Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12654
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-21 20:16:53 | bleepingcomputer | RANSOMWARE | Tietoevry Ransomware Attack Disrupts Swedish Services | Tietoevry, a Finnish IT services company, faced a ransomware attack that impacted its cloud hosting customers in Sweden.
The Akira ransomware gang is reportedly responsible for the attack, which occurred in one of Tietoevry's Swedish data centers.
The attack caused service outages for various Swedish firms and institutions, including Filmstaden cinemas, universities, and government agencies.
Tietoevry has isolated the affected platform and is working on restoring infrastructure and services using a well-tested methodology.
The company had previously experienced a similar ransomware attack in 2021, resulting in disconnections of client services.
The Finnish National Cyber Security Center (NCSC) has warned about ongoing Akira ransomware attacks targeting companies due to weak Cisco VPN implementations.
To mitigate such risks, Cisco advises the implementation of multi-factor authentication (MFA) for all VPN accounts and the use of remote syslog servers to secure logs for analysis post-breach. | Details |
| 2024-01-21 16:23:05 | bleepingcomputer | CYBERCRIME | Facebook Phishing Scheme Uses Emotional Appeals for Credential Theft | A widespread Facebook phishing campaign is exploiting users' trust by using posts from friends' hacked accounts.
The posts, underpinned by an emotional message claiming "I can't believe he is gone. I'm gonna miss him so much," lead to sites that steal Facebook credentials.
Despite Facebook's efforts, the campaign persists through new posts, although reported posts are being neutralized by deactivating the embedded links.
The scam prompts users on mobile devices to a fake news site that requests Facebook login details to view a supposed video.
Desktop users are redirected to various other scams, including sites promoting VPNs, browser extensions, or affiliate programs.
The stolen Facebook credentials may be used to propagate the phishing scam further through the hacked accounts.
It is recommended that Facebook users enable two-factor authentication using an authenticator app to prevent unauthorized logins should they fall for such scams, as phone numbers can be compromised in SIM swapping attacks. | Details |
| 2024-01-21 15:22:01 | bleepingcomputer | MISCELLANEOUS | Brave Browser Reduces Privacy Feature Due to Site Compatibility Issues | Brave Software moves to deprecate 'Strict' fingerprinting protection in its browser to avoid website compatibility problems.
'Strict' mode aggressively blocks fingerprinting APIs, causing many websites to break or malfunction for users.
Only 0.5% of Brave users employ 'Strict' mode, which ironically makes them more trackable due to their small numbers.
The company's focus will be on enhancing 'Standard' mode, which provides extensive fingerprinting protection and is used by the majority.
Despite the reduction in protection modes, Brave pledges to continue strengthening privacy features for all users.
The transition away from 'Strict' fingerprinting protection will occur with the release of version 1.64 of the browser for desktop and Android.
Over 330,000 users are estimated to be affected by this change, based on the number of active users and the percentage using 'Strict' mode. | Details |
| 2024-01-20 16:19:40 | bleepingcomputer | CYBERCRIME | Programmer Fined for Exposing Data Privacy Issue | A German programmer was fined €3,000 by a court for hacking after disclosing a cybersecurity issue in merchandise management software.
The programmer discovered unauthorized access to the data of about 700,000 customers due to a security gap in the software by Modern Solution GmbH.
After identifying the issue, the programmer and a tech blogger promptly informed the vendor and publicly disclosed the issue on the same day.
Modern Solution GmbH disputed the existence of a security gap and reported the programmer for unauthorized data access and data spying.
The programmer had retrieved a plaintext password from a software executable to investigate the issue, leading to charges based on Germany's hacking laws.
Despite the programmer's intentions to inform the public about the security issue, the court ruled the data access as unauthorized under German law.
Acknowledging the programmer's clean record, the judge issued a lower fine than the maximum possible. The defendant plans to appeal the decision.
The impending appeal in a higher regional court could set a significant legal precedent regarding the handling of cybersecurity disclosures. | Details |
| 2024-01-20 15:18:30 | bleepingcomputer | MISCELLANEOUS | Instagram's Struggle With Rampant Catfishing and Fake Profiles | Meta faces criticism for failing to remove fake Instagram accounts despite obvious signs of impersonation and catfishing.
Scammers on Instagram exploit real accounts of public figures and influencers to establish credibility and conduct scams, often targeting the follower lists of the impersonated individuals.
Reports of catfishing to Instagram are frequently dismissed, with technology-assisted review processes failing to take action even after appeals for human review.
Authors and users express frustration over Instagram's inaction, hinting at a potential push for paid verification services as a motive.
Meta's 'Meta Verified' paid service claims to offer account protection and verification, but questions remain on its effectiveness in preventing impersonation.
Users are encouraged to take individual precautions to secure their accounts and images from being misused by scammers and imposters on social media platforms. | Details |
| 2024-01-20 15:13:09 | bleepingcomputer | CYBERCRIME | Ransomware Group 3AM Linked to Conti and Royal Syndicates | Security researchers discover connections between the new 3AM ransomware operation and the notorious Conti and Royal cybercrime gangs.
