Daily Brief

Total articles found: 11783

Checks for new stories every ~15 minutes
2024-02-20 10:56:53 thehackernews CYBERCRIME Combating Scattered Spider: Real-Time Incident Response Strategy
Scattered Spider targeted major financial and insurance institutions with notable ransomware attacks in 2023. Organizations often struggle with an effective incident response due to lack of preparedness for such attacks. Silverfort's threat research team developed an incident response playbook during an active Scattered Spider attack. The webinar will discuss the creation and execution of this response plan within a hybrid environment as the attack was unfolding. Challenges tackled included rapid response coordination, efficiency, and automating as much as possible. Insights will be shared on how to address lateral movement across three dimensions during an attack. Silverfort experts will provide a deep dive into their experiences and strategies in the upcoming limited-space webinar. A free risk assessment offer from Vanta is mentioned, highlighting the identification of security gaps and shadow IT.
2024-02-20 10:56:53 thehackernews MISCELLANEOUS Securing SaaS Apps: Aligning with NIST Cybersecurity Standards
The NIST cybersecurity framework is instrumental in securing SaaS applications, despite challenges in policy configuration across varied applications. Role-based access control (RBAC) and specifically managing admin accounts are crucial for NIST compliance and SaaS security. A balance between having a necessary number of admins for redundancy and limiting the attack surface is vital for secure SaaS operations. External admin accounts are discouraged by NIST due to risks of compromised security outside the organization’s control. Multi-factor authentication (MFA) for admin accounts and ideally all users is highlighted as an essential requirement according to NIST guidelines. SaaS configuration settings are key to preventing data leaks through unauthorized public sharing and should include measures like disabling public URL sharing and setting invite expirations. Strong password policies and avoiding common passwords can significantly decrease the risk of successful password spray attacks. Configuration management is critical since 25% of cloud-related security incidents originate from misconfigured settings, stressing the importance of aligning SaaS security with NIST standards.
2024-02-20 10:46:34 thehackernews MALWARE Urgent Patch Released for Critical ConnectWise ScreenConnect Flaws
ConnectWise has updated ScreenConnect to fix two critical security vulnerabilities. Affected software versions are 23.9.7 and earlier; version 23.9.8 contains the necessary fixes. The severe flaws could potentially allow remote code execution and data breaches. No current evidence suggests these vulnerabilities have been exploited in the wild. Vulnerabilities were disclosed to ConnectWise on February 13, 2024. ConnectWise urges users of on-premise or self-hosted versions to install updates immediately. The company is also providing patches for releases 22.4 through 23.9.7 but recommends upgrading to the latest version. The security flaws currently do not have assigned CVE identifiers.
2024-02-20 09:09:25 thehackernews MALWARE Critical Security Flaw in Bricks WordPress Theme Actively Exploited
A critical vulnerability in the WordPress Bricks theme, tracked as CVE-2024-25600 with a 9.8 CVSS score, is currently being exploited. The flaw allows unauthenticated threat actors to perform remote code execution on sites using versions of Bricks up to 1.9.6. The theme's developers released a patch in version 1.9.6.1 shortly after the issue was reported by security provider Snicco. The vulnerability is within the `prepare_query_vars_from_settings()` function and relates to insecure use of 'nonces' for permissions verification. WordPress security firm Wordfence observed over three dozen attempts to exploit this vulnerability since its public disclosure. The flaw was actively exploited starting February 14, a day after the vulnerability details were publicly disclosed. An estimated 25,000 active installations of the Bricks theme are at risk, and users are urged to update to the latest version.
2024-02-20 08:28:28 theregister NATION STATE ACTIVITY EU Launches Investigation into TikTok Under New Digital Services Act
The EU opened an investigation into TikTok for potential breaches of regulations two days after the Digital Services Act (DSA) came into effect. The probe focuses on TikTok's transparency and its obligations to protect minors on the platform. TikTok had previously submitted a risk assessment in September 2023, which did not fully satisfy the European Commission's concerns. As a Very Large Online Platform, TikTok is subject to the EU's strictest regulations, following its categorization under the DSA for having over 45 million monthly users. The in-depth investigation will assess TikTok's handling of illegal content, protection of minors, and data access practices. The duration of the investigation by the European Commission will vary, depending on factors like case complexity and TikTok's cooperation. Potential penalties for non-compliance with the DSA include fines of up to six percent of TikTok's global turnover and possibly subjecting the platform to enhanced EU supervision. TikTok has not yet publicly commented on the investigation, and further updates are pending.
