Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-09 13:24:35 | theregister | CYBERCRIME | Free Decryptor Released for Babuk Tortilla Ransomware Victims | An updated decryptor for the Babuk ransomware, targeting the Tortilla variant, has been released by security researchers. The decryptor was made possible through collaboration among Cisco Talos, Avast, and the Netherlands police, leading to arrests. The Amsterdam police arrested the individual responsible for Babuk Tortilla, with prosecution by the Dutch Public Prosecution Office. The decryptor's efficacy stems from the ransomware operators' failure to update their encryption scheme with unique keys for each victim. The decryptor, now included in Avast's portfolio and the No More Ransom project, uses a single private key to unlock files across all victims. Babuk ransomware was initially identified between 2020 and 2021, attacked various sectors, and its code leak led to multiple spin-off ransomware families. The Tortilla variant exploited Microsoft Exchange servers using the ProxyShell vulnerability and demanded payment in Monero, often below average ransom amounts. |
| 2024-01-09 11:32:30 | thehackernews | DATA BREACH | The Hidden Dangers of SaaS Data Sharing Practices | SaaS applications' collaborative features can lead to unintended data exposure, with 58% of security incidents involving data leakage. User errors, such as accidental exposure of private repositories or misconfigured permissions, are common causes of data leaks on platforms like GitHub. Publicly accessible calendars can present security risks by exposing meeting details, which could be used for phishing or social engineering attacks. Collaborating with external service providers without proper access controls can lead to unauthorized retention of sensitive data. Experts recommend using SaaS security tools to identify and secure publicly shared resources to mitigate risks. Keeping a resource inventory of publicly accessible files and implementing best practices for sharing are crucial for protecting company data. It is essential to maintain control over shared materials, especially when collaborating with short-term external team members, to prevent data breaches. |
| 2024-01-09 09:55:11 | thehackernews | CYBERCRIME | Critical Security Flaws Found in QNAP and Kyocera Systems | A significant security flaw in Kyocera's Device Manager has been reported, allowing potential interception and manipulation of Active Directory hashed credentials. The vulnerability, identified as CVE-2023-50916, is described as a path traversal issue enabling attackers to redirect database backup paths and achieve unauthorized access. The vulnerability can lead to NTLM relay attacks depending on the configuration, raising concerns about data theft and compromised client accounts. This issue has been addressed in Kyocera Device Manager version 3.1.1213.0, marking an important security update. QNAP also fixed several high-severity vulnerabilities, notably CVE-2023-39296, which could cause system crashes through prototype pollution. QNAP updates addressing these vulnerabilities have been released for QTS and QuTS hero, amongst other affected software components. Users of affected QNAP and Kyocera products are strongly advised to update to the latest software versions to safeguard against these security flaws. Despite no current exploitation reports, timely updates are crucial to mitigate risks and ensure the security integrity of the enterprise's network systems. |
| 2024-01-09 08:23:06 | thehackernews | MALWARE | YouTube Videos Conceal Lumma Stealer Malware via Cracked Software | Threat actors are using YouTube videos promoting cracked software to distribute an information-stealing malware known as Lumma Stealer. The videos direct users to a link in the description that downloads a fake installer, which ultimately installs the Lumma Stealer malware. Lumma Stealer is capable of harvesting sensitive data and has been available on underground forums since late 2022. The fraudulent installer involves a multi-step process that includes downloading a loader from GitHub and performing checks to evade virtual machine and debugging detection. This form of malware distribution exploits legitimate-looking video editing tool links, such as Vegas Pro, but results in cryptocurrency theft and potentially unauthorized cryptocurrency mining on the infected machines. Similar methodologies were previously noted for delivering various types of malware, which highlights the continued use of YouTube as a platform for cybercriminals. The article also references an increase in stream-jacking and phishing attacks leading to account takeovers on YouTube, as well as a sophisticated 11-month-old AsyncRAT campaign targeting U.S. infrastructure management entities. |
| 2024-01-08 22:18:20 | bleepingcomputer | CYBERCRIME | Toronto Zoo and Public Library Targeted by Ransomware Attacks | Toronto Zoo experienced a ransomware attack that did not affect animal welfare, the public website, or the zoo's operational activities. The zoo is investigating whether guest, member, or donor information was compromised and assured that no credit card information is stored on its systems. Operations including visitor admissions are continuing normally, and the zoo is working with cybersecurity experts and the City of Toronto's Chief Information Security Office. Toronto Police Service has been notified, and the zoo has requested patience from the public as it responds to inquiries during the investigation. In a separate incident, the Toronto Public Library suffered a ransomware attack by the Black Basta gang, impacting service availability and compromising personal data dating back to 1998. The Toronto Public Library, a major system with extensive resources, has not paid the ransom and is also engaging with external cybersecurity specialists. |
