Daily Brief


Total articles found: 11815


2024-05-11 14:09:45 bleepingcomputer MALWARE Black Basta Ransomware Impacts Over 500 Global Organizations
Black Basta ransomware affiliates have compromised over 500 organizations globally, including sectors critical to infrastructure. The attacks targeted entities across North America, Europe, and Australia, encrypting and exfiltrating data. Notable victims include high-profile companies such as Rheinmetall, Hyundai Europe, and Capita, as well as institutions like the Toronto Public Library. After the Conti group's disbandment in 2022, Black Basta is speculated to be a spin-off or rebrand, possibly linked to other Russian cybercrime groups. This gang has amassed at least $100 million in ransoms from more than 90 victims as of late 2023. CISA and FBI provided tactical recommendations for organizations to defend against such ransomware attacks, emphasizing the need for updated systems, secure remote access, and phishing-resistant MFA. Specific advisories were issued to healthcare organizations, highlighting their vulnerability due to operational dependence on technology and sensitive data access. Recent suspected Black Basta involvement in a ransomware attack on Ascension's systems underscored the accelerating threat against the healthcare sector.
2024-05-11 12:48:25 bleepingcomputer DATA BREACH Europol Investigates Data Breach, No Operational Impact Reported
Europol confirmed a breach in its Europol Platform for Experts (EPE), following claims by threat actor IntelBroker. The breach reportedly involves stolen For Official Use Only (FOUO) documents; however, Europol states no operational data was jeopardized. The EPE portal, used for sharing non-personal crime data, was offline for maintenance following the incident. IntelBroker claims access to sensitive data from various Europol communities, including personal information from the EC3 SPACE database containing 9,128 records. The hacker is marketing the stolen data exclusively in exchange for the cryptocurrency Monero (XMR), stating that it will be sold only to reputable members. IntelBroker's previous attacks include breaches at U.S. government agencies and large corporations, demonstrating a pattern of targeting significant entities. Europol has initiated an investigation into the extent of the breach and taken preliminary measures to further secure its systems.
2024-05-11 12:38:02 bleepingcomputer DATA BREACH Europol's Expert Platform Hacked, Classified Data Allegedly Stolen
Europol confirmed a breach of its Europol Platform for Experts (EPE), stating that no operational data was compromised. Threat actor IntelBroker claims to have stolen For Official Use Only (FOUO) documents and personal data from the platform. The breach affected non-operational platforms, including EPE and EC3 SPACE, used by global law enforcement experts. IntelBroker is known for previous government and private sector breaches and is now selling the stolen EPE data on hacking forums. At publication time, EPE's website was offline for maintenance following the breach reveal. IntelBroker's claims include access to communities with sensitive cybercrime data and over 6,000 member profiles. The leaked data reportedly includes personal details of law enforcement agents and information used in cross-border criminal investigations. Europol is currently assessing the situation and conducting an ongoing investigation into the extent of the data breach.
2024-05-11 07:38:05 thehackernews MALWARE FIN7 Exploits Google Ads to Deliver Malware and RATs
FIN7, a financially motivated cybercrime group, has been deploying NetSupport RAT by spoofing Google advertisements to mimic reputable brands. Microsoft observed that the malicious MSIX files used in these ads can bypass defenses like Defender SmartScreen, prompting Microsoft to disable the MSIX protocol handler. eSentire reported that these attacks involve showing fake browser extension pop-ups that deceive users into downloading malicious MSIX packages, which run PowerShell scripts to deploy malware. The PowerShell scripts are designed to gather system information, contact remote servers, and subsequently install the NetSupport RAT and additional malware. These tactics mark a significant shift for FIN7, which originally targeted point-of-sale systems and has since diversified to ransomware and now malvertising attacks. Other malware identified in the attack chain includes DICELOADER, which is executed via a Python script. There is a noticeable shift toward targeting corporate users and exploiting business relations through deceptive malvertising and credential theft.
2024-05-10 22:04:06 bleepingcomputer RANSOMWARE Law Enforcement Reveals Identity of LockBit Ransomware Operator
The FBI, NCA, and Europol identified and publicized the principal operator behind LockBit ransomware as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national. Operation Cronos significantly disrupted the LockBit operation by seizing its infrastructure and transforming its data leak site into a law enforcement announcement platform. Despite major setbacks, LockBit returned online, promising a continuation of their activities and released details of 119 entities purportedly compromised by their ransomware. LockBit is speculated to potentially shut down and morph into a new entity amidst ongoing law enforcement pressure. Separately, the healthcare provider Ascension faced considerable operational disruptions attributed to a ransomware attack by Black Basta, affecting emergency services and patient care. Other entities including the City of Wichita and Brandywine Realty Trust also suffered from ransomware attacks, leading to significant data breaches and operational challenges.
