Daily Brief
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-30 22:02:16 | bleepingcomputer | MALWARE | CyberArk Launches Online Tool for Ransomware File Recovery | CyberArk has released an online version of 'White Phoenix,' its open-source decryptor, to aid ransomware victims in file recovery. The tool is designed for non-technical users, enabling them to restore files affected by intermittent encryption without dealing with code. White Phoenix supports common file formats like PDFs, Word, Excel, ZIPs, and PowerPoint but is limited to files under 10MB online; larger files require the GitHub version. The tool takes advantage of a weakness in the intermittent encryption used by several ransomware strains, allowing partial data recovery by piecing together unencrypted file segments. CyberArk advises that for successful decryption, specific strings must be present in the files, such as "PK\x03\x04" for ZIPs and "0 obj" and "endobj" for PDFs. The online White Phoenix aims to automate the manual recovery process done by experts, though results may vary based on file type and ransomware used. While White Phoenix is not a complete solution for ransomware attacks, it offers a chance to recover important files when no other decryptors are available. CyberArk recommends downloading and using the tool locally from GitHub for those dealing with sensitive files, to avoid uploading them to external servers. | Details |
| 2024-01-30 21:31:47 | bleepingcomputer | CYBERCRIME | US Authorities Charge Suspects in DraftKings Account Hacking Scheme | The U.S. Department of Justice has charged two additional individuals in connection with the hacking of around 68,000 DraftKings accounts in November 2022. A third defendant, Joseph Garrison, was charged in May and pleaded guilty, with his sentencing scheduled for the following Thursday. The attackers, Nathan Austad and Garrison, used a credential stuffing attack, employing automated tools with lists of previously breached user credentials. Access to the hijacked DraftKings accounts was sold to other criminals, who stole approximately $635,000 from almost 1,600 accounts. The defendants instructed the buyers of the accounts on how to withdraw all the funds after verifying a new payment method. Evidence of involvement in the DraftKings attack and possession of tools and data for credential stuffing were found on Austad's seized phone and other devices. Garrison operated the "Goat Shop" website, selling hacked DraftKings, FanDuel, and Chick-fil-A customer accounts; Chick-fil-A confirmed a breach of 71,473 accounts due to a similar attack. The incident highlights the ongoing threat and successful execution of credential stuffing attacks, an issue the FBI had previously warned about. | Details |
| 2024-01-30 19:49:20 | bleepingcomputer | CYBERCRIME | Finnish Police Trace 'Untraceable' Monero in Major Cybercrime Case | Finnish authorities identified Julius Aleksanteri Kivimäki as the alleged hacker behind the Vastaamo psychotherapy clinic breach by tracing Monero transactions. In 2020, the hacker demanded 40 Bitcoins in exchange for not releasing stolen patient records, but later targeted individual patients for smaller Bitcoin payments. The National Bureau of Investigation (KRP) of Finland tracked the payments to Kivimäki after he converted the Bitcoin to Monero and back to Bitcoin. While Monero is designed to be a privacy-oriented and untraceable cryptocurrency, KRP applied heuristic analysis methods to follow the trail. Despite Monero's enhanced privacy features following an August 2022 upgrade, Finnish authorities could link Kivimäki to the crimes through related Bitcoin transactions and bank transfers. The KRP has kept the exact methods of tracing Monero secret, to protect its investigative techniques. Kivimäki faces multiple charges including aggravated data breach and extortion, potentially leading to a 7-year prison sentence; he denies all allegations. | Details |
| 2024-01-30 18:42:58 | bleepingcomputer | DATA BREACH | Mercedes-Benz Source Code Exposed Due to Mishandled GitHub Token | Researchers at RedHunt Labs discovered a publicly accessible GitHub token that exposed Mercedes-Benz's internal source code. Mercedes-Benz is renowned for its advanced vehicular software, which was potentially at risk due to the exposure. The leaked data included sensitive intellectual property such as database connection strings, cloud access keys, and design documents. Exposure of this data could lead to competitors reverse-engineering products or hackers exploiting vulnerabilities in vehicle systems. The incident was reported by RedHunt Labs and acknowledged by Mercedes-Benz, which revoked the token and is analyzing the extent of the breach. Mercedes-Benz confirmed that customer data was not affected, but did not provide details on how it checked for unauthorized access. The mishap draws parallels to a previous security lapse at Toyota, showcasing a systemic issue with the management of GitHub repository access. Mercedes-Benz maintains a vulnerability disclosure program for collaboration with security researchers. | Details |
