Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-02-16 18:35:36 | bleepingcomputer | CYBERCRIME | SolarWinds Patches Multiple High-Risk RCE Vulnerabilities | SolarWinds addressed five remote code execution vulnerabilities in its Access Rights Manager solution, three of them rated critical. The critical flaws allow unauthenticated attackers to execute code on systems that have not been updated. The access rights tool manages and audits permissions within IT environments, with the aim of reducing insider threats. Four of the bugs were reported by anonymous researchers via the Zero Day Initiative; the fifth by ZDI researcher Piotr Bazydło. Fixes shipped in Access Rights Manager version 2023.2.3, which includes both bug and security fixes. This follows SolarWinds' history with the March 2020 supply-chain attack by APT29, which affected numerous U.S. government agencies and large corporations. The U.S. government attributed the 2020 SolarWinds cyberattack to Russia's SVR, and the SEC subsequently brought legal action over investor disclosure failures. |
| 2024-02-16 16:43:26 | theregister | CYBERCRIME | Ukrainian Cybercrime Kingpin Behind Zeus and IcedID Pleads Guilty | Vyacheslav Igorevich Penchukov, associated with the Zeus and IcedID malware, pleaded guilty and faces up to 40 years in prison. Once featured on the FBI's Cyber Most Wanted List, Penchukov was arrested in 2022 in Geneva, Switzerland. He played a significant role in defrauding victims of millions, using 'money mules' to transfer wired funds overseas. The Zeus malware operation, in which Penchukov was involved from 2009, was dismantled by the FBI in 2014. Zeus and its variants, including Gameover Zeus and SpyEye RAT, caused losses estimated at over $100 million. After the Zeus takedown Penchukov returned to cybercrime with IcedID, which transitioned to facilitating ransomware and was linked to a major attack on UVM Medical Center. The Department of Justice emphasized the threat such malware poses to national security and the economy, reaffirming its stance on prosecuting cybercriminals. |
| 2024-02-16 16:12:30 | bleepingcomputer | CYBERCRIME | Alpha Ransomware Emergence Linked to Defunct NetWalker Operations | Alpha ransomware, reminiscent of NetWalker, exhibits similar patterns and tools that indicate a possible connection. NetWalker, a former ransomware-as-a-service operation, was taken down by law enforcement in January 2021. The newly emerged Alpha ransomware kept a low profile until it launched a data leak site showcasing its victims. Netenrich's analysis reveals Alpha's growing sophistication and increased ransom demands ranging from 0.272 BTC to $100,000. Symantec's report identifies overlaps in the modus operandi of Alpha and NetWalker attacks, suggesting a potential revival or reuse of NetWalker code. The living-off-the-land tools Alpha uses for evasion mirror techniques used by several ransomware groups. Although Alpha is not currently a significant player, the cybersecurity community is advised to monitor the group's activities. |
| 2024-02-16 15:46:49 | thehackernews | CYBERCRIME | Akira Ransomware Targets Cisco Systems, Exploits Patched Vulnerability | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Akira ransomware exploiting a known vulnerability in Cisco ASA and FTD software. The exploited flaw, CVE-2020-3259, is a high-severity information disclosure issue that Cisco patched in May 2020. Cybersecurity firm Truesec found evidence of the Akira ransomware group compromising Cisco AnyConnect SSL VPN appliances over the past year. Akira ransomware, first seen in March 2023, has nearly 200 victims and is potentially connected to the Conti ransomware group. Federal Civilian Executive Branch agencies must address this vulnerability by March 7, 2024. Other ransomware gangs, like BlackCat, have also been active, with the U.S. offering substantial rewards for information leading to the identification or capture of key members. The U.S. Government Accountability Office urges enhanced oversight to combat ransomware, particularly within vital sectors. |
| 2024-02-16 14:35:27 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hacker Group Adopts New Crypto Laundering Tactics | The North Korean hacker collective Lazarus is using the YoMix bitcoin mixer to launder stolen cryptocurrency. According to Chainalysis, sanctions on previous laundering services have pushed Lazarus to adapt its methods. Despite crackdowns, Lazarus continues to fund North Korea's weapons program through crypto heists, including high-profile hacks such as the Ronin Network and Harmony Horizon breaches. North Korean hacking entities have amassed roughly $3 billion from crypto thefts since 2017, evading sanctions and employing coin mixers. The U.S. Treasury has sanctioned several mixers used by Lazarus, including Blender, Tornado Cash, and Sinbad, pushing the group to alternatives like YoMix. Chainalysis observed a significant surge in YoMix funds attributable to money laundering, with about one-third of inflows linked to crypto hacks. In 2023, laundering was highly concentrated in a few off-ramping services, while deposit addresses were diversified to avoid asset freezing and detection. |
| 2024-02-16 13:29:16 | thehackernews | MALWARE | RustDoor Backdoor Targets Crypto Firms with Fake Job Offers | A new macOS backdoor named RustDoor is actively targeting cryptocurrency firms with fake job offer schemes. RustDoor is disguised as a Visual Studio update and is written in the Rust programming language. Initial infections occur through seemingly harmless PDF files that claim to offer employment but download and execute the RustDoor malware. Recent discoveries show that ZIP archives containing malicious shell scripts precede the RustDoor binaries and are also part of the attack chain. Four new Golang-based binaries associated with the malware gather extensive information about the infected macOS device and its network. Analysis of RustDoor's command-and-control infrastructure exposed an endpoint leaking information about infected hosts, including registration timestamps and last-activity data. South Korea's National Intelligence Service has identified a North Korean IT group selling malware-infected gambling websites for profit, but no direct link to the RustDoor campaign has been established. |
