Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11736

Checks for new stories every ~15 minutes

2023-12-15 21:23:39 bleepingcomputer CYBERCRIME Ransomware Roundup: BlackCat Drama and Global Attacks
The recent hiatus in BlackCat/ALPHV's operations is rumored to have resulted from a law enforcement action. Some BlackCat/ALPHV affiliates are reaching out directly to victims for negotiations, bypassing the usual channels. Competing ransomware group LockBit is seizing the opportunity to recruit disgruntled ALPHV affiliates. Multiple ransomware attacks and new variants have been reported, including the advanced Linux-Qilin ransomware focusing on VMware ESXi. Law enforcement successes include the arrest of a Hive ransomware-affiliated money launderer and a Russian national's guilty plea for running a cryptocurrency exchange used by cybercriminals. High-profile breaches involve organizations such as Tipalti, HTC Global Services, Austal USA, Norton Healthcare, Toyota Financial Services, and Insomniac Games. Revelations of collaborations among ransomware groups underline the evolving threat landscape, pushing affected sectors to enhance cybersecurity measures.
2023-12-15 20:32:37 bleepingcomputer CYBERCRIME Ex-Amazon Engineer Admits to Multimillion-Dollar Crypto Exchange Heists
Shakeeb Ahmed, a former Amazon security engineer, pleaded guilty to hacking cryptocurrency exchanges and stealing over $12.3 million. Using his blockchain audit and smart contract reverse engineering skills, he exploited vulnerabilities in two unnamed crypto exchanges. He manipulated smart contract pricing data to generate inflated fees, netting approximately $9 million from one hack and $3.6 million from another using a flash loan loophole. After the heists, Ahmed attempted to launder the stolen funds through cryptocurrency mixers, converting them to privacy-focused Monero and moving assets across various blockchains. His search history indicated plans to evade detection and potential extradition, including fleeing the US and changing citizenship. Ahmed agreed to return stolen crypto assets to the victims and forfeit the equivalent of over $12.3 million. He faces a single computer fraud charge with a maximum sentence of five years. The U.S. Attorney applauded the conviction as the first of its kind involving smart contract hacking, with sentencing scheduled for March 13, 2024.
2023-12-15 20:01:41 theregister RANSOMWARE Kraft Heinz Refutes Snatch Ransomware Attack Claims
Kraft Heinz has addressed claims by the Snatch ransomware group stating that their data was compromised, asserting that their systems are functioning normally. The issue is said to possibly relate to a minor, decommissioned marketing website hosted externally, which Kraft Heinz cannot currently confirm was attacked. Snatch ransomware-as-a-service group claimed it breached Kraft Heinz's IT infrastructure in August, although no specific stolen data has been disclosed. Security analyst Dominic Alvieri noted that this is the first public mention of the supposed breach, with the extent of any cyberattack on Kraft Heinz remaining unverified. Snatch is known for employing double-extortion tactics by encrypting victims' data and threatening to leak it unless a ransom is paid. The FBI has issued warnings about the Snatch group, highlighting their methods which include exploiting Remote Desktop Protocol (RDP) to gain unauthorized access to networks. The FBI has also observed the group's presence on victims' networks for up to three months before deploying ransomware. Kraft Heinz has downplayed the claims, emphasizing the normal operation of their internal systems and the inability to verify a broader attack.
2023-12-15 19:05:01 bleepingcomputer DATA BREACH Delta Dental of California Suffers Massive Data Breach
Delta Dental of California notified nearly 7 million patients of a significant data breach linked to a vulnerability in MOVEit Transfer software. Personal data was exposed through unauthorized access exploiting a zero-day SQL injection flaw, resulting in remote code execution. The breach was discovered on June 1, 2023, and confirmed after a five-day investigation with unauthorized data access occurring from May 27 to May 30, 2023. Compromised information includes customer names, financial account numbers, and credit/debit card details, including security codes. Delta Dental of California is providing 24 months of free credit monitoring and identity theft protection services to affected patients. Patients are urged to be vigilant against unsolicited communications due to the risk of their data being used by phishing actors and scammers. This incident is considered the third-largest breach involving MOVEit software, trailing behind Maximus and Welltok incidents.
2023-12-15 19:05:01 bleepingcomputer CYBERCRIME CISA Warns Against Default Password Security Risks for Tech Manufacturers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised technology manufacturers to eliminate the use of default passwords in their devices and software to enhance security. Default passwords can act as a backdoor for threat actors to access and compromise networks of organizations when such credentials are not altered post-deployment. CISA emphasizes the responsibility of manufacturers in ensuring the security of their products by avoiding static default passwords and promoting unique or time-bound credentials. Suggested security improvements include unique setup passwords for each product, time-limited passwords for initial setup, and the use of Multi-Factor Authentication (MFA). Physical access requirements for initial device setup and distinct credentials for different instances offer additional protection measures. A 10-year-old CISA advisory also highlighted the risks of default passwords, particularly in critical infrastructure and embedded systems. Iranian hackers' recent breach of a U.S. water facility using a default password underscores the ongoing threat and the necessity for immediate changes in security practices.
