Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11821
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-17 14:48:23 | bleepingcomputer | DATA BREACH | WebTPA Data Breach Affects Over 2.4 Million Insurance Clients | WebTPA experienced a data breach impacting approximately 2.4 million policyholders across various large insurance providers including The Hartford, Transamerica, and Gerber Life Insurance. The breach occurred between April 18 and April 23, 2023, with unauthorized access detected on December 28, 2023, prompting an immediate investigation. Affected data includes personal information, though financial details and medical records were not exposed. WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, alerted affected insurance companies and their customers starting March 25, 2024. WebTPA has provided affected individuals with two years of credit monitoring, identity theft protection, and fraud consultation services available through Kroll until August 1st. Although there is no evidence so far that the exposed data has been misused, affected individuals are advised to stay vigilant and consider additional precautions such as placing a security freeze on their credit files. | Details |
| 2024-05-17 11:44:57 | thehackernews | NATION STATE ACTIVITY | Advanced Persistent Threat: China-Linked Cyber Espionage Analysis | Cybersecurity researchers have analyzed advanced malware tactics by the BlackTech group, linked to China, targeting the Asia-Pacific region. The group has been deploying a new remote access trojan (RAT) called Deuterbear, which is an evolved version of the earlier Waterbear malware. Deuterbear employs a sophisticated two-stage infection tactic using HTTPS for communication and incorporates advanced evasion techniques like shellcode plugins and anti-memory scanning. The BlackTech group, active since at least 2007, uses malware to conduct cyber espionage, extracting sensitive information from key regional entities. Deuterbear has streamlined many commands of its predecessor, focusing on modular, plugin-based expansion to enhance functionality. Parallel disclosures reveal a highly targeted cyber campaign against the U.S. AI sector, utilizing another RAT named SugarGh0st, suggesting a broader spectrum of espionage. These findings highlight ongoing cybersecurity threats posed by nation-state actors and the continuous evolution of their methodologies and targets. | Details |
| 2024-05-17 11:39:39 | theregister | CYBERCRIME | Law Enforcement Intensifies Cybercrime Takedowns, Targets Top Forums | Recent operations have taken down high-profile cybercrime forums such as BreachForums, following successful actions against the LockBit ransomware group. Efforts led by the FBI have showcased a shift towards more aggressive tactics, including publicizing control over criminal websites and publicly identifying suspects. Despite the shutdown of forums like RaidForums and BreachForums, challenges in completely dismantling these organizations persist, particularly when the operators are in countries providing safe harbor. The effectiveness of these police actions varies, with some leading to significant operational disruptions and others potentially moving towards full dismantlement by arresting key operators. Law enforcement continues to face challenges in fully dismantling cybercrime networks due to difficulties in attributing crimes to specific individuals and securing cooperation from countries harboring cybercriminals. The ongoing battle against cybercrime groups like Scattered Spider highlights the long-term, complex nature of cybercrime investigations and enforcement activities. Security experts emphasize the difference between disruption (temporary setbacks for criminal networks) and dismantlement (comprehensive breakdown of networks), with the latter being significantly harder to achieve. | Details |
| 2024-05-17 11:34:23 | thehackernews | MISCELLANEOUS | Report Highlights Misconfigurations as Main Security Threat in 2024 | A new report by XM Cyber, Navigating the Paths of Risk, reveals significant security insights based on attack path assessments done in 2023. Over 40 million exposures were identified, affecting millions of business-critical assets, with data analyzed by Cyentia Institute. Findings show that 80% of security exposures are due to identity and credential misconfigurations rather than CVE vulnerabilities, which make up less than 1%. Key threats include shared folder poisoning and usage of common local credentials across multiple devices, overshadowing CVE-based vulnerabilities in threat significance. While 74% of exposures are "dead ends" offering minimal risk, focus should be on the 26% that could allow attackers to reach and compromise crucial assets. Choke points, critical junctions in attack paths, make up only 2% of threats but are pivotal due to their potential to expose a significant portion of valuable assets. Security strategies need to prioritize ongoing exposure management and shift from a broad vulnerability focus to targeting specific high-risk exposures. | Details |
