Daily Brief
Articles are listed below; the summaries are generated automatically.
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-20 09:45:45 | thehackernews | MALWARE | BunnyLoader 3.0 Malware Update Introduces Advanced Attack Capabilities | Researchers at Palo Alto Networks Unit 42 have discovered an upgraded variant of BunnyLoader, a sophisticated malware family with enhanced data theft and evasion abilities. Named BunnyLoader 3.0 by its developer, the malware now has improved keylogging, a smaller payload, and modules written specifically for stealing data. Initially offered as malware-as-a-service (MaaS) for a monthly subscription, BunnyLoader has been updated frequently to bypass antivirus measures and expand its data collection capabilities. The latest upgrade adds denial-of-service (DoS) features for HTTP flood attacks and splits the malware's components into individual binaries for targeted deployment. BunnyLoader is distributed through a multi-stage infection chain that uses a new dropper named PureCrypter, which in turn delivers multiple stealers such as PureLogs and Meduza. The expanding MaaS landscape exemplifies the continuous retooling by threat actors to evade cybersecurity defenses. The report also notes the persistence of SmokeLoader and a new information stealer called GlorySprout, shedding light on the evolving cybercrime ecosystem and the ongoing cyberattacks on Ukrainian government and financial institutions. |
| 2024-03-20 08:49:31 | bleepingcomputer | CYBERCRIME | Warning: Scam Redirects Through Fake Twitter Ads Uncovered | Security researcher Will Dormann has identified an advertisement on the social media platform X that purports to link to Forbes but misleadingly redirects users to a scam-related Telegram account. The ad abuses the platform's preview system, which attempts to display the final URL destination; in this case the preview shows Forbes while the link redirects elsewhere. Users are first taken to joinchannelnow[.]net, which, depending on the user agent of the request, redirects either to the scam on Telegram or to a legitimate Forbes article. This setup fools X's preview system, especially in the mobile apps, where there is no status bar to reveal the true link destination before tapping. The weakness has reportedly been exploited by adversaries ranging from crypto scammers to malware and phishing operators, all taking advantage of users' trust in the displayed URL. Users are advised not to click external links in X posts and ads without thorough scrutiny, and on mobile devices it is recommended to avoid tapping such links altogether. |
| 2024-03-20 06:52:34 | thehackernews | CYBERCRIME | Ukraine Detains Three for Global Email and Instagram Account Hijacking | Ukrainian Cyber Police arrested three people for hacking over 100 million email and Instagram accounts worldwide. The suspects are accused of conducting brute-force attacks to gain unauthorized access to accounts and of selling the credentials on the dark web. If found guilty, the arrested individuals could face up to 15 years in prison. Authorities executed seven searches across Ukraine, seizing computers, phones, and other assets. Separately, a U.S. national admitted to computer fraud for breaching over a dozen entities and exfiltrating the personal data of 132,000 individuals. The U.S. defendant, who extorted victims with the sensitive data, agreed to pay over $1 million in restitution. |
| 2024-03-20 05:51:29 | thehackernews | NATION STATE ACTIVITY | U.S. EPA Launches Task Force Against Water System Cyberthreats | The U.S. Environmental Protection Agency (EPA) is creating a Water Sector Cybersecurity Task Force to protect water systems from cyberattacks. EPA Administrator Michael Regan and National Security Advisor Jake Sullivan wrote to U.S. governors expressing concern about the vulnerability of water and wastewater systems to cyber threats. Cyber Av3ngers and the China-linked Volt Typhoon are among the groups identified as targeting U.S. water systems. The risk is significant because water systems are critical infrastructure yet often lack adequate cybersecurity safeguards. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fact sheet warning of the serious risk posed by Volt Typhoon and advising implementation of cybersecurity best practices. SentinelOne reported that China's media strategy aims to manipulate global perception of U.S. hacking and espionage activities. |
| 2024-03-20 01:47:40 | theregister | CYBERCRIME | IT Contractor Jailed for Illegally Redirecting Museum Funds | An IT contractor was sentenced to 2.5 years of imprisonment for making unauthorized transactions from the National Maritime Museum's accounts. The individual exploited his role to reroute over AU$66,000 of museum funds to his personal accounts. A significant portion of the stolen funds was spent on advanced IT equipment and vehicle enhancements. The museum detected the fraudulent activity, leading to an investigation by the Australian Federal Police and an arrest in March 2023. The court set a minimum non-parole period of 15 months out of the 30-month sentence. Separately, security concerns have been raised because Australian government contractors with security clearances have been sharing sensitive project details on LinkedIn. It was also found that over half of these contractors appear on Have I Been Pwned, suggesting their credentials may have been compromised in previous data breaches. |
