Daily Brief

2024-02-19 14:07:15 theregister CYBERCRIME ALPHV Ransomware Group Claims Attacks on Prudential Financial and LoanDepot
ALPHV/BlackCat ransomware group is claiming responsibility for cyberattacks on Prudential Financial and LoanDepot, with negotiations reportedly stalling. Prudential and LoanDepot have both filed reports with the SEC confirming cybersecurity incidents, but without mentioning ransomware. There has been no leaked data thus far. ALPHV alleges ongoing access to Prudential’s network and is threatening data disclosure, contrary to Prudential's filings indicating containment. Prudential reported no evidence of client data theft, while ALPHV may seek to sell or freely publish the stolen data as a pressure tactic. The ALPHV gang previously used SEC complaints to pressure victims, exemplified by filing against MeridianLink in November 2023. LoanDepot faced an initial demand for a $6 million ransom, with ALPHV accusing them of stalling and ceasing communication. ALPHV survived a takedown attempt by the authorities in December, with its operations appearing unaffected two months later. The US government has offered a reward of up to $15 million for the capture of ALPHV leadership, signaling the severity of the threat.
2024-02-19 13:36:23 bleepingcomputer MALWARE Anatsa Malware Infects 150,000 Devices via Google Play Apps
Anatsa Android malware, a banking trojan, has racked up at least 150,000 downloads on Google Play targeting users in various European countries. Security experts at ThreatFabric identified five campaigns disseminating malware through dropper apps disguised as legitimate offerings in Google Play's "Top New Free" category. These dropper apps have evolved to hijack Android’s Accessibility Service, effectively bypassing security defenses on systems up to Android 13. The most recent campaign featured apps such as a fake ‘Phone Cleaner – File Explorer’ and 'PDF Reader: File Manager', which alone has over 100,000 downloads. Despite Google's removal of the listed malicious apps, one remains available for download, hinting at the possibility of continued infection rates. The dropper apps use a multi-stage installation process, obtaining malware components from a C2 server in steps to avoid detection. Users are advised to vigilantly check app ratings, publisher histories, and scrutinize permissions, especially regarding the Accessibility Service, to prevent malware infections.
2024-02-19 13:15:45 thehackernews CYBERCRIME Meta Exposes Eight Surveillance Firms Using Spyware Tactics
Meta Platforms reported actions taken against eight surveillance-for-hire companies from Italy, Spain, and the U.A.E., targeting major software platforms. The firms created malware for iOS, Android, and Windows that could access personal data, location, and activate device cameras and microphones. These entities conducted scraping, social engineering, and phishing on a variety of social networks and platforms to gather user data. RCS Labs was linked to a network of fake personas used for reconnaissance and phishing, while Variston IT's accounts on Facebook and Instagram were used for developing and testing exploits. Meta also took down networks from China, Myanmar, and Ukraine for coordinated inauthentic behavior and removed over 2,000 related accounts. New security features have been introduced by Meta, including Control Flow Integrity and VoIP memory isolation, to protect against exploitation. Despite these efforts, the surveillance industry continues to evolve, with recent discoveries of tools like Patternz and the MMS Fingerprint technique potentially linked to NSO Group.
2024-02-19 11:38:59 thehackernews MISCELLANEOUS Enhancing Security with NDR's Risk-Based Cybersecurity Strategy
Network Detection and Response (NDR) offers an advanced approach to cyber threat detection via risk-based alerting, outperforming traditional SIEM systems by prioritizing alerts based on risk levels. NDR employs real-time analysis, machine learning, and threat intelligence to provide immediate detection of anomalies, helping to reduce alert fatigue and enabling better decision-making. Risk-based alerting focuses organizational resources on the most critical threats, optimizing response efforts and ensuring efficient allocation of security resources. NDR systems utilize threat intelligence feeds and integrate user and entity behavior analysis to generate nuanced risk assessments for network activity, automating responses to high-priority threats. Machine learning within NDR continuously adapts to identify suspicious activity, adjusting risk scores as threats evolve to maintain a dynamic and responsive cybersecurity posture. Use cases demonstrate NDR's efficiency in differentiating high-risk events, such as unauthorized access attempts, from low-risk activities like routine software updates. The article concludes that NDR's real-time analysis and adaptive machine learning capabilities make it a superior solution for risk-based alerting compared to traditional SIEM tools.
