Daily Brief

2024-10-24 19:15:07 bleepingcomputer DATA BREACH Over 800,000 Affected in Landmark Admin Data Breach Incident
Landmark Admin experienced a significant data breach affecting over 800,000 individuals, detected initially due to suspicious activity on May 13th, 2024. The breach occurred following a cyberattack on the company's IT systems, which led to the shutdown of these systems and remote network access to mitigate further damage. Landmark Admin, a third-party service provider, manages back-office operations for various large insurance companies including American Monumental Life and Liberty Bankers Life Insurance Company. A third-party cybersecurity firm was engaged to manage the breach's remediation and to investigate the extent and nature of the data accessed by attackers. Compromised data could include sensitive personal information such as Social Security numbers, financial account details, and health insurance policy numbers. The company has started notifying affected individuals by mail regarding the potentially compromised information and continues to investigate further impacts of the breach. All impacted parties are advised to monitor their financial statements and credit reports for any unusual activity to prevent identity theft.
2024-10-24 18:18:55 theregister DDOS Cisco Issues Urgent Fix for Exploited Security Vulnerability
Cisco has released emergency patches for a security flaw in its ASA and FTD software, following reports of exploitation that targeted devices with enabled VPN services. The vulnerability, identified as CVE-2024-20481, has been used for brute-force attacks, attempting to cause denial of service through resource exhaustion. It has a 5.8 CVSS score indicating medium severity. Attacks have been primarily carried out via a flood of VPN authentication requests, trying both generic and valid credentials to disrupt services. No direct workaround is available; however, Cisco has advised users to update their software to protect against potential attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20481 to its Known Exploited Vulnerabilities Catalog, signaling heightened concern and advising immediate updates. Cisco's threat intelligence team, Talos, has observed an increase in such attacks originating from TOR exit nodes and other anonymizing services. Along with the patches, Cisco has published recommendations and a list of indicators of compromise to assist in mitigating and identifying similar attacks moving forward.
2024-10-24 18:08:25 bleepingcomputer DDOS Cisco Patches VPN DoS Vulnerability Amid Brute Force Attacks
Cisco has resolved a denial of service (DoS) vulnerability in its Cisco ASA and Firepower Threat Defense (FTD) software discovered during large-scale brute force attacks. The vulnerability, identified as CVE-2024-20481, can cause DoS by resource exhaustion when numerous VPN authentication requests are sent to affected devices. The flaw impacts all versions of Cisco ASA and FTD software prior to the latest updates, requiring a device reload to restore VPN services post-exploitation. Originally, the brute force attacks aimed to harvest VPN credentials for sale or ransomware use but inadvertently triggered DoS states on Cisco devices. Exploitation of this vulnerability is exclusive to devices with the Remote Access VPN (RAVPN) service enabled, which can be verified via specific Cisco command checks. Cisco also issued advisories for 42 other vulnerabilities, including three of critical severity, across various products advising immediate patching. No active exploitations have been observed for these additional vulnerabilities, but admins are urged to remain vigilant and update affected systems promptly.
2024-10-24 16:41:30 thehackernews MALWARE New Qilin.B Ransomware Variant Boasts Advanced Encryption
Cybersecurity firm Halcyon has identified an advanced variant of Qilin ransomware, dubbed Qilin.B, with enhanced encryption methods and evasion tactics. Qilin.B uses AES-256-CTR encryption on systems equipped with AES-NI and ChaCha20 on others, and wraps the file-encryption keys with RSA-4096 using OAEP padding. This variant demonstrates a strategic shift in attack approach: it now targets stored credentials in Google Chrome, routinely clears Windows Event Logs, and deletes itself after the attack. It disrupts system recovery by terminating security-related services, killing backup and virtualization processes, and deleting shadow copies. The report also notes an increase in ransomware attacks on U.S. healthcare, with reported losses of up to $900,000 per day from operational downtime. It highlights the broader issue of ransomware groups evolving and refining their tactics, underscoring the persistent threat within the cybersecurity landscape.
2024-10-24 15:19:39 bleepingcomputer MALWARE Qilin.B Ransomware Introduces Stronger Encryption and Evasion Tactics
The new Qilin.B ransomware variant uses robust AES-256-CTR and ChaCha20 encryption, choosing between them according to the capabilities of the target system. It protects the file-encryption keys with RSA-4096 and OAEP padding, making decryption infeasible without the attackers' private key. Designed to evade detection, Qilin.B terminates several critical processes and clears system logs to hinder forensic analysis and security controls. It deletes shadow copies and modifies registry keys to prevent data recovery and maintain persistence in infected networks. The ransomware spreads automatically through local and network folders, generating customized ransom notes that include victim IDs. Previous Qilin variants have been involved in significant breaches, targeting major institutions such as London hospitals and global firms such as Yanfeng. The malware's ability to steal credentials and infiltrate entire networks poses a continuing threat, particularly to Windows systems.
