Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12815

Checks for new stories every ~15 minutes

2024-10-18 22:35:30 theregister MALWARE Critical Jetpack Plugin Update for WordPress Sites Released
A significant security update for the Jetpack WordPress plugin was recently launched after discovering a critical flaw. The vulnerability, found during an internal audit, involves the Contact Form feature that could potentially allow logged-in users to access forms submitted by site visitors. Patches have been issued for versions dating back to 2016, covering over 101 versions of the plugin. Despite no known exploitations in the wild, Jetpack developers anticipate potential exploits following the security disclosure. Jetpack is a widely used plugin installed on approximately 27 million WordPress sites, offering functionalities such as antispam filtering and site analytics. Automatic updates for the patch were pushed to affected sites, though manual verification of the plugin version is recommended. Other cybersecurity reports highlighted include a severe vulnerability in Veeam Backup & Replication software and new EU cyber incident reporting rules to tighten security across critical infrastructure sectors. In addition, the UK National Cyber Security Centre has expanded its free cybersecurity DNS service for educational institutions to enhance their cyber resilience.
2024-10-18 22:25:08 bleepingcomputer DATA BREACH Cisco DevHub Offline After Hacker Exposes Stolen Data
Cisco took its DevHub portal offline following a data leak by a threat actor named IntelBroker. The hacker claimed access through an exposed API token in a third-party developer environment. Cisco asserts there was no breach of its main systems and that no personal or financial data was compromised. Leaked data includes source code, technical documentation, and database credentials. An investigation is ongoing to establish the full scope of the accessed and leaked data. IntelBroker attempted to sell the stolen data and source code, showing proof of access to BleepingComputer. Cisco blocked all access to the compromised portal and related development environments following the incident.
2024-10-18 18:26:13 bleepingcomputer MALWARE Phishing Attack Uses Spoofed Emails to Deploy Data Wipers in Israel
ESET's exclusive partner in Israel, Comsecure, was breached to send phishing emails from the eset.co.il domain. The phishing campaign, initiated on October 8th, used ESET's branding to distribute data wipers disguised as antivirus software, named "ESET Unleashed." The emails claimed to protect against state-backed attackers and were sent directly from legitimate email servers, passing common email authentication tests. The malicious email contained links to download a ZIP file with a mix of legitimate DLL files and a malicious Setup.exe responsible for the data wiping. Cybersecurity investigations revealed that the Setup.exe was related to known malware groups and behaved differently on physical machines versus virtual environments. The attack's exact scope and how the initial breach occurred remain unclear, with no responses from Comsecure's executives. While not specifically attributed, similar data wiper attacks have historical precedent in Israel, often tied to geopolitical motives rather than financial gain.
2024-10-18 16:39:00 bleepingcomputer DATA BREACH Nidec Reports Data Leak After Ransomware Attack by Cybercriminals
Nidec Corporation experienced a ransomware attack, resulting in stolen and leaked data on the dark web. Hackers gained access using valid VPN credentials of a Nidec employee; around 50,694 files were compromised. Despite not meeting ransom demands, Nidec reported no direct financial damage or unauthorized use of the leaked information. The attack targeted Nidec Precision, a division in Vietnam specializing in manufacturing equipment for the photography industry. Post-incident, Nidec has implemented additional security measures and is conducting employee training to minimize future cyber risks. Both the 8BASE and Everest ransomware gangs were involved, with Everest publicizing the stolen data. Nidec has notified affected business partners and claims the situation is fully remediated.
2024-10-18 14:51:44 bleepingcomputer MALWARE New Spectre Bypass Uncovered in Latest Intel and AMD CPUs
Newly disclosed vulnerabilities in Intel and AMD CPUs allow bypassing Spectre mitigations on Linux systems. Affected Intel CPU generations include 12th to 14th for consumers and 5th to 6th for servers, alongside AMD’s Zen 1 to Zen 2 architectures. The vulnerabilities exploit flawed speculative execution, revealing sensitive data like password hashes. Intel has issued a microcode fix (CVE-2023-38575), though not yet universally applied across all operating systems. AMD recognizes the issue as a software bug under CVE-2022-23824, affecting additional architectures, including the Zen 3. ETH Zurich researchers are collaborating with Linux maintainers to develop a patch specifically for AMD processors. Both hardware manufacturers were informed of these issues as early as June 2024, indicating proactive but incomplete containment efforts.
