Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12718
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-28 18:02:37 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Employ New FakePenny Ransomware in Cyber Attacks | Microsoft has identified the North Korean hacking group Moonstone Sleet as the operator behind the FakePenny ransomware, which demands millions in ransom. Moonstone Sleet initially overlapped with another group, Diamond Sleet, but has since developed its own methods and tools and moved away from the techniques the two once shared. The group uses deceptive approaches such as trojanized software, fake companies, and social media to infiltrate target networks; having previously focused on espionage, it now also pursues financial extortion. The latest ransomware attacks show a significant increase in ransom demands, up to $6.6 million, indicating a shift towards large-scale financial gain. Moonstone Sleet's tactics reflect a broader trend of evolving capabilities among North Korean cyber groups, which aim to meet state-sponsored objectives and potentially disrupt international targets. Historical context underscores the continuity and escalation of North Korean state-sponsored cyberattacks, with earlier global incidents such as WannaCry and the Maui ransomware attacks linked to groups like Lazarus and Holy Ghost. | Details |
| 2024-05-28 16:51:07 | theregister | MISCELLANEOUS | SpiderOak One Struggles Post-Datacenter Upgrade, Frustrates Users | SpiderOak One suffered significant service disruptions following a datacenter upgrade on April 24, affecting its encrypted backup service, which is primarily used for ransomware protection. Many users, some with subscriptions spanning a decade, reported being unable to back up data and said they intended to cancel their subscriptions despite ongoing payments. SpiderOak has been issuing refunds and reimbursing customers for unused subscription months while its services are not fully operational. Customer frustration grew because of poor communication about how long the disruption would last and delayed email responses from support. Despite the company's claim of nearing full operation at 99% functionality, user reports suggest ongoing reliability problems and account billing inconsistencies. The company's support was temporarily shifted to its X social media account after the support system was disrupted by the datacenter migration. SpiderOak describes the migration as a necessary step for improving data redundancy, scalability, and disaster recovery, and states that it is close to restoring full service. The remaining issue involves one specific cluster that needs more attention because of its unique architecture; SpiderOak denies that hardware failure was a cause. | Details |
| 2024-05-28 16:19:53 | bleepingcomputer | MALWARE | Critical Fortinet RCE Vulnerability PoC Released, Urgent Patch Advised | Security researchers at Horizon3 released a proof-of-concept (PoC) exploit for a critical command injection vulnerability in Fortinet's SIEM solution. The vulnerability, tracked as CVE-2024-23108, allows unauthenticated remote command execution as root and affects FortiSIEM versions from 6.4.0 upwards. Fortinet initially dismissed the bug as a duplicate of a previously addressed issue, CVE-2023-34992, but later confirmed it as a distinct vulnerability. Fortinet patched this vulnerability, along with another severe flaw, CVE-2024-23109, on February 8, although it initially denied that they were real issues. The PoC exploit lets attackers execute unauthorized commands on unpatched FortiSIEM appliances, potentially gaining full control. The Horizon3 Attack Team also disclosed a PoC for a critical flaw in Fortinet's FortiClient EMS that is currently being exploited in the wild. Fortinet systems have been targeted in recent cyberattacks, including exploitation of their vulnerabilities to deploy malware in corporate and government networks. | Details |
| 2024-05-28 16:14:31 | bleepingcomputer | DATA BREACH | Christie's Auction House Hit by RansomHub Data Breach Incident | Christie's confirmed a data breach after the RansomHub extortion gang claimed to have stolen sensitive client data. The breach occurred earlier this month, and the group is threatening to leak the data if it is not paid. RansomHub listed Christie's on its dark web extortion page, demanding a ransom and threatening the company with GDPR fines. The attack compromised personal details of approximately 500,000 clients but did not affect financial or transaction records. Christie's responded by securing its systems and taking its website offline to mitigate further risk. The company is notifying affected clients as well as relevant regulators and government agencies. Despite being labeled a ransomware group, RansomHub primarily carries out data theft and extortion without using an encryptor. Christie's historical significance and high-profile auction sales highlight the potential impact and visibility of the breach. | Details |
| 2024-05-28 13:35:35 | theregister | CYBERCRIME | Christie’s Hit by Ransomware Attack; Client Data Stolen | Christie's auction house confirmed a data theft following an online ransomware attack by the RansomHub group. The attackers claimed to have stolen personal data of over 500,000 Christie's clients and set a seven-day deadline for ransom payment. Christie's had previously experienced a disruption it described as a “technology security issue” that took its online bidding system offline. The auction house took its website offline and conducted an investigation that confirmed unauthorized access to its network. No financial or transactional records were reported compromised, but limited client personal data was accessed. Christie's has contacted privacy regulators and government agencies and is notifying affected clients. The company has refused to meet the ransom demands, in line with a strategy of not complying with extortion in order to discourage future attacks, despite the risk of data exposure. | Details |
