Daily Brief

Comcast's Xfinity confirmed a data breach resulting from a hacked Citrix server. The intrusion was detected after attackers exploited a critical Citrix vulnerability known as CVE-2023-4966. The security breach, occurring between October 16 and October 19, was investigated and confirmed stolen customer data on November 16. Compromised information includes usernames, hashed passwords, and potentially additional personal data. Xfinity has responded by prompting users to reset passwords, though reasons for resets were not initially communicated to customers. This incident follows a previous breach a year ago where Xfinity accounts were hacked and used to compromise other service accounts like Coinbase and Gemini. The ongoing investigation aims to understand the full scope and impact of the breach while Xfinity heightens security measures to protect user accounts.

Hacktivist group Predatory Sparrow claimed responsibility for a cyberattack that disrupted roughly 70% of Iran's gas stations. Iran's Oil Minister confirmed an attack on IT systems, leading to extended queues and jammed traffic as citizens struggled to refuel. The incidents took place during heightened tensions in the Middle East, particularly between Iran and Israel over the ongoing Gaza conflict. Predatory Sparrow, which has been linked to previous cyberattacks on Iranian infrastructure, suggested the attacks were a response to Iranian regional actions and signaled possible ties to a nation-state. The group attempted to limit potential damage from their cyberattack, claiming to take precautions to avoid impacting emergency services. Simultaneously, pro-Hamas groups have stepped up cyberattacks on Israeli and American targets, and Israel blamed Iran and Hezbollah for a cyberattack on Safed's Ziv Medical Center. Iran's accusations and the technical sophistication of the attacks hint at a more complex landscape potentially involving state-sponsored activities rather than mere hacktivism.

Mortgage lender Mr Cooper experienced a significant data breach, compromising the personal information of nearly 14.7 million individuals. The breach was initially reported in October as an isolated incident, but recent filings reveal an extensive loss of highly sensitive data. Unauthorized system access occurred between October 30 and November 1, 2023, leading to the theft of names, addresses, social security numbers, dates of birth, and bank account information. The breach has been found to affect customers of Mr Cooper and associated brands such as Nationstar Mortgage LLC and Centex Home Equity. Mr Cooper is actively monitoring the dark web for potential misuse of the stolen data and offers two years of free credit monitoring to affected individuals. The company has issued an apology and emphasized the importance of customer trust, while also disclosing increased estimated costs related to the breach to $25 million. Ongoing forensic investigations, interactions with law enforcement, and legal defenses continue as the company addresses the consequences of the cyberattack.

Microsoft identified a critical remote code execution flaw, CVE-2023-45849, in Perforce Helix Core Server, risking privileged access by unauthenticated attackers. Four vulnerabilities were reported in total, with three causing potential denial of service disruptions. Perforce Helix Core Server is widely used in industries like gaming, government, military, and technology, amplifying the potential impact of exploitation. Microsoft, a user of the Perforce platform for game development, conducted a security review and reported the issues to Perforce responsibly. There have been no known exploitation attempts in the wild, but upgrading to the patched version 2023.1/2513900 is strongly advised to mitigate risks. Microsoft recommends additional protective measures, including following Perforce's official security guidelines, to secure systems against these vulnerabilities.

VF Corp, the parent company of The North Face and Vans, experienced significant operational disruptions due to a cyber intrusion detected on December 13. The attack involved encryption of IT systems and theft of data, including personal information, suggesting a ransomware incident. Retail stores remain open, and e-commerce sites are accepting orders, but the company’s order fulfillment capabilities are currently compromised. VF Corp responded promptly by containing the threat, commissioning a cybersecurity firm for investigation, and collaborating with federal law enforcement. The corporation is actively working on remediation efforts to minimize the impact on retail and wholesale customer service. The SEC filing by VF acknowledges that the cyberattack will have a material impact on its business operations, but the full financial implications are yet to be determined. This cyberattack follows other significant breaches this year, including a costly network breach at Clorox Company and ransomware attacks on Caesars Entertainment and MGM Resorts.

