Daily Brief

2024-01-05 21:19:19 | bleepingcomputer | CYBERCRIME | U.S. Justice Department Charges 19 in xDedic Cybercrime Marketplace Case
The U.S. Department of Justice, with international support, charged 19 people in connection with the xDedic cybercrime marketplace. xDedic facilitated over $68 million in fraudulent activity and offered more than 700,000 compromised servers, including 150,000 in the U.S. The transnational operation seized xDedic's domains and infrastructure, with law enforcement agencies from multiple countries participating. Two key figures in the operation, Moldovan Alexandru Habasescu and Ukrainian Pavlo Kharmanskyi, have been sentenced to prison terms. Marketplace seller Dariy Pankov and buyer Allen Levinson were also sentenced for their roles: Pankov listed over 35,000 compromised servers, and Levinson requested over $60 million in fraudulent tax refunds. The operation is part of a broader international law enforcement effort that has taken down various dark web markets and arrested numerous cybercriminals.

2024-01-05 20:08:04 | bleepingcomputer | DATA BREACH | BreachForums Admin Arrested for Violating Pretrial Conditions
Conor Fitzpatrick, admin of BreachForums, was arrested for breaking the terms of his pretrial release. Initially detained for running BreachForums, a platform for leaking stolen data, Fitzpatrick was known as Pompompurin in cybercriminal circles. After RaidForums was seized by the FBI, Pompompurin founded BreachForums to continue similar activities. Fitzpatrick faced charges for the theft and sale of sensitive information affecting millions of individuals and numerous organizations. Released on a $300,000 bond, Fitzpatrick was barred from using a computer without monitoring software and from accessing VPN services. A court document reveals an additional arrest on January 2 for violating these specific pretrial conditions. Fitzpatrick is to remain in custody pending a court appearance in the Eastern District of Virginia.

2024-01-05 17:33:45 | bleepingcomputer | MALWARE | Hackers Exploiting Apache RocketMQ Servers with RCE Flaws
Security researchers have identified critical RCE vulnerabilities, CVE-2023-33246 and CVE-2023-37582, in Apache RocketMQ servers. Hundreds of IP addresses are scanning for or attempting to exploit these vulnerabilities in Apache RocketMQ services daily. Initial patching efforts were incomplete, in particular failing to secure the NameServer component in RocketMQ versions 5.1 and older. Because the exposed NameServer component lacks proper permission checks, attackers can execute commands on it remotely. Users are advised to update their NameServer to version 5.1.2 (RocketMQ 5.x) or 4.9.7 (RocketMQ 4.x) or later to avoid attacks. The Shadowserver Foundation is tracking hosts scanning for vulnerable systems, noting possible reconnaissance or exploitation attempts. The DreamBus botnet was observed using the CVE-2023-33246 exploit to install Monero miners on compromised servers as early as August 2023. CISA has issued alerts and patching directives to federal agencies to mitigate the risk posed by these vulnerabilities.

2024-01-05 17:23:11 | bleepingcomputer | CYBERCRIME | CertiK's Twitter Account Hacked to Spread Crypto Wallet Drainer
CertiK's Twitter account, followed by over 343,000 users, was hijacked in a social engineering attack. The attackers posed as journalists and phished CertiK employees' credentials through a link to a fraudulent scheduling website. After gaining access, they posted a tweet from CertiK's account directing followers to a crypto wallet drainer under the guise of a security warning. Revoke.cash responded quickly, alerting the public that CertiK's account was compromised and warning against the fake website. The malicious post was removed 15 minutes after being published, and CertiK acknowledged that the event was part of a larger, ongoing social engineering campaign targeting numerous accounts. Government and business entities with verified Twitter accounts have increasingly been targeted by similar cryptocurrency scam tactics. The ongoing issue raises concerns about the effectiveness of current security measures, such as two-factor authentication (2FA), against sophisticated phishing schemes.

2024-01-05 15:41:08 | thehackernews | MALWARE | North Korean Hackers Deploy New macOS Backdoor 'SpectralBlur'
Researchers have identified a new macOS backdoor dubbed SpectralBlur and linked it to North Korean threat actors. SpectralBlur shares traits with another malware family, KANDYKORN, used by the North Korea-linked Lazarus sub-group BlueNoroff. The backdoor supports functions such as file management, shell command execution, and evasion techniques. The discovery indicates an escalating focus by North Korean hackers on macOS systems, especially those associated with cryptocurrency and blockchain. This year has seen a significant rise in macOS-targeted malware families, with 21 new types found compared to 13 in the previous year. Security experts are raising the alarm about a potential increase in macOS malware against the backdrop of the operating system's growing popularity in enterprise environments.