| 2024-05-28 12:54:32 | thehackernews | CYBERCRIME | Indian National Guilty in Massive $37 Million Cryptocurrency Scam | Chirag Tomar pleaded guilty to a wire fraud conspiracy involving the theft of over $37 million in cryptocurrency from victims in the United States and worldwide. The fraudulent operation relied on a fake website, "CoinbasePro[.]com," deliberately designed to mimic the genuine cryptocurrency exchange platform Coinbase Pro. Tomar and his accomplices impersonated Coinbase customer service to obtain two-factor authentication codes from victims, enabling unauthorized access to and theft of cryptocurrency from their legitimate Coinbase accounts. The stolen cryptocurrency was transferred to wallets controlled by the fraudsters, converted into other digital currencies or moved to different wallets, and cashed out to fund a luxurious lifestyle, including high-end cars and international trips. Tomar was arrested as he entered the U.S. on December 20, 2023; he faces up to 20 years in prison and a $250,000 fine if convicted. The case follows other arrests, including one involving a scheme that helped North Korean IT workers fraudulently obtain jobs at U.S. companies, indirectly supporting North Korea's weapons of mass destruction program despite international sanctions. Together these cases underline the ongoing global challenge posed by cryptocurrency theft and fraud and the international scale of the threat. | Details |
| 2024-05-28 11:17:22 | thehackernews | MISCELLANEOUS | Effective Security Strategies for Business-Critical Assets | Identifying and securing business-critical assets is crucial for cybersecurity and organizational success. A strategic approach includes mapping business processes to their underlying technology assets. Gartner's continuous threat exposure management framework helps focus remediation efforts where they have the most impact. Prioritizing issues related to business-critical assets aligns security initiatives with executive concerns and business objectives. Implementation of security measures should start with the most significant areas and use detailed risk assessments and stakeholder input to set priorities. Tools such as vulnerability management solutions and penetration test results are essential for identifying and prioritizing remediation actions. Focusing on business-critical assets not only secures them but also optimizes the company's use of resources, enhancing overall business performance. Aligning security measures with business goals demonstrably supports business process continuity and meets executive expectations. | Details |
| 2024-05-28 10:26:14 | thehackernews | DDOS | Researchers Expose New DDoS Attack Techniques and Botnet Threats | The CatDDoS malware botnet exploits more than 80 known security vulnerabilities to compromise devices and enlist them in a DDoS botnet. CatDDoS, a variant of the Mirai botnet, employs UDP, TCP, and other DDoS methods and mainly targets devices in China and the U.S. Compromised devices include a wide range of routers and networking equipment from major brands such as Cisco, Huawei, and NETGEAR. The attackers encrypt communications with C2 servers using the ChaCha20 algorithm and use OpenNIC domains for evasion. Although the original CatDDoS operation is suspected to have shut down in December 2023, its source code was sold, giving rise to new botnet variants. The newly disclosed DNSBomb attack abuses DNS features to produce a pulsing denial-of-service with an amplification factor of 20,000x; the widely used BIND DNS software is not vulnerable. The DNSBomb method leverages IP spoofing and attacker-controlled domain responses to create overwhelming traffic bursts that are difficult to detect and mitigate. | Details |
| 2024-05-28 08:33:58 | theregister | CYBERCRIME | ARPA-H Initiates UPGRADE Project to Enhance Cybersecurity in Healthcare | ARPA-H, modeled on DARPA, focuses on neglected yet crucial areas of health science and technology to produce impactful, sustainable innovations. The UPGRADE project, recently launched by ARPA-H, aims to develop automated systems for detecting vulnerabilities and managing patches in healthcare IT. UPGRADE uses a "digital twin" model to safely test and refine cybersecurity measures on a mirrored system without putting the primary system at risk. The initiative seeks to establish a form of "digital immunology," drawing parallels between biological immune responses and cybersecurity defenses. Despite the potential benefits, the project faces significant challenges, including the complexity of building accurate digital twins of intricate systems and the inconsistency of patch management and testing. The project emphasizes collaboration with open source communities to foster a more universally secure IT environment, potentially transforming cybersecurity practices across industries. UPGRADE's success could lead to widespread adoption and improved systemic security, but it also confronts an industry reluctant to embrace the changes needed for better security. | Details |
