Daily Brief

Total articles found: 11755

Checks for new stories every ~15 minutes

2023-12-21 22:20:14 theregister CYBERCRIME Lapsus$ Hacker Sentenced to Hospital Detention After Series of Cybercrimes
Arion Kurtaj, an 18-year-old member of the Lapsus$ cybercrime group, has been sentenced to an indefinite hospital detention due to mental health issues. Kurtaj's sentencing follows a spree of cyberattacks on high-profile targets such as Uber, Nvidia, Rockstar Games, and Revolut by the Lapsus$ gang. A court determined Kurtaj was unfit for trial and he will remain in the hospital until deemed suitable for release by a mental health tribunal. A 17-year-old Lapsus$ member was also sentenced, receiving a youth rehabilitation order, but cannot be named due to legal protections. The Lapsus$ group's criminal activities included blackmail, fraud, and intrusion into the computer networks of several companies like BT, Microsoft, Samsung, and Okta. Law enforcement warns of the online dangers and serious consequences of cybercrime for youth, as seen in this case. The US government has advised organizations to improve security measures, including moving away from voice- and SMS-based multi-factor authentication, to protect against tactics used by groups like Lapsus$.
2023-12-21 21:49:18 bleepingcomputer CYBERCRIME First American Financial Suffers Disruptive Cyberattack
First American Financial Corporation experienced a cyberattack, leading to some of their IT systems being taken offline to contain the incident. As the company manages sensitive personal and financial data, the attack has raised significant concern, especially following a previous breach. In November 2019, First American paid a $1 million penalty for a cybersecurity violation involving their EaglePro application which had exposed customer data. Similar attacks have affected other title insurance providers, with Fidelity National Financial disclosing their own cyber incident last month. After the Fidelity attack, the ALPHV/BlackCat ransomware gang claimed responsibility, but no attribution has been given for the First American breach yet. Both companies faced operational disruptions; First American is working on resuming normal business services, while Fidelity National continues its recovery process.
2023-12-21 21:23:37 bleepingcomputer CYBERCRIME Cryptocurrency Scam via Twitter Ads Drains $59 Million from Users
A cryptocurrency drainer called 'MS Drainer' has been promoted through Google and Twitter ads, and has stolen approximately $59 million from over 63,000 people within nine months. Over 10,000 phishing sites using this drainer were discovered, exhibiting activity spikes in May, June, and November. Victims are lured to authentic-looking phishing sites where they unintentionally approve malicious contracts, resulting in unauthorized fund transfers to the attacker's wallet. The MS Drainer's source code is being sold for $1,500 by 'Pakulichev' or 'PhishLab,' who also collects a 20% fee on the stolen funds, and offers additional malware features for extra costs. One victim on the Ethereum blockchain lost $24 million, with other significant losses ranging from $440,000 to $1.2 million. Advertisements on Google abused tracking template loopholes to appear legitimate, while on Twitter, ads often came from verified accounts likely compromised by malware or stolen credentials. Phishing ads on Twitter utilized various themes such as "Ordinals Bubbles" NFT collections and token launches, and employed geofencing to avoid detection. Users are advised to exercise extreme caution with cryptocurrency-related advertisements and to verify the legitimacy of new platforms and contracts before engaging with them.
2023-12-21 20:57:22 bleepingcomputer CYBERCRIME Lapsus$ Hacker Sentenced to Indefinite Secure Hospital Detainment
Arion Kurtaj, an 18-year-old member of the cybercrime group Lapsus$, has been sentenced to an indefinite stay in a secure UK hospital due to the risk he poses and his ongoing desire to engage in cybercrime. Kurtaj, diagnosed with autism and deemed unfit to stand trial, was involved in leaking content from the forthcoming Grand Theft Auto VI video game. A co-conspirator, a 17-year-old member of Lapsus$, received an 18-month Youth Rehabilitation Order and an online VPN ban after participating in breaches of NVIDIA and telecom companies. During his bail, Kurtaj circumvented restrictions using an Amazon Fire Stick to connect to cloud services and leak Grand Theft Auto VI assets, leading to his arrest. Lapsus$ is known for high-profile cyberattacks and data breaches against companies like Okta, Uber, Revolut, and Microsoft, opting for data extortion over ransomware. The court ruling highlights the ongoing threat posed by cybercriminals, even when those involved are relatively young or operating as part of smaller groups.
2023-12-21 20:46:41 bleepingcomputer CYBERCRIME Lapsus$ Hacker Sentenced Indefinitely to Secure Hospital for GTA 6 Leak
Arion Kurtaj, a key member of cybercrime group Lapsus$, has been sentenced to life in a secure hospital by a UK judge. Kurtaj was involved in the leak of assets from the highly anticipated video game Grand Theft Auto VI. Deemed a "high risk" due to his abilities and intent to commit cybercrime, Kurtaj will remain hospitalized until doctors determine he is no longer a danger. Another 17-year-old member of Lapsus$ was found guilty and received an 18-month Youth Rehabilitation Order with strict supervision, including a VPN usage ban. Kurtaj, who has autism, was deemed unfit for trial, and the jury had to assess if his actions were with criminal intent. The Lapsus$ group has been responsible for multiple high-profile cyberattacks on major tech firms, including Microsoft, Uber, Okta, and Revolut. Instead of encrypting data like ransomware groups, Lapsus$ engages in data extortion by stealing proprietary information and threatening to publish it if demands are not met.
