Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 12822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-07 15:13:59 | bleepingcomputer | DATA BREACH | Ransomware Attack Exposes Data of Over 300,000 Patients at Hospital | Anna Jaques Hospital in Massachusetts suffered a ransomware attack on December 25, 2023, compromising the data of 316,342 patients. The breach was made public by the 'Money Message' ransomware group, which began extorting the hospital on January 19, 2024, and later leaked the data. Anna Jaques took immediate action to contain the breach by taking affected systems offline and alerting authorities. A thorough forensic investigation concluded only recently, revealing the full extent of the data exposure, including sensitive health information. The hospital has begun notifying affected individuals and has offered them free identity protection and credit monitoring services for 24 months. Patients and employees are urged to monitor their account statements and credit reports for signs of unauthorized activity. Anna Jaques Hospital emphasizes that there has been no indication of fraud following the breach, though precautions are strongly advised. | Details |
| 2024-12-07 10:58:17 | thehackernews | MALWARE | Popular AI Library Hijacked to Secretly Mine Cryptocurrency | Two versions (8.3.41, 8.3.42) of ultralytics, a Python AI library, were compromised to inject a cryptocurrency miner. The malware-laden versions were identified after users noticed unusual spikes in CPU usage, indicative of crypto mining activity. The compromise occurred during the PyPI deployment process, after code review, via a GitHub Actions script injection. The security issue was reported, leading to the detection and removal of the tainted versions from the PyPI repository. ReversingLabs linked the attack to unauthorized GitHub pull requests from an account associated with the OpenIM SDK. The subsequent version of ultralytics has been released with a fix to prevent similar security breaches in the future. ComfyUI, which depends on ultralytics, updated its software to alert users to the compromised library versions. The incident highlights the potential for more severe attacks if similar weaknesses are exploited in the future. | Details |
| 2024-12-07 08:41:59 | thehackernews | MISCELLANEOUS | Webinar on Effective Strategies to Secure Privileged Accounts | Privileged accounts are primary targets for cybercriminals, leading to significant risks such as data theft and operational disruption. Traditional Privileged Access Management (PAM) solutions are often inadequate, leaving exploitable gaps. The upcoming webinar titled "Preventing Privilege Escalation: Effective PAS Practices for Today's Threat Landscape" focuses on improving the security of privileged accounts. Experts will discuss strategies and practices to prevent privilege escalation and secure critical assets against emerging threats. The session is designed for individuals responsible for the security of critical assets within their organizations. Attendees will gain tools and insights for securing privileged accounts to mitigate business losses and enhance security. The webinar provides an opportunity to stay up to date on the latest practices in the management and security of privileged accounts. | Details |
| 2024-12-07 08:21:34 | thehackernews | MALWARE | Hackers Lure Web3 Professionals With Fake Conferencing Apps | Cybersecurity researchers have identified a new threat in which fake video conferencing applications are used to deploy the Realst infostealer malware against individuals in the Web3 space. The malware campaign, codenamed Meeten by researchers, employs artificial intelligence to create legitimate-seeming companies and websites as a front for supposed business meetings. Victims are contacted primarily via Telegram and encouraged to join a video call on a counterfeit platform, which leads to a malware-laden app download. Once installed, the malware attempts to harvest sensitive information from the victim's device, including cryptocurrency wallet credentials, social media and banking information, and browser cookies. The malware affects both Windows and macOS systems, using sophisticated methods to evade detection and exfiltrate user data to a remote server controlled by the attackers. This incident is part of a larger trend of using AI and fake brand fronts in cybercriminal schemes, complicating the detection of malicious websites and applications. Previous incidents have used similar tactics with counterfeit meeting software to distribute malware, showing a recurring pattern of targeting cryptocurrency users and professionals with access to valuable digital assets. | Details |
| 2024-12-07 07:30:49 | thehackernews | NATION STATE ACTIVITY | Romania Annuls Presidential Election Results Amid Russian Influence | Romania's constitutional court invalidated the first round of its presidential election due to alleged Russian interference. The court's decision, citing the need to maintain electoral fairness and legality, postpones the previously scheduled second round of voting. Declassified documents suggested a pro-Russian campaign used about 25,000 TikTok accounts to promote candidate Călin Georgescu. The U.S. and the European Commission have expressed concerns about foreign influence in Romania's democratic processes and have increased scrutiny of platforms like TikTok. The Romanian Intelligence Service reported over 85,000 cyber intrusion attempts targeting election infrastructure. TikTok identified and disrupted smaller networks of inauthentic accounts linked to election manipulation in Romania. The annulled election results and the subsequent investigation highlight significant challenges in safeguarding electoral integrity against coordinated inauthentic behavior. | Details |
