Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-02 15:41:36 | thehackernews | CYBERCRIME | 31 Cybercrime Suspects Caught in INTERPOL Global Operation Synergia | INTERPOL's Operation Synergia netted 31 arrests in a global crackdown on phishing, banking malware, and ransomware. Over 1,300 IP addresses and URLs linked to cybercrime were identified, with a 70% takedown rate of malicious servers in Europe. Law enforcement agencies from 55 countries collaborated, resulting in the shutdown of 153 servers in Hong Kong and 86 in Singapore. Authorities conducted over 30 house searches, leading to the seizure of numerous electronic devices and the identification of 70 suspects. Partner organization Group-IB contributed by pointing out over 500 IP addresses hosting phishing sites and over 1,900 linked to various malware operations. The joint operation disrupted cybercriminal infrastructure distributed across 200+ web hosting providers globally. The successful operation illustrates a strong international commitment to combating cybercrime and enhancing online security for users worldwide. | Details |
| 2024-02-02 15:41:36 | thehackernews | CYBERCRIME | Cloudzy Partners with Recorded Future to Advance Cybersecurity | Cloudzy has strengthened its cybersecurity measures through collaboration with threat intelligence specialists Recorded Future. The integration provides Cloudzy with real-time security analytics, significantly improving its capacity to respond to threats such as ransomware and APTs. Suspicious accounts are swiftly identified and banned, with additional measures to prevent re-entry via fake identities. CloudzPatrol, Cloudzy's threat detection system, has received substantial upgrades to better detect and respond to malicious activities within its infrastructure. Cloudzy consistently aligns its security enforcement with legal and ethical standards, updating its acceptable use policy accordingly. CEO Hannan Nozari asserts that implementing Recorded Future's intelligence marks a significant step forward in Cloudzy's commitment to cybersecurity excellence. Cloudzy invites collaboration with other organizations to enhance collective cybersecurity efforts across the industry. The company emphasizes its dedication to providing a secure, resilient platform for its clients, prioritizing user safety and data integrity. | Details |
| 2024-02-02 15:41:36 | thehackernews | DATA BREACH | Former CIA Engineer Gets 40 Years for Historic Data Leak | A former CIA software engineer, Joshua Adam Schulte, has been sentenced to 40 years in prison for leaking classified documents to WikiLeaks and possessing child pornography. Schulte was convicted of the largest data breach in the CIA's history, involving a large trove of sensitive data known as Vault 7 and Vault 8. The leaked information included CIA hacking tools and zero-day exploits that could target various electronic devices and operating systems. The breach caused significant damage to U.S. national security, costing hundreds of millions of dollars, and put the lives of CIA operatives at risk. Schulte is accused of lying to the FBI and trying to deflect the investigation by implying others could have accessed the documents. Investigators found over 3,400 images and videos of child sexual abuse material (CSAM) in his apartment, some downloaded while he was employed by the CIA. While in detention, Schulte attempted to continue disseminating restricted information using contraband cell phones to contact WikiLeaks and share CIA techniques. His actions not only compromised U.S. security but also expressed an intent to disrupt global diplomatic relations, according to journal entries cited by the Department of Justice (DoJ). | Details |
| 2024-02-02 15:41:36 | thehackernews | MALWARE | DirtyMoe Malware Compromises Thousands of Ukrainian PCs for Attacks | Over 2,000 Ukrainian computers have been infected by a malware strain known as DirtyMoe. The malware has been used for cryptojacking and DDoS attacks, and can propagate via security flaws or fake software installers. The Ukraine Computer Emergency Response Team (CERT-UA) warns of the increased risk and advises heightened system and network security measures. A related phishing campaign, STEADY#URSA, targets Ukrainian military personnel to install a PowerShell backdoor called SUBTLE-PAWS. The SUBTLE-PAWS backdoor is linked to Shuckworm, a threat actor believed to be part of Russia's FSB, and can spread through USB drives. CERT-UA recommends that organizations update their systems, enforce network segmentation, and monitor traffic for any unusual activity to mitigate these threats. | Details |
| 2024-02-02 15:41:36 | thehackernews | NATION STATE ACTIVITY | Russian APT28 Continues Targeting Global High-Profile Entities | Russian state-sponsored hackers, known as APT28, have conducted NTLM v2 hash relay attacks on high-value targets including the foreign affairs, defense, and transportation sectors, among others. From April 2022 to November 2023, APT28 compromised thousands of email accounts through sophisticated brute-force techniques. APT28, with multiple aliases such as Fancy Bear and Pawn Storm, is recognized for using spear-phishing and strategic web compromises to initiate its attack campaigns. In 2023, APT28 exploited vulnerabilities in Cisco networking equipment and in software like Microsoft Outlook and WinRAR to conduct reconnaissance and deploy malware. The group has refined its operational techniques to avoid detection, employing VPN services, Tor, and compromised routers for scanning and spear-phishing activities. Recent campaigns by APT28 against European governments involve fake Microsoft Outlook login pages to harvest credentials. Security researchers highlight the aggressive and elusive nature of APT28's intrusions, which mask complex post-exploitation actions following initial system breaches. Recorded Future News has identified parallel activities by another Russian hacker group, COLDRIVER, which impersonates scholars to lure victims to phishing sites. | Details |
