Daily Brief

2024-02-26 20:43:09 | theregister | CYBERCRIME | Change Healthcare Hit by ALPHV Ransomware Attack
The ALPHV/BlackCat ransomware gang has been identified as responsible for the cyberattack on Change Healthcare, which is affecting pharmacies such as CVS and Walgreens. The attack has caused prescription fulfillment delays nationwide because pharmacies cannot transmit insurance claims. Change Healthcare disclosed the breach on February 21 and has been struggling to fully restore services. UnitedHealth, the parent company, suggested in an SEC filing that a nation-state cyber threat actor could be responsible. ALPHV is linked to the Darkside/Blackmatter group known for the Colonial Pipeline attack and for recent hits on critical infrastructure. Despite a US government bounty for information leading to the capture of ALPHV leaders, the group's activities continue to be disruptive. The healthcare provider is taking cautious measures, refusing to compromise security as it works to bring systems back online.
2024-02-26 20:02:10 | bleepingcomputer | CYBERCRIME | Hackers Use Outdated CMS Tool for SEO Poisoning on Gov and Edu Sites
Threat actors are exploiting an old CMS text editor, FCKeditor, to carry out SEO poisoning on educational and government websites. Open redirects are used to guide users from reputable domains to malicious external URLs, effectively bypassing the URL filters of security products. The tactic uses trusted domains to raise the ranking of malicious URLs in Google Search results, a strategy known as SEO poisoning. Despite the potential for abuse, companies like Google and Microsoft do not always view open redirects as a security flaw needing immediate attention. Notable institutions such as MIT and Columbia University, and government sites for Virginia and Austin, Texas, have been identified as victims of this campaign. The deprecated FCKeditor plugin, which was replaced by CKEditor in 2009, is still in use on some sites, leaving them vulnerable to these attacks. The attackers initially plant static HTML pages on a compromised domain to rank on search engines, later replacing them with links directing users to malicious sites. The cybersecurity community stresses the importance of updating and replacing outdated software to prevent such exploitation, noting that many government and educational entities often lag in this regard.
2024-02-26 19:16:16 | theregister | CYBERCRIME | LockBit Ransomware Group Resurfaces, Threatens Data Leak
The LockBit ransomware gang, recently targeted by law enforcement, claims to have resumed operations and threatens to leak sensitive information, including data related to Donald Trump. The group taunts law enforcement and boasts about its resilience following the seizure of its servers and the arrest of members. LockBit's new leak site lists over a dozen alleged victims, including the FBI, healthcare facilities, and Fulton County, Georgia, which the group had already targeted. Fulton County faces a new ransom threat: LockBit has set a March 2 deadline for payment to prevent the disclosure of sensitive data, including juror identities from a murder trial. Law enforcement's recent operation, dubbed Operation Cronos, captured over 1,000 decryption keys, but LockBit alleges that most keys remain protected and unusable by the FBI. The ransomware group's spokesperson, LockBitSupp, admitted to a PHP vulnerability in the gang's systems but downplayed the impact of law enforcement's breach on its operations.
2024-02-26 17:34:15 | bleepingcomputer | NATION STATE ACTIVITY | Five Eyes Warn of Russian SVR's Shift to Cloud Service Attacks
The Five Eyes intelligence alliance has issued a warning about the increased focus of Russia's SVR (APT29) on cloud service attacks. APT29, known for the SolarWinds breach, has been targeting cloud infrastructure, including Microsoft 365 and Exchange Online accounts. The advisory outlines the SVR's tactics, including brute-force attacks, password spraying, exploiting dormant accounts, and using stolen access tokens. The SVR uses sophisticated tools like the MagicWeb malware to authenticate within compromised networks and targets government and critical organizations globally. Defenders are urged to enable MFA, enforce strong passwords, practice the principle of least privilege, establish canary accounts, and monitor for specific indicators of compromise. By implementing the recommended mitigations, organizations can strengthen their defense against this particular nation-state threat.
2024-02-26 17:08:33 | bleepingcomputer | CYBERCRIME | ThyssenKrupp Automotive Division Hit by Cyberattack
ThyssenKrupp has confirmed a cyberattack on its Automotive division, forcing a shutdown of IT systems. The company is a global steel industry leader with over 100,000 employees and significant influence in multiple sectors. The breach was detected by the company's IT security team, leading to immediate containment efforts. No other ThyssenKrupp business units have been affected, and the situation is reportedly under control. Measures are being taken to gradually restore normal operations after the attack. The Saarland plant, a major site for steel production and R&D, was directly affected but continues to supply customers. ThyssenKrupp has been targeted by cyberattacks in the past, with previous incidents focused on espionage and operational disruption. No threat actors have claimed responsibility for the attack, and the specific details of the breach have not yet been disclosed.
