Daily Brief
Find articles below; each row carries a generated summary
Total articles found: 11749
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-20 14:54:58 | thehackernews | MALWARE | Phishing Campaigns Resurrect QakBot Methods with New Malware | Phishing campaigns are utilizing DarkGate and PikaBot malware, employing tactics similar to the deactivated QakBot trojan. Malware delivery is initiated through hijacked email threads with unique URL patterns, echoing methods previously seen with QakBot. DarkGate features antivirus evasion, keylogging, PowerShell execution, and reverse shell capabilities, allowing remote control of infected hosts. PikaBot was previously analyzed by Zscaler, who noted its resemblance to QakBot in terms of distribution and behavior. These campaigns target various sectors, using booby-trapped URLs in email threads to deploy a ZIP containing a JavaScript dropper or XLL files as the infection vector. Ultimately, a successful infection by these malware families could pave the way for further attacks, including crypto mining, reconnaissance, and ransomware deployment. The coordinated takedown of QakBot, Operation Duck Hunt, took place in August, but cybercriminals continue to adapt and reuse its effective strategies. |
| 2023-11-20 14:44:15 | bleepingcomputer | MALWARE | Lumma Malware Uses Advanced Techniques to Thwart Detection | Lumma Stealer malware has updated its evasion techniques, utilizing trigonometry to measure mouse movements and escape the virtual environments used by security software. The malware targets user data on Windows 7-11, capturing passwords, cookies, credit card details, and cryptocurrency wallet information. Initially offered on cybercrime forums in December 2022, Lumma quickly became popular in the underground community. New features such as control flow flattening, encrypted strings, and dynamic configuration files are intended to prevent automated analysis. By calculating the vector magnitudes and angles from the mouse movement, Lumma determines whether the activity is human or simulated; non-human patterns pause its malicious activities. A crypter is now required to protect the malware executable from unauthorized access, with built-in checks to ensure it is used. Lumma 4.0 includes code-level hurdles like opaque predicates and dead code blocks to disrupt reverse engineering efforts. These updates illustrate a concerted effort by Lumma's developers to make the malware more resilient against security analysis and to maintain its efficacy for malicious actors. |
| 2023-11-20 12:10:30 | theregister | CYBERCRIME | British Library Hit by Rhysida Ransomware Attack, Data Auctioned | The Rhysida ransomware group claims responsibility for the October cyberattack on the British Library, leaking stolen data as proof. An auction for the stolen British Library data was set up by Rhysida with a starting bid of 20 Bitcoin, approximately $745,000. The British Library suffered significant disruption due to the ransomware attack, including IT outages and service limitations. As of the date of the article, the library's website was still down, and services continued to face outages. The British Library had been aware of the ransomware nature of the incident since November 14, but only learned of Rhysida's claim on November 20. Authorities, including the US Cybersecurity and Infrastructure Security Agency (CISA), have been alerted to the ransomware strain's activities targeting multiple sectors since May 2023. Rhysida uses a double extortion model and is known for exploiting old vulnerabilities, phishing attacks, and credential theft to gain access to victims' networks. |
| 2023-11-20 11:03:51 | thehackernews | MISCELLANEOUS | Embracing a Hacker Mindset to Strengthen Cyber Defenses | Today's security landscape demands agility and innovation from defenders due to an evolving attack surface and dynamic threats. Security leaders are encouraged to adopt a hacker mindset to understand exploitable pathways and prioritize remediation efforts. Traditional defense strategies often fail to consider the interconnectedness of vulnerabilities, unlike hackers, who seek a single entry point to access high-value targets. Smaller organizations are also at risk, as indicated by Verizon's 2023 Data Breach Investigation Report, which shows substantial incidents in small businesses. To think like a hacker, defenders should understand attackers’ tactics, reveal complete attack paths, prioritize remediation based on impact, and validate security investments. Automated Security Validation, such as that offered by Pentera, helps organizations continually test and improve their security posture against real-world threats. Defender effectiveness should be communicated up to CEOs and boards in terms that reflect the true business impact, beyond conventional metrics like vulnerabilities patched. |
| 2023-11-20 10:53:27 | thehackernews | MALWARE | Malware Leverages Trigonometry to Evade Detection | LummaC2 malware now uses a sophisticated trigonometry-based anti-sandbox technique to avoid detection. This technique delays the malware's activation until it detects human-like mouse movement patterns. LummaC2, which is written in C, has been traded on underground forums and continues to receive updates to enhance its evasion capabilities. The malware calculates the angles between successive cursor positions to determine the presence of human interaction. If the mouse behavior meets the criteria, LummaC2 proceeds with execution; otherwise, it restarts the detection process. The rise of LummaC2 coincides with an increase in the appearance of various information stealers and remote access trojans targeting sensitive data. These developments underscore the ongoing threats posed by malware-as-a-service (MaaS) models that enable complex, damaging cyberattacks. |
