Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12690
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-02 04:44:53 | thehackernews | NATION STATE ACTIVITY | U.S. Indicts Iranian Hacker; Announces $10M Reward for Apprehension | The U.S. Department of Justice has unsealed an indictment against Iranian national Alireza Shafie Nasab for conducting a cyber campaign against U.S. entities. Nasab is accused of targeting over a dozen U.S. organizations, including government departments, defense contractors, and private firms since at least 2016. He purportedly used spear-phishing and custom applications to breach systems, deploy malware, and exfiltrate sensitive data. Techniques included impersonating individuals to gain the victim's confidence and leveraging compromised accounts to conduct further spear-phishing attacks. Nasab faces charges including wire fraud, conspiracy to commit computer and wire fraud, and aggravated identity theft, with a potential sentence of up to 47 years in prison. Despite Nasab's current fugitive status, the U.S. State Department is offering a reward of up to $10 million for information leading to his identification or location. The indictment links Nasab's activities to Mahak Rayan Afraz, a company with connections to Iran's Islamic Revolutionary Guard Corps and involved in previous social engineering campaigns. | Details |
| 2024-03-01 22:08:07 | theregister | DATA BREACH | Air Guardsman to Plead Guilty for Leaking Pentagon Files on Discord | Jack Teixeira, an Air National Guardsman, is expected to enter a guilty plea for leaking classified Pentagon documents. Teixeira shared top-secret files through Discord, which were then disseminated on social media. The leaked content suggests an obsession with mass shootings and conspiracy theories, and a possible attempt to impress online gamers. A US Air Force report implicated Teixeira as the sole individual responsible for the leak, but also pointed to oversight failures in his chain of command. Despite previously pleading not guilty, Teixeira has requested a court proceeding to change his plea; the specific charges he will plead guilty to are currently undisclosed. Teixeira's pre-trial arguments for release, drawing a comparison to former President Donald Trump's bail situation, were denied by a judge. The leaked documents contained sensitive information about geopolitical issues, including America's role in the Russia-Ukraine conflict and espionage developments in China. Following the incident, 15 Air National Guard leaders were disciplined, and the US Air Force has taken measures to strengthen classified data access protocols. | Details |
| 2024-03-01 21:37:32 | theregister | NATION STATE ACTIVITY | Court Directs NSO Group to Reveal Pegasus Spyware Source Code | NSO Group, an Israeli company known for its Pegasus surveillance software, has been ordered by a U.S. federal judge to disclose the source code to Meta's WhatsApp, amidst allegations of unauthorized spying on 1,400 users. The court order, stemming from a 2019 lawsuit by WhatsApp, requires NSO Group to provide the source code of Pegasus and other relevant spyware created between April 29, 2018, and May 10, 2020. NSO Group has been accused of leveraging a vulnerability in WhatsApp's VoIP stack to gain remote access to victims' conversations and sensitive information. The ruling nonetheless allows NSO to keep its client list and server architecture details confidential. NSO Group declined to comment on the ruling. NSO Group, previously restructured in 2022, faces additional legal challenges from Apple and the Knight First Amendment Institute, with its immunity claims and attempts to dismiss lawsuits being rejected in U.S. courts. The U.S. has sanctioned NSO Group and similar spyware vendors, while the White House has issued an executive order limiting government use of such software, with certain exemptions. Amnesty International states that Pegasus spyware has been used against human rights defenders and journalists worldwide, implicating it in serious abuses, including the murder of Saudi journalist Jamal Khashoggi. | Details |
| 2024-03-01 20:46:15 | bleepingcomputer | CYBERCRIME | German Police Dismantle Crimemarket: Largest Cybercrime Hub Seized | German authorities took down Crimemarket, the largest German-speaking cybercrime platform, arresting six individuals including one of its main operators. The platform, with over 180,000 users, facilitated the trade of illegal drugs, narcotics, and offered cybercrime services and criminal tutorials. The shutdown is the result of extensive investigations, with evidence gathered through a coordinated operation involving numerous searches. In North Rhine-Westphalia, where the main suspect was arrested, police seized 1 kilogram of marijuana, ecstasy tablets, and nearly 600,000 euros in cash and assets. Police have emphasized that the ongoing investigation targets not only the operators but also the users of the Crimemarket platform. User reports indicated prior accessibility issues on the site, which were later confirmed to be due to law enforcement actions rather than technical problems. The home page of Crimemarket remains online displaying a seizure notice, indicating long-term police monitoring and data confiscation as part of a Europe-wide operation. | Details |
