Daily Brief
Articles are listed below, each with a generated summary
Total articles found: 11607
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-10-23 12:54:45 | theregister | MISCELLANEOUS | Building Resilience with Data Protection: HPE and Zerto Collaborate | HPE and Zerto have developed an integrated approach to backup and disaster recovery that redefines data protection and safeguards many types of data around the clock. The collaboration offers a portfolio of solutions, including Zerto, HPE GreenLake for Disaster Recovery, HPE GreenLake for Backup, and Zerto Backup for SaaS. The aim is to ensure constant protection for enterprise IT operations and data assets across cloud-based, on-premises, and SaaS platforms. The upcoming webinar on 26 October will cover the new approach to data protection, maintaining business continuity during ransomware attacks, and adapting solutions to varied environments. The webinar will also highlight the Zerto Cyber Resilience Vault, which uses air gaps and immutability to offer high levels of data resilience. The webinar is aimed at an audience that wants to understand an integrated data protection strategy relying on a single vendor for comprehensive data resilience. |
| 2023-10-23 12:03:19 | bleepingcomputer | CYBERCRIME | QNAP Combats Brute-Force Attacks by Disabling Malicious Server | Taiwanese hardware manufacturer QNAP took down a rogue server used in broad brute-force attacks against network-attached storage (NAS) devices. QNAP's Product Security Incident Response Team (PSIRT) worked with cloud service provider Digital Ocean to detect and block the command-and-control server within 48 hours. QNAP successfully blocked hundreds of affected network IP addresses in just seven hours, protecting many internet-exposed QNAP NAS devices from further attacks. The company is urging its customers to secure their NAS devices by changing default access ports, deactivating port forwarding and UPnP, employing strong passwords, implementing password policies, and deactivating the admin account. Cybercriminals often target NAS devices in an attempt to steal or encrypt valuable information or to plant information-stealing malware. QNAP has been targeted in recent attacks like the DeadBolt, Checkmate, and eCh0raix ransomware campaigns, which have exploited security vulnerabilities to encrypt data. Another Taiwanese NAS manufacturer, Synology, also warned its customers about ongoing brute-force attacks from the StealthWorker botnet, which could potentially lead to ransomware infections. |
| 2023-10-23 11:37:02 | thehackernews | CYBERCRIME | DoNot Team Deploys New Firebird Backdoor on Victims in Pakistan and Afghanistan | Cybersecurity company Kaspersky has linked the threat actor known as DoNot Team to a new .NET-based backdoor named Firebird, targeting victims in Pakistan and Afghanistan. The attack is also configured to deliver a downloader named CSVtyrei, similar to Vtyrei, a first-stage payload and downloader strain previously used by the adversary. DoNot Team, suspected to be of Indian origin, is known for using spear-phishing emails and rogue Android apps to propagate malware. Kaspersky's latest assessment builds on an analysis of the threat actor's twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks. Concurrently, cybersecurity firm Zscaler ThreatLabz disclosed new malicious activity by Pakistan-based Transparent Tribe (aka APT36) targeting Indian government sectors using an updated malware arsenal. Alongside these actors, another nation-state actor from the Asia-Pacific region codenamed Mysterious Elephant (aka APT-K-47) is also focusing on Pakistan; the group is attributed to a spear-phishing campaign that uses a new backdoor called ORPCBackdoor. The Knownsec 404 Team has reported overlaps in tooling and targeting between APT-K-47 and other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India. |
| 2023-10-23 11:37:02 | thehackernews | MISCELLANEOUS | 'Nudge Security': Monitoring and Managing Employee Use of AI Tools | The rapid rise in popularity of AI productivity tools has led to their sudden, unchecked ubiquity in the workplace, posing a potential data security risk. Nudge Security offers a way of monitoring the AI tools used by employees in a business, providing a summary view to assess their security quickly. This functionality includes identification of the original user, the user's security hygiene, and an overview of the tool's breach history, along with its SaaS supply chain. To mitigate the security risk, the service alerts security teams to incidents affecting the applications employees are using. Nudge Security also helps to identify and manage overly permissive OAuth grants that might put security at risk. It enables real-time interventions through automatic nudges, via email or Slack, when employees sign up for an AI tool. In addition to offering security management, Nudge Security also collects usage feedback at scale, keeping a pulse on AI adoption and guiding corporate policies for managing AI tools in the workplace. |