| 2023-11-20 09:21:36 | thehackernews | CYBERCRIME | Randstorm Exploit Leaves Old Bitcoin Wallets Vulnerable to Hacking | The Randstorm exploit impacts Bitcoin wallets created between 2011 and 2015, potentially affecting 1.4 million bitcoins. Weak cryptographic keys generated due to subpar random number quality in older web browsers render these wallets vulnerable. The issue was rediscovered in January 2022 by cryptocurrency recovery firm Unciphered while assisting a customer. The vulnerability is linked to the BitcoinJS library's use of the SecureRandom() function and the cryptographic weaknesses of the Math.random() function. Wallets generated before March 2012 are at the highest risk, with the exploit allowing brute-force attacks to recover private keys. BitcoinJS stopped using the JSBN library, which was responsible for the vulnerability, in March 2014. The situation highlights the broader risks associated with supply chain vulnerabilities in open-source dependencies. Funds within compromised wallets remain at risk unless transferred to a new wallet created with updated, secure software. |
| 2023-11-20 06:43:34 | thehackernews | CYBERCRIME | Indian Hack-for-Hire Group's Decade of Global Espionage Revealed | The Indian hack-for-hire group Appin Security was involved in a decade-long global espionage operation targeting the U.S., China, and other countries. SentinelOne analysis traces Appin Security's origins to a security training startup that has conducted covert hacking since 2009, despite the company's denials. Appin's operations included cyber attacks with information-stealing malware and services allowing clients to access campaign data and conduct trojan campaigns. Evidence links Appin to the macOS spyware known as KitM and to domestic cyber-espionage targeting Sikhs in India and the U.S. The group used third-party infrastructure for phishing and exfiltrated data, leveraging private spyware and exploit vendors like Vervata, Vupen, and Core Security. Appin reportedly used platforms like Elance (now Upwork) to hire external developers for malware creation and developed custom hacking tools in-house. The exposé of Appin's activities coincides with Israeli PI Aviram Azari's sentencing for a similar hack-for-hire scheme, highlighting the use of Indian hackers like BellTroX Infotech in international cyber espionage operations. |
| 2023-11-20 02:37:46 | theregister | CYBERCRIME | Annual Report Exposes Persistent Weak Password Habits | NordPass has released its yearly list showcasing the most commonly used passwords, revealing persistent use of weak and easily guessable passwords such as "123456". Despite minor shifts in password choices, like "password" moving to number seven, users continue to favor simple numeric sequences, which can severely compromise security. In certain regions like the US, generic passwords prevail, with unique entries like "shitbird" appearing in the top 20. UK users frequently use football team names and other common words as passwords. The report indicates that streaming service accounts are particularly vulnerable due to especially weak passwords compared to other accounts maintained by users. NordPass emphasizes the importance of using long, complex passwords that incorporate a mix of characters and advises against reusing passwords to enhance cybersecurity. The US Federal Communications Commission has introduced regulations to protect against SIM swap and port-out fraud, requiring wireless providers to authenticate customers more securely. A new ransomware named Rhysida is exploiting old vulnerabilities, particularly ZeroLogon from 2020, to attack sectors like education, healthcare, and government, underscoring the necessity for timely software updates and patch management. |
| 2023-11-19 16:17:51 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT Group Attacks Embassies Using WinRAR Exploit | Russian APT29, also known as Cozy Bear, targeted embassies with malware using a WinRAR exploit (CVE-2023-38831). Using a BMW car sale lure, APT29 delivered a malicious ZIP file containing a script that disguised its presence while executing a payload. The attacks affected multiple European countries, exploiting WinRAR versions prior to 6.23 and allowing hidden execution of malicious code. APT29 utilized the Ngrok service's new feature of free static domains to communicate with the command and control server without detection. Previously, similar tactics were observed being used by other Russian groups, including APT28, to target political entities in the EU and Ukraine. The Ukrainian National Security and Defense Council report provides indicators of compromise to aid in the detection and prevention of similar attacks. |
| 2023-11-19 15:01:18 | bleepingcomputer | CYBERCRIME | Researchers Exploit SSH Signing Flaws to Extract RSA Keys | A group of academic researchers discovered a flaw that allows extraction of RSA keys from faulty SSH server signatures. SSH, a secure communication protocol, and RSA, a public-key cryptosystem, can have vulnerabilities stemming from hardware errors during signature computations. The Chinese Remainder Theorem (CRT), which optimizes RSA computations, can leak key information if an error occurs during signature creation. The issue resembles an already addressed vulnerability in older TLS versions, but it was previously believed that SSH was immune to such attacks. The researchers' lattice-based attack methodology had a 100% success rate in uncovering private keys from SSH servers with erroneous signatures. Devices with the largest number of exposed signatures came from Zyxel, although Cisco had already introduced mitigations in some of its software. The paper recommends signature validation before transmission as a countermeasure, noting that OpenSSH's reliance on OpenSSL for signature generation is safer. |
