Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-23 00:47:32 | bleepingcomputer | DATA BREACH | Ethereum Analytics Firm Nansen Suffers Data Breach Via Third-Party Vendor | Ethereum blockchain analytics company Nansen has experienced a data breach due to a third-party vendor's security incident. Around 6.8% of Nansen users had their email addresses exposed, while a smaller number had their blockchain addresses and password hashes compromised. The attacker accessed the third-party vendor's admin panel, which controls Nansen customer access on the analytics platform. Nansen has asked impacted users to change their passwords because the exposed hashes could be brute-forced and because of the risk of targeted phishing attacks. While the investigation is ongoing, Nansen has advised all its users to update their passwords as a precautionary measure, as the number of impacted users may increase. | Details |
| 2023-09-23 00:47:32 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Suspected in Broad Cyberattack on Government of Bermuda | The Government of Bermuda has experienced a cyberattack affecting the IT systems of all its departments, and initial evidence points to Russian hackers as the source. Services disrupted by the attack include internet, email, and phone; the Department of Information and Digital Technology (IDT) is working to restore service. Premier David Burt stated that the investigation has so far found no evidence of data theft, and revealed that some other regional governments may have been affected by similar attacks. Additional service disruptions are expected as the investigation and recovery efforts continue. Both payroll and vendor payments have been initiated, but delays are expected; currently, only cash and checks are being accepted. The Bermuda Government is working closely with Government House on the issue, and a press briefing is scheduled to provide further information about the investigation's findings. | Details |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Zero-Day Vulnerabilities on Apple and Chrome Exploited in Spyware Attacks Targeting Egyptian MP | Security researchers from Citizen Lab and Google's Threat Analysis Group (TAG) recently disclosed that three zero-day vulnerabilities patched by Apple were exploited to install Cytrox's Predator spyware on devices. The vulnerabilities were exploited using fake SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy, who had declared his intention to run in the 2024 presidential election. On iOS devices, the attack began with remote code execution in Safari via malicious web pages, followed by a signature validation bypass and kernel privilege escalation. The researchers revealed that the exploit chain was initiated automatically following the redirection, deploying a tool to determine whether the spyware should be installed on the compromised device. A separate exploit chain was observed installing Predator spyware on Android devices in Egypt, exploiting a zero-day Chrome bug for remote code execution. Apple's Security Engineering & Architecture team confirmed that iOS Lockdown Mode would have neutralized the attack. All at-risk Apple users are strongly advised to promptly install Apple's security updates and enable Lockdown Mode to counter potential attacks exploiting these vulnerabilities. Citizen Lab attributes this network injection attack to the Egyptian government based on the prevalence of Cytrox's Predator spyware in the country and its physical location. | Details |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Nigerian National Pleads Guilty in $6 Million Business Email Compromise Scheme | Kosi Goodness Simon-Ebo, a 29-year-old Nigerian national, has pleaded guilty to wire fraud and money laundering in a business email compromise (BEC) scam amounting to nearly $7 million. Simon-Ebo was extradited from Canada to the U.S. in April last year. During 2017, while residing in South Africa, Simon-Ebo conspired with U.S. accomplices to compromise business and employee email accounts, which they then used to contact businesses with fraudulent payment requests. The scammers used spoofed email addresses to impersonate trusted partners, resulting in the victims sending money to a series of bank accounts controlled by Simon-Ebo and his associates. The scammers successfully stole approximately $1 million of the attempted $7 million, obscuring the money trail by circulating the funds through several accounts before withdrawing them in cash. Simon-Ebo is due to be sentenced on November 29, 2023, and faces up to 20 years' imprisonment. He will also have to pay restitution of $1,072,306, equivalent to the total losses suffered by the victims. Business email compromise schemes continue to pose a significant threat to organizations worldwide. In 2021 alone, BEC-related losses amounted to almost $2.4 billion in the U.S., with Verizon reporting that BEC attacks had almost doubled in 2023. | Details |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Royal Ransomware Attack on City of Dallas, Texas