| 2024-02-02 15:41:36 | bleepingcomputer | CYBERCRIME | Interpol Shuts Down 1,300 Servers in Anti-Cybercrime Operation Synergia | "Operation Synergia", led by Interpol, resulted in the takedown of over 1,300 servers related to ransomware, phishing, and malware. The operation involved 60 law enforcement agencies from 55 countries, disrupting significant cybercriminal infrastructure. Approximately 70% of the identified command and control (C2) servers have been dismantled, heavily impacting cybercrime activities. Law enforcement detained 31 individuals suspected of cybercrime and identified 70 more, along with conducting 30 house searches. The operation spanned various regions, including Europe, Asia, Africa, and the Americas. Cyber-intelligence firm Group-IB and other partners provided essential data in the operation, identifying over 1,900 IP addresses linked to cybercrime. While impactful, the effectiveness of C2 server takedowns has limitations, as some resilient botnets and ransomware groups can quickly recover or switch to backup systems. | Details |
| 2024-02-02 15:41:36 | bleepingcomputer | CYBERCRIME | Belarusian National Charged for Laundering Cybercrime Proceeds via BTC-e | A Belarusian and Cypriot national, Aliaksandr Klimenka, has been indicted in the U.S. for his role in laundering money for cybercriminals through digital currency exchanges. Klimenka allegedly controlled BTC-e, an unlicensed exchange, as well as Soft-FX and FX Open, and facilitated transactions from ransomware, identity theft, drug trafficking, and more. BTC-e served primarily the Russian market and was seized by U.S. authorities in 2017 after the arrest of its owner, Alexander Vinnik, for similar laundering charges. The exchange was accused of being involved in laundering money from the Mt. Gox hack and for ransomware such as Locky and WannaCry, operating without proper anti-money laundering controls and KYC procedures. Klimenka, said to have managed U.S.-based servers for BTC-e, was arrested in Latvia and appeared in a San Francisco court, facing up to 25 years in prison. | Details |
| 2024-02-02 06:25:08 | thehackernews | NATION STATE ACTIVITY | Sophisticated Nation-State Hackers Target Cloudflare Infrastructure | Cloudflare suffered a security breach by likely nation-state actors who gained unauthorized access to its Atlassian server. The intrusion occurred between November 14 and 24, 2023, with the hackers carrying out reconnaissance and gaining persistent access. Over 120 code repositories were viewed, and approximately 76 were believed to be exfiltrated, focusing on Cloudflare's backup systems, network configuration, and remote access. In response to the attack, Cloudflare rotated 5,000+ production credentials and conducted a comprehensive forensic analysis and system reboot. The incident was linked to stolen credentials from an October 2023 Okta support case management system hack. Cloudflare worked with CrowdStrike for an independent review of the breach and determined that the threat actor was primarily interested in understanding Cloudflare's global network architecture, security, and management. | Details |
| 2024-02-02 04:02:48 | theregister | NATION STATE ACTIVITY | Former CIA Engineer Sentenced for Historic Vault 7 Leaks | Joshua Schulte, a former CIA employee, received a 40-year prison sentence for espionage, hacking, contempt, lying to the FBI, and child abuse material possession. Schulte's Vault 7 leak to WikiLeaks represented the largest data breach in CIA history and one of the most significant disclosures of classified data in US history. Schulte stole files from the CIA's Center for Cyber Intelligence, detailing covert operations and surveillance techniques, and transmitted them using anonymization tools. The Vault 7 leaks outlined the CIA's digital espionage methods, including the use of forged digital certificates to monitor foreign governments and alleged terrorist entities. The Vault 7 files were published by WikiLeaks starting March 2017, exposing sensitive CIA cyber-ops to the public. Schulte faced additional charges after the FBI found over 3,400 images and videos of child sexual abuse material during a home search. He has been described as a difficult individual, and his defense argued that his unpopularity at work made him a convenient scapegoat. The sentencing judge characterized Schulte's crimes as a "digital Pearl Harbor" with national security costs exceeding $300 million. | Details |
| 2024-02-02 03:01:33 | theregister | CYBERCRIME | Securing Applications Against Shadow API Vulnerabilities | APIs have become crucial to digital economies but are vulnerable to security risks, such as data breaches and fraud, due to an expanded attack surface. Shadow APIs, often outdated or undocumented, exacerbate security vulnerabilities and compliance issues as they are overlooked and poorly managed. F5 Distributed Cloud Services provide AI and ML-based solutions to detect shadow APIs, authenticate users, authorize access, and prevent data leakage. The F5 platform offers a dynamic API security console for real-time monitoring and management, as well as predictive analytics to pre-emptively block suspicious activities. Dashboards facilitate in-depth visibility into API security, revealing the most attacked APIs, sensitive data types, and risk scores to aid in prioritization of security measures. F5's Distributed Cloud Platform supports the API lifecycle across various computing environments, thereby enhancing consistent policy enforcement and flexible deployment. The combination of AI and behavioral analytics used in the F5 solution allows for the identification of complex attack patterns and zero-day vulnerabilities beyond traditional rule-based systems. | Details |