2024-02-26 16:42:40 | bleepingcomputer | CYBERCRIME | Major Brands' Domains Hijacked in Massive "SubdoMailing" Ad Fraud Campaign
A large-scale ad fraud campaign named "SubdoMailing" uses over 8,000 domains and 13,000 subdomains to send up to 5 million spam emails daily. Subdomains of trusted brands like MSN, VMware, McAfee, and eBay were compromised, lending credibility to the spam and drawing recipients into fraudulent schemes. Guardio Labs researchers uncovered the campaign, revealing the use of hijacked subdomains to bypass spam filters and abuse email authentication protocols. The fraudulent emails direct users to fake giveaways and scams, generating ad revenue for the attackers through a complex series of website redirections. The attackers employ techniques like CNAME hijacking and exploitation of SPF records to take over domains and authenticate their spam. The discovery includes a detailed analysis of the methods used to make the emails appear legitimate, leveraging the SPF, DKIM, and DMARC protocols to evade detection. The threat actors behind SubdoMailing maintain a vast network of domains and IP addresses to run their ad fraud operation at scale. Guardio Labs has set up a checker website to help domain owners identify and address potential misuse of their brands in this ongoing campaign.
2024-02-26 15:05:52 | bleepingcomputer | MISCELLANEOUS | Combating End-User Risk with Enhanced Password Security Measures
Despite cybersecurity training, end-users often prioritize convenience, leading to risky password practices such as password reuse. Even with awareness of best practices, training alone does not consistently change behavior, because users focus on efficiency and assume breaches won't personally affect them. Research from LastPass reveals that 79% of trained individuals find the training helpful, yet only 31% stop reusing passwords, demonstrating the gap between knowledge and action. Password reuse is a significant problem, as shown by Bitwarden's finding that 84% of users reuse passwords, which exposes organizations to compromise through breaches of external services. Organizations are encouraged to complement cybersecurity training with technological controls, such as enforced strong password policies and continuous scanning against databases of compromised passwords. Specops Password Policy is one such technology that blocks weak passwords and provides real-time feedback, thereby enhancing password security and supporting better user behavior.
2024-02-26 15:00:33 | thehackernews | MALWARE | Steganography Tactics in New Cyberattacks Delivering Remcos RAT
Ukrainian organizations in Finland have been targeted with the Remcos RAT, delivered by the IDAT Loader malware. The attack involved an innovative use of steganography to conceal and deploy the harmful software. IDAT Loader is linked to Hijack Loader and has been observed distributing other payloads such as DanaBot, SystemBC, and RedLine Stealer. A phishing campaign initially identified by CERT-UA employed war-themed lures to start the attack chain leading to Remcos RAT infection. IDAT Loader hides the RAT within a PNG image using steganography, an advanced evasion technique. In a separate incident, Ukrainian defense forces were targeted with the COOKBOX malware via Signal, an attack attributed to the UAC-0149 group. The PikaBot malware has reemerged with new obfuscation methods and is under active development, indicating growing sophistication among threat actors.
2024-02-26 14:19:29 | theregister | MISCELLANEOUS | NIS2 Directive Compliance Crucial for EU Organizations by 2024
The EU's NIS2 Directive will become law in October 2024, enhancing cybersecurity for critical infrastructure. More than 160,000 organizations will be affected, with potential fines of up to €10m for non-compliance. The upgraded directive will extend security requirements, cover more organizations and sectors, and enforce stricter measures. The aim is to bolster the security of supply chains, streamline reporting obligations, and reinforce sanctions across Europe. Proactive preparation for NIS2 compliance is essential for organizations to avoid penalties. An upcoming webinar hosted by The Register will cover the NIS2 details and compliance preparations. Experts from Checkmarx and Cert2Connect will offer insights into the Directive's implications for application security and compliance strategies.
2024-02-26 14:14:12 | thehackernews | CYBERCRIME | Hijacked Subdomains of Major Brands Used for Massive Spam Campaign
Over 8,000 subdomains belonging to trusted brands and institutions have been hijacked for a spam operation named SubdoMailing, which began in September 2022. The cybercriminal group ResurrecAds is behind the campaign, abusing digital advertising infrastructure for profit through spam and phishing. Hijacked subdomains of recognizable entities, including the ACLU, eBay, Lacoste, and UNICEF, were used to bypass email security measures and distribute millions of spam emails daily. The emails are crafted to slip past text-based filters by using images, employ redirects to present targeted ads or phishing sites, and evade standard email authentication checks (SPF, DKIM, DMARC). The threat actors exploit CNAME record aliasing and register abandoned domains to send emails that appear to come from legitimate senders; one highlighted example was sent from an SMTP server in Kyiv. No evidence has been found that the hijacked subdomains were used to host phishing landing pages, but the potential risk exists. Guardio Labs offers a SubdoMailing Checker for domain administrators to detect possible compromises and advises on countermeasures to dismantle the fraudulent infrastructure.
