Daily Brief

Articles are listed below; the summaries are machine-generated.

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-18 13:56:53 thehackernews DATA BREACH Secrets Leaks and Credential Management in Tech Environments
79% of IT decision-makers have experienced a secrets leak, indicating a 4% increase from the previous year. There are over 12.7 million hardcoded credentials present in public GitHub repositories, with many remaining valid for over 5 days after discovery. The average time for organizations to remediate leaked credentials is 27 days. Non-human identities, which greatly outnumber human identities by at least 45:1, complicate the management and security of machine credentials. Lack of clarity on responsibility and ownership for managing these non-human identities adds to the challenges in security. Developers often face immense pressure to deploy quickly, leading to poor management of permissions which can cause broader access than necessary. A shared responsibility model between developers and security teams is suggested to enhance permissions management and speed up credential rotation. Effective secrets and permissions management can streamline operations and reduce the risk of data breaches through better oversight and collaboration.
2024-11-18 12:13:14 bleepingcomputer CYBERCRIME Microsoft 365 Portal Exploited to Deliver Sextortion Emails
The Microsoft 365 Admin Portal is being exploited to send sextortion emails that bypass the usual email security filters. Scammers use sextortion claims to demand payments of between $500 and $5,000, threatening to release compromising images or videos. The abuse relies on Microsoft's legitimate "o365mc@microsoft.com" sender address, leveraging the trust placed in it to deliver the scam messages directly to users' inboxes. The scam exploits the Message Center's "Share" feature in the Microsoft 365 Admin Portal, where the character limit on the personal message field can be altered using browser developer tools. Although email security platforms traditionally catch such scams, the Message Center integration lets these emails avoid detection and quarantine. Microsoft is investigating the issue but has not yet implemented server-side checks on message length, so the scam persists. Recipients of such emails should recognize them as scams, delete them, and not engage with any links or payment instructions they contain.
2024-11-18 11:37:46 thehackernews NATION STATE ACTIVITY Emerging Threats and Defensive Strategies in Cybersecurity
Palo Alto Networks has reported active exploitation of a zero-day vulnerability in their firewall management interface, prompting urgent security alerts to organizations. Additional critical vulnerabilities in Palo Alto Networks Expedition have been identified, hinting at potential targeted attacks by unspecified actors. The article emphasizes the importance of restricting access to management interfaces to trusted IP addresses to mitigate the risk from these vulnerabilities. Widespread critical vulnerabilities across various systems have also been highlighted, underscoring the global scale of cybersecurity risks. Recommendations for maintaining security include regular software updates, system upgrades, and continuous monitoring for potential cybersecurity threats. The use of canary tokens as a proactive defense measure is advised to detect early signs of intrusions in network systems. Cybersecurity remains a crucial part of organizational strategy, with a focus on education, vigilant practice, and staying abreast of new threats and defensive tools.
2024-11-18 11:17:24 thehackernews MISCELLANEOUS Google Introduces Shielded Email to Enhance User Privacy
Google is developing a feature called Shielded Email to create email aliases that better protect user privacy while combating spam. The feature allows the generation of single-use email addresses that forward to a primary email, eliminating the need to share real email addresses for online forms or service registrations. Shielded Email mirrors similar functionalities introduced by Apple in 2021, called Hide My Email, which is part of the iCloud+ subscription service. Other companies, including Bitwarden and DuckDuckGo, have also launched similar features aimed at preserving user privacy by using email aliases. Google previously enabled users to generate virtual card numbers for secure online and app payments, though this service is currently available only to eligible U.S. cardholders. Additionally, Google released the Android System Key Verifier app, enhancing chat security by verifying parties through encryption keys and QR codes, similar to Apple's iMessage system. The new features and apps underscore Google's commitment to enhancing user security and privacy across its platforms.
2024-11-18 10:56:59 thehackernews CYBERCRIME Black Friday Shoppers Targeted by Fake Discount Phishing Sites
A new phishing campaign is actively targeting e-commerce shoppers in Europe and the U.S., using false discount offers to steal personal and financial information. The campaign is linked to a Chinese financially motivated threat actor codenamed SilkSpecter, which is exploiting the high traffic of the Black Friday shopping period. Victims are deceived into entering sensitive data on fake e-commerce sites that mimic reputable brands such as IKEA and North Face and use top-level domains such as .shop and .vip. These counterfeit websites employ advanced phishing kits with dynamic language translation and tracking technologies like Meta Pixel to enhance credibility and measure effectiveness. The underlying goal is to harvest financial details through bogus transactions processed via Stripe, which gives users a false sense of security. Additional personal data, such as phone numbers, is collected, potentially enabling follow-up smishing and vishing attacks aimed at obtaining two-factor authentication codes. The phishing URLs are likely spread through social media and search engine optimization (SEO) poisoning. The campaign follows related schemes such as Phish 'n' Ships, illustrating a broader trend of cybercriminals exploiting digital payment platforms and online shopping.
