Daily Brief


Total articles found: 12677


2024-02-19 09:00:55 theregister MISCELLANEOUS Navigating Cyber-Physical System Security in the XIoT Era
Cyber-physical systems (CPS) link computation with physical processes and underpin smart infrastructure and the Fourth Industrial Revolution. Together with the Extended Internet of Things (XIoT) they bring efficiency and manageability to manufacturing, transportation, utilities, and healthcare, but they also widen the attack surface. Traditional IT security tooling is often unsuited to industrial environments and so fails to protect these interconnected systems, while regulatory requirements for industrial organizations have grown more complex and raise the bar for protecting critical infrastructure. Claroty's Buyers Checklist, the subject of the piece, helps IT managers identify the features and requirements a CPS security solution should meet and check them against organizational needs. The ideal solution it describes combines telemetry collection, AI-assisted analysis, support for the industrial protocols in use, and integration with existing security tools. As XIoT evolves, security determines whether that transformation is safe; the article warns of real-world consequences if it is neglected.
2024-02-19 05:06:24 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Target 80+ Entities Exploiting Webmail Flaws
Russia- and Belarus-aligned threat actors exploited vulnerabilities in the Roundcube webmail client to breach more than 80 organizations, mostly government and military entities in Georgia, Poland, and Ukraine. Recorded Future tracks the activity as TAG-70 and attributes it to Winter Vivern, which has previously combined social engineering with cross-site scripting (XSS) exploitation against email systems; the Roundcube bug abused in this campaign is a stored XSS flaw tracked as CVE-2023-5631. The intrusions delivered JavaScript payloads through Roundcube to steal credentials and read mailboxes, giving the operators visibility into European political and military developments. The main wave ran in early to mid-October 2023; Recorded Future also ties TAG-70 to earlier exploitation of Uzbekistan's government mail servers in March 2023. The group is further suspected of spying on Iranian embassies and the Georgian Embassy, likely to gauge diplomatic positions on Iran's support for Russia in Ukraine and on Georgia's EU and NATO aspirations.
2024-02-19 04:45:43 thehackernews NATION STATE ACTIVITY Iranian Threat Actor Targets Policy Experts with BASICSTAR Backdoor
Iranian threat group Charming Kitten, associated with the Islamic Revolutionary Guard Corps (IRGC), has been targeting Middle East policy experts with a new backdoor called BASICSTAR. The group built a fraudulent webinar platform to establish trust and lure victims, using prolonged social engineering against think tanks, NGOs, and journalists. Microsoft has separately reported related malware attacks on high-profile individuals working on Middle Eastern affairs, with malware capable of exfiltrating sensitive data from the host. The phishing relies on compromised legitimate email accounts plus several actor-controlled accounts for Multi-Persona Impersonation (MPI), in which fake correspondents vouch for one another in the same thread. The delivery chain uses RAR archives containing LNK files; targets are invited to join fake webinars matching their interests, and the chain ultimately drops BASICSTAR alongside loaders such as KORKULOADER. BASICSTAR collects system information, executes remote commands from a C2 server, and can display a decoy PDF, while the group maintains other backdoors for different platforms: POWERLESS for Windows and NokNok for macOS. Recorded Future has separately identified a network of Iranian contracting companies closely linked to the IRGC that export surveillance technology to countries such as Iraq, Syria, and Lebanon while concealing their affiliations behind front "cyber centers."
2024-02-19 01:32:31 theregister CYBERCRIME US Offers $15 Million Reward for ALPHV Ransomware Gang Information
The US government has announced a bounty of up to $15 million for information on the ALPHV/BlackCat ransomware group: the State Department is offering $10 million for the identification or location of the gang's leaders and $5 million for information leading to the arrest or conviction of its affiliates. The group, which has suspected ties to Russia, continues to hit critical infrastructure, including a recent attack on Canada's Trans-Northern Pipelines. The same weekly roundup notes that Siemens has disclosed several critical vulnerabilities in its hardware that need urgent patching; that the EncroChat takedown is still producing convictions, including a 30-year sentence for a former Scandinavian footballer; that the Colorado State Public Defender's office was disrupted by a ransomware attack affecting network access and online court systems; and that an unnamed US state government network was breached using credentials belonging to a former employee, which prompted a renewed warning to enforce multifactor authentication (MFA) and deprovision departed users' accounts.
2024-02-18 16:28:49 theregister NATION STATE ACTIVITY How Election Security Concerns Span AI Disinformation to Anthrax Risks
US authorities have warned of a wide range of threats to 2024 election security, from AI-driven disinformation to physical hazards such as mail laced with fentanyl, anthrax, or ricin. Election officials are urged to use paper ballots wherever feasible and to prepare for disinformation campaigns that may employ deepfakes and other generative AI tools. While domestic sources can also spread disinformation, the US, UK, and Canada are focusing on foreign information manipulation that threatens democratic processes and human rights, and have jointly endorsed a Framework to Counter Foreign State Information Manipulation that aims to detect and counter such activity through shared digital tooling and multinational collaboration. Electronic ballot return is convenient, but agencies warn it carries "significant security risks" because ballots transmitted over the internet are difficult to secure, and again recommend paper. Separate guidance advises election offices on handling suspicious packages and on equipping staff with safety training and overdose medication in case of exposure to toxic substances.
2024-02-18 15:07:24 bleepingcomputer CYBERCRIME Ukrainian National Arrested for Bank Account Hacking Operation
Ukrainian cyber police have arrested a 31-year-old suspected of hacking and selling access to US and Canadian bank accounts. The suspect distributed trojanized software, disguised as free tools, from websites he controlled and drove traffic to them with online ad campaigns; the malicious builds targeted both desktop and Android devices and harvested sensitive data. He allegedly sold the stolen bank and Google account credentials on dark web markets for Bitcoin and communicated with buyers through a Russian phone number. The investigation is continuing in order to identify accomplices who operated the related darknet accounts. According to police, the suspect has been active in cybercrime since 2017, moved to phishing in 2021, and earned at least $92,000 from the scheme. Authorities seized a luxury vehicle and other assets during the arrest; he faces up to eight years in prison and forfeiture. Users are advised to be cautious when searching for software online, to download only from official vendor sites, and to consider an ad-blocker to reduce exposure to malvertising.
2024-02-18 07:15:08 thehackernews CYBERCRIME Guilty Plea from Mastermind Behind Zeus and IcedID Cybercrimes
Vyacheslav Igorevich Penchukov, a Ukrainian national, has pleaded guilty to leading roles in the Zeus and IcedID malware operations. Arrested by Swiss authorities and extradited to the US, he was charged over conduct spanning May 2009 to February 2021. As part of the "Jabber Zeus" gang, Penchukov took part in schemes that used the banking trojan to steal online banking credentials and make unauthorized transfers totaling millions of dollars, with "money mules" moving the proceeds to overseas accounts to obscure the trail. He later contributed to IcedID attacks, in which the malware acted both as an information stealer and as a loader for additional payloads. Despite earlier connections to Ukrainian political figures that helped him evade local law enforcement, international cooperation led to his extradition and plea. Sentencing is set for May 9, 2024; the two conspiracy counts (racketeering conspiracy for Zeus and wire fraud conspiracy for IcedID) each carry up to 20 years, for a maximum of 40 years in prison. The article also notes the extradition of another Ukrainian, Mark Sokolovsky, charged in connection with the Raccoon infostealer, as a further sign of sustained international pressure on cybercrime.
2024-02-17 16:11:25 bleepingcomputer DDOS KeyTrap Vulnerability Creates Long-Lasting DoS Risk for DNS Resolvers
A design flaw in DNSSEC, dubbed KeyTrap and tracked as CVE-2023-50387, lets an attacker push a validating DNS resolver into prolonged denial of service with a single specially crafted response. The problem is in the validation logic the standard prescribes: when several DNSKEY records share a key tag, a resolver must try each matching key against each RRSIG, and must try every signature, before declaring the data bogus. A malicious zone packed with colliding keys and deliberately invalid signatures therefore forces a quadratic number of expensive cryptographic operations, pinning the CPU and delaying responses. Depending on the implementation, vulnerable resolvers could be stalled for anywhere from 56 seconds to 16 hours, taking down everything that depends on name resolution (web browsing, email, instant messaging). The researchers, from Germany's ATHENE center, point out that this validation behaviour has been in the DNSSEC specifications since RFC 2535 in 1999, and argue the discovery calls for rethinking DNSSEC's design. Resolver vendors including BIND 9, Unbound, Knot Resolver, and PowerDNS Recursor have shipped patches, and Google and Cloudflare have fixed their public DNS services. Akamai, which estimates that roughly 30-35% of internet users sit behind DNSSEC-validating resolvers, has deployed mitigations on its own DNS infrastructure that cap the number of failed cryptographic operations per query to prevent resource exhaustion. Even with fixes deployed, the underlying design weakness exposed by KeyTrap suggests DNS security approaches may need re-examination.
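To make the amplification concrete, here is an added illustration (not code from the article or from the KeyTrap researchers) of a toy validator that follows the DNSSEC rule of trying every key whose tag matches every signature. Real DNSSEC verifies RSA or ECDSA signatures over wire-format RRsets; for readability this toy stands in HMAC-SHA256 for signature verification, and the key tag, RRset bytes, key material, and the `max_failures` cap are all constructed assumptions of this example, not values from any resolver.

```python
"""Toy model of KeyTrap amplification in a DNSSEC validator.

Assumptions (not from the original page): HMAC-SHA256 replaces real
asymmetric signature verification, and key material is just bytes.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int      # 16-bit tag from RFC 4034; collisions are legal, which KeyTrap abuses
    secret: bytes     # stand-in for public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int      # tag of the key the signature claims to be made with
    signature: bytes


# Constructed sample RRset; a real validator hashes the canonical wire form.
RRSET = b"www.example. IN A 192.0.2.1"


def sign(key: DNSKEY, data: bytes) -> bytes:
    return hmac.new(key.secret, data, hashlib.sha256).digest()


def verify(key: DNSKEY, sig: RRSIG, data: bytes) -> bool:
    # Each call models one expensive public-key operation.
    return hmac.compare_digest(sign(key, data), sig.signature)


def validate(keys: List[DNSKEY], sigs: List[RRSIG], data: bytes,
             max_failures: Optional[int] = None) -> Tuple[bool, int]:
    """Return (validated, number_of_verification_attempts).

    max_failures=None models a pre-patch validator: every (RRSIG, DNSKEY)
    pair with a matching tag is tried until one verifies. A small cap models
    the vendor mitigation of bounding failed cryptographic work per RRset.
    """
    attempts = 0
    failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue          # tag mismatch: skipped without crypto work
            attempts += 1
            if verify(key, sig, data):
                return True, attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, attempts   # give up early: data treated as bogus
    return False, attempts


def keytrap_zone(n_keys: int, n_sigs: int, tag: int = 0x1234):
    """Attacker-controlled zone: n_keys DNSKEYs sharing one tag and n_sigs
    RRSIGs with the same tag, none of which verify against any key."""
    keys = [DNSKEY(tag, f"key{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(tag, hashlib.sha256(f"bogus{j}".encode()).digest())
            for j in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    honest = DNSKEY(7, b"real-zone-key")
    print("honest zone:", validate([honest], [RRSIG(7, sign(honest, RRSET))], RRSET))
    keys, sigs = keytrap_zone(100, 100)
    print("KeyTrap zone, unpatched:", validate(keys, sigs, RRSET))
    print("KeyTrap zone, capped at 16 failures:", validate(keys, sigs, RRSET, max_failures=16))
```

An honest zone validates on the first attempt, while the malicious zone drives an unpatched validator to `n_keys * n_sigs` verifications (10,000 here) and still ends up bogus. The cap makes the cost linear in a small constant, which is the shape of the mitigations the resolver vendors and Akamai describe; the real patches are more careful about where the limit sits so that legitimate key rollovers with a few colliding tags still validate.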
2024-02-17 13:02:41 bleepingcomputer NATION STATE ACTIVITY FBI Dismantles GRU-Controlled "Moobot" Botnet Targeting Global Entities
The FBI has dismantled a botnet of small office/home office (SOHO) routers infected with Moobot malware and operated by GRU Military Unit 26165, better known as APT28 or Fancy Bear. The botnet supported spearphishing and credential-theft campaigns against US and international targets, including government and military organizations. The GRU did not build Moobot: the malware was originally deployed by non-state criminals who compromised Ubiquiti EdgeOS routers that were still using default administrator credentials, and the GRU then repurposed the infected devices for its own operations. In "Operation Dying Ember," FBI agents used Moobot's own access to copy and delete stolen data and malicious files, remove the malware, and block the GRU's remote access to the routers. The operation also temporarily modified the routers' firewall rules to stop the GRU from regaining access, while leaving normal router functionality and user data intact. Those changes are reversible by owners through a factory reset or via local network access, but the FBI warns that resetting without also changing the default password will simply allow reinfection. The action follows the earlier takedown this year of the KV-botnet used by Chinese state-sponsored hackers.
2024-02-17 11:45:33 theregister CYBERCRIME AI-Based Software Agents Demonstrate Autonomous Website Hacking Skills
Researchers at the University of Illinois Urbana-Champaign (UIUC) have shown that large language models (LLMs) such as GPT-4 can autonomously compromise web applications. The models were given API access, automated web browsing, and feedback-based planning, and used them to carry out multi-step tasks such as SQL union attacks. The experiments ran in a sandbox against purpose-built test websites so no real systems were harmed, using the OpenAI Assistants API, LangChain, and the Playwright browser-automation framework. GPT-4 succeeded in 73.3 percent of attempts, far ahead of other models including its predecessor GPT-3.5; the authors attribute this to GPT-4's better adaptation to feedback and its handling of the long context required for these tasks. Their cost analysis suggests LLM agents could be markedly cheaper than human testers, at about $9.81 per website for GPT-4 versus an estimated $80 for a human. The results raise concerns about malicious use of LLMs and underline the need to weigh model capabilities carefully and build robust safeguards.
2024-02-17 08:21:12 thehackernews CYBERCRIME Essential Strategies to Shield Business Communications from Hackers
Attacks on business communication channels have surged, making them a critical area of exposure for companies. Citing IBM's 2022 Cost of a Data Breach figures, the piece notes that organizations take 277 days on average to identify a breach and that each one costs around $4.35 million, which is the case for robust safeguards. Choosing secure communication channels, auditing passwords, and enforcing strict access permissions are the first steps. Investment in security tooling, including antivirus, VPNs, and monitoring services, helps detect and contain breaches quickly, and teams need ongoing training to recognize and respond to increasingly sophisticated phishing. Clear standard operating procedures (SOPs) for security tasks and routine checks support prompt detection and response, and a regular update cadence keeps systems current with evolving threats. These measures take effort and budget, but they are what prevents large financial losses and the erosion of customer trust that follows a breach.
2024-02-17 07:30:17 thehackernews MISCELLANEOUS Google Releases AI-Based File Identification Tool to Open Source
Google has open-sourced Magika, an AI-powered tool for identifying binary and textual file types with higher accuracy and precision than rule-based approaches. Magika's deep-learning model classifies a file in milliseconds and runs on the Open Neural Network Exchange (ONNX) runtime. Internally, Google uses Magika to route files in Gmail, Drive, and Safe Browsing to the appropriate security and content-policy scanners. The release follows Google's earlier open-sourcing of RETVec and fits its broader argument that AI can tilt the balance of cybersecurity toward defenders. Google argues for a regulatory balance that encourages AI's defensive potential while acknowledging the risk of misuse by nation-state actors from countries such as Russia and China, and stresses AI's role in scaling threat detection, incident response, and other security operations to resolve the "Defender's Dilemma," in which attackers need only one success while defenders must be right every time. Broader ethical debates continue over training generative models on web-scraped data, potential privacy violations, and recent research showing that models can be trained with hidden "backdoor" behaviors that survive safety training.
2024-02-17 02:13:57 theregister CYBERCRIME Google Open Sources Magika AI to Bolster Cybersecurity Efforts
Google has open-sourced Magika, an AI-based file type identification tool, to support cybersecurity work. Magika is already used by Gmail, Google Drive, Chrome's Safe Browsing, and VirusTotal to decide how to process incoming data. Its purpose is to identify the true contents of a file rather than trusting its extension or declared type, addressing the common problem of documents that masquerade as a different file type. Google is promoting AI in cybersecurity as a way to shift the advantage from attackers to defenders. According to Google, Magika is about 50% more accurate than its previous rule-based system, reaching a claimed 99% accuracy rate while failing to classify about 3% of files. Under its AI Cyber Defense Initiative, Google is partnering with startups and expanding security education through seminars and university grants. The tool is expected to be useful in malware analysis, intrusion detection, and other areas where knowing what a file really is comes first.
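Both Magika items above turn on the same point: a file's extension or declared type is untrusted input, and the bytes decide. As an added example (not Magika's code and not from either article), here is a minimal content sniffer of the rule-based kind Magika improves on; it flags files whose leading bytes disagree with what the name claims. The magic numbers are the standard signatures of each format; the filenames, sample bytes, and the extension table are constructed for the example.

```python
"""Minimal signature-based file type check (added example, not Magika).

Labels and the extension table are assumptions of this example.
"""
from typing import Dict, List, Tuple

# Well-known leading bytes for a handful of formats.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),            # DOS/PE executables (EXE, DLL, SYS)
    (b"PK\x03\x04", "zip"),   # also DOCX/XLSX, JAR, APK: all ZIP containers
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# What a file *claims* to be, by extension (constructed mapping).
EXT_TO_TYPE: Dict[str, str] = {
    "png": "png", "pdf": "pdf", "exe": "pe", "dll": "pe",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "txt": "text", "js": "text",
}


def sniff(data: bytes) -> str:
    """Classify by content only: magic bytes first, then a crude text test."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    # Headerless text formats (JS, VBA, XML) have no magic; this is where
    # rule-based sniffing is weakest and a learned classifier helps.
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def check(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the claimed type (from the extension) with the sniffed type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}


if __name__ == "__main__":
    # Constructed samples: a PE dropped with a .pdf name, a genuine PNG,
    # and a script that is text but has no magic bytes at all.
    samples = [
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"),
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("setup.js", b"var s = new ActiveXObject('WScript.Shell');\n"),
    ]
    for name, blob in samples:
        print(check(name, blob))
```

The first sample is the case the articles describe: an executable renamed to look like a document is caught because the bytes say `pe` while the name says `pdf`. The last sample shows the limit of this approach: `setup.js` is correctly `text` but indistinguishable from a README with magic bytes alone, which is the gap Google says Magika's classifier closes.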
2024-02-16 23:51:15 bleepingcomputer CYBERCRIME ALPHV Ransomware Hits Prudential and loanDepot, Data at Risk
The ALPHV/BlackCat ransomware group has claimed responsibility for breaches at Prudential Financial and loanDepot and, after failed negotiations, is threatening to sell loanDepot's data and publish Prudential's. loanDepot's breach affected 16.6 million individuals, to whom the company has offered credit monitoring and identity protection. Prudential's intrusion, which occurred on February 4, involved employee and contractor data; the company has not confirmed that customer data was compromised. Prudential is one of the largest US life insurers, with about 40,000 employees worldwide and revenue above $50 billion. The US State Department is meanwhile offering rewards totaling $15 million for information on ALPHV's leaders and affiliates. The FBI attributes more than 60 breaches worldwide and about $300 million in ransom payments to the gang within a year and continues to pursue it. Despite the FBI's seizure of its previous leak site in December 2023, ALPHV is operating a new Tor leak site where stolen data is posted.
2024-02-16 21:43:41 bleepingcomputer CYBERCRIME Wyze Probes Security Flaw Amid Service Disruption and Outage
Wyze Labs is investigating a security issue at the same time as it deals with an outage affecting its cameras and user logins. The disruption, which began that morning, has been attributed to a connectivity problem with the company's AWS (Amazon Web Services) infrastructure; Wyze is working with AWS on the connection issues and has told customers to restart any devices that are still misbehaving after service is restored. Separately, the "Events" feature in the Wyze app has been disabled while the company looks into what it suspects is a security vulnerability. Wyze co-founder and CMO Dave Crosby posted on the official forum apologizing, promising a full recovery, and committing to share the findings of the investigation. Isolated customer reports that the app showed video feeds from other users' cameras have raised privacy and security concerns. A Wyze spokesperson was not available to answer press inquiries at the time of the report.