| 2024-12-06 23:40:25 | theregister | CYBERCRIME | Acros Security Finds NTLM Credential Leak Flaw in Windows 7 to 11 | Acros Security discovered an unpatched NTLM hash leak vulnerability affecting Microsoft Windows from version 7 up to Windows 11 and Server 2022. The flaw is triggered when a user views a malicious file in Windows Explorer, potentially giving a remote attacker access to the user's credentials. NTLM hashes can be used by cybercriminals to authenticate as the user or to crack and obtain plaintext passwords. Acros Security has developed a one-instruction micropatch to address this flaw temporarily until Microsoft provides an official solution. Despite notification, Microsoft has not yet commented on the issue or released an official patch. This type of vulnerability highlights the challenges of securing legacy systems and the reliance on third-party solutions such as micropatches. The pricing and availability of extended support from Microsoft for older systems, including a new one-year extended support option for Windows 10 users, were also discussed. | Details |
| 2024-12-06 22:04:16 | theregister | NATION STATE ACTIVITY | Appeals Court Upholds TikTok Ban Citing National Security Concerns | A U.S. federal appeals court has upheld a law that bars foreign adversaries from controlling apps that collect data on Americans, endangering TikTok's operations in the U.S. TikTok, owned by China-based ByteDance, has been specifically targeted by the Protecting Americans from Foreign Adversary Controlled Applications Act (PFACAA), which could force a shutdown by January 19, 2025. Unless the ruling is overturned, TikTok must either be sold or secure intervention from the White House; President Biden could potentially extend the deadline by 90 days. The U.S. Justice Department has accused ByteDance of using the internal tool Lark to facilitate potential espionage by enabling communication between U.S. TikTok employees and engineers in China. ByteDance challenged the constitutionality of the law, but the appeals court found the national security concerns raised by the Justice Department compelling. TikTok plans to appeal the decision to the U.S. Supreme Court, citing the historical protection of free speech rights in similar cases. The upcoming administration change could influence TikTok's fate, as President-elect Trump has signaled potential leniency toward the app, in contrast to his previous attempts to ban it. | Details |
| 2024-12-06 18:57:18 | bleepingcomputer | MALWARE | Ultralytics AI Library Compromised to Deploy Cryptominer | The popular AI model Ultralytics YOLO11 was compromised in a supply chain attack, specifically affecting versions 8.3.41 and 8.3.42 on PyPI. Users who installed these compromised versions experienced the unauthorized deployment of a cryptominer, leading to abusive-activity flags and bans on platforms like Google Colab. The malicious version installed an XMRig miner on affected systems, connecting to a mining pool via a suspicious URL. Ultralytics CEO Glenn Jocher confirmed the compromise and promptly replaced the affected versions with a secure update, version 8.3.43. A full security audit and additional safeguards are being implemented by Ultralytics to prevent future incidents. The source of the compromise is suspected to be malicious PRs from an individual in Hong Kong, although the full details and implications are still under investigation. Ultralytics has advised users who downloaded the compromised versions to conduct a full system scan to ensure no residual threats remain. | Details |
| 2024-12-06 18:31:53 | theregister | NATION STATE ACTIVITY | FCC Proposes Enhanced Telecom Security Post Salt Typhoon Incident | Jessica Rosenworcel, the outgoing FCC chair, proposes stricter network security requirements for US telecoms after the Salt Typhoon cyberattacks attributed to Chinese state-backed actors. The FCC's proposal requires telecom operators to enforce security measures protecting against unauthorized access and interception, revising section 105 of CALEA. Telecom operators would need to submit an annual certification demonstrating implementation of an updated cybersecurity risk management plan. The move aims to safeguard communications infrastructure, ensuring national security, public safety, and economic stability in the face of advanced cyber threats. The proposal, if enacted, would take immediate effect and opens a comment period on further enhancing communication system resilience. The Salt Typhoon campaign exposed significant weaknesses, affecting at least eight US operators and compromising the wiretapping systems used by law enforcement. The urgency is underscored by guidance from the US Cybersecurity and Infrastructure Security Agency advising the use of encrypted messaging to safeguard information. | Details |
| 2024-12-06 16:40:37 | bleepingcomputer | RANSOMWARE | Termite Ransomware Gang Strikes Blue Yonder, Disrupts Global Supply Chains | The Termite ransomware gang has claimed responsibility for the November attack on SaaS provider Blue Yonder, which affected its managed services and caused widespread outages. Blue Yonder, a Panasonic subsidiary known for its global supply chain solutions, supports over 3,000 major companies including Microsoft, DHL, and Procter & Gamble. The attack impacted various customers, including Starbucks, which had to pay employees manually across 10,000 stores because its work scheduling software was disrupted. Other affected entities include BIC, which suffered shipping delays, and UK supermarket Morrisons, which faced issues in the warehouse management systems for its fresh foods. Following the breach, Blue Yonder has been restoring services and collaborating with cybersecurity experts to resume normal operations for all impacted clients. Termite claims to have stolen 680GB of data from Blue Yonder, including databases, email lists for future attacks, and various sensitive documents. Termite uses a version of the Babuk encryptor, leaked in 2021, which cybersecurity experts have identified as potentially flawed and still under development. | Details |
