Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12807
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-10-01 16:34:54 | thehackernews | MALWARE | Advanced AI Stealer "Rhadamanthys" Extracts Crypto Wallet Phrases | Rhadamanthys stealer malware, updated to version 0.7.0, now features artificial intelligence including OCR for extracting cryptocurrency wallet seed phrases from images. Originally released in September 2022 and operating under a malware-as-a-service model, it continues to be sold despite bans in certain forums. It is marketed to cybercriminals for $250 monthly or $550 for three months via platforms like Telegram and Jabber. The malware can collect a range of sensitive information, including system details, credentials, and data from various applications. New additions to version 0.7.0 include enhanced phrase recognition capabilities and tools to evade detection by security software. Rhadamanthys also incorporates a plugin system enabling additional functionalities such as keylogging and reverse proxy services. The stealer is part of a broader cybercrime landscape in which similar malware families also continue to advance, posing significant security risks. Researchers highlight its high-risk potential and the necessity for organizations to remain vigilant against such sophisticated threats. | Details |
| 2024-10-01 16:34:54 | bleepingcomputer | CYBERCRIME | Evil Corp Faces New International Sanctions and Ransomware Charges | The U.S., UK, and Australia imposed new sanctions on Evil Corp, a notorious cybercrime syndicate, and indicted a member for ransomware attacks. Evil Corp's senior figures and related entities were sanctioned for their involvement in global cybercrime, including financial theft and ransomware deployment. The sanctioned individuals include members of leader Maksim Yakubets' family and former Russian FSB officer Eduard Benderskiy, who allegedly facilitated connections with Russian intelligence. New sanctions target assets linked to these individuals and businesses, severely restricting their international financial activities. Additionally, Evil Corp member Aleksandr Ryzhenkov was indicted for using BitPaymer ransomware to target U.S. companies, initiating the sanctions and legal actions. The group, known for the Dridex banking Trojan and various ransomware attacks, has tried to evade past U.S. sanctions by deploying ransomware under different names. Operation Cronos identified Ryzhenkov as a LockBit ransomware affiliate, implicating him in further international cybercrimes. Companies affected by Evil Corp ransomware attacks may face legal consequences if they attempt to pay ransoms without appropriate OFAC authorization. | Details |
| 2024-10-01 15:38:04 | theregister | NATION STATE ACTIVITY | Evil Corp's Links to Russian Intelligence Exposed in NCA Investigation | Evil Corp, known for ransomware activities, is alleged to have close ties with the Russian FSB, SVR, and GRU intelligence agencies, implicating it in state-sponsored cyberattacks on NATO members. The National Crime Agency (NCA) points to Maksim Yakubets, Evil Corp's leader, as the prime liaison with Russian intelligence. Yakubets' family connections, including his father-in-law and former FSB officer Eduard Benderskiy, are suspected of fostering the group's relationship with Russian state agencies. Benderskiy faced UK sanctions for supporting Evil Corp after the 2019 law enforcement disruptions, which highlighted his role in facilitating the gang's success post-sanctions. Multiple family members, including Yakubets' brother, cousins, and father, are alleged to have played significant roles in Evil Corp, raising concerns of a broader family network operating within cybercrime. Authorities allege that Evil Corp has extorted at least $300 million from victims across over 40 countries since 2014, targeting varied sectors from tech firms to healthcare. Recent disclosures align with previously suspected narratives about the symbiotic relationship between certain Russian cybercrime groups and state intelligence operations. | Details |
| 2024-10-01 15:38:04 | bleepingcomputer | CYBERCRIME | Global Crackdown on LockBit Ransomware Gang Leads to Multiple Arrests | Four individuals associated with the LockBit ransomware gang were arrested in a coordinated effort by law enforcement agencies from 12 countries. Arrests included a developer, a bulletproof hosting service administrator, and two others linked to LockBit activities, with involvement from the UK's National Crime Agency and Europol. The crackdown follows massive disruptions to LockBit's infrastructure in February 2024, along with significant sanctions and operational actions targeting the gang's associates. LockBit has been responsible for major cyberattacks globally, including targets like Bank of America, Boeing, and the UK Royal Mail, tallying up to $1 billion extorted from at least 7,000 attacks. The operation also led to the seizure of 34 servers and over 2,500 decryption keys, facilitating the development of a LockBit 3.0 Black Ransomware decryptor. Further sanctions were imposed against individuals linked to LockBit and Evil Corp, including financial sanctions from the UK, US, and Australia. Previous arrests and convictions include key figures in the ransomware operation, continuing efforts to dismantle the cybercrime network globally. | Details |
