Daily Brief
Articles are listed below together with their generated summaries
Total articles found: 11692
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-16 15:02:52 | bleepingcomputer | DDOS | Surge in DDoS Attacks Impacting Major Tech and Financial Sectors | Microsoft has experienced an increase in DDoS attacks on its cloud platforms.<br>BaFin, the German Federal Financial Supervisory Authority, suffered a DDoS attack, disrupting critical services and information dissemination.<br>Layer 7 DDoS attacks are becoming more prevalent, targeting the application layer to cause service disruptions.<br>Anonymous Sudan, also known as Storm-1359, is a rising threat group demanding ransoms and targeting nations opposed to Sudan. They may have Russian ties.<br>The group has escalated its attacks from demanding $3,500 from SAS to asking for $1 million from Microsoft, and has threatened European banking systems.<br>Password hygiene is integral to cybersecurity, as poor practices can lead to vulnerabilities and escalate the severity of DDoS attacks.<br>Specops Software provides a Password Policy solution to enhance password security as a measure against credential-based attacks. |
| 2023-11-16 14:47:13 | theregister | MALWARE | BlackCat Ransomware Group Exploits Malvertising to Spread Nitrogen Malware | ALPHV/BlackCat ransomware affiliates have employed malvertising to distribute Nitrogen malware via fake ads for legitimate software like Slack and Cisco AnyConnect.<br>Victims downloading these advertised software packages are inadvertently installing Nitrogen malware, a preliminary step for subsequent ransomware attacks.<br>eSentire's Threat Response Unit has observed and engaged with this campaign after it targeted their clients, preventing the progression to ransomware deployment.<br>The malicious use of Python libraries allows the malware to camouflage within normal network traffic, making detection more challenging for security teams.<br>Multiple sectors, including the healthcare industry, have been targeted by the group, with some victims being blackmailed with sensitive data breaches.<br>Social media platforms and healthcare institutions such as Reddit and Barts Health NHS Trust have been previous victims of BlackCat ransomware.<br>BlackCat has shown adaptability by recruiting English-speaking cybercriminal affiliates to expand its range of potential targets.<br>The broader issue of malvertising has been highlighted as a growing trend among cybercriminals, with insufficient preemptive measures from platforms like Google to prevent such malicious ad campaigns. |
| 2023-11-16 13:55:33 | thehackernews | NATION STATE ACTIVITY | DarkCasino APT Exploits WinRAR Zero-Day to Target Cryptocurrency Users | A new advanced persistent threat (APT) group named DarkCasino has exploited a WinRAR vulnerability, CVE-2023-38831, to conduct frequent and economically motivated attacks.<br>Cybersecurity firm NSFOCUS identified DarkCasino as an APT with strong technical skills, adept at incorporating various APT attack techniques.<br>DarkCasino's primary objective appears to be the theft of online property, specifically targeting online financial service users and cryptocurrency platforms.<br>The group employs malware known as DarkMe, capable of collecting information, manipulating files, executing commands, and self-updating on infected systems.<br>Initially focused on Mediterranean and Asian countries, DarkCasino's phishing attacks have now gone global, impacting cryptocurrency users, including those in non-English-speaking nations.<br>NSFOCUS reports that DarkCasino's phishing methods and attacks are unrelated to previously known threat actors such as EvilNum.<br>Several other APT groups have also been exploiting the WinRAR zero-day for various cyberattacks, posing increased threats to governments and critical infrastructure. |
