Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11783

Checks for new stories every ~15 minutes

2024-02-13 19:24:18 theregister CYBERCRIME Canadian Pipeline Data Allegedly Stolen by Ransomware Gang
Trans-Northern Pipelines, a Canadian pipeline operator, has reportedly been compromised by the ALPHV/BlackCat ransomware group, which claims to have stolen 190GB of data. ALPHV is widely believed to be a rebrand of the BlackMatter/DarkSide operations behind the Colonial Pipeline attack, and it continues to target critical infrastructure. Trans-Northern has not confirmed the theft claimed on ALPHV's leak site. The incident raises concerns about the security of energy infrastructure and the consequences of such breaches. ALPHV has recently hit several critical infrastructure organizations, including a US utility cooperative and energy providers in Spain and Canada. Emsisoft threat analyst Brett Callow stresses the urgent need for stronger security in critical infrastructure. State-backed actors such as China's Volt Typhoon add to the risk across sectors, underscoring the Five Eyes' recent warnings.
2024-02-13 19:08:50 bleepingcomputer CYBERCRIME Microsoft Addresses Two Exploited Zero-Days in February 2024 Updates
Microsoft's February 2024 Patch Tuesday fixes 74 security flaws, including two zero-day vulnerabilities under active exploitation. Five of the fixes are rated critical and cover denial of service, remote code execution, information disclosure, and elevation of privilege. The patched zero-days are CVE-2024-21351, a Windows SmartScreen security feature bypass, and CVE-2024-21412, an Internet Shortcut File security feature bypass that lets a crafted .url file sidestep the security warnings normally shown. The SmartScreen bypass was found internally by Microsoft's Eric Lawrence, while the Internet Shortcut File bypass was reported by external researchers at Trend Micro after being exploited in the wild by the DarkCasino (Water Hydra) APT group. The updates ship alongside non-security improvements, notably the Windows 11 cumulative update KB5034765. Other vendors also released advisories and updates for their products throughout February 2024.
2024-02-13 16:35:45 bleepingcomputer CYBERCRIME Massive $290 Million Crypto Heist Hits PlayDapp Gaming Platform
Hackers exploited a stolen private key to illegitimately mint and steal over $290 million in PLA cryptocurrency from PlayDapp, a blockchain-based gaming platform. On February 9, 2024, unauthorized minting of 200 million PLA tokens valued at $36.5 million was detected, with security experts suggesting a private key leak. PlayDapp responded by shifting all its tokens to a new secure wallet, offering a $1 million "white hat" reward for the return of the stolen assets, and threatening legal action. Despite these measures, hackers proceeded to mint an additional 1.59 billion PLA tokens, bringing the total theft to $290.4 million and prompting a suspension of all PLA trading. Subsequent to the breach, PlayDapp is suspending deposits and withdrawals, freezing the hacker's wallets on major exchanges, and advising users to stay alert for scams. Elliptic, a cryptocurrency analysis firm, observed ongoing money laundering attempts with the stolen tokens, which have tanked in value, adversely affecting legitimate holders. The style of the attack suggests potential links to the Lazarus Group, known for similar large-scale thefts, although no definitive attribution has been established.
2024-02-13 15:49:14 bleepingcomputer CYBERCRIME Ransomware Disrupts 100 Romanian Hospitals, Forcing Return to Paper
A ransomware attack has encrypted databases and forced systems offline at some 100 Romanian hospitals. The attackers targeted the Hipocrate Information System (HIS), which manages medical activity and patient data. Twenty-five hospitals confirm that their data was encrypted; others took systems offline as a precaution while the incident is investigated. The Romanian Ministry of Health and the National Cyber Security Directorate (DNSC) are assessing recovery options and the impact. The malware was identified as Backmydata, a member of the Phobos ransomware family. Most affected hospitals have recent backups, though one had a backup 12 days old; the ransom demand is 3.5 BTC (approximately €157,000). With systems down, day-to-day operations such as prescribing and record keeping have reverted to paper. The vendor of the Hipocrate system has not issued a public statement; investigations into the scope continue, and so far there is no evidence of data theft.
2024-02-13 15:43:44 bleepingcomputer MALWARE Bumblebee Malware Loader Resurfaces in Phishing Campaigns
Bumblebee malware has resumed attacks in a phishing campaign after a four-month hiatus, primarily targeting U.S. organizations. Discovered in April 2022, Bumblebee was developed by the Conti and Trickbot syndicate to replace the BazarLoader backdoor. The malware distributes through fake voicemail-themed phishing emails, containing malicious Word documents that use macros to download payloads. Despite Microsoft's efforts to block macro-based threats by default, attackers are using this method, potentially to target outdated systems or avoid detection. Proofpoint identifies the resurgence as a potential threat increase for the year ahead, but cannot attribute the campaign to a specific threat actor group. With the disruption of QBot, Bumblebee and other malware like DarkGate and Pikabot are filling the void in payload distribution markets. Zscaler reports a simplified version of Pikabot post-hiatus, indicating potential preparation for more sophisticated future versions.
2024-02-13 15:05:58 bleepingcomputer CYBERCRIME Combatting Cyber Threats in Microsoft Teams with Enhanced Security Measures
Security risks in Microsoft Teams and similar SaaS chat apps are often underappreciated. Criminal threat actors target Teams with phishing, malware, and social engineering, and its large user base has made it a venue for incidents such as the DarkGate malware campaign. A common entry point is Teams' default External Access setting, which lets outside accounts start chats with employees and share files. Recent tactics include inviting targets into group chats and bypassing file-sharing restrictions. Adaptive Shield recommends limiting external access, blocking external invitations, and using Microsoft Defender to harden Teams. Employees should be trained to recognize phishing that arrives through messaging apps, not just email, and to report suspicious activity. Organizations need to secure their SaaS platforms proactively against evolving threats.
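The "limit external access" advice above, as an added example written for this brief (it is not Adaptive Shield's or Microsoft's own code): it shows the permissive federation settings beside the tightened ones using the MicrosoftTeams PowerShell module. It assumes the module is installed and the caller holds a Teams administrator role; partner.example is a placeholder for a domain you genuinely need to collaborate with.

```powershell
# Added example: audit and tighten Teams External Access (federation).
# Assumes: Install-Module MicrosoftTeams has been run and the caller is a
# Teams administrator. "partner.example" is a placeholder domain.
Connect-MicrosoftTeams

# 1. Show the tenant-wide federation settings as they are now. The risky
#    default the article describes looks like AllowFederatedUsers = True,
#    AllowedDomains = AllowAllKnownDomains, AllowTeamsConsumer = True.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Replace "allow every known domain" with an explicit allow list, so
#    only named partner tenants can open chats with staff.
$patterns  = @('partner.example') | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Stop unmanaged (personal) Teams accounts from reaching employees.
#    Disabling both flags blocks inbound invitations from consumer accounts,
#    the path the phishing lures and DarkGate droppers used.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. If there is no business need for any external chat at all, turn
#    federation off entirely instead of maintaining an allow list.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 5. Verify the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Tenant federation settings can take some time to propagate, so re-run the final query after a while rather than trusting the immediate read-back; and check the per-user external access policy as well, since a user-level policy can be more permissive than the tenant default.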
2024-02-13 14:49:54 thehackernews MALWARE Glupteba Botnet's Undocumented UEFI Bootkit Enhances Stealth and Persistence
The Glupteba botnet has gained a UEFI bootkit that makes it far harder to detect and remove. Researchers at Palo Alto Networks Unit 42 found that the bootkit lets Glupteba take control of the operating system boot process before security software loads. Glupteba acts as an information stealer and backdoor and can also mine cryptocurrency, deploy proxies, and collect private user data. For command-and-control resilience, it retrieves updated C2 domains from data embedded in Bitcoin blockchain transactions, so takedowns of individual servers do not sever the botnet. Recent campaigns distribute it through pay-per-install services and multi-stage infection chains that evade conventional security controls. The bootkit is built on a modified version of the open-source project EfiGuard, which disables Windows kernel protections such as PatchGuard and driver signature enforcement at boot. Researchers point to Glupteba as a clear example of the complexity and innovation seen in current threats.
2024-02-13 14:24:10 theregister CYBERCRIME Executive Cloud Accounts Compromised in Phishing Scheme
Hundreds of senior executives have been hit by an ongoing phishing campaign that has resulted in numerous cloud account takeovers. The attackers targeted C-suite members, vice presidents, sales directors, and finance managers, compromising Azure environments and stealing sensitive data. A specific Linux user-agent string serves as a strong indicator of compromise and was observed accessing multiple Microsoft 365 applications. Links to Russian and Nigerian actors are unconfirmed, but the activity matches techniques associated with groups from those regions. Once in, the attackers tampered with multi-factor authentication (MFA) by registering their own authenticator apps and phone numbers to keep persistent access. They then used the hijacked mailboxes to launch further phishing, move laterally, and attempt financial fraud. Researchers advise vigilance against unexpected emails and caution with links, since the lures were personalized to each target. The attackers' infrastructure relies on proxy services to bypass geofencing policies, with some traffic traced to Russian and Nigerian ISPs.
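The MFA-manipulation and user-agent indicators described above lend themselves to a simple detection: flag any security-info registration that comes from an IP address or user agent the account has never signed in from, or that matches the campaign's user agent. The block below is an added example for this brief, not code from Proofpoint's report. The sign-in and audit records are constructed; their shape is loosely modelled on Entra ID sign-in and directory audit logs, and "User registered security info" is the real audit activity name, but every value is made up. The `X11; Linux x86_64` pattern is a stand-in: substitute the exact user-agent string from the published report.

```powershell
# Added example: detect MFA method registrations from unfamiliar IPs or user
# agents. Records are constructed for the example; shape modelled on Entra ID
# sign-in and audit logs, values invented. Not Proofpoint's code.

# Baseline sign-ins: where each user normally authenticates from.
$signIns = @(
    [pscustomobject]@{ User='cfo@example.com'; Ip='198.51.100.7';  UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/121.0'; Time='2024-01-30T08:05:00Z' }
    [pscustomobject]@{ User='cfo@example.com'; Ip='198.51.100.7';  UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/121.0'; Time='2024-02-01T09:10:00Z' }
    [pscustomobject]@{ User='vp@example.com';  Ip='198.51.100.22'; UserAgent='Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) Safari/604.1'; Time='2024-02-01T11:00:00Z' }
)

# Directory audit events. The VP enrols a phone from a known device (benign);
# the CFO "adds an authenticator app" from a never-seen proxy IP and a Linux
# browser string at 03:12 UTC (the attacker persistence step in the article).
$audit = @(
    [pscustomobject]@{ User='vp@example.com';  Activity='User registered security info'; Ip='198.51.100.22'; UserAgent='Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) Safari/604.1'; Time='2024-02-02T11:05:00Z' }
    [pscustomobject]@{ User='cfo@example.com'; Activity='User registered security info'; Ip='203.0.113.45';  UserAgent='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'; Time='2024-02-05T03:12:00Z' }
    [pscustomobject]@{ User='cfo@example.com'; Activity='Update user';                   Ip='198.51.100.7';  UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/121.0'; Time='2024-02-05T10:00:00Z' }
)

function Find-SuspiciousMfaRegistration {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [object[]] $AuditEvents,
        # Stand-in for the campaign's user-agent IoC; replace with the published string.
        [string] $IocUserAgentPattern = 'X11; Linux x86_64'
    )
    # Build per-user sets of IPs and user agents seen in successful sign-ins.
    $baseline = @{}
    foreach ($s in $SignIns) {
        if (-not $baseline.ContainsKey($s.User)) {
            $baseline[$s.User] = @{ Ips = @{}; Agents = @{} }
        }
        $baseline[$s.User].Ips[$s.Ip] = $true
        $baseline[$s.User].Agents[$s.UserAgent] = $true
    }
    # Only security-info registrations matter for this rule.
    foreach ($e in ($AuditEvents | Where-Object Activity -eq 'User registered security info')) {
        $known   = $baseline[$e.User]
        $reasons = @()
        if (-not $known -or -not $known.Ips.ContainsKey($e.Ip))           { $reasons += "new IP $($e.Ip)" }
        if (-not $known -or -not $known.Agents.ContainsKey($e.UserAgent)) { $reasons += 'new user agent' }
        if ($e.UserAgent -match $IocUserAgentPattern)                    { $reasons += 'matches IoC user agent' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $e.User; Time = $e.Time; Ip = $e.Ip; Reasons = ($reasons -join '; ') }
        }
    }
}

# Expected: one hit for cfo@example.com with all three reasons; the VP's
# enrolment from a known IP and agent is not reported.
Find-SuspiciousMfaRegistration -SignIns $signIns -AuditEvents $audit | Format-Table -AutoSize
```

In production the two inputs would come from the sign-in and directory audit logs (for example via the Microsoft Graph PowerShell cmdlets or a SIEM export) over a baseline window of several weeks; the "new IP" test is noisy for mobile users, so the combination of a new IP, a new agent and a registration event is the signal worth paging on, and any hit should prompt review and removal of the newly registered methods.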
2024-02-13 14:13:32 thehackernews MALWARE PikaBot Malware Evolves with Simplified Code and New Tactics
PikaBot has undergone a "devolution": its code has been simplified by stripping out complex obfuscation and reworking its network communications. It functions as a malware loader and backdoor that takes commands and injects payloads from a C2 server; it refuses to run on systems whose language is Russian or Ukrainian, which points to operators based in one of those countries. PikaBot and DarkGate have recently been used by threat actors such as Water Curupira for initial access via phishing, followed by Cobalt Strike deployment. The latest version uses simpler encryption, inserts junk code to hinder analysis, and stores its bot configuration in plaintext. Its C2 protocol was also changed, with updated command IDs and a different encryption algorithm for traffic. Despite a period of inactivity, PikaBot remains a significant and actively developed threat, now with a narrower, less complex design. Separately, Proofpoint reported an ongoing cloud account takeover campaign that has affected Azure environments and user accounts, including those of senior executives, since November 2023.
2024-02-13 11:45:38 bleepingcomputer CYBERCRIME Ransomware Disrupts 25 Romanian Hospitals, Forces Offline Operations
Over 25 Romanian hospitals were forced to take their systems offline due to a ransomware attack. The targeted system, HIP (Hipocrate Information System), managed medical activities and patient data. The Romanian Ministry of Health and the National Cyber Security Directorate (DNSC) are investigating the attack, which led to encrypted files and databases. Hospitals impacted include regional centers and cancer treatment facilities; they reverted to using paper for records and prescriptions. There's no confirmation yet if patient personal or medical data was compromised or stolen during the attack. Backmydata ransomware, a variant from the Phobos family, was identified as the encryption tool used in the attack. Most hospitals had recent backups, except for one with a 12-day-old backup; a ransom demand of 3.5 BTC (about €157,000) was made by the attackers. DNSC advises against contacting the IT teams of affected hospitals to allow them to focus on restoring services.
2024-02-13 11:14:49 thehackernews NATION STATE ACTIVITY Nation-State Hackers Target SaaS Platforms in Recent Breaches
Russian state-linked hackers known as Midnight Blizzard broke into Microsoft by password-spraying a legacy non-production test tenant account. Cloudflare's Atlassian systems were compromised on Thanksgiving Day using an access token and service-account credentials stolen in the earlier Okta breach that had not been rotated. These breaches are symptomatic of a growing trend of nation-state actors attacking SaaS providers for intelligence and espionage. Although many security practitioners consider their defenses robust, AppOmni's report finds a high rate of security incidents in SaaS environments. The incidents underline the need for continuous monitoring and proactive management of SaaS environments against sophisticated threats. Common weak points, such as third-party app integrations and identity management flaws, require rigorous risk management. Mitigations include SaaS Security Posture Management (SSPM) platforms for early detection and lifecycle management of SaaS environments.
2024-02-13 11:09:24 bleepingcomputer CYBERCRIME Ransomware Disrupts Romanian Hospitals, Forcing Return to Paper Records
Over 25 Romanian hospitals suffered a ransomware attack, causing their healthcare management systems to go offline. The attack targeted the Hipocrate Information System (HIS), used for managing medical activity and patient data. The Romanian Ministry of Health has confirmed system outages and encrypted files, triggering an investigation by the National Cyber Security Directorate (DNSC). Hospitals have reverted to paper-based systems for prescriptions and records due to the IT outage caused by the attack. There is no indication yet of patient data theft, and the service provider RSC (Romanian Soft Company SRL) has not issued a statement. The DNSC identified the ransomware as Backmydata from the Phobos family and disclosed a ransom demand of 3.5 BTC (approximately €157,000). In total, 21 hospitals were directly affected, with 79 others shutting down systems as a precaution; most have recent data backups, but one had a 12-day-old backup.
2024-02-13 08:31:33 theregister DATA BREACH Meta Refuses Responsibility for Account Risks from Recycled Numbers
Meta deflects responsibility for account takeovers tied to recycled phone numbers, pointing instead at telecom carriers. Carriers' practice of reassigning phone numbers lets a number's new owner trigger account resets and take over accounts still linked to it. A 2021 Princeton University study highlighted the significant risks of this practice. A privacy consultant's bug bounty report to Meta on the issue was rejected, with Meta saying it has no control over telecom policies. Phone-based account recovery can bypass other safeguards, including email validation. The consultant has reported Meta to the Irish Data Protection Commission, alleging EU GDPR violations. Despite steps by some carriers, such as T-Mobile's advice that customers update their contact details across services, the problem persists.
2024-02-13 07:04:45 thehackernews MALWARE Ivanti Flaw Exploited for 'DSLog' Backdoor on Hundreds of Systems
A security flaw in Ivanti Connect Secure, Policy Secure, and ZTA gateways is being exploited to install a backdoor named DSLog on more than 670 appliances. The installations began shortly after proof-of-concept (PoC) code for CVE-2024-21893 was made public. CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the SAML component that allows access to restricted resources without authentication. Orange Cyberdefense observed attackers inserting the DSLog backdoor into an existing Perl file on the appliance to evade detection and persist. Each infected appliance uses a unique hash to authenticate to the backdoor, so a hash recovered from one device cannot be used to find others. The attackers also cleared logs to hide their activity, although Orange Cyberdefense could still identify 670 initially compromised assets. Ivanti recommends that customers factory-reset their appliances before applying patches to remove any trace of the backdoor.
2024-02-13 05:33:03 theregister DATA BREACH Infosys Subsidiary Implicated in Major Bank of America Data Leak
Infosys McCamish Systems (an Infosys subsidiary) was identified as the source of a significant data breach affecting the Bank of America. Confidential information of 57,028 individuals, potentially including Social Security Numbers and account details, was compromised. The security incident, classified as an "External system breach (hacking)," led to the non-availability of certain applications and systems. While Bank of America's systems remained secure, the data related to deferred compensation plans managed by the bank was exposed. The exact extent of the data accessed by the hackers remains uncertain, heightening the risk of identity fraud for the affected individuals. The LockBit ransomware gang is suspected of orchestrating the cybersecurity incident at Infosys McCamish Systems. Impacted individuals have been offered advice on precautionary measures and two years of complimentary identity theft protection services from Experian.