Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12713
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-13 11:50:02 | theregister | DATA BREACH | Europol Investigates Data Theft Claim, Platform Remains Down | A cybercriminal using the alias IntelBroker claimed to have stolen classified data from Europol, including source code and employee information.
The affected platform, Europol Platform for Experts (EPE), has been offline since May 10 for maintenance, following the data breach allegations.
Europol confirmed that the incident involves a closed user group within the EPE, but stressed that no core systems or operational information were compromised.
IntelBroker also claimed responsibility for breaching additional parts of Europol, such as the cryptocurrency and space divisions of the European Cybercrime Centre, and other projects.
Data allegedly stolen included screenshots and discussions from the EPE on obtaining sensitive data from social media platforms.
Europol has initiated an investigation and taken preliminary actions but has not provided detailed comments on the situation.
The incident coincides with a recent security breach at the European Parliament, suggesting a broader pattern of cyber threats targeting EU institutions. | Details |
| 2024-05-13 10:23:19 | thehackernews | MISCELLANEOUS | Enhancing Cybersecurity Workflow with AI-Driven Response Platform | The disconnect between IT management and analysts has increased due to high volumes of alerts and manual triage processes.
Analysts face alert fatigue, leading to overlooked incidents and repeated false positive findings, causing significant time inefficiencies.
The SHQ Response Platform integrates AI to automate log correlation, improving incident analysis efficiency by centralizing critical data.
This platform enables analysts to remain within one interface instead of pivoting across multiple systems, thereby gaining clarity on incident narratives through automated timelines and updates.
Automated tools within the platform can block identified compromises, streamlining the process from detection to mitigation.
SecurityHQ's Risk Register fosters a collaborative environment, aligning technical analysis with business strategy and mitigating actions.
By reducing manual tasks, analysts can also see the impact of their work in broader organizational contexts, increasing job satisfaction and efficacy.
The platform suggests a shift towards proactive cybersecurity management, focusing on strategies and long-term goals rather than immediate incident closure. | Details |
| 2024-05-13 10:17:59 | thehackernews | MALWARE | Critical Flaws Found in Cinterion Modems Threaten Multiple Sectors | Cybersecurity researchers identified multiple severe vulnerabilities in Cinterion cellular modems, impacting various critical sectors including industrial, healthcare, and financial services.
The most dangerous flaw, tracked as CVE-2023-47610, allows remote code execution via specially crafted SMS messages, giving an attacker control over modem memory without physical access.
Additional vulnerabilities affect the Java-based MIDlet applications that run on the modems, allowing unauthorized privilege escalation and code execution.
The vulnerabilities were first revealed at OffensiveCon in Berlin and further detailed by Kaspersky’s ICS CERT in advisories.
The complex integration of modems within broader technology ecosystems makes it difficult to determine the full range of affected products.
Mitigation recommendations include disabling non-essential SMS features, using private Access Point Names, enhancing physical security controls, and routine security evaluations.
Researchers Sergey Anufrienko and Alexander Kozlov are credited with discovering these flaws, highlighting ongoing security challenges in integrated network devices. | Details |
| 2024-05-13 10:07:32 | thehackernews | MALWARE | Black Basta Ransomware Impacts Over 500 Global Entities | Black Basta ransomware-as-a-service has affected more than 500 organizations in North America, Europe, and Australia across 12 critical infrastructure sectors.
Joint advisory by CISA, FBI, HHS, and MS-ISAC warns that Black Basta uses phishing, exploits known vulnerabilities, and employs double-extortion tactics.
Unlike typical ransomware, Black Basta's ransom notes generally contain no initial demand or payment instructions; they give the victim a unique code and direct them to contact the gang through a .onion URL.
The group uses techniques including network scanning, lateral movement tools, and privilege escalation exploits to conduct attacks.
Incident responders have observed the Backstab tool used to disable endpoint detection and response (EDR) products before files are encrypted with ChaCha20, with the keys protected by an RSA-4096 public key.
The broader ransomware landscape showed an 18% decrease in activity in Q1 2024, influenced by law enforcement actions and changing tactics among groups.
Payment trends indicate a significant drop in the average ransom payments, correlating with an increased reluctance among victims to meet ransom demands. | Details |
| 2024-05-13 09:26:38 | theregister | CYBERCRIME | Addressing the Evolving Threats of Ransomware, Breaches, and Extortion | British cybersecurity infrastructure faces critical challenges addressing ransomware, data breaches, and extortion threats.
Recent attacks on Leicester City Council and NHS Scotland underscore the frequency and scale of these cybersecurity incidents.
Criminal groups are increasingly organized, stealing data and monetizing it through sophisticated use of cryptocurrencies.
Rubrik's CISO, Richard Cassidy, emphasizes the need for proactive security investments to mitigate cyber threats.
Cassidy, with 20 years in cybersecurity, discusses the importance of understanding and improving cyber defense strategies.
