Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12633
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-02 15:51:33 | bleepingcomputer | DATA BREACH | Court Services Victoria Falls Victim to Ransomware Data Breach | Court Services Victoria (CSV) has announced a cyberattack, detected on December 21, 2023, that compromised video recordings of court hearings.<br>Attackers gained access to CSV's audio-visual archive, potentially exposing sensitive information from hearings held between November 1 and December 21, 2023.<br>Subsequent investigation found that the intrusion began on December 8, 2023, raising concerns about the extent and duration of the exposure.<br>CSV has isolated the affected system and notified relevant authorities, including Victoria Police and Australia's IDCARE.<br>Individuals potentially impacted will be notified by the affected courts.<br>CSV says court operations will continue as scheduled, with additional security measures being implemented.<br>Sources attribute the attack to the Qilin ransomware group, previously known as "Agenda", but this has not been officially confirmed.<br>CSV has not disclosed whether a ransom was demanded or whether any data was stolen and published by the threat actors. | Details |
| 2024-01-02 10:05:24 | thehackernews | MISCELLANEOUS | Guide to Securing Corporate Environments with Enterprise Browsers | Enterprise browsers are emerging as a way to address the security challenges posed by the extensive use of web browsers in corporate environments.<br>Traditional security tooling struggles to manage browser risk: browsers are a major attack target and a common channel for unintentional data leaks.<br>An Enterprise Browser Buyer's Guide has been released to help security teams select an enterprise browser, with an actionable checklist.<br>Enterprise browsers must protect against unintended data exposure and malicious activity, including exploitation of browser vulnerabilities and phishing.<br>The guide weighs deployment, user experience, security functionality and user privacy when evaluating a solution.<br>It breaks the required security functionality into five primary pillars and closes with a checklist of essential capabilities to simplify evaluation and decision-making. | Details |
| 2024-01-02 09:54:37 | thehackernews | DATA BREACH | Google Settles Multibillion-Dollar Privacy Suit Over Incognito Tracking | Google has settled a class-action lawsuit alleging that it tracked users' browsing activity even in Chrome's Incognito mode.<br>The lawsuit, filed in June 2020, accused Google of misleading users and violating federal wiretap laws.<br>Plaintiffs argued that Google collected data from private browsing sessions without adequate user consent.<br>A settlement has been reached, but its terms and financial details were not disclosed.<br>Google's defense rested on consent communicated through the Incognito warning screen, an argument the court did not accept.<br>The case highlights the complexities of online privacy and the use of analytics and advertising APIs.<br>Users were unaware that their private browsing activity could still be tracked by various online services despite using Incognito mode. | Details |
| 2024-01-01 16:07:33 | bleepingcomputer | CYBERCRIME | Law Enforcement Disrupts Global Cybercrime Operations in 2023 | Law enforcement agencies around the world conducted operations in 2023 that disrupted a wide range of cybercrime, including cryptocurrency scams, phishing and ransomware.<br>The FBI infiltrated the Hive ransomware gang and seized its infrastructure, after which the criminals rebranded.<br>Dutch police hacked the encrypted communication platform Exclu to monitor criminal activity, leading to 42 arrests after extensive investigations.<br>German and Ukrainian law enforcement disrupted the DoppelPaymer ransomware group, targeting suspected core members.<br>The FBI arrested the suspected administrator of the NetWire remote access trojan, a tool used in a wide range of cybercrime, and seized its infrastructure.<br>The UK's NCA set up fake DDoS-for-hire websites to unmask would-be cybercriminals and collect data on buyers of illegal services.<br>The DOJ seized a significant amount of stolen cryptocurrency from investment scammers and plans to return the funds to victims.<br>Genesis Market, a popular stolen-credentials marketplace, was taken down in Operation Cookie Monster, with large numbers of digital fingerprints seized.<br>Interpol's Operation HAECHI IV led to the arrest of 3,500 suspects and the seizure of $300 million linked to various cybercrimes.<br>The FBI hacked ALPHV ransomware servers and released a decryption tool, while German police took down Kingdom Market, a significant dark web cybercrime marketplace. | Details |
| 2024-01-01 15:11:24 | bleepingcomputer | DATA BREACH | Top Cybersecurity Events of 2023: Breaches and Hostile Takeovers | Credential stuffing attacks compromised 23andMe, exposing the data of 6.9 million users; some of the data was leaked on a hacking forum, prompting class action lawsuits.<br>Danish hosting provider CloudNordic suffered a crippling ransomware attack that resulted in total customer data loss after recovery efforts failed.<br>Hacktivists from Anonymous Sudan disrupted major tech firms, including Microsoft and Cloudflare, through DDoS attacks.<br>Researchers demonstrated acoustic side-channel attacks that recover keystrokes from microphone recordings with up to 95% accuracy using machine learning.<br>PayPal suffered a large-scale credential stuffing attack in which 34,942 accounts were accessed, exposing sensitive personal information.<br>DISH Network was hit by a ransomware attack linked to Black Basta, causing significant outages and customer data theft.<br>GoDaddy disclosed a multi-year breach that leaked source code and customer information, and MGM Resorts' operations were disrupted by a ransomware attack.<br>The North Korean Lazarus group compromised 3CX in a supply chain attack, distributing previously unknown information-stealing malware through the company's own software.<br>Barracuda Email Security Gateway appliances were hacked by Chinese actors using a zero-day vulnerability, leading to the unusual recommendation that customers replace the devices.<br>The ESXiArgs ransomware campaign targeted exposed VMware ESXi servers worldwide, rapidly encrypting virtual machines at numerous companies. | Details |
| 2024-01-01 14:04:53 | thehackernews | MALWARE | New Malware Technique Circumvents Windows 10 and 11 Defenses | Researchers have identified a new DLL search order hijacking variant that evades Windows 10 and 11 security features.<br>The technique abuses executables that live in the trusted WinSxS folder; because nothing has to be written into protected system directories, the attacker needs no elevated privileges to run malicious code through them.<br>The attacker places a malicious DLL carrying the name of a library the WinSxS binary expects into a directory they control, then launches the binary so that it resolves the DLL from that directory (the current working directory) instead of from its legitimate location.<br>Because the target binary runs in place from WinSxS, the attacker never has to copy the legitimate executable next to the malicious DLL, which classic search order hijacking requires.<br>Detecting this subtle approach requires closely monitoring parent-child process relationships, the working directory WinSxS binaries are launched from, and the modules they load.<br>Security Joes, the cybersecurity firm that documented the technique, urges organizations to take preventive measures against it.<br>Other binaries in the WinSxS folder may be susceptible to the same technique, increasing the urgency of protective actions. | Details |
| 2024-01-01 09:40:31 | thehackernews | CYBERCRIME | Vulnerability in SSH Protocol Allows Security Downgrade Attack | A vulnerability named Terrapin (CVE-2023-48795) lets attackers downgrade the security of SSH connections.<br>Researchers found that by manipulating sequence numbers during the handshake, an attacker can delete messages at the start of the secure channel without either side detecting the truncation.<br>SSH uses cryptography to authenticate and secure connections, but the attack works when the connection uses the ChaCha20-Poly1305 cipher or a CBC cipher combined with an Encrypt-then-MAC (EtM) MAC.<br>The attack requires an active adversary-in-the-middle (AitM) able to intercept and modify TCP/IP traffic.<br>Risk is high for organizations with large networks that access privileged data, and patching is crucial.<br>Many SSH client and server implementations are affected, and maintainers have issued patches.<br>Because the countermeasure (a strict key exchange) must be supported by both ends of a connection, organizations need to patch both servers and clients to fully mitigate the vulnerability. | Details |
| 2024-01-01 06:57:27 | thehackernews | MALWARE | Sophisticated JinxLoader Distributes Formbook and XLoader Malware | A new malware loader, JinxLoader, is being used in phishing attacks to distribute the Formbook and XLoader malware.<br>Palo Alto Networks Unit 42 and Symantec have documented the multi-step attack chains involving JinxLoader.<br>JinxLoader was first advertised on hackforums[.]net and is sold with subscription options ranging from $60 to $200.<br>Attackers send phishing emails purporting to come from the Abu Dhabi National Oil Company, with password-protected RAR attachments that execute the malware.<br>Loader campaigns have increased noticeably, with infections delivering various information stealers, including a newcomer named Rugmi.<br>The Meduza Stealer has been updated with new features targeting browser-based cryptocurrency wallets and improved credit card data theft.<br>A new stealer family, Vortex Stealer, has emerged; it harvests browser data and other credentials and exfiltrates them through Gofile, Anonfiles, Discord webhooks and Telegram bots.<br>These developments show that stealer malware remains highly profitable for cybercriminals, driving continuous innovation in malware delivery. | Details |
| 2023-12-31 15:12:30 | bleepingcomputer | DATA BREACH | Ateam's Google Drive Misconfiguration Exposes Nearly 1 Million People's Data | Japanese game developer Ateam inadvertently exposed the personal information of 935,779 individuals through a misconfigured Google Drive sharing setting.<br>For over six years, sensitive files were accessible to anyone with the link, including customer, employee and business partner data.<br>The exposed data varied by group but primarily affected customers, with over 700,000 Ateam Entertainment users' information exposed.<br>There is no evidence that the data was maliciously accessed or stolen, but the incident underlines the need for vigilant cloud service security practices.<br>The misconfiguration reflects the broader problem of cloud storage exposures; similar incidents with Amazon S3 buckets have led to data breaches and leaks.<br>The US Cybersecurity and Infrastructure Security Agency (CISA) publishes guidance on securing cloud services to prevent such accidental exposures.<br>Ateam has urged impacted individuals to be cautious of unsolicited contact that may result from the exposure. | Details |
| 2023-12-30 15:14:29 | bleepingcomputer | MALWARE | Flaw in Black Basta Ransomware Enables Free File Recovery | Security researchers have developed a decryptor that exploits a flaw in the Black Basta ransomware to recover files without paying.<br>The decryptor works for victims attacked between November 2022 and roughly a week before the cybercriminals fixed the flaw in December 2023.<br>Files between 5,000 bytes and 1 GB can be fully recovered; for files larger than 1 GB the first 5,000 bytes are lost, and files smaller than 5,000 bytes cannot be recovered.<br>The decryptor, "Black Basta Buster", is a set of scripts that reverses the encryption by exploiting a mistake in how the ransomware applied its keystream: the same keystream was XORed across the chunks of a file, so wherever the file contained a run of zero bytes the keystream itself was written into the encrypted file and can be read back to decrypt the rest.<br>SRLabs, who discovered the flaw, says virtualized disk images have a high likelihood of being restored.<br>Some digital forensics and incident response (DFIR) companies had quietly used the flaw for months to help clients avoid ransom payments before the decryptor was made public.<br>Black Basta has been linked to the FIN7 hacking group and has launched numerous attacks since April 2022, focusing on double-extortion tactics against corporate victims. | Details |
| 2023-12-30 09:33:46 | thehackernews | CYBERCRIME | Surge in Phishing Attacks Draining Cryptocurrency Wallets | Cybersecurity researchers have observed an uptick in phishing campaigns targeting a variety of blockchain networks with methods designed to empty cryptocurrency wallets.<br>The Angel Drainer phishing group runs a "scam-as-a-service" operation, providing wallet-draining scripts to affiliates in exchange for a cut of the illicit proceeds.<br>Inferno Drainer, another service, implicated in stealing over $70 million in cryptocurrency from more than 100,000 victims, recently announced that it was shutting down.<br>These wallet-draining kits work by luring users to fake websites, often via malvertising or misleading social media messages, and persuading them to connect their wallets.<br>Victims are tricked into authorizing transactions that hand control of their funds to the attacker, typically through "approve" or "permit" calls against malicious smart contracts.<br>The stolen cryptocurrency is often laundered through mixers or split across many transfers to hide the culprits' tracks before being cashed out.<br>Recommendations for crypto users include using hardware wallets, verifying the legitimacy of smart contracts before interacting with them, and regularly reviewing and revoking wallet token allowances. | Details |
| 2023-12-29 20:40:27 | bleepingcomputer | RANSOMWARE | LockBit Ransomware Continues Hospital Attacks Amid Quiet Week | LockBit affiliates have continued to attack hospitals despite the operation's stated policy against such targets.<br>LockBit handed over a decryptor after an affiliate attacked the Hospital for Sick Children in Toronto, yet it recently hit three German hospitals, disrupting emergency room services.<br>Yakult Australia suffered a cyber incident that led to a 95 GB data leak affecting both its Australian and New Zealand IT systems.<br>The Ohio Lottery was hit by a cyberattack on Christmas Eve, claimed by the new DragonForce ransomware operation, forcing the shutdown of several internal applications.<br>Two New York hospitals have taken legal action to reclaim stolen data held on Wasabi Technologies' cloud servers following a LockBit attack.<br>Microsoft has once more disabled the MSIX ms-appinstaller protocol handler because of its abuse in malware campaigns that can lead to ransomware infections.<br>New ransomware variants with their own file extensions and ransom notes continue to appear, showing ongoing development in ransomware tactics. | Details |
| 2023-12-29 20:24:51 | bleepingcomputer | CYBERCRIME | Hospitals Fight to Recover Data from Ransomware Attack via Legal Action | Two New York not-for-profit hospitals are taking legal steps to retrieve data stolen in an August 2023 ransomware attack by the LockBit gang.<br>The compromised data includes sensitive patient information such as names, Social Security numbers and health records, currently held on Wasabi Technologies' servers.<br>The hospitals, part of the North Star Health Alliance, serve over 220,000 residents and had to redirect urgent care patients elsewhere after the attack.<br>The breach therefore compromised data and also disrupted patient care and emergency services.<br>The hospitals are working with the FBI and are seeking a court order requiring Wasabi to return the stolen data and the ransomware group to destroy any copies.<br>LockBit's attacks have had a global reach beyond these hospitals, disrupting emergency services in Germany and delaying treatments at a children's hospital in Toronto. | Details |
| 2023-12-29 16:15:14 | bleepingcomputer | MALWARE | Malware Exploits Google OAuth to Hijack User Accounts | Multiple malware families are abusing an undocumented Google OAuth endpoint to regenerate expired authentication cookies and access user accounts.<br>Session cookies, which carry authentication state, are being hijacked, giving cybercriminals persistent access even after the victim resets their password.<br>Researchers from CloudSEK found that the exploit uses a Google endpoint called "MultiLogin", used to synchronize accounts across Google services.<br>The exploit, first disclosed by a threat actor named PRISMA, regenerates Google service cookies from stolen token:GAIA ID pairs taken from Chrome profiles.<br>Malware developers are rapidly adopting it, with at least six information-stealing malware families already using it.<br>Lumma, one of those stealers, has updated its implementation to evade Google's abuse detection, which suggests Google is aware of the issue.<br>Google had not responded at the time of writing, leaving the status of exploitation and mitigation of this actively exploited technique uncertain. | Details |
| 2023-12-29 16:04:37 | bleepingcomputer | MALWARE | Slay the Spire Mod Update Infects Gamers with Password-Stealing Malware | The "Downfall" mod for the game Slay the Spire was compromised and distributed the Epsilon information stealer.<br>The malware harvests cookies, saved passwords and credit card information from browsers, along with details from Steam and Discord accounts.<br>Users who launched the mod during the Christmas Day breach window are advised to change all important passwords.<br>The attack used the game's Steam and Discord update mechanisms, with the malicious payload posing as a Unity library installer.<br>Stolen information can be used for further account breaches or sold on the dark web.<br>Valve, the owner of Steam, has introduced SMS security checks for developers updating games to counter such threats.<br>The breach is believed to have occurred through token hijacking rather than direct password theft; no developer emails were compromised. | Details |
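The WinSxS DLL search order hijacking entry above (2024-01-01 14:04:53) says detection depends on watching process relationships, working directories and module loads of WinSxS binaries. The following is an added example, not code from the article or from Security Joes: a detection pass over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) that flags a WinSxS binary launched from a working directory outside the Windows folder and a WinSxS binary loading a module from outside the trusted system directories. The binary name, component directory, DLL name and user paths are hypothetical, and the trusted roots are an assumption to tune for your environment.

```python
"""Added example (not from the article or Security Joes' research): flag the
observable traits of the WinSxS DLL search order hijack over constructed
Sysmon-style events. All paths below are hypothetical."""
import ntpath

WINDOWS_ROOT = r"C:\Windows"
WINSXS_ROOT = r"C:\Windows\WinSxS"
# Assumption: directories a WinSxS binary is expected to load modules from.
# Extend for your build (e.g. .NET framework directories) to cut false positives.
TRUSTED_MODULE_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: separators, '..', case, trailing slash."""
    return ntpath.normpath(path.replace("/", "\\")).lower().rstrip("\\")


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies anywhere inside it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def analyze(events):
    """Return findings for suspicious activity by binaries that live in WinSxS."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if not is_under(image, WINSXS_ROOT):
            continue  # only binaries executing from WinSxS are in scope
        if ev["EventID"] == 1:  # process creation: where was it launched from, and by whom?
            cwd = ev.get("CurrentDirectory", "")
            if not is_under(cwd, WINDOWS_ROOT):
                findings.append({"rule": "winsxs-binary-launched-from-foreign-cwd",
                                 "image": image, "parent": ev.get("ParentImage", ""),
                                 "detail": cwd})
        elif ev["EventID"] == 7:  # image load: did it pull a DLL from an unexpected place?
            module = ev.get("ImageLoaded", "")
            if not any(is_under(module, root) for root in TRUSTED_MODULE_ROOTS):
                findings.append({"rule": "winsxs-binary-loaded-untrusted-module",
                                 "image": image, "parent": ev.get("ParentImage", ""),
                                 "detail": module})
    return findings


# Constructed sample events (not from a real host); binary and DLL names are placeholders.
WINSXS_BIN = WINSXS_ROOT + r"\amd64_example-component_10.0.19041.1_none_0123456789abcdef\sample.exe"
STAGING = r"C:\Users\alice\Downloads\staging"
CMD = WINDOWS_ROOT + r"\System32\cmd.exe"

SAMPLE_EVENTS = [
    # attacker runs the WinSxS binary from their staging directory
    {"EventID": 1, "Image": WINSXS_BIN, "ParentImage": CMD, "CurrentDirectory": STAGING + "\\"},
    # benign system DLL load by the same binary
    {"EventID": 7, "Image": WINSXS_BIN, "ParentImage": CMD,
     "ImageLoaded": WINDOWS_ROOT + r"\System32\kernel32.dll"},
    # the planted DLL resolved from the staging directory
    {"EventID": 7, "Image": WINSXS_BIN, "ParentImage": CMD, "ImageLoaded": STAGING + r"\planted.dll"},
    # legitimate-looking launch from inside the Windows folder (forward slashes, odd case)
    {"EventID": 1, "Image": WINSXS_BIN, "ParentImage": WINDOWS_ROOT + r"\System32\services.exe",
     "CurrentDirectory": "c:/WINDOWS/system32/"},
    # a non-WinSxS process is out of scope regardless of its working directory
    {"EventID": 1, "Image": WINDOWS_ROOT + r"\System32\notepad.exe", "ParentImage": CMD,
     "CurrentDirectory": STAGING + "\\"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The two findings this produces correspond to the two observables the entry names. In a real deployment the working-directory rule needs an allowlist of legitimate WinSxS invocations (Windows servicing also launches binaries from there), and the module-load rule requires Sysmon Event ID 7 logging to be enabled for WinSxS images.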
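The Terrapin entry above (2024-01-01 09:40:31) says the attack applies only to certain algorithm combinations and that both ends must support the strict key exchange countermeasure. The following is an added example, not code from the article or from the Terrapin researchers: it builds and parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1) and reports whether a peer offers an affected mode (chacha20-poly1305@openssh.com, or a CBC cipher alongside an Encrypt-then-MAC MAC) without offering the strict kex marker for its role (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients). The KEXINIT payloads are constructed, not captured from real hosts, and the cookie is zeroed for determinism.

```python
"""Added example (not from the article or the Terrapin researchers' tooling):
classify a peer's SSH_MSG_KEXINIT offer for Terrapin (CVE-2023-48795)
exposure. Payloads below are constructed, not captured."""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
NAMELIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload offering the same lists in both directions (zero cookie)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _namelist(names)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its ten name-lists plus the follows flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message type byte and 16-byte cookie
    for field in NAMELIST_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError(f"truncated name-list {field}")
        off += n
        out[field] = [s for s in raw.decode("ascii").split(",") if s]
    out["first_kex_packet_follows"] = payload[off] != 0
    return out


def terrapin_exposure(kexinit, role="server"):
    """Affected modes: chacha20-poly1305@openssh.com, or any *-cbc cipher offered
    together with an *-etm@openssh.com MAC. A peer offering an affected mode is
    still protected if it offers the strict kex marker for its role and the
    other side supports strict kex as well, which is why both ends need patching."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    reasons = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        reasons.append("chacha20-poly1305@openssh.com")
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    if cbc and etm:
        reasons.append(f"CBC {cbc} with EtM {etm}")
    strict = STRICT_KEX[role] in kexinit["kex"]
    return {"affected_modes": reasons, "strict_kex": strict,
            "vulnerable": bool(reasons) and not strict}


# Constructed server offers.
UNPATCHED_SERVER = build_kexinit(
    kex=("curve25519-sha256", "ecdh-sha2-nistp256"), hostkey=("ssh-ed25519",),
    enc=("chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"))
PATCHED_SERVER = build_kexinit(  # same modes, but advertises strict kex
    kex=("curve25519-sha256", "kex-strict-s-v00@openssh.com"), hostkey=("ssh-ed25519",),
    enc=("chacha20-poly1305@openssh.com", "aes128-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com",))
NO_AFFECTED_MODES_SERVER = build_kexinit(  # no strict kex, but nothing Terrapin can attack
    kex=("curve25519-sha256",), hostkey=("ssh-ed25519",),
    enc=("aes256-gcm@openssh.com", "aes128-ctr"), mac=("hmac-sha2-256",))

if __name__ == "__main__":
    for name, payload in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER),
                          ("no affected modes", NO_AFFECTED_MODES_SERVER)):
        print(name, terrapin_exposure(parse_kexinit(payload)))
```

The check looks at what a peer offers, not what a given session negotiates; an unpatched server that offers chacha20 alongside aes-gcm is still at risk whenever a client prefers chacha20. Feed a client's KEXINIT with role="client" to check the other half of the requirement.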
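The Black Basta decryptor entry above (2023-12-30 15:14:29) turns on one cryptographic mistake: the same keystream applied to every chunk of a file, which a run of zero bytes then exposes in the clear. The following is an added example, not code from the article, SRLabs or the Black Basta Buster tool: a toy model of that mistake, with SHAKE-256 over key||counter standing in for a real stream cipher, a constructed key and a constructed "file". It recovers the keystream from ciphertext alone and shows the same attack failing against a correctly advanced keystream. Black Basta's actual cipher, key handling and size-dependent partial encryption (the source of the 5,000-byte and 1 GB limits quoted above) are not reproduced.

```python
"""Added example (not from the article, SRLabs or Black Basta Buster): a toy
model of keystream reuse and known-plaintext recovery. The keystream
generator, key and file contents are constructed stand-ins."""
import hashlib
from collections import Counter

CHUNK = 64


def keystream_block(key: bytes, counter: int) -> bytes:
    """Toy keystream generator: 64 bytes from key || 64-bit little-endian counter."""
    return hashlib.shake_256(key + counter.to_bytes(8, "little")).digest(CHUNK)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def encrypt(plaintext: bytes, key: bytes, advance_counter: bool) -> bytes:
    """advance_counter=True: a fresh keystream block per chunk (correct stream cipher).
    advance_counter=False: every chunk is XORed with block 0 (the modelled flaw)."""
    out = bytearray()
    for i in range(0, len(plaintext), CHUNK):
        ks = keystream_block(key, i // CHUNK if advance_counter else 0)
        out += xor(plaintext[i:i + CHUNK], ks)
    return bytes(out)


def recover_keystream(ciphertext: bytes) -> bytes:
    """Recover the reused keystream without the key: the most frequent full
    ciphertext chunk is assumed to encrypt an all-zero chunk (zero runs are
    common in disk images, databases and archives), and 0 XOR ks == ks."""
    chunks = [ciphertext[i:i + CHUNK]
              for i in range(0, len(ciphertext) - CHUNK + 1, CHUNK)]
    if not chunks:
        raise ValueError("need at least one full chunk")
    return Counter(chunks).most_common(1)[0][0]


def decrypt_with_keystream(ciphertext: bytes, ks: bytes) -> bytes:
    """Undo the flawed encryption with a single recovered 64-byte keystream."""
    return b"".join(xor(ciphertext[i:i + CHUNK], ks)
                    for i in range(0, len(ciphertext), CHUNK))


# Constructed key and file: header, zero-filled region, payload bytes, zeros, trailer.
SAMPLE_KEY = bytes(range(32))
SAMPLE_FILE = (b"SAMPLE-FILE-HEADER-v1" + b"\x00" * 640
               + bytes(range(256)) * 3 + b"\x00" * 320 + b"trailer")


def demo():
    """Recovery succeeds against the flawed mode and fails against the correct one."""
    flawed = encrypt(SAMPLE_FILE, SAMPLE_KEY, advance_counter=False)
    correct = encrypt(SAMPLE_FILE, SAMPLE_KEY, advance_counter=True)
    return {
        "flawed_recovered": decrypt_with_keystream(flawed, recover_keystream(flawed)) == SAMPLE_FILE,
        "correct_recovered": decrypt_with_keystream(correct, recover_keystream(correct)) == SAMPLE_FILE,
    }


if __name__ == "__main__":
    print(demo())
```

The frequency heuristic is what makes this practical for incident responders: nothing about the key is needed, only a file with at least one 64-byte-aligned run of zeros, which is why the entry above singles out virtualized disk images as highly recoverable. With the counter advanced per chunk the zero runs encrypt to different blocks and the heuristic finds nothing useful, which is the property a correct stream cipher is supposed to have.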