Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12821
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-05 15:21:28 | thehackernews | CYBERCRIME | Europol Dismantles Manson Market in Major Cybercrime Takedown | Europol, alongside German authorities, has shut down Manson Market, a clearnet marketplace involved in large-scale online fraud. Over 50 servers tied to Manson Market were seized and two suspects were arrested in Germany and Austria. Investigators gathered over 200 terabytes of data, suggesting extensive criminal activity facilitated by the marketplace. Manson Market specialized in selling sensitive information obtained via phishing and vishing scams, affecting numerous victims. The marketplace offered customized packages of stolen data, enabling tailored and efficient targeted fraud by criminals. Additionally, Manson Market promoted and distributed stolen credit card details through a Telegram channel. A cooperative effort between several European nations, including Austria, Czechia, Finland, Germany, the Netherlands, and Poland, disrupted the criminal infrastructure across multiple countries. The arrests and seizures are part of a broader crackdown on cybercriminal activity, including the recent takedowns of other criminal marketplaces and networks. | Details |
| 2024-12-05 15:06:04 | bleepingcomputer | MALWARE | Advanced "Latrodectus" Malware Targeting Corporate Networks | Latrodectus malware is named after the black widow spider, indicating its stealthy and aggressive nature. It targets a variety of systems, including corporate networks, financial institutions, and individual users, adapting and morphing to enhance its effectiveness. Associated with threat actors TA577 and TA578, Latrodectus is known for data theft, system reconnaissance, and occasionally ransomware functions. This malware shares similar initial access and data exfiltration tactics with the previously known IcedID malware. A multi-layered defense strategy, including proactive defenses, user awareness, and the latest security updates, is crucial for prevention. Wazuh helps in the detection and defense against Latrodectus through real-time monitoring, threat detection, and log analysis. The modular design of Latrodectus allows it to adapt capabilities based on the attacker's objectives and the compromised systems. | Details |
| 2024-12-05 15:00:38 | thehackernews | CYBERCRIME | Critical Security Flaws Uncovered in Mitel MiCollab Software | Researchers discovered a critical vulnerability (CVE-2024-41713) in Mitel MiCollab's NuPoint Messaging component, enabling unauthorized file and admin access. The flaw involves a path traversal attack through improper input validation, posing a severe risk with a CVSS score of 9.8. CVE-2024-41713 can be exploited via a crafted HTTP request to access sensitive system information without authentication. This vulnerability has been connected to another SQL injection flaw (CVE-2024-35286) previously patched in May 2024. A combination of these vulnerabilities could allow attackers to perform unauthorized administrative actions and access sensitive user information. Mitel has issued a patch in the latest version of the software, and users are urged to update to MiCollab versions 9.8 SP2 (9.8.2.12) or later. The discovery underscores the ongoing risks and importance of stringent security measures and prompt patch management in corporate IT environments. | Details |
| 2024-12-05 12:44:15 | thehackernews | NATION STATE ACTIVITY | Earth Minotaur Targets Uyghurs, Tibetans with Surveillance Malware | Earth Minotaur, an unidentified threat actor, uses the MOONSHINE exploit kit and DarkNimbus backdoor to conduct surveillance on Tibetan and Uyghur communities. MOONSHINE exploits various known vulnerabilities in Chromium-based browsers to deploy payloads capable of extracting sensitive data. DarkNimbus, a sophisticated Android and Windows backdoor, enables long-term surveillance, collecting a wide range of personal data including device metadata and call history, and even executing commands. The hacking campaign affects multiple countries globally, including the U.S., Canada, Australia, and several European nations. The attackers use social engineering via instant messaging apps, enticing victims to click on malicious links disguised as routine or culturally relevant content. In cases where direct exploitation fails, MOONSHINE serves a phishing page prompting users to download a compromised update, facilitating the attack. Trend Micro identified the ongoing development and sophistication of the MOONSHINE toolkit, suggesting collaboration with other cyber threat actors such as POISON CARP. | Details |
| 2024-12-05 12:28:53 | theregister | CYBERCRIME | UK Hospitals Struggle to Recover from Cyberattacks, Patient Data Risked | National Health Service (NHS) Trusts are working on recovery after recent cyberattacks hit multiple hospitals, affecting crucial services and causing delays. NHS Wirral reintroduced manual operations after the attack, downgrading the incident status but still experiencing service disruptions. Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital suffered breaches through a shared digital gateway, leading to unlawful data access. INC Ransom claimed responsibility for the attacks on the Liverpool hospitals, and stolen data was posted online, exacerbating the situation. An investigation is ongoing to determine the extent of the data breach, with critical patient and donor information potentially compromised. Despite restoration efforts, there is a continued risk of the stolen data being published before full security measures can be implemented. The National Crime Agency is assisting in security operations, but the NHS's no-ransom policy remains, as evidenced by precedents set in past attacks. All hospital services at Alder Hey continued unaffected, but the broader impact and public outrage have put additional pressure on the security response. | Details |
