Daily Brief

Articles are listed below; each entry is followed by a generated summary.

Total articles found: 12632

Checks for new stories every ~15 minutes

2023-12-22 16:00:27 theregister CYBERCRIME Inside Track on Cyber Sleuths Penetrating Ransomware Syndicates
Cybersecurity defenders were briefly enthused when the AlphV/BlackCat ransomware group's website went offline, though it was soon restored. Singapore-based Group-IB has successfully infiltrated several high-profile ransomware groups, gathering insider intelligence on their operations. Their multi-step approach involves thorough research into the targeted ransomware-as-a-service (RaaS) group, understanding terms and conditions, and establishing communication with ransomware managers. The crux of infiltration lies in passing a rigorous interview process, where researchers must convincingly assume the role of potential affiliates, showcasing technical knowledge and avoiding linguistic slips. Upon successfully gaining access, Group-IB gathers valuable data on the groups' internal workings, such as attack numbers, ransom payments, and affiliate payment structures, to support future mitigation and response efforts. Such operations are conducted within legal boundaries, aiming not to engage in any illegal activities, but to collect information to assist victims and understand threat actors better. The value of these undercover operations lies not only in the potential to aid victims and investigations but also in enhancing preventative measures against ransomware threats.
2023-12-22 14:53:53 bleepingcomputer CYBERCRIME Over 400 E-Commerce Sites Hit by Credit Card Skimming Malware
Europol alerted 443 online merchants about injections of malicious skimming scripts on their websites. The JavaScript skimmers intercept customers' payment data during purchases, risking unauthorized transactions and data sale on the dark web. The two-month international effort, led by Greece and supported by law enforcement from 17 countries, identified the compromised online shops. Analysis revealed 23 varieties of JavaScript sniffers that evade detection through techniques like mimicking legitimate web services. Group-IB and Sansec, along with national CSIRTs, collaborated with Europol during the investigation. Europol recommends merchants review their digital skimming defense guide, especially ahead of high online shopping seasons. Customers are advised to use one-time payment methods and monitor their statements for signs of card compromise.
2023-12-22 13:32:10 bleepingcomputer MALWARE Millions Duped by Fake VPN Extensions Hiding in Game Torrents
Over 1.5 million users unknowingly installed malicious Chrome extensions disguised as VPN services. The extensions were distributed through installer files hidden in pirated video game torrents. Google has since removed the harmful extensions from the Chrome Web Store upon notification. The primary victims were in Russia and nearby countries, with extensions automatically installed without user interaction. The malware targeted other cashback and coupon extensions to monopolize profits from the infected devices. ReasonLabs revealed the extensions had extensive permissions, enabling data theft and browser manipulation. Command and control server communication was part of the extensions' operation, suggesting organized cybercrime involvement. The incident underscores the need for users to vigilantly review and manage their browser extensions to prevent malware infections.
2023-12-22 13:21:40 thehackernews NATION STATE ACTIVITY Operation RusticWeb: Rust Malware Hits Indian Government
Indian government and defense sectors faced a phishing onslaught aimed at implanting Rust-based malware for intelligence collection, dubbed Operation RusticWeb. The SEQRITE security firm identified the campaign, observing the use of novel Rust payloads and PowerShell commands for stealthy document exfiltration. Similarities found between Operation RusticWeb and two Pakistan-associated groups, Transparent Tribe and SideCopy, indicate a potential nation-state actor behind the attacks. Recent attacks utilized decoy Microsoft PowerPoint files and exploited vulnerabilities (CVE-2023-38831) for broad system control and remote access. The phishing approach starts with a malicious PDF, which initiates the Rust payload that secretly scans the system while showing the decoy document. The malware focuses on collecting system information and files, yet lacks complexity compared to other cybercriminal tools. A secondary SEQRITE-discovered attack chain uses PowerShell for data gathering and a Rust executable masquerading as a legitimate application for payload deployment. Continued aggressive cyberattacks by nation-state actors like the DoNot Team exemplify persistent threats in geopolitically sensitive regions such as Kashmir.
2023-12-22 12:50:45 thehackernews MALWARE Nim-Based Malware Delivered via Phished Nepali Government Documents
A phishing campaign is leveraging fake Microsoft Word documents to deliver Nim-based backdoor malware. Attackers disguise themselves as Nepali officials in emails to prompt victims to enable macros, which initiates malware deployment. The malware scans for analysis tools on infected hosts and self-terminates if any are found, challenging traditional security measures. The backdoor communicates with command-and-control (C2) servers, which have since been taken offline, for further instructions. This campaign is part of a trend where attackers utilize uncommon programming languages like Nim for malware creation to evade detection. Separate from this campaign, a social engineering campaign has been observed, leveraging social media messages to distribute Python-based Editbot Stealer malware. Ongoing phishing campaigns distribute known malware such as DarkGate and NetSupport RAT through emails and fake update lures. Proofpoint research highlights the evolving and creative malware delivery techniques employed by cybercriminals, including zero-day exploitation of a Windows SmartScreen bypass vulnerability.
