Daily Brief

2024-01-08 20:41:24 bleepingcomputer NATION STATE ACTIVITY Turkish Cyber Espionage Group Escalates Attacks in the Netherlands
The Turkish state-backed group Sea Turtle has expanded espionage activities to include Dutch ISPs and telcos, along with Kurdish websites. Previously concentrated in the Middle East, Sweden, and the US, Sea Turtle uses DNS hijacking and man-in-the-middle attacks to gather intelligence. Hunt & Hackett analysts noted the group's moderate sophistication, relying on known vulnerabilities and compromised accounts for access. Sea Turtle attacks between 2021 and 2023 in the Netherlands indicate a strategic shift to acquire economic and political intelligence. New techniques include the use of 'SnappyTCP' for persistent access and the 'Adminer' tool for database management and SQL command execution. The group attempts to avoid detection by erasing logs and using VPNs for accessing compromised accounts. Sea Turtle focuses on initial access and data exfiltration without engaging in credential theft, lateral movement, or data manipulation post-compromise. Mitigation strategies recommended include enhanced network monitoring, multi-factor authentication, and limited SSH access.
2024-01-08 18:08:49 bleepingcomputer MISCELLANEOUS Twilio Phases Out Authy Desktop App, Urges Shift to Mobile
Twilio has announced the discontinuation of its Authy desktop 2FA application across Windows, macOS, and Linux platforms, set for August 2024. Users are encouraged to transition to the Authy mobile app for iOS or Android, which Twilio says sees higher demand. The desktop app's discontinuation is part of Twilio's broader restructuring, coinciding with the departure of co-founder Jeff Lawson as CEO. Authy desktop app users must activate backups to ensure tokens are synced to their mobile devices before the service ends. Twilio has recommended alternative desktop applications for users who cannot use mobile devices for 2FA, including 1Password and KeePassXC. Users must manually disable 2FA for each account linked to Authy before migrating to a new solution to avoid being locked out. Because the desktop app has no export feature, transitioning away from it requires careful steps to prevent loss of access to secured accounts.
2024-01-08 17:48:10 theregister MALWARE Critical Apache OFBiz Zero-Day Vulnerability Patched After Exploit Surges
A zero-day vulnerability in Apache OFBiz, an open-source ERP system, was disclosed on Dec 26 with a near-maximum severity rating of 9.8. The flaw, identified as CVE-2023-51467, allows authentication bypass and remote code execution, potentially leading to data exposure. Despite the disclosure and availability of a patch, SonicWall has observed thousands of daily attempts to exploit the vulnerability. A related vulnerability, CVE-2023-49070, was also patched by the Apache team by removing the XML-RPC API code, but attackers continue targeting the login functionality. Apache OFBiz version 18.12.11 includes the fix for both vulnerabilities, and Apache urges users to upgrade immediately. Apache OFBiz is widely used, with over 120,000 companies relying on it, including through products such as Atlassian's Jira; however, Jira's implementation is reportedly not susceptible to this vulnerability. SonicWall's research team developed two test cases demonstrating exploitability, though these no longer work against the patched version. Apache OFBiz's prompt response to the issue and subsequent fix has been lauded by the security community.
2024-01-08 17:42:47 bleepingcomputer RANSOMWARE loanDepot Hit by Ransomware Attack, Customer Data Potentially at Risk
loanDepot, a top U.S. mortgage lender, confirmed a ransomware incident resulting in data encryption and potential customer information exposure. Over the weekend, customers faced difficulties accessing loanDepot's payment portal and customer service phone lines due to the cyberattack. The company initiated an investigation with cybersecurity experts, notified regulators and law enforcement, and is in the process of restoring systems. loanDepot's customers were informed that recurring payments would continue, but delays in payment history updates and new payment processing issues have arisen. In their 8-K filing, loanDepot disclosed that attackers accessed company systems and encrypted data; the specific ransomware group remains unidentified. This incident raises concerns for customers' financial and personal data security, warranting vigilance against phishing and identity theft attempts. Previous incidents of cyberattacks in the mortgage industry are noted, with other large companies such as Mr. Cooper and First American Financial Corporation also being recent targets.
2024-01-08 15:55:17 bleepingcomputer CYBERCRIME LockBit Ransomware Claims Cyberattack on Capital Health Network
The LockBit ransomware group has taken credit for a cyberattack against Capital Health hospital network, threatening a data leak. Capital Health, serving New Jersey and Pennsylvania, faced an IT systems outage in November 2023 due to the cyberattack. Since the incident, Capital Health has restored their systems and implemented additional security measures. LockBit claims to have stolen 7 TB of sensitive data during the attack and plans to release it unless a ransom is paid. The ransomware group LockBit deviated from its rule to not encrypt hospital files, opting only for data theft, to avoid disrupting patient care. While some ransomware groups have ethical policies against attacking healthcare providers, LockBit has a history of targeting such institutions. The repercussions of ransomware attacks, even without data encryption, can include data breaches, financial loss, and impacts on patient care in the health sector.
