Daily Brief

2024-01-26 17:01:00 bleepingcomputer NATION STATE ACTIVITY Ukrainian Hacktivists Allegedly Erase 2PB of Russian Research Data
Pro-Ukrainian hacktivists reportedly destroyed 2 petabytes of data belonging to the Russian "Planeta" research center. Planeta, associated with Roscosmos, supplies critical data for weather prediction and natural disaster monitoring to a range of sectors. The attack is attributed to the "BO Team" and focused on Planeta's Far Eastern branch, where information was deleted from 280 servers. Ukrainian intelligence estimates the financial impact at $10 million, covering lost meteorological and satellite data and years of research. The breach purportedly disrupted not only data but also the operation of supercomputer clusters and HVAC/power supply systems. The incident poses a significant restoration challenge for Russia, partly because sanctions limit its ability to replace advanced technology. Ukraine has previously admitted to conducting cyber operations against key Russian agencies, including those in the transportation and taxation sectors.
2024-01-26 16:04:13 theregister DATA BREACH DNA Testing Company 23andMe Confesses to Five-Month Breach Oversight
23andMe failed to detect unauthorized access to user accounts for five months during a credential stuffing campaign. The breach was discovered not by internal security monitoring but through a Reddit post advertising the stolen data for sale. A total of 14,000 accounts were compromised directly, and because those accounts had the DNA Relatives feature enabled, data on as many as 6.9 million individuals was potentially exposed. Exposed information included profile details, DNA-sharing percentages, family relationships and, optionally, detailed ancestry reports. The company has since made two-factor authentication (2FA) mandatory; it was not required until after the breach was detected. 23andMe has been criticized for blaming users for the breach, citing their reuse of login credentials from other compromised sites. Users' ability to take legal action may be hampered by a new 60-day dispute resolution clause in 23andMe's terms of service.
2024-01-26 15:27:42 bleepingcomputer NATION STATE ACTIVITY Microsoft Exposes Russian SVR-Backed Email Hack Operation
Russian hackers, identified as the Midnight Blizzard group, breached Microsoft Exchange Online accounts belonging to top Microsoft executives and to other organizations. The cyberespionage group, linked to the Russian Foreign Intelligence Service (SVR), used password spraying routed through residential proxies to evade detection. Microsoft's investigation found that a "legacy, non-production test tenant account" without Multi-Factor Authentication (MFA) was compromised, enabling further access. The attackers then abused a legacy test OAuth application with elevated permissions to create new malicious OAuth applications and gain broad access to Microsoft's corporate mailboxes. Microsoft recognized the breach by analyzing Exchange Web Services logs and spotting tactics characteristic of Russian state-sponsored groups. Microsoft's threat intelligence team has notified other targeted organizations that may be victims of similar attacks by Midnight Blizzard. Hewlett Packard Enterprise also reported unauthorized access to its Microsoft Office 365 email environment by the same group, suggesting a wider pattern of targeted cyberespionage. Microsoft has released detailed guidance for defenders to detect and counter APT29's activity, including hunting queries for Microsoft Defender XDR and Microsoft Sentinel.
2024-01-26 15:01:56 bleepingcomputer MISCELLANEOUS How Wazuh Bolsters Cybersecurity Architectures for Organizations
Cybersecurity architecture is essential for protecting digital assets and requires a robust, multi-layered approach. Open source software such as Wazuh offers a cost-effective, flexible alternative to proprietary security products. Wazuh is a free, open source security platform providing unified XDR and SIEM capabilities across diverse environments. It offers real-time data collection and correlation, active response, compliance monitoring and File Integrity Monitoring. Wazuh supports compliance with major standards (PCI DSS, HIPAA, GDPR, NIST SP 800-53, TSC) and enriches security data with contextual information. Its real-time detection and response capabilities help teams prioritize and remediate high-priority incidents efficiently. Wazuh is widely adopted, with over 20 million annual downloads and an active open source community providing extensive support. For detailed information on Wazuh's functionality and integrations, the Wazuh documentation is recommended.
2024-01-26 12:36:14 bleepingcomputer MISCELLANEOUS Pwn2Own Auto Event Ends With Big Rewards for EV Hacks
The first Pwn2Own Automotive contest concluded with participants earning $1,323,750 for demonstrating 49 zero-day vulnerabilities in electric vehicle systems. Tesla vehicles were hacked twice, with Team Synacktiv claiming $450,000 for multiple exploits, including gaining root access and escaping the infotainment system sandbox. The event took place during the Automotive World conference in Tokyo and focused on electric vehicle chargers, infotainment systems and car operating systems. Vendors are given a 90-day window to patch the reported vulnerabilities before Trend Micro's Zero Day Initiative publishes details. Synacktiv also earned significant winnings at Pwn2Own Vancouver 2023, and the organizers have announced Pwn2Own Vancouver 2024 with a prize pool of over $1,000,000. The competition highlights the growing importance of cybersecurity in the automotive industry, particularly for electric vehicles and their connected systems.
