Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-23 15:12:58 | bleepingcomputer | CYBERCRIME | Python Script 'Wall of Flippers' Targets Bluetooth Spam Threat | 'Wall of Flippers', a new Python project, can detect Bluetooth spam attacks by devices like Flipper Zero and Android smartphones.
Security researcher 'Techryptic' showed in September 2023 that Flipper Zero could spam bogus Bluetooth connection notifications to Apple devices.
Simon Dankelmann developed an equivalent Android app, broadening the attack's reach to Android and Windows targets; disruptions to medical devices and payment readers were reported at Midwest FurFest 2023.
These spam attacks might degrade the quality of life or present serious health risks for individuals using Bluetooth-connected medical equipment.
While Apple introduced mitigations in iOS 17.2 against this type of BLE spam, similar protections are not yet confirmed for Android.
The Wall of Flippers script passively captures the MAC address, signal strength, and packet data of potential attackers, helping users identify and respond to Bluetooth spam threats.
The Wall of Flippers project is ongoing and available for Linux and Windows, with updates expected to enhance detection capabilities. | Details |
| 2023-12-23 12:50:17 | theregister | NATION STATE ACTIVITY | Iranian Cyber Spies Launch New Backdoor in Defense Sector Attack | Iranian APT group Peach Sandstorm targeted U.S. defense orgs with a custom backdoor malware dubbed FalseFont, which gives remote access and exfiltration capabilities.
Microsoft's threat intelligence identified the cyberespionage attempts, observing password spraying and use of custom tools for lateral movement.
The group, also tracked as APT33 by Mandiant, has interests in commercial/military aviation and energy sectors, primarily in the U.S., Saudi Arabia, and South Korea.
An international law enforcement operation, involving 17 countries, cracked down on credit card theft from e-commerce sites, identifying 443 compromised shops.
Group-IB and Sansec, cybersecurity firms, participated in the operation against JavaScript-sniffers, uncovering 23 families of JS-sniffers affecting global e-commerce platforms.
Critical vulnerabilities in various products, including a Chrome heap buffer overflow and a session rendering issue in macOS Sonoma, call for immediate patching.
Russian infosec employee Nikita Kislitsin, wanted by the U.S. for cybercrimes, will be extradited from Kazakhstan to Russia, where he faces hacking charges. | Details |
| 2023-12-23 01:37:27 | bleepingcomputer | DATA BREACH | Mint Mobile Hit with Data Breach Exposing Customer Info | Mint Mobile, an MVNO owned by T-Mobile, has experienced a security breach exposing customer personal information.
Customers were notified of the incident on December 22; the exposed data may enable SIM swapping attacks.
The breach revealed information such as names, addresses, emails, and phone numbers; however, credit card numbers were not stored and thus not compromised.
Mint assured that strong cryptographic technology protects passwords, although it's unclear if hashed passwords were accessed.
The company has resolved the breach and is working with cybersecurity experts to strengthen security.
No customer action is deemed necessary, but a dedicated customer support number has been provided for related inquiries.
Mint Mobile suffered a previous breach in 2021, and its parent company T-Mobile has faced multiple data breaches, including a significant one in January 2023.
BleepingComputer reached out to Mint regarding the specifics of the breach and the status of hashed passwords but has not yet received a response. | Details |
| 2023-12-22 21:23:10 | bleepingcomputer | CYBERCRIME | FBI Strikes BlackCat Ransomware, Seizes URLs and Decrypts Data | The FBI successfully hacked the BlackCat/ALPHV ransomware operation, a group with over $300 million in ransom demands from more than 1,000 victims.
During the operation, the FBI secured decryption and Tor private keys, allowing them to help 400 victims decrypt their data free of charge.
Law enforcement has been battling the ransomware gang for control of its Tor URLs, since both sides possess the same private keys.
The disruption caused by the FBI's action has led to a loss of trust among BlackCat's affiliates, pushing them to seek new methods of contact with victims or join other gangs.
Despite setbacks, there are talks of a possible "cartel" formation between BlackCat and LockBit to unite against law enforcement efforts.
Other notable cyber incidents mentioned include significant data breaches at Mr. Cooper affecting 14.7 million people and ESO Solutions impacting 2.7 million patients, while several ransomware attacks have occurred across various organizations. | Details |
| 2023-12-22 18:19:25 | bleepingcomputer | DATA BREACH | Ubisoft Probing Potential Internal Data Security Incident | Ubisoft is examining a possible security breach after internal software and developer tools images surfaced online.
The company, known for acclaimed games like Assassin's Creed and Far Cry, confirmed the investigation to BleepingComputer.
Screenshots shared by VX-Underground suggest unauthorized access to Ubisoft's internal services.
An unknown threat actor claims to have breached Ubisoft's network, aiming to exfiltrate approximately 900GB of data.
The accessed systems reportedly include Ubisoft's SharePoint server, Microsoft Teams, Confluence, and MongoDB Atlas panel.
The actor claimed they tried to steal Rainbow 6 Siege user data but were thwarted before achieving their goal.
