Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-17 23:51:17 | theregister | DATA BREACH | Consulting Firms Settle for $11.3M in COVID-19 Data Breach Case | Guidehouse and Nan McKay and Associates (NMA) agreed to pay $11.3 million to settle allegations related to cybersecurity failures. The settlements stem from inadequate cybersecurity testing of New York's Emergency Rental Assistance Program (ERAP) during the COVID-19 pandemic. Both firms failed to effectively test the ERAP system before deployment, and sensitive data leaked shortly after the system went live. About 12 hours post-launch, it was discovered that personal information was leaking onto the internet. Although an investigation indicated no unauthorized use of Personally Identifiable Information (PII), the exposure triggered a formal "Information Security Breach" protocol. In addition to the data breach, Guidehouse admitted to using unauthorized third-party cloud software for storing PII. The US Attorney emphasized the importance of fulfilling cybersecurity obligations, especially when handling sensitive information under federal contracts. | Details |
| 2024-06-17 22:34:15 | bleepingcomputer | MALWARE | Malware Disguised as Fixes in Fake Chrome and Word Errors | A new malware campaign uses fake error messages from popular applications like Google Chrome, Microsoft Word, and OneDrive to deceive users into running malicious PowerShell scripts. The campaign involves various threat actors, including ClearFake, ClickFix, and TA571, noted for their spam operations that spread malware and ransomware. The method relies on social engineering to convince users that there is a legitimate issue with their software, offering a PowerShell "fix" as a solution, which instead installs malware. Techniques employed in these attacks include malicious overlays on websites, deceptive JavaScript in HTML attachments, and emails masquerading as official documents that prompt PowerShell command execution. Representative malware payloads delivered by these scripts include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. Proofpoint analysts identified three primary attack chains, suggesting progressive refinement and testing of techniques to increase infection rates. Overall, attackers exploit user trust and lack of technical awareness, coupled with Windows' limitations in blocking such intrusions initiated by PowerShell. | Details |
| 2024-06-17 20:16:30 | theregister | CYBERCRIME | Federal Arrests Target Leaders of $430M Dark Web Marketplace | Federal agents arrested Thomas Pavey and Raheim Hamilton, alleged operators of the dark-web marketplace Empire Market, accused of facilitating illegal transactions valued at over $430 million. Empire Market, active from 2018 through 2020, offered a wide range of illicit goods including drugs, stolen account credentials, counterfeit money, and malware. The marketplace supported an ecosystem of thousands of vendors and was accessed via specialized software, with transactions exclusively in cryptocurrency to maintain anonymity. The site encouraged the use of cryptocurrency tumblers to obscure the origins of transaction funds, complicating efforts by law enforcement to trace illegal activities. In addition to the current charges, Pavey and Hamilton were previously involved in selling counterfeit U.S. currency on another now-defunct dark-web market, AlphaBay. Authorities seized $75 million in cryptocurrency, along with cash and precious metals, during the investigation. The charges against the individuals include drug trafficking, computer fraud, and money laundering, among others, and could lead to life imprisonment. Both suspects remain detained awaiting federal arraignment. | Details |
| 2024-06-17 20:00:50 | bleepingcomputer | CYBERCRIME | Panera Bread Likely Paid Ransom in Recent Cyberattack | Panera Bread likely paid a ransom following a ransomware attack in March, which disrupted its operations for a week. The attack encrypted all virtual machines, affecting Panera's website, mobile app, point-of-sale, and internal systems. Data including employee names and social security numbers was stolen, and Panera began sending data breach notifications to affected parties. Internal communications suggested Panera received assurances that the stolen data would be deleted and not published. An alleged employee claimed on Reddit that Panera paid the hackers to avoid the public leak of stolen data. No ransomware gang has claimed responsibility for the attack or threatened to leak the data, which is unusual if no payment was made. Ransomware attacks often involve data theft and encryption, using this leverage to demand payment for data deletion and decryption. Paying a ransom does not guarantee data deletion; threat actors may not fulfill their promises, as seen in other recent incidents. | Details |
| 2024-06-17 17:47:28 | theregister | DATA BREACH | Blackbaud Settles for $6.75 Million Over 2020 Cybersecurity Failings | Blackbaud, a cloud software company, agreed to pay $6.75 million in a settlement with California's attorney general for cybersecurity negligence during a 2020 ransomware attack. The attorney general criticized Blackbaud for insufficient cybersecurity measures and for misleading the public about the breach's impact, which involved personal data exposure. Although it settled with the Federal Trade Commission without a fine, Blackbaud previously settled similar allegations with 49 other states and the District of Columbia for $49.5 million. The ransomware breach resulted in unauthorized access to the sensitive personal information of millions, including social security numbers and medical details. Critical allegations included the use of weak or default passwords and the lack of multi-factor authentication for accessing sensitive areas. The settlement requires Blackbaud to enhance its security practices, including better password management, data retention, and infrastructure monitoring. This is viewed as the final U.S. settlement related to Blackbaud's 2020 incident, following multiple prior state settlements and a smaller fine to the SEC. | Details |
