Daily Brief

Total articles found: 12635

Checks for new stories every ~15 minutes

2024-01-06 15:12:25 bleepingcomputer CYBERCRIME Rampant Crypto Scams Plague Popular Social Platform's Ads
A surge of advertisements on X (formerly Twitter) is leading users to malicious sites running cryptocurrency scams. Scammers abuse the platform's advertising system to promote crypto drainers, fake airdrops and phishing pages, exploiting users' interest in crypto. Security researcher MalwareHunterTeam has been documenting the scam ads and alerting others to them, noting that many originate from verified accounts, and other users have posted their own warnings about the fraudulent ads and wallet-draining schemes. One such drainer, 'MS Drainer', was reported to have stolen $59 million from over 63,000 victims within nine months through deceptive ads on Google Search and X. User frustration is mounting over the platform's apparently lax ad vetting, amid speculation that a sharp decline in ad revenue has led to less scrutiny of ad content. X's reduced responsiveness to press inquiries adds to the concern about ad-driven cybercrime on the platform.
2024-01-06 13:25:38 theregister CYBERCRIME Ransomware Payment Ban Debate: Risks and Sector Vulnerability
Experts argue that a universal ransomware payment ban is impractical and could spur more targeted attacks on critical infrastructure. Criminals may exploit exceptions for critical infrastructure, knowing that hospitals and utilities cannot afford downtimes during crises. In 2023, ransomware gangs attacked 46 US hospital systems, affecting 141 hospitals and resulting in significant disruptions and data theft. Enforcement of a payment ban would require unprecedented international cooperation, which is challenging due to various geopolitical interests. Underfunded sectors like local governments and schools are increasingly targeted, and a ban without providing them with support would be detrimental. In the United States, there is nearly $375 million in available grants to help state and local governments enhance cybersecurity defense mechanisms. Despite challenges, there's a growing consensus around the non-payment of ransoms, with 50 countries pledging not to pay at a White House summit. The advice for organizations is to invest in proactive defenses: use strong passwords, encryption, zero-trust access, network segmentation, multi-factor authentication, regular software updates, and backups.
2024-01-06 08:25:04 thehackernews NATION STATE ACTIVITY Sea Turtle Espionage Strikes Dutch Telecoms and IT Sector
A threat actor named Sea Turtle, linked to Türkiye, has targeted Dutch IT and telecom companies for espionage. The group exploits supply-chain vulnerabilities and uses DNS hijacking for credential theft and intelligence gathering. Victims include telecommunications providers, ISPs, IT service providers, media outlets and Kurdish websites, with the aim of monitoring minority groups and political dissidents. Sea Turtle has been active since at least January 2017, and Microsoft connects its operations to Turkish strategic interests in several countries. The group uses SnappyTCP, a Linux/Unix reverse TCP shell, with variants that communicate either over TLS or in cleartext, to maintain control and persistence. In a 2023 attack, Sea Turtle used a compromised cPanel account to deploy SnappyTCP and exfiltrate an email archive; how the credentials were obtained is unclear. Organizations are advised to use strong passwords, enable 2FA, limit login attempts, monitor SSH traffic, and keep systems and software updated to mitigate the risk of such attacks.
2024-01-06 06:53:26 thehackernews NATION STATE ACTIVITY Pro-Iranian Hackers Strike Albanian Entities with Destructive Malware
A pro-Iranian group called Homeland Justice used a wiper malware named No-Justice to target Albanian organizations, including ONE Albania and Eagle Mobile. The cyberattacks were directed at Albania after the group declared it would "destroy supporters of terrorists." The No-Justice wiper renders the operating system unbootable by tampering with the Master Boot Record. A PowerShell script was deployed alongside the wiper to propagate it within the network. The attacks have raised concerns, given the increased activity of Iranian hacktivist proxies such as Cyber Av3ngers and Cyber Toufan against Israel and the U.S. These threat actors use double-retaliation strategies, combining psychological warfare with attacks on both Israeli and U.S. entities. Despite efforts to curb such threats, several organizations remain severely affected, with some still inoperable more than a month after being attacked. The Israel National Cyber Directorate is monitoring around 15 hacker groups active against Israeli targets, employing tactics reminiscent of the cyber dimension of the Ukraine-Russia conflict.
2024-01-05 22:20:48 bleepingcomputer RANSOMWARE Weekly Ransomware Digest: Decryptors Revealed, Attacks on Xerox and CSV
BleepingComputer reported on a Black Basta decryptor, built by SRLabs on a flaw in the ransomware's encryption, that recovered victims' files until the gang fixed the flaw in December 2023. Black Basta's negotiation sites remain operational, although its data leak site is facing technical difficulties. Xerox subsidiary Xerox Business Solutions (XBS) was hit by a ransomware attack; the INC Ransom group claimed responsibility and significant access, which has not been independently verified. Australia's Court Services Victoria (CSV) suffered a ransomware incident that exposed court hearing recordings. The Zeppelin ransomware source code was put up for sale on a hacking forum, which could seed new ransomware-as-a-service operations. New ransomware variants identified during the week include Shuriken, a new Xorist variant, Mallox and Empire, each with its own file extensions and ransom notes. Also covered was the Russian attack on Ukraine's largest telecom, Kyivstar, which wiped the core network's systems.
2024-01-05 22:00:18 theregister CYBERCRIME Ransomware Attackers Threaten Cancer Patients in Extortion Tactic
Attackers infiltrated Seattle's Fred Hutchinson Cancer Center, stole sensitive medical records, and then threatened to swat patients unless a ransom was paid. Swatting involves making false reports to law enforcement to provoke an armed response at the victim's location; here it was used as pressure to force payment. The center notified both the FBI and local authorities, and the FBI is investigating both the cyber incident and the swatting threats. Integris Health in Oklahoma suffered a similar incident, with patients informed about a potential breach of their personal data and then directly threatened. These crimes reflect a disturbing trend toward more aggressive extortion by cybercriminals, including threats of real-world violence. Security experts such as Emsisoft advocate a ban on ransom payments, citing the escalation in criminals' aggression. Miscreants have expanded their extortion tactics beyond encryption to sending threatening texts, delivering flowers with demands, and leaning on the clients of victim companies. Ransomware attacks against hospitals are increasing, with the number of US hospital networks infected rising from 25 in 2022 to 46 in 2023.
2024-01-05 21:19:19 bleepingcomputer CYBERCRIME U.S. Justice Department Charges 19 in xDedic Cybercrime Marketplace Case
The U.S. Department of Justice, with international support, charged 19 suspects for involvement with the xDedic cybercrime marketplace. xDedic facilitated over $68 million in fraud and offered more than 700,000 compromised servers, including 150,000 in the U.S. The transnational operation seized xDedic's domains and infrastructure, with law enforcement from multiple countries participating. Two key figures in the operation, Moldovan Alexandru Habasescu and Ukrainian Pavlo Kharmanskyi, have been sentenced to prison terms. Marketplace seller Dariy Pankov and buyer Allen Levinson were also sentenced for their roles: Pankov listed over 35,000 compromised servers, and Levinson used purchased access to file fraudulent tax returns requesting over $60 million in refunds. The operation is part of a broader international law enforcement effort that has taken down various dark web markets and arrested numerous cybercriminals.
2024-01-05 20:08:04 bleepingcomputer DATA BREACH BreachForums Admin Arrested for Violating Pretrial Conditions
Conor Fitzpatrick, admin of BreachForums, was arrested for breaking the terms of his pretrial release. Initially arrested for running BreachForums, a platform for leaking and selling stolen data, Fitzpatrick was known as Pompompurin in cybercriminal circles. After RaidForums was seized by the FBI, Pompompurin founded BreachForums to continue similar activities. Fitzpatrick faced charges over the theft and sale of sensitive information affecting millions of people and numerous organizations. Released on a $300,000 bond, he was barred from using a computer without monitoring software and from accessing VPN services. A court document reveals that he was arrested again on January 2 for violating these pretrial conditions. Fitzpatrick is to remain in custody pending a court appearance in the Eastern District of Virginia.
2024-01-05 17:33:45 bleepingcomputer MALWARE Hackers Exploiting Apache RocketMQ Servers with RCE Flaws
Hundreds of IP addresses are scanning for or attempting to exploit two critical remote code execution vulnerabilities in Apache RocketMQ, CVE-2023-33246 and CVE-2023-37582, every day. The first fix was incomplete: the NameServer component remained exploitable (CVE-2023-37582) in RocketMQ 5.1.1 and earlier and 4.9.6 and earlier. When a NameServer is exposed without permission checks, an attacker can abuse its configuration-update function to execute commands remotely. Users are advised to upgrade to version 5.1.2 or later on the 5.x line, or 4.9.7 or later on the 4.x line. The ShadowServer Foundation is tracking hosts scanning for vulnerable systems, which may indicate reconnaissance or exploitation attempts. The DreamBus botnet was observed using an exploit for CVE-2023-33246 to install Monero miners on compromised servers as early as August 2023. CISA has added CVE-2023-33246 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch.
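The practical question behind this item is which RocketMQ hosts still need action: anything below the fixed releases named above, and any NameServer that is reachable from the internet at all. The following is an added example (not code from the article or from the Apache RocketMQ project) that triages a constructed inventory against those two conditions. The fixed-version thresholds are the ones stated in the report; the inventory, hostnames and the assumption that the NameServer listens on its default port 9876 are constructed for the example.

```python
"""Triage Apache RocketMQ NameServers for the CVE-2023-33246 / CVE-2023-37582 fixes.

Added example, not from the article or the RocketMQ project. The inventory
below is constructed sample data.
"""
import re
from typing import List, NamedTuple, Tuple

# Fixed releases per line, as stated in the report: 5.1.2 (5.x) and 4.9.7 (4.x).
FIXED_VERSIONS = {5: (5, 1, 2), 4: (4, 9, 7)}
NAMESERVER_PORT = 9876  # RocketMQ NameServer default listen port (assumed unchanged)


class Host(NamedTuple):
    name: str
    version: str
    port: int
    internet_exposed: bool


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (an optional suffix such as '-SNAPSHOT' is ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its line.

    Lines other than 4.x and 5.x are not covered by the report, so they are
    treated as unpatched and surface for manual review.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False
    return v >= fixed


def triage(inventory: List[Host]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) for each host needing action, most urgent first.

    A host is listed if it runs an unpatched version, if its NameServer port is
    internet-exposed (exposure is a finding even on a patched build), or both.
    """
    findings = []
    for h in inventory:
        reasons = []
        if not is_patched(h.version):
            reasons.append(f"version {h.version} below fixed release")
        if h.internet_exposed and h.port == NAMESERVER_PORT:
            reasons.append("NameServer port reachable from the internet")
        if reasons:
            findings.append((h.name, "; ".join(reasons)))
    # Hosts that are both exposed and unpatched carry two reasons; sort them first.
    findings.sort(key=lambda f: -f[1].count(";"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("mq-prod-1", "4.9.4", 9876, True),    # unpatched and exposed
    Host("mq-prod-2", "5.1.1", 9876, False),   # unpatched, internal only
    Host("mq-prod-3", "5.1.2", 9876, True),    # patched but exposed
    Host("mq-dev-1", "4.9.7-SNAPSHOT", 9876, False),  # patched, internal only
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Run as a script it prints one line per host needing action; `mq-dev-1` is silent because it is both patched and unreachable from outside. The exposure check is deliberately kept even for patched builds, since the scanning activity described above is aimed at whatever answers on the NameServer port.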
2024-01-05 17:23:11 bleepingcomputer CYBERCRIME CertiK's Twitter Account Hacked to Spread Crypto Wallet Drainer
CertiK's Twitter account, followed by over 343,000 users, was hijacked in a social engineering attack. Attackers posed as journalists to phish for CertiK employees' credentials through a fraudulent scheduling website link. After gaining access, the attackers posted a tweet from CertiK's account directing followers to a crypto wallet drainer under the guise of a security warning. Revoke.cash responded quickly, alerting the public that CertiK's account was compromised and warning against the fake website. The malicious post was removed 15 minutes after being published, with CertiK acknowledging that this event was part of a larger, ongoing social engineering campaign targeting numerous accounts. Government and business entities with verified Twitter accounts have been increasingly targeted by similar cryptocurrency scam tactics. The ongoing issue raises concerns about the effectiveness of current security measures, such as two-factor authentication (2FA), in protecting against sophisticated phishing schemes.
2024-01-05 15:41:08 thehackernews MALWARE North Korean Hackers Deploy New macOS Backdoor 'SpectralBlur'
Researchers have identified a new macOS backdoor dubbed SpectralBlur and linked it to North Korean threat actors. SpectralBlur shares traits with KANDYKORN, a malware family used by the North Korea-linked Lazarus sub-group BlueNoroff. The backdoor supports file management, shell command execution and evasion techniques. The discovery points to an escalating focus by North Korean hackers on macOS systems, especially those associated with cryptocurrency and blockchain. 2023 saw a significant rise in macOS-targeted malware, with 21 new families found compared to 13 in 2022. Security experts are warning of a potential further increase in macOS malware as the operating system grows in popularity in enterprise environments.
2024-01-05 15:35:47 bleepingcomputer CYBERCRIME Memorial University Cyberattack Postpones Academic Semester Start
The Memorial University of Newfoundland (MUN) suffered a cyberattack on December 29 that led to IT service disruptions. This incident resulted in the delay of the winter semester's start at Grenfell campus, with classes pushed from January 4 to January 8. While Marine Institute campus services are back online, Grenfell Campus is still facing outages, including a lack of internet and WiFi for resident students, as well as inoperative payment terminals. The university has required all staff and students to reset their MUN login passwords as a preventative measure. MUN has engaged law enforcement but has not yet confirmed whether student data was compromised in the attack. No ransomware group has claimed responsibility for the incident at the time of the report. Additional IT specialists from other campuses have been deployed to help restore systems at the affected campus.
2024-01-05 14:39:16 theregister CYBERCRIME BreachForums Leader Arrested for Bond Violation Before Sentencing
Conor Brian Fitzpatrick, alias Pompompurin, was arrested for breaching his pretrial conditions, including using a VPN and violating restrictions on computer use. Fitzpatrick, who ran the cybercrime forum BreachForums, pleaded guilty to charges including access device fraud and possession of child sexual abuse material. Initially granted pretrial release on a $300,000 bond, he violated multiple conditions and will now remain in custody until sentencing. He faces up to 10 years for each access device fraud count and a further 20 years for the child sexual abuse material charge. The sentencing hearing was postponed to January 19 after his legal team requested further psychological evaluation. BreachForums, founded after the similar site RaidForums was shut down, became a marketplace for cybercriminals on which Fitzpatrick acted as an escrow agent. The forum is still operational under a new domain despite Fitzpatrick's prosecution and the law enforcement crackdown on similar platforms.
2024-01-05 12:21:19 bleepingcomputer CYBERCRIME Crypto Wallet CEO Loses $125,000 in Phishing Scam
Bill Lou, co-founder of Nest Wallet, lost $125,000 to a phishing scam while trying to participate in a cryptocurrency airdrop. The scam used a fake giveaway website imitating a legitimate airdrop promotion, which tricked Lou into signing a wallet message that let the drainer empty his wallet. Lou criticized the popular MetaMask wallet for not catching the scam and claimed his own startup's wallet would have provided better protection. The fraudulent site (lessfeesandgas[.]io) was designed to mimic the legitimate domain (lessfeesandgas.org) and targeted unsuspecting crypto users. Social media reactions were mixed, with some expressing sympathy and others ridiculing Lou for not using his own wallet and for claiming his product's superiority. The incident highlights the persistence of cryptocurrency-related scams and the need for heightened security awareness in the blockchain community.
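The Nest Wallet case above and the CertiK account hijack earlier in this brief both turn on a lookalike domain: a legitimate name re-registered under a different TLD (lessfeesandgas[.]io against lessfeesandgas.org), or a trusted brand dressed up as a subdomain of an attacker-controlled site. The following is an added example (not code from either article or from any of the companies named) that classifies a candidate hostname against a list of trusted registrable domains, catching TLD swaps, one- or two-edit typosquats, and brand-as-subdomain spoofs. The trusted list, the candidate names and the two-label view of a registrable domain (it does not handle multi-label public suffixes such as co.uk) are assumptions made for the example.

```python
"""Classify a hostname as trusted, TLD swap, typosquat, subdomain spoof or unknown.

Added example, not from the articles. TRUSTED and the test candidates are
constructed; registrable domains are assumed to be label.tld (single-label TLDs).
"""
from typing import Optional, Set, Tuple

# Constructed allow-list of registrable domains a wallet user or employee would trust.
TRUSTED: Set[str] = {"lessfeesandgas.org", "certik.com", "revoke.cash", "metamask.io"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case, undo '[.]' defanging, drop a trailing dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(host: str) -> Tuple[str, str]:
    """Return (label, tld) of the registrable domain; assumes single-label TLDs."""
    labels = normalize(host).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a hostname: {host!r}")
    return labels[-2], labels[-1]


def classify(candidate: str, trusted: Set[str] = TRUSTED,
             max_edits: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain).

    Verdicts, in the order they are tested:
      trusted          registrable domain is on the allow-list (any subdomain of it)
      subdomain-spoof  a trusted domain appears as a subdomain of some other domain
      tld-swap         same registrable label as a trusted domain, different TLD
      typosquat        label within max_edits edits of a trusted label
      unknown          none of the above
    """
    host = normalize(candidate)
    label, tld = registrable(host)
    reg = f"{label}.{tld}"
    if reg in trusted:
        return "trusted", reg
    # e.g. certik.com.schedule-interview.net: the brand is a prefix, not the owner.
    for t in sorted(trusted):
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "subdomain-spoof", t
    for t in sorted(trusted):
        t_label, t_tld = registrable(t)
        if t_label == label and t_tld != tld:
            return "tld-swap", t
    best: Optional[Tuple[int, str]] = None
    for t in sorted(trusted):
        d = levenshtein(registrable(t)[0], label)
        if d <= max_edits and (best is None or d < best[0]):
            best = (d, t)
    if best is not None:
        return "typosquat", best[1]
    return "unknown", None


if __name__ == "__main__":
    for name in ["lessfeesandgas[.]io", "www.certik.com", "certlk.com",
                 "certik.com.schedule-interview.net", "example.com"]:
        print(f"{name:40} -> {classify(name)}")
```

The check order matters: the exact allow-list match runs first so that a genuine subdomain such as www.certik.com is never flagged, and the subdomain-spoof test runs before the TLD and edit-distance tests because an attacker who embeds the whole trusted name gives the strongest signal. The edit-distance threshold of two is an assumption; short labels will need a tighter bound to avoid false positives.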
2024-01-05 12:21:19 bleepingcomputer MISCELLANEOUS Enhance IT Security Skills with Discounted White Hat Hacker Bundle
The Ultimate 2020 White Hat Hacker Certification Bundle offers a $70 discount on courses aimed at improving ethical hacking capabilities. The bundle includes ten comprehensive courses delivered by cybersecurity professionals such as Nathan House and Joe Parys. Instruction covers a wide range of topics, from understanding hacker tactics to network security, endpoint protection, and hands-on ethical hacking practice. Python programming for security purposes, both defensive and offensive, is a specific area of focus within the course materials. Participants will receive in-depth training on using Nmap for network security and preparing for CompTIA's PenTest+ and CySA+ certification exams. The bundle is marketed as essential for IT workers in any role, seeking to bolster their skills against emerging cybersecurity threats. While the listed price of the bundle is $110, it's currently being offered for $39.99, representing a significant savings opportunity.