Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12797
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-18 21:28:26 | theregister | CYBERCRIME | LockBit Ransomware Group Claims Second Attack on eFile.com | LockBit ransomware gang allegedly compromised the tax filing service eFile.com, an IRS-authorized e-file provider.
The Register has yet to confirm the validity of these claims, and both eFile.com and the IRS have not responded to inquiries.
This repeat claim by LockBit puts numerous users' personal and financial data at risk; affected users are advised to monitor for suspicious banking activity.
LockBit had previously targeted eFile.com in 2022 and might be reusing their claim for increased visibility or to cause disruption.
eFile.com experienced a separate security breach in March 2023 when malicious JavaScript redirected users to malware downloads.
The recent claim emerges as late filers rush to meet the extended IRS deadline of October 15.
Despite a global crackdown on LockBit's operations, the gang remains active, with their ransomware ranking third in recent infection statistics by Check Point. | Details |
| 2024-09-18 21:13:01 | theregister | NATION STATE ACTIVITY | FBI Dismantles Chinese-Controlled 260,000-Device Botnet | FBI Director Christopher Wray revealed that a Chinese group dismantled their own 260,000-device botnet after FBI intervention.
The botnet was managed by Integrity Technology Group, which has ties to Chinese government intelligence efforts.
Controlled devices included PCs, servers, and IoT devices infected with Mirai-based malware, primarily targeting U.S. infrastructure and academics.
The FBI, with help from the NSA, took over the botnet's control servers, leading to a DDoS counterattack by the Chinese operators.
Following their failure to regain control, the Chinese operators destroyed the botnet infrastructure and ceased operations.
Wray also discussed the FBI's role in combating ransomware, including negotiating ransom payments down for victims, notably in a case involving a U.S. cancer treatment center.
The FBI has helped save over $800 million for nearly 1,000 organizations by providing decryption keys and negotiating with ransomware perpetrators. | Details |
| 2024-09-18 21:07:43 | bleepingcomputer | CYBERCRIME | Global Crackdown Dismantles Encrypted Crime Communication Network | Europol and international agencies from nine countries have dismantled "Ghost," an encrypted messaging service used by criminals for illicit activities such as drug trafficking and money laundering.
The platform offered advanced security features, including triple-layer encryption and self-destructive messages, costing $2,350 for a six-month subscription.
Authorities conducted coordinated raids leading to the arrest of 51 individuals across Australia, Ireland, Canada, and Italy.
The investigation, initiated in March 2022 by Europol's Operational Taskforce, identified Ghost's servers in France and Iceland and traced platform owners and linked assets globally.
Seized items from the raids included a drug lab, weapons, illegal substances, and over €1 million in cash.
The crackdown disrupted the encrypted communications landscape, forcing criminals to seek alternative, less secure communication tools.
Europol stresses the importance of a balanced approach to encryption, advocating for privacy yet ensuring lawful data access for criminal investigations. | Details |
| 2024-09-18 20:16:44 | theregister | CYBERCRIME | LockBit Ransomware Targets IRS-Authorized E-Filing Service | Notorious ransomware gang LockBit has allegedly compromised eFile.com, an IRS-authorized provider for electronic tax returns.
Although the claims haven't been verified, eFile.com and the IRS have yet to comment on the alleged security breach.
If confirmed, this breach could expose significant personal and financial data of users, increasing risks of fraud.
eFile.com has been given a 14-day deadline to pay the ransom demanded by LockBit.
This incident follows a previous security issue at eFile.com in March 2023, where users were redirected to a fake browser update page that installed malware.
The compromised JavaScript led to backdoors being installed on users' PCs, though the malicious code has since been removed.
This breach notably occurs as late tax filers rush to meet the extended October 15 IRS filing deadline.
Despite a global crackdown on LockBit earlier in the year, the group remains active, responsible for 8% of ransomware attacks in August as per Check Point data. | Details |
| 2024-09-18 19:40:38 | theregister | NATION STATE ACTIVITY | Kremlin Tactics Aimed at Influencing US Presidential Race | Russian efforts to interfere in the US presidential election have intensified, with troll farms producing fake news content.