2023-12-15 17:33:15 bleepingcomputer CYBERCRIME 3CX Advisory Urges Disabling SQL Integrations Due to Vulnerability
3CX, a VoIP communications company, has issued a warning to customers regarding a potential vulnerability affecting SQL database integrations. Customers are advised to disable integrations with MongoDB, MsSQL, MySQL, and PostgreSQL databases as a precautionary measure until a fix is developed. The security issue specifically impacts versions 18 and 20 of 3CX's Voice Over Internet Protocol (VOIP) software, but not all web-based CRM integrations are compromised. The company previously experienced a supply chain attack in March that resulted in the trojanization of their 3CXDesktopApp client, which was subsequently flagged as malicious by multiple cybersecurity firms. 3CX claims over 12 million daily users and 350,000 businesses worldwide that use their Phone System, including notable organizations such as Air France and PepsiCo. At the time of the advisory, no further details have been released, and 3CX has not responded to media inquiries regarding the vulnerability.
2023-12-15 16:52:14 bleepingcomputer CYBERCRIME Ransomware Attack Targets Cancer Center and Extorts Patients
The Hunters International ransomware gang claimed responsibility for a cyberattack on Fred Hutchinson Cancer Center, leading to patients receiving extortion threats. Fred Hutch, a cancer research and treatment center in Seattle, experienced unauthorized network access on November 19, 2023, prompting them to quarantine servers and go offline. Federal law enforcement has been notified, and an ongoing investigation with forensic experts has yet to confirm data theft. Hunters International has listed Fred Hutchinson on their dark web extortion portal, claiming to possess 533.1GB of stolen data. Patients have been individually emailed by the attackers, with threats to disclose their sensitive information, including medical history and Social Security numbers. Fred Hutch warns patients against paying the ransom, advises blocking and deleting the threatening emails, and continues to collaborate with law enforcement. Hunters International is considered to be a new Ransomware-as-a-Service operation, potentially linked to the now-defunct Hive ransomware group.
2023-12-15 14:54:39 bleepingcomputer DATA BREACH Dental Insurer Delta Dental Reports Data Breach Affecting 7 Million
Delta Dental of California experienced a data breach due to a MOVEit Transfer software vulnerability, exposing personal information of nearly 7 million people. A zero-day SQL injection flaw, CVE-2023-34362, was exploited, which allowed the Clop ransomware group to access thousands of organizations. Unauthorized access to Delta Dental's system occurred between May 27 and May 30, 2023, with the breach confirmed following an investigation on June 6, 2023. Compromised data includes names, financial account numbers, and credit/debit card information, including security codes. Delta Dental is offering 24 months of free credit monitoring and identity theft protection services to impacted customers. Impacted customers are advised to be vigilant against unsolicited communications that may lead to phishing or scams. This incident ranks as the third-largest in a series of breaches involving MOVEit software, trailing behind incidents at Maximus and Welltok.
2023-12-15 14:33:58 theregister MALWARE NKAbuse Malware Exploits Blockchain for Multi-platform Attacks
Incident responders have discovered a new multi-platform malware named NKAbuse, which uses the New Kind of Network (NKN) protocol to conduct its operations. NKAbuse is capable of performing DDoS attacks, offering remote access trojan (RAT) functionality, and operates across multiple architectures, with a preference for Linux. The malware exploits the CVE-2017-5638 vulnerability in Apache Struts 2 to spread and can adapt payloads based on the victim's operating system. NKAbuse achieves persistence on compromised systems by creating cron jobs and ensures reliability and anonymity through the blockchain-based NKN protocol, making its traffic harder to trace. It is equipped with a variety of DDoS attack methods associated with known botnets and has comprehensive RAT capabilities, enabling attackers to perform a wide range of malicious activities. Victims have been identified in various countries including Mexico, Colombia, and Vietnam, demonstrating NKAbuse's global reach and potential for expansion.
2023-12-15 14:23:24 thehackernews NATION STATE ACTIVITY APT Group Exploits Network Devices with KV-Botnet for Stealth Operations
A newly identified KV-botnet is targeting devices from Cisco, DrayTek, Fortinet, and NETGEAR for covert operations. The botnet is linked to Volt Typhoon, a threat actor with connections to China, and has been active since at least February 2022. Consisting of two clusters, KY and JDY, the botnet enables access to high-profile victims and establishes covert infrastructure. Telemetry data indicates botnet control from China-based IP addresses, with KY focusing on high-profile targets and JDY on broader scanning. The initial infection mechanism remains unknown, but once installed, the malware prioritizes its own persistence and prepares to receive further instructions. Recent changes to the botnet's infrastructure suggest preparation for new attacks, possibly targeting Axis IP cameras. The malware operates solely in memory, complicating detection but allowing for removal by power-cycling the infected device, although re-infection risks remain.
