Daily Brief

Total articles found: 11796

Checks for new stories every ~15 minutes

2024-03-04 20:02:45 theregister NATION STATE ACTIVITY North Korean Spies Accused of Stealing Chip Designs from South Korea
North Korean operatives allegedly infiltrated servers of South Korean chipmakers to steal product designs, aiding their home semiconductor industry development. Seoul's National Intelligence Service reported ongoing cyber-espionage activities aimed at semiconductor equipment makers since last year. Attackers utilized "living off the land" tactics by employing legitimate administrative tools to evade detection while conducting cyber operations. The intrusions resulted in the theft of product design drawings and facility photos, with at least two known companies affected in December and February. The South Korean spy agency is working closely with victimized firms to strengthen defenses and has informed all national semiconductor entities of potential threats. The announcement aligns with recent warnings about North Korean cybercriminals targeting global defense technologies and conducting elaborate social engineering operations. South Korea links these espionage efforts to the North's struggle to acquire technology due to international sanctions and the increased demand for semiconductors in their weapons programs.
2024-03-04 17:49:47 theregister NATION STATE ACTIVITY German Defense Communications Tapped, Leaked by Russian Entities
A recording of a sensitive German defense call discussing Ukraine was intercepted and leaked by Russian media. The leak was confirmed by the German Ministry of Defense and involved conversations on the Cisco WebEx platform. High-level officials speculate the leak could have resulted from a Russian agent in the call or a flaw in the implementation of WebEx. The audio disclosure has led to allegations by Russia of Germany's intent to secretly aid Ukraine with Taurus missile deliveries. German officials fear Russia may have more intercepted recordings and that this leak is a strategic effort to influence Germany's military aid to Ukraine. Russian officials have made provocative statements, accusing Germany of becoming an enemy and preparing for war, escalating tensions further. The German government is treating the incident as a serious security breach and as an act of "information war" aimed at disinformation and division. The Bundeswehr is investigating the incident, while the defense minister has publicly denounced the leak as a hybrid disinformation attack.
2024-03-04 17:49:46 bleepingcomputer CYBERCRIME BlackCat Ransomware Allegedly Defrauds Affiliate of $22 Million
BlackCat ransomware group has abruptly shut down its servers, stirring speculation about its motives. Allegations have been made that BlackCat scammed its own affiliate out of a $22 million ransom received from Optum after an attack on Change Healthcare. Despite the shutdown of their leak blog and negotiation sites, the group's final message remains cryptic, merely stating "Everything is off, we decide." The aggrieved affiliate claims to still possess 4TB of sensitive Optum data, threatening broader impacts on healthcare and insurance companies. Optum's parent company, UnitedHealth Group, has chosen not to comment on the ransom payment allegations, focusing instead on ongoing investigations. BlackCat, which has rebranded multiple times from DarkSide to BlackMatter, had previously been hit by law enforcement, and now there are hints that either an exit scam or another rebranding could be underway.
2024-03-04 17:44:25 bleepingcomputer DATA BREACH American Express Notifies Cardholders of Third-Party Processor Breach
American Express has issued warnings to customers about a data breach involving one of its merchant processors, leading to the exposure of card information. The breach resulted in unauthorized access to American Express Card members' data, including account numbers, names, and expiration dates, but not through a compromise of American Express' own systems. The specifics regarding the number of affected customers, the identity of the compromised merchant processor, and the timing of the breach remain undisclosed. American Express has commenced an investigation, alerted regulatory authorities, and is in the process of notifying impacted customers in compliance with legal requirements. Customers are advised to monitor their statements for the next 12 to 24 months, report any suspicious transactions, and enable instant notifications through the American Express app for enhanced security. American Express reassures clients that they will not be held liable for any fraudulent charges made with their cards and suggests requesting a new card if their information was compromised.
2024-03-04 15:41:56 bleepingcomputer NATION STATE ACTIVITY Ukraine Allegedly Penetrates Russian Defense Ministry Servers
The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense has announced a breach of the Russian Ministry of Defense (Minoborony) servers. Classified documents purportedly obtained in the cyber operation include sensitive national security details. The "special operation" is said to have been significantly aided by a key minister, Vadimovich, though little context is provided regarding this person's role or identity. Ukrainian officials released screenshots allegedly from the hacked databases as proof of the successful attack. The legitimacy of the screenshots has not been independently verified by third parties, and the Russian Ministry of Defense has not yet released a statement. The GUR has previously claimed responsibility for cyberattacks on other Russian entities but did not indicate any destructive actions, such as data deletion, in this particular incident with Minoborony.