| 2024-06-17 17:42:03 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Espionage Group Exploits F5 BIG-IP for Data Theft | Suspected Chinese hackers, dubbed 'Velvet Ant,' utilized custom malware on compromised F5 BIG-IP devices to establish persistent network access and clandestinely exfiltrate sensitive data for three years. The hacking group exploited vulnerabilities in outdated F5 BIG-IP appliances used for firewall management and network load balancing, which were exposed online. Velvet Ant deployed various malware, including a modular remote access Trojan (RAT) called PlugX, traditionally favored by Chinese cyber actors for data harvesting. The attackers disguised their malicious traffic as legitimate, enabling them to bypass corporate security measures and continuously steal customer and financial information without detection. Despite initial eradication efforts by security professionals at Sygnia, the hackers redeployed their tools with updated configurations to evade detection and maintain their foothold. Sygnia underscored the critical need for a layered, comprehensive security strategy for network devices, which are often targets for initial breaches. The report indicated a worrying trend in 2023, where China-linked hackers increasingly exploited network infrastructure vulnerabilities across various devices to gather intelligence and infiltrate further into target networks. | Details |
| 2024-06-17 14:43:18 | thehackernews | MALWARE | ASUS Addresses Critical Security Flaws in Router Software | ASUS has released updates for critical security vulnerabilities in its routers, notably CVE-2024-3080 (CVSS score: 9.8). The flaw allows unauthenticated remote attackers to bypass authentication mechanisms on some router models. Another related high-severity vulnerability, CVE-2024-3079 (CVSS score: 7.2), enables attackers with admin privileges to run arbitrary commands. An exploit chain using both CVE-2024-3080 and CVE-2024-3079 could allow attackers to bypass security and execute malicious code. An additional vulnerability, CVE-2024-3912, which could let attackers upload files and execute commands remotely, was patched by ASUS in January. Users are urged to update their router software to the latest version to protect against these security threats. The updated security measures are part of ASUS's ongoing efforts to maintain strong cybersecurity defenses in its devices. | Details |
| 2024-06-17 14:17:09 | bleepingcomputer | CYBERCRIME | British Cybercriminal Linked to Scattered Spider Arrested in Spain | A 22-year-old British national allegedly part of the Scattered Spider hacking group was arrested in Palma de Mallorca, Spain. The individual is accused of leading a cybercrime gang that stole data and cryptocurrencies through phishing and SIM-swapping strategies, targeting 45 U.S. companies. Authorities allege the group successfully stole $27 million in cryptocurrencies, using compromised access credentials to reach sensitive information and digital wallets. The arrest occurred at Palma airport as the suspect was about to depart for Naples, facilitated by a tip-off and an International Arrest Warrant from the FBI. Confiscated electronic devices, including a laptop and mobile phone, are undergoing forensic analysis for further evidence. Although officially unconfirmed, there are reports linking the suspect to Scattered Spider, a group known for its involvement with the Russian BlackCat ransomware gang and significant breaches such as the MGM Resorts attack. The operation highlights ongoing international cooperation in combating sophisticated cybercrime networks. | Details |
| 2024-06-17 13:05:29 | theregister | CYBERCRIME | Arrest of Alleged Cybercrime Gang Leader in Spain | Spanish police detained a 22-year-old British man believed to be the leader of the Scattered Spider cybercrime gang as he was about to fly to Naples. The investigation that led to his arrest began in May 2023, following a tip from the FBI concerning his activities in Spain. He is accused of orchestrating attacks on 45 companies in the U.S., including high-profile SIM-swapping and casino heists. At the time of arrest, police confiscated a laptop and mobile phone; the suspect allegedly amassed about $26 million from cybercrimes. Another gang member, Noah Michael Urban, was arrested earlier in January and faces multiple charges linked to cybercrimes. Scattered Spider, primarily composed of young English-speaking adults, has evolved its operations from SIM-swapping to ransomware and pure extortion schemes. Despite recent arrests, the gang continues its illegal activities, including recent attacks targeting virtual machines and SaaS apps for data theft. | Details |
| 2024-06-17 12:03:52 | thehackernews | NATION STATE ACTIVITY | Prolonged Espionage Campaign by China-Linked Hackers on East Asian Firm | The suspected China-nexus cyber espionage group Velvet Ant targeted an East Asian organization for three years using compromised F5 BIG-IP devices. Velvet Ant used the F5 devices as internal command-and-control hubs to persistently collect sensitive customer and financial data. The attackers employed PlugX, a known Chinese-linked modular RAT, utilizing DLL side-loading for initial device infiltration. Two versions of PlugX were deployed: one with external C&C for data exfiltration and another configured without C&C for operation on legacy servers. The campaign involved disabling endpoint security and utilizing tools like Impacket for lateral movement within the network. Forensic analysis revealed additional tools such as PMCD for command execution and EarthWorm for network packet capture and tunneling. The exact method of initial penetration, either spear-phishing or exploitation of known vulnerabilities, is currently unidentified. This incident is part of a broader pattern of China-linked cyber operations targeting Asia to gather intelligence. | Details |
