Daily Brief

Ransomware continues to be a significant threat to businesses, with a recent push for a ban on ransomware payments by global law enforcement and cyber security experts. The LockBit ransomware crew has shown resilience, recovering online presence shortly after government-led take-down attempts. Former UK National Cyber Security Center CEO Ciaran Martin advocates for a ban on ransom payments to disrupt cybercrime long-term, acknowledging the associated challenges. Critics of the ban suggest that prohibition could leave businesses with no other option for recovery, potentially leading to severe consequences, including company closures. Proponents of the ban argue that similar measures in the past, like those against kidnapping in Italy, had significant positive impacts. Financial support packages for victims may be necessary, akin to government intervention during the Northern Ireland Troubles. A ban on ransom payments is not currently planned by the governments of the Five Eyes nations, but nearly 50 members of the Counter Ransomware Initiative pledged not to pay ransoms. The debate continues as the average extortion payment reached $1.5 million last year, indicating a rising trend in cyber extortion.

Cybercriminals exploited India's Unified Payments Interface (UPI) for money laundering, recruiting "money mules" through Telegram. The scam utilized an Android application named XHelper to manage mules and facilitate transactions, bypassing India's PMLA. Funds obtained from illegal activities were transferred to accounts in China, using mules to move the money under false pretenses. XHelper enabled mules to track earnings, complete transactions, and provided an incentive system through financial rewards. The application featured a referral system with a pyramid-like structure to expand the network of agents and mules. Mules received training on evading bank security measures and making large transactions through fake corporate accounts. The overarching issue highlights a growing ecosystem of mobile apps designed to streamline money laundering operations. Global efforts by law enforcement, including Europol, resulted in the arrest of over a thousand individuals connected to money mule operations.

American Express has issued a warning to customers regarding the exposure of credit card details through a third-party service provider hack. This data breach affected American Express Travel Related Services Company, a division dealing with travel services. Personal customer information such as card account numbers, names, and expiration dates were accessed by unauthorized parties. Specific details about the service provider compromised, the extent of the data breach, and the timing of the incident remain undisclosed. American Express has notified regulatory authorities, is investigating the breach, and is reaching out to impacted customers to inform them of the situation and the necessary precautions. Customers are advised to review their account statements for the next one to two years, report any suspicious activities, and consider changing their card numbers. The company assures customers that they will not be held liable for any fraudulent charges and recommends setting up instant notifications for transaction alerts.

Mid-market companies experiencing rapid growth must adapt to unique cybersecurity challenges, especially when utilizing third-party SaaS applications. As operations expand from 500 to 5000 employees, maintaining control and security over an increasing array of applications and shared data becomes critical. Static budgets and continuous threats by malicious actors put pressure on mid-market companies to find scalable and effective security solutions. Traditional SaaS security solutions, designed for large enterprises, do not align with the needs and resources of mid-market companies. Wing Security offers a tiered product approach that reduces labor costs through automation, effectively managing SaaS security with less than 8 hours of management time per month. The solutions provided by Wing Security aim to align with mid-market budgets and operational models, allowing for efficient risk mitigation without additional resources. As SaaS integration deepens within mid-market company operations, the demand for scalable and accessible security solutions increases, with a focus on automation and comprehensive coverage.

Law enforcement agencies from ten countries, including the FBI and the UK's National Crime Agency, collaborated in Operation Cronos to dismantle the LockBit ransomware gang's operations. Over 30 servers used by LockBit were seized, along with source code, decryption keys, chat logs, and affiliate information. The "Game over" seizure notice included a trolling element, mocking the gang with humorous imagery and a countdown timer parody. Despite suffering significant disruptions, LockBit and its spokesperson, LockBitSupp, resurfaced online soon after the operation with new hostage data and taunts directed at the authorities. Law enforcement claims to have obtained decryption keys to assist victims, while LockBitSupp insists these are ineffective, leaving the outcome of this cyber confrontation uncertain. The incident highlights the sophisticated disaster recovery capacities of criminal organizations like LockBit and the suggestion that businesses might benefit from similarly granular partitioning of their DR strategies. The article critiques the invulnerability of ransomware operations like LockBit as long as they can profit from cryptocurrencies without strict regulation and suggests that financial oversight is the key to curtailing their activities.

