Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12655
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-23 13:44:44 | bleepingcomputer | CYBERCRIME | Australia Imposes Sanctions on REvil Hacker for Medibank Breach | The Australian government has sanctioned Russian national Aleksandr Gennadievich Ermakov for his role in the Medibank ransomware attack. Ermakov, a member of the REvil ransomware group, is implicated in the October 2022 cyberattack on the large Australian health insurer. Personal data of about 10 million individuals, including sensitive health information, was leaked following the breach. The sanctions aim to disrupt Ermakov's activities by exposing his identity and hindering his ability to conduct cybercrime anonymously. Any financial transactions or provision of assets to Ermakov, including cryptocurrency dealings, would now constitute a criminal offense. Australia aims to deter other cybercriminals by demonstrating the consequences of targeting Australian entities and the seriousness of the nation's response to cyber threats. | Details |
| 2024-01-23 12:28:09 | thehackernews | MALWARE | Sophisticated MacOS Malware Targets Cryptocurrency Wallets via Cracked Apps | A new stealer malware targeting macOS Ventura 13.6 and later has been unearthed, which is spread through cracked applications. Security experts have found that the malware, distributed via booby-trapped DMG files, is designed to harvest cryptocurrency wallet data and system information. The malware dupes users into running an "Activator" component under the guise of applying a patch, which requests administrator credentials. To avoid detection, the malware communicates with its command-and-control server using a unique DNS request method, downloading encrypted scripts that establish persistence. The backdoor, which is updated regularly, has the ability to run commands with elevated permissions, and it specifically targets Exodus and Bitcoin Core wallets to steal sensitive information. Researchers highlight an increase in the use of cracked software as an attack vector for delivering various types of malware to macOS users. The discovery underscores the growing sophistication of malware techniques aimed at cryptocurrency theft, showcasing the need for enhanced vigilance and cybersecurity measures. | Details |
| 2024-01-23 11:52:20 | theregister | DATA BREACH | Southern Water Hit by Ransomware Attack; Black Basta Claims Data Theft | Southern Water, a prominent UK utility firm, has confirmed that its IT systems were compromised and a limited amount of data was stolen by criminals. The Black Basta ransomware group has claimed responsibility for the attack, threatening to release more stolen data unless a ransom is paid. Leaked data appears to include personal details of customers and employees, such as identity documents, HR records, and corporate car-leasing documents. The company is investigating the breach with the help of independent cybersecurity specialists and has reported the incident to UK government agencies including the ICO. There is currently no evidence suggesting that customer service or financial systems have been affected by the attack. The incident follows recent warnings from Western intelligence about the potential for cyberattacks on water providers and other critical infrastructure. Cybersecurity authorities have placed a heightened focus on protecting the water industry due to increasing threats and the sector's limited resources. | Details |
| 2024-01-23 11:36:44 | thehackernews | DDOS | Alarming Rise in DDoS Attack Power and Duration Detailed by Gcore | DDoS attacks have escalated in scale, with a reported >100% annual increase in peak attack volume, now measured in terabits per second. Attack durations ranged from a few minutes to nine hours, with an average of about one hour, underscoring diverse strategies and the need for effective detection and mitigation. UDP floods were the most common type of DDoS attack at 62%, followed by TCP floods and ICMP attacks, highlighting the need for a multifaceted defense approach. The geographic origins of DDoS attacks were widespread globally, with the United States, Indonesia, and the Netherlands as leading sources, necessitating targeted defense and international cybercrime policy efforts. The gaming and financial sectors remain high-priority targets for DDoS attackers, which requires industry-specific security measures to mitigate potential economic and operational impacts. Gcore's data indicates a disturbing trend in DDoS threats, with attack power increasing to as much as 1.6 Tbps, suggesting that organizations across all sectors need to enhance their cybersecurity preparedness. The report emphasizes the importance of international cooperation and intelligence sharing to effectively confront the global challenge posed by DDoS attacks. | Details |
| 2024-01-23 10:30:16 | thehackernews | CYBERCRIME | BreachForums Creator Sentenced to Supervised Release | Conor Brian Fitzpatrick, creator of BreachForums, was sentenced to 20 years of supervised release, avoiding jail. Arrested in March 2023 for access device fraud and child pornography, Fitzpatrick operated under the alias "pompompurin." BreachForums, active since March 2022, was a notorious marketplace for trading stolen data and hacking tools. The site offered bank details, Social Security numbers, and unauthorized system access services, affecting millions of people and numerous entities. The court considered Fitzpatrick's mental health in the sentencing; the final restitution for victims is pending. Fitzpatrick must undergo home arrest with GPS tracking and mental health treatment and avoid internet use for a year. BreachForums advertised a "Leaks Market" for trading illicit data and sold access to hacked databases through a credit system. Fitzpatrick was previously jailed for violating his pre-sentencing release conditions by using an unmonitored computer and a VPN. | Details |
