Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12632

Checks for new stories every ~15 minutes

2023-12-20 23:26:22 bleepingcomputer CYBERCRIME Twitter Flaw Exploited by Crypto Scammers to Mimic High-Profile Accounts
Cryptocurrency scammers exploit a Twitter feature that allows the account name in a tweet's URL to be modified, enabling scams. The URL's apparent legitimacy is abused by scammers who change the account name to resemble high-profile accounts while keeping the original tweet's status ID. Users who click the manipulated links, which appear to come from legitimate organizations, are redirected to fraudulent promotions. Impersonated accounts observed include recognizable names in the crypto space such as Binance, the Ethereum Foundation, zkSync, and Chainlink. Scammers promote fake crypto giveaways and websites known for draining crypto wallets, exploiting unsuspecting victims. The scammers' accounts use misleading names followed by a string of digits to appear to be legitimate sources. Twitter users can reduce their exposure to such scams by enabling the Quality Filter in their settings, at the risk of filtering out legitimate content. The deceptive links are particularly difficult to discern on mobile devices without an address bar, which increases the risk of falling for fraudulent promotions. Since this redirection is an inherent part of Twitter's functionality, users must remain vigilant by checking their address bar to avoid scams.
2023-12-20 21:54:43 bleepingcomputer CYBERCRIME Cyber Warning: Phony F5 BIG-IP Security Updates Conceal Data Wipers
The Israel National Cyber Directorate (INCD) has issued a warning about phishing emails claiming to be security updates for F5 BIG-IP zero-day vulnerabilities that actually deploy data wipers. Hacktivist groups, including pro-Palestinian and Iranian activists, have been targeting Israeli organizations with theft and data-wiping attacks since October. A new data wiper named BiBi Wiper, which impacts both Linux and Windows systems, was identified in November and is believed to be the creation of pro-Hamas hackers. The phishing campaign misleadingly instructs recipients to download supposed security updates; these are in fact malicious files designed to wipe data on the affected systems. For Windows systems, the malicious file is an executable with the name 'F5UPDATER.exe', and for Linux, it is a shell script known as 'update.sh'. Though the intended function of these programs is to delete data from the devices, BleepingComputer found the Windows version to be inconsistent in achieving this goal. The INCD cautions against downloading files from unverified email sources and advises that security updates be obtained directly from the vendors' official channels.
2023-12-20 21:44:16 bleepingcomputer CYBERCRIME Google Addresses Eighth Chrome Zero-Day Exploit of the Year
Google has issued emergency updates to address a Chrome zero-day vulnerability, marking the eighth such patch this year. The vulnerability, identified as CVE-2023-7024, was being actively exploited, according to a security advisory. Updated versions have been released for Windows, Mac, and Linux, effectively mitigating the heap buffer overflow issue found in the WebRTC framework. Google's Threat Analysis Group, which focuses on defending against state-sponsored attacks, was credited with discovering the flaw. Google has not released detailed information on the exploitation of this vulnerability to prevent further misuse. Prior zero-days have included those leading to spyware deployment, with Google maintaining a policy of restricting access to bug details until fixes are widely disseminated.
2023-12-20 21:33:54 theregister CYBERCRIME Sophisticated Email Scam Targeting Hotels Leads to Credential Theft
Cybercriminals exploit the helpfulness of hotel staff by sending deceitful emails to obtain credentials. The scam emails employ emotional manipulation and time pressure, urging staff to download malware disguised as supporting evidence or information. Fraudulent emails include complaints about fake issues during stays or elaborate requests linked to future bookings. Links in these emails redirect staff to legitimate cloud storage services hosting password-protected archives that contain credential-stealing malware. Stolen hotel management credentials are used to access the Booking.com partner portal and send legitimate-looking messages to customers, pressuring them for credit card details. The scam has raised demand for Booking.com credentials on underground forums, with prices up to $5,000 for valid information. Booking.com, while not breached itself, acknowledges the phishing attempts on partners and advises steps for customers to protect their information, such as verifying payment policies and not providing credit card information via phone, email, or text.
2023-12-20 20:17:24 bleepingcomputer CYBERCRIME Scammers Exploiting Social Media Feature to Push Crypto Cons
Cryptocurrency scammers manipulate a social media platform feature to impersonate notable accounts and promote scams. Fake giveaways and fraudulent Telegram channels are advertised, redirecting users to sites that steal their cryptocurrencies and NFTs. Scammers alter legitimate post URLs by changing the account name while keeping the original status ID, which causes a redirect to the scam content. Security researchers highlight that this technique has been in use for at least two weeks, targeting followers of major cryptocurrency-related organizations. Accounts utilizing this scam tactic often have usernames formatted as a name followed by a series of digits (e.g., @name12345). The platform's Quality Filter can mitigate exposure to these scams, but it may inadvertently block desired content as well. Users are advised to inspect the address bar to confirm authenticity before engaging with posts that appear to be from prominent companies or individuals. Despite previous reports of the phishing potential of this feature, the platform has not implemented changes to prevent such abuse.
