Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11757
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-22 07:50:21 | thehackernews | NATION STATE ACTIVITY | Ukrainian Firms Targeted by UAC-0099 Exploiting WinRAR Vulnerability | The threat actor UAC-0099 has been actively targeting Ukrainian employees with LONEPAGE malware by exploiting a flaw in WinRAR. Cybersecurity firm Deep Instinct reports that the malware is delivered through phishing messages with malicious attachments. CERT-UA first reported UAC-0099 in June 2023, citing espionage attacks against state organizations and media. Attacks use HTA, RAR, and LNK files that lead to malware capable of stealing information and taking screenshots. The group has reportedly gained unauthorized remote access to multiple computers in Ukraine during 2022-2023. Attack methods also involve self-extracting archives and ZIP files crafted to exploit CVE-2023-38831 in WinRAR, where opening a benign-looking document in the archive runs a script stored in a directory of the same name. The attackers use simple yet effective tactics, employing PowerShell and scheduled tasks to execute malware. CERT-UA has also issued a warning about phishing messages related to Kyivstar dues used to distribute the Remcos RAT, attributed to UAC-0050. | Details |
| 2023-12-22 05:37:52 | thehackernews | NATION STATE ACTIVITY | Microsoft Exposes Iranian Hacker Attacks on Defense Sector | Microsoft has identified a new backdoor named FalseFont aimed at the defense sector. The threat originates from an Iranian group known as Peach Sandstorm, also tracked as APT33, Elfin, and Refined Kitten. FalseFont enables remote system access, file launching, and data transmission to control servers. The implant was first detected in November 2023, consistent with Peach Sandstorm's evolving tactics. Past activities of Peach Sandstorm include password spray attacks on various global sectors, indicative of intelligence-gathering for Iranian state interests. The threat actor has been operational since at least 2013 and now shows more sophisticated techniques. Additionally, the Israel National Cyber Directorate reported attempts by Iran and Hezbollah to attack the Ziv Hospital and spread wiper malware using phishing tactics. | Details |
| 2023-12-21 22:20:14 | theregister | CYBERCRIME | Lapsus$ Hacker Sentenced to Hospital Detention After Series of Cybercrimes | Arion Kurtaj, an 18-year-old member of the Lapsus$ cybercrime group, has been sentenced to indefinite hospital detention due to mental health issues. Kurtaj's sentencing follows a spree of cyberattacks by the Lapsus$ gang on high-profile targets such as Uber, Nvidia, Rockstar Games, and Revolut. A court determined Kurtaj was unfit for trial, and he will remain in hospital until a mental health tribunal deems him suitable for release. A 17-year-old Lapsus$ member was also sentenced, receiving a youth rehabilitation order, but cannot be named due to legal protections. The Lapsus$ group's criminal activities included blackmail, fraud, and intrusion into the computer networks of companies such as BT, Microsoft, Samsung, and Okta. Law enforcement warns of the online dangers and the serious consequences of cybercrime for young people, as seen in this case. The US government has advised organizations to improve security measures, including moving away from voice- and SMS-based multi-factor authentication, to protect against tactics used by groups like Lapsus$. | Details |
| 2023-12-21 21:49:18 | bleepingcomputer | CYBERCRIME | First American Financial Suffers Disruptive Cyberattack | First American Financial Corporation experienced a cyberattack, leading to some of its IT systems being taken offline to contain the incident. As the company manages sensitive personal and financial data, the attack has raised significant concern, especially following a previous breach. In November 2023, First American paid a $1 million penalty for a cybersecurity violation dating from May 2019, when its EaglePro application exposed customer data. Similar attacks have affected other title insurance providers, with Fidelity National Financial disclosing its own cyber incident last month. After the Fidelity attack, the ALPHV/BlackCat ransomware gang claimed responsibility, but no attribution has been given for the First American breach yet. Both companies faced operational disruptions; First American is working on resuming normal business services, while Fidelity National continues its recovery process. | Details |
| 2023-12-21 21:23:37 | bleepingcomputer | CYBERCRIME | Cryptocurrency Scam via Twitter Ads Drains $59 Million from Users | A cryptocurrency drainer called 'MS Drainer' has been promoted through Google and Twitter ads and has stolen approximately $59 million from over 63,000 people within nine months. Over 10,000 phishing sites using this drainer were discovered, exhibiting activity spikes in May, June, and November. Victims are lured to authentic-looking phishing sites where they unintentionally approve malicious contracts, resulting in unauthorized fund transfers to the attacker's wallet. The MS Drainer's source code is being sold for $1,500 by 'Pakulichev' or 'PhishLab,' who also collects a 20% fee on the stolen funds and offers additional malware features for extra costs. One victim on the Ethereum blockchain lost $24 million, with other significant losses ranging from $440,000 to $1.2 million. Advertisements on Google abused tracking template loopholes to appear legitimate, while on Twitter, ads often came from verified accounts likely compromised by malware or stolen credentials. Phishing ads on Twitter utilized various themes such as "Ordinals Bubbles" NFT collections and token launches, and employed geofencing to avoid detection. Users are advised to exercise extreme caution with cryptocurrency-related advertisements and to verify the legitimacy of new platforms and contracts before engaging with them. | Details |
