Daily Brief
Total articles found: 11809
| Timestamp | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-04-08 14:33:39 | theregister | DATA BREACH | Veterinary Company CVS Group Hit by Cyber Incident | CVS Group, a major UK veterinary chain, experienced a "cyber incident" that has led to significant operational disruptions. The incident prompted the shutdown of IT systems as part of an emergency response plan to isolate the threat. There is a potential risk of personal information being compromised, and the ICO has been notified due to possible data theft. Clinical care has reportedly maintained its quality at most practices, although UK operations have experienced disruption. The incident did not affect operations outside the UK, nor did it impact non-CVS-hosted systems or e-commerce systems. CVS is accelerating its cloud migration strategy in response to the incident to enhance security and operational efficiency. The company's share price dropped before recovering slightly, amid broader market concern over a CMA investigation into vet pricing practices. Further updates regarding the state of data integrity and IT system recovery are anticipated. |
| 2024-04-08 13:52:38 | thehackernews | MISCELLANEOUS | Google Chrome Enhances Browser Security With New V8 Sandbox | Google has introduced a V8 Sandbox in the Chrome browser to improve defense against memory corruption vulnerabilities. The V8 Sandbox confines the memory that V8 engine code can access to a dedicated region of the process's address space, preventing vulnerabilities in V8 from affecting the rest of the host process. This sandbox isolation is Google's response to the 16 zero-day vulnerabilities identified in V8 between 2021 and 2023. Traditional memory-corruption protection methods are ineffective against the unique challenges posed by V8 HeapObject instances, prompting the adoption of this specialized sandbox technique. A small performance overhead of about 1% is observed, which is considered minimal enough to enable the sandbox by default in Chrome version 123 across multiple platforms. The sandbox requires a 64-bit system and reserves one terabyte of virtual address space, underscoring that existing memory safety technologies cannot prevent all types of memory corruption in optimizing JavaScript engines. The development highlights Google's ongoing efforts to enhance memory safety, as seen with the use of Kernel Address Sanitizer (KASan) in Android to detect and address over 40 memory bugs. |
| 2024-04-08 13:06:00 | theregister | RANSOMWARE | Change Healthcare Targeted Again by Ransomware Demand for 4TB Data | Change Healthcare has been targeted by a second ransomware gang shortly after an ALPHV ransomware attack. RansomHub claims to have 4 TB of the company's data, including PII of US military personnel, medical records, and payment information, and threatens to sell it unless a ransom is paid. The same group alleges Change Healthcare previously paid a $22 million ransom to ALPHV, a claim supported by crypto wallet monitoring but not confirmed by the company. Theories suggest ALPHV may have conducted an exit scam, with the affiliate responsible for the attack joining RansomHub to recover their "owed" share. Another theory posits that RansomHub could be ALPHV under a new name, which would explain the re-targeting of Change Healthcare despite a prior ransom payment. The case highlights the risks of ransom payments, as there is no guarantee cybercriminals will delete stolen data after payment, and such payments can encourage further attacks. Change Healthcare's parent company, UnitedHealth, had previously reported a cyber incident on February 22, leading to service disruptions in hospitals and pharmacies. A probe into Change Healthcare's data protection practices is imminent due to the significant impact of the cyberattack. |
| 2024-04-08 12:50:04 | bleepingcomputer | MISCELLANEOUS | Notepad++ Warns of Impersonator "Fan" Website Risks | Notepad++ has called for public assistance to shut down a copycat website, notepad[.]plus, which mimics its branding but is not official. The impersonator website currently directs users to the legitimate Notepad++ download page but raises concerns about potential future security risks. Notepad++ developer Don Ho has received numerous complaints about the non-affiliated website, suggesting it may compromise user safety. The copycat site carries disclaimers stating it is a fan website and unaffiliated, possibly shielding it against certain accusations. The notepad[.]plus website is criticized for potentially harboring malicious advertisements and diverting traffic from the official Notepad++ site. BleepingComputer observed that the site does not appear to have active malicious ads currently; however, the use of Notepad++ branding could be a trademark issue. The developer's request to report the site via Google Safe Browsing may be ineffective since the site is not distributing malicious software at present. Community members highlight the risk that any entity, including the official Notepad++ site, could turn malicious, underscoring the importance of vigilance in open-source communities. |
| 2024-04-08 11:33:18 | thehackernews | CYBERCRIME | Ransomware Attacks Decline in Q1 2024 Due to Law Enforcement Efforts | Ransomware incidents decreased by 22% in Q1 2024 compared to Q4 2023, with 1,048 reported cases. Law enforcement agencies collaborated internationally in "Operation Cronos," leading to the arrest of LockBit ransomware affiliates and the seizure of their assets. Despite the arrests, LockBit quickly resumed operations, demonstrating the group's resilience and robust security measures. The FBI disrupted the ALPHV/BlackCat ransomware group, seizing its main site and creating decryption tools, resulting in a reduced number of its attacks. Compliance with ransom demands fell to a historic low of 29% in the last quarter of 2023, with average ransom payments also falling. New ransomware groups have emerged despite the decline in the number and profitability of ransomware attacks, but they have yet to compensate for this drop. |
