Daily Brief


Total articles found: 12676


2024-02-14 17:02:54 | bleepingcomputer | CYBERCRIME | VARTA AG Halts Production Due to Targeted Cyberattack
German battery manufacturer VARTA AG was the victim of a cyberattack leading to a shutdown of IT systems and halting production across five plants. The incident occurred on the night of February 12th, 2024, with the company taking proactive measures to shut down and disconnect IT systems for security. VARTA's history spans over a century, and the company's products are known globally, contributing to over $875 million in annual revenue. The full extent and damage of the cyberattack are currently being assessed; VARTA's primary focus is on maintaining data integrity. An emergency plan was activated, including the formation of a task force with cybersecurity experts for system restoration. The nature of the cyberattack remains unclear, with no confirmation of it being a ransomware attack or any group claiming responsibility. The company's share price experienced a 4.75% drop after news of the cyberattack became public. VARTA has yet to release further details on the cyberattack, including whether data encryption was involved.
2024-02-14 16:16:28 | bleepingcomputer | CYBERCRIME | Hackers Steal Over $290 Million in Cryptocurrency from PlayDapp
Hackers exploited PlayDapp, a blockchain-based gaming platform, by minting 1.79 billion PLA tokens using a stolen private key. The intruders initially minted 200 million PLA tokens valued at $36.5 million and later added 1.59 billion tokens worth approximately $253.9 million. Security firm PeckShield suggested the compromise involved a leaked private key, prompting PlayDapp to move all tokens to a new secure wallet. PlayDapp offered a $1 million "white hat" reward for the return of stolen assets, threatening legal action; the hackers declined and continued their attack. Due to the excess minting, the total number of PLA tokens created exceeded the number in circulation, devaluing the currency from $0.18 to $0.14 per token. PlayDapp paused all PLA trading, suspended deposits and withdrawals, and is working to freeze the hacker's wallets on exchanges to contain the situation. Token holders have been advised to halt transactions and be cautious of phishing attempts during the migration to a secure system. Although no specific threat actors are identified, the nature of the attack is reminiscent of those conducted by the North Korean "Lazarus Group."
2024-02-14 16:00:41 | bleepingcomputer | MALWARE | Critical Flaw in Ubuntu Tool Risks Malware Spread via Package Suggestions
Ubuntu's 'command-not-found' utility has a logic flaw that can promote malicious snap packages, posing a serious security threat. Attackers could impersonate legitimate packages due to a lack of validation when the utility suggests snap packages for missing commands. Approximately 26% of APT commands could be mimicked by malicious snaps, significantly raising supply chain risks for Linux and WSL users. The issue isn't exclusive to Ubuntu and affects any Linux distribution using 'command-not-found' and the Snap package system. Malicious snaps can exploit system features or deliver new exploits via auto-update, even potentially escaping sandboxing when kernel flaws are present. Attackers can use typo-squatting, unclaimed snap names, or unreserved aliases for existing APT packages to trick users into installing malware. The exact scale of exploitation is unknown; however, some incidents have already been reported, indicating the risk is not merely theoretical. Users and developers must be vigilant, ensuring package authenticity and securing associated package names to mitigate these risks.
2024-02-14 15:50:12 | theregister | CYBERCRIME | Third-Party Breach Triggers Ransomware Crisis in Romanian Hospitals
Over 100 Romanian hospitals have been affected by a ransomware outbreak, linked to a breach at a third-party service provider. The ransomware attacks are believed to have originated through the Hipocrate Information System (HIS), used by the compromised hospitals for healthcare management. Romania's national cybersecurity agency (DNSC) reports that 26 hospitals had data encrypted, while 79 were disconnected from the internet as a precaution. Hospitals are advised to isolate affected systems, retain attack evidence, not shut down systems hastily, and restore from backups after thorough cleanup. Most hospitals have recent backups to facilitate recovery, but one hospital's data backup was 12 days old, posing a more significant restoration challenge. The ransom note did not specify a known ransomware group but requested a relatively low ransom of 3.5 Bitcoin (approximately $180,000). Authorities recommend not contacting the attackers or paying the ransom, noting the malware identified as 'Backmydata,' a variant of the Phobos ransomware.
2024-02-14 15:29:13 | bleepingcomputer | CYBERCRIME | Trans-Northern Pipelines Hit by ALPHV Ransomware, Data Theft Alleged
Trans-Northern Pipelines Inc. (TNPI) has acknowledged a cybersecurity breach by ALPHV/BlackCat ransomware gang. The incident, which occurred in November 2023, supposedly led to the theft of 183GB of company data. TNPI, responsible for transporting vast quantities of refined petroleum across Canada, has ensured the continued safe operation of its systems post-attack. The ransomware group has publicly shared the stolen documents on its data leak site, including TNPI employee contact information. ALPHV, associated with prior DarkSide and BlackMatter operations, has a history of high-scale, profitable attacks, amassing over $300 million in ransoms from more than 1,000 victims. In December, the FBI intervened, disrupting ALPHV operations temporarily, but the group has since regained control over its data leak platform.
