Daily Brief

Total articles found: 11763

Checks for new stories every ~15 minutes

2024-01-23 20:20:25 bleepingcomputer MISCELLANEOUS Major Platform Introduces Passkeys for Enhanced iOS User Security
X, formerly known as Twitter, has rolled out passkeys for iOS user logins in the United States. Passkeys are designed to provide a more secure authentication method, protecting against phishing and unauthorized access by leveraging public key cryptography. The new system does away with the need for passwords, reducing user burden and increasing security. Passkeys synchronize across iOS devices via iCloud Keychain, providing a backup in case of device loss and enabling recovery through iCloud Keychain escrow if all devices are lost. Users can set up a passkey by opening the security settings of their X account and following a guided process. The move to passkeys comes in the wake of several high-profile account hijacks on X and aims to prevent similar incidents. Although highly recommended, the use of passkeys by iOS users in the U.S. is currently optional, not mandatory.
2024-01-23 19:59:32 bleepingcomputer MALWARE Kasseika Ransomware Disables Antivirus Software Before Encrypting Files
Kasseika ransomware uses a technique called BYOVD (Bring Your Own Vulnerable Driver) to disable antivirus software before file encryption. The ransomware abuses a legitimate antivirus driver from TG Soft's VirIT Agent System to shut down protective measures. Trend Micro analysts noted similarities between Kasseika and the defunct BlackMatter ransomware, suggesting a connection. The attack starts with a phishing email and progresses through credential theft, PsExec abuse, and lateral movement within the targeted network. Kasseika terminates crucial processes, including those belonging to security tools, before executing its encryption routine, which uses the ChaCha20 and RSA algorithms. Once files are encrypted, Kasseika drops a ransom note, changes the desktop wallpaper, and demands payment within 72 hours to prevent an increase in the ransom amount. After encryption, Kasseika attempts to erase its tracks by clearing system event logs. Trend Micro has released indicators of compromise so organizations can detect Kasseika-related activity.
2024-01-23 18:33:01 theregister MISCELLANEOUS CISA Director Jen Easterly Targeted in Swatting Incident
CISA Director Jen Easterly was the victim of a swatting attempt on December 30 at her home, following a fake report of a shooting. The dangerous trend of swatting has targeted politicians, election officials, judges, and even gamers, posing severe risks to the individuals involved and to responding law enforcement officers. In her statement, Easterly emphasized the harassment threat to public officials and pledged CISA's support in safeguarding election officials and the democratic process. Swatting incidents have escalated and have been leveraged in extortion attempts, with criminals targeting hospitals and medical clinics and demanding ransoms. The incident was initially reported by local news, with the Arlington County police investigating the hoax 911 call. The identity of the perpetrator and the motive behind the targeting remain undisclosed. Recent swatting incidents in the US have affected various public figures, including Maine's Secretary of State and individuals connected to cases against Donald Trump, highlighting the practice's increase as the 2024 presidential election approaches.
2024-01-23 16:45:46 bleepingcomputer DATA BREACH Jason's Deli Customer Accounts Compromised in Credential Stuffing
Jason's Deli has issued a data breach notification alerting customers to a credential stuffing attack. Unauthorized parties accessed customer reward and online account credentials, potentially affecting 344,034 individuals. The attacks, on December 21, 2023, used login information likely obtained from unrelated previous data breaches. The breach's impact varies based on the personal information customers added to their profiles. Jason's Deli admitted it is unable to assess the full scope of the breach but is informing all potentially affected users. Customers are advised to reset their passwords and to use unique credentials and 2FA on all platforms. The company has committed to restoring any Deli Dollars reward points spent without authorization so that customers do not incur losses.
2024-01-23 16:04:07 theregister DATA BREACH Baltimore Man Charged for Selling Personal Data in Fraud Operation
A Baltimore resident, Chouby Charleron, allegedly sold personal data used for financial fraud and potentially faces a 20-year prison sentence. Operating under the alias "The Real Jwet King," Charleron reportedly ran a TLO service in an online chat group, trafficking victims' personally identifiable information (PII). His illicit service mimicked TLOxp, which provides detailed personal data, and was used by criminals to commit identity theft and fraudulently obtain credit cards. The operation was run without a VPN, leading USPS investigators directly to Charleron's home IP address. PII belonging to over 5,000 individuals was sold, enabling fraudulent credit card activations and purchases totaling tens of thousands of dollars. Court documents describe cases where Charleron responded rapidly to criminal requests, providing PII within minutes for fraudulent financial activities. Despite an active arrest warrant, Charleron's current custody status is unclear. He is charged with conspiracy to commit wire fraud, which carries hefty fines and lengthy prison time.
