Daily Brief

2024-01-03 10:45:35 | thehackernews | CYBERCRIME | SMTP Smuggling Technique Enables Email Spoofing and Security Evasion
A newly identified exploitation method, SMTP smuggling, allows attackers to send spoofed emails that bypass typical security checks. Threat actors can exploit vulnerable SMTP servers to send emails from seemingly legitimate sender addresses, facilitating targeted phishing campaigns. SMTP smuggling works by exploiting inconsistencies in handling end-of-data sequences between outbound and inbound SMTP servers, enabling command injection. The technique is similar to HTTP request smuggling and affects servers from Microsoft, GMX, Cisco, Postfix, and Sendmail, allowing attackers to bypass DKIM, DMARC, and SPF email authentication systems. Microsoft and GMX have addressed the vulnerabilities; however, Cisco treats the issue as a feature and has not altered default configurations, leaving systems potentially exposed. SEC Consult advises Cisco users to adjust settings from "Clean" to "Allow" to mitigate the risk of receiving spoofed emails that pass DMARC validation.

2024-01-03 08:32:29 | theregister | RANSOMWARE | Emsisoft Advocates for Global Ban on Ransomware Payments
Emsisoft has proposed a complete ban on ransom payments following a significant rise in ransomware attacks. At least 2,207 US hospitals, schools, government organizations, and private-sector businesses were affected by ransomware in 2023. Recovery from a ransomware incident typically costs around $1.5 million per attack, and the average ransom demand has reached the same amount. High-profile victims in 2023 included Boeing and MGM Resorts, and disclosures of such attacks are expected to rise because of SEC rules. The MOVEit attacks by the Clop ransomware gang, which caused over $15 billion in damages, were not included in Emsisoft's 2023 statistics. Member countries of the International Counter Ransomware Initiative agreed not to pay ransoms, but this commitment does not apply to private-sector companies. Experts are divided on an outright ban because of its potential consequences and the current state of cyber-resilience maturity across the economy. The US government advises against paying ransoms and emphasizes the need for resilience and the implementation of preventive measures.

2024-01-03 07:30:58 | thehackernews | MISCELLANEOUS | XCast Fined $10 Million for Enabling Illegal Robocall Campaigns
The U.S. Department of Justice (DoJ) has fined XCast Labs $10 million for operating an extensive illegal robocall service. XCast has violated the Telemarketing Sales Rule (TSR) since at least January 2018 by transmitting billions of robocalls, including calls falsely claiming to come from government agencies. The robocalls delivered pre-recorded messages to numbers on the National Do Not Call Registry, contained deceptive or false information, and sometimes mimicked official agencies to solicit payments from victims. The financial penalty is suspended because of XCast's inability to pay, but the company must comply with stringent future requirements, including establishing a customer screening process. The order requires XCast to terminate relationships with any company that does not comply with U.S. telemarketing laws and to implement technologies that prevent calls with invalid caller ID numbers. Separately, the FTC has banned Response Tree from conducting or aiding robocall operations and has accused it of using misleading tactics to collect personal information, which it sold to telemarketers for making illegal calls.

2024-01-02 20:44:40 | bleepingcomputer | MISCELLANEOUS | Steam Ends Support for Older Windows OS to Enhance Security
Steam officially ended support for Windows 7, 8, and 8.1 on January 1 and is urging users to upgrade to more recent versions of Windows for better security. The gaming platform will no longer provide software or security updates for installations on these older operating systems, and technical support will be unavailable for related issues. Microsoft ended support for Windows 7 in January 2020, and its extended security updates for Windows 8.1 expired in January 2023. The change is unlikely to significantly affect the user base, since only 0.89% of Steam users were on these versions according to the latest hardware survey. Steam depends on an embedded version of Google Chrome that is incompatible with older Windows versions, so the move is needed to ensure access to essential Windows feature and security updates. Running outdated Steam versions on an unsupported OS carries risks, including exposure to credential-stealing malware, which makes the transition important for security. Valve has introduced SMS-based security checks for developers releasing game updates, but stronger multi-factor authentication methods are suggested to protect against more sophisticated threats such as SIM swapping attacks.

2024-01-02 20:08:53 | theregister | CYBERCRIME | Sam Bankman-Fried Escapes Second Trial Due to Prosecution Decision
U.S. prosecutors have decided not to proceed with a second trial against Sam Bankman-Fried (SBF), the disgraced cryptocurrency entrepreneur. The decision was based on the fact that the evidence for the eighth charge, related to unlawful campaign contributions, was largely considered during the first trial. An additional trial would likely delay SBF's scheduled sentencing in March 2024 and require complicated extradition negotiations with The Bahamas. SBF had already been extradited from The Bahamas to face seven criminal charges in the U.S., on all of which he was found guilty in his first trial. The seven convictions include conspiracy to commit wire fraud, commodities fraud, securities fraud, and money laundering, carrying a maximum combined sentence of 110 years. It was revealed that SBF used FTX customer deposits to bail out his other enterprise, Alameda Research, defrauding stakeholders of approximately $10 billion. Although the campaign finance charge will not be pursued in court, it may still influence SBF's sentencing, including potential orders of forfeiture and restitution for the victims of his crimes. Allegations against SBF include living a lavish lifestyle on stolen funds, bribing Chinese officials, witness tampering, and using over $100 million in embezzled funds for political campaign contributions.

