Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-11-15 15:26:28 | bleepingcomputer | MISCELLANEOUS | Microsoft Halts Exchange Updates Due to Mail Flow Disruptions | Microsoft paused the November 2024 Exchange security updates after discovering they caused email delivery issues. The updates affected servers with custom transport (mail flow) and data loss prevention (DLP) rules. Admins reported a complete stop in email flow, prompting Microsoft to withdraw the updates from distribution. Microsoft is investigating a permanent solution and advised admins experiencing issues to uninstall the impacted updates. Microsoft also warned of a high-severity Exchange Server vulnerability that could enable attackers to forge email sender identities. To address the email spoofing flaw, patched servers now show a warning on emails with suspicious sender information. In addition to the mail flow problems, the November updates addressed several critical security issues, including zero-day attacks. |
| 2024-11-15 14:45:44 | bleepingcomputer | CYBERCRIME | Critical Zero-Day RCE Vulnerability Exploited in Firewall Attacks | Palo Alto Networks has discovered active exploitation of a critical zero-day Remote Code Execution (RCE) vulnerability in Next-Generation Firewalls (NGFW). The vulnerability, identified as 'PAN-SA-2024-0015', affects firewalls with Internet-facing management interfaces. Devices not adhering to recommended security practices are at heightened risk. Attackers can execute commands remotely without authentication to control the firewall, potentially modifying rules and intercepting network traffic. Despite discovering the vulnerability, Palo Alto Networks has yet to release security updates or patches. Approximately 8,700 exposed interfaces were identified by The Shadowserver Foundation. The company has provided mitigation steps and recommends securing access to management interfaces as an immediate action until fixes are available. Customers are urged to check their firewall interfaces for exposure and apply recommended security measures to mitigate risks. |
| 2024-11-15 14:25:17 | theregister | CYBERCRIME | Bitfinex Hacker Sentenced to Five Years for Bitcoin Theft | Ilya Lichtenstein was sentenced to 5 years for the 2016 hack of crypto exchange Bitfinex, where he stole approximately 120,000 Bitcoin valued then at $69 million. Lichtenstein and his wife, Heather Morgan, also known as rapper "Razzlekhan," both pleaded guilty to laundering the stolen Bitcoin funds using sophisticated techniques. The crime involved using fake IDs, automated transaction software, crypto mixer services, and laundering through genuine U.S. business bank accounts. Over $10.7 billion worth of assets at today's exchange rates were seized by the U.S. government, including various cryptocurrency tokens, fiat currencies, and gold coins. Heather Morgan, who met Lichtenstein at a venture capital tech accelerator, faces her own sentencing on November 18, having been under house arrest for 33 months. The couple forfeited all assets related to their criminal activities as part of their guilty plea agreement. An additional cybercrime occurred during the government's asset conversion process, resulting in a temporary theft by another cybercriminal, who subsequently returned most of the stolen funds after intervention by U.S. authorities. |
| 2024-11-15 14:14:56 | theregister | CYBERCRIME | Bitfinex Executive Sentenced for Massive Bitcoin Heist and Laundering | Ilya Lichtenstein was sentenced to five years in prison for stealing approximately 120,000 Bitcoins from the Bitfinex crypto exchange in 2016, valued at $69 million at the time. Following a bitter professional breakup, Lichtenstein carried out thousands of transactions to transfer stolen Bitcoin into his wallet and employed advanced techniques to erase his digital trace. Both Ilya Lichtenstein and his wife, Heather Morgan, pleaded guilty to charges of conspiracy to launder monetary instruments; Morgan also pleaded guilty to defrauding the United States. The laundering operations included using fake IDs, automated software transactions, dark web marketplaces, crypto mixers, and legitimate U.S. bank accounts to disguise their financial activities. The couple agreed to forfeit all assets related to their criminal activities, with the U.S. government seizing an assortment of assets including cryptocurrency, fiat currency, and gold coins. During conversion of some seized cryptocurrency by U.S. authorities, an external cybercriminal attempted to steal the funds, managing to briefly divert $20.7 million in virtual currency tokens. Heather Morgan, who performed under the rapper alias "Razzlekhan," is under house arrest and awaits her sentencing scheduled for November 18. |
| 2024-11-15 12:38:56 | thehackernews | CYBERCRIME | Researchers Uncover Severe Security Flaws in Google's Vertex AI | Cybersecurity specialists identified two critical vulnerabilities in Google's Vertex AI that could enable privilege escalation and data exfiltration. Attackers can escalate privileges by exploiting custom job permissions in Vertex AI, gaining unauthorized access to all data services within a project. A poisoned model deployed within the platform can initiate a reverse shell, leading to the unintended export of all fine-tuned models and large language models. This exploit utilizes the interconnected permissions of GCP and Kubernetes through IAM Workload Identity Federation, facilitating wider access within cloud environments. The resulting access allowed threat actors not only to view but also to extract highly sensitive models and data externally using container identification tactics. Google has since patched these vulnerabilities following responsible disclosure by the researchers. The implications of these flaws point to potentially severe data breaches involving sensitive machine learning models if unverified or malicious models are deployed. This highlights the increasing need for rigorous deployment controls and permission audits in cloud and AI environments to prevent similar security lapses. |