| 2024-05-28 06:36:47 | thehackernews | MALWARE | WordPress Plugin Exploited to Steal Credit Card Info on E-commerce Sites | Unknown attackers are abusing the Dessky Snippets WordPress plugin to inject malicious PHP code into e-commerce sites in order to steal credit card data. The malicious activity was flagged by Sucuri on May 11, 2024; the plugin is installed on over 200 active sites. The attackers manipulate the WooCommerce checkout process to insert additional fields into billing forms that ask for sensitive credit card information. The captured data, including names, card numbers, expiry dates, and CVV numbers, is exfiltrated to an attacker-designated server. The attackers' modified billing forms disable autocomplete to evade browser security warnings and reduce consumer suspicion. Similar earlier campaigns abused other WordPress plugins, such as WPCode and Simple Custom CSS and JS, and targeted over 39,000 sites. Website owners are advised to update their sites and plugins regularly, use robust passwords, and routinely check for signs of unauthorized alterations and malware. | Details |
| 2024-05-28 05:15:07 | thehackernews | CYBERCRIME | Severe Security Flaw Found in TP-Link Gaming Router | A critical vulnerability in the TP-Link Archer C5400X gaming router allows remote code execution. The flaw, tracked as CVE-2024-5035, received the highest severity rating with a CVSS score of 10.0. All firmware versions up to 1_1.1.6 are affected; a patch is available in version 1_1.1.7. Attackers could exploit the router's RF testing binary by bypassing its command restrictions using shell metacharacters. The vulnerability was disclosed by German cybersecurity firm ONEKEY, which highlighted the risks of rushed API implementations. TP-Link addressed the issue in the latest firmware update by blocking commands containing special characters. Recent disclosures of unpatched vulnerabilities in other devices stress the need for secure network interface configurations. | Details |
| 2024-05-27 19:15:01 | bleepingcomputer | MALWARE | TP-Link Resolves Critical Remote Command Execution Vulnerability | The TP-Link Archer C5400X gaming router had a critical flaw, CVE-2024-5035, that allowed remote attackers to execute arbitrary commands. The vulnerability, scored CVSS v4 10.0, was discovered through binary static analysis by analysts at OneKey. Attackers could inject commands via TCP ports 8888, 8889, and 8890 because of improper input sanitization in the 'rftest' service. Exploiting the flaw could let attackers alter DNS settings, intercept data, and reach internal networks. TP-Link released a patch on May 24, 2024, addressing the issue in firmware version 1.1.7, which filters out shell metacharacters. Users are urged to update their routers immediately to avoid potential compromise. The patch followed the initial report to TP-Link's PSIRT on February 16, 2024, with a beta patch prepared by April 10, 2024. | Details |
| 2024-05-27 18:24:03 | bleepingcomputer | CYBERCRIME | Check Point VPNs Targeted in Latest Cyberattack Campaign | Threat actors are targeting Check Point VPN devices to infiltrate enterprise networks by exploiting outdated authentication methods. Check Point advises against using local VPN accounts with password-only authentication and encourages adoption of certificate-based authentication. Recent reports describe unauthorized VPN access attempts using obsolete account details; a hotfix that enforces stronger authentication has been released. Attackers focus on the Quantum Security Gateway, CloudGuard Network, and Mobile/Remote Access VPN products. The warning follows similar alerts from other major vendors such as Cisco, indicating a broader pattern of VPN-focused cyberattacks. Cisco devices have similarly faced attacks originating from TOR exit nodes and masked by anonymization tools. Cisco also reports malware-driven brute-force incidents and state-sponsored exploitation of its network products for espionage. VPN users are urged to strengthen security by updating authentication methods and eliminating vulnerable accounts. | Details |
| 2024-05-27 17:02:36 | theregister | MISCELLANEOUS | Implementation of Biden's AI Executive Order Shows Progress | President Biden's executive order from October emphasizes safe AI usage in federal agencies, focusing on mitigating risks and establishing security standards. Former Pentagon deputy CIO Rob Carey reports that implementation of the AI order is progressing well, with agencies aligning with the outlined specifications. Most government agencies have appointed a chief data officer and developed comprehensive data management plans to comply with the executive order. The executive order serves as a guideline rather than a set of strict rules, offering guardrails for ongoing projects within federal agencies. Carey highlighted the importance of these guidelines in preventing the deployment of unreliable AI systems, such as those that might misidentify individuals or erroneously deny services. The White House remains committed to the advancement of trustworthy and secure AI technologies in federal operations. | Details |
| 2024-05-27 14:50:13 | bleepingcomputer | DATA BREACH | Sav-Rx Reports Data Breach Impacting 2.8 Million Customers | Sav-Rx, a pharmacy benefit management company, suffered a data breach in October 2023 affecting 2.8 million people in the USA. The cyberattack initially disrupted the company's network on October 8, 2023, but systems were secured and restored by the following day. Despite the quick recovery, the breach exposed personal data, and its full scope was only understood after an eight-month investigation that concluded on April 30, 2024. The compromised data included sensitive personal information, raising concerns about potential identity theft among the affected individuals. Sav-Rx implemented new security measures after the breach, including a 24/7 security operations center and multi-factor authentication. The company is providing two years of credit monitoring and identity theft protection to all impacted parties. Sav-Rx alerted its health plan customers between April 30 and May 2, 2024, and subsequently notified affected individuals. | Details |