Daily Brief


Total articles found: 11755

Checks for new stories every ~15 minutes

2023-12-13 20:29:41 bleepingcomputer CYBERCRIME Russian Linked to Ransomware Gang Arrested by French Police
French authorities have arrested a Russian national suspected of laundering money for the Hive ransomware gang. The arrest was made possible through the efforts of the French Anti-Cybercrime Office (OFAC), which linked the suspect to digital wallets connected to ransom payments. During the arrest, approximately €570,000 worth of cryptocurrency assets were seized by the police. The operation was a collaborative effort involving Europol, Eurojust, and Cypriot authorities, including a search of the suspect's residence in Cyprus. Prior to the arrest, Hive's Tor websites were taken down by an international law enforcement operation that also led to the FBI infiltrating Hive's servers. The FBI managed to provide over 1,300 decryption keys to victims, preventing significant ransom payments. The U.S. State Department is offering a reward of up to $10 million for information linking the Hive ransomware group or other cybercriminals to foreign governments. A new ransomware-as-a-service group, Hunters International, has emerged following Hive's takedown, with significant code overlap suggesting a possible rebirth of the Hive group under a new name, though this is contested by Hunters International.
2023-12-13 18:27:35 bleepingcomputer CYBERCRIME LockBit Ransomware Capitalizes on Competitors' Disruptions
The LockBit ransomware operation is actively recruiting affiliates and developers from the disrupted BlackCat/ALPHV and NoEscape operations. NoEscape affiliates claim that its operators pulled an exit scam, raising concerns of lost ransom payments and an operational shutdown. BlackCat/ALPHV's infrastructure suffered a 5-day outage, leading to speculation about a possible law enforcement operation. LockBit is offering its data leak site and negotiation panel to BlackCat and NoEscape affiliates who still hold backups of stolen data. BlackCat/ALPHV victims are already appearing on LockBit's data leak site, suggesting movement between groups. LockBit, currently considered the largest ransomware operation, benefits from its competitors' troubles and treats these events as opportunities for expansion. The ransomware landscape remains dynamic, with affiliates and developers from disrupted operations likely to rebrand or relocate.
2023-12-13 18:06:51 bleepingcomputer NATION STATE ACTIVITY Russian APT29 Targets Unpatched TeamCity Servers Since September
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that APT29 (linked to Russia's SVR) has been exploiting TeamCity servers since September 2023. APT29 was previously involved in the SolarWinds breach and in targeting Microsoft 365 accounts in NATO countries. The exploited TeamCity vulnerability is CVE-2023-42793, a critical remote code execution flaw that gives attackers unauthenticated access. CISA believes the SVR is likely in a preparatory phase, using the initial access to escalate privileges, move laterally, and deploy backdoors for sustained control of the network. Around 800 TeamCity servers remain unpatched and exposed, and some incidents have already led to malicious code being injected into software releases. The attackers' tactics point to potential software supply chain attacks; the flaw has also been exploited by ransomware gangs and North Korean hackers (the Lazarus and Andariel groups).
2023-12-13 16:19:38 bleepingcomputer CYBERCRIME Hackers Target Apache Struts with Critical RCE Vulnerability Exploit
Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in Apache Struts, identified as CVE-2023-50164. The Shadowserver scanning platform detected a limited number of IPs trying to exploit the vulnerability using public proof-of-concept exploit code. Apache Struts is widely used in both private and public sectors, including government agencies, for developing Java EE web applications. The vulnerability affects a wide range of Struts versions and could allow attackers to upload malicious files, gain unauthorized access, and cause significant operational disruptions. Apache released updated Struts versions on December 7 to patch the critical path traversal flaw that permits the RCE if exploited. A security researcher published a technical explanation and a second write-up with exploit code, increasing the risk of widespread exploitation. Cisco is evaluating which of its products using Apache Struts are vulnerable, including widely used platforms such as Identity Services Engine and Unified Communications Manager.
2023-12-13 15:28:23 thehackernews CYBERCRIME BazaCall Phishers Exploit Google Forms to Deceive Targets
The phishing campaign known as BazaCall is using Google Forms to create authentic-looking emails that deceive victims. Attackers send emails impersonating subscription services such as Netflix and Norton, pressuring recipients to call a support number. Once on the call, victims are tricked into granting remote access to their computers. Google Forms is chosen because its emails come from a trusted domain, potentially bypassing email security systems. The response receipt feature in Google Forms allows attackers to receive a copy of the form, reinforcing the scam's legitimacy. The Google Forms technique can evade traditional security measures because its URLs are dynamically generated. Separately, Proofpoint has identified a phishing campaign by a group tracked as TA4557 that targets recruiters with the More_eggs JavaScript backdoor.
