Daily Brief

Total articles found: 12611

2023-11-13 04:51:40 thehackernews MALWARE New BiBi-Windows Wiper Malware Targets Israeli Entities
Cybersecurity experts report a new Windows version of a data wiper malware used by pro-Hamas hackers against Israeli targets. The malware, named BiBi-Windows Wiper, seeks to expand previous Linux attacks by damaging end user machines and application servers. Created by a group tracked as BiBiGun, the malware infects the C:\Users directory, overwriting files and obstructing file recovery by deleting shadow copies. BlackBerry researchers discovered the wiper, noting it operates with multithreading to maximize destruction speed using multiple processor cores. The exact distribution method for the malware remains unknown, and its deployment in real-world attacks has not been confirmed. Connections were drawn between the pro-Hamas group, Karma, and another group believed to be of Iranian descent, Moses Staff, with both targeting various sectors. The attack is part of a concerted effort to disrupt Israeli IT and government operations through strategic data destruction campaigns.
2023-11-13 00:51:16 theregister CYBERCRIME Australia Hit by Major Cyber Incident Affecting Ports
Australia's National Cyber Security Coordinator has declared a major cyber incident after an attack on logistics company DP World, which disrupted tech systems at four ports. DP World handles 40% of container shipments to Australia; while import and export continue, the attack has had a considerable impact on operations. As the ports remain closed, authorities are prioritizing restoring services, with the attribution of the attack to be investigated later. The company has indicated that service disruptions are expected to last several days, not weeks. Cloud Software Group, Citrix's parent company, has announced it will halt all new commercial transactions in China and Hong Kong due to increasing costs, maintaining only existing contracts. The chairman and CEO of Chinese game streaming site DouYu.com, Chen Shaojie, has disappeared, following earlier regulatory scrutiny by the Cybersecurity Administrator of China. Cambodia has deported five Japanese nationals for running an online phone scam operation, with local authorities under pressure to crack down on cross-border crimes. Micron has opened a new DRAM manufacturing facility in Taiwan, which is set to play a significant role in advancing the company's memory production capabilities.
2023-11-12 23:50:07 bleepingcomputer CYBERCRIME LockBit Ransomware Publishes Stolen Data From Aerospace Firm Boeing
LockBit ransomware group leaked over 43GB of data from Boeing, a leading aerospace company, after a ransom was not paid. Data released consists mostly of backups for different systems, with some of this data timestamped as of October 2022. Boeing had been given a deadline until November 2, 2023, to negotiate with the hackers, which the company did not meet. After not receiving a response from Boeing, LockBit followed through with their threat by releasing a 4GB sample and eventually all stolen data. The released data includes IT management software configurations, audit tool logs, and backups from Citrix appliances, raising concerns about the exploitation of the Citrix Bleed vulnerability. While Boeing acknowledged the cyberattack, they have not disclosed details on the breach method or the extent of the data compromise. LockBit is a notorious RaaS group with a history of targeting various sectors, including the extortion of approximately $91 million from U.S. organizations since 2020.
2023-11-12 15:32:22 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Attack Israeli Tech Sector with Malware
The Iranian hacker group Imperial Kitten has targeted Israeli transportation, logistics, and tech firms with malicious cyberattacks. Imperial Kitten, associated with Iran's Islamic Revolutionary Guard Corps, employs malware campaigns and phishing attacks to compromise organizations. The latest detected campaign involves 'job recruitment' themed phishing emails, delivering malware through Microsoft Excel attachments. Once infected, attackers establish persistence, move laterally, and gather credentials using custom tools and malware like IMAPLoader and StandardKeyboard. CrowdStrike's research indicates these attacks followed the Israel-Hamas conflict and are part of ongoing cyber espionage efforts against Israel. Previous campaigns from Imperial Kitten involved compromising Israeli websites for information collection and introducing malware payloads into various sectors. Both CrowdStrike and PricewaterhouseCoopers have published Indicators of Compromise to help organizations identify and defend against these attack methods.
2023-11-11 16:10:33 bleepingcomputer CYBERCRIME Infamous BulletProftLink Phishing Service Dismantled by Police
The Royal Malaysian Police, with international assistance, shut down BulletProftLink, a major phishing-as-a-service (PhaaS) platform. BulletProftLink offered over 300 phishing templates and services like page hosting and credential harvesting since at least 2018. At the time of its bust, the service had 8,138 active subscribers, marking a significant increase from the 1,618 reported in a 2021 Microsoft warning. Law enforcement arrested eight individuals and seized assets including servers and cryptocurrency wallets valued around $213,000. Examining the confiscated servers may lead to the identification of users who paid for stolen credential logs. BulletProftLink hosted phishing content on legitimate cloud services to avoid detection and offered tools to bypass multi-factor authentication. The takedown of BulletProftLink disrupts a key source of initial access for cybercriminals to infiltrate corporate networks.