2024-11-18 10:31:32 thehackernews MISCELLANEOUS Automating Network Penetration Testing Enhances Security Year-Round
Frequent network penetration testing is essential as it transcends mere compliance, actively boosting network security. Traditional pen testing methodologies, often consultant-led and manual, are costly and time-consuming, resulting in outdated reports due to the rapidly evolving network environment. Automated network penetration testing is highlighted as a cost-effective solution, reducing expenses by over 60% compared to traditional methods. Companies implementing automated testing benefit from quicker, continuous results and the ability to test as often as needed without scheduling issues. The push for more frequent testing is driven by the need to stay ahead of emerging threats and vulnerabilities which could be exploited by attackers. Frequent testing ensures ongoing protection and timely remediation of identified vulnerabilities, shifting from a compliance-check activity to a critical component of the security framework. vPenTest by Vonahi Security is promoted as an efficient, scalable, and budget-friendly automated pen testing platform, offering a substantial advantage for year-round network security management.
2024-11-18 05:54:03 thehackernews NATION STATE ACTIVITY NSO Group Continues WhatsApp Exploits Despite Legal Battles
NSO Group used multiple exploits to deliver Pegasus spyware via WhatsApp, breaching Meta's legal defenses even after a lawsuit was filed. Despite Meta's countermeasures, NSO succeeded in installing Pegasus using WhatsApp vulnerabilities, including a zero-click exploit named Erised after legal actions commenced. NSO Group developed malware vectors like Heaven and Eden by reverse-engineering WhatsApp's code and manipulating messages to install Pegasus. Court documents reveal that NSO Group not only created these exploits but also controlled the entire data retrieval process, contradicting their claims of client-operated systems. NSO's spyware installation required minimal input from clients—just a target phone number—showcasing the ease and remoteness of their surveillance operations. Hundreds to tens of thousands of devices were compromised using these WhatsApp-based malware vectors, as admitted by NSO. Apple has integrated new security features like Lockdown Mode and an "inactivity reboot" to protect devices against such spyware attacks. Magnet Forensics highlighted the importance of timely data imaging due to the new iOS security measures that could hinder law enforcement access after device reboots.
2024-11-18 04:53:06 thehackernews MALWARE Critical Vulnerability in WordPress Plugin Risks Millions of Sites
A severe authentication bypass vulnerability was identified in the Really Simple Security plugin for WordPress, affecting over 4 million sites. The vulnerability, designated CVE-2024-10924 with a CVSS score of 9.8, could allow attackers administrative access to a site. Versions 9.0.0 through 9.1.1.1 of the plugin are affected; they failed to handle user authentication checks securely. Weaknesses in the two-factor authentication implementation enable unauthorized access to any user account, including administrator accounts. A patch was released in version 9.1.2 following responsible disclosure on November 6, 2024. WordPress pushed a forced update prior to public disclosure to mitigate the risk. In parallel, another critical vulnerability in the WPLMS Learning Management System for WordPress was disclosed, further highlighting the risk landscape for WordPress plugins.
2024-11-18 00:35:58 theregister CYBERCRIME Teen Serial Swatter Pleads Guilty; Could Face 20-Year Sentence
Alan Filion, an 18-year-old, has pleaded guilty to making over 375 fabricated threats targeting various institutions and individuals across the U.S. Each charge against Filion could lead to a five-year prison term, with sentencing scheduled for February. Filion advertised his swatting services on social media and used these threats as a method of extortion, including against a ransomware-affected cancer center. The swatting incidents mainly occurred between 2022 and 2024, many when Filion was only 16 years old. Separately, Halliburton reported a $35 million expense due to an August cyberattack that hit its financial statements and involved stolen data. D-Link announced significant vulnerabilities in several of its NAS devices, affecting models such as the DNS-320 and DNS-325, with active exploitation underway. HackerOne criticized the current draft of the UN Convention Against Cybercrime, citing inadequate protections for cybersecurity researchers. Google identified the top five online scams, including deepfake-based impersonation and crypto investment schemes, and cautioned about the increasing sophistication of cybercriminal tactics.
2024-11-17 18:36:33 theregister MISCELLANEOUS Passkeys: Potential Password Replacements Facing Implementation Hurdles
Passkeys, which are based on public key cryptography, aim to replace traditional passwords, improving resistance to phishing attacks and eliminating the problem of password reuse across sites. Despite the security gains, implementation complexity and user confusion could hinder widespread adoption. User engagement with security, termed a 'systems approach', is key: it considers how users interact with security systems and aims to ease those interactions. The effectiveness of passkeys is limited by an initial reliance on traditional authentication methods such as passwords, which remain prone to attack. Passkey implementations vary, ranging from hardware devices such as USB keys to software-based password managers that synchronize credentials across devices. Inconsistent experiences across platforms, and uncertainty about whether passkeys replace or merely supplement passwords, may confuse typical users. The transition to passkeys could greatly enhance web security but remains complicated by several practical and technical challenges. The authors emphasize the need for simplified security technologies that integrate smoothly into user activities without sacrificing robust security principles.