Microsoft's intelligence report highlights the creation of false narratives targeting Vice President Kamala Harris, aiming to discredit her presidential campaign.
Two Russian groups, identified as Storm-1516 and Storm-1679, have been actively involved in creating and disseminating misleading videos.
One video falsely depicted Harris supporters attacking a Trump rally attendee, while another video falsely accused Harris of involvement in a hit-and-run incident.
Despite recent US government action to seize web domains linked to these operations, the groups continue to distribute disinformation through alternative channels.
The overall strategy of these Russian-backed campaigns is to amplify political and racial tensions within the US, benefiting specific political agendas.
This pattern of influence and disinformation aligns with past election interference tactics by Russia, seeking to sway public opinion and election outcomes in favor of preferred candidates. | Details |
| 2024-09-18 19:40:37 | bleepingcomputer | CYBERCRIME | Vanilla Tempest Targets U.S. Healthcare with INC Ransomware Attacks | Microsoft identified Vanilla Tempest as the threat actor behind recent INC ransomware attacks on the U.S. healthcare sector.
INC Ransom operates as a Ransomware-as-a-Service (RaaS), targeting various public and private organizations since July 2023.
The attackers gained initial access via Gootloader malware, facilitated by the Storm-0494 threat actor.
Post-infection actions included deploying AnyDesk and MEGA for remote access and data synchronization, and lateral movement utilizing Remote Desktop Protocol (RDP).
The ransomware disrupted hospital operations, leading to rescheduled appointments and compromised patient data systems.
Vanilla Tempest, known previously as DEV-0832 and Vice Society, has a history of targeting multiple sectors with different ransomware strains.
Ransomware source code related to INC Ransom was reportedly up for sale in hacking forums for $300,000. | Details |
| 2024-09-18 19:09:52 | bleepingcomputer | CYBERCRIME | Massive Twitter Hack Promotes $HACKED Token in Pump-and-Dump Scam | The recent hacking of multiple Twitter accounts was part of a pump-and-dump scheme involving the $HACKED cryptocurrency token on the Solana blockchain.
High-profile Twitter accounts, including MoneyControl, People Magazine, and EUinmyRegion, were compromised, collectively influencing over 9 million followers.
The cyberattack began around 2:00 PM ET, with hacked accounts posting identical messages promoting the $HACKED token to inflate its value artificially.
Initially, the $HACKED token had only 42 holders and a market cap of about $5,000. Following the hacking incident, the number of token holders rose to 436, and the market cap surged to $166,175.57.
The exact method of account compromise remains unclear, though speculation suggests a breached API key or third-party app vulnerabilities could be responsible.
The incident has led to market volatility, with rapid fluctuations in the token’s value as traders exploited the artificially inflated prices for profits.
BleepingComputer reached out to affected accounts for comments but has yet to receive any responses. The investigation into the hacking continues as this story develops. | Details |
| 2024-09-18 19:04:31 | bleepingcomputer | CYBERCRIME | Vanilla Tempest Targets U.S. Healthcare with INC Ransomware | Microsoft has identified the ransomware group Vanilla Tempest targeting U.S. healthcare organizations using INC ransomware.
INC Ransom, active since July 2023, has previously targeted entities like Yamaha Motor Philippines and the U.S. division of Xerox Business Solutions.
In a recent attack, Vanilla Tempest accessed healthcare networks via Storm-0494, using Gootloader malware and Supper malware for system infiltration.
Attackers utilized legitimate tools such as AnyDesk and MEGA, coupled with lateral movement through RDP and Windows Management Instrumentation to spread ransomware.
The impact includes disruptions to IT systems, patient information database access, and forced rescheduling of medical procedures.
Previously known as DEV-0832 and Vice Society, Vanilla Tempest has been involved in deploying multiple ransomware strains across several sectors.
The group was linked to the theft of patient data from Lurie Children's Hospital in Chicago by the Rhysida ransomware gang. | Details |
| 2024-09-18 18:38:50 | bleepingcomputer | CYBERCRIME | GitLab Issues Updates for Critical SAML Authentication Flaw | GitLab released security updates to address a critical SAML authentication bypass vulnerability in self-managed Community and Enterprise Editions.
