Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12656
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-30 16:09:19 | bleepingcomputer | DATA BREACH | Citibank Sued By NY Attorney General for Failing Fraud Victims | New York Attorney General Letitia James has filed a lawsuit against Citibank for failing to protect customers from fraud and refusing to reimburse those affected. The suit argues that Citibank violated the Electronic Fund Transfer Act by denying reimbursement to victims of unauthorized electronic transfers. Citibank is accused of relying on loopholes to avoid compensating customers and of running inadequate systems for detecting and responding to fraudulent activity. Its handling of fraud reports, including long phone waits and misleading assurances, gave thieves more time to drain accounts. The AG's office seeks restitution for victims going back six years, penalties, and an end to the practices it describes as deceptive. Citibank says it complies with the regulations, points to its fraud-prevention and client-education efforts, and notes that client wire-fraud losses have fallen. | Details |
| 2024-01-30 15:48:54 | bleepingcomputer | MALWARE | Police Take Down Grandoreiro Banking Malware Gang | The Federal Police of Brazil, working with ESET, Interpol, Spain's National Police and Caixa Bank, has disrupted the Grandoreiro banking-malware operation. Five arrests and thirteen search-and-seizure actions were carried out across several Brazilian states against a group responsible for electronic banking fraud. The group is alleged to have moved roughly 3.6 million euros through fraud since 2019. Grandoreiro, a Windows banking trojan active since 2017, primarily targets Spanish- and Portuguese-speaking countries, notably Spain, Mexico and Brazil, using fake pop-up windows and keystroke logging to steal from online banking sessions. Its theft routine requires the operator to interact manually with the infected machine, so each fraud is hands-on rather than fully automated. By reverse-engineering the trojan's domain generation algorithm (DGA), ESET tracked its servers and observed an average of 551 unique victims connecting per day, 114 of them new each day. The disruption halted the operation's activity entirely, but the roles of those arrested and the chance that the malware returns on new infrastructure remain open questions. | Details |
| 2024-01-30 15:33:35 | theregister | CYBERCRIME | Juniper Networks Admits to Vulnerability Disclosure Omissions | Following an investigative article, Juniper Networks has disclosed four previously unreported vulnerabilities. The company apologised to customers for its poor communication about the flaws. All four were reported by watchTowr but initially did not receive individual CVE identifiers. Newly issued advisories now list a distinct CVE for each, with CVSS scores ranging from 5.3 to 8.8. The affected code is the J-Web component of Junos OS on SRX Series and EX Series devices, which needed updates for authentication and cross-site scripting issues. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged users to review the bulletin and update their systems. Juniper's patch-scheduling policy and its earlier decision not to assign CVEs have been criticised for potentially widening the window for exploitation. Juniper says non-technical reasons typically delay its CVE requests, a process it is now reviewing. | Details |
| 2024-01-30 13:46:01 | thehackernews | NATION STATE ACTIVITY | Suspected Chinese Hackers Breach Myanmar Ministries with Sophisticated Malware | The China-linked group Mustang Panda is reported to have targeted Myanmar's Ministry of Defence and Ministry of Foreign Affairs with backdoors. CSIRT-CTI identified two campaigns, in November 2023 and January 2024. The attackers abused legitimate signed executables, including a B&R Industrial Automation binary and Windows 10 components, to sideload malicious DLLs. Mustang Panda, active since 2012, has a long record of cyberespionage against government entities in Southeast Asia. One intrusion chain started with a phishing email carrying a ZIP archive that dropped a custom loader and the PlugX backdoor. The group tried to disguise its command-and-control traffic as Microsoft update activity. The second campaign used a bespoke loader known as TONESHELL; its C2 server was unreachable at the time of analysis, so the final payload could not be confirmed but was most likely PlugX again. The activity is thought to align with Chinese geopolitical interests, particularly following unrest near the Myanmar-China border. | Details |
| 2024-01-30 10:54:56 | thehackernews | MISCELLANEOUS | Essential Strategies for Enhancing Organizational Cybersecurity | Fewer than half of cybersecurity professionals say they have high or complete visibility into their organization's vulnerabilities, which argues for regular security-posture assessments to find and mitigate risks. Weak vulnerability-management programs, gaps in detection and monitoring, and the absence of formal security policies and procedures are the most common shortcomings. Regular testing, including penetration tests and third-party assessments, is needed to reveal gaps and to exercise incident response. Staff training and awareness reduce breaches caused by human error, so security education has to be ongoing and backed by a culture of security mindfulness. Adopting and properly implementing a framework or control set such as the NIST Cybersecurity Framework, the CIS Controls or SANS guidance gives an organization a structured approach to building and maintaining its security. Understanding the organization's risk appetite aligns the security strategy with wider risk-management goals and directs resources to where they matter. The article stresses that security is a continuous effort and that vigilance is needed to keep pace with an evolving threat landscape and protect assets and reputation. | Details |
| 2024-01-30 10:29:15 | thehackernews | DATA BREACH | Italian Watchdog Flags ChatGPT for Potential GDPR Violations | Italy's data protection authority has notified OpenAI that ChatGPT may be in breach of the EU's GDPR. The investigation into how ChatGPT handles personal data began after the regulator temporarily blocked the service in the country. OpenAI added privacy controls and restored access, and now has 30 days to respond to the new findings. The concerns centre on ChatGPT collecting personal data without proper consent and on the possible exposure of sensitive information. In a separate incident, a bug in Google's Bard chatbot caused conversations shared via link to be indexed and surfaced in Google search results. Meanwhile, Apple is opposing a proposed UK law that it says would undermine user privacy and security globally. The article also promotes a SaaS security masterclass webinar based on a study of 493 companies. | Details |
| 2024-01-30 09:32:49 | theregister | MISCELLANEOUS | UK Biometrics Commissioner Critiques Governance Flaws | In his final report, the outgoing UK Biometrics and Surveillance Camera Commissioner, Dr Fraser Sampson, highlights serious governance problems at the Home Office. Throughout his tenure he faced limited engagement from Whitehall and too few resources to carry out his duties effectively. The forthcoming Data Protection and Digital Information (DPDI) Bill abolishes the role and transfers its responsibilities to the Investigatory Powers Commissioner's Office (IPCO), with weaker oversight of biometrics. Technical failures in the systems that manage National Security Determinations (NSDs) for retaining biometric data have produced inaccuracies and left mandated duties unperformed. The report also raises ethical concerns about how UK police forces procure and test surveillance technology, in particular their use of Chinese-made equipment that may be compromised. Sampson is moving to the private sector to continue work on biometric governance as a director at Facewatch, a retail facial-recognition company. Tony Eastaugh has been appointed as the new commissioner and tasked with transferring powers to the IPCO, amid concern about the future of UK biometrics and surveillance governance. | Details |
| 2024-01-30 08:46:43 | thehackernews | MALWARE | ZLoader Malware Resurfaces with Enhanced 64-bit Windows Attack Capabilities | Security researchers have spotted a revived campaign distributing a new ZLoader variant with upgraded features and a native 64-bit Windows build. The resurgence comes almost two years after a Microsoft-led disruption in April 2022 dismantled the botnet that distributed the malware. The updated ZLoader adds RSA encryption for its network communications and a reworked domain generation algorithm to frustrate detection and analysis. Descended from the Zeus banking trojan, ZLoader typically spreads through phishing and malvertising and acts as a loader for other payloads. The latest builds add anti-analysis measures, including junk-code insertion, string obfuscation and a check that the binary runs only under a specific filename. Despite the 2022 infrastructure takedown, researchers expect ZLoader's return to feed new ransomware attacks, given the persistence of the group behind it. Separately, Microsoft disabled the ms-appinstaller protocol handler (used to install MSIX packages) by default after it was increasingly abused to spread malware, including ZLoader, since July 2023. ZLoader's return is part of a wider wave of new malware, including the Rage Stealer and Monster Stealer information stealers, used to harvest data and stage further attacks. | Details |
| 2024-01-30 05:07:54 | thehackernews | CYBERCRIME | Juniper Networks Patches High-Severity Vulnerabilities in Junos OS | Juniper Networks has issued out-of-band updates for two J-Web vulnerabilities in its SRX Series and EX Series products. CVE-2024-21619 (CVSS 5.3) is a missing-authentication flaw that lets an unauthenticated network attacker read sensitive configuration data, and CVE-2024-21620 (CVSS 8.8) is a cross-site scripting bug that lets an attacker craft a URL which, when opened by a logged-in user, runs commands with that user's privileges, up to administrator. watchTowr Labs found and reported both. Until devices are patched, users are advised to disable J-Web or restrict access to it to trusted hosts. Also covered are CVE-2023-36846 and CVE-2023-36851, two J-Web flaws disclosed last year; CVE-2023-36846 is among the Junos bugs known to be exploited in the wild and listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Earlier in January Juniper fixed another critical J-Web bug, CVE-2024-21591, that could be abused for denial of service or remote code execution. The article also promotes a SaaS Security Masterclass webinar drawing on a study of 493 companies. | Details |
| 2024-01-29 22:44:21 | bleepingcomputer | DATA BREACH | Keenan Alerts 1.5 Million To Data Breach Post Cyberattack | Keenan & Associates is notifying 1.5 million individuals of a data breach stemming from a cyberattack in summer 2023. Unauthorized parties accessed personal information of customers and employees between August 21 and August 27. The exposed data may include names, Social Security numbers, financial information and health insurance details. Affected individuals face an elevated risk of identity theft, financial fraud and targeted phishing. Keenan says it has since strengthened the security of its network and systems. Those affected are being offered complimentary identity theft protection services and advised to monitor their accounts for irregularities. | Details |
| 2024-01-29 22:03:10 | bleepingcomputer | CYBERCRIME | Critical RCE Vulnerability Affects 45K Jenkins Servers Worldwide | A critical Jenkins flaw, CVE-2024-23897, leaves roughly 45,000 internet-exposed Jenkins automation servers open to remote code execution. Several public proof-of-concept exploits are already circulating, placing unpatched instances at high risk. The bug is in the command-line interface (CLI) argument parser, which replaces an "@" character followed by a file path with that file's contents; an attacker without authentication can read the first few lines of arbitrary files on the controller, and one with Overall/Read permission can read entire files. Depending on permissions and configuration, that read can be turned into decryption of stored secrets, tampering with the Jenkins controller, CSRF-protection bypass or code execution. The Jenkins project fixed the issue in 2.442 and LTS 2.426.3, released on January 24, 2024. Most exposed instances are in China and the United States, with Germany, India, France and the UK also hosting many vulnerable servers. Threat monitoring has already detected scans for unpatched Jenkins servers, so exploitation at scale is expected. Jenkins administrators are urged to update or, if they cannot patch immediately, to follow the official security bulletin's mitigations, which centre on disabling access to the CLI. | Details |
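The mechanism behind the Jenkins entry above, as an added illustration that is not code from the page, from Jenkins or from the args4j library it uses: a small Python stand-in for a CLI argument parser that turns `@<path>` into the lines of that file, shown next to a hardened form that leaves the token alone unless an operator opts in, plus a model of the error-message channel through which the first line of a file leaks to a caller with no permissions. The function names, the `allow_at_syntax` switch and the error text are assumptions; the secret file is constructed by the example.

```python
# Added illustration of the "@file" argument-expansion bug class behind the
# Jenkins CVE-2024-23897 summary. It is not Jenkins or args4j code: the
# function names, the "allow_at_syntax" switch and the fake error message
# are assumptions chosen to mirror the behaviour the advisory describes.
import os
import tempfile


def expand_at_files(args, allow_at_syntax):
    """Replace every "@<path>" token with one argument per non-empty line
    of <path> when allow_at_syntax is True; otherwise pass tokens through.

    The vulnerable parser behaves as if allow_at_syntax were always True.
    It cannot tell an attacker-supplied "@/etc/passwd" from a path the
    caller meant as a response file, so any file the controller process
    can read becomes CLI arguments.
    """
    out = []
    for arg in args:
        if allow_at_syntax and len(arg) > 1 and arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                out.extend(line.strip() for line in fh if line.strip())
        else:
            out.append(arg)
    return out


def vulnerable_cli(args):
    """'Before' behaviour: @-expansion is unconditional."""
    return expand_at_files(args, allow_at_syntax=True)


def hardened_cli(args, allow_at_syntax=False):
    """'After' behaviour: expansion is off unless the operator opts in."""
    return expand_at_files(args, allow_at_syntax=allow_at_syntax)


def error_message_for_bad_node(args, parser=vulnerable_cli):
    """Models the leak channel: a command that rejects an unknown node name
    echoes that name back. Once @-expansion has run, the echoed "name" is
    the first line of whatever file the attacker pointed at, which is why
    even callers with no read permission got a partial file read."""
    expanded = parser(args)
    return "ERROR: No such node '%s'" % expanded[1]


def demo():
    """Run both parsers against a constructed secret file and return
    (vulnerable_args, hardened_args, leaked_error_message)."""
    fd, secret_path = tempfile.mkstemp(prefix="fake-secret-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("master-key-line-1\n\nsecond line\n")   # constructed sample
    try:
        argv = ["connect-node", "@" + secret_path]       # attacker-controlled
        return (vulnerable_cli(argv),
                hardened_cli(argv),
                error_message_for_bad_node(argv))
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    vuln, safe, leak = demo()
    print("vulnerable parser saw:", vuln)
    print("hardened parser saw:  ", safe)
    print("error shown to caller:", leak)
```

Two things carry over to any service, not just Jenkins: an argument or configuration parser that dereferences caller-supplied paths converts unauthenticated input into a file read by the service account, and any code path that echoes an argument back (error messages, "unknown command" hints, audit logs shown to the user) is an exfiltration channel for whatever the expansion pulled in. Keeping the feature behind an explicit opt-in is the cheap fix; the thorough one is to validate that the path is one the caller is entitled to reference before opening it.

| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|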
| 2024-01-29 20:56:11 | theregister | NATION STATE ACTIVITY | SolarWinds Challenges SEC Lawsuit Over Alleged Misleading Security Practices | SolarWinds is contesting the SEC's lawsuit, arguing that the regulator is blaming the victim of a compromise carried out by Russian state-sponsored hackers. The SEC accuses SolarWinds and its CISO of misleading investors about the company's cybersecurity practices from October 2018 onward. SolarWinds' lawyers argue that the firm adequately disclosed its risks and met its obligations to notify about security vulnerabilities. About 18,000 organizations downloaded the backdoored Orion update, but the SEC's case concerns the alleged misleading communications to investors rather than the breach itself. SolarWinds also argues that publishing detailed cybersecurity weaknesses would hand attackers a roadmap. Its filings assert that CISO Tim Brown, also named by the SEC, did not mislead investors and performed his role competently during the crisis. The SEC has not publicly responded to SolarWinds' challenge. | Details |
| 2024-01-29 20:14:57 | bleepingcomputer | RANSOMWARE | Schneider Electric Targeted by Cactus Ransomware, Corporate Data Stolen | Schneider Electric's Sustainability Business division was hit by the Cactus ransomware, resulting in the theft of corporate data. The attack occurred on January 17, causing disruptions and ongoing outages in the Resource Advisor cloud platform. The ransomware gang claims to have stolen terabytes of data and is threatening to leak it unless a ransom is paid. Customers of the affected division include major corporations, whose sensitive data on power utilization and regulatory compliance may have been compromised. Schneider Electric has acknowledged the attack and is undertaking remediation and recovery efforts, with forensic analysis ongoing and discussions under way with affected customers. The company asserts that the attack was confined to the Sustainability Business division, with no other parts of the company impacted. This is not Schneider Electric's first cybersecurity incident: it was previously caught up in the Clop ransomware gang's MOVEit data theft attacks. | Details |
| 2024-01-29 16:33:41 | bleepingcomputer | CYBERCRIME | FBI Alerts Public to Scammers Using Couriers for Fraud | The FBI has warned that scammers are using courier services to collect cash and valuables from victims of tech-support and government-impersonation scams. The criminals, who mostly target senior citizens, tell victims to liquidate assets into cash or buy precious metals to "protect" them, then send couriers to pick the cash or metals up. They pose as tech support, financial institutions or government officials and claim the victim's financial accounts have been compromised. Victims are pressured to hand over cash, convert assets into precious metals or wire funds to precious-metals dealers. The scammers then arrange an in-person pickup and give the victim a passcode with which to "authenticate" the courier. The FBI reports an uptick in this activity, with losses exceeding $55 million between May and December 2023. It advises never to send gold or other valuables in response to a phone call, never to meet strangers or disclose personal details, and to report any such incident promptly to the FBI with as much detail about the scammers as possible. | Details |
| 2024-01-29 16:23:14 | bleepingcomputer | CYBERCRIME | Ransomware Payment Rates Drop as Trust in Cybercriminals Wanes | The share of ransomware victims who pay fell to a record low of 29% in Q4 2023, according to Coveware. Coveware attributes the decline to better organizational preparedness, growing distrust of cybercriminals' promises, and legal restrictions on payment in some jurisdictions. Even among victims whose data was stolen, only 26% paid in the last quarter of 2023. The average ransom payment fell 33% to $568,705, with a median payment of $200,000 in Q4 2023. The median size of organizations targeted has also decreased as criminals adjust their strategies. Coveware argues that an outright ban on ransom payments could drive the problem underground and hinder cooperation between victims and law enforcement. It advises doubling down on the existing measures that keep making ransomware less profitable. While ransomware remains a serious threat, the falling payment rate shows progress in the fight against it. | Details |