Daily Brief
Find articles below; summaries are machine-generated.
Total articles found: 11696

| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-20 17:25:59 | bleepingcomputer | DATA BREACH | Canadian Government Employee Data Exposed in Contractor Hacks | Two Canadian government contractors, BGRS and SIRVA, suffered cyber breaches that compromised sensitive data. The LockBit ransomware gang claimed responsibility for the attack on SIRVA and leaked 1.5TB of allegedly stolen documents. Personal and financial information of government employees, RCMP and Canadian Armed Forces personnel dating back to 1999 is at risk. The Government of Canada responded by offering support services such as credit monitoring and passport reissuance to those affected. A detailed analysis is underway to determine the full scope of the breach and identify all impacted individuals. Affected individuals are advised to update login credentials, use multi-factor authentication and monitor their accounts for unusual activity. |
| 2023-11-20 17:20:40 | theregister | CYBERCRIME | Former Security COO Guilty of Hacking Hospitals for Sales Leverage | Vikas Singla, former COO of the cybersecurity firm Securolytics, pleaded guilty to cyberattacks on two hospitals in 2018. Singla intentionally disrupted the Ascom phone system used for critical communications at Gwinnett Medical Center, impacting over 200 devices. The attack also compromised patient data stored on a Hologic R2 Digitizer, with information on over 300 patients stolen. After the attacks, Securolytics began reaching out to potential clients, using the incidents to market its services. Singla's plea deal recommends 57 months of house detention instead of prison, citing his serious health conditions. Singla is ordered to pay $817,804.12 in restitution to Northside Hospital and an insurance company for the damage caused by his actions. The rationale for house detention includes Singla's battle with an extraordinary form of cancer and a dangerous vascular condition. |
| 2023-11-20 16:59:27 | bleepingcomputer | MALWARE | Kinsing Malware Exploits Apache Vulnerability for Cryptojacking | Kinsing malware operators are exploiting CVE-2023-46604, a critical vulnerability in Apache ActiveMQ, for remote code execution on Linux systems. Despite a patch being available since late October, many servers remain vulnerable, and several ransomware groups are capitalizing on unpatched systems. Kinsing aims to deploy cryptocurrency miners and has previously leveraged other vulnerabilities such as Log4Shell and an Atlassian Confluence RCE bug. The malware uses 'ProcessBuilder' to execute commands that download additional payloads while evading detection. Before starting to mine, Kinsing eliminates competition by terminating other Monero mining processes and establishes persistence through a cronjob. A rootkit is registered in the '/etc/ld.so.preload' file for stealthy, system-wide execution and to complicate removal. Organizations remain at risk and are advised to upgrade Apache ActiveMQ to a version patched against the flaw. |
| 2023-11-20 15:47:44 | bleepingcomputer | CYBERCRIME | British Library Struck by Ransomware Attack with Data Auctioned | The Rhysida ransomware gang has claimed responsibility for the October cyberattack on the British Library. The attack caused an extensive IT outage, with the library's systems encrypted and services disrupted for several weeks. Rhysida is currently auctioning data it claims to have stolen from the library, offering it exclusively to a single buyer with no option for resale. As proof of the breach, the group released a low-resolution screenshot of purportedly stolen ID scans from the library's systems. The FBI and CISA had previously warned about Rhysida's attacks on various sectors, describing it as a ransomware-as-a-service (RaaS) operation. Leaked HR documents from the British Library have been confirmed, and users are urged to change their passwords as a precaution. The library's online and onsite services, such as Wi-Fi and its website, remain affected nearly three weeks after the attack. The British Library holds over 150 million items, adds approximately 3 million new items annually, and serves over 11 million online visitors and 16,000 onsite and online users daily. |
| 2023-11-20 15:21:53 | thehackernews | MALWARE | NetSupport RAT Spreading Rapidly Amongst Government and Businesses | Threat actors are leveraging NetSupport RAT, originally a legitimate remote administration tool, for cyber espionage, specifically targeting the education, government and business services sectors. VMware Carbon Black reports at least 15 new NetSupport RAT infections and notes a variety of delivery mechanisms, including fraudulent updates, drive-by downloads and phishing campaigns. Deployment methods encompass deceptive websites, fake browser updates and compromised WordPress sites showing fake Cloudflare DDoS protection pages. Cybercriminals use JavaScript-based downloaders such as SocGholish (aka FakeUpdates) and the BLISTER loader to distribute NetSupport RAT. Once the victim executes a JavaScript payload that triggers a PowerShell script to download the malware, the RAT enables attackers to monitor victim behavior, transfer files, change settings and propagate within the network. After installation, NetSupport RAT connects to a command-and-control server, signaling a successful breach and allowing further remote control and lateral movement within infected networks. |
