Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-02 20:08:53 | theregister | CYBERCRIME | Sam Bankman-Fried Escapes Second Trial Due to Prosecution Decision | U.S. prosecutors have decided not to proceed with a second trial against Sam Bankman-Fried (SBF), the disgraced cryptocurrency entrepreneur.
Prosecutors reasoned that much of the evidence for the eighth charge, which concerned unlawful campaign contributions, had already been presented at the first trial.
Any additional trial would likely delay SBF's scheduled sentencing in March 2024 and require complicated extradition negotiations with The Bahamas.
SBF had already been extradited from The Bahamas to face seven criminal charges in the U.S., which he was found guilty of in his first trial.
The seven convictions include conspiracy to commit wire fraud, commodities fraud, securities fraud, and money laundering, with a maximum combined sentence of 110 years.
Evidence at trial showed that SBF used FTX customer deposits to prop up his trading firm Alameda Research, defrauding customers, investors and lenders of roughly $10 billion.
Although the campaign finance charge will not be pursued in court, it may still influence SBF's sentencing, including potential orders of forfeiture and restitution for his crimes' victims.
Allegations against SBF include living a lavish lifestyle on stolen funds, bribing Chinese officials, witness tampering, and using over $100 million in embezzled funds for political campaign contributions. | Details |
| 2024-01-02 20:03:27 | theregister | MALWARE | Sophisticated Malware Bypasses Google Account Security Post-Password Reset | Security researchers report that info-stealing malware can keep access to Google accounts after the victim changes their password, by abusing an undocumented Google OAuth endpoint.
A cybercriminal first advertised the technique as a zero-day: it regains access to victims' accounts by generating fresh session tokens from previously stolen ones.
At least six malware families, including Lumma and Rhadamanthys, have adopted it, and others such as Eternity Stealer say they are adding it.
The malware steals OAuth tokens from the browser on the infected PC and uses them to mint new session cookies, so a password reset alone does not lock the attacker out.
The endpoint involved, "MultiLogin", is used to synchronize Google accounts across services and accepts the stolen tokens as valid.
The technique reflects a shift by criminals toward stealthier, more persistent account takeover rather than one-off credential theft.
Google had not responded to questions about countermeasures at the time of writing; logging out of the account in the browser appears to invalidate the stolen tokens. | Details |
| 2024-01-02 19:47:48 | bleepingcomputer | CYBERCRIME | Orbit Chain Suffers $86 Million Crypto Theft in Security Breach | Orbit Chain, a blockchain infrastructure project, has been compromised, resulting in a theft of $86 million in various cryptocurrencies.
The security breach occurred on December 31, 2023, with the platform's balance plummeting from $115 million to $29 million following the incident.
The attackers, who may be North Korean state-sponsored hackers, carried out a series of unauthorized transactions against the platform.
Orbit Chain is collaborating with South Korean authorities, including the Korean National Police Agency and KISA, to investigate the breach.
North Korean hacker groups like Lazarus have been suspected of conducting multiple crypto heists throughout 2023 to fund the country's sanctioned programs.
The hack may be linked to previous attacks on related projects, hinting at an ongoing pattern of sophisticated, targeted cybercrime involving blockchain protocols.
International efforts are in place to track and freeze the stolen funds, with warnings issued about phishing scams exploiting the event to victimize users further.
Scam Sniffer's data shows wallet drainers have stolen $295 million from over 320,000 victims in 2023, indicating a widespread issue with crypto theft and scams. | Details |
| 2024-01-02 19:06:30 | bleepingcomputer | RANSOMWARE | Ransomware Disrupts Major Museums' Online Collections via Service Provider | Gallery Systems, a provider of museum software solutions, has been hit by a ransomware attack resulting in IT outages.
The attack occurred on December 28, leading to the encryption of systems and taking them offline to halt further damage.
Over 800 museums are affected, including MoMA, the Met, and SFMOMA, disrupting access to the eMuseum platform used for public online viewing.
Gallery Systems is working to restore data from backups and has informed law enforcement and launched an internal investigation.
The identity of the ransomware group responsible for the attack remains unknown and Gallery Systems hasn't provided further details on the extent of the breach.
eMuseum.com subdomains, used by museums and colleges for online exhibitions, are currently offline due to the cyberattack. | Details |
| 2024-01-02 17:34:31 | bleepingcomputer | DATA BREACH | Xerox Business Solutions U.S. Division Hit by Ransomware Data Leak | Xerox Business Solutions (XBS) U.S. division has experienced a data breach after a ransomware gang leaked sensitive information.
The breach involved possible exposure of personal data and was confirmed by Xerox Corporation.
INC Ransom ransomware group claims to have stolen data and added XBS to its extortion portal on December 29.
The attack was contained by Xerox cybersecurity personnel with no reported impact on Xerox's or XBS' operations.
An investigation has been launched with the help of third-party cybersecurity experts, focusing on further securing XBS's IT environment.
Samples of data shared by the ransomware group on its leak site included emails, payment details, and purchase orders.
The extent of the breach is not yet fully known, but Xerox assured it will notify all individuals confirmed to be impacted.
XBS has since been removed from INC Ransom's leak portal, which may indicate that negotiations with the gang have resumed. | Details |
| 2024-01-02 17:03:45 | bleepingcomputer | MISCELLANEOUS | Google to Halt Usenet Support on Groups Platform Amid Spam Struggles | Google announces the discontinuation of Usenet support on Google Groups due to increasing spam and decline in legitimate use.
From February 22, 2024, Google Groups users will no longer be able to post to Usenet groups, subscribe to them, or view new Usenet content.
Historical Usenet data prior to the cutoff will still be accessible for search and view on the platform.
The use of Usenet has shifted from text-based discussions to mainly file sharing and spam, prompting Google's decision.
Google's cessation of support includes shutting down its NNTP server services and content peering with other NNTP servers.
Non-Usenet groups on the Google Groups platform will not be affected by this update.
Google provides guidance for users to transition to alternative Usenet platforms, including advice on selecting new Usenet clients and public NNTP servers. | Details |
| 2024-01-02 16:17:27 | theregister | RANSOMWARE | Cyber Attack Targets Australian Court System's Audiovisual Network | The Court Services Victoria (CSV) audiovisual network faced a cybersecurity incident, suspected to be a ransomware attack, compromising court hearing recordings.
The incident was detected on December 21, and recordings from November 1 to December 21 were potentially accessed, along with a small number of earlier files.
This breach impacted various levels of the court system, with some courts, such as the Supreme Court of Victoria, only affected for a limited time.
CSV has assured that its other systems, including employee and financial data, were unaffected, and the administration of justice continued uninterrupted.
The CSV is working with justice agencies to identify sensitive cases, notifying parties involved, and offering support in partnership with IDCARE.
Currently, there are no confirmed releases of the recordings, but CSV has established a contact center for additional support concerning the incident.
CSV is enhancing the security of its IT infrastructure as part of the system restoration process, with cybersecurity experts from the Department of Government Services assisting.
While the CSV has not officially confirmed ransomware or identified the attackers, experts suggest the Russia-based Qilin group may be involved, employing a double extortion tactic. | Details |
| 2024-01-02 15:51:33 | bleepingcomputer | DATA BREACH | Court Services Victoria Falls Victim to Ransomware Data Breach | Court Services Victoria (CSV) detected and announced a cyberattack on December 21, 2023, that compromised video recordings of court hearings.
Attackers gained access to CSV's audio-visual archive, potentially exposing sensitive information from hearings conducted between November 1 and December 21, 2023.
The breach was later discovered to have occurred on December 8, 2023, raising concerns over the extent and duration of the exposure.
CSV has isolated the affected system and notified relevant authorities, including Victoria Police and Australia's IDCARE.
Individuals potentially impacted by the breach will receive notifications from the affected courts.
Despite the cybersecurity incident, CSV ensures that court operations will continue as scheduled, with additional security measures being implemented.
The Qilin ransomware group, previously known as "Agenda", is allegedly responsible for the attack on CSV according to sources, but this has not been officially confirmed.
CSV has not disclosed whether a ransom demand was made or if any data was stolen and published by the threat actors. | Details |
| 2024-01-02 10:05:24 | thehackernews | MISCELLANEOUS | Guide to Securing Corporate Environments with Enterprise Browsers | Enterprise browsers are emerging as a key solution to address security challenges posed by the extensive use of web browsers in corporate environments.
Traditional security solutions are insufficient to manage the risks associated with browsers, which are major targets for attacks and unintentional data leaks.
The definitive Enterprise Browser Buyer’s Guide has been released to aid security teams in selecting the right enterprise browser with an actionable checklist.
Enterprise browsers must protect against unintended data exposure and various types of malicious activity, including browser vulnerabilities and phishing.
The guide emphasizes the importance of deployment, user experience, security functionalities, and user privacy when choosing an enterprise browser solution.
The Enterprise Browser Buyer’s Guide provides a detailed breakdown of necessary security functionalities, presented in five primary pillars for comprehensive coverage.
The guide concludes with a checklist of essential capabilities of an enterprise browser, facilitating a more straightforward evaluation and decision-making process for security professionals. | Details |
| 2024-01-02 09:54:37 | thehackernews | DATA BREACH | Google Settles Multibillion-Dollar Privacy Suit Over Incognito Tracking | Google has settled a class-action lawsuit claiming it tracked users' browsing activities even in 'Incognito Mode.'
The lawsuit filed in June 2020 accused Google of misleading users and violating federal wiretap laws.
Plaintiffs argued that Google collected data from private browsing sessions without adequate user consent.
A settlement has been reached, but the specific terms and financial details were not disclosed.
Google's defense centered on user consent communicated through their Incognito warning, which was found insufficient by the court.
The case emphasizes the complexities surrounding online privacy and the use of analytics and advertising APIs.
Users were unaware that their private browsing activities could still be tracked by various online services despite using 'Incognito Mode'. | Details |
| 2024-01-01 16:07:33 | bleepingcomputer | CYBERCRIME | Law Enforcement Disrupts Global Cybercrime Operations in 2023 | Law enforcement agencies around the world have conducted operations disrupting a wide array of cybercrimes, including cryptocurrency scams, phishing, and ransomware attacks.
Operations included infiltration of the Hive ransomware gang, leading to the seizure of their infrastructure and a rebranding effort from the criminals.
Dutch police hacked the encrypted communication platform Exclu to monitor criminal activities, resulting in 42 arrests after extensive investigations.
Targeted efforts by German and Ukrainian law enforcement disrupted the DoppelPaymer ransomware group, apprehending core members.
The FBI arrested the suspected administrator of NetWire RAT malware and seized related infrastructure, a tool used in various cybercrimes.
Fake DDoS-for-hire websites were created by the UK's NCA to unmask would-be cybercriminals and collect data on illegal service purchasers.
A significant amount of stolen cryptocurrency was seized by the DOJ from investment scammers, with plans to return the funds to victims.
Genesis Market, a popular stolen credentials market, was taken down during Operation Cookie Monster, with massive amounts of digital fingerprints seized.
Interpol's Operation HAECHI IV led to the arrest of 3,500 suspects and the seizure of $300 million linked to various cybercrimes.
ALPHV ransomware servers were hacked by the FBI, leading to the creation of a decryption tool, while German police took down Kingdom Market, a significant dark web cybercrime marketplace. | Details |
| 2024-01-01 15:11:24 | bleepingcomputer | DATA BREACH | Top Cybersecurity Events of 2023: Breaches and Hostile Takeovers | Credential stuffing attacks compromised 23andMe, revealing the data of 6.9 million users, with some data leaked on a hacking forum, prompting class action lawsuits.
Danish hosting provider CloudNordic suffered a crippling ransomware attack and, after recovery attempts failed, lost all customer data.
Hacktivists from Anonymous Sudan disrupted major tech firms, including Microsoft and Cloudflare, with DDoS attacks.
Researchers demonstrated an acoustic side-channel attack that recovers keystrokes from the sound of typing with up to 95% accuracy using a machine-learning classifier.
PayPal faced a large-scale credential stuffing attack, where 34,942 accounts were breached, exposing sensitive personal information.
DISH Network was hit by a ransomware attack linked to Black Basta, causing significant outages and resulting in customer data theft.
GoDaddy and MGM Resorts experienced severe cyberattacks, with GoDaddy's multi-year breach leaking code and customer information, and MGM's resort operations being disrupted by ransomware.
North Korean hacking group Lazarus infiltrated 3CX with a unique supply chain attack, distributing previously unknown info-stealing malware.
Barracuda's Email Security Gateway appliances were hacked using a zero-day vulnerability by Chinese actors, leading to the unusual recommendation of replacing the devices.
A rampant ransomware campaign dubbed ESXiArgs targeted exposed VMware ESXi servers across the globe, causing swift encryption of numerous companies' virtual machines. | Details |
| 2024-01-01 14:04:53 | thehackernews | MALWARE | New Malware Technique Circumvents Windows 10 and 11 Defenses | Researchers have described a new DLL search order hijacking variant that works on fully patched Windows 10 and 11 systems.
The technique abuses trusted executables in the WinSxS folder (C:\Windows\WinSxS), so the attacker needs neither elevated privileges nor a copy of a system binary in a directory they control.
The attacker places a malicious DLL carrying the name of a library the WinSxS binary loads into a directory under their control and launches the binary from that directory; Windows' DLL search order then resolves the name to the attacker's file.
Because the trusted binary runs from its original WinSxS location, it never has to be copied, which defeats detections keyed on system executables appearing outside their normal paths.
Detecting the technique therefore means watching the parent-child relationships of processes and the DLL loads of binaries under WinSxS, in particular loads from user-writable directories.
Security Joes, the cybersecurity firm, emphasizes the need for organizations to take preventive measures against this method.
Additional binaries within the WinSxS folder might be vulnerable to this type of attack, increasing the urgency for protective actions. | Details |
| 2024-01-01 09:40:31 | thehackernews | CYBERCRIME | Vulnerability in SSH Protocol Allows Security Downgrade Attack | A vulnerability named Terrapin (CVE-2023-48795) could let attackers downgrade the security of SSH connections.
By manipulating sequence numbers, an attacker can delete messages at the start of the secure channel without either side noticing; in practice this strips the extension negotiation (SSH_MSG_EXT_INFO), disabling features such as keystroke-timing obfuscation and downgrading the signature algorithms used for authentication.
SSH authenticates peers and protects traffic with cryptography, but the attack applies only when the connection uses ChaCha20-Poly1305 or a CBC cipher combined with Encrypt-then-MAC, both of which are widely supported defaults.
The attack requires an active adversary-in-the-middle (AitM) to intercept and modify TCP/IP traffic.
Exposure is greatest in large estates where SSH guards access to privileged systems, so patching is a priority.
Many SSH client and server implementations are affected; maintainers have issued patches, most adding a "strict key exchange" extension (kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com) that resets sequence numbers after key exchange and rejects unexpected messages during it.
Because strict key exchange only takes effect when both peers support it, companies need to patch both servers and clients; disabling the affected cipher and MAC modes is an interim mitigation. | Details |
| 2024-01-01 06:57:27 | thehackernews | MALWARE | Sophisticated JinxLoader Distributes Formbook and XLoader Malware | A new malware loader, JinxLoader, is being used in phishing attacks to distribute Formbook and XLoader malware.
Cybersecurity firms Palo Alto Networks Unit 42 and Symantec have identified the multi-step attack strategies involving JinxLoader.
JinxLoader was first advertised on hackforums[.]net and is available for purchase with subscription options ranging from $60 to $200.
Attackers are employing phishing emails, purportedly from the Abu Dhabi National Oil Company, with password-protected RAR files to execute the malware.
There has been a noticeable increase in loader malware campaigns, with infections delivering various information stealers, including a newcomer named Rugmi.
The Meduza Stealer malware has been updated, offering new features targeting browser-based cryptocurrency wallets and improved credit card data theft.
A new stealer family, Vortex Stealer, has emerged, designed to harvest browser data and other credentials and share them through Gofile, Anonfiles, Discord webhooks, and Telegram bots.
These developments indicate that stealer malware remains a highly profitable enterprise for cybercriminals, fueling the continuous innovation in malware delivery methods. | Details |
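The WinSxS DLL search order hijacking item above (2024-01-01 14:04:53) says detection comes down to watching process relationships and DLL loads of binaries under WinSxS. The following is an added example, not code from the article or from Security Joes, showing that logic as three rules run over constructed Sysmon-style records: a WinSxS binary started with a working directory outside trusted roots, a WinSxS binary spawned by a parent outside trusted roots, and a WinSxS binary loading a DLL from outside trusted roots. The field names mirror Sysmon event 1 (ProcessCreate) and event 7 (ImageLoad), but the records, the component folder, the `helper.exe` binary, the `example.dll` name and the trusted-root allowlist are all assumptions made for this example.

```python
"""Added example, not code from the article or from Security Joes: detection
logic for the WinSxS DLL search order hijacking variant, run over constructed
Sysmon-style process-creation (event 1) and image-load (event 7) records."""
import ntpath

WINSXS = r"C:\Windows\WinSxS"
# Locations from which a WinSxS binary may legitimately be started or load DLLs
# (assumption for this example; tune to the estate's baseline).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def _under(path, *roots):
    """Case-insensitive containment test on normalized Windows paths."""
    p = ntpath.normpath(path).lower()
    for root in roots:
        r = ntpath.normpath(root).lower()
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def analyze(ev):
    """Return an alert string for one event, or None if it looks benign."""
    image = ev.get("Image", "")
    if not _under(image, WINSXS):
        return None  # only executables living in WinSxS are in scope
    name = ntpath.basename(image)
    if ev["EventID"] == 1:  # process creation
        cwd = ev.get("CurrentDirectory", "")
        parent = ev.get("ParentImage", "")
        # The hijack runs the trusted binary with an attacker-controlled
        # working directory, so the DLL search order resolves there first.
        if not _under(cwd, *TRUSTED_ROOTS):
            return f"{name} started with working directory {cwd} (parent {ntpath.basename(parent)})"
        if not _under(parent, *TRUSTED_ROOTS):
            return f"{name} spawned by {parent}"
    elif ev["EventID"] == 7:  # image (DLL) load
        loaded = ev.get("ImageLoaded", "")
        if not _under(loaded, *TRUSTED_ROOTS):
            return f"{name} loaded {ntpath.basename(loaded)} from {ntpath.dirname(loaded)}"
    return None


def scan(events):
    """Run every event through analyze() and collect the alerts."""
    return [alert for alert in map(analyze, events) if alert]


# Constructed records; the component folder, binary and DLL names are hypothetical.
HELPER = r"C:\Windows\WinSxS\amd64_example-component_1.0\helper.exe"
SAMPLE_EVENTS = [
    # benign: started by a Windows service with a system working directory
    {"EventID": 1, "Image": HELPER, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CurrentDirectory": r"C:\Windows\System32"},
    {"EventID": 7, "Image": HELPER, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # suspicious: the same binary launched from a user-writable staging folder...
    {"EventID": 1, "Image": HELPER, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\stage"},
    # ...which then resolves a DLL name to the attacker's copy in that folder
    {"EventID": 7, "Image": HELPER, "ImageLoaded": r"C:\Users\alice\Downloads\stage\example.dll"},
    # out of scope: an ordinary program loading from its own install directory
    {"EventID": 7, "Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Program Files\Tool\plugin.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Image-load telemetry is noisy, which is why the rules are scoped to images under WinSxS rather than applied to every process; in a real deployment the allowlist of trusted roots should be derived from the estate's own baseline, and the working-directory rule is the one that fires earliest, before the malicious DLL has executed.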
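The Terrapin item above (2024-01-01 09:40:31) makes two points a practitioner will want to check on their own hosts: the attack only matters when ChaCha20-Poly1305 or CBC-with-Encrypt-then-MAC is negotiated, and the strict key exchange fix only protects a session when both peers advertise it. The following added example, which is not code from the article or from the Terrapin researchers (their own Terrapin-Scanner tool is the authoritative check), parses SSH KEXINIT messages (RFC 4253 section 7.1), applies the standard "first client preference the server also supports" negotiation rule, and reports whether the resulting connection stays exploitable. The algorithm identifiers are real OpenSSH names; the four peer configurations are constructed for the demonstration, and `fetch_server_kexinit` is an optional helper for reading a live server's KEXINIT that the offline demonstration does not call.

```python
"""Added example, not code from the article or the Terrapin researchers:
parse SSH KEXINIT messages and judge whether a client/server pair would
negotiate a Terrapin-exploitable (CVE-2023-48795) connection."""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # pseudo-algorithms that advertise
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # the strict key exchange fix
CHACHA = "chacha20-poly1305@openssh.com"
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload (RFC 4253 section 7.1) from name-lists."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {list_name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, {}  # skip the message id and the 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        lists[name] = [a for a in raw.split(",") if a]
        off += 4 + n
    return lists


def negotiate(client, server, name):
    """RFC 4253 rule: the first client preference the server also supports."""
    return next((a for a in client[name] if a in server[name]), None)


def mode_is_vulnerable(cipher, mac):
    """Terrapin applies to ChaCha20-Poly1305 and to CBC ciphers combined with
    Encrypt-then-MAC; CTR/GCM modes and CBC with MAC-then-Encrypt are not flagged."""
    if cipher == CHACHA:
        return True
    return cipher.endswith("-cbc") and mac is not None and mac.endswith("-etm@openssh.com")


def assess(client, server):
    """Report which directions stay exploitable after these peers negotiate.
    Strict key exchange only protects the session when BOTH sides advertise it."""
    strict = STRICT_KEX_CLIENT in client["kex"] and STRICT_KEX_SERVER in server["kex"]
    vulnerable = []
    if not strict:
        for d in ("c2s", "s2c"):
            cipher = negotiate(client, server, "enc_" + d)
            mac = negotiate(client, server, "mac_" + d)
            if cipher and mode_is_vulnerable(cipher, mac):
                vulnerable.append(f"{d}: {cipher} / {mac}")
    return {"strict_kex": strict, "vulnerable_directions": vulnerable}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Optional live check (not exercised offline): read a server's KEXINIT, the
    first unencrypted binary packet after the version exchange (RFC 4253 s6)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # servers may emit banner lines before the version string
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-TerrapinCheck\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)  # payload followed by random padding
        return body[:len(body) - pad_len]


# Constructed peers for the offline demonstration (hypothetical algorithm lists).
def _peer(strict_name, ciphers, macs):
    kex = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
    if strict_name:
        kex.append(strict_name)
    return build_kexinit({"kex": kex, "host_key": ["ssh-ed25519"],
                          "enc_c2s": ciphers, "enc_s2c": ciphers,
                          "mac_c2s": macs, "mac_s2c": macs,
                          "comp_c2s": ["none"], "comp_s2c": ["none"]})


ETM_FIRST = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
LEGACY_SERVER = _peer(None, [CHACHA, "aes256-ctr", "aes256-cbc"], ETM_FIRST)
PATCHED_SERVER = _peer(STRICT_KEX_SERVER, [CHACHA, "aes256-ctr", "aes256-cbc"], ETM_FIRST)
LEGACY_CLIENT = _peer(None, [CHACHA, "aes256-ctr"], ETM_FIRST)
PATCHED_CLIENT = _peer(STRICT_KEX_CLIENT, [CHACHA, "aes256-ctr"], ETM_FIRST)
# Unpatched client whose configuration simply avoids the affected modes.
HARDENED_CLIENT = _peer(None, ["aes256-ctr", "aes256-gcm@openssh.com"], ETM_FIRST)


def check(client_payload, server_payload):
    """Parse both KEXINITs and assess the connection they would negotiate."""
    return assess(parse_kexinit(client_payload), parse_kexinit(server_payload))
```

Running `check` over the four constructed pairs shows the point the summary makes: a patched client against a legacy server is still exploitable in both directions, only the patched/patched pair gets strict key exchange, and an unpatched client that merely prefers CTR or GCM modes negotiates a non-exploitable session even against a legacy server, which is the interim mitigation while patches roll out.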