Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-20 11:30:11 thehackernews CYBERCRIME Revolutionizing Cybersecurity with Non-Human Identity Protection
Non-human identities (NHIs), such as service accounts, API keys and other machine credentials, are predicted to become the main vector for cyberattacks by 2025 as automation, AI and IoT adoption grow. Because NHIs differ fundamentally from human users, controls designed for people, such as multi-factor authentication, apply poorly to them. An attacker who compromises an NHI can move laterally across systems, find further weaknesses and take over additional NHIs, often before detection mechanisms react. Entro has developed Non-Human Identity Detection and Response (NHIDR) to identify, analyze and respond to threats against NHIs in real time. NHIDR builds a behavioral baseline for each NHI from historical data, so anomalies can be flagged without a lengthy observation period. When an anomaly is detected, NHIDR triggers automated responses such as revoking access, rotating credentials or isolating the compromised identity, and alerts the security team at the same time. Entro positions this automation as a way to contain zero-day threats and to cut the manual workload on security teams so they can focus on strategic work. The piece presents NHIDR as a proactive, real-time and automated approach to breaches that involve non-human identities.
2024-11-20 09:18:55 thehackernews MALWARE Decade-Old Flaws in Ubuntu's Needrestart Allow Root Access
The Qualys Threat Research Unit has identified vulnerabilities in Ubuntu's needrestart package that let a local attacker gain root. Needrestart, installed by default on Ubuntu Server since 21.04, has carried the flaws since its 2014 release. They are exploitable either through environment variables that needrestart passes along when it launches interpreters, or through the Module::ScanDeps Perl module. The flaws are fixed in needrestart 3.8 and Ubuntu has released updated packages; as an interim mitigation, interpreter scanning can be disabled by setting $nrconf{interpscan} = 0; in /etc/needrestart/needrestart.conf. Exploitation yields arbitrary code execution as root whenever needrestart runs, typically during package installations or upgrades, so the issue is a local privilege escalation (LPE) and requires the attacker to already hold an unprivileged local foothold. Users should apply the updates immediately, or disable interpreter scans until they can.
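The bug class behind the needrestart advisory is a privileged caller launching an interpreter with an environment it did not sanitise, so the child's module search path is attacker-controlled. The following is an added example, not code from the article, from Qualys or from the needrestart project: it plants a module that shadows the standard library, launches a child interpreter three ways, and shows which module each child actually loaded. PYTHONPATH as the poisoned variable, the planted json.py marker, and the names run_probe, scrub_env and demo are assumptions chosen for the illustration; the article itself names no variable.

```python
"""Added example: how an inherited environment redirects an interpreter's imports,
and two ways a privileged launcher can deny that (python -I, or an allow-listed env)."""
import os
import subprocess
import sys
import tempfile

# Probe run inside the child: which 'json' module did the interpreter load?
PROBE = "import json; print(getattr(json, 'MARKER', 'stdlib'))"


def run_probe(env: dict, isolated: bool = False) -> str:
    """Launch a child interpreter with `env` and return what the probe printed.

    isolated=True adds python's -I flag, which ignores PYTHON* environment
    variables and the user site directory, so PYTHONPATH has no effect.
    """
    argv = [sys.executable] + (["-I"] if isolated else []) + ["-c", PROBE]
    done = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def scrub_env(env: dict, allow=("PATH", "LANG", "LC_ALL", "TZ")) -> dict:
    """Allow-list the environment handed to a child process.

    Anything not listed is dropped, which removes PYTHONPATH, PYTHONSTARTUP,
    RUBYLIB, PERL5LIB and every other interpreter search-path variable.
    """
    return {k: v for k, v in env.items() if k in allow}


def demo() -> dict:
    """Plant a module that shadows the stdlib 'json' (constructed stand-in for
    attacker code), then launch the interpreter inheriting the hostile env,
    with -I, and with a scrubbed env. Returns which module each child imported."""
    with tempfile.TemporaryDirectory() as planted:
        with open(os.path.join(planted, "json.py"), "w") as fh:
            fh.write("MARKER = 'planted'\n")
        hostile = dict(os.environ, PYTHONPATH=planted)  # assumption: attacker controls PYTHONPATH
        return {
            "inherited": run_probe(hostile),                 # loads the planted module
            "isolated": run_probe(hostile, isolated=True),   # -I ignores PYTHONPATH
            "scrubbed": run_probe(scrub_env(hostile)),       # variable never reaches the child
        }


if __name__ == "__main__":
    for mode, loaded in demo().items():
        print(f"{mode:>9}: imported json from {loaded}")
```

The same pattern applies to any root-level tool that shells out to perl, ruby or python on behalf of an unprivileged user: pass an allow-listed environment, not the caller's. When checking your own Ubuntu hosts, compare the installed needrestart package against the Ubuntu security notice rather than against the upstream 3.8 version string, because Ubuntu backports fixes into its existing package versions.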
2024-11-20 07:17:44 theregister MISCELLANEOUS CISOs Tackle the Balancing Act of Data Management Costs
Chief Information Security Officers (CISOs) increasingly find data management more of a burden than a benefit because of the security risk it carries. Data volumes have exploded, with businesses routinely holding multiple petabytes, and much of it stays effectively invisible until a security incident surfaces it. Marketing departments add to the exposure by continuously amassing data for analytics, widening the potential blast radius of a breach. Many CISOs cannot account for all the data their organizations hold, which leaves gaps in protection and raises questions about who owns the resulting liability. The rising cost of securing these repositories is prompting CISOs to ask whether the business could operate with less data. The value-versus-cost debate echoes earlier swings in computing between centralization and decentralization. The article likens data to the "new uranium": valuable, but hazardous if not handled with care. CISOs are looking for the equivalent of a glove box, that is, strict handling controls that let the business use the data without being contaminated by it.
2024-11-20 07:02:22 thehackernews NATION STATE ACTIVITY China-Linked Group Hacks Telecom Networks for Espionage
A China-backed cyber espionage group tracked as Liminal Panda has been infiltrating telecom networks in South Asia and Africa since 2020. CrowdStrike reports that the group uses tools built to work with telecommunications protocols such as SIGTRAN and GSM. Its operations focus on accessing and exfiltrating subscriber information, call metadata and SMS content for intelligence gathering. The group relies on bespoke malware and tools, including SIGTRANslator, CordScan and PingPong, and frequently gains access through weak passwords. Activity first observed in 2021 was initially attributed to a different group; later review identified Liminal Panda as a distinct actor, illustrating how much overlap exists between adversary toolsets. The campaign underscores weaknesses in telecommunications networks worldwide, including those of major U.S. providers, and the strategic interest state-sponsored actors take in them. China's offensive cyber ecosystem mixes government units, civilian actors and private contractors, which complicates both attribution and defense.
2024-11-20 04:41:04 thehackernews CYBERCRIME Apple Patches Two Zero-Day Flaws Under Active Exploitation
Apple has released security updates for iOS, iPadOS, macOS, visionOS and Safari to fix two zero-day vulnerabilities that are being actively exploited. CVE-2024-44308, in JavaScriptCore, was addressed with improved checks, and CVE-2024-44309, in WebKit, with improved state management. Details of the exploitation are limited, but Apple says the flaws may have been exploited against Intel-based Mac systems. Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group reported the bugs, which suggests use in spyware campaigns run by governments or mercenary vendors. Apple recommends that all users update immediately. By this article's count, Apple has now fixed four actively exploited zero-days this year, one of which was demonstrated at Pwn2Own Vancouver. Prompt patching remains the main defense against espionage and data theft that rely on flaws like these.
2024-11-20 04:25:46 thehackernews CYBERCRIME Oracle Discloses High-Risk PLM Vulnerability Under Active Attack
Oracle has warned of a high-severity vulnerability in its Agile PLM Framework that is being exploited in the wild. The flaw, CVE-2024-21287, carries a CVSS score of 7.5 and can be exploited remotely without authentication, allowing an attacker to read files from the affected system without any username or password. Who is behind the attacks, whom they target and how widespread they are was unknown at the time of the advisory. CrowdStrike researchers Joel Snape and Lutz Wolf are credited with discovering and reporting the issue. Oracle strongly recommends applying the latest patches immediately. Data on the scale of the attacks remains limited; Oracle is investigating and CrowdStrike has been asked for comment.
2024-11-20 00:33:42 theregister DATA BREACH Equinox Health Notifies Thousands After Data Theft by LockBit
Equinox, a health services organization, has begun notifying 21,565 patients and employees of a security incident in which personal and medical information was compromised. The LockBit ransomware gang, which law enforcement disrupted earlier this year, claimed responsibility for stealing 49GB of data, including Social Security numbers and health records. The intrusion was detected on April 29, when it disrupted access to Equinox's network and prompted an immediate lockdown and an investigation by an outside cybersecurity firm. By September 16, Equinox had finished reviewing the potentially stolen files and confirmed that certain personal and protected health information was exposed. Notification letters have gone out, and because protected health information is involved, lawsuits are possible. Despite the international takedown effort earlier in the year, LockBit remains active, underlining how hard it is to put a ransomware operation out of business.
2024-11-19 23:07:47 theregister NATION STATE ACTIVITY Chinese State-Linked Hackers Exploit Fortinet VPN Flaw
Hackers linked to the Chinese government, tracked as BrazenBamboo, are exploiting a zero-day in Fortinet's FortiClient VPN software to steal user credentials. The flaw is unpatched and has not been assigned a CVE identifier. Volexity, a firm known for memory forensics, found the zero-day while analyzing the modular malware DeepData, which includes a plugin that targets the FortiClient VPN client. DeepData extracts credentials and other data from process memory and ships with at least 12 plugins. Beyond credential theft, it can capture keystrokes, audio and video and provide a remote shell for persistent access. BrazenBamboo has also built DeepPost, a separate tool for exfiltrating files from compromised systems. The potential impact is unauthorized access to sensitive information along with broad control over affected machines. Volexity recommends that organizations deploy its published detection rules and block the indicators of compromise, since the underlying flaw remains open.
2024-11-19 21:56:39 theregister MALWARE Russian Alleged Ransomware Admin Extradited to U.S. for Trial
Russian national Evgenii Ptitsyn has been extradited from South Korea to the United States on charges of running the Phobos ransomware operation. Prosecutors allege he acted as an administrator for the gang, providing technical support and enabling extortion totaling roughly $16 million. Phobos was distributed free to affiliates, who then demanded between $12,000 and $300,000 from each victim. Affiliates paid $300 per decryption key into a cryptocurrency wallet that Ptitsyn allegedly controlled. Victims included large corporations, schools, hospitals and nonprofit organizations. U.S. federal authorities have charged Ptitsyn with 13 counts, including wire fraud and computer fraud. The Justice Department credited international cooperation for the arrest and extradition, calling it part of the global effort against ransomware.
2024-11-19 21:56:38 bleepingcomputer CYBERCRIME Apple Patches Critical Zero-Day Flaws in macOS JavaScriptCore, WebKit
Apple has released emergency updates for macOS to fix two zero-day vulnerabilities exploited in attacks. The flaws, CVE-2024-44308 and CVE-2024-44309, affect the JavaScriptCore and WebKit components in macOS Sequoia. CVE-2024-44308 allows code execution via maliciously crafted web content, while CVE-2024-44309 enables cross-site scripting attacks. The fixes were also shipped for iOS, iPadOS and visionOS across several versions. Google's Threat Analysis Group discovered both vulnerabilities. By BleepingComputer's count, this brings the zero-days Apple has patched in 2024 to six, down from the 20 fixed in 2023. Apple has not disclosed details of the attacks, and further information has been requested.
2024-11-19 21:21:02 bleepingcomputer CYBERCRIME CISA Identifies Progress Kemp LoadMaster Vulnerability as Exploited
CISA has added a critical OS command injection flaw in Progress Kemp LoadMaster, CVE-2024-1212, to its Known Exploited Vulnerabilities (KEV) catalog, signalling active exploitation. The flaw was patched on February 21, 2024; this is the first report of it being exploited in the wild. It allows an unauthenticated remote attacker to execute arbitrary system commands through the LoadMaster management interface, so keeping that interface off the public internet limits exposure even before patching. Affected releases fall within the 7.2.48.1, 7.2.54.0 and 7.2.55.0 version ranges; LoadMaster is used by large organizations for application delivery and load balancing. U.S. federal agencies must apply the updates and mitigations by December 9, 2024, or stop using the affected products. Details of the exploitation, including any link to ransomware, have not been disclosed. The article also notes vulnerabilities in Palo Alto Networks PAN-OS and another severe LoadMaster flaw, CVE-2024-7591, an improper input validation issue.
2024-11-19 20:10:14 bleepingcomputer DATA BREACH Ford Investigates Alleged Global Customer Data Leak
Ford is investigating an alleged data breach after 44,000 customer records were posted on a hacker forum. The leak, attributed to the threat actors "EnergyWeaponUser" and "IntelBroker," was published on BreachForums. The exposed fields include customers' full names, addresses, purchase details and dealer interactions. While not highly sensitive, the data is useful for phishing and social engineering. The actors released it for a nominal fee rather than at a meaningful sale price, which suggests motives beyond direct financial gain. Ford has acknowledged the claim and is conducting an in-depth investigation. IntelBroker's record of previously verified breaches at high-profile organizations lends the claim some credibility. Affected individuals should treat unsolicited contact with suspicion and decline requests for further personal information.
2024-11-19 20:04:59 theregister CYBERCRIME U.S. Water Systems Plagued by Severe Cybersecurity Gaps
More than 100 million Americans depend on drinking water systems with cybersecurity weaknesses, according to the EPA's Office of Inspector General. The OIG found deficiencies in 308 of the 1,062 drinking water systems it examined; the vulnerabilities range from medium to critical in severity, and the affected systems together serve roughly 109 million people. The EPA has no dedicated system for tracking and responding to cyber incidents in the sector and relies on the Department of Homeland Security instead. It also lacks documented policies for how it coordinates cybersecurity response and strategy with other federal and state bodies. The agency recently withdrew its cybersecurity evaluation rules under legal and political pressure, which worsens the gap. An EPA spokesperson said the agency remains committed to improving water sector cybersecurity through various support measures. The concern is not limited to the U.S.: the UK's largest water and wastewater company also faces significant cybersecurity challenges from outdated infrastructure.
2024-11-19 19:59:39 bleepingcomputer CYBERCRIME Oracle Fixes Zero-Day in Agile PLM Exploited for File Disclosure
Oracle has fixed a file disclosure vulnerability, CVE-2024-21287, in its Agile Product Lifecycle Management (PLM) software. The flaw lets an unauthenticated remote attacker download any file readable under the privileges the PLM application runs with. CrowdStrike researchers identified and reported it, and Oracle confirms it has been exploited in the wild. Because exploitation preceded the fix, Oracle is urging customers to install the patch immediately. The bug carries a CVSS base score of 7.5 (high), reflecting the unauthorized access and data leakage it enables. Who is exploiting it, and whether the activity is tied to a known threat actor, has not been disclosed. Both Oracle and CrowdStrike have been asked for further comment.
2024-11-19 18:03:29 bleepingcomputer CYBERCRIME Critical Security Risk in D-Link VPN Routers Lacks Updates
D-Link has told users to stop using several VPN router models because of a critical, unpatched remote code execution vulnerability. The affected models are the DSR-150, DSR-150N, DSR-250 and DSR-250N running firmware versions 3.13 through 3.17B901C. These devices reached end-of-life on May 1, 2024, and will receive no further firmware or security updates. The flaw was reported by a security researcher known as 'delsploit', who has withheld technical details to avoid enabling widespread exploitation. D-Link advises replacing the devices immediately and warns that third-party firmware voids the warranty and carries its own risks. Firmware on D-Link's Legacy Website remains available, but no version of it fixes this flaw. D-Link's policy is not to patch end-of-life products even when they remain in use, and past incidents with other D-Link devices show such flaws do get actively exploited.