Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11790
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-26 09:58:18 | thehackernews | MALWARE | Spate of Phishing Campaigns in LATAM and Europe Employ Banking Trojans | Cybersecurity researchers have reported increased phishing campaigns delivering banking trojans via Google Cloud Run to users in Latin America and Europe. Observed since September 2023, these campaigns utilize malicious Microsoft Installers as droppers for malware payloads, namely Astaroth, Mekotio, and Ousaban. The operations leverage Google's trusted platform to bypass organizational security measures and distribute the malware through the same Google Cloud storage bucket. Phishing emails, mostly originating from Brazil, mimic government tax agency communications or invoices and contain malicious links that lead to malware downloads. Geofencing measures are in place to redirect users from certain geographies to legitimate websites to evade detection. Beyond current tactics, there is an increase in phishing attacks using QR codes to direct users towards fake login pages, leveraging users' mobile devices that often lack stringent security. Other malicious activities include targeting the oil and gas industry with the Rhadamanthys info stealer and abusing legitimate services like SendGrid for enhanced phishing credibility. Phishing kit availability on platforms like Telegram, such as the Tycoon Group's phishing-as-a-service, underscores the evolving threat landscape and the low barrier to entry for attackers. | Details |
| 2024-02-26 04:58:32 | thehackernews | CYBERCRIME | LockBit Ransomware Reemerges Despite Law Enforcement Crackdown | The LockBit ransomware group is back online with new dark web infrastructure listing 12 new victims, after the recent seizure of its servers by law enforcement. The group's administrator admitted to a security lapse due to not updating PHP, potentially leading to law enforcement infiltration via a known PHP vulnerability. The LockBit operator suggests the FBI targeted them following a ransomware attack containing sensitive documents relating to Donald Trump's court cases. LockBit vows to enhance security measures for its operations, eliminating automatic trial decrypts and moving to manual processes to prevent future law enforcement access to decryptors. Russian law enforcement has arrested three members of the SugarLocker ransomware group, which operated under a legitimate IT company facade and offered its malware as part of a ransomware-as-a-service model. The arrest of Aleksandr Nenadkevichite Ermakov from SugarLocker follows international sanctions for his alleged involvement in the 2022 ransomware attack on Medibank, which compromised sensitive health information of 9.7 million customers. | Details |
| 2024-02-25 19:44:47 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Reactivates with Enhanced Security Post-Police Takedown | Following law enforcement's disruption, the LockBit ransomware gang has swiftly revived its operations using new infrastructure, with an explicit threat to target government sectors. The group openly admitted that previous negligence in updating its systems had led to the breach during Operation Cronos, which resulted in its infrastructure being taken down by authorities. Despite the setback, LockBit managed to maintain its brand identity, shifting its data leak site to a new .onion address and continuing to list victims with deadlines for releasing stolen information. The relaunch includes changes to its approach, with LockBit promising improved security measures such as decentralized panels for affiliates and manual release of decryptors. LockBit also disclosed that, of the 1,000 decryption keys obtained by the police, the compromised keys were from the less secure decryptors meant for lower-level affiliates demanding smaller ransoms. The group's public response and updates to its operational strategy serve as damage control to restore trust among its affiliates after authorities exposed vulnerabilities in its system. | Details |
| 2024-02-25 16:11:40 | theregister | MISCELLANEOUS | The Intricacies of Designing Secure Internet Systems | Security is often seen as a feature that must be built into the foundation of internet systems, rather than retrofitted. The early internet had several shortcomings, such as lack of scalability, which have been improved over time with new protocols like DNS and BGP. Security is comparable to other system requirements, such as scalability and availability; all must be consistently maintained at every layer without a single point of failure. Defense-in-depth (DiD) in security is analogous to building reliability in systems, where multiple, overlapping defenses ensure system integrity. Security is difficult because it is a negative goal which is challenging to prove: ensuring that something cannot happen is different from achieving a positive outcome. Cryptographic algorithms are critical to security, but they must be integrated into well-designed systems to be effective. Articulating clear requirements and assumptions is vital in security design, as is the separation of concerns and requirements to achieve clarity and evolve over time. The authors advocate for a systematic approach to discussing and designing secure systems that acknowledges both theoretical and practical aspects of computer networking. | Details |