2024-02-19 11:33:42 thehackernews MISCELLANEOUS Enhancing Cybersecurity with Risk-Based NDR Alerting
Network Detection and Response (NDR) technology is favored over traditional SIEM systems due to its real-time analysis, machine learning, and threat intelligence capabilities. Risk-based alerting, prioritized by NDR systems, helps organizations focus resources on the most critical threats to their security posture, reducing alert fatigue and false positives. NDR systems detect network anomalies by analyzing traffic patterns and behavior, enhancing decision-making by assigning weighted risk scores to alerts. Threat intelligence feeds, integrated with NDR, bolster the capability for accurate risk assessment of network activities, enriching alert context. Automation in NDR setups facilitates rapid response to high-risk alerts and efficiently detects insider threats, compromised accounts, and unusual user activity. Machine learning algorithms within NDR provide dynamic risk assessments, learning from network behavior to identify and adapt to new threats and changing conditions. NDR proves superior to SIEM because it offers immediate anomaly detection and incorporates evolving threat intelligence, leading to more accurate, timely risk assessments. Application of NDR is illustrated through use cases: high-risk alerts for unauthorized access attempts are escalated, while low-risk alerts for routine activities receive proportionate responses.
2024-02-19 10:32:32 thehackernews MALWARE Anatsa Trojan Targets New European Countries via Google Play
The Android banking trojan Anatsa has initiated a new campaign targeting users in Slovakia, Slovenia, and Czechia. Despite Google Play's security measures, the trojan has managed to bypass protections, mainly by exploiting the Android accessibility service. Anatsa, also known as TeaBot and Toddler, is disguised as benign applications on the Google Play Store to facilitate malware installation. Five dropper apps related to Anatsa have been downloaded over 100,000 times, illustrating the malware's significant reach. The trojan has the capability to gain comprehensive control of the affected devices and can steal user credentials and initiate fraudulent transactions. A particular dropper app named "Phone Cleaner File Explorer" was found to have been downloaded approximately 12,000 times from Google Play before being removed. The malware uses a technique called versioning, in which a benign app is updated with malicious code after it has passed the Play Store's initial scrutiny, to deploy its harmful payload. ThreatFabric notes that these attackers prefer concentrated attacks on specific regions, likely to maximize fraud cases against the targeted financial organizations.
2024-02-19 09:00:55 theregister MISCELLANEOUS Navigating Cyber-Physical System Security in the XIoT Era
Cyber-physical systems (CPS), essential for linking computational functions with physical processes, are critical for the advancement of smart infrastructure and the Fourth Industrial Revolution. CPS and the Extended Internet of Things (XIoT) create opportunities for efficiency and manageability in sectors like manufacturing, transportation, utilities, and healthcare, but also introduce significant security risks. Traditional cybersecurity solutions are often incompatible with industrial environments, failing to adequately protect interconnected systems from cyber threats. Regulatory requirements for cybersecurity in industrial organizations have grown complex, necessitating robust protection measures for critical infrastructure. Claroty's Buyers Checklist aids IT managers in identifying key features and requirements for CPS security solutions, ensuring alignment with organizational needs. The ideal CPS security solution will encompass telemetry collection, advanced AI analysis, and seamless integration with existing security tools, adaptable to various industrial protocols and organizational demands. As XIoT continues to evolve, security is crucial for the safe and effective transformation of how engineered systems interact; the article warns of potential dangers if it is not addressed properly.
2024-02-19 05:06:24 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Target 80+ Entities Exploiting Webmail Flaws
Russian and Belarusian aligned threat actors have exploited vulnerabilities in Roundcube webmail to breach over 80 organizations. The campaign, attributed to Winter Vivern, affected entities mostly in Georgia, Poland, and Ukraine, and is being tracked as TAG-70 by Recorded Future. Winter Vivern has demonstrated sophisticated social engineering and XSS exploitation tactics, targeting governmental and military organizations' email systems. The espionage activities included delivering JavaScript payloads through Roundcube to steal credentials and monitor European political and military movements. Security firm Recorded Future uncovered the attacks, which occurred in early to mid-October 2023, and continued to detect related activities against Uzbekistan in March 2023. TAG-70 is also suspected of spying on Iranian embassies and the Georgian Embassy to understand diplomatic stances on issues like Iran's support for Russia in Ukraine and Georgia's EU and NATO aspirations.