| 2024-03-19 23:30:10 | bleepingcomputer | DATA BREACH | Massive Leak of 19 Million Plaintext Passwords from Firebase | Cybersecurity researchers discovered 19 million plaintext passwords exposed by misconfigured Firebase instances. Scanning over five million domains revealed 916 websites with poor security setups that exposed sensitive user records. The exposed data includes names, emails, passwords, phone numbers, and billing information with bank details from various companies. The researchers attempted to notify the affected organizations, and about a quarter of them remedied their Firebase misconfigurations. Despite these efforts, only 1% of site owners responded, and the researchers received bug bounties from two of them. An Indonesian gambling network had the largest exposure, including 8 million bank records and 10 million plaintext passwords. The total number of exposed records is 223 million, a conservative estimate that suggests the problem could be more extensive. This investigation follows an earlier project in which the same researchers obtained admin and superadmin access, through misconfigurations, to AI-powered hiring software used by several U.S. fast-food chains. |
| 2024-03-19 22:08:46 | bleepingcomputer | CYBERCRIME | White House and EPA Address Surge in Cyberattacks on US Water Systems | The White House and the Environmental Protection Agency (EPA) warn of ongoing cyberattacks targeting the United States' water sector. U.S. National Security Advisor Jake Sullivan and EPA Administrator Michael Regan urge governors to strengthen cybersecurity defenses for water systems. A Water Sector Cybersecurity Task Force is being established to develop strategies against cyber threats nationwide. Chinese and Iranian state-backed hackers have recently breached U.S. water systems, prompting increased security measures. The Cybersecurity and Infrastructure Security Agency (CISA) has released a security scanning tool to help water utilities identify and address vulnerabilities. There have been multiple ransomware attacks on the U.S. Water and Wastewater Systems Sector over the past decade, some leading to significant disruptions. |
| 2024-03-19 21:17:52 | bleepingcomputer | CYBERCRIME | US Defense Dept Processes 50,000th Vulnerability Report Since 2016 | The U.S. Department of Defense's Cyber Crime Center (DC3) has processed 50,000 vulnerability reports since launching its Vulnerability Disclosure Program (VDP) in November 2016. The VDP, which began after a successful 'Hack the Pentagon' bug bounty event, differs from typical bug bounties by allowing continuous reporting from ethical hackers. In 2018, DC3 implemented an automated system to track and process vulnerability reports, improving both efficiency and hacker participation. The VDP's scope has expanded to cover all publicly accessible Defense Department IT assets, leading to the discovery and mitigation of 400 significant flaws in a 12-month program in 2021, reportedly saving $61 million in taxpayer funds. Although the annual report for 2023 has not yet been released, it is estimated from the previous year's reports that 5,000 flaws were processed last year. The DoD's bug bounty program on HackerOne has seen over 27,000 issues resolved, with 1,231 reports received in the last 90 days. Ethical hackers who want to contribute to the DoD's cybersecurity can find participation guidelines on the VDP's HackerOne page. |
| 2024-03-19 21:02:24 | theregister | NATION STATE ACTIVITY | Chinese Cyberespionage Campaign Targets Global Government Entities | Chinese hackers known as Earth Krahang have infiltrated over 70 organizations in 23 countries, focusing primarily on government entities through phishing and server exploits. Trend Micro has identified two custom backdoors, RESHELL and XDealer, and a consistent pattern of using compromised government infrastructure to conduct further attacks. The researchers noted strong similarities between Earth Krahang and another state-backed Chinese group, Earth Lusca, and possible connections to the Chinese security contractor I-Soon. Government, education, telecommunications, and other sectors have been affected, with tactics including spear-phishing emails sent from compromised government accounts. The hackers exploit known vulnerabilities in public-facing servers, such as CVE-2023-32315 in Openfire and CVE-2022-21587 in Oracle Web Applications Desktop Integrator, and use various open-source scanning tools to identify potential targets. There is evidence of lateral movement within networks using SoftEther VPN, along with the installation of persistent backdoors and credential theft. Security recommendations include educating employees on avoiding phishing, verifying sender identity before engaging with emails, and applying software updates and patches promptly. |
| 2024-03-19 20:21:29 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Agencies Warn of Chinese Hackers Targeting Critical Infrastructure | CISA, together with the NSA, the FBI, and other international agencies, issued warnings about critical infrastructure at risk from the Chinese hacking group known as Volt Typhoon. The group has infiltrated multiple U.S. critical infrastructure organizations, in some cases maintaining access for over five years without detection. Volt Typhoon's objectives appear to focus on Operational Technology (OT) within networks, with the potential to disrupt essential services. U.S. agencies are advising infrastructure leaders to bolster cybersecurity, secure supply chains, and align performance management with cyber goals. The agencies recommend that cybersecurity teams ensure comprehensive logging for early detection and response, and that leaders ask what resources those teams need to detect compromise effectively. Volt Typhoon, also known as Bronze Silhouette, used a botnet (KV-botnet) of devices across the U.S. to conceal its activities; the FBI disrupted that botnet in December. Authorities have encouraged SOHO router manufacturers to improve device security to prevent future Volt Typhoon attacks, stressing secure default configurations and the elimination of web interface vulnerabilities. |