| 2024-02-25 16:06:20 | bleepingcomputer | CYBERCRIME | PayPal Seeks Patent for Technology to Thwart Cookie Theft | PayPal has applied for a patent for technology to identify and thwart the theft of "super-cookies," which can be used to access accounts without proper authentication. The method proposed by PayPal can detect when cookies containing authentication tokens are stolen, helping to prevent account takeover attacks, even those bypassing 2FA. Super-cookies, different from regular cookies, are Local Shared Objects used for cross-site tracking and are more resistant to detection and deletion. PayPal's system would calculate a fraud risk score by examining expected values of a device's various cookie storage locations and comparing them during an authentication request. The authentication process could involve additional security measures depending on the assessed risk of fraud, based on the cookie values. The proposed method uses public-key cryptographic algorithms to encrypt cookie values retrieved during this process, enhancing security against potential tampering. The patent titled "Super-Cookie Identification for Stolen Cookie Detection" highlights PayPal's efforts to improve security measures for authentication and protect against unauthorized logins using stolen web cookies. | Details |
| 2024-02-25 11:31:47 | bleepingcomputer | CYBERCRIME | RCMP Cyber Attack Investigation Underway, Website Offline | The Royal Canadian Mounted Police (RCMP) is investigating a significant cyber attack on its networks. RCMP confirms that its operations are not currently affected and public safety is not at risk. RCMP's chief security officer has issued a warning for staff to be on alert following the "cyber event". There is no current evidence to suggest that foreign police or intelligence services have been compromised. The RCMP has alerted the Office of the Privacy Commissioner about the cyberattack. RCMP's website is down, displaying a 404 error, and appears to be redirecting to a non-existent install.php page. A separate RCMP domain is partially accessible, but the main website remains offline as the investigation proceeds. | Details |
| 2024-02-25 08:59:23 | thehackernews | CYBERCRIME | International Operation "Cronos" Dismantles Notorious LockBit Ransomware | The LockBit ransomware operation has been taken down in a coordinated international effort named Operation Cronos. Authorities claim the admin known as "LockBitSupp" has engaged with law enforcement, potentially creating distrust among the group's affiliates. Over 14,000 accounts linked to LockBit on services like Mega and Protonmail have been closed due to the takedown. Researchers suggest that multiple people could be operating under the LockBit and LockBitSupp accounts; the group increased its bounty for their identification to $20 million. LockBit has created multiple versions since 2019 and was developing a new version, LockBit-NG-Dev, which features a validity period and other updates to prevent reuse and resist analysis. Analysis by PRODAFT identified over 28 LockBit affiliates with connections to other Russian cybercrime groups. The LockBit group, also utilizing a "Ghost Group" operational model, has earned over $120 million from its illegal activities, with a global financial impact in the multi-billions. Following the crackdown, rebuilding LockBit's infrastructure is seen as highly unlikely due to a loss of trust from initial access brokers and the departure of key technical personnel. | Details |
| 2024-02-24 16:09:30 | bleepingcomputer | MISCELLANEOUS | Apple Introduces Quantum-Resistant PQ3 Encryption to iMessage | Apple has incorporated a new post-quantum cryptographic protocol called PQ3 into its iMessage service to secure it against potential quantum computing attacks. PQ3 is designed to safeguard end-to-end encryption on iMessage, which is used by almost one billion iOS and macOS devices. The adoption of PQ3 aims to protect current communications and previous encrypted messages that could be at risk from "harvest now, decrypt later" scenarios. The PQ3 protocol combines with existing Elliptic Curve Cryptography (ECC) in a hybrid model to remain secure against both current threats and future quantum attacks. Apple's PQ3 makes use of the Kyber algorithm, a recognized post-quantum solution by the global cryptography community and NIST. A notable feature of PQ3 is its periodic post-quantum rekeying, which regularly updates quantum-resistant keys to maintain high security without affecting the user experience. Apple's move to PQ3 positions it as a leader in the field, potentially setting the standard for secure communication in the face of evolving quantum threats. | Details |
| 2024-02-24 11:50:28 | thehackernews | NATION STATE ACTIVITY | Microsoft Expands Audit Logging for US Agencies Post Espionage Campaign | Microsoft is now offering free enhanced logging capabilities to all U.S. federal agencies, extending the log retention period. This move follows a cyber espionage effort by a China-linked group called Storm-0558, which compromised around 25 U.S. and European entities, including U.S. federal agency accounts. Enhanced logging in Microsoft Purview Audit played a crucial role in detecting the breach, particularly the MailItemsAccessed auditing action. The actors in the campaign showcased sophisticated technical skills, understanding their targets' security environments in depth. It is reported that approximately 60,000 unclassified emails from U.S. State Department officials were stolen. In response to criticism, Microsoft made advanced audit logs available that were previously only provided to higher-tier licensees. The initiative is part of the commitment to help federal agencies meet stringent cybersecurity standards set by the Office of Management and Budget Memorandum M-21-31. | Details |
| 2024-02-23 22:33:19 | theregister | CYBERCRIME | LockBit Ransomware Extortion Surpasses Billion Dollar Mark | Investigations into LockBit ransomware's financial operations suggest the cybercrime group has extracted over $1 billion in ransom payments over four years. The analysis of 30,000 cryptocurrency addresses linked to LockBit indicates approximately $126.6 million in assets, with $114 million yet to be spent. The estimations are based only on data from an 18-month period, implying that the actual amount extorted could be significantly higher. Affiliates of the LockBit group typically retain 80% of ransom payments, with the group claiming a 20% cut. The UK's National Crime Agency (NCA), in partnership with the South West Regional Organised Crime Unit and Chainalysis, is actively tracking and targeting related cryptocurrency accounts. Binance is currently restricting access to crypto assets in over 85 accounts associated with LockBit, as part of the broader clampdown on the group's financial activities. LockBit's leak site was taken over by authorities and repurposed to reveal the gang's operations, and is scheduled to be shut down completely on February 25. | Details |