2024-02-20 06:10:57 thehackernews NATION STATE ACTIVITY Iran and Hezbollah Wield Cyberattacks in Israel-Hamas Conflict
Iranian and Hezbollah-backed hackers have launched cyberattacks to influence public perception and inject chaos in the backdrop of Israel-Hamas tensions. Google reports that Iran was responsible for significant targeted phishing attempts against Israeli interests in the six months before October 7 attacks. Cyber operations included the dissemination of malware, wiper attacks, and espionage tactics, carried out independently from on-ground military conflicts. A notable threat group, GREATRIFT, and hacktivists Karma and Handala Hack used malware and wiper strains to attack Israeli targets and influence narratives. Charming Kitten, an Iranian group, and Hamas-linked operatives deployed backdoors and spyware against media, NGOs, and software engineers in Israel. Hamas-associated DESERTVARNISH targeted Android devices with MOAAZDROID and LOVELYDROID spyware, while Iran's MYSTICDOME used MYTHDROID and SOLODROID for intelligence collection. Microsoft's findings align with Google's, indicating the increasing sophistication and destructiveness of cyberattacks, including tactics to aid the Hamas cause and undermine Israel and its allies. Collaboration among various Iran-affiliated cyber groups exemplifies concerted efforts to enhance capabilities in cyber warfare and influence operations.
2024-02-20 05:30:11 thehackernews CYBERCRIME Global Law Enforcement Operation Seizes LockBit Ransomware Domains
An international operation led to the seizure of darknet domains linked to the LockBit ransomware group. Authorities from 11 countries, including the U.S., U.K., and members of Europol, coordinated the takedown named Operation Cronos. The law enforcement agencies utilized a critical PHP security flaw for the operation, leading to the control over LockBit's infrastructure. The authorities have also claimed possession of LockBit's source code, victim details, stolen data, and internal communications. LockBit, active since September 2019, has been involved in over 2,000 attacks and extorted an estimated $91 million from US entities. The crackdown on LockBit follows a similar takedown of the BlackCat ransomware group and coincides with the arrest of a Ukrainian national for unauthorized access and malware deployment.
2024-02-20 05:04:30 theregister MISCELLANEOUS Vietnam Initiates Collection of Biometrics for Comprehensive ID System
The Vietnamese government will start collecting comprehensive biometric data, including DNA and iris scans, from citizens in July as part of its new identification system. Amendments to the Law on Citizen Identification, passed in November last year, allow for the creation of a national database that will include data such as blood type and voice samples. The enhanced ID cards, mandatory for individuals over 14 years old, will incorporate multiple identification and certification functions, including health and social insurance as well as driver's licenses. The Ministry of Public Security will oversee the ID cards, which will exclude fingerprints and feature QR codes linked to personal data. Le Tan Toi, Chairman of the National Defense and Security Committee, supports the use of iris scans for identification, citing their permanence over time. With a population of about 70 million adults, the task of securely managing this extensive personal information presents significant challenges.
2024-02-20 01:21:00 theregister CYBERCRIME Global Law Enforcement Disrupts LockBit Ransomware Operations
The LockBit ransomware gang's website was seized by international law enforcement as part of a coordinated operation. A coalition of eleven nations, including the UK's National Crime Agency and the FBI, collaborated on the LockBit disruption. Visitors to the ransomware gang's .onion site are now greeted with law enforcement logos and a message about the takeover. More details on the extent of Operation Cronos against LockBit will be revealed, outlining the successes of the operation. LockBit has been responsible for significant damages, executing at least 1,700 attacks in the U.S. and targeting various organizations, including a children's hospital and major companies. The group's business model evolved to put more pressure on affiliates to secure larger ransoms, signaling changes in the ransomware-as-a-service landscape. The disruption of LockBit, which has ties to Moscow, carries geopolitical significance, possibly impacting Russia's cyber-offensive capabilities.
2024-02-19 21:42:17 bleepingcomputer CYBERCRIME Global Law Enforcement Disruption of LockBit Ransomware Network
The notorious LockBit ransomware operation has been disrupted in a coordinated international effort called "Operation Cronos." The National Crime Agency of the UK has taken control of LockBit's data leak website, displaying a law enforcement banner and indicating joint collaboration with the FBI and international partners. The ransomware gang's other dark web sites remain operational, despite the seizure of the leak site. A joint press release by the law enforcement agencies involved in Operation Cronos is scheduled to be published, detailing the disruption efforts. LockBit RaaS emerged in September 2019 and has targeted numerous high-profile organizations, with cybersecurity authorities reporting at least $91 million extorted and approximately 1,700 attacks on U.S. entities since 2020.