2023-12-13 14:22:03 theregister CYBERCRIME Enhancing Cloud Security Through Effective Monitoring and AI
The increasing adoption of multi-cloud environments introduces complex management processes and potential visibility gaps that could be exploited by hackers. The dynamic nature of cloud services provisioning can create new vulnerabilities, particularly through minor misconfigurations leading to significant security incidents. Cloud security risks are constantly evolving, necessitating adaptive and nuanced approaches rather than one-size-fits-all solutions. Tim Phillips of The Register will host a webinar featuring Nabil Zoldjalali from Darktrace to discuss strategies for improving cloud security. The webinar aims to educate on identifying normal versus abnormal behaviour patterns in cloud environments to strengthen security postures. Emphasis will be on leveraging AI to achieve real-time understanding of cloud ecosystems and to formulate autonomous responses to security threats. The event is designed to help IT professionals build more robust defenses against both human error and cyber intrusions in cloud computing. Registration for the webinar includes a reminder for the live event, underscoring the importance of continual learning and vigilance in cybersecurity.
2023-12-13 13:20:42 thehackernews MISCELLANEOUS Google Strengthens Android Against Cellular Vulnerabilities
Google employs Clang sanitizers to enhance security within Android's cellular baseband, mitigating certain types of vulnerabilities. The sanitizers, Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), help catch undefined behaviors and are suitable for various architectures. Although these tools increase security, they introduce significant performance overhead, prompting selective implementation in critical areas. Google's efforts are part of a larger initiative to secure firmware against remote code execution by collaborating with ecosystem partners. While sanitizers offer substantial protection, they do not address all vulnerability types, leading to a push for coding in memory-safe languages like Rust. Google revealed the rewriting of the Android Virtualization Framework firmware in Rust, strengthening the protected VM root of trust. Researchers suggest that as operating systems become more secure, attackers may shift focus to lower-level components like the baseband.
2023-12-13 12:09:07 thehackernews MALWARE Unraveling Malware's Secrets with Advanced Sandbox Analysis Tools
Malware analysis is critical for understanding and combating cyber threats, with network traffic examination playing a key role. Decrypting HTTPS traffic is essential for tracking malware communication, achieved using a man-in-the-middle (MITM) proxy to monitor and intercept data exchange. An example includes analyzing AxilStealer, which used Telegram to exfiltrate stolen browser passwords; the MITM proxy decrypted the traffic, revealing the malware's actions. Identifying a malware's family can be challenging, especially with inactive servers, but tools like FakeNET can simulate server responses to trigger identification rules. Analyzing geo-targeted or evasive malware requires the use of residential proxies, enabling analysts to bypass restrictions and disguise sandbox environments. The ANY.RUN sandbox streamlines this process, providing an interactive platform with tools such as MITM proxies, FakeNET, residential proxies, and more for detailed analysis. ANY.RUN encourages adoption of their cloud-based sandbox technology by offering a robust 14-day trial period to evaluate its comprehensive features.
2023-12-13 12:03:38 bleepingcomputer CYBERCRIME OLVX: Rising Cybercrime Marketplace Attracts Hackers Globally
A new cybercrime marketplace named OLVX has become increasingly popular among hackers, offering various tools for online fraud and attacks. Unlike traditional dark web marketplaces, OLVX is hosted on the clearnet, which broadens its reach, and it is promoted through search engine optimization (SEO). ZeroFox researchers observed a significant increase in both sellers and buyers on OLVX, driven by effective SEO, ads on hacking forums, and a dedicated Telegram channel. The OLVX marketplace offers a wide range of products, including custom cybercriminal toolkits and specialized files, which attract and retain a large customer base. The platform operates on a "deposit to direct payment" system accepting multiple cryptocurrencies, which carries the risk of an exit scam by the operators. Products on OLVX include various low-cost digital items, software, and services aimed at facilitating cybercrime. ZeroFox emphasizes the need for buyers to remain cautious, especially during the holiday shopping period, to avoid potential scams on OLVX.
2023-12-13 10:57:21 thehackernews CYBERCRIME Microsoft Exposes Cybercriminals Exploiting OAuth for Cryptojacking, Phishing
Microsoft has identified that hackers are misusing OAuth applications for cryptocurrency mining and phishing attacks. OAuth, an authorization framework, is being manipulated to deploy VMs and launch phishing campaigns by compromising user accounts. The compromised accounts are used to create or alter OAuth applications, increasing permissions and hiding malicious activities. Attackers use phishing or password-spraying to target accounts with the ability to configure OAuth applications; Microsoft highlights the group Storm-1283 as an example. Once they obtain access, these adversaries may engage in activities like financial fraud reconnaissance or the distribution of phishing emails. Microsoft observed instances where attackers maintained persistence and bypassed authentication by stealing and leveraging session cookies. Microsoft suggests defenses such as enabling multi-factor authentication, conditional access policies, and regularly auditing apps and permissions to counter such security threats.