2024-10-24 14:02:56 bleepingcomputer MISCELLANEOUS White Hat Hackers Expose 51 New Flaws in Tech Devices
On day two of Pwn2Own Ireland 2024, hackers disclosed 51 zero-day vulnerabilities. Competitors vied for the "Master of Pwn" title and a share of $1,000,000 in cash and prizes, earning a total of $358,625 for the day. Viettel Cyber Security's team led the competition, with notable achievements in multiple categories. Key exploits included a Canon printer hack by ANHTUD team members and a Samsung Galaxy S24 hack by NCC Group's Ken Gannon. Dungdm of the Viettel Cyber Security team took control of a Sonos Era 300 using a use-after-free vulnerability. Other attempts against devices including the Sonos Era 300 and the Lexmark CX331adwe printer failed. The competition will continue for two more days, with researchers aiming to improve their standings. After two days, the event has awarded $847,875 for the exploitation of 103 zero-day vulnerabilities.
2024-10-24 13:01:44 thehackernews CYBERCRIME Vulnerability in AWS CDK Allows Potential Account Takeover
A security flaw in the Amazon Web Services (AWS) Cloud Development Kit (CDK) poses a risk of account takeover under specific scenarios. The flaw was responsibly disclosed and patched in CDK version 2.149.0 following its discovery. The vulnerability stems from predictable naming conventions used during the initial bootstrapping of AWS environments, which could enable attackers to compromise user accounts. Because the S3 bucket name is predictable, an attacker could pre-register it and carry out S3 bucket namesquatting, affecting the integrity and availability of cloud resources. Exploitation could alter CloudFormation templates, granting an attacker administrative privileges within the compromised AWS account. AWS urges users to update to the latest CDK version and to adopt unique identifiers when naming AWS resources to mitigate the risk. Findings indicate that approximately 1% of CDK users were vulnerable; ongoing user vigilance and proactive security practices are recommended. The disclosure is part of broader concerns about cloud security, including reported issues with mobile apps storing unencrypted cloud service credentials.
2024-10-24 12:46:11 thehackernews DDOS Cisco Addresses Active Exploit in VPN with Urgent Updates
Cisco has issued updates for a security flaw, CVE-2024-20481, in its ASA and FTD software that is currently being exploited, leading to potential denial-of-service (DoS) incidents. The vulnerability, with a CVSS score of 5.8, affects the Remote Access VPN service and can cause service disruption by resource exhaustion. Attackers can exploit this issue by flooding the VPN with excessive authentication requests, overwhelming the system and necessitating a device reload. There are no direct workarounds for this vulnerability; however, Cisco advises on measures to prevent password spraying attacks. The flaw is part of a broader pattern of brute-force attacks targeting VPNs and SSH services, beginning from March 18, 2024, that involve multiple vendors. These brute-force campaigns have utilized generic and organization-specific usernames, originating from TOR exit nodes and other anonymizing services. Alongside this fix, Cisco released patches for three other critical vulnerabilities across its FTD Software, Secure Firewall Management Center Software, and ASA. Given the prevalence of these vulnerabilities in critical infrastructure, rapid application of these patches is vital to safeguard against potential nation-state attacks and other malicious activities.
2024-10-24 11:39:34 theregister MISCELLANEOUS Bitwarden Changes Spark Debate Over FOSS Status
Bitwarden, an online credential storage service, has introduced a new SDK requirement for building its software, causing controversy about its FOSS status. A new license for the SDK restricts developers from using it with any software other than Bitwarden, violating the first of the GNU Project's essential software freedoms. Critics argue that these restrictions mean Bitwarden's desktop version 2024.10.0, and potentially other versions, are no longer genuinely open source. Community discussion on GitHub was cut short when Bitwarden CTO Kyle Spearrin closed and locked the thread, stating that the Bitwarden tools and the SDK are separate entities. The change in licensing and restrictions has drawn comparisons with other companies that have similarly moved away from purely open-source models. Alternatives to Bitwarden, such as Vaultwarden (a Rust-based server), exist, but their independence is questionable after Vaultwarden's lead developer joined Bitwarden. Historical context shows earlier skepticism: when Bitwarden received $100 million in venture capital funding in 2022, the community predicted a shift away from FOSS principles.
2024-10-24 11:03:38 thehackernews CYBERCRIME Imperative Shift to Phishing-Resistant MFA Amid Rising Cyber Threats
DHS/CISA and the FBI have emphasized the necessity for organizations to adopt phishing-resistant MFA to counter rampant ransomware attacks. The average ransom payment has increased to $2 million in recent reports, signaling a critical peak in cyber threats and the vulnerability of legacy security systems. Legacy MFA methods such as SMS-based OTPs have proven ineffective against modern cyberattacks, making them susceptible to phishing, SIM swapping, and other tactics. Advanced phishing techniques fueled by Generative AI have become sophisticated, dodging traditional detection methods by mimicking trusted sources and crafting realistic communications. The proliferation of Ransomware-as-a-Service and accessible AI tools on the dark web has lowered the entry barrier for executing complex cyberattacks. Next-generation MFA solutions, including biometric authentication and hardware-based FIDO2 compliant technologies, offer significantly improved security against these elevated threats. Organizations are urged to adopt these advanced, phishing-resistant MFA systems to mitigate the risk of substantial financial losses due to cyberattacks. Implementing robust and user-friendly next-generation MFA technologies not only enhances security but also reduces the likelihood of user error and phishing susceptibility.