Originated from Stolen Account | The Royal ransomware gang breached the City of Dallas's network using a stolen domain service account and maintained access from early April to early May. In this period, the threat actors collected and exfiltrated over 1 terabyte of files; they also began distributing Cobalt Strike command-and-control beacons across the City's systems. The attackers launched ransomware payloads in early May, using legitimate Microsoft administrative tools to encrypt servers. The City responded by initiating mitigation efforts, taking high-priority servers offline, and kick-starting service restoration; the restoration process took over five weeks. Personal information of over 30,000 individuals was potentially exposed in the attack, including names, addresses, Social Security numbers, and health and health insurance details. The Dallas City Council has earmarked $8.5 million for ransomware attack restoration efforts, and final costs will be shared in due course. The Royal ransomware gang, believed to be an offshoot of the Conti cybercrime gang, exploits security flaws in publicly accessible devices and uses callback phishing attacks for network access. | Details |
| 2023-09-22 16:44:50 | theregister | DATA BREACH | TransUnion Claims Published Stolen Customer Data Snatched from Third Party, Not their Systems | A cyber criminal using the moniker USDoD claimed to have accessed and shared a 3GB+ database from credit agency TransUnion, containing private financial information for over 58,500 people. The data, supposedly leaked on a cyber-crime forum, included names, passport information, dates and places of birth, financial transaction summaries, credit scores, and loan details, among other sensitive data. VX-Underground reported that the data theft occurred on 2nd March 2022. While TransUnion confirmed a 2022 security breach (which compromised data for five million customers and 600,000 businesses), the company refutes the recent claims by USDoD. In a statement, it asserted that its systems showed no signs of a breach or subsequent data exfiltration. TransUnion's investigations, involving internal and third-party cybersecurity and forensic experts, have indicated that the data and its formatting do not match TransUnion's internal information, implying the data was sourced from a third party. This directs blame away from the credit giant. USDoD previously breached the FBI's InfraGard system and leaked contact details for approximately 80,000 members, and attacked Airbus, exposing personal data from 3,200 vendors on a cyber-crime forum. | Details |
| 2023-09-22 16:44:50 | theregister | NATION STATE ACTIVITY | US Govt IT Technician Charged with Espionage for Allegedly Leaking Top Secret Data to Ethiopia | Abraham Lemma, a Department of State (DoS) IT help desk contractor, has been arrested and charged with spying for Ethiopia by sharing classified United States national defense information with Ethiopian intelligence. Lemma has held positions within various US government agencies since 2019. Lemma's alleged espionage activities were discovered during an investigation into the DoS's handling of national defense information. This investigation was initiated in the aftermath of a separate leak of classified documents by Air National Guardsman Jack Teixeira. Lemma, a naturalized US citizen born in Ethiopia, is accused of copying, printing, and downloading classified and top-secret information from over 100 US intelligence reports, mostly related to Ethiopia, between December 2022 and August 2023. Lemma allegedly shared classified national defense data "including documents, photographs, notes, maps," via an encrypted messaging app. This included top-secret satellite images, photos of a military compound, and information relating to military activities in the region. Court documents revealed that Lemma received large deposits, totalling over $55,000, which escalated following his travels to Ethiopia and on dates coinciding with when he reportedly shared classified materials. Lemma faces charges of delivering national defense information to aid a foreign government, conspiracy to deliver such information, and willful retention of national defense information. The two espionage charges carry potential punishments of death or life in prison, and the willful retention charge carries up to 10 years' imprisonment. | Details |
| 2023-09-22 16:44:50 | theregister | NATION STATE ACTIVITY | European Space Agency to Build and Launch EU’s Secure Satellite Comms Network IRIS2 | The European Space Agency (ESA) has agreed to construct and launch the European Union's IRIS2 satellite constellation, aimed at providing secure space-based communications for EU members and reducing dependence on other nations' infrastructure. Originally planned in 2022 with a budget of €2.4 billion, the IRIS2 project aims to secure high-speed communication for civilian and defence use with advanced technologies such as 5G and quantum encryption. Despite initial service goals set for 2024 and full operational capacity by 2027, both timelines appear unlikely due to ESA's ongoing issues with its heavy launch vehicles. ESA's Ariane 6 launch vehicle is undergoing repairs for a hydraulic group anomaly ahead of a critical testing deadline in October. If delays persist, Arianespace's Vega launchers could potentially be used if the IRIS2 satellites weigh less than 2,200kg. European companies Airbus and Thales could also contribute their expertise to the project. | Details |