| 2023-10-23 09:29:42 | bleepingcomputer | DATA BREACH | City of Philadelphia Reveals Data Breach Five Months After Incident | The City of Philadelphia is investigating a data breach in which unauthorized actors may have accessed City email accounts containing personal and protected health information. The breach was first discovered on May 24, yet the threat actors may have accessed emails up to two months after the discovery. The types of information exposed included a mix of personal and protected health information; the full extent of the breach is currently unknown. Investigations are ongoing and a comprehensive review of the potentially affected accounts is being undertaken to determine the extent of the breach and who may have been impacted. Officials have encouraged individuals who may have been affected to remain vigilant against potential identity theft and financial fraud. The details of the breach methodology and the reasons for the five-month disclosure delay have not been provided by city officials. This is not the first such data breach involving the Philadelphia administration; in June 2020, the Department of Behavioral Health and Intellectual Disability Services also suffered a data breach from a phishing attack, exposing personal health information. |
| 2023-10-23 08:33:06 | bleepingcomputer | DATA BREACH | District of Columbia Voter Data Possibly Breached, Personal Information Exposed | The District of Columbia Board of Elections (DCBOE) indicated that a hacking group may have gained access to the entirety of its voter roll, potentially exposing vast amounts of personal information. The affected data could include driver's license numbers, birth dates, partial social security numbers, and assorted contact details. The breach originated from a web server operated by the DataNet Systems hosting provider and not directly from the DCBOE's own servers or databases. The threat actor behind the breach, known as RansomedVC, initially claimed to have stolen data pertaining to 600,000 U.S. voters, including D.C. voter records. The DCBOE is working with external experts, the Department of Homeland Security (DHS), and the FBI to investigate and mitigate the situation; it has also contracted Mandiant to provide additional cybersecurity consulting. RansomedVC is selling the stolen data on the dark web, claiming that it includes a range of personal details from D.C. voters. An earlier attempt to sell the stolen DCBOE database was spotted on other hacking forums under the user name "pwncoder"; those posts have since been removed, leaving RansomedVC as the only group currently selling the data. |
| 2023-10-23 08:02:11 | thehackernews | MALWARE | Quasar RAT Malware Uses DLL Side-Loading to Stealthily Harvest Data from Windows Servers | Quasar RAT, an open-source remote access trojan, has been using DLL side-loading to covertly extract data from compromised Windows servers; the technique relies on the inbuilt trust these files have within the Windows environment. Also known as CinaRAT or Yggdrasil, Quasar RAT is a remote administration tool capable of collecting system data, a list of active applications, files, keystrokes, and screenshots, and of executing arbitrary shell commands. DLL side-loading is frequently used by threat actors to execute their payloads by planting a spoofed DLL file with a name that a benign executable is known to search for. The attack starts with an ISO image file that contains three files: a renamed legitimate binary, a renamed legitimate MsCtfMonitor.dll, and a malicious MsCtfMonitor.dll. Concealed code triggers the loading of the malicious 'MsCtfMonitor.dll'; the trojan then connects to a remote server to forward system data and sets up a reverse proxy for remote access to the endpoint. The identity of the threat actor and the exact initial access vector used in the attack are unclear; however, the malware is likely disseminated by phishing emails, emphasizing the need for users to be cautious of suspicious emails, links, or attachments. |