| 2024-04-08 11:33:18 | thehackernews | MALWARE | 'Latrodectus' Malware Emerges as Major Email Phishing Threat | Researchers have identified a new downloader malware, Latrodectus, that is proliferating through email phishing campaigns. Latrodectus is linked to the threat actors behind the IcedID malware and is used by initial access brokers (IABs) to deploy various malware types. The malware is mainly associated with the IABs TA577 and TA578, with the latter primarily using Latrodectus since mid-January 2024. TA578 has been associated with several campaigns that use legal threat narratives to direct victims to malicious downloads. Latrodectus can evade detection by assessing its environment, and once activated, it communicates with a command-and-control server to receive further instructions. Commands from the C2 server allow various malicious activities such as file enumeration, executing binaries, and shutting down processes. The infrastructure associated with Latrodectus has operational connections to IcedID, suggesting an evolution in tactics among cybercriminals. Experts anticipate increased usage of Latrodectus among financially motivated threat actors previously involved in IcedID distribution. |
| 2024-04-08 09:56:08 | bleepingcomputer | MISCELLANEOUS | Notepad++ Dev Appeals for Shutdown of Impersonator Site | Notepad++ developer Don Ho has called for public assistance in shutting down a lookalike website, notepad[.]plus, which mimics the project's branding. The imitator website currently redirects users to the official Notepad++ downloads but raises concerns about potential future security threats. Don Ho received multiple complaints about the site, which has confused users by appearing prominently in search results and could pose security risks. The website carries disclaimers about not being affiliated with the official Notepad++, yet it includes ads that could generate revenue for its admins. Security checks by BleepingComputer did not find active malicious advertisements or promotional links on the unofficial site at the time of investigation. The community has mixed reactions, with some questioning the threat level of the unofficial site since it does not currently distribute malware. Don Ho emphasizes the importance of downloading open-source projects like Notepad++ directly from official websites to avoid the risks associated with counterfeit or trojanized versions. |
| 2024-04-08 08:39:29 | thehackernews | CYBERCRIME | Phishing Campaign Hits Latin America with Malicious Payloads | Cybercriminals have launched a sophisticated phishing campaign specifically targeting the Latin American market, aiming to infect Windows systems. The phishing email distributes a ZIP file that, when extracted, leads to the download of a RAR archive containing a malicious PowerShell script. The script gathers system information and checks for antivirus software, using evasion techniques such as Base64-encoded PHP scripts and geographically restricted domains. Trustwave researchers note similarities with previous Horabot malware attacks, with tactics that include using new domains and country-specific behavior to avoid detection. Malwarebytes has reported a separate malvertising campaign using Microsoft Bing ads for a fake NordVPN to deliver the SectopRAT remote access trojan, highlighting the continued threat of malvertising. SonicWall identifies additional threats, including a fake Java Access Bridge installer and a new Golang malware using unique geolocation checks and HTTPS command-and-control communications. The report serves as a reminder of the evolving techniques used by threat actors to deploy malware and the importance of vigilant cybersecurity practices. |
| 2024-04-08 06:32:10 | theregister | MISCELLANEOUS | High-Ranking Israeli Cyber Spy Accidentally Reveals Identity | A top Israeli spy, Yossi Sariel, known for leading the elite Unit 8200, inadvertently exposed his own identity through an online privacy error. The exposure happened after a book he authored under a pseudonym included an email address that could be traced back to his real name and Google account. Sariel's unit faced criticism following an intelligence failure attributed to it when Hamas attacked Israel in October. His exposure raises questions about the real-life implications of even minor privacy lapses, especially for individuals in sensitive positions. In other news, Jackson County, Missouri, suffered a ransomware attack caused by a phishing link that led to operational issues and interrupted government services. Data-stealing malware incidents have surged by 643% over the past three years, with an average of 50.9 credentials stolen per infected device. It was noted that many individuals who experience a malware infection tend to repeat the mistake, with around 21% installing additional malware shortly after an initial incident. |
| 2024-04-08 05:30:51 | thehackernews | CYBERCRIME | Google Takes Legal Action Against Crypto Scam App Creators | Google has launched a lawsuit against two developers, Yunfeng Sun and Hongnam Cheung, who allegedly created fraudulent cryptocurrency investment apps. The scam lured users with the promise of high returns and used fake Android apps to deceive over 100,000 users and steal their investments. These apps, approximately 87 in number, were available on the Google Play Store as part of a social engineering scam active since 2019. Victims were compelled to pay additional fees under the pretense of accessing their principal investments and gains, a method known as "pig butchering." The scammers employed sophisticated fake identities and online personas across various platforms, including social media and dating sites, to target potential investors and gain their trust. Google accused the defendants of persistent fraudulent activities and of making false representations to Google's services, violating numerous policies and the RICO Act. The issue of fake investment apps is not unique to Android, as similar fraudulent applications have also been found on the Apple App Store. This lawsuit follows Google's recent legal measures to prevent misuse of its products, demonstrating the company's increased effort to protect its platforms and users from cybercrime. |