| 2024-11-15 11:53:24 | thehackernews | MISCELLANEOUS | Mastering Digital Trust: Webinar on Certificate Management | DigiCert is hosting a webinar focused on the importance of rapid certificate replacement and crypto agility. The event will address the impact of certificate revocations on security, customer confidence, and business continuity. The webinar aims to equip participants with best practices and automation strategies to handle certificate revocations effectively. It positions itself not just as an informative session but as a crucial roadmap to mastering digital trust and certificate management. Attendees will learn to transform certificate revocation challenges into opportunities for resilience and growth. Registration is required for the webinar, highlighting its exclusive nature with limited seats available. The session is designed to prepare businesses to lead through disruptions and future-proof their certificate management processes. |
| 2024-11-15 11:12:52 | thehackernews | NATION STATE ACTIVITY | Vietnamese Hacker Group Targets Europe and Asia with PXA Stealer | A Vietnamese-speaking threat actor has initiated an information-stealing campaign directed at government and educational bodies across Europe and Asia. The campaign utilizes a new Python-based malware known as PXA Stealer, designed to harvest sensitive data including credentials, financial information, and browser cookies. PXA Stealer demonstrates advanced capabilities such as decrypting victims' browser master passwords to access various online account credentials. Evidence linking the malware to Vietnam includes Vietnamese comments within the code and the presence of national icons in the program. Attackers have been observed actively selling stolen Facebook and Zalo account credentials, SIM cards, and other digital tools on a known Vietnamese Telegram channel. The malware propagation involves sophisticated phishing techniques using a ZIP file containing a Rust-based loader, which later deploys the stealer after disabling antivirus software. PXA Stealer focuses particularly on Facebook cookies to infiltrate business and advertisement accounts, a common target among Vietnamese cyber threats. This report coincides with increased global activity around similar stealer malware, highlighting a trend of growing sophistication and prevalence of these threat types. |
| 2024-11-15 10:32:19 | thehackernews | MISCELLANEOUS | AI Revolutionizes Identity Access Management for Enhanced Security | AI in IAM leverages analytical capabilities to continuously monitor and detect anomalies in access patterns, enhancing security against sophisticated threats. Machine learning shapes a proactive IAM system, learning from environment interactions to enforce security policies effectively and adaptively. AI's role-mining capabilities and risk-based authentication aid in enforcing the principle of least privilege and improving access governance in real time. Enhanced user experience via AI includes streamlined access management processes, adaptive authentication, and just-in-time access, reducing friction and risks. Customization through AI allows for tailored permissions and audit trails based on user roles and behaviors, significantly improving personalization in IAM. AI reduces false positives in threat detection by analyzing massive datasets, improving operational efficiency and response times to genuine threats. Practical applications of AI in IAM extend to privileged access management, identity governance, administration, and secrets management, ensuring robust security. AI-powered simulations of attack patterns on non-human identities help identify and strengthen potential vulnerabilities, maintaining defensive effectiveness. |
| 2024-11-15 08:07:45 | thehackernews | NATION STATE ACTIVITY | Iranian State Hackers Utilize WezRat for Targeted Cyber Espionage | Iranian state-sponsored actors are using the newly identified WezRat malware for reconnaissance and data theft, targeting compromised systems to execute malicious commands. Developed by Cotton Sandstorm, also known as Emennet Pasargad or Aria Sepehr Ayandehsazan, WezRat can keylog, take screenshots, upload files, and steal clipboard content and cookies. The malware uses modular DLL files from its command and control (C&C) server to remain less detectable. It is distributed via phishing emails impersonating the Israeli National Cyber Directorate, with malware-laced Google Chrome installers. The earlier versions of WezRat were simpler and lacked advanced capabilities like screenshot capturing, which have been integrated over time. Analysis reveals at least two different development teams are involved in the evolution of WezRat, suggesting a dedicated effort to maintain an effective espionage tool. WezRat's operations primarily target entities across the United States, Europe, and the Middle East, indicating its use in broader geopolitical cyber espionage. |
| 2024-11-15 06:40:18 | thehackernews | MALWARE | High-Severity Flaw in PostgreSQL Open to Malicious Exploits | A critical vulnerability has been identified in PostgreSQL, impacting its security by potentially allowing unauthorized code execution or data leakage. The bug, registered as CVE-2024-10979, has a high threat level with a CVSS score of 8.8. Hackers could manipulate environment variables like PATH to execute arbitrary code or access sensitive information, exploiting the PL/Perl environment within PostgreSQL. PostgreSQL has mitigated this vulnerability in multiple versions, including 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. The discovery was made by researchers Tal Peleg and Coby Abrams from Varonis, who have detailed potentially severe security implications. PostgreSQL and security experts recommend restricting permissions and controlling extension loading to bolster system defenses against such vulnerabilities. Details on the exact nature of the exploit remain undisclosed for now to allow users time for patch implementation. |
