Daily Brief

2024-02-16 07:47:33 thehackernews DATA BREACH Unsecured Ex-Employee Account Leads to State Network Breach
An unnamed U.S. state government entity suffered a network breach via an admin account of a former employee. Compromised credentials, discovered in a public leak database, allowed threat actors to access a virtual private network and blend in with legitimate traffic. The attackers obtained additional credentials from a virtualized SharePoint server, further compromising the on-premises network and Azure Active Directory environment. While no lateral movement to the Azure cloud was detected, host and user data were accessed and posted on the dark web. Following the breach, immediate measures included password resets, the disabling of the compromised accounts, and reinforcement of privileged account security. The lack of multi-factor authentication (MFA) on the compromised accounts was a significant security oversight. The incident demonstrates the dangers of inadequately managed Active Directory accounts, including those of former employees. Recommendations include implementing the principle of least privilege, using separate admin accounts for on-premises and cloud environments, and altering default Azure AD application registration settings to prevent unauthorized privilege escalation.
2024-02-16 06:51:24 thehackernews NATION STATE ACTIVITY U.S. Thwarts APT28's Botnet Used for Russian Cyber Espionage
The U.S. disrupted a botnet operated by the Russian-linked APT28, known for engaging in cyber espionage. The botnet targeted routers in small office/home office (SOHO) environments and was used for credential harvesting and spear-phishing campaigns. APT28, associated with Russia's GRU Unit 26165, employed MooBot malware to co-opt Ubiquiti routers and obscure their cyber operations. The FBI identified the botnet's use of default credentials to plant SSH malware on routers, allowing persistent remote access. The botnet was turned into a cyber espionage platform that repurposed routers to relay malicious traffic and mask threat actors' locations. Spear-phishing efforts included exploiting an Outlook zero-day and creating fake web pages to capture credentials. The U.S. government initiated Operation Dying Ember to issue commands to infected devices, copy/delete stolen data, and block APT28's access. The operation is part of ongoing efforts to combat state-sponsored cyber threats, following recent disruptions of Chinese and other Russian hacker campaigns.
2024-02-16 01:25:33 theregister DATA BREACH Quest Diagnostics Settles for $5M Over Patient Data Mishandling
Quest Diagnostics has agreed to a $5 million settlement for improperly disposing of confidential patient health information and hazardous waste in California. This settlement is a minor financial setback for the corporation, which posted $994 million in annual profit. The settlement will be divided among ten California counties, with additional funds allocated to environmental projects and legal fees. Quest Diagnostics will also appoint an independent environmental auditor to oversee improvements in waste-disposal practices at over 600 California facilities. The settlement came about after district attorneys conducted thorough inspections, finding numerous violations including the improper disposal of personal health information. Quest's actions were not only a violation of hazardous waste law and the California Medical Waste Management Act, but also posed risks to personal health information security. The settlement aims to enhance the protection of patient data and ensure the proper management of hazardous and medical waste in the future.
2024-02-15 23:08:02 bleepingcomputer CYBERCRIME Head of Zeus and IcedID Malware Groups Pleads Guilty in U.S.
Ukrainian national Vyacheslav Igorevich Penchukov, also known as 'tank' and 'father,' has pleaded guilty in the United States to charges related to the leadership of the Zeus and IcedID malware groups. Penchukov was arrested in Switzerland in October 2022 and extradited to the U.S. in 2023; he faced initial charges from 2012 for his involvement in the Zeus malware operation. The Zeus and IcedID cybercrime groups, under Penchukov's leadership, were responsible for the theft of millions of dollars using information stolen from infected devices. Penchukov was also linked to the Maze and Egregor ransomware operations known for double-extortion attacks. He successfully evaded arrest by Ukrainian police in 2021 due to his alleged political connections despite his association with high-profile ransomware activities. Penchukov entered a guilty plea to one charge of racketeering and one charge of wire fraud conspiracy; he faces up to 40 years in prison, with sentencing scheduled for May 9.
2024-02-15 21:15:35 theregister NATION STATE ACTIVITY US Government Disrupts Russian GRU-Controlled Botnet
The US government disrupted a Russian GRU military intelligence unit's botnet, which targeted various strategic entities. Over a thousand home and small business routers infected with Moobot malware—a Mirai variant—were neutralized. Non-GRU cybercriminals originally installed Moobot using default passwords; GRU agents then repurposed the network for cyber espionage. The botnet engaged in phishing, spying, credential harvesting, and data theft against governments and military, security, and corporate organizations. The operation involved deleting malicious files and stolen data from the routers and modifying firewall rules to block remote access. This preventive action allows for temporary collection of routing information to expose GRU attempts to interrupt the operation. The Justice Department emphasized the importance of changing default administrator passwords to prevent reinfection. This disruption follows a previous takedown of China's Volt Typhoon botnet and serves as a defensive measure ahead of elections vulnerable to interference by groups like Fancy Bear.
