Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2024-03-06 20:55:33 | theregister | CYBERCRIME | FBI Reports Significant Rise in Ransomware Targeting Critical Infrastructure | The FBI's Internet Crime Complaint Center (IC3) registered 880,418 cybercrime complaints in 2023, with losses potentially exceeding $12.5 billion.
Ransomware attacks escalated, and critical infrastructure was hit hard: healthcare alone reported 249 ransomware incidents.
Ransomware complaints rose 18% year over year and reported ransomware losses rose 74%, to more than $59.6 million.
Ransomware complaints from critical infrastructure organizations rose 37%, and 14 of the 16 critical infrastructure sectors reported at least one attack.
Prominent ransomware variants attacking these sectors included LockBit, ALPHV/Blackcat, Akira, Royal, and Black Basta.
Despite international law enforcement efforts and takedowns, cybercriminal groups remain persistent, as seen with ALPHV/BlackCat's continued activity.
Investment fraud was the costliest category in 2023, at more than $4.57 billion in reported losses, with cryptocurrency investment fraud losses up 53%.
Business email compromise (BEC) remained highly profitable for criminals, with reported losses of more than $2.9 billion. | Details |
| 2024-03-06 20:35:03 | bleepingcomputer | CYBERCRIME | Hackers Mimic US Agencies in Sophisticated Email Scams | TA4903 hacker group specializes in business email compromise (BEC) and has been imitating U.S. government entities.
The entities impersonated include the U.S. Department of Transportation, Agriculture, and Small Business Administration.
Proofpoint reports that TA4903's activity has ramped up since mid-2023; recent campaigns embed QR codes in PDF attachments that lead to credential-phishing sites.
The PDF attachments share a consistent design and metadata suggesting a Nigerian origin; the QR codes resolve to sites that mimic official U.S. government agency portals.
The group has previously used MFA-bypass phishing kits, but that tactic has not been observed in its campaigns this year.
TA4903 is financially motivated and works through large-volume email campaigns; since mid-2023 it has also impersonated small and medium-sized businesses rather than only government agencies.
Each stage of the chain (the lure email, the PDF, the QR code, the phishing domain) offers a detection opportunity, so a layered defense is recommended. | Details |
| 2024-03-06 18:22:43 | theregister | CYBERCRIME | Fidelity Reports Theft of Customer Data in Infosys Ransomware Attack | Nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information is feared compromised due to a cybersecurity incident involving Infosys.
The attack hit Infosys McCamish Systems (IMS), an Infosys subsidiary that runs IT systems for Fidelity; the LockBit ransomware group claimed responsibility.
Exposed data includes names, Social Security numbers, bank account details, credit/debit card numbers, and security codes—potentially allowing for financial fraud and identity theft.
The intrusion took place between October 29 and November 2, 2023. IMS also serves Bank of America, which separately notified roughly 57,000 of its customers, so more than 85,000 individuals in total may have had data stolen.
Fidelity has been working with Infosys McCamish Systems (IMS) to investigate the breach, contain its consequences, and restore secure services.
LockBit claimed the attack shortly after Infosys disclosed it; much of the gang's infrastructure has since been seized by law enforcement (Operation Cronos, February 2024).
Fidelity and Bank of America have both notified affected customers and are investigating the full extent of the data breach's impact. | Details |
| 2024-03-06 18:17:15 | bleepingcomputer | MALWARE | Duvel Brewery Operations Halted by Ransomware Attack | Duvel Moortgat Brewery, known for its range of popular Belgian beers, was hit by a ransomware attack that stopped its beer production.
The company's automated threat detection systems identified the attack, which occurred late at night, prompting an immediate pause in production.
Duvel's communications manager reported that while the restart date for production is uncertain, there should be no impact on beer distribution due to ample stock.
Beer enthusiasts online reacted with humor but also expressed concerns over a potential increase in beer prices if the disruption is prolonged.
The extent of the attack on other company facilities is unclear, and no ransomware group has yet claimed responsibility for the cyber incident.
BleepingComputer reached out to Duvel for further information, but no immediate response was provided.
There's currently no information available about whether the attack has led to data theft or the possibility of extortion, only that brewing operations are affected. | Details |
| 2024-03-06 17:31:15 | bleepingcomputer | CYBERCRIME | Canadian Anti-Money Laundering Agency Hit by Cyber Incident | The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) took its corporate systems offline as a precaution after a cyber incident.
FINTRAC assured that no intelligence or classified systems were breached, maintaining the security of sensitive information.
Immediate actions included collaborating with federal partners to restore operations and strengthen future cybersecurity defenses.
The nature of the cyberattack and the identity of threat actors involved have not been disclosed, with no claims of responsibility observed.
The incident is the latest in a run of breaches at Canadian institutions, including the RCMP, Trans-Northern Pipelines (TNPI), the Toronto Zoo, and Memorial University of Newfoundland (MUN).
The consistent occurrence of cyberattacks highlights a period of heightened cybersecurity challenges for Canada. | Details |
| 2024-03-06 17:05:34 | theregister | CYBERCRIME | Apple Patches iOS Zero-Days and Bows to EU Rules | Apple has patched four vulnerabilities in iOS and iPadOS, including two zero-days that were reportedly exploited in the wild.
The two zero-days, CVE-2024-23225 (kernel) and CVE-2024-23296 (RTKit), are memory-corruption bugs that let an attacker who already has arbitrary kernel read/write capability bypass kernel memory protections; they are post-exploitation primitives rather than initial-access bugs.
Fixes ship in iOS and iPadOS 17.4, with a separate iOS/iPadOS 16.7.6 release for older devices that cannot run iOS 17.
Apple has not said who exploited the bugs or against whom, and the National Vulnerability Database had not yet scored them at the time of writing.
Apple also fixed two lower-severity bugs: CVE-2024-23243 in Accessibility, reported by a student, which could let an app read sensitive location information, and CVE-2024-23256 in Safari Private Browsing, where locked tabs could be briefly visible while switching tab groups.
The recent updates go beyond security fixes, including features mandated by the EU's Digital Markets Act, such as offering users a choice of browser engines and app download sources. | Details |
| 2024-03-06 17:00:16 | thehackernews | MALWARE | Sophisticated Crypto Mining Malware Targets Cloud Services | Hackers are exploiting misconfigured servers, including Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis, to mine cryptocurrency and establish remote access.
Targets are found by mass-scanning with masscan or pnscan for the exposed services; Golang payloads then automate exploitation of each one.
Once compromised, attackers install rootkits and the Platypus reverse shell utility to conceal their presence and continue operations.
Cado Security, which named the campaign 'Spinning YARN', notes overlaps with earlier cloud-focused groups such as TeamTNT and WatchDog; the tooling shows a solid understanding of cloud misconfigurations.
Uptycs identified similar attacks by the 8220 Gang, focusing on cloud infrastructure via known Apache Log4j and Atlassian Confluence Server flaws.
These sophisticated attacks involve a range of evasive maneuvers, including disabling security features and modifying firewall rules to remain undetected.
Cryptocurrency mining is a notable motive, but attackers are also engaging in diverse threats, including ransomware attacks on cloud and Linux infrastructure.
The cloud security landscape requires heightened vigilance due to increased targeting of cloud services and the technical sophistication of threat actors. | Details |
| 2024-03-06 15:43:45 | bleepingcomputer | CYBERCRIME | VMware Addresses Critical Virtual Machine Escape Vulnerabilities | VMware has patched critical vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation that could allow attackers to escape virtual machine sandboxes.
The two most severe, CVE-2024-22252 and CVE-2024-22253, are use-after-free bugs in the XHCI and UHCI USB controllers; rated up to 9.3, they let an attacker with local admin rights in a guest execute code on the host on Workstation and Fusion, and inside the VMX process on ESXi, breaking the isolation between VMs.
The four CVEs run from CVE-2024-22252 to CVE-2024-22255; the latter two are an out-of-bounds write in ESXi and an information leak in the UHCI controller.
As a temporary workaround VMware advises removing the USB controllers from VMs, which disables USB passthrough (and USB keyboard and mouse on some guests); patches are also available for older product versions.
VMware stresses the importance of quick patch deployment, despite no reports of active exploitation, and advises admins to subscribe to their mailing list for updates.
The company has released a FAQ to guide users through fixing or mitigating vulnerabilities for various product configurations. | Details |
| 2024-03-06 15:13:00 | thehackernews | CYBERCRIME | BlackCat Ransomware Group Disappears After Alleged Exit Scam | The BlackCat (ALPHV) ransomware group has abruptly shut down its operations in what looks like an exit scam, following a purported $22 million ransom payment from Change Healthcare.
Security researchers dismissed the group's claim that law enforcement had seized its site, pointing to inconsistencies in the page source of the posted seizure notice.
The U.K.'s National Crime Agency confirmed it had no involvement in any disruption of BlackCat's online infrastructure.
A disgruntled affiliate accused BlackCat of absconding with the full ransom amount, prompting speculation of an exit scam and possible future rebranding of the group.
BlackCat, known for earlier iterations as DarkSide and BlackMatter, had previously regained control of their infrastructure after a seizure in December 2023, highlighting their resilience to law enforcement actions.
The group's closure aligns with shifts in ransomware landscape, including LockBit moving activities to a new dark web portal and RA World's continued infiltration into various sectors since April 2023. | Details |
| 2024-03-06 12:34:51 | theregister | CYBERCRIME | Capita Reports Over £100M Loss Partly Due to Cyberattack | Capita has reported a significant net loss of £106.6 million for 2023, impacted by a costly cyberattack.
The Black Basta ransomware attack in March 2023 cost Capita an estimated £25.3 million.
The company's market value dropped 20% following the announcement of its losses.
CEO Adolfo Hernandez announced further cost-cutting measures, targeting savings of £100 million by mid-2025.
Despite the cyberattack, Capita continues to secure government contracts, including a £239 million pension scheme management deal.
Capita's customer net promoter score dropped due to the cyberattack's impact on its pensions administration business.
The company is cooperating with the Information Commissioner's Office and is not expecting a regulatory penalty at the moment.
Ongoing dark web monitoring has not indicated further circulation of stolen data from the attack. | Details |
| 2024-03-06 12:14:05 | bleepingcomputer | MALWARE | Golang Malware Targets Misconfigured Servers in Automated Campaign | Hackers are exploiting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis using sophisticated Golang-based malware.
The campaign relies on exposed, unauthenticated services rather than new exploits, dropping a cryptocurrency miner and a backdoor for persistent remote access.
Four new Golang payloads (h.sh, d.sh, w.sh, c.sh) automate the discovery and exploitation of vulnerable services while trying to stay under the radar.
Where an exploit is needed the payloads reach for old bugs, such as CVE-2022-26134, an OGNL injection in Atlassian Confluence that gives unauthenticated remote code execution on the server.
Cado Security uncovered the campaign when a Docker API honeypot was compromised, leading to an investigation that revealed the use of a multi-stage attack script.
The threat actors use shell scripts and common Linux tactics to install miners, create persistence, and remove traces of the initial access.
While the shell scripts and miner are widely detected, the four new Golang binaries are still largely undetected by antivirus engines, suggesting the campaign is recent.
Technical analysis and indicators of compromise have been shared by Cado Security for better industry awareness and defense against this campaign. | Details |
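The two Cado stories above (the 'Spinning YARN' row and this one) turn on the same root cause: management interfaces of Docker, Hadoop YARN, Redis and Confluence reachable without credentials. The following is an added example written for this brief, not code from Cado Security or from the campaign, that audits one host for those four exposures. It assumes the services listen on their usual default ports over plain HTTP, that `/version` (Docker) and `/ws/v1/cluster/info` (YARN) answer without auth when the API is open, that Confluence publishes its version in the `ajs-version-number` meta tag, and that the embedded sample responses (constructed, not captured) stand in for a live target; the Confluence version ranges are those listed in Atlassian's advisory for CVE-2022-26134.

```python
"""Audit one host for the four unauthenticated services abused by 'Spinning YARN'.

Added example for this brief, not Cado Security's or the campaign's code.
Assumptions: default ports, plain HTTP, and the constructed sample responses below.
"""
import json
import re
import socket
import urllib.request

DOCKER_PORT, YARN_PORT, REDIS_PORT, CONFLUENCE_PORT = 2375, 8088, 6379, 8090

# Confluence release lines affected by CVE-2022-26134 per Atlassian's advisory:
# (first affected version, first fixed version).
CONFLUENCE_CVE_2022_26134 = [
    ((1, 3, 0), (7, 4, 17)),
    ((7, 5, 0), (7, 13, 7)),
    ((7, 14, 0), (7, 14, 3)),
    ((7, 15, 0), (7, 15, 2)),
    ((7, 16, 0), (7, 16, 4)),
    ((7, 17, 0), (7, 17, 4)),
    ((7, 18, 0), (7, 18, 1)),
]


def http_get(host, port, path, timeout=3.0):
    """Plain-HTTP GET returning (status, body), or (None, "") when unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except Exception:
        return None, ""


def redis_ping(host, port=REDIS_PORT, timeout=3.0):
    """Send a bare PING: '+PONG' means no AUTH is enforced, '-NOAUTH' means it is."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\r\n")
            return s.recv(64).decode("ascii", "replace")
    except OSError:
        return ""


def _json_object(body):
    """Parse body as a JSON object; anything else (HTML, garbage) becomes {}."""
    try:
        obj = json.loads(body)
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}


def confluence_vulnerable(version):
    """True when a Confluence version string falls in an affected range."""
    v = tuple(int(x) for x in version.split("."))
    return any(lo <= v < fixed for lo, fixed in CONFLUENCE_CVE_2022_26134)


def audit_host(host, http=http_get, redis=redis_ping):
    """Return {service: why it matters} for every service exposed without credentials."""
    findings = {}

    status, body = http(host, DOCKER_PORT, "/version")
    if status == 200 and "ApiVersion" in _json_object(body):
        findings["docker"] = ("Engine API answers without auth; creating a container with "
                              "the host filesystem mounted yields root on the host")

    status, body = http(host, YARN_PORT, "/ws/v1/cluster/info")
    if status == 200 and "clusterInfo" in _json_object(body):
        findings["yarn"] = ("ResourceManager REST API answers without auth; "
                            "POST /ws/v1/cluster/apps runs an arbitrary command")

    if redis(host).startswith("+PONG"):
        findings["redis"] = ("PING accepted without AUTH; CONFIG SET dir/dbfilename plus "
                             "SAVE can write a cron entry or authorized_keys")

    status, body = http(host, CONFLUENCE_PORT, "/")
    m = re.search(r'name="ajs-version-number"\s+content="([\d.]+)"', body)
    if status == 200 and m and confluence_vulnerable(m.group(1)):
        findings["confluence"] = (f"version {m.group(1)} is in the affected range for "
                                  "CVE-2022-26134 (pre-auth OGNL injection, RCE)")
    return findings


# Constructed responses for a host exposing all four services (not real captures).
SAMPLE_HTTP = {
    (DOCKER_PORT, "/version"): (200, '{"Version":"24.0.7","ApiVersion":"1.43"}'),
    (YARN_PORT, "/ws/v1/cluster/info"): (200, '{"clusterInfo":{"state":"STARTED"}}'),
    (CONFLUENCE_PORT, "/"): (200, '<html><head><meta name="ajs-version-number" '
                                  'content="7.13.6"></head></html>'),
}


def sample_http(host, port, path, timeout=3.0):
    return SAMPLE_HTTP.get((port, path), (None, ""))


def sample_redis(host, port=REDIS_PORT, timeout=3.0):
    return "+PONG\r\n"


if __name__ == "__main__":
    for service, why in audit_host("198.51.100.10", http=sample_http, redis=sample_redis).items():
        print(f"[!] {service}: {why}")
```

Against a real host call `audit_host("host")` with the default probes; the sample probes make the script run offline. An empty result only means the four default ports answered nothing useful: services bound to other ports or behind TLS need the port and scheme adjusted, and a Redis that answers `-NOAUTH` still deserves a look at whether the password is guessable.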
| 2024-03-06 11:38:17 | thehackernews | MISCELLANEOUS | Innovative Reflectiz Platform Boosts Website Security & Compliance | Reflectiz offers a sandbox solution that continuously monitors web applications for security threats, compliance risks, and privacy issues.
The platform provides visibility into hidden website elements and third-party web apps that can introduce security risks or regulatory non-compliance.
Reflectiz uses automated detection cycles and a proprietary browser to dynamically analyze web page activities, thus identifying immediate risks.
The service includes a unique rating system to benchmark website exposure levels to various threats, based on continual monitoring and analysis.
A comprehensive inventory system within Reflectiz allows for easy management and immediate action on risky scripts and data items.
Reflectiz has introduced a PCI Dashboard add-on to meet the upcoming PCI DSS v4.0 requirements for compliance reporting and real-time script monitoring.
The platform enables clients to establish a security baseline and provides alerts for unauthorized changes to website elements, reducing the frequency of false alerts.
Reflectiz emphasizes a proactive approach to security, offering a 30-day free trial to demonstrate the platform's capability in enhancing web exposure management. | Details |
| 2024-03-06 09:51:23 | thehackernews | MISCELLANEOUS | Enhancing Google Drive Security with Material's Innovative Toolkit | The article discusses the new Data Protection for Google Drive by Material Security, designed to manage the sharing of sensitive data and permissions within Google Drive.
Many Google Workspace administrators struggle with the spread of confidential information being shared in an uncontrolled manner, leading to potential security risks.
Correctly identifying and managing these risks is difficult using standard tools provided by Google, such as the Workspace admin dashboard or the Drive API.
Material Security offers a powerful data platform that integrates with Google Workspace, enabling detailed inspections of historical and current file contents, metadata, permissions, and sharing settings.
The system allows for precise searches and activity-based filtering to uncover risky sharing practices and automatically revokes improper access without disrupting productivity.
Automated remediation workflows are sophisticated enough to distinguish between valid and invalid sharing scenarios, helping to maintain a secure yet productive environment.
Material Security emphasizes the importance of strong security within productivity suites, considering them to be critical infrastructure for organizations.
The article ends with an encouragement to schedule a demo with Material Security for a closer look at their capabilities in protecting Google Drive data. | Details |
| 2024-03-06 08:29:32 | theregister | NATION STATE ACTIVITY | SEMI Urges EU to Limit Export Controls on Chip Technology | SEMI, an industry association for chip vendors, has opposed the EU’s plan to impose export controls on China.
The group emphasizes that these controls should be a "last resort" for national security purposes.
SEMI warns that the European Commission's proposed measures could deter foreign investment and disrupt complex semiconductor supply chains.
SEMI argues that the goals of the European Chips Act could be undermined by overly broad outbound investment screening.
SEMI suggests that rather than restricting outbound investments, the EU should focus on economic security and technology leakage prevention.
The association argues for a balanced approach to economic opportunities and global market access for EU companies.
SEMI's stance comes amid US restrictions on investments in China, highlighting the importance of investment in advancing semiconductor capabilities. | Details |
| 2024-03-06 07:38:20 | thehackernews | NATION STATE ACTIVITY | U.S. Sanctions Spyware Consortium for Targeting Officials, Journalists | The U.S. Treasury Department sanctioned individuals and entities linked to Intellexa Alliance for distributing harmful spyware.
Intellexa's software, including Predator, was used against U.S. officials, journalists, and policy experts by unnamed foreign actors.
OFAC highlighted the security risks and human rights concerns stemming from the misuse of commercial spyware, citing its use to repress dissidents worldwide.
The Intellexa Alliance and related companies have been previously placed on the U.S. Entity List, restricting their business operations.
Predator spyware can infiltrate mobile devices without user interaction, allowing operators to collect sensitive information and conduct surveillance.
A recent U.S. State Department policy allows visa restrictions on foreign individuals involved in the misuse of commercial spyware.
The Treasury Department emphasizes the importance of responsible development and use of surveillance technologies to protect human rights and civil liberties. | Details |