| 2023-11-20 15:05:52 | bleepingcomputer | MISCELLANEOUS | Enhancing Workplace Efficiency with Self-Service Password Resets | Implementing self-service password reset (SSPR) improves productivity by allowing employees to resolve password issues independently. The process reduces work interruptions, anxiety and the risk of missed deadlines caused by forgotten passwords. SSPR eliminates social engineering risks by using third-party tools for verification without intervention by a human IT technician. Integrating on-premises Active Directory with Microsoft 365 via Azure AD Connect enables SSPR with multi-factor authentication. Microsoft's SSPR requires certain user licenses, and its verification methods can be aligned with those used for multi-factor authentication. Specops uReset offers an alternative password reset solution that integrates with Active Directory and multiple authentication methods. User registration information is stored securely in Active Directory, and deployment is simplified through group policy and local server components. Adopting SSPR solutions reduces IT helpdesk calls, saves time, lowers costs and diminishes the risk of data loss through social engineering, thereby enhancing overall company productivity and success. |
| 2023-11-20 14:54:58 | thehackernews | CYBERCRIME | Innovative Unified Identity Protection with Silverfort's Platform | Silverfort offers the first unified identity protection platform, enhancing security across both on-premises and cloud resources, including legacy and command-line tools. A report indicates that 83% of organizations have suffered data breaches due to compromised credentials; Silverfort aims to mitigate this risk. The platform extends Risk-Based Authentication and Multi-Factor Authentication (MFA) to all resources by integrating with existing identity management solutions. Silverfort's dashboard provides comprehensive oversight of user access types and attempts, as well as authentication analysis, with real-time protection updates. The Advanced MFA module addresses the challenge of enforcing MFA on resources that traditionally do not support it, working around the limitations of older protocols. The Service Account Protection module detects and secures service accounts with high privileges and low visibility, a common target for attackers. Silverfort's automatic policy creation for each service account allows for immediate response actions such as alerts, blocks or notifications to SIEM systems. The platform is pinpointed as a crucial innovation for organizations looking to substantially improve their defenses against identity-based attacks. |
| 2023-11-20 14:54:58 | thehackernews | MALWARE | Phishing Campaigns Resurrect QakBot Methods with New Malware | Phishing campaigns are distributing the DarkGate and PikaBot malware using tactics similar to those of the dismantled QakBot trojan. Malware delivery starts with hijacked email threads containing unique URL patterns, echoing methods previously seen with QakBot. DarkGate features antivirus evasion, keylogging, PowerShell execution and reverse shell capabilities, allowing remote control of infected hosts. PikaBot was previously analyzed by Zscaler, which noted its resemblance to QakBot in distribution and behavior. The campaigns target various sectors, using booby-trapped URLs in email threads to deliver a ZIP containing a JavaScript dropper, or XLL files, as the infection vector. A successful infection by either malware could pave the way for further attacks, including crypto mining, reconnaissance and ransomware deployment. The coordinated QakBot takedown, Operation Duck Hunt, took place in August, but cybercriminals continue to adapt and reuse its effective strategies. |
| 2023-11-20 14:44:15 | bleepingcomputer | MALWARE | Lumma Malware Uses Advanced Techniques to Thwart Detection | Lumma Stealer has updated its evasion techniques, using trigonometry on measured mouse movements to detect and escape the virtual environments used by security software. The malware targets user data on Windows 7 through 11, capturing passwords, cookies, credit card details and cryptocurrency wallet information. First offered on cybercrime forums in December 2022, Lumma quickly became popular in the underground community. New features such as control flow flattening, encrypted strings and dynamic configuration files are intended to defeat automated analysis. By calculating vector magnitudes and angles from mouse movement, Lumma determines whether the activity is human or simulated; non-human patterns pause its malicious activity. A crypter is now required to protect the malware executable from unauthorized access, with built-in checks to ensure it is used. Lumma 4.0 adds code-level hurdles such as opaque predicates and dead code blocks to disrupt reverse engineering. These updates illustrate a concerted effort by Lumma's developers to make the malware more resilient against security analysis and to maintain its efficacy for malicious actors. |
| 2023-11-20 12:10:30 | theregister | CYBERCRIME | British Library Hit by Rhysida Ransomware Attack, Data Auctioned | The Rhysida ransomware group claims responsibility for the October cyberattack on the British Library and has leaked stolen data as proof. Rhysida set up an auction for the stolen British Library data with a starting bid of 20 Bitcoin, approximately $745,000. The British Library suffered significant disruption from the attack, including IT outages and service limitations. As of the article's publication, the library's website was still down and services continued to face outages. The British Library had been aware of the ransomware nature of the incident since November 14 but only learned of Rhysida's claim on November 20. Authorities, including the US Cybersecurity and Infrastructure Security Agency (CISA), have been alerted to the ransomware strain's activity against multiple sectors since May 2023. Rhysida uses a double extortion model and is known for exploiting old vulnerabilities, phishing and credential theft to gain access to victims' networks. |
