Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12832

Checks for new stories every ~15 minutes

2025-01-02 23:10:57 bleepingcomputer DATA BREACH Brain Cipher Ransomware Exposes Rhode Island's RIBridges Data
The Brain Cipher ransomware gang has begun leaking documents stolen during an attack on Rhode Island's RIBridges social services platform. Deloitte, the vendor for RIBridges, first detected the breach on December 5 and confirmed data theft on December 10. The stolen data, published on the gang's data leak site, includes personally identifiable information (PII) of both adults and minors. The breach potentially affects around 650,000 individuals and exposes sensitive information such as Social Security numbers and banking details. Rhode Island Governor McKee advised residents to take protective steps such as freezing their credit and monitoring for fraud. Cybersecurity researcher Connor Goodwolf confirmed that the data is available and includes extensive databases and backups. The leak raises concerns about targeted phishing scams built on the breached information. Brain Cipher runs a data leak site for ransom extortion, but possible DDoS attacks against the site temporarily made the leaked data inaccessible.
2025-01-02 22:30:52 theregister NATION STATE ACTIVITY Chinese Spies Target US Treasury, Steal Sanctions Data
Chinese cyber operatives reportedly infiltrated the US Treasury Department, accessing workstations and sensitive data, including information from the Office of Foreign Assets Control (OFAC). OFAC is responsible for administering economic and trade sanctions, suggesting the data theft could be linked to Chinese entities facing possible sanctions. The breach was traced back to a compromised API key from BeyondTrust's Remote Support software, granting unauthorized remote access to some Treasury office workstations. The Treasury disclosed the espionage in a December 30 letter to Congress, attributing the attack to a China state-sponsored APT (Advanced Persistent Threat) actor. BeyondTrust has updated and patched the vulnerability in both cloud and self-hosted instances, and is aiding law enforcement and affected clients in ongoing investigations. According to US officials, this is part of a series of escalating cyber operations by China, including a significant compromise of American telecommunications companies. At present, there is no evidence that the threat actor continues to have access to Treasury information.
2025-01-02 21:30:44 theregister DATA BREACH Apple Proposes $95M Settlement Over Siri Privacy Lawsuit
Apple has agreed to pay $95 million to settle a lawsuit claiming Siri recorded conversations without user consent. The lawsuit, known as Lopez et al v. Apple Inc, was filed after a whistleblower claimed in 2019 that Siri was activated and recorded audio without the required "Hey Siri" command. Plaintiffs allege these unauthorized recordings were used to target ads based on private conversations, such as medical discussions. The settlement could cover a wide range of claimants who have owned Siri-equipped devices since 2011, which could affect the size of individual payouts. Despite the lawsuit, Apple maintains that Siri recordings are secure and that reviewers are obligated to follow strict confidentiality protocols. The proposed settlement does not require Apple to admit any wrongdoing, and the issue reflects broader industry challenges, as Google faces a similar privacy lawsuit in Belgium. Apple's net income last year was $93.7 billion, making the $95 million settlement a minor financial impact.
2025-01-02 20:30:35 bleepingcomputer CYBERCRIME New "DoubleClickjacking" Technique Bypasses Traditional Web Defenses
A cybersecurity expert unveiled a new attack method known as "DoubleClickjacking," which exploits double-click mouse actions to hijack user accounts. The attack bypasses conventional clickjacking defenses because it uses neither iframes nor cross-domain cookies, instead working directly against legitimate sites. Attackers trick users into performing unintended actions such as installing plugins, connecting OAuth applications, or accepting multi-factor authentication requests. The technique relies on a sequence in which a benign-looking button prompts the user to double-click, so that the second click inadvertently lands on a dangerous element. Demonstrations have shown that the method can compromise accounts on major platforms such as Shopify, Slack, and Salesforce. The attacker uses an overlay, such as a captcha or another interaction prompt, that disappears between the two clicks, so the critical action ends up under the user's cursor for the second click. To counter the threat, the researcher proposed a JavaScript mitigation that delays button activation and a new HTTP header concept to prevent the rapid context switching that enables the attack. The risk could extend to mobile devices and browser extensions, widening the potential impact to unauthorized transactions and the disabling of VPNs.
2025-01-02 18:10:15 bleepingcomputer NATION STATE ACTIVITY Chinese State Hackers Breach U.S. Treasury, Target Sanctions Office
Chinese government-backed hackers infiltrated the U.S. Treasury Department's Office of Foreign Assets Control (OFAC), which handles economic sanctions. The breach went through the BeyondTrust remote support platform and reached sensitive information about potential sanctions against Chinese entities. The attack also extended to the Treasury's Office of Financial Research, and assessments of the full impact are ongoing. U.S. officials have found no evidence of continuing unauthorized access to Treasury systems after the initial compromise. The hacking group held responsible, known as "Salt Typhoon," has also targeted nine major U.S. telecom firms and extracted sensitive communications data. Intercepted material included text messages, voicemails, and wiretap information from U.S. law enforcement investigations. The Cybersecurity and Infrastructure Security Agency (CISA) has since recommended that government officials use encrypted messaging services such as Signal. Following these incidents, a new legislative proposal aims to strengthen the security frameworks of U.S. telecom networks.