| 2024-01-30 18:17:27 | theregister | NATION STATE ACTIVITY | US Disables Chinese Hacking Efforts Against Critical Infrastructure | US law enforcement recently undermined a Chinese state-sponsored hacking operation, dubbed Volt Typhoon, targeting American critical infrastructure. Ongoing federal operations were enabled by court-ordered permissions, allowing the disruption of parts of the Chinese cyber campaign. The Volt Typhoon group, which became known in May 2023, has infiltrated US organizations using compromised internet-facing devices since at least 2021. Chinese hackers exploited routers, cameras, and similar devices to siphon credentials and sensitive data, escalating concerns over potential disruptions to military, utility, and ISP networks. Volt Typhoon's activities signify a move beyond espionage to preparation for potential sabotage in conjunction with geopolitical events, such as an invasion of Taiwan. The operation against Volt Typhoon follows a CISA emergency directive for federal agencies to secure Ivanti Connect Secure VPN devices after hacks attributed to similar Chinese actors. US officials maintain ongoing vigilance towards Chinese cyber activities, concerned that they align with the known tactics of state-backed groups like Volt Typhoon. | Details |
| 2024-01-30 17:51:48 | bleepingcomputer | MALWARE | Cybercriminals Leveraging Microsoft Teams to Spread DarkGate Malware | Cybercriminals are exploiting Microsoft Teams to distribute DarkGate malware via group chat invites. Attackers send malicious Teams chat requests from what appear to be compromised user accounts, targeting over 1,000 victims. Upon acceptance of the chat request, victims are tricked into downloading malware disguised with a double file extension. The malware communicates with a known command-and-control server, indicating an active infrastructure for the DarkGate malware family. Microsoft Teams' default External Access setting, which allows communication with external users, is a weakness that organizations are advised to disable if not needed. AT&T Cybersecurity emphasizes the importance of end-user training in recognizing unsolicited messages and the various forms of phishing beyond email. DarkGate malware attacks have increased following the disruption of the Qakbot botnet, with the malware offering multiple capabilities attractive to cybercriminals. A security issue in Microsoft Teams allows attackers to bypass client-side protections and deliver malicious payloads with tools like TeamsPhisher. | Details |
| 2024-01-30 17:46:44 | theregister | CYBERCRIME | Over 45,000 Jenkins Servers Vulnerable to Critical RCE Flaw | A critical remote code execution (RCE) vulnerability, CVE-2024-23897, in Jenkins servers affects approximately 45,000 publicly accessible instances. The majority of vulnerable servers are located in the US and China, with thousands more across India, Germany, Korea, France, and the UK. Exploits for the flaw were publicly released just days after the coordinated disclosure, increasing the risk of potential cyberattacks. The vulnerability involves the built-in CLI feature of Jenkins, which can be exploited to read sensitive files like SSH keys, credentials, and source code. Attackers targeting Jenkins instances on Windows may have a higher success rate because reading binary secrets is more feasible there. Jenkins has issued patches for the vulnerability, but many admins have yet to apply the fixes; disabling the CLI feature is recommended as a temporary safeguard. Jenkins advises against certain configuration settings that could exacerbate the risk by granting unnecessary read permissions to unauthorized users. | Details |