2024-01-23 15:43:10 bleepingcomputer CYBERCRIME Critical Vulnerability in GoAnywhere MFT Urges Immediate Patching
Fortra has issued a warning about a critical authentication bypass vulnerability in GoAnywhere MFT versions prior to 7.4.1. The flaw, tracked as CVE-2024-0204, allows remote attackers to create new administrative users and gain full control of the system. With a CVSS score of 9.8, the vulnerability poses serious risks, including data access, malware introduction, and a foothold for further network attacks. The issue affects GoAnywhere MFT versions 6.0.1 to 7.4.0, and a fix is available in version 7.4.1, released on December 7, 2023. Fortra has released both patches and manual mitigation recommendations to protect against the vulnerability. Previously, the Clop ransomware gang exploited a different flaw in GoAnywhere MFT, resulting in breaches at over 130 organizations. Organizations using GoAnywhere MFT are advised to promptly apply the security updates and to monitor logs for any signs of compromise.
2024-01-23 14:36:33 thehackernews CYBERCRIME VexTrio: Mastermind Traffic Broker in Global Cybercrime Syndicate
VexTrio is a substantial cybercrime affiliate program identified by Infoblox, brokering traffic for over 60 affiliates including ClearFake and SocGholish. Operating since at least 2017, VexTrio has been involved in distributing malware such as Glupteba through generated domains and compromised websites. In August 2023, VexTrio used compromised WordPress sites to redirect users to malicious content through a sophisticated DNS-based traffic distribution system (TDS). VexTrio operates a network of over 70,000 domains to manage web traffic for its criminal efforts, using a dual system of HTTP- and DNS-based TDS servers. The TDS servers profile site visitors based on attributes like geolocation and browser settings, reroute them to fraudulent sites, and filter out non-profitable traffic. Infoblox highlights the operation's complexity and resilience, citing an intertwined affiliate network that has evaded definitive classification for over six years. The affiliate network exploits security vulnerabilities in CMS software, particularly WordPress, to inject malicious JavaScript and propagate its activities.
2024-01-23 14:25:55 thehackernews MALWARE Malicious npm Packages Compromise SSH Keys Via GitHub
Two npm packages, warbeast2000 and kodiak2k, were found stealing SSH keys from developers and uploading them to GitHub. The packages were downloaded over 1,600 times before npm maintainers removed them. The security firm ReversingLabs identified multiple versions of the malicious packages, indicating an ongoing campaign. The post-install scripts of these packages executed additional malicious JavaScript files to read private SSH keys. The kodiak2k package was also seen executing a script capable of launching Mimikatz to extract credentials from memory. This incident highlights the continued risk of malicious software in open source package repositories and its impact on software supply chain security. The report also includes a promotion for a SaaS Security Masterclass webinar based on insights from a study spanning 493 companies.
2024-01-23 13:44:44 bleepingcomputer CYBERCRIME Australia Imposes Sanctions on REvil Hacker for Medibank Breach
The Australian government has sanctioned Russian national Aleksandr Gennadievich Ermakov for his role in the Medibank ransomware attack. Ermakov, a member of the REvil ransomware group, is implicated in the October 2022 cyberattack on the large Australian health insurer. Personal data of about 10 million individuals, including sensitive health information, was leaked following the breach. The sanctions aim to disrupt Ermakov's activities by exposing his identity and hindering his ability to conduct cybercrime anonymously. Any financial transactions with Ermakov or provision of assets to him, including cryptocurrency dealings, now constitute a criminal offense. Australia aims to deter other cybercriminals by demonstrating the consequences of targeting Australian entities and the seriousness of the nation's response to cyber threats.
2024-01-23 12:28:09 thehackernews MALWARE Sophisticated macOS Malware Targets Cryptocurrency Wallets via Cracked Apps
A new stealer malware targeting macOS Ventura 13.6 and later has been discovered, spread through cracked applications. Security researchers found that the malware, distributed via booby-trapped DMG files, is designed to harvest cryptocurrency wallet data and system information. The malware dupes users into running an "Activator" component under the guise of applying a patch; the component then requests administrator credentials. To avoid detection, the malware communicates with its command-and-control server through an unusual DNS request method, downloading encrypted scripts that establish persistence. The backdoor, which is updated regularly, can run commands with elevated permissions and specifically targets Exodus and Bitcoin Core wallets to steal sensitive information. Researchers highlight an increase in the use of cracked software as an attack vector for delivering various types of malware to macOS users. The discovery underscores the growing sophistication of malware techniques aimed at cryptocurrency theft and the need for vigilance and stronger cybersecurity measures.