Over 100 artificial intelligence (AI) and machine learning (ML) models on the Hugging Face platform were identified as malicious by JFrog security researchers. These models were found to contain code execution vulnerabilities through pickle files, potentially granting attackers full control of victims' machines through backdoors. The malicious models initiate reverse shell connections to an IP associated with the Korea Research Environment Open Network (KREONET) and potentially other IP addresses worldwide. Some authors discouraged downloading their own models, suggesting it could be a security demonstration, but the connection to an active IP crosses a line in security research ethics. The implications of this discovery reach beyond individual user risk to potential large-scale data breaches and corporate espionage. Researchers have also developed methods to prompt harmful responses from language models and a generative AI worm, Morris II, that can steal data and autonomously spread malware. The generative AI ecosystem's connectivity has been exploited to deliver malicious inputs to new applications in attacks comparable to buffer overflow and SQL injection techniques. This situation highlights the ongoing threat within open-source repositories and emphasizes the need for vigilance regarding the supply chain and generative AI services.

BleepingComputer uncovers over 60 domains impersonating major news outlets for content plagiarism and SEO manipulation. These fake news websites repost articles from reputable sources without attribution, deceiving readers and boosting their SEO. The operation, based in India, leverages this network to sell expensive advertorial slots to marketers under the guise of credible outlets. The network, likely promoting online gambling and betting, maintains a presence on Google News and social media platforms. Domains share common WordPress CMS, registrar, and host, with operations traced back to at least 2022. Connections are made to jackpotbetonline.com, a betting entity based in Gurugram, India, pointing to gambling promotion motives. The potential for evolving into a disinformation network remains, posing risks beyond trademark and copyright infringement.

U.S. agencies issue warnings on Phobos ransomware targeting critical U.S. sectors like government, emergency services, and healthcare. Phobos ransomware, structured as a Ransomware as a Service (RaaS), has several variants and employs tactics such as phishing and exploiting RDP services. The e-crime group behind Phobos uses Windows API functions, open-source tools, and sophisticated techniques to escalate privileges and maintain persistence. Attackers exfiltrate files before demanding ransom; after initial payment, 78% of organizations face renewed attacks, often with increased demands. Recently, Bitdefender reported a coordinated attack by CACTUS ransomware on two independent companies, exploiting a critical vulnerability within 24 hours of its disclosure. The median ransom demand in 2023 has risen to $600,000, with the average payment per victim reaching about $568,705 with no guarantee against recurring attacks.

Law enforcement recently disrupted LockBit ransomware operations, seizing the group’s website. LockBit reestablished a new site, listing ransom deadlines, including one involving data from Fulton County related to Donald Trump. Fulton County's ransom deadline passed without data release; LockBit alleges ransom payment, while officials deny any payment. Security analyst suggests data might have been seized by law enforcement rather than ransom being paid. Critical vulnerabilities reported in Cisco's NX-OS; patches recommended. CISA issued an advisory on Ivanti vulnerability mitigations which may not detect compromises; Ivanti recommends patching and using their Integrity Checker Tool. Researchers from Semperis warn of potential Silver SAML attacks allowing SAML token forgery without compromising ADFS servers, raising concerns similar to SolarWinds incident.

Ahead of Super Tuesday, FBI Director Christopher Wray and Senator Mark Warner highlighted the escalating threats to U.S. election security, particularly from foreign and domestic misinformation amplified by advances in AI technology. The barriers to creating realistic and convincing disinformation have lowered due to generative AI, potentially giving both sophisticated and less-sophisticated foreign adversaries new tools to influence elections. Homegrown criminals also pose a threat, as evidenced by incidents like an Alabama man threatening election workers and a political consultant hiring a magician to send fake robocalls. Officials express concern that the U.S. is less equipped to handle foreign intervention in the 2024 elections compared to 2020, with the spread of misinformation on social media as a central worry. AI-generated deepfakes and sophisticated bot farms are being used by nation-state actors to sow distrust in the electoral process and outcomes, further exacerbating the challenge of maintaining election integrity. The cost of creating deceptive content has become significantly affordable, raising concerns about the proliferation of such content and its potential to influence public perception and voter behavior.

