Daily Brief

2024-01-01 15:11:24 bleepingcomputer DATA BREACH Top Cybersecurity Events of 2023: Breaches and Hostile Takeovers
Credential stuffing attacks compromised 23andMe, revealing the data of 6.9 million users, with some data leaked on a hacking forum, prompting class action lawsuits. Danish hosting provider CloudNordic suffered a crippling ransomware attack, resulting in a total customer data loss after unsuccessful recovery efforts. Hacktivists from Anonymous Sudan demonstrated their might by disrupting major tech firms, including Microsoft and Cloudflare, through DDoS attacks. Innovative acoustic attacks by researchers showcased the ability to capture keystrokes with up to 95% accuracy via machine learning algorithms. PayPal faced a large-scale credential stuffing attack, where 34,942 accounts were breached, exposing sensitive personal information. DISH Network was hit by a ransomware attack linked to Black Basta, causing significant outages and resulting in customer data theft. GoDaddy and MGM Resorts experienced severe cyberattacks, with GoDaddy's multi-year breach leaking code and customer information, and MGM's resort operations being disrupted by ransomware. North Korean hacking group Lazarus infiltrated 3CX with a unique supply chain attack, distributing previously unknown info-stealing malware. Barracuda's Email Security Gateway appliances were hacked using a zero-day vulnerability by Chinese actors, leading to the unusual recommendation of replacing the devices. A rampant ransomware campaign dubbed ESXiArgs targeted exposed VMware ESXi servers across the globe, causing swift encryption of numerous companies' virtual machines.
2024-01-01 14:04:53 thehackernews MALWARE New Malware Technique Circumvents Windows 10 and 11 Defenses
Researchers have identified a new DLL search order hijacking variant that evades Windows 10 and 11 security features. The technique abuses executables in the trusted WinSxS folder, eliminating the need for elevated privileges to run malicious code. This exploitation method relies on placing a malicious DLL with the same name as a legitimate one in a non-standard directory. When a vulnerable binary from the WinSxS folder is executed, it triggers the malware without copying the legitimate executable. This subtle approach requires closely monitoring process relationships and the activities of binaries within the WinSxS folder. The cybersecurity firm Security Joes emphasizes the need for organizations to take preventive measures against this method. Additional binaries within the WinSxS folder might be vulnerable to this type of attack, increasing the urgency for protective actions.
2024-01-01 09:40:31 thehackernews CYBERCRIME Vulnerability in SSH Protocol Allows Security Downgrade Attack
A vulnerability named Terrapin (CVE-2023-48795) could let attackers downgrade the security of SSH connections. Researchers discovered that the flaw allows removal of messages during the handshake without detection. SSH uses cryptography to authenticate and secure connections but is vulnerable when using certain encryption modes. The attack requires an active adversary-in-the-middle (AitM) to intercept and modify TCP/IP traffic. Risk is high for organizations with large networks that access privileged data, and a patch is crucial. Many SSH client and server implementations are affected, and maintainers have issued patches. Companies need to patch both servers and clients to fully mitigate the vulnerability across their infrastructures.
2024-01-01 06:57:27 thehackernews MALWARE Sophisticated JinxLoader Distributes Formbook and XLoader Malware
A new malware loader, JinxLoader, is being used in phishing attacks to distribute Formbook and XLoader malware. Cybersecurity firms Palo Alto Networks Unit 42 and Symantec have identified the multi-step attack strategies involving JinxLoader. JinxLoader was first advertised on hackforums[.]net and is available for purchase with subscription options ranging from $60 to $200. Attackers are employing phishing emails, purportedly from the Abu Dhabi National Oil Company, with password-protected RAR files to execute the malware. There has been a noticeable increase in loader malware campaigns, with infections delivering various information stealers, including a newcomer named Rugmi. The Meduza Stealer malware has been updated, offering new features targeting browser-based cryptocurrency wallets and improved credit card data theft. A new stealer family, Vortex Stealer, has emerged, designed to harvest browser data and other credentials and share them through Gofile, Anonfiles, Discord webhooks, and Telegram bots. These developments indicate that stealer malware remains a highly profitable enterprise for cybercriminals, fueling the continuous innovation in malware delivery methods.
2023-12-31 15:12:30 bleepingcomputer DATA BREACH Ateam's Google Drive Misconfiguration Exposes Nearly 1 Million People's Data
Japanese game developer Ateam inadvertently exposed the personal information of around 935,779 individuals through a misconfigured Google Drive setting. For over six years, sensitive files were accessible to anyone with the link, including customer and employee data as well as business partner information. The exposed data varied but primarily affected customers, with over 700,000 Ateam Entertainment users' information made vulnerable. While there is no evidence that the data was maliciously accessed or stolen, the incident highlights the need for vigilant cloud service security practices. The Google Drive misconfiguration underscores the larger issue of cloud storage vulnerabilities, as similar incidents have occurred with Amazon S3 buckets leading to data breaches and leaks. The US Cybersecurity and Infrastructure Security Agency (CISA) provides guidance for securing cloud services to prevent such accidental exposures. Ateam has urged impacted individuals to be cautious of unsolicited contact that may result from the exposure.
