Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11795
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-01 13:38:26 | thehackernews | CYBERCRIME | Sophisticated Phishing Kit Targets Crypto User Credentials | A new phishing kit is targeting mobile users of various cryptocurrency services, impersonating SSO pages of platforms like Binance and Coinbase using email, SMS, and voice calls.
Attackers construct highly convincing fake login screens that are shown only after the victim completes a CAPTCHA, which keeps automated analysis tools from ever reaching them.
Over 100 individuals, including FCC employees and users from cryptocurrency exchanges such as Gemini and Kraken, have fallen victim to the sophisticated scheme.
The phishing kit lets operators customize the fraudulent pages in real time, including displaying the last digits of the victim's phone number and choosing how the 2FA token is requested.
Once credentials and 2FA codes are obtained, attackers can redirect victims to any page they choose, whether legitimate or fake, to maintain the illusion of authenticity.
Similarities are noted between these phishing pages and tactics used by Scattered Spider, a known cyber threat group, although it's unclear if there is a direct connection or if this kit is utilized by multiple actors.
The effectiveness of these attacks is amplified by the high-quality duplications of real URLs, the urgency conveyed in communications, and the direct connection with victims via SMS and voice calls.
The report also notes that a new phishing-as-a-service (PhaaS) platform named LabHost is being used against financial institutions in Canada, a further sign of the evolving cybercrime landscape. | Details |
| 2024-03-01 12:42:13 | theregister | DATA BREACH | UK Police Force Reprimanded for Personal Data Mishandling | The UK's Information Commissioner's Office (ICO) has reprimanded West Midlands Police (WMP) for repeatedly confusing the records of two individuals with the same name and birth date.
Mismanagement of records over several years resulted in numerous mistakes including police visiting the wrong locations and schools and sharing confidential information with the wrong individuals.
The two individuals involved were both victims of crimes, but failure to distinguish between victim and suspect records led to a breach of the Data Protection Act 2018.
One person received another's personal information regarding a serious assault, with WMP failing to remedy errors quickly and prevent reoccurrences.
WMP has been advised to make technical and governance improvements, with recommendations including unmerging the records and instituting mandatory data protection training.
Although WMP has compensated one of the individuals and corrected issues following the ICO investigation, they have not been fined due to the remedial actions taken.
WMP handles millions of records daily and claims such data errors are rare, but they have acknowledged and accepted the reprimand and recommendations by the ICO. | Details |
| 2024-03-01 11:15:07 | thehackernews | DATA BREACH | Lessons Learned: Comprehensive Postmortems of Major Data Incidents | GitLab suffered an 18-hour outage in 2017 after an engineer, while troubleshooting replication lag between the primary and secondary PostgreSQL databases, deleted roughly 300GB of production data from the primary by mistake.
GitLab's transparent postmortem has influenced data security practices; an LVM snapshot taken about six hours earlier for staging purposes, rather than any of the regular backups, is what prevented a larger loss.
In 2023, the backup service Tarsnap went offline due to catastrophic filesystem damage but lost no user data due to robust data storage and recovery strategies.
Roblox experienced a 73-hour outage in 2021 when its Consul cluster, which holds system configuration and service discovery data, failed; the cluster was eventually restored without user data loss.
Cloudflare thwarted a potential data breach with their Zero Trust architecture, after discovering a nation-state-backed attacker had gained access to internal documents but not customer data.
In response to the attack, Cloudflare undertook extensive credential rotations and system reimaging, emphasizing the importance of data security in crisis management.
These postmortems encourage honesty, transparency, and taking proactive steps in data security and continuity planning, especially regarding cloud and SaaS platforms.
Ownership of the data security lifecycle and the practice of thorough testing and documentation are vital in mitigating the risks of future failures. | Details |
| 2024-03-01 10:59:39 | thehackernews | MALWARE | New Linux-RAT Variant Exploits VMware-Like Domain Evasion | Cybersecurity researchers have identified a new BIFROSE Linux remote access trojan variant that uses a deceptive domain resembling VMware for evasion.
Active since 2004, BIFROSE has been utilized by state-backed Chinese hackers, with suspected repurposing since 2010.
The malware enables attackers to execute remote shell commands, transfer files, and extract sensitive user information, such as hostname and IP address.
The latest version contacts a command-and-control server at "download.vmfare[.]com", a name chosen to pass as a VMware domain, and resolves it through a Taiwan-based public DNS resolver.
Palo Alto Networks Unit 42 observed a significant increase in Bifrost activity from October 2023, finding over 100 related artifacts.
The researchers also found an Arm version of BIFROSE, indicating an attempt to broaden the potential target range of devices.
Recent spikes in Bifrost activity underscore the continued evolution of this malware family; the report notes parallel activity from other families such as GuLoader and Warzone RAT. | Details |
| 2024-03-01 09:07:40 | theregister | MISCELLANEOUS | Enhance Organizational Security with Google AI and Zero Trust | Cybersecurity incidents are costly, with each data breach averaging $4.35 million.
The frequency of cyber attacks increased by 38% last year, emphasizing the need for robust security measures.
Google Cloud suggests that legacy productivity solutions may no longer be sufficient to combat modern cyber threats.
The webinar proposes the use of a cloud-native architecture based on zero-trust principles and AI-powered threat defenses, as implemented in Google Workspace.
The session will cover methods to enable secure remote work, maintain data control, simplify compliance, and prevent unauthorized access.
Experts from Google Workspace will discuss securing organizations with zero trust and AI technologies, concluding with a Q&A session for deeper insights.
Interested participants are invited to register for the webinar scheduled for 6 March, with reminders to be sent prior to the event. | Details |
| 2024-03-01 06:33:09 | thehackernews | CYBERCRIME | Five Eyes Warn of Persistent Ivanti Gateway Exploits | The Five Eyes intelligence alliance (FVEY) has warned that cyber threat actors are exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.
Despite factory resets, attackers may maintain root-level persistence, evading detection by Ivanti's Integrity Checker Tool (ICT), which is deceived by directory exclusions.
Ivanti has disclosed five security flaws in these gateways since January 10, 2024, four of which have been actively exploited to deploy malware, including a variant of the BUSHWALK web shell.
Threat actors have been able to install backdoors due to the ICT not scanning certain directories, as highlighted by both Mandiant and Eclypsium.
The Five Eyes recommend that network defenders operate under the assumption that sophisticated actors could maintain persistent access to compromised devices.
Organizations using Ivanti gateways are urged to assess the significant risks of continued operation amid these security concerns.
Ivanti has released a new version of the ICT with improved detection and says it is not aware of any case in which a threat actor kept persistence after the security updates and a factory reset were applied. | Details |
| 2024-03-01 05:31:28 | theregister | DATA BREACH | NTT West President Resigns Amid Massive Customer Data Leak | NTT West President Masaaki Moribayashi resigns after a significant data breach affecting 9.28 million customers.
Data was leaked over a decade by a temporary employee who sold it to a third party.
The organization had been warned about a potential breach in 2022 but failed to find it or implement proper security measures.
NTT West issues an apology and vows to strengthen its information security, adding 100 personnel to the security division and allocating ¥10 billion for monitoring enhancements.
Japan's communications ministry has criticized NTT West for insufficient management of customer data and has ordered it to revise its contracts with employment agencies.
The former employee responsible for the data theft has been arrested and indicted for violating the unfair competition prevention law. | Details |
| 2024-03-01 05:31:28 | thehackernews | CYBERCRIME | GitHub Enhances Security with Automated Secret Scanning for Repositories | GitHub has announced the implementation of default secret scanning push protection for all public repository pushes to detect and block sensitive data exposure.
When detected, developers can remove the secrets from commits or override the block if the secret is considered safe.
Push protection launched as an opt-in beta in April 2022 and became generally available in May 2023; it is now enabled by default for public repositories.
The tool is capable of identifying over 200 different token types from more than 180 service providers, aiming to prevent misuse by malicious actors.
This security update follows the expansion of the secret scanning service to include validity checks for services such as AWS, Microsoft, Google, and Slack.
The announcement coincides with reports of an ongoing "repo confusion" campaign that distributes malware through cloned repositories containing obfuscated malicious code built to steal sensitive information.
These "repo confusion" attacks exploit human error, often using social engineering to trick users into downloading the malicious versions of software packages. | Details |
| 2024-03-01 01:06:51 | bleepingcomputer | CYBERCRIME | CISA Warns of Persistent Risks to Ivanti VPN Appliances Post-Reset | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a caution regarding the use of Ivanti VPN appliances after factory resets due to root persistence capabilities by attackers.
Attackers exploiting vulnerabilities in Ivanti gateways may retain access even after resets and evade detection by Ivanti's internal and external Integrity Checker Tool.
Vulnerabilities impacting Ivanti Connect Secure and Policy Secure gateways include critical issues such as authentication bypass and arbitrary command execution.
Forensic analysis showed attackers could cover their tracks effectively, making it challenging for Ivanti's compromised appliance scans to detect previous compromises.
Ivanti has released an updated external Integrity Checker Tool to improve detection of compromises.
CISA advises organizations to assume compromised credentials, hunt for malicious activity using provided IOCs, run Ivanti's latest ICT, and apply patch guidance when available.
In response to these threats, CISA issued guidance for federal agencies to disconnect affected devices, perform factory resets, rebuild using patched software, and revoke all exposed credentials.
Nation-state actors and other threat groups have previously exploited similar vulnerabilities, underlining the critical nature of the issue and the importance of following CISA's advisory to mitigate risks. | Details |
| 2024-03-01 00:51:25 | theregister | MALWARE | Malware Campaign Infects 100,000 GitHub Repositories | GitHub is tackling a large-scale malware distribution campaign involving over 100,000 malicious repositories.
Attackers clone legitimate repositories, insert malware loaders, re-upload the copies under the original names, fork them automatically thousands of times, and promote the infected code on forums and social media.
The malware, derived from BlackCap-Grabber, is designed to steal login credentials, browser passwords, cookies, and other sensitive data from users.
GitHub employs dedicated teams for the detection and removal of content that breaches its policies, utilizing manual reviews and machine learning.
Security researchers note that the automated nature of the attacks means a significant number of malicious repos evade detection.
The scope of the attack affects the larger software supply chain, highlighting the need for improved security measures as recommended by the Biden administration and the NIST Cybersecurity Framework 2.0. | Details |
| 2024-02-29 22:34:01 | theregister | DATA BREACH | U.S. Courts Regularly Seek Push Notification Metadata | U.S. courts have requested access to push notification metadata over 130 times, highlighting mobile device privacy concerns.
Push notification data has proven useful to law enforcement for cases involving terrorism, child sexual abuse, drugs, and fraud.
The availability of such data raises issues, including the potential for prosecution in states with strict abortion laws and foreign governmental abuse.
Senator Ron Wyden has inquired with the Justice Department regarding foreign governments demanding data from Apple and Google.
Apple has committed to improving transparency in its reporting, and Google has expressed support for greater openness.
Push notification metadata is not encrypted, revealing the app, time stamp, and network details.
Security consultant Zach Edwards warns of the potential misuse of push notifications for intelligence gathering and loss of privacy.
Concerns are heightened by cases like Pushwoosh, a push notification vendor revealed in 2022 to be Russian-operated while presenting itself as US-based, and by the linking of push tokens with other device identifiers. | Details |
| 2024-02-29 22:18:30 | bleepingcomputer | DATA BREACH | Golden Corral Suffers Major Data Breach Affecting 183K Individuals | Golden Corral, a U.S. restaurant chain, disclosed a data breach impacting over 180,000 people after an August cyberattack.
Attackers had unauthorized access to the company's systems from August 11 to August 15, 2023, and exfiltrated personal data of employees and their beneficiaries.
Sensitive information compromised includes names, Social Security numbers, financial details, driver's license numbers, medical records, and health insurance information.
After the incident, Golden Corral contacted federal law enforcement and initiated measures to heighten security and prevent future breaches.
Notifications to affected individuals began on February 16, following a thorough investigation to ascertain the extent and nature of the stolen data.
The company has urged affected individuals to remain vigilant and report any suspicious activities to their insurance providers, health care providers, or financial institutions.
At the time of reporting, there is no statement from a Golden Corral spokesperson regarding additional details of the breach. | Details |
| 2024-02-29 21:47:47 | theregister | NATION STATE ACTIVITY | U.S. Government Seeks Court Extension of Controversial Spy Powers | The Biden Administration has petitioned a court to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for warrantless surveillance, bypassing congressional debate on the matter.
Senator Ron Wyden criticizes the Justice Department's decision to seek a year-long extension without any reforms, as bipartisan support exists for reauthorization with added protections for Americans.
The FISA Court has been asked to permit continued operation of surveillance programs for another year—a move defended as routine by National Security Council legal advisor Josh Geltzer.
Privacy advocates and civil liberties organizations, such as the ACLU and EFF, argue against the administration's actions, insisting that reforms are necessary to prevent abuse of Section 702 powers.
The FBI has previously been found to misuse these surveillance authorities, targeting U.S. elected officials and citizens without proper warrants, highlighting the need for stricter oversight.
Four proposed bills aim to reauthorize Section 702 with added restrictions, including a requirement for warrants in certain investigations to protect civil liberties.
The ongoing debate underscores tensions between national security priorities and the protection of individual privacy rights, with the future shape of Section 702 hanging in the balance. | Details |
| 2024-02-29 21:37:23 | bleepingcomputer | MALWARE | Evolved Bifrost Malware Targets Linux with Enhanced Evasion | Palo Alto Networks' Unit 42 discovers a new variant of Bifrost RAT with improved evasion tactics.
The malware uses a domain that mimics VMware to avoid suspicion and resolves it through a Taiwan-based public DNS resolver, which complicates tracing.
Bifrost collects sensitive information including hostnames, IP addresses, and process IDs, encrypting the data with RC4 before exfiltration.
The new variant is stripped of debugging information, which hinders analysis.
An ARM version of Bifrost has been developed, indicating an expansion in the threat actor's targeting capabilities.
Despite Bifrost's long history, its recent enhancements suggest a push by developers to make it a stealthier threat.
Unit 42's findings emphasize the necessity for heightened awareness and defense measures against such evolving malware threats. | Details |
| 2024-02-29 20:46:24 | bleepingcomputer | MISCELLANEOUS | Brave Integrates Privacy-Focused AI Assistant 'Leo' in Android Browser | Brave Software has introduced "Leo," a privacy-centric AI assistant, in the Android version of its browser.
Leo is designed to perform tasks such as summarizing content, translating pages, writing code, and generating written materials.
The AI assistant can be accessed by users through a simple interface within the Brave browser on Android.
There are two service levels available: a free tier and a premium tier costing $14.99/month with added features and cross-device support.
Leo leverages several advanced large-language models for accuracy and multilingual support, with privacy as a central emphasis.
The roll-out of Leo is phased, meaning some users may need to wait before seeing the feature, with an iOS launch also on the horizon. | Details |
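The GitHub push-protection summary above describes blocking a push when an added line contains a known secret pattern, with an explicit override for secrets a developer deems safe. The following is an added example, not GitHub's code, of the same check applied to a unified diff: only added lines are scanned, each hit is fingerprinted with SHA-256, and a fingerprint on a reviewer-approved list is reported but does not block. The token patterns are simplified approximations of the real formats, and the diff, the file path and the approved Slack test token are constructed for the example.

```python
"""Push-time secret check over a unified diff (added example, not GitHub's code).

Scans only lines a push would add, fingerprints each hit with SHA-256, and lets
a reviewer-approved fingerprint through without blocking, mirroring the
block-or-override flow described in the summary. Patterns are simplified
approximations of real token formats; the diff and approved token are constructed.
"""
import hashlib
import re
from typing import Dict, Iterator, List, Tuple

# Simplified patterns: enough to catch the common shapes, not GitHub's full set.
PATTERNS = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[bpoa]-[0-9A-Za-z-]{10,}"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def fingerprint(secret: str) -> str:
    """Stable identifier for a secret that can be stored without storing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Fingerprints a reviewer has explicitly approved (the "override" path).
# Constructed: a placeholder Slack token used in a test fixture.
APPROVED_FINGERPRINTS = {fingerprint("xoxb-000000000000-TEST")}

# Constructed diff: one removed key (must not be flagged), two live-looking
# secrets (blocked) and the approved test token (bypassed).
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-LEGACY_KEY = "AKIAI44QH8DHBEXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+SLACK_TEST_TOKEN = "xoxb-000000000000-TEST"
 TIMEOUT = 30
"""


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every line the diff adds."""
    path, new_ln = "", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            name = line[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
        elif line.startswith("--- "):
            continue
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            new_ln = int(m.group(1)) if m else 0
        elif line.startswith("+"):
            yield path, new_ln, line[1:]
            new_ln += 1
        elif line.startswith("-") or line.startswith("\\"):
            continue  # removed lines and "\ No newline" markers are not in the pushed tree
        else:
            new_ln += 1  # context line


def scan_push(diff_text: str) -> Dict[str, List[Dict[str, object]]]:
    """Classify every secret found in added lines as blocked or bypassed."""
    result: Dict[str, List[Dict[str, object]]] = {"blocked": [], "bypassed": []}
    for path, ln, text in added_lines(diff_text):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                fp = fingerprint(match.group(0))
                finding = {"type": kind, "path": path, "line": ln, "fingerprint": fp[:16]}
                bucket = "bypassed" if fp in APPROVED_FINGERPRINTS else "blocked"
                result[bucket].append(finding)
    return result


def push_allowed(diff_text: str) -> bool:
    """A pre-receive hook would reject the push when this returns False."""
    return not scan_push(diff_text)["blocked"]


if __name__ == "__main__":
    report = scan_push(SAMPLE_DIFF)
    for f in report["blocked"]:
        print(f"BLOCK  {f['path']}:{f['line']} {f['type']} (fp {f['fingerprint']})")
    for f in report["bypassed"]:
        print(f"ALLOW  {f['path']}:{f['line']} {f['type']} approved by reviewer")
    print("push allowed:", push_allowed(SAMPLE_DIFF))
```

Storing only the fingerprint of an approved secret keeps the override list itself from becoming a secret store, and scanning added lines only means a push that removes a leaked key is not blocked by the very key it removes. The patterns here trade precision for brevity; a production hook should carry the full provider formats and, as the summary notes GitHub now does, a validity check against the issuer.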
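Both Bifrost summaries above note a command-and-control domain, download.vmfare[.]com, chosen to pass as VMware infrastructure. As an added example (not Unit 42's tooling), the script below takes BIND-style DNS query-log lines, matches them against a defanged IOC list, and flags any registrable domain within a small edit distance of a trusted brand list. The log lines, the trusted-domain list and the rnicrosoft.com entry are constructed for the example; only the vmfare domain comes from the reports.

```python
"""Lookalike-domain detection over DNS query logs (added example, not Unit 42's code).

Flags queries that hit a published IOC or whose registrable domain sits within a
small edit distance of a trusted brand domain. The log lines, trusted list and
the rnicrosoft.com entry are constructed; only download.vmfare[.]com comes from
the Bifrost reports.
"""
import re
from typing import Dict, List

# Brand domains this organisation legitimately talks to (assumed for the example).
TRUSTED_DOMAINS = ("vmware.com", "microsoft.com", "github.com")

# Indicators as published, defanged; refanged before matching.
IOC_DOMAINS = ("download.vmfare[.]com",)

# Constructed sample lines in a BIND-style query-log layout.
SAMPLE_LOG = """\
29-Feb-2024 10:11:12.001 client 10.0.0.5#51234: query: download.vmware.com IN A +
29-Feb-2024 10:11:13.002 client 10.0.0.7#51235: query: download.vmfare.com IN A +
29-Feb-2024 10:11:14.003 client 10.0.0.9#51236: query: updates.rnicrosoft.com IN A +
29-Feb-2024 10:11:15.004 client 10.0.0.9#51237: query: api.github.com IN AAAA +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def refang(domain: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a.b, lower-cased, no trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable(qname: str) -> str:
    """Last two labels. Simplification: real tooling should use the public suffix list."""
    labels = refang(qname).split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small distance to a brand name is the signal here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(log_text: str, max_distance: int = 2) -> List[Dict[str, object]]:
    """Return one finding per suspicious query, with every reason it was flagged."""
    iocs = {refang(d) for d in IOC_DOMAINS}
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = refang(m.group("qname"))
        reg = registrable(qname)
        reasons: List[str] = []
        if qname in iocs or reg in iocs:
            reasons.append("ioc")
        if reg not in TRUSTED_DOMAINS:  # exact brand domains are fine by definition
            for trusted in TRUSTED_DOMAINS:
                if levenshtein(reg, trusted) <= max_distance:
                    reasons.append(f"lookalike:{trusted}")
        if reasons:
            findings.append({"client": m.group("client"), "qname": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']} -> {f['qname']} [{', '.join(f['reasons'])}]")
```

The IOC match catches the one domain the reports name; the edit-distance check is what catches the next rename of it. A threshold of two also trips on legitimate short names that happen to be close (github.com against gitlab.com, for instance), so in practice pair it with an allow-list of known-good domains and treat hits as hunting leads rather than blocks.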