Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 11755

Checks for new stories every ~15 minutes

2023-12-20 15:25:54 bleepingcomputer DATA BREACH Significant Data Breach at ESO Solutions Affects 2.7 Million Patients
ESO Solutions, a healthcare software provider, suffered a ransomware attack that exposed the data of 2.7 million patients. The incident occurred on September 28: the attackers exfiltrated sensitive data and then encrypted several of the company's systems. The types of personal information compromised vary by patient, depending on what each had provided to the healthcare entities using ESO's software. The FBI and state authorities have been notified, and affected customers were alerted on December 12; impacted hospitals began sending breach notifications to their patients shortly afterwards. There is no evidence so far that the stolen information has been misused, but ESO is offering 12 months of free identity monitoring. No ransomware group has claimed responsibility. Because ESO is a vendor to many hospitals, a single intrusion has produced breach notifications across numerous downstream providers, the pattern that makes supply-chain compromise an ongoing concern in the healthcare sector.
2023-12-20 15:05:12 bleepingcomputer CYBERCRIME Protecting Businesses from the Surge of Password Attacks
Nearly half of the breaches analysed in Verizon's 2023 Data Breach Investigations Report involved stolen credentials. High-profile brands such as 23andMe and Norton suffered credential-stuffing attacks, in which passwords leaked from earlier breaches are replayed against a site's login page, potentially affecting millions of users. The affected organizations urged users to change their passwords, particularly any reused across multiple services, to cut off further unauthorized access. Recovering from a password breach involves a sequence of steps: issuing a comprehensive password-reset directive, assembling an incident response team, and notifying affected individuals with clear guidance. Businesses need to educate employees regularly on password hygiene, including never reusing one password across services, and to screen passwords continuously against lists of known-compromised credentials; such monitoring catches a breached password before an attacker can use it. With the right technologies and protocols in place, companies can raise their defenses against password exploitation and safeguard critical systems and data.
2023-12-20 14:39:21 bleepingcomputer CYBERCRIME German Police Shut Down Notorious Kingdom Market Cybercrime Hub
German authorities, in coordination with international partners, have seized Kingdom Market, a major dark web marketplace for illicit goods. The operation, involving the BKA and ZIT, has led to the arrest of one of the marketplace's administrators in the United States. Kingdom Market, in operation since March 2021, traded in drugs, malware, stolen data, and fake IDs, with payment in several cryptocurrencies. The marketplace listed 42,000 items for sale, including 3,600 from Germany, and had tens of thousands of customer accounts and hundreds of sellers. Law enforcement is conducting further investigations to identify others involved in running the market, aided by the seized server infrastructure. Members of the darknet forum Dread lament lost funds and arrests following the shutdown, while competing market operators are swiftly inviting "Kingdom refugees" to join their platforms, exploiting the vacuum the takedown created.
2023-12-20 13:38:06 thehackernews CYBERCRIME Rising Trend in Remote Encryption Ransomware Targeting Corporate Networks
Financially motivated cybercriminals are increasingly using remote encryption, a ransomware technique in which a single compromised, often unmanaged, device is used to encrypt files on other machines across the network over file shares, rather than running the ransomware on each victim host. Mark Loman of Sophos highlights the need for organizations to find and secure such weak spots, since attackers use them as the launch point for remote encryption. Microsoft's recent findings indicate that roughly 60% of human-operated ransomware attacks now involve remote encryption, predominantly originating from unmanaged devices. Sophos's report notes that ransomware families including Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal use the technique. Because the malicious process runs on a different host from the one whose files are being encrypted, endpoint protection that keys on local process behaviour sees only file writes arriving from a remote session, which is why the approach bypasses traditional process-based security measures. Other changes in the ransomware landscape include the use of atypical programming languages, attacks on non-Windows systems, attacks timed for off-business hours, and data auctioning. Ransomware groups are increasingly engaging with the media, controlling narratives and using PR tactics such as press releases and FAQs to shape public perception and pressure victims. Cybercriminal organizations, with hierarchies resembling corporate structures, are now also recruiting English writers and speakers to improve their media and PR capabilities.
2023-12-20 11:10:04 thehackernews CYBERCRIME Memcyco Unveils Innovative Defense Against Real-Time Website Spoofing
Memcyco, a Tel Aviv-based company, has introduced a product aimed at real-time website spoofing, in which attackers clone a legitimate site to defraud its customers. The company says its Proof of Source Authenticity (PoSA™) technology protects customers and the brand from the moment a fake site goes live, shrinking the window of exposure. It gives organizations visibility of active impersonation attacks even when the impostor site is newly created and has not yet been noticed by customers. The agentless application is installed on the legitimate site, raises alerts the moment a user interacts with a fake one, and passes detailed attack information to security operations teams. A per-user digital watermark lets visitors verify that they are on the genuine site without having to work through a security checklist. A back-end dashboard offers real-time attack monitoring and analysis to support the response to brand impersonation, and PoSA™ integrates with existing SIEM systems to kick off workflows such as URL takedown and account-takeover prevention. Memcyco positions this as a shift from conventional after-the-fact takedown to proactive, preemptive defense, reducing reputational damage and consumer fraud.
2023-12-20 10:33:58 theregister MISCELLANEOUS Police Force Faces Legal Action Over FOI Request Backlog
Greater Manchester Police (GMP) has been issued an enforcement notice by the UK's Information Commissioner's Office (ICO) requiring it to clear a significant backlog of Freedom of Information (FOI) requests. GMP has over 850 outstanding FOI requests, more than 800 of them over six months old and the oldest dating back over two-and-a-half years. Under the Freedom of Information Act, public authorities must respond within 20 working days, a deadline GMP has consistently failed to meet. The enforcement notice follows a practice recommendation the ICO issued in February in response to a high volume of complaints about GMP's handling of information requests. The ICO's head of FOI casework emphasized that prompt FOI responses are essential to maintaining public trust and understanding, and that transparency is crucial. Several FOI-related incidents at UK police forces this past year have raised concerns about data handling and transparency, including a case in which the safety of Afghan interpreters was compromised by a mishandled response.
2023-12-20 10:23:25 thehackernews CYBERCRIME Chinese Hackers Impersonate UAE Authority in Smishing Scandal
Chinese-speaking threat actors have been impersonating the UAE Federal Authority for Identity and Citizenship in smishing attacks. The attackers send SMS or iMessage messages carrying malicious links, using URL-shortening services to hide the fake site's true location. The 'Smishing Triad' group, first documented in September 2023, sells smishing kits and also engages in data theft via Magecart-style web skimming. The latest wave targets individuals updating their residence visas: clicking the link leads victims to a fraudulent site that asks for personal data. Geofencing is used to show the phishing form only to visitors arriving from UAE IP addresses on mobile devices, so that security scanners and out-of-region researchers see nothing suspicious. The threat actors may have gathered potential victims' details through data breaches or dark web purchases. In a related trend, cybercriminals have been repurposing Predator, an open-source bot-detection tool, to hide phishing pages from security crawlers.
2023-12-20 08:41:15 thehackernews CYBERCRIME Interpol's Operation HAECHI-IV Nets 3,500 Arrests in Financial Crime Crackdown
Nearly 3,500 individuals have been arrested in Interpol's six-month global operation HAECHI-IV, targeting financial crime across 34 countries. The operation led to the seizure of assets worth $300 million, including $199 million in hard currency and $101 million in virtual assets. A range of financial crimes was tackled, including voice phishing, romance scams, sextortion, investment fraud, and e-commerce fraud. Authorities froze over 82,000 suspicious bank accounts and confiscated large amounts of currency and virtual assets, disrupting access to criminal funds. A significant arrest included a high-profile online gambling criminal in Manila after a collaborative effort between Filipino and Korean authorities. Investment scams, business email compromise, e-commerce fraud, and a new scam involving NFTs in South Korea were the most prevalent, comprising 75% of the cases. Usage of AI and deepfake technology in scams has emerged, enhancing the credibility of fraudulent activities and extortion methods. The success of HAECHI-IV follows the prior HAECHI-III operation, which confiscated $130 million in virtual assets, emphasizing the ongoing global war against cyber-enabled financial crimes.
2023-12-20 08:35:34 theregister CYBERCRIME SSH Protocol's Terrapin Vulnerability: a Call for Updates
A newly disclosed vulnerability in the SSH protocol, known as Terrapin (CVE-2023-48795), allows a man-in-the-middle attacker to weaken the security of a connection. Researchers at Germany's Ruhr University Bochum described the attack and published their findings after responsibly disclosing it to the affected developers; patches and workarounds have been issued, with updated software versions available to install. The underlying flaw is a prefix-truncation weakness in the handshake: the per-packet sequence numbers that SSH's integrity protection relies on are not bound to the handshake transcript, so an attacker positioned between the peers can inject SSH_MSG_IGNORE messages before encryption begins to advance the sequence counter, then delete the same number of messages (such as the extension-negotiation message sent right after the handshake) once encryption is on, with neither side noticing that anything was lost. The attack requires an active man-in-the-middle and specific cipher modes: ChaCha20-Poly1305, or a CBC cipher combined with an Encrypt-then-MAC MAC. The advice is therefore to disable those modes and prefer unaffected algorithms such as AES-GCM. OpenSSH, the most widely used SSH implementation, released version 9.6 with a 'strict key exchange' extension that mitigates the attack, but only when both client and server support it; other implementations, including PuTTY and the AsyncSSH library (versions 2.14.1 and 2.14.2, which address the generic flaw and two AsyncSSH-specific CVEs), have also been updated.
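The negotiation check described above, as an added example that is not part of the original article or of the Terrapin researchers' tooling: it parses the SSH_MSG_KEXINIT message each peer sends (RFC 4253, section 7.1), applies the standard rule that the first client-preferred algorithm the server also lists wins, and reports whether the negotiated modes are the ones Terrapin can attack and whether both sides advertise OpenSSH's strict-kex extension. Both KEXINIT payloads are constructed here rather than captured, and the cookie is zeroed for reproducibility.

```python
import struct

SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # advertised by OpenSSH 9.6+ clients
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # advertised by OpenSSH 9.6+ servers

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(cookie, **lists):
    """Serialise a KEXINIT payload; any name-list not given is sent empty."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        payload += _name_list(lists.get(field, ()))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                # skip the type byte and 16-byte cookie
    for field in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list: " + field)
        off += n
        out[field] = [x for x in raw.decode("ascii").split(",") if x]
    return out


def negotiate(client_pref, server_pref):
    """RFC 4253 rule: the first client-preferred name the server also lists."""
    for name in client_pref:
        if name in server_pref:
            return name
    return None


def _mode_vulnerable(cipher, mac):
    # ChaCha20-Poly1305 is affected regardless of MAC; CBC only with an EtM MAC.
    if cipher == CHACHA:
        return True
    return bool(cipher and cipher.endswith("-cbc")
                and mac and mac.endswith("-etm@openssh.com"))


def assess_terrapin(client, server):
    """Decide from both parsed KEXINITs whether the handshake is exposed."""
    enc_c2s = negotiate(client["enc_c2s"], server["enc_c2s"])
    enc_s2c = negotiate(client["enc_s2c"], server["enc_s2c"])
    mac_c2s = negotiate(client["mac_c2s"], server["mac_c2s"])
    mac_s2c = negotiate(client["mac_s2c"], server["mac_s2c"])
    # Strict kex is a countermeasure only when BOTH peers advertise it.
    strict = (STRICT_KEX_CLIENT in client["kex"]
              and STRICT_KEX_SERVER in server["kex"])
    exposed = _mode_vulnerable(enc_c2s, mac_c2s) or _mode_vulnerable(enc_s2c, mac_s2c)
    return {"enc_c2s": enc_c2s, "enc_s2c": enc_s2c, "mac_c2s": mac_c2s,
            "mac_s2c": mac_s2c, "strict_kex": strict,
            "vulnerable": exposed and not strict}


def _offer(kex, enc, mac):
    """Constructed KEXINIT with a zero cookie and fixed host-key/compression lists."""
    return build_kexinit(b"\x00" * 16, kex=kex, hostkey=["ssh-ed25519"],
                         enc_c2s=enc, enc_s2c=enc, mac_c2s=mac, mac_s2c=mac,
                         comp_c2s=["none"], comp_s2c=["none"])


# Constructed sample offers, not captured traffic.
ETM_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
CLIENT = _offer(["curve25519-sha256", STRICT_KEX_CLIENT],
                [CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"], ETM_MACS)
OLD_SERVER = _offer(["curve25519-sha256"],                       # unpatched
                    [CHACHA, "aes256-cbc"], ETM_MACS)
NEW_SERVER = _offer(["curve25519-sha256", STRICT_KEX_SERVER],    # hardened
                    ["aes256-gcm@openssh.com"], ETM_MACS)


def report(server_payload):
    """Round-trip both payloads through the parser and assess the pair."""
    return assess_terrapin(parse_kexinit(CLIENT), parse_kexinit(server_payload))


if __name__ == "__main__":
    print("unpatched server:", report(OLD_SERVER))
    print("hardened server: ", report(NEW_SERVER))
```

A single peer's offer is not enough to decide: strict key exchange only takes effect when both sides advertise it, so a patched client talking to an unpatched server is still exposed unless the vulnerable modes are removed from the negotiation, which in practice means dropping chacha20-poly1305@openssh.com and the *-cbc ciphers from the Ciphers line of sshd_config (or the client config) so that AES-GCM is what gets negotiated.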
2023-12-20 08:14:54 thehackernews MALWARE JaskaGO Malware Compromises Windows and macOS Systems
A new Go-based information stealer, JaskaGO, targeting both Windows and macOS systems, has been identified by AT&T Alien Labs. JaskaGO tries to evade analysis by checking whether it is running in a virtual machine; if it detects one, it performs only benign actions such as pinging Google instead of revealing its real behaviour. On a real host it steals information, rewrites clipboard contents to hijack cryptocurrency transactions by swapping in attacker-controlled wallet addresses, and downloads additional malicious payloads. On macOS in particular, JaskaGO can obtain root permissions, disable security features, and persist across reboots. Its distribution method is not yet known, nor is the extent of the campaign. JaskaGO is part of a broader trend of cybercriminals favouring Go for its simplicity and cross-platform support.
2023-12-20 00:37:31 theregister CYBERCRIME Global Sting Operation Nets 3,500 Cyber Criminals and $300M
Interpol's Operation HAECHI IV, with cooperation from 34 countries, has led to the arrest of 3,500 people linked to various cyber-enabled financial crimes. The operation focused on a range of illegal activities including voice phishing, romance scams, sextortion, fraudulent investments, online gambling, business email compromise, and e-commerce fraud. A considerable portion of the offenses were related to business email compromise, e-commerce fraud, and investment scams. Two Purple Notices were issued by Interpol, which provided insights on criminals' techniques, such as the use of AI for identity concealment in scams and a "rug pull" scheme involving non-fungible tokens (NFTs). South Korean and Filipino authorities successfully captured a notable online gambling criminal after a prolonged tracking operation. The enforcement action impeded financial transactions, freezing over 82,000 suspicious bank accounts and confiscating around $199 million in physical currency and $101 million in digital assets. The results of Operation HAECHI IV represent a substantial increase in arrests and seized assets compared to previous efforts, with a 200% rise in apprehensions.
2023-12-19 20:48:22 theregister DATA BREACH Over 35 Million Xfinity Customers' Data Exposed in Cyberattack
Comcast's Xfinity service suffered a data breach affecting more than 35 million customer accounts after attackers exploited the Citrix Bleed vulnerability in its Citrix appliances. Usernames and hashed passwords were taken, and for some customers contact details, the last four digits of Social Security numbers, dates of birth, and security question answers were likely compromised as well. Citrix Bleed was disclosed and patched on October 10, but by late October widespread exploitation by ransomware groups was being reported. Comcast patched its vulnerable Citrix systems and subsequently identified unauthorized access between October 16 and October 19, 2023. It alerted federal law enforcement and opened an investigation, which concluded on November 16 that data had likely been acquired. Xfinity is now requiring customers to reset their passwords and urging them to enable two-factor or multi-factor authentication.
2023-12-19 20:37:52 bleepingcomputer MALWARE Sophisticated Malware Campaign Targets Banking Credentials Globally
A malware campaign utilizing JavaScript web injections has targeted over 50,000 users of 40 banks worldwide, aiming to steal banking data. The malicious activity was detected by IBM's security team, noting that attack preparations began in December 2022 with domain registrations. Attackers have been injecting scripts to manipulate webpage content and intercept login credentials and OTPs, enabling unauthorized access to banking accounts. The infection process could involve methods like malvertising or phishing, with the subsequent stealthy injection of a script tag from an external server to evade detection. The malware mimics legitimate JavaScript content delivery networks to avoid raising red flags, conducting dynamic behavior adjustments based on server instructions. IBM's research suggests there may be connections between this campaign and DanaBot, a known banking trojan that has been active since 2018. IBM warns that the campaign is ongoing and highlights the need for increased caution when accessing online banking portals and apps.
2023-12-19 20:01:59 theregister CYBERCRIME Critical Perforce Helix Core Server Flaws Require Immediate Patching
Microsoft's security researchers identified four vulnerabilities in Perforce Helix Core Server, one of them a critical unauthenticated remote code execution (RCE) flaw. The Perforce server is widely used for source code management in sectors including gaming, government, and technology, where the integrity of source code is crucial. All four vulnerabilities are fixed in Perforce version 2023.1/2513900, released in November. The most severe, CVE-2023-45849, allows an unauthenticated remote attacker to execute code with LocalSystem privileges, enabling data theft and further network compromise; the remaining three can be used for denial of service, likewise without authentication. Microsoft notes that none of the flaws has been seen exploited in the wild, but the critical RCE presents significant risk if left unpatched. Microsoft emphasizes basic practices such as prompt patching and network segmentation, and recommends following Perforce's own security guidelines for server hardening.
2023-12-19 19:36:13 bleepingcomputer CYBERCRIME ALPHV Ransomware Group Netted $300 Million, FBI Exposes Tactics
The ALPHV/BlackCat ransomware gang had amassed over $300 million in ransom payments from more than 1,000 victims worldwide by September 2023, according to the FBI. The majority of victims are in the United States, with roughly 250 incidents reported elsewhere. In collaboration with CISA, the FBI has published guidance on mitigating the threat, including prioritizing patches for vulnerabilities the group is known to exploit and enforcing multi-factor authentication, alongside regular software updates and vulnerability assessments. ALPHV, believed to be a rebrand of DarkSide (the group behind the 2021 Colonial Pipeline attack) and its successor BlackMatter, has been active since November 2021. The FBI infiltrated ALPHV's infrastructure, obtained decryption keys, and helped more than 500 victims recover their files, averting approximately $68 million in ransom payments. The seizure of ALPHV's data leak site, followed by the gang's "unseizing" of it, has prompted rival cybercrime groups to invite ALPHV's affiliates to join their operations.