2024-05-10 21:03:00 theregister NATION STATE ACTIVITY Ex-Analyst Predicts Iran Likely to Launch US Cyber-Attack
Iran is considered the most likely nation to initiate a destructive cyber-attack against the US, according to former Air Force intelligence analyst Crystal Morin. Despite Iran's capabilities, China remains the greatest cyber threat to the US, influencing critical infrastructures and government networks. The intelligence community views China’s technological prowess in cyber capabilities as superior, having infiltrated various US sectors. Russia continues its focus on intelligence collection rather than direct destructive cyber warfare, avoiding mutually assured destruction. Morin's analysis as a cybersecurity strategist at Sysdig emphasizes the evolving landscape of global cyber threats faced by the US. US intelligence agencies concur on the significant cyber threat posed by both China and, to a slightly lesser extent, Russia.
2024-05-10 19:31:08 bleepingcomputer DATA BREACH Dell Data Breach Exposes 49 Million Customer Records
Dell recently notified customers of a data breach that compromised 49 million customer records. The breach was initiated by a threat actor, known as Menelik, who exploited an API used by a partner portal. Menelik registered fake companies to gain unauthorized access to the portal and used it to scrape customer information without rate limiting. The scraped data included customer names, order details, service tags, and warranty information. Menelik originally notified Dell about the vulnerability in April, but claimed that Dell did not respond until the issue was made public. After the breach was disclosed, Dell engaged a third-party forensics firm and confirmed the incident was under investigation by law enforcement. APIs have become a significant security weak point, with several notable data breaches in recent years exploiting poorly secured APIs.
2024-05-10 18:55:16 bleepingcomputer CYBERCRIME Major US Healthcare System Disrupted by Ransomware Attack
Ascension, a prominent U.S. healthcare network, is experiencing clinical operation disruptions and outages across several hospitals due to a suspected ransomware attack. Key systems affected include MyChart electronic health records, phone systems, and systems for ordering tests, procedures, and medications. Ambulances are being redirected and non-urgent procedures paused to prioritize emergency services and ensure safety and care continuity. Ascension advised business partners to disconnect from its network and is working with Mandiant experts to assess and mitigate the situation. The attack has been attributed to the Black Basta ransomware gang, known for accelerating attacks against the healthcare sector and other high-profile targets globally. The healthcare system remains on downtime procedures and is rescheduling non-emergent services, requiring patients to bring detailed personal medical information to appointments. Ascension is one of the largest private U.S. healthcare systems, with substantial national reach and significant annual revenue, demonstrating the potential scale and impact of the breach.
2024-05-10 18:19:20 theregister DATA BREACH Over 500,000 Affected in Ohio Lottery Personal Data Breach
Over half a million customers of the Ohio Lottery had their personal data compromised following a security breach on Christmas Eve. The breach resulted in the exposure of names and Social Security numbers of approximately 538,959 individuals. Although Ohio Lottery has found no evidence of misuse of the leaked data, it has offered a year of free credit monitoring and ID theft protection to the impacted parties. The attack did not impact the lottery's gaming systems, but did temporarily prevent payouts for winnings above $599. DragonForce, a ransomware gang, claimed responsibility for the data theft, claiming to have stolen significantly more data than reported by Ohio Lottery. The stolen data, which supposedly includes dates of birth and other sensitive information not disclosed in the regulatory filing, has allegedly been made available for download by DragonForce. The nature of the attack, whether it involved ransomware or was solely for extortion, is still unclear, but the responsible group is known for using double extortion tactics.
2024-05-10 16:57:29 bleepingcomputer CYBERCRIME Critical Vulnerabilities Found in Industrial IoT Modems
Security researchers from Kaspersky identified critical flaws in Telit Cinterion cellular modems, commonly used in industrial, healthcare, and telecom sectors. A series of eight vulnerabilities, with impacts ranging from code execution to potential network compromise, have been disclosed. The most severe vulnerability, CVE-2023-47610, allows remote execution of arbitrary code via specially crafted SMS messages, without authentication. Attackers can exploit these vulnerabilities to gain in-depth access to the modem’s operating system and manipulate memory, potentially taking complete control of the device. Although Telit has patched some of the issues, others remain unresolved, posing ongoing risks. The vulnerabilities have broad implications, potentially affecting global network security and device integrity due to the wide deployment of these modems. Kaspersky suggests mitigation strategies including disabling SMS for vulnerable devices and enforcing strict application signature checks to protect against unauthorized changes.
2024-05-10 15:41:07 bleepingcomputer DATA BREACH Ohio Lottery Hit by Ransomware, Over Half a Million Affected
The Ohio Lottery experienced a ransomware attack on December 24, 2023, affecting 538,959 individuals. Personal data compromised includes names, Social Security numbers, and other identifiers. The gaming network remained unaffected, ensuring no operational impact on lottery games. A detailed forensic investigation concluded on April 5, 2024, identifying the specific files that were breached. In response, Ohio Lottery is offering free credit monitoring and identity theft protection services. The DragonForce ransomware group claimed responsibility and later leaked data after failed negotiations. The leaked data reportedly involves 1.5 million records, fewer than the initially claimed three million. Ohio Lottery states that no evidence of the stolen data being used fraudulently has been found yet.