2023-12-21 20:31:12 bleepingcomputer NATION STATE ACTIVITY Microsoft Exposes Iranian Group's Malware Attacks on Defense Firms
Microsoft identified a cyber-espionage campaign by an Iranian group, APT33, targeting the Defense Industrial Base sector using FalseFont malware. FalseFont, a new backdoor, provides remote access capabilities, including file execution and data transfer to the attackers' servers. The APT33 group, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, has been operating since 2013 and targets various industry sectors worldwide. These attacks were observed as part of a broader pattern of targeting U.S., Saudi Arabian, and South Korean sectors ranging from government to finance. Microsoft recommends network defenders reset passwords, revoke session cookies, and implement multi-factor authentication to mitigate the risk from such attacks. The attacks are consistent with APT33's activity over the past year, indicating the group's ongoing efforts to refine their methods and tools. Other nation-state hacking groups from Russia, North Korea, and China have also been targeting defense agencies and contractors globally.
2023-12-21 19:09:08 bleepingcomputer CYBERCRIME First American Financial Hit by Cyberattack, Systems Offline
First American Financial Corporation experienced a cyberattack, forcing some systems offline to contain the impact. The official company website was taken down and a separate website was set up to inform customers about the cyberattack. The company is the second-largest title insurance provider in the U.S., established in 1889, with over 21,000 employees. First American Financial was previously fined $1 million for a cybersecurity incident that occurred in May 2019. Personal and financial data collected and stored by the company was at risk due to a vulnerability in their application. Fidelity National Financial, another title insurance firm, disclosed last month that they were also targeted by a cybersecurity incident. The ALPHV/BlackCat ransomware gang has claimed responsibility for the breach of Fidelity National Financial on November 22.
2023-12-21 18:12:54 bleepingcomputer MISCELLANEOUS Microsoft Phases Out Defender Application Guard for Edge Users
Microsoft is retiring Defender Application Guard (MDAG) for Edge for Business, which ensures security by opening untrusted sites in an isolated container. MDAG uses hardware-based virtualization for a secure sandbox experience, aiming to render conventional attack methods ineffective. After the deprecation, enterprise admins are encouraged to refer to the Microsoft Edge For Business security whitepaper for alternative security features. Introduced in April 2019 for Windows 10, MDAG's deprecation follows the recent discontinuation of Defender Application Guard for Office. Users should consider other security measures such as Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control. In parallel, Microsoft plans to remove VBScript in future Windows updates and has delayed the deprecation of older TLS protocols and Exchange Online CARs.
2023-12-21 16:56:14 thehackernews CYBERCRIME Predator Spyware's Reboot Persistence Feature Ups the Ante
Predator spyware now offers a reboot survival feature to clients, confirming its advancement and persistence capabilities on infected Android devices. Produced by the Intellexa Alliance, including firms like Cytrox and Nexa Technologies, Predator targets both Android and iOS systems with high-cost licensing. The U.S. added Cytrox and Intellexa to the Entity List in July 2023 for trafficking in cyber exploits used to access information systems. Exploit chains in mobile operating systems and browsers are used by spyware tools like Predator and Pegasus to infiltrate devices covertly. Security measures are adapting to counter such threats, driving exploit developers to continually seek new vulnerabilities or purchase them from brokers. Intellexa's business model distances the company from direct involvement in attacks by having clients set up their own infrastructure, masked by shipping jargon for deniability. Although exposure of such surveillance tools has impacted the spyware market, companies like Intellexa adapt by acquiring new exploit chains, maintaining their operational capabilities. Cisco Talos emphasizes the need for public technical disclosures to improve malware detection and impose development costs on private-sector offensive actors.
2023-12-21 16:45:42 bleepingcomputer DATA BREACH ChatGPT Suffers Partially Patched Data Exfiltration Vulnerability
OpenAI applied a mitigation for a data exfiltration flaw in ChatGPT, a popular conversational AI platform. A security researcher, Johann Rehberger, identified that the platform could potentially leak user conversation data to unauthorized external URLs. Despite OpenAI's efforts, the fix is partial, and attackers may still exploit the vulnerability under certain conditions. The safety measures to prevent data leakage are not yet implemented in the iOS mobile app version of ChatGPT, leaving iPhone and iPad users exposed. The flaw involves prompt injection and image markdown rendering, allowing theft of metadata, technical data, and conversation details from victims. The security researcher publicly disclosed the threat after OpenAI did not respond to his reports, demonstrating the issue with a custom AI model, 'The Thief!' OpenAI's client-side checking is not fully transparent, as the service is not open source, leading to unknown variances in the effectiveness of the fix. The vulnerability's remediation on Android is unclear, potentially affecting the significant user base of ChatGPT’s mobile app on the Google Play platform.