MongoDB Atlas had a recent breach, which seems unrelated to this incident.
Past breaches at Ubisoft include a 2020 ransomware attack and another disruption in 2022 affecting games and services. | Details |
| 2023-12-22 18:14:03 | bleepingcomputer | DATA BREACH | Ubisoft Probes Alleged Data Breach Amidst Developer Tool Leaks | Ubisoft is investigating a potential security breach following online leaks of internal software images and developer tools.
Leaked screenshots seem to show access to internal services such as Ubisoft's SharePoint server, Microsoft Teams, and Confluence.
An unknown threat actor claimed to vx-underground that they infiltrated Ubisoft's systems on December 20th with intentions to exfiltrate about 900GB of data.
The same threat actor alleged efforts to steal Rainbow 6 Siege user data, but their access was cut off before successful exfiltration.
Ubisoft has experienced previous breaches, such as the Egregor ransomware attack in 2020, which led to leaked source code, and another incident in 2022 that disrupted its operations.
There is currently no evidence linking this alleged breach to the recent MongoDB Atlas breach, despite similar timing. | Details |
| 2023-12-22 16:52:02 | thehackernews | MALWARE | Magecart Campaign Uses Rogue WordPress Plugin for Credit Card Theft | A fraudulent WordPress plugin is injecting malicious JavaScript to steal credit card data from e-commerce sites.
Security firm Sucuri reports that this plugin fraudulently creates admin users and skims credit card information during the checkout process.
The plugin hides itself in the WordPress 'must-use plugins' directory and disables functions to evade removal.
It is part of a wider Magecart campaign, which uses skimming techniques to target online storefronts and exfiltrate data to a controlled domain.
Recent WordPress phishing campaigns mimic security alerts to trick users into installing malicious plugins, leading to unauthorized admin access.
Europol has highlighted digital skimming as an ongoing threat, with 443 online merchants notified about compromised customer payment data.
Group-IB reveals 132 JS-sniffer malware families being used to compromise websites globally.
Scammers are using Google Search and Twitter ads to promote a cryptocurrency drainer, resulting in significant financial loss to victims. | Details |
| 2023-12-22 16:41:31 | bleepingcomputer | CYBERCRIME | Nissan Australia Hit by Akira Ransomware Attack, Data at Risk | The Akira ransomware gang has claimed to have breached Nissan Australia, stealing approximately 100GB of data.
The gang threatens to leak sensitive business and client information, including employee personal details, NDAs, and project files.
After failed ransom negotiations, the Akira ransomware group announced its intention to publish the stolen data.
Akira ransomware has been active since March 2023 and targets various sectors; its encryptors also target VMware ESXi servers.
Recent ransom demands range from $200,000 to millions, scaling with the size of the victimized organization.
Nissan Australia is working to restore affected systems and assess the full impact of the breach, with an ongoing investigation.
The company has notified relevant cyber security, privacy, and law enforcement agencies regarding the breach and advised customers to watch for suspicious activity.
Nissan's response is underway, even as they maintain open lines of communication with their dealerships and customers. | Details |
| 2023-12-22 16:00:27 | theregister | CYBERCRIME | Inside Track on Cyber Sleuths Penetrating Ransomware Syndicates | Cybersecurity defenders were briefly enthused when the AlphV/BlackCat ransomware group's website went offline, though it was soon restored.
Singapore-based Group-IB has successfully infiltrated several high-profile ransomware groups, gathering insider intelligence on their operations.
Their multi-step approach involves thorough research into the targeted ransomware-as-a-service (RaaS) group, understanding terms and conditions, and establishing communication with ransomware managers.
The crux of infiltration lies in passing a rigorous interview process, where researchers must convincingly assume the role of potential affiliates, showcasing technical knowledge and avoiding linguistic slips.
Upon successfully gaining access, Group-IB gathers valuable data on the groups' internal workings, such as attack numbers, ransom payments, and affiliate payment structures, to support future mitigation and response efforts.
Such operations are conducted within legal boundaries, aiming not to engage in any illegal activities, but to collect information to assist victims and understand threat actors better.
The value of these undercover operations lies not only in the potential to aid victims and investigations but also in enhancing preventative measures against ransomware threats. | Details |
| 2023-12-22 14:53:53 | bleepingcomputer | CYBERCRIME | Over 400 E-Commerce Sites Hit by Credit Card Skimming Malware | Europol alerted 443 online merchants about injections of malicious skimming scripts on their websites.
The JavaScript skimmers intercept customers' payment data during purchases, risking unauthorized transactions and data sale on the dark web.
The two-month international effort, led by Greece and supported by law enforcement from 17 countries, identified the compromised online shops.
Analysis revealed 23 varieties of JavaScript sniffers that evade detection through techniques like mimicking legitimate web services.
Group-IB and Sansec, along with national CSIRTs, collaborated with Europol during the investigation.
Europol recommends merchants review their digital skimming defense guide, especially ahead of high online shopping seasons.