VF Corporation, owner of prominent brands like Vans and The North Face, reported a ransomware attack that disrupted their business operations. The cyberattack on December 13, 2023, led to the encryption of some of the company’s computers and the theft of personal data. VF Corp responded by shutting down affected systems and engaging external security experts to mitigate the breach. The specifics regarding whose personal data was compromised—whether it be employees, partners, or customers—remain unclear, with no ransomware group claiming the attack. The incident has significantly impacted VF Corp’s operations and is likely to continue affecting the business as recovery efforts are underway. Physical retail stores of VF Corp's brands remain operational worldwide, but delays are expected in fulfilling online orders and potential issues in placing new orders. The company is currently evaluating the full extent of the breach and its implications on financials and operations, with the situation exacerbated by the timing of the Christmas shopping season.

Microsoft launches a new troubleshooter to correct a widespread issue where Windows PCs mislabel printers as HP LaserJet M101-M106. Users reported printers being renamed and the HP Smart app installing without prompting across various online platforms and Microsoft's community site. The problem stems from incorrect printer metadata introduced in late November and affects Windows 10 (version 1809 or later) and Windows Server 2012 or newer. The troubleshooter restores correct printer model information and removes unrelated HP Smart app installations. Enterprise administrators are advised to run the tool with Local System account privileges to address the issue across all users on a system. Microsoft indicates that it might take several hours for the changes to take effect once the troubleshooter has been run. This incident follows a previous similar issue earlier in the year, which affected certain printers' automatic Wi-Fi connection setup.

The FBI, CISA, and ASD's ACSC have jointly warned that the Play ransomware group has compromised approximately 300 organizations, including critical infrastructure. Attacks by the Play ransomware, starting in June 2022, have affected sectors across North America, South America, and Europe. Unlike typical ransomware groups, Play's affiliates use email for negotiation and steal sensitive data before encrypting victims' files. High-profile victims include the City of Oakland, car retailer Arnold Clark, Rackspace, and the Belgian city of Antwerp. The advisory recommends that organizations address known vulnerabilities, implement multifactor authentication, and regularly update and patch software. Government agencies advise adhering to the mitigation strategies in the joint advisory, which includes maintaining offline backups and implementing a recovery plan.

Two patched security flaws in Microsoft Windows could be exploited for zero-click remote code execution (RCE) in Outlook. The vulnerabilities, CVE-2023-35384 and CVE-2023-36710, could lead to unauthorized Outlook server access and NTLM credential theft. Russian APT29 has actively exploited similar flaws for unauthorized Exchange server access. CVE-2023-35384 bypasses a security flaw patched in March, while CVE-2023-36710 involves an integer overflow in Windows Audio Compression Manager. An attacker could make Outlook clients download and autoplay a malicious sound file causing RCE without user interaction. To counter these threats, organizations are advised to use microsegmentation, disable NTLM, or add users to the Protected Users security group.

Conor LaHiff, a previous IT manager at a New Jersey high school, pleaded guilty to a cyberattack following his termination in June 2023. He is charged with one count of unauthorized damage to protected computers under the Computer Fraud and Abuse Act (CFAA). In retaliation, LaHiff used his administrative access to delete thousands of Apple IDs and disable over 1,400 accounts, crippling the school's operations. His cyberattack left the school's phone service inoperable for a day and resulted in direct financial losses of at least $5,000. The incident highlights the risk of not promptly revoking access rights from dismissed employees, which can prevent such internal threats. Despite LaHiff's actions at the high school, he managed to obtain a similar job at a different school, which he is required to inform of his guilty plea. LaHiff's sentencing is set for March 20, 2024, with possible penalties including a 10-year prison sentence and fines up to $250,000.

