Daily Brief

2024-02-14 12:40:05 theregister DATA BREACH Southern Water Cyberattack Compromises Customer and Employee Data
UK utility provider Southern Water experienced a cyberattack in January, with data from 5-10% of its customers stolen. The intrusion was initially claimed by the Black Basta ransomware group but ransomware involvement hasn't been confirmed by Southern Water. Compromised data includes names, birth dates, national insurance numbers, banking details, and HR files, inadvertently verified by an initial data dump. Affected individuals are offered a year of free credit monitoring as Southern Water works with government and the National Cyber Security Centre. Operations have not been affected, and enhanced monitoring is in place to detect any further suspicious activity. Southern Water declined to comment on the removal of their data from Black Basta's leak site, which often indicates a paid ransom. Cyber attacks on critical infrastructure, including water and wastewater sectors, have been rising, with advisories from national cybersecurity agencies.
2024-02-14 11:28:38 thehackernews MALWARE Bumblebee Malware Targets US Firms With Evolved Phishing Attacks
Bumblebee malware has reappeared in a new phishing campaign after a four-month hiatus, targeting U.S. businesses using voicemail-themed lures. Attackers are distributing a malicious Word document via OneDrive links, which uses VBA macros to execute a PowerShell script that downloads the Bumblebee loader. The malware, suspected to be linked to the Conti and TrickBot cybercrime syndicate, is known for downloading and executing ransomware and other payloads. Threat actors have adapted their methods due to Microsoft's default blocking of macros in Office files downloaded from the internet since July 2022. Concurrently, QakBot, ZLoader, and PikaBot malware variants have resurfaced with enhanced encryption and tactics, like evading detection in virtual machine environments. A separate phishing campaign has been discovered where attackers mimic financial institutions to trick victims into installing remote desktop software, enabling unauthorized machine control. The industry is observing a trend where cybercriminals adjust their strategies to navigate new security protocols and continue their attacks with sophisticated methods.
2024-02-14 11:28:38 thehackernews MISCELLANEOUS Strategic Cybersecurity Approaches for Financial Institutions in 2024
Cybersecurity challenges for financial institutions have escalated with more advanced cyber-attacks, including state-sponsored and AI-powered threats. Community banks are particularly vulnerable as they face the same sophisticated threats as larger institutions but have fewer resources. The trend of targeting financial service providers reflects the need for strong vendor management and governance within these banks. Financial institutions must adopt advanced cloud security strategies, such as comprehensive data encryption and robust identity management systems. A multi-layered defense strategy against ransomware is essential, involving advanced threat intelligence, regular security audits, and proactive threat hunting teams. Effective vendor risk management is crucial, necessitating continuous monitoring and regular security audits of third-party services. Navigating the complex regulatory compliance landscape requires dedicated teams and regular training to align cybersecurity practices with regulations. The cybersecurity talent gap can be bridged through internal training programs, collaboration with educational institutions, and outsourcing specific security operations. An effective cybersecurity framework includes strategic alignment with business goals, risk-centric action and deployment, and continuous recalibration and optimization to adapt to the changing threat landscape.
2024-02-14 11:02:56 theregister MALWARE Resurgent Bumblebee Malware Uses Outmoded Macros to Target US Firms
The Bumblebee malware loader, thought to have disappeared, has reemerged using an outdated attack method: VBA macros in Word documents. Previously associated with high-profile ransomware groups and the Russian-tied Conti, the malware's new tactics hint at less sophisticated operators. Targeting US organizations, the campaign uses "Voicemail February" themed emails from a seemingly legitimate business to lure victims into downloading a malicious OneDrive-hosted document. Microsoft had disabled VBA macros by default to prevent such attacks, making this tactic largely obsolete. Security trends had shifted towards different, more sophisticated methods of attack. Indicators of compromise are evident, and while this attack is considered easy to identify and should not pose a significant threat, it signals an uptick in threat actor activity in 2024. Proofpoint advises organizations to train employees to recognize suspicious activity and maintain security best practices, including keeping macros disabled by default.
2024-02-14 07:39:27 thehackernews MALWARE Sophisticated DarkMe Malware Exploits Microsoft Defender Zero-Day Flaw
Advanced threat actor Water Hydra used a zero-day vulnerability in Microsoft Defender SmartScreen to infect financial traders with DarkMe malware. CVE-2024-21412, a bypass flaw affecting Internet Shortcut Files, was exploited, prompting a Microsoft patch in February. Targets were lured to a malicious URL posted on forex forums disguised as a stock chart image shortcut file. The exploitation chain included several steps, using nested internet shortcut files and abusing the 'search:' protocol to evade SmartScreen protections. The DarkMe malware maintains stealth, downloads further instructions, and communicates with a command-and-control server while gathering system information. This incident highlights a growing trend of cybercrime groups leveraging zero-days, previously a hallmark of nation-state actors, in their attack methodologies. Trend Micro has been tracking the campaign since its inception and detailed the complex infection process to raise awareness and aid in defense.