| 2024-12-05 11:48:19 | thehackernews | MISCELLANEOUS | Transitioning from Vulnerability to Exposure Management in Cybersecurity | Traditional Vulnerability Management (VM) strategies are becoming outdated due to evolving cyber threats and expanded attack surfaces. Gartner® emphasizes the necessity of transitioning from a vulnerability-focused approach to an overarching Exposure Management (EM) framework. A key limitation of traditional VM is its inability to prioritize vulnerabilities effectively, leading to operational fatigue and misallocation of resources. Adding business context to security operations enhances alignment with organizational goals and transforms security into a strategic, proactive process. The expanded modern attack surface includes cloud services, IoT devices, remote work arrangements, and third-party integrations, necessitating better visibility and management. Effective Exposure Management requires improved metrics to align cybersecurity efforts with business objectives and demonstrate their value to leadership. A shift to EM demands a focus on protecting critical assets and operational continuity while reducing inefficiencies in handling unsorted vulnerabilities. Implementing EM enhances resilience by targeting the most pertinent risks and aligning cybersecurity measures with strategic business outcomes. | Details |
| 2024-12-05 11:07:46 | theregister | DATA BREACH | BT Group Confirms Attempted Attack on Conferencing Division | BT Group has confirmed an attempted cyber attack targeting its BT Conferencing unit, based in Massachusetts. The attack was publicized by the Black Basta ransomware group, which claimed to have stolen around 500 GB of sensitive data. The compromised data reportedly includes financial documents, non-disclosure agreements, user information, identity documents, and employee details, though the data appears to be outdated. Despite the breach, BT assured that the affected servers were isolated quickly and did not impact live conferencing services or any other BT or customer services. The company is actively investigating the incident and is collaborating with regulatory and law enforcement bodies to address the situation. Black Basta, responsible for the attack, is known for targeting over 500 organizations, including critical infrastructure and healthcare entities, since its emergence in April 2022. The ransomware group has amassed significant revenue, estimated at $100 million, through various high-profile attacks across different sectors. | Details |
| 2024-12-05 11:02:19 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Suspected in Prolonged Cyberattack on U.S. Firm | A U.S. organization was the target of a suspected Chinese hacker group attack that lasted four months, starting in April 2024. Symantec identified the use of tactics linked to known Chinese threat groups, including DLL side-loading and the deployment of multiple data exfiltration tools. The attackers engaged in extensive lateral movement within the network, compromising Exchange Servers to gather intelligence and harvest emails. The exact initial access vector is unclear, but indications suggest an advanced ability to exploit network vulnerabilities, evidenced by compromised internal machines. The attack included the use of both proprietary and open-source tools, highlighting a sophisticated blend of techniques to maintain persistence and avoid detection. There is a historical context of similar attacks from groups linked to China targeting this organization, which is noted to have significant operations in China. Artefacts from the attack show parallels with those used in a known state-sponsored Chinese operation codenamed Crimson Palace. This incident underlines the ongoing cybersecurity risks posed by nation-state actors in the geopolitical landscape, particularly those linked to Chinese intelligence and military units. | Details |
| 2024-12-05 11:02:18 | bleepingcomputer | CYBERCRIME | Unpatched Zero-Day Vulnerability Found in Mitel MiCollab Platform | Researchers at watchTowr identified a zero-day vulnerability in the Mitel MiCollab collaboration platform that allows arbitrary file reading. The flaw has not been fixed 90 days after disclosure, with a patch expected by the first week of December 2024. Mitel MiCollab is widely used by various organizations, including large corporations and SMEs, especially those with remote or hybrid work setups. The vulnerability was discovered during the investigation of previous issues, specifically while probing the 'ReconcileWizard' servlet used in MiCollab. Sensitive system files, such as '/etc/passwd', are accessible due to the vulnerability, posing a significant security risk. Despite newer patches addressing other issues, this zero-day flaw remains open and currently poses a threat to users of the platform. Mitel has not updated its security advisory page concerning this new vulnerability, leaving users without official guidance on mitigating the risk. | Details |
| 2024-12-05 09:06:05 | theregister | MISCELLANEOUS | UK Cyber Team Competition Seeks Sponsorship to Nurture Talent | The UK Cyber Team Competition, in collaboration with SANS and the UK government, aims to discover top cyber security talent aged 18-25. Recent reports highlight a significant basic skills gap in cyber security within 44 percent of UK businesses. The competition provides a platform for corporate sponsorship, offering various benefits including financial support, student mentoring, and training opportunities. Sponsors can gain visibility and prestige, enhance brand awareness, and network directly with the competition's top 200 finalists. There are four levels of partnership – Platinum, Gold, Silver, and Bronze – each offering unique benefits like recruitment opportunities and increased brand recognition. The competition will commence with an initial round on November 30, 2024, leading up to a live final on January 18, 2025, where the top 30 participants will join the UK Cyber Team. This initiative not only helps fill the UK's cybersecurity skill gaps but also strengthens the national cyber security infrastructure on an international scale. Details on how to sponsor or participate in the competition are available through specific registration links provided in the article. | Details |
