Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11821
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-15 18:39:48 | bleepingcomputer | CYBERCRIME | Brothers Execute Novel $25 Million Ethereum Blockchain Heist | Two brothers, Anton and James Peraire-Bueno, have been arrested and indicted for stealing about $25 million in cryptocurrency by manipulating Ethereum's block-building process.
The alleged scheme tampered with the process by which pending transactions are validated and ordered into blocks, letting the pair divert funds from other traders' transactions while they were in flight.
The theft took roughly 12 seconds to execute and is described by the U.S. Department of Justice as a "first-of-its-kind" attack.
Each brother faces charges of wire fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with each count carrying a maximum sentence of 20 years.
The investigation was led by the IRS Criminal Investigation Cyber Unit in New York, with assistance from the NYPD and U.S. Customs and Border Protection.
The brothers, both trained in computer science and mathematics, studied their intended victims' trading behavior and took deliberate steps to hide their identities.
After the theft they laundered the proceeds through multiple cryptocurrency addresses, foreign exchanges, and shell companies.
They also searched online for information on executing and concealing the attack and on the legal exposure it could create. | Details |
| 2024-05-15 17:58:54 | thehackernews | DATA BREACH | FBI Takes Down BreachForums, Seizes Platform Twice in One Year | The FBI has seized BreachForums, a marketplace for stolen data, marking the second takedown of the site within a year.
This incarnation of BreachForums ran from June 2023 until May 2024 and facilitated the sale of breached databases, hacking tools and related illicit goods.
The seizure was a joint operation with authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine.
The FBI also took control of the Telegram channel run by Baphomet, who took over the forum after the previous administrator's arrest in March 2023.
The site's original domain was seized in late June 2023, and the forum's successor domains have since faced repeated law enforcement action.
Whether administrators Baphomet and ShinyHunters have been arrested is unconfirmed, though the seizure banner shows both of their avatars behind bars.
The FBI is urging anyone with information about criminal activity on BreachForums to contact it via Telegram or email. | Details |
| 2024-05-15 17:43:24 | bleepingcomputer | CYBERCRIME | Apple Stops $7 Billion in Fraudulent App Transactions, Enhances Security | Apple reports that its anti-fraud systems blocked more than $7 billion in potentially fraudulent App Store transactions between 2020 and 2023.
In 2023 alone, Apple stopped $1.8 billion in suspicious transactions and blocked 3.5 million stolen credit cards from being used.
Across the four-year period, Apple detected and blocked 14 million stolen credit cards and deactivated 3.3 million accounts associated with them.
Apple's App Review team of roughly 500 reviewers examined 6.9 million app submissions in 2023 and rejected 1.7 million for failing security and privacy requirements.
In 2023, Apple removed 152 million fake or fraudulent ratings and reviews out of 1.1 billion submitted.
Enforcement also terminated 118,000 developer accounts and suspended 91,000 customer accounts for fraud or other illegal activity.
Despite the review process, fraudulent apps still slip through, with recent examples including counterfeit versions of well-known apps such as LastPass and the Leather cryptocurrency wallet. | Details |
| 2024-05-15 17:12:34 | theregister | MISCELLANEOUS | Effective Cyber Defense Strategy Using Open Source SIEM and XDR | A coherent cyber defense strategy exists to prevent, detect, and respond to threats before they turn into financial loss, reputational damage, or legal liability.
Its core components are risk assessment, tailoring of technology to the environment, integration of the resulting security tools, and an incident response plan.
Wazuh, a free and open source security platform, combines SIEM and XDR functions in one agent-and-server system that covers cloud, on-premises, and containerized environments.
Its capabilities include log-based threat detection, automated incident response, vulnerability detection, security configuration assessment, and reporting against common compliance standards.
The article's worked example is SSH brute-force prevention: a detection rule counts repeated failed logins from one source, and Wazuh's active response module then blocks that source on the host automatically.
Defenses need continuous improvement through regular monitoring, user training, and threat intelligence feeds that keep detections current with emerging threats.
Wazuh integrates with third-party platforms to enrich its detection and response capabilities, which makes it adaptable to a range of operational requirements.
With an active community and extensive documentation, Wazuh gives organizations a practical base for refining and extending their defenses. | Details |
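As an added illustration of the SSH brute-force case the article describes (example code written for this brief, not Wazuh's own rules or scripts), the Python below replays the detection logic over a handful of constructed OpenSSH auth.log lines: count failed logins per source address in a sliding window and, once the count reaches a threshold, build the firewall-drop command an active-response script would run. The threshold of 8 failures in 120 seconds is chosen to match the frequency and timeframe of Wazuh's stock sshd brute-force rule; the year, hostname, IP addresses, block duration, allowlist and the `iptables` command line are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH syslog lines (not real traffic). 198.51.100.23 fails eight
# times in 14 seconds; 203.0.113.7 is a legitimate user who mistypes once, then logs in.
SAMPLE_AUTH_LOG = """\
May 15 17:12:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
May 15 17:12:03 web01 sshd[2204]: Failed password for root from 198.51.100.23 port 40130 ssh2
May 15 17:12:04 web01 sshd[2207]: Failed password for invalid user oracle from 198.51.100.23 port 40138 ssh2
May 15 17:12:06 web01 sshd[2210]: Failed password for root from 198.51.100.23 port 40144 ssh2
May 15 17:12:09 web01 sshd[2213]: Failed password for invalid user test from 198.51.100.23 port 40151 ssh2
May 15 17:12:11 web01 sshd[2216]: Failed password for root from 198.51.100.23 port 40160 ssh2
May 15 17:12:13 web01 sshd[2219]: Failed password for invalid user guest from 198.51.100.23 port 40166 ssh2
May 15 17:12:15 web01 sshd[2222]: Failed password for root from 198.51.100.23 port 40172 ssh2
May 15 17:13:40 web01 sshd[2230]: Failed password for alice from 203.0.113.7 port 51012 ssh2
May 15 17:13:55 web01 sshd[2233]: Accepted publickey for alice from 203.0.113.7 port 51020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2024     # syslog timestamps carry no year; assumption for the example
THRESHOLD = 8           # failures within WINDOW_SECONDS that trigger a block
WINDOW_SECONDS = 120
BLOCK_SECONDS = 600     # assumed auto-unblock time, as an active-response timeout would set


def parse_ts(text: str) -> datetime:
    # Collapse the double space syslog uses for single-digit days before parsing.
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def detect_brute_force(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Sliding-window counter of failed logins per source IP.
    Returns {ip: timestamp of the failure that crossed the threshold}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                     # accepted logins and unrelated lines do not count
        ts, ip = parse_ts(m["ts"]), m["ip"]
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:     # drop failures that fell out of the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def active_response(flagged, allowlist=frozenset()):
    """Build (but do not run) the block commands an active-response script would execute.
    The allowlist is the check a practitioner wants: never auto-block jump hosts or scanners."""
    commands = []
    for ip, ts in sorted(flagged.items()):
        if ip in allowlist:
            continue
        expires = (ts + timedelta(seconds=BLOCK_SECONDS)).strftime("%H:%M:%S")
        commands.append(f"iptables -I INPUT -s {ip} -j DROP   # auto-unblock at {expires}")
    return commands


if __name__ == "__main__":
    hits = detect_brute_force(SAMPLE_AUTH_LOG.splitlines())
    for cmd in active_response(hits, allowlist={"10.0.0.5"}):
        print(cmd)
```

Two details carry over to a real deployment: the window must be evaluated per source address, not globally, or a single noisy scanner masks everyone else; and the block must expire, or a spoofable source (or a mistyped allowlist) turns the response into a self-inflicted denial of service.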
| 2024-05-15 17:07:13 | bleepingcomputer | MALWARE | Black Basta Ransomware Exploits Windows Quick Assist in Attacks | A financially motivated threat actor, tracked by Microsoft as Storm-1811, is abusing the built-in Windows Quick Assist remote-help tool to get Black Basta ransomware into corporate networks.
The campaign starts by email-bombing the target with subscription sign-ups, after which the attackers phone the victim while impersonating IT support or Microsoft and offer to fix the flood of mail.
Victims who accept are walked through granting Quick Assist access to their machine, which the attackers use to run scripted commands that fetch malware.
Tooling dropped this way includes Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike, giving the actor persistent remote control.
From that foothold the intruders enumerate the domain and move laterally before deploying the ransomware.
They also run scripts that harvest credentials from compromised hosts and send them to attacker-controlled servers.
Microsoft recommends uninstalling or blocking Quick Assist and similar remote-management tools where they are not needed, and training staff to recognize tech-support scams.
The Black Basta operation, active since April 2022, has compromised more than 500 organizations, including entities in critical infrastructure sectors. | Details |
| 2024-05-15 14:44:18 | bleepingcomputer | CYBERCRIME | FBI Seizes BreachForums, Urges Information Sharing on Activities | The FBI has taken control of BreachForums, a notorious platform used by cybercriminals to leak and sell stolen corporate data.
Law enforcement action included seizing the forum’s servers and domains, displaying a seizure message on the website.
The seizure banner encourages victims or informants to contact the FBI to help in investigating cybercriminal activities associated with BreachForums.
The FBI also seized control of the forum's Telegram channel, further extending their efforts to gather information.
The Internet Crime Complaint Center (IC3) subdomain of the FBI hosts a dedicated page providing details of BreachForums' operations and solicits information from the public.
Previously, BreachForums operated under different domains, and was preceded by similar hacking forums, illustrating an ongoing pattern of such criminal enterprises.
The global cooperation in seizing BreachForums highlights an international response to combat cybercrime effectively. | Details |
| 2024-05-15 14:13:27 | bleepingcomputer | DATA BREACH | Banco Santander Suffers Data Breach Via Third-Party Provider | Banco Santander S.A. disclosed a data breach affecting numerous customers and employees across Spain, Chile, and Uruguay.
A third-party service provider's database was accessed by unauthorized parties, leading to the compromise.
Immediate actions were taken to contain the breach, including blocking compromised access and enhancing fraud prevention controls.
While the exact data types have not been disclosed, Santander confirmed that transaction data and online banking credentials were not affected.
The bank says its own systems and operations were not compromised and that banking services in the affected countries continue uninterrupted.
Only the Spanish, Chilean and Uruguayan markets were affected; Santander's other regions were not impacted.
Customers and employees whose information was exposed will be directly notified, and relevant law enforcement agencies have been informed.
Investigations into the extent of the data exposed and the implications of the breach are ongoing. | Details |
| 2024-05-15 14:02:58 | bleepingcomputer | CYBERCRIME | How Lateral Movement Attacks Use Stolen Credentials | Lateral movement is the phase in which an intruder uses stolen credentials to hop between systems while blending in with legitimate traffic, working toward sensitive data or control of the domain.
The chain typically runs reconnaissance, credential theft and initial access, with credentials obtained through social engineering, keyloggers, or purchase on criminal markets.
A highlighted case involved a former employee's still-valid credentials being used to breach a U.S. state government network, followed by substantial data exfiltration.
Valid credentials let an attacker persist, impersonate users, escalate to administrative access, and operate undetected for long periods, because the activity looks like ordinary logons.
Beyond phishing and keyloggers, pass-the-hash and pass-the-ticket let an attacker authenticate with a captured NTLM hash or Kerberos ticket; the plaintext password is never needed, because the hash itself is the secret the protocol checks.
Recommended defenses include strong password policies, multi-factor authentication, prompt patching, security awareness training, network monitoring, and intrusion detection.
The article recommends tools such as Specops Password Auditor to find compromised, reused, or weak passwords in Active Directory.
Network segmentation, active threat hunting, and a rehearsed incident response plan limit how far an intruder can move and how much damage a successful move causes. | Details |
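The pass-the-hash point above is easiest to see in code. The following Python is an added example for this brief, not taken from the article or from Specops: it computes an NT hash (MD4 over the UTF-16LE password, using a pure-Python MD4 because OpenSSL 3 builds frequently disable hashlib's), then derives an NTLMv2 proof exactly as MS-NLMP specifies, from the hash alone, which is why a stolen hash is password-equivalent. It closes with the defensive counterpart the article points at: auditing a set of account hashes against a breached-hash list and flagging hashes shared between accounts. The account names, the breached list and the hash export format are constructed assumptions; the MD4 and NTLMv2 constructions follow RFC 1320 and MS-NLMP.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Little-endian words, three rounds of 16 steps."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k_add, shifts, order in rounds:
            for i, k in enumerate(order):
                if i % 4 == 0:
                    a = _rotl((a + fn(b, c, d) + X[k] + k_add) & MASK32, shifts[0])
                elif i % 4 == 1:
                    d = _rotl((d + fn(a, b, c) + X[k] + k_add) & MASK32, shifts[1])
                elif i % 4 == 2:
                    c = _rotl((c + fn(d, a, b) + X[k] + k_add) & MASK32, shifts[2])
                else:
                    b = _rotl((b + fn(c, d, a) + X[k] + k_add) & MASK32, shifts[3])
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so identical passwords give identical hashes."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """MS-NLMP NTLMv2: NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain in UTF-16LE);
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp).
    The only secret input is the NT hash. Nothing here ever needs the password: pass-the-hash."""
    ntowfv2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowfv2, server_challenge + temp, hashlib.md5).digest()


# Constructed stand-in for a breached-NT-hash list (e.g. an exported NTLM corpus): uppercase hex.
CONSTRUCTED_BREACHED_NT = {nt_hash(p).hex().upper() for p in ("password", "Welcome1", "Summer2024!")}


def audit_accounts(accounts: dict, breached=CONSTRUCTED_BREACHED_NT) -> dict:
    """accounts: sAMAccountName -> NT hash hex, as an authorised DC export would provide.
    Returns users whose hash is in the breach list and users sharing a hash (password reuse)."""
    hits = sorted(u for u, h in accounts.items() if h.upper() in breached)
    by_hash = {}
    for u, h in accounts.items():
        by_hash.setdefault(h.upper(), []).append(u)
    shared = sorted(u for users in by_hash.values() if len(users) > 1 for u in users)
    return {"breached": hits, "shared": shared}


if __name__ == "__main__":
    chal = bytes.fromhex("0123456789abcdef")            # server challenge, constructed
    temp = bytes.fromhex("0101000000000000") + bytes(16)  # NTLMv2 client blob, constructed
    print("NT hash:", nt_hash("password").hex())
    print("proof from hash only:", ntlmv2_proof(nt_hash("password"), "alice", "CORP", chal, temp).hex())
    print(audit_accounts({"alice": nt_hash("password").hex(), "bob": nt_hash("CorrectHorse9!").hex()}))
```

The audit is only as good as the hash source: run it against a sanctioned export from a domain controller (or a replication-based tool with the right permissions), never against hashes harvested from endpoints, and treat the "shared" list as seriously as the "breached" one, since a service account sharing a human's password is a ready-made lateral-movement path.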
| 2024-05-15 12:35:25 | thehackernews | NATION STATE ACTIVITY | Turla Group Targets European Diplomatic Entities with Novel Backdoors | The Russia-aligned cyberespionage group Turla has deployed two previously undocumented backdoors, LunarWeb and LunarMail, against European diplomatic targets.
ESET attributes the activity to Turla with medium confidence, based on overlaps in tactics, techniques and procedures with the group's earlier campaigns.
LunarWeb, built for servers, talks to its command-and-control infrastructure over HTTP(S), disguising the traffic as ordinary web requests.
LunarMail, built for workstations, runs as an Outlook add-in and communicates by email, with its commands hidden inside message attachments.
ESET's analysis indicates both tools have been in use since at least early 2020, possibly longer.
How the attackers first got into the affected ministry of foreign affairs is unclear; the evidence points to spear-phishing and exploitation of vulnerabilities or misconfigurations.
Once running, LunarWeb executes commands, collects system information, and exfiltrates data disguised as normal web traffic; LunarMail supports a similar command set and steals data by emailing it out.
The pair represents a further refinement of Turla's toolset, built for stealth and long-term persistence inside diplomatic and government networks. | Details |
| 2024-05-15 11:44:08 | thehackernews | MISCELLANEOUS | Enhancing Cyber Resilience with New CVSS v4.0 Framework | CVSS v4.0, published by FIRST in November 2023 as the successor to v3.1, refines the base metrics and adds supplemental metrics such as Safety and Automatable to give a fuller picture of a vulnerability.
The v4.0 model separates a base score (CVSS-B) from optional threat and environmental metrics (CVSS-BT, CVSS-BE, CVSS-BTE), so an organization can adjust a published score to reflect whether an exploit exists and what the flaw would mean in its own environment.
Scores still run from 0.0 to 10.0 and map to qualitative bands: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0).
Pairing CVE identifiers with their CVSS scores lets organizations order patching and mitigation work, addressing the highest-rated and actively exploited flaws first.
EDR and NDR platforms can ingest CVSS scores to prioritize findings about known vulnerabilities; a true zero-day has no CVE or score yet, so it can only be caught by behavioral detection, not by score.
NDR complements EDR with behavior-based anomaly detection on network traffic, which adapts to attack techniques that signatures and scores do not yet cover.
Risk-Based Alerting (RBA) within NDR ranks alerts by assigned risk level, concentrating analyst time where it matters and shortening response times.
Feeding CVSS scores into these operational workflows allows alert thresholds to be tuned to severity and supports better-informed incident response. | Details |
| 2024-05-15 10:58:00 | thehackernews | MISCELLANEOUS | Best Practices for Migrating VMware vSphere to Azure | Start by assessing the existing VMware vSphere environment: inventory the VMs, map their dependencies, and profile resource usage to decide which workloads are suitable for Azure.
Design a target Azure architecture that mirrors the VMware setup, including VM sizes, network layout, and the security controls that must carry over.
Provision Azure resources (subscriptions, VMs, virtual networks, storage) with particular attention to security settings such as network security groups (NSGs) and firewalls.
Prepare the data migration by sizing storage, choosing appropriate transfer methods, and verifying integrity across VMware and Azure disk formats.
Run test migrations to validate the plan, using tooling that can test without disrupting production so that downtime risk surfaces before cutover.
Execute the migration in coordination with stakeholders, monitoring throughout so that issues are addressed as they appear.
After migration, validate the functionality and performance of the Azure workloads, test applications, and monitor resource utilization to tune sizing and cost.
The article recommends Zerto's automated, orchestrated migration tooling to streamline the VMware-to-Azure transition with minimal downtime. | Details |
| 2024-05-15 10:58:00 | thehackernews | MALWARE | Ebury Botnet Malware Targets 400,000 Linux Servers for Financial Gain | Over roughly 14 years, the Ebury botnet malware has compromised approximately 400,000 Linux servers, with more than 100,000 still infected as of late 2023.
Slovak security firm ESET describes Ebury as a financially motivated operation whose activities include spam distribution, web traffic redirection, and credential theft.
The malware was a core component of Operation Windigo, used for click fraud and spam campaigns, and has since added web skimming for payment-card data and theft of cryptocurrency.
In 2017, Russian national Maxim Senakh was sentenced in the U.S. to 46 months in prison for his role in the Ebury operation, which generated millions of dollars in fraudulent revenue.
Ebury spreads by stealing SSH credentials from already infected hosts, by breaking into hosting providers' infrastructure, and by renting servers under stolen identities, which also points investigators at the wrong people.
On an infected host the malware acts as an OpenSSH backdoor and SSH credential stealer, and stages further payloads that monetize the machine through traffic redirection, spam relaying, and more.
Newer companion modules such as HelimodSteal, HelimodProxy and HelimodRedirect (Apache modules) intercept and redirect web traffic and capture payment-card data submitted to compromised web servers. | Details |
| 2024-05-15 08:30:27 | thehackernews | CYBERCRIME | Tornado Cash Co-Founder Sentenced for Money Laundering Crimes | A Dutch court has sentenced Tornado Cash co-founder Alexey Pertsev to 64 months (five years and four months) in prison for money laundering.
Pertsev was also ordered to forfeit roughly $2.05 million in cryptocurrency assets and a Porsche.
Tornado Cash is a cryptocurrency mixer: it pools illicit and legitimate funds so that deposits and withdrawals cannot be linked, obscuring the origin of the money.
The court ruled that Tornado Cash allowed criminal proceeds to be laundered easily and lacked any mechanism to prevent it.
The article also notes that the service ran no anti-money-laundering (AML) or know-your-customer (KYC) checks and was not registered as a money-transmitting business with the U.S. FinCEN.
The verdict follows the U.S. Treasury Department's sanctions on Tornado Cash, which linked the mixer to laundering of funds stolen by North Korea's Lazarus Group.
Pertsev argued that Tornado Cash served the crypto community's privacy needs, but the court found that it was designed and operated in a way that served to conceal criminal proceeds. | Details |
| 2024-05-15 07:19:06 | thehackernews | CYBERCRIME | Microsoft Fixes 61 Security Issues, Including Two Exploited Zero-Days | Microsoft's May 2024 Patch Tuesday release fixes 61 new security flaws, two of them zero-days already under active exploitation.
One flaw is rated Critical, 59 Important and one Moderate; this is separate from additional fixes shipped for the Chromium-based Edge browser.
The zero-days are CVE-2024-30040, a Windows MSHTML security-feature bypass that an attacker triggers by convincing a user to open a malicious document, evading the OLE mitigations in Microsoft 365 and Office, and CVE-2024-30051, an elevation-of-privilege bug in the Desktop Window Manager (DWM) Core Library that yields SYSTEM privileges.
CVE-2024-30051 was reported independently by Kaspersky, Google's Threat Analysis Group, Mandiant and others, and Kaspersky observed it being used by QakBot and other malware; multiple independent sightings of one local privilege-escalation bug point to active use by several actors.
U.S. CISA has added both flaws to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch them by June 4, 2024.
The remaining fixes cover remote code execution and privilege-escalation flaws across various Windows components, plus a security-feature bypass in Windows.
The size of the release and the pair of exploited zero-days underline the continuing pressure on Microsoft's platform from capable attackers. | Details |
| 2024-05-14 22:20:20 | theregister | MALWARE | Microsoft, Apple, Google Issue Fixes for Exploited Security Bugs | Microsoft addressed 60 Windows vulnerabilities including two exploited bugs related to system privilege elevation and security feature bypass.
A notable Microsoft Windows bug (CVE-2024-30051) associated with the QakBot banking Trojan allows attackers to gain system privileges, urging an immediate patch.
Another Microsoft vulnerability (CVE-2024-30040) enables attackers to bypass security features in Microsoft 365 by manipulating users to open malicious files.
Apple patched multiple issues, including a critical memory corruption flaw in RTKit exploited to bypass kernel protections, impacting both iOS and iPadOS.
Google updated Chrome to fix an exploited high-severity flaw in the V8 JavaScript engine along with fixing 38 Android vulnerabilities.
VMware and Adobe released important security patches, including VMware's fix for a critical use-after-free vulnerability found during the Pwn2Own contest.
SAP and Intel released critical updates, with SAP addressing vulnerabilities in SAP Commerce Cloud and NetWeaver Application Server, and Intel patching a privilege escalation bug rated 10 out of 10 on the CVSS scale. | Details |