2023-12-15 13:53:24 theregister CYBERCRIME Karakurt Crime Gang Exploits Multiple Vulnerabilities for Extortion
The FBI, CISA, Treasury Department, and Financial Crimes Enforcement Network have issued an alert on the Karakurt extortion gang's tactics. Karakurt targets organizations indiscriminately, stealing data without encrypting assets, and demands ransom with serious harassment strategies. Ransom demands range from $25,000 to $13 million, paid in Bitcoin, with a one-week deadline after initial contact. The gang gains access through stolen credentials, vulnerabilities in VPNs like Cisco AnyConnect, compromised SonicWall appliances, and outdated servers. Karakurt utilizes tools such as Cobalt Strike, Mimikatz, and AnyDesk to steal credentials, maintain access, and exfiltrate large volumes of data. Victims report that despite paying ransoms, Karakurt does not always honor promises to maintain the confidentiality of stolen data. Officials strongly advise against paying ransoms and have issued indicators of compromise, including tool signatures and email addresses associated with the gang.
2023-12-15 13:04:42 thehackernews CYBERCRIME Ledger Crypto Wallet Compromised, $600K Stolen by Hackers
Ledger's software supply chain was breached due to a phishing attack on a former employee, leading to a significant theft of virtual assets. Over $600,000 was stolen after threat actors gained access to Ledger's npm account and propagated malicious code in the "@ledgerhq/connect-kit" module. Attackers uploaded three tainted versions of the module which included a crypto drainer malware that rerouted funds to hacker-controlled wallets. The tampered modules were used to display fake prompts to users, deceiving them into connecting their wallets and subsequently draining funds. Although the malicious versions were live for approximately five hours, the actual window of fund drainage was less than two hours. Ledger has since removed the compromised versions, released a mitigated update, and reported the incident, leading to the freezing of stolen funds by stablecoin issuer Tether. This incident reflects the increasing use of software registries for malware distribution via supply chain attacks, particularly targeting crypto assets for swift financial gains.
2023-12-15 11:17:54 thehackernews CYBERCRIME The Pivotal Role of Secure Coding in Web Application Security
Web applications are increasingly targeted by attackers due to the wealth of sensitive data they process and store. SQL Injections and Broken Access Control (BAC) are among the most prevalent vulnerabilities in web applications. SQL Injections can manipulate a backend database to unlawfully access data by injecting malicious SQL code. BAC has become the top web application security risk, with incidents including both vertical and horizontal privilege escalations. A practical approach to preventing SQL injections is input validation, which involves treating user input as data values instead of executable code. While Web Application Firewalls (WAFs) can improve security, they are not foolproof and can be circumvented by zero-day exploits. Secure coding practices, proper sanitization, and the principle of least privilege are fundamental to protecting web applications alongside WAFs. Incident response and recovery plans are critical for mitigating attacks, with expert consultation and reporting mechanisms in place for immediate support.
2023-12-15 11:07:45 thehackernews CYBERCRIME Urgent Patch Required for pfSense Firewall Security Flaws
Multiple security vulnerabilities have been identified in the pfSense firewall software, which could allow attackers to execute arbitrary commands. The issues include two reflected cross-site scripting (XSS) bugs and one command injection flaw that can be exploited by deceiving an authenticated user. An attacker can inject malicious scripts that are executed on the admin user's web browser, enabling unauthorized actions within the firewall with root-level access. Successful exploitation could lead to attackers spying on internal traffic or attacking services on the local network. The vulnerabilities primarily affect pfSense CE 2.7.0 and below, as well as pfSense Plus 23.05.1 and below. Patches have been released with pfSense CE 2.7.1 and pfSense Plus 23.09 following a responsible disclosure on July 3, 2023. The disclosure comes after Sonar's recent identification of a remote code execution flaw in Microsoft Visual Studio Code, which was patched in the September 2023 updates.
2023-12-15 10:01:46 theregister DATA BREACH ICO Urges Proper Emailing Practices After Data Breaches
The Information Commissioner's Office (ICO) has reminded businesses to properly use email fields to prevent personal data breaches. Staff must be trained to correctly use the "CC" (carbon copy) and "BCC" (blind carbon copy) features, with various incidents reported due to misuse. Case studies showed personal email addresses openly shared due to incorrect usage of "To" or "CC" instead of "BCC," revealing information about individuals. An NHS Trust and a charity were highlighted as examples where such errors resulted in the identification of trust patients and disclosed email addresses of HIV advisory board members. The ICO underscores the importance of understanding the distinction between "CC" and "BCC," implementing warning systems for potential misuse, and considering delays before sending emails to allow error correction. Additional advice includes turning off the autocomplete function to avoid unintended recipients and evaluating whether email is the best method for sharing information, including when using third-party services. Organizations are encouraged to take a risk-based approach to email communications, ensuring they adhere to privacy requirements and best practices.