2024-01-23 11:52:20 theregister DATA BREACH Southern Water Hit by Ransomware Attack; Black Basta Claims Data Theft
Southern Water, a prominent UK utility firm, has confirmed that its IT systems were compromised and that a limited amount of data was stolen by criminals. The Black Basta ransomware group has claimed responsibility for the attack, threatening to release more stolen data unless a ransom is paid. Leaked data appears to include personal details of customers and employees, such as identity documents, HR records, and corporate car-leasing documents. The company is investigating the breach with the help of independent cybersecurity specialists and has reported the incident to UK government agencies, including the ICO. There is currently no evidence that customer service or financial systems were affected by the attack. The incident follows recent warnings from Western intelligence agencies about the potential for cyberattacks on water providers and other critical infrastructure. Cybersecurity authorities have placed a heightened focus on protecting the water industry because of increasing threats and the sector's limited resources.
2024-01-23 11:36:44 thehackernews DDOS Alarming Rise in DDoS Attack Power and Duration Detailed by Gcore
DDoS attacks have escalated in scale, with a reported annual increase of more than 100% in peak attack volume, which is now measured in terabits per second. Attack durations ranged from a few minutes to nine hours, with an average of about one hour, underscoring the diversity of attacker strategies and the need for effective detection and mitigation. UDP floods were the most common type of DDoS attack at 62%, followed by TCP floods and ICMP attacks, highlighting the need for a multifaceted defense. The geographic origins of DDoS attacks were spread worldwide, with the United States, Indonesia, and the Netherlands as the leading sources, calling for targeted defenses and international cybercrime policy efforts. The gaming and financial sectors remain high-priority targets for DDoS attackers, requiring industry-specific security measures to mitigate potential economic and operational impacts. Gcore's data indicates a disturbing trend in DDoS threats, with attack power reaching up to 1.6 Tbps, suggesting that organizations across all sectors need to improve their cybersecurity preparedness. The report emphasizes the importance of international cooperation and intelligence sharing in confronting the global challenge posed by DDoS attacks.
2024-01-23 10:30:16 thehackernews CYBERCRIME BreachForums Creator Sentenced to Supervised Release
Conor Brian Fitzpatrick, creator of BreachForums, has been sentenced to 20 years of supervised release, avoiding jail. Arrested in March 2023 for access device fraud and possession of child pornography, Fitzpatrick operated under the alias "pompompurin." BreachForums, active since March 2022, was a notorious marketplace for trading stolen data and hacking tools. The site offered bank details, Social Security numbers, and unauthorized system access services, affecting millions of people and numerous organizations. The court considered Fitzpatrick's mental health in the sentencing; the final restitution for victims is pending. Fitzpatrick must undergo home arrest with GPS tracking and mental health treatment and must avoid internet use for a year. BreachForums advertised a "Leaks Market" for trading illicit data and sold access to hacked databases through a credit system. Fitzpatrick was previously jailed for violating his pre-sentencing release conditions by using an unmonitored computer and a VPN.
2024-01-23 09:39:02 thehackernews CYBERCRIME Massive Spike in Attacks on Critical Confluence Security Flaw
A critical vulnerability in Atlassian Confluence, identified as CVE-2023-22527 with a CVSS score of 10.0, is being actively exploited. Within three days of its public disclosure, over 40,000 attack attempts from 600+ unique IP addresses were detected. The flaw allows unauthenticated remote code execution on outdated versions of Confluence Data Center and Server 8. Attackers are primarily performing reconnaissance, such as "testing callback attempts and 'whoami' execution." The majority of these attacks originate from Russia, with significant numbers also coming from Singapore, Hong Kong, the U.S., and other countries. Over 11,000 Atlassian instances are accessible online, but the exact number of vulnerable systems is unknown. Security researchers warn of the high risk associated with this vulnerability, which allows attackers to execute arbitrary code on affected systems.
2024-01-23 03:02:25 theregister CYBERCRIME Australia Announces Sanctions Against Russian Cybercriminal
Australia used its 2021 "significant cyber incidents" sanctions regime for the first time, targeting Russian national Aleksandr Gennadievich Ermakov for the cyberattack on Medibank Private. The 2022 ransomware attack on Medibank resulted in the leak of personal data of about ten million customers, including sensitive medical information. The REvil crime gang, reportedly harbored by Russia, was named as the likely perpetrator, with Ermakov specifically implicated in the incident. The sanctions include a travel ban to Australia for Ermakov and severe penalties for anyone transacting with or supporting him. Ermakov's online pseudonyms are "aiiis_ermak," "blade_runner," "JimJones," and "GustaveDore," the last referencing a renowned 19th-century French artist. Despite identifying Ermakov, the Australian government acknowledges it cannot enforce action against him in Moscow. Following several major cyber incidents in Australia, including the data breach at Optus, the announcement serves to reassure the public of the government's proactive stance on cyber threats.