3AM uses innovative extortion tactics, including notifying victims' social media followers of data leaks and employing bots to target high-profile Twitter accounts.
The investigation reveals overlaps in tactics, infrastructure, and communication channels used by 3AM, Conti, and rebranded Royal gang 'Blacksuit'.
Technical analysis indicates similarities between the tools and infrastructure used by 3AM and other malware associated with Conti, such as Cobalt Strike and IcedID.
Intrinsec uncovers evidence pointing to testing of a new extortion technique involving bot-driven Twitter campaigns to pressure victims.
Despite 3AM appearing less sophisticated, researchers warn that it should not be underestimated, given its potential for criminal activity and its links to experienced cybercrime groups.
The Conti syndicate is recognized as the precursor of several splinter cells that have contributed expertise to various stages of ransomware attacks since its dissolution. | Details |
| 2024-01-20 12:19:51 | bleepingcomputer | MISCELLANEOUS | Inadequate Action on Instagram Imposter Accounts Raises Concerns | Instagram has seen an increase in fake profiles used for catfishing, with Meta failing to remove these accounts even after they've been reported.
Examples reveal that even when evidence of impersonation is clear, Instagram's system, which appears partly automated, often does not take action against the fake accounts.
Victims of impersonation have critiqued Instagram for not acting on reports and speculated whether this is to push them to pay for verification services, which promise added protection.
Despite paid verification, there is no foolproof protection against impersonation and undue account suspension, as evidenced by some verified users' experiences.
Meta's policy and the effectiveness of handling reports of impersonation have been questioned, indicating a need for improved moderation practices.
Social media users are encouraged to take their own steps to protect their images and accounts to deter imposters and enhance platform safety. | Details |
| 2024-01-20 10:28:00 | thehackernews | NATION STATE ACTIVITY | China-Linked Group Exploited VMware for Cyber Espionage | A sophisticated cyber espionage group with ties to China, designated UNC3886, has been exploiting a critical VMware vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021.
This vulnerability is a severe out-of-bounds write with a CVSS score of 9.8 that allows privileged access to vCenter, with the potential to compromise attached ESXi hosts and guest virtual machines.
UNC3886 employs stealth tactics and zero-day vulnerabilities with the aim of bypassing detection, as Mandiant recently confirmed.
VMware patched the flaw on October 24, 2023, following Mandiant's disclosures of UNC3886's stealthy exploitation of previously unknown VMware vulnerabilities.
The hackers deployed the VIRTUALPITA and VIRTUALPIE malware to maintain access to Windows and Linux systems through backdoors installed on compromised VMware setups.
Apart from VMware vulnerabilities, UNC3886 leverages a Fortinet FortiOS flaw (CVE-2022-41328) to implant THINCRUST and CASTLETAP for command execution and data exfiltration.
VMware vCenter Server users are strongly recommended to update their systems to the latest version to protect against these threats.
This series of attacks underscores the group's focus on exploiting vulnerabilities in firewall and virtualization technologies, which typically lack support for endpoint detection and response (EDR) systems. | Details |
| 2024-01-20 04:36:07 | thehackernews | CYBERCRIME | Urgent CISA Directive on Ivanti Zero-Day Exploits Amid Active Attacks | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to Federal Civilian Executive Branch (FCEB) agencies.
The directive targets two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure that are under active exploitation.
Threat actors can execute arbitrary commands on the system or move laterally, perform data exfiltration, establish persistent system access, and fully compromise target information systems.
Ivanti is expected to release an update next week, but temporary workarounds are available via an importable XML file for configuration changes.
Organizations using affected Ivanti products are advised to apply the mitigation, use an External Integrity Checker Tool, revoke and reissue certificates, and reset passwords.
Cybersecurity firms have observed the deployment of web shells and backdoors using the exploits, with 2,100 devices reportedly compromised.
The initial attacks in December 2023 were linked to a Chinese nation-state group, while recent activities show exploitation by various actors, including for financial gains through cryptocurrency mining. | Details |
| 2024-01-20 03:14:49 | thehackernews | NATION STATE ACTIVITY | Microsoft Executives Targeted by Russian APT Group Email Breach | Microsoft identified a sophisticated nation-state attack attributed to the Russian APT group known as Midnight Blizzard, which compromised emails from top executives.
The attack commenced in late November 2023 and was detected on January 12, 2024, after which immediate investigation and mitigation steps were taken.
Attackers executed a password spray attack on a legacy non-production test tenant account to access corporate emails, affecting senior leadership and departments like cybersecurity and legal.
No evidence suggests that customer data, production systems, source code, or AI systems were compromised.
The total number of infiltrated accounts and the extent of accessed information remain undisclosed, with impacted employees currently being notified.
The same hacking group was previously responsible for the SolarWinds supply chain attack and has targeted Microsoft on several occasions.