2024-01-26 12:30:24 theregister DATA BREACH Lush Cosmetics Targeted in 110 GB Data Theft by Akira Ransomware Gang
The Akira ransomware gang claims to have stolen 110 GB of data from Lush, a global cosmetics brand, including passport scans and company documents related to accounting, finances, tax, projects and clients. The theft may have involved access to staff-related systems used during the hiring process; there is no evidence of customer data exposure at this stage. Akira operates a "name-and-shame" website that sorts victims into those who have and have not paid the ransom, with threats to publish stolen data. Lush has acknowledged an "incident" on January 11, has taken steps to secure its systems and has engaged forensic experts to investigate, in line with typical responses to ransomware attacks. Posts in Lush's unofficial Reddit community suggest staff were instructed to send in laptops for "cleaning," consistent with mitigating a security breach. Sophos researchers are unsure whether Lush's incident involved encryption-based ransomware or simple extortion, but the group is known for gaining initial access through vulnerable network components and accounts lacking multifactor authentication. Akira has built a reputation for targeting many industries across multiple countries and demanding sizable ransoms, and is possibly linked to the defunct Conti ransomware group.
2024-01-26 11:08:20 thehackernews MISCELLANEOUS Enhancing Multi-Layered Cybersecurity with Automated Tools
Defense in depth, or multi-layered defense, is an established cybersecurity strategy that protects assets through multiple redundant layers of security controls. Despite its widespread adoption, organizations face increasing cyber threats and breaches, revealing gaps in the multi-layered approach. Breach and Attack Simulation (BAS) tools have emerged as automated solutions for regularly testing and improving the effectiveness of each security layer. Automation in cyber threat intelligence (CTI) is also crucial, with Large Language Models (LLMs) used to process and analyze the large volume of threat intelligence reports. BAS tools mimic real-world attacks, allowing organizations to assess and strengthen defenses at the network, host, application and data layers. Security teams can continuously validate their defenses with BAS, proactively identifying weaknesses and maintaining readiness against evolving threats. The article underscores the importance of regular testing and adaptation of security strategies to match the dynamic nature of cyber threats, as advocated by Picus Security.
2024-01-26 09:46:45 thehackernews MALWARE Malicious Google Ads Trick Users with Fake Apps to Deploy Trojans
Chinese-speaking users have been targeted with malicious ads that falsely offer messaging apps such as Telegram, WhatsApp and LINE. The ads direct users to download fake versions of these apps, which are actually Remote Administration Trojans (RATs) that give attackers full control of the machine. The campaign, named FakeAPP, abuses Google advertiser accounts to display fraudulent ads that redirect to malware-laden downloads hosted via Google Docs and Google Sites. The fake apps associated with the campaign can deploy trojans such as PlugX and Gh0st RAT. Two advertiser accounts from Nigeria, Interactive Communication Team Limited and Ringier Media Nigeria Limited, have been identified as sources of the fraudulent ads. The phishing-as-a-service (PhaaS) platform Greatness is also highlighted for its role in targeting Microsoft 365 users for credential harvesting, offering tooling for phishing email campaigns. Separately, phishing emails have been used to distribute malware such as AsyncRAT to South Korean companies, using false urgency and spoofed identities of trusted entities.
2024-01-26 06:07:29 thehackernews NATION STATE ACTIVITY Microsoft Exposes APT29's Global Espionage Attacks on Organizations
Microsoft has identified expanding espionage activity by the state-sponsored Russian hacking group APT29 against organizations worldwide. The attacks focus on governments, diplomatic entities, NGOs and IT service providers, predominantly in the U.S. and Europe, with the aim of extracting sensitive information for Russia's strategic interests. APT29, also known as The Dukes or Cozy Bear, uses compromised accounts and OAuth applications to evade detection and maintain long-term access to target environments. Microsoft's notification follows an admission by Hewlett Packard Enterprise (HPE) that its systems were compromised by the same group. In the November 2023 attack on Microsoft, the threat actors carried out a password spray attack through residential proxies, compromising a non-production account that lacked multi-factor authentication. Microsoft stresses the importance of defenses against rogue OAuth applications and password spraying to counter the tactics employed by APT29.
2024-01-26 05:36:35 thehackernews CYBERCRIME Russian National Sentenced for Role in TrickBot Malware Operations
Russian cybercriminal Vladimir Dunaev has been sentenced to five years and four months in prison for his involvement with the TrickBot malware. Dunaev provided technical skills to the TrickBot operation, which hit hospitals, schools and businesses and caused significant financial losses. TrickBot evolved from a banking trojan into a multi-purpose tool and ultimately became part of the Conti ransomware operation. The TrickBot network fragmented after leaks exposed its activities, spawning a number of other cybercrime efforts. Dunaev developed tools to harvest sensitive data, enable remote access and evade detection by security software. His sentencing follows the recent conviction of another TrickBot developer, Latvian national Alla Witte. Separately, the governments of Australia, the U.K. and the U.S. have sanctioned Alexander Ermakov, who is affiliated with REvil, reflecting ongoing international cooperation on cybercrime enforcement.