2023-12-21 16:25:00 thehackernews MALWARE Chameleon Banking Trojan Evolves, Targeting U.K. and Italy
Cybersecurity researchers have identified a new variant of the Chameleon Android banking malware that has expanded its targeting to users in the U.K. and Italy. The malware utilizes Android's accessibility service for Device Takeover attacks, harvesting data, and conducting overlay attacks. Chameleon is distributed via Zombinder, a dropper-as-a-service that binds malware to legitimate apps and can now bypass Android 'Restricted Settings'. The updated Chameleon Trojan can manipulate biometric authentication by switching the lock screen to a PIN, allowing unauthorized device access. ThreatFabric's report follows Zimperium's findings of 29 malware families, including 10 new ones, targeting 1,800 banking apps in 61 countries. The most targeted financial apps include those of major banks and services such as PhonePe, WeChat, Bank of America, Wells Fargo, Binance, and Barclays. Banking apps remain the primary target for such malware, with FinTech and trading apps increasingly being targeted as well.
2023-12-21 15:43:56 bleepingcomputer CYBERCRIME Darkweb Market BidenCash Releases 1.9 Million Stolen Cards
The darkweb marketplace BidenCash has released for free 1.9 million stolen credit cards to promote its platform among cybercriminals. BidenCash began operations in early 2022, offering stolen credit and debit card data accrued through phishing or skimming on e-commerce sites. The released card data includes numbers, expiration dates, and CVVs, with most cards expiring between 2025 and 2029, although some expired cards from 2023 were also found. This is the fourth such data dump by BidenCash since October 2022, cumulatively amounting to over 5 million cards, although previous dumps have included duplicates and invalid cards. Valid cards in the dump are at risk of fraudulent transactions and could also facilitate scams targeting bank employees. BidenCash’s reputation for genuine data raises concerns over the authenticity of the pack despite lacking some of the data quality seen in prior releases. To counteract payment data risks, the recommendation is to shop with reputable outlets, utilize digital payments or single-use cards, and secure accounts with two-factor authentication.
2023-12-21 14:31:57 bleepingcomputer MALWARE Android Trojan Chameleon Targets Biometrics to Steal PINs
The Chameleon Android trojan has evolved, now capable of disabling fingerprint and face unlock features to compel users to enter their PINs, which it then steals. This newest variant can infect devices running Android 13 and later by tricking users into manually enabling Accessibility permissions through an HTML page. Initially impersonating Australian entities, the malware distributes through the Zombinder service as a fake Google Chrome application. Zombinder is designed to attach malware to seemingly legitimate apps, bypassing runtime detection, Google Protect alerts, and antivirus software. Chameleon uses its access to interrupt biometric security features and capture PINs, enabling attackers to unlock devices and perform malicious operations without detection. ThreatFabric, which tracks Chameleon's development, notes added functionality for task scheduling to optimize the trojan's attack effectiveness. Users are advised to download apps only from official sources, ensure Play Protect is enabled, and perform regular device scans to prevent and detect malware infections.
2023-12-21 14:16:12 theregister CYBERCRIME Widespread Ignorance of Critical Flaw in Apache Struts 2 Downloads
Sonatype reveals that 80% of recent Apache Struts 2 downloads contain a critical remote code execution vulnerability (CVE-2023-50164). The vulnerability lies in the framework's file upload feature, which could allow attackers to unlawfully upload and execute malicious files on a server. Despite the availability of patched versions, developers continue to use vulnerable versions at an alarming rate, risking serious cyber threats. Proof of concept (PoC) exploit code has been released, and governmental cyber advisory services have urged rapid patching. The exploitability of the flaw is limited by certain preconditions, which has possibly led to a low download rate for the fixed version. Despite the low likelihood of general exploitation, the potential exists for targeted, automatable attacks if attackers can identify exploitable endpoints. Organizations' diminished staffing levels during holiday seasons could contribute to delayed security upgrades and heightened vulnerability. Experts urge developers and organizations to maintain vigilance and promptly update their Apache Struts 2 implementations to mitigate risks.
2023-12-21 12:44:11 thehackernews MALWARE New Malware Attacks Banks Globally, 50,000 Users' Credentials Stolen
A sophisticated JavaScript malware has targeted over 40 financial institutions, compromising over 50,000 online banking sessions globally. IBM Security Trusteer uncovered the campaign, which leverages web injections to steal banking credentials, in March 2023. The malware manipulates bank login pages using scripts from a threat actor-controlled server, designed for pages with a common structure across multiple banks. It is speculated that the initial delivery of the malware could be through phishing or malvertising, followed by harvesting credentials and one-time passwords. The malware's dynamic behavior includes continuously adjusting to the bank's webpage and command-and-control server instructions, even staging fake error messages to delay victim login attempts. Indicators of compromise suggest a link to DanaBot, a known malware family responsible for providing initial access for ransomware attacks. Separate investigations by Sophos and Group-IB outlined related cyber fraud activities, ranging from investment schemes to phishing websites impersonating postal and delivery services, indicative of an organized crime ring’s involvement.