| 2024-05-17 10:17:53 | bleepingcomputer | NATION STATE ACTIVITY | Five Arrested in Cyber Fraud to Fund North Korea's Arms | The U.S. Department of Justice charged five individuals with conducting cyber schemes to generate funds for North Korea's nuclear weapons programs. Charges include conspiracy to defraud the U.S., aggravated identity theft, and various fraud charges, with maximum prison sentences of up to 97.5 years. Two key suspects, an American and a Ukrainian, managed operations including "laptop farms" to mask North Korean IT workers as U.S. remote employees. North Korean operatives, using stolen U.S. identities, secured jobs at Fortune 500 companies, compromising over 300 U.S. businesses and 60 U.S. identities. Operations led to substantial tax liabilities for dozens of Americans and garnered millions in revenue, which was funneled back to support North Korea's nuclear ambitions. The U.S. has issued rewards for information on the suspects and has released new advisories on identifying and combatting similar schemes. This international cybercrime incident has significant implications for national security, corporate data safety, and international law enforcement collaboration. | Details |
| 2024-05-17 08:50:59 | thehackernews | NATION STATE ACTIVITY | North Korean APT Targets South Korea with Linux Backdoor | The Kimsuky APT group, associated with North Korea, has deployed a Linux backdoor, Gomir, targeting South Korean organizations. Gomir is structurally similar to the previously known GoBear backdoor, sharing significant code and functionalities adapted for Linux. The malware was initially spotted as part of a campaign distributing another malware, Troll Stealer, via compromised security programs in South Korea. Trojanized versions of nProtect Online Security and other software from a construction-related association's website were used to spread the malware. The distribution method for these infected installer packages remains unidentified, complicating tracking and mitigation efforts. Gomir supports multiple commands for remote control, including file operations and proxy management, enhancing its threat capabilities. Symantec notes that software installation packages and updates are increasingly used as primary vectors for espionage by North Korean actors. | Details |
| 2024-05-17 06:48:32 | thehackernews | CYBERCRIME | U.S. CISA Highlights Critical Vulnerabilities in D-Link Routers | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two D-Link router vulnerabilities to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Affected devices include legacy D-Link products that are no longer supported, with replacement urged by June 6, 2024. The vulnerabilities could allow remote attackers to bypass authentication via the HNAP port, gain elevated permissions, and execute commands as root. D-Link has acknowledged the issue but has yet to release a fix, describing it as a LAN-side unauthenticated command execution flaw. Additionally, a proof-of-concept exploit revealed at SSD Secure Disclosure enables attackers to bypass authentication and perform command execution on vulnerable routers. In a separate but related development, Ivanti has also patched multiple vulnerabilities in Endpoint Manager Mobile, including one that allows local attackers to bypass shell restrictions and execute arbitrary commands via malicious RPM packages. Ivanti has also addressed two SQL injection flaws that could potentially allow privileged users to access or alter database content, although no active exploitation has been reported. | Details |