| 2024-03-01 20:35:48 | bleepingcomputer | RANSOMWARE | Ransomware Attacks Cripple US Healthcare; UnitedHealth Group Hit Hard | Ransomware attacks have severely impacted healthcare institutions in recent months, with Change Healthcare, a UnitedHealth Group subsidiary, facing a significant attack linked to the BlackCat ransomware operation. The attack on Change Healthcare has disrupted billing services for pharmacies and patients, potentially affecting access to medications, with some patients being forced to pay high out-of-pocket costs. BlackCat claims to have stolen 6TB of data from Change Healthcare, putting millions of individuals' personal information at risk. A joint advisory from the FBI, CISA, and HHS warns of BlackCat's targeted attacks on U.S. hospitals, reflecting the seriousness of the threat. The Rhysida ransomware operation is attempting to monetize stolen patient data from Lurie Children's Hospital in Chicago, demanding $3.6 million. LockBit, hit by a police operation, has returned with reduced capacity and new infrastructure, but could still shut down after losing trust and tarnishing its reputation in the cybercrime community. Other ransomware activity includes an extortion group's unsupported claim to have breached Epic Games, and multiple ransomware gangs exploiting a ScreenConnect RCE vulnerability. | Details |
| 2024-03-01 19:19:00 | bleepingcomputer | MALWARE | CISA Issues Alert on Microsoft Streaming Service Vulnerability | The Cybersecurity and Infrastructure Security Agency (CISA) instructs U.S. agencies to secure Windows systems against a critical Microsoft Streaming Service vulnerability actively exploited by malware. CVE-2023-29360, a significant bug due to an untrusted pointer dereference, allows attackers with local access to escalate privileges to SYSTEM level without user interaction. Security expert Thomas Imbert discovered the vulnerability, which was patched in June 2023, but a proof-of-concept exploit appeared on GitHub by September. CISA confirms no ransomware links but emphasizes the risk to the federal enterprise, adding the bug to the Known Exploited Vulnerabilities Catalog. Federal agencies are directed to patch the issue by March 21, following the Binding Operational Directive (BOD 22-01), while the private sector is also urged to prioritize the fix. Check Point reveals the Raspberry Robin malware has been exploiting the vulnerability since August 2023, showcasing the quick adoption of the exploit by cybercriminal groups. Raspberry Robin, identified as a worm spreading through USB drives, is associated with cybercriminal factions and has been found on networks across various industries since its 2021 emergence. | Details |
| 2024-03-01 18:33:05 | theregister | CYBERCRIME | Iranian Indicted in Cyberattacks on US Defense and Gov Agencies | The US Department of Justice has indicted Iranian national Alireza Shafie Nasab for leading cyberattacks against US defense contractors and government agencies since 2016. Nasab's operations, under the guise of a cybersecurity company, compromised over 200,000 accounts containing sensitive or classified defense information. Targets included defense contractors with Department of Defense clearance, US State and Treasury Departments, an accounting firm, a hospitality company, and entities of a foreign government. Tactics used by Nasab and his co-conspirators involved spear-phishing, social engineering, in-house software tools, and impersonating female personas to gain victim trust. The DoJ alleges successful account compromises, including an administrator email at a defense contractor, which facilitated further attacks against another contractor and a consulting firm. A parallel legal development cites Russian citizen Maxim Marchenko's guilty plea for smuggling OLED displays for potential military use into Russia, facing a 30-year prison sentence. Facebook previously identified connections between Nasab's firm and the Iranian cybercriminal group "Tortoiseshell," which outsourced malware development with potential ties to Iran's Revolutionary Guard Corps. Nasab remains at large, and a $10 million bounty is offered for information leading to his identification or location, accentuating the US government's drive to counter cross-border cybercriminal activities. | Details |
