Daily Brief


Total articles found: 12705

Checks for new stories every ~15 minutes

2024-03-20 11:27:38 thehackernews MISCELLANEOUS Enhancing Business Security in the Generative AI Era
The adoption of Generative AI technologies is widespread, with 79% of organizations already incorporating these innovations. Generative AI, including Large Language Models (LLMs), represents the new forefront of technological advancement but introduces complex security challenges. A webinar featuring Elad Schulman, CEO & Co-Founder of Lasso Security, and Nir Chervoni from Booking.com will address securing Generative AI technologies. The session aims to aid IT professionals, cybersecurity experts, and business leaders in understanding the security intricacies of Generative AI. Attendees will gain expert knowledge on the immense potential and notable security considerations of Generative AI in business applications.
2024-03-20 10:21:32 theregister NATION STATE ACTIVITY Five Eyes Warn of Chinese Cyber Threats, Urge Action
The Five Eyes intelligence alliance has issued an urgent warning about potential cyber attacks from China's Volt Typhoon group targeting critical infrastructure. Volt Typhoon is associated with China and has previously compromised multiple critical infrastructure IT networks in America. The advisory from CISA and international partners alerts non-technical senior leaders to prioritize cybersecurity and implement recommended best practices. Critical suggestions include employing intelligence-informed prioritization tools, enabling comprehensive logging, and conducting regular incident response drills. The alert also places emphasis on supply chain security and the importance of vendor risk management, including adherence to strict security standards. Organizations are advised to be aware of foreign ownership, control, or influence over their suppliers, referencing U.S. Department of Commerce Entities and Unverified Lists.
2024-03-20 09:45:45 thehackernews MALWARE BunnyLoader 3.0 Malware Update Introduces Advanced Attack Capabilities
Cybersecurity experts at Palo Alto Networks Unit 42 have discovered an upgraded variant of BunnyLoader, a sophisticated malware with enhanced data theft and evasion abilities. Named BunnyLoader 3.0 by its developer, the malware now boasts improved keylogging functions, smaller payload size, and written modules specifically designed for stealing data. Initially offered as malware-as-a-service (MaaS) for a monthly subscription, BunnyLoader has seen frequent updates to bypass antivirus measures and enhance its data collection capabilities. The latest upgrade includes denial-of-service (DoS) features for HTTP flood attacks and the separation of its different components into individual binaries for targeted deployment. BunnyLoader's proliferation involves a complex infection chain utilizing a new dropper named PureCrypter, leading to the delivery of multiple types of stealers, such as PureLogs and Meduza. The expanding MaaS landscape exemplifies the continuous retooling by threat actors to evade cybersecurity defenses. The study also references the persistence of SmokeLoader and a new information stealer called GlorySprout, shedding light on the evolving cybercrime ecosystem and the ongoing conflicts involving cyberattacks on Ukrainian government and financial institutions.
2024-03-20 08:49:31 bleepingcomputer CYBERCRIME Warning: Scam Redirects Through Fake Twitter Ads Uncovered
Security researcher Will Dormann has identified an advertisement on the social media platform X, supposed to link to Forbes, misleadingly redirecting users to a scam-related Telegram account. The ad manipulates the platform's preview system, which attempts to display the ultimate URL destination, but in this case, shows Forbes while redirecting to another site. Initially, users are taken to joinchannelnow[.]net which, depending on the user agent of the request, either redirects to the scam on Telegram or to a legitimate Forbes article. The fraudulent setup can trick X's preview system, especially on mobile apps where there's no status bar to reveal the true link destination before clicking. The vulnerability has been reportedly exploited by adversaries ranging from crypto scammers to malware and phishing operators, taking advantage of users' trust in the displayed URL. Users are advised to avoid clicking on external links in X posts and ads without thorough scrutiny, and on mobile devices, it is recommended to avoid tapping links altogether.
2024-03-20 06:52:34 thehackernews CYBERCRIME Ukraine Detains Three for Global Email and Instagram Account Hijacking
Ukrainian Cyber Police arrested three people for hacking over 100 million email and Instagram accounts worldwide. The suspects are accused of conducting brute-force attacks to gain unauthorized access to accounts and selling credentials on the dark web. Arrested individuals could face up to 15 years in prison if found guilty. Authorities executed seven searches across Ukraine, seizing computers, phones, and other assets. A U.S. national admitted to computer fraud for breaching over a dozen entities and exfiltrating personal data of 132,000 individuals. The U.S. defendant, who caused harm by extorting victims with sensitive data, agreed to pay over $1 million in restitution.