| 2024-11-15 06:35:00 | theregister | DATA BREACH | Microsoft Power Pages Misconfigurations Expose Sensitive Data | Microsoft Power Pages misconfigurations have led to the exposure of sensitive data, affecting millions globally, including 1.1 million NHS employees. Security researcher Aaron Costello from AppOmni identified the issue, noting that misconfigured access controls allowed public access to private information. The most significant exposure involved email addresses, phone numbers, and home addresses of NHS employees; this issue has since been resolved. The platform's security oversight is due to improper handling of "authenticated users," granting them permissions intended for internal users. The layered access control system of Power Pages often lacks adequate setup, especially at the table and column access levels, leading to broader data exposure. Many organizations skip essential security steps like data masking due to the complexity of configuration processes. Microsoft provides warnings for potentially dangerous configurations, yet breaches occur due to organizations not reducing excessive external access levels. Costello utilized the Burp Suite tool to demonstrate how misconfigurations could be exploited, underscoring the potential risk of data leaks. |
| 2024-11-15 05:34:12 | thehackernews | CYBERCRIME | Bitfinex Hacker Sentenced for Laundering $10.5 Billion in Bitcoin | Ilya Lichtenstein was sentenced to 5 years for hacking Bitfinex in 2016, leading to the theft of nearly 120,000 bitcoins. The stolen bitcoins were valued at over $10.5 billion at the time of the judgment. Lichtenstein used advanced hacking tools and techniques to execute fraudulent transactions transferring the bitcoins to a wallet he controlled. Both Lichtenstein and his wife, Heather Rhiannon Morgan, who also pleaded guilty, employed various schemes to launder the stolen bitcoins, including using darknet markets, chain hopping, and converting them into fiat currency. Blockchain analytics revealed that Walmart gift cards purchased with the stolen bitcoins led to their identification and arrest. The couple had obscured their trail by using fake identities and bank accounts but were caught through details found in their cloud storage accounts, leading to full fund traceability. Heather Morgan is scheduled for sentencing on November 18. She was portrayed as a less active participant in the hacking operation. The report also covered a related sentencing of Roman Sterlingov, who facilitated such laundering activities through Bitcoin Fog. |
| 2024-11-15 05:08:47 | thehackernews | CYBERCRIME | CISA Alerts on Actively Exploited Palo Alto Network Vulnerabilities | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Palo Alto Networks Expedition to its KEV catalog due to active exploitation. These vulnerabilities allow an unauthenticated attacker to execute arbitrary OS commands or access sensitive data including usernames, passwords, and API keys. Exploited vulnerabilities could lead to the exposure of database contents or unauthorized access to device configurations. Affected FCEB agencies are mandated to apply security patches by December 5, 2024, following guidance from CISA. Palo Alto Networks released updates on October 9, 2024, to address these vulnerabilities and revised their advisory following CISA's exploitation reports. Another related critical flaw (CVE-2024-5910) was recently discovered, also under active exploitation, further highlighting ongoing security risks. Palo Alto has detected a separate critical remote command execution vulnerability targeting a limited number of firewall interfaces, with fixes in progress. |
| 2024-11-14 22:48:57 | bleepingcomputer | CYBERCRIME | SilkSpecter Fraud Network Exploits 4,700 Fake Sites for Data Theft | SilkSpecter, a Chinese cybercriminal group, has created 4,695 fake shopping domains to illicitly gather payment card data from U.S. and European online shoppers. This fraudulent campaign was initiated in October 2024 and aggressively targets consumers during the high-traffic Black Friday sales period by mimicking popular brands such as The North Face, IKEA, and Lidl. These phishing sites use legitimate-sounding domain names with top-level domains such as '.shop' and '.store' to appear credible and exploit reputable payment processors like Stripe to enhance their appearance of legitimacy. Fraudulent activities involve redirecting users to a payment page on these phishing sites where they are prompted to input sensitive information including credit card details and phone numbers. SilkSpecter uses advanced tracking tools (OpenReplay, TikTok Pixel, Meta Pixel) to monitor visitor behavior and optimize their fraudulent strategies. The stolen phone numbers are believed to be used in secondary phishing operations for voice or SMS scams, particularly targeting two-factor authentication processes. It is recommended that shoppers verify the authenticity of online stores, avoid suspicious discounts promoted through unverified links, and employ strong security measures like multi-factor authentication on their financial accounts. |
| 2024-11-14 22:23:29 | theregister | MALWARE | Fortinet Patches Critical Privilege Escalation in VPN Client | Fortinet fixed a high-severity vulnerability (CVE-2024-47574) in its FortiClient VPN software, affecting multiple versions on Windows. The flaw allowed low-privilege users or malware to gain higher privileges, execute unauthorized code, and potentially take over a computer. The vulnerability also enabled attackers to delete log files, elevate malware privileges, and alter system connections to attacker-controlled servers. Alongside it, a second vulnerability (CVE-2024-50564) was addressed, which allowed unauthorized editing of SYSTEM-level registry values. Both vulnerabilities were reported by Pentera Labs; the higher-severity one has been publicly disclosed and patched, while the lower-severity one is pending a future advisory. Fortinet has released version 7.4.1 of FortiClient, which resolves these vulnerabilities. No evidence suggests these vulnerabilities were exploited in the wild. |