2024-01-05 15:35:47 | bleepingcomputer | CYBERCRIME | Memorial University Cyberattack Postpones Academic Semester Start
The Memorial University of Newfoundland (MUN) suffered a cyberattack on December 29 that led to IT service disruptions. The incident delayed the start of the winter semester at Grenfell Campus, with classes pushed from January 4 to January 8. While Marine Institute campus services are back online, Grenfell Campus is still facing outages, including a lack of internet and Wi-Fi for resident students and inoperative payment terminals. As a precaution, the university has required all staff and students to reset their MUN login passwords. MUN has engaged law enforcement but has not yet confirmed whether student data was compromised in the attack. No ransomware group had claimed responsibility for the incident at the time of the report. Additional IT specialists from other campuses have been deployed to help restore systems at the affected campus.

2024-01-05 14:39:16 | theregister | CYBERCRIME | BreachForums Leader Arrested for Bond Violation Before Sentencing
Conor Brian Fitzpatrick, alias Pompompurin, was arrested for breaching his pretrial conditions, including using a VPN and violating computer-use restrictions. Fitzpatrick, with ties to the cybercrime forum BreachForums, pleaded guilty to charges including access device fraud and possession of child sex abuse material. Initially granted pretrial release on a $300,000 bond, he violated multiple conditions and will now remain in custody until his sentencing. He faces up to 10 years for each count of access device fraud and a further 20 years for the child sex abuse material charge. The sentencing hearing was postponed to January 19 following a request by his legal team for further psychological evaluation. BreachForums, founded after the similar site RaidForums was shut down, became a marketplace for cybercriminals where Fitzpatrick acted as an escrow agent. BreachForums is still operational under a new domain despite Fitzpatrick's legal troubles and the law enforcement crackdown on similar platforms.

2024-01-05 12:21:19 | bleepingcomputer | CYBERCRIME | Crypto Wallet CEO Loses $125,000 in Phishing Scam
Bill Lou, co-founder of Nest Wallet, lost $125,000 in a phishing scam while trying to participate in a cryptocurrency airdrop. The scam involved a fake giveaway website that imitated a legitimate airdrop promotion and tricked Lou into signing a message that led to the loss. Lou criticized the popular MetaMask wallet for not catching the scam and claimed that his own startup's wallet would have provided better protection. The fraudulent website (lessfeesandgas[.]io) was designed to mimic the legitimate domain (lessfeesandgas.org) and targeted unsuspecting crypto users. Social media users had mixed reactions, with some expressing sympathy and others ridiculing Lou for not using his own wallet while claiming his product's superiority. The incident highlights the ongoing problem of cryptocurrency-related scams and the need for heightened security awareness in the blockchain community.

2024-01-05 12:21:19 | bleepingcomputer | MISCELLANEOUS | Enhance IT Security Skills with Discounted White Hat Hacker Bundle
The Ultimate 2020 White Hat Hacker Certification Bundle offers a $70 discount on courses aimed at improving ethical hacking skills. The bundle includes ten courses delivered by cybersecurity professionals such as Nathan House and Joe Parys. Instruction covers a wide range of topics, from understanding hacker tactics to network security, endpoint protection, and hands-on ethical hacking practice. Python programming for security purposes, both defensive and offensive, is a specific area of focus within the course materials. Participants receive in-depth training on using Nmap for network security and on preparing for CompTIA's PenTest+ and CySA+ certification exams. The bundle is marketed as essential for IT workers in any role who want to bolster their skills against emerging cybersecurity threats. While the list price of the bundle is $110, it is currently being offered for $39.99, a significant saving.

2024-01-05 10:08:36 | thehackernews | DATA BREACH | Effective Strategies for Managing Exposed Secrets in Cybersecurity
Exposed secrets within a company's source code, such as API keys and credentials, represent a significant security threat requiring immediate action. Secret scanners can detect exposed secrets but lack the context needed to assess severity and formulate an appropriate response. Steps to contextualize a secret include classifying it by sensitivity, assessing the scope and impact of the exposure, identifying the root cause, and enriching the secret's information. Remediation involves swift mitigation, establishing policies to prevent future exposures, and regular monitoring and auditing of secrets. Technology, particularly automation and platforms such as Entro, plays a crucial role in managing exposed secrets more effectively by providing essential context and easy integration with existing security workflows. Proactive and strategic management of exposed secrets is vital to protect sensitive data and maintain an organization's security posture, with Entro offering tools to assist in these efforts.