| 2024-01-23 09:39:02 | thehackernews | CYBERCRIME | Massive Spike in Attacks on Critical Confluence Security Flaw | A critical vulnerability in Atlassian Confluence, identified as CVE-2023-22527 with a CVSS score of 10.0, is being actively exploited. Within three days of its public disclosure, over 40,000 attack attempts from 600+ unique IP addresses have been detected. The security flaw allows unauthenticated remote code execution on outdated versions of Confluence Data Center and Server 8. Attackers are primarily performing reconnaissance activities such as "testing callback attempts and 'whoami' execution." The majority of these attacks are originating from Russia, with significant numbers also coming from Singapore, Hong Kong, the U.S., and other countries. Over 11,000 Atlassian instances are accessible online, but the exact number of vulnerable systems is unknown. Security researchers warn of the high risk associated with this vulnerability, which is capable of permitting attackers to execute arbitrary code on affected systems. | Details |
| 2024-01-23 03:02:25 | theregister | CYBERCRIME | Australia Announces Sanctions Against Russian Cybercriminal | Australia utilized its 2021 "significant cyber incidents" sanctions regime for the first time, targeting Russian Aleksandr Gennadievich Ermakov for a cyberattack on Medibank Private. The 2022 ransomware attack on Medibank resulted in the leakage of personal data of about ten million customers, including sensitive medical information. The REvil crime gang, reportedly harbored by Russia, was named as the likely perpetrator, with Ermakov being specifically implicated in the incident. Sanctions include a travel ban to Australia for Ermakov and severe penalties for anyone transacting with or supporting him. Aleksandr Ermakov's online pseudonyms are "aiiis_ermak," "blade_runner," "JimJones," and "GustaveDore," the latter referencing a renowned 19th-century French artist. Despite identifying Ermakov, the Australian government acknowledges it cannot enforce actions against him in Moscow. Following several major cyber incidents in Australia, including a data breach at Optus, this announcement serves to reassure the public of the government's proactive stance on cyber threats. | Details |
| 2024-01-23 01:35:50 | thehackernews | CYBERCRIME | Apple Releases Zero-Day Vulnerability Fix for Multiple Devices | Apple issued critical security updates for iPhones, Macs, and other devices to patch a zero-day vulnerability under active exploitation. The vulnerability, identified as CVE-2024-23222, is a type confusion issue allowing arbitrary code execution via malicious web content. Apple implemented improved checks to remediate the flaw, acknowledging reports of its exploitation. The zero-day is the first of its kind addressed by Apple in the current year, following 20 such fixes implemented last year. Apple also backported additional fixes for previously addressed vulnerabilities to older devices. The disclosure coincided with a report on Chinese authorities using known vulnerabilities in Apple's AirDrop to assist law enforcement. Apple's advisory did not specify details regarding the attackers or the scale of the compromise caused by the vulnerability. | Details |
| 2024-01-22 23:38:53 | theregister | MALWARE | Atlassian Confluence Server Under Siege by Remote Code Execution Attacks | Over 600 IP addresses are actively targeting a critical vulnerability (CVE-2023-22527) in Atlassian Confluence Data Center and Server for remote code execution (RCE) attacks. The security flaw, with a maximum severity CVSS score of 10, affects outdated Confluence versions and was disclosed by Atlassian, which urged immediate updates. Despite Atlassian's warning, more than 11,000 instances remain unpatched and exposed, with Shadowserver recording over 39,000 exploit attempts. Both Shadowserver and GreyNoise are observing a high volume of attack attempts, suggesting widespread awareness of the vulnerability among attackers. Organizations are advised to assume compromise if they're running susceptible versions, and to proceed with patching, log reviews, monitoring, and system audits. This severe RCE vulnerability is part of a recent trend of critical bugs affecting Atlassian software, with previous incidents also involving high-risk flaws. Atlassian is ending support for Server products on February 15th, and a significant portion of their user base plans to continue using these unsupported versions, potentially increasing security risks. | Details |
| 2024-01-22 23:07:59 | bleepingcomputer | CYBERCRIME | SEC Targeted in SIM-Swapping Cyberattack, False Bitcoin ETF Approval | The U.S. Securities and Exchange Commission (SEC) reported a SIM-swapping attack on the cell phone number associated with its X account. An unauthorized announcement about Bitcoin ETF approvals was issued from the hacked SEC X account prior to the SEC's legitimate statement. The SEC's investigation revealed that their telecom carrier was deceived into transferring control of the phone number to the attackers' device. The hackers did not gain access to internal systems or other social media accounts but managed to reset the @SECGov account password. The incident exposed the lack of multi-factor authentication (MFA) on the account, as the SEC had previously disabled it due to login issues. The SEC emphasized the importance of using hardware security keys or authentication apps for MFA instead of SMS. Law enforcement is actively involved in investigating the specific methods used in the SIM-swapping attack. This breach is part of a broader issue with X, which has faced numerous account hacks and the spread of malicious cryptocurrency-related advertisements. | Details |