2024-10-18 14:05:08 bleepingcomputer MISCELLANEOUS $200 Million FCC Initiative to Boost K-12 Cybersecurity
In 2024, the FCC introduced a $200 million K-12 Cybersecurity Pilot Program aimed at enhancing cybersecurity in schools and libraries across the U.S. The program addresses the rising cyber threats encountered by educational institutions, notably ransomware and data breaches. Schools and libraries seeking to participate must demonstrate the need for better cybersecurity infrastructure and adhere to basic cybersecurity best practices. Preference is given to institutions in underserved or high-risk areas lacking the financial means to independently upgrade their cybersecurity measures. The application process involves assessing current cybersecurity status, conducting audits to find vulnerabilities, and submitting a detailed plan for using the funds to improve cybersecurity. Partnerships with cybersecurity firms like Cynet Security are recommended to assist schools in preparing for the application by providing audits, strategies, and support. Long-term support from Cynet and continuous monitoring and updates are necessary to maintain a secure educational environment beyond the initial funding period. The initiative emphasizes both immediate cybersecurity enhancements and ongoing resilience against future threats.
2024-10-18 13:54:41 thehackernews NATION STATE ACTIVITY North Korean IT Workers Extort Western Firms with Stolen Data
North Korean IT personnel, posing under false identities, have begun extorting Western companies by threatening to release stolen intellectual property. These personnel, often pretending to be freelancers or using stolen identities from the U.S., gain insider access and manipulate systems for financial gain, under orders from North Korea. The tactics include rerouting corporate laptop deliveries to intermediary locations where remote access software is installed, allowing further unauthorized network access. Secureworks Counter Threat Unit has linked these activities to a known threat group named Nickel Tapestry, indicating an organized, state-backed strategy. The fraudulent activities have escalated to direct extortion, where terminated workers send emails threatening to leak proprietary information unless paid. In response to these threats, organizations are encouraged to enhance their hiring protocols, verify identities rigorously, conduct real-time interviews, and monitor IT equipment distribution and network access closely. These findings highlight a significant shift in the operational tactics of North Korean operatives, emphasizing quick profit through internal corporate extortion rather than long-term infiltration.
2024-10-18 12:32:17 theregister CYBERCRIME Man Faces Prison for Bitcoin Manipulation via SEC Account Hack
Eric Council Jr, 25, was arrested for attempting to manipulate Bitcoin prices by hacking the SEC's X account. The compromised account falsely announced the approval of Bitcoin ETFs, momentarily boosting Bitcoin’s price by over $1000. A retraction was issued by the SEC once they regained control, causing a significant drop in Bitcoin’s price. Council Jr and accomplices used SIM swapping to gain unauthorized access to the phone of an individual linked to the SEC account. They also created fake identity documents for further legitimization in the SIM swap attack. The incident reflects a broader issue with SIM swapping affecting high-profile organizations and leading to financial and data losses. The U.S. Department of Justice charges include conspiracy to commit aggravated identity theft and access device fraud, with a potential five-year sentence.
2024-10-18 11:29:45 thehackernews MISCELLANEOUS Webinar Highlights DSPM for Enhanced Data Security
The webinar focuses on Data Security Posture Management (DSPM) as a critical tool for addressing complex data security challenges. Benny Bloch, a security expert from Global-e, will share insights on implementing DSPM in business practices. DSPM is presented as a solution to effectively locate, manage, and secure data scattered across various platforms. Attendees will learn strategies to enhance their company's data security and manage vulnerabilities effectively. The session aims to educate on building a robust data security posture to protect a company's most valuable asset—its data. Registration for the webinar is currently open, targeting professionals seeking to improve their organization's data security measures.
2024-10-18 11:03:46 theregister CYBERCRIME ESET-Branded Wiper Targets Israeli Businesses; No Breach at ESET
ESET confirmed that its infrastructure was not compromised following claims of a wiper attack disguised with ESET branding targeting Israeli organizations. The suspicious emails, resembling communications from ESET's Advanced Threat Defense Team, were flagged by Google Workspace yet passed DKIM and SPF authentication. The campaign involved sending a .ZIP file ostensibly from ESET, containing a mix of legitimate ESET files and a malicious executable that functioned as a wiper, not ransomware. The campaign has been linked to the pro-Palestine Handala group, known for similar attacks against Israeli targets, including high-profile individuals and organizations. ESET responded quickly, stating that the malicious campaign was promptly blocked and that its products and client systems remain secure. The incident coincides with the anniversary of the Iron Swords War, suggesting a potential hacktivist motive behind the timing of the attack. ESET is actively working with its affected partner in Israel to further investigate and manage the situation.
