potential sentence of up to 20 years for each count of wire fraud, among other charges. |
| 2024-01-08 06:23:21 | thehackernews | CYBERCRIME | U.S. DoJ Charges 19 in Global $68 Million Dark Web Market Fraud | The U.S. Department of Justice has charged 19 individuals for involvement with the xDedic Marketplace, which facilitated over $68 million in fraud. The collaborative international operation included efforts by Belgium, Germany, the Netherlands, Ukraine, and Europol. Sentences for defendants range from probation to 6.5 years in prison; Ukrainian national Glib Oleksandr Ivanov-Tolpintsev received four years for his role. Among the highest-volume sellers on xDedic, Dariy Pankov earned over $350,000 from selling access to hacked servers. Nigerian national Allen Levinson, a major buyer on xDedic, targeted U.S. CPA firms for tax fraud purposes. Five individuals are pending sentencing for conspiracy to commit wire fraud; two others face potential 20-year sentences for wire fraud and identity theft. The xDedic Marketplace, shut down in 2019, traded stolen credentials for over 700,000 computers and servers as well as personal data of U.S. residents. Criminal activities facilitated by the use of these servers included tax fraud, ransomware attacks on critical infrastructure, and other illegal operations. |
| 2024-01-08 05:02:06 | thehackernews | NATION STATE ACTIVITY | North Korea Linked to $600 Million Cryptocurrency Heist in 2023 | North Korean hackers have been linked to the theft of at least $600 million in cryptocurrency in 2023, a figure that may rise to around $700 million once late-year breaches are accounted for. According to blockchain analytics firm TRM Labs, the cyber heists attributed to the DPRK were 10 times as impactful as attacks by other groups. The stolen funds are reportedly used to support North Korea's weapons of mass destruction and ballistic missile programs, amid international sanctions. The cyberattacks often involve elaborate social engineering to compromise digital wallet private keys and seed phrases, allowing unauthorized access to crypto assets. Attackers tend to convert the stolen funds into USDT or Tron and then into hard currency using high-volume over-the-counter (OTC) brokers for laundering. DPRK hackers are adapting their money laundering techniques in response to actions such as the U.S. Treasury's sanctions on crypto mixer services like Sinbad. TRM Labs highlights the need for heightened vigilance and innovation to combat North Korea's sophisticated cyber capabilities, which have amassed $1.5 billion over two years. |
| 2024-01-07 20:39:17 | bleepingcomputer | CYBERCRIME | loanDepot Hit by Cyberattack Disrupting Payment Operations | U.S. mortgage lender loanDepot experienced a cyberattack affecting its IT systems and online payment portal. The attack forced the company to take systems offline, disrupting customer access to loan payments and support. loanDepot, a major nonbank retail mortgage lender, services loans exceeding $140 billion and has a workforce of about 6,000. Acknowledging the cyber incident, the company is engaging with law enforcement and forensic experts to investigate and mitigate the breach. While the company's social media updates on the incident have been removed, customers are being directed to make payments through the call center. Recurring automatic payments will be processed, but with delayed updates in the system; making new payments via the online servicing portal is currently impossible. The exact nature of the attack is unconfirmed, but the pattern suggests a possible ransomware attack, which may have compromised sensitive customer data. Customers are advised to remain vigilant against phishing attempts and identity theft in light of the sensitive financial and personal information held by loanDepot. |
| 2024-01-07 16:40:23 | bleepingcomputer | MALWARE | Stealthy AsyncRAT Malware Campaign Targets US Infrastructure | AsyncRAT malware has been actively targeting specific entities within US infrastructure for the past 11 months. The malware is delivered via a sophisticated phishing campaign using hijacked email threads and malicious attachments that lead to the execution of the RAT. Cybercriminals have used over 300 unique loader samples and controlled the campaign through more than 100 domains, all paid for anonymously using cryptocurrency. The loaders are designed to bypass sandboxing and analysis tools by deploying decoy payloads and checking whether they are running in a virtual machine environment. AT&T Alien Labs researchers uncovered a domain generation algorithm (DGA) within the malware that consistently creates new C2 domains every week. The researchers decoded the DGA logic and predicted the future domains that will be generated up to January 2024, enhancing the ability to preemptively block potential C2 servers. While the campaign's perpetrators remain unidentified, their discretion and evasion techniques suggest a high level of sophistication and an intention to avoid detection. |
| 2024-01-07 15:08:57 | bleepingcomputer | CYBERCRIME | Quantum Encryption Under Threat from KyberSlash Vulnerabilities | The Kyber key encapsulation mechanism, part of the quantum-safe CRYSTALS suite, is vulnerable to a set of flaws named KyberSlash, which threaten the security of the encryption. The flaws allow potential recovery of secret keys through timing attacks during the decapsulation process, undermining the security of the encryption. Projects like Mullvad VPN and Signal Messenger, which use Kyber for encryption, might be at risk, although the impact varies by implementation. Patches for two vulnerabilities, KyberSlash1 and KyberSlash2, were released after researchers from Cryspen identified and reported them. Mullvad reports that its VPN product is not affected by KyberSlash, citing the use of unique key pairs for each connection as a mitigating factor. The article suggests that the overall threat posed by KyberSlash depends on specific use cases and the presence of additional security measures within the affected projects. There is no immediate comment from Signal on the impact of KyberSlash on its service or on any remediation plans. |