| 2024-03-01 16:50:46 | bleepingcomputer | CYBERCRIME | Germany Shuts Down Major Illicit Online Market; Makes Arrests | The Düsseldorf Police in Germany have successfully dismantled Crimemarket, the major German-language cybercrime platform, resulting in the arrest of six individuals. The platform was known for trading illegal drugs, narcotics, and cybercrime services, and it also offered tutorials for committing various forms of criminal activity. The police action was the culmination of extensive investigative work, supported by 102 search warrants executed throughout the country in a coordinated operation. The focus of the operation was in North Rhine-Westphalia, where significant evidence, including IT devices and narcotics, was seized alongside almost 600,000 euros in cash and assets. Law enforcement is not only targeting the operators of Crimemarket but also its users, indicating a wider scope to the ongoing investigations. The Crimemarket platform had experienced connectivity issues prior to the police announcement, which had been rumored to be connected to the ChipMixer bust and was confirmed to be due to law enforcement action. Although the homepage is still accessible, other pages display a police seizure notice, and it's been suggested that law enforcement allowed the platform's operation to continue briefly to collect further incriminating evidence. | Details |
| 2024-03-01 16:04:41 | theregister | CYBERCRIME | Navigating Quantum Threats with Advanced Encryption Solutions | The quantum computing era presents new challenges to cybersecurity defenses, necessitating quantum-safe encryption measures. Arqit specializes in providing advanced encryption technology that addresses quantum threats, complementing Juniper's SRX Firewall for enhanced VPN security. A webinar on 'Quantum-safe network security for 21st century threats' is scheduled for March 7, featuring key speakers from Arqit and Juniper Networks. The discussion will center around understanding quantum-safe encryption and its role in protecting organizations against both current and future cyber threats. The webinar aims to guide attendees through the landscape of available cybersecurity solutions and the importance of regulatory compliance. Industry experts will address potential internal resistance to adopting new technologies and will share insights on efficient implementation. Strategies for engaging customers in conversations about cybersecurity and the commercial aspects of solutions like Arqit's NetworkSecure Solution will also be discussed. Interested parties are encouraged to sign up for the webinar, with reminders sent out to registered participants. | Details |
| 2024-03-01 14:49:52 | bleepingcomputer | NATION STATE ACTIVITY | U.S. DOJ Indicts Iranian Hacker, Offers $10M Reward for Information | The U.S. Department of Justice has indicted Alireza Shafie Nasab, an Iranian national, for hacking U.S. government and defense entities. Nasab is accused of spearheading a cyber-espionage campaign from 2016 to 2021, compromising over 200,000 computers. Targets included the Departments of the Treasury and State, defense contractors, and accounting and hospitality firms in New York. Working for Iranian IT company Mahak Rayan Afraz, Nasab allegedly utilized phishing attacks and malware to infiltrate sensitive systems. Social engineering techniques, such as impersonating women, were used to deceive victims into installing malicious software. Charges against Nasab include conspiracy to commit computer and wire fraud, carrying potential prison sentences of 5 to 20 years, plus a mandatory two years for identity theft. The U.S. Department of State's Rewards for Justice Program is offering up to $10 million for information leading to Nasab's location. | Details |
| 2024-03-01 13:38:26 | thehackernews | CYBERCRIME | Sophisticated Phishing Kit Targets Crypto User Credentials | A new phishing kit is targeting mobile users of various cryptocurrency services, impersonating SSO pages of platforms like Binance and Coinbase using email, SMS, and voice calls. Attackers construct highly convincing fake login screens that appear after CAPTCHA completion, evading detection by automated tools. Over 100 individuals, including FCC employees and users from cryptocurrency exchanges such as Gemini and Kraken, have fallen victim to the sophisticated scheme. The phishing kit allows for customization of the fraudulent pages in real time, including the display of the last digits of a victim's phone number and flexibility in the 2FA token request. Once credentials and 2FA codes are obtained, attackers can redirect victims to any page they choose, whether legitimate or fake, to maintain the illusion of authenticity. Similarities are noted between these phishing pages and tactics used by Scattered Spider, a known cyber threat group, although it's unclear if there is a direct connection or if this kit is utilized by multiple actors. The effectiveness of these attacks is amplified by the high-quality duplications of real URLs, the urgency conveyed in communications, and the direct connection with victims via SMS and voice calls. The report also mentions that financial institutions in Canada are being targeted by a new PhaaS group named LabHost, illustrating the evolving cybercrime threat landscape. | Details |
