Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11560

Checks for new stories every ~15 minutes

2023-10-08 14:09:57 bleepingcomputer DATA BREACH Third Data Breach at Flagstar Bank Since 2021 Affects Over 800,000 Customers
Flagstar Bank warns that a breach at Fiserv, its third-party payment processing and mobile banking provider, led to the theft of personal information belonging to about 837,390 of its US customers. Fiserv was compromised in the broad Clop MOVEit Transfer data-theft campaign, which exploited a zero-day vulnerability in the MOVEit Transfer product to access systems and steal customer data. The stolen data reportedly includes customer names and Social Security numbers (SSNs), although the official notification redacts the precise data elements. This is the third breach Flagstar Bank has suffered since March 2021: it follows a Clop ransomware attack on its Accellion file transfer server and a June 2022 breach of its corporate network that affected over 1.5 million customers. Concerns have been raised about Fiserv's overall security, since the company serves hundreds of banks; Fiserv has not yet responded to questions about whether the MOVEit breach affected further financial institutions and their customers.
2023-10-07 14:15:03 bleepingcomputer NATION STATE ACTIVITY Cryptographic Expert Offers Bounty for Cracking NSA-provided Seeds for NIST Elliptic Curves
A bounty of $12,288 has been offered for recovering the phrases that were hashed to produce the seeds of the National Institute of Standards and Technology (NIST) elliptic curves, seeds that were supplied by the National Security Agency (NSA). If the winner donates the bounty to a 501(c)(3) charity, it will be tripled to $36,864. The NIST curves are a crucial part of modern cryptography, and the origin of their seeds has long been a subject of speculation and uncertainty. The offer was made by cryptographer Filippo Valsorda, with contributions from well-known figures in cryptography and security, including professors at Johns Hopkins University and engineers at AWS. The seeds are presumed to have been generated by Dr. Jerry Solinas by hashing English sentences, probably with SHA-1. Solving the challenge would help dispel concerns about intentional weaknesses in the NIST curves and has historical value for modern cryptography. The nature of the challenge suggests it could be completed by anyone with sufficient GPU capacity and experience in passphrase brute-forcing.
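As an added illustration of what the bounty actually asks for (this is example code, not code from the article or from Valsorda's bounty page): each published seed is a 160-bit value, so if it really is SHA-1 of an English sentence, every guess costs one SHA-1 and one comparison, and the whole difficulty lies in guessing the sentence. The P-256 seed constant is transcribed from FIPS 186-4 and should be checked against the standard; the phrase templates, filler words and the `seed_of`, `variants`, `candidate_phrases` and `search_seeds` names are invented for this demonstration.

```python
import hashlib
import itertools

# Published 160-bit seed for P-256 (FIPS 186-4, Appendix D), transcribed here;
# verify against the standard before relying on it. Other curves' seeds can be added.
P256_SEED = "c49d360886e704936a6678e1139d26b7819f7e90"


def seed_of(phrase: str) -> str:
    """Hex SHA-1 of a phrase: the presumed way a curve seed was produced."""
    return hashlib.sha1(phrase.encode("utf-8")).hexdigest()


def variants(phrase: str) -> set:
    """Cheap spellings a human might have typed: trailing period, case, trailing newline."""
    bases = {phrase, phrase.rstrip("."), phrase.rstrip(".") + "."}
    for b in list(bases):
        bases.add(b.lower())
        bases.add(b + "\n")
    return bases


def candidate_phrases(templates, fillers):
    """Fill every '{}' slot of each template with every combination of fillers.
    This is the candidate stream of a dictionary attack (constructed grammar)."""
    for t in templates:
        n = t.count("{}")
        for combo in itertools.product(fillers, repeat=n):
            yield t.format(*combo)


def search_seeds(targets: dict, phrases) -> dict:
    """Return {label: phrase} for every target seed whose SHA-1 preimage is found.
    targets maps a label to a 40-hex-char seed; phrases is any iterable of strings."""
    wanted = {seed.lower(): name for name, seed in targets.items()}
    found = {}
    for phrase in phrases:
        for v in variants(phrase):
            h = seed_of(v)
            if h in wanted:
                found[wanted[h]] = v
                if len(found) == len(wanted):
                    return found
    return found


if __name__ == "__main__":
    # Constructed, deliberately tiny candidate space; a real attempt would feed a
    # far larger sentence grammar to a GPU hash cracker. No match is expected here.
    templates = ["{} curve seed {}", "Jerry {} the {} curve"]
    fillers = ["made", "random", "P-256", "prime", "NIST"]
    print(search_seeds({"P-256": P256_SEED}, candidate_phrases(templates, fillers)))
```

The per-guess cost is the same as for any SHA-1 password crack, which is why the bounty page expects GPU hash crackers rather than cryptanalysis to win it; a claimed solution is verified by anyone in one line, `seed_of(phrase) == P256_SEED`.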
2023-10-06 23:12:26 bleepingcomputer DATA BREACH Voter Data Breached from Washington DC's Election Authority Website
The District of Columbia Board of Elections (DCBOE) confirmed that an unknown number of voter records were stolen in a data breach by a threat actor known as RansomedVC. Attackers accessed the information through the web server of DataNet, the hosting provider for Washington D.C.’s election authority. DCBOE's own servers were not directly compromised. With help from MS-ISAC's Computer Incident Response Team (CIRT), the election board shut down its website to contain the situation. DCBOE initiated a comprehensive security assessment in conjunction with data security experts, the FBI, and DHS. RansomedVC claims to have stolen over 600,000 lines of U.S. voter data and is offering the stolen information for sale on the dark web, with the price undisclosed for now. The threat actor provided a sample record allegedly containing personal details of a D.C. voter as verification of the data's authenticity. An anonymous source informed BleepingComputer on October 3rd that the stolen database was initially offered for sale on the BreachForums and Sinister.ly hacking forums. RansomedVC's recent claims of having breached Sony's systems to steal over 260GB of files were contested by another threat actor known as MajorNelson.
2023-10-06 18:48:09 theregister CYBERCRIME CISA and NSA Highlight Unchanged Default Credentials as Prime Security Risk
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) identify unchanged default credentials in software, systems and applications as the most common security misconfiguration enabling cyberattacks. The agencies released a cybersecurity advisory that also urges software manufacturers to adopt secure-by-design and secure-by-default principles. Other top misconfigurations include improper separation of user and administrator privileges and a lack of network monitoring. The agencies warn against "privilege creep," where accounts accumulate permissions beyond what they need, which makes malicious activity harder to spot. They stress that both host-based and network monitoring are needed to identify and stop threats, and they reiterate their call for software companies to adopt and publicly commit to secure-by-design principles.
2023-10-06 18:48:08 bleepingcomputer DATA BREACH Blackbaud Settles Multi-State Investigation into May 2020 Ransomware Attack for $49.5 Million
Cloud computing provider Blackbaud has reached a $49.5 million settlement with attorneys general from 49 U.S. states over a ransomware attack and the resulting data breach that occurred in May 2020. The attack compromised data belonging to over 13,000 Blackbaud business customers and their clients in the U.S., Canada, U.K., and the Netherlands. This sensitive data included demographic details, Social Security numbers, driver's license numbers, financial records, employment data, wealth information, donation histories, and protected health information. The settlement addresses allegations that Blackbaud violated state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA). As a part of the settlement, Blackbaud also has to take certain actions, including implementing a consolidated risk management strategy and undergoing annual, independent, third-party cybersecurity reviews, among others. Previously, in March this year, Blackbaud had agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC). The charges alleged that the company failed to disclose the full impact of the 2020 ransomware attack. In the context of these settlements, Blackbaud is reportedly facing multiple lawsuits including 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.
2023-10-06 17:11:05 bleepingcomputer CYBERCRIME FTC Reports Over $2.7 Billion Lost to Social Media Scams Since 2021
The Federal Trade Commission (FTC) reports that Americans have lost at least $2.7 billion to social media scams since 2021, and the true figure is likely higher because of under-reporting: research indicates that only 4.8% of scam victims complained to the Better Business Bureau or a government agency. Scammers advertise fake products, pitch bogus investment opportunities, and pose as romantic prospects. The FTC advises consumers to limit what they post on social media, scrutinise unsolicited contacts, and check a company's credibility before buying online. Online shopping scams were the most frequently reported type on social media, accounting for 44% of reports. The warning follows an earlier FTC report of a surge in social media fraud in 2021 and a record $8.8 billion in losses to all scam types reported by consumers in 2022.
2023-10-06 15:49:26 bleepingcomputer DATA BREACH Biotech Firm 23andMe Suffers Data Breach Via Credential-Stuffing Attack
U.S. biotechnology firm 23andMe has confirmed that user data from its platform was stolen in a credential-stuffing attack. Data including full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location was posted on hacker forums. The attackers logged in with credentials exposed in other companies' breaches and reused by 23andMe users; there is no indication of a security incident within 23andMe's own systems. The threat actors offered data profiles at $1 to $10 per account, depending on the quantity purchased. The initial leak involved 1 million lines of data on users of Ashkenazi Jewish ancestry. The compromised accounts had all opted into the 'DNA Relatives' feature, so the attacker could also scrape the profile data of each account's DNA Relative matches, exposing far more people than the accounts actually logged into. 23andMe encourages all users to enable two-factor authentication and to use strong, unique passwords for every online account.
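The pattern described above is detectable server-side even though no 23andMe system was itself compromised. As an added example (not 23andMe's code or anything from the article), the detector below runs over constructed login log lines and flags sources that look like credential stuffing rather than brute force: many distinct usernames from one client, roughly one attempt per username, mostly failures, with a trickle of successes on accounts whose passwords were reused elsewhere. The log format, IP addresses, usernames, thresholds and function names are all invented for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: <ISO time> <client ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.org FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.org FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.org SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 dave@example.org FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin@example.org FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.org FAIL
2023-10-01T10:00:04Z 203.0.113.7 grace@example.org SUCCESS
2023-10-01T10:00:05Z 203.0.113.7 heidi@example.org FAIL
2023-10-01T10:01:00Z 198.51.100.9 alice@example.org FAIL
2023-10-01T10:01:05Z 198.51.100.9 alice@example.org FAIL
2023-10-01T10:01:09Z 198.51.100.9 alice@example.org SUCCESS
2023-10-01T10:02:00Z 192.0.2.44 ivan@example.org SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # accounts the source got into


def parse_log(text: str) -> list:
    """Parse the constructed format into (time, ip, user, ok) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
            continue
        rows.append((parts[0], parts[1], parts[2], parts[3] == "SUCCESS"))
    return rows


def stats_by_source(rows) -> dict:
    """Aggregate attempts, failures, usernames and successful logins per client IP."""
    by_ip = defaultdict(SourceStats)
    for _time, ip, user, ok in rows:
        s = by_ip[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return by_ip


def flag_credential_stuffing(rows, min_users=5, max_attempts_per_user=2.0,
                             min_fail_ratio=0.6) -> dict:
    """Return {ip: [compromised accounts]} for sources that look like credential stuffing:
    many distinct users, about one attempt each, mostly failures. One user hammered
    from one IP (classic brute force) fails the min_users test and is not matched."""
    hits = {}
    for ip, s in stats_by_source(rows).items():
        if len(s.users) < min_users:
            continue
        if s.attempts / len(s.users) > max_attempts_per_user:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        hits[ip] = sorted(s.successes)  # accounts to lock and force a password reset on
    return hits


if __name__ == "__main__":
    print(flag_credential_stuffing(parse_log(SAMPLE_LOG)))
```

The accounts listed for a flagged source are the ones to lock and reset immediately; in the 23andMe scenario they are also the starting point for estimating the blast radius, since each one that had opted into DNA Relatives exposed its matches' profiles as well.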
2023-10-06 15:33:49 theregister DATA BREACH MGM Resorts Faces $100 Million Loss Following Cyberattack; Personal Customer Data Compromised
MGM Resorts has revealed that the cyberattack it suffered in September is expected to cost the company at least $100 million. The impact will weigh heavily on the firm's third-quarter earnings and will carry into Q4, although that effect is predicted to be "minimal." The attack took MGM's room-booking systems and slot machines offline and disrupted other parts of the firm's operations. MGM has confirmed that customer personal data, including Social Security numbers, driving licence numbers, passport numbers, contact details, and dates of birth, was stolen during the hack; there is no evidence that financial information such as bank account or payment card numbers was compromised. The company expects its cyber insurance to cover the financial impact of the attack and hopes that its rooms will be filled to near-normal levels starting this month. The cybercrime group Scattered Spider claimed responsibility for the attack and was allegedly responsible for a similar attack on Caesars Entertainment during the same period.
2023-10-06 14:57:54 thehackernews NATION STATE ACTIVITY North Korea's Lazarus Group Accused of Laundering $900 Million in Stolen Cryptocurrency
North Korea's Lazarus Group is reportedly responsible for laundering nearly $900 million in stolen cryptocurrency, part of a larger $7 billion laundered through cross-chain crime by various actors. Cross-chain crime, the rapid conversion of crypto assets from one token or blockchain to another to obscure their origin, is increasingly used by crypto thieves for money laundering. The Lazarus Group is estimated to have stolen approximately $240 million in cryptocurrency since June 2023 from several crypto platforms, including Atomic Wallet and CoinsPaid. The group has also been linked to high-risk transactions through the Avalanche Bridge in which over 9,500 bitcoin were deposited. South Korea's National Intelligence Service has recently warned of North Korean cyber-attacks targeting its shipbuilding sector.
2023-10-06 14:42:17 bleepingcomputer CYBERCRIME MGM Resorts Suffers $100 Million Loss Due to Ransomware Attack
A ransomware attack by an affiliate of the BlackCat/ALPHV ransomware gang cost MGM Resorts an estimated $100 million. The threat actor, identified as Scattered Spider, infiltrated MGM's network, stole sensitive customer data, and disrupted services including online reservations, slot machines, credit card terminals, and ATMs. While MGM stated that the incident would not significantly affect its annual financial performance, it also incurred under $10 million in one-time expenses for risk remediation, legal fees, and incident response. The hospitality giant says it has resolved the incident, restored all customer-facing systems, and expects the remainder of its systems to return to normal operation soon. Customer information dating back to March 2019 was stolen. Although customer passwords, bank account numbers, and payment card information were not reported as exposed, MGM has rolled out free credit monitoring and identity protection services for affected customers and urges them to be vigilant against unsolicited communications, fraud and identity theft, and to monitor their account statements and credit reports regularly.
2023-10-06 13:54:39 bleepingcomputer CYBERCRIME MGM Resorts Reveals $100M Loss and Customer Data Breach from Ransomware Attack
MGM Resorts International, a prominent hospitality and entertainment company, underwent a significant cyberattack last month, costing the firm an estimated $100 million and resulting in the theft of customers' personal data. The hackers, found to be an affiliate of the BlackCat/ALPHV ransomware gang known as Scattered Spider, breached MGM's network and encrypted over a hundred ESXi hypervisors. This caused a disruption to in-casino services, online reservations systems, and the company's main website. In addition to the considerable direct loss, MGM also incurred less than $10 million in one-time expenses due to the cyberattack, which will be reportedly covered by the company's cybersecurity insurance. MGM states that despite the significant disruption experienced, it anticipates the financial impact to be predominantly confined to Q3 2023 and does not foresee any considerable effect on its annual financial performance. The company asserts that the incident has been contained, with all customer-facing systems having been fully restored. Notably, the data stolen did not include customer passwords, bank account numbers or payment card information. MGM Resorts is offering free credit monitoring and identity protection services to those affected by the breach and warns customers to watch out for incidents of fraud and unsolicited communications involving their personal information.
2023-10-06 13:23:49 theregister CYBERCRIME CDW Data to be Leaked After Breakdown with LockBit Ransomware Negotiations
The LockBit ransomware group says it will leak CDW's data after the IT reseller refused to offer a satisfactory payment in ransom negotiations. CDW, a global market player, has not commented on the incident; the UK Information Commissioner's Office confirms that it has received no breach report from CDW. Repeated posting to LockBit's leak blog, a tactic designed to prompt faster responses from the victim, indicates a breakdown in negotiations. LockBit has previously used aggressive tactics such as deadlines to create urgency and gain negotiating leverage. Such posts can be scare tactics with nothing behind them, but past activity such as the Royal Mail International case shows an established ransomware operation, including staged data leaks. The National Cyber Security Centre discourages paying ransoms; according to a CyberEdge study, fewer than 50% of businesses that pay recover all of their data. LockBit has been accused of "PR stunts" to increase its notoriety, including fake attacks and mistaken associations with other criminal groups, and its earlier claims about breaching other businesses have sometimes turned out to be only partially true, suggesting a calculated strategy for pressuring targets.
2023-10-06 12:42:57 theregister CYBERCRIME Object First Strengthens Cybersecurity Measures With Ootbi Data Protection System
An identity theft attack on Anthony Cusimano, director of technical marketing at storage company Object First, was a catalyst for the company's focus on data protection, particularly against ransomware. Recognising the need for immutable backups, Object First developed Ootbi, a system designed to provide highly resilient backup storage for use with Veeam backup software. Ootbi combines the immutability of a WORM (write once, read many) disk with the convenience of constantly connected online backup storage. It is built around the idea of resiliency domains: if one software stack is compromised, others can still be relied upon for recovery. Object First follows the 3-2-1-1-0 backup rule: three copies of data, two media types, one copy off-site, one offline copy, and zero errors. The hardware appliance, optimised for Veeam, runs a hardened Linux OS and stores data as uniquely identifiable units, which prevents unauthorised alteration. Object First has prioritised user convenience while ensuring that once backup data is stored there is no digital way for it to be removed. The system is designed to expand: users can build clusters of up to four Ootbi appliances, with capacity to increase further as customer demand grows.
2023-10-06 12:02:03 theregister NATION STATE ACTIVITY Google to Revise User Data Handling in Germany to Comply with Regulatory Probe
Google has committed to changing its data processing practices and giving users better control of their data following proceedings by the German Federal Cartel Office. The adjustments follow a 2021 revision of German competition law that gives regulators enhanced powers over large digital companies and parallels the EU's Digital Markets Act. Free and informed consent will be required from users before their data can be combined across different Google services. The commitments do not apply to services already covered by the European Commission's Digital Markets Act; they cover services such as News, Android Auto, and Workspace that were not previously addressed. Google must present an implementation plan within three months, and the conditions must be met for Assistant and Contacts by March 6, 2024, and for other services by September 30, 2024. While these changes specifically target the German market, they could potentially be rolled out in other regions; Google has yet to specify its plans elsewhere.
2023-10-06 11:51:36 thehackernews NATION STATE ACTIVITY Chinese Threat Actors Linked to Cyber Attacks on East Asian Semiconductor Firms
A China-linked group known as Lucky Mouse, among other aliases, has been associated with a campaign targeting semiconductor companies in East Asia that uses a backdoor named HyperBro to deploy Cobalt Strike beacons. According to Dutch cybersecurity firm EclecticIQ, the attackers used lures posing as Taiwan Semiconductor Manufacturing Company (TSMC) and social engineering to gain a foothold. An alternative attack chain used an undocumented malware downloader to deploy Cobalt Strike, showing that the group has multiple intrusion methods. The group is also connected to a cluster tracked as RedHotel, which overlaps with the Earth Lusca hacking group. The group reportedly used a compromised Cobra DocGuard web server to host second-stage binaries, including a Go-based implant called ChargeWeapon delivered via the downloader. Notably, the C2 server address hardcoded in the Cobalt Strike beacon was disguised as a legitimate jQuery CDN to evade firewall rules. These findings align with recent reports from the Financial Times and the U.S. Department of Defense (DoD) highlighting the growing cyber-espionage threat from China.