2024-03-20 05:51:29 thehackernews NATION STATE ACTIVITY U.S. EPA Launches Task Force Against Water System Cyberthreats
The U.S. Environmental Protection Agency (EPA) is creating a Water Sector Cybersecurity Task Force to protect water systems from cyberattacks. EPA Administrator Michael Regan and National Security Advisor Jake Sullivan expressed concerns to U.S. Governors about the vulnerability of water and wastewater systems to cyber threats. Cyber Av3ngers and China-linked Volt Typhoon are among the groups identified as targeting U.S. water systems. There are significant risks involved as water systems are critical infrastructure, yet often lack adequate cybersecurity safeguards. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fact sheet warning of the serious risk posed by Volt Typhoon and advised implementation of cybersecurity best practices. SentinelOne reported China's media strategy aims to manipulate global perception of U.S. hacking activities and espionage.
2024-03-20 01:47:40 theregister CYBERCRIME IT Contractor Jailed for Illegally Redirecting Museum Funds
An IT contractor was sentenced to 2.5 years of imprisonment for unauthorized transactions from the National Maritime Museum's accounts. The individual exploited his role to reroute over AU$66,000 of museum funds to his personal accounts. A significant portion of the stolen funds was used to purchase advanced IT equipment and vehicle enhancements. The fraudulent activity was detected by the museum, leading to an investigation by the Australian Federal Police and a subsequent arrest in March 2023. The court has mandated a minimum non-parole period of 15 months out of the 30-month sentence. Separately, security concerns have been raised as Australian government contractors with security clearances have been sharing sensitive project details on LinkedIn. Additionally, it was discovered that over half of these contractors are listed on Have I Been Pwned, suggesting their credentials may have been compromised in previous data breaches.
2024-03-19 23:30:10 bleepingcomputer DATA BREACH Massive Leak of 19 Million Plaintext Passwords from Firebase
Cybersecurity researchers discovered 19 million plaintext passwords leaked due to misconfigured Firebase instances. Over five million domains were scanned, revealing 916 websites with poor security setups, exposing sensitive user records. Exposed data includes names, emails, passwords, phone numbers, and billing information with bank details from various companies. Researchers attempted to notify affected organizations, resulting in a quarter of them remedying the Firebase misconfigurations. Despite attempts to raise awareness, only 1% of site owners responded, and the researchers received bug bounties from two site owners. An Indonesian gambling network displayed the largest data exposure, including 8 million bank records and 10 million plaintext passwords. The total number of exposed records amounts to 223 million, which is a conservative estimate, suggesting the problem could be more extensive. This data exposure investigation follows a previous project where the same researchers found admin and superadmin access due to misconfigurations in an AI-powered hiring software used by various U.S. fast-food chains.
2024-03-19 22:08:46 bleepingcomputer CYBERCRIME White House and EPA Address Surge in Cyberattacks on US Water Systems
The White House and the Environmental Protection Agency (EPA) warn of ongoing cyberattacks targeting the United States' water sector. U.S. National Security Advisor Jake Sullivan and EPA Administrator Michael Regan urge governors to strengthen cybersecurity defenses for water systems. A Water Sector Cybersecurity Task Force is being established to develop strategies against cyber threats nationwide. Chinese and Iranian state-backed hackers have recently breached U.S. water systems, prompting increased security measures. The Cybersecurity and Infrastructure Security Agency (CISA) has released a security scan tool to help water utilities identify and address vulnerabilities. There have been multiple ransomware attacks on U.S. Water and Wastewater Systems Sector over the past decade, some leading to significant disruptions.
2024-03-19 21:17:52 bleepingcomputer CYBERCRIME US Defense Dept Processes 50,000th Vulnerability Report Since 2016
The U.S. Department of Defense's Cyber Crime Center (DC3) has processed 50,000 vulnerability reports since launching its Vulnerability Disclosure Program (VDP) in November 2016. The VDP, which began after a successful 'Hack-the-Pentagon' bug bounty event, differs from typical bug bounties by allowing continuous reporting from ethical hackers. In 2018, the DC3 implemented an automated system to track and process vulnerability reports, enhancing both efficiency and hacker participation. The scope of VDP has expanded to cover all publicly accessible Defense Department IT assets, leading to the discovery and mitigation of 400 significant flaws in a 12-month program in 2021, reportedly saving $61 million in taxpayer funds. Though the annual report for 2023 is not yet released, it is estimated that 5,000 flaws were processed last year, based on the previous year's reports. The DoD's bug bounty program on HackerOne has seen over 27,000 issues resolved, with 1,231 reports received in the last 90 days. Ethical hackers looking to contribute to the DoD's cybersecurity can find participation guidelines on the VDP's HackerOne page.