2023-12-22 07:50:21 thehackernews NATION STATE ACTIVITY Ukrainian Firms Targeted by UAC-0099 Exploiting WinRAR Vulnerability
UAC-0099, a threat actor, has been actively targeting Ukrainian employees with LONEPAGE malware by exploiting a flaw in WinRAR. Cybersecurity firm Deep Instinct reports that the malware is delivered through phishing messages with malicious attachments. CERT-UA first reported UAC-0099 in June 2023, citing espionage attacks against state organizations and media. Attacks include HTA, RAR, and LNK files leading to malware capable of stealing information and taking screenshots. The group has reportedly gained unauthorized remote access to multiple computers in Ukraine during 2022-2023. Attack methods also involve self-extracting archives and ZIP files exploiting CVE-2023-38831, a vulnerability in WinRAR. The attackers use simple yet effective tactics, employing PowerShell and scheduled tasks to execute malware. CERT-UA has also issued a warning about phishing messages related to Kyivstar dues used to distribute the Remcos RAT, attributed to UAC-0050.
2023-12-22 05:37:52 thehackernews NATION STATE ACTIVITY Microsoft Exposes Iranian Hacker Attacks on Defense Sector
Microsoft has identified a new cyber threat, a backdoor named FalseFont, aimed at the defense sector. The threat originates from an Iranian group known as Peach Sandstorm, also recognized as APT33, Elfin, and Refined Kitten. FalseFont enables remote system access, file launching, and data transmission to control servers, evading traditional security measures. The implant was first detected in November 2023, consistent with Peach Sandstorm's evolving tactics. Past activities of Peach Sandstorm include password spray attacks on various global sectors, indicative of intelligence-gathering for Iranian state interests. The threat actor has been operational since at least 2013, now showing more sophisticated techniques. Additionally, the Israel National Cyber Directorate reported attempts by Iran and Hezbollah to attack the Ziv Hospital and spread wiper malware using phishing tactics.
2023-12-21 22:20:14 theregister CYBERCRIME Lapsus$ Hacker Sentenced to Hospital Detention After Series of Cybercrimes
Arion Kurtaj, an 18-year-old member of the Lapsus$ cybercrime group, has been sentenced to an indefinite hospital detention due to mental health issues. Kurtaj's sentencing follows a spree of cyberattacks on high-profile targets such as Uber, Nvidia, Rockstar Games, and Revolut by the Lapsus$ gang. A court determined Kurtaj was unfit for trial, and he will remain in the hospital until deemed suitable for release by a mental health tribunal. A 17-year-old Lapsus$ member was also sentenced, receiving a youth rehabilitation order, but cannot be named due to legal protections. The Lapsus$ group's criminal activities included blackmail, fraud, and intrusion into the computer networks of several companies, including BT, Microsoft, Samsung, and Okta. Law enforcement warns of the online dangers and serious consequences of cybercrime for youth, as seen in this case. The US government has advised organizations to improve security measures, including moving away from voice- and SMS-based multi-factor authentication, to protect against tactics used by groups like Lapsus$.
2023-12-21 21:49:18 bleepingcomputer CYBERCRIME First American Financial Suffers Disruptive Cyberattack
First American Financial Corporation experienced a cyberattack, leading to some of their IT systems being taken offline to contain the incident. As the company manages sensitive personal and financial data, the attack has raised significant concern, especially following a previous breach. In November 2019, First American paid a $1 million penalty for a cybersecurity violation involving their EaglePro application which had exposed customer data. Similar attacks have affected other title insurance providers, with Fidelity National Financial disclosing their own cyber incident last month. After the Fidelity attack, the ALPHV/BlackCat ransomware gang claimed responsibility, but no attribution has been given for the First American breach yet. Both companies faced operational disruptions; First American is working on resuming normal business services, while Fidelity National continues its recovery process.
2023-12-21 21:23:37 bleepingcomputer CYBERCRIME Cryptocurrency Scam via Twitter Ads Drains $59 Million from Users
A cryptocurrency drainer called 'MS Drainer' has been promoted through Google and Twitter ads, and has stolen approximately $59 million from over 63,000 people within nine months. Over 10,000 phishing sites using this drainer were discovered, exhibiting activity spikes in May, June, and November. Victims are lured to authentic-looking phishing sites where they unintentionally approve malicious contracts, resulting in unauthorized fund transfers to the attacker's wallet. The MS Drainer's source code is being sold for $1,500 by 'Pakulichev' or 'PhishLab,' who also collects a 20% fee on the stolen funds, and offers additional malware features for extra costs. One victim on the Ethereum blockchain lost $24 million, with other significant losses ranging from $440,000 to $1.2 million. Advertisements on Google abused tracking template loopholes to appear legitimate, while on Twitter, ads often came from verified accounts likely compromised by malware or stolen credentials. Phishing ads on Twitter utilized various themes such as "Ordinals Bubbles" NFT collections and token launches, and employed geofencing to avoid detection. Users are advised to exercise extreme caution with cryptocurrency-related advertisements and to verify the legitimacy of new platforms and contracts before engaging with them.
