Daily Brief


Total articles found: 12590

Checks for new stories every ~15 minutes

2023-10-06 17:11:05 bleepingcomputer CYBERCRIME FTC Reports Over $2.7 Billion Lost to Social Media Scams Since 2021
The Federal Trade Commission (FTC) has reported that Americans lost at least $2.7 billion to social media scams since 2021, a figure projected to be greater due to under-reporting. Research indicated that only 4.8% of scam victims lodged complaints with the Better Business Bureau or a government agency. A range of tactics is employed by scammers, including advertising fake products, offering false investment opportunities, and posing as romantic prospects. The FTC advised consumers to be cautious and safeguard themselves against such scams, limiting their social media posts, scrutinizing unsolicited contacts, and checking the credibility of companies before making online purchases. The FTC revealed that online shopping scams constituted the most frequently reported scams on social media, accounting for 44% of reports. The warning follows an earlier FTC report of a surge in social media fraud during 2021, with a record $8.8 billion losses to varied scam types reported by consumers in 2022.
2023-10-06 15:49:26 bleepingcomputer DATA BREACH Biotech Firm 23andMe Suffers Data Breach Via Credential-Stuffing Attack
U.S. biotechnology firm 23andMe has confirmed that user data from its platform was stolen in a credential-stuffing attack. Data including full names, usernames, photos, sex, date of birth, genetic ancestry results, and geographical location was posted on hacker forums. The sensitive data was accessed using credentials exposed from other breaches; there is no indication of a security incident within 23andMe's own systems. Threat actors offered to sell data profiles at a rate of $1-$10 per account, depending on the quantity purchased. The initial data leak involved 1 million lines of Ashkenazi people's data. The breached accounts had all opted into the 'DNA Relatives' feature, leading to additional data being exposed as the actor was able to scrape data of their DNA Relative matches. 23andMe encourages all users to enable two-factor authentication as an additional protection measure and to employ strong, unique passwords for all online accounts.
2023-10-06 15:33:49 theregister DATA BREACH MGM Resorts Faces $100 Million Loss Following Cyberattack; Personal Customer Data Compromised
MGM Resorts has revealed that the cyberattack it suffered in September is expected to cost the company at least $100 million. The impact of the attack will significantly affect the firm's third-quarter earnings and will continue to influence its Q4, although this is predicted to be "minimal." The attack broke MGM's room-booking systems, took slot machines offline, and disrupted other elements of the firm's operations. MGM has confirmed that personal data belonging to customers, such as social security numbers, driving license numbers, passport numbers, contact details, and dates of birth, was stolen during the hack. However, there is no evidence to suggest that financial information, including bank account and card numbers, was compromised. The company expects its cyber insurance to cover the financial impact of the attack and is also hopeful that its rooms will be filled to near-normal levels starting this month. Cybercrime group Scattered Spider claimed responsibility for the attack and was allegedly responsible for a similar attack on Caesars Entertainment during the same period.
2023-10-06 14:57:54 thehackernews NATION STATE ACTIVITY North Korea's Lazarus Group Accused of Laundering $900 Million in Stolen Cryptocurrency
North Korea's Lazarus Group is reportedly responsible for laundering nearly $900 million in stolen cryptocurrency. The theft was part of a larger $7 billion in cryptocurrency illicitly laundered through cross-chain crime by various actors. Cross-chain crime, a method of quickly converting crypto assets from one token or blockchain to another to obscure their origin, has been increasingly used by crypto thieves for money laundering. The Lazarus Group is estimated to have stolen approximately $240 million in cryptocurrency since June 2023, targeting several crypto platforms including Atomic Wallet and CoinsPaid. The group has also been linked to a number of risky transactions made through the Avalanche Bridge, which deposited over 9,500 bitcoin. South Korea's National Intelligence Service has recently issued warnings about North Korean cyber-attacks targeting its shipbuilding sector.
