Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-19 19:21:36 | bleepingcomputer | CYBERCRIME | HelloKitty Ransomware Rebrands as HelloGookie, Releases Stolen Data | The HelloKitty ransomware operation has been rebranded to HelloGookie by its creator, known as 'Gookee/kapuchin0'.
The rebranding was announced alongside the launch of a new dark web portal, marking the event by releasing sensitive data from previous hacks.
Private decryption keys and internal information from a 2022 Cisco hack, as well as passwords for CD Projekt's source code leaked in 2021, were made public.
A group of developers has used the leaked Witcher 3 source code to compile and share development builds, including screenshots and videos.
The released data from CD Projekt includes extensive assets from games like Witcher 3 and Cyberpunk, amounting to 450 GB of uncompressed data.
There's no evidence of new victims or recent attacks by HelloGookie, but historical data from older attacks has been released.
Collaboration between HelloGookie and another ransomware group, Yanluowang, has been indicated through shared data and operations.
Cisco confirmed it is aware of the released details, which relate to the May 2022 incident in which non-sensitive data was taken. | Details |
| 2024-04-19 19:06:01 | bleepingcomputer | NATION STATE ACTIVITY | MITRE Corporation Targeted in State-Sponsored Cyberattack | MITRE Corporation experienced a breach in January 2024 by a state-sponsored hacking group using Ivanti VPN zero-days.
The hackers accessed MITRE’s unclassified Networked Experimentation, Research, and Virtualization Environment (NERVE) but did not impact the core enterprise network or partner systems.
The threat actors exploited vulnerabilities to bypass multi-factor authentication and used sophisticated techniques like webshells and backdoors for system access and credential harvesting.
The attack involved chaining two Ivanti Connect Secure zero-days, CVE-2023-46805 and CVE-2024-21887, which have been mass-exploited by various threat groups, including Chinese state-sponsored actors.
Over 2,100 Ivanti appliances were reportedly compromised by the attackers, affecting a range of victims including Fortune 500 companies.
MITRE has contacted affected parties and authorities, working on recovery and advocating for enhanced cybersecurity practices.
In January 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring prompt mitigation of these vulnerabilities. | Details |
| 2024-04-19 18:09:51 | bleepingcomputer | CYBERCRIME | UNDP Targeted in Ransomware Attack, Sensitive Data Stolen | The United Nations Development Programme (UNDP) suffered a ransomware attack, resulting in the theft of sensitive human resources and procurement data.
The cyberattack was executed by compromising the local IT infrastructure at UN City, Copenhagen in late March.
Upon receiving a threat intelligence notification on March 27, UNDP took immediate steps to contain the breach and assess the extent of the data exposure.
The attack has been claimed by the 8Base ransomware group, which listed UNDP on its dark web data leak site and temporarily shared stolen files online.
8Base is known for using a variant of Phobos ransomware and has increased its criminal activities significantly since June 2023, targeting various industries with double extortion tactics.
UNDP is actively investigating the incident to understand the full scope and impact and is assisting affected individuals in protecting their personal information.
This attack follows previous breaches involving UN agencies, indicating ongoing weaknesses in the United Nations' cybersecurity measures. | Details |
| 2024-04-19 15:32:13 | bleepingcomputer | CYBERCRIME | High Alert: 22,500 Firewalls Exposed to Critical Vulnerability | Approximately 22,500 Palo Alto GlobalProtect firewall devices are susceptible to exploitation by the CVE-2024-3400 flaw.
CVE-2024-3400 allows unauthenticated attackers to execute commands with root access due to a command injection vulnerability in certain versions of PAN-OS.
Patches for the flaw were issued between April 14 and 18, 2024, following an initial advisory on April 12.
Attackers, including state-backed group 'UTA0218', exploited the vulnerability to deploy a custom backdoor named 'Upstyle'.
The telemetry-based mitigations proved ineffective, leaving the application of the patches as the only remedy.
Public disclosure of the exploit details has led to a higher rate of attempted attacks by various threat actors.
