Daily Brief

Articles are listed below; each title is followed by a machine-generated summary.

Total articles found: 12831

Checks for new stories every ~15 minutes

2025-01-04 08:35:30 theregister CYBERCRIME Atos Denies Direct Ransomware Breach; Admits Third-Party Compromise
Atos has denied claims by the Space Bears ransomware group that it broke into Atos systems, stating that the infrastructure Atos manages was not compromised. The French tech giant acknowledged that third-party infrastructure outside its control was compromised and that it held data relating to Atos. Space Bears had earlier claimed responsibility for the attack and threatened to release Atos data unless a ransom was paid by January 7. Atos says it has detected neither a compromise of its own systems nor any ransomware, and has received no ransom demand. The company points to its security organization of over 6,500 specialists and 17 security operations centers operating around the clock. What data the third-party infrastructure held, and whether it relates to Atos customers, remains unclear. The incident follows a March 2023 claim by the Cl0p ransomware group that Atos also denied, attributing that data exposure to acquired entities and third-party software vulnerabilities.
2025-01-04 07:55:24 thehackernews MALWARE New PLAYFULGHOST Malware Disguised in VPN Apps Targets Data
PLAYFULGHOST, a backdoor identified by Google's Managed Defense team, shares much of its functionality with the long-running Gh0st RAT. It is distributed through phishing emails and SEO poisoning, using trojanized VPN applications such as LetsVPN as the lure. Delivery methods include archives disguised as .jpg image files attached to emails and malicious installers served from manipulated search results. Execution and persistence rely on DLL search-order hijacking and side-loading together with several standard Windows persistence mechanisms. Once active, it can log keystrokes, capture screenshots and audio, read clipboard content and QQ account data, and manipulate files and system settings. It can also deploy additional components, including Mimikatz for credential theft, a rootkit to hide its activity, and the Terminator tool to disable security software. The targeted applications and language-specific data collection indicate a focus on Chinese-speaking users.
2025-01-04 07:35:21 thehackernews NATION STATE ACTIVITY U.S. Issues Sanctions Against Chinese Firm for State-Backed Cyber Attacks
The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based cybersecurity firm, for involvement in state-sponsored cyber attacks. These cyber attacks have been linked to the Chinese threat actor Flax Typhoon, also known as Ethereal Panda and RedJuliett. Flax Typhoon has been operational since mid-2021, employing IoT botnet Raptor Train and targeting entities in North America, Europe, Africa, and Asia. The attacks commonly exploit known vulnerabilities for initial access, then use legitimate remote software for persistence. The U.S. describes these Chinese cyber actors as among the most persistent threats to national security, frequently targeting government systems. The sanctioned firm, also known as Yongxin Zhicheng, allegedly provided infrastructure support for Flax Typhoon’s activities from mid-2022 to late-2023. The U.S. vows to use all tools at its disposal to disrupt these threats and strengthen both public and private sector cyber defenses. Integrity Technology Group has been linked to the PRC Ministry of State Security and has operated since September 2010, serving various governmental security departments.
2025-01-03 23:14:14 bleepingcomputer MISCELLANEOUS Tenable Plugin Updates Disrupt Nessus Agents Globally
Tenable acknowledged that Nessus Agents went offline after receiving differential plugin updates on December 31. The problem affected Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe and Asia. Tenable halted plugin updates and withdrew the affected versions. Customers must manually upgrade to Nessus Agent 10.8.2 or downgrade to 10.7.3 to restore functionality; where agent profiles are used to perform the upgrade or downgrade, a separate plugin reset is also required before the agents recover. Tenable said it would resume the regular plugin feed by the end of the day once the issue was resolved. The incident recalls the July 2024 faulty CrowdStrike Falcon update that caused widespread outages across major services worldwide.
2025-01-03 16:33:19 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Chinese Firm for State-Sponsored Cyberattacks
The U.S. Treasury Department sanctioned Beijing-based cybersecurity company Integrity Tech due to its involvement with the Chinese state-sponsored Flax Typhoon hacker group. Flax Typhoon used Integrity Tech’s infrastructure to execute cyberattacks targeting European and U.S. networks from Summer 2022 to Fall 2023. The hackers employed VPN software and remote desktop protocols, compromising multiple servers and workstations, including those in a California-based entity. A related operation, named Raptor Train, involved a botnet used for DDoS attacks and stealthy operations against sectors including military, government, and IT, primarily affecting the U.S. and Taiwan. The botnet controlled by Integrity Tech had infected over 260,000 devices globally, establishing a significant, multi-tiered network system. Integrity Tech, identified as a major contractor for the Chinese government's Ministry of State Security, employs hackers who target critical infrastructure under government direction. Following the sanctions, any U.S. transactions with Integrity Tech are prohibited, and their assets within the U.S. are frozen. Additional breaches by another Chinese state-backed group, Salt Typhoon, have impacted major U.S. telecom entities, signaling continuing cybersecurity threats.
2025-01-03 16:13:16 bleepingcomputer CYBERCRIME Malicious npm Packages Target Ethereum Developers' Sensitive Data
Twenty malicious npm packages impersonating the Hardhat development environment were designed to steal private keys and sensitive data from Ethereum developers. The packages, downloaded over a thousand times, use typosquatting to mimic legitimate package names and trick developers into installing them. Once installed, the malicious code harvests Hardhat private keys, mnemonics and configuration files, encrypts them with a hardcoded AES key, and sends them to attacker-controlled endpoints. The exfiltrated data could give attackers access to Ethereum wallets and production systems, enabling unauthorized transactions and compromised smart contracts. Recommended defenses include verifying package authenticity, inspecting source code before installation, and keeping private keys in protected vaults. Further measures include committing lock files, pinning dependencies to exact versions, and minimizing the number of dependencies to reduce exposure.
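The two mechanical checks from the recommendations above (lookalike package names and unpinned version ranges) can be automated against a project's package.json. The script below is an added example written for this brief, not code from the article or from the Hardhat project; the allow-list of expected package names is an assumption a team would maintain itself, and the lookalike name in the constructed sample manifest is hypothetical, not one of the packages reported in the story.

```python
"""Dependency-hygiene check for an npm project: flag lookalike (typosquat)
package names and unpinned version ranges in a package.json.

Added example, not from the article or any project it mentions.
"""
import json
import re

# Assumption: a team-maintained allow-list of package names the project is
# expected to depend on. 'hardhat' and '@nomicfoundation/hardhat-toolbox'
# are real package names used here as plausible entries.
ALLOWED = {
    "hardhat",
    "@nomicfoundation/hardhat-toolbox",
    "ethers",
}

# Exact versions only ("1.2.3", optionally with a prerelease/build suffix).
# Anything else ("^1.2.3", "~1.2", "latest", "*") floats and is flagged.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_allowed(name: str) -> tuple:
    """Return (allowed_name, distance) for the allow-listed name nearest `name`."""
    return min(((known, levenshtein(name, known)) for known in ALLOWED),
               key=lambda t: t[1])


def audit(package_json: str, max_distance: int = 2) -> list:
    """Audit dependencies and devDependencies; return one dict per finding.

    A name within `max_distance` edits of an allow-listed name but not equal
    to it is reported as a lookalike (the typosquat pattern); any other
    unknown name is reported as not on the allow-list; floating version
    ranges are reported as unpinned.
    """
    manifest = json.loads(package_json)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, version in manifest.get(section, {}).items():
            if name not in ALLOWED:
                known, dist = closest_allowed(name)
                if dist <= max_distance:
                    findings.append({"package": name, "issue": "lookalike",
                                     "near": known, "distance": dist})
                else:
                    findings.append({"package": name, "issue": "not-on-allow-list"})
            if not PINNED_RE.match(version):
                findings.append({"package": name, "issue": "unpinned",
                                 "version": version})
    return findings


# Constructed sample manifest: "hardhatt" is a hypothetical lookalike and
# "hardhat" uses a caret range so that both checks fire.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-contracts",
    "dependencies": {"ethers": "6.13.4"},
    "devDependencies": {
        "hardhat": "^2.22.0",
        "hardhatt": "2.22.1",
        "@nomicfoundation/hardhat-toolbox": "5.0.0",
    },
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKAGE_JSON):
        print(finding)
```

Run it against the sample and it reports "hardhatt" as a lookalike of "hardhat" at edit distance 1 and "hardhat" as unpinned; the exact-version entries on the allow-list pass. In a CI job the allow-list would come from a file under code review, and any non-empty findings list would fail the build before `npm install` runs.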
2025-01-03 14:33:02 bleepingcomputer CYBERCRIME Atos Refutes Space Bears Ransomware Breach Claims
French tech giant Atos has denied allegations by the ransomware group Space Bears about compromising their database. Space Bears, known for double extortion tactics, threatened to publish stolen Atos data on their dark web site. Atos, a major cybersecurity provider for France's military and secret services, found no evidence of compromise in their systems. The company claims Space Bears instead accessed data from an unconnected "external third-party infrastructure" not managed by Atos. As of the last update, Atos reported no source code or proprietary data was accessed, and their managed infrastructure was secure. The ransomware group has been active since April 2024 and has threatened various global industries, aiming to extract ransom payments.
2025-01-03 14:33:02 bleepingcomputer DATA BREACH Apple Settles for $95 Million in Siri Privacy Lawsuit
Apple has agreed to pay $95 million to settle a class action lawsuit over Siri accidentally recording private conversations and sharing them with third parties. The settlement covers U.S.-based owners of Siri-enabled devices from September 17, 2014 through December 31, 2024 whose communications were shared without consent. Class members may receive up to $20 per device for up to five devices; lead plaintiffs could receive up to $10,000. The settlement requires the permanent deletion of all improperly obtained Siri audio recordings and mandates clearer user controls and disclosures for managing Siri settings, including options to avoid unintentional activations and data sharing. A preliminary approval hearing is scheduled for February 14, 2025, with a claims deadline of June 29, 2025. Final approval depends on any objections and the court's rulings.
2025-01-03 13:32:54 theregister MISCELLANEOUS Innovative Doom CAPTCHA Challenges Users in Nightmare Mode
Vercel CEO Guillermo Rauch developed a unique CAPTCHA where users must defeat three monsters in the game Doom on its most challenging setting, nightmare mode. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) traditionally protects websites from bot traffic using puzzles that are difficult for computers. Originally featuring distorted text, CAPTCHA has evolved into image verifications and more complex background processes under Google's reCAPTCHA. A 2023 study indicated that CAPTCHA may no longer be effective as advanced bots can solve these tests faster and more accurately than humans. Rauch, also known for creating Next.js and other open source projects, used Vercel's AI-powered web development agent v0 to build the Doom CAPTCHA as a WebAssembly app. Despite being an engaging tech demo, the practical application of Doom CAPTCHA is limited, potentially seen as annoying or as a humorous tool by developers. The use of game data from Doom raises legal concerns, as only the engine is open source, not the game content like maps and textures. The evolving capabilities of AI, such as OpenAI's GPT-4, suggest that bots may soon overcome even sophisticated CAPTCHA variants like this one.
2025-01-03 12:52:49 theregister MISCELLANEOUS Advancing Memory Safety: From C to Rust with Mini-C
Researchers from France's Inria and Microsoft have developed Mini-C, a subset of the C programming language, designed for safer automatic conversion to Rust. This initiative addresses the high prevalence of memory safety errors in software, which have been a major source of vulnerabilities in systems like Google's Android OS. Unlike typical C code, which offers no inherent memory safety, Mini-C avoids unsafe C patterns like pointer arithmetic, enabling more secure applications. The conversion process using the KaRaMeL compiler framework requires minimal adjustments to fit the supported C subset, after which it can produce safe Rust code. The translation has been tested on two major code bases, with successful conversions indicated by minimal changes needed for the HACL* cryptographic library and none for the EverParse library. The resultant Rust code maintains performance levels comparable to the original C implementations, with enhanced security features such as runtime bounds checks. The improved security and compatibility of the converted Rust code have led to its integration into notable cryptographic libraries used by organizations such as Mozilla and OpenSSH, contributing to broader application security improvements.
2025-01-03 11:32:37 thehackernews CYBERCRIME New AI Technique 'Bad Likert Judge' Enhances Malicious Attack Success
Researchers at Palo Alto Networks Unit 42 have described a new LLM jailbreak technique, "Bad Likert Judge," that manipulates large language models into bypassing their safety guardrails and producing harmful content. The attacker asks the model to act as a judge that scores candidate responses for harmfulness on a Likert scale, then asks it to produce example responses matching each score, so that the highest-scoring example carries the harmful content. It is a multi-turn jailbreak (distinct from many-shot jailbreaking, which floods the context with example dialogues): each prompt on its own looks benign, and the sequence nudges the model toward a malicious output without tripping its internal safety checks. Tested against six leading LLMs from Amazon Web Services, Google, Meta, Microsoft, OpenAI and NVIDIA, the technique raised the attack success rate by more than 60% on average compared with plain attack prompts. The research underscores the value of content filtering on model inputs and outputs: applying such filters cut the attack success rate by an average of 89.2 percentage points across the models tested. The finding adds to a growing list of weaknesses in AI tools that could be abused for misinformation, harassment and other illegal activity.
2025-01-03 08:32:13 thehackernews DDOS PoC Exploit Causes DoS on Windows Servers via LDAP Flaw
A proof-of-concept exploit dubbed LDAPNightmare can crash and force reboots of unpatched Windows domain controllers by exploiting a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation. The flaw, CVE-2024-49113 (CVSS 7.5), is an out-of-bounds read that causes a denial of service. Microsoft patched it in the December 2024 updates alongside CVE-2024-49112, a more severe LDAP bug that allows remote code execution. The exploit sends a DCE/RPC request to the target domain controller that causes it to look up the attacker's host and issue a CLDAP query to it; the attacker's specially crafted CLDAP referral response then crashes the Local Security Authority Subsystem Service (LSASS), rebooting the server. The same chain could potentially be turned into remote code execution via CVE-2024-49112 by modifying the CLDAP packet. Organizations are advised to apply the December 2024 patch immediately and to monitor for suspicious CLDAP referral responses and the related DCE/RPC and DNS activity until they do. Both vulnerabilities were reported by independent security researcher Yuki Chen; SafeBreach Labs developed the PoC.
2025-01-03 06:51:59 thehackernews MISCELLANEOUS Microsoft Urges Update of .NET Domains to Avoid Disruption
Microsoft is relocating .NET installers away from Azure Content Delivery Network domains that may stop working after January 15, 2025, because of the bankruptcy of CDN provider Edgio. Azure CDN customers on the Edgio platform who do not update their DevOps infrastructure by January 7, 2025 will have their workloads migrated automatically to Azure Front Door, with the exception of certain endpoints; customers that intend to move to a non-Azure CDN must set a specific feature flag by January 7 to opt out of that migration. Microsoft cannot guarantee availability on the Edgio platform after January 7 and urges migration to another CDN by January 14, 2025. From January 3, 2025, no further configuration changes to Azure CDN profiles on the Edgio platform are allowed, though existing services keep running until the shutdown. Microsoft also controls the azureedge[.]net domain itself, so that it cannot be taken over and abused for malware distribution or other malicious activity. Customers are advised to use custom domains to reduce dependency on any single CDN and with it the risk of disruption and domain-takeover attacks.
2025-01-03 05:51:51 thehackernews DATA BREACH Apple Settles Siri Privacy Lawsuit for $95 Million
Apple has agreed to pay $95 million to settle a class action lawsuit alleging privacy violations through its Siri voice assistant. The lawsuit covers U.S.-based individuals who owned Siri-enabled devices and experienced unintended activations that led to private conversations being recorded and potentially shared with third parties. Eligible class members, including owners of iPhones, iPads and MacBooks, can receive $20 per device for up to five devices. The action followed a 2019 report by The Guardian revealing that third-party contractors listened to private conversations captured by Siri in order to improve the service. Plaintiffs also alleged that recordings were shared with third-party advertisers without user consent. After the public backlash Apple made audio sample collection opt-in and updated its settings to let users disable analytics collection. Apple denies wrongdoing but has apologized for falling short of its privacy standards and says it has changed its practices to prevent a recurrence. Google faces a similar lawsuit over its voice assistant, pointing to broader privacy concerns with always-listening products.
2025-01-02 23:10:57 bleepingcomputer DATA BREACH Brain Cipher Ransomware Exposes Rhode Island's RIBridges Data
The Brain Cipher ransomware gang began leaking documents stolen during an attack on Rhode Island’s RIBridges social services platform. Deloitte, the vendor for RIBridges, initially detected the breach on December 5, with confirmation of data theft provided on December 10. Stolen data includes personal identifying information (PII) of both adults and minors, distributed through the gang's data leak site. The breach has potentially impacted around 650,000 individuals, exposing sensitive information such as Social Security numbers and banking details. Rhode Island's Governor McKee advised residents to take protective actions like freezing credit and monitoring for fraud. Cybersecurity researcher Connor Goodwolf confirmed the availability of the data, which includes extensive databases and backups. The leaked data has raised concerns about targeted phishing scams using the breached information. Brain Cipher uses a data leak site for ransom extortion but faced possible DDoS attacks making the leaked data temporarily inaccessible.