| 2023-09-22 16:44:50 | thehackernews | MISCELLANEOUS | Understanding and Interpreting the 2023 MITRE ATT&CK Evaluation Results and Cynet's Consecrated Performance | The 2023 MITRE Engenuity ATT&CK Evaluation critically tested the ability of 31 cybersecurity solutions, including Cynet, to withstand attacks modeled on the tactics of the real-world advanced persistent threat (APT) group Turla. MITRE does not score or rank vendors but instead supplies raw data and basic comparison tools, allowing organizations to assess the relevance of the solutions to their own needs and priorities. Key measures of the evaluation included Overall Visibility (total number of detected attack steps), Detection Quality (percentage of attack sub-steps that identified a tactic or technique), and threat detection without configuration changes. Cynet performed exceptionally well in the evaluation, claiming 100% visibility and perfect detection for all attack steps. Cynet also provided 100% analytic coverage for all attack steps. A webinar featuring Cynet CTO Aviad Hasnis and ISMG SVP Editorial Tom Field will provide further insights into Cynet's performance and guidance for cybersecurity leaders on interpreting these results. | Details |
| 2023-09-22 16:44:50 | thehackernews | NATION STATE ACTIVITY | Iranian Threat Actor OilRig Continues Cyberattacks Against Israeli Organizations | The Iranian nation-state actor known as OilRig orchestrated two cyber attack campaigns, termed Outer Space and Juicy Mix, targeting Israeli organizations in 2021 and 2022. OilRig deployed two backdoors, Solar and Mango, reportedly via spear-phishing emails, to gather sensitive data from browsers and the Windows Credential Manager. OilRig, affiliated with Iran's Ministry of Intelligence and Security (MOIS) and active since 2014, has used a variety of tools to carry out information theft. In February, Trend Micro discovered OilRig's use of a simple backdoor to steal user credentials, showing its "flexibility to write new malware based on researched customer environments and access levels". The latest findings indicate the group's continued focus on Israel, utilising spear-phishing lures to trick potential targets into installing malware through sabotaged attachments. The group continues to innovate, creating new implants with backdoor capabilities, finding new ways to execute commands remotely, and deploying post-compromise tools to collect credentials, cookies, and browsing history. | Details |
| 2023-09-22 16:44:50 | thehackernews | MALWARE | BBTok Banking Trojan Variant Targets Over 40 Banks in Latin America | A new variant of the BBTok banking Trojan is actively targeting users in Latin America, specifically in Brazil and Mexico, affecting more than 40 banks. The Trojan replicates the interfaces of Mexican and Brazilian banks to trick victims into submitting the 2FA codes for their bank accounts or their payment card numbers. The malware payloads, unique to each victim based on their operating system and country, are generated by a custom server-side PowerShell script and delivered through phishing emails. BBTok is a Windows-based Trojan, first detected in 2020, equipped with typical Trojan features such as process enumeration and termination, remote command issuance, keyboard manipulation, and fake bank login page presentation. The attacks employ deceptive links or ZIP file attachments to stealthily introduce the Trojan retrieved from a remote server, and show a decoy document to the target. The attacks are tailored for Windows 7 and Windows 10 systems, using methods to evade advanced detection systems. Once launched, BBTok connects to a remote server to receive commands to simulate security verification pages for various banks, harvesting user credentials and authentication information for account takeovers. According to Check Point's analysis, more than 150 users are estimated to have been infected by BBTok. The source code and phishing emails are in Spanish and Portuguese, suggesting that the threat actors are likely based in Brazil. Despite its regional targeting and evasion techniques, Check Point has warned that BBTok still poses a significant threat to organizations and individuals in the region due to its multiple capabilities and unique delivery method. | Details |