2023-10-06 14:42:17 bleepingcomputer CYBERCRIME MGM Resorts Suffers $100 Million Loss Due to Ransomware Attack
A ransomware attack by an affiliate of the BlackCat/ALPHV ransomware gang led to a loss of $100 million for MGM Resorts. The threat actor, identified as Scattered Spider, infiltrated MGM's network, stole sensitive customer data, and disrupted services such as online reservations, slot machines, credit card terminals, and ATMs. While MGM stated that this incident would not significantly impact its annual financial performance, it led to an estimated $10 million in one-time expenses for risk remediation, legal fees, and incident response measures. The hospitality giant has resolved the cybersecurity issue, restoring all customer-facing systems, and expects the remainder of its systems to resume normal operations soon. Concerning the data breach, customer information dating back to March 2019 was stolen. Although customer passwords, bank account numbers, and payment card information were not exposed, MGM has rolled out free credit monitoring and identity protection services for the affected customers. The company urges customers to be vigilant against unsolicited communications and incidents of fraud or identity theft, advising that they regularly monitor their account statements and credit reports.
2023-10-06 13:54:39 bleepingcomputer CYBERCRIME MGM Resorts Reveals $100M Loss and Customer Data Breach from Ransomware Attack
MGM Resorts International, a prominent hospitality and entertainment company, underwent a significant cyberattack last month, costing the firm an estimated $100 million and resulting in the theft of customers' personal data. The hackers, found to be an affiliate of the BlackCat/ALPHV ransomware gang known as Scattered Spider, breached MGM's network and encrypted over a hundred ESXi hypervisors. This caused a disruption to in-casino services, online reservations systems, and the company's main website. In addition to the considerable direct loss, MGM also incurred less than $10 million in one-time expenses due to the cyberattack, which will be reportedly covered by the company's cybersecurity insurance. MGM states that despite the significant disruption experienced, it anticipates the financial impact to be predominantly confined to Q3 2023 and does not foresee any considerable effect on its annual financial performance. The company asserts that the incident has been contained, with all customer-facing systems having been fully restored. Notably, the data stolen did not include customer passwords, bank account numbers or payment card information. MGM Resorts is offering free credit monitoring and identity protection services to those affected by the breach and warns customers to watch out for incidents of fraud and unsolicited communications involving their personal information.
2023-10-06 13:23:49 theregister CYBERCRIME CDW Data to be Leaked After Breakdown with LockBit Ransomware Negotiations
Ransomware group LockBit suggests CDW data will be leaked after the IT reseller refused to offer a satisfactory payment in ransom negotiations. CDW, a global market player, has not yet issued a comment regarding the incident; the UK Information Commissioner's Office confirms that no breach report has been received from CDW. Repeated posting to LockBit's blog, a tactic designed to prompt faster responses from the victim, indicates a breakdown in negotiations. LockBit's aggressive tactics, including setting deadlines, have previously been used to create a sense of urgency in victims and to gain negotiation leverage. Although such posts can be scare tactics with no substance behind them, historical activity such as the Royal Mail International case reflects established ransomware operations, including potential staged data leaks. The National Cyber Security Centre discourages paying ransoms; according to a CyberEdge study, less than 50% of businesses regain all of their data following payment. LockBit has been accused of using "PR stunts" to increase its notoriety, often involving fake attacks or mistaken association with illicit groups. The ransomware group's previous claims about breaching other businesses have sometimes turned out to be only partially true, indicating a complex strategy for exerting pressure on targets.
2023-10-06 12:42:57 theregister CYBERCRIME Object First Strengthens Cybersecurity Measures With Ootbi Data Protection System
An identity theft attack on Anthony Cusimano, director of technical marketing at storage company Object First, was a catalyst for the company's focus on data protection, particularly against ransomware. Recognising the need for indelible backup solutions, Object First developed Ootbi, a new system designed to provide a highly resilient data protection solution for use with Veeam backup software. The Ootbi solution combines the immutability of a WORM (write once, read many) disk with the convenience of constantly connected online backup storage. Object First's creation operates on the idea of resiliency domains, whereby if one software stack is compromised, others can still be relied upon for recovery. The storage approach followed by Object First is the 3-2-1-1-0 backup rule: three copies of data, two media types, one copy off-site, one offline copy, and zero errors. The company's hardware solution, optimised for Veeam, also ensures data isn't compromised by using a hardened version of the Linux OS and storing data as uniquely identifiable units, preventing unauthorised alterations. Object First has prioritised user convenience, creating a system where, once backup data is stored, there are no digital ways for it to be removed. The system is designed with expandability in mind, allowing users to build clusters of up to four Ootbi appliances, with capacity to increase this further as customer demand rises.