2024-03-19 21:02:24 theregister NATION STATE ACTIVITY Chinese Cyberespionage Campaign Targets Global Government Entities
Chinese hackers, known as Earth Krahang, have infiltrated over 70 organizations in 23 countries, focusing primarily on government entities using phishing and server exploits. Trend Micro has identified two custom backdoors, RESHELL and XDealer, and a consistent use of compromised government infrastructure to conduct further attacks. The researchers have noted strong similarities between Earth Krahang and another state-backed Chinese group, Earth Lusca, and possible connections to Chinese security contractor I-Soon. Government entities, education, telecommunications, and other sectors have been affected, with tactics including spear-phishing emails leveraged from compromised government accounts. The hackers exploit known vulnerabilities in public-facing servers such as CVE-2023-32315 in OpenFire and CVE-2022-21587 in Oracle Web Applications Desktop Integrator, and employ various open-source scanning tools to identify potential targets. There is evidence of lateral movement within networks using SoftEther VPN, including the installation of persistent backdoors and credential access. Security recommendations include educating employees on phishing threat avoidance, verifying sender identity before engaging with emails, and ensuring timely software updates and patch installations.
2024-03-19 20:21:29 bleepingcomputer NATION STATE ACTIVITY U.S. Agencies Warn of Chinese Hackers Targeting Critical Infrastructure
CISA, along with the NSA, the FBI, and international partner agencies, issued warnings to critical infrastructure organizations at risk from the Chinese hacking group known as Volt Typhoon. The group has infiltrated multiple U.S. critical infrastructure organizations, maintaining access in some cases for over five years without detection. Volt Typhoon's objectives appear to focus on Operational Technology (OT) within networks, with the potential to disrupt essential services. U.S. agencies are advising infrastructure leaders to bolster cybersecurity, secure supply chains, and align performance management with cyber goals. Agencies recommend that cybersecurity teams ensure comprehensive logging for early detection and response to threats, and that leaders ask those teams what resources they need for effective compromise detection. Volt Typhoon, also known as Bronze Silhouette, leveraged a botnet (KV-botnet) across the U.S. to conceal its activities; the FBI disrupted the botnet in December. Authorities have encouraged SOHO router manufacturers to enhance device security to prevent future Volt Typhoon attacks, highlighting the importance of secure configurations and eliminating web interface vulnerabilities.
2024-03-19 20:05:59 theregister DATA BREACH Investment Scams Top US Cybercrime Financial Losses in 2021
The FBI reported that investment fraud, especially cryptocurrency scams, led to the largest financial loss from cybercrime in the US last year, totaling $4.57 billion. The majority of these scams exploited individuals seeking quick profits in the cryptocurrency market, with losses from such scams nearing $4 billion. The agency observed an increase in fraudulent schemes offering recovery services for previously lost investments, targeting victims for additional funds. Ransomware attacks accounted for a comparatively lower financial loss of $59.6 million for the year, but the report stressed that this figure may be underreported. Business Email Compromise (BEC) attacks and impersonation of customer support or government staff caused significant financial damage, with adjusted losses of $2.9 billion from BEC attacks alone. Elderly people over 60 were the most affected, representing 40% of all complaints and 58% of total losses, which amounted to $1.3 billion specifically from call center scams. Overall, cybercrime cost US citizens $12.5 billion in 2021, with daily complaints to the FBI numbering 2,412, and the financial impact of victimization increasing with the age of the victims.
2024-03-19 19:20:04 bleepingcomputer CYBERCRIME Alert on Scammers Faking FTC Roles to Defraud Consumers
The FTC has issued a warning about scammers posing as agency employees to con Americans into sending money, with the median loss from such scams rising from $3,000 in 2019 to $7,000 in 2024. Victims, often elderly, have been duped into transferring funds or wiring money to the fraudsters. There were over 14,000 government impersonation complaints in the last year, causing over $394 million in losses. The FTC emphasizes it will never ask consumers to move funds for protection or pay with cryptocurrency, and has established a rule to combat impersonation scams more effectively. The FBI notes a 22% increase in online crime financial losses in 2023, reaching $12.5 billion, with BEC, investment scams, ransomware, and impersonation fraud as leading causes. People over 60 are particularly susceptible to these crimes, with cybercrime complaints to the FBI jumping 10% from the previous year to 880,000. The agency has published guidelines to assist the public in recognizing fraudulent activities and provides reporting channels for scams in both English and Spanish. The FBI encourages vigilance against fraud attempts and has previously provided tips to help individuals avoid becoming scam victims.
2024-03-19 18:19:01 bleepingcomputer CYBERCRIME Ukraine Cyber Police Arrest Hackers Over 100 Million Account Thefts
Ukrainian cyber police have arrested three individuals linked to the theft of over 100 million email and Instagram accounts. The suspects used brute-force attacks to hijack accounts, involving automated guessing of passwords until the correct one was found. Compromised accounts were sold on the darknet, allowing fraud groups to scam contacts of the victims by requesting money transfers. An organized criminal structure was revealed, with the leader assigning roles and infrastructure spread across multiple Ukrainian regions. Law enforcement conducted seven searches, seizing computers, phones, and financial instruments as part of the crackdown. Those arrested face charges that include unauthorized interference in computer systems, carrying penalties of up to 15 years in prison. A separate investigation has been opened to explore the hackers' potential ties with foreign entities, particularly concerning Russian interests. The police recommend the use of strong, unique passwords and multi-factor authentication (MFA) to enhance online account security.