Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-18 18:33:22 | bleepingcomputer | CYBERCRIME | French Hospital Halts Procedures Amid Severe Cyberattack | The Hospital Simone Veil in Cannes was targeted by a cyberattack on Tuesday, impacting significant operational aspects and reverting staff to manual processes. Critical services like emergency, medicine, surgery, and more are maintained, yet 30% of non-urgent surgeries were canceled, and several non-urgent consultations were postponed. The CHC-SV hospital, an essential healthcare provider with 869 beds and over 2,100 employees, had to shut down all computers, severely disrupting their healthcare operations. There have been no ransom demands or identified data theft yet; the cyberattack is under investigation with assistance from ANSSI, Cert Santé, and Orange CyberDefense. Hospital records, including test results and patient information, are affected, with current efforts focused on restoring these systems; the timeline for resolution remains unclear. Prior cybersecurity exercises reportedly helped the hospital mitigate the impact somewhat, accounting for quicker containment and minimal data compromise. The ongoing investigation aims to determine the attackers and prevent future incidents, fundamental to regaining full operational capacity and trust. | Details |
| 2024-04-18 18:12:47 | bleepingcomputer | RANSOMWARE | Akira Ransomware Amasses $42 Million from Global Victims | The Akira ransomware group has attacked over 250 organizations globally since March 2023, generating around $42 million in ransoms. Victims span various industries and include significant entities like Nissan Oceania and Stanford University, impacting hundreds of thousands of individuals. Akira has utilized a Linux encryptor targeting VMware ESXi virtual machines, popular in enterprise environments. Ransom demands by Akira range from $200,000 to several million dollars, based on the size and type of the compromised organization. Authorities including the FBI, CISA, Europol's EC3, and NCSC-NL have jointly issued advisories and provided mitigation strategies to combat this threat. Recommendations for organizations include prioritizing patching known vulnerabilities, enforcing strong multifactor authentication, and conducting regular software updates and vulnerability assessments. The advisory also includes Akira-specific indicators of compromise and details on their tactics, urging organizations to follow the provided guidelines to reduce ransomware risks. | Details |
| 2024-04-18 17:57:17 | bleepingcomputer | MALWARE | Malicious Google Ad Impersonates Crypto Platform to Drain Wallets | A Google Search advertisement misleadingly impersonated the Whales Market, a crypto trading platform, redirecting users to a phishing site. The phishing site, with a URL similar to the legitimate one but with an additional 's', mimicked the real Whales Market interface to deceive users. Once users connected their crypto wallets to the fraudulent site, a malicious script immediately drained their assets. This incident highlights the ongoing manipulation of Google Ads by cybercriminals to distribute malware and execute phishing attacks. Similar deceptive advertisement techniques have been used to impersonate other reputable brands, leading to malware distribution and scams. Cybersecurity practices recommended include verifying the authenticity of web addresses before connecting wallets to any Web3 websites. Google's inability to filter out such malicious ads continues, despite these methods being a known issue for years. BleepingComputer has reached out to Google for comments on measures to prevent such deceptive ads but has not received any response. | Details |
| 2024-04-18 17:31:34 | theregister | NATION STATE ACTIVITY | House Passes Bill Limiting Government Data Purchases | The House of Representatives has approved the Fourth Amendment Is Not For Sale Act (H.R.4639), aimed at preventing U.S. government agencies from buying American citizens' data from brokers without a warrant. The bill passed narrowly with a 219-199 vote despite strong opposition from the White House, which argues that accessing commercially available information from data brokers is essential for intelligence and law enforcement purposes. The Biden administration contends that the bill, by only barring purchases from data brokers and not other types of entities, inadequately protects privacy while threatening national security. Recent revelations showed agencies like the IRS and NSA bypassing constitutional protections by acquiring data through brokers, claiming it was voluntarily surrendered. Research from Duke University highlighted the Department of Defense's procurement of data, including rates as low as $0.12 per record for information about U.S. military personnel and their families. The ACLU supports the bill, emphasizing the necessity for government agencies to obtain a warrant if they want access to citizens' data, and highlighting widespread data collection through mobile apps without users being fully aware. This legislative activity is part of broader scrutiny and regulation of surveillance practices, including other bills aimed at limiting data sales to foreign adversaries and debates on the renewal of FISA's Section 702, which allows warrantless surveillance for national security purposes. | Details |