SaaS applications have become central to corporate IT, with service and non-service businesses heavily relying on cloud-based software for data storage. The democratization of SaaS has empowered business units with direct software purchase and onboarding but necessitated new security collaboration and tools for customized application guidance. ITDR is emerging as a crucial strategy to mitigate risks of privileged account breaches in SaaS applications by detecting tactics and indicators of compromise. Global companies face challenges in meeting different regulatory requirements, leading to multiple SaaS tenants that must be individually secured without impacting software costs. SaaS application misconfigurations have led to significant data breaches, with organizations recognizing the importance of securing settings to prevent such exploits. The rise of third-party SaaS applications poses a risk due to high-level permissions requested, necessitating better visibility and management of these integrations by security teams. The prevalence of remote work has intensified the need for security protocols for multiple devices, especially when high-privileged users access SaaS apps from unsecured personal technology. Adoption of SaaS Security Posture Management (SSPM) tools is growing, providing automated monitoring, configuration baseline tools, third-party app risk assessment, and improved communication between business and security teams to safeguard SaaS stacks.

Rhadamanthys malware, known for its information-stealing capabilities, is being constantly updated with new features, including a customizable plugin system. Sold as malware-as-a-service (MaaS) since September 2022, Rhadamanthys can target web browsers, crypto wallets, email clients, VPNs, and messaging apps. Check Point's analysis indicates a clear trend towards modularity, allowing the malware to more effectively cater to the specific needs of its distributors. The malware includes active and passive components for information theft and adds capabilities such as clipboard data manipulation to hijack cryptocurrency transactions. New functionalities like keyloggers and system information collectors are transforming Rhadamanthys into a more versatile spyware tool. The article also notes an overlap in design and implementation with the Hidden Bee coin miner, demonstrating fast-paced development in malware technology. Trend Micro's research details unrelated RAT infections using code injection into aspnet_compiler.exe, highlighting another stealth tactic by another malware family. The use of Dynamic DNS (DDNS) by threat actors in these cases contributes to their ability to avoid detection by constantly changing their IP addresses.

Mortgage company Mr. Cooper fell victim to a cyberattack on October 30, 2023, compromising the data of 14.7 million individuals. Attackers accessed customer data; however, no financial information was reported as exposed. The breach prompted a shutdown of IT systems, affecting online payment portals and other services. A notification sent to affected users included an offer for 24 months of identity protection services. Mr. Cooper is actively monitoring the dark web for signs of misuse of the breached data but has not observed any as of the report. Regulatory authorities, such as the Office of the Maine Attorney General, have been notified of the incident scale and details. Ongoing investigation into the breach, with no specific details on the nature of the attack or attackers, and no claims of responsibility from any ransomware groups.

The National Grid is removing Chinese-manufactured equipment over cybersecurity concerns, after consulting with the UK’s National Cyber Security Centre. The contract with NR Electric UK, a subsidiary of China's Nari Technology, was terminated, though exact reasons were not publicly given. Both the National Grid and UK government bodies remained silent on the details, emphasizing the importance of security infrastructure. The removed components are crucial for the communication and stability of the UK's energy grid, which has implications for preventing blackouts. This move continues the trend of the UK removing Chinese technology from its critical national infrastructure, following the exclusion of Huawei from its 5G networks. Concerns about Chinese companies include legal obligations they may have to share data with the Chinese government, though no hard evidence of misconduct has been made public. China has been previously implicated in deploying malware in foreign power grids, according to cybersecurity firm Symantec.

Four U.S. nationals have been indicted for running cryptocurrency scams, specifically pig butchering schemes, defrauding victims of over $80 million. Defendants are charged with money laundering-related offenses; two have been arrested, while two remain at large. The Department of Justice reports the scheme involved at least 284 transactions, victimizing multiple individuals. In a separate case, a Nigerian national was sentenced to three years for similar offenses affecting 34 victims across 13 countries. Nearly $9 million in Tether cryptocurrency was recently seized by the U.S. DoJ, linked to a Southeast Asia-based group conducting pig butchering scams. Pig butchering scams often originate on dating apps and lead victims to transfer funds to fraudulent investment platforms. Scammers are increasingly using group chats and leaked personal data from databases to target potential victims. The FBI's IC3 reported cryptocurrency investment scams resulted in losses of $2.57 billion in 2022, a 183% increase from the previous year.