| 2023-11-16 12:33:35 | theregister | CYBERCRIME | Royal Mail Suffers $12M Recovery Cost After LockBit Ransomware Attack | Royal Mail's parent company disclosed a £10 million recovery cost from the January ransomware attack by LockBit.<br>The ransomware incident resulted in a significant delay in Royal Mail's international shipping and contributed to a 6.5 percent YoY revenue decline.<br>The overall impact of the attack included a 5 percent reduction in international parcel volume, partially due to the cyber incident.<br>Total half-year losses for the group were reported at £319 million, with additional costs stemming from an agreement to increase staff pay.<br>IDS, the parent company, expressed concern over Royal Mail's financial performance in a challenging trading environment.<br>Despite the incident and a decrease in international revenues, there has been a slight improvement since the company's last report in March 2023.<br>Details of the ransomware negotiation between Royal Mail and LockBit revealed Royal Mail's refusal to pay the $80 million ransom and the use of stalling tactics during the talks. |
| 2023-11-16 12:07:47 | thehackernews | CYBERCRIME | CISA and FBI Alert Businesses of Rhysida Ransomware Threat | The U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, and MS-ISAC have issued a warning about Rhysida ransomware attacks.<br>Rhysida ransomware operates as a ransomware-as-a-service (RaaS), compromising entities in sectors like education, manufacturing, IT, and government.<br>The threat actors exploit exposed remote services, the Zerologon vulnerability, and phishing to gain access to and maintain presence in networks.<br>Rhysida uses double extortion to demand ransoms for decryption and to prevent publication of leaked data, with connections to Vice Society ransomware.<br>Malwarebytes reported five Rhysida victims in October, trailing other major ransomware operations such as LockBit.<br>Vice Society seems to have switched to deploying Rhysida, with no new victims posted since July 2023, when Rhysida began reporting victims.<br>Sophos identifies the cyber gang as cluster TAC5279, and the overall ransomware landscape is rapidly evolving with new groups emerging, influenced by code leaks and criminal cross-pollination. |
| 2023-11-16 11:21:18 | thehackernews | CYBERCRIME | Exploits in Google Services Could Enable Ransomware Attacks | Hackers have found vulnerabilities in Google Workspace and Google Cloud Platform that could be exploited for ransomware attacks and data theft.<br>Compromised machines with Google Credential Provider for Windows (GCPW) are potential gateways for wider network breaches.<br>By obtaining OAuth tokens, attackers can bypass multi-factor authentication and manipulate sensitive data associated with a Google Account.<br>The "Golden Image" attack vector allows threat actors to use cloned virtual machines to spread to other systems within a network.<br>An undocumented API endpoint can be exploited using acquired access tokens to decrypt stored passwords, heightening the risk of account takeover.<br>Google has stated the issue is outside their threat model and won't be fixed, as it aligns with Chrome's data storage practices.<br>The risk assessment suggests that once a local machine is compromised, the organizational network is vulnerable to extensive unauthorized access and manipulation. |
| 2023-11-16 11:21:18 | thehackernews | MISCELLANEOUS | Streamlining Employee Offboarding with Nudge Security Automation | 70% of IT professionals report negative outcomes due to incomplete offboarding, including security incidents and unnecessary expenses.<br>On average, five hours are spent on offboarding per employee, involving the deprovisioning of SaaS accounts and resource handoff.<br>Nudge Security, a SaaS management platform, offers solutions for comprehensive IT offboarding and governance aligned with Google and Microsoft best practices.<br>The Nudge Security playbook provides step-by-step guidance for revoking access, transferring resources, updating integrations, and cleaning up accounts.<br>Automating offboarding tasks with Nudge Security can save up to 90% of the time and effort required for securely deprovisioning departing employees' SaaS accounts.<br>The platform helps ensure business operations continue smoothly post-offboarding by managing critical app-to-app integrations and transfers.<br>Nudge Security can prevent unauthorized access by promptly revoking OAuth grants and resetting passwords for unmanaged accounts discovered by their system.<br>A built-in reporting feature documents all offboarding activities, facilitating accountability and ease of sharing with internal stakeholders or auditors. |