| 2024-02-02 01:14:21 | theregister | NATION STATE ACTIVITY | Cloudflare Details Nation-State Exploitation of Atlassian Server | Suspected nation-state spies infiltrated Cloudflare via credentials obtained from an October Okta breach. Access was gained to Cloudflare's internal Atlassian installation and Bitbucket source code management system. Cloudflare initially failed to rotate the compromised service tokens, believing them to be unused. Attackers conducted reconnaissance on Cloudflare's network, accessing the internal wiki and Jira database and installing backdoor access. Thirty-six Jira tickets related to security protocols and 120 Bitbucket repositories were of particular interest to the attackers. Cloudflare took immediate action to rotate potentially compromised secrets and strengthen security measures. A thorough internal response, named "Code Red," was conducted with assistance from CrowdStrike, with ongoing work in credential and software security. | Details |
| 2024-02-01 22:26:23 | bleepingcomputer | DATA BREACH | Blackbaud Settles with FTC, Implements Enhanced Security Post-Breach | Blackbaud, a cloud-based software provider, has settled with the FTC following accusations of insufficient security practices leading to a significant data breach in May 2020. The FTC charged Blackbaud with failing to monitor for hacking attempts, segment data, enforce data deletion, and properly implement multifactor authentication, among other security shortcomings. The settlement obliges Blackbaud to improve security measures, maintain accurate data security and retention protocols, and establish a comprehensive information security program. The company must also create a detailed data retention schedule, delete unnecessary customer data, and report future breaches to the FTC promptly. The breach impacted over 13,000 Blackbaud customers, leaking sensitive data including social security numbers and banking details, and resulted in multiple lawsuits and a hefty settlement payment. Blackbaud was criticized for initially downplaying the breach's severity in its SEC filings and faced penalties amounting to $3 million and a separate $49.5 million settlement with US states' attorneys general. FTC officials have emphasized the company's responsibility to secure consumer data and the consequences of inadequate breach disclosure to affected individuals. | Details |
| 2024-02-01 20:54:34 | bleepingcomputer | NATION STATE ACTIVITY | Cloudflare Internal Server Breached by Nation State Actor | Cloudflare reported a breach of its internal Atlassian server by a nation state attacker who accessed the company's Confluence wiki and Jira bug database. The attackers gained initial access on November 14, then established persistent access and accessed Bitbucket source code management on November 22. Stolen credentials from the October 2023 Okta breach were used to penetrate Cloudflare's systems; these comprised one access token and three service account credentials. Cloudflare detected and cut off the hacker's access between November 23 and 24, with a thorough investigation starting on November 26. Despite the breach, Cloudflare customer data, services, and global network systems remained secure and unaffected. Cloudflare is treating the incident seriously, although the operational impact is considered limited because the attackers' access to documentation and source code was limited. The attack is believed to be a nation-state effort aiming to gain long-term access to Cloudflare's global network; the Security Incident Response Team's quick actions minimized impact. | Details |
| 2024-02-01 19:12:11 | bleepingcomputer | MALWARE | Ukraine's Computer Networks Plagued by PurpleFox Malware Infections | A PurpleFox malware campaign has hit over 2,000 devices in Ukraine, sowing uncertainty regarding its full impact on state entities and private individuals. Ukraine's CERT-UA has sounded the alarm on the issue and is providing guidance for detecting and eradicating the persistent malware known as PurpleFox, or DirtyMoe. First detected in 2018, PurpleFox carries capabilities like a rootkit for concealment and can be leveraged for backdoor access, downloading additional payloads, and enabling DDoS attacks. Recent PurpleFox iterations have been noted for using the WebSocket protocol for less detectable C2 communications, and there have been instances of it being distributed as a fake Telegram desktop app. CERT-UA's investigation identified a range of IP addresses, mostly in China, connected to the malware's control servers, and published a list of steps to counter and remove PurpleFox. The agency stresses the importance of isolating outdated systems, reinforcing network security, and creating specific firewall rules to block common attack vectors to prevent further PurpleFox infections. | Details |
| 2024-02-01 18:51:32 | theregister | CYBERCRIME | Deepfake Threats Challenge Biometric Security Reliability | Gartner reports that deepfake technology is undermining confidence in facial biometric security systems. Organizations doubt standalone identity verification methods due to AI-generated deepfakes. Enhanced security measures, including "liveness detection," are being bypassed by sophisticated deepfakes. Experts suggest adding layers to security, such as device location and IP verification, to counteract deepfake threats. Security systems employing AI to detect deepfakes must look for inconsistencies like replicated patterns in synthesized images. A defense-in-depth strategy utilizing multiple security layers is advocated to better protect against deepfake exploits. The urgency to adapt security measures follows incidents like manipulated AI-generated images of celebrities shared virally online. | Details |