Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12804

Checks for new stories every ~15 minutes

2024-10-01 15:38:04 bleepingcomputer CYBERCRIME Global Crackdown on LockBit Ransomware Gang Leads to Multiple Arrests
Four individuals associated with the LockBit ransomware gang were arrested in a coordinated effort by law enforcement agencies from 12 countries, including the UK's National Crime Agency and Europol. Those arrested were a developer, the administrator of a bulletproof hosting service, and two other people linked to LockBit activity. The crackdown follows the February 2024 takedown of LockBit's infrastructure and the sanctions and operational actions against the gang's associates that accompanied it. LockBit has been responsible for major attacks worldwide, with victims including Bank of America, Boeing, and the UK Royal Mail, and is estimated to have extorted up to $1 billion across at least 7,000 attacks. That February operation also seized 34 servers and obtained over 2,500 decryption keys, which enabled the development of a decryptor for LockBit 3.0 Black. Further sanctions were imposed on individuals linked to LockBit and Evil Corp, including financial sanctions from the UK, US, and Australia. Earlier arrests and convictions of key figures in the operation form part of the continuing effort to dismantle the network.
2024-10-01 14:12:39 theregister NATION STATE ACTIVITY NCA Identifies Evil Corp Kingpin as LockBit Ransomware Affiliate
The NCA has identified Aleksandr Ryzhenkov as a key member of Evil Corp and an affiliate of the LockBit ransomware group under the pseudonym "Beverley." Ryzhenkov is alleged to have carried out 60 LockBit ransomware attacks and demanded around $100 million in Bitcoin. The finding is the first known major crossover between the Russia-based Evil Corp and LockBit. Ryzhenkov is described as one of the closest professional allies and personal friends of Evil Corp leader Maksim Yakubets; the two have reportedly worked together in cybercrime since at least 2011. His identification followed the February "LockBit Leak Week," in which law enforcement exposed 194 LockBit affiliates through the gang's own seized leak site. Evil Corp, which has also been linked to the Russian government, was previously known for distributing the Dridex malware and began experimenting with ransomware in 2017. Despite sanctions and law enforcement disruption since 2019, the NCA continues its efforts to dismantle Evil Corp and hold its members accountable.
2024-10-01 10:31:10 thehackernews MISCELLANEOUS Balancing GenAI Use and Security to Prevent Data Leaks
Generative AI (GenAI) has significantly boosted enterprise productivity in software development, financial analysis, business planning, and customer engagement. Its main risk is leakage of sensitive data, which has left many companies choosing between unrestricted use and an outright ban. LayerX's new e-guide, "5 Actionable Measures to Prevent Data Leakage Through Generative AI Tools," advises on securing corporate data while still benefiting from GenAI. The guide argues against a binary decision and recommends a balanced approach that avoids incidents like the widely reported Samsung data leak. Security managers are encouraged to adopt specific, actionable controls that allow safe GenAI use, positioning them as enablers rather than blockers in their organizations. The guide is intended as a practical tool for immediate implementation, safeguarding sensitive information without sacrificing the productivity gains of tools like ChatGPT.
2024-10-01 06:49:57 thehackernews CYBERCRIME Sniper Dz Phishing Platform Implicated in Over 140,000 Cyber Attacks
Over 140,000 phishing attacks in the past year have been linked to the Sniper Dz Phishing-as-a-Service (PhaaS) platform, which targets user credentials. Sniper Dz provides an online admin panel from which cybercriminals can use or download a variety of phishing page templates, hosting them either on Sniper Dz's own servers or on their own infrastructure. The service is free, but it practices "double theft": credentials stolen by its users are also exfiltrated to the platform's operators. Telegram channels with over 7,170 subscribers are used to distribute the phishing kits and to provide support and updates for campaigns. To evade detection, Sniper Dz fronts its phishing sites with a legitimate proxy server, making the malicious pages harder to identify. Phishing activity has surged, particularly against users in the U.S., with stolen credentials tracked and collected through Sniper Dz's centralized system. Related threats noted in the report include email spam that abuses web form fields to deliver phishing messages, and a new campaign that leverages Microsoft Excel to deploy a fileless Remote Access Trojan (RAT).
2024-10-01 05:29:35 thehackernews MALWARE New Cryptojacking Campaign Exploits Docker for Malware Spread
Cybersecurity researchers have identified a new cryptojacking attack targeting the Docker Engine API to infiltrate and use Docker installations for illicit cryptocurrency mining. The attackers use a malicious Docker Swarm for command-and-control, leveraging Docker's orchestration capabilities to direct and manage the infected nodes. Initial penetration is achieved by scanning for exposed Docker API endpoints, then deploying cryptocurrency mining malware through downloaded scripts. The malware enhances its spread by executing scripts designed to facilitate lateral movement to Docker, Kubernetes, and SSH endpoints, promoting a worm-like propagation across the network. Notably, the campaign utilizes rootkits to hide mining processes from detection and deploys scripts that forward harvested credentials from various services back to a central command-and-control server. Researchers noted similarities with tactics used by the known threat group TeamTNT, although direct attribution has not been confirmed. The impact of this campaign underscores ongoing risks associated with improperly secured cloud environments, particularly those exposing Docker API endpoints. The report highlights the continued threat of cryptojacking and the necessity for robust security practices in cloud and Docker container management.
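The campaign's entry point is a Docker Engine API reachable over the network without authentication. The following is an added example, not code from the report or from Docker: it audits a dockerd configuration (the `hosts` and TLS keys of daemon.json, plus any `-H`/`--host` flags on the daemon command line) and reports TCP listeners that accept API calls without client-certificate verification. The sample configurations are constructed; the internal address 10.0.0.5 and the certificate paths are placeholders.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API endpoint.

Illustrative example (not from the cryptojacking report or from Docker itself).
Keys checked are the real daemon.json keys: hosts, tls, tlsverify, tlscacert,
tlscert, tlskey. Sample configs below are constructed for the example.
"""
from urllib.parse import urlsplit

DOCKER_DEFAULT_TCP_PORT = 2375   # plaintext default; 2376 is the TLS convention


def listeners(config: dict, argv: list[str]) -> list[str]:
    """Collect every listener address from daemon.json and dockerd arguments."""
    found = list(config.get("hosts", []))
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            found.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:   # "-Htcp://..." form
            found.append(arg[2:])
        i += 1
    return found


def audit_daemon(config: dict, argv: list[str] = ()) -> list[str]:
    """Return findings; an empty list means no unauthenticated network listener."""
    argv = list(argv)
    tls_verify = bool(config.get("tlsverify")) or "--tlsverify" in argv
    tls_only = bool(config.get("tls")) or "--tls" in argv   # encrypts, but does not authenticate clients
    findings = []
    for host in listeners(config, argv):
        if not host.startswith("tcp://"):
            continue   # unix:// and fd:// listeners are local-only
        parts = urlsplit(host)
        port = parts.port or DOCKER_DEFAULT_TCP_PORT
        if not tls_verify:
            how = ("TLS without client verification (tls set, tlsverify not set)"
                   if tls_only else "plaintext, no authentication")
            findings.append(f"{host}: Docker API exposed on port {port}: {how}")
        elif parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: client certs required, but bound to all interfaces; restrict with a firewall")
    return findings


# Constructed examples: the weak setting beside the corrected one.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon(cfg) or ["ok"])
    print("cli", audit_daemon({}, ["dockerd", "-H", "tcp://0.0.0.0:2375"]))
```

Note that `tls: true` on its own only encrypts the connection; any client that can reach the port can still issue API calls, so the check treats it as unauthenticated. Only `tlsverify` makes the daemon demand a client certificate signed by the configured CA.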
2024-10-01 02:08:43 thehackernews CYBERCRIME U.K. Hacker Indicted in Multimillion-Dollar Insider Trading Scheme
Robert Westbrook, a 39-year-old from London, has been charged by the U.S. Department of Justice with securities fraud, wire fraud, and computer fraud. Recently arrested, he is expected to be extradited to the U.S. to face charges over a scheme that netted nearly $3.75 million. Between January 2019 and May 2020, Westbrook broke into the Microsoft 365 accounts of corporate executives to obtain non-public, financially sensitive information, which he then used to trade securities ahead of at least 14 corporate earnings announcements. The SEC highlighted the steps he took to conceal his identity, including VPNs, anonymous email accounts, and bitcoin transactions; the SEC's data analytics nevertheless identified his trading despite those efforts. Westbrook faces a maximum of 20 years in prison for securities fraud, a similar maximum for wire fraud, and up to five years for each count of computer fraud.
2024-10-01 00:28:16 theregister DATA BREACH Australian Retailer digiDirect Hit by Major Customer Data Leak
Over 304,000 customers of digiDirect, an Australian camera and tech retailer, potentially had their personal data leaked online. A cybercriminal, known as “Tanaka,” is accused of stealing a database containing names, email addresses, phone numbers, and addresses. The stolen information was posted on a cybercrime forum, including a shoutout to another cybercriminal, “Chucky.” digiDirect has yet to respond to the allegations, and there is no confirmation from Australian authorities regarding an investigation. Customers are urged to monitor their bank accounts and digital identities for signs of fraudulent activities. The potential breach is part of a broader issue affecting Australians, with recent high-profile data theft incidents involving Ticketmaster, MediSecure, and Nissan Oceania. In 2021, digiDirect faced penalties for misleading advertising, highlighting past issues with consumer trust.
2024-09-30 23:28:02 theregister CYBERCRIME Rackspace Web Servers Breached via Zero-Day in Third-Party Tool
Rackspace experienced a security breach caused by a zero-day vulnerability in a third-party application used in its internal performance monitoring setup. Intruders exploited the flaw in a utility bundled with ScienceLogic's SL1 software and gained unauthorized access to three of Rackspace's internal web servers. The breach gave the attackers access to "limited" monitoring-related customer information, including account names, usernames, and encrypted credentials. Although the monitoring dashboard was temporarily taken offline, Rackspace reported no impact on its broader monitoring functionality or customer services. Rackspace has since isolated and patched the affected systems in cooperation with ScienceLogic, which also shipped a patch to its own customers. ScienceLogic has declined to name the third-party utility in the SL1 package, citing risk to other users, but confirmed that a patch was developed rapidly. Rackspace has assured customers that no other products or services were compromised and has begun notifying and updating affected users.
2024-09-30 22:27:45 theregister RANSOMWARE Ransomware Attack Cripples Major Texas Hospital, Forces Ambulance Diversion
A ransomware incident at University Medical Center in Lubbock, Texas, has severely limited hospital operations and disrupted emergency services. The attack began on a Friday and forced the hospital to divert both emergency and non-emergency incoming ambulance patients to nearby facilities. University Medical Center is a level-one trauma center and the sole provider of that level of emergency care within a 400-mile radius, so the diversion adds significant risk to patient safety. After the hospital's IT network showed unusual activity, staff disconnected it from the main system and brought in third-party cybersecurity specialists. The FBI may assist with recovery and negotiations, as it sometimes helps reduce ransom demands and supports restoration of systems. Sophos reports that ransomware attacks on the healthcare sector have risen even as other industries see a general downtrend, because the critical nature of healthcare services and data makes the sector a prime target. Two-thirds of healthcare facilities have experienced at least one ransomware attack in the past two years, and over half paid the ransom to regain control of their networks.
2024-09-30 22:07:41 theregister DATA BREACH T-Mobile Settles for $31.5M Over Multiple Data Breaches
T-Mobile US has agreed to a $31.5 million settlement following several network intrusions between 2021 and 2023, impacting millions of customers. The settlement includes a $15.75 million civil penalty to the US Treasury and an equal amount allocated for enhancing the telco's cybersecurity measures over the next two years. The FCC charged T-Mobile with violations of the Communications Act of 1934 for failing to adequately protect customer information and maintain reasonable cybersecurity defenses. At least seven security breaches over the past five years have resulted in significant customer data leaks, though the settlement specifically addresses four incidents since 2021. T-Mobile admitted no wrongdoing but acknowledged the breaches, immediately addressing the issues and committing to ongoing improvements in their cybersecurity infrastructure. Specific breaches involved sophisticated attacks, including unauthorized access via impersonation, exploitation of a T-Mobile lab environment, illegal SIM swaps, phishing attacks, and API misconfiguration. The FCC has stressed the necessity for top-tier cybersecurity protections for consumer data, reflecting increased regulatory scrutiny on telecommunications providers’ data security measures.
2024-09-30 22:07:40 bleepingcomputer CYBERCRIME Microsoft Enhances Security for Edge Extension Publishing
Microsoft has updated the Publish API for Edge extension developers, focusing on increased security for developer accounts and the extension update process. Developers must now use the Partner Center to submit new Microsoft Edge browser extensions for approval; subsequent updates can also utilize the Publish API. The updated API introduces dynamically generated API keys for each developer, minimizing the risks associated with static credential exposure. API keys are stored as hashes within Microsoft’s databases to prevent potential leaks, enhancing overall security. Access token URLs, crucial for updating extensions, are now generated internally, limiting exposure and risks associated with malicious updates. API keys' validity has been shortened to 72 days from the previous two years, promoting frequent rotation and reducing misuse risks. Microsoft encourages developers to adopt the new, more secure API system, although it is currently optional to minimize transition disruptions. The security overhaul is part of Microsoft's broader Secure Future Initiative, aimed at strengthening security across all products to prevent cyber threats like phishing and information-stealing malware.
2024-09-30 22:07:40 bleepingcomputer CYBERCRIME Hacker Charged for Insider Trading Using Breached Company Data
The U.S. Securities and Exchange Commission (SEC) has charged U.K. citizen Robert B. Westbrook with hacking into the systems of five public U.S. companies to acquire confidential earnings information. Westbrook allegedly performed insider trading based on this stolen data, executing trades before 14 different earnings announcements from January 2019 to August 2020. He reportedly gained around $3,750,000 in illicit profits from these trades. The method used involved resetting passwords of senior executives to gain unauthorized access to financial documents and emails. To conceal his identity and activities, Westbrook employed anonymous email accounts, VPNs, and Bitcoin for transactions. Despite efforts to erase digital traces, the SEC was able to trace Westbrook's activities using advanced data analytics. Westbrook now faces both civil and criminal charges, including wire fraud, securities fraud, and unauthorized computer access, with potential for significant prison time and fines.
2024-09-30 21:07:26 bleepingcomputer MISCELLANEOUS Microsoft Defender Enhances Security with Wi-Fi Safety Features
Microsoft Defender now detects and alerts users of unsecured Wi-Fi networks to enhance privacy protection for users with a Microsoft 365 Personal or Family subscription. The updated Defender VPN automatically encrypts internet traffic and routes it through Microsoft's servers for users connected to public or suspicious Wi-Fi, safeguarding their data and identity against potential threats. The feature uses Defender heuristics to assess the security of a Wi-Fi network and provides notifications for both unsecure and unsafe Wi-Fi connections. Users have the option to activate Defender VPN for additional security, defending against Evil Twin and Man-in-the-Middle attacks which can lead to information theft. The unsafe Wi-Fi alerts are currently available on Defender for Android, iOS, and Windows platforms, with macOS support expected soon. Microsoft has expanded Defender VPN support to Windows and macOS systems and has recently launched the service in Germany and Canada, with plans to reach more countries in the coming months. Defender VPN does not collect browsing data or personal details; it only sends anonymized service data like the duration and bandwidth used during VPN connections and names of detected potentially malicious Wi-Fi for research purposes, after obtaining user consent.
2024-09-30 19:26:59 bleepingcomputer DATA BREACH T-Mobile Settles for $31.5 Million Over Multiple Data Breaches
T-Mobile agreed to a $31.5 million settlement with the FCC due to multiple data breaches that exposed personal information of millions of consumers. The settlement includes a $15.75 million investment in cybersecurity upgrades and an equal civil penalty to the U.S. Treasury. Breaches occurred across 2021, 2022, and 2023, including incidents involving API vulnerabilities and sales application breaches. T-Mobile commits to advanced security measures such as zero-trust architecture and multi-factor authentication to enhance data security. FCC Chairwoman Jessica Rosenworcel emphasized the importance of top-notch cybersecurity to protect sensitive consumer data. The FCC’s Privacy and Data Protection Task Force, a newly formed entity in 2023, played a crucial role in the investigation and settlement process. Recent FCC actions reflect ongoing efforts to enforce stricter data security standards among major U.S. telecom providers.
2024-09-30 19:26:59 bleepingcomputer MALWARE JPCERT Tips for Detecting Ransomware Using Windows Logs
JPCERT/CC has published techniques for detecting ransomware attacks through analysis of Windows Event Logs. The approach identifies specific log entries that indicate ransomware activity, which can support a quick response before the threat spreads. The logs to examine are the Application, Security, System, and Setup logs, which may reveal the ransomware's entry point and tactics. Typical traces include error events such as Event IDs 13 and 10016, recorded as the ransomware runs into access problems during its activity. Log monitoring is not foolproof, but it is a useful way to detect ransomware in time, before it spreads across the network. JPCERT/CC notes that the method does not apply to older strains such as WannaCry and Petya, which left no evident traces in Windows logs. The technique is increasingly relevant as modern ransomware grows in sophistication.
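The detection described above comes down to watching for the named event IDs and treating an unusual concentration of them as a signal. The following is an added example, not JPCERT/CC's tooling: it runs a sliding-window burst detector over event records in the shape you get from an EVTX-to-JSON export or `Get-WinEvent | ConvertTo-Json` (fields `TimeCreated`, `ProviderName`, `Id` are assumed), and raises one alert per event ID whenever the threshold is crossed within the window. The watch set comes from the summary; the threshold and window values, and the sample events, are constructed for the example and need tuning against a real baseline.

```python
"""Sliding-window burst detector for the Windows event IDs named in the summary.

Added example, not JPCERT/CC's code. Record fields TimeCreated (ISO 8601),
ProviderName and Id are assumed from a JSON export; the threshold, window and
sample events below are constructed.
"""
from collections import deque
from datetime import datetime, timedelta

WATCHED_IDS = {13, 10016}              # event IDs the summary names as common traces
BURST_COUNT = 5                        # assumed: this many watched events ...
BURST_WINDOW = timedelta(minutes=2)    # ... within this window is worth an alert


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_bursts(records, watched=WATCHED_IDS, count=BURST_COUNT, window=BURST_WINDOW):
    """Return one alert dict per burst: event_id, provider, first, last, count.

    A burst starts when `count` watched events of the same ID fall inside
    `window`; later events that stay within `window` of the last one extend it.
    """
    recent = {}    # event id -> deque of timestamps still inside the window
    active = {}    # event id -> the alert currently being extended
    alerts = []
    for rec in sorted(records, key=lambda r: parse_time(r["TimeCreated"])):
        eid = int(rec["Id"])
        if eid not in watched:
            continue
        t = parse_time(rec["TimeCreated"])
        q = recent.setdefault(eid, deque())
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) < count:
            continue
        alert = active.get(eid)
        if alert and t - alert["last"] <= window:
            alert["last"] = t
            alert["count"] += 1
        else:
            alert = {"event_id": eid, "provider": rec.get("ProviderName"),
                     "first": q[0], "last": t, "count": len(q)}
            active[eid] = alert
            alerts.append(alert)
    return alerts


# Constructed sample: a cluster of six 10016 errors in under two minutes,
# then isolated noise hours later, plus an unrelated service event.
_DCOM = "Microsoft-Windows-DistributedCOM"
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-09-27T02:14:05", "ProviderName": "Service Control Manager", "Id": 7036},
    {"TimeCreated": "2024-09-27T02:14:09", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T02:14:21", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T02:14:33", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T02:14:40", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T02:14:52", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T02:15:31", "ProviderName": _DCOM, "Id": 10016},
    {"TimeCreated": "2024-09-27T08:30:00", "ProviderName": _DCOM, "Id": 10016},   # lone event, below threshold
    {"TimeCreated": "2024-09-27T09:00:00", "Id": 13},                             # single watched event, no provider
]

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"Event ID {a['event_id']} x{a['count']} from {a['first']} to {a['last']} ({a['provider']})")
```

Isolated occurrences of a watched ID are normal on many hosts, which is why the detector keys on density rather than presence; the tuning step is to measure how many of each ID a quiet machine logs per window and set `BURST_COUNT` above that.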