Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12628
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-13 23:49:12 | bleepingcomputer | CYBERCRIME | Microsoft Tackles Cybercrime Ring Selling Fraudulent Accounts | Microsoft's Digital Crimes Unit has seized domains from a Vietnam-based group, Storm-1152, which sold fraudulent Microsoft Outlook accounts. The cybercriminals were behind the creation of over 750 million bogus accounts, capitalizing on them by selling them to other cyber actors. Storm-1152 also provided cybercrime-as-a-service tools, including an automatic CAPTCHA-solving service to facilitate the mass creation of fraudulent Microsoft email accounts. The fraudulent accounts have been used by various cybercrime gangs to infiltrate organizations and deploy ransomware, leading to damages in the hundreds of millions. Microsoft used a court order to shut down U.S.-based websites operated by Storm-1152 and sued individuals involved in the operations for their alleged roles. Microsoft aims to dismantle the broader cybercriminal infrastructure, attacking the tools and services that enable cyberattacks. | Details |
| 2023-12-13 22:47:45 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APT Group Targets SOHO Equipment via KV-botnet | Volt Typhoon (Bronze Silhouette), a Chinese state-sponsored hacking collective, has been correlated with the malicious 'KV-botnet', which has infiltrated SOHO routers and VPN devices since 2022 to compromise high-value targets. The joint examination by Microsoft and the US government points to an intentional development of infrastructure that could potentially undermine US-Asia communications during future crises. The Black Lotus Labs investigation uncovered the botnet's attacks on specific network devices including Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, exploiting network edge vulnerabilities. The botnet has been utilized for a variety of incursions against telecoms, internet providers, US military entities, and others, with an observable surge in activity from August 2023 and a notable peak in mid-November 2023. KV-botnet operates distinctively based on the target value: the 'KV' cluster, presumably manual, focuses on high-value targets, whereas the 'JDY' cluster uses broader, automated scans. The attack leverages multiple file types for the infection chain, and the malware avoids detection by mimicking legitimate process names and residing predominantly in memory, which complicates detection but diminishes persistence on hijacked devices. Lumen's Black Lotus Labs report correlates the techniques, target preferences, and working times of KV-botnet with Volt Typhoon, and further judges the reduction in botnet activity after public disclosures as suspicious, hinting at the Chinese hackers' caution. Lumen has released indicators of compromise on GitHub to assist in the detection and prevention of KV-botnet infections, enhancing network security for threatened organizations. | Details |
| 2023-12-13 20:35:24 | bleepingcomputer | CYBERCRIME | Google Forms Exploited in BazarCall Phishing Payment Scams | A renewed BazarCall phishing campaign misuses Google Forms to send fake payment receipts. The emails imitate legitimate subscriptions and notification services to deceive users. Victims receive an email prompting them to cancel a non-existent expensive subscription. The typical approach instructs users to call a phone number, connecting them to fake customer support. Cybercriminals guide victims to unwittingly install BazarLoader malware on their systems. Google Forms' legitimacy allows attackers to bypass security tools, ensuring email delivery. The emails create urgency by requesting recipients to call within 24 hours to dispute charges. The BazarCall method has a history of facilitating initial access for subsequent ransomware attacks. | Details |
| 2023-12-13 20:29:41 | bleepingcomputer | CYBERCRIME | Russian Linked to Ransomware Gang Arrested by French Police | French authorities have arrested a Russian national suspected of laundering money for the Hive ransomware gang. The arrest was made possible through the efforts of the French Anti-Cybercrime Office (OFAC), which linked the suspect to digital wallets connected to ransom payments. During the arrest, approximately €570,000 worth of cryptocurrency assets were seized by the police. The operation was a collaborative effort involving Europol, Eurojust, and Cypriot authorities, including a search of the suspect's residence in Cyprus. Prior to the arrest, Hive's Tor websites were taken down by an international law enforcement operation that also led to the FBI infiltrating Hive's servers. The FBI managed to provide over 1,300 decryption keys to victims, preventing significant ransom payments. The U.S. State Department is offering a reward of up to $10 million for information linking the Hive ransomware group or other cybercriminals to foreign governments. A new ransomware-as-a-service group, Hunters International, has emerged following Hive's takedown, with significant code overlap suggesting a possible rebirth of the Hive group under a new name, though this is contested by Hunters International. | Details |
| 2023-12-13 18:27:35 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Capitalizes on Competitors' Disruptions | The LockBit ransomware operation is actively recruiting affiliates and developers from the disrupted BlackCat/ALPHV and NoEscape operations. NoEscape affiliates claimed an exit scam by its operators, raising concerns of lost ransom payments and an operations shutdown. The BlackCat/ALPHV ransomware's infrastructure faced a 5-day outage, leading to speculation about a possible law enforcement operation. LockBit is offering its data leak site and negotiation panel for BlackCat and NoEscape affiliates to use if they have backups of stolen data. There are already signs of BlackCat/ALPHV's victims appearing on LockBit's data leak site, suggesting movement between groups. LockBit, considered the largest ransomware operation currently, benefits from competitors' troubles and sees these events as opportunities for expansion. The ransomware landscape remains dynamic, with the potential for rebranding and relocation of affiliates and developers from disrupted operations. | Details |