| 2024-01-08 21:07:06 | bleepingcomputer | CYBERCRIME | Official Netgear and Hyundai Accounts Compromised for Crypto Scams | Official Twitter accounts of Netgear and Hyundai MEA were hijacked to promote cryptocurrency wallet drainer malware. Hyundai has already recovered its account and removed malicious links, whereas Netgear's account still shows traces of the attack. Attackers changed Hyundai MEA's account name to Overworld, a known entity often impersonated in scams. Netgear's account was repurposed to entice users to a fake website, falsely promising significant monetary rewards. Verified Twitter accounts with 'gold' and 'grey' checkmarks are increasingly targeted by hackers to bolster the credibility of crypto scams. Even two-factor authentication did not prevent the hijacking of Mandiant's Twitter account. A wallet drainer campaign reportedly stole $59 million in cryptocurrency from 63,000 victims via Twitter ads. Twitter users associated with cryptocurrency are experiencing a particularly high volume of these malicious ads. |
| 2024-01-08 20:41:24 | bleepingcomputer | NATION STATE ACTIVITY | Turkish Cyber Espionage Group Escalates Attacks in the Netherlands | The Turkish state-backed group Sea Turtle has expanded espionage activities to include Dutch ISPs and telcos, along with Kurdish websites. Previously concentrated in the Middle East, Sweden, and the US, Sea Turtle uses DNS hijacking and man-in-the-middle attacks to gather intelligence. Hunt & Hackett analysts noted the group's moderate sophistication, relying on known vulnerabilities and compromised accounts for access. Sea Turtle attacks between 2021 and 2023 in the Netherlands indicate a strategic shift to acquire economic and political intelligence. New techniques include the use of 'SnappyTCP' for persistent access and the 'Adminer' tool for database management and SQL command execution. The group attempts to avoid detection by erasing logs and using VPNs for accessing compromised accounts. Sea Turtle focuses on initial access and data exfiltration without engaging in credential theft, lateral movement, or data manipulation post-compromise. Mitigation strategies recommended include enhanced network monitoring, multi-factor authentication, and limited SSH access. |
| 2024-01-08 18:08:49 | bleepingcomputer | MISCELLANEOUS | Twilio Phases Out Authy Desktop App, Urges Shift to Mobile | Twilio has announced the discontinuation of its Authy desktop 2FA application across Windows, macOS, and Linux platforms, set for August 2024. Users are encouraged to transition to the Authy mobile app for iOS or Android, with mobile apps experiencing higher demand. The desktop app's discontinuation is part of Twilio's broader restructuring, coinciding with the departure of co-founder Jeff Lawson as CEO. Authy desktop app users must activate backups to ensure tokens are synced to their mobile devices before the service ends. Twilio has recommended alternative desktop applications for users who cannot use mobile devices for 2FA, including 1Password and KeePassXC. Users must manually disable 2FA for each account linked to Authy before migrating to a new solution to avoid being locked out. The process of transitioning from Authy's desktop app requires careful steps to prevent loss of access to secured accounts, because the app lacks an export feature. |
| 2024-01-08 17:48:10 | theregister | MALWARE | Critical Apache OFBiz Zero-Day Vulnerability Patched After Exploit Surges | A zero-day vulnerability in Apache OFBiz, an open-source ERP system, was disclosed on December 26, flagged with a near-maximum severity rating of 9.8. The flaw, identified as CVE-2023-51467, allows for authentication bypass and remote code execution by attackers, potentially leading to data exposure. Despite the disclosure and availability of a patch, SonicWall has observed thousands of daily attempts to exploit the vulnerability. A related vulnerability, CVE-2023-49070, was also patched by the Apache team by removing the XML-RPC API code, but attackers continue targeting the login functionality. Apache OFBiz version 18.12.11 includes the fix for both vulnerabilities, with Apache urging users to upgrade immediately. Usage of Apache OFBiz is widespread, with over 120,000 companies relying on systems like Atlassian's Jira; however, Jira's implementation is reportedly not susceptible to this vulnerability. SonicWall's research team developed two test cases demonstrating exploitability, though these no longer work against the patched version. Apache OFBiz's prompt response to the issue and subsequent fix has been lauded by the security community. |
| 2024-01-08 17:42:47 | bleepingcomputer | RANSOMWARE | loanDepot Hit by Ransomware Attack, Customer Data Potentially at Risk | loanDepot, a top U.S. mortgage lender, confirmed a ransomware incident resulting in data encryption and potential customer information exposure. Over the weekend, customers faced difficulties accessing loanDepot's payment portal and customer service phone lines due to the cyberattack. The company initiated an investigation with cybersecurity experts, notified regulators and law enforcement, and is in the process of restoring systems. loanDepot's customers were informed that recurring payments would continue, but delays in payment history updates and new payment processing issues have arisen. In its 8-K filing, loanDepot disclosed that attackers accessed company systems and encrypted data; the specific ransomware group remains unidentified. This incident raises concerns for customers' financial and personal data security, warranting vigilance against phishing and identity theft attempts. Previous cyberattacks in the mortgage industry are noted, with other large companies such as Mr. Cooper and First American Financial Corporation also being recent targets. |