The vulnerability, identified as CVE-2024-45409, involved flaws in the OmniAuth-SAML and Ruby-SAML libraries, enabling attackers to bypass authentication.
Attackers could exploit this flaw by sending manipulated SAML responses, leading to unauthorized access to GitLab instances.
Affected versions include GitLab 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10, along with all earlier releases of these branches.
Patched versions have upgraded OmniAuth SAML to version 2.2.1 and Ruby-SAML to version 1.17.0, mitigating the vulnerability.
GitLab strongly recommends upgrading to the latest versions immediately or enhancing security with two-factor authentication (2FA) if immediate upgrade is not feasible.
The issue does not affect GitLab Dedicated instances on GitLab.com, only impacting self-managed installations.
GitLab has noted signs of potential exploitation attempts, though it has not confirmed active exploitation in the wild. | Details |
| 2024-09-18 17:58:00 | theregister | NATION STATE ACTIVITY | Lebanon Experiences Fatal Explosions from Modified Wireless Devices | Lebanon has been struck by deadly explosions involving pagers and walkie-talkies, which reportedly were tampered with and triggered remotely.
The recent attacks have caused widespread casualties, with at least nine deaths and over 100 injuries reported in the latest incidents.
The Lebanese government has accused Israel of conducting these attacks, attributing them to a covert operation by Mossad and the Israeli Defense Force.
It is alleged that devices used by Hezbollah, ordered from Taiwan, were intercepted and modified by Israeli operatives to include explosives.
This tactic mirrors a previous Israeli operation in 1996 that targeted a Hamas bomb maker by planting a bomb in his cellphone.
The international community, including UN Secretary General Antonio Guterres, has expressed concern that these acts may lead to further escalation in the region.
U.S. Secretary of State Antony Blinken has emphasized the importance of avoiding actions that could exacerbate the conflict, although the U.S. claims no involvement in the plot.
Israeli Defense Minister Yoav Gallant hinted at a broader strategic shift in the conflict but did not confirm direct involvement in the bombings. | Details |
| 2024-09-18 17:01:34 | theregister | NATION STATE ACTIVITY | Chinese Spies Caught in Aerospace Firm's IT Network for Months | Chinese state-sponsored hackers infiltrated a major aerospace engineering firm's IT network, exploiting weak security on an IBM AIX server.
Initial access was gained using default administrator credentials on an exposed admin portal, leading to four months of undetected network presence.
The intruders, linked to noted Chinese espionage groups like APT40 and Volt Typhoon, sought to steal aerospace designs and manipulate the supply chain.
After detection, the firm cooperated with federal law enforcement for mitigation and to thwart further intrusions, despite facing challenges due to legacy system vulnerabilities.
Hackers achieved deep access by installing a web shell and initiating complex maneuvers within both the UNIX and Windows environments of the network.
The presence of outdated systems with insufficient security monitoring tools significantly delayed the detection of malicious activities.
Continuous attack attempts were observed, with a notable re-entry effort via a credential stuffing attack right after the initial expulsion.
The incident underscores the ongoing threat of nation-state cyber espionage aimed at critical infrastructure sectors and technology theft. | Details |
| 2024-09-18 16:05:03 | thehackernews | NATION STATE ACTIVITY | Raptor Train Botnet: Global IoT Devices Compromised by Chinese Group | Cybersecurity researchers have discovered a substantial new IoT botnet, named Raptor Train, linked to a Chinese nation-state actor Flax Typhoon.
Since May 2020, the botnet has affected over 200,000 small office/home office (SOHO) routers, DVRs/NVRs, NAS servers, and IP cameras.
Raptor Train has developed a three-tier architecture, where command and control (C2) tasks start at management nodes, pass through C2 servers, and reach compromised IoT devices.
Flax Typhoon has utilized various devices for bot recruitment across multiple countries including the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey.
The botnet leverages a custom Mirai-derived malware known as Nosedive, which lacks persistence through reboots but benefits from frequent device re-exploitation.