| 2023-09-22 16:44:49 | bleepingcomputer | CYBERCRIME | Apple Releases Emergency Security Updates to Patch Three Zero-Day Vulnerabilities | Apple has released emergency security updates to tackle three zero-day vulnerabilities that have been exploited in attacks against iPhone and Mac users. Two of the identified bugs were found in the WebKit browser engine and the Security framework. These allowed arbitrary code execution via maliciously crafted webpages and signature validation bypass via malicious apps. The third vulnerability was spotted in the Kernel Framework and could enable local attackers to escalate privileges. Apple addressed the flaws in several operating systems, including macOS, iOS, iPadOS, and watchOS. The company confirmed it was aware of exploitation against older versions of iOS. These zero-day vulnerabilities were discovered and reported by researchers from the Citizen Lab at The University of Toronto's Munk School and Google's Threat Analysis Group. In the past, similar flaws have been abused in spyware attacks on high-risk individuals. Citizen Lab disclosed two other zero-days that had also been abused previously to infect fully patched iPhones with NSO Group's Pegasus spyware. These vulnerabilities were patched by Apple earlier in the month. So far this year, Apple has addressed a total of 16 zero-day vulnerabilities. | Details |
| 2023-09-22 16:44:49 | bleepingcomputer | CYBERCRIME | GitHub Makes Passkeys Generally Available for Secure Passwordless Logins | GitHub has announced the general availability of passkeys, allowing secure, passwordless logins for all users and further reducing the risk of data breaches. Passkeys, which are bound to specific devices, provide added protection against phishing attacks and unauthorized access attempts. The feature improves both user security and experience by removing the need to memorize separate passwords for different websites or applications. The move follows GitHub's public beta of passwordless authentication, started in July, which was adopted by tens of thousands of developers. Users can register one or more passkeys via their account's security settings. This development follows Microsoft, Apple, and Google's efforts to improve passkey support across their platforms. GitHub has taken several steps to enhance account security over the years, including making two-factor authentication mandatory for all active developers and implementing sign-in alerts. | Details |
| 2023-09-22 16:44:49 | bleepingcomputer | CYBERCRIME | ‘Sandman’ Threat Actor Targets Telecom Providers with New LuaDream Malware | The 'Sandman' threat actor is targeting telecommunications providers in the Middle East, Western Europe, and South Asia using a new info-stealing malware called 'LuaDream'. The actor was identified by SentinelLabs in collaboration with QGroup GmbH. 'Sandman' typically gains access to networks using stolen admin credentials, then uses “pass-the-hash” attacks to move laterally within the network and maintain access for long-term cyberespionage operations. The LuaDream malware, named after the LuaJIT compiler it uses, is a modular malware deployed via DLL hijacking on targeted systems. It collects data, manages plugins to extend its functionality, and is under active development, as indicated by the version strings observed. The malware uses a sophisticated seven-step in-memory staging process to evade detection. Anti-analysis measures include creating custom DLL files close to the time of the attacks, suggesting these are tailored for specific intrusions. Evidence points to the presence of 34 components, including 13 core and 21 support components, which use LuaJIT bytecode and the Windows API via the ffi library. LuaDream connects to a command and control (C2) server upon initialization and sends information about the malware version, IP/MAC addresses, and OS details. SentinelLabs has identified specific plugins deployed in each attack but believes there may be others. While parts of 'Sandman's' custom malware and its C2 server infrastructure have been exposed, the actor's origin is still unknown. Sandman is one of several advanced attackers targeting telecom companies for espionage with unique, stealthy backdoors. | Details |
| 2023-09-22 16:44:49 | bleepingcomputer | CYBERCRIME | Hackers Target Hotels to Obtain Credit Card Information Via Fake Booking.com Page | Cybersecurity researchers have identified a multi-step hacking campaign targeting the hospitality industry (hotels, booking sites, travel agencies) to steal customer financial data. The campaign involves infecting hotel systems with info-stealing malware, then using this access to set up phishing schemes against customers. Once a system is infected, the hackers can manipulate official communications with genuine customers, sending them messages that appear to come from the compromised hotel or booking service. Such messages include requests for additional credit card verification and are written professionally to avoid arousing suspicion. The customer is then directed to a fake Booking.com payment page, which looks legitimate but is designed to steal credit card information. Users are cautioned to avoid clicking on unsolicited links and to contact the company directly if they receive an unusual request, particularly one demanding immediate action. | Details |