2023-10-06 12:02:03 theregister NATION STATE ACTIVITY Google to Revise User Data Handling in Germany to Comply with Regulatory Probe
Google has committed to changing its data processing operations and granting users better control of their data following proceedings by the German Federal Cartel Office. The adjustments are in accordance with a 2021 revision of German competition law that gives regulators enhanced powers over large digital companies and matches the EU's Digital Markets Act. Free and informed consent will be required from users before their data can be shared between different services. The commitments do not apply to services already covered by the European Commission's Digital Markets Act; they cover operations such as News, Android Auto, and Workspace that were not previously addressed. Google must present an implementation plan within three months, and the conditions must be met for Assistant and Contacts by March 6, 2024, and for other services by September 30, 2024. While these changes specifically target the German marketplace, they could potentially be rolled out in other regions. Google has yet to specify its plans for other areas.
2023-10-06 11:51:36 thehackernews NATION STATE ACTIVITY Chinese Threat Actors Linked to Cyber Attacks on East Asian Semiconductor Firms
A China-linked group, known as Lucky Mouse among other aliases, has been associated with a campaign targeting semiconductor companies in East Asia, using a backdoor named HyperBro to deploy Cobalt Strike beacons. The attack used malware disguised as Taiwan Semiconductor Manufacturing Company (TSMC) material and sophisticated social engineering techniques to infiltrate targets, according to Dutch cybersecurity firm EclecticIQ. An alternate sequence of the attack utilized an undocumented malware downloader to deploy Cobalt Strike, indicating the group had multiple methodologies for infiltration. The group is also connected to another cluster tracked as RedHotel, known to overlap with Earth Lusca, also a hacking group. Reportedly, the group used a compromised Cobra DocGuard web server to host the second-stage binaries, including a Go-based implant called ChargeWeapon, disseminated via the downloader. Notably, the C2 server address hardcoded in the Cobalt Strike beacon was disguised as a legitimate jQuery CDN to bypass firewall defenses. These discoveries align with recent reports by the Financial Times and the U.S. Department of Defense (DoD), highlighting the increasing cyber espionage threat from China.
2023-10-06 10:24:59 thehackernews MISCELLANEOUS New Open Source Tool Provides Universal Visibility into Data Access Permissions
Satori has developed a Universal Data Permissions Scanner (UDPS), which aims to strengthen data security and streamline data governance. The tool scans and analyses the permissions model of various data platforms, producing a comprehensive list of users and their access level to data assets. By offering universal visibility, the UDPS enables organisations to quickly detect overprivileged users or unauthorised access and track unusual behaviour in real time. It simplifies the auditing process and ensures data access remains compliant with security and privacy regulations. The solution is easy to implement without requiring modifications to existing data structures or user interactions, which makes Satori's UDPS an attractive solution for organisations looking to improve their overall data security posture. Satori's UDPS is available as an open-source tool on GitHub, indicating the developers' commitment to offering solutions to real-world challenges faced by data engineers in managing data access permissions.