| 2023-11-16 06:10:35 | thehackernews | NATION STATE ACTIVITY | Coordinated Russian Hack Strikes Danish Energy Sector | Russian hackers are suspected to have executed the "largest cyber attack against Danish critical infrastructure," affecting 22 energy sector companies.<br>Denmark's SektorCERT links the attacks to Russia's GRU military intelligence and the known hacking group Sandworm, based on IP address evidence.<br>On May 11, attackers exploited a critical Zyxel firewall vulnerability, CVE-2023-28771, to infiltrate companies and perform reconnaissance.<br>The simultaneous nature of the assaults hindered information sharing between targets, enhancing the attacks' effectiveness.<br>A second assault wave from May 22 to 25, utilizing different cyber weapons and critical Zyxel bugs, suggests the possibility of multiple threat actors.<br>Some of the compromised devices were used for DDoS attacks against companies in the U.S. and Hong Kong.<br>Attack attempts surged after public disclosure of the vulnerability, primarily from Polish and Ukrainian IP addresses, leading targets to disconnect from the internet.<br>The energy sector is under increased threat, with ransomware groups and initial access brokers targeting nuclear energy firms. Related discoveries tie Moscow-based IT contractor NTC Vulkan to the provision of offensive cyber tools, potentially connected to the attacks. |
| 2023-11-16 03:32:37 | theregister | CYBERCRIME | Hundreds of Websites Cloned for Chinese Gambling Ad Scheme | Swedish digital rights group Qurium uncovers around 250 cloned websites pushing Chinese gambling ads.<br>Investigation reveals the sites belong to legitimate entities (private businesses, universities, and public libraries) and were copied for gambling ad revenue.<br>Cloned sites predominantly advertise '188bet' and are linked to a company in the Isle of Man tax haven.<br>The promoted gambling sites are connected to Kaiyun, which holds a UK business license and has a history of anti-money laundering regulation breaches.<br>TGP Europe Limited, providing 'white label' gaming services connected to the cloned sites, has been previously flagged by the UK Gambling Commission.<br>Domains for the cloned sites were registered through Gname.com, known for domain squatting for gambling purposes.<br>Cloned websites serve as an advertising alternative for gambling operators, bypassing restrictions from publishers and ad networks.<br>The motive behind the cloned sites may be to target the Chinese diaspora due to gambling restrictions in China. The cloned content causes SEO harm to the original sites. |
| 2023-11-16 02:05:49 | bleepingcomputer | CYBERCRIME | Ransomware Group Files SEC Complaint Against Victim Company | The ransomware operation ALPHV/BlackCat filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink for not disclosing a cyberattack within the required time frame.<br>MeridianLink, a provider of digital solutions for financial organizations, allegedly suffered a data breach on November 7, with the ransomware group claiming they stole data without encrypting systems.<br>The ALPHV gang threatened to leak the stolen data unless a ransom was paid within 24 hours, listing MeridianLink on their data leak website.<br>The SEC complaint was an attempt to pressure MeridianLink into responding and potentially negotiating a ransom, as they claimed the company had yet to reach out after the breach.<br>ALPHV published a screenshot of their SEC complaint form, accusing MeridianLink of failing to disclose the breach as mandated by recent SEC rules for material cybersecurity incidents.<br>MeridianLink confirmed the cyberattack, stating they contained the threat with minimal business interruption and engaged third-party experts to investigate the breach.<br>While other ransomware groups have threatened to report breaches to authorities, this incident appears to be the first publicly acknowledged case. |
| 2023-11-16 00:49:20 | theregister | DATA BREACH | Clorox CISO Resigns Following Costly Corporate Cyberattack | Clorox's CISO Amy Bogac has stepped down after a breach that caused significant financial damage to the company.<br>The cyberattack resulted in a 20 percent decrease in Clorox's Q1 net sales, equating to a $356 million reduction.<br>Clorox's SEC filings reveal the attack led to "wide scale disruption," including manual order processing.<br>Expenses related to the breach for Q3 totaled $24 million, mostly for IT recovery and professional forensic services.<br>Ransomware group AlphV (BlackCat) filed an SEC complaint against MeridianLink, claiming they failed to disclose a data breach.<br>No comment from the SEC on the AlphV complaint; Clorox is still dealing with the fallout and searching for a new CISO. |