| 2024-10-01 14:12:39 | theregister | NATION STATE ACTIVITY | NCA Identifies Evil Corp Kingpin as LockBit Ransomware Affiliate | The NCA has identified Aleksandr Ryzhenkov as a key member of Evil Corp and an affiliate of the LockBit ransomware group, known by the pseudonym "Beverley." Ryzhenkov is alleged to have orchestrated 60 LockBit ransomware attacks, demanding around $100 million in Bitcoin. This revelation marks the first known major crossover between the Russian-based Evil Corp and LockBit groups. Ryzhenkov is described as one of the closest professional allies and personal friends of Evil Corp leader Maksim Yakubets; the two have reportedly worked together in cybercrime since at least 2011. The identification of Ryzhenkov followed the LockBit Leak Week in February, which exposed 194 affiliates of LockBit using the gang's own website. Evil Corp, also linked with the Russian government, was previously known for distributing Dridex malware and started experimenting with ransomware in 2017. Despite sanctions and law enforcement disruptions since 2019, the NCA continues its efforts to dismantle Evil Corp and hold its members accountable. | Details |
| 2024-10-01 10:31:10 | thehackernews | MISCELLANEOUS | Balancing GenAI Use and Security to Prevent Data Leaks | Generative AI (GenAI) has significantly boosted enterprise productivity by enhancing software development, financial analysis, business planning, and customer engagement. Despite its benefits, GenAI poses high risks, especially concerning sensitive data leakage, forcing companies to choose between full usage and complete bans. LayerX's new e-guide, "5 Actionable Measures to Prevent Data Leakage Through Generative AI Tools," advises on securing corporate data while leveraging GenAI benefits. The guide stresses the importance of not making binary decisions about GenAI use and recommends a balanced approach to avoid data breaches like the notable Samsung incident. Security managers are encouraged to adopt specific, actionable measures that allow safe GenAI utilization, positioning them as vital enablers in their organizations. The guide is a practical tool for immediate implementation to safeguard sensitive information without sacrificing the productivity gains provided by GenAI tools like ChatGPT. | Details |
| 2024-10-01 06:49:57 | thehackernews | CYBERCRIME | Sniper Dz Phishing Platform Implicated in Over 140,000 Cyber Attacks | Over 140,000 phishing attacks in the past year have been linked to the Sniper Dz Phishing-as-a-Service (PhaaS) platform, which targets user credentials. Sniper Dz provides an online admin panel that allows cybercriminals to use or download a variety of phishing page templates, either hosting them on Sniper Dz's own servers or on their own infrastructure. The platform offers its services for free, but it practices "double theft" by exfiltrating the stolen credentials back to the platform's operators. The use of Telegram channels with over 7,170 subscribers helps Sniper Dz distribute its phishing kits and offer support and updates for the phishing campaigns. Countermeasures by Sniper Dz include using a legitimate proxy server to hide its phishing sites, thereby making the detection of malicious sites more challenging. Phishing activity has surged, especially targeting users in the U.S., with the stolen credentials being tracked and collected through a centralized system by Sniper Dz. Other related cyber threats include email spam tactics that overload web form fields and distribute phishing emails, and a new campaign leveraging Microsoft Excel to deploy a fileless Remote Access Trojan (RAT). | Details |