The most impacted devices are in the United States, Japan, India, Germany, the UK, Canada, Australia, and France.
Urgent patching is recommended, as GreyNoise and the Shadowserver Foundation report extensive ongoing exploitation and a large exposed population. | Details |
| 2024-04-19 14:36:06 | theregister | NATION STATE ACTIVITY | China Orders Apple to Remove Popular Messaging Apps | Apple has removed WhatsApp, Threads, Telegram, and Signal from its app store in China following government orders, citing security concerns.
The apps, known for their encryption capabilities, were reportedly targeted to hinder their use as secure communication channels.
This action coincides with increased international scrutiny of Chinese apps, including TikTok, by the US and EU.
A new Chinese law effective April 1 requires developers to register with the government; non-compliance could influence app bans.
Apple said it complied reluctantly, adhering to local law despite its disagreement with the order.
The banned apps remain accessible in Hong Kong and Macau, regions with administrative rules different from those of mainland China.
The decision does not extend to all foreign apps, as other Meta platforms and services like X and YouTube remain unaffected in China. | Details |
| 2024-04-19 13:49:58 | thehackernews | MALWARE | BlackTech's Deuterbear Targets Tech Sectors with Advanced Malware | BlackTech, a cyber threat actor attributed to China, has been actively targeting technology, research, and government sectors in the Asia-Pacific region.
The group uses a sophisticated tool called "Deuterbear," an enhanced version of the previously known Waterbear malware, which includes advanced evasion and anti-analysis capabilities.
Trend Micro highlights that Deuterbear is equipped with features like anti-memory scanning and different decryption routines, distinguishing it significantly from its predecessor.
Cyber attacks by BlackTech frequently involve modifying router firmware and exploiting trust relationships to move laterally from international subsidiaries to corporate HQs.
Their tactics include using custom malware, exploiting legitimate administrative tools, and disabling logging on routers to conceal their activities.
Waterbear, a core component of their attacks, has been in use since 2009 and is constantly updated to evade defense mechanisms, supporting nearly 50 different malicious commands.
The newer Deuterbear variant employs HTTPS for secure command and control communications and incorporates multiple obfuscation techniques to avoid detection. | Details |
| 2024-04-19 11:32:30 | theregister | DATA BREACH | Cybercriminals Steal World-Check Database, Threaten Data Leak | The World-Check database, used for verifying trustworthiness of individuals by various businesses, especially in financial institutions for KYC checks, has been compromised.
Cybercriminal group GhostR claimed responsibility for stealing 5 million records from the database and has threatened to start leaking the information.
The breach occurred through an unnamed third-party service provider, not directly through the systems of London Stock Exchange Group (LSEG), which currently maintains the database.
A sample of 10,000 records from the breach was reviewed, revealing sensitive information on political figures, suspected criminals, and others marked as high-risk individuals.
GhostR's unauthorized access and theft of the database included personal details such as names, job roles, social security numbers, and reasons for inclusion in the database.
This incident is a repeat occurrence, as a previous breach in 2016 implicated 2.2 million records when the database was under Thomson Reuters' ownership.
LSEG is working closely with the third party to enhance data protection measures and has alerted the appropriate authorities regarding the breach.
Potential risks include misuse of the data to perpetrate fraud, and harm to innocent individuals and organizations who were wrongly labeled as high-risk. | Details |
| 2024-04-19 11:17:05 | thehackernews | MISCELLANEOUS | Cloud Identities: The New Attack Surface for Cyber Threats | SaaS and cloud services have revolutionized company networks, hosting a significant portion of business systems and data.
Organizations typically use numerous SaaS applications that are often adopted by end-users without formal IT approval, leading to security oversight issues.
Identity management has become complex with multiple authentication methods available (SSO, OAuth), creating numerous potential entry points for attackers.
Despite the critical role of identity in securing cloud environments, many apps lack proper security controls like SSO support or MFA, leaving substantial vulnerabilities.