| 2024-04-18 16:04:51 | theregister | CYBERCRIME | Researchers Uncover Massive "Poisoned Apple" Credit Card Fraud | A Korean researcher at Black Hat Asia detailed a sophisticated fraud scheme exploiting Apple's pickup policy using stolen credit cards. The operation, named "Poisoned Apple," involved phishing sites, stolen data, and misused second-hand shop platforms. Researchers identified over 50 online stores harboring the same phishing mechanism and uncovered records of 8,000 stolen credit cards and 5 million pieces of personal information. Perpetrators employed second-hand shop scams to sell Apple products at discounted prices, purchasing these items with stolen credit cards and setting buyers as pickup agents. The fraudsters' activities spanned from 2021 to 2023, mainly targeting individuals in Korea and Japan. Investigators believe the criminal group behind this operation is based in China, evidenced by breadcrumbs like domains registered using Chinese ISPs and clues in simplified Chinese found on the dark web. A notable technique involved weaponizing the comprehensive online payment systems in Korea to conduct scams, indicating a deep understanding of local authentication procedures. The entire fraudulent operation was discovered after identifying an exposed web server IP address, despite efforts to conceal it using Cloudflare's services. | Details |
| 2024-04-18 14:58:30 | bleepingcomputer | CYBERCRIME | LastPass Users Targeted in Advanced Phishing Scam | LastPass has issued a warning about a sophisticated phishing campaign using the CryptoChameleon kit, associated with cryptocurrency theft. CryptoChameleon, first identified while targeting FCC employees, has now expanded to include major cryptocurrency platforms and services like LastPass. The phishing kit creates fake webpages mimicking trusted sites such as Okta, Gmail, and LastPass to deceive victims into providing sensitive information. Recently, a phishing site under the domain "help-lastpass[.]com" was utilized to emulate LastPass customer support, combining voice phishing and email tactics. Attackers contact victims claiming to be LastPass employees assisting with account security, often using the email subject "We're here for you" and shortened URLs to hide malicious links. The specific phishing domain is now offline, but new similar attack vectors and domains are expected as the campaign evolves. LastPass advises users never to share their master passwords and to report suspicious communications to their abuse team at abuse@lastpass.com. | Details |
| 2024-04-18 14:32:53 | thehackernews | MALWARE | Decade-Long Malware Persistence Uncovered in Ukraine | OfflRouter malware has infected Ukrainian government networks since 2015, undetected until recently. The infected documents that were discovered carry a VBA macro virus that needs manual sharing to spread, unlike typical email propagation. The malware, unable to auto-spread via email, primarily transfers through shared documents and removable media like USB drives. Analysis reveals errors in the malware's code, hinting at the creator's lack of advanced experience. The primary executable, 'ctrlpanel.exe', targets and modifies .DOC files, ignoring newer .DOCX formats. OfflRouter's functionality includes making permanent changes in the Windows Registry to ensure activation on system startup. Despite its long presence, the exact origins and initial infection vectors of OfflRouter remain unclear. The malware's unusual and limited spread largely restricted it within Ukraine, contributing to its undetected status over the years. | Details |
| 2024-04-18 14:01:58 | theregister | DATA BREACH | Ransomware Attack Compromises Data of 185K at Cherry Health | Cherry Health, a Michigan-based healthcare provider, reported a ransomware data breach affecting approximately 185,000 people. Sensitive data stolen includes names, addresses, phone numbers, health insurance details, patient IDs, provider names, service dates, diagnosis and treatment information, and financial account details. The attack, which occurred in December 2023, led to the theft of highly sensitive data including financial account numbers along with associated security details. Following the discovery of the breach, Cherry Health engaged third-party specialists to investigate and determine the scope of data compromised. The organization has begun notifying affected individuals and is offering 12 to 24 months of credit monitoring services as a protective measure. There is currently no evidence that the stolen data has been misused, but Cherry Health continues to monitor the situation closely. This incident is part of a growing trend of ransomware attacks targeting healthcare institutions, leveraging stolen data for double extortion schemes. | Details |