2024-02-15 20:14:15 theregister NATION STATE ACTIVITY Pentagon Deploys Satellites Amid Russian Space Weapon Concerns
The Pentagon launched six missile-detection satellites as concerns increase over Russia's potential placement of nuclear weapons in space. The deployed satellites include two for the Missile Defense Agency's Hypersonic and Ballistic Tracking Space Sensor (HBTSS) program and four for the Space Development Agency's Proliferated Warfighter Space Architecture (PWSA) communication constellation. The launch, executed using a SpaceX Falcon 9 rocket, was confirmed successful by L3Harris, the defense contractor responsible for designing five of the six satellites. These new satellites are designed to enhance the U.S. military's missile tracking, data transport, targeting, navigation, and encrypted communication capabilities. The MDA specified that these two HBTSS satellites are the only ones planned for now, and they are prototypes for future advanced missile threat detection. Concerns arise from a cryptic statement by House Intelligence Committee chairman Mike Turner about a "serious national security threat," which may refer to Russian plans for space-based nuclear weapons, though official evidence is not confirmed. The Kremlin has denied such accusations, framing it as U.S. manipulation to secure funding for Ukraine amidst ongoing conflicts. Despite Senate approval for a $95 billion defense assistance bill, there is no immediate plan for a House vote.
2024-02-15 18:57:30 bleepingcomputer MALWARE RansomHouse Enhances VMware ESXi Ransomware Attacks With MrAgent Tool
RansomHouse ransomware group developed 'MrAgent,' a tool that automates data encryption on multiple VMware ESXi hypervisors. The MrAgent tool was designed to streamline the ransomware deployment process, maximizing the operational disruption to affected businesses. This tool can disable firewalls, execute custom ransomware configurations, schedule encryption events, and change hypervisor welcome messages. MrAgent aims to reduce detection risks and administrative intervention by targeting all accessible virtual machines simultaneously. A Windows version of MrAgent suggests RansomHouse's intention to expand the tool's use for cross-platform attacks. Trellix emphasizes the need for strong cybersecurity defenses due to the heightened risk posed by automated tools like MrAgent.
2024-02-15 18:57:30 bleepingcomputer CYBERCRIME U.S. Offers $15M Bounty for Information on ALPHV Ransomware Leaders
The U.S. State Department has announced rewards of up to $10 million for the identification or location of ALPHV ransomware gang leaders. An additional $5 million reward is available for information on individuals involved in ALPHV ransomware attacks. The FBI attributes over 60 global breaches to ALPHV in its initial four months, with $300 million in ransoms from 1,000 victims as of September 2023. The rewards are part of the Transnational Organized Crime Rewards Program (TOCRP), which has paid out $135 million since 1986. Tips can be submitted through a Tor SecureDrop server, preserving the anonymity and security of informants. ALPHV is considered a successor to the DarkSide and BlackMatter ransomware groups, which were responsible for high-profile attacks such as the one on Colonial Pipeline. The U.S. government has also offered similar bounties for information on members of other ransomware gangs, including Hive, Clop, Conti, REvil, and DarkSide.
2024-02-15 18:01:25 bleepingcomputer NATION STATE ACTIVITY FBI Neutralizes GRU-Controlled Moobot Botnet Targeting Global Entities
The FBI has successfully disrupted a botnet known as Moobot, which was controlled by Russia's GRU to conduct cyber espionage. GRU's Military Unit 26165, also known as APT28 or Fancy Bear, hijacked the botnet, which had initially been deployed by non-state cybercriminals. The botnet, composed of Ubiquiti EdgeOS routers, was used in spear-phishing and credential theft attacks against various targets, including U.S. and allied governments and militaries. FBI agents executed a court-authorized operation to delete malicious data and prevent the GRU from reinfecting the routers through remote management access. The FBI operation was careful not to disrupt the standard functionality of the SOHO routers or to harvest user data. Router users are advised to reset their devices to factory settings and change default passwords to mitigate the risk of recompromise. APT28 is known for high-profile attacks, including the 2015 German Federal Parliament hack and the 2016 breaches of the DCCC and DNC.
2024-02-15 16:55:07 theregister MISCELLANEOUS Securing AI Deployments: Strategies for Reducing Risks
The swift and inexpensive nature of training, validating, and deploying AI models can introduce significant security risks. Not only ethical actors but also malicious ones leverage AI to enhance their cyberattack capabilities, potentially bypassing security measures. The rapid pace of AI development often employs new, untested tools that may have unclear vulnerabilities, exposing organizations to cyber threats. Cloudflare, with its experience in protecting popular AI applications, offers insights into safeguarding businesses against AI-related cyber risks. A webinar hosted by The Reg's Tim Phillips with John Engates, Field CTO at Cloudflare, will explore the increase in attack surface due to AI consumption and deployment. The webinar will discuss tools, techniques, and services to minimize AI vulnerabilities and practical steps to secure AI operations. Executives and professionals involved in AI initiatives are encouraged to join the webinar for crucial information on protecting their AI projects. Reminders for the webinar's attendance on 22 February can be received by signing up through the provided link.