| 2023-12-13 18:06:51 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT29 Targets Unpatched TeamCity Servers Since September | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of APT29 (linked to Russia's SVR) exploiting TeamCity servers since September 2023. APT29 was previously involved in the SolarWinds breach and in targeting NATO countries' Microsoft 365 accounts. The exploited TeamCity vulnerability is CVE-2023-42793, a critical remote code execution flaw allowing attackers unauthenticated access. CISA believes the SVR is likely in the preparatory phase, exploiting initial access to escalate privileges, move laterally, and deploy backdoors for sustained network control. Around 800 TeamCity servers remain unpatched and vulnerable to exploitation, with some incidents leading to malicious code injection into software releases. The attackers' tactics include potential software supply chain attacks; the flaw has also been exploited in the past by ransomware gangs and North Korean hackers (the Lazarus and Andariel groups). | Details |
| 2023-12-13 16:19:38 | bleepingcomputer | CYBERCRIME | Hackers Target Apache Struts with Critical RCE Vulnerability Exploit | Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in Apache Struts, identified as CVE-2023-50164. The Shadowserver scanning platform detected a limited number of IPs trying to exploit the vulnerability using public proof-of-concept exploit code. Apache Struts is widely used in both private and public sectors, including government agencies, for developing Java EE web applications. The vulnerability affects a wide range of Struts versions and could allow attackers to upload malicious files, gain unauthorized access, and cause significant operational disruptions. Apache released updated Struts versions on December 7 to patch the critical path traversal flaw that permits the RCE if exploited. A security researcher published a technical explanation and a second write-up with exploit code, increasing the risk of widespread exploitation. Cisco is evaluating which of its products using Apache Struts are vulnerable, including widely used platforms such as Identity Services Engine and Unified Communications Manager. | Details |
| 2023-12-13 15:28:23 | thehackernews | CYBERCRIME | BazaCall Phishers Exploit Google Forms to Deceive Targets | A phishing campaign known as BazaCall is using Google Forms to create authentic-looking emails to deceive victims. Attackers send emails impersonating subscription services like Netflix and Norton, pressuring recipients to call a support number. Once on the call, victims are tricked into granting remote access to their computers. Google Forms is chosen for phishing because it comes from a trusted domain, potentially bypassing email security systems. The response receipt feature in Google Forms allows attackers to send the victim a copy of the form, reinforcing the scam's legitimacy. The phishing technique using Google Forms can evade traditional security measures due to dynamically generated URLs. Proofpoint has identified a separate phishing campaign targeting recruiters with the More_eggs JavaScript backdoor by a group tracked as TA4557. | Details |
| 2023-12-13 14:22:03 | theregister | CYBERCRIME | Enhancing Cloud Security Through Effective Monitoring and AI | The increasing adoption of multi-cloud environments introduces complex management processes and potential visibility gaps that could be exploited by hackers. The dynamic nature of cloud services provisioning can create new vulnerabilities, particularly through minor misconfigurations leading to significant security incidents. Cloud security risks are constantly evolving, necessitating adaptive and nuanced approaches rather than one-size-fits-all solutions. Tim Phillips of The Register will host a webinar featuring Nabil Zoldjalali from Darktrace to discuss strategies for improving cloud security. The webinar aims to educate on identifying normal versus abnormal behaviour patterns in cloud environments to strengthen security postures. Emphasis will be on leveraging AI to achieve real-time understanding of cloud ecosystems and to formulate autonomous responses to security threats. The event is designed to help IT professionals build more robust defenses against both human error and cyber intrusions in cloud computing. Registration for the webinar includes a reminder for the live event, underscoring the importance of continual learning and vigilance in cybersecurity. | Details |
| 2023-12-13 13:20:42 | thehackernews | MISCELLANEOUS | Google Strengthens Android Against Cellular Vulnerabilities | Google employs Clang sanitizers to enhance security within Android's cellular baseband, mitigating certain types of vulnerabilities. The sanitizers, Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), help catch undefined behaviors and are suitable for various architectures. Although these tools increase security, they introduce significant performance overhead, prompting selective implementation in critical areas. Google's efforts are part of a larger initiative to secure firmware against remote code execution by collaborating with ecosystem partners. While sanitizers offer substantial protection, they do not address all vulnerability types, leading to a push for coding in memory-safe languages like Rust. Google revealed the rewriting of the Android Virtualization Framework firmware in Rust, strengthening the protected VM root of trust. Researchers suggest that as operating systems become more secure, attackers may shift focus to lower-level components like the baseband. | Details |