2024-01-26 05:16:03 thehackernews CYBERCRIME Cisco Issues Patches for Severe Unified Communications Vulnerability
Cisco has patched a critical flaw (CVE-2024-20253) in its Unified Communications and Contact Center Solutions products that could allow an unauthenticated remote attacker to execute arbitrary code. The vulnerability, rated CVSS 9.9, stems from improper processing of user-supplied data and can be triggered by specially crafted messages. An attacker exploiting the flaw could gain the privileges of the web services user and potentially obtain root access to the device. Julien Egloff, a security researcher at Synacktiv, is credited with discovering and reporting the issue. There are no direct workarounds for the affected products; Cisco recommends access control lists to restrict access to vulnerable systems as a temporary mitigation. The announcement follows a recent fix for another critical Cisco issue (CVE-2024-20272) affecting Unity Connection. Cisco advises customers to apply the updates immediately and to enforce access control lists where immediate patching isn't feasible.
2024-01-26 00:00:49 theregister MALWARE Trickbot Developer Imprisoned, Gang Cost Victims Millions
Vladimir Dunaev, a former Trickbot malware developer, was sentenced to over five years in prison for his role in the gang's cybercrimes. Dunaev's activities included building infections that stole banking credentials and enabled further malware attacks against US hospitals and businesses. His offenses caused substantial financial damage, with victims reporting tens of millions of dollars in losses. According to the UK National Crime Agency, the Trickbot gang has extorted at least $180 million from organizations worldwide. Dunaev's role ranged from writing malicious code and browser modifications to laundering the proceeds of the operation. One of Dunaev's cohorts, Alla Witte, has already been sentenced as the US continues its crackdown on international cybercriminals. Trickbot began as a banking trojan but evolved into a comprehensive malware-as-a-service operation before being shut down in 2022. The US and UK have sanctioned several individuals associated with distributing various ransomware strains and the Trickbot trojan.
2024-01-25 22:08:19 bleepingcomputer DATA BREACH 23andMe Suffers Extensive Data Breach; Health and Genotype Data Compromised
Genetic testing company 23andMe has confirmed a data breach resulting from a credential stuffing attack that affected customer accounts over a five-month period. Health reports and raw genotype data belonging to millions of customers were compromised, and some of it appeared on hacking forums and a subreddit. Login credentials stolen in other breaches were used to access 14,000 user accounts, from which data on almost 6.9 million customers was downloaded. Affected features included DNA Relatives and Family Tree, potentially exposing detailed profile information. Following the breach, 23andMe implemented mandatory password resets and two-factor authentication to strengthen account security. The company faces multiple lawsuits and has updated its Terms of Use to limit customer participation in class action lawsuits, describing the change as an improvement to the arbitration process.
2024-01-25 20:30:36 bleepingcomputer MALWARE Blackwood Group Installs NSPX30 Malware via Software Updates
A previously unidentified threat actor, named Blackwood, has been conducting cyberespionage attacks since at least 2018. Blackwood uses a complex implant called NSPX30 against companies and individuals, in line with perceived Chinese state interests. NSPX30 is delivered through the update mechanisms of legitimate software such as WPS Office, Tencent QQ and Sogou Pinyin. ESET researchers suggest that Blackwood may intercept traffic to disguise command and control (C2) communications and may collaborate with other Chinese APT groups. NSPX30 has evolved from a basic backdoor created in 2005 into multilayered malware with capabilities including system information collection, keylogging and anti-detection techniques. Its backdoor functionality includes stealing chat logs and other sensitive information, remote control features and evasion of Chinese anti-malware products. The group uses adversary-in-the-middle (AitM) attacks to hijack legitimate update traffic, a method that differs from traditional supply-chain attacks in that the vendor's own infrastructure is not compromised. ESET has published detailed technical analysis and indicators of compromise to help organizations detect and defend against NSPX30 infections.
2024-01-25 18:56:30 bleepingcomputer MALWARE Russian TrickBot Developer Sentenced for Global Cyberattacks
Russian national Vladimir Dunaev has been sentenced to 64 months in prison for participating in the TrickBot malware operation, which targeted hospitals, companies and individuals. Dunaev developed a TrickBot component that performed browser injections to siphon sensitive information from victims. Arrested in South Korea and extradited to the U.S., he pleaded guilty to charges including computer fraud and identity theft. Prosecutors highlighted the significant disruption and financial damage caused by the attacks carried out by Dunaev and his co-defendants. TrickBot evolved from stealing banking credentials into a sophisticated tool used by cybercriminals to launch ransomware attacks. Despite takedown attempts, the Conti group continued its operations using TrickBot, which had links to Russian intelligence. Leaked internal communications of the Conti group exposed its association with TrickBot and contributed to the group's dissolution into new ransomware entities.