Daily Brief
Total articles found: 12814
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-10-10 13:41:11 | theregister | CYBERCRIME | CISA Updates KEV Catalog with Fortinet and Ivanti Vulnerabilities | The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged actively exploited vulnerabilities in Fortinet and Ivanti products. The Fortinet vulnerability, a critical format string bug (CVE-2024-23113), affects multiple products and allows remote code execution via specially crafted packets. Fortinet recommends applying patches or, as a temporary measure, removing fgfm access to reduce the attack surface. Ivanti's problems stem from an SQL injection (CVE-2024-9379) and an OS command injection (CVE-2024-9380) in its Cloud Services Application; both are being exploited in the end-of-life version 4.6. Ivanti advises customers to update to the latest version, 5.0.2, and to rebuild compromised systems. Both companies have faced security challenges this year, prompting CISA to speed up its warning timeline to reduce risk to federal agencies. Despite the known risks, the vulnerabilities' use in ransomware attacks is still listed as "unknown" by CISA. |
| 2024-10-10 13:30:41 | thehackernews | MISCELLANEOUS | OpenAI Disrupts Global AI-Driven Cybercrime and Disinformation Efforts | OpenAI has halted more than 20 malicious campaigns worldwide that used its platform since the beginning of the year, primarily for cybercrime and disinformation. These activities included debugging malware, writing website content, and creating biographies and AI-generated profile pictures for fake social media accounts. Operations targeted by OpenAI used its models to generate fake content aimed at influencing audiences around elections in the U.S., Rwanda, India, and the European Union, without gaining significant traction. An Israeli company, STOIC, was involved in creating AI-generated social media comments about the Indian elections, as previously revealed by Meta and OpenAI. Newly identified influence operations include A2Z and Stop News, which used AI to produce multilingual content and AI-generated imagery for social media and web distribution. The company also blocked misuse by entities such as Bet Bot and Corrupt Comment, which engaged users on social platforms in harmful activities such as linking to gambling websites. The report coincides with findings from cybersecurity firm Sophos highlighting the risk that generative AI can craft tailored misinformation and malicious content at scale. |
| 2024-10-10 12:13:39 | thehackernews | CYBERCRIME | High-Risk Security Flaw Unpatched in Access Control Systems | Researchers have disclosed a critical, unpatched vulnerability in Nice Linear eMerge E3 access control systems that allows execution of arbitrary OS commands. The flaw, tracked as CVE-2024-9441, carries a CVSS score of 9.8 out of 10. Affected versions range from 0.32-03i to 1.00.07, exposing a wide range of deployed systems to unauthorized access. Proof-of-concept exploits have already been released publicly, increasing the likelihood of exploitation. Historically the vendor has responded slowly to similar issues, as shown by the delayed fix for a previous critical flaw, CVE-2019-7256. SSD Disclosure and other security experts urge organizations running the vulnerable systems to take them offline or isolate them strictly to reduce risk. The vendor, Nice, has yet to release a patch and advises customers to follow security best practices, including network segmentation and firewalls. |
| 2024-10-10 11:34:45 | theregister | CYBERCRIME | Mozilla Fixes Critical Firefox Vulnerability Exploited in the Wild | Mozilla has issued an urgent patch for a critical vulnerability, CVE-2024-9680, in its Firefox browser. The flaw, in the Animation timelines component, allows attackers to execute code remotely without user interaction. The NVD rates the vulnerability at 9.8, indicating high risk to confidentiality, integrity, and availability. National cybersecurity agencies in Canada, Italy, and the Netherlands have published advisories because of the flaw's severity and the ongoing attacks. The fix is available in Firefox 131.0.2 and in Firefox ESR 115.16.1 and 128.3.1. Given the low complexity of exploitation and the potential for significant damage, rapid updating is advised. Alerts about exploitation of this bug were raised earlier as well, making it a rare instance of an actively exploited critical vulnerability in Firefox. |
| 2024-10-10 11:07:39 | thehackernews | MISCELLANEOUS | Reducing SOC Analyst Burnout with AI and Workflow Improvements | SOC analyst burnout is intensifying as alert volumes grow and turnover remains high. Organizations face severe staffing shortages, with millions of cybersecurity roles unfilled globally. Only 19% of alerts are typically addressed, producing a rising backlog and mounting pressure on analysts. AI-driven automation can reduce SOC workload by handling up to 90% of routine tasks, easing stress on human analysts. Shifting analysts from manual triage to overseeing and validating AI-generated analyses improves job satisfaction and operational efficiency. Automated incident response and AI-assisted training can improve response times and upskill analysts. Better tool integration and attention to work-life balance are critical for reducing complexity and keeping SOC operations running without eroding personal time. Investment in both technology and people is essential to keep pace with evolving threats and reduce analyst burnout. |