Continuous changes in cybercriminal methods necessitate a comprehensive approach to cybersecurity policies and practices.
Potential consequences of inadequate cyber strategies include severe regulatory actions, hefty fines, and custodial sentences. | Details |
| 2024-05-13 08:35:31 | theregister | MISCELLANEOUS | Debunking Encryption Myths and Addressing Youth Online Safety | Europol criticized Meta for its use of end-to-end encryption (E2EE), claiming it hides child sexual abuse material (CSAM); the article notes that no statistical evidence has been produced for that claim.
Critics argue against weakening E2EE, holding that doing so would be harmful and that no secure alternative to it exists.
A report from Dublin City University discusses how social platforms like TikTok and YouTube Shorts target teens with harmful content through their algorithms.
Public discourse includes propositions such as banning mobile phones for under-16s and imposing strict usage limits similar to measures in China, despite their practical and ethical implications.
These discussions are part of a broader concern about a supposed crisis in youth mental health, attributed by some to increased screen time, though such claims are contested by various professionals.
The narrative that urgent action is needed to safeguard youth often overlooks the potential negative impacts of suggested interventions.
Experts suggest improving the situation by fixing harmful algorithms and enhancing parental controls on devices rather than imposing restrictive measures. | Details |
| 2024-05-13 06:22:50 | thehackernews | MALWARE | Malicious Python Package Uses Steganography to Conceal C2 Malware | Cybersecurity researchers discovered a malicious Python package named requests-darwin-lite that imitates the popular requests library and carries a Golang build of the Sliver command-and-control (C2) framework.
The Sliver binary is hidden inside a PNG image of the library's logo using steganography.
The fake package was downloaded 417 times before its removal from the Python Package Index (PyPI).
It targets specific systems: the infection chain proceeds only if the host's Universally Unique Identifier (UUID) matches a pre-set value, hinting at either a highly targeted attack or a preparatory step for a broader campaign.
The package's setup.py decodes and executes a Base64-encoded command at install time to collect the system's UUID.
The legitimate requests logo is about 300 kB; the PNG shipped in the malicious package is about 17 MB, the difference being the embedded binary data.
This incident underscores the ongoing vulnerabilities within open-source ecosystems and emphasizes the need for systematic security strategies to protect against such malware infiltration. | Details |
| 2024-05-13 02:49:13 | theregister | CYBERCRIME | ASEAN Faces Rising Cyber Threats; Cloudflare Enhances Security | ASEAN organizations are experiencing an increase in cyber threats across various industries.
A July 2023 Cloudflare whitepaper highlights that 78% of surveyed cybersecurity professionals faced at least one incident over the past year.
The majority (76%) noted a rise in the frequency of these security incidents, with many reporting multiple events.
The complexity of cybersecurity is growing due to the hybrid working model and distributed IT infrastructure.
Cloudflare's comprehensive solution, "Everywhere Security," offers unified threat management across cloud-native platforms.
The company’s platform aims to simplify cybersecurity, integrating services such as Zero Trust, application protection, and email security.
Cloudflare’s extensive network helps apply real-time threat intelligence, enhancing threat visibility and reducing alert redundancies.
The initiative aligns with the ASEAN Digital Masterplan 2025, promoting secure, transformative digital services across the region. | Details |
| 2024-05-13 02:23:22 | theregister | DATA BREACH | Proton Mail Shares User Data with Law Enforcement Again | Encrypted email provider Proton Mail handed over personal identifying information of users to law enforcement.
After handing over a user's IP address to authorities in 2021, Proton Mail has attracted criticism for not fully living up to its privacy claims.
Recently, Proton provided a user's recovery email to Spanish police, aiding in tracking activities related to Catalan separatism.
US Patent and Trademark Office admitted a second data leak in two years, exposing 14,000 patent applicants' private addresses.
Google addressed an exploited vulnerability in Chrome, highlighting the need for users to update their browsers.
LockBit ransomware continues to pose a threat by disrupting critical services in Wichita, Kansas, despite law enforcement pressures.
Proton clarifies that while it offers privacy by default, it does not guarantee anonymity; user details can be disclosed if legally compelled. | Details |
| 2024-05-12 20:07:39 | theregister | CYBERCRIME | Ransomware Negotiator Reveals New Criminal Tactics and Challenges | Ransomware activity reached record levels last year, with more than 4,500 victims attributed to some 60 criminal gangs.
Drew Schmitt, a professional ransomware negotiator, discussed evolving ransomware tactics and the complexities of incident response.
Schmitt emphasizes that his team focuses on threat actor communication and risk advisement, not solely on facilitating ransom payments.
Debate continues regarding whether ransom payments should be banned, amidst growing use of coercive tactics by ransomware gangs.
Law enforcement efforts to combat ransomware gangs have shown some success, indicating that no group is entirely immune to takedowns.
Some ransomware entities, like ALPHV, experience significant disruptions, while others like LockBit might only be temporarily impacted.
