TLP WHITE: Threat Intelligence Report for The Week of February 5th – February 9th 2024
2024-2-9 22:14:41 Author: krypt3ia.wordpress.com

Executive Summary:

This threat intelligence report covers the geopolitical issues being seen as well as legal and regulatory issues and technical vulnerabilities and activities ongoing this week. Generally, there is a lot going on out there and on a macroscopic level, one has to look at what is happening in the world and assess how it may affect your own organization.

In this week's look back, the geopolitical issues touch on elections and the disinformation being leveraged in the election cycle, as well as the technologies used in those attacks, which criminal actors are also using to steal large sums of money from organizations.

Additionally, the nation state incursions and incidents being carried out and detected are increasingly showing that infrastructures like power and water are a high value target for future warfare efforts in an already tense world.

As Sun Tzu wrote: “If you know neither the enemy nor yourself, you will succumb in every battle.” Take this information and consider your threatscape.

Geopolitical Issues:

This report provides an analysis of three significant cybersecurity developments that have occurred recently: a critical zero-day vulnerability addressed by Fortinet in FortiOS, a dramatic increase in ransomware payments in 2023, and the U.S. government’s announcement of a $10 million reward for information on the leaders of the Hive ransomware group. These incidents underscore the persistent and evolving threat landscape in cybersecurity, emphasizing the importance of proactive defense measures and international cooperation in mitigating these risks.

Ransomware Payments Surge in 2023-2024

Overview

In 2023, ransomware payments exceeded $1 billion, marking a significant increase in the financial impact of these attacks. This surge reflects the growing sophistication of ransomware operations and the increasing willingness of victims to pay ransoms in an attempt to recover encrypted data and avoid public exposure of stolen information.

Impact

The escalation in ransom payments fuels the ransomware economy, encouraging more cybercriminals to participate in these lucrative schemes. This trend also indicates a concerning shift in the cybersecurity landscape, with organizations facing increased risks of being targeted by ransomware actors.

U.S. Government Bounty on Hive Ransomware Group

Overview

The U.S. government has announced a $10 million reward for information leading to the identification and apprehension of the leaders of the Hive ransomware group. This initiative underscores the high stakes involved in combating ransomware and the government’s commitment to disrupting criminal networks responsible for these threats.

Impact

The bounty on Hive leadership signals a strategic approach to dismantling ransomware operations by targeting their command and control structures. It also reflects the increasing use of financial incentives as tools in cybercrime investigations, potentially encouraging informants to come forward with valuable intelligence.

Recommendations

  • Support and engage in public-private partnerships aimed at sharing intelligence and resources to combat ransomware.
  • Leverage government resources and rewards programs to enhance internal cybersecurity efforts and participate in collective defense initiatives.
  • Monitor developments in ransomware tactics and adjust security strategies accordingly to protect against evolving threats.


Deepfake-Enabled Financial Fraud in Hong Kong

Executive Summary

A recent cybercriminal operation in Hong Kong has underscored the advanced threats facing multinational corporations, with scammers utilizing deepfake technology to orchestrate a theft of $25.6 million USD. This incident marks a significant escalation in the sophistication of cyber fraud, employing deepfake video and audio to impersonate senior company officials convincingly.

Incident Overview

  • Date of Incident: The scam unfolded over several weeks, culminating in the fraudulent financial transfers.
  • Target: A multinational finance firm based in Hong Kong.
  • Method of Attack: Scammers created deepfake representations of the company’s Chief Financial Officer (CFO) and other staff members to deceive an employee into executing unauthorized financial transfers.
  • Amount Stolen: $25.6 million USD, requested over 15 separate transactions to local bank accounts.
  • Arrests: Hong Kong police have apprehended six individuals in connection to this scam, with ongoing investigations.

Technical Analysis

  • Deepfake Technology: The attackers utilized deepfake technology, likely leveraging publicly available footage of company staff to create realistic video and audio simulations.
  • Phishing: The initial contact with the target employee was made via a phishing email, posing as the company’s UK-based CFO, raising initial suspicion which was later alleviated by the convincing deepfake in a video call.
  • Social Engineering: The scammers employed advanced social engineering tactics, using deepfakes in a multi-person video conference to create a false sense of legitimacy and urgency for the financial transfers.

Impact Assessment

  • Financial Loss: The direct financial impact of the fraud is substantial, amounting to $25.6 million USD.
  • Operational Disruption: While not detailed, the incident likely caused significant operational disruption and necessitated a thorough security review.
  • Reputational Damage: The use of deepfake technology in this manner can have severe reputational consequences for the victim organization, highlighting potential vulnerabilities in their cybersecurity measures.

Recommendations

  1. Enhanced Verification Procedures: Implement multi-factor authentication and verification for all financial transactions, especially those requested in an unusual manner or for large amounts.
  2. Deepfake Detection Tools: Invest in technology capable of detecting deepfakes, incorporating these tools into regular security assessments.
  3. Employee Training: Conduct regular, updated training sessions for employees on recognizing phishing attempts, understanding the threat of deepfakes, and adhering to security protocols.
  4. Incident Response Planning: Update incident response plans to include procedures for identifying and responding to deepfake-based attacks.
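The first recommendation turned into a concrete control, as an added example (not code from the report or from the affected firm): it holds any transfer instruction that arrives over a channel that cannot prove who is speaking (email, a video call) and names a beneficiary not yet confirmed out-of-band, and it aggregates a requester's payments over a rolling window so that splitting a sum into many smaller transfers, as in the 15 transactions described above, does not slip under a per-transaction threshold. The thresholds, channel names and account identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the report.
SINGLE_TXN_THRESHOLD = 100_000.0        # one request at/above this is always held
AGGREGATE_THRESHOLD = 250_000.0         # cumulative per requester inside the window
AGGREGATE_WINDOW = timedelta(days=7)
# Instruction channels that cannot prove who is speaking (the scam used an
# email "from" the CFO followed by a deepfaked video conference).
UNVERIFIED_CHANNELS = {"email", "video_call", "chat", "phone"}


@dataclass
class TransferRequest:
    ts: datetime
    requester: str        # identity the instruction claims to come from
    channel: str          # how the instruction arrived
    amount: float
    beneficiary: str      # destination account identifier


@dataclass
class Decision:
    request: TransferRequest
    hold: bool            # True: callback to the pre-registered contact + second approver
    reasons: list = field(default_factory=list)


def evaluate(requests, verified_beneficiaries):
    """Decide per request whether it may be released or must be held.

    verified_beneficiaries: accounts already confirmed out-of-band. An account
    enters this set only through that callback, never because it was paid before,
    so a first fraudulent payment does not whitelist the account for the rest.
    Requests are processed in time order so split payments accumulate.
    """
    decisions = []
    history = []
    for r in sorted(requests, key=lambda req: req.ts):
        reasons = []
        if r.channel in UNVERIFIED_CHANNELS and r.beneficiary not in verified_beneficiaries:
            reasons.append(f"unverified beneficiary requested over '{r.channel}'")
        if r.amount >= SINGLE_TXN_THRESHOLD:
            reasons.append("single amount at/above threshold")
        recent = [h for h in history
                  if h.requester == r.requester and h.ts >= r.ts - AGGREGATE_WINDOW]
        total = r.amount + sum(h.amount for h in recent)
        if total >= AGGREGATE_THRESHOLD:
            reasons.append(f"{len(recent) + 1} requests from '{r.requester}' "
                           f"total {total:,.0f} within {AGGREGATE_WINDOW.days} days")
        history.append(r)
        decisions.append(Decision(r, bool(reasons), reasons))
    return decisions


def constructed_sample():
    """Constructed data: 15 split payments 'from the CFO' to one new account,
    plus one routine payment through the normal workflow that should pass."""
    start = datetime(2024, 1, 15, 9, 0)
    split = [TransferRequest(start + timedelta(hours=3 * i), "cfo", "video_call",
                             20_000.0, "acct-new-001") for i in range(15)]
    routine = TransferRequest(start + timedelta(hours=25), "ap_clerk", "erp_workflow",
                              5_000.0, "acct-vendor-042")
    return split + [routine], {"acct-vendor-042"}


if __name__ == "__main__":
    reqs, verified = constructed_sample()
    for d in evaluate(reqs, verified):
        state = "HOLD" if d.hold else "release"
        print(f"{d.request.ts:%Y-%m-%d %H:%M} {d.request.requester:9} "
              f"{d.request.amount:>9,.0f} {state}: {'; '.join(d.reasons)}")
```

Every one of the 15 split requests is held for the unverified beneficiary alone; the aggregate rule adds a second reason from the 13th request onward, while the routine payment is released.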

The Role of Deepfake Technology and Robocalls in Election Misinformation

The increasing sophistication of deepfake technology and the strategic use of robocalls have emerged as significant cybersecurity threats in the political domain, particularly in the lead-up to the 2024 U.S. Presidential election. These technologies pose challenges to electoral integrity through the dissemination of misleading or false information, with potential impacts on voter behavior and trust in democratic processes.

Incident Overview

Recent incidents have highlighted the use of deepfake technology to create misleading representations of political figures and robocalls to spread false messages. For example, AI-generated robocalls purportedly from Joe Biden urged New Hampshire Democrats to stay home instead of voting in the state’s primary. Such tactics underscore the evolving landscape of digital misinformation campaigns.

Technical Analysis

Deepfake technology leverages advanced AI algorithms to create or alter video and audio content, making it difficult to distinguish between real and synthetic media. The ease of access to generative AI tools has democratized the creation of convincing deepfakes, posing a challenge to content verification mechanisms on social media and digital platforms.

The use of robocalls for disseminating misinformation exploits the ubiquity of telecommunication, allowing for the rapid spread of false information directly to voters. These calls can be tailored to target specific demographics, exacerbating their potential impact.

Impact Assessment

  • Misinformation Spread: The proliferation of deepfakes and robocalls can significantly influence public opinion by spreading false narratives about candidates or policies.
  • Voter Suppression: Misleading robocalls may lead to voter suppression, discouraging participation through the dissemination of false information about voting processes.
  • Erosion of Trust: The difficulty in distinguishing authentic from fabricated content can erode trust in information sources, including news media and official communications from political entities.

The misuse of deepfake technology and robocalls represents a critical threat to the integrity of electoral processes. Addressing this challenge requires a concerted effort from multiple stakeholders, combining technological solutions, public education, and regulatory measures to safeguard democratic institutions and maintain public trust in the electoral system.

The examples cited, such as the use of robocalls in New Hampshire, illustrate the tangible risks posed by these technologies. As the 2024 election approaches, proactive measures are essential to mitigate the impact of digital misinformation campaigns on the democratic process.

The US Treasury Department announced sanctions against Iranian government officials for their role in targeting ICS and PLC devices at a Pennsylvania water utility in November 2023

Incident Overview

In a significant cybersecurity event, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on six officials from the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) on February 2, 2024. This action was in response to their involvement in malicious cyber activities targeting critical infrastructure within the United States and elsewhere, marking a clear stance against state-sponsored cyber threats aimed at disrupting critical services.

The sanctioned individuals, identified as Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, are accused of executing cyber operations that compromised and displayed unauthorized content on programmable logic controllers (PLCs) manufactured by Unitronics, an Israeli company. This cyberattack specifically targeted the Municipal Water Authority of Aliquippa in Pennsylvania during November 2023. It was attributed to the Iranian hacktivist group known as Cyber Av3ngers, which has been active in various cyberattacks since 2020, including disruptive operations in Israel, the U.S., and other locations.

The sanctions aim to block any U.S. assets owned by these individuals and generally prohibit Americans from engaging with them. This measure reflects the serious implications of targeting critical infrastructure through cyber means, emphasizing the necessity of safeguarding these essential services from foreign cyber threats. The actions taken by the U.S. Treasury are part of broader efforts to counteract Iran’s cyber activities and procurement networks, demonstrating the ongoing tensions between the U.S. and Iran in the cyber domain.

This incident underscores the increasing risks to critical infrastructure from state-sponsored cyber activities and highlights the importance of robust cybersecurity measures to protect these vital systems from unauthorized access and potential disruption.

Technical Details and Vulnerabilities:

The attack exploited vulnerabilities in programmable logic controllers (PLCs) supplied by Unitronics, an Israel-based company. These devices are integral to operating critical infrastructure but do not store customer information. The significance of this attack lies in the direct compromise of operational technology (OT) rather than traditional information technology (IT) networks, highlighting a strategic shift towards disrupting physical infrastructure operations.

This incident is part of a broader trend of cyberattacks focusing on supply chain vulnerabilities and design weaknesses within control systems, reminiscent of previous high-profile attacks like Stuxnet and the Russian-led attempt to sabotage a Saudi petrochemical plant. The Unitronics PLCs, used across various industries including water/wastewater management, feature cloud access capabilities, expanding the potential attack surface for malicious actors.

Impact Assessment:

While the attack on the Municipal Water Authority of Aliquippa did not disrupt water supply or pose a direct threat to public safety, it underscores the tangible risks to critical infrastructure from cyber threats. The attackers’ ability to gain control of operational equipment highlights the vulnerability of industrial control systems to state-sponsored cyber activities. This incident serves as a critical reminder of the need for enhanced security protocols and vigilance against cyber threats targeting critical infrastructure.

The public disclosure of default passwords and specific port numbers, as was done in the aftermath of this attack, raises concerns about cybersecurity management practices and the protection of sensitive operational information. This breach demonstrates the necessity for robust cybersecurity measures, including the safeguarding of access credentials and the implementation of secure communication channels to prevent unauthorized access to critical operational technologies.

Conclusion:

The cyberattack against the Municipal Water Authority of Aliquippa highlights the evolving landscape of cyber threats, particularly against critical infrastructure. It underscores the importance of securing industrial control systems against state-sponsored cyber actors and improving resilience against supply chain vulnerabilities. This incident calls for a reevaluation of cybersecurity protocols and the adoption of comprehensive defense strategies to protect critical infrastructure from future cyber threats.

Legal and Regulatory Issues:

New York Attorney General files a lawsuit against Citibank, alleging the big bank failed to do enough to protect and reimburse victims of scammers and hackers because of Citi’s weak security and anti-fraud measures

Incident Overview

The New York Attorney General, Letitia James, has filed a lawsuit against Citibank, accusing the financial institution of failing to adequately protect customers from fraud and refusing to reimburse victims of unauthorized account activities. The lawsuit alleges that Citibank’s security and anti-fraud measures are insufficient, leading to significant financial losses for New York consumers. The Attorney General’s office has highlighted cases where scammers were able to steal large sums of money from Citibank customers due to the bank’s alleged negligence in implementing robust data security protocols and procedures. These instances include unauthorized wire transfers and account takeovers facilitated through social engineering tactics rather than exploiting software vulnerabilities. The lawsuit seeks to compel Citibank to pay back defrauded customers with interest, in addition to paying penalties and improving its anti-fraud defenses.

Citibank’s response to these allegations has been to emphasize the steps it has taken to enhance security and reduce wire fraud incidents. However, the bank maintains that it has complied with all relevant laws and regulations concerning wire transfers. Citibank argues that banks are not obligated to compensate clients who follow fraudulent instructions when there is no apparent indication of deception to the bank.

This legal action by the New York Attorney General underscores the growing concerns over the security of online and mobile banking platforms and the responsibilities of financial institutions to protect their customers from cyber threats. It also raises questions about the adequacy of current regulatory frameworks and consumer protections in the face of evolving cybercrime tactics.

Impact Assessment of the Citibank Lawsuit

Financial Impact on Consumers:

The lawsuit against Citibank by the New York Attorney General Letitia James highlights a significant financial impact on consumers, particularly victims of electronic fraud. The allegations suggest that due to Citibank’s purportedly insufficient security measures, consumers in New York have suffered substantial financial losses, with some losing their life savings, college funds for their children, or funds necessary for daily living. These financial losses not only affect the immediate financial stability of the victims but also their long-term financial planning and security.

Reputational Damage to Citibank:

The lawsuit and its allegations could result in reputational damage to Citibank. Consumer trust is paramount for financial institutions, and accusations of failing to protect customers from fraud or refusing to reimburse victims could erode trust in Citibank’s ability to safeguard customer assets. This erosion of trust could potentially lead to a loss of customers or difficulty in acquiring new ones, impacting the bank’s market position and profitability.

Regulatory and Industry Implications:

This case underscores the importance of robust cybersecurity measures and consumer protection in the banking industry. It may prompt regulatory bodies to scrutinize the cybersecurity practices and fraud reimbursement policies of banks more closely. This could lead to stricter regulations and standards for cybersecurity and fraud protection in the financial sector, compelling banks to enhance their security protocols and procedures to prevent unauthorized access and fraud.

Legal and Financial Consequences for Citibank:

If the lawsuit results in a judgment against Citibank, the bank may face significant legal and financial consequences, including the requirement to disgorge profits, pay fines, and reimburse victims for their losses with interest. Additionally, the lawsuit seeks the appointment of a third-party monitor to ensure compliance with enhanced anti-fraud defenses, which could entail ongoing costs for the bank to maintain these heightened security measures.

Consumer Awareness and Behavior:

The publicity surrounding the lawsuit may raise awareness among consumers about the risks of electronic fraud and the importance of cybersecurity. This heightened awareness could lead consumers to demand better security features from their banks and to be more cautious in their online and mobile banking activities. It could also encourage consumers to actively seek out financial institutions that prioritize customer security and fraud protection.

Overall, the lawsuit against Citibank by the New York Attorney General could have far-reaching implications for both consumers and the banking industry, emphasizing the critical need for financial institutions to adopt robust security measures to protect against electronic fraud and to treat victims of such fraud fairly and responsibly.

Technical Reports: CVEs / Attacks / Malware / Trends

CVEs and Vulnerabilities:

  1. Ivanti Connect Secure VPN Vulnerabilities:
    • CVE-2024-21893: A high-severity vulnerability allowing unauthenticated access to restricted resources, exploited in the wild.
  2. Google Chrome Vulnerabilities:
    • CVE-2024-0517: A high-severity flaw in Chrome’s V8 JavaScript engine that could enable heap corruption through a crafted HTML page.
    • CVE-2024-0519: A critical out-of-bounds memory access issue in Chrome’s V8 JavaScript engine, being actively exploited. This vulnerability allows attackers to access data beyond the memory buffer, potentially leading to sensitive information access or a system crash.
  3. GitLab Vulnerability:
    • CVE-2024-0402: A critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) allowing an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
  4. FortiSIEM Vulnerabilities:
    • CVE-2024-23108 and CVE-2024-23109: Two new maximum-severity vulnerabilities in the FortiSIEM product allowing for remote code execution.
  5. Android Vulnerabilities:
    • The February 2024 Android Security Bulletin includes a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed.
  6. JetBrains TeamCity Vulnerability:
    • CVE-2024-23917: A critical vulnerability in JetBrains TeamCity before 2023.11.3 enabling authentication bypass leading to remote code execution.

Attacks and Malware Trends:

  • Generative AI for Cybercrimes: Cybercriminals are increasingly leveraging generative AI for sophisticated cybercrimes, including social media impersonation and spam campaigns.
  • KV Botnet Disruption: The US Department of Justice has disrupted the KV botnet, used by the China-affiliated APT Volt Typhoon, targeting critical infrastructure organizations in the US.
  • APT28 (Pawn Storm/Forest Blizzard): Continues its traditional tactics combined with sophisticated TTPs, including NTLMv2 hash relay attacks.

Malware:

  • FortiOS SSL VPN Exploit: The recently discovered critical remote code execution flaw in FortiOS SSL VPN, CVE-2024-21762, is being actively exploited. Fortinet has advised users to upgrade to the latest version to mitigate this risk.
  • USB Malware Payloads via Legitimate Platforms: A new campaign has been uncovered where threat actors distribute malware through USB devices, leveraging legitimate platforms like GitHub and Vimeo to host malicious payloads. This tactic signifies an evolving approach in malware distribution, targeting unsuspecting users through seemingly benign content.
    • Capabilities:
      • Executing commands or scripts received from the C2 server
      • Executing Python code received from the C2
      • Altering clipboard content for cryptocurrency theft
      • Infecting USB/removable drives to spread malware on other systems
      • Capturing screenshots for information theft
      • Gathering detailed system and network information
      • Determining the geographical location of the infected system
  • IOCs and Analysis: https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

This summary provides an overview of the current threat landscape based on recent vulnerabilities, attacks, and trends. Organizations and individuals are advised to stay informed about these developments and apply necessary updates or patches to safeguard against potential threats.

Downloadable Report:


Source: https://krypt3ia.wordpress.com/2024/02/09/tlp-white-threat-intelligence-report-for-the-week-of-february-5th-february-9th-2024/