| 2024-10-10 07:50:58 | theregister | MISCELLANEOUS | SANS Releases AI Toolkit During Cybersecurity Awareness Month | October is Cybersecurity Awareness Month, emphasizing collaboration on the importance of cybersecurity. Use of AI technology is increasing, raising concerns about risks to sensitive data. The UK National Cyber Security Centre has identified potential AI vulnerabilities. The SANS Institute has developed the SANS AI Toolkit to help organizations use AI securely. The toolkit categorizes AI users as Trailblazers, Sceptics, or Pragmatists based on their access and management approval. It includes an Acceptable Use Policy, informative factsheets, and guidance for effective AI use. The AI Toolkit aims to align AI tool usage with company values and maximize the benefit users get from AI technology. The toolkit and further insights are available in conjunction with Cybersecurity Awareness Month. |
| 2024-10-10 07:30:12 | theregister | MISCELLANEOUS | How CISOs Can Secure Organizations in the GenAI Era | Generative AI (GenAI) is becoming integral to industries such as customer service and content creation, improving efficiency and creativity. Its rapid integration into corporate environments poses significant security, privacy, and regulatory challenges. Key concerns include data privacy risks, compliance with data protection laws such as GDPR, and the introduction of vulnerabilities that cybercriminals could exploit. Adversarial attacks and AI-powered malware are emerging threats that require advanced defensive measures. Chief Information Security Officers (CISOs) are advised to implement robust access controls, secure coding practices, and regular security assessments to safeguard AI systems. Monitoring AI operations for anomalies, establishing strong AI governance frameworks, and training employees are critical for addressing internal and external threats. CISOs need to balance the opportunities of GenAI with proactive security strategies so that innovation does not compromise organizational safety. |
| 2024-10-10 07:19:37 | thehackernews | CYBERCRIME | New Unicode Obfuscation Method Used in E-Commerce Skimming | Researchers at Jscrambler have identified a digital skimming campaign that uses Unicode to conceal malicious scripts. The campaign involves a skimmer known as Mongolian Skimmer, which targets e-commerce platforms to steal sensitive financial data from checkout pages. The skimmer exploits JavaScript's acceptance of Unicode characters in identifiers, making the malicious code hard to read and analyze. Its evasion measures include disabling certain functions when a browser's developer tools are open, which complicates debugging. The skimmer uses both modern and legacy browser event-handling techniques to maximize compatibility and reach a broad user base. An unusual loader variant was observed that launches the skimmer script only after specific user interactions, serving as both an anti-bot measure and a performance optimization. Mongolian Skimmer was delivered through compromised Magento sites, where multiple threat actors discussed profit sharing for their skimming operations. Although it appears advanced, the obfuscation consists of older techniques repurposed to look more complex, and it remains reversible by experienced analysts. |
| 2024-10-10 06:33:04 | theregister | CYBERCRIME | Major Dark Web Marketplaces Dismantled; Administrators Arrested | Dutch police have dismantled what they describe as the world's largest dark web markets, Bohemia and Cannabia, following a detailed investigation. Two suspected administrators were arrested while attempting to flee with their earnings after shutting down the marketplaces in an exit scam. The crackdown involved law enforcement agencies from the Netherlands, Ireland, the UK, and the USA. Investigators found that the sites handled approximately 67,000 transactions per month, primarily sales of cannabis and DDoS tools. In September 2023 the platforms recorded a turnover of €12 million, with the administrators pocketing about €5 million. Despite the perceived anonymity of the dark web, international law enforcement efforts have significantly undermined the reliability and credibility of such illegal marketplaces. The arrests underline the effectiveness of international cooperation in policing digital crime and curtailing online illicit marketplaces. |