| 2024-01-08 15:55:17 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Claims Cyberattack on Capital Health Network | The LockBit ransomware group has taken credit for a cyberattack against the Capital Health hospital network, threatening a data leak. Capital Health, serving New Jersey and Pennsylvania, faced an IT systems outage in November 2023 due to the cyberattack. Since the incident, Capital Health has restored its systems and implemented additional security measures. LockBit claims to have stolen 7 TB of sensitive data during the attack and plans to release it unless a ransom is paid. LockBit, which has a stated rule against encrypting hospital files, opted only for data theft in this attack, citing the avoidance of disruption to patient care. While some ransomware groups have ethical policies against attacking healthcare providers, LockBit has a history of targeting such institutions. The repercussions of ransomware attacks, even without data encryption, can include data breaches, financial loss, and impacts on patient care in the health sector. |
| 2024-01-08 15:04:00 | bleepingcomputer | CYBERCRIME | Best Practices to Fortify Helpdesks Against Hackers Post-MGM Breach | The MGM Resorts service desk hack underscores the need for improved employee identity verification to secure helpdesk operations. Attackers used vishing and detailed impersonation techniques to deceive MGM's service desk and gain unauthorized network access. The importance of helpdesk security is highlighted, as these employees are the first contact point for user issues and thus a target for social engineering and cyberattacks. To counteract threats, helpdesks must educate staff on sophisticated attacks, create cultures that encourage identity verification, and implement multifactor authentication systems. Specops Secure Service Desk is recommended as a solution that provides a higher security level by employing advanced user verification methods. It is essential to safeguard communication channels and to conduct regular security audits and pen-testing to find and patch vulnerabilities in the helpdesk process. Organizations are advised to transition away from security questions to MFA and other secure authentication methods to create barriers against cyber threats. |
| 2024-01-08 14:07:46 | thehackernews | CYBERCRIME | Stealth Silver RAT Malware Distributed by Syrian Hackers | Anonymous Arabic, a threat group attributed to Syrian origins, is distributing a remote access trojan (RAT) named Silver RAT which evades detection and allows covert operations. Silver RAT enables cybercriminals to log keystrokes, encrypt data, destroy system restore points, and connect to a command-and-control (C2) server for further instructions. The malware has been actively promoted on various hacker forums and social media, with associated offerings including cracked RATs, Facebook and X (formerly Twitter) bots, and carding activities. First detected in November 2023, Silver RAT v1.0 had been leaked on Telegram in October 2023, with speculation about an upcoming Android version of the malware. The RAT contains advanced features such as delayed payload execution, keystroke logging, selective functionality logs, and stealthy application launches. Cybersecurity firm Cyfirma has identified one member of the group, likely based in Damascus and in their mid-20s, who is active across social media, development platforms, underground forums, and Clearnet websites. The malevolent activities of this group extend beyond malware distribution, encompassing various areas of cybercrime and suggesting a sophisticated and diverse cybercriminal enterprise. |
| 2024-01-08 13:16:41 | theregister | CYBERCRIME | British Library Ransomware Aftermath and Recovery Struggle | The British Library denies speculative estimates that the cost of recovering from the ransomware attack could reach nearly $9M. There is no confirmation of final costs yet as the rebuilding of digital services continues, with no fixed completion date available. Key services such as the online catalog are expected to return in a limited capacity; full restoration may take several months. The Public Lending Right service is disrupted, delaying payments to authors for borrowed works, specifically affecting Irish recipients. Personal data from internal management databases may have been compromised, raising concerns over privacy and security. The ransomware attack, claimed by the Rhysida group, led to significant file leaks and operational disruptions within the library. The National Cyber Security Centre (NCSC) and Metropolitan Police are involved in supporting the recovery and investigation process. |
| 2024-01-08 11:44:30 | thehackernews | MISCELLANEOUS | Embracing a Unified Cybersecurity Approach for Resilience | Only 59% of organizations have updated their cybersecurity strategy in the past two years, per the Ponemon Institute, pointing to a concerning stagnation in adaptive security measures. The article emphasizes the necessity of breaking down silos between the managed Security Operations Center (SOC), risk management, and cybersecurity strategy to enhance overall security dynamics. Organizations face challenges with cohesion in their security approach, leading to potential vulnerabilities and inefficient responses to cyber incidents. The piece suggests integrating managed risk and managed strategy with SOC operations for proactive threat mitigation and informed strategic planning. A unified cybersecurity approach can deliver cost-effective resource allocation, swift incident response, enhanced threat detection, streamlined compliance management, and continuous progress. Adopting an integrated, risk-centric cybersecurity program is crucial for building resilience and countering the evolving nature of cyber threats effectively. The future of cybersecurity will be shaped by AI, machine learning, quantum computing, and IoT, further underscoring the need for an adaptive and robust cybersecurity strategy. |