| 2024-12-06 16:35:13 | bleepingcomputer | MALWARE | New Zero-Day Windows Exploit Exposes NTLM Credentials, Unofficial Patch Released | A new zero-day vulnerability in Windows allows attackers to capture NTLM credentials without the user opening the malicious file, merely by previewing it in Windows Explorer. This vulnerability affects all Windows versions from Windows 7 and Server 2008 R2 to the latest Windows 11 24H2 and Server 2022. Microsoft has not yet provided an official fix, though 0patch has released an unofficial micropatch to address the issue. The attack involves inducing an outbound NTLM connection to a remote share, resulting in the automatic transmission of NTLM hashes. These stolen NTLM hashes can be cracked to obtain users' login names and plaintext passwords. 0patch notes this is the third recent zero-day vulnerability reported to Microsoft that has not been immediately addressed. Users can apply the 0patch-provided micropatches for protection or disable NTLM authentication via Group Policy settings as a workaround. There has been no response from Microsoft regarding its plans to address this flaw officially. | Details |
| 2024-12-06 16:19:51 | thehackernews | NATION STATE ACTIVITY | Russian Programmer's Phone Infected with FSB Spyware | A Russian programmer detained by the FSB and accused of donating to Ukraine had spyware installed on his Android device. The spyware's features included location tracking, phone call recording, keystroke logging, and access to encrypted messaging apps. The device, an Oukitel WP7 running Android 10, was tampered with during a 15-day custodial period. A fake version of a legitimate app was used to install the spyware, granting it extensive intrusive permissions. Advanced capabilities of the spyware included file extraction, password retrieval, and adding new device administrators. Some functions and code of the spyware showed similarities with another known Android spyware, Monokle. Additional findings pointed to the possible development of an iOS version of the spyware. The incident underlines the severe security risks that arise when physical custody of a device is taken by hostile security services. | Details |
| 2024-12-06 12:37:31 | theregister | NATION STATE ACTIVITY | Russian Programmer Escapes FSB, Exposes Spyware on Seized Phone | Kirill Parubets, a Russian systems analyst and charity worker, was detained by the FSB for allegedly sending money to Ukraine, which Russia has classified as treason since the invasion. During his 15-day detention, he was pressured to become an FSB informant under threats of life imprisonment. Parubets managed to flee Russia with his wife after agreeing to cooperate with the FSB, having subsequently noticed spyware, identified as Monokle, installed on his confiscated-and-returned phone. The spyware on his phone had capabilities such as location tracking, screen recording, and accessing messages, which he discovered after noticing abnormal notifications and unfamiliar apps. Parubets' case was supported and publicized by Citizen Lab and First Department, emphasizing the risks and dangers of device confiscation by state authorities. This incident highlights the severe security risks posed by nation-state surveillance, especially in authoritarian regimes like Russia. | Details |
| 2024-12-06 11:31:31 | thehackernews | CYBERCRIME | Security Flaws Found in Popular Machine Learning Frameworks | Cybersecurity researchers at JFrog have identified multiple vulnerabilities in several open-source machine learning frameworks, including MLflow, H2O, PyTorch, and MLeap. The security flaws could allow attackers to execute code by hijacking machine learning clients within organizations. The affected ML tools have inherent weaknesses in the libraries that process model formats such as Safetensors, increasing the risk of malicious interference. Attackers exploiting these vulnerabilities can access machine learning services, model registries, and MLOps pipelines to perform lateral movement and leak sensitive information. The disclosed flaws are part of a larger set of 22 security issues previously reported by JFrog, emphasizing the ongoing risks in machine learning supply chains. JFrog advises against loading ML models from untrusted sources, even from repositories considered 'safe,' as this can lead to remote code execution. Shachar Menashe, VP of Security Research at JFrog, highlights the importance of knowing which models are in use to prevent potential widespread damage through exploitation. | Details |
| 2024-12-06 11:05:51 | thehackernews | MISCELLANEOUS | Navigating Modern BCDR Challenges and Emerging Cyberthreats | Modern businesses face increased complexity in data protection due to evolving technology and cyberthreats. Businesses must adopt more than periodic backups, integrating proactive disaster recovery and advanced ransomware protection into their BCDR strategies. The growth of hybrid and multicloud environments has added to the challenge of ensuring consistent security across diverse IT infrastructures. Legacy backup solutions are insufficient; modern enterprises need automated, scalable, and secure backup and disaster recovery solutions. Implementing robust BCDR solutions is essential for meeting stringent recovery time objectives (RTOs) and recovery point objectives (RPOs), ensuring minimal downtime. Unitrends Unified BCDR offers a comprehensive approach, integrating automated backups, disaster recovery testing, and ransomware detection to enhance resilience and security. Regular DR testing is advocated to confirm the effectiveness of recovery processes and to help identify and mitigate security gaps. | Details |