2024-02-19 04:45:43 thehackernews NATION STATE ACTIVITY Iranian Threat Actor Targets Policy Experts with BASICSTAR Backdoor
Iranian threat group Charming Kitten, associated with the Islamic Revolutionary Guard Corps, has initiated attacks against Middle East policy experts using a new backdoor, BASICSTAR. The group created a fraudulent webinar platform to build trust and lure victims, often targeting think tanks, NGOs, and journalists with prolonged social engineering tactics. Microsoft has reported related malware attacks targeting high-profile individuals engaged in Middle Eastern affairs, with malware capable of extracting sensitive data from a host system. Phishing activities use compromised legitimate email accounts and multiple threat actor-controlled accounts for Multi-Persona Impersonation (MPI). Attack methodologies include RAR archives with LNK files to distribute malware. Targets are prompted to join fake webinars on topics relevant to their interests, eventually deploying BASICSTAR and other malware like KORKULOADER. BASICSTAR gathers system information, executes remote commands from a C2 server, and can display decoy PDF files, while other backdoors like POWERLESS and NokNok are tailored for different operating systems. Recorded Future has identified a network of Iranian contracting companies closely linked to the IRGC, focused on exporting surveillance technologies to countries such as Iraq, Syria, and Lebanon while hiding their true affiliations through cyber centers.
2024-02-19 01:32:31 theregister CYBERCRIME US Offers $15 Million Reward for ALPHV Ransomware Gang Information
The US government has announced a bounty of up to $15 million for information on the ALPHV/Blackcat ransomware group. The State Department is offering $10 million for the identification and location of ALPHV's leaders and $5 million for information related to the arrest of affiliates. The group, which potentially has ties to Russia, continues to target critical infrastructure, including an attack on the Canadian Trans-Northern Pipelines. Siemens has disclosed several critical vulnerabilities needing urgent patching by those using its hardware. The takedown of the encrypted communication service EncroChat continues to yield arrests, including a 30-year sentence for a former Scandinavian footballer. The Colorado State Public Defender's office was disrupted by a ransomware attack affecting network access and online court systems. An unnamed US state government's network was compromised using credentials obtained from a former employee, prompting a warning to enable multifactor authentication (MFA).
2024-02-18 16:28:49 theregister NATION STATE ACTIVITY How Election Security Concerns Span AI Disinformation to Anthrax Risks
The U.S. has been warned of various threats to the 2024 election security, ranging from AI-driven disinformation to physical safety concerns like handling hazardous substances such as fentanyl, anthrax, and ricin. Election officials are urged to revert to paper ballots where feasible and to prepare for potential disinformation campaigns that could employ advanced technologies like deepfakes and AI. While domestic sources can propagate disinformation, the U.S., UK, and Canada are particularly focused on combating foreign information manipulation that threatens to undermine democratic processes and human rights. These countries have endorsed a Framework to Counter Foreign State Information Manipulation, aiming to detect and counteract such threats through digital tools and multinational collaboration. Although electronic ballot return offers convenience, government agencies warn of "significant security risks" and recommend paper ballots instead, highlighting the difficulty in securing internet-voted ballots. The U.S. has released guidelines advising election offices on how to handle suspicious packages and equip staff with safety training and overdose medication for possible exposure to toxic substances.
