Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12821

Checks for new stories every ~15 minutes

2025-01-29 16:37:25 thehackernews MISCELLANEOUS Upcoming Webinar Explores Real Impact of AI on Cybersecurity
The webinar is centered around understanding the real-world applications of AI in the cybersecurity sector. Ravid Circus, an expert in both cybersecurity and AI, will lead the discussion and share insights. The event will showcase results and analyses from a survey involving 200 cybersecurity professionals. Participants will learn to distinguish between hyped AI technologies and those that provide genuine value. The session aims to assist attendees in refining or developing their cybersecurity strategies using AI insights. The interactive format encourages attendees to transform their cybersecurity approach based on peer experiences and expert advice. Registration is required for participation, with a strong indication of high demand and limited availability.
2025-01-29 15:39:44 theregister DDOS New Mirai Botnet Variant Exploiting Mitel Phones for DDoS Attacks
Akamai's Security Intelligence and Response Team reports a new variant of Mirai-based malware, dubbed Aquabotv3, which targets Mitel phones to create a botnet. Aquabotv3 exploits a command injection vulnerability, CVE-2024-41710, in certain Mitel phones, allowing full control over the device. This malware variant has unique features, including a signal handler that reports to its command-and-control (C2) server if an attempt is made to terminate the malware. This behavior is new in Mirai variants, possibly indicating a shift towards more resilient botnet structures to monitor and maintain the botnet's health. The vulnerability was patched in July of the previous year, but many devices remain at risk due to unchanged default usernames and passwords. Aquabot has been actively infecting devices since at least November 2023 and has several known versions, with Aquabotv3 being the latest. The threat extends beyond Mitel phones; similar Aquabot malware exploits have been detected targeting vulnerabilities in other devices and software.
2025-01-29 15:07:21 bleepingcomputer MISCELLANEOUS Free Risk Assessment Offered for Modern Browsing Threats
GenAI tools and SaaS platforms are increasingly integrated into work environments, heightening risks of data exposure and identity vulnerabilities. Many security teams lack clarity on which browsing and SaaS platform risks to prioritize and might overlook potential threats. A new complimentary risk assessment service has been introduced to evaluate an organization's browsing environment and identify key security risks. The service provides a detailed report outlining risks such as insecure GenAI use, sensitive data leaks, and dangerous browser extensions, alongside mitigation recommendations. Key emphasis is placed on actionable insights tailored to specific organizational needs, aiming to enhance security measures and inform strategic decision-making. All organizations regardless of size, industry, or security program maturity can benefit from this free service to improve their security posture against modern web threats. Offered by LayerX Security, the service is designed to help organizations proactively understand and manage risks associated with their internet browser and SaaS usage.
2025-01-29 14:47:51 bleepingcomputer CYBERCRIME Hackers Exploit Unpatched Flaw in Zyxel Devices Worldwide
Hackers are actively exploiting a critical vulnerability, CVE-2024-40891, in Zyxel CPE devices, which allows command injection without authentication. The vulnerability was identified and added to the VulnCheck database on July 12 of the previous year, and remains unpatched in the latest firmware updates. GreyNoise has detected recent exploitation attempts from multiple unique IP addresses, indicating that the vulnerability is being actively exploited in the wild. The flaw is related to the telnet protocol and enables attackers to execute arbitrary commands on affected devices, potentially leading to complete system compromise. Over 1,500 Zyxel CPE devices are exposed online across various countries, including the Philippines, Turkey, the UK, France, and Italy, increasing the potential impact of the flaw. In the absence of an official patch from Zyxel, recommended temporary mitigation measures include blocking IP addresses known to be sources of exploitation and monitoring unusual telnet traffic. Administrators are also advised to restrict access to device administrative interfaces and disable remote management features if they are unnecessary.
2025-01-29 13:07:04 theregister MISCELLANEOUS Webinar Offers Strategies for Proactive Data Security
The Register, in partnership with Rubrik, hosted an on-demand webinar focusing on shifting from reactive to proactive data security measures. Titled "Proactive Data Security and Identity Management", the webinar aimed to deliver practical strategies for long-term protection of organizational data. Vileen Dhutia from Rubrik and Tim Phillips from The Register explored advanced security tools and approaches beyond traditional methods. Key strategies discussed included transitioning from a reactive security posture to proactive protection and outperforming legacy security methods. The session stressed the importance of driving lasting change in organizational security practices. By adopting these strategies, organizations can stay ahead of evolving cyber threats and secure their future. The webinar underscored the need for a paradigm shift in how organizations approach cybersecurity to effectively combat future challenges.