| 2023-12-21 20:57:22 | bleepingcomputer | CYBERCRIME | Lapsus$ Hacker Sentenced to Indefinite Secure Hospital Detainment | Arion Kurtaj, an 18-year-old member of the cybercrime group Lapsus$, has been sentenced to an indefinite stay in a secure UK hospital due to the risk he poses and his ongoing desire to engage in cybercrime. Kurtaj, diagnosed with autism and deemed unfit to stand trial, was involved in leaking content from the forthcoming Grand Theft Auto VI video game. A co-conspirator, a 17-year-old member of Lapsus$, received an 18-month Youth Rehabilitation Order and a ban on VPN use after participating in breaches of NVIDIA and telecom companies. While on bail, Kurtaj circumvented restrictions using an Amazon Fire Stick to connect to cloud services and leak Grand Theft Auto VI assets, leading to his arrest. Lapsus$ is known for high-profile cyberattacks and data breaches against companies like Okta, Uber, Revolut, and Microsoft, opting for data extortion over ransomware. The court ruling highlights the ongoing threat posed by cybercriminals, even when those involved are relatively young or operating as part of smaller groups. | Details |
| 2023-12-21 20:46:41 | bleepingcomputer | CYBERCRIME | Lapsus$ Hacker Sentenced Indefinitely to Secure Hospital for GTA 6 Leak | Arion Kurtaj, a key member of cybercrime group Lapsus$, has been sentenced by a UK judge to an indefinite stay in a secure hospital. Kurtaj was involved in the leak of assets from the highly anticipated video game Grand Theft Auto VI. Deemed a "high risk" due to his abilities and intent to commit cybercrime, Kurtaj will remain hospitalized until doctors determine he is no longer a danger. Another 17-year-old member of Lapsus$ was found guilty and received an 18-month Youth Rehabilitation Order with strict supervision, including a ban on VPN use. Kurtaj, who has autism, was deemed unfit for trial, so the jury was asked only to determine whether he committed the acts, not whether he acted with criminal intent. The Lapsus$ group has been responsible for multiple high-profile cyberattacks on major tech firms, including Microsoft, Uber, Okta, and Revolut. Instead of encrypting data like ransomware groups, Lapsus$ engages in data extortion by stealing proprietary information and threatening to publish it if demands are not met. | Details |
| 2023-12-21 20:31:12 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Exposes Iranian Group's Malware Attacks on Defense Firms | Microsoft identified a cyber-espionage campaign by an Iranian group, APT33, targeting the Defense Industrial Base sector using FalseFont malware. FalseFont, a new backdoor, provides remote access capabilities, including file execution and data transfer to the attackers' servers. The APT33 group, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, has been operating since 2013 and targets various industry sectors worldwide. These attacks were observed as part of a broader pattern of targeting U.S., Saudi Arabian, and South Korean sectors ranging from government to finance. Microsoft recommends network defenders reset passwords, revoke session cookies, and implement multi-factor authentication to mitigate the risk from such attacks. The attacks are consistent with APT33's activity over the past year, indicating the group's ongoing efforts to refine its methods and tools. Other nation-state hacking groups from Russia, North Korea, and China have also been targeting defense agencies and contractors globally. | Details |
| 2023-12-21 19:09:08 | bleepingcomputer | CYBERCRIME | First American Financial Hit by Cyberattack, Systems Offline | First American Financial Corporation experienced a cyberattack, forcing some systems offline to contain the impact. The company's official website was taken down and a separate site was set up to provide information about the incident. The company is the second-largest title insurance provider in the U.S., established in 1889, with over 21,000 employees. First American Financial was previously fined $1 million for a cybersecurity incident that occurred in May 2019, in which personal and financial data collected and stored by the company was exposed through a vulnerability in one of its applications. Fidelity National Financial, another title insurance firm, disclosed last month that it was also targeted by a cybersecurity incident. The ALPHV/BlackCat ransomware gang claimed responsibility for the breach of Fidelity National Financial on November 22. | Details |
| 2023-12-21 18:12:54 | bleepingcomputer | MISCELLANEOUS | Microsoft Phases Out Defender Application Guard for Edge Users | Microsoft is retiring Microsoft Defender Application Guard (MDAG) for Edge for Business, which opens untrusted sites in an isolated container. MDAG uses hardware-based virtualization to sandbox the browsing session so that a compromised browser does not reach the host. After the deprecation, enterprise admins are encouraged to refer to the Microsoft Edge for Business security whitepaper for alternative security features. Introduced in April 2019 for Windows 10, MDAG's deprecation follows the recent discontinuation of Defender Application Guard for Office. Users should consider other security measures such as Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control. In parallel, Microsoft plans to remove VBScript in future Windows updates and has delayed the deprecation of older TLS protocols and Exchange Online client access rules (CARs). | Details |