| 2024-01-06 16:43:55 | bleepingcomputer | MALWARE | Malware Abuses Google API to Steal Authentication Tokens | Malware strains Lumma and Rhadamanthys, among others, have been using an undocumented Google Chrome API to regenerate expired authentication cookies. The API, believed to be designed for synchronizing accounts, is being exploited to extend unauthorized access to Google accounts by reusing refresh tokens. Google has not publicly acknowledged this as an API vulnerability, considering it standard token theft, and has not documented the API beyond Chrome's source code. The company's advice to users includes logging out of Chrome or revoking sessions via g.co/mydevices to invalidate the refresh token. Additionally, Google recommends changing passwords and enabling Enhanced Safe Browsing in Chrome for added protection against phishing and malware. Victims of such malware often remain unaware of the infection until their accounts are compromised, as in the case of an Orange España employee, which led to operational disruptions. Google claims to have secured compromised accounts and notified affected users, but no clear strategy to prevent future abuse of the API has been announced. |
| 2024-01-06 15:12:25 | bleepingcomputer | CYBERCRIME | Rampant Crypto Scams Plague Popular Social Platform's Ads | A surge in advertisements on X (formerly known as Twitter) is leading users to malicious sites offering cryptocurrency scams. Scammers abuse the platform's advertising system to display crypto drainer scams, fake airdrops, and phishing operations, taking advantage of users' crypto-related interests. Security researcher MalwareHunterTeam has been documenting and alerting others to the prevalent scam advertisements, many of which originate from verified accounts. Community warnings emerge as vigilant users try to alert others about the fraudulent ads and wallet-draining schemes. A notable 'MS Drainer' scam was reported to have stolen $59 million from over 63,000 victims within nine months through deceptive ads on Google Search and X. User frustration is mounting over the platform's apparently lax ad vetting process, amid speculation that a sharp decline in ad revenue is leading to less scrutiny of ad content. X's diminished response rate to press inquiries underscores the growing concern about ad-related cybercrime on the platform. |
| 2024-01-06 13:25:38 | theregister | CYBERCRIME | Ransomware Payment Ban Debate: Risks and Sector Vulnerability | Experts argue that a universal ransomware payment ban is impractical and could spur more targeted attacks on critical infrastructure. Criminals may exploit exceptions for critical infrastructure, knowing that hospitals and utilities cannot afford downtime during crises. In 2023, ransomware gangs attacked 46 US hospital systems, affecting 141 hospitals and resulting in significant disruptions and data theft. Enforcement of a payment ban would require unprecedented international cooperation, which is challenging given competing geopolitical interests. Underfunded sectors such as local governments and schools are increasingly targeted, and a ban without support for them would be detrimental. In the United States, nearly $375 million in grants is available to help state and local governments enhance their cybersecurity defenses. Despite the challenges, there is a growing consensus around not paying ransoms, with 50 countries pledging not to pay at a White House summit. The advice for organizations is to invest in proactive defenses: strong passwords, encryption, zero-trust access, network segmentation, multi-factor authentication, regular software updates, and backups. |
| 2024-01-06 08:25:04 | thehackernews | NATION STATE ACTIVITY | Sea Turtle Espionage Strikes Dutch Telecoms and IT Sector | A threat actor named Sea Turtle, linked to Türkiye, has targeted Dutch IT and telecom companies for espionage. The group exploits supply chain vulnerabilities and uses DNS hijacking for credential theft and intelligence gathering. Victims include telecommunications companies, ISPs, IT service providers, media outlets, and Kurdish websites, with the aim of monitoring minority groups and political dissidents. Sea Turtle has been active since at least January 2017, with Microsoft connecting its operations to Turkish strategic interests in multiple countries. The group uses a Linux/Unix reverse TCP shell, SnappyTCP, with variants that use either secure TLS connections or cleartext communication to maintain control and persistence. In a 2023 attack, Sea Turtle used a compromised cPanel account to deploy SnappyTCP and exfiltrate an email archive, though it is unclear how the initial credentials were obtained. Organizations are advised to adopt stronger passwords, enable 2FA, limit login attempts, monitor SSH traffic, and ensure timely updates of systems and software to mitigate the risk of such attacks. |