| 2024-10-01 05:29:35 | thehackernews | MALWARE | New Cryptojacking Campaign Exploits Docker for Malware Spread | Cybersecurity researchers have identified a new cryptojacking attack targeting the Docker Engine API to infiltrate and use Docker installations for illicit cryptocurrency mining. The attackers use a malicious Docker Swarm for command-and-control, leveraging Docker's orchestration capabilities to direct and manage the infected nodes. Initial penetration is achieved by scanning for exposed Docker API endpoints, then deploying cryptocurrency mining malware through downloaded scripts. The malware enhances its spread by executing scripts designed to facilitate lateral movement to Docker, Kubernetes, and SSH endpoints, promoting worm-like propagation across the network. Notably, the campaign utilizes rootkits to hide mining processes from detection and deploys scripts that forward harvested credentials from various services back to a central command-and-control server. Researchers noted similarities with tactics used by the known threat group TeamTNT, although direct attribution has not been confirmed. The impact of this campaign underscores ongoing risks associated with improperly secured cloud environments, particularly those exposing Docker API endpoints. The report highlights the continued threat of cryptojacking and the necessity for robust security practices in cloud and Docker container management. | Details |
| 2024-10-01 02:08:43 | thehackernews | CYBERCRIME | U.K. Hacker Indicted in Multimillion-Dollar Insider Trading Scheme | Robert Westbrook, a 39-year-old from London, has been charged by the U.S. Department of Justice with securities fraud, wire fraud, and computer fraud. Arrested recently, he is expected to be extradited to the U.S., where he faces charges for a fraudulent scheme amounting to nearly $3.75 million. Between January 2019 and May 2020, Westbrook hacked into Microsoft 365 accounts of corporate executives to gain non-public, financially sensitive information. He exploited this insider information to trade securities ahead of at least 14 corporate earnings announcements, securing illegal profits. The SEC highlighted Westbrook's methods to conceal his identity, which included using VPNs, anonymous emails, and bitcoin transactions. Advanced data analytics and technology used by the SEC played a critical role in identifying Westbrook's activities despite his efforts at anonymity. Westbrook faces a potential maximum penalty of 20 years in prison for securities fraud, with similar maximum penalties for wire fraud and up to five years for each count of computer fraud. | Details |
| 2024-10-01 00:28:16 | theregister | DATA BREACH | Australian Retailer digiDirect Hit by Major Customer Data Leak | Over 304,000 customers of digiDirect, an Australian camera and tech retailer, potentially had their personal data leaked online. A cybercriminal known as "Tanaka" is accused of stealing a database containing names, email addresses, phone numbers, and addresses. The stolen information was posted on a cybercrime forum, including a shoutout to another cybercriminal, "Chucky." digiDirect has yet to respond to the allegations, and there is no confirmation from Australian authorities regarding an investigation. Customers are urged to monitor their bank accounts and digital identities for signs of fraudulent activity. The potential breach is part of a broader issue affecting Australians, with recent high-profile data theft incidents involving Ticketmaster, MediSecure, and Nissan Oceania. In 2021, digiDirect faced penalties for misleading advertising, highlighting past issues with consumer trust. | Details |
| 2024-09-30 23:28:02 | theregister | CYBERCRIME | Rackspace Web Servers Breached via Zero-Day in Third-Party Tool | Rackspace experienced a security breach due to a zero-day vulnerability in a third-party application used in its internal performance monitoring setup. Intruders exploited the vulnerability in a utility bundled with ScienceLogic's software, gaining unauthorized access to three of Rackspace's internal web servers. The breach enabled attackers to access "limited" monitoring-related customer information, including account names, usernames, and encrypted credentials. Although the monitoring dashboard was temporarily taken offline, there was no reported impact on Rackspace's broader monitoring functionalities or customer services. Rackspace has since isolated and patched the affected systems in cooperation with ScienceLogic, which also provided a patch to its customers. ScienceLogic has not disclosed the identity of the third-party utility used in the SL1 package, in order to mitigate risk, though it confirmed a patch was rapidly developed. Rackspace has assured customers that no additional products or services were compromised and has actively started notifying and updating affected users. | Details |