2024-01-08 15:04:00 bleepingcomputer CYBERCRIME Best Practices to Fortify Helpdesks Against Hackers Post-MGM Breach
The MGM Resorts service desk hack underscores the need for improved employee identity verification to secure helpdesk operations. Attackers used vishing and detailed impersonation techniques to deceive MGM's service desk and gain unauthorized network access. The importance of helpdesk security is highlighted, as these employees are the first contact point for user issues and thus a target for social engineering and cyberattacks. To counteract threats, helpdesks must educate staff on sophisticated attacks, create cultures that encourage identity verification, and implement multifactor authentication systems. Specops Secure Service Desk is recommended as a solution that provides a higher security level by employing advanced user verification methods. It is essential to safeguard communication channels, conduct regular security audits and pen-testing to find and patch vulnerabilities in the helpdesk process. Organizations are advised to transition away from security questions to MFA and other secure authentication methods to create barriers against cyber threats.
2024-01-08 14:07:46 thehackernews CYBERCRIME Stealth Silver RAT Malware Distributed by Syrian Hackers
Anonymous Arabic, a threat group attributed to Syrian origins, is distributing a remote access trojan (RAT) named Silver RAT which evades detection and allows covert operations. Silver RAT enables cybercriminals to log keystrokes, encrypt data, destroy system restore points, and connect to a command-and-control (C2) server for further instructions. The malware has been actively promoted on various hacker forums and social media, with the RAT's capabilities including distribution of cracked RATs, Facebook and X (formerly Twitter) bots, and carding activities. First detected in November 2023, Silver RAT v1.0 had been leaked on Telegram in October 2023, with speculations on an upcoming Android version of the malware. The RAT contains advanced features such as delayed payload execution, keystroke logging, selective functionality logs, and stealthy application launches. Cybersecurity firm Cyfirma has identified one member of the group likely based in Damascus in their mid-20s, active across social media, development platforms, underground forums, and Clearnet websites. The malevolent activities of this group expand beyond malware distribution, encompassing various areas of cybercrime and suggesting a sophisticated and diverse cybercriminal enterprise.
2024-01-08 13:16:41 theregister CYBERCRIME British Library Ransomware Aftermath and Recovery Struggle
The British Library has denied speculative estimates that recovery costs from its ransomware attack could reach nearly $9M. Final costs are not yet confirmed as the rebuilding of digital services continues, with no fixed completion date available. Key services such as the online catalog are expected to return in a limited capacity; full restoration may take several months. The Public Lending Right service is disrupted, delaying payments to authors for borrowed works, specifically affecting Irish recipients. Personal data from internal management databases may have been compromised, raising concerns over privacy and security. The ransomware attack, claimed by the Rhysida group, led to significant file leaks and operational disruptions within the library. The National Cyber Security Centre (NCSC) and Metropolitan Police are involved in supporting the recovery and investigation process.
2024-01-08 11:44:30 thehackernews MISCELLANEOUS Embracing a Unified Cybersecurity Approach for Resilience
Only 59% of organizations have updated their cybersecurity strategy in the past two years, per the Ponemon Institute, pointing to a concerning stagnation in adaptive security measures. The article emphasizes the necessity of breaking down silos between the managed Security Operations Center (SOC), risk management, and cybersecurity strategy to enhance overall security. Organizations face challenges with cohesion in their security approach, leading to potential vulnerabilities and inefficient responses to cyber incidents. The piece suggests integrating managed risk and managed strategy with SOC operations for proactive threat mitigation and informed strategic planning. A unified cybersecurity approach can deliver cost-effective resource allocation, swift incident response, enhanced threat detection, streamlined compliance management, and continuous improvement. Adopting an integrated, risk-centric cybersecurity program is crucial for building resilience and countering the evolving nature of cyber threats effectively. The future of cybersecurity will be shaped by AI, machine learning, quantum computing, and IoT, further underscoring the need for an adaptive and robust cybersecurity strategy.
2024-01-08 09:07:00 thehackernews MISCELLANEOUS Enhance Cybersecurity with Zero Trust Principles Webinar Invitation
Increasing digital expansion and internet exposure of software and infrastructure lead to greater risk of cyber threats. Traditional security architectures are no longer sufficient against sophisticated attacks that are now utilizing AI and as-a-service models. Gartner highlights attack surface expansion as a significant emerging cyber trend to monitor. Zero trust security is emphasized as a crucial strategy to reduce the attack surface and protect against data breaches, lateral movement, and network compromises. The upcoming webinar will cover the inadequacies of current security tools like VPNs and firewalls, and how they can paradoxically enlarge the attack surface. The potential vulnerabilities in systems such as shadow IT, public cloud applications, and unsecured servers are critical points that increase the risk for organizations. By attending the webinar, participants can learn how to apply Zero Trust principles to minimize their organization's attack surface and enhance overall cybersecurity posture.