| 2024-03-19 20:05:59 | theregister | DATA BREACH | Investment Scams Top US Cybercrime Financial Losses in 2021 | The FBI reported that investment fraud, especially cryptocurrency scams, caused the largest financial losses from cybercrime in the US last year, totaling $4.57 billion. Most of these scams exploited individuals seeking quick profits in the cryptocurrency market, with losses from such scams nearing $4 billion. The agency also observed an increase in fraudulent schemes offering to recover previously lost investments, targeting the same victims for additional funds. Ransomware attacks accounted for a comparatively lower financial loss of $59.6 million for the year, though the report stressed that this figure is likely underreported. Business Email Compromise (BEC) attacks and impersonation of customer support or government staff caused significant financial damage, with adjusted losses of $2.9 billion from BEC attacks alone. People over 60 were the most affected, representing 40% of all complaints and 58% of total losses, which amounted to $1.3 billion specifically from call center scams. Overall, cybercrime cost US citizens $12.5 billion in 2021, with the FBI receiving 2,412 complaints per day, and the financial impact of victimization increased with the age of the victim. |
| 2024-03-19 19:20:04 | bleepingcomputer | CYBERCRIME | Alert on Scammers Faking FTC Roles to Defraud Consumers | The FTC has issued a warning about scammers posing as agency employees to con Americans into sending money, with the median loss from such scams rising from $3,000 in 2019 to $7,000 in 2024. Victims, often elderly, have been duped into transferring or wiring money to the fraudsters. There were over 14,000 government impersonation complaints in the last year, causing over $394 million in losses. The FTC emphasizes that it will never ask consumers to move funds for protection or to pay with cryptocurrency, and it has established a rule to combat impersonation scams more effectively. The FBI notes a 22% increase in online crime financial losses in 2023, reaching $12.5 billion, with BEC, investment scams, ransomware, and impersonation fraud as the leading causes. People over 60 are particularly susceptible to these crimes; cybercrime complaints to the FBI jumped 10% from the previous year to 880,000. The agency has published guidelines to help the public recognize fraudulent activity and provides reporting channels for scams in both English and Spanish. The FBI encourages vigilance against fraud attempts and has previously published tips to help individuals avoid becoming scam victims. |
| 2024-03-19 18:19:01 | bleepingcomputer | CYBERCRIME | Ukraine Cyber Police Arrest Hackers Over 100 Million Account Thefts | Ukrainian cyber police have arrested three individuals linked to the theft of over 100 million email and Instagram accounts. The suspects used brute-force attacks to hijack accounts, automatically guessing passwords until the correct one was found. Compromised accounts were sold on the darknet, allowing fraud groups to scam the victims' contacts by requesting money transfers. An organized criminal structure was revealed, with a leader assigning roles and infrastructure spread across multiple Ukrainian regions. Law enforcement conducted seven searches, seizing computers, phones, and financial instruments as part of the crackdown. Those arrested face charges including unauthorized interference in computer systems, which carries penalties of up to 15 years in prison. A separate investigation has been opened into the hackers' potential ties with foreign entities, particularly Russian interests. The police recommend strong, unique passwords and multi-factor authentication (MFA) to improve online account security. |
| 2024-03-19 16:22:01 | thehackernews | CYBERCRIME | Alarming Surge in Cyberattacks Targeting Mismanaged API Endpoints | APIs accounted for 71% of internet traffic in 2023, carrying extensive data exchange between applications and databases. The average enterprise website handles around 1.5 billion API calls annually, highlighting the critical role of APIs in digital services. Imperva's report points to significant risk from production APIs that are inadequately cataloged, authenticated, or audited, with an average of 613 API endpoints per organization. API security incidents cost global businesses an estimated $75 billion each year, with financial services bearing the brunt of API-related cyberattacks. Account takeover (ATO) attacks, often carried out by malicious bots, represent almost half of API-targeted cybercrime, with the banking and online retail sectors hit especially hard. Developers frequently push APIs into production without proper security checks, leaving vulnerabilities that cybercriminals exploit. Imperva's report identifies shadow, deprecated, and unauthenticated APIs as major sources of cyber risk and advocates regular security audits and continuous monitoring to improve API security. |
| 2024-03-19 14:34:45 | theregister | CYBERCRIME | Crypto Wallet Providers Warned to Enhance Security Against Rising Attacks | Cybercriminals have abused Ethereum's CREATE2 opcode to steal millions from crypto wallets, prompting a call for stronger wallet security. The CREATE2 opcode, introduced in 2019, makes smart contract deployment more efficient but also lets attackers drain funds using new, unflagged addresses. Because attackers can pre-calculate the addresses at which malicious contracts will be deployed, those addresses have no history of malicious activity and evade typical blocklist-based security measures. Security researchers cite a significant scam in January in which $3.6 million in SuperVerse tokens were stolen, illustrating the severe impact on victims. The attack relies on social engineering to obtain a contract approval from the victim, followed by deployment of the malicious contract at the CREATE2-derived address. Security experts stress the need for continual vigilance, education, and updated security practices in the blockchain community to counter such attacks. High-profile wallet-draining incidents have occurred across various blockchains, with North Korea's Lazarus group suspected of involvement in many of the thefts. |