| 2024-01-22 22:32:07 | bleepingcomputer | MALWARE | Stealthy macOS Malware Targets Wallets Via Encoded DNS Scripts | Hackers exploit cracked macOS apps to install information-stealing malware, targeting macOS Ventura and later. Kaspersky uncovered the malware delivery through hidden scripts in DNS records, cloaked within PKG files of illegitimate apps. Upon installation, a fake Activator window prompts for administrative permissions, which triggers the malware's execution. The malware downloads base64-encoded Python scripts from domain TXT records, camouflaging the payload in seemingly normal DNS traffic. The executed scripts enable backdoor access and collect system information, with updates suggesting ongoing development of the threat. Malicious code checks for Bitcoin Core and Exodus wallets, swaps them with compromised versions, and can exfiltrate wallet credentials to the attackers. Kaspersky's findings highlight the risks of downloading and using cracked applications, a common vector for introducing malware onto users' devices. | Details |
| 2024-01-22 20:50:01 | theregister | CYBERCRIME | Ransomware Strikes AerCap and LoanDepot, Massive Data Theft Ensues | Aerospace leader AerCap reported a ransomware attack but has not disclosed financial loss from the incident. Ransomware group Slug claims responsibility for the breach, boasting a theft of 1TB of AerCap's data. AerCap has engaged cybersecurity experts for investigation and has reported the event to law enforcement, maintaining control over IT systems. LoanDepot suffered a separate ransomware incident, with personal details of roughly 16.6 million individuals compromised. LoanDepot has been working with forensic and security experts to restore its systems and recover from the cyberattack. Both companies have made disclosures to the SEC regarding their respective cybersecurity incidents and ongoing investigations. The extent of data exfiltration in both breaches is still being assessed as part of continuing investigations. | Details |
| 2024-01-22 20:19:04 | bleepingcomputer | MALWARE | Parrot TDS: Stealthy Malicious Scripts Infect Thousands of Websites | Security researchers at Palo Alto Networks' Unit 42 have been analyzing over 10,000 scripts from the Parrot traffic direction system (TDS), highlighting a trend towards greater stealth. Parrot TDS targets vulnerable WordPress and Joomla sites, infecting them with JavaScript code that redirects users to malicious sites, and has been operational since 2019. Parrot TDS has infected at least 16,500 websites, selling redirected traffic to threat actors for profiling and scamming visitors. The evolution of Parrot TDS shows increased script obfuscation to avoid detection, with four major versions identified. The latest version accounts for 75% of analyzed samples. The malicious scripts assess user environments and discreetly fetch payload scripts to redirect the victims to phishing or malware-delivering sites. Payload script analysis reveals nine variants, with the majority using a non-obfuscated version, while others include intricate layers of obfuscation. Advice to website owners includes: checking for unauthorized PHP files, scanning for specific Parrot TDS keywords, employing firewalls, and using URL filtering to block malicious traffic. | Details |
| 2024-01-22 19:43:10 | bleepingcomputer | DATA BREACH | LoanDepot Ransomware Attack Exposes Data of 16.6 Million Customers | Mortgage lender loanDepot experienced a ransomware attack on January 6, leading to a significant data breach. Personal information of approximately 16.6 million individuals was compromised. The attack disrupted loanDepot's systems, affecting automatic payments, online portals, and customer service operations. After the breach, affected customers will receive notifications and offers of free credit monitoring and identity protection services. Ransomware gangs often use stolen data for double-extortion schemes, increasing risks of phishing and identity theft for victims. The extent of personal information accessed and stolen remains unspecified by loanDepot. This incident follows a previous disclosure of a cyberattack in August 2022 that also exposed customer data. loanDepot is a significant player in the U.S. mortgage sector, servicing over $140 billion in loans. | Details |
| 2024-01-22 19:22:33 | bleepingcomputer | CYBERCRIME | Apple Patches First Zero-Day Exploit of the Year in Multiple Products | Apple has fixed its first zero-day vulnerability of the year, identified as CVE-2024-23222, affecting iPhones, Macs, and Apple TVs. This WebKit type confusion issue could allow attackers to execute arbitrary code on vulnerable devices by convincing users to visit a malicious web page. Apple is aware that this security flaw has been exploited but has not released specifics on the nature of the attacks. Security updates have been released for devices running iOS 16.7.5 and later, iPadOS 16.7.5 and later, macOS Monterey 12.7.3 and higher, and tvOS 17.3 and later. A wide range of Apple devices, both new and old, are vulnerable to this exploit, prompting advice for immediate installation of the updates. Apple has also provided patches for two additional WebKit zero-days from last November, backporting them to older iPhone and iPad models. In the previous year, Apple countered a total of 20 zero-days that were actively exploited, addressing severe security risks within its ecosystem. | Details |