| 2023-10-22 22:03:09 | bleepingcomputer | CYBERCRIME | Google to Launch "IP Protection" Feature as a Privacy Shield in Chrome | Google is preparing to test a new "IP Protection" feature designed to mask users' IP addresses using proxy servers, with the aim of boosting user privacy in the Chrome browser. The purpose of Google's IP Protection is to strike a balance between ensuring users' privacy and preserving the essential functionality of the web, while mitigating potential misuse of IP addresses for covert tracking. The IP Protection feature will be rolled out in stages, initially as an opt-in, to monitor behavior trends, and will first target domains believed to be involved in tracking user activities. The first phase will only involve Google domains and a group of users logged into Chrome with US-based IPs; in subsequent phases, Google plans to adopt a 2-hop proxy system to further enhance privacy. The move raises some cybersecurity concerns, such as making it harder for security and fraud protection services to block DDoS attacks or detect invalid traffic; it has also been noted that in the event of a proxy server breach, a threat actor could potentially view and manipulate the traffic. To mitigate such risks, Google is considering requiring user authentication with the proxy, unlinking web requests from specific accounts, and introducing rate limiting to prevent DDoS attacks. |
| 2023-10-22 17:38:58 | bleepingcomputer | CYBERCRIME | Sharp Decline in Hacked Cisco IOS XE Devices Perplexes Researchers | The number of Cisco IOS XE devices hacked with a malicious backdoor implant has unexpectedly dropped from 50,000 to a few hundred. Threat actors exploited two zero-day vulnerabilities to hack the devices, creating privileged user accounts and a malicious Lua backdoor implant, giving the attacker access to the highest privilege level on the devices. After the news broke, cybersecurity researchers noted that approximately 60,000 out of 80,000 publicly exposed Cisco IOS XE devices carried this implant; a sudden drop to only a few hundred devices showing the implant was then observed. Over the weekend, this number further dropped to only 100-1,200 devices, baffling cybersecurity experts. Possibilities proposed to explain the decline include the original threat actors deploying updates to render their implants invisible to scans, a so-called "grey-hat" hacker automatically rebooting the affected devices to clear the implants, or a decoy scenario in which the majority of breached devices were meant to distract from the real targets. Device owners are advised to disable the WebUI and to check that no illicit users have been added and no configuration changes have been made. |
| 2023-10-22 15:21:40 | bleepingcomputer | MALWARE | TetrisPhantom Malware Targets Asia-Pacific Government Systems Through Compromised USB Drives | A sophisticated threat, TetrisPhantom, has been compromising secure USB drives with trojanized versions of the UTetris application to target government systems in the Asia-Pacific region. TetrisPhantom uses a range of tools, commands, and malware components, demonstrating the scale and resources of the threat group behind it. The attack starts with the execution of a payload named AcroShell on the targeted system, which establishes communication with the attacker's command and control (C2) server. Armed with the ability to fetch and execute additional payloads, AcroShell can steal documents and sensitive files, as well as collect specific information about the targeted USB drives. The gathered data is useful for further infection as well as for the research and development of another malware component called XMKR, which stays on the secure USB drives and is responsible for extensive data collection for espionage purposes. The compromised data is exfiltrated to the attacker's server when the infected USB drives are plugged into internet-connected computers. Kaspersky reports that these attacks have been ongoing for a few years and primarily focus on espionage, with the small number of infections suggesting a targeted operation. |
| 2023-10-22 14:10:27 | bleepingcomputer | CYBERCRIME | Microsoft's Security Copilot AI Assistant Now Available in Early Access | Microsoft has announced early access to its Security Copilot AI assistant, which aids security teams in countering threats using global threat intelligence expertise. It offers features such as instant incident summaries, rapid guided responses, simplified natural language queries, and real-time malware analysis. The tool is capable of detecting new threats by analyzing attack data and correlating threat activity signals. Microsoft 365 Defender, the company's Extended Detection and Response (XDR) platform, integrates with the AI assistant. Early Access Program participants will have complimentary access to Microsoft Defender Threat Intelligence data. The firm claims that Security Copilot is already saving its preview clients up to 40% of their time on essential security operations tasks. Microsoft encourages customers interested in enrolling in the Early Access Program to reach out to their Microsoft sales representative and to visit the official website for detailed information. Security Copilot is designed to enable security teams to respond to incidents within minutes, accelerating the investigation and response process. |
