Daily Brief

Find articles below; the text under each title is a generated summary

Total articles found: 11792

Checks for new stories every ~15 minutes

2024-02-28 13:11:30 thehackernews CYBERCRIME U.S. Warns of BlackCat Ransomware Targeting Healthcare Sector
The U.S. government has warned that BlackCat (ALPHV) ransomware is increasingly targeting the healthcare sector, with nearly 70 victims posted to the group's leak site since mid-December 2023. The FBI, CISA, and HHS issued the advisory after the group resumed operations following the December 2023 law-enforcement seizure of its leak sites, which it quickly reclaimed. BlackCat has since claimed attacks on organizations including Prudential Financial and Optum, and the U.S. government is offering up to $15 million for information on the group's leaders and affiliates. The resurgence coincides with the return of LockBit and with active exploitation of critical flaws in ConnectWise's ScreenConnect software; more than 3,400 potentially vulnerable ScreenConnect hosts were found exposed online, and remote-access software has become a major initial-access vector for ransomware deployment. Ransomware tooling continues to evolve, as seen in RansomHouse's MrAgent, which deploys ransomware across large-scale virtual environments, and in the open sale of direct network access. The public release of Kryptina, a Linux-targeting ransomware, could further increase the frequency and sophistication of attacks as spin-off variants proliferate.
2024-02-28 12:04:50 thehackernews MISCELLANEOUS Mastering Ethical Management of Customer Data with CDP
A webinar will introduce Twilio Segment's privacy-compliant Customer Data Platform (CDP) for managing first-party data, with the aim of showing how to balance personalized customer experiences with strict adherence to privacy regulations. Twilio Segment's State of Personalization Report indicates that 63% of consumers are open to personalization based on data they have shared directly. The phase-out of third-party cookies and the arrival of privacy-centric browser technologies are pushing businesses toward privacy-first personalization strategies. The session will cover how to comply with data protection laws such as GDPR while keeping personalization effective. Businesses are encouraged to attend to learn about ethical customer data management in an environment where data privacy is mandatory, and attendees will be offered a complimentary risk assessment from Vanta to check their security and compliance status.
2024-02-28 10:43:05 thehackernews MISCELLANEOUS Enhancing Security with Advanced Identity Management Solutions
Traditional perimeter-based security is now seen as both costly and ineffective at safeguarding digital assets. A small proportion of users, the 'superusers' (privileged users with access to sensitive systems and data), account for the majority of cybersecurity risk. SSH Communications Security focuses on bridging the gap between Privileged Access Management (PAM) and Identity Management (IdM) to better protect these users, arguing that PIM (Privileged Identity Management), PAM, and IAM (Identity and Access Management) must be integrated to manage digital identities and access controls effectively. Non-privileged users can be handled with strong authentication, whereas privileged users require stricter controls because of the risk their access carries. The article advocates a Zero Trust approach that is borderless, passwordless, and keyless and incorporates biometric authentication, so that no implicit trust is granted. SSH Communications Security offers resources such as whitepapers on implementing passwordless and keyless models, and Vanta offers a free risk assessment tool for evaluating security and compliance posture and uncovering shadow IT.
2024-02-28 10:22:35 theregister NATION STATE ACTIVITY U.S. Moves to Block Adversaries from Americans' Sensitive Data
President Biden is expected to issue an executive order to prevent the transfer of Americans' sensitive data to adversarial nations such as China and Russia. The proposed regulations would forbid companies from transferring large volumes of certain data types to countries of concern, which also include North Korea, Iran, Cuba, and Venezuela. The order targets genomic and biometric data, geolocation, health and financial data, personal identifiers, and sensitive government-related data, with exemptions for some commercial transactions and routine international business operations such as payroll within multinational companies. The regulation, which must pass through several steps before it takes effect, will be enforced by the US Justice Department and aims to close a legal gap around the national security risk of data access by these countries. The concern is that they could use American personal and government data for cyber-enabled activities, espionage, blackmail, AI training, and targeting of activists, journalists, and politicians. The White House stresses that these measures do not replace the comprehensive bipartisan privacy legislation President Biden has urged Congress to pass.
2024-02-28 07:49:21 thehackernews MALWARE Sophisticated 'TimbreStealer' Malware Targets Mexican Taxpayers
A new malware called TimbreStealer has been targeting Mexican users with tax-themed phishing lures since at least November 2023. It uses advanced obfuscation and geofencing to evade detection and to restrict infections to users in Mexico, combining custom loaders and direct system calls with the Heaven's Gate technique to execute 64-bit code from within a 32-bit process. The payload harvests credentials and system metadata, checks for installed remote desktop software, and avoids reinfecting previously compromised systems. Cisco Talos researchers note similarities with earlier campaigns and highlight TimbreStealer's targeting of multiple industries, including manufacturing and transportation. The report also mentions the emergence of other information stealers such as Atomic and XSSLite; stealers like Atomic, XSSLite, Agent Tesla, and Pony continue to be developed for information theft and traded on underground markets.
2024-02-28 05:52:23 thehackernews NATION STATE ACTIVITY APT28 Exploits Ubiquiti EdgeRouters for Malicious Cyber Operations
U.S. and allied cybersecurity agencies warn that the Russia-linked APT28 group is targeting Ubiquiti EdgeRouter devices. The advisory follows the recent takedown of the MooBot botnet, which APT28 had used for covert operations. APT28 has used compromised routers to harvest credentials, proxy traffic, and host phishing pages, affecting diverse sectors worldwide; the group has been active since at least 2007 and installs and operates custom malware on the routers it compromises. Owners are advised to perform a hardware factory reset, update the firmware, change default credentials, and implement firewall rules on WAN-side interfaces. Nation-state actors are increasingly turning routers into botnets for malicious activity and as footholds into targeted networks. The bulletin coincides with a Five Eyes alert on APT29's cloud access tactics, underscoring the ongoing threat of Russian cyber espionage.
2024-02-28 04:36:11 theregister CYBERCRIME Ubiquiti Router Botnet Downed by Feds, Potential Resurgence Warned
A botnet run by Russia's GRU using compromised Ubiquiti EdgeOS routers was dismantled in January by international authorities. The US FBI and partners from multiple countries warn that the GRU may attempt to revive it, and urge device owners to upgrade firmware, strengthen passwords, and implement strategic firewall rules to prevent re-compromise. The botnet was built on Moobot, a Mirai-based malware created by criminals and later co-opted by the GRU, and was used for phishing, spying, and data theft through the network of infected routers. A separate malware package, MASEPIE, was also found on the routers, indicating the GRU's direct involvement in building tooling for the operation. The Indicators of Compromise (IOCs) provided, including bash histories, can help network administrators identify malicious activity, though non-technical device owners may struggle to follow the advisory's recommendations because it offers little step-by-step guidance.
2024-02-28 00:42:28 bleepingcomputer DATA BREACH Cencora Pharmaceutical Suffers Significant Data Theft Incident
Pharmaceutical services giant Cencora has reported a cyberattack in which data was stolen from its IT systems. The company, formerly known as AmerisourceBergen, disclosed the breach in a Form 8-K filing with the SEC; it reported revenue of $262.2 billion in fiscal year 2023 and employs approximately 46,000 people. Cencora has engaged law enforcement, cybersecurity professionals, and external legal counsel to investigate. Containment measures were taken immediately upon detection, but the potential impact on the company's finances and operations remains unclear. In response to inquiries, Cencora referred to the statement in its SEC filing and stressed that it has found no link to the recent ransomware attack on Optum's Change Healthcare. No culprit has been identified and no ransomware group has claimed responsibility; the Lorenz ransomware group had allegedly breached the company in February 2023.
2024-02-27 22:30:10 bleepingcomputer CYBERCRIME U.S. Federal Agencies Warn of Ongoing BlackCat Ransomware Threats
The FBI, CISA, and HHS have issued a warning about targeted ALPHV/BlackCat ransomware attacks against U.S. healthcare organizations. BlackCat, active since November 2021, has collected over $300 million in ransoms from more than 1,000 victims, and nearly 70 new victims have appeared on its leak site since mid-December 2023, with healthcare the most frequently hit sector; that shift toward healthcare followed law enforcement action against the group in December 2023. Critical infrastructure organizations, especially in healthcare, are urged to implement safeguards against the tactics this group typically uses. The operation was linked to the recent cyberattack on Optum, which caused a major outage at Change Healthcare, and investigators found that BlackCat operators exploited a known ScreenConnect vulnerability to gain access to networks. Despite the FBI's disruption of its infrastructure in December 2023, the gang has resumed operations and remains a significant threat; the U.S. State Department is offering rewards for information leading to BlackCat's leaders and associates.
2024-02-27 20:27:42 theregister NATION STATE ACTIVITY US Adds Sandvine to Export Blacklist for Snoop-Ware Sales to Egypt
The US Commerce Department has added Sandvine, a Canadian network technology company, to the Entity List for exporting network-monitoring technology used for surveillance in Egypt, where its equipment was allegedly used to spy on political and human rights activists. Entities are added to the list for posing a threat to US national security or foreign policy interests; China's Chengdu Beizhan Electronics was added in the same action. Sandvine's head office and its branches in several countries, including India, Japan, and the UAE, are covered by the export restrictions. Sandvine has previously been accused of helping authoritarian regimes censor and surveil, with its PacketLogic devices linked to malware distribution in Turkey and Egypt. The company says it will work with government officials to address the Commerce Department's concerns and stresses its commitment to a safe internet.
2024-02-27 19:21:02 bleepingcomputer CYBERCRIME LabHost Enables Widespread Phishing Attacks on Canadian Banks
LabHost, a Phishing-as-a-Service (PhaaS) platform, gives cybercriminals turnkey tooling for targeting Canadian banking customers. Its popularity has grown since early 2023, driven by phishing kits tailored to Canadian banks, and Fortra analysts now rank it ahead of the previously favored PhaaS platform, Frappo. After an outage in October 2023, LabHost recovered and is conducting several hundred phishing attacks per month against a range of financial and online services. It offers three membership tiers, with services including bank-targeted phishing kits, a real-time phishing attack management tool named LabRat, and an SMS spamming tool called LabSend. Such platforms lower the entry barrier for aspiring cybercriminals and amplify the scale and impact of phishing globally. Researchers also highlight other PhaaS platforms such as 'Greatness' and 'Robin Banks', which offer features like multi-factor authentication bypass and customizable phishing kits.
2024-02-27 18:55:00 bleepingcomputer CYBERCRIME Black Basta and Bl00dy Ransomware Gangs Exploit ScreenConnect Flaw
The Black Basta and Bl00dy ransomware groups are exploiting CVE-2024-1709, a critical authentication-bypass vulnerability in ScreenConnect servers that lets attackers create admin accounts, delete other users, and fully take over vulnerable instances. Active exploitation began shortly after ConnectWise released patches and proof-of-concept exploits were published, and CISA has ordered US federal agencies to secure their servers against the flaw by February 29. Trend Micro reports Black Basta using it for initial access, network backdooring, and deployment of Cobalt Strike beacons, while Bl00dy uses payloads built with the leaked Conti and LockBit Black builders. Over 10,000 ScreenConnect servers are tracked online, with only a fraction running the patched version; immediate patching is urged as the only reliable way to stop the ongoing attacks.
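Two checks a defender would run after reading this entry, written as an added example (not code from ConnectWise, Trend Micro, or the article): gate on the server build, and scan web access logs for the request shape associated with the bypass. The fixed version (23.9.8) comes from the vendor advisory and the trailing-slash /SetupWizard.aspx/ path pattern from public analysis of CVE-2024-1709; neither is stated in the digest entry above. The log lines and their column layout are constructed for the example.

```python
import re

# ScreenConnect 23.9.8 is the first build that closes CVE-2024-1709. That
# version comes from the vendor advisory, not from the digest entry above.
FIXED_VERSION = (23, 9, 8)

# Request shape associated with the bypass in public analysis of the flaw
# (again not stated in the digest): a path that continues past
# SetupWizard.aspx with a slash reaches the setup wizard on a server that has
# already been configured. A bare /SetupWizard.aspx is what a fresh install
# legitimately requests, so it is deliberately not matched.
SETUP_WIZARD_ABUSE = re.compile(r"^/SetupWizard\.aspx/", re.IGNORECASE)


def parse_version(text):
    """'23.9.7.8804' -> (23, 9, 7, 8804); raises on strings with no digits."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


def is_vulnerable(version):
    """True when the build predates the fix. Only the first three components
    are compared; the fourth is a build number that does not change the fix
    boundary, and a short string such as '22.5' is padded with zeros."""
    v = parse_version(version)[: len(FIXED_VERSION)]
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION


# Constructed access-log lines in a simplified W3C-style layout:
# date time client-ip method uri-stem status. Adapt the split for your source.
SAMPLE_LOG = """\
2024-02-21 03:14:07 203.0.113.45 GET /Login 200
2024-02-21 03:14:09 203.0.113.45 GET /SetupWizard.aspx/ 200
2024-02-21 03:14:12 203.0.113.45 POST /SetupWizard.aspx/x 302
2024-02-21 03:15:00 198.51.100.7 GET /Host 200
2024-02-21 03:16:33 203.0.113.45 GET /Administration 200
2024-02-21 04:02:10 192.0.2.9 GET /SetupWizard.aspx 200
"""


def setup_wizard_hits(log_text):
    """Return (client_ip, method, path, status) for every request whose path
    matches the bypass shape; short or malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[5].isdigit():
            continue
        _date, _time, ip, method, path, status = fields[:6]
        if SETUP_WIZARD_ABUSE.search(path):
            hits.append((ip, method, path, int(status)))
    return hits


def triage(version, log_text):
    """Combine both checks: is the build exposed, which clients probed the
    wizard path, and which of those requests were not rejected (status < 400)
    and therefore warrant a review of the user list for new admin accounts."""
    hits = setup_wizard_hits(log_text)
    return {
        "vulnerable_build": is_vulnerable(version),
        "probing_clients": sorted({h[0] for h in hits}),
        "accepted_requests": [h for h in hits if h[3] < 400],
    }


if __name__ == "__main__":
    print(triage("23.9.7.8804", SAMPLE_LOG))
```

A hit with a 2xx or 3xx status on a pre-23.9.8 build is the case to escalate: compare the server's user list against a known-good export, since the entry above notes that successful exploitation creates admin accounts and can delete existing ones.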
2024-02-27 18:49:41 theregister MISCELLANEOUS NIST Releases Enhanced Cybersecurity Framework Version 2.0
NIST has updated its Cybersecurity Framework to version 2.0, adapting to a decade’s worth of evolving security challenges. The CSF 2.0 expands its applicability to organizations of all sectors and sizes, aiming to assist with varying levels of cybersecurity sophistication. The framework now integrates more comprehensive resources that can be customized for an organization’s changing cybersecurity needs. Key inclusions in the new version are quick-start guides, implementation examples, a mapping catalog for self-assessment, and reference tools. Version 2.0 of the CSF was developed in alignment with President Biden's 2023 National Cybersecurity Strategy. A significant update in CSF 2.0 is the addition of a sixth core function, 'govern', focusing on integrating cybersecurity into the broader enterprise risk management strategy. NIST emphasizes that the updated framework is a living document, inviting feedback from the security community to further enhance its utility and effectiveness.
2024-02-27 17:27:54 bleepingcomputer NATION STATE ACTIVITY Russian Military Hackers Commandeer Routers for Covert Operations
Russian military hackers from GRU Military Unit 26165, known as APT28 or Fancy Bear, have compromised Ubiquiti EdgeRouters for espionage. The FBI, NSA, U.S. Cyber Command, and international partners issued an advisory about these attacks, which target militaries, governments, and organizations worldwide. The hijacked routers are used to build botnets, steal credentials, collect NTLMv2 digests, and route malicious traffic through victim networks. EdgeRouters are attractive targets because they ship with default credentials, do not update firmware automatically, and have minimal firewall protection by default. APT28 repurposed existing botnets, such as the one built with Moobot malware, for its espionage operations, and the FBI found custom tools, phishing techniques, and Python scripts tailored for credential harvesting on the hacked routers. Recommendations for remediating compromised routers cover removing infections, blocking unauthorized access, and reporting suspicious activity to authorities. The advisory notes the long history of Russian state-sponsored targeting of internet routing equipment for espionage and as a staging point for further attacks.
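The remediation steps in the three EdgeRouter entries above (factory reset, firmware update, replacing default credentials, WAN-side firewall rules) apply to every exposed device. As an added example that is not from the advisory or from Ubiquiti, this script audits the text of an EdgeOS `show configuration` dump for the two steps that leave a trace in the configuration: a default-drop local ruleset attached to the WAN interface, and removal of the factory `ubnt` account. The WAN interface name eth0, the ruleset name WAN_LOCAL and both sample configurations are assumptions constructed for the example; the firmware version and whether a reset was performed cannot be read from the configuration and must be checked separately.

```python
# Constructed configurations in the brace-delimited text format printed by
# `show configuration`. Both are written for this audit, not real device dumps.
WEAK_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
}
"""

HARDENED_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user netadmin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
}
"""


def parse_config(text):
    """Parse the dump into nested dicts. A node header such as 'ethernet eth0 {'
    keeps its whole label as the key; a leaf such as 'default-action drop' maps
    key to value. Repeated leaf keys keep the last value, enough for this audit."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration text")
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed '{' in configuration text")
    return root


def audit(cfg, wan_if="eth0"):
    """Return a list of findings; an empty list means both checks passed.
    wan_if is the internet-facing interface (assumed to be eth0 here)."""
    findings = []
    iface = cfg.get("interfaces", {}).get(f"ethernet {wan_if}", {})
    ruleset = iface.get("firewall", {}).get("local", {}).get("name")
    if ruleset is None:
        findings.append(f"{wan_if}: no local firewall ruleset attached to the WAN interface")
    else:
        rs = cfg.get("firewall", {}).get(f"name {ruleset}")
        if rs is None:
            findings.append(f"{wan_if}: references ruleset {ruleset} that is not defined")
        elif rs.get("default-action") != "drop":
            findings.append(f"{wan_if}: ruleset {ruleset} does not default to drop")
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("factory 'ubnt' account still present")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text)) or ["ok"])
```

The `local` firewall hook is the one that governs traffic addressed to the router itself, which is what matters here: the advisory's concern is remote management services reachable from the WAN, not forwarded traffic. A ruleset that accepts only established and related connections and drops everything else by default removes that exposure without touching LAN-side administration.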
2024-02-27 17:07:18 bleepingcomputer RANSOMWARE German Consumer Advice Center Hit by Ransomware Attack
The Hessen Consumer Center in Germany has suffered a ransomware attack affecting its IT systems and the availability of its consumer services; telephone and email communications were significantly disrupted, temporarily making consumer advocates hard to reach. The center, which provides consumer law and advice services, is not a government body but serves more than six million residents. External IT security experts are helping restore all communication channels, though no timeline for full recovery has been given. Because ransomware attacks commonly involve data theft, a data breach is possible; the center is investigating and will notify affected individuals if necessary. A criminal complaint has been filed with the Hessen police, and the state's data protection and IT security offices have been notified. At the time of reporting, no major ransomware group had claimed responsibility.