| 2023-11-15 23:12:37 | bleepingcomputer | DATA BREACH | Samsung UK Online Store Hit by Data Breach Exposing Customer Data | Samsung informs customers of a data breach affecting the UK online store, exposing personal information.<br>The breach was due to a hacker exploiting a third-party application vulnerability.<br>Customers who made purchases between July 1, 2019, and June 30, 2020, are affected.<br>Exposed data may include names, contact details, and addresses, but financial data and passwords are secure.<br>The incident is confined to the UK and does not impact US customers, employees, or retailers.<br>Samsung has reported the issue to the UK's Information Commissioner's Office and taken steps to address the security breach.<br>This marks Samsung's third data breach of the year, with previous incidents in March and July. |
| 2023-11-15 20:18:49 | bleepingcomputer | CYBERCRIME | Fraudsters Impersonate Crypto Experts in Phishing Scam Campaign | Scammers are spoofing accounts of known cryptocurrency researchers and blockchain security firms to promote phishing pages.<br>The campaign involves fake security breach alerts, tricking users into visiting malicious websites under the guise of protecting their assets.<br>Impersonated accounts include CertiK, ZachXBT, and Scam Sniffer, exploiting their credibility to deceive users.<br>Despite warnings from legitimate sources, bot accounts helped amplify the scam, making related hashtags trend on social media platforms.<br>To date, the scammers have stolen over $305k in cryptocurrency by convincing users to interact with a fake 'Revoke Approvals' system on malicious sites.<br>Impersonation of legitimate figures in the crypto community is becoming a common tactic for phishing operations, requiring users to verify information and exercise caution.<br>Users are reminded to verify the authenticity of claims, consult official sources, and avoid connecting wallets to suspicious platforms or signing untrusted smart contracts. |
| 2023-11-15 19:27:30 | bleepingcomputer | CYBERCRIME | Citrix Hypervisor Patched to Thwart "Reptar" CPU Vulnerability | Citrix has issued hotfixes for Citrix Hypervisor targeting two vulnerabilities, including a high-severity Intel CPU flaw known as "Reptar".<br>The addressed vulnerabilities are identified as CVE-2023-23583, affecting Ice Lake and later Intel processor generations, and CVE-2023-46835, specific to Citrix Hypervisor 8.2 with certain AMD CPUs.<br>CVE-2023-23583, disclosed by Intel, could cause system crashes or privilege escalation, although the likelihood of exploitation is deemed low.<br>The flaw could allow guest VM code to compromise the VM and potentially the host system.<br>CVE-2023-46835 concerns a scenario where privileged code in a guest VM might compromise an AMD-based host via a passed-through PCI device.<br>The hotfixes also include updated Intel microcode to help mitigate these hardware issues.<br>Detailed instructions for applying the hotfixes are available on Citrix's Knowledge Center. |
| 2023-11-15 19:22:13 | bleepingcomputer | DATA BREACH | Toronto Public Library Hit by Ransomware, Personal Data Compromised | The Toronto Public Library (TPL) suffered a ransomware attack that resulted in the theft of personal information, including employee, customer, volunteer, and donor details.<br>Compromised data includes names, social insurance numbers, birth dates, home addresses, and government-issued ID copies dating back to 1998.<br>The main cardholder and donor databases remained unaffected, but some data on the compromised server may have been exposed.<br>TPL has not paid any ransom and is working with cybersecurity experts to investigate, while also reporting the incident to relevant authorities.<br>The Black Basta ransomware group is believed to be behind the attack after a ransom note was seen on a TPL workstation.<br>Black Basta, which emerged in April 2022, allegedly has ties to the Conti ransomware group and the FIN7 cybercrime gang, and has targeted multiple high-profile entities. |