Attackers are increasingly targeting these weaknesses, focusing on identity theft through methods that bypass traditional, malware-focused security measures.
High-profile security breaches involving major companies highlight the prevalent issue and sophisticated nature of identity-based attacks.
Current security tools focusing on central identity systems are insufficient for handling the dispersed identity landscape across multiple cloud apps and services.
Organizations need to rethink security strategies to address the specific challenges posed by cloud identities and interconnected cloud applications. | Details |
| 2024-04-19 11:01:34 | thehackernews | CYBERCRIME | Akira Ransomware Gang Extorts $42M, Now Aims at Linux Servers | Akira ransomware has extorted around $42 million by targeting over 250 entities globally including businesses and critical infrastructure across North America, Europe, and Australia.
The group initially targeted Windows systems but shifted to Linux servers, specifically VMware ESXi virtual machines, in April 2023.
Akira leverages known vulnerabilities in Cisco appliances and diverse methods such as RDP, spear-phishing, and VPNs without MFA to gain and escalate access in victim networks.
The group uses sophisticated techniques for evasion and persistence, including abusing antivirus processes and creating new domain accounts.
Data is exfiltrated via common file transfer and archiving tools, and the ransomware uses a hybrid ChaCha20 and RSA encryption scheme to lock victim data.
It is suggested that the Akira ransomware group may have ties to the defunct Conti ransomware gang based on blockchain and source code analysis.
Avast released a decryptor in July, though Akira has likely since fixed the flaws it exploited.
Parallel to Akira’s developments, other ransomware families are also shifting focus towards Linux systems, indicating a broader trend in cybercrime evolution. | Details |
| 2024-04-19 10:20:39 | theregister | NATION STATE ACTIVITY | Germany Arrests Suspects for Alleged Russian-Sponsored Bombing Plot | Bavarian state police arrested two German-Russian citizens, Dieter S and Alexander J, suspected of planning to bomb sites aiding Ukraine against Russia's invasion.
The suspects were allegedly working under instructions from Russia to target military and industrial facilities crucial for Ukraine’s defense.
Key potential targets included the United States Army Garrison Bavaria, where Ukrainian forces were trained.
The arrest followed a surveillance period; Dieter S has historical ties to separatist activities in Donetsk from 2014-2016.
Had it succeeded, the plot would have marked a significant escalation in Russia's attempts to undermine support for Ukraine: a direct action on a NATO member's territory.
Germany has provided substantial aid to Ukraine, making it a significant ally and target for such espionage and sabotage activities.
The situation underscores a broader pattern of aggressive foreign operations by Russia, raising concerns over international security. | Details |
| 2024-04-19 06:21:54 | thehackernews | NATION STATE ACTIVITY | Stealth CR4T Backdoor Targets Middle East Government Entities | Kaspersky uncovered a campaign named DuneQuixote targeting Middle Eastern governments with a novel backdoor, "CR4T".
The campaign employs sophisticated evasion techniques in malware code and network communications to avoid detection and analysis.
Attack vectors include a dropper in executable/DLL formats or a compromised installer for the Total Commander tool.
Unique decryption methods involving Spanish poems and MD5 hashing prevent automated tools from revealing the command-and-control server address.
The malware features complex conditions to discourage analysis, such as blocking connections if specific system conditions are not met (e.g., debugger presence, insufficient system resources).
CR4T facilitates remote command execution, file operations, and secure communications with the C&C server using the Telegram API.
A Golang variant of CR4T shows advancements in tradecraft, indicating ongoing development by the attackers for enhanced cross-platform capabilities.
Kaspersky notes the campaign's extensive focus on stealth and persistence, showcasing advanced evasion and operational security skills. | Details |
| 2024-04-19 00:51:16 | bleepingcomputer | MALWARE | Infostealer Malware Lures Gamers with Fake Cheat Offers | A new variant of Redline infostealer malware mimics a game cheat tool named 'Cheat Lab,' encouraging users to spread the malicious software by offering a free licensed version if they infect friends.