2024-10-18 11:03:46 thehackernews NATION STATE ACTIVITY Iranian Cyberattacks Target Global Critical Infrastructure Entities
Cybersecurity agencies from Australia, Canada, and the U.S. have issued warnings regarding a year-long Iranian cyber campaign targeting critical infrastructure sectors. The Iranian actors employed methods such as brute-force attacks, password spraying, and multi-factor authentication prompt bombing to infiltrate systems in healthcare, government, IT, engineering, and energy sectors. "Push bombing" or MFA fatigue tactics are used to manipulate users into accepting multi-factor authentication requests, raising concerns over user-based security weaknesses. The attackers aim to steal credentials and network information for reselling purposes, facilitating further cybercrimes by other actors. After initial access, attackers conduct thorough reconnaissance using techniques like living-off-the-land (LotL) tools, privilege escalation through known vulnerabilities, and maintaining persistence by registering their own devices. Identity systems with "number matching" are advised as a countermeasure to prevent unauthorized device registration and continued access by threat actors. The intelligence from these attacks is often traded on cybercriminal forums, indicating a blend of nation-state activity with traditional cybercrime. Recent global advisories focus on protecting Active Directory services from compromises that facilitate these attacks, in response to the evolving threat landscape involving nation-state actors and cybercriminals.
2024-10-18 09:47:02 thehackernews MALWARE Ongoing ClickFix Campaign Uses Fake Google Meet Pages for Malware
Threat actors have launched a malware campaign called ClickFix, using fake Google Meet web pages to distribute infostealers targeting Windows and macOS systems. The campaign employs social engineering by presenting fake error messages that trick users into manually executing malicious PowerShell code, effectively bypassing common security measures. On Windows systems, the malware deploys StealC and Rhadamanthys stealers; macOS users encounter a malicious disk image that installs the Atomic stealer. The fake pages not only mimic Google Meet but also other services like Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, with potential expansions to Zoom. Sekoia has linked the misleading Google Meet component of ClickFix to trafficker groups within the broader entities of markopolo and CryptoLove, suggesting shared resources and infrastructure between these cybercriminal groups. These developments are part of a broader trend of rising open-source infostealer usage, which is reducing the barriers for cybercriminal entry and escalating the threat landscape. The increase in accessible infostealer tools is seen as a significant shift in cyber threats, potentially leading to more widespread computer infections and heightened risks for both individuals and organizations.
2024-10-18 08:50:38 theregister NATION STATE ACTIVITY Intel Denies China's Accusations of NSA-Influenced Backdoors
Intel has responded to accusations from the Cybersecurity Association of China (CSAC) that its CPUs contain security backdoors installed under NSA guidance since 2008. CSAC claims that Intel's chips not only have backdoors but also contain vulnerabilities and frequently fail, indicating serious quality and security management issues. The accusations have led CSAC to demand a cybersecurity review of Intel products in China to safeguard national security and consumer rights. Intel, deriving about 25% of its revenue from China last year, responded via WeChat, stating its commitment to product safety and adherence to local laws, but did not directly address the backdoor allegations. Intel's vague response includes mentions of ongoing communication with relevant departments to demonstrate its commitment to product safety and quality. Concurrently, China’s Ministry of State Security highlighted cybersecurity threats and potential state security risks from AI and foreign data collection through smart car technologies. The dispute reflects broader tensions and cybersecurity concerns between the U.S. and China, including U.S. sanctions limiting chip exports to China.
2024-10-18 05:47:07 thehackernews MALWARE Microsoft Exposes Major macOS Flaw Allowing Privacy Bypass
Microsoft disclosed details about a vulnerability in macOS that potentially allows unauthorized access to a user's privacy preferences. The vulnerability, named HM Surf, was found in the macOS Transparency, Consent, and Control (TCC) framework and was patched in macOS Sequoia 15. Exploitation of the flaw could permit access to sensitive user data such as location services, camera, microphone, and browsing history through Safari without user consent. The exploit involves removing TCC protections and modifying Safari's local configuration files, enabling wide access to the device's resources. Microsoft also noted an observed link between the vulnerability and suspicious activities related to macOS adware threat AdLoad, although the exact exploit technique by AdLoad remains uncertain. Microsoft is collaborating with other browser vendors to enhance security measures concerning local configuration files. Apple has implemented a new security mechanism, Hardened Runtime, alongside the browser entitlements to mitigate such risks, though vulnerabilities still persist.
2024-10-18 05:36:43 theregister NATION STATE ACTIVITY Intel Denies Chinese Claims of NSA-Influenced Security Backdoors
Intel has firmly denied allegations from the Cybersecurity Association of China that its chips contain NSA-directed security backdoors. The accusations, asserted by China's cybersecurity industry group, claim Intel has included backdoors in nearly all CPUs since 2008 as part of a security defense initiative. Intel responded on WeChat, asserting its commitment to law compliance in its operations in China and emphasizing its focus on product safety and quality. The dispute is part of broader tensions between the U.S. and China over cybersecurity and technology transfers, including U.S. sanctions limiting chip exports to China. China's Ministry of State Security has also issued warnings about cybersecurity threats and the misuse of AI technology, emphasizing national security concerns. This conflict occurs amidst other accusations by the U.S. against China regarding cyber-espionage aimed at U.S. infrastructure.