2024-10-24 10:43:08 theregister CYBERCRIME Ransomware Attacks Disrupt US Healthcare, Endangering Patients
Ransomware impacted 389 U.S. healthcare organizations this year, compromising patient safety and incurring significant costs. Facilities affected by ransomware face up to $900,000 per day in operational losses, and average payments to attackers have reached $4.4 million. In one case, UnitedHealth spent over $2.1 billion on network restoration and additional medical care costs after a ransomware attack, including a $22 million ransom payment. Nearby hospitals experience increased strain from diverted resources and patients, with significant increases in stroke and cardiac arrest cases when a local hospital is attacked. Survival rates for certain emergency conditions have fallen drastically, from 40% to 4.5%, during ransomware incidents. Ransomware as a Service (RaaS) and the safe harbor provided by countries such as Russia have facilitated a 300% increase in healthcare-targeted attacks. Notably, Iranian groups pose the highest threat this year, actively attempting to breach healthcare networks in conjunction with ransomware campaigns; China and Russia also play significant roles in these cyberattacks.
2024-10-24 09:57:01 thehackernews NATION STATE ACTIVITY North Korean Lazarus Group Exploits Chrome in Crypto Scheme
North Korean threat actor Lazarus Group exploited a Google Chrome zero-day vulnerability, CVE-2024-4947, to hijack devices. The attack was executed via a fake game website targeting individuals in the cryptocurrency sector, beginning in February 2024. The malicious website appeared professional, promoting a downloadable trial for a DeFi NFT-based game, but secretly ran a script to exploit browsers and gain control of PCs. Discovered by cybersecurity firm Kaspersky, the attack introduced the Manuscrypt backdoor upon visiting the decoy site. The scheme involved social engineering tactics, including the use of X (formerly Twitter) and LinkedIn to promote the deceptive game to crypto influencers. Kaspersky believes that Lazarus also committed intellectual property theft by stealing source code from a legitimate blockchain game in March 2024, repurposing it for their attack. Google patched the exploited vulnerabilities in Chrome by mid-May 2024 after acknowledging reports from cybersecurity entities.
2024-10-24 06:32:43 theregister CYBERCRIME AI Agents Boost Phone Scams Efficiency at Minimal Cost
University of Illinois researchers tested OpenAI's Realtime API for potential misuse in phone scams and were able to automate a range of fraudulent activities. Scammers can use voice-enabled AI models to impersonate officials or company employees, tricking victims into revealing personal data such as bank details. The cost of a successful AI-driven phone scam is remarkably low, averaging about $0.75 per incident. The scamming agents were simple, involving only 1,051 lines of code, highlighting how easily dual-use AI technologies can be built. OpenAI's detection systems reportedly flagged the researchers' experiments, demonstrating some level of oversight and safeguards against misuse. Despite those safeguards, the overall success rate of the AI-powered scams was around 36%, varying with the complexity of the actions required. The study underscores the urgent need for comprehensive solutions across AI providers, telecommunications carriers, and regulators to mitigate the impact of voice scams.
2024-10-24 06:27:24 thehackernews CYBERCRIME Critical Security Flaw in FortiManager Actively Exploited
Fortinet reported a critical vulnerability, CVE-2024-47575, in FortiManager with a CVSS severity rating of 9.8. The vulnerability, dubbed FortiJump, affects FortiManager and FortiAnalyzer versions and is exploited via the FGFM protocol. Attackers can execute arbitrary code or commands by sending specially crafted requests without authentication. Exploitation requires a valid Fortinet device certificate, which can be obtained from an existing device. The exploit has been used to automate the exfiltration of sensitive data such as IP addresses, credentials, and system configurations from compromised systems. Fortinet has not observed the vulnerability being used to deploy malware or modify databases; the focus appears to be data exfiltration. Fortinet has provided two specific workarounds along with patch updates, and federal agencies are required to remediate by November 13, 2024. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, underscoring the urgency of remediation.
2024-10-24 05:15:49 theregister NATION STATE ACTIVITY Hong Kong Implements Ban on WeChat and Western Apps on Government PCs
Hong Kong's government has prohibited the use of WeChat, WhatsApp, and Google Drive on its computers due to security concerns. Innovation, Technology and Industry Secretary Sun Dong announced the policy update, which follows cyber security incidents and adopts practices similar to the US and China. The Digital Policy Office explained that encryption in these apps could bypass government cyber defenses, making monitoring for malicious links or attachments difficult. There are concerns that not controlling these platforms may lead to challenges in tracing information and increases the risk of data leaks. Exceptions to the restrictions may be granted with department head approval, reflecting a nuanced approach to the ban. The ban is set to begin at the end of October as part of broader efforts to enhance cyber security across government systems. Hong Kong, while part of China, operates under a "one country, two systems" framework, yet this measure aligns more closely with mainland policies on technology.