2024-02-19 20:25:37 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Target Global Defense Sector in Espionage Ops
A North Korean cyber-espionage campaign is targeting the global defense industry to steal military technology. Germany's BfV and South Korea's NIS have released a joint advisory warning of ongoing operations by North Korean government-associated hackers. The advisory provides details of attacks executed by the Lazarus group, explaining their tactics, techniques, and procedures (TTPs). One incident involved a supply-chain attack via a compromised IT service provider, enabling unauthorized infiltration into a maritime research center's systems. The second case involves "Operation Dream Job," a social engineering tactic targeting defense organization employees, leading to malware infections. Security recommendations include limiting service provider access, employing multi-factor authentication (MFA), adopting strict patch management policies, and educating employees on cyberattack trends. The agencies stress the importance of the principle of least privilege, strong authentication mechanisms, and proper audit logs to enhance defense against such sophisticated attacks.
2024-02-19 19:39:36 bleepingcomputer DATA BREACH Schneider Electric Targeted by Cactus Ransomware, 1.5TB Data Stolen
Schneider Electric's network was breached, and 1.5TB of data was allegedly stolen by the Cactus ransomware gang. The ransomware group leaked 25MB of data on their dark web site, including American passports and non-disclosure agreements. The attack occurred on January 17th, impacting Schneider Electric's Sustainability Business division. Schneider Electric provides consulting services to high-profile clients; the stolen data may include sensitive information on industrial control systems and compliance. The company has over 150,000 employees and reported $28.5 billion in revenue for 2023. Cactus ransomware utilizes double-extortion tactics and has been active since March 2023. The group uses purchased credentials, malware distribution partnerships, phishing, and exploitation of vulnerabilities to access networks and steal data. Over 100 companies have been added to the Cactus ransomware's data leak site, where the threat actors leak data or use it to extort ransom payments.
2024-02-19 18:48:24 bleepingcomputer CYBERCRIME Thousands of Exchange Servers Open to Privilege Escalation Exploit
A privilege escalation vulnerability (CVE-2024-21410) affects up to 97,000 Microsoft Exchange servers, with 28,500 confirmed as vulnerable. Microsoft released a patch for the zero-day on February 13, but many servers remain unpatched. Exchange Server is essential for business communication, making this vulnerability significant for email and collaboration security. The flaw allows unauthenticated attackers to perform NTLM relay attacks and gain higher privileges. Germany, the United States, and the United Kingdom are among the most affected countries. While no public PoC exploit exists yet, the potential for exploitation remains high. CISA has added CVE-2024-21410 to its Known Exploited Vulnerabilities catalog and set a deadline for federal agencies to patch or cease using affected servers by March 7, 2024. Left unaddressed, this vulnerability can enable attackers to access sensitive data and launch broader network attacks.
2024-02-19 17:57:05 bleepingcomputer MALWARE Critical RCE Flaw in Bricks WordPress Theme Under Active Exploitation
Hackers are actively exploiting a critical remote code execution flaw in the Bricks Builder Theme for WordPress. The vulnerability, identified as CVE-2024-25600, allows unauthenticated users to execute arbitrary PHP code. This security issue was discovered on February 10 and reported by a researcher under the alias ‘snicco.’ Bricks released a patch for the vulnerability on February 13 with the version update 1.9.6.1 and urged users to update immediately. Patchstack, which monitors WordPress vulnerabilities, observed active exploitation attempts beginning on February 14. Malware observed in the post-exploitation phase is designed to disable security plugins like Wordfence and Sucuri. Bricks users are advised to promptly upgrade to the latest version to prevent potential exploitation.
2024-02-19 17:21:03 bleepingcomputer DATA BREACH Security Flaw in Wyze Cameras Exposes Private Video Feeds
Wyze acknowledged a security flaw affecting at least 13,000 users, enabling access to other users' video feeds. A third-party caching client library caused the glitch following a massive outage, resulting in the exposure of user video data. Users reported accessing others' video feeds via the Events tab, leading Wyze to disable the tab and launch an investigation. The issue stems from improper mapping of device IDs and user IDs during a service restoration after an AWS outage. A total of 1,504 users engaged with the wrong thumbnails, potentially viewing other users' event videos. Wyze is contacting impacted customers and implementing additional verification for access to video content to prevent future incidents. The company is updating its systems to prevent similar issues during "extreme events" and will transition to a new client library.