2024-03-04 14:50:37 bleepingcomputer NATION STATE ACTIVITY North Korea Suspected in South Korean Semiconductor Data Heist
North Korea reportedly targeted South Korean semiconductor firms to steal sensitive engineering data. South Korea's National Intelligence Service (NIS) identified increased cyber espionage activities against chipmakers in the latter half of 2023. Attackers exploited known vulnerabilities in internet-facing servers to gain initial access and used "living off the land" tactics to steal data and remain undetected. Incidents in December 2023 and February 2024 led to the theft of product designs and facility information. While the companies targeted have not been named, Samsung Electronics and SK Hynix are major players in the sector, with substantial contributions to the global semiconductor market. These cyberattacks are believed to be part of North Korea's efforts to enhance its military and technological capabilities. South Korea's NIS has alerted the affected firms and provided recommendations for detecting and mitigating these threats, emphasizing the importance of security updates and strict access controls.
2024-03-04 14:35:07 theregister CYBERCRIME Calls for Ransomware Payment Ban Intensify Amid Rising Cyber Threats
Ransomware continues to be a significant threat to businesses, with a recent push for a ban on ransomware payments by global law enforcement and cyber security experts. The LockBit ransomware crew has shown resilience, recovering online presence shortly after government-led take-down attempts. Former UK National Cyber Security Center CEO Ciaran Martin advocates for a ban on ransom payments to disrupt cybercrime long-term, acknowledging the associated challenges. Critics of the ban suggest that prohibition could leave businesses with no other option for recovery, potentially leading to severe consequences, including company closures. Proponents of the ban argue that similar measures in the past, like those against kidnapping in Italy, had significant positive impacts. Financial support packages for victims may be necessary, akin to government intervention during the Northern Ireland Troubles. A ban on ransom payments is not currently planned by the governments of the Five Eyes nations, but nearly 50 members of the Counter Ransomware Initiative pledged not to pay ransoms. The debate continues as the average extortion payment reached $1.5 million last year, indicating a rising trend in cyber extortion.
2024-03-04 13:54:08 thehackernews CYBERCRIME Dissecting the XHelper-Based Money Laundering Scheme via India's UPI
Cybercriminals exploited India's Unified Payments Interface (UPI) for money laundering, recruiting "money mules" through Telegram. The scam utilized an Android application named XHelper to manage mules and facilitate transactions, bypassing India's PMLA. Funds obtained from illegal activities were transferred to accounts in China, using mules to move the money under false pretenses. XHelper enabled mules to track earnings, complete transactions, and provided an incentive system through financial rewards. The application featured a referral system with a pyramid-like structure to expand the network of agents and mules. Mules received training on evading bank security measures and making large transactions through fake corporate accounts. The overarching issue highlights a growing ecosystem of mobile apps designed to streamline money laundering operations. Global efforts by law enforcement, including Europol, resulted in the arrest of over a thousand individuals connected to money mule operations.
2024-03-04 13:38:41 bleepingcomputer DATA BREACH American Express Alerts Customers to Third-Party Data Breach
American Express has issued a warning to customers regarding the exposure of credit card details through a third-party service provider hack. This data breach affected American Express Travel Related Services Company, a division dealing with travel services. Personal customer information such as card account numbers, names, and expiration dates was accessed by unauthorized parties. Specific details about the service provider compromised, the extent of the data breach, and the timing of the incident remain undisclosed. American Express has notified regulatory authorities, is investigating the breach, and is reaching out to impacted customers to inform them of the situation and the necessary precautions. Customers are advised to review their account statements for the next one to two years, report any suspicious activity, and consider changing their card numbers. The company assures customers that they will not be held liable for any fraudulent charges and recommends setting up instant notifications for transaction alerts.
2024-03-04 11:20:59 thehackernews CYBERCRIME Mitigating SaaS Security Risks in Mid-Market Growth
Mid-market companies experiencing rapid growth must adapt to unique cybersecurity challenges, especially when utilizing third-party SaaS applications. As operations expand from 500 to 5000 employees, maintaining control and security over an increasing array of applications and shared data becomes critical. Static budgets and continuous threats by malicious actors put pressure on mid-market companies to find scalable and effective security solutions. Traditional SaaS security solutions, designed for large enterprises, do not align with the needs and resources of mid-market companies. Wing Security offers a tiered product approach that reduces labor costs through automation, effectively managing SaaS security with less than 8 hours of management time per month. The solutions provided by Wing Security aim to align with mid-market budgets and operational models, allowing for efficient risk mitigation without additional resources. As SaaS integration deepens within mid-market company operations, the demand for scalable and accessible security solutions increases, with a focus on automation and comprehensive coverage.