| 2024-12-05 08:35:36 | theregister | RANSOMWARE | Stoli Group Bankruptcy Tied to Ransomware and Putin's Legal Actions | Two US subsidiaries of Stoli Group filed for bankruptcy due to debts exceeding $84 million, worsened by a ransomware attack in August that disrupted major systems. CEO Charles Caldwell cited multiple factors for the financial strain, including the disabling of their ERP system by the ransomware attack, which forced many processes onto manual entry. Recovery of affected systems is not expected to complete until the first quarter of 2025, complicating compliance with lenders' reporting requirements. The company has also suffered from decreased demand post-COVID-19, increased operational costs, and extensive legal fees from prolonged litigation with the Russian government over trademark rights. Russia's actions against Stoli, including the seizure of distilleries in 2024 valued at $100 million, came after the company's support for Ukrainian refugees, which led to the company and its owner being branded as "extremists." The financial challenges were compounded by the lender's refusal to release additional funds, making a Chapter 11 bankruptcy filing necessary for reorganization and to minimize losses to creditors. | Details |
| 2024-12-05 07:34:46 | thehackernews | NATION STATE ACTIVITY | MirrorFace Spear-Phishing Campaign Targets Japanese Entities | MirrorFace, linked to China, has launched a spear-phishing campaign targeting Japan, focusing on individuals and organizations. The campaign delivers two backdoors, NOOPDOOR and ANEL, the latter previously used by APT10 against Japan. ESET documented MirrorFace's recent use of ANEL in an attack on a European Union diplomatic entity. The spear-phishing emails, laden with malicious links, aim to install malware under the guise of interview requests and discussions on U.S.-China relations affecting Japan's economic security. The malicious ZIP file downloaded from the links varies based on the target and contains a macro-enabled document designed to drop malware while evading detection. The malware keeps ANEL resident in memory and launches it using DLL side-loading techniques. ANEL functionality in the 2024 campaign includes capturing screenshots, file manipulation, and command execution with elevated privileges. The attacks are noted for their precision in targeting individuals with potentially weaker security measures, making detection and prevention challenging. | Details |
| 2024-12-05 05:48:36 | thehackernews | CYBERCRIME | UK NCA Disrupts Russian Crypto Networks Laundering Millions | The NCA executed Operation Destabilise, targeting Russian money laundering networks linked to criminal activities in the UK, Middle East, and South America. The operation resulted in the arrest of 84 individuals associated with the Smart and TGR networks, both based in Moscow. A total of £20 million in cash and cryptocurrencies was seized during these operations. The US Treasury has sanctioned five individuals and four entities related to these networks, notably the TGR Group for evading international sanctions. TGR Group and Smart Group provided illicit financial services, including money laundering for sanctioned entities and converting illicit funds into digital assets. The Smart network is alleged to have funded Russian espionage from late 2022 to mid-2023; details of those operations remain undisclosed. The operation exposed previously hidden financial connections between Russian elites, cybercriminals, and UK street gangs. | Details |
| 2024-12-05 05:13:02 | thehackernews | NATION STATE ACTIVITY | CISA Identifies Actively Exploited Security Vulnerabilities | CISA has updated its KEV catalog to include new vulnerabilities from Zyxel, ProjectSend, and CyberPanel due to evidence of active exploitation. CVE-2023-45727 was exploited by the Earth Kasha group, linked to Chinese cyber espionage, according to a Trend Micro report. CVE-2024-11680 has been used since September 2024 by malicious actors to deploy post-exploitation payloads, according to VulnCheck. The PSAUX and Helldown ransomware campaigns are exploiting CVE-2024-51378 and CVE-2024-11667, as reported by Censys and Sekoia. U.S. Federal Civilian Executive Branch agencies are urged to address these vulnerabilities by December 25, 2024, to protect their networks. Simultaneously, JPCERT/CC reported that I-O DATA routers are under attack, with some patches available and others expected by December 2024. Recommended mitigations include disabling remote management and strengthening passwords on the affected I-O DATA routers. | Details |
| 2024-12-05 01:00:09 | theregister | NATION STATE ACTIVITY | T-Mobile CSO Discusses Novel Cyber-Espionage Tactic by Chinese Hackers | T-Mobile US CSO Jeff Simon highlighted novel infiltration techniques by a Chinese government-linked group, dubbed Salt Typhoon, targeting US telecom networks. The group gained extensive access to multiple US providers, compromising wiretapping systems and stealing customer data; T-Mobile thwarted the attempts within days. Simon did not provide specific details about the duration or tactics used by the intruders, but described the method of moving between telecom infrastructures as unique and undisclosed. FBI and CISA officials noted that, although the hackers used no new techniques, the espionage campaign was extensive and severe. T-Mobile US, unlike other affected operators, detected no major breach of sensitive customer data or service disruption, and attributes this to robust security measures and rapid credential rotation among its workforce. US officials advised increased emphasis on strong encryption for messaging and communications to protect data from such sophisticated espionage efforts. T-Mobile US cooperated with federal authorities and other telecom companies to better understand and mitigate the cyber-espionage activities. | Details |