2025-01-02 16:09:57 bleepingcomputer CYBERCRIME Over 3 Million Email Servers at Risk Due to Lack of Encryption
Over 3 million POP3 and IMAP email servers currently lack TLS encryption, leaving them vulnerable to network sniffing attacks in which attackers can read message contents and credentials in clear text. IMAP and POP3 are popular methods for accessing email: IMAP syncs messages across devices, while POP3 downloads messages to a single device. Many hosting services enable POP3 or IMAP by default, possibly without any action by the user, which increases the exposure. Shadowserver, a security monitoring platform, has identified these servers and alerted their operators to the missing encryption. Enabling TLS (Transport Layer Security) is crucial for securing email transmissions and protecting against credential interception and network eavesdropping. TLS has evolved over decades, and operators should upgrade to modern, secure configurations to prevent attacks.
2025-01-02 12:58:11 thehackernews DATA BREACH Critical Security Vulnerabilities Addressed in Microsoft APIs
Microsoft Dynamics 365 and Power Apps Web APIs have been patched to fix severe security vulnerabilities. Melbourne-based cybersecurity firm Stratus Security discovered three critical security flaws that could lead to significant data exposure. Two vulnerabilities were found in the Power Platform's OData Web API Filter, and one in the FetchXML API. The first vulnerability allowed unauthorized access to sensitive data in the contacts table by exploiting inadequate access controls. Threat actors could have used the flaws to systematically extract hashed passwords and other personal data by manipulating API responses. The patch addresses vulnerabilities that could have been used to extract email addresses and compile lists of password hashes. Stratus Security highlighted the importance of continuous security vigilance, especially for large corporations that manage extensive datasets.
2025-01-02 10:56:46 thehackernews NATION STATE ACTIVITY Rising Threat of Cross-Domain Attacks and Strategic Defense Approaches
Cross-domain attacks have recently become more prominent, exploiting weaknesses across endpoints, identity systems, and cloud environments. Adversaries, including eCrime groups such as SCATTERED SPIDER and North Korea-nexus groups such as FAMOUS CHOLLIMA, use sophisticated techniques to leverage these weaknesses. These attackers often gain access through compromised credentials, which lets them blend in and move within the target's systems without immediate detection. The fragmentation of identity security tools exposes organizations to greater risk by creating significant visibility gaps and operational inefficiencies. Effective defense against such attacks requires a unified security strategy that prioritizes comprehensive identity protection and integrates all security tools. Modern security solutions should offer real-time protection and comprehensive visibility across all environments, including hybrid setups that span on-premises, cloud, and SaaS platforms. CrowdStrike Falcon represents a leading approach by integrating identity, endpoint, and cloud security, giving organizations advanced threat detection and response capabilities. The platform's use of AI-native technology and continuous threat intelligence enables proactive defense measures and quick adaptation to evolving adversary tactics.
2025-01-02 07:49:54 thehackernews MALWARE Malicious NPM Package Deploys RAT Disguised as Ethereum Tool
Researchers uncovered a malicious npm package posing as an Ethereum vulnerability detector that secretly installs Quasar RAT. Named "ethereumvulncontracthandler," the package has been available since December 2024, has been downloaded 66 times, and remains accessible. The malware uses layered obfuscation, including Base64 and XOR encoding, to evade analysis and detection. It refuses to run in sandbox environments, and it fetches and executes Quasar RAT via PowerShell commands. Quasar RAT modifies the Windows Registry for persistence and connects to a C2 server for further instructions and data exfiltration. The RAT lets the attacker surveil and control infected systems, possibly integrating them into a botnet. Concurrent research highlights a rise in fake GitHub stars used to boost the credibility of repositories containing similar malware.
2025-01-02 07:29:32 thehackernews NATION STATE ACTIVITY Three Russian-German Nationals Arrested for Espionage and Sabotage
German prosecutors have charged three individuals of Russian-German descent with espionage on behalf of Russia's secret service. One of the accused, Dieter S., faces additional charges linked to sabotage, including photographing military installations. Dieter S. also allegedly plotted to undermine the military support Germany provides to Ukraine and showed readiness to attack military and industrial targets, including plans for explosive and arson attacks on facilities such as U.S. military sites and railways used to transport military goods. The espionage activities extended to scouting and documenting potential targets in Bavaria. The series of international intelligence cases also includes charges against a Turkish citizen, a U.S. national, and a Chinese citizen for similar espionage activities in Germany. The U.S. national, previously affiliated with the U.S. armed forces, is accused of attempting to pass sensitive military information to Chinese intelligence services. The arrested Chinese citizen was involved in gathering sensitive information about armament flights and military personnel from a logistics company at Leipzig/Halle Airport.