| 2024-01-30 16:45:21 | thehackernews | CYBERCRIME | Brazilian Federal Police Arrest Operators of Grandoreiro Banking Trojan | Brazilian Federal Police have arrested individuals linked to the Grandoreiro malware operation, executing arrest and search warrants across several states. Slovak cybersecurity firm ESET identified a flaw in Grandoreiro's network protocol, aiding in the investigation that mapped victim patterns. Grandoreiro, a Latin American banking trojan active since 2017, has targeted countries such as Spain, Mexico, Brazil, and Argentina, stealing data and bank details. The malware uses phishing tactics to deploy and then allows remote control of infected machines, frequently monitoring browser windows for banking activity. The malware's command-and-control (C&C) infrastructure utilizes domain generation algorithms and major cloud services like AWS and Azure, with a high frequency of active and new C&C IP addresses daily. ESET's investigation revealed an average of 551 victims connected to C&C servers per day, with an additional 114 unique victims on average connecting daily, primarily across Brazil, Mexico, and Spain. The Brazilian operation targeted the higher levels of the Grandoreiro hierarchy, signifying a significant blow to the malware's operations. | Details |
| 2024-01-30 16:24:48 | thehackernews | CYBERCRIME | Critical Security Patch Released for GitLab File Overwrite Flaw | GitLab has issued an urgent update to address a critical flaw with a CVSS score of 9.9, affecting multiple versions of its Community Edition (CE) and Enterprise Edition (EE). The vulnerability, identified as CVE-2024-0402, enables authenticated users to write arbitrary files to the GitLab server during workspace creation. The patched versions include GitLab 16.5.8, 16.6.6, 16.7.4, and 16.8.1, among others. The latest security update also fixes four medium-severity issues related to ReDoS, HTML injection, and email address disclosure. This release comes on the heels of previous critical security updates, emphasizing the need for users to upgrade to the latest patched versions immediately. GitLab.com and GitLab Dedicated environments have already been updated to these secured versions. The article concludes by highlighting an upcoming webinar on the 2024 Customer Data Platform Report, unrelated to the security fixes. | Details |
| 2024-01-30 16:24:47 | bleepingcomputer | CYBERCRIME | Protecting SMBs Against Ransomware: Strategies and Solutions | The Akira ransomware group has been actively targeting small to medium-sized businesses (SMBs), with demands ranging from $200,000 to over $4 million. SMBs are vulnerable due to limited IT support and lax security procedures, making them easier targets for cybercriminals seeking entry points to larger enterprises. In 2022, 56% of SMBs experienced cyberattacks, with breaches often causing significant financial and reputational damage. The average cost of a data breach for SMBs is nearly $150,000, which includes indirect costs like customer trust erosion and data loss. Implementing cybersecurity best practices, such as NIST's framework for SMBs, can mitigate risks, including robust password policies and multi-factor authentication (MFA). Blocking the use of known compromised passwords and regularly auditing Active Directory accounts are critical steps in preventing unauthorized access. Training end-users to recognize phishing and other credential theft attempts can substantially reduce the risk of breaches, as human error is a leading cause. Specops Software offers solutions to reinforce password protection and enhance cybersecurity postures for SMBs, with tools like Specops Password Policy and free trials. | Details |
| 2024-01-30 16:09:19 | bleepingcomputer | DATA BREACH | Citibank Sued By NY Attorney General for Failing Fraud Victims | New York Attorney General Letitia James has filed a lawsuit against Citibank for not protecting customers from fraud and failing to reimburse those affected. The suit argues that Citibank violated the Electronic Fund Transfer Act by denying reimbursement to victims of unauthorized electronic transactions. Citibank is accused of using loopholes to avoid compensating customers and of having inadequate systems to detect and respond to fraudulent activity. The bank's inadequate response to customer fraud reports included long phone waits and misleading assurances, exacerbating the theft of funds. The New York AG's office seeks restitution for victims from the past six years, along with penalties and the cessation of Citibank's deceptive practices. Citibank's statement in response to the lawsuit claims adherence to regulations and emphasizes efforts in fraud prevention and client education, noting a reduction in client wire fraud losses. | Details |