The management infrastructure for Raptor Train includes upwards of 60 dynamically shifting C2 servers, facilitating continued operations and infection of new devices.
Historical analysis indicates the botnet has targeted entities in sectors like military, government, telecommunications, and higher education, mainly in the U.S. and Taiwan.
Despite the sophistication and scale, no DDoS attacks linked to this botnet have been reported, suggesting different operational objectives. | Details |
| 2024-09-18 16:05:02 | bleepingcomputer | MALWARE | Massive Chinese Botnet "Raptor Train" Compromises 260,000 Devices | The Raptor Train botnet, believed to be operated by state-sponsored Chinese hackers, has infected over 260,000 networking devices globally, predominantly targeting the US and Taiwan.
Initiated in May 2020, this sophisticated multi-tiered network has compromised routers, IP cameras, and storage servers, primarily without deploying DDoS attacks—a secondary functionality of its Mirai malware variant.
U.S. cybersecurity agencies alongside the FBI have intervened, with the FBI executing court-authorized removal of the malware from thousands of affected devices, notably disrupting the botnet's operations.
The botnet architecture involves multiple layers, including exploitation, payload delivery, and command and control tiers, managing extensive infections using zero-day and known vulnerabilities.
Despite intense countermeasures, Raptor Train demonstrates resilience with fluctuating active device numbers around 60,000 and features capabilities for extensive C2 server management.
Recent campaigns in 2023 exhibited a targeted approach, recruiting specific device types and achieving significant device involvement, which enabled the botnet to evade detection by infiltrating top domain lists.
The FBI links the control of Raptor Train to the Flax Typhoon hacker group and a Chinese company, hinting at direct nation-state involvement in directing the botnet's activities.
As part of ongoing network defense, regular system updates, reboots, and vigilance against abnormal data transfers are advised to mitigate risks associated with similar botnets. | Details |
| 2024-09-18 15:54:38 | bleepingcomputer | DATA BREACH | Russian Security Firm Dr.Web Halts Services After Cyberattack | Russian anti-malware company Dr.Web disclosed a security breach occurring over the weekend, leading to a temporary suspension of virus database updates to customers.
Dr.Web detected unauthorized interference in its IT infrastructure, prompting a complete disconnection of all servers from their internal network to safeguard data and systems.
The attack began on Saturday, September 14, 2024, but was swiftly contained by Dr.Web, preventing damage to their infrastructure and keeping customer systems protected.
Comprehensive security diagnostics and measures, including deploying Dr.Web FixIt! for Linux, were initiated to analyze and eliminate the consequences of the incident.
Virus database updates were resumed on Tuesday following the breach, with assurances from Dr.Web that the security breach had not impacted any customers.
The incident adds Dr.Web to a growing list of Russian cybersecurity firms targeted in recent cyberattacks, with previous breaches reported at other major Russian security companies. | Details |
| 2024-09-18 14:01:50 | thehackernews | NATION STATE ACTIVITY | Chinese Engineer Indicted for Cyber Espionage Against NASA, Military | Chinese national Song Wu has been indicted on charges involving a long-term spear-phishing campaign targeting NASA, military, and research entities.
Employed by AVIC, a state-owned Chinese aerospace firm under U.S. sanctions, Wu allegedly aimed to obtain specialized aerospace and military software.
Charges include 14 counts of wire fraud and aggravated identity theft; Wu faces up to 20 years per wire fraud count and a consecutive two-year sentence.
Spear-phishing efforts from January 2017 to December 2021 involved impersonating U.S.-based engineers and researchers to illicitly acquire proprietary software.
Targets included employees from NASA, the U.S. Air Force, Navy, Army, and the Federal Aviation Administration, along with major U.S. universities.
The U.S. Department of Justice highlights the FBI's commitment to exposing and prosecuting international cybercriminals attempting to steal sensitive data.
A separate indictment was unsealed against Jia Wei, a PLA member, for infiltrating a U.S. communications company and installing malicious software.
The announcement coincides with a UK report on three individuals who pleaded guilty to running a website facilitating fraudulent banking transactions. | Details |