2024-01-02 20:03:27 | theregister | MALWARE | Sophisticated Malware Bypasses Google Account Security Post-Password Reset
Security researchers report that malware can still access Google accounts even after a password change, owing to an exploit of Google's OAuth system. A cybercriminal first disclosed the existence of a zero-day exploit in Google's security that allows regaining access to victims' accounts by generating new session tokens. At least six malware families, including Lumma and Rhadamanthys, have incorporated this exploit, and others such as Eternity Stealer are planning updates. The exploit involves stealing web browser session tokens from an infected PC, which the malware then uses to access the victim's account despite password resets. At the root of the exploit is an undocumented Google OAuth endpoint called "MultiLogin," which synchronizes accounts across services and can be manipulated with stolen tokens. The threat demonstrates a heightened level of cybercriminal sophistication and a shift toward stealthier, more advanced capabilities. Google has yet to respond to inquiries about countermeasures for this issue, but logging out appears to invalidate the malicious use of session tokens.

2024-01-02 19:47:48 | bleepingcomputer | CYBERCRIME | Orbit Chain Suffers $86 Million Crypto Theft in Security Breach
Orbit Chain, a blockchain infrastructure project, has been compromised, resulting in a theft of $86 million in various cryptocurrencies. The security breach occurred on December 31, 2023, with the platform's balance plummeting from $115 million to $29 million following the incident. The attackers, potentially state-sponsored and possibly from North Korea, executed a sophisticated series of unauthorized transactions. Orbit Chain is collaborating with South Korean authorities, including the Korean National Police Agency and KISA, to investigate the breach. North Korean hacker groups like Lazarus have been suspected of conducting multiple crypto heists throughout 2023 to fund the country's sanctioned programs. The hack may be linked to previous attacks on related projects, hinting at an ongoing pattern of sophisticated, targeted cybercrime involving blockchain protocols. International efforts are in place to track and freeze the stolen funds, with warnings issued about phishing scams exploiting the event to victimize users further. Scam Sniffer's data shows wallet drainers have stolen $295 million from over 320,000 victims in 2023, indicating a widespread issue with crypto theft and scams.

2024-01-02 19:06:30 | bleepingcomputer | RANSOMWARE | Ransomware Disrupts Major Museums' Online Collections via Service Provider
Gallery Systems, a provider of museum software solutions, has been hit by a ransomware attack resulting in IT outages. The attack occurred on December 28, leading to the encryption of systems, which were taken offline to halt further damage. Over 800 museums are affected, including MoMA, the Met, and SFMOMA, disrupting access to the eMuseum platform used for public online viewing. Gallery Systems is working to restore data from backups, has informed law enforcement, and has launched an internal investigation. The identity of the ransomware group responsible for the attack remains unknown, and Gallery Systems has not provided further details on the extent of the breach. eMuseum.com subdomains, used by museums and colleges for online exhibitions, are currently offline because of the cyberattack.

2024-01-02 17:34:31 | bleepingcomputer | DATA BREACH | Xerox Business Solutions U.S. Division Hit by Ransomware Data Leak
The U.S. division of Xerox Business Solutions (XBS) has suffered a data breach after a ransomware gang leaked sensitive information. Xerox Corporation confirmed the breach, which may have exposed personal data. The INC Ransom ransomware group claims to have stolen the data and added XBS to its extortion portal on December 29. Xerox cybersecurity personnel contained the attack, with no reported impact on Xerox's or XBS's operations. An investigation has been launched with the help of third-party cybersecurity experts, focusing on further securing XBS's IT environment. Data samples shared by the ransomware group on its leak site included emails, payment details, and purchase orders. The full extent of the breach is not yet known, but Xerox says it will notify all individuals confirmed to be affected. Xerox has since been removed from INC Ransom's leak portal, which may indicate that negotiations with the cybercriminals have resumed.

2024-01-02 17:03:45 | bleepingcomputer | MISCELLANEOUS | Google to Halt Usenet Support on Groups Platform Amid Spam Struggles
Google has announced that it will discontinue Usenet support on Google Groups because of increasing spam and a decline in legitimate use. The change takes effect on February 22, 2024, after which users will no longer be able to post, subscribe, or view Usenet content via Google Groups. Historical Usenet content from before the cutoff will remain searchable and viewable on the platform. Usenet usage has shifted from text-based discussions to mainly file sharing and spam, prompting Google's decision. Google will also shut down its NNTP server services and stop content peering with other NNTP servers. Non-Usenet groups on the Google Groups platform are not affected by this change. Google provides guidance for users transitioning to alternative Usenet platforms, including advice on selecting new Usenet clients and public NNTP servers.