| 2024-02-16 12:02:23 | theregister | MISCELLANEOUS | Addressing Dark Web Dangers in Youth Education and Cybercrime | A debate has emerged in the UK about children's access to the dark web, particularly following the murder of 16-year-old Brianna Ghey, in which one of the perpetrators had been exposed to dark web content. Ciaran Martin, former CEO of the National Cyber Security Centre, argues that technological solutions alone are not sufficient and emphasizes the need for educational approaches to the dark web in schools. The UK's strict laws against hosting and distributing harmful content, such as child exploitation material, are highlighted as an existing measure against dark web misuse. The Tor browser, needed to access the dark web, is used both for legitimate privacy reasons and for malevolent activities, which complicates enforcement of restrictions. The UK's Online Safety Act is controversial because of its potential impact on end-to-end encryption and privacy. The National Crime Agency points to a significant proportion of UK children engaging in behaviors that violate the Computer Misuse Act and calls for proactive education and awareness for parents, teachers, and children to deter cybercrime. The NCA highlights young people's lack of awareness about the legality of certain actions, underlining the need to channel their technical interest into positive and legal avenues. |
| 2024-02-16 11:00:53 | thehackernews | CYBERCRIME | Cybercriminals Exploit AWS for Smishing Campaigns Targeting PII | Threat actors are using a Python script named 'SNS Sender' to conduct bulk smishing (SMS phishing) campaigns via Amazon's Simple Notification Service. SentinelOne attributes these smishing attacks to a threat actor using the moniker 'ARDUINO_DAS', who sends misleading prompts about missed package deliveries purportedly from USPS. The SNS Sender tool is notable as the first observed method of using AWS SNS to orchestrate SMS spamming attacks in the wild. A trove of over 150 phishing kits linked to ARDUINO_DAS has been found for sale, primarily impersonating USPS to harvest personal and financial information. The operation has potentially been active since July 2022, with traces found in bank logs shared on underground forums. According to a security researcher, indicators within the phishing kits suggest a possible hidden backdoor that sends collected data to another location. The incident is part of a broader trend of attackers exploiting cloud services for smishing campaigns and is consistent with previous incidents involving AWS access keys. The misuse of legitimate platforms like Discord, along with innovations in deploying malware through advertising networks and spoofed documents, underscores the evolving strategies of cybercriminals. |
| 2024-02-16 11:00:53 | thehackernews | MISCELLANEOUS | Democratizing Cybersecurity for Small and Medium Businesses | Small to medium businesses (SMBs) struggle to find affordable and user-friendly cybersecurity tools despite increasing threat awareness. NTTSH, with over 20 years in threat intelligence, aims to democratize cybersecurity to protect SMBs. NTTSH's Global Threat Intelligence Center (GTIC) combines threat research with technology to provide actionable threat intelligence. GTIC leverages NTT's top-tier Internet backbone for unparalleled visibility into cyber threats and collaborates with major cybersecurity organizations. The annual Global Threat Intelligence Report offers insights for organizations adapting to the threat landscape, highlighting sector-specific vulnerabilities. SMBs adopting SaaS must navigate shared responsibility for data and identity management and are prone to credential stuffing and phishing attempts. The shift to hybrid IT has increased the attack surface for SMBs. The proprietary Samurai XDR product integrates multiple sources of telemetry into an accessible platform. Samurai XDR simplifies cybersecurity for SMBs with an easy-to-use interface, affordable pricing, and a free 30-day trial to encourage adoption of advanced SecOps capabilities. |
| 2024-02-16 07:47:33 | thehackernews | DATA BREACH | Unsecured Ex-Employee Account Leads to State Network Breach | An unnamed U.S. state government entity suffered a network breach via the admin account of a former employee. The compromised credentials, found in a public leak database, allowed threat actors to access a virtual private network and blend in with legitimate traffic. The attackers obtained additional credentials from a virtualized SharePoint server, further compromising the on-premises network and the Azure Active Directory environment. While no lateral movement into the Azure cloud was detected, host and user data were accessed and posted on the dark web. Immediate post-breach measures included password resets, disabling of the compromised accounts, and reinforcement of privileged account security. The absence of multi-factor authentication (MFA) on the compromised accounts was a significant security oversight. The incident demonstrates the dangers of inadequately managed Active Directory accounts, including those of former employees. Recommendations include implementing the principle of least privilege, using separate admin accounts for on-premises and cloud environments, and changing default Azure AD application registration settings to prevent unauthorized privilege escalation. |