2024-02-14 05:06:35 thehackernews CYBERCRIME Microsoft Addresses Active Zero-Day Exploits with Latest Patches
Microsoft released patches for 73 security flaws, including 2 actively exploited zero-days. The updates address 5 Critical, 65 Important, and 3 Moderate severity vulnerabilities, plus 24 issues in the Chromium-based Edge browser. CVE-2024-21351 and CVE-2024-21412 zero-days enable attackers to bypass SmartScreen protections through malicious files. Water Hydra, an APT group targeting financial markets, employed CVE-2024-21412 in a sophisticated zero-day attack chain. Microsoft also patched five critical vulnerabilities, including an elevation of privilege flaw in Microsoft Exchange Server (CVE-2024-21410). CVE-2023-50387, a DNSSEC specification design flaw known as KeyTrap, can lead to DNS resolver DoS attacks, with fixes now available. CISA urges federal agencies to apply recent updates to combat these vulnerabilities by a specified deadline.
2024-02-14 04:51:07 theregister DATA BREACH Australian Tax Scam Involves Over 150 ATO Staff Members
The Australian Taxation Office (ATO) investigated 150 staff for participating in a tax refund scam, involving identity fraud reaching $1.3 billion. Scammers defrauded the ATO by creating fake businesses, obtaining ABNs, and making fraudulent claims for Goods and Services Tax (GST) refunds. Operation Protego was launched in April 2022, dedicating 470 people to address fraudulent claims after a significant increase in GST fraud tip-offs. The scam affected over 57,000 people who lodged false claims between April 2022 and June 2023, facilitated by easily accessible online registration and refund tools. ATO's internal audit rated GST fraud detection operations as "partly effective" and identified the need for a centralized control register to improve detection methods. Despite the scam, the ATO's measures prevented an additional A$2.7 billion in suspect refunds and recovered A$123 million, implying some success in fraud control efforts. The majority of the ATO officials investigated were not current employees, with some being victims of identity theft themselves, but 12 active staff members were found guilty of fraud.
2024-02-14 01:53:19 theregister CYBERCRIME Urgent Action Needed: Patch Newly Exploited Microsoft Vulnerabilities
Two Microsoft vulnerabilities are actively being exploited, with a need for immediate patching. The first exploited vulnerability, CVE-2024-21412, allows attackers to bypass security features via malicious shortcut files. Water Hydra, a cybercriminal group, used the bypass flaw to target financial traders with the DarkMe remote-access trojan. The second vulnerability, CVE-2024-21351, involves a SmartScreen security feature bypass that could be exploited for code execution or data exposure. Adobe released six patches for 29 vulnerabilities, including two critical remote code execution flaws. SAP addressed a critical code injection and several other security issues with 16 Security Notes, some with high priority. Intel's 35 advisories covered 79 vulnerabilities, including escalation of privilege and denial of service risks. Cisco and Google also issued fixes for various vulnerabilities, with Google addressing a critical Android system component vulnerability.
2024-02-13 23:30:53 theregister CYBERCRIME Single DNS Packet Vulnerability Threatens Global Internet Stability
A critical vulnerability called KeyTrap in DNSSEC could allow a single malicious DNS packet to disable DNS servers, disrupting global internet connectivity. DNSSEC is an enhancement to DNS that provides authentication of DNS queries to prevent tampering, but it does not encrypt the data for privacy. The vulnerability, assigned CVE-2023-50387, has been present for over two decades but was difficult to detect due to the complexity of DNSSEC validation requirements. KeyTrap can force public DNS services like Google's and Cloudflare's to conduct CPU-intensive calculations, potentially stalling the servers for up to 16 hours with a single packet. The ATHENE research team worked with vendors and public DNS providers to coordinate a release of patches to address the flaw, with no current evidence of its exploitation. A revision of the DNSSEC standard may be necessary to fully mitigate and eliminate the vulnerability as the issued patches do not completely prevent high CPU usage. DNSSEC's vulnerability highlights the delicate balance between internet security features and the risk of unforeseen exploits in widely adopted protocols.
2024-02-13 22:39:32 bleepingcomputer DATA BREACH Prudential Financial Hit by Data Theft Cyberattack
Prudential Financial experienced a data breach, with unauthorized access gained on February 4, leading to the theft of employee and contractor data. The company manages approximately $1.4 trillion in assets and is the second-largest life insurance company in the United States. The incident was disclosed in an 8-K form filed with the U.S. Securities and Exchange Commission, indicating that Prudential detected the breach on February 5. Prudential suspects the involvement of a cybercrime group and has engaged law enforcement and regulatory authorities. There is no indication yet that customer or client data was accessed or obtained by the attackers. The company claims the incident has not materially impacted its operations or financial condition. Over 320,000 Prudential customers had data exposed in May 2023 due to a third-party vendor breach by the Clop cybercrime gang. Prudential is currently conducting an investigation to assess the complete impact and scope of the breach.