2023-11-11 13:38:05 thehackernews NATION STATE ACTIVITY Microsoft Exposes Lazarus Group's Fake Recruitment Scheme
Microsoft's Security team identified a sub-group of the Lazarus Group targeting IT professionals with fake job assessment portals. The threat actor, known as Sapphire Sleet, is engaging in sophisticated social engineering attacks to facilitate cryptocurrency theft. Sapphire Sleet, with several aliases like APT38 and BlueNoroff, was recently linked to a newly discovered macOS malware, ObjCShellz. Microsoft noted that Sapphire Sleet often entices victims via LinkedIn with opportunities that lead to malicious websites. The group has adapted strategies, moving from using legitimate services like GitHub to custom-built phishing sites that are harder to analyze due to password protection. Early detection and removal of malicious payloads from platforms have pushed the threat actors to develop their own infrastructure for malware dissemination. To appear legitimate and avoid detection, Sapphire Sleet's phishing sites encourage recruiters to sign up, potentially compromising sensitive information.
2023-11-10 21:58:01 bleepingcomputer DATA BREACH Mr. Cooper Mortgage Servicer Suffers Customer Data Exposure
Mr. Cooper, the largest U.S. home loan servicer, reported a cyberattack on October 31, leading to the exposure of customer data. The exact nature of the compromised data is under investigation; however, the company states that customers' financial information was not impacted, as it is stored with a third party. Affected customers will receive more information as the company continues its investigation into the breach. Customers have been instructed to monitor their credit reports and bank accounts for any suspicious or unauthorized activity. Mr. Cooper has advised potentially affected individuals to place a 'fraud alert' on their credit files as a precautionary step. The incident triggered a shutdown of IT systems, but the company assures that customers will not face fees or negative consequences for delayed payments during restoration. Mr. Cooper manages a customer base of 4.1 million and oversees loans totaling $937 billion as of Q3 2023.
2023-11-10 20:41:40 bleepingcomputer CYBERCRIME Microsoft Exposes BlueNoroff's New Crypto-Stealing Tactics
Microsoft has identified that the North Korean hacking group BlueNoroff is preparing for new cryptocurrency thefts via LinkedIn-based social engineering campaigns. The group, which Microsoft refers to as Sapphire Sleet, is creating websites that impersonate skills assessment portals to target individuals within the cryptocurrency sector. BlueNoroff engages with targets on LinkedIn, then moves to deploy backdoor malware through malicious documents shared on social platforms after establishing trust. The group has shifted tactics, opting to host malicious payloads on their own password-protected websites, after previously using legitimate services like GitHub. These custom websites are disguised as recruitment tools to entice potential victims into registering and falling prey to the group's malicious intent. The FBI linked BlueNoroff to the record-breaking hack of Axie Infinity's Ronin network bridge, which involved the theft of over $617 million in cryptocurrency. Over the years, BlueNoroff has been implicated in a spate of attacks against financial institutions globally, underlining the persistent threat posed by state-sponsored hacking collectives.
2023-11-10 20:26:15 theregister CYBERCRIME LockBit Ransomware Gang Leaks 50GB of Boeing Data
LockBit ransomware group claims to have leaked 50GB of data from Boeing after ransom demands went unmet. The leaked files reportedly include compressed archives and backups of various systems, finances, marketing, and supplier details. Boeing has not confirmed the authenticity of the data leak but has acknowledged a cybersecurity incident within its parts and distribution business. Speculation arises about the use of Citrix Bleed as the potential exploit for the initial breach, though Boeing hasn't commented on the entry point. A security researcher noticed Boeing corporate emails among the leaked data, indicating potential risk for further malicious activities. Boeing appears on the LockBit dark web site as a victim, with negotiations either failing or never occurring, leading to the public data dump. The same week, LockBit also claimed responsibility for a ransomware attack on China's largest bank, ICBC, affecting its financial services systems.
2023-11-10 20:00:38 bleepingcomputer CYBERCRIME Healthcare Providers Targeted in ScreenConnect-Based Cyber Attacks
Hackers have compromised multiple U.S. healthcare organizations using ScreenConnect remote access. Managed security platform Huntress noticed unauthorized activities suggesting preparations for further attacks. Persistent access to affected systems was established by attackers installing additional remote access tools like AnyDesk. The incidents, spanning from late October to early November 2023, involved similar methods, highlighting the likelihood of a single actor. Intrusions occurred through a ScreenConnect instance associated with Transaction Data Systems (TDS), which may indicate a breach or credential compromise. The attackers executed sophisticated techniques to avoid detection while using memory-based payloads and misusing legitimate services. Attempts made by Huntress to alert the possibly affected company, Outcomes (formerly TDS), have been met with no response.