| 2024-01-06 06:53:26 | thehackernews | NATION STATE ACTIVITY | Pro-Iranian Hackers Strike Albanian Entities with Destructive Malware | A pro-Iranian group called Homeland Justice used a wiper malware named No-Justice to target Albanian organizations, including ONE Albania and Eagle Mobile. The cyberattacks were specifically directed at Albania after the group declared it would "destroy supporters of terrorists." The No-Justice malware is configured to make the operating system unrecoverable by tampering with the Master Boot Record. In the campaign, a PowerShell script was deployed alongside the wiper for propagation within the network. The attacks have raised concerns, given the increased activity of Iranian hacktivist proxies like Cyber Av3ngers and Cyber Toufan across Israel and the U.S. These threat actors employ double-retaliation strategies in their attacks, leveraging psychological warfare and targeting both Israeli and U.S. entities. Despite efforts to curb such threats, several organizations remain severely affected, with some still inoperable more than a month after being attacked. The Israel National Cyber Directorate is monitoring around 15 hacker groups operating against Israeli cyberspace, employing tactics reminiscent of the cyber dimension of the Ukraine-Russia conflict. |
| 2024-01-05 22:20:48 | bleepingcomputer | RANSOMWARE | Weekly Ransomware Digest: Decryptors Revealed, Attacks on Xerox and CSV | BleepingComputer demonstrated a new decryptor for Black Basta ransomware that was used by professionals until the group fixed the flaw in December 2023. Despite the decryption capability, Black Basta's negotiation sites remain operational, although its data leak site is facing technical difficulties. Xerox subsidiary XBS was targeted by a ransomware attack; the INC Ransomware group claimed to have significant access, which has not been independently verified. Australia's Court Services Victoria (CSV) experienced a ransomware incident, compromising the security of court hearing recordings. The sale of Zeppelin ransomware source code on a hacking forum could indicate a potential rise in ransomware-as-a-service operations that requires close monitoring. Several new ransomware variants were identified, including Shuriken, a new Xorist variant, Mallox, and Empire, each with unique file extensions and ransom notes. A notable incident reported was the Russian hacker attack on Ukraine's largest telecom, Kyivstar, which resulted in a complete wipe of the core network's systems. |
| 2024-01-05 22:00:18 | theregister | CYBERCRIME | Ransomware Attackers Threaten Cancer Patients in Extortion Tactic | Attackers infiltrated Seattle's Fred Hutchinson Cancer Center, stealing sensitive medical records and then threatening to swat patients unless a ransom was paid. Swatting involves making false reports to law enforcement that prompt an armed response at the victim's location; here it was used as pressure to force payment. The center notified both the FBI and local authorities; the FBI investigated the cyber incident as well as the swatting threats. Integris Health in Oklahoma suffered a similar cyber incident, with patients informed about potential personal data breaches and subsequent threats. These crimes reflect a disturbing trend toward more aggressive extortion measures by cybercriminals, including threats of real-world violence. Security experts such as Emsisoft advocate a ban on ransom payments, citing an escalation in criminals' aggression. Miscreants have expanded their extortion tactics beyond encryption to sending threatening texts, delivering flowers with demands, and leveraging the clients of victim companies. Ransomware attacks against hospitals are increasing, with the number of US hospital networks infected rising from 25 in 2022 to 46 in 2023. |
| 2024-01-05 21:19:19 | bleepingcomputer | CYBERCRIME | U.S. Justice Department Charges 19 in xDedic Cybercrime Marketplace Case | The U.S. Department of Justice, with international support, charged 19 suspects for involvement with the xDedic cybercrime marketplace. xDedic facilitated over $68 million in fraudulent activity and offered more than 700,000 compromised servers, including 150,000 in the U.S. The transnational operation seized xDedic's domains and infrastructure, with law enforcement from multiple countries participating. Two key figures in the operation, Moldovan Alexandru Habasescu and Ukrainian Pavlo Kharmanskyi, have been sentenced to prison terms. Marketplace seller Dariy Pankov and buyer Allen Levinson were also sentenced for their roles, with Pankov having listed over 35,000 compromised servers and Levinson having requested over $60 million in fraudulent tax refunds. The operation is part of a broader international law enforcement effort that has taken down various dark web markets and arrested numerous cybercriminals. |
| 2024-01-05 20:08:04 | bleepingcomputer | DATA BREACH | BreachForums Admin Arrested for Violating Pretrial Conditions | Conor Fitzpatrick, admin of BreachForums, was arrested for breaking the terms of his pretrial release. Initially detained for managing BreachForums, a platform for leaking stolen data, Fitzpatrick was known as Pompompurin in cybercriminal circles. After RaidForums was seized by the FBI, Pompompurin founded BreachForums to continue similar activities. Fitzpatrick faced charges for the theft and sale of sensitive information affecting millions of individuals and numerous organizations. Released on a $300,000 bond, Fitzpatrick was barred from using computers without monitoring software and from accessing VPN services. A court document reveals an additional arrest on January 2nd for violating these specific pretrial conditions. Fitzpatrick is to remain in custody pending a court appearance in the Eastern District of Virginia. |