| 2023-10-21 20:15:00 | bleepingcomputer | CYBERCRIME | American Family Insurance Confirms Cyberattack Resulting in IT Outages | Insurance company American Family Insurance (AmFam) has confirmed that a cyberattack caused outages in part of its IT systems. The $14.4bn revenue company noticed unusual activity in its network and promptly shut down several business systems as a precautionary measure to protect data and resources. The move has resulted in service interruptions for customers, employees and agents, with several reporting that they could not pay bills, file claims online or connect to the internet. As part of the response, the company has launched an investigation with the help of third-party experts to probe the underlying cause of the unusual network activity. There is currently no evidence of compromise to critical business or customer data processing or storage systems. While the exact nature of the cyberattack remains unclear, its tactics mirror those of a ransomware attack. The company joins a growing list of corporations suffering from ransom attacks; analysis from Chainalysis suggests that ransomware gangs have received about $449.1 million as of 2023. |
| 2023-10-21 16:41:21 | bleepingcomputer | CYBERCRIME | International Criminal Court Cyber Breach Aimed at Espionage | The International Criminal Court (ICC) has revealed that a cyber breach five weeks earlier was part of a targeted espionage operation; the incident was disclosed on September 19 after the ICC detected unusual activity in its information systems. Following an analysis of the incident, the organisation said that the attack was "sophisticated" and aimed at undermining its role of investigating international criminal activities. Dutch law enforcement is currently leading the criminal investigation and the perpetrator has not yet been identified. There is no current evidence suggesting that data belonging to individuals, organisations, or states has been compromised; however, the organisation pledged that it would contact affected parties immediately if evidence emerges. The ICC said that it would further bolster its risk management framework to address any potential security risks to witnesses or victims, and it also emphasized that plans to enhance digital security measures have been accelerated following the incident. This incident occurred during a period of heightened concern for the court due to regular attempts to disrupt the ICC's operations and criminal proceedings. |
| 2023-10-21 15:09:39 | bleepingcomputer | CYBERCRIME | International Law Enforcement Disrupts RagnarLocker Ransomware Operations; Trigona Ransomware Suffers Data Breach | Two significant ransomware gangs were disrupted this week: Trigona suffered a data breach and RagnarLocker was hit by an international law enforcement crackdown. The Trigona ransomware gang's servers were penetrated by Ukrainian hacktivists dubbed the Ukrainian Cyber Alliance using a vulnerability in the Confluence server; the breach resulted in the loss of data, internal chats, and website source code. Trigona, after acknowledging the breach, promised to launch new sites by October 22. RagnarLocker had its data leak site and negotiation site seized in a joint law enforcement operation by France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the US; an associated malware developer of the RagnarLocker ransomware gang was also apprehended. RagnarLocker, notorious for attacks on 168 international firms since 2020, is one of the oldest continuously active ransomware operations. The TV advertising agency Ampersand suffered an attack by BlackBasta, and Kwik Trip experienced a cyberattack, though ransomware was not conclusively identified as the cause. The week also saw an array of important reports on ransomware, including details about new variants of the STOP, MedusaLocker, and Dharma ransomware, and new entrants such as EarthGrass, KeyLock, and GhostLocker. |
| 2023-10-21 14:03:21 | bleepingcomputer | CYBERCRIME | International Criminal Court Discloses Details of Cyberattack Aimed at Espionage | The International Criminal Court (ICC) disclosed more details of the cyberattack it suffered five weeks ago, indicating that it was a targeted operation with the objective of espionage. Despite the targeted and sophisticated nature of the attack, there is currently insufficient evidence to attribute it to a particular actor. Dutch law enforcement authorities are conducting an investigation into the breach. The ICC said that the impact of the attack remains unclear and that there is no evidence as yet that data entrusted to the Court has been compromised. In response to the attack and the potential security risks to victims and witnesses, the ICC is enhancing its risk management framework and accelerating steps to improve digital security. The attack comes at a time of broader and heightened security concerns for the ICC, with daily attempts to disrupt its systems and proceedings. |