| 2024-05-16 23:31:23 | theregister | CYBERCRIME | Microsoft Quick Assist Exploited for Black Basta Ransomware Attacks | A cybercrime gang, identified as Storm-1811, has exploited Microsoft's Quick Assist tool to deploy Black Basta ransomware in a social engineering scheme. The attacks began in mid-April and involve scammers posing as IT support, using voice phishing to convince victims to grant remote access to their computers. Once access is obtained, attackers gain full control over the victim's device by tricking them into sharing their screen and approving control requests. Microsoft has acknowledged the issue and is working on enhancements to Quick Assist, including better transparency and warning messages to deter such scams. Victims of the attack often first receive spam emails before being contacted by fake IT support to address the fabricated issues. Microsoft advises customers to either block or uninstall Quick Assist and other remote management tools if they are not in use to mitigate risks. Additional security measures proposed include utilizing threat-hunting queries and indicators of compromise to identify and respond to suspicious network activities. After gaining access, the attackers use tools like PsExec for lateral movement within networks to spread ransomware. | Details |
| 2024-05-16 19:22:08 | bleepingcomputer | NATION STATE ACTIVITY | Five Charged in Cyber Scheme Aiding North Korea's Weapons Program | The U.S. Justice Department has charged five individuals linked to cyber schemes that funded North Korea's nuclear initiatives. Charged parties include two apprehended individuals: Christina Marie Chapman in Arizona and Oleksandr Didenko in Poland, alongside three other foreign nationals using aliases. They are accused of various crimes including money laundering, wire fraud, and aggravated identity theft, orchestrated to infiltrate U.S. job markets. Their operations involved using a "laptop farm" run by Chapman to emulate U.S. locations for North Korean IT workers, enabling them to secure employment at Fortune 500 companies. These activities generated over $6.8 million and compromised more than 60 U.S. identities, impacting over 300 U.S. companies and creating false tax liabilities for over 35 citizens. Consequences if convicted are severe, with Chapman facing up to 97.5 years and Didenko up to 67.5 years in prison. The U.S. State Department offers a $5 million reward for information on Chapman's co-conspirators, further indicating the scheme's significant impact on national security. | Details |
| 2024-05-16 19:11:46 | bleepingcomputer | CYBERCRIME | Norway Advises Shift From SSL VPN to More Secure IPsec | The Norwegian National Cyber Security Centre (NCSC) is advising organizations to replace SSLVPN/WebVPN solutions with IPsec using IKEv2 by 2025 to enhance security. The move is intended to combat the repeated exploitation of SSL/TLS vulnerabilities by cybercriminals in corporate network breaches. Organizations under the 'Safety Act' or those in critical infrastructure sectors are urged to make the switch by the end of 2024. SSL VPNs use SSL/TLS protocols to create a secure connection, whereas IPsec with IKEv2 offers enhanced security by encrypting and authenticating each packet and periodically refreshing keys. NCSC acknowledges that while IPsec with IKEv2 also has vulnerabilities, it reduces the attack surface significantly due to its reduced tolerance for configuration errors. Interim measures suggested by NCSC include centralized VPN activity logging, strict geofencing, and blocking access from high-risk sources like VPN providers and Tor exit nodes. The urgency is underscored by recent breaches involving exploited vulnerabilities in SSL VPNs by state-sponsored and criminal hacking groups. International consensus, including recommendations from the USA and UK, indicates a shift toward IPsec as a more secure standard for VPN technologies. | Details |
| 2024-05-16 17:09:45 | bleepingcomputer | DATA BREACH | MediSecure Suffers Ransomware Attack Via Third-Party Vendor | MediSecure, an electronic prescription provider in Australia, faced a ransomware attack impacting personal and health information, with scale and specifics still under assessment. The attack, initiated through a third-party vendor, led to the shutdown of MediSecure's website and communication systems to mitigate further risk. Operating since 2009, MediSecure has been instrumental in delivering digital healthcare solutions, specifically managing and dispensing medications electronically. The company has initiated a thorough investigation into the breach and is collaborating with Australia's National Cyber Security Coordinator and the Office of the Australian Information Commissioner. Public statements acknowledged the incident and emphasized immediate steps taken to secure systems and data, although details regarding the ransom demand, if any, were not disclosed. This incident is among the significant healthcare-related cyberattacks in Australia, following the major Medibank breach in October 2022, and highlights the healthcare sector's ongoing vulnerability to cyberattacks. | Details |