Microsoft highlighted the persistent risks posed by well-resourced nation-state actors, emphasizing the need for robust security measures across organizations. | Details |
| 2024-01-20 02:18:42 | thehackernews | MALWARE | TA866 Phishing Campaign Uses Invoices to Deliver Malware | TA866, a threat actor, has launched a large-scale phishing campaign distributing WasabiSeed and Screenshotter malware after nine months of inactivity.
The campaign targeted North American entities with invoice-themed emails containing PDF attachments that led to a multi-step infection.
Proofpoint identified the phishing attack on January 11, 2024, and had documented TA866's activities as early as February 2023.
These attacks aim to capture desktop screenshots for reconnaissance purposes to identify high-value targets and eventually deploy the Rhadamanthys information stealer.
The recent campaign uses PDFs with malicious OneDrive URLs instead of macro-enabled attachments, demonstrating an adaptation in tactics.
The spam service TA571 aids in distributing the phishing emails, which can carry a range of malware, including IcedID, AsyncRAT, and DarkGate.
DarkGate malware, active since 2017, is continually evolving with new features and anti-analysis techniques to avoid detection.
Evasion tactics leveraging caching mechanisms in security products have been noted, particularly targeting sectors like financial services, with attackers waiting for safe verdict caching before switching to malicious payloads. | Details |
| 2024-01-20 00:21:40 | bleepingcomputer | DATA BREACH | Russian Hackers Compromise Microsoft Corporate Emails in Data Breach | Russian state-sponsored hackers, known as Midnight Blizzard, breached Microsoft corporate email accounts.
Microsoft's security team detected the issue on January 12th and commenced investigative and mitigation activities.
The hackers accessed the system via password spray attack, compromising a non-production account.
Compromised accounts include those of leadership, cybersecurity, and legal department personnel, with email and attachment theft occurring.
The target of the attack seems to be information concerning the Midnight Blizzard group itself.
Microsoft is notifying affected employees and assures that the breach was due to an account attack, not a product vulnerability.
Nobelium, the group behind the attack, is notorious for the 2020 SolarWinds attack and has a history of high-profile breaches, including another Microsoft corporate account breach in 2021. | Details |
| 2024-01-20 00:10:52 | theregister | NATION STATE ACTIVITY | Nation-State Hackers Target Microsoft and VMware Systems | Chinese espionage group UNC3886 exploited a critical vulnerability in VMware vCenter Server, actively targeted since late 2021.
Despite a patch, Mandiant detected intrusions by UNC3886 against several organizations, with a modus operandi similar to that observed in previous attacks.
Russian hackers, identified as Midnight Blizzard (APT29 or Cozy Bear), compromised a small number of Microsoft corporate email accounts, including those of executives and cybersecurity personnel.
The Microsoft breach, first identified in late November 2023, was not due to a vulnerability but rather a password spray attack on a test tenant account.
Microsoft announced potential upcoming disruptions as they implement enhanced security measures in response to the breach.
Operators of Ivanti Connect Secure devices, including US federal agencies, were urgently directed to apply mitigations against zero-day vulnerabilities linked to potential Chinese nation-state exploitation.
CISA's directive reflects ongoing concerns about Chinese cyber threats, despite no current evidence of successful exploits against federal agencies by PRC actors. | Details |
| 2024-01-20 00:05:37 | bleepingcomputer | CYBERCRIME | Russian Hackers Compromise Microsoft Corporate Emails | Russian state-sponsored hackers, Midnight Blizzard, breached Microsoft and accessed corporate email accounts.
Microsoft detected the cyberattack on January 12th, identifying the group also known as Nobelium or APT29.
The breach occurred through a password spray attack in November 2023, exploiting a legacy non-production test account.
Attackers gained access for over a month, stealing emails and attachments from key areas including leadership, cybersecurity, and legal departments.
Targeted accounts contained information about Midnight Blizzard; Microsoft is notifying affected employees.
Microsoft has stated the incident was not due to product vulnerabilities but was a result of a brute force password attack.
While ongoing investigations continue, Microsoft pledges to share further details as they become available, underscoring the breach's significance. | Details |
| 2024-01-19 23:24:49 | bleepingcomputer | CYBERCRIME | BreachForums Founder Sentenced to Supervised Release | BreachForums hacking forum administrator Conor Brian Fitzpatrick was sentenced to 20 years of supervised release.
Fitzpatrick faced charges for stealing and selling personal information of millions and possession of child pornography.
Known online as "Pompompurin," he played a key role in the cybercriminal community by running BreachForums.
Originally faced with a government recommendation of approximately 15.7 years in prison, he received a sentence of time served plus supervised release.
Fitzpatrick's supervised release includes home arrest with GPS for two years and mandatory mental health treatment.
He will have no internet access in the first year and must obtain approval from authorities for any future online sales.
Restitution for victims' losses is yet to be determined, reflecting the impact of Fitzpatrick's criminal activities. | Details |