Daily Brief

The entries below are news items with generated summaries.

2023-12-31 15:12:30 bleepingcomputer DATA BREACH Ateam's Google Drive Misconfiguration Exposes Nearly 1 Million People's Data
Japanese game developer Ateam exposed the personal information of 935,779 people through a single Google Drive sharing setting: for more than six years the affected files were set to "anyone with the link", which grants read access to anyone who obtains or guesses the URL, with no authentication. The exposed data varied by file and covered customers, employees and business partners; the largest group was more than 700,000 users of Ateam Entertainment's games. There is no evidence the files were accessed or copied by a third party, but link-sharing in cloud storage is effectively public access, the same failure class as world-readable Amazon S3 buckets behind many earlier leaks, and it is only caught by periodically auditing sharing settings rather than trusting a link to stay private. The US Cybersecurity and Infrastructure Security Agency (CISA) publishes guidance on securing cloud services against this kind of accidental exposure. Ateam has told affected individuals to be wary of unsolicited contact that may follow from the exposure.
2023-12-30 15:14:29 bleepingcomputer MALWARE Flaw in Black Basta Ransomware Enables Free File Recovery
Security researchers at SRLabs have published "Black Basta Buster", a set of scripts that exploits a flaw in the Black Basta ransomware's file encryption to recover files without paying. It applies to victims encrypted between November 2022 and shortly before the gang corrected the bug in late December 2023. Recovery depends on file size: files under 5,000 bytes cannot be recovered, files between 5,000 bytes and 1 GB can be fully recovered, and for files over 1 GB the first 5,000 bytes are lost while the remainder is restored. The flaw is in how the encryptor applies its 64-byte keystream: it XORs the same keystream against chunk after chunk of the file, so wherever the original file held a run of zero bytes the ciphertext block is the keystream itself, and once that block is found the rest of the file can be XORed back. SRLabs notes that virtual disk images, which contain large zero-filled regions, have a high chance of being fully restored. Some digital forensics and incident response (DFIR) firms had quietly used the weakness for months to help clients avoid paying before the tool was made public. Black Basta, which has been linked to the FIN7 group, has run double-extortion attacks against corporate victims since April 2022.
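The keystream-reuse flaw described above, as an added example in Python. This is not SRLabs' tool and not the real encryptor: the malware derives its 64-byte keystream with XChaCha20, while this model uses random bytes and a SHA-256 counter construction as a stand-in for a properly advancing cipher. The sample "disk image", the key sizes and the function names are all constructed for the demonstration.

```python
"""Toy model of the keystream-reuse flaw that Black Basta Buster exploits.

Added example, not SRLabs' tool and not the real encryptor. The property
exploited is the same: ciphertext = plaintext XOR keystream, with one
64-byte keystream block reused for every chunk of the file.
"""
import hashlib
import random
from collections import Counter
from typing import Optional

BLOCK = 64  # chunk size described in the SRLabs write-up


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """The flaw: every chunk is XORed with the SAME 64-byte keystream block."""
    assert len(keystream) == BLOCK
    return b"".join(xor_bytes(plaintext[i:i + BLOCK], keystream)
                    for i in range(0, len(plaintext), BLOCK))


def fixed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy corrected variant: a distinct keystream block per chunk, derived from
    key || chunk index with SHA-256 (a stand-in for a stream cipher's counter)."""
    out = []
    for idx, i in enumerate(range(0, len(plaintext), BLOCK)):
        ctr = idx.to_bytes(8, "big")
        ks = (hashlib.sha256(key + ctr + b"\x00").digest()
              + hashlib.sha256(key + ctr + b"\x01").digest())
        out.append(xor_bytes(plaintext[i:i + BLOCK], ks))
    return b"".join(out)


def recover_keystream(ciphertext: bytes, min_repeats: int = 2) -> Optional[bytes]:
    """A zero-filled plaintext chunk encrypts to the keystream itself (0 XOR k = k).
    Because the keystream is reused, every such chunk gives the identical ciphertext
    block, so the most frequent full-size block is the keystream. Returns None when
    no block repeats: a file with no zero runs (or too small to hold one) cannot be
    recovered this way, which matches the small-file limitation SRLabs reports."""
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return None
    block, count = Counter(blocks).most_common(1)[0]
    return block if count >= min_repeats else None


def decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    return flawed_encrypt(ciphertext, keystream)  # XOR is its own inverse


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed sample shaped like a VM disk image: file data separated by
    zero-filled unallocated regions (why SRLabs rates such images highly recoverable)."""
    rng = random.Random(seed)
    parts = []
    for _ in range(6):
        parts.append(bytes(rng.randrange(256) for _ in range(rng.randrange(200, 700))))
        parts.append(bytes(BLOCK * rng.randrange(2, 5)))  # 128..256 zero bytes
    return b"".join(parts)


def demo() -> dict:
    image = build_sample_image()
    rng = random.Random(99)
    keystream = bytes(rng.randrange(256) for _ in range(BLOCK))
    ct = flawed_encrypt(image, keystream)
    ks = recover_keystream(ct)
    return {
        "keystream_recovered": ks == keystream,
        "file_restored": ks is not None and decrypt(ct, ks) == image,
        "fixed_variant_recoverable": recover_keystream(fixed_encrypt(image, b"k" * 32)) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Against the flawed scheme the most frequent ciphertext block is the keystream and the whole image decrypts; against the per-chunk variant no block repeats and `recover_keystream` returns None, which is the behaviour to expect from encryptors that do not share this bug.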
2023-12-30 09:33:46 thehackernews CYBERCRIME Surge in Phishing Attacks Draining Cryptocurrency Wallets
Security researchers are seeing more phishing campaigns across many blockchain networks built specifically to empty cryptocurrency wallets. The Angel Drainer group sells a "scam-as-a-service" operation, supplying wallet-draining scripts to affiliates in exchange for a cut of the proceeds; a rival service, Inferno Drainer, blamed for stealing more than $70 million from over 100,000 victims, recently announced it was shutting down. The kits lure users, often through malvertising or misleading social media posts, to fake sites that ask them to connect their wallet and then sign a transaction or message that hands control of their assets to the attacker: an ERC-20 "approve" call or an off-chain "permit" signature granting a malicious contract an allowance, which the drainer then uses to transfer the tokens out. The proceeds are laundered through mixers or split across many transfers to obscure the trail before being cashed out. Recommended defences include hardware wallets, verifying the contract a site asks you to interact with, and periodically reviewing and revoking token allowances. A hardware wallet only helps if the user reads what the device asks them to sign; an unlimited approval confirmed on a hardware wallet is just as useful to the attacker.
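The "approve" step described above, seen from the signing side, as an added example that is not from the article or any wallet's code: a minimal decoder for the two on-chain approval calls drainers rely on, so the spender and the allowance are visible before the transaction is confirmed. The 4-byte selectors are the well-known values for approve(address,uint256) and setApprovalForAll(address,bool). An EIP-2612 "permit" is an off-chain signature rather than calldata and is out of scope here. All addresses and calldata are constructed.

```python
"""Decode what a wallet-drainer transaction is really asking the user to sign.

Added example; constructed addresses and calldata, not from any real incident.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

UINT256_MAX = 2**256 - 1
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}


@dataclass
class ApprovalRequest:
    function: str
    spender: str              # who gains the right to move the tokens
    amount: Optional[int]     # token allowance; None for setApprovalForAll
    unlimited: bool           # uint256 max allowance, or blanket NFT approval


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    w = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("truncated calldata")
    return w


def decode_approval(calldata_hex: str) -> Optional[ApprovalRequest]:
    """Return the approval the calldata grants, or None if it is not an approval."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    fn = SELECTORS.get(data[:4])
    if fn is None:
        return None
    spender = "0x" + _word(data, 0)[12:].hex()  # address is the low 20 bytes of the word
    value = int.from_bytes(_word(data, 1), "big")
    if fn.startswith("approve("):
        return ApprovalRequest(fn, spender, value, value == UINT256_MAX)
    approved = value == 1  # ABI bool
    return ApprovalRequest(fn, spender, None, approved)


def is_risky(req: ApprovalRequest, trusted_spenders: Set[str]) -> bool:
    """Unlimited or blanket approval to a spender the user has not vetted."""
    return req.unlimited and req.spender.lower() not in {s.lower() for s in trusted_spenders}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(...) calldata for the constructed samples below."""
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return "0xa22cb465" + operator[2:].lower().rjust(64, "0") + format(int(approved), "064x")


# Constructed sample transactions a drainer page might prompt for.
DRAINER_CONTRACT = "0x" + "ab" * 20      # hypothetical attacker contract
TRUSTED_ROUTER = "0x" + "cd" * 20        # hypothetical vetted DEX router
SAMPLES = {
    "drainer_unlimited_approve": encode_approve(DRAINER_CONTRACT, UINT256_MAX),
    "legit_bounded_approve": encode_approve(TRUSTED_ROUTER, 1000 * 10**18),
    "drainer_nft_blanket": encode_set_approval_for_all(DRAINER_CONTRACT, True),
    "plain_transfer": "0xa9059cbb" + "00" * 64,   # transfer(address,uint256): not an approval
}


def triage(samples=SAMPLES, trusted=frozenset({TRUSTED_ROUTER})) -> List[tuple]:
    """(name, function or None, risky) for each sample."""
    out = []
    for name, calldata in samples.items():
        req = decode_approval(calldata)
        out.append((name, req.function if req else None, bool(req and is_risky(req, trusted))))
    return out


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The same decoding is what a wallet's confirmation dialog should surface: the spender address and whether the allowance is unbounded. The allowlist of trusted spenders is a placeholder for the user's own judgement about which contracts they have verified.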
2023-12-29 20:40:27 bleepingcomputer RANSOMWARE LockBit Ransomware Continues Hospital Attacks Amid Quiet Week
LockBit affiliates continue to hit hospitals despite the operation's stated policy of not attacking them: after handing over a free decryptor for the Hospital for Sick Children in Toronto, the gang recently struck three German hospitals, disrupting emergency room services. Elsewhere this week, Yakult Australia confirmed a cyber incident after 95 GB of data from its Australian and New Zealand IT systems was leaked, and the Ohio Lottery shut down several internal applications after a Christmas Eve attack claimed by the new DragonForce ransomware operation. Two New York hospitals have gone to court to recover data that LockBit stole from them and stored on Wasabi Technologies' cloud servers. Microsoft has once again disabled the MSIX ms-appinstaller protocol handler because of its abuse in malware campaigns that can lead to ransomware. New ransomware variants with new file extensions and ransom notes were also identified, the usual sign of continued development across the ecosystem.
2023-12-29 20:24:51 bleepingcomputer CYBERCRIME Hospitals Fight to Recover Data from Ransomware Attack via Legal Action
Two not-for-profit hospitals in New York are pursuing legal action to recover data stolen in an August ransomware attack by the LockBit gang. The data, which includes patient names, Social Security numbers and health records, is being held on servers of the cloud storage provider Wasabi Technologies. The hospitals, members of the North Star Health Alliance serving more than 220,000 residents, had to divert urgent care patients elsewhere after the attack, which disrupted patient care and emergency services as well as exposing data. Working with the FBI, they are seeking a court order compelling Wasabi to return the stolen data and requiring the ransomware group to destroy any copies. LockBit attacks have had similar effects elsewhere, disrupting emergency services in Germany and delaying treatments at a children's hospital in Toronto.
2023-12-29 16:15:14 bleepingcomputer MALWARE Malware Exploits Google OAuth to Hijack User Accounts
Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint to regenerate expired Google session cookies and regain access to victims' accounts. Because the technique mints fresh authentication cookies rather than replaying stolen ones, access persists even after the victim changes their password. CloudSEK researchers traced the method to a threat actor calling themselves PRISMA, who first disclosed it: it calls the "MultiLogin" endpoint, which Google uses to synchronise sessions across its services, with token:GAIA ID pairs extracted from a Chrome profile and receives valid service cookies in return. Malware developers have adopted it quickly; at least six infostealer families now use it, and Lumma has already altered its implementation to evade Google's abuse detection, which suggests Google is aware of the activity. Google had not responded to questions at publication, so the state of exploitation and mitigation is unclear. The practical point for responders is that a password reset alone does not evict the attacker from an affected account.
2023-12-29 16:04:37 bleepingcomputer MALWARE Slay the Spire Mod Update Infects Gamers with Password-Stealing Malware
The "Downfall" mod for the game Slay the Spire was compromised to distribute the Epsilon information stealer. The malware collects browser cookies, saved passwords and stored credit card details, as well as data from Steam and Discord accounts. Anyone who launched the mod during the Christmas Day window in which the malicious update was live is advised to change all important passwords. The attacker pushed the payload through the mod's Steam and Discord update channels, disguised as a Unity library installer. Stolen credentials of this kind are used for further account takeovers or sold on underground markets. Valve, which runs Steam, has introduced SMS verification for developers pushing game updates to counter this kind of abuse. The compromise is believed to have been carried out by hijacking session tokens rather than stealing passwords outright; no developer emails were compromised.
2023-12-29 14:01:27 thehackernews CYBERCRIME Albanian Legislative and Telecom Entities Suffer Targeted Cyber Attacks
The Albanian Parliament and the telecom operator One Albania were hit by cyberattacks, both confirmed by Albania's National Authority for Electronic Certification and Cyber Security (AKCESK). One Albania, which serves around 1.5 million subscribers, said it handled the incident without disruption to its mobile, landline and IPTV services. AKCESK said it detected the attacks in real time, that they did not originate inside Albania, and that it is focused on tracing their source and hardening systems against repeat intrusions. The Iranian group Homeland Justice has claimed responsibility for these attacks and for a hack of the national airline Air Albania, framing them as a campaign against "supporters of terrorists". AKCESK says the incidents have prompted a review of the country's cybersecurity strategy, although the full scope and technical details remain undisclosed. They follow the July 2022 attacks on Albanian government systems attributed to Iran, after which the United States sanctioned Iran's Ministry of Intelligence and Security for its cyber operations against the U.S. and its allies.
2023-12-29 10:47:42 thehackernews MALWARE Ukraine CERT Warns of APT28 Spearheading Malware Phishing Campaign
CERT-UA has identified a phishing campaign by the Russia-linked APT28 group delivering three new malware strains, OCEANMAP, MASEPIE and STEELHOOK. The emails, observed between December 15 and 25, 2023, targeted government entities and urged recipients to open a link to a document, which starts the infection chain. MASEPIE is a Python backdoor that uploads and downloads files and executes commands over an encrypted TCP channel to its C2 server. STEELHOOK is a PowerShell script that harvests web browser data and sends it to the attackers' server Base64-encoded. OCEANMAP is a C# backdoor that executes commands and uses IMAP as its control channel, persisting through a .url file placed in the Startup folder. Within about an hour of initial access the operators moved on to reconnaissance and lateral movement with Impacket and SMBExec. APT28 has also exploited CVE-2023-23397, the Outlook vulnerability in which a crafted calendar reminder leaks the user's Net-NTLMv2 hash to an attacker-controlled server, to gain unauthorised access to Exchange accounts and widen the campaign's reach.
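The .url persistence mechanism attributed to OCEANMAP above, as an added hunting example in Python that is not CERT-UA's tooling. An Internet Shortcut (.url) is an INI file with an [InternetShortcut] section whose URL= value is opened at logon when the file sits in a Startup folder; benign ones point at http(s), while one whose URL= is a local executable is a persistence mechanism. The shortcut contents, file names and paths below are constructed, not the campaign's real indicators.

```python
"""Triage .url files collected from Windows Startup folders.

Added example; constructed samples, not real indicators.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The two Startup folders processed at logon (all users, then the current user).
STARTUP_DIRS = (
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
)
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".lnk"}
WRITABLE_MARKERS = ("appdata", "temp", "public", "downloads")


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def parse_url_file(text: str) -> str | None:
    """Return the URL= value of a .url file, or None if it is not a valid shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_local_target(url: str) -> bool:
    """file: URIs, UNC paths and drive-letter paths all launch something local."""
    u = url.strip()
    if u.lower().startswith("file:") or u.startswith("\\\\"):
        return True
    return len(u) > 2 and u[0].isalpha() and u[1] == ":" and u[2] in "\\/"


def triage(files: dict[str, str]) -> list[Finding]:
    """files maps shortcut name -> contents, as collected from a Startup folder."""
    findings = []
    for name, text in files.items():
        target = parse_url_file(text)
        if target is None:
            findings.append(Finding(name, "", "malformed shortcut: no [InternetShortcut] URL="))
            continue
        if not is_local_target(target):
            continue  # ordinary web shortcut
        path = target.lower()
        if path.startswith("file:"):
            path = path[5:].lstrip("/")      # file:///C:/x -> c:/x
        reason = "startup shortcut launches a local file"
        ext = PureWindowsPath(path).suffix
        if ext in EXEC_EXT:
            reason += f" with executable extension {ext}"
        if any(m in path for m in WRITABLE_MARKERS):
            reason += " from a user-writable location"
        findings.append(Finding(name, target, reason))
    return findings


# Constructed samples: a benign web shortcut, two persistence-style ones, one junk file.
SAMPLES = {
    "Edge.url": "[InternetShortcut]\r\nURL=https://www.microsoft.com/edge\r\n",
    "update.url": "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Local/Temp/payload.exe\r\n",
    "sync.url": "[InternetShortcut]\r\nURL=C:\\ProgramData\\svc\\run.vbs\r\nIconIndex=0\r\n",
    "junk.url": "this is not an ini file",
}


if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.name}: {f.reason} -> {f.target}")
```

In practice `SAMPLES` would be populated by reading every .url file under the two `STARTUP_DIRS` on the host; a malformed shortcut in a Startup folder is worth a look too, since a legitimate installer does not drop one.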
2023-12-29 09:15:25 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Hackers Execute Sophisticated Spear-Phishing Attacks
The North Korean group Kimsuky is using spear-phishing to deploy malware including AppleSeed, Meterpreter and TinyNuke, according to South Korean security firm AhnLab, which notes that the group's use of AppleSeed has been consistent for years. The United States sanctioned Kimsuky in November 2023 for intelligence gathering in support of North Korea's strategic goals; since 2017 the group has broadened its targeting from South Korea to organisations worldwide. The malicious documents attached to the phishing emails give the attackers control of the victim's system, from which they steal sensitive data and drop further payloads. AppleSeed, a backdoor Kimsuky has used since 2019, now has an Android version and a Golang variant named AlphaSeed that drives a browser through the chromedp library for command-and-control communication. Alongside phishing, North Korean operators also cultivate personas on LinkedIn and GitHub to obtain remote IT work, a revenue source for the regime. The persistence and aggressiveness of these campaigns reflect Pyongyang's broader strategy of evading sanctions and profiting from the theft of digital assets and intellectual property.
2023-12-29 08:03:46 theregister NATION STATE ACTIVITY Banking CEO Secretly Tests Security, Strains Vendor Relations
A consultant, "Jack", worked for a managed security services provider (MSSP) whose client, an African bank, had been hit by a state-sponsored cyberattack. The incident drove the bank into a "panic purchase" of security tools and services, but its CEO was never fully satisfied with the MSSP and questioned whether it was value for money. Relations between the two companies' CEOs soured further when the bank's CEO commissioned an unannounced security test from his preferred provider without telling the MSSP, which set off a false alarm in the monitoring system. The episode led to a formal assessment of the MSSP's work, which Jack likens to "meeting an unhappy proctologist". It took four months for the working relationship to return to normal.
2023-12-29 05:20:50 thehackernews MALWARE Microsoft Blocks MSIX Protocol to Thwart Malware Campaigns
Microsoft has again disabled the ms-appinstaller protocol handler by default to stop threat actors using it to deliver malware. Attackers have been distributing signed malicious MSIX packages through Microsoft Teams messages and search engine ads, and cybercriminals are selling a kit that packages malware in MSIX and delivers it via the ms-appinstaller protocol as a service. The change ships in App Installer version 1.21.3421.0 and later. Since mid-November 2023 at least four cybercrime groups have used App Installer as an entry point for ransomware; one of the loaders delivered this way, GHOSTPULSE, was used in a campaign that mimicked legitimate software installers. Microsoft had already disabled the protocol once, in February 2022, to stop Emotet, TrickBot and Bazaloader abuse. Its appeal to attackers, Microsoft notes, is that launching a package through the protocol handler bypasses security mechanisms such as Microsoft Defender SmartScreen.
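The delivery path described above, from the detection side, as an added example in Python that is not Microsoft's code. The App Installer protocol handler is invoked through a URI of the form `ms-appinstaller:?source=<URL of the package>`; the browser hands that URL straight to App Installer rather than through the normal download path. This scanner pulls such URIs out of HTML, a proxy log or a message export, resolves the host that would serve the package and checks it against an allowlist. The page content, hostnames and allowlist are constructed.

```python
"""Find ms-appinstaller: links in content and report the package source host.

Added example, not Microsoft's code; sample input is constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

URI_RE = re.compile(r"""ms-appinstaller:\?[^\s"'<>]+""", re.IGNORECASE)
PACKAGE_EXT = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def extract_sources(text: str) -> list:
    """All source= URLs from ms-appinstaller: URIs in the text (HTML entities decoded first)."""
    sources = []
    for m in URI_RE.finditer(html.unescape(text)):
        query = m.group(0).split("?", 1)[1]
        sources.extend(parse_qs(query, keep_blank_values=True).get("source", []))
    return sources


def triage(text: str, allowed_hosts) -> list:
    """One record per link: the package host, whether it is allowlisted, and whether
    the path even looks like an MSIX/AppX package or .appinstaller manifest."""
    allowed = {h.lower() for h in allowed_hosts}
    records = []
    for src in extract_sources(text):
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        records.append({
            "source": src,
            "host": host,
            "allowed": host in allowed,
            "package_like": parts.path.lower().endswith(PACKAGE_EXT),
        })
    return records


# Constructed: an ad landing page with a lure link, plus an internal line-of-business link.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=https://downloads.example-cdn.net/Installer.msix">Download now</a>
<a href="ms-appinstaller:?source=https://apps.corp.example/lob/Portal.appinstaller&amp;x=1">Install Portal</a>
<a href="https://www.example.org/docs">Docs</a>
"""
ALLOWED_HOSTS = {"apps.corp.example"}  # hosts the organisation deploys packages from


if __name__ == "__main__":
    for rec in triage(SAMPLE_HTML, ALLOWED_HOSTS):
        print(rec)
```

With App Installer 1.21.3421.0 or later the handler is off by default, but older installs and environments that re-enable it for internal deployments remain exposed, which is why flagging the URI at the proxy or mail gateway still matters; a package served from a host outside the allowlist is the case to block.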
2023-12-28 21:22:48 bleepingcomputer MALWARE Steam Game Mod Hacked to Distribute Password-Stealing Malware
A popular Slay the Spire expansion mod, Downfall, was compromised on Christmas Day to distribute the Epsilon information stealer. The affected package was the standalone modified build of the game rather than a Steam Workshop mod, and the malicious update did not trigger any of Steam's security checks. The attackers took over a Downfall developer's Steam, Discord and email accounts and used them to push the update through the mod's Steam account. The malware harvested cookies, saved passwords, credit card data and other sensitive information from a range of applications and documents. Anyone who launched Downfall during the breach window is at risk and should change their passwords, starting with accounts that lack two-factor authentication. On infected systems the malware installed itself under the name "Windows Boot Manager" or "UnityLibManager". Epsilon Stealer is sold on Telegram and Discord and is typically aimed at gamers, often with the false promise of paid game bug-testing. Valve has tightened Steam's security: since October 24, 2023, developers must pass an SMS-based check before pushing game updates.
2023-12-28 20:31:33 bleepingcomputer CYBERCRIME Eagers Automotive Suspends Trading Amid Cyberattack
Eagers Automotive, a major car dealership group in Australia and New Zealand, has halted trading in its shares following a cyberattack. The company employs 8,500 staff and reported revenue of AU$4.82 billion for the first half of 2023. The incident affected numerous IT systems and forced operations to shut down at several locations; its full impact is not yet known and external incident response specialists have been engaged. Eagers has notified the Australian Cyber Security Centre and New Zealand's National Cyber Security Centre and says it is concerned that sensitive customer and employee data may have been compromised. No ransomware group has yet claimed responsibility. The attack is the latest in a run of recent incidents against large Australian businesses and organisations.
2023-12-28 19:40:19 bleepingcomputer DATA BREACH EasyPark Suffers Data Breach Affecting Millions of App Users
EasyPark, the developer of the EasyPark parking app, has disclosed a data breach discovered on December 10, 2023 that may affect millions of users. The compromised information may include names and other personal details, phone numbers, email addresses and partial payment card numbers, which the company says are not sufficient to make unauthorised transactions. The breach primarily affects European users of the app, which operates in more than 4,000 cities across many countries. Users are advised to check the app for personalised notifications and, as a precaution, to reset their passwords. The company's security team says it is strengthening its security measures, and the data protection authorities in Sweden, the UK and Switzerland have been notified. ParkMobile, a related app in the EasyPark group, suffered a breach in 2021 that exposed data on 21 million customers online. No ransomware group has claimed responsibility for the new breach, but interest in the stolen data has been observed on hacking forums.