| 2024-02-23 20:10:42 | theregister | DATA BREACH | U-Haul Notifies 67K Customers of Data Breach Involving Personal Information | U-Haul has informed approximately 67,000 customers that their personal data was accessed during a cyber intrusion. Cyber-criminals used stolen credentials to access the U-Haul Dealer and Team Members system, which contained customer records. Personal information, such as names, dates of birth, and driver license numbers, was compromised, but no financial data was stolen. U-Haul has since strengthened security measures, including password changes, and is offering a free year of credit monitoring to affected customers. The spokesperson did not provide details on how the attackers obtained the stolen credentials, but this incident is part of a growing trend of identity-related cyber attacks. Reporting from IBM X-Force and CrowdStrike indicates a significant increase in attacks leveraging valid credentials and a focus on compromising various forms of identity verification methods. | Details |
| 2024-02-23 18:59:01 | bleepingcomputer | DATA BREACH | Insomniac Games Employee Data Leaked in Ransomware Attack | Insomniac Games, owned by Sony, has notified employees of a data breach stemming from a November ransomware attack by the Rhysida group. The attack resulted in the theft and online leak of 1.67 TB of internal documents, including personal employee information. The data leaked includes ID scans, contract details, licensing agreements, and in-development game content, among other sensitive details. The attackers initially demanded a $2 million ransom, which was not paid, leading to the public release of 98% of the stolen data. Insomniac Games is offering affected employees an additional two years of complimentary credit monitoring and identity restoration services. The Rhysida ransomware group is known for its previous high-profile attacks, including those on the Chilean Army and the British Library. U.S. federal agencies have previously warned about Rhysida's opportunistic attacks across various sectors, underscoring the breadth of the threat the group poses. | Details |
| 2024-02-23 18:18:02 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Gang Holds Over $110 Million in Bitcoin | The LockBit ransomware operation amassed over $125 million in ransom payments within 18 months. More than $110 million in Bitcoin remains unspent after the group's disruption by Operation Cronos. Over 500 cryptocurrency addresses linked to LockBit have been active, receiving significant funds. Authorities suggest the actual ransom amounts victims paid could be much higher, with global impacts in the multi-billions. The U.K.'s National Crime Agency obtained 30,000 Bitcoin addresses from the hacked LockBit infrastructure. Law enforcement's success in disrupting LockBit led to the discovery of 85 cryptocurrency exchange accounts, now restricted by Binance. Despite LockBit's infrastructure being under law enforcement control, the group's leaders and affiliates are mostly unidentified. The U.S. State Department offers up to $15 million for information leading to LockBit members and partners. | Details |
| 2024-02-23 17:11:48 | thehackernews | MALWARE | Malicious Update on PyPI Package Distributes Nova Sentinel Malware | A previously inactive package on the Python Package Index (PyPI) named django-log-tracker was found to be spreading malware. The package received an anomalous update after nearly two years, apparently the result of a compromised developer account. The update was designed to disseminate an information stealer called Nova Sentinel. The altered django-log-tracker version was downloaded 107 times before being removed from PyPI. The update involved the package downloading and executing a malicious binary from a remote server. Nova Sentinel malware was originally identified by security researchers as being spread through fake Electron apps. The incident highlights the risks of supply chain attacks via package repositories and the importance of pinning package versions to avoid unintentionally upgrading to malicious releases. | Details |
| 2024-02-23 16:30:30 | theregister | NATION STATE ACTIVITY | Lackluster Reveal of LockBit Gang Identity Raises More Questions | The anticipated identity reveal of the LockBit ransomware gang's spokesperson, LockBitSupp, by authorities fell short of expectations. Authorities dispelled rumors about LockBitSupp's place of residence and luxury car ownership but provided limited further details. LockBitSupp's interaction with law enforcement has created speculation regarding his potential cooperation with Operation Cronos. The National Crime Agency (NCA) has declined to share more information after a series of significant leaks exposing various aspects of LockBit's operations. Operation Cronos's takedown of LockBit showcased the unwinding of the cybercrime entity with daily informational "drops" starting February 20. The takedown resulted in the exposure of LockBit affiliates' identities, arrests in Ukraine, and a showcase of LockBit's bespoke StealBit tool. LockBit's financials suggest that the group may have extorted billions over the years, with the organization's infrastructure being dismantled by law enforcement. Despite the setbacks, LockBit members claim the ability to rebuild their infrastructure and maintain their identity secrecy, challenging law enforcement's narrative. | Details |