2025-01-29 12:35:44 theregister CYBERCRIME Major Online Fraud Ring Busted, Operators Sentenced by UK Court
Three British individuals operated OTP Agency, a fraudulent scheme providing access to victims' one-time passcodes (OTPs). The National Crime Agency (NCA) revealed that a 2021 investigation triggered panic among the fraudsters, leading to incriminating messages. OTP Agency charged £30 per week for basic services, escalating to £380 per month for advanced capabilities targeting banking and telecom platforms. Over 65,000 automated calls were made, targeting more than 12,500 people, by manipulating multi-factor authentication systems. The operators were arrested in March 2021, following an NCA investigation that began in June 2020. The main operator, Callum Picari, was sentenced to two years and eight months in prison, while his accomplices received community orders and fines. The NCA stresses the importance of vigilance in online banking and personal information security, emphasizing ongoing threats from similar fraudulent operations.
2025-01-29 07:31:21 theregister NATION STATE ACTIVITY UK Government Struggles to Meet Cybersecurity Targets by 2030
The UK National Audit Office (NAO) has reported significant delays in the government reaching its cybersecurity targets set for 2025, now viewing 2030 as an "ambitious" goal. As part of its 2022 Government Cyber Strategy, there were aims to enhance the cyber resilience of critical governmental functions; however, improvements are lagging considerably. There are 228 identified legacy IT systems across government departments assessed for vulnerabilities, with 63 of them being at high risk for security and operational failures. The report highlights a stark cybersecurity skills gap within the government, noting that one-third of cyber-related roles remain unfilled or are temporarily filled, costing significantly more than permanent staff. Fundamental cybersecurity measures such as asset management, protective monitoring, and response planning were found notably weak, leading to "extremely high" government cybersecurity risks. The NAO recommends developing a cross-government plan within six months to effectively implement the Cyber Security Strategy and to address the cyber skills shortfall within a year. Government reliance on outdated IT systems and lack of sufficient cybersecurity professionals are major factors hindering the advancement of national cyber resilience.
2025-01-29 02:43:49 theregister DATA BREACH Lawsuit Claims New Email System Risks Massive Federal Data Breach
Two U.S. government employees have filed a lawsuit against the Office of Personnel Management (OPM), alleging that the introduction of a new centralized email system violates the E-Government Act of 2002. The lawsuit expresses concern over the lack of a privacy impact assessment for the new system, which is required by law to ensure the protection of employee data. The new email system, set up on an on-premises server, is intended to allow OPM to directly communicate with all civilian federal employees, potentially to issue mass firing notices. The legal complaint highlights past security breaches at OPM, including a significant data theft in 2014, intensifying worries about the safety of the new system. The implementation involves sending test emails to federal employees to confirm the system's capability to reach all employees, raising concerns about compiling a comprehensive list of government employee contacts. The complaint also mentions internal resistance, including the alleged firing of a CIO who opposed the system’s setup, suggesting possible political motivations behind the email system’s rapid deployment. Legal representatives for the plaintiffs emphasize the risk of hacking and data theft due to the centralized nature of the new email system, urging the need for transparency and compliance with required data protection measures.
2025-01-29 00:35:33 theregister MALWARE New Side-Channel Attacks Threaten Apple Devices' Data Security
Researchers identified two speculative-execution attacks, named SLAP and FLOP, targeting Apple Silicon processors in devices like iPhones, iPads, and Macs. SLAP and FLOP leverage weaknesses in speculative logic within CPUs to steal sensitive data from memory such as emails, browsing history, and encryption keys. The attacks exploit Apple's Load Address Predictor (LAP) and Load Value Prediction (LVP), manipulating them to access and leak information from memory. SLAP allows an attacker to spy on another webpage's content within the same browser, while FLOP can trick the CPU into operating on incorrect data. Both attacks were demonstrated to extract information such as inbox content, location history, and calendar events through covert channels. Apple has been notified of these vulnerabilities. Researchers have proposed mitigation techniques, including applying a Data Independent Timing (DIT) bit to disable risky CPU behaviors. Apple is reportedly developing Site Isolation in Safari to enhance security, but current browser defenses like Chrome's Site Isolation are still susceptible to these attacks.
2025-01-28 22:19:41 theregister CYBERCRIME Hellcat Ransomware Crew Targets High-Profile Entities Globally
Hellcat, a ransomware group, has targeted sectors like government, education, and energy with ransom demands and data theft. The group employs a ransomware-as-a-service model and engages in double-extortion by stealing and then encrypting victims' data. During an attack on Schneider Electric, Hellcat stole 40GB of data and demanded $125,000 in baguettes as a form of mockery. The ransomware crew exploited a zero-day vulnerability in the Atlassian Jira system to gain initial access. Hellcat leverages psychological warfare, primarily humiliation, as part of their attack strategy. Recent compromises include sensitive documents from Jordan’s Ministry of Education and over 500,000 records from Tanzania's College of Business. The group also compromised Pinger, a US telecom company, threatening to release 9 million user records and other sensitive data. Hellcat's continued operations involve selling unauthorized access to servers, impacting entities from educational institutions to city governments.