2023-12-30 15:14:29 bleepingcomputer MALWARE Flaw in Black Basta Ransomware Enables Free File Recovery
Security researchers have developed a decryptor that exploits a flaw in the Black Basta ransomware to recover files without payment. The decryptor is effective for Black Basta ransomware victims targeted between November 2022 and a week before the recent fix by the cybercriminals. Larger files over 5,000 bytes and up to 1GB can be fully recovered, while the first 5,000 bytes of files larger than 1GB will be lost. The decryptor called "Black Basta Buster" uses a scripting approach to reverse the encryption, leveraging the mistake the ransomware made by writing the encryption key directly into files with zero-byte chunks. SRLabs, who discovered the flaw, indicates virtualized disk images have a high likelihood of being restored. Some digital forensics and incident response (DFIR) companies had been using the flaw to help clients avoid ransom payments for months before the decryptor was made public. Black Basta is linked to the FIN7 hacking group and has launched numerous attacks since April 2022, focusing on double-extortion tactics and targeting corporate victims.
2023-12-30 09:33:46 thehackernews CYBERCRIME Surge in Phishing Attacks Draining Cryptocurrency Wallets
Cybersecurity experts have detected an uptick in phishing campaigns targeting a variety of blockchain networks with methods designed to empty cryptocurrency wallets. The Angel Drainer phishing group is promoting a "scam-as-a-service" operation, taking a cut of the illicit proceeds for providing wallet-draining scripts to their partners. Inferno Drainer, another service implicated in stealing over $70 million in cryptocurrency from more than 100,000 victims, recently announced the cessation of its activities. These wallet-draining kits operate by deceiving users into connecting their wallets to fake websites, often via malvertising or misleading social media messages. Attackers trick victims into authorizing transactions that shift control over the funds, utilizing functions like "approve" or "permit" in malicious smart contracts. The stolen cryptocurrency is often laundered via mixers or split over multiple transfers to hide the culprits' tracks and allow for the illegal liquidation of the assets. Security recommendations for crypto users include using hardware wallets, verifying the legitimacy of smart contracts, and regularly checking wallet allowances for unauthorized activities.
2023-12-29 20:40:27 bleepingcomputer RANSOMWARE LockBit Ransomware Continues Hospital Attacks Amid Quiet Week
LockBit ransomware affiliates have increased attacks on hospitals, despite the group's policy against such targets. LockBit provided a decryptor after attacking the Hospital for Sick Children in Toronto, yet recently targeted three German hospitals, disrupting ER services. Yakult Australia suffered a cyber incident leading to a 95GB data leak, affecting both Australian and New Zealand IT systems. The Ohio Lottery experienced a cyberattack on Christmas Eve, as claimed by the new DragonForce ransomware operation, leading to the shutdown of several internal applications. Two New York hospitals have initiated legal action to reclaim stolen data held on Wasabi Technologies' cloud servers following a LockBit ransomware attack. Microsoft has once more disabled the MSIX ms-appinstaller protocol handler due to its exploitation in malware campaigns, potentially leading to ransomware infections. New ransomware variants with unique file extensions and ransom notes have been identified, indicating ongoing developments in ransomware tactics.
2023-12-29 20:24:51 bleepingcomputer CYBERCRIME Hospitals Fight to Recover Data from Ransomware Attack via Legal Action
Two New York not-for-profit hospitals are taking legal steps to retrieve data after a ransomware attack by the LockBit gang in August. The compromised data includes sensitive patient information such as names, social security numbers, and health records, currently held on Wasabi Technologies' servers. The hospitals, part of the North Star Health Alliance, provide services to over 220,000 residents and were forced to redirect urgent care patients elsewhere following the cyber attack. The breach not only compromised data but also disrupted patient care and emergency services. The hospitals are working in collaboration with the FBI and are seeking a court order for Wasabi to return the stolen data and for the ransomware group to destroy any copies made. LockBit's ransomware attacks have not only affected these hospitals but have a global reach, having disrupted emergency services in Germany and delayed treatments at a children's hospital in Toronto.
2023-12-29 16:15:14 bleepingcomputer MALWARE Malware Exploits Google OAuth to Hijack User Accounts
Multiple malware families are exploiting an undocumented Google OAuth endpoint to restore expired authentication cookies and access user accounts. Session cookies, which contain authentication data, are being hijacked, allowing cybercriminals persistent access even after passwords are reset. Researchers from CloudSEK uncovered that the exploit uses a Google endpoint called "MultiLogin" for synchronizing Google service accounts. The exploit, first disclosed by a threat actor named PRISMA, enables regeneration of Google service cookies using stolen token:GAIA pairs from Chrome profiles. Malware developers are rapidly integrating this exploit, with at least six different information-stealing malware families currently utilizing it. Lumma, one of the malware families using it, has updated its exploit to evade Google's abuse detection measures, indicating Google is aware of the issue. Google's lack of response on this actively exploited zero-day flaw leaves the current status of the exploitation and mitigation efforts uncertain.