2023-10-06 08:58:27 thehackernews DATA BREACH GitHub Expands Secret Scanning Validity Checks to AWS, Microsoft, Google, and Slack
GitHub has expanded its secret scanning feature, which alerts users to whether exposed tokens are active, to include popular services such as AWS, Microsoft, Google, and Slack. This allows users to take prompt remediation measures. The expansion means that validity checks, initially limited to GitHub tokens, now cover more tokens, with the company planning to extend support further. To activate this feature, administrators and owners can navigate to the code security and analysis section and select "Automatically verify if a secret is valid by sending it to the relevant partner." GitHub has been focused on improving its code security capabilities, having earlier provided secret scanning alerts for all public repositories and introduced push protection to flag identifiable secrets before they are pushed to the repository. This update comes as Amazon plans to beef up protection requirements for AWS Organization account privileged (root) users, mandating multi-factor authentication (MFA) by mid-2024. The U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have also highlighted the vulnerabilities of weakly configured MFA methods and misconfigurations as prevalent security threats, advising organizations to eliminate default credentials, implement secure access controls, and prioritize system patching.
2023-10-06 06:05:40 thehackernews CYBERCRIME Multiple Critical Vulnerabilities Discovered in Supermicro's BMC Firmware
Multiple security vulnerabilities have been uncovered in Supermicro's baseboard management controller (BMC) firmware that could permit privilege escalation and execution of harmful code on impacted systems. The seven flaws have been tracked and their severity ranges from high to critical, allowing unauthorized individuals to gain root access to the BMC system. Supermicro has released a BMC firmware update to rectify these vulnerabilities. BMC chips, used for remote server management, are potential attack vectors for the deployment of persistent malware, as they remain operational even when the host is offline. One of the identified vulnerabilities is particularly critical, allowing authenticated attackers to gain root access and thoroughly compromise the BMC system. By exploiting some of the other vulnerabilities, an attacker could potentially create an admin account for the web server component of the BMC IPMI software, paving the way for remote control and compromise of servers. Currently, there is no evidence of any malicious exploitation of these vulnerabilities, though over 70,000 instances of internet-exposed Supermicro IPMI web interfaces were identified in early October.
2023-10-06 01:11:24 theregister MALWARE GoldDigger Android Trojan Targets Vietnamese Banking Apps, with Signs of Larger Future Attacks
Singapore-based infosec firm Group-IB has discovered an Android trojan exploiting the operating system's accessibility features to pilfer personal information for identity theft. The trojan, GoldDigger, has been observed primarily targeting Vietnamese banking apps, with 51 targeted financial organization apps discovered between June and August 2023. It is unclear how many devices have been affected or the extent of the monetary losses. The malware is introduced to devices through fake websites that trick users into downloading the app, after which it gains access to Android's Accessibility Service to monitor and manipulate device functions and steal banking credentials and content from SMS messages. GoldDigger further has the ability to bypass two-factor authentication, suggesting attempts to convince banking apps that it is conducting authentic transactions. The trojan's code hints at the malware developers' plans to expand their operations outside Vietnam, as suggested by included translations in Chinese and Spanish. Beyond the usual measures (keeping devices updated, declining suspicious permission requests, and using fraud protection services), prevention relies on keeping the "Install from Unknown Sources" setting disabled, as it is by default on Android devices, which prevents the installation of APKs from sources outside the Google Play Store.
2023-10-05 20:00:22 bleepingcomputer MALWARE Exploits for 'Looney Tunables' Linux Flaw Found Online, Affected Systems Face Significant Threat
The GNU C Library's dynamic loader in Linux has a significant security flaw dubbed 'Looney Tunables' (CVE-2023-4911), which allows attackers to gain root privileges. Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38 are among the affected distributions. Attackers can trigger the flaw by supplying a malicious GLIBC_TUNABLES environment variable that is processed by the ld.so dynamic loader, leading to arbitrary code execution with root privileges. Several proof-of-concept (PoC) exploits have been released online, demonstrating the potential for widespread malicious exploitation of the flaw. Threat experts from Qualys have noted the severity and significant threat posed by the flaw, and have called for prompt action from system administrators of affected Linux systems. The flaw can provide complete root access to systems running the latest Linux platforms, including Fedora, Ubuntu, and Debian, so priority must be given to patching to ensure system security. Qualys has withheld its own exploit code for the time being, but has warned that the extent of glibc usage across various Linux distributions could expose numerous systems to risk.