| 2024-05-16 16:08:13 | thehackernews | CYBERCRIME | New Wi-Fi Flaw Enables Unauthorized Network Eavesdropping | A new vulnerability, CVE-2023-52424, identified in the IEEE 802.11 Wi-Fi standard enables attackers to force a downgrade to a less secure network. This security flaw affects all operating systems and Wi-Fi protocols, including WEP, WPA3, and 802.1X/EAP. Attackers can spoof network names (SSIDs) to trick victims into connecting to malicious networks to intercept their traffic. The vulnerability undermines the effectiveness of VPNs that deactivate when connecting to trusted networks. Researchers propose enhancing the Wi-Fi standard to include SSID authentication in the network connection process to mitigate the attack. Additional mitigation suggestions include using distinct credentials for different SSIDs, especially in enterprise environments. This discovery follows recent disclosures of similar security issues in Wi-Fi authentication mechanisms. | Details |
| 2024-05-16 15:57:51 | bleepingcomputer | NATION STATE ACTIVITY | Russian-Sponsored Hackers Deploy Lunar Malware Against European Government | Security researchers identified new malware, LunarWeb and LunarMail, used by Russian hackers targeting a European government's diplomatic agencies. The malware was involved in breaches of the Ministry of Foreign Affairs, affecting diplomatic missions primarily in the Middle East since 2020. Spear-phishing emails with malicious Word documents initiated the infection, installing LunarMail through macros that also ensured persistence via Outlook add-ins. LunarWeb was delivered using a misconfigured network monitoring tool, with techniques to mimic legitimate traffic for covert operations and surveillance. Both backdoors allow remote command execution, data theft, and system manipulation, ensuring deep access and control over compromised systems. ESET attributes these attacks to the Turla group, a Russian state-sponsored entity, with medium confidence based on observed tactics and techniques. The company also released a list of indicators of compromise to help detect and mitigate these threats in affected network environments. | Details |
| 2024-05-16 15:47:28 | theregister | MISCELLANEOUS | EU Examines Meta for Child Protection Under Digital Services Act | The European Commission has launched an investigation into Meta, scrutinizing its compliance with the Digital Services Act, particularly in safeguarding minors on Facebook and Instagram. Meta is under investigation for potentially exploiting the inexperience of minors, leading to addictive behaviors and excessive content immersion on their platforms. The Commission will assess the effectiveness and appropriateness of Meta's age-verification tools to prevent minors from accessing harmful content. Additional scrutiny includes the examination of privacy and safety measures for minors, focusing on default settings and recommendation algorithms to ensure they align with legal requirements. Violations of the Digital Services Act could result in fines up to 6 percent of Meta's global annual turnover, approximately $8.5 billion. Separate proceedings are focused on other serious concerns, including Meta's role in the spread of political misinformation by foreign actors. Commissioner Thierry Breton emphasized the importance of rigorous investigations to uphold child protection standards on these widely used social platforms. | Details |
| 2024-05-16 14:51:06 | theregister | NATION STATE ACTIVITY | UK Intelligence Prioritizes Mitigating Cyber Threats from China | British intelligence has shifted its primary focus to countering cyber threats from China, surpassing concerns about other nation-states. The CYBERUK conference underscored the growing concern among UK officials regarding Beijing's attempts to dominate global technology standards and cyber capabilities. Recent discussions at the event highlighted the significant resources GCHQ is dedicating towards understanding and combating potential cyber threats from China. China's cyber strategy includes leveraging an extensive network of hacking groups and data brokers to advance its geopolitical and technological goals. UK intelligence is increasingly collaborating with Five Eyes allies, industry, and academic institutions to enhance cyber resilience against threats posed by nation-states like China and Russia. The narrative at CYBERUK stressed the urgent need for increased cyber resilience to deter future large-scale disruptions or attacks, particularly those that could be orchestrated by China. There is a pressing necessity for the tech industry and governments to innovate and cooperate to effectively counter sophisticated cyber operations from nation-states. | Details |