2025-01-28 21:51:46 bleepingcomputer CYBERCRIME Hackers Target Networks by Exploiting SimpleHelp Software Flaws
Hackers reportedly exploit vulnerabilities in SimpleHelp RMM software to penetrate networks. Vulnerabilities identified include CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, which enable file manipulation and privilege escalation. Horizon3 initially discovered these flaws, and SimpleHelp addressed them in January with updates to versions 5.5.8, 5.4.10, and 5.3.9. Arctic Wolf observed a campaign potentially exploiting these flaws, beginning about a week after the vulnerabilities were publicly disclosed. Despite uncertainty about the exact cause, Arctic Wolf advises updating to the latest SimpleHelp versions and removing unnecessary installations of the software. Shadowserver Foundation noted 580 vulnerable SimpleHelp instances still accessible online, with 345 in the U.S. Attackers leveraged previously installed SimpleHelp software to control target devices, gathering system intelligence and testing network defenses.
2025-01-28 18:06:52 bleepingcomputer MALWARE Apple CPUs Vulnerable to New Web-Based Side-Channel Attacks
Researchers at Georgia Institute of Technology and Ruhr University Bochum discovered two new side-channel vulnerabilities in Apple CPUs, named FLOP and SLAP. These vulnerabilities are found in processors starting from the M2/A15 to the M3/A17 generations, affecting modern Apple devices. The FLOP attack exploits mispredictions in Load Value Prediction, allowing attackers to steal sensitive data like emails and location histories by manipulating web browsers. The SLAP attack misuses Speculative Load Address Prediction to gain unauthorized access to data such as Gmail inbox details and user activity on Amazon and Reddit. Both attacks manipulate speculative execution, a process designed to enhance CPU performance, which can inadvertently process and leak incorrect data. These attacks can be triggered remotely via a malicious website containing JavaScript or WebAssembly, bypassing traditional browser and memory protections. Apple has been informed of these issues but has yet to release fixes, leaving devices vulnerable to data theft. Until Apple patches these vulnerabilities, disabling JavaScript could serve as a temporary mitigation, albeit at the loss of functionality on many web platforms.
2025-01-28 17:34:47 bleepingcomputer DATA BREACH Smiths Group Reports Cybersecurity Breach Impacting Operations
Smiths Group, a major London-based engineering firm, has disclosed a security breach following unauthorized system access. The company, employing over 15,000 people in 50 countries and generating £3,132 million in revenue, is now investigating the incident. Immediate actions included isolating affected systems and implementing business continuity plans to mitigate impact. Smiths Group is collaborating with cybersecurity experts to restore affected systems and assess broader business impacts. Efforts are ongoing to comply with regulatory requirements, with a promise to update stakeholders as more details become available. The exact date of the breach detection and whether customer or business data was compromised remains unclear. This incident follows recent cybersecurity issues faced by other firms like Conduent and Hewlett Packard Enterprise, highlighting a trend of increasing cyber attacks on corporations.
2025-01-28 16:28:27 bleepingcomputer MISCELLANEOUS Signal Enhances Privacy with Encrypted Message Sync Feature
Signal is introducing a feature to sync old messages to new devices using end-to-end encryption. The new feature will allow users to transfer their chat history to desktops and iPads securely via QR code verification. Message synchronization includes texts, stickers, call history, and other forms of media from the last 45 days. Transferred data will be encrypted with a one-time 256-bit AES key, enhancing security during the transfer process. The feature supports Signal's commitment to user privacy: messages are not stored on Signal's servers and remain only on users' devices. A direct channel facilitates the transfer, with Signal servers acting briefly as a relay to prevent data breaches. Signal is exploring possibilities to extend the media retention period and improve restoration options for lost or damaged devices. Users interested in early access can participate by installing Signal Beta to assist in finalizing the feature.
2025-01-28 16:18:55 bleepingcomputer CYBERCRIME Microsoft Introduces AI-Powered Scareware Blocker for Edge
Microsoft is testing a new scareware blocker feature in its Edge browser, designed to combat tech support scams using machine learning. The scareware blocker, revealed at the 2024 Ignite conference and now in preview for Edge users, detects malicious tech support schemes in real-time. This AI tool runs locally on users' computers using a machine learning model that utilizes computer vision to compare web pages against a database of known scam samples. When potential scam pages are detected, Edge alerts users, exits full screen, halts any loud audio, and presents a warning along with a page thumbnail. Users have the option to bypass the warning if they believe the page is safe and are encouraged to report scam sites to enhance collective security measures. Reporting of false alarms is also encouraged to help refine the feature and reduce false positives. Beyond the blocker, Microsoft plans more comprehensive cybercrime prevention measures and has announced an upcoming brand impersonation protection feature for Teams Chat.