2024-03-04 09:33:39 theregister CYBERCRIME LockBit Ransomware Gang Temporarily Disrupted by International Law Enforcement
Law enforcement agencies from ten countries, including the FBI and the UK's National Crime Agency, collaborated in Operation Cronos to dismantle the LockBit ransomware gang's operations. Over 30 servers used by LockBit were seized, along with source code, decryption keys, chat logs, and affiliate information. The "Game over" seizure notice included a trolling element, mocking the gang with humorous imagery and a parody of its countdown timer. Despite suffering significant disruptions, LockBit and its spokesperson, LockBitSupp, resurfaced online soon after the operation with new hostage data and taunts directed at the authorities. Law enforcement claims to have obtained decryption keys to assist victims, while LockBitSupp insists these are ineffective, leaving the outcome of this cyber confrontation uncertain. The incident highlights the sophisticated disaster recovery capacity of criminal organizations like LockBit and suggests that businesses might benefit from similarly granular partitioning of their own DR strategies. The article argues that ransomware operations like LockBit remain effectively invulnerable as long as they can profit from cryptocurrencies without strict regulation, and that financial oversight is the key to curtailing their activities.
2024-03-04 09:28:16 thehackernews MALWARE Over 100 AI/ML Models Found with Malicious Backdoors
Over 100 artificial intelligence (AI) and machine learning (ML) models on the Hugging Face platform were identified as malicious by JFrog security researchers. These models were found to contain code execution vulnerabilities through pickle files, potentially granting attackers full control of victims' machines through backdoors. The malicious models initiate reverse shell connections to an IP associated with the Korea Research Environment Open Network (KREONET) and potentially other IP addresses worldwide. Some authors discouraged downloading their own models, suggesting it could be a security demonstration, but the connection to an active IP crosses a line in security research ethics. The implications of this discovery reach beyond individual user risk to potential large-scale data breaches and corporate espionage. Researchers have also developed methods to prompt harmful responses from language models and a generative AI worm, Morris II, that can steal data and autonomously spread malware. The generative AI ecosystem's connectivity has been exploited to deliver malicious inputs to new applications in attacks comparable to buffer overflow and SQL injection techniques. This situation highlights the ongoing threat within open-source repositories and emphasizes the need for vigilance regarding the supply chain and generative AI services.
2024-03-04 07:05:27 bleepingcomputer MISCELLANEOUS Content Farm in India Mimics Global News Outlets for Profit
BleepingComputer uncovers over 60 domains impersonating major news outlets for content plagiarism and SEO manipulation. These fake news websites repost articles from reputable sources without attribution, deceiving readers and boosting their SEO. The operation, based in India, leverages this network to sell expensive advertorial slots to marketers under the guise of credible outlets. The network, likely promoting online gambling and betting, maintains a presence on Google News and social media platforms. Domains share common WordPress CMS, registrar, and host, with operations traced back to at least 2022. Connections are made to jackpotbetonline.com, a betting entity based in Gurugram, India, pointing to gambling promotion motives. The potential for evolving into a disinformation network remains, posing risks beyond trademark and copyright infringement.
2024-03-04 05:28:20 thehackernews CYBERCRIME U.S. Alert: Phobos Ransomware Targets Government and Infrastructure
U.S. agencies have issued warnings on Phobos ransomware targeting critical U.S. sectors such as government, emergency services, and healthcare. Phobos ransomware, structured as Ransomware as a Service (RaaS), has several variants and employs tactics such as phishing and exploiting exposed RDP services. The e-crime group behind Phobos uses Windows API functions, open-source tools, and sophisticated techniques to escalate privileges and maintain persistence. Attackers exfiltrate files before demanding ransom; after an initial payment, 78% of organizations face renewed attacks, often with increased demands. Separately, Bitdefender reported a coordinated attack by CACTUS ransomware on two independent companies, exploiting a critical vulnerability within 24 hours of its disclosure. The median ransom demand in 2023 rose to $600,000, and the average payment per victim reached about $568,705, with no guarantee against recurring attacks.
2024-03-04 03:21:05 theregister CYBERCRIME LockBit Ransomware Group Claims Unverified Ransom Payment
Law enforcement recently disrupted LockBit ransomware operations, seizing the group's website. LockBit re-established a new site listing ransom deadlines, including one involving data from Fulton County related to Donald Trump. Fulton County's ransom deadline passed without data release; LockBit alleges a ransom was paid, while officials deny any payment. A security analyst suggests the data might have been seized by law enforcement rather than a ransom having been paid. Critical vulnerabilities have been reported in Cisco's NX-OS; patches are recommended. CISA issued an advisory noting that Ivanti vulnerability mitigations may not detect compromises; Ivanti recommends patching and using its Integrity Checker Tool. Researchers from Semperis warn of potential Silver SAML attacks allowing SAML token forgery without compromising ADFS servers, raising concerns similar to those from the SolarWinds incident.