2024-02-14 14:43:09 | thehackernews | NATION STATE ACTIVITY | Nation-State Hackers Leverage AI in Advanced Cyber Operations
Microsoft and OpenAI report that nation-state actors from Russia, North Korea, Iran, and China are incorporating AI into their cyber warfare tactics. The collaborative efforts between the tech giants have led to the disruption of five state-affiliated cyber groups by terminating their AI service usage. Misuse of large language models (LLMs) by attackers focuses on social engineering and deceptive communications that exploit professional relationships. Although no breakthrough AI-driven cyberattacks have been observed, these actors are testing AI across multiple phases of cyber operations, including reconnaissance and malware development. Notably, Russia's Forest Blizzard group used OpenAI's resources for research on satellite communications and scripting assistance, showcasing the diverse applications of AI in cyber espionage. Microsoft is proactively developing principles to counteract the harmful use of AI tools by advanced persistent threats and cybercriminal organizations, emphasizing identification, notification, collaboration, and transparency.
2024-02-14 13:31:43 | thehackernews | CYBERCRIME | Ubuntu Utility Exploited to Push Malicious Package Installations
Cybersecurity researchers identified a vulnerability in Ubuntu's command-not-found tool that could lead to the installation of rogue packages. The utility, meant to suggest packages for non-existent commands, could be manipulated to recommend malicious snaps from the snap repository. Attackers could register snap names corresponding to APT packages and trick users into installing counterfeit snaps instead of legitimate software. Up to 26% of APT package commands are susceptible to this potential exploitation, which includes typosquatting to dupe users into downloading malicious versions of intended packages. The example given includes the 'jupyter-notebook' APT package, which had its snap name unclaimed, leaving a gap for attackers to publish a malicious snap under the same name. Researchers are urging users to scrutinize the source of package installations and for developers to secure associated snap names for their packages. While the extent of the exploitation is unknown, the findings highlight the need for increased security awareness and preventative measures within the software supply chain.
2024-02-14 13:00:46 | bleepingcomputer | MISCELLANEOUS | DuckDuckGo Launches Encrypted Sync for Secure Cross-Device Browsing
DuckDuckGo has introduced an end-to-end encrypted Sync & Backup feature for securely syncing bookmarks, passwords, and settings across devices. The feature ensures privacy as users don't need an account to use it, and DuckDuckGo cannot access any synced data due to encryption. The new Sync & Backup is compatible with DuckDuckGo browser versions on Windows, macOS, iOS, and Android. DuckDuckGo's browser prioritizes user privacy with features like HTTPS upgrading, tracker blocking, and a 'Fire' button to delete browsing history. To use the new sync feature, users navigate to the Sync & Backup settings in the browser to connect devices through a QR code or alphanumeric code. A PDF with recovery codes is generated for users, providing access to their synced data if their devices are lost or stolen. DuckDuckGo is adding a password requirement for accessing Sync & Backup settings for additional security. The browser is currently in beta, with potential for occasional instability or performance hiccups.
2024-02-14 12:40:05 | theregister | DATA BREACH | Southern Water Cyberattack Compromises Customer and Employee Data
UK utility provider Southern Water experienced a cyberattack in January, with data from 5-10% of its customers stolen. The intrusion was initially claimed by the Black Basta ransomware group but ransomware involvement hasn't been confirmed by Southern Water. Compromised data includes names, birth dates, national insurance numbers, banking details, and HR files, inadvertently verified by an initial data dump. Affected individuals are offered a year of free credit monitoring as Southern Water works with government and the National Cyber Security Centre. Operations have not been affected, and enhanced monitoring is in place to detect any further suspicious activity. Southern Water declined to comment on the removal of their data from Black Basta's leak site, which often indicates a paid ransom. Cyber attacks on critical infrastructure, including water and wastewater sectors, have been rising, with advisories from national cybersecurity agencies.
2024-02-14 11:28:38 | thehackernews | MALWARE | Bumblebee Malware Targets US Firms With Evolved Phishing Attacks
Bumblebee malware has reappeared in a new phishing campaign after a four-month hiatus, targeting U.S. businesses using voicemail-themed lures. Attackers are distributing a malicious Word document via OneDrive links, which uses VBA macros to execute a PowerShell script that downloads the Bumblebee loader. The malware, suspected to be linked to the Conti and TrickBot cybercrime syndicate, is known for downloading and executing ransomware and other payloads. Threat actors have adapted their methods due to Microsoft's default blocking of macros in Office files downloaded from the internet since July 2022. Concurrently, QakBot, ZLoader, and PikaBot malware variants have resurfaced with enhanced encryption and tactics, like evading detection in virtual machine environments. A separate phishing campaign has been discovered where attackers mimic financial institutions to trick victims into installing remote desktop software, enabling unauthorized machine control. The industry is observing a trend where cybercriminals adjust their strategies to navigate new security protocols and continue their attacks with sophisticated methods.