2024-02-18 15:07:24 bleepingcomputer CYBERCRIME Ukrainian National Arrested for Bank Account Hacking Operation
Ukrainian cyber police arrested a 31-year-old individual for hacking and selling access to U.S. and Canadian bank accounts. The suspect used trojanized software disguised as free resources on websites he controlled, distributing it through online ad campaigns. The compromised software affected both desktop and mobile (Android) devices, leading to the theft of sensitive data. The hacker sold stolen bank and Google account information on the dark web for Bitcoin and communicated with buyers using a Russian phone number. The investigation is ongoing to identify potential accomplices who maintained darknet accounts related to this scheme. The hacker has been involved in cybercrime since 2017 and shifted to phishing attacks in 2021, making at least $92,000 from the operations. During the arrest, authorities seized items including a luxury vehicle; the suspect faces up to 8 years in prison and asset forfeiture. Users are advised to exercise caution when searching for software tools online, to verify official vendor sites, and to consider using ad-blockers to reduce the risk of malware.
2024-02-18 07:15:08 thehackernews CYBERCRIME Guilty Plea from Mastermind Behind Zeus and IcedID Cybercrimes
Vyacheslav Igorevich Penchukov, a Ukrainian national, has pleaded guilty to his lead role in the Zeus and IcedID malware attacks. Originally arrested by Swiss authorities and extradited to the U.S., Penchukov faced charges for actions spanning May 2009 to February 2021. Penchukov, part of the Jabber Zeus gang, was involved in schemes that defrauded millions via banking trojan malware, leading to unauthorized fund transfers. Using "money mules," the ill-gotten funds were moved to overseas accounts, obscuring the cybercriminals' financial trail. The defendant also contributed to attacks involving IcedID malware, which functions as an information stealer and as a vehicle for delivering additional malicious payloads. Despite previous connections to Ukrainian political figures, Penchukov's evasion of local law enforcement ended with international cooperation leading to his extradition and guilty plea. Penchukov is set to be sentenced on May 9, 2024, and faces a maximum of 40 years in prison on two counts of conspiracy. The article also covers the extradition of another Ukrainian, Mark Sokolovsky, associated with the Raccoon malware, reinforcing the ongoing international efforts to curb cybercrime.
2024-02-17 16:11:25 bleepingcomputer DDOS KeyTrap Vulnerability Creates Long-Lasting DoS Risk for DNS Resolvers
A serious design issue in DNSSEC, dubbed KeyTrap and tracked as CVE-2023-50387, enables attackers to cause a prolonged denial-of-service condition in DNS resolvers with just a single packet. KeyTrap exploits the DNSSEC requirement to send all relevant keys and signatures, including misconfigured or unsupported ones, which can greatly increase CPU load and delay response. Vulnerable resolvers can be forced into a DoS state lasting from 56 seconds to 16 hours, disrupting essential internet services such as web browsing, email, and instant messaging. Researchers have warned that the KeyTrap vulnerability has existed in the DNSSEC standard since 1999, and its discovery highlights the need to rethink DNSSEC’s design. Patches to mitigate KeyTrap have been issued by several vendors, with Google and Cloudflare already implementing fixes in their DNS services. Akamai, noting that approximately 30-35% of global internet users could be affected, has developed and released mitigations for their DNS infrastructure, limiting cryptographic failures to prevent resource exhaustion. Despite the deployment of fixes, the fundamental DNSSEC design vulnerabilities exposed by KeyTrap suggest a reevaluation of underlying DNS security approaches may be necessary.
2024-02-17 13:02:41 bleepingcomputer NATION STATE ACTIVITY FBI Dismantles GRU-Controlled "Moobot" Botnet Targeting Global Entities
The FBI has dismantled a botnet composed of SOHO routers infected with Moobot malware and operated by GRU Military Unit 26165, known as APT28 or Fancy Bear. The botnet facilitated malicious activities including spearphishing and credential theft against U.S. and international targets, such as government and military institutions. The GRU did not initially create the Moobot botnet but repurposed it after it was deployed by non-state cybercriminals who exploited Ubiquiti routers. FBI agents undertook "Operation Dying Ember" to remotely wipe malicious data, delete the Moobot malware, and block the GRU's remote access to the routers. The takedown operation temporarily modified firewall rules to prevent the GRU from regaining access, while router functionality and user data remained unaffected. The FBI's actions can be reversed by users through a router factory reset or through local network access, but the FBI warned against resetting without changing default passwords because of the risk of reinfection. The FBI's disruption of Moobot follows a similar takedown of the KV-botnet used by Chinese state-sponsored hackers earlier in the year.