| 2024-04-18 14:01:57 | thehackernews | CYBERCRIME | FIN7 Launches Spear-Phishing Attack on U.S. Automotive Sector | FIN7, a sophisticated cybercrime group, initiated a spear-phishing attack targeting the U.S. automotive industry using the Carbanak backdoor. The attack commenced with a misleading email linking to false websites that eventually led to malware download and system infiltration. The phishing email exploited IT department employees with administrative privileges, using a deceptive offer of a free IP scanning tool. The malware installation involved multiple stages that ultimately established system persistence and potential for further malicious activities. While primary motives appeared focused on initial access and data compromise, the rapid detection and containment prevented potential lateral movement or ransomware deployment. FIN7's history includes extensive criminal activities ranging from point-of-sale data theft to recent ransomware attacks with other malware like Black Basta and REvil. BlackBerry's investigation revealed the possibility of a broader campaign by FIN7, given the discovery of similar malicious domains linked to the group. Recommended defenses include vigilance against phishing, the use of multi-factor authentication, software updates, and monitoring unusual access patterns. | Details |
| 2024-04-18 12:25:00 | theregister | DATA BREACH | EU Challenges Meta on Paid Privacy Options, Cites GDPR Violations | The EU's Data Protection Board (EDPB) has declared that digital platforms like Meta should not make users choose between paying for privacy or receiving targeted ads. EDPB's opinion highlights concerns that Meta's "consent or pay" model fails to provide a legally valid way of obtaining user consent for processing personal data for marketing purposes. Despite Meta's subscription offer, which charges users a monthly fee to avoid personalized advertising, EDPB believes this approach typically contravenes the data protection law's essentials for valid consent. The decision is based on requests and complaints by data protection authorities from the Netherlands, Norway, and Hamburg, underpinning that user consent under such a model may not be genuinely free. Meta contends that its model complies with EU laws, referencing a previous EU Court of Justice ruling supporting its subscription system. The ongoing disagreement will likely involve further dialogues with the Irish Data Protection Commission, Meta's chief regulator in the EU. Privacy groups like noyb have criticized Meta's model, arguing it undermines fundamental data protection rights by charging users a so-called "privacy fee" of up to €250 annually. | Details |
| 2024-04-18 11:18:41 | thehackernews | CYBERCRIME | Zerto's Innovative Solution for Real-Time Ransomware Recovery | Zerto, a part of Hewlett Packard Enterprise, offers real-time ransomware detection and recovery using continuous data protection (CDP) with recovery point objectives (RPO) reduced to seconds. CDP technology does not rely on traditional snapshots or agents, leaving production workloads unaffected and offering RPOs of 5-15 seconds across numerous virtual machines. Virtual Protection Groups (VPGs) allow entire application stacks to be recovered in sync, maintaining RPOs efficiently and avoiding data loss in multiple-VM scenarios. Zerto's in-line real-time data scanning capabilities enable organizations to receive immediate indicators of ransomware activity within their systems. On recognizing suspicious activity, Zerto provides automated alerts and facilitates instant recovery of applications or files to their state mere seconds before the attack, minimizing operational disruption. The solution extends to large-scale scenarios, enabling comprehensive failover to secondary sites with full automation, suitable for significant enterprise environments under attack. Zerto encourages proactive protection strategies and offers a 14-day trial to test out its ransomware resilience capabilities in preventing and recovering from cyber threats. | Details |