| 2024-06-17 11:33:05 | thehackernews | MISCELLANEOUS | Understanding DevSecOps: Essential Strategy for Secure Software | DevSecOps integrates security throughout the software development lifecycle, enhancing collaboration among development, security, and operations teams. By embedding security early in development processes ("shift security left"), DevSecOps enables early vulnerability detection and compliance with regulatory requirements. Traditional security practices, conducted at the end of the development cycle, are inefficient and risk production delays due to the late discovery of vulnerabilities. DevSecOps necessitates profound cultural shifts for success, emphasizing shared responsibility and continuous collaboration across departments. The approach leverages automated tools, AI, and continuous security testing strategies to maintain high development velocity while ensuring software security. Effective DevSecOps implementation helps in managing and securing the increased use of open source and third-party software components in applications. Organizations are compelled to adopt DevSecOps due to increasing regulatory pressures and the evolving threat landscape targeting software vulnerabilities. | Details |
| 2024-06-17 11:22:42 | theregister | MISCELLANEOUS | AWS Enforces MFA for Enhanced Security Across Cloud Services | Amazon Web Services (AWS) announced mandatory multi-factor authentication (MFA) for privileged account users starting in 2024, with a phased implementation beginning in July for standalone account root users. The new security measure will initially target management account root users within AWS Organizations, a change ongoing since May this year. Users affected by this change will have a 30-day grace period to enable MFA, after which access will be denied until MFA is activated. AWS supports using FIDO2 passkeys, allowing authentication via biometrics or device PINs across multiple devices through systems such as Apple Touch ID and Windows Hello. The initiative responds to an observed increase in credential-based attacks, including credential stuffing, credential spraying, and brute-force attacks, where MFA could significantly reduce vulnerabilities. Instances of major security breaches at companies like Pure Storage, Ticketmaster, and Santander Bank, which failed to implement MFA, underscore the importance of this security step. AWS's implementation of MFA and support for FIDO2 passkeys are part of broader efforts by major tech companies to enhance product security over the next year. | Details |
| 2024-06-17 10:41:42 | theregister | DATA BREACH | UK Gym's Unprotected Database Leaks Member Images and Data | A cybersecurity researcher discovered that UK health club chain Total Fitness exposed over 474,000 images of members and staff due to an unsecured database. The unprotected 47.7GB database contained not only images but also sensitive information including identity documents, bank details, and immigration records. Total Fitness, which operates 15 clubs across northern England and Wales, admitted the exposed data was used for legitimate business purposes but contained more personal information than initially claimed. The company has since locked down the database, conducted a thorough review of the images and removed those that included identifiable data, ensuring member images are not linked to other identifying data. Despite Total Fitness's claims, the database was left unsecured for an extended period, potentially since March 2021, exposing members to risks associated with identity theft and digital impersonation. The company reported the incident to the UK's Information Commissioner's Office (ICO) and is supporting ongoing investigations. The incident highlights the larger issue of AI and deepfake technology misusing personal images, raising concerns over digital identity security and privacy in online environments. | Details |
| 2024-06-17 06:36:47 | theregister | CYBERCRIME | UNC3944 Cyber Gang Shifts Tactics to Target SaaS and Cloud Platforms | UNC3944, previously involved in ransomware, has shifted focus to data theft extortion without using ransomware. The group employs social engineering and fearmongering, including threats of doxxing and physical harm, to manipulate help desk staff into resetting credentials. They exploit SaaS applications like VMware vCenter, CyberArk, Salesforce, and Office 365 to gain access and create virtual machines. These virtual environments within victim infrastructures enable persistent operations and are used to exfiltrate data. Mandiant's report emphasizes the usage of tools like Airbyte and Fivetran by UNC3944 to transfer stolen data into cloud storage they control. Increased vigilance and monitoring are suggested, particularly around SaaS applications and MFA re-registration processes. Mandiant advises centralizing logs and enhancing logging capabilities for detecting malicious activities in SaaS environments. | Details |
| 2024-06-17 06:31:28 | thehackernews | MALWARE | Legitimate Sites Compromised to Spread BadSpace Malware via Fake Updates | Legitimate websites, including those based on WordPress, have been compromised to distribute a Windows backdoor known as BadSpace, using deceptive browser update notifications. The malware deployment involves a multi-stage attack sequence initiated by visiting a compromised website, which leads to the execution of a JScript downloader and installation of the backdoor. During a victim's first visit to the compromised site, the site's embedded code collects device data such as IP address and location, and sends it to a malicious domain. A fake Google Chrome update pop-up is then used to either drop the malware directly or download further malicious components. BadSpace is linked to a known malware called SocGholish or FakeUpdates, which also spreads through similar fake update prompts. Features of BadSpace include anti-sandboxing techniques, data theft, the ability to execute commands and take screenshots, and maintaining persistence on the infected system through scheduled tasks. Security firms eSentire and Sucuri have issued warnings regarding ongoing campaigns that employ fake browser updates to implant malware. | Details |