| 2023-11-20 11:03:51 | thehackernews | MISCELLANEOUS | Embracing a Hacker Mindset to Strengthen Cyber Defenses | Today's security landscape demands agility and innovation from defenders due to an evolving attack surface and dynamic threats. Security leaders are encouraged to adopt a hacker mindset to understand exploitable pathways and prioritize remediation efforts. Traditional defense strategies often fail to consider the interconnectedness of vulnerabilities, unlike hackers, who seek a single entry point to reach high-value targets. Smaller organizations are also at risk, as indicated by Verizon's 2023 Data Breach Investigations Report, which shows substantial incidents in small businesses. To think like a hacker, defenders should understand attackers' tactics, reveal complete attack paths, prioritize remediation based on impact and validate security investments. Automated Security Validation, such as that offered by Pentera, helps organizations continually test and improve their security posture against real-world threats. Defender effectiveness should be communicated to CEOs and boards in terms that reflect true business impact, beyond conventional metrics such as vulnerabilities patched. |
| 2023-11-20 10:53:27 | thehackernews | MALWARE | Malware Leverages Trigonometry to Evade Detection | LummaC2 malware now uses a sophisticated trigonometry-based anti-sandbox technique to avoid detection. The technique delays the malware's activation until it detects human-like mouse movement patterns. LummaC2, which is written in C, has been traded on underground forums and continues to receive updates that enhance its evasion capabilities. The malware calculates the angles between successive cursor positions to determine whether a human is present. If the mouse behavior meets its criteria, LummaC2 proceeds with execution; otherwise, it restarts the detection process. The rise of LummaC2 coincides with an increase in information stealers and remote access trojans targeting sensitive data. These developments underscore the ongoing threat posed by malware-as-a-service (MaaS) models that enable complex, damaging cyberattacks. |
| 2023-11-20 09:21:36 | thehackernews | CYBERCRIME | Randstorm Exploit Leaves Old Bitcoin Wallets Vulnerable to Hacking | The Randstorm exploit affects Bitcoin wallets created between 2011 and 2015, potentially putting 1.4 million bitcoins at risk. Weak cryptographic keys, generated because of poor random number quality in older web browsers, leave these wallets vulnerable. The issue was rediscovered in January 2022 by cryptocurrency recovery firm Unciphered while assisting a customer. The vulnerability stems from the BitcoinJS library's use of the SecureRandom() function and the cryptographic weaknesses of Math.random(). Wallets generated before March 2012 are at the highest risk, with the exploit allowing brute-force recovery of private keys. In March 2014, BitcoinJS stopped using the JSBN library, which was responsible for the vulnerability. The situation highlights the broader risks of supply chain vulnerabilities in open-source dependencies. Funds in affected wallets remain at risk unless transferred to a new wallet created with updated, secure software. |
| 2023-11-20 06:43:34 | thehackernews | CYBERCRIME | Indian Hack-for-Hire Group's Decade of Global Espionage Revealed | Appin Security, an Indian hack-for-hire group, was involved in a decade-long global espionage operation targeting the U.S., China and other countries. SentinelOne's analysis traces Appin Security's origins to a security training startup that conducted covert hacking from 2009 onward, despite the company's denials. Appin's operations included cyberattacks with information-stealing malware and services that let clients access campaign data and run trojan campaigns. Evidence links Appin to the macOS spyware known as KitM and to domestic cyber espionage targeting Sikhs in India and the U.S. The group used third-party infrastructure for phishing and data exfiltration, and drew on private spyware and exploit vendors such as Vervata, Vupen and Core Security. Appin reportedly used platforms such as Elance (now Upwork) to hire external developers for malware creation and also developed custom hacking tools in-house. The exposé of Appin's activities coincides with the sentencing of Israeli private investigator Aviram Azari for a similar hack-for-hire scheme, highlighting the use of Indian hackers such as BellTroX Infotech in international cyber espionage operations. |
| 2023-11-20 02:37:46 | theregister | CYBERCRIME | Annual Report Exposes Persistent Weak Password Habits | NordPass has released its yearly list of the most commonly used passwords, revealing the persistent use of weak and easily guessed passwords such as "123456". Despite minor shifts, such as "password" moving to number seven, users continue to favor simple numeric sequences, which can severely compromise security. In the US, generic passwords prevail, with unusual entries such as "shitbird" appearing in the top 20; UK users frequently use football team names and other common words as passwords. The report indicates that streaming service accounts are particularly vulnerable because their passwords are especially weak compared with users' other accounts. NordPass emphasizes the importance of long, complex passwords that mix character types and advises against reusing passwords. The US Federal Communications Commission has introduced regulations to protect against SIM swap and port-out fraud, requiring wireless providers to authenticate customers more securely. A new ransomware named Rhysida is exploiting old vulnerabilities, particularly ZeroLogon from 2020, to attack sectors such as education, healthcare and government, underscoring the need for timely software updates and patch management. |