2023-12-20 19:36:29 bleepingcomputer CYBERCRIME Phishing Campaign Targets Instagram Two-Factor Backup Codes
A new phishing attack on Instagram users employs a 'copyright infringement' ploy to obtain their 2FA backup codes. These attacks circumvent traditional 2FA protection by targeting the backup codes provided for emergency account access. The phishing emails impersonate Instagram's parent company, Meta, falsely alerting users of copyright complaints. Targets are lured to a fake Meta portal, then to an "Appeal Center" page, where they are tricked into providing login credentials and 8-digit backup codes. Trustwave analysts highlight the sophistication of these phishing attempts, despite some apparent signs of fraud that savvy users might notice. The phishing campaign's design and the urgency it conveys can effectively deceive many users into compromising their account security. Experts advise users to protect their backup codes with the same vigilance as their passwords and only use them on official Instagram pages.
2023-12-20 18:04:27 bleepingcomputer CYBERCRIME Ivanti Issues Fixes for Avalanche MDM Critical Security Flaws
Ivanti has released patches for 13 critical remote code execution (RCE) vulnerabilities in its Avalanche enterprise mobile device management (MDM) platform. The vulnerabilities, discovered by Tenable and Trend Micro's Zero Day Initiative, stem from stack- or heap-based buffer overflows. An attacker could exploit these flaws without authentication or user interaction, potentially causing a denial of service (DoS) or executing arbitrary code. Ivanti recommends that users update to Avalanche version 6.4.2 to mitigate the risks associated with the vulnerabilities, which affect all supported Avalanche versions from 6.3.1. In addition to the critical fixes, Ivanti also addressed eight medium- and high-severity issues susceptible to denial of service, remote code execution, and server-side request forgery (SSRF) attacks. Previously, Ivanti had patched similar critical buffer overflow vulnerabilities in August and had been targeted by state-affiliated hackers exploiting zero-day flaws in April. Mobile device management systems like Avalanche are high-value targets for cybercriminals and nation-state actors because of the expansive control over numerous devices they offer.
2023-12-20 15:25:54 bleepingcomputer DATA BREACH Significant Data Breach at ESO Solutions Affects 2.7 Million Patients
ESO Solutions, a healthcare software provider, experienced a ransomware attack leading to the data breach of 2.7 million patients. The cyber-incident occurred on September 28, with hackers exfiltrating sensitive data and then encrypting several of the company's systems. Sensitive personal data were accessed, with the types of compromised information varying based on what patients provided to healthcare entities using ESO's software. The FBI and state authorities have been notified, and affected customers were alerted on December 12. Impacted hospitals began sending out breach notifications to their patients shortly after being informed. No evidence suggests the stolen information has been misused; however, ESO is offering 12 months of free identity monitoring service. So far, no ransomware group has claimed responsibility for the breach, highlighting ongoing concerns about supply-chain attacks in the healthcare sector.
2023-12-20 15:05:12 bleepingcomputer CYBERCRIME Protecting Businesses from the Surge of Password Attacks
Nearly half of the incidents reported in Verizon's 2023 Data Breach Investigations Report involved compromised passwords. High-profile brands like 23andMe and Norton experienced password-related cyberattacks, potentially affecting millions of users through credential stuffing. Affected organizations urge users to change passwords, particularly if reused across multiple services, to prevent further unauthorized access. Recovering from password breaches involves a series of steps, including enacting a comprehensive password reset directive, assembling an incident response team, and notifying affected individuals with clear guidance. Businesses need to educate employees regularly on password security and on not reusing the same passwords across multiple services. Proactive measures such as monitoring tools that check for compromised passwords can play a significant role in strengthening an organization's cybersecurity posture. With the right technologies and protocols in place, companies can enhance their defenses against password exploitation and safeguard critical information and systems.
2023-12-20 14:39:21 bleepingcomputer CYBERCRIME German Police Shut Down Notorious Kingdom Market Cybercrime Hub
German authorities, in coordination with international partners, have seized Kingdom Market, a major dark web marketplace for illicit goods. The operation, involving the BKA and ZIT, has led to the arrest of one of the marketplace administrators in the United States. Kingdom Market, in operation since March 2021, traded in drugs, malware, stolen data, and fake IDs, with transactions in various cryptocurrencies. The marketplace listed 42,000 items for sale, including 3,600 from Germany, and had tens of thousands of customer accounts and hundreds of sellers. Law enforcement is conducting further investigations to identify others involved in operating the illegal market, aided by the seizure of server infrastructure. Community members on the darknet forum Dread lament lost funds and arrests following the marketplace's shutdown. Competing market operators are swiftly inviting "Kingdom refugees" to join their platforms, exploiting the market vacuum created by the shutdown.