2024-01-08 07:55:17 thehackernews MISCELLANEOUS NIST Highlights Security Risks in Emerging AI Systems
The U.S. National Institute of Standards and Technology (NIST) is warning of increased privacy and security risks stemming from rapid AI system deployment. Risks include adversarial manipulation of AI training data, exploitation of model vulnerabilities, and unauthorized extraction of sensitive information through AI system interactions. Rapid integration of AI into online services, particularly generative AI like OpenAI's ChatGPT and Google's Bard, exacerbates the threat landscape at various stages of machine learning operations. Vulnerabilities identified by NIST encompass corrupted training data, software security flaws, model poisoning, supply chain issues, and privacy breaches through prompt injection attacks. NIST computer scientist Apostol Vassilev highlights the lack of guaranteed benign exposure and robust defenses against AI system manipulations. NIST categorizes potential attacks based on the attacker's knowledge level (white-box, black-box, or gray-box) and calls for the tech community to strengthen AI defenses. These warnings follow international collaborative efforts by the U.K., U.S., and other partners to create guidelines for the secure development of AI systems, addressing unresolved issues in AI algorithm security.
2024-01-08 07:29:38 theregister CYBERCRIME New Meta Feature Fuels Targeted Ads, Patch Security Flaws
Meta has rolled out a new feature that tracks link history within its in-app browser on Facebook and Instagram to enhance targeted advertising. The link history feature stores webpages visited for 30 days and is pitched as a convenience for users, though it mainly serves ad targeting. Critical security vulnerabilities have been identified, with several patches released for Google Chrome addressing issues that may affect many users. Google's Mandiant and web3 firm CertiK suffered Twitter account hijackings, which were used to promote cryptocurrency scams. The incidents underline the importance of enforcing strong security measures even when one has two-factor authentication (2FA) enabled. A Nigerian national was arrested for allegedly defrauding two US charities of over $7.5 million through a business email compromise (BEC) scheme. The alleged scheme involved using stolen credentials to authorize fraudulent money transfers between the charities' banks. If convicted, the suspect faces a potential sentence of up to 20 years for each count of wire fraud among other charges.
2024-01-08 06:23:21 thehackernews CYBERCRIME U.S. DoJ Charges 19 in Global $68 Million Dark Web Market Fraud
The U.S. Department of Justice has charged 19 individuals for involvement with the xDedic Marketplace, which facilitated over $68 million in fraud. The collaborative international operation included efforts by Belgium, Germany, the Netherlands, Ukraine, and Europol. Sentences for defendants range from probation to 6.5 years in prison; Ukrainian national Glib Oleksandr Ivanov-Tolpintsev received four years for his role. Among the highest-volume sellers on xDedic, Dariy Pankov earned over $350,000 from selling access to hacked servers. Nigerian national Allen Levinson, a major buyer on xDedic, targeted U.S. CPA firms for tax fraud purposes. Five individuals are pending sentencing for conspiracy to commit wire fraud; two others face potential 20-year sentences for wire fraud and identity theft. The xDedic Marketplace, shut down in 2019, traded stolen credentials for over 700,000 computers and servers as well as personal data of U.S. residents. Criminal activities facilitated by the use of these servers included tax fraud, ransomware attacks on critical infrastructure, and other illegal operations.
2024-01-08 05:02:06 thehackernews NATION STATE ACTIVITY North Korea Linked to $600 Million Cryptocurrency Heist in 2023
North Korean hackers have been linked to the theft of at least $600 million in cryptocurrency in 2023, which may rise to around $700 million considering late-year breaches. According to blockchain analytics firm TRM Labs, these cyber heists attributed to the DPRK were 10 times as impactful as attacks by other groups. The stolen funds are reportedly used to support North Korea's weapons of mass destruction and ballistic missile programs, amidst international sanctions. The cyberattacks often involve elaborate social engineering to compromise digital wallet private keys and seed phrases, allowing unauthorized access to crypto assets. Attackers tend to convert the stolen funds into USDT or Tron and then to hard currency using high-volume over-the-counter (OTC) brokers for laundering. DPRK's hackers are adapting their money laundering techniques in response to actions like the U.S. Treasury's sanctions on crypto mixer services like Sinbad. TRM Labs highlights the need for heightened vigilance and innovation to combat North Korea's sophisticated cyber capabilities that have amassed $1.5 billion over two years.
2024-01-07 20:39:17 bleepingcomputer CYBERCRIME loanDepot Hit by Cyberattack Disrupting Payment Operations
U.S. mortgage lender loanDepot experienced a cyberattack affecting their IT systems and online payment portal. The attack forced the company to take systems offline, disrupting customer access for loan payments and support. loanDepot, a major nonbank retail mortgage lender, services loans exceeding $140 billion and has a workforce of about 6,000. Acknowledging the cyber incident, the company is engaging with law enforcement and forensic experts to investigate and mitigate the breach. While the company's social media updates on the incident have been removed, customers are being directed to make payments through the call center. Recurring automatic payments will be processed but with updates delayed in the system; however, making new payments via the online servicing portal is currently impossible. The exact nature of the attack is unconfirmed, but the pattern suggests the possibility of a ransomware attack, which may have compromised sensitive customer data. Customers are advised to remain vigilant against phishing attempts and identity theft in light of the sensitive financial and personal information held by loanDepot.