2024-02-13 20:57:38 bleepingcomputer MALWARE Hackers Target Financial Traders with Windows Zero-Day Exploit
Microsoft patched a Windows Defender SmartScreen zero-day (CVE-2024-21412) used by hackers to deploy DarkMe malware. The cybercriminal group Water Hydra, also known as DarkCasino, exploited the vulnerability against foreign exchange traders. Attackers used spearphishing techniques on forex trading forums and stock trading Telegram channels, leveraging compromised trading information sites. The exploited zero-day was designed to evade security checks and involved manipulating internet shortcuts and WebDAV components. The attackers employed social engineering, offering fraudulent trading advice and fake financial tools to induce malware installation. Microsoft's patch follows the repair of a related vulnerability (CVE-2023-36025) that was previously utilized to bypass Windows security prompts. Water Hydra has exploited zero-days in the past, including one in WinRAR software, linked to multiple nation-state backed hacking groups.
2024-02-13 20:26:37 bleepingcomputer CYBERCRIME Microsoft Patches 73 Flaws Including 2 Exploited Zero-Days
Microsoft released fixes on its February 2024 Patch Tuesday for 73 vulnerabilities, encompassing critical issues like denial of service and remote code execution. The Patch Tuesday updates addressed two zero-day flaws that were actively exploited in the wild. One of the patched zero-days involved a Windows SmartScreen security feature bypass, which could allow attackers to evade detection by SmartScreen. The other fixed zero-day allowed attackers to bypass the Mark of the Web (MoTW) security checks using specially crafted Internet Shortcut files, a vulnerability exploited by the DarkCasino APT group targeting finance professionals. The security updates do not include six Microsoft Edge flaws and one Mariner flaw which were fixed earlier in February. Additional non-security updates were released for Windows 11 and Windows 10, the details of which can be found in separate dedicated articles. Other technology vendors also released updates or advisories in February 2023, highlighting the importance of regular system updates across the tech industry.
2024-02-13 20:05:57 theregister CYBERCRIME QNAP Security Flaws Unveiled Amidst Conflicting Severity Ratings
QNAP disclosed two flaws, including a zero-day vulnerability, in their network-attached storage devices, leading to confusion over their severity. CVE-2023-50358 received a moderate severity score from QNAP, while Unit 42 and the BSI warned of "critical impact" and "major damage". The National Vulnerability Database is yet to assign an independent rating to the vulnerability. According to Unit 42, over 289,000 devices are publicly exposed, with Germany and the US housing the majority of vulnerable units. Unit 42 shared a technical breakdown on how to exploit CVE-2023-50358, a command injection flaw in QNAP's firmware. QNAP also detailed another vulnerability, CVE-2023-47218, with a similar severity rating, reported by Rapid7. QNAP's advisory focused on numerous patches for different firmware versions, advising users to upgrade or follow mitigation steps. Less than two months into the year, QNAP has already issued 15 security advisories for 12 different command injection vulnerabilities.
2024-02-13 19:35:03 bleepingcomputer DATA BREACH Data Leak Exposes 200,000 Facebook Marketplace Users' Info
A threat actor leaked 200,000 records from Facebook Marketplace containing personal user information. The leaked data includes mobile numbers, email addresses, and Facebook profile details, risking phishing and SIM swap attacks. The data was reportedly stolen by a cybercriminal from a Meta contractor managing cloud services for Facebook. BleepingComputer confirmed the authenticity of the sample data shared by the leaker, known as IntelBroker. Meta has yet to comment on the breach; however, the company has faced similar incidents, including a massive leak in April 2021. This leak's perpetrator, IntelBroker, has been linked to several other high-profile cybersecurity incidents in the past.
2024-02-13 19:29:37 bleepingcomputer DATA BREACH Integris Health Data Breach Affects 2.4 Million Patients
Integris Health has experienced a significant data breach, compromising the personal information of nearly 2.4 million patients. The data breach was uncovered after patients began receiving extortion emails threatening the sale of their data if Integris Health did not pay the attackers. The attackers have claimed they did not disrupt network operations and exclusively extracted data, thus operations were not hindered. Compromised data features personal information but does not include employment, driver's licenses, account credentials, or financial details. The stolen patient data is reportedly being sold on the dark web, with the potential for widespread misuse by cybercriminals. Integris Health is notifying affected patients and providing guidance on how to protect against identity theft and fraud. Integris Health did not pay the ransom by the set deadline, and the exact extent of the data's spread among other cybercriminals is not known.