2023-12-13 10:31:45 theregister DATA BREACH Massive Data Exposure Affects Nearly a Million Non-Profit Donors
Nearly one million records containing sensitive donor information were exposed in an online database that was not secured. The database belonged to DonorView, a provider of fundraising platforms used by various non-profit entities such as schools and charities. Personal information exposed included donor names, addresses, phone numbers, emails, payment methods, and more. Children's names, medical conditions, and other sensitive details were found among the exposed data, raising severe privacy concerns. The database was secured within days after a disclosure report by security researcher Jeremiah Fowler, but there was no response from DonorView. It is unknown whether the data was accessed by unauthorized parties or how long it was exposed before being discovered. The incident highlights the risks associated with data breaches, including potential phishing attacks targeting donors using their exposed information.
2023-12-13 10:21:17 thehackernews CYBERCRIME Cyber Attack Disrupts Services of Ukraine's Leading Telecom Kyivstar
Ukraine's largest telecom provider, Kyivstar, has been hit by a significant cyber attack that compromised mobile and internet service access across the country. The attack caused notable disruptions to the air raid alert network and has affected the banking sector, with efforts ongoing to restore full connectivity. Kyivstar has approximately 25 million mobile subscribers and over a million home internet customers, all potentially affected by the service outage. The company has reported the incident to law enforcement and believes the attack is linked to the ongoing war with Russia, although no customer data breach evidence has surfaced yet. Kyivstar also confirmed plans for compensation to its subscribers and corporate clients once the network is stabilized and cautioned customers about potential scams. The pro-Russia group KillNet claimed responsibility for the cyber attack on Kyivstar, amidst changes in its own leadership, with new recruitment and more attacks planned. Concurrently, Ukraine's Defence Intelligence claims to have hacked the Russian Federal Taxation Service, affecting over 2300 servers, which Russian officials vehemently deny, suggesting it is a deflection from Ukraine’s telecom troubles.
2023-12-13 09:04:30 theregister MISCELLANEOUS The Growing Role of MSSPs in Streamlining Cybersecurity Management
Cybersecurity has become increasingly complex, leading to difficulties in management and a potential security problem itself. Organizations now use a staggering number of security tools, averaging 50-60 for medium-sized businesses and over 130 for larger enterprises. The cybersecurity workforce shortfall in the UK has expanded to 367,000, highlighting the challenges in hiring skilled personnel. Managed Security Service Providers (MSSPs) have emerged as a solution to this complexity, offering outsourced security management as an operational cost. SecurityHQ, an established MSSP, offers an integrated security service with a variety of protections and tools, such as real-time incident response and digital forensics. A major benefit of MSSPs is their real-time insight into evolving criminal techniques, like ransomware attacks, which often stem from credential compromise. Advanced analytics and incident management platforms used by MSSPs enable a proactive approach to threat detection and response. Despite advances in AI for security, human SOC analysts continue to play a crucial role in interpreting anomalies and understanding network risks.
2023-12-13 06:11:08 theregister NATION STATE ACTIVITY Addressing the Threat of Cyber Mercenaries and State-Sponsored Hacking
A report from the Observer Research Foundation defines notorious cyber groups like Lazarus and firms like NSO Group as 'cyber mercenaries.' Cyber mercenaries are seen as actors who are financially motivated and offer their hacking services to states, providing them with plausible deniability. The report emphasizes that these groups are not just criminals, but part of a growing sector that states use to enhance their cyber offensive capabilities affordably. It argues that hiring cyber mercenaries is cost-effective for nations, as it eliminates the need for HR and training associated with in-house cyber-ops teams. The report calls for international legislation to ensure that intelligence and digital forensic tools comply with human rights obligations. Peaceful nations sometimes exploit legislative loopholes to shelter cyber mercenary operations that could potentially misuse or leak sensitive information. In the case of the infamous Pegasus malware by NSO Group, its use has been left unregulated by the EU, leading to its deployment against a broad spectrum of targets by member states. The Observer Research Foundation's report concludes with a call for citizen demand for accountability from governments and corporations employing cyber mercenaries and notes the role of civil society in legal challenges for greater transparency.
2023-12-13 05:55:31 thehackernews CYBERCRIME Microsoft Seals 33 Software Vulnerabilities in Year-End Update
Microsoft's final Patch Tuesday of 2023 addressed 33 software vulnerabilities, 4 rated Critical and 29 rated Important. The company has patched over 900 flaws throughout the year, reflecting a busy period for its security efforts. Among the fixes was CVE-2023-36019, whose patch prevents the execution of malicious scripts via crafted URLs in victims' browsers. Additional security measures were implemented for Dynamic Host Configuration Protocol (DHCP) servers to prevent denial-of-service and information disclosure. A report by Akamai highlighted new attacks against Active Directory domains via Microsoft DHCP servers, capable of leading to full domain compromise. Microsoft suggests disabling DHCP DNS Dynamic Updates where unnecessary and avoiding DNSUpdateProxy to mitigate these risks. Other vendors have also issued security updates for various vulnerabilities since the beginning of the month.