2023-11-10 18:53:50 theregister CYBERCRIME Poloniex Crypto-Exchange Offers Bounty for Stolen $120M Return
Poloniex exchange was the target of a significant theft, with an estimated $120M in user funds stolen. Exchange founder Justin Sun has proposed a 5% "white hat bounty" to the thieves for the return of the stolen funds. Sun has threatened to involve law enforcement if the funds are not returned within 7 days. A portion of the stolen assets has been frozen, and the exchange claims its operating revenue can cover the losses. Systems have been restored, and the exchange is taking measures to ensure security before resuming full services. Blockchain security firms SlowMist and Cyvers have tracked and reported on the theft; various tokens were stolen through multiple transactions. There are indications the notorious Lazarus group, known for state-sponsored cyber activities, could be behind this and similar incidents.
2023-11-10 16:51:39 bleepingcomputer MISCELLANEOUS Microsoft Prolongs Windows Server 2012 ESU Support to 2026
Microsoft has extended Windows Server 2012 Extended Security Updates (ESUs) until October 2026, providing three additional years for users. This extension aims to give administrators more time for upgrading systems or migrating workloads to Azure. Windows Server 2012 and R2's mainstream support ended in October 2018, but ESUs allow for continued technical assistance and bug fixes. Customers on Azure may already receive free ESUs, while others can purchase the service, which is deployable via Azure Arc without keys. Microsoft offers step-by-step guidance for extending ESU protection and details on ESU activation scenarios. For on-premises servers, upgrading to Windows Server 2022 or migrating to Azure Virtual Machines are suggested alternatives to maintain security and compliance. The extension reinforces Microsoft's commitment to cybersecurity as older, unsupported versions of software can pose significant risks.
2023-11-10 16:26:00 bleepingcomputer DATA BREACH Maine Government Data Breach Affects 1.3 Million Individuals
The State of Maine reported a data breach in their MOVEit file transfer tool, affecting the personal information of approximately 1.3 million people. A zero-day vulnerability was exploited by the Clop ransomware gang, leading to a massive data theft campaign. The breach occurred between May 28, 2023, and May 29, 2023, impacting various state agencies with Maine’s Department of Health and Human Services being the most affected. Types of data exposed include personal, financial, and minor-specific information, with the extent of exposure varying per individual's interaction with state agencies. Notification to the public was delayed due to the State's comprehensive investigation into the breach. Impacted individuals will receive free credit monitoring and identity theft protection services for two years, and are advised to monitor their financial accounts for any unusual activity. A dedicated call center has been established to assist and address concerns relating to the security incident.
2023-11-10 15:39:55 theregister CYBERCRIME Ransomed.vc Ransomware Group Disbands After Suspected Arrests
Ransomed.vc, a ransomware group, announced its dissolution following a lack of interest in its sale and attention from law enforcement. Initially, the group offered itself for sale to a "trusted person," later dropping the price by 20% as it pushed for a rapid exit. The group cited the involvement of inexperienced young affiliates, poor operational security (opsec), and the risk of their arrest as reasons for shutting down. Six individuals associated with the group are suspected to have been arrested, prompting the group's leader to terminate all of its 98 affiliates. Ransomed.vc, known for claiming an attack on Sony and Japan's largest telco NTT Docomo, had its claims questioned by cyber researchers and rival cybercriminals. In addition to erratic behavior, the group engaged in a smear campaign against a cybersecurity executive, further diluting its credibility. The disappearing act of Ransomed.vc follows a pattern seen in ransomware circles, where groups often resurface with new identities after lying low.
2023-11-10 15:29:35 bleepingcomputer DATA BREACH McLaren Health Care Data Breach Affects 2.2 Million Patients
McLaren Health Care announced a data breach affecting approximately 2.2 million individuals, with sensitive personal information compromised. The breach occurred between late July and August 2023, with the organization becoming aware of the security issue on August 22, 2023. An external cybersecurity team revealed that unauthorized access had been ongoing since July 28, with data exposure confirmed by October 10. Types of data accessed vary among individuals but remain undisclosed; all affected parties will receive instructions for 12-month identity protection services. McLaren has not found evidence of misuse of the data but warns those affected to monitor their financial accounts and be vigilant of unsolicited communications. ALPHV/BlackCat ransomware group claimed responsibility for an attack on McLaren's network, threatening to auction the collected data they say concerns 2.5 million people.