2024-11-17 16:30:22 bleepingcomputer MALWARE SVG Files Increasingly Used in Phishing to Evade Detection
Threat actors are using SVG (Scalable Vector Graphics) files in phishing emails to bypass security measures and deploy malware. Unlike standard pixel-based images, SVG files describe lines and shapes with mathematical formulas, allowing seamless resizing and high-quality display at any resolution. Recent security findings indicate a rise in the use of SVG attachments for phishing; because an SVG can contain HTML content and execute JavaScript when opened, it is not limited to displaying graphics. These SVG files can render deceptive login forms or act as bait for downloading malicious content, tricking users into providing sensitive data. Security software often fails to flag malicious SVG files because of their textual nature, and such files see few detections on platforms like VirusTotal. Phishing campaigns leveraging SVG files have used pretexts such as official document requests, increasing their chance of deceiving recipients. Users are advised to be wary of unsolicited emails carrying SVG attachments, especially if they are not in a profession that typically handles such file types.
2024-11-17 15:59:54 bleepingcomputer MALWARE Critical Plugin Flaw Exposes Millions of WordPress Sites
A critical vulnerability (CVE-2024-10924) was found in the 'Really Simple Security' WordPress plugin, affecting versions 9.0.0 to 9.1.1.1. The flaw allows unauthorized administrative access due to mishandling of two-factor authentication responses in the plugin. Over four million sites using the free version alone are susceptible; the issue is heightened when 2FA is enabled. Automated scripts can exploit this vulnerability at scale, raising concerns about mass website takeovers. Fixes were issued in version 9.1.2 of the plugin; however, sites with outdated plugins or expired licenses remain at risk. Wordfence, who discovered the flaw, urges hosting providers to forcefully update the plugin on hosted websites. Users and administrators are encouraged to update to the patched version promptly to mitigate exposure to potential exploits.
2024-11-16 20:15:26 bleepingcomputer MALWARE Fake AI Video Generators Spread Malware on Windows and macOS
Fake AI image and video generator websites are infecting Windows and macOS users with the Lumma Stealer and AMOS infostealers. These infostealers steal sensitive data, including cryptocurrency wallets, credentials, and browsing histories, primarily from popular browsers such as Google Chrome and Firefox. Cybercriminals promote the fake sites through search results and ads, using deepfake content such as humorous political videos to lure users. Clicking download links on these legitimate-looking sites delivers malware-laden executables. The downloaded files for Windows and macOS are disguised as applications from a fake AI editor platform, EditProAI, and are signed with stolen code-signing certificates to appear trustworthy. Stolen data is compiled, archived, and sent to the attackers' servers for further illicit use or sale on cybercrime marketplaces. Security professionals warn that anyone who interacted with these fake sites should reset their passwords and enable multi-factor authentication on sensitive accounts. The rise in information-stealing malware is part of a broader global cybercrime trend targeting personal and corporate data.
2024-11-16 17:49:02 bleepingcomputer NATION STATE ACTIVITY T-Mobile Targeted in Chinese State-Sponsored Telecom Breaches
T-Mobile confirmed it was part of a recent wave of breaches targeting U.S. telecom companies, attributed to Chinese threat actors named Salt Typhoon. Despite the breach, T-Mobile reports no significant impact on its systems or customer data, continuing to monitor the situation closely. Salt Typhoon, active since 2019, typically infiltrates government and telecom sectors in Southeast Asia but has expanded its activities to include U.S. national security and policy officials. The hacking campaign by Salt Typhoon enabled unauthorized access to call logs, text messages, and some audio from senior U.S. officials' cellphones. Joint FBI and CISA statements revealed that the breach compromised not only private communications but also information regarding law enforcement requests to telecom companies. These breaches were facilitated by vulnerabilities in Cisco routers, although Cisco found no evidence of direct compromise of their equipment. This incident marks the ninth breach T-Mobile has suffered since 2019, highlighting ongoing security challenges within the telecom sector.
2024-11-16 15:32:45 bleepingcomputer MALWARE GitHub Repos Targeted By Imposter Accounts Injecting Backdoors
GitHub projects have been targeted with malicious commits aiming to implant backdoors, notably affecting the project of AI startup Exo Labs. The attack involved subtle code changes submitted through a deceptive pull request that could have enabled remote code execution. The commits were traced to a GitHub user "evildojo666," which was later linked to Mike Bell, a Texas-based security researcher, who denies involvement and suggests impersonation. Bell pointed out that the linked domain served no payload and argued that the incident could be an attempt to smear his reputation. Other GitHub projects, including the video downloader "yt-dlp," have received similar malicious commits from accounts that are likely fabricated. Cybersecurity experts recommend rigorous review of code changes using both automated tools and thorough human examination to prevent stealthy insertion of malicious code into open source projects. The incident is a reminder of the persistent threat to software supply chains and the need for careful monitoring of contributions to public repositories.