| 2024-04-18 10:37:20 | thehackernews | MALWARE | Enhancing Threat Detection through Static Analysis in Sandboxes | Sandboxes are widely used for both dynamic and static malware analysis, allowing malware execution within a safe, virtual environment to identify and understand malicious behaviors. Static analysis in sandboxes can effectively detect threats hidden in PDF files by examining embedded scripts and URLs, revealing possible malware download mechanisms. Investigating LNK files (shortcuts) via static analysis can reveal potential malicious commands without spawning new processes, enhancing early threat detection. Email analysis within a sandbox environment helps identify spam and malicious elements in emails quickly and safely, including scrutinizing attachments and phishing links without risking the security of actual systems. Static analysis of Office documents in sandboxes aids in identifying embedded macros, scripts, images, and even QR codes without opening the files, thus minimizing the risk of triggering malicious content. Analyzing archived files like ZIP and RAR in sandboxes uncovers hidden executable files or scripts, facilitating a comprehensive threat assessment without manual unpacking. ANY.RUN sandbox offers real-time analysis capabilities for files and links, delivering initial results in under 40 seconds, and provides detailed interactive and static analyses. The tool emphasizes the importance of both static and dynamic analysis techniques, empowering security teams with tools for deeper investigations and enhanced control over the analysis environment. | Details |
| 2024-04-18 10:37:20 | thehackernews | MALWARE | New Android Malware 'SoumniBot' Targets South Korea with Advanced Evasion | SoumniBot, a new Android trojan, specifically targets users in South Korea by exploiting Android manifest parsing vulnerabilities to evade detection. The malware employs three main techniques to avoid analysis: altering the compression method value, misrepresenting the manifest file size, and using extremely long XML namespace names in the manifest file. Once installed, SoumniBot communicates with a server using the MQTT protocol to receive commands and send collected data, which includes extensive personal and device information. The trojan is capable of managing contacts, sending SMS, toggling silent mode, and enabling debug mode, and it conceals its icon to hinder uninstallation from the infected device. SoumniBot also searches external storage for digital signature certificates used by South Korean banks and government services, potentially to facilitate fraudulent transactions or unauthorized access to online services. This malware represents an evolution in Android banking trojans, with its ability to seamlessly install and operate despite the corrupted manifest files. Cybersecurity experts emphasize the ongoing need for heightened security measures due to such sophisticated threats that exploit system weaknesses. | Details |
| 2024-04-18 10:32:00 | thehackernews | CYBERCRIME | Global Sting Operation Arrests 37 in Major Phishing Scheme | An international law enforcement effort led to the arrest of 37 individuals connected to the phishing service LabHost. LabHost, a Phishing-as-a-Service (PhaaS) platform, provided over 170 fake websites, allowing global cybercriminals to harvest personal information. The service was particularly notorious in Canada, the U.S., and the U.K., targeting banking and several other sectors. LabHost users were implicated in generating phishing links sent through email and SMS, designed to mimic reputable organizations to steal credentials and 2FA codes. Agencies from 19 countries collaborated in the operation, leading to the seizure of LabHost's infrastructure and domain. The immediate disruption of LabHost prevented potential fraud, as the platform hosted nearly 40,000 domains involved in criminal activities. Over 94,000 victims in Australia and approximately 70,000 in the U.K. were identified as having entered their details into these phishing sites. | Details |
| 2024-04-18 10:21:34 | theregister | CYBERCRIME | Major Phishing Platform LabHost Shut Down by International Police Operation | An international police operation led by the UK's Metropolitan Police Service (MPS) has successfully dismantled LabHost, a notorious phishing platform. LabHost provided cybercriminals with sophisticated phishing kits mimicking over 170 well-known global brands, contributing to widespread identity theft and fraud. The crackdown involved coordination from law enforcement in 17 countries, resulting in the seizure of LabHost's domains and the arrest of 35 individuals. Phishing kits sold via LabHost enabled quick deployment of fake brand websites for harvesting victims' data, with tools like "LabRat" enhancing the illicit data collection process. The operation stemmed from a prior initiative named "Elaborate," which targeted similar cybercriminal activities and infrastructure. Police utilized innovative outreach methods, including crafting messages in the style of Spotify Wrapped, to inform LabHost users of the platform's compromise. Authorities are intent on deterring cybercriminals by demonstrating the increasing risk and consequences of engaging in such illegal activities. Additional measures are being taken to support the victims, including direct communications and resources available through the MPS's victim support package. | Details |