Schmitt advocates for a multifaceted approach to combat ransomware, including incentives for improved security measures rather than just a payment ban.
There’s discussion about potentially regulating ransomware negotiators and broader legal strategies in managing ransomware incidents. | Details |
| 2024-05-12 14:17:03 | bleepingcomputer | DATA BREACH | Firstmac Warns of Major Data Breach by New Cyber-Extortion Group | Firstmac Limited, a key Australian non-bank financial firm, reported a significant data breach, with over 500GB of customer data potentially compromised.
The breach announcement came a day after the Embargo cyber-extortion group claimed responsibility and leaked the data online.
Firstmac is a prominent mortgage lender in Australia, managing $15 billion in mortgages and having written over 100,000 home loans.
The breached data includes potentially sensitive information, although Firstmac reassured customers that their accounts and funds remain secure.
Enhanced security measures, including two-factor authentication for account changes, have been implemented following the incident.
Firstmac is offering free identity theft protection services to affected customers and advises vigilance against unsolicited communication.
Little is known about the Embargo group: no prior ransomware activity has been confirmed, and it is unclear whether it encrypts systems or only steals data for extortion. | Details |
| 2024-05-11 17:18:01 | theregister | CYBERCRIME | Rising Cybersecurity Threats Against Global Critical Infrastructure | Almost 75% of critical infrastructure companies faced a ransomware attack last year.
Claroty CEO Yaniv Vardi emphasizes the increasing trend of both physical and digital attacks on crucial networks.
Critical infrastructure includes essential systems like power lines, internet cables, and water control technologies.
The threats are escalating due to the rapid pace of connectivity outstripping security measures.
Vardi advocates for stronger public-private cooperation and stricter governmental regulations.
He highlights that suppliers of software and hardware must be held more accountable to enhance security.
The need for comprehensive defense strategies is urgent as the vulnerability of critical infrastructures heightens. | Details |
| 2024-05-11 15:21:00 | bleepingcomputer | DATA BREACH | Massive Data Leak Affects 26 Million From News Site Hack | The Post Millennial, a conservative Canadian news magazine, was hacked, leading to data leaks impacting nearly 27 million people.
Hackers defaced the website, posting false messages attributed to editor Andy Ngo and shared links to the stolen data which included personal information of writers, editors, and subscribers.
The leaked data includes highly sensitive details such as IP addresses, physical addresses, emails, phone numbers, and plaintext passwords.
The information was reportedly sourced from The Post Millennial and various mailing lists used in different campaigns, some not directly managed by the news site.
Cybersecurity expert Troy Hunt added the data to the Have I Been Pwned service to help notify affected individuals, though the exact source of the data remains unconfirmed.
The Post Millennial has yet to release an official statement about the breach, and efforts to obtain comments from them and associated media groups have been unsuccessful.
Individuals potentially impacted are advised to reset passwords, monitor account activities, and be cautious of unsolicited communications in any form. | Details |
| 2024-05-11 14:09:45 | bleepingcomputer | MALWARE | Black Basta Ransomware Impacts Over 500 Global Organizations | Black Basta ransomware affiliates have compromised over 500 organizations globally, including sectors critical to infrastructure.
The attacks targeted entities across North America, Europe, and Australia, encrypting and exfiltrating data.
Notable victims include high-profile companies such as Rheinmetall, Hyundai Europe, and Capita, as well as institutions like the Toronto Public Library.
After the Conti group's disbandment in 2022, Black Basta is speculated to be a spin-off or rebrand, possibly linked to other Russian cybercrime groups.
This gang has amassed at least $100 million in ransoms from more than 90 victims as of late 2023.
CISA and FBI provided tactical recommendations for organizations to defend against such ransomware attacks, emphasizing the need for updated systems, secure remote access, and phishing-resistant MFA.
Specific advisories were issued to healthcare organizations, highlighting their vulnerability due to operational dependence on technology and sensitive data access.
Recent suspected Black Basta involvement in a ransomware attack on Ascension's systems underscored the accelerating threat against the healthcare sector. | Details |
| 2024-05-11 12:48:25 | bleepingcomputer | DATA BREACH | Europol Investigates Data Breach, No Operational Impact Reported | Europol confirmed a breach in its Europol Platform for Experts (EPE), following claims by threat actor IntelBroker.
The breach reportedly involves stolen For Official Use Only (FOUO) documents; however, Europol states no operational data was jeopardized.
The EPE portal, used for sharing non-personal crime data, was offline for maintenance following the incident.
IntelBroker claims access to sensitive data from various Europol communities, including personal information from the EC3 SPACE database containing 9,128 records.
The hacker markets the stolen data exclusively in exchange for the cryptocurrency Monero (XMR), emphasizing a sale to only reputable members.
IntelBroker's previous attacks include breaches at U.S. government agencies and large corporations, demonstrating a pattern of targeting significant entities.
Europol has initiated an investigation into the extent of the breach and taken preliminary measures to further secure its systems. | Details |