2024-02-26 14:03:46 | bleepingcomputer | CYBERCRIME | Massive "SubdoMailing" Ad Fraud Operation Hijacks Thousands of Domains
The "SubdoMailing" campaign is sending up to five million spam emails daily using hijacked domains of well-known companies to bypass spam filters. Over 8,000 legitimate domains and 13,000 subdomains have been compromised, affecting brands like MSN, VMware, McAfee, and eBay. Clicks on the malicious email links lead to fake giveaways and affiliate scams, generating ad revenue for the fraudsters. Guardio Labs researchers uncovered the campaign, which leverages domain hijacking techniques such as CNAME hijacking and SPF record exploitation. The cybercriminal group, dubbed "ResurrecAds," orchestrates the operation by systematically scanning for and hijacking vulnerable domains. The campaign uses a vast network of nearly 22,000 unique IPs and a thousand residential proxies to maintain its operational scale. To help mitigate the issue, Guardio Labs has provided a SubdoMailing checker tool for domain owners to check whether their brands are being exploited.
2024-02-26 12:47:10 | theregister | DATA BREACH | ICO Sanctions Serco for Unlawful Biometric Data Processing
The UK Information Commissioner's Office (ICO) has issued an enforcement notice to Serco Leisure for unlawfully processing the biometric data of over 2,000 employees at 38 facilities. Serco was found to have used facial recognition and fingerprint scanning to monitor staff attendance and calculate pay without proper consent or opt-out options, creating a power imbalance. Employees felt compelled to surrender biometric data as a condition of employment, which raised significant privacy concerns. The ICO has ordered Serco Leisure to destroy all unlawfully retained biometric data within three months and to reassess its use of biometric technology. The ICO's statement emphasized the risks of biometric data usage, noting that biometric information cannot be reset the way a password can. The enforcement affects not only Serco and its associated community trusts but also other trusts across various locations in the UK. Following the enforcement, the ICO has published new guidance on the appropriate use of biometric data to help organizations mitigate risks and prevent bias.
2024-02-26 12:31:39 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Launch Malicious npm Package Attack
North Korean-linked hackers have targeted developers by publishing malicious packages to the npm registry for Node.js. The fake packages were designed to steal cryptocurrency and credentials by masquerading as legitimate libraries, one being a variant of the popular "execution-time" library. The campaign, recognized as a software supply chain attack, concealed malicious code within test files that fetched further payloads to compromise web browser credentials. A GitHub profile was connected to the malicious activity, with repositories containing Python scripts that communicated with identified IP addresses. A series of accounts related to the hackers actively forked repositories, with efforts made to circumvent GitHub's defensive actions. Connections to a known North Korean malware campaign, 'Contagious Interview,' have been established, with similarities noted in the obfuscated JavaScript used. A developer confirmed the deceptive tactics used by the attackers, who shared the malicious repository posing as part of a live coding interview test, though the targeted developer did not install it. The incident underlines the need for heightened vigilance in the software development community regarding open-source code security.
2024-02-26 11:50:36 | theregister | CYBERCRIME | Journalist Charged for Allegedly Hacking Fox News Footage
Florida journalist Tim Burke was arrested on charges related to unauthorized access to Fox News' computer systems. Burke's legal team argues that his actions constituted journalistic investigation, not hacking, as he accessed video streams via a link without using credentials. Among the accessed footage were unaired comments by Kanye West, which Burke then altered to conceal their origin. The Electronic Frontier Foundation (EFF) has called for the US Department of Justice to clarify how Burke's actions violate the Computer Fraud and Abuse Act (CFAA), emphasizing the law's vagueness. Separately, Apple's App Store approval process is being questioned again after a fake cryptocurrency wallet app led to user losses, underscoring the ongoing challenge of app store security. The UK Office for Product Safety and Standards (OPSS) instructed EV charger manufacturer Wallbox to halt sales of a model that fails to meet cybersecurity standards, which could pose a grid security risk. Wallbox was given a temporary waiver to sell the product but will stop in June because hardware and operating system limitations prevent full cybersecurity compliance.
2024-02-26 10:34:07 | thehackernews | MISCELLANEOUS | Securing Secrets Against Inadvertent AI Disclosures
Large Language Models (LLMs) like GitHub's Copilot have been shown to inadvertently reveal secrets such as passwords and API keys from their training data. Researchers from the University of Hong Kong developed an algorithm that prompted Copilot to disclose over 2,700 valid secrets. OWASP's Top 10 for LLMs lists "prompt injection" as a primary risk, where an LLM may output sensitive data if manipulated with crafted prompts. Tips to prevent accidental secrets disclosure include regularly rotating secrets, cleaning training data of sensitive information, patching systems, and limiting privileges. Rotating secrets means reviewing and updating them regularly so that any leaked value is obsolete, and using tools to check whether secrets have been compromised. Sanitizing training data for LLMs is crucial to prevent the unintentional sharing of sensitive information; open-source tools and services can help scan for and remove secrets. Patching software and applying the principle of least privilege to app and LLM infrastructure can mitigate the risk of arbitrary code execution and sensitive data leaks. Large language models hold transformative potential but require cautious implementation and robust security measures to prevent misuse or accidental data exposure.