2025-01-01 16:06:05 bleepingcomputer MISCELLANEOUS Key Cybersecurity Incidents and Developments in 2024
2024 witnessed significant cybersecurity incidents, including major data breaches, cyberattacks, and the emergence of new threat groups. The Internet Archive faced two separate cyberattacks: a data breach compromising 33 million user records and a DDoS attack, orchestrated by different threat actors. Faulty CrowdStrike Falcon updates crashed 8.5 million Windows devices globally, causing widespread operational disruptions and subsequent phishing campaigns. The U.S. government banned Kaspersky antivirus, and the mandatory software replacements that followed led to customer dissatisfaction and privacy concerns. Russian state-sponsored hackers infiltrated Microsoft's email servers, stealing sensitive corporate emails and repeatedly exploiting this access. The National Public Data breach exposed nearly 2.7 billion personal records, making it one of the largest data breaches and affecting various sectors. The Snowflake data platform experienced credential compromises that led to massive unauthorized data exports and ransom demands. North Korean IT workers infiltrated the U.S. job market as part of a cyber-espionage and revenue-generation scheme linked to their country's nuclear program. A ransomware attack on UnitedHealth's Change Healthcare disrupted U.S. healthcare services, leading to a significant breach and a costly ransom payment.
2025-01-01 13:34:35 theregister MISCELLANEOUS Tech's Biggest Fails in 2024: An Overview of High-Profile Missteps
Oracle faced backlash over a scandalous Java licensing issue and inefficient HR systems that contributed to severe financial losses. The Internet Archive suffered significant disruptions due to cyberattacks and faced a $600 million lawsuit from major record labels over copyright issues. The year marked notable network outages, with Facebook experiencing the largest with 11.1 million users affected. Apple's much-anticipated Vision Pro goggles failed to attract software developers, resulting in a lack of applications for the device. Elon Musk repurposed X (formerly Twitter) into a platform criticized for trolling, leading to a significant user migration to competitors. Microsoft's desktop AI tools, Copilot PCs and Recall, faced strong criticism for privacy concerns and general intrusiveness. General Motors discontinued its autonomous vehicle project, Cruise, underscoring the ongoing challenges in the self-driving car industry. The shutdown of cloud-based AI for the children's robot Moxie raised ethical concerns as it left many users with inoperative devices.
2025-01-01 13:29:20 thehackernews CYBERCRIME New "DoubleClickjacking" Attack Bypasses Current Clickjacking Defenses
A newly discovered "DoubleClickjacking" technique allows attackers to bypass existing clickjacking protections and carry out account takeovers on major websites. Unlike traditional single-click clickjacking, the exploit relies on a timing-based weakness in a double-click sequence. It exposes a gap in traditional web application security measures, as current defenses such as X-Frame-Options and SameSite cookies are ineffective against it. DoubleClickjacking manipulates the user interface by replacing benign elements with malicious ones between the two clicks, deceiving users into executing unintended actions. Some websites, such as Dropbox, have implemented preventive measures by disabling critical interface buttons until a specific user interaction is detected. Security researchers recommend that browser vendors develop new defensive standards, similar to X-Frame-Options, that specifically address double-click actions. The vulnerability was identified and disclosed by security researcher Paulos Yibelo, who previously discovered related clickjacking variants such as cross-window forgery. As a long-term solution, continued innovation and adaptation of browser and web application defenses are necessary to protect against evolving threats like DoubleClickjacking.
2025-01-01 10:02:15 thehackernews NATION STATE ACTIVITY U.S. Sanctions Russian and Iranian Entities for Election Meddling
The U.S. Treasury Department has imposed sanctions on entities from Iran and Russia for attempting to interfere in the 2024 presidential election. Sanctioned groups include a subsidiary of Iran's Islamic Revolutionary Guard Corps and a Moscow-based affiliate of Russia's GRU. These entities engaged in disinformation campaigns aimed at influencing the U.S. electoral process and stoking socio-political tensions. Actions included orchestrating cyber operations to access sensitive election-related information, utilizing AI to create and disseminate deepfakes, and operating fake news websites. Meta blocked WhatsApp accounts linked to an Iranian hacking group targeting individuals across multiple countries, part of a broader strategy to undermine democratic processes. The U.S. government has also unsealed criminal charges against individuals associated with these operations, highlighting ongoing efforts to protect electoral integrity. The Kremlin supports these operations with financial resources, using covert operations to mask its involvement and broaden the impact of its influence campaigns.
2025-01-01 08:36:15 theregister CYBERCRIME U.S. Soldier Arrested for Selling Confidential Phone Records
A U.S. Army soldier, Cameron John Wagenius, was indicted for unlawfully transferring confidential phone records. Wagenius is linked to breaches of at least 15 telecommunications companies, including major firms like AT&T and Verizon. He is purported to be the cybercriminal "Kiberphant0m," involved in the Snowflake data storage hacks that impacted numerous organizations. Following the arrest of Connor Riley Moucka, Wagenius allegedly boasted on BreachForums about stealing and threatening to leak phone records of high-profile political figures. The case ties into a larger investigation, with Wagenius being the third arrest related to the compromise of over 165 Snowflake customers by cybercriminals. Federal prosecutors are seeking his extradition to Washington state for further proceedings. This arrest has brought international attention, highlighting significant vulnerabilities in cloud storage and data security practices.