| 2023-12-13 12:09:07 | thehackernews | MALWARE | Unraveling Malware's Secrets with Advanced Sandbox Analysis Tools | Malware analysis is critical for understanding and combating cyber threats, with network traffic examination playing a key role. Decrypting HTTPS traffic is essential for tracking malware communication, achieved using a man-in-the-middle (MITM) proxy to monitor and intercept data exchange. An example includes analyzing AxilStealer, which used Telegram to exfiltrate stolen browser passwords; the MITM proxy decrypted the traffic, revealing the malware's actions. Identifying a malware's family can be challenging, especially with inactive servers, but tools like FakeNET can simulate server responses to trigger identification rules. Analyzing geo-targeted or evasive malware requires the use of residential proxies, enabling analysts to bypass restrictions and disguise sandbox environments. The ANY.RUN sandbox streamlines this process, providing an interactive platform with tools such as MITM proxies, FakeNET, residential proxies, and more for detailed analysis. ANY.RUN encourages adoption of their cloud-based sandbox technology by offering a robust 14-day trial period to evaluate its comprehensive features. | Details |
| 2023-12-13 12:03:38 | bleepingcomputer | CYBERCRIME | OLVX: Rising Cybercrime Marketplace Attracts Hackers Globally | A new cybercrime marketplace named OLVX has become increasingly popular amongst hackers, offering various tools for online fraud and attacks. Unlike traditional dark web marketplaces, OLVX is hosted on the clearnet, expanding its accessibility and being promoted through search engine optimization (SEO). ZeroFox researchers observed a significant increase in both sellers and buyers on OLVX, driven by effective SEO, ads on hacking forums, and a dedicated Telegram channel. The OLVX marketplace features a wide range of products, including custom cybercriminal toolkits and specialized files, which attract and retain a large customer base. The platform operates on a "deposit to direct payment" system accepting multiple cryptocurrencies, which poses a risk of an exit scam by the operators. Products on OLVX include various low-cost digital items, software, and services aimed at facilitating cybercrime activities. ZeroFox emphasizes the need for buyers to remain cautious, especially during the holiday shopping period, to avoid potential scams on OLVX. | Details |
| 2023-12-13 10:57:21 | thehackernews | CYBERCRIME | Microsoft Exposes Cybercriminals Exploiting OAuth for Cryptojacking, Phishing | Microsoft has identified that hackers are misusing OAuth applications for cryptocurrency mining and phishing attacks. OAuth, an authorization framework, is being manipulated to deploy VMs and launch phishing campaigns by compromising user accounts. The compromised accounts are used to create or alter OAuth applications, increasing permissions and hiding malicious activities. Attackers use phishing or password-spraying to target accounts with the ability to configure OAuth applications; Microsoft highlights the group Storm-1283 as an example. Once they obtain access, these adversaries may engage in activities like financial fraud reconnaissance or the distribution of phishing emails. Microsoft observed instances where attackers maintained persistence and bypassed authentication by stealing and leveraging session cookies. Microsoft suggests defenses such as enabling multi-factor authentication, conditional access policies, and regularly auditing apps and permissions to counter such security threats. | Details |
| 2023-12-13 10:31:45 | theregister | DATA BREACH | Massive Data Exposure Affects Nearly a Million Non-Profit Donors | Nearly one million records containing sensitive donor information were exposed in an online database that was not secured. The database belonged to DonorView, a provider of fundraising platforms used by various non-profit entities such as schools and charities. Personal information exposed included donor names, addresses, phone numbers, emails, payment methods, and more. Children's names, medical conditions, and other sensitive details were found among the exposed data, raising severe privacy concerns. The database was secured within days after a disclosure report by security researcher Jeremiah Fowler, but there was no response from DonorView. It is unknown whether the data was accessed by unauthorized parties or how long it was exposed before being discovered. The incident highlights the risks associated with data breaches, including potential phishing attacks targeting donors using their exposed information. | Details |
| 2023-12-13 10:21:17 | thehackernews | CYBERCRIME | Cyber Attack Disrupts Services of Ukraine's Leading Telecom Kyivstar | Ukraine's largest telecom provider, Kyivstar, has been hit by a significant cyber attack that compromised mobile and internet service access across the country. The attack caused notable disruptions to the air raid alert network and has affected the banking sector, with efforts ongoing to restore full connectivity. Kyivstar has approximately 25 million mobile subscribers and over a million home internet customers, all potentially affected by the service outage. The company has reported the incident to law enforcement and believes the attack is linked to the ongoing war with Russia, although no customer data breach evidence has surfaced yet. Kyivstar also confirmed plans for compensation to its subscribers and corporate clients once the network is stabilized and cautioned customers about potential scams. The pro-Russia group KillNet claimed responsibility for the cyber attack on Kyivstar, amidst changes in its own leadership, with new recruitment and more attacks planned. Concurrently, Ukraine's Defence Intelligence claims to have hacked the Russian Federal Taxation Service, affecting over 2300 servers, which Russian officials vehemently deny, suggesting it is a deflection from Ukraine's telecom troubles. | Details |