| 2024-01-30 15:48:54 | bleepingcomputer | MALWARE | Police Take Down Grandoreiro Banking Malware Gang | The Federal Police of Brazil, in collaboration with ESET, Interpol, Spain's National Police, and Caixa Bank, has disrupted a banking malware operation known as Grandoreiro. Five arrests and thirteen search and seizure actions were carried out across several Brazilian states, targeting a group responsible for electronic banking fraud. The criminal structure allegedly moved approximately 3.6 million euros through fraudulent activities since 2019. Grandoreiro, a Windows banking trojan active since 2017, primarily targets Spanish-speaking countries, using fake pop-ups and keystroke logging to commit financial theft. The malware requires manual interaction from its operators to carry out financial theft, implying a highly targeted and hands-on approach. ESET tracked Grandoreiro servers using DGA analysis, revealing a daily average of 551 connections to its infrastructure with 114 new victims daily. Authorities disrupted the malware operation, leading to a complete cessation of its activities; however, the roles of the arrested individuals and the possibility of the malware's return using new infrastructure remain uncertain. | Details |
| 2024-01-30 15:33:35 | theregister | CYBERCRIME | Juniper Networks Admits to Vulnerability Disclosure Omissions | Juniper Networks disclosed four previously unreported vulnerabilities following an investigative article. Apologies were issued to customers for the oversight in communication regarding these security flaws. The four separate vulnerabilities were reported by watchTowr but initially did not receive individual CVE identifiers. Newly issued advisories now list distinct CVEs for each vulnerability, with severity scores ranging from 5.3 to 8.8. Affected products include the J-Web component in Junos OS on SRX Series and EX Series, which required updates to fix authentication and cross-site scripting issues. The US Cybersecurity and Infrastructure Security Agency (CISA) has alerted users to review the bulletin and update their systems. Juniper's patch scheduling policy and its earlier decision not to assign CVEs have been questioned for potentially increasing exploitation risk. Juniper says non-technical reasons typically delay its CVE assignment process, which it is now reviewing after these incidents. | Details |
| 2024-01-30 13:46:01 | thehackernews | NATION STATE ACTIVITY | Suspected Chinese Hackers Breach Myanmar Ministries with Sophisticated Malware | China-linked cyber group Mustang Panda reportedly targeted Myanmar's Ministry of Defence and Foreign Affairs with backdoor attacks. Cybersecurity organization CSIRT-CTI identified the hacking campaigns occurring in November 2023 and January 2024. Attackers abused legitimate software, such as a B&R binary and Windows 10 components, to sideload malicious DLLs. Mustang Panda, active since 2012, has a history of cyberespionage against various government entities in Southeast Asia. One attack vector involved a phishing email with a ZIP file to drop a custom loader and the PlugX malware. The group attempted to camouflage its command-and-control traffic as legitimate Microsoft update activity. A separate campaign deployed a bespoke loader called TONESHELL, likely to install the same PlugX malware, from a C2 server that was unreachable at the time of analysis. The attacks by Mustang Panda are believed to coincide with Chinese geopolitical interests, particularly following unrest near the Myanmar-China border. | Details |
| 2024-01-30 10:54:56 | thehackernews | MISCELLANEOUS | Essential Strategies for Enhancing Organizational Cybersecurity | Less than half of cybersecurity professionals claim to have high or complete visibility into their organization's vulnerabilities, highlighting the need for regular security posture assessments to identify and mitigate risks. Inadequate vulnerability management programs, deficiencies in detection and monitoring systems, and a lack of formalized cybersecurity policies and procedures are key weaknesses in many organizational security postures. Regular testing practices, such as penetration testing and third-party assessments, are critical to reveal potential security gaps and test the efficacy of incident responses. Training and cyber awareness for staff play a vital role in reducing human error-related security breaches, emphasizing the importance of ongoing cybersecurity education and a culture of security mindfulness. Adoption and proper implementation of cybersecurity frameworks, like the NIST Cybersecurity Framework, CIS, or SANS, guide organizations in developing and maintaining a structured approach to cybersecurity. Understanding an organization's risk appetite is fundamental for aligning cybersecurity strategies with the overall risk management goals and directing resource allocation effectively. The article underscores the continuous nature of cybersecurity efforts and the importance of vigilance in addressing the ever-evolving threat landscape to protect an organization's assets and reputation. | Details |