2023-12-20 13:38:06 thehackernews CYBERCRIME Rising Trend in Remote Encryption Ransomware Targeting Corporate Networks
Financially motivated cybercriminals are increasingly using remote encryption in ransomware attacks, compromising entire corporate networks through a single vulnerable device. Mark Loman of Sophos highlights the necessity for organizations to identify and secure weak spots in their network, as attackers are exploiting these vulnerabilities to facilitate remote encryption attacks. Microsoft's recent findings indicate that 60% of ransomware attacks now involve remote encryption, predominantly originating from unmanaged devices. Sophos's report notes ransomware families such as Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal using remote encryption, which bypasses traditional process-based security measures. Changes in the ransomware landscape include the use of atypical programming languages, attacks targeting non-Windows systems, attacks timed for off-business hours, and data auctioning. Ransomware groups are increasingly engaging with the media, controlling narratives, and using PR tactics such as press releases and FAQs to influence public perception and pressure victims. Cybercriminal organizations, with complex hierarchies resembling corporate structures, are now also recruiting English writers and speakers to enhance their media and PR capabilities.
2023-12-20 11:10:04 thehackernews CYBERCRIME Memcyco Unveils Innovative Defense Against Real-Time Website Spoofing
Memcyco, a Tel Aviv-based company, introduces a solution to real-time website spoofing, in which attackers clone legitimate websites to threaten online businesses. Memcyco's Proof of Source Authenticity (PoSA™) technology protects customers and the company from the moment a fake site goes live, significantly reducing the window of vulnerability. The solution gives organizations visibility of active impersonation attacks, even if the impostor site is newly created and unnoticed by customers. Memcyco's agentless application is easily installed, raises instant alerts on user interaction with fake sites, and provides detailed attack information to security operations teams. A per-user digital watermark verifies the authenticity of a site, enabling users to recognize the real website without having to work through security checklists. The solution includes a comprehensive back-end dashboard offering real-time attack monitoring and analysis, enhancing response to brand impersonation threats. PoSA™ integrates with existing Security Information and Event Management (SIEM) systems to initiate workflows for URL takedown and account takeover prevention. Memcyco's approach represents a shift from conventional takedown methods to proactive and preemptive defense, promising to reduce reputation damage and consumer fraud.
2023-12-20 10:33:58 theregister MISCELLANEOUS Police Force Faces Legal Action Over FOI Request Backlog
Greater Manchester Police (GMP) has been issued an enforcement notice by the UK's Information Commissioner's Office (ICO) to address a significant backlog of Freedom of Information (FOI) requests. The GMP has over 850 outstanding FOI requests, with more than 800 being over six months old and the oldest dating back over two-and-a-half years. The ICO mandates a response time of up to 20 working days for FOI requests from public authorities, a timeline GMP has consistently failed to meet. This recent enforcement notice follows a February practice recommendation by the ICO due to a high volume of complaints about GMP's information handling practices. ICO's head of FOI casework emphasized the importance of prompt FOI responses in maintaining public trust and understanding, stressing that transparency is crucial. Several FOI-related incidents at police departments across the UK this past year have raised concerns about data handling and transparency practices, including a case where the safety of Afghan interpreters was compromised.
2023-12-20 10:23:25 thehackernews CYBERCRIME Chinese Hackers Impersonate UAE Authority in Smishing Scandal
Chinese-speaking hackers have been impersonating the UAE Federal Authority for Identity and Citizenship to conduct smishing attacks. The cybercriminals send SMS or iMessage messages with malicious links, using URL-shortening services to obscure the fake site's location. The 'Smishing Triad' group, first identified in September 2023, sells smishing kits and engages in data theft via Magecart attacks. The latest smishing wave targets individuals updating their residence visas; upon clicking the link, victims are led to a fraudulent site asking for personal data. Geofencing is used to present the phishing form only to users accessing the site from UAE IP addresses and mobile devices. The threat actors may have gathered potential victims' details through various illicit means, such as data breaches or the dark web. In a related trend, cybercriminals have been repurposing Predator, a bot detection tool, to conduct phishing campaigns and evade security detection.
2023-12-20 08:41:15 thehackernews CYBERCRIME Interpol's Operation HAECHI-IV Nets 3,500 Arrests in Financial Crime Crackdown
Nearly 3,500 individuals have been arrested in Interpol's six-month global operation HAECHI-IV, targeting financial crime across 34 countries. The operation led to the seizure of assets worth $300 million, including $199 million in hard currency and $101 million in virtual assets. A range of financial crimes was tackled, including voice phishing, romance scams, sextortion, investment fraud, and e-commerce fraud. Authorities froze over 82,000 suspicious bank accounts and confiscated large amounts of currency and virtual assets, disrupting access to criminal funds. A significant arrest included a high-profile online gambling criminal in Manila after a collaborative effort between Filipino and Korean authorities. Investment scams, business email compromise, e-commerce fraud, and a new scam involving NFTs in South Korea were the most prevalent, comprising 75% of the cases. Usage of AI and deepfake technology in scams has emerged, enhancing the credibility of fraudulent activities and extortion methods. The success of HAECHI-IV follows the prior HAECHI-III operation, which confiscated $130 million in virtual assets, emphasizing the ongoing global war against cyber-enabled financial crimes.