2024-01-02 16:17:27 | theregister | RANSOMWARE | Cyber Attack Targets Australian Court System's Audiovisual Network
The Court Services Victoria (CSV) audiovisual network suffered a cybersecurity incident, suspected to be a ransomware attack, that compromised court hearing recordings. The incident was detected on December 21, and recordings from November 1 to December 21 were potentially accessed, along with a small number of earlier files. The breach affected various levels of the court system, though some courts, such as the Supreme Court of Victoria, were affected only for a limited time. CSV has assured that its other systems, including employee and financial data, were unaffected and that the administration of justice continued uninterrupted. CSV is working with justice agencies to identify sensitive cases, notify the parties involved, and offer support in partnership with IDCARE. There are currently no confirmed releases of the recordings, but CSV has established a contact center for additional support concerning the incident. CSV is enhancing the security of its IT infrastructure as part of the system restoration process, with assistance from cybersecurity experts at the Department of Government Services. While CSV has not officially confirmed ransomware or identified the attackers, experts suggest the Russia-based Qilin group may be involved, using a double extortion tactic.

2024-01-02 15:51:33 | bleepingcomputer | DATA BREACH | Court Services Victoria Falls Victim to Ransomware Data Breach
Court Services Victoria (CSV) detected and announced on December 21, 2023, a cyberattack that compromised video recordings of court hearings. Attackers gained access to CSV's audio-visual archive, potentially exposing sensitive information from hearings held between November 1 and December 21, 2023. The intrusion was later found to have occurred on December 8, 2023, raising concerns about the extent and duration of the exposure. CSV has isolated the affected system and notified relevant authorities, including Victoria Police and Australia's IDCARE. Individuals potentially affected by the breach will receive notifications from the relevant courts. Despite the incident, CSV states that court operations will continue as scheduled, with additional security measures being implemented. According to sources, the Qilin ransomware group, previously known as "Agenda", is responsible for the attack on CSV, but this has not been officially confirmed. CSV has not disclosed whether a ransom demand was made or whether any data was stolen and published by the threat actors.

2024-01-02 10:05:24 | thehackernews | MISCELLANEOUS | Guide to Securing Corporate Environments with Enterprise Browsers
Enterprise browsers are emerging as a key solution to address security challenges posed by the extensive use of web browsers in corporate environments. Traditional security solutions are insufficient to manage the risks associated with browsers, which are major targets for attacks and unintentional data leaks. The definitive Enterprise Browser Buyer’s Guide has been released to aid security teams in selecting the right enterprise browser with an actionable checklist. Enterprise browsers must protect against unintended data exposure and various types of malicious activity, including browser vulnerabilities and phishing. The guide emphasizes the importance of deployment, user experience, security functionalities, and user privacy when choosing an enterprise browser solution. The Enterprise Browser Buyer’s Guide provides a detailed breakdown of necessary security functionalities, presented in five primary pillars for comprehensive coverage. The guide concludes with a checklist of essential capabilities of an enterprise browser, facilitating a more straightforward evaluation and decision-making process for security professionals.

2024-01-02 09:54:37 | thehackernews | DATA BREACH | Google Settles Multibillion-Dollar Privacy Suit Over Incognito Tracking
Google has settled a class-action lawsuit claiming that it tracked users' browsing activity even in 'Incognito Mode.' The lawsuit, filed in June 2020, accused Google of misleading users and violating federal wiretap laws. Plaintiffs argued that Google collected data from private browsing sessions without adequate user consent. A settlement has been reached, but its specific terms and financial details were not disclosed. Google's defense centered on user consent communicated through its Incognito warning, which the court found insufficient. The case highlights the complexities surrounding online privacy and the use of analytics and advertising APIs. Users were unaware that their private browsing activity could still be tracked by various online services despite using 'Incognito Mode'.

2024-01-01 16:07:33 | bleepingcomputer | CYBERCRIME | Law Enforcement Disrupts Global Cybercrime Operations in 2023
Law enforcement agencies around the world conducted operations in 2023 that disrupted a wide array of cybercrimes, including cryptocurrency scams, phishing, and ransomware attacks. Operations included the infiltration of the Hive ransomware gang, which led to the seizure of its infrastructure and a rebranding effort by the criminals. Dutch police hacked the encrypted communication platform Exclu to monitor criminal activity, resulting in 42 arrests after extensive investigations. Targeted efforts by German and Ukrainian law enforcement disrupted the DoppelPaymer ransomware group and apprehended core members. The FBI arrested the suspected administrator of the NetWire RAT, a malware tool used in various cybercrimes, and seized related infrastructure. The UK's NCA created fake DDoS-for-hire websites to unmask would-be cybercriminals and collect data on purchasers of illegal services. The DOJ seized a significant amount of stolen cryptocurrency from investment scammers, with plans to return the funds to victims. Genesis Market, a popular stolen-credentials market, was taken down during Operation Cookie Monster, with large numbers of digital fingerprints seized. Interpol's Operation HAECHI IV led to the arrest of 3,500 suspects and the seizure of $300 million linked to various cybercrimes. The FBI hacked ALPHV ransomware servers, leading to the creation of a decryption tool, while German police took down Kingdom Market, a significant dark web cybercrime marketplace.