Daily Brief

Articles are listed below; each entry is followed by a machine-generated summary of the source story.

Total articles found: 11689

Checks for new stories every ~15 minutes

2023-11-13 14:35:09 theregister NATION STATE ACTIVITY Unprecedented Cyberattacks Target Denmark's Critical Infrastructure
Denmark's critical infrastructure operators faced the largest cyberattack campaign in the country's history, with 22 companies affected. Attackers exploited unpatched vulnerabilities in Zyxel firewalls, breaching networks and forcing some organizations to disconnect from the public internet and run in "island mode". SektorCERT saw indications of a highly coordinated and well-resourced effort and possible involvement of Sandworm, a group associated with Russia's GRU. In the first wave, eleven of sixteen targeted energy organizations were compromised through exploitation of CVE-2023-28771, initially for reconnaissance. Later waves included attempts to enrol compromised devices in the Mirai botnet for DDoS attacks and the likely use of Zyxel firewall zero-days before their public disclosure. SektorCERT noted that some compromised organizations did not know they had Zyxel firewalls on their networks: the devices had been installed by third-party suppliers without clear communication to the operator. The final wave triggered alerts on traffic to IP addresses previously linked to Sandworm and caused minor operational disruption. SektorCERT credits the rapid response of its team and the affected organizations, and stresses that systemic weaknesses in critical infrastructure, such as edge devices installed without the operator's knowledge, need attention.
2023-11-13 12:17:25 thehackernews CYBERCRIME New Ransomware Syndicate 'Hunters International' Utilizes Hive's Legacy
A new ransomware group, Hunters International, has emerged using the source code and infrastructure of Hive, the ransomware-as-a-service operation dismantled by law enforcement in January 2023. Code overlap with Hive led researchers to suspect a rebrand; the group denies this, stating that it bought the assets from Hive's developers. Hunters International has claimed five victims so far and emphasizes data exfiltration rather than encryption alone. Its ransomware is written in Rust, which makes reverse engineering harder, following Hive's own move to the language the previous year. The malware is simpler than Hive's, with fewer command-line parameters and streamlined logic. Bitdefender's report concludes that while Hive was a significant threat, whether Hunters International reaches the same standing in the cybercrime landscape remains to be seen.
2023-11-13 11:36:34 thehackernews MISCELLANEOUS Securing SaaS Marketing Tools: Overcome Top Five Security Challenges
Marketing departments rely heavily on SaaS applications and face distinct security challenges from a broad mix of users and interconnected systems. External users such as agency partners need carefully scoped permissions to sensitive data, and their access can persist after an engagement ends or an employee leaves unless it is revoked. Publicly shared collaboration links can expose sensitive assets to anyone who obtains the link. Marketing apps linked to company credit cards need controls to prevent misuse and exposure of financial data. Sensitive customer and prospect data held in marketing SaaS tools call for robust access controls, multi-factor authentication and user behaviour monitoring. The many connected apps marketing teams use, each with different permission levels, raise the risk of over-privileged access to company data. The article presents SaaS Security Posture Management (SSPM) as the way for marketing teams to monitor and manage that access, protecting brand reputation and data integrity, and as a means for security and marketing departments to collaborate without sacrificing productivity.
2023-11-13 10:20:02 theregister CYBERCRIME Innovative Data Diodes: Enhancing Cybersecurity Infrastructure
Data diodes, also called unidirectional gateways, enforce one-way data transfer in hardware to protect critical networks. The technology is not new but is gaining commercial traction because of how cleanly it mitigates one class of risk: an attacker who compromises a less secure network cannot traverse the diode to reach highly sensitive systems. The article argues that data diodes have lower lifetime maintenance costs than traditional firewalls and are especially valuable where IT systems integrate with significant physical infrastructure, such as energy or manufacturing. They are not a complete security solution, but they substantially reduce the attack surface of critical systems, and industries increasingly treat them as a key component in securing IT and OT (operational technology) interconnections.
2023-11-13 10:14:45 theregister CYBERCRIME Embracing ADX Technology to Thwart Data Exfiltration
The article argues that traditional antivirus (AV) is inadequate against current threats, in particular intruders using AI-assisted techniques to exfiltrate data. Attackers capture sensitive information from compromised systems and use it for ransom and extortion. BlackFog's on-device anti data exfiltration (ADX) technology applies AI-based behavioural analytics to block unauthorized outbound data transfers, and is designed to stop even users with administrator privileges from sending unauthorized data outside the network. A webinar hosted by The Register with BlackFog's CEO, Dr Darren Williams, will compare ADX technology with traditional AV, covering how to secure devices and data against ransomware and how to deploy ADX. Registration is open for the webinar, scheduled for 15 November.
2023-11-13 06:33:46 theregister CYBERCRIME Royal Mail Security Flaw Exposes Customers to Phishing Risks
Royal Mail's website was found to contain an open redirect flaw: a link that appears to point at the legitimate Royal Mail domain can forward visitors to an attacker-chosen site, which makes it useful for phishing and malware delivery. Royal Mail was notified but has not publicly addressed the issue; the affected page remains down. In the same roundup: a breach of the Maine state government's MOVEit instance exposed data of approximately 1.3 million people, including sensitive personal information, and the state is offering affected individuals free credit monitoring. Radiology firm US Radiology Specialists was fined $450,000 by New York's attorney general for a 2021 data breach affecting nearly 200,000 individuals, after failing to protect its systems against known vulnerabilities.
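The open redirect class in the Royal Mail item above, illustrated with an added example. This is not Royal Mail's code and makes no claim about how its site was implemented: it shows the generic vulnerable pattern (a client-supplied `next` parameter copied straight into the redirect) beside a hardened version that accepts only same-site absolute paths. The hostname `shop.example.com`, the parameter name `next` and the sample inputs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlparse

# Added example; the hostname is an assumption, not Royal Mail's.
SITE_HOST = "shop.example.com"


def redirect_target_vulnerable(next_param: str) -> str:
    """Open-redirect pattern: the client-supplied value becomes the Location
    header unchanged, so ?next=https://evil.example/login sends the user
    off-site while the link they clicked still showed the legitimate domain."""
    return next_param


def redirect_target_hardened(next_param: str, default: str = "/") -> str:
    """Accept only a same-site, absolute-path target; anything else falls back."""
    if not next_param:
        return default
    # Control characters and backslashes are used to confuse URL parsers
    # (browsers treat "/\evil.example" much like "//evil.example"); reject them.
    if any(ord(c) < 0x20 or c == "\\" for c in next_param):
        return default
    # Protocol-relative URLs ("//evil.example", "///evil.example") are absolute
    # to a browser even though they carry no scheme.
    if next_param.startswith("//"):
        return default
    parsed = urlparse(next_param)
    # Any scheme (https:, javascript:, data:) or authority component means
    # the target is not a plain path on this site.
    if parsed.scheme or parsed.netloc:
        return default
    # What remains must be a path rooted at "/" on this site.
    if not parsed.path.startswith("/"):
        return default
    return next_param


# Constructed attacker and legitimate inputs for the demonstration.
SAMPLE_INPUTS = [
    "/track?item=123",             # legitimate same-site path
    "https://evil.example/login",  # absolute off-site URL
    "//evil.example/login",        # protocol-relative off-site URL
    "/\\evil.example",             # backslash parser-confusion trick
    "javascript:alert(1)",         # non-http scheme
    "evil.example/login",          # not rooted at "/"; rejected by the strict rule
]


def compare(inputs=SAMPLE_INPUTS) -> dict:
    """Map each input to (vulnerable_result, hardened_result)."""
    return {s: (redirect_target_vulnerable(s), redirect_target_hardened(s)) for s in inputs}


if __name__ == "__main__":
    for src, (vuln, safe) in compare().items():
        print(f"{src!r:32} vulnerable -> {vuln!r:32} hardened -> {safe!r}")
```

The hardened check deliberately allow-lists the shape of a safe target (rooted path, no scheme, no authority) rather than deny-listing known bad prefixes, because parser-confusion inputs keep appearing; where a site genuinely needs to redirect to other hosts, the same function can be extended with an explicit set of permitted hostnames compared against `parsed.netloc`.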
2023-11-13 06:03:02 thehackernews NATION STATE ACTIVITY Covert Chinese Espionage Targets 24 Cambodian Entities
Researchers have disclosed espionage activity by Chinese state-aligned hackers against Cambodian government organizations, attributed to groups such as Emissary Panda and assessed as part of China's efforts to expand its influence and naval presence in the region. Targeted organizations span defense, election oversight, human rights, finance, commerce, politics, natural resources and telecommunications. The operators hid their infrastructure behind domains posing as cloud backup and storage services and timed their activity to Chinese business hours to blend in. Separately reported malware used against ASEAN targets included EAGERBEE, RUDEBIRD, DOWNTOWN and BLOODALCHEMY. Recorded Future reports that Chinese cyber espionage has shifted to more mature, strategic and coordinated operations, with state-sponsored groups increasingly exploiting both known and zero-day vulnerabilities in line with China's strategic goals.
2023-11-13 05:27:19 thehackernews CYBERCRIME Authorities Dismantle BulletProofLink Phishing Syndicate; Make Arrests
Malaysian authorities have dismantled the BulletProofLink phishing-as-a-service syndicate, arresting eight people including its alleged ringleader. The operation was supported by the Australian Federal Police (AFP) and the FBI after leads indicated the group operated from Malaysia. Seized items include servers, computers, luxury goods, vehicles and cryptocurrency wallets worth about $213,000. BulletProofLink sold phishing templates impersonating the login pages of major companies such as Microsoft, DHL and Bank of America for credential theft. Microsoft's earlier analysis described the service's "double theft" model: credentials harvested by its customers were also copied back to the operators, who resold them. The platform, active since at least 2015 according to the report, claimed more than 8,000 clients and offered capabilities such as session cookie theft and multi-factor authentication bypass. The takedown continues a trend of international operations against cybercrime platforms and services.
2023-11-13 04:51:40 thehackernews MALWARE New BiBi-Windows Wiper Malware Targets Israeli Entities
Researchers have identified a Windows version of a data wiper used by pro-Hamas hackers against Israeli targets. Named BiBi-Windows Wiper, it extends the earlier Linux wiper attacks to Windows end-user machines and application servers. Attributed to a group tracked as BiBiGun, the wiper targets files under C:\Users, overwriting them and deleting shadow copies to hinder recovery. BlackBerry researchers found the sample and note that it uses multithreading to spread the destruction across multiple processor cores and finish faster. The distribution method is unknown and use in real-world attacks has not yet been confirmed. Researchers also drew connections between the pro-Hamas group, Karma, and Moses Staff, a group believed to be Iranian-linked, both of which target a range of sectors. The wiper is assessed as part of a concerted campaign to disrupt Israeli IT and government operations through destructive attacks.
2023-11-13 00:51:16 theregister CYBERCRIME Australia Hit by Major Cyber Incident Affecting Ports
Australia's National Cyber Security Coordinator has declared a major cyber incident after an attack on logistics company DP World disrupted IT systems at four ports. DP World handles about 40% of container shipments into Australia; while goods can still be moved in and out of the country, the attack has had a considerable impact on operations. With the ports closed, authorities are prioritizing restoration of services and will investigate attribution later; the company expects disruption to last days rather than weeks. Also in this roundup: Cloud Software Group, Citrix's parent company, will halt all new commercial transactions in China and Hong Kong because of rising costs, honouring only existing contracts. Chen Shaojie, chairman and CEO of Chinese game streaming site DouYu.com, has disappeared following earlier regulatory scrutiny by the Cyberspace Administration of China. Cambodia has deported five Japanese nationals for running an online phone scam operation, as local authorities come under pressure to crack down on cross-border crime. Micron has opened a new DRAM manufacturing facility in Taiwan that is expected to play a significant role in expanding the company's memory production capacity.
2023-11-12 23:50:07 bleepingcomputer CYBERCRIME LockBit Ransomware Publishes Stolen Data From Aerospace Firm Boeing
The LockBit ransomware group has leaked more than 43GB of data stolen from Boeing after the aerospace company did not pay a ransom. The release consists mostly of backups of various systems, some timestamped October 2022. Boeing had until November 2, 2023 to negotiate; when no response came, LockBit first published a 4GB sample and then the full data set. The leak includes IT management software configurations, audit tool logs and backups from Citrix appliances, which has raised concerns that initial access came through the Citrix Bleed vulnerability (CVE-2023-4966). Boeing has acknowledged the cyberattack but has not disclosed the intrusion method or the extent of the data compromised. LockBit is a prolific RaaS operation that has hit many sectors and has extorted approximately $91 million from U.S. organizations since 2020.
2023-11-12 15:32:22 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Attack Israeli Tech Sector with Malware
The Iranian group Imperial Kitten, associated with Iran's Islamic Revolutionary Guard Corps, has targeted Israeli transportation, logistics and technology firms with malware and phishing campaigns. The latest campaign uses job-recruitment-themed phishing emails carrying malicious Microsoft Excel attachments. After infection, the attackers establish persistence, move laterally and harvest credentials using custom tooling and malware such as IMAPLoader and StandardKeyboard. CrowdStrike's research ties the activity to the period following the outbreak of the Israel-Hamas conflict and to ongoing cyber espionage against Israel. Earlier Imperial Kitten campaigns compromised Israeli websites to collect visitor information and delivered malware payloads into various sectors. Both CrowdStrike and PricewaterhouseCoopers have published indicators of compromise to help organizations identify and defend against these techniques.
2023-11-11 16:10:33 bleepingcomputer CYBERCRIME Infamous BulletProftLink Phishing Service Dismantled by Police
The Royal Malaysian Police, with international assistance, have shut down BulletProftLink, a major phishing-as-a-service (PhaaS) platform that since at least 2018 offered more than 300 phishing templates plus services such as page hosting and credential harvesting. At the time of the takedown the service had 8,138 active subscribers, up from the 1,618 reported in Microsoft's 2021 warning. Law enforcement arrested eight people and seized servers and cryptocurrency wallets valued at around $213,000; analysis of the confiscated servers may identify customers who paid for stolen credential logs. BulletProftLink hosted phishing content on legitimate cloud services to evade detection and sold tooling to bypass multi-factor authentication. Its removal disrupts a key source of the initial access cybercriminals use to break into corporate networks.
2023-11-11 13:38:05 thehackernews NATION STATE ACTIVITY Microsoft Exposes Lazarus Group's Fake Recruitment Scheme
Microsoft's security team has identified a Lazarus Group sub-cluster, tracked as Sapphire Sleet (aliases include APT38 and BlueNoroff), targeting IT professionals with fake skills-assessment portals as part of social engineering aimed at cryptocurrency theft. The same actor was recently linked to the newly discovered macOS malware ObjCShellz. Victims are typically approached on LinkedIn with job opportunities that lead to malicious websites. The group has moved from abusing legitimate services such as GitHub to custom-built, password-protected phishing sites that are harder for researchers to analyze, a shift driven by the early detection and removal of its payloads from those platforms. To appear legitimate and avoid scrutiny, the sites invite recruiters to register for accounts, which may also expose the recruiters' own information.
2023-11-10 21:58:01 bleepingcomputer DATA BREACH Mr. Cooper Mortgage Servicer Suffers Customer Data Exposure
Mr. Cooper, the largest U.S. home loan servicer, has reported a cyberattack on October 31 that exposed customer data. The exact scope of the compromised data is still under investigation; the company says customers' financial information was not affected because it is held by a third party. Affected customers will be contacted as the investigation progresses and have been advised to monitor their credit reports and bank accounts for unauthorized activity and to place a fraud alert on their credit files as a precaution. The incident forced a shutdown of IT systems, but the company says customers will not incur fees or penalties for payments delayed during restoration. Mr. Cooper serves 4.1 million customers and services loans totaling $937 billion as of Q3 2023.