A Linux backdoor named GTPDOOR has been discovered targeting mobile operator networks. GTPDOOR is believed to be associated with the threat group LightBasin (UNC1945), known for infiltrating telecommunications systems. The malware infiltrates systems critical to mobile communications like SGSN, GGSN, and P-GW, potentially accessing a telecom’s core network. Using the GPRS Tunnelling Protocol Control Plane, GTPDOOR camouflages its communications to avoid detection. It listens for specific "magic packets" to activate and perform operations, maintaining stealth through encrypted and authenticated packets. Antivirus engines struggle to detect GTPDOOR, as it targets outdated Linux versions and can masquerade its process name. Detection strategies include monitoring for abnormal socket activities and process names, with proposed defenses such as GTP firewalls and GSMA security guidelines.

BleepingComputer has uncovered a content farm operating over 60 websites that impersonate renowned media outlets such as the BBC, CNBC, and The Guardian. These fraudulent news websites, traced back to an operator in India, plagiarize content from legitimate sources without permission to boost their SEO and sell advertising. The fake news websites offer advertorial slots for press releases and product reviews, with prices ranging from $50 to $1000, potentially duping marketers seeking publicity. The syndicate of fake news sites may also be enrolled as a Google News publisher and maintains a social media presence to appear credible. BleepingComputer's ongoing investigation has revealed that while the current goal seems to be SEO optimization and ad sales; there's potential for the operation to spread disinformation in the future. The operation behind these websites is linked to promoting online gambling and betting activities and has been associated with jackpotbetonline.com, based in India. The content farm abuses trademarked media names which raises legal concerns, and the legitimacy of marketed products or services on these sites is questionable.

Hackers are using a new phishing kit named CryptoChameleon to target employees of the Federal Communications Commission (FCC) and users of cryptocurrency platforms (e.g., Binance, Coinbase, Kraken, Gemini). Attackers are employing a sophisticated social engineering strategy involving emails, SMS, and voice calls that mimic legitimate customer support, prompting victims to input sensitive information on fake SSO pages. The phishing campaign includes realistic replicas of Okta login screens and can adapt to request additional authentication, such as MFA codes, in real-time. Leveraging CAPTCHA challenges, the scam adds credibility to the phishing process and screens out non-human traffic. Victims are often redirected to the actual sign-in page or a decoy page claiming an account review to lower suspicion and provide attackers with more time to exploit the stolen data. Lookout's research revealed over 100 successful phishing victims, with many fake sites remaining active and continuing to harvest credentials hourly. Hosting for phishing pages transitioned from Hostwinds and Hostinger to Russia-based RetnNet, likely for prolonged operational capabilities for the scam sites. The identity of the threat actors remains unknown, as it's unclear whether CryptoChameleon is operated by a single group or shared among several cybercriminal entities.

Microsoft patched a serious Windows Kernel bug in February that was exploited as a zero-day since August 2023. The flaw, identified as CVE-2024-21338, affects Windows 10, Windows 11, and Windows Server versions since 2019. North Korean Lazarus hackers used the vulnerability to disable security tools and conduct stealth operations at the kernel level. The exploitation of the bug allows attackers to disrupt security software, hide malware indicators, and manipulate protected processes. Avast researchers linked the flaw to enhanced capabilities of the FudModule rootkit and a new remote access trojan used by Lazarus. Avast will share detailed insights into the attacks at BlackHat Asia in April. Users are urged to apply the latest security updates to protect against these sophisticated attacks by the Lazarus group.

A U.S. federal court has ruled that NSO Group must provide Meta with the source code for Pegasus spyware as part of ongoing litigation. The lawsuit, initiated by Meta in October 2019, accuses NSO Group of exploiting WhatsApp to install Pegasus on roughly 1,400 mobile devices, including those of Indian activists and journalists. NSO Group exploited a critical zero-day vulnerability in WhatsApp for the distribution of the spyware, which did not require call answer to infect the device. Though NSO Group must release details on the spyware, it is not required to disclose its server architecture or the identities of its clients. Amnesty International expressed disappointment that the clientele of NSO Group remains confidential, despite the firm facing U.S. sanctions for supplying cyber tools used in malicious operations against various individuals and entities. The order comes alongside revelations that the Intellexa Alliance's Predator mobile spyware is part of a new, complex delivery infrastructure involving multiple countries, highlighting ongoing concerns around mercenary spyware and its global implications.