| 2024-04-07 17:44:45 | bleepingcomputer | DATA BREACH | Home Depot Employee Data Breach Exposes Corporate Information | Home Depot confirmed a data breach caused by a third-party SaaS vendor exposing employee data. Limited information on about 10,000 employees was leaked by the threat actor IntelBroker on a hacking forum. Exposed details include names, work email addresses, and user IDs, which are not highly sensitive but could enable phishing attacks. Home Depot warned its employees to be vigilant about phishing attempts seeking additional sensitive information or credentials. The data breach raises concerns about the security protocols of third-party vendors and the risks they present. IntelBroker, the threat actor behind the leak, has been involved in previous high-profile breaches, including one affecting U.S. House members and their staff. Home Depot employees are advised to report suspicious emails to IT staff for verification to prevent potential security breaches. |
| 2024-04-06 16:15:48 | theregister | CYBERCRIME | Thwarting Sophisticated Backdoor in XZ Software Library | A sophisticated backdoor was discovered in the xz software library, a tool commonly used across many systems. The infected library could have allowed remote control over affected machines via SSH. A rogue contributor had inserted the malicious code, impacting upcoming releases of Linux distributions like Debian Unstable and Fedora. The backdoor was identified and addressed before widespread deployment, avoiding potentially widespread damage. The incident raises questions about the security of open source projects and the resources provided by corporations that benefit from them. Discussion of this issue has been featured in a Kettle series episode with cybersecurity experts and The Register's journalists. The episode explores the balance between the fragility and strength of open source ecosystems and strategies for their protection. |
| 2024-04-06 15:09:32 | bleepingcomputer | CYBERCRIME | Hackers Manipulate Healthcare IT Help Desks for Fraudulent Access | The U.S. Department of Health and Human Services (HHS) warns about social engineering attacks directed at IT help desks in the Healthcare and Public Health sector. Attackers gain system access by impersonating employees and enrolling rogue multi-factor authentication (MFA) devices after convincing help desk personnel. By pretending to be from the financial department and using stolen ID details, attackers manipulate the IT help desk into facilitating MFA changes. Once MFA is compromised, attackers access and divert company funds to their own accounts, including via international transfers. These tactics echo those of Scattered Spider, notorious for breaching high-profile networks, although these specific health sector incidents have not been explicitly attributed to them. Companies are advised to implement stringent verification processes and educate help desk personnel on social engineering tactics to prevent such breaches. |
| 2024-04-06 14:18:27 | bleepingcomputer | CYBERCRIME | Over 92,000 D-Link NAS Devices Compromised by Backdoor | Over 92,000 D-Link NAS devices have been identified with a backdoor account vulnerability, discovered by a threat researcher known as Netsecfish. The flaw, tracked as CVE-2024-3273, is due to a hardcoded account with an empty password and a command injection issue in the HTTP GET Request Handler script. Attackers exploiting the vulnerability could execute arbitrary commands on the devices, potentially leading to unauthorized data access, system modification, or denial of service. D-Link confirmed that these NAS devices are end-of-life and no longer supported, with no patches available to rectify the newly identified security issues. D-Link has published a security bulletin advising users to retire or replace their old devices and has set up a dedicated support page for legacy device owners to download the last available security updates. The company advises against exposing NAS devices to the internet, as they are frequent targets for data theft and ransomware attacks. |
| 2024-04-06 09:49:01 | thehackernews | CYBERCRIME | Hackers Abuse Magento Vulnerability to Hijack Payment Data | A critical security flaw, CVE-2024-20720, in Magento has been exploited to inject malicious code into e-commerce websites, allowing the theft of payment data. Adobe acknowledged and patched the flaw, which has a CVSS score of 9.1 and allowed remote code execution through improper neutralization of special elements, on February 13, 2024. The attackers used a layout feature in Magento combined with the beberlei/assert package to execute the 'sed' command and insert a backdoor. When customers access the checkout cart on an infected store, the malicious block executes and deploys a Stripe payment skimmer. The skimmer captures financial information and exfiltrates it to another compromised Magento store. Separately, the Russian government has charged six individuals with stealing credit card data from foreign e-commerce stores using skimmer malware since 2017. The cybercrime group captured information from nearly 160,000 payment cards and sold the data on dark web platforms. |