Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12797
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-09-12 05:08:02 | thehackernews | CYBERCRIME | WordPress Implements Mandatory 2FA for Plugin, Theme Developers | WordPress.org will require two-factor authentication (2FA) for all accounts with commit access to plugins and themes from October 1, 2024.
The requirement protects accounts that can push updates to millions of WordPress sites, where a single compromised maintainer account is enough to ship a malicious release to every site running the plugin.
WordPress.org is also introducing high-entropy SVN passwords that separate code-commit access from the main account credentials.
These work like application-specific passwords: tooling authenticates to SVN with the dedicated password, so the main account password is kept out of scripts and build systems.
Together, mandatory 2FA and SVN passwords address the account-takeover risk that enables large-scale supply-chain attacks through trusted plugin updates.
The change comes amid ongoing campaigns such as ClearFake, which distributes malware to WordPress users through deceptive tactics.
Site operators are advised to keep software up to date, use a web application firewall, review administrator accounts regularly, and monitor for unauthorized changes. | Details |
| 2024-09-12 02:30:14 | theregister | DATA BREACH | Healthcare Giant Settles for $65M After Patient Data Leak | Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement over a ransomware attack by the ALPHV gang that led to the leak of patients' sensitive data.
The attackers stole extensive personal information on 134,000 patients and staff, including nude photographs, Social Security numbers, and medical records.
LVHN declined to pay the ransom, and the criminals published the stolen data online.
The exposure prompted a class-action lawsuit alleging that LVHN put financial considerations ahead of patient privacy and security.
The claims centered on violations of the Health Insurance Portability and Accountability Act (HIPAA) and a failure of the hospital's duty of care.
The settlement divides affected patients into tiers, with the highest payments, $70,000 to $80,000, going to those whose nude photos were leaked.
It is one of the largest per-patient settlements in a ransomware-related healthcare data breach. | Details |
| 2024-09-11 22:46:28 | theregister | CYBERCRIME | Ransomware Attacks Disrupt Schools in UK and US, Impacting Thousands | Ransomware attacks have halted operations at schools in the United States and the United Kingdom, affecting thousands of students from kindergarten through high school.
In the US, Highline Public Schools in the Seattle area detected unauthorized activity on its network and shut down all school functions, including online services and upcoming classes.
In the UK, Charles Darwin School suffered a ransomware attack that left internet, email, and other school systems down for three weeks.
The BlackSuit ransomware gang, believed to be an offshoot of the defunct Conti group, claimed the Charles Darwin School attack and says it stole 200GB of sensitive data.
Both institutions have brought in cybersecurity specialists and law enforcement to manage the fallout and, where possible, restore systems.
The incidents underscore how exposed educational institutions are to ransomware and the need for preventive controls and tested contingency plans. | Details |
| 2024-09-11 21:09:42 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target Python Developers with Malware | North Korea's Lazarus Group is using fake recruiter outreach to deliver malware to Python developers under the guise of a coding test.
The malicious projects are hosted on GitHub with detailed instructions designed both to rush applicants and to make the assignment look legitimate.
Targets are approached mainly through LinkedIn with offers of jobs at prominent U.S. banks such as Capital One.
The "test" is a trojanized password-manager application that, once run, downloads further payloads from a command-and-control server.
The tight deadline discourages victims from inspecting the code for malicious or obfuscated content before executing it.
ReversingLabs, which tracks the activity as the "VMConnect campaign", found it still active as of July 31.
Developers are advised to verify the identity of anyone offering work and to review and run unsolicited code only in an isolated environment. | Details |
| 2024-09-11 18:47:11 | theregister | MALWARE | Meow Ransomware Group Shifts Tactics, Focuses on Data Sales | The Meow ransomware group, originally a Conti offshoot, has become the second most active operation after a major rebrand and a change of business model.
Rather than encrypting files, Meow now concentrates on stealing victim data and selling it.
Stolen data is offered at varying prices, including a higher tier that promises exclusive access, although the group's own operational details cast doubt on whether that exclusivity is honored.
Selling data outright, rather than using it for double extortion, may signal a new direction for ransomware operations.
Check Point Research doubts the model's profitability and suggests it is more about differentiation and marketing than revenue.
RansomHub has meanwhile become the leading ransomware operation, notably through sophisticated attacks on VMware ESXi environments.
Whether Meow's shift pays off in the long term, or costs it market position as defenses improve, remains an open question. | Details |
| 2024-09-11 18:06:03 | theregister | CYBERCRIME | Ransomware Attack Targets World's Largest Bank in London | The Hunters International ransomware gang claims to have stolen more than 5.2 million files from the London branch of the Industrial and Commercial Bank of China (ICBC).
The allegedly stolen data totals 6.6 terabytes and is said to include highly sensitive financial information.
Hunters International has given ICBC until September 13 to meet its ransom demand, after which it says it will publish everything.
ICBC, a state-owned entity, is the world's largest bank by assets, with $6.3 trillion in assets and annual revenue of around $113 billion.
Financial institutions are attractive ransomware targets because the sensitivity of their data increases the pressure to pay.
Hunters International, a relatively new ransomware-as-a-service operation, has claimed more than 134 victim organizations worldwide this year, excluding targets in Russia.
Neither the authenticity of the stolen data nor ICBC's response to the demand has been officially confirmed. | Details |
| 2024-09-11 17:45:27 | bleepingcomputer | MALWARE | Adobe Fixes Critical Zero-Day in Acrobat Reader, Urges Update | Adobe has released a patch for a critical zero-day in Acrobat Reader, tracked as CVE-2024-41869, that allows remote code execution.
The bug is a use-after-free triggered when a specially crafted PDF is opened, which an attacker can turn into execution of arbitrary code.
A proof-of-concept exploit, still under development and carrying no malicious payload, had already been circulating publicly.
The flaw was first detected by researcher Haifei Li's EXPMON, a sandbox-based platform that looks for exploit behaviour and vulnerability triggers rather than traditional malware.
Multiple samples containing the exploit were submitted to EXPMON, which flagged them and led to the disclosure to Adobe.
Adobe's initial fix in August was incomplete, as the bug could still be triggered; the latest update fully addresses it.
Li plans to publish details of the detection on the EXPMON blog and in a Check Point Research report. | Details |
| 2024-09-11 17:35:04 | bleepingcomputer | CYBERCRIME | WordPress Mandates 2FA for Plugin Developers by October | WordPress.org will require two-factor authentication (2FA) for developer accounts with commit access starting October 1.
The policy protects the accounts that can publish theme and plugin updates, and by extension the millions of sites that install them.
The goal is to prevent an account compromise from turning into a supply-chain attack delivered through a malicious plugin or theme update.
WordPress.org is also introducing SVN-specific passwords that separate commit access from the main account credentials.
Plugin authors who deploy through scripts, such as GitHub Actions workflows, must update them to authenticate with the new SVN password.
The changes are part of a broader effort that includes high-entropy SVN passwords and deployment-time security features to strengthen the platform's integrity.
WordPress is a widely used open-source platform whose theme and plugin ecosystem supports a large share of websites. | Details |
| 2024-09-11 16:23:35 | thehackernews | NATION STATE ACTIVITY | Quad7 Botnet Targets Routers and VPNs, Suspected State Ties | The Quad7 botnet, also known as 7777, has expanded by compromising SOHO routers and VPN appliances through both known and previously unknown vulnerabilities.
Affected devices span manufacturers including TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR, reflecting the botnet's broad targeting.
Researchers report a new backdoor, UPDTAE, that gives the operators an HTTP-based reverse shell for remote control and command execution.
First documented in October 2023, the activity has been tentatively linked to Chinese state-sponsored operators, with a shift toward malware deployment for greater stealth.
The botnet appears to be part of a wider effort to compromise devices globally, with significant numbers of infections in Bulgaria, the U.S., and Ukraine.
Researchers have observed the botnet brute-forcing Microsoft 365 and Azure accounts, hinting at objectives beyond device compromise.
How the operators use the various botnet clusters remains unclear, though the deliberate malware deployment suggests preparation for more extensive operations. | Details |
| 2024-09-11 15:42:41 | thehackernews | CYBERCRIME | DragonRank's SEO Manipulation Targets IIS Servers in Asia, Europe | A Chinese-speaking cybercrime group tracked as DragonRank has been compromising Internet Information Services (IIS) servers across Asia and Europe for black hat SEO.
The campaign deploys the BadIIS malware on compromised servers and repurposes them as relay points for malicious traffic and search-ranking fraud.
DragonRank gains initial access by exploiting vulnerabilities in widely used web applications such as phpMyAdmin and WordPress, then deploys the ASPXspy web shell.
The malware can masquerade as Google's search crawler to evade detection and manipulates the content served to search engines, boosting the rankings of selected websites.
Victims span jewelry, media, healthcare, IT services, and other industries, suggesting opportunistic rather than sector-specific targeting.
Beyond the initial compromise, the group expands its control within networks using backdoors such as PlugX and credential-access tools such as Mimikatz.
The group communicates with its clients over Telegram and the QQ instant messaging service, tailoring SEO manipulation to each target demographic.
Cisco Talos highlights the adaptability and growing sophistication of IIS malware and the increased risk it poses to web servers worldwide. | Details |
| 2024-09-11 14:05:35 | bleepingcomputer | MISCELLANEOUS | Criminal IP and IPLocation.io Enhance IP Analysis Capabilities | Criminal IP has integrated its IP address risk data into IPLocation.io, extending the latter's IP analysis tools.
IPLocation.io users now get threat insights from Criminal IP's machine-learning-backed threat intelligence database.
The integration goes beyond geolocation to include Snort intrusion-detection data and vulnerability assessments of open ports.
New VPN and proxy checks help spot discrepancies in an IP's reported location, which can indicate evasion.
Tor data is included to identify traffic routed for anonymity, which carries a higher likelihood of malicious activity.
Criminal IP's analysis also offers predictive indicators of future threats based on observed evasion patterns and attack scenarios.
AI SPERA, Criminal IP's parent company, continues to develop security tools and holds industry certifications such as PCI DSS v4.0.
The partnership is pitched as an advance in self-service IP risk assessment based on observed evidence and machine-learning classification. | Details |
| 2024-09-11 13:44:53 | bleepingcomputer | CYBERCRIME | Singapore Arrests Seven Linked to International Cybercrime Syndicate | Six Chinese nationals and one Singaporean have been arrested for involvement in a global cybercrime syndicate.
The operation in Singapore seized numerous electronic devices loaded with hacking tools and illegally obtained access credentials.
Authorities also identified stolen personally identifiable information (PII) during the raids.
Approximately $1.39 million in cash and cryptocurrency was confiscated as evidence.
The arrests were carried out by 160 officers from units including the Singapore Police Force and the Internal Security Department.
The PlugX malware found in the operation is best known for its use in cyber espionage by Chinese state-sponsored groups.
No link to specific groups such as APT10 or APT41 has been confirmed, although PlugX has been associated with both in the past. | Details |
| 2024-09-11 13:34:25 | theregister | RANSOMWARE | Ransom Paid But Decryptor Fails: A Hazard Ransomware Case Study | Executives at an undisclosed company paid a ransom to recover critical encrypted files, only to find that the decryptor they received did not work.
After several decryptor versions failed to restore the data, the organization brought in GuidePoint Security.
The ransomware crew, tracked as Hazard, stopped responding once it had delivered the non-functional tools.
GuidePoint eventually recovered the files by modifying the decryptor binary and applying brute-force techniques, underlining how uncertain the return on a ransom payment is.
Even after paying, victims can face major obstacles and permanent data loss; payment does not guarantee recovery.
The case illustrates both the technical and the ethical difficulties of dealing with ransomware operators.
Security professionals stress preparedness for ransomware before an incident rather than reliance on a criminal's decryptor afterwards. | Details |
| 2024-09-11 12:12:56 | thehackernews | CYBERCRIME | Singapore Arrests Six in Global Cybercrime Syndicate Operation | The Singapore Police Force has detained six people, five Chinese nationals and one Singaporean, linked to a global cybercrime syndicate.
About 160 officers took part in simultaneous raids at multiple locations on September 9, 2024.
Seized items include electronic devices, more than S$24,000 in cash, and roughly US$850,000 in cryptocurrency.
One suspect had a laptop with access to web servers used by known hacking groups.
Other items recovered included personal data relating to foreign ISPs, hacking tools, and malware control software such as PlugX.
All six have been charged under Singapore's Computer Misuse Act 1993, with offenses including unauthorized access and the retention of stolen personal data and malware.
The operation underscores Singapore's firm stance against the use of its territory for illegal cyber activity. | Details |
| 2024-09-11 11:06:28 | theregister | NATION STATE ACTIVITY | Security Flaw Exposed by Expired Domain Purchase at Black Hat | Researchers from watchTowr Labs demonstrated at Black Hat how stale trust in the WHOIS ecosystem can be hijacked.
For $20 they registered the expired domain that had previously hosted the .mobi WHOIS server and stood up their own WHOIS server on it, which immediately began receiving queries from critical systems worldwide.
The server received more than 2.5 million queries, including from government, military, and educational networks and from major cyber security firms.
Many WHOIS clients and services had never been updated from the old .mobi WHOIS server hostname to the registry's current one, so they trusted whatever the researchers' server returned.
Some certificate authorities use WHOIS contact data when validating domain ownership, so the server could have been used to obtain certificates for domains such as google[.]mobi and microsoft[.]mobi, a capability a nation-state would value.
The incident exposes a weakness in internet infrastructure, in particular in how SSL/TLS certificate issuance relies on data it cannot verify.
The team stressed how easily the weakness could have been abused had the domain fallen into less scrupulous hands.
The episode points to a broader problem with the reliability of legacy internet protocols and the trust placed in the processes behind digital encryption. | Details |
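For the DragonRank entry above, the practical check for a web server suspected of hosting BadIIS-style SEO fraud is to request the same URL as a browser and as a search crawler and compare what comes back: injected links and rewritten text show up only in the crawler's copy. The following is an added example, not code from Cisco Talos or from the page; the two HTML documents in it are constructed, every hostname in them is invented, and the User-Agent strings and similarity threshold are assumptions.

```python
"""Detect search-engine cloaking by comparing the page served to a browser
User-Agent with the page served to a crawler User-Agent.

Added example for the DragonRank/BadIIS entry; not Cisco Talos code.  The two
HTML documents below are constructed, and every hostname in them is invented.
"""
import difflib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit
import urllib.request

# Assumed User-Agent strings; any current browser/crawler pair will do.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/129.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _PageScan(HTMLParser):
    """Collect anchor hrefs and visible text from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
        self.text: List[str] = []
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def scan(html: str) -> _PageScan:
    p = _PageScan()
    p.feed(html)
    p.close()
    return p


def link_hosts(html: str) -> Set[str]:
    """Hostnames of every absolute link on the page (lower-cased)."""
    hosts = set()
    for href in scan(html).hrefs:
        host = urlsplit(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def cloaking_report(browser_html: str, crawler_html: str,
                    min_similarity: float = 0.8) -> Dict[str, object]:
    """Compare the two responses.  Hosts linked only in the crawler version are
    the signature of injected SEO links; a large drop in visible-text similarity
    catches pages that are rewritten with keywords rather than links."""
    crawler_only = sorted(link_hosts(crawler_html) - link_hosts(browser_html))
    ratio = difflib.SequenceMatcher(
        None, " ".join(scan(browser_html).text), " ".join(scan(crawler_html).text)
    ).ratio()
    return {
        "text_similarity": round(ratio, 3),
        "crawler_only_hosts": crawler_only,
        "cloaked": bool(crawler_only) or ratio < min_similarity,
    }


def fetch_as(url: str, user_agent: str, timeout: float = 15.0) -> str:
    """Fetch `url` with the given User-Agent (network; not used by the offline test)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_url(url: str) -> Dict[str, object]:
    """Fetch the page as a browser and as Googlebot and diff the two."""
    return cloaking_report(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


# Constructed samples: what a clean server returns, and what a server running
# SEO-fraud malware might return to a crawler.  All hostnames are invented.
BROWSER_PAGE = """<html><head><title>Acme Jewelers</title>
<script>var x = 1;</script></head>
<body><h1>Acme Jewelers</h1><p>Handmade rings and necklaces.</p>
<a href="https://www.acme-jewelers.example/rings">Rings</a>
<a href="/contact">Contact</a></body></html>"""

CRAWLER_PAGE = """<html><head><title>Acme Jewelers</title>
<script>var x = 1;</script></head>
<body><h1>Acme Jewelers</h1><p>Handmade rings and necklaces.</p>
<a href="https://www.acme-jewelers.example/rings">Rings</a>
<a href="/contact">Contact</a>
<div style="display:none">
<a href="https://casino-promo.example/win">online casino bonus</a>
<a href="http://cheap-pills.example/">buy pills online</a></div></body></html>"""

if __name__ == "__main__":
    print(cloaking_report(BROWSER_PAGE, CRAWLER_PAGE))
```

Two caveats when running `check_url` against real servers: sites that legitimately pre-render for crawlers will differ in markup, so treat the similarity threshold as a tuning knob and rely mainly on the crawler-only link hosts; and malware that validates the crawler by source address rather than User-Agent will serve the clean page to this check, so compare against what the search engine itself has indexed for the URL as well.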
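The watchTowr entry above turns on a single bad habit: WHOIS clients and services that hard-code a registry's WHOIS hostname and keep using it after the registry moves. The fix on the client side is to ask IANA for the current authoritative server at query time and to audit any hard-coded table against that answer. The following is an added example, not watchTowr's code; the IANA record in it is constructed for the offline test (only its `whois:` value, `whois.nic.mobi`, is what IANA publishes for .mobi), and the stale hostname in the hard-coded table is invented.

```python
"""Resolve the authoritative WHOIS server for a TLD from IANA at query time
instead of trusting a hard-coded hostname.

Added example for the watchTowr/.mobi entry; not watchTowr's code.  The IANA
response below is constructed for the offline test; the stale hostname in
HARDCODED_SERVERS is invented.
"""
import socket
from typing import Dict, Optional, Tuple

IANA_WHOIS = "whois.iana.org"


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """One WHOIS exchange (RFC 3912): send the query plus CRLF on TCP/43 and
    read until the server closes the connection.  Network; not used in the test."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(iana_response: str) -> Optional[str]:
    """Extract the 'whois:' field from an IANA TLD record.  IANA's format is
    'key: value' lines, with comment lines starting with '%'."""
    for line in iana_response.splitlines():
        if line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "whois":
            return value.strip() or None
    return None


def authoritative_server(tld: str) -> Optional[str]:
    """Ask IANA which server is authoritative for `tld` right now."""
    return parse_referral(whois_query(IANA_WHOIS, tld.lstrip(".").lower()))


def stale_referrals(hardcoded: Dict[str, str],
                    current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return the TLDs whose hard-coded WHOIS server no longer matches IANA.
    A stale entry keeps sending queries to a hostname the registry abandoned;
    if that hostname's domain lapses, whoever re-registers it answers them."""
    stale = {}
    for tld, old in hardcoded.items():
        new = current.get(tld)
        if new and old.lower() != new.lower():
            stale[tld] = (old, new)
    return stale


# Constructed IANA record for the offline test, trimmed to the fields that matter.
SAMPLE_IANA_MOBI = """% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       MOBI

whois:        whois.nic.mobi

status:       ACTIVE
"""

# Invented stale referral table of the kind found in old WHOIS clients.
HARDCODED_SERVERS = {
    "mobi": "whois.old-mobi-registry.example",
    "com": "whois.verisign-grs.com",
}

if __name__ == "__main__":
    current = {tld: authoritative_server(tld) for tld in HARDCODED_SERVERS}
    print(stale_referrals(HARDCODED_SERVERS, {k: v for k, v in current.items() if v}))
```

Resolving through IANA removes the stale-hostname failure but not the underlying trust problem: WHOIS runs over plain TCP with no authentication of the server, so whoever answers on port 43 is believed. WHOIS output should therefore never be the sole input to a security decision such as certificate issuance, which is exactly the misuse the researchers described.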