Customers are advised to use one-time payment methods and monitor their statements for signs of card compromise. | Details |
| 2023-12-22 13:32:10 | bleepingcomputer | MALWARE | Millions Duped by Fake VPN Extensions Hiding in Game Torrents | Over 1.5 million users unknowingly installed malicious Chrome extensions disguised as VPN services.
The extensions were distributed through installer files hidden in pirated video game torrents.
Google has since removed the harmful extensions from the Chrome Web Store upon notification.
The primary victims were in Russia and nearby countries, with extensions automatically installed without user interaction.
The malware targeted other cashback and coupon extensions to monopolize profits from the infected devices.
ReasonLabs revealed the extensions had extensive permissions, enabling data theft and browser manipulation.
The extensions communicated with a command-and-control server, suggesting organized cybercrime involvement.
The incident underscores the need for users to vigilantly review and manage their browser extensions to prevent malware infections. | Details |
| 2023-12-22 13:21:40 | thehackernews | NATION STATE ACTIVITY | Operation RusticWeb: Rust Malware Hits Indian Government | Indian government and defense sectors faced a phishing onslaught aimed at implanting Rust-based malware for intelligence collection, dubbed Operation RusticWeb.
The SEQRITE security firm identified the campaign, observing the use of novel Rust payloads and PowerShell commands for stealthy document exfiltration.
Similarities found between Operation RusticWeb and two Pakistan-associated groups, Transparent Tribe and SideCopy, indicate a potential nation-state actor behind the attacks.
Recent attacks used decoy Microsoft PowerPoint files and exploited a vulnerability (CVE-2023-38831) to gain broad system control and remote access.
The phishing approach starts with a malicious PDF, which initiates the Rust payload that secretly scans the system while showing the decoy document.
The malware focuses on collecting system information and files, yet lacks complexity compared to other cybercriminal tools.
A secondary SEQRITE-discovered attack chain uses PowerShell for data gathering and a Rust executable masquerading as a legitimate application for payload deployment.
Continued aggressive cyberattacks by nation-state actors like the DoNot Team exemplify persistent threats in geopolitically sensitive regions such as Kashmir. | Details |
| 2023-12-22 12:50:45 | thehackernews | MALWARE | Nim-Based Malware Delivered via Phished Nepali Government Documents | A phishing campaign is leveraging fake Microsoft Word documents to deliver Nim-based backdoor malware.
Attackers disguise themselves as Nepali officials in emails to prompt victims to enable macros, which initiates malware deployment.
The malware scans for analysis tools on infected hosts and self-terminates if any are found, challenging traditional security measures.
The backdoor communicates with command-and-control (C2) servers, which have since been taken offline, for further instructions.
This campaign is part of a trend where attackers utilize uncommon programming languages like Nim for malware creation to evade detection.
Separate from this campaign, a social engineering campaign has been observed, leveraging social media messages to distribute Python-based Editbot Stealer malware.
Ongoing phishing campaigns distribute known malware such as DarkGate and NetSupport RAT through emails and fake update lures.
Proofpoint research highlights the evolving and creative malware delivery techniques employed by cybercriminals, including zero-day exploitation of a Windows SmartScreen bypass vulnerability. | Details |
| 2023-12-22 07:50:21 | thehackernews | NATION STATE ACTIVITY | Ukrainian Firms Targeted by UAC-0099 Exploiting WinRAR Vulnerability | UAC-0099, a threat actor, has been actively targeting Ukrainian employees with LONEPAGE malware by exploiting a flaw in WinRAR.
Cybersecurity firm Deep Instinct reports that the malware is delivered through phishing messages with malicious attachments.
CERT-UA first reported UAC-0099 in June 2023, citing espionage attacks against state organizations and media.
Attacks include HTA, RAR, and LNK files leading to malware capable of stealing information and taking screenshots.
The group has reportedly gained unauthorized remote access to multiple computers in Ukraine during 2022-2023.
Attack methods also involve self-extracting archives and ZIP files exploiting CVE-2023-38831, a vulnerability in WinRAR.
The attackers use simple yet effective tactics, employing PowerShell and scheduled tasks to execute malware.
CERT-UA has also issued a warning about phishing messages related to Kyivstar dues used to distribute the Remcos RAT, attributed to UAC-0050. | Details |
| 2023-12-22 05:37:52 | thehackernews | NATION STATE ACTIVITY | Microsoft Exposes Iranian Hacker Attacks on Defense Sector | Microsoft has identified a new cyber threat, a backdoor named FalseFont, aimed at the defense sector.
The threat originates from an Iranian group known as Peach Sandstorm, also recognized as APT33, Elfin, and Refined Kitten.
FalseFont enables remote system access, file launching, and data transmission to control servers, evading traditional security measures.
The implant was first detected in November 2023, consistent with Peach Sandstorm's evolving tactics.
Past activities of Peach Sandstorm include password spray attacks on various global sectors, indicative of intelligence-gathering for Iranian state interests.
The threat actor has been operational since at least 2013, now showing more sophisticated techniques.
Additionally, the Israel National Cyber Directorate reported attempts by Iran and Hezbollah to attack the Ziv Hospital and spread wiper malware using phishing tactics. | Details |