2024-05-10 15:05:04 theregister NATION STATE ACTIVITY U.S. Committee to Grill Microsoft on Recent Cybersecurity Breaches
Brad Smith, Microsoft's Vice Chair and President, has been called to testify before the House Committee on Homeland Security concerning severe cybersecurity breaches attributed to nation-state actors from China and Russia. The hearing, named "A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security," is set for May 22, in response to significant security incidents including the attack on Microsoft Exchange by a China-linked group. This group, identified as Storm-0558, compromised senior U.S. officials' emails, unlawfully accessing around 60,000 emails. Additionally, a group linked to Russia, known as Midnight Blizzard or APT29, accessed emails of Microsoft's executives and stole source code by exploiting a vulnerability in network management software. The Cyber Safety Review Board criticized Microsoft for a series of preventable errors leading to these breaches, prompting Microsoft's pledge for major internal security reforms under the newly launched Secure Future Initiative. This initiative emphasizes critical areas such as protecting identities, isolating production systems, monitoring threats, and accelerating response to threats. The article mentions widespread concern about Microsoft's ability to safeguard data, which has prompted urgent calls for accountability similar to those applied to other U.S. government vendors.
2024-05-10 14:54:36 thehackernews NATION STATE ACTIVITY North Korean Hackers Launch Golang Malware Attack on Crypto Firms
North Korean threat actor Kimsuky deployed new Golang-based malware, named Durian, targeting South Korean cryptocurrency companies. Observed by Kaspersky in its Q1 2024 APT trends report, the attacks occurred in August and November 2023, leveraging legitimate South Korean software for initial infection. Durian serves extensive backdoor functions including command execution, file downloads, and data exfiltration. The Durian infection chain includes multiple malware families such as AppleSeed and LazyLoad, along with legitimate tools like ngrok and Chrome Remote Desktop, to steal browser data like cookies and login details. The use of LazyLoad suggests possible operational overlap or collaboration with another North Korean subgroup, Andariel, part of the Lazarus Group. Kimsuky has been active since at least 2012, is associated with high-level North Korean military intelligence, and focuses on geopolitical intelligence theft and sophisticated spear-phishing attacks. Recent reports link North Korean groups to other high-profile cyber campaigns, including TutorialRAT spear-phishing attacks that use Dropbox for evasion and targeted attacks with Windows shortcut files by the group ScarCruft.
2024-05-10 14:08:29 theregister CYBERCRIME Exploit Targets Self-Driving Cars by Altering Traffic Sign Visibility
Researchers from Singapore demonstrated a technique called GhostStripe that manipulates CMOS sensor-based cameras in autonomous vehicles to distort traffic sign recognition. The attack uses rapid light flashes to affect a camera’s image capture line-by-line, creating inconsistent color stripes that make traffic signs unrecognizable to the vehicle's computer vision systems. GhostStripe1 and GhostStripe2 are two versions of the attack; the former tracks cars and adjusts LED flickering remotely, while the latter requires direct access to the vehicle’s camera system. Tests conducted on real roads with a camera used in Baidu Apollo's vehicles achieved a successful manipulation rate of over 90% on various traffic signs, with effectiveness decreasing in bright ambient light. Common countermeasures suggested include replacing CMOS cameras with CCDs, altering the line capture method, adding more cameras, or incorporating the attack pattern into AI training models to improve detection. The technique underscores ongoing vulnerabilities in autonomous vehicle technologies and the potential for targeted cyber-attacks that compromise road safety.
2024-05-10 13:02:05 theregister NATION STATE ACTIVITY Retrospective on the DoD Breach Leading to US Cyber Command Formation
In 2008, a malware-infected USB stick used in a military laptop in Afghanistan led to a significant breach of the U.S. Department of Defense's networks. The breach, suspected to be conducted by Russian cyber spies, quickly spread across both classified and unclassified DoD systems. This incident prompted the Pentagon to initiate Operation Buckshot Yankee, aiming to eliminate the malware from its networks, a process which took over a year. The severity of the situation led to the establishment of US Cyber Command, initially a sub-unified command in 2009, which later became an independent unified command in 2018. Four key figures in the development of US Cyber Command, dubbed the "Four Horsemen of Cyber," recently reunited to discuss the command’s inception and early challenges at the RSA Conference. During the initial aftermath of the breach, there was a fundamental lack of cybersecurity awareness among senior military and government officials, highlighting a major gap in digital warfare readiness. The discussion also covered the broader implications of cyber threats and the necessity of incorporating cybersecurity in national defense strategy effectively. A classified narrative created to persuade the DoD of the necessity for a cyber warfighting command was mentioned, with hopes for future declassification.