2024-02-15 15:58:42 bleepingcomputer NATION STATE ACTIVITY OpenAI Bans State-Sponsored Hackers from Exploiting ChatGPT
OpenAI has deactivated accounts of state-backed threat groups from Iran, North Korea, China, and Russia that were abusing ChatGPT. The actions were taken after collaboration with Microsoft's Threat Intelligence team, which helped identify the malicious use of OpenAI's services. Threat groups utilized ChatGPT for various nefarious activities such as reconnaissance, social engineering, and developing tactics to evade detection. While there has been an increase in the use of AI tools for phishing and social engineering, there was no direct evidence of these tools being used to write malware or build sophisticated cyber attack tools. The UK's NCSC had forecasted in January that by 2025, AI tools would become instrumental for APT groups in creating advanced malware. OpenAI is employing specialized monitoring technology and information sharing with partners to detect and prevent misuse by sophisticated actors. OpenAI emphasizes the importance of learning from these incidents to improve security measures and prepare for potential future widespread malicious activities.
2024-02-15 15:32:20 theregister MALWARE Zoom Rolls Out Fixes for Critical Security Vulnerabilities
Zoom has disclosed a series of security vulnerabilities, including a critical privilege escalation flaw with a CVSS score of 9.6. The critical vulnerability (CVE-2024-24691) could allow unauthenticated users to gain escalated privileges through network access. Affected products include various Windows-based Zoom applications, with the company urging updates to the latest versions for security. The security issues were identified by Zoom's Offensive Security division; however, no in-the-wild exploitation has been reported. Additional vulnerabilities addressed include denial of service (DoS) risks, information disclosure flaws, and other medium-severity concerns. One high-severity vulnerability (CVE-2024-24697) could allow local privilege escalation for authenticated attackers on some 32-bit Windows clients. All Zoom desktop apps, mobile apps, and various clients are affected by at least one of the disclosed vulnerabilities, necessitating a review of the advisories for version-specific details.
2024-02-15 15:32:19 bleepingcomputer CYBERCRIME Thousands of Ivanti Gateways Exposed to Critical Security Vulnerabilities
Over 13,000 Ivanti gateway servers remain unpatched for critical security vulnerabilities that were disclosed over a month ago. These vulnerabilities range from high to critical severity, impacting Ivanti Connect Secure and Policy Secure endpoints. The security flaws include an XXE vulnerability in the SAML component, command execution, and injection issues, with some already exploited by nation-state actors. More than 3,900 Ivanti endpoints are vulnerable to an unauthorized access flaw (CVE-2024-22024), predominantly affecting servers in the United States. As of February 15, 2024, security updates for four of the critical vulnerabilities (CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887) have not been applied to over 13,000 servers. The global patching rate for the most recent vulnerability (CVE-2024-22024) is just 21.1%, leaving 19,132 servers at risk. Due to the short disclosure period for these flaws, administrators may face challenges in applying the necessary patches promptly, potentially leaving systems exposed for extended periods.
2024-02-15 15:11:39 thehackernews NATION STATE ACTIVITY Russian Turla Hackers Deploy New Backdoor in Polish NGO Espionage
A Russian-linked threat group, Turla, has launched a campaign targeting Polish NGOs using a new backdoor variant called TinyTurla-NG. The malware campaign against Polish NGOs lasted for over three months, starting in December 2023. TinyTurla-NG operates as a "last-chance" backdoor, used when the group's other access methods have been compromised or detected. Turla's activities have recently focused on the defense sector in Ukraine and Eastern Europe, using other tools such as the DeliveryCheck backdoor and the Kazuar implant. The campaign's beginnings trace back to November 2023, as indicated by the malware's compilation dates. The backdoor is distributed via compromised WordPress websites, executes commands, downloads and uploads files, and can deliver scripts to exfiltrate sensitive data. The ongoing actions of nation-state actors, including Turla, show an interest in generative AI tools to support espionage and cyber operations.
2024-02-15 15:06:13 bleepingcomputer MISCELLANEOUS Why Automated Scanners Need Human Expertise for Full Security
Automated vulnerability scanners are essential but can miss critical application security flaws that require an understanding of complex logic and application-specific context. Logic flaws and bypasses of business rules are often overlooked by automated scanners because they cannot comprehend complex business logic. Vulnerability scanners may not cover all areas of an application, potentially underestimating the risk of vulnerabilities in less visible features. False positives and generic risk assessments by automated scanners do not provide the nuanced vulnerability evaluations needed for precise threat mitigation. Advanced attack techniques, such as zero-day exploits and obfuscated payloads, are often not detectable by automated scanners, highlighting the need for human analytical skills. Manual penetration testing adds significant value by understanding the specific context of an application and executing attack simulations that mimic real-world threats. Combining automated scanning with manual penetration testing creates a more robust security posture for organizations, addressing vulnerabilities that automated tools alone might not catch. Outpost24's Pen Testing-as-a-Service (PTaaS) aims to provide continuous monitoring and expert manual testing to ensure a comprehensive level of application security.