2024-01-05 10:03:08 | thehackernews | CYBERCRIME | Orange Spain Hit by BGP Hijack Due to Credential Theft via Malware
Orange Spain experienced a BGP traffic hijack that caused an internet outage after an account was compromised using stealer malware. The incident led to significant disruption and a 50% loss of network traffic, but no personal data was reported as breached. The suspected perpetrator, Ms_Snow_OwO, obtained access to the RIPE account and altered Orange's AS number, which caused the outage. The compromised admin account was linked to an Orange Spain employee whose computer was infected with Raccoon Stealer malware. RIPE does not currently enforce two-factor authentication or strong password policies, a situation it plans to change following the incident. RIPE is investigating the breach and will contact affected account holders; it is also urging users to update their passwords and enable multi-factor authentication. The event underlines the importance of robust cybersecurity measures against initial attack vectors such as malvertising and phishing.

2024-01-05 07:45:01 | thehackernews | CYBERCRIME | Ivanti Issues Security Patch for Critical Endpoint Manager Vulnerability
Ivanti has released security updates for a critical vulnerability in its Endpoint Manager (EPM), tracked as CVE-2023-39336, with a CVSS score of 9.6. The flaw affects certain versions of EPM 2021 and EPM 2022 and can lead to remote code execution on servers running the vulnerable software. An attacker with internal network access could exploit an SQL injection flaw to execute arbitrary SQL queries and take control of machines running the EPM agent. This disclosure follows a recent patch of 21 security flaws in Ivanti's Avalanche enterprise MDM, including 13 critical buffer overflow issues. Ivanti previously dealt with zero-day vulnerabilities in its products that were exploited by state-backed actors to attack Norwegian government networks. While no exploitation of the newly disclosed vulnerability has been reported, the past incidents underline the importance of applying the security updates promptly.

2024-01-05 07:34:02 | theregister | NATION STATE ACTIVITY | Kyivstar Telecom Attack Exposes Sandworm's Destructive Global Reach
The Russia-linked Sandworm hacking group is believed to have compromised Kyivstar, Ukraine's largest telecom provider, affecting 24 million users and critical services. Sandworm had infiltrated Kyivstar's network for at least six months, gaining full access by November 2023 and executing a disruptive attack in December. The attack not only affected telecommunication services but also disrupted air raid alerts and banking operations in Kyiv, coinciding with physical missile strikes on the city. Ukrainian officials, including the SBU cyber chief, and private-sector analysts attribute the attack to Sandworm, which operates as part of Russia's GRU military intelligence. The breach highlights the use of cyberattacks in hybrid warfare, potentially monitoring Ukraine's military movements and compounding the psychological impact on civilians. Western experts point to the broad implications of the attack for global cybersecurity, as Sandworm's reach extends beyond Ukraine and it has previously targeted the US and other countries. Mandiant Intelligence warns of similar telecom vulnerabilities in the United States and urges Western nations to treat the Kyivstar hack as a global threat signal.

2024-01-05 07:28:42 | thehackernews | NATION STATE ACTIVITY | Sandworm: Russian Hacker Group Infiltrates Ukraine Telecom
The Russian state-sponsored hacking group Sandworm had access to the systems of Ukrainian telecom provider Kyivstar since May 2023. Kyivstar's services were disrupted last month, affecting millions of users; the Russia-linked group Solntsepyok claimed responsibility. Solntsepyok is affiliated with Russian military intelligence and has been involved in past disruptive cyberattacks. The attack on Kyivstar resulted in the substantial destruction of virtual servers and computers, with the attackers having had full access for several months. The head of the SBU's cybersecurity department noted the meticulous planning over many months that went into the attack. While Kyivstar has resumed operations, there is no evidence that customer personal data was compromised. The method of the network breach remains unclear. The SBU also took down two hacked surveillance cameras used by Russian intelligence to spy on Ukrainian defense and infrastructure.

2024-01-05 05:20:58 | thehackernews | MALWARE | New Bandook RAT Phishing Attack Targets Windows Users
A new variant of the Bandook Remote Access Trojan (RAT) has been identified targeting Windows machines through phishing campaigns. Fortinet FortiGuard Labs reported the malware's distribution method: a phishing email containing a PDF file that leads to a password-protected .7z archive. Once the archive is opened with the password from the PDF, the Bandook malware injects its payload into the legitimate Windows system file msinfo32.exe. First detected in 2007, Bandook is commercial malware that gives attackers extensive remote control over infected systems. The latest version of Bandook has been implicated in a cyber espionage campaign, according to ESET research from 2021, with attacks focusing on Spanish-speaking countries. Once installed, the malware alters Windows Registry settings for persistence and connects to a command-and-control server for further instructions and payload downloads. The RAT's capabilities include file and registry manipulation, data theft, downloading additional payloads, executing files, and even uninstalling itself remotely.