2024-02-14 11:28:38 | thehackernews | MISCELLANEOUS | Strategic Cybersecurity Approaches for Financial Institutions in 2024
Cybersecurity challenges for financial institutions have escalated with more advanced cyber-attacks, including state-sponsored and AI-powered threats. Community banks are particularly vulnerable as they face the same sophisticated threats as larger institutions but have fewer resources. The trend of targeting financial service providers reflects the need for strong vendor management and governance within these banks. Financial institutions must adopt advanced cloud security strategies, such as comprehensive data encryption and robust identity management systems. A multi-layered defense strategy against ransomware is essential, involving advanced threat intelligence, regular security audits, and proactive threat hunting teams. Effective vendor risk management is crucial, necessitating continuous monitoring and regular security audits of third-party services. Navigating the complex regulatory compliance landscape requires dedicated teams and regular training to align cybersecurity practices with regulations. The cybersecurity talent gap can be bridged through internal training programs, collaboration with educational institutions, and outsourcing specific security operations. An effective cybersecurity framework includes strategic alignment with business goals, risk-centric action and deployment, and continuous recalibration and optimization to adapt to the changing threat landscape.
2024-02-14 11:02:56 | theregister | MALWARE | Resurgent Bumblebee Malware Uses Outmoded Macros to Target US Firms
The Bumblebee malware loader, thought to have disappeared, has reemerged using an outdated method of attack: VBA macros in Word documents. Previously associated with high-profile ransomware groups and the Russian-tied Conti, the malware's new tactics hint at less sophisticated operators. Targeting US organizations, the campaign uses "Voicemail February" themed emails from a seemingly legitimate business to lure victims into downloading a malicious OneDrive-hosted document. Microsoft had disabled VBA macros by default to prevent such attacks, making this tactic largely obsolete, and security trends had shifted towards different, more sophisticated methods of attack. Indicators of compromise are evident, and while this attack is considered easy to identify and should not pose a significant threat, it signals an uptick in threat actor activity in 2024. Proofpoint advises organizations to train employees to recognize suspicious activity and maintain security best practices, including keeping macros disabled by default.
2024-02-14 07:39:27 | thehackernews | MALWARE | Sophisticated DarkMe Malware Exploits Microsoft Defender Zero-Day Flaw
Advanced threat actor Water Hydra used a zero-day vulnerability in Microsoft Defender SmartScreen to infect financial traders with DarkMe malware. CVE-2024-21412, a bypass flaw affecting Internet Shortcut Files, was exploited, prompting a Microsoft patch in February. Targets were lured to a malicious URL posted on forex forums disguised as a stock chart image shortcut file. The exploitation chain included several steps, using nested internet shortcut files and abusing the 'search:' protocol to evade SmartScreen protections. The DarkMe malware maintains stealth, downloads further instructions, and communicates with a command-and-control server while gathering system information. This incident highlights a growing trend of cybercrime groups leveraging zero-days, previously a hallmark of nation-state actors, in their attack methodologies. Trend Micro has been tracking the campaign since its inception and detailed the complex infection process to raise awareness and aid in defense.
2024-02-14 05:06:35 | thehackernews | CYBERCRIME | Microsoft Addresses Active Zero-Day Exploits with Latest Patches
Microsoft released patches for 73 security flaws, including 2 actively exploited zero-days. The updates address 5 Critical, 65 Important, and 3 Moderate severity vulnerabilities, plus 24 issues in the Chromium-based Edge browser. CVE-2024-21351 and CVE-2024-21412 zero-days enable attackers to bypass SmartScreen protections through malicious files. Water Hydra, an APT group targeting financial markets, employed CVE-2024-21412 in a sophisticated zero-day attack chain. Microsoft also patched five critical vulnerabilities, including an elevation of privilege flaw in Microsoft Exchange Server (CVE-2024-21410). CVE-2023-50387, a DNSSEC specification design flaw known as KeyTrap, can lead to DNS resolver DoS attacks, with fixes now available. CISA urges federal agencies to apply recent updates to combat these vulnerabilities by a specified deadline.
2024-02-14 04:51:07 | theregister | DATA BREACH | Australian Tax Scam Involves Over 150 ATO Staff Members
The Australian Taxation Office (ATO) investigated 150 staff for participating in a tax refund scam, involving identity fraud reaching $1.3 billion. Scammers defrauded the ATO by creating fake businesses, obtaining ABNs, and making fraudulent claims for Goods and Services Tax (GST) refunds. Operation Protego was launched in April 2022, dedicating 470 people to address fraudulent claims after a significant increase in GST fraud tip-offs. The scam affected over 57,000 people who lodged false claims between April 2022 and June 2023, facilitated by easily accessible online registration and refund tools. ATO's internal audit rated GST fraud detection operations as "partly effective" and identified the need for a centralized control register to improve detection methods. Despite the scam, the ATO's measures prevented an additional A$2.7 billion in suspect refunds and recovered A$123 million, implying some success in fraud control efforts. The majority of the ATO officials investigated were not current employees, with some being victims of identity theft themselves, but 12 active staff members were found guilty of fraud.