| 2023-12-21 16:56:14 | thehackernews | CYBERCRIME | Predator Spyware's Reboot Persistence Feature Ups the Ante | Predator spyware now offers a reboot survival feature to clients, confirming its advancement and persistence capabilities on infected Android devices. Produced by the Intellexa Alliance, including firms like Cytrox and Nexa Technologies, Predator targets both Android and iOS systems with high-cost licensing. The U.S. added Cytrox and Intellexa to the Entity List in July 2023 for trafficking in cyber exploits used to access information systems. Exploit chains in mobile operating systems and browsers are used by spyware tools like Predator and Pegasus to infiltrate devices covertly. Security measures are adapting to counter such threats, driving exploit developers to continually seek new vulnerabilities or purchase them from brokers. Intellexa's business model distances it from direct attack involvement by having clients set up their own infrastructure, masked by shipping jargon for deniability. Although exposure of such surveillance tools has impacted the spyware market, companies like Intellexa adapt by acquiring new exploit chains, maintaining their operational capabilities. Cisco Talos emphasizes the need for public technical disclosures to improve malware detection and impose development costs on private-sector offensive actors. | Details |
| 2023-12-21 16:45:42 | bleepingcomputer | DATA BREACH | ChatGPT Suffers Partially Patched Data Exfiltration Vulnerability | OpenAI applied a mitigation for a data exfiltration flaw in ChatGPT, a popular conversational AI platform. Security researcher Johann Rehberger identified that the platform could leak user conversation data to attacker-controlled external URLs. Despite OpenAI's efforts, the fix is partial, and attackers may still exploit the vulnerability under certain conditions. The safety measures to prevent data leakage are not yet implemented in the iOS mobile app version of ChatGPT, leaving iPhone and iPad users exposed. The flaw chains prompt injection with markdown image rendering: injected instructions make the model emit an image link to an attacker's server with metadata, technical data, or conversation details encoded in the URL, and the client leaks that data when it fetches the image. The researcher publicly disclosed the issue after OpenAI did not respond to his reports, demonstrating it with a custom GPT named 'The Thief!'. Because the service is not open source, the client-side URL check is not transparent, so the effectiveness of the fix cannot be fully assessed. The vulnerability's remediation on Android is unclear, potentially affecting the significant user base of ChatGPT's mobile app on Google Play. | Details |
| 2023-12-21 16:25:00 | thehackernews | MALWARE | Chameleon Banking Trojan Evolves, Targeting U.K. and Italy | Cybersecurity researchers have identified a new variant of the Chameleon Android banking malware with expanded targeting of U.K. and Italian users. The malware utilizes Android's accessibility service for Device Takeover attacks, harvesting data, and conducting overlay attacks. Chameleon is distributed via Zombinder, a dropper-as-a-service that binds malware to legitimate apps and can now bypass Android's 'Restricted Settings'. The updated Chameleon Trojan can manipulate biometric authentication by switching the lock screen to a PIN, allowing unauthorized device access. ThreatFabric's report follows Zimperium's findings of 29 malware families, including 10 new ones, targeting 1,800 banking apps in 61 countries. The most targeted financial apps include those of major banks and services such as PhonePe, WeChat, Bank of America, Wells Fargo, Binance, and Barclays. Banking apps remain the primary target for such malware, with FinTech and trading apps increasingly being targeted as well. | Details |
| 2023-12-21 15:43:56 | bleepingcomputer | CYBERCRIME | Darkweb Market BidenCash Releases 1.9 Million Stolen Cards | The darkweb marketplace BidenCash has released 1.9 million stolen credit cards for free to promote its platform among cybercriminals. BidenCash began operations in early 2022, offering stolen credit and debit card data accrued through phishing or skimming on e-commerce sites. The released card data includes numbers, expiration dates, and CVVs, with most cards expiring between 2025 and 2029, although some cards that expired in 2023 were also found. This is the fourth such data dump by BidenCash since October 2022, cumulatively amounting to over 5 million cards, although previous dumps have included duplicates and invalid cards. Valid cards in the dump are at risk of fraudulent transactions and could also facilitate scams targeting bank employees. Given BidenCash's reputation for genuine data, the pack is likely largely authentic, even though it lacks some of the data quality seen in prior releases. To counter payment data risks, the recommendation is to shop with reputable outlets, use digital payments or single-use cards, and secure accounts with two-factor authentication. | Details |
| 2023-12-21 14:31:57 | bleepingcomputer | MALWARE | Android Trojan Chameleon Targets Biometrics to Steal PINs | The Chameleon Android trojan has evolved and is now capable of disabling fingerprint and face unlock features to compel users to enter their PINs, which it then steals. This newest variant can infect devices running Android 13 and later by tricking users into manually enabling Accessibility permissions through an HTML page. Initially impersonating Australian entities, the malware is distributed through the Zombinder service as a fake Google Chrome application. Zombinder is designed to attach malware to seemingly legitimate apps, bypassing runtime detection, Google Play Protect alerts, and antivirus software. Chameleon uses its accessibility access to interrupt biometric security features and capture PINs, enabling attackers to unlock devices and perform malicious operations without detection. ThreatFabric, which tracks Chameleon's development, notes added functionality for task scheduling to optimize the trojan's attack effectiveness. Users are advised to download apps only from official sources, ensure Play Protect is enabled, and perform regular device scans to prevent and detect malware infections. | Details |