| 2023-11-19 03:33:58 | bleepingcomputer | CYBERCRIME | FCC Enacts Rules to Combat Rise in SIM-Swap Fraud | The FCC has announced new rules to protect consumers from SIM-swapping attacks and port-out fraud. New regulations were introduced to prevent scammers from accessing personal data through unauthorized SIM changes or number porting. SIM swapping involves tricking carriers into redirecting a victim's service to a device controlled by the fraudster, leading to potential financial losses and identity theft. The FCC now requires wireless service providers to use secure authentication before transferring phone numbers and to alert customers of SIM changes or port-out requests. Providers must also implement additional measures to protect customers from unauthorized SIM swapping and port-out attempts. This regulatory response follows an increase in consumer complaints and FBI warnings regarding the financial and personal impact of these types of cybercrimes. According to the FBI's Internet Crime Complaint Center, there has been a significant rise in reported SIM-swapping incidents and financial losses since 2018. |
| 2023-11-18 16:13:30 | bleepingcomputer | CYBERCRIME | FCC Enacts Rules to Combat Rising SIM-Swapping Fraud | The FCC has adopted new rules to protect consumers from SIM-swapping attacks and port-out fraud. SIM swapping involves tricking carriers into redirecting a victim's phone service to a fraudster's device. Port-out fraud occurs when a scammer transfers a victim's phone number to a new carrier without authorization. These types of fraud can lead to significant financial loss, identity theft, and unauthorized access to personal accounts. The FCC now requires wireless service providers to implement secure authentication before porting numbers and to alert customers of any SIM change requests. The updated regulations are a response to an increasing number of consumer complaints and financial harm related to SIM swapping and port-out fraud. The FBI reported a sharp increase in SIM-swapping incidents and losses, highlighting the rapidly growing threat to consumers. |
| 2023-11-18 15:07:17 | bleepingcomputer | MALWARE | Critical Vulnerability in CrushFTP Software Urges Immediate Patching | A critical remote code execution vulnerability, CVE-2023-43177, was found in the CrushFTP enterprise suite. Unauthenticated attackers can exploit this vulnerability to access files, execute code, and obtain plain-text passwords. Converge security researchers discovered the vulnerability, and the developers released a patch in CrushFTP version 10.5.2. Converge has now published a proof-of-concept exploit, highlighting the urgency for users to update their software. The exploit process involves using unauthenticated mass-assignment to gain control over user session properties and establish admin-level access. It is estimated that around 10,000 public-facing CrushFTP instances may be affected, with additional instances likely behind corporate firewalls. Ransomware actors, particularly Clop, have shown interest in exploiting such vulnerabilities in file transfer products. Despite the patch, further security measures are recommended to fully mitigate the risks associated with CrushFTP vulnerabilities. |
| 2023-11-18 11:28:50 | thehackernews | MALWARE | 8Base Ransomware Group Utilizes Phobos Variant for Attacks | Cybersecurity firm Cisco Talos has highlighted increased activity from the 8Base ransomware group, which is using a new variant of Phobos ransomware distributed by SmokeLoader malware. The Phobos variant is embedded in SmokeLoader payloads, which are decrypted and executed within the host's memory, a method that makes detection and analysis more difficult. 8Base's Phobos ransomware employs techniques to ensure persistence and neutralize data recovery options, and uses a configuration with over 70 options, including a UAC bypass. For enhanced speed, the malware fully encrypts files smaller than 1.5 MB and partially encrypts larger files, while an embedded RSA key offers a potential avenue for decrypting affected files. Connections between 8Base and RansomHouse have been noted, and Phobos is thought to be closely managed by a central authority and distributed as ransomware-as-a-service (RaaS). The report also mentions new developments in ransomware activity, including the advertising of the UBUD ransomware with anti-detection capabilities, and LockBit's updated negotiation tactics to streamline ransom demands based on victim company revenues. These findings come amidst reports of ransomware groups attempting to leverage government regulations to their advantage, as demonstrated by the BlackCat ransomware group's complaint to the SEC regarding a victim's delayed disclosure of a cyber attack. |
| 2023-11-18 06:34:06 | thehackernews | NATION STATE ACTIVITY | Russian FSB-Linked Group Uses USB Worm in Ukrainian Espionage | A Russian FSB-affiliated cyber-espionage group is deploying a USB worm, LitterDrifter, targeting Ukrainian entities. LitterDrifter spreads through USB drives and connects to Russian operatives’ command-and-control servers. The worm is an evolution of a previously reported PowerShell-based USB worm and uses decoy LNK files for distribution. Check Point reported possible infections outside Ukraine, with evidence from multiple countries detected on VirusTotal. The malware aids in rapid and large-scale exfiltration of sensitive data, following up on successful infiltration. The NCSCC has linked similar state-sponsored campaigns targeting European embassies to the Russian group APT29, which exploits a WinRAR vulnerability. Ukraine's CERT-UA has also reported a phishing campaign distributing Remcos RAT, part of a continuing pattern of Russian cyber attacks against Ukrainian state authorities. |