2023-12-29 16:04:37 bleepingcomputer MALWARE Slay the Spire Mod Update Infects Gamers with Password-Stealing Malware
The "Downfall" mod for the Slay the Spire game was compromised, distributing Epsilon information stealer malware. The malware harvests cookies, saved passwords, credit card information from browsers, and details from Steam and Discord accounts. Users who launched the mod during the Christmas Day breach window are advised to change all important passwords. The attack utilized the game's Steam and Discord update mechanisms, appearing to be a Unity library installer. Information stolen by the malware can be used for further account breaches or sold on the dark web. Valve, the owner of Steam, has instituted SMS security checks for developers updating games to combat such threats. The breach is believed to have occurred via token hijacking rather than direct password theft; no developer emails were compromised.
2023-12-29 14:01:27 thehackernews CYBERCRIME Albanian Legislative and Telecom Entities Suffer Targeted Cyber Attacks
The Albanian Parliament and the telecom company One Albania were victims of cyber attacks, with the incidents being officially confirmed by Albania's National Authority for Electronic Certification and Cyber Security (AKCESK). One Albania, which services around 1.5 million subscribers, reported handling the incident smoothly, claiming no disruption to its mobile, landline, and IPTV services. AKCESK identified the attacks in real-time and noted that they did not originate from within Albania, focusing on tracing the source and safeguarding systems against future breaches. The Iranian hacker group Homeland Justice has taken credit for these cyber attacks as well as for hacking the national airline Air Albania, declaring a mission against "supporters of terrorists." The attacks have provoked AKCESK to re-evaluate and reinforce the nation's cybersecurity strategies, although the full extent and details of the cyber attacks are still undisclosed. This series of incidents follows similar cyber attacks that occurred in mid-2021, after which the United States imposed sanctions on Iran's Ministry of Intelligence and Security for its involvement in cyber activities against the U.S. and allied nations.
2023-12-29 10:47:42 thehackernews MALWARE Ukraine CERT Warns of APT28 Spearheading Malware Phishing Campaign
CERT-UA identified a phishing campaign by the Russia-linked APT28 group deploying new malware strains OCEANMAP, MASEPIE, and STEELHOOK. The attacks, observed between December 15-25, 2023, target government entities, urging them to click malicious document links that initiate malware infection. MASEPIE, a Python-based malware, downloads/uploads files, executes commands, and communicates with its C2 server over an encrypted TCP channel. STEELHOOK, a PowerShell script, collects web browser data and sends it to the hackers' server in Base64-encoded format. OCEANMAP, a C#-based backdoor, facilitates command execution and uses the IMAP protocol for its control channel, with persistence achieved via a URL file in the startup folder. The attacks include penetration tools like Impacket and SMBExec for swift reconnaissance and lateral movement within an hour after initial breach. APT28 also exploits critical vulnerabilities such as CVE-2023-23397 for unauthorized account access on Exchange servers, expanding their campaign reach.
2023-12-29 09:15:25 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Hackers Execute Sophisticated Spear-Phishing Attacks
North Korean hacking group Kimsuky has been reported using spear-phishing to deploy malware including AppleSeed, Meterpreter, and TinyNuke. South Korean cybersecurity firm AhnLab attributes these detailed attacks to Kimsuky, noting that their use of AppleSeed malware has been consistent for years. Kimsuky was sanctioned by the U.S. due to intelligence gathering activities supporting North Korea's strategic goals, including a shift in target focus from South Korea to global entities since 2017. Malicious documents sent through spear-phishing allow the malware to take control of systems, steal sensitive data, and drop additional payloads. AppleSeed, a notable backdoor used by Kimsuky since 2019, has iterated into an Android version and a Golang variant named AlphaSeed which uses the chromedp library for command-and-control server communication. Kimsuky's espionage tactics include phishing along with online presence on platforms like LinkedIn and GitHub to secure remote IT jobs, which serves as a revenue source for the North Korean regime. The evolving and aggressive nature of these cyber campaigns reflects North Korea's broader strategy to bypass international sanctions and illicitly profit from digital assets and intellectual property theft.
2023-12-29 08:03:46 theregister NATION STATE ACTIVITY Banking CEO Secretly Tests Security, Strains Vendor Relations
A consultant, "Jack," worked for a managed security services provider (MSSP) serving an African bank hit by a state-sponsored cyber attack. The incident sparked the bank's "panic purchase" of cybersecurity tools and services. The bank's CEO was not fully satisfied with the MSSP, questioning the value for money. Tensions between the CEOs of the bank and the MSSP increased after an unauthorized security test instigated by the bank's CEO. The test involved the CEO's preferred cybersecurity provider and was not communicated to the MSSP, causing a false alarm in the security monitoring system. The incident resulted in a formal assessment of the MSSP's work, likened to "meeting an unhappy proctologist" by Jack. Four months passed before the working relationship between the bank and the MSSP normalized.