2023-12-21 20:57:22 bleepingcomputer CYBERCRIME Lapsus$ Hacker Sentenced to Indefinite Secure Hospital Detainment
Arion Kurtaj, an 18-year-old member of the cybercrime group Lapsus$, has been sentenced to an indefinite stay in a secure UK hospital due to the risk he poses and his ongoing desire to engage in cybercrime. Kurtaj, diagnosed with autism and deemed unfit to stand trial, was involved in leaking content from the forthcoming Grand Theft Auto VI video game. A co-conspirator, a 17-year-old member of Lapsus$, received an 18-month Youth Rehabilitation Order and an online VPN ban after participating in breaches of NVIDIA and telecom companies. During his bail, Kurtaj circumvented restrictions using an Amazon Fire Stick to connect to cloud services and leak Grand Theft Auto VI assets, leading to his arrest. Lapsus$ is known for high-profile cyberattacks and data breaches against companies like Okta, Uber, Revolut, and Microsoft, opting for data extortion over ransomware. The court ruling highlights the ongoing threat posed by cybercriminals, even when those involved are relatively young or operating as part of smaller groups.
2023-12-21 20:46:41 bleepingcomputer CYBERCRIME Lapsus$ Hacker Sentenced Indefinitely to Secure Hospital for GTA 6 Leak
Arion Kurtaj, a key member of cybercrime group Lapsus$, has been sentenced to life in a secure hospital by a UK judge. Kurtaj was involved in the leak of assets from the highly anticipated video game Grand Theft Auto VI. Deemed a "high risk" due to his abilities and intent to commit cybercrime, Kurtaj will remain hospitalized until doctors determine he is no longer a danger. Another 17-year-old member of Lapsus$ was found guilty and received an 18-month Youth Rehabilitation Order with strict supervision, including a VPN usage ban. Kurtaj, who has autism, was deemed unfit for trial, and the jury had to assess if his actions were with criminal intent. The Lapsus$ group has been responsible for multiple high-profile cyberattacks on major tech firms, including Microsoft, Uber, Okta, and Revolut. Instead of encrypting data like ransomware groups, Lapsus$ engages in data extortion by stealing proprietary information and threatening to publish it if demands are not met.
2023-12-21 20:31:12 bleepingcomputer NATION STATE ACTIVITY Microsoft Exposes Iranian Group's Malware Attacks on Defense Firms
Microsoft identified a cyber-espionage campaign by an Iranian group, APT33, targeting the Defense Industrial Base sector using FalseFont malware. FalseFont, a new backdoor, provides remote access capabilities, including file execution and data transfer to the attackers' servers. The APT33 group, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, has been operating since 2013 and targets various industry sectors worldwide. These attacks were observed as part of a broader pattern of targeting U.S., Saudi Arabian, and South Korean sectors ranging from government to finance. Microsoft recommends network defenders reset passwords, revoke session cookies, and implement multi-factor authentication to mitigate the risk from such attacks. The attacks are consistent with APT33's activity over the past year, indicating the group's ongoing efforts to refine their methods and tools. Other nation-state hacking groups from Russia, North Korea, and China have also been targeting defense agencies and contractors globally.
2023-12-21 19:09:08 bleepingcomputer CYBERCRIME First American Financial Hit by Cyberattack, Systems Offline
First American Financial Corporation experienced a cyberattack, forcing some systems offline to contain the impact. The official company website was taken down, and a separate website was set up to provide information about the cyberattack. The company is the second-largest title insurance provider in the U.S., established in 1889, with over 21,000 employees. First American Financial was previously fined $1 million for a cybersecurity incident that occurred in May 2019. Personal and financial data collected and stored by the company was at risk due to a vulnerability in their application. Fidelity National Financial, another title insurance firm, disclosed last month that it was also targeted by a cybersecurity incident. The ALPHV/BlackCat ransomware gang has claimed responsibility for the breach of Fidelity National Financial on November 22.
2023-12-21 18:12:54 bleepingcomputer MISCELLANEOUS Microsoft Phases Out Defender Application Guard for Edge Users
Microsoft is retiring Defender Application Guard (MDAG) for Edge for Business, which ensures security by opening untrusted sites in an isolated container. MDAG uses hardware-based virtualization for a secure sandbox experience, aiming to render conventional attack methods ineffective. After the deprecation, enterprise admins are encouraged to refer to the Microsoft Edge For Business security whitepaper for alternative security features. Introduced in April 2019 for Windows 10, MDAG's deprecation follows the recent discontinuation of Defender Application Guard for Office. Users should consider other security measures such as Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control. In parallel, Microsoft plans to remove VBScript in future Windows updates and has delayed the deprecation of older TLS protocols and Exchange Online CARs.