| 2024-09-30 22:27:45 | theregister | RANSOMWARE | Ransomware Attack Cripples Major Texas Hospital, Forces Ambulance Diversion | A ransomware incident at University Medical Center in Lubbock, Texas, has severely limited hospital operations, impacting vital emergency services. The cyberattack occurred on a Friday, causing the hospital to divert both emergency and non-emergency incoming ambulance patients to nearby facilities. University Medical Center, a critical level-one trauma center, is the sole provider of high-level emergency care within a 400-mile radius, adding significant risk to patient safety due to the attack. The hospital's IT network showed unusual activity, prompting its disconnection from the main system and intervention by third-party cybersecurity specialists. The FBI may assist in recovery and negotiations, as they sometimes help reduce ransom demands and support system restoration. Sophos reports an increase in ransomware attacks on the healthcare sector despite a general downtrend in other industries, as healthcare remains a prime target due to the critical nature of its services and data. Two-thirds of healthcare facilities have experienced at least one ransomware attack in the past two years, with over half paying the ransom to regain control of their networks. | Details |
| 2024-09-30 22:07:41 | theregister | DATA BREACH | T-Mobile Settles for $31.5M Over Multiple Data Breaches | T-Mobile US has agreed to a $31.5 million settlement following several network intrusions between 2021 and 2023, impacting millions of customers. The settlement includes a $15.75 million civil penalty to the US Treasury and an equal amount allocated for enhancing the telco's cybersecurity measures over the next two years. The FCC charged T-Mobile with violations of the Communications Act of 1934 for failing to adequately protect customer information and maintain reasonable cybersecurity defenses. At least seven security breaches over the past five years have resulted in significant customer data leaks, though the settlement specifically addresses four incidents since 2021. T-Mobile admitted no wrongdoing but acknowledged the breaches, immediately addressing the issues and committing to ongoing improvements in its cybersecurity infrastructure. Specific breaches involved sophisticated attacks, including unauthorized access via impersonation, exploitation of a T-Mobile lab environment, illegal SIM swaps, phishing attacks, and API misconfiguration. The FCC has stressed the necessity for top-tier cybersecurity protections for consumer data, reflecting increased regulatory scrutiny of telecommunications providers' data security measures. | Details |
| 2024-09-30 22:07:40 | bleepingcomputer | CYBERCRIME | Microsoft Enhances Security for Edge Extension Publishing | Microsoft has updated the Publish API for Edge extension developers, focusing on increased security for developer accounts and the extension update process. Developers must now use the Partner Center to submit new Microsoft Edge browser extensions for approval; subsequent updates can also use the Publish API. The updated API introduces dynamically generated API keys for each developer, minimizing the risks associated with static credential exposure. API keys are stored as hashes within Microsoft's databases to prevent potential leaks, enhancing overall security. Access token URLs, crucial for updating extensions, are now generated internally, limiting exposure and the risks associated with malicious updates. API key validity has been shortened to 72 days from the previous two years, promoting frequent rotation and reducing misuse risks. Microsoft encourages developers to adopt the new, more secure API system, although it is currently optional to minimize transition disruptions. The security overhaul is part of Microsoft's broader Secure Future Initiative, aimed at strengthening security across all products to prevent cyber threats like phishing and information-stealing malware. | Details |
| 2024-09-30 22:07:40 | bleepingcomputer | CYBERCRIME | Hacker Charged for Insider Trading Using Breached Company Data | The U.S. Securities and Exchange Commission (SEC) has charged U.K. citizen Robert B. Westbrook with hacking into the systems of five public U.S. companies to acquire confidential earnings information. Westbrook allegedly performed insider trading based on this stolen data, executing trades before 14 different earnings announcements from January 2019 to August 2020. He reportedly gained around $3,750,000 in illicit profits from these trades. The method used involved resetting passwords of senior executives to gain unauthorized access to financial documents and emails. To conceal his identity and activities, Westbrook employed anonymous email accounts, VPNs, and Bitcoin for transactions. Despite efforts to erase digital traces, the SEC was able to trace Westbrook's activities using advanced data analytics. Westbrook now faces both civil and criminal charges, including wire fraud, securities fraud, and unauthorized computer access, with potential for significant prison time and fines. | Details |