Distributed through deceptive ZIP files on Microsoft's 'vcpkg' GitHub repository, the malware comes as an MSI installer that deploys a compiler and a DLL file.
Infected machines execute Lua bytecode compiled at runtime for evasiveness, using Just-In-Time compilation methods to remain undetected and integrate into legitimate processes.
Researchers have identified traces of this Redline variant communicating with a command and control (C2) server previously associated with similar malware campaigns.
The strategy includes enticing users with activation keys and promises of unlocking full software versions to amplify distribution.
The installation procedure deliberately avoids running executable files directly, instead executing scripts as bytecode to bypass some detection mechanisms.
The malware establishes persistence by scheduling tasks at system startup and maintains a low profile to operate stealthily on infected machines.
Despite the innovative deployment mechanisms, the new strain does not exhibit some typical behaviors of Redline, like stealing browser data. | Details |
| 2024-04-18 22:28:30 | theregister | RANSOMWARE | Ransomware Attack Disrupts Octapharma Plasma, Impacting Global Supply | Octapharma Plasma has shut down over 150 centers in the U.S. due to suspected ransomware, identified as BlackSuit.
The network outage at Octapharma Plasma is affecting plasma supplies critical for European operations.
Octapharma Plasma network issues might have large-scale implications for global medical supply chains, emphasizing the critical nature of cybersecurity in healthcare.
Around the same time as Octapharma's outage, ISP Frontier reported a cybersecurity breach with possible unauthorized access to customer information.
Frontier's cyberattack led to operational disruptions affecting customer service and technician dispatch.
Octapharma has not confirmed details but indicated an ongoing recovery process and will update via official channels.
Earlier warnings from HHS about BlackSuit ransomware specifically targeting the healthcare sector highlight the heightened risk to these essential services.
The situation underscores the growing threat of ransomware to critical industries, which may drive more ransom payments and exacerbate the risk of information leaks and operational hazards. | Details |
| 2024-04-18 21:57:51 | theregister | CYBERCRIME | Exploitation of OpenMetadata Flaws for Cryptocurrency Mining | Microsoft reports cryptocurrency mining abuse in Kubernetes environments via unpatched OpenMetadata vulnerabilities.
OpenMetadata vulnerabilities fixed in March allowed remote code execution and authentication bypass in versions prior to 1.3.1.
Attackers scan for vulnerable OpenMetadata deployments online, gaining container access to deploy crypto-mining malware.
The malware harvests information on network and hardware configurations, OS versions, and active users for further exploitation.
Attackers also initiate reverse shell connections using Netcat and establish cronjobs to sustain malware activity.
Microsoft advises administrators to update OpenMetadata images and strengthen authentication measures.
Microsoft's separate report highlights intensified election disinformation efforts by Russia and China, leveraging AI in influence campaigns.
Attackers leave personal notes in their malware pleading for cryptocurrency, citing personal and financial hardships. | Details |
| 2024-04-18 21:06:40 | bleepingcomputer | CYBERCRIME | Frontier Communications Hit by Cybercrime, Systems Disrupted | Frontier Communications experienced a cyberattack, forcing a partial shutdown of its IT systems to curtail further unauthorized access.
The breach, attributed to a cybercrime group, involved the exposure of personally identifiable information (PII), though it is unclear if the data pertains to customers or employees.
Following the attack, identified on April 14, 2024, Frontier has managed to contain the breach and has begun restoring its core IT systems and business operations.
The company has reported operational disruptions, including affected customer service capabilities, with its mobile apps down and Internet connectivity issues reported by users.
Frontier is currently displaying warnings on its website about technical issues with its internal support systems, but assures that residential and business networks remain unaffected.
Ongoing measures include working with cybersecurity experts, continuous investigation of the breach, and notification to law enforcement authorities.
Despite the incident, Frontier believes the breach is unlikely to materially affect its financial condition or results of operations, according to its SEC filing. | Details |