Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12631
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-18 15:04:12 | bleepingcomputer | CYBERCRIME | Former IT Manager Guilty of Retaliatory Cyberattack on High School | Conor LaHiff, former IT manager at a New Jersey high school, pleaded guilty to attacking the school's systems after he was dismissed in June 2023.
The plea covers one count of unauthorized damage to protected computers under the Computer Fraud and Abuse Act (CFAA).
In retaliation, LaHiff used administrative access he still held after his dismissal to delete thousands of Apple IDs and disable more than 1,400 accounts, crippling the school's operations.
His cyberattack left the school's phone service inoperable for a day and resulted in direct financial losses of at least $5,000.
The case shows why access must be revoked at the moment an employee is dismissed: an ex-administrator whose credentials still work is an insider threat with a grievance.
Despite his conduct at the high school, LaHiff later obtained a similar job at another school, which he is required to inform of his guilty plea.
LaHiff's sentencing is set for March 20, 2024, with possible penalties including a 10-year prison sentence and fines up to $250,000. | Details |
| 2023-12-18 14:43:26 | thehackernews | MISCELLANEOUS | Key Trends in Securing SaaS for Corporate IT | SaaS applications have become central to corporate IT; organizations in every sector now keep business data in cloud-hosted software.
Business units can buy and onboard SaaS on their own, which has pushed security teams toward closer collaboration with those units and toward tooling that gives application-specific guidance.
Identity Threat Detection and Response (ITDR) is emerging as a key control against compromise of privileged SaaS accounts, detecting attacker tactics and indicators of compromise in the identity layer.
Global companies that must satisfy differing regional regulations end up with multiple tenants of the same SaaS product, each of which has to be secured individually without multiplying cost.
SaaS misconfigurations have caused significant data breaches, and organizations are recognizing that hardening settings is a prerequisite for preventing them.
Third-party SaaS integrations are a growing risk because they frequently request high-level permissions; security teams need visibility into, and control over, these connections.
Remote work has increased the need for device-level controls, especially where highly privileged users reach SaaS apps from unmanaged personal devices.
Adoption of SaaS Security Posture Management (SSPM) tools is growing, providing automated monitoring, configuration baseline tools, third-party app risk assessment, and improved communication between business and security teams to safeguard SaaS stacks. | Details |
| 2023-12-18 14:37:35 | thehackernews | MALWARE | Rhadamanthys Malware Evolution: A Multi-Tool for Information Theft | Rhadamanthys malware, known for its information-stealing capabilities, is being constantly updated with new features, including a customizable plugin system.
Sold as malware-as-a-service (MaaS) since September 2022, Rhadamanthys can target web browsers, crypto wallets, email clients, VPNs, and messaging apps.
Check Point's analysis indicates a clear trend towards modularity, allowing the malware to more effectively cater to the specific needs of its distributors.
The malware includes active and passive components for information theft and adds capabilities such as clipboard data manipulation to hijack cryptocurrency transactions.
New functionalities like keyloggers and system information collectors are transforming Rhadamanthys into a more versatile spyware tool.
Check Point also notes an overlap in design and implementation with the Hidden Bee coin miner, pointing to shared code lineage rather than independent development.
In a separate report, Trend Micro describes RAT infections that inject their payload into aspnet_compiler.exe, a legitimate .NET binary, so the malicious code runs under a trusted process name.
In those cases the command-and-control hostnames resolve through Dynamic DNS (DDNS), letting the operators change the backing IP addresses frequently and defeating IP-based blocking.
| 2023-12-18 13:41:17 | bleepingcomputer | DATA BREACH | Mr. Cooper Mortgage Lender Suffers Massive Data Breach | Mortgage company Mr. Cooper fell victim to a cyberattack on October 30, 2023, compromising the data of 14.7 million individuals.
Attackers accessed customer data; however, no financial information was reported as exposed.
The breach prompted a shutdown of IT systems, affecting online payment portals and other services.
A notification sent to affected users included an offer for 24 months of identity protection services.
Mr. Cooper is actively monitoring the dark web for signs of misuse of the breached data but has not observed any as of the report.
Regulatory authorities, such as the Office of the Maine Attorney General, have been notified of the incident scale and details.
The investigation is ongoing; no details on the nature of the attack or the attackers have been released, and no ransomware group has claimed responsibility. | Details |
| 2023-12-18 12:39:47 | theregister | NATION STATE ACTIVITY | UK's National Grid Ends Contract with Chinese Firm Amid Security Fears | The National Grid is removing Chinese-manufactured equipment over cybersecurity concerns, after consulting with the UK’s National Cyber Security Centre.
The contract with NR Electric UK, a subsidiary of China's Nari Technology, was terminated, though exact reasons were not publicly given.
Neither the National Grid nor UK government bodies would elaborate, citing the sensitivity of critical infrastructure security.
The removed components handle communication and stability functions on the UK's energy grid, including the controls that help prevent blackouts.
This move continues the trend of the UK removing Chinese technology from its critical national infrastructure, following the exclusion of Huawei from its 5G networks.
Concerns about Chinese companies include legal obligations they may have to share data with the Chinese government, though no hard evidence of misconduct has been made public.
China has been previously implicated in deploying malware in foreign power grids, according to cybersecurity firm Symantec. | Details |
| 2023-12-18 12:19:11 | thehackernews | CYBERCRIME | U.S. Residents Charged Over $80 Million Crypto Investment Scam | Four U.S. nationals have been indicted for running cryptocurrency scams, specifically pig butchering schemes, defrauding victims of over $80 million.
Defendants are charged with money laundering-related offenses; two have been arrested, while two remain at large.
The Department of Justice reports the scheme involved at least 284 transactions, victimizing multiple individuals.
In a separate case, a Nigerian national was sentenced to three years for similar offenses affecting 34 victims across 13 countries.
Nearly $9 million in Tether cryptocurrency was recently seized by the U.S. DoJ, linked to a Southeast Asia-based group conducting pig butchering scams.
Pig butchering scams often originate on dating apps and lead victims to transfer funds to fraudulent investment platforms.
Scammers are increasingly recruiting victims through group chats and selecting targets using personal data from leaked databases.
The FBI's IC3 reported cryptocurrency investment scams resulted in losses of $2.57 billion in 2022, a 183% increase from the previous year. | Details |
| 2023-12-18 10:37:13 | thehackernews | CYBERCRIME | Addressing the Hidden Security Risks of LCNC and RPA Platforms | Low-code/no-code (LCNC) applications and robotic process automation (RPA) increase business efficiency but introduce significant security challenges.
Security teams may struggle with the new risks presented by citizen-developed applications due to their dynamic nature and volume.
LCNC platforms enable rapid digital transformation, but the apps built on them can carry the same classes of vulnerability as traditionally developed apps while receiving none of the same security review.
Most organizations lack adequate controls for LCNC apps and fall back on manual, cumbersome review.
LCNC and RPA environments are unique due to the increased likelihood of logical errors by non-traditional developers, lack of visibility for security teams, and minimal control over the app lifecycle.
Governance, compliance, and security are major concerns for CISOs and security teams in the context of decentralized app development.
Nokod Security has developed a centralized security solution specifically for LCNC and RPA applications, emphasizing the need for dedicated security solutions.
As innovation progresses, enterprises must assess LCNC and RPA platforms for compliance, vulnerability to attacks, and potential malicious activities. | Details |
| 2023-12-18 09:30:53 | thehackernews | MALWARE | QakBot Malware Targets Hospitality Sector with Phishing Tactics | Microsoft detected a new phishing campaign distributing QakBot malware aimed at the hospitality industry, beginning on December 11, 2023.
The phishing messages carry a PDF purportedly from an IRS employee; a URL in the PDF downloads a digitally signed Windows Installer (MSI) package that installs the malware, so a valid signature alone is no indication the package is safe.
The campaign uses an updated QakBot build, version 0x500, whose build timestamp is the day the campaign launched.
QakBot's infrastructure was disrupted by law enforcement in August in Operation Duck Hunt, which pushed an uninstaller to infected computers to remove the malware.
QakBot can steal sensitive information and deploy further malware, including ransomware; it is typically spread through spam emails with malicious attachments or links.
Similar to the Emotet botnet's resurgence, QakBot's return highlights the persistent threat and the need for advanced security measures, such as Zero Trust, to protect against spam email attacks. | Details |
| 2023-12-18 05:45:36 | thehackernews | CYBERCRIME | CISA Warning on Default Password Risks Amid Cyber Threats | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises manufacturers to eliminate default passwords to protect against cyber threats.
Default passwords on internet-exposed systems are being exploited by Iranian cyber actors affiliated with the Islamic Revolutionary Guard Corps (IRGC).
CISA's alert highlights the vulnerabilities associated with devices and appliances that ship with preset username and password combinations.
Threat actors use tools to locate internet-exposed devices and use default passwords for access, often gaining high-level privileges for further exploitation.
Manufacturers are encouraged to ship either a unique password per unit or a mandatory password change at first use, and to support multi-factor authentication (MFA).
Product field tests are recommended to align security expectations with the actual usage of products by customers, promoting "secure by design" principles.
The alert aligns with recent security concerns, including those acknowledged by the Israel National Cyber Directorate regarding attacks from a Lebanese group with Iranian intelligence ties.
CISA, NSA, and ODNI have also released guidelines to help organizations harden their software supply chains and securely manage open-source software applications. | Details |
| 2023-12-18 02:27:32 | theregister | DATA BREACH | MongoDB Alert: Unauthorized Access Exposes Customer Data | MongoDB issued an alert on Saturday about unauthorized access to its corporate systems, with customer contact information being exposed.
There has been no indication that data stored by customers in MongoDB Atlas has been compromised.
Customers are advised to be on the lookout for phishing attacks, enable phishing-resistant MFA, and regularly change their MongoDB Atlas passwords.
A spike in login attempts to MongoDB’s systems was experienced, though it was not related to the security incident.
Ransom letters demanding $50 were sent to patients of Seattle's Fred Hutchinson Cancer Center following a November breach.
The Hunters International ransomware gang took responsibility for the breach, claiming to have stolen 533GB of files and personal data.
Delta Dental reported a breach resulting from attacks on the MOVEit file transfer app, affecting nearly 7 million patients' sensitive data.
Currently, the MOVEit attacks have impacted 2,686 organizations and around 91 million individuals, with Delta Dental offering credit monitoring services to those affected. | Details |
| 2023-12-18 01:11:13 | theregister | NATION STATE ACTIVITY | Pro-China Influence Campaign Utilizes AI Avatars on YouTube | A pro-China influence operation named Shadow Play used AI-generated voiceovers and avatars on YouTube to promote narratives favorable to China and critical of the US.
The Australian Strategic Policy Institute (ASPI) discovered the campaign involved over 4,500 videos across 30 channels, resulting in 120 million views and 730,000 subscribers.
After being alerted by ASPI, YouTube removed 19 of the implicated channels, which had been active since mid-2022.
Shadow Play, believed to be run by a Mandarin-speaking commercial actor, possibly under state direction, focused heavily on technological advancement and rare earth mineral competition narratives.
Infosys CFO Nilanjan Roy resigned to pursue personal aspirations, marking the fourth significant executive departure from the company in 2023.
China proposed strict data breach guidelines requiring a ten-minute reporting deadline by phone and the establishment of round-the-clock emergency response teams.
TikTok received Indonesian government support for a strategic e-commerce partnership with local firm GoTo, on a trial basis.
China showcased its domestic passenger jets, the C919 and ARJ21, in Hong Kong signaling ambitions for global market penetration. | Details |
| 2023-12-17 23:49:51 | bleepingcomputer | CYBERCRIME | Kinsta Alerts Customers of Phishing Scam Using Google Ads | Kinsta, a WordPress hosting provider, is alerting customers about phishing sites impersonating their service, which are promoted through Google ads.
The phishing campaign is targeting users with the intent to steal login credentials for the MyKinsta management service.
Customers are being directed to sponsored fraudulent websites that mimic Kinsta's official site, with the aim of collecting MyKinsta login details.
Kinsta advises users to enable two-factor authentication as an additional security measure and to only access MyKinsta by typing the URL directly into their browsers.
The company warns users against clicking on any links other than those from official Kinsta domains and advises disregarding any text messages purporting to be from Kinsta.
This incident is part of a larger trend, with a notable increase in cybercriminals exploiting Google ads to promote phishing endeavors and distribute malware.
In similar cases, attackers have used Google ads to lure users to fake tech support pages or to malicious software downloads posing as reputable applications. | Details |
| 2023-12-17 21:52:54 | bleepingcomputer | MALWARE | Rhadamanthys Malware Boosts Capabilities with Enhanced Features | Rhadamanthys, a C++ information-stealer, has received major updates that add new theft capabilities and more sophisticated evasion techniques.
Initially targeting credentials for email, FTP, and online banking, Rhadamanthys is now more modular and customizable, sold via subscription to cybercriminals.
Distribution channels for the malware include malvertising, torrent downloads, emails, YouTube videos, and more, utilizing a diverse range of infection methods.
Researchers from Check Point have analyzed the latest versions, highlighting a new plugin system for targeted attacks and additional spying functions.
Added features include a 'Data Spy' plugin for RDP credential theft, improved cryptocurrency wallet targeting, and enhanced browser data theft abilities.
The redesigned malware loader incorporates anti-analysis checks, configuration embedding, and a package of modules for advanced evasion and data exfiltration.
Check Point reports Rhadamanthys developers are rapidly iterating versions, with the latest showing signs of active and continuous development to attract more cybercriminal users. | Details |
| 2023-12-17 21:47:36 | bleepingcomputer | MALWARE | QakBot Malware Resurges Targeting Hospitality Sector in Phishing Attacks | QakBot malware has resumed distribution through phishing campaigns after a disruption by law enforcement during the summer.
A multinational police operation had previously infiltrated the QakBot network, leading to the deployment of a module that neutralized the malware on infected devices.
The new campaign, which began on Monday, December 11, targets the hospitality industry with emails posing as IRS communications and carrying malicious PDFs.
Microsoft identified a new QakBot version in the campaign; it shows signs of ongoing development, including bugs, so the malware is evolving rather than being redeployed unchanged.
The latest phishing campaign utilizes sophisticated lures such as reply-chain emails, which are particularly challenging for users and administrators to recognize and filter out.
Originating as a banking trojan, QakBot has diversified into offering malware delivery services for activities ranging from ransomware to espionage and data theft.
Security experts highlight the need for vigilance against the QakBot's delivery methods, including malicious documents in various formats and possible exploitation of zero-day vulnerabilities. | Details |
| 2023-12-17 17:13:24 | bleepingcomputer | MALWARE | Rhadamanthys Malware Evolves with Enhanced Evasion Techniques | The Rhadamanthys information-stealing malware has been updated significantly, enhancing both its data theft and evasion capabilities.
First seen in August 2022, it targets credentials from various services and is distributed to cybercriminals on a subscription basis using different channels.
Check Point's research highlights new features in Rhadamanthys version 0.5.0, including a plugin system that lets operators tailor the stealer to their targets.
A 'Data Spy' plugin can capture RDP credentials following successful login attempts, signaling focus on post-breach espionage.
Version 0.5.0 has improved several attack mechanisms, including those targeting cryptocurrency wallets and the acquisition of Discord tokens.
The loader now includes anti-analysis checks and a revised execution process, and version 0.5.0 introduced five new modules aimed at increased evasion.
Cybercriminals announced version 0.5.1 with further enhancements, showcasing the rapid pace of the malware's development and suggesting its growing appeal to threat actors. | Details |
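The LaHiff case above (Former IT Manager Guilty of Retaliatory Cyberattack on High School) turns on access that was never revoked. As an added example, not code from the article or from BleepingComputer, here is an offboarding audit that joins an HR termination feed against an identity-provider account export and reports every dismissed user whose enabled account, administrative role or API tokens outlived a deprovisioning window. The data, the one-hour grace period, the field names, the role names and the user names are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the article: an HR termination feed and an
# identity-provider account export. Users, roles and token IDs are hypothetical.
TERMINATIONS = {
    "jdoe":   datetime(2023, 6, 28, 14, 0, tzinfo=timezone.utc),
    "asmith": datetime(2023, 6, 20, 9, 0, tzinfo=timezone.utc),
    "rpatel": datetime(2023, 6, 27, 17, 0, tzinfo=timezone.utc),
}

ACCOUNTS = [
    # Dismissed, still enabled, still an admin, still holding a live API token.
    {"user": "jdoe", "enabled": True, "disabled_at": None,
     "roles": ["device-admin", "staff"], "api_tokens": ["tok-4f1a"]},
    # Dismissed and disabled within 30 minutes, nothing left behind.
    {"user": "asmith", "enabled": False,
     "disabled_at": datetime(2023, 6, 20, 9, 30, tzinfo=timezone.utc),
     "roles": ["helpdesk"], "api_tokens": []},
    # Dismissed and eventually disabled, but only after three days.
    {"user": "rpatel", "enabled": False,
     "disabled_at": datetime(2023, 6, 30, 11, 0, tzinfo=timezone.utc),
     "roles": ["staff"], "api_tokens": []},
    # Current employee: not in scope.
    {"user": "bwong", "enabled": True, "disabled_at": None,
     "roles": ["teacher"], "api_tokens": []},
]

GRACE = timedelta(hours=1)  # assumption: policy allows one hour to finish deprovisioning
AS_OF = datetime(2023, 7, 3, 8, 0, tzinfo=timezone.utc)  # constructed audit time


def audit_offboarding(terminations, accounts, now, grace=GRACE):
    """Return (user, finding) pairs for terminated users whose access outlived the grace window.

    Three checks the LaHiff case turns on: is the account still enabled, does it still
    carry an administrative role, and are long-lived credentials (API tokens) still valid.
    A late-but-completed disable is reported too, so the process itself can be measured.
    """
    findings = []
    by_user = {a["user"]: a for a in accounts}
    for user, fired_at in sorted(terminations.items()):
        deadline = fired_at + grace
        if now <= deadline:
            continue  # still inside the grace window; nothing is overdue yet
        acct = by_user.get(user)
        if acct is None:
            findings.append((user, "no account record found; revocation cannot be confirmed"))
            continue
        if acct["enabled"]:
            findings.append((user, f"still enabled {now - deadline} past the deprovisioning deadline"))
            if any("admin" in r for r in acct["roles"]):
                findings.append((user, "still holds administrative role(s): " + ", ".join(acct["roles"])))
        elif acct["disabled_at"] is not None and acct["disabled_at"] > deadline:
            findings.append((user, f"disabled late, {acct['disabled_at'] - deadline} past the deadline"))
        if acct["api_tokens"]:
            # Tokens are checked even for disabled accounts: in some IdPs a token
            # issued before the disable keeps working until it is revoked explicitly.
            findings.append((user, f"{len(acct['api_tokens'])} API token(s) still valid: " + ", ".join(acct["api_tokens"])))
    return findings


if __name__ == "__main__":
    for user, finding in audit_offboarding(TERMINATIONS, ACCOUNTS, AS_OF):
        print(f"{user}: {finding}")
```

Run against the sample, the audit reports nothing for asmith (disabled 30 minutes after dismissal), one late-disable finding for rpatel, and three findings for jdoe. The same join against a real IdP export (Okta, Entra ID, Apple Business Manager) is the control that would have caught the LaHiff account before it was used.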
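For the CISA default-password alert above (CISA Warning on Default Password Risks Amid Cyber Threats), this is the check a defender runs against their own estate. It is an added example, not CISA's tooling and not from the article: it audits a device inventory for published factory credentials, for one credential shared across many units of the same vendor (a sign of an unpublished default), and for internet-exposed admin interfaces without MFA, and it shows the per-unit random credential with forced first-login change that the alert asks manufacturers to ship instead. The inventory, the vendor names and the short default list are constructed; a real audit would load a full vendor default-credential database.

```python
import secrets
import string
from collections import Counter

# Constructed device inventory, not from the CISA alert: hypothetical hosts and vendors.
INVENTORY = [
    {"host": "plc-01", "vendor": "acme",   "user": "admin", "password": "admin",
     "internet_exposed": True,  "mfa": False},
    {"host": "plc-02", "vendor": "acme",   "user": "admin", "password": "admin",
     "internet_exposed": False, "mfa": False},
    {"host": "cam-07", "vendor": "viewco", "user": "root",  "password": "Zq8!vL2#pT",
     "internet_exposed": True,  "mfa": False},
    {"host": "cam-08", "vendor": "viewco", "user": "root",  "password": "Zq8!vL2#pT",
     "internet_exposed": True,  "mfa": False},
    {"host": "fw-01",  "vendor": "acme",   "user": "admin", "password": "T7m#kq9Lw2@pR4vB",
     "internet_exposed": True,  "mfa": True},
]

# Widely published factory credentials. Illustrative only; a real audit loads a
# vendor-specific default-credential database.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", ""), ("root", "root"), ("root", "toor"),
}


def audit_default_credentials(inventory, known_defaults=KNOWN_DEFAULTS):
    """Return [(host, [reasons])] for devices whose admin credential is a published
    default or is shared across units of one vendor (an unpublished default),
    escalating when the device is internet-exposed; also flag exposed admin
    interfaces without MFA regardless of password quality."""
    shared = Counter((d["vendor"], d["user"], d["password"]) for d in inventory)
    findings = []
    for d in inventory:
        reasons = []
        key = (d["vendor"], d["user"], d["password"])
        if (d["user"], d["password"]) in known_defaults:
            reasons.append("published default credential")
        elif shared[key] > 1:
            reasons.append(f"identical credential on {shared[key]} {d['vendor']} units (likely vendor default)")
        if reasons and d["internet_exposed"]:
            reasons.append("reachable from the internet: trivially exploitable")
        if d["internet_exposed"] and not d["mfa"]:
            reasons.append("no MFA on an internet-exposed admin interface")
        if reasons:
            findings.append((d["host"], reasons))
    return findings


def provision_unique_credential(host, length=16):
    """Secure-by-design alternative to a shared default: a per-unit random password
    that must be replaced at first login. Returns the record a factory-provisioning
    step would print on the unit's label or embed in its shipped config."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return {"host": host, "user": "admin", "password": password,
            "must_change_on_first_login": True}


if __name__ == "__main__":
    for host, reasons in audit_default_credentials(INVENTORY):
        print(host, "->", "; ".join(reasons))
    print(provision_unique_credential("plc-01"))
```

The vendor-wide sharing check matters because it catches the case the published list misses: a credential that looks strong but is the same on every unit the vendor shipped, which is exactly what an attacker scanning for exposed devices will try next after the obvious admin/admin pairs. The MFA check stays independent of the password check, so re-auditing after rolling unique passwords still reports exposed interfaces that rely on a password alone.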
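Two stories above describe behaviours worth a detection rule: the Trend Micro finding of RATs injected into aspnet_compiler.exe and calling out over dynamic DNS (noted in the first Rhadamanthys row), and the QakBot campaign that lands a signed MSI from a PDF lure (both QakBot rows). The following is an added example, not from Microsoft, Trend Micro or either article: two rules run over Sysmon-style process-creation and network-connection events. The sample events are constructed, the field names follow Sysmon's JSON export but the rules are my own, and the DDNS suffix list and the set of interactive parent processes are assumptions to tune locally.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# EventID 3 = network connection). Hostnames, IPs, users and paths are made up.
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe", "DestinationHostname": "update-svc.duckdns.org", "DestinationIp": "198.51.100.23", "DestinationPort": 4782}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\msiexec.exe\" /i \"C:\\Users\\alice\\Downloads\\IRS_Form_Request.msi\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "CommandLine": "msiexec.exe /i C:\\Windows\\ccmcache\\a1\\agent.msi /qn"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "msiexec /i C:\\Users\\bob\\AppData\\Local\\Temp\\setup.msi"}
"""

# Assumption: a short list of popular dynamic-DNS suffixes; production rules use a curated feed.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org", "dynu.com")

# User-writable drop locations where a freshly downloaded installer would sit.
USER_DROP_DIRS = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE)

# Parents indicating a user launched the installer from a file-manager, browser, mail or PDF session.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "acrord32.exe", "acrobat.exe", "outlook.exe"}


def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def is_ddns(hostname):
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def detect(events):
    """Apply both rules and return alerts in event order."""
    alerts = []
    for ev in events:
        image = image_name(ev.get("Image", ""))
        if ev.get("EventID") == 3 and image == "aspnet_compiler.exe":
            # aspnet_compiler.exe precompiles ASP.NET sites and has no reason to talk
            # to the network: any connection is suspicious, a DDNS destination more so.
            host = ev.get("DestinationHostname", "")
            alerts.append({
                "rule": "aspnet_compiler_network_connection",
                "severity": "high" if is_ddns(host) else "medium",
                "detail": f"{host}:{ev.get('DestinationPort')} ({ev.get('DestinationIp')})",
            })
        elif ev.get("EventID") == 1 and image == "msiexec.exe":
            # An MSI from a user's Downloads/Temp, or spawned under an interactive
            # parent, is the QakBot lure path. A valid code signature does not clear it.
            cmd = ev.get("CommandLine", "")
            parent = image_name(ev.get("ParentImage", ""))
            if USER_DROP_DIRS.search(cmd) or parent in INTERACTIVE_PARENTS:
                alerts.append({
                    "rule": "msiexec_user_downloaded_package",
                    "severity": "medium",
                    "detail": f"parent={parent} cmd={cmd}",
                })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["severity"].upper(), a["rule"], a["detail"])
```

On the sample, the aspnet_compiler.exe connection to a duckdns.org host fires at high severity, the two user-launched MSI installs fire at medium, and the management-agent install from ccmcache stays silent. The MSI rule deliberately ignores Authenticode status: the QakBot package was signed, so the useful signal is provenance (where the package sat and what launched it), not signature validity. Expect it to fire on legitimate user installs too; it is a triage signal to pair with the download URL and sender, not a block.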