| 2024-03-01 12:42:13 | theregister | DATA BREACH | UK Police Force Reprimanded for Personal Data Mishandling | The UK's Information Commissioner's Office (ICO) has reprimanded West Midlands Police (WMP) for repeatedly confusing the records of two individuals with the same name and birth date. Mismanagement of records over several years resulted in numerous mistakes including police visiting the wrong locations and schools and sharing confidential information with the wrong individuals. The two individuals involved were both victims of crimes, but failure to distinguish between victim and suspect records led to a breach of the Data Protection Act 2018. One person received another's personal information regarding a serious assault, with WMP failing to remedy errors quickly and prevent reoccurrences. WMP has been advised to make technical and governance improvements, with recommendations including unmerging the records and instituting mandatory data protection training. Although WMP has compensated one of the individuals and corrected issues following the ICO investigation, they have not been fined due to the remedial actions taken. WMP handles millions of records daily and claims such data errors are rare, but they have acknowledged and accepted the reprimand and recommendations by the ICO. | Details |
| 2024-03-01 11:15:07 | thehackernews | DATA BREACH | Lessons Learned: Comprehensive Postmortems of Major Data Incidents | GitLab suffered an 18-hour outage in 2017, accidentally deleting 300GB of user data due to a replication issue and failed primary and secondary database sync. GitLab's transparency in their postmortem has influenced data security practices; a testing snapshot inadvertently saved them from losing more data. In 2023, the backup service Tarsnap went offline due to catastrophic filesystem damage but lost no user data due to robust data storage and recovery strategies. Roblox experienced a 73-hour outage in 2021 when a critical system cluster failed, but system configuration data was eventually restored without user data loss. Cloudflare thwarted a potential data breach with their Zero Trust architecture, after discovering a nation-state-backed attacker had gained access to internal documents but not customer data. In response to the attack, Cloudflare undertook extensive credential rotations and system reimaging, emphasizing the importance of data security in crisis management. These postmortems encourage honesty, transparency, and taking proactive steps in data security and continuity planning, especially regarding cloud and SaaS platforms. Ownership of the data security lifecycle and the practice of thorough testing and documentation are vital in mitigating the risks of future failures. | Details |
| 2024-03-01 10:59:39 | thehackernews | MALWARE | New Linux-RAT Variant Exploits VMware-Like Domain Evasion | Cybersecurity researchers have identified a new BIFROSE Linux remote access trojan variant that uses a deceptive domain resembling VMware for evasion. Active since 2004, BIFROSE has been utilized by state-backed Chinese hackers, with suspected repurposing since 2010. The malware enables attackers to execute remote shell commands, transfer files, and extract sensitive user information, such as hostname and IP address. The latest version of the trojan uses a command-and-control server named "download.vmfare[.]com" to appear legitimate, and is associated with a Taiwanese DNS resolver. Palo Alto Networks Unit 42 observed a significant increase in Bifrost activity from October 2023, finding over 100 related artifacts. The researchers also found an Arm version of BIFROSE, indicating an attempt to broaden the potential target range of devices. Recent surges in Bifrost activity underscore the ongoing evolution and threat posed by this malware family, paralleling the developments of similar RATs and malware like GuLoader and Warzone RAT. | Details |
| 2024-03-01 09:07:40 | theregister | MISCELLANEOUS | Enhance Organizational Security with Google AI and Zero Trust | Cybersecurity incidents are costly, with each data breach averaging $4.35 million. The frequency of cyber attacks increased by 38% last year, emphasizing the need for robust security measures. Google Cloud suggests that legacy productivity solutions may no longer be sufficient to combat modern cyber threats. The webinar proposes the use of a cloud-native architecture based on zero-trust principles and AI-powered threat defenses, as implemented in Google Workspace. The session will cover methods to enable secure remote work, maintain data control, simplify compliance, and prevent unauthorized access. Experts from Google Workspace will discuss securing organizations with zero trust and AI technologies, concluding with a Q&A session for deeper insights. Interested participants are invited to register for the webinar scheduled for 6 March, with reminders to be sent prior to the event. | Details |