| 2024-02-16 06:51:24 | thehackernews | NATION STATE ACTIVITY | U.S. Thwarts APT28's Botnet Used for Russian Cyber Espionage | The U.S. disrupted a botnet operated by the Russia-linked APT28, a group known for cyber espionage. The botnet targeted routers in small office/home office (SOHO) environments and was used for credential harvesting and spear-phishing campaigns. APT28, associated with Russia's GRU Unit 26165, used MooBot malware to co-opt Ubiquiti routers and obscure its operations. The FBI found that the botnet relied on default credentials to plant SSH malware on routers, providing persistent remote access. The botnet was turned into a cyber espionage platform in which the routers relayed malicious traffic and masked the threat actors' locations. Spear-phishing efforts included exploiting an Outlook zero-day and creating fake web pages to capture credentials. The U.S. government launched Operation Dying Ember to issue commands to infected devices, copy and delete stolen data, and block APT28's access. The operation is part of ongoing efforts to combat state-sponsored cyber threats, following recent disruptions of Chinese and other Russian hacker campaigns. |
| 2024-02-16 01:25:33 | theregister | DATA BREACH | Quest Diagnostics Settles for $5M Over Patient Data Mishandling | Quest Diagnostics has agreed to a $5 million settlement for improperly disposing of confidential patient health information and hazardous waste in California. The settlement is a minor financial setback for the corporation, which posted $994 million in annual profit. The settlement will be divided among ten California counties, with additional funds allocated to environmental projects and legal fees. Quest Diagnostics will also appoint an independent environmental auditor to oversee improvements in waste-disposal practices at over 600 California facilities. The settlement followed thorough inspections by district attorneys, which found numerous violations including the improper disposal of personal health information. Quest's actions not only violated hazardous waste law and the California Medical Waste Management Act but also put the security of personal health information at risk. The settlement aims to enhance the protection of patient data and ensure the proper management of hazardous and medical waste in the future. |
| 2024-02-15 23:08:02 | bleepingcomputer | CYBERCRIME | Head of Zeus and IcedID Malware Groups Pleads Guilty in U.S. | Ukrainian national Vyacheslav Igorevich Penchukov, also known as 'tank' and 'father', has pleaded guilty in the United States to charges related to his leadership of the Zeus and IcedID malware groups. Penchukov was arrested in Switzerland in October 2022 and extradited to the U.S. in 2023; he had faced initial charges since 2012 for his involvement in the Zeus malware operation. Under Penchukov's leadership, the Zeus and IcedID cybercrime groups stole millions of dollars using information taken from infected devices. Penchukov was also linked to the Maze and Egregor ransomware operations, known for double-extortion attacks. Despite his association with high-profile ransomware activity, he evaded arrest by Ukrainian police in 2021, allegedly through political connections. Penchukov pleaded guilty to one count of racketeering and one count of wire fraud conspiracy; he faces up to 40 years in prison, with sentencing scheduled for May 9. |
| 2024-02-15 21:15:35 | theregister | NATION STATE ACTIVITY | US Government Disrupts Russian GRU-Controlled Botnet | The US government disrupted a botnet run by a Russian GRU military intelligence unit, which targeted various strategic entities. Over a thousand home and small business routers infected with Moobot malware, a Mirai variant, were neutralized. Non-GRU cybercriminals originally installed Moobot using default passwords; GRU agents then repurposed the network for cyber espionage. The botnet was used for phishing, spying, credential harvesting, and data theft against governments and military, security, and corporate organizations. The operation involved deleting malicious files and stolen data from the routers and modifying firewall rules to block remote access. The action also allows temporary collection of routing information to expose GRU attempts to interfere with the operation. The Justice Department emphasized the importance of changing default administrator passwords to prevent reinfection. The disruption follows a previous takedown of China's Volt Typhoon botnet and serves as a defensive measure ahead of elections vulnerable to interference by groups like Fancy Bear. |
| 2024-02-15 20:14:15 | theregister | NATION STATE ACTIVITY | Pentagon Deploys Satellites Amid Russian Space Weapon Concerns | The Pentagon launched six missile-detection satellites as concerns grow over Russia's potential placement of nuclear weapons in space. The deployed satellites include two for the Missile Defense Agency's Hypersonic and Ballistic Tracking Space Sensor (HBTSS) program and four for the Space Development Agency's Proliferated Warfighter Space Architecture (PWSA) communication constellation. The launch, carried out on a SpaceX Falcon 9 rocket, was confirmed successful by L3Harris, the defense contractor that designed five of the six satellites. The new satellites are intended to enhance the U.S. military's missile tracking, data transport, targeting, navigation, and encrypted communication capabilities. The MDA said these two HBTSS satellites are the only ones planned for now and serve as prototypes for future advanced missile threat detection. Concern stems from a cryptic statement by House Intelligence Committee chairman Mike Turner about a "serious national security threat," which may refer to Russian plans for space-based nuclear weapons, though no official evidence has been confirmed. The Kremlin has denied the accusations, framing them as U.S. manipulation to secure funding for Ukraine amid the ongoing conflict. Despite Senate approval of a $95 billion defense assistance bill, there is no immediate plan for a House vote. |