| 2024-10-10 05:51:56 | thehackernews | CYBERCRIME | Critical Security Flaws Found in Fortinet, Palo Alto, and Cisco Systems | CISA has added a critical Fortinet vulnerability, CVE-2024-23113 (CVSS 9.8), to its KEV catalog because of active exploitation. The flaw allows remote code execution on several platforms including FortiOS and FortiWeb, and federal agencies must apply mitigations by October 30, 2024. Palo Alto Networks disclosed serious vulnerabilities in its Expedition tool that can expose sensitive information such as usernames and cleartext passwords. The Expedition flaws affect all versions prior to 1.2.96; mitigation includes restricting access and, if necessary, shutting the software down. Cisco also patched a critical flaw in Nexus Dashboard Fabric Controller, CVE-2024-20432, which allows low-privileged authenticated users to perform command injection. The affected Cisco versions have been identified, and devices running other versions are reported not vulnerable. The disclosures underline the ongoing need for vigilance and prompt patch management to safeguard sensitive IT infrastructure. |
| 2024-10-10 04:30:01 | thehackernews | MALWARE | Urgent Firefox Update Needed to Combat Exploited Security Flaw | Mozilla has disclosed a critical security vulnerability in Firefox and Firefox ESR that is being actively exploited in the wild. The flaw, CVE-2024-9680, is a use-after-free in the Animation timelines component that allows attackers to execute code remotely. Damien Schaeffer of ESET discovered and reported the vulnerability. Mozilla urges users to upgrade immediately to the latest version to mitigate the risk. Details of the exploitation method and the identity of the attackers remain undisclosed. Exploitation could involve attacks such as drive-by downloads or watering hole campaigns aimed at specific user groups. The fix is now available, and users are advised to install it without delay to protect against ongoing exploitation. |
| 2024-10-10 01:39:19 | theregister | DATA BREACH | Internet Archive Suffers User Data Leak Amid DDoS Attack | The Internet Archive faced a double security incident: a DDoS attack and a significant data leak affecting 31 million users. The exposed user information includes usernames, email addresses, and salted password hashes. The DDoS attack made the Archive unavailable for up to five hours, with visitors seeing only an incident notification. The breach was flagged by Have I Been Pwned, which confirmed the exposure of email addresses, screen names, and bcrypt password hashes. In response, the organization disabled a compromised JS library and began upgrading its systems' security. Archive founder Brewster Kahle confirmed both the website defacement and the subsequent data breach but offered few details. Whether the DDoS attack and the data breach are directly connected remains uncertain. The incident adds to a series of challenges the Internet Archive has faced in 2024, including legal issues and earlier DDoS disruptions. |
| 2024-10-09 23:36:49 | theregister | NATION STATE ACTIVITY | GoldenJackal Hacks Air-Gap Systems in Diplomatic Espionage | The cyberespionage group GoldenJackal penetrated air-gapped systems at European and South Asian diplomatic entities using custom malware. Researchers identified two distinct GoldenJackal intrusions: one targeting a European government organization from May 2022 to March 2024, and another targeting a South Asian embassy in Belarus in 2019. The attacks used sophisticated toolsets, including malware named GoldenDealer, GoldenHowl, and GoldenRobo, designed specifically to breach and operate within air-gapped environments. Initial delivery vectors included fake Skype installers and malicious Word documents exploiting the Follina vulnerability. ESET, the firm that uncovered the activity, noted a possible connection between GoldenJackal's command-and-control protocols and those used by Turla, a group attributed to Russia's Federal Security Service (FSB). Despite extensive analysis, researchers have not definitively traced the initial delivery method for some tools, suggesting a possible unknown worm component. GoldenJackal has shown persistent and advanced capability in breaching secure government networks, reflecting significant resourcefulness and strategic planning. |
| 2024-10-09 22:25:11 | bleepingcomputer | DATA BREACH | Internet Archive Compromised, 31 Million Users Affected | Internet Archive's "The Wayback Machine" suffered a significant data breach compromising 31 million user records. A JavaScript alert on the archive.org website first notified visitors of the breach, stating that a catastrophic security incident had occurred. The stolen database, a 6.4GB SQL file named "ia_users.sql," includes email addresses, screen names, bcrypt-hashed passwords, and other authentication details. Data breach notification service Have I Been Pwned (HIBP) will soon add the stolen data so users can check whether their information was exposed. Troy Hunt of HIBP confirmed the data's authenticity by contacting affected users directly, including security researcher Scott Helme, who verified his own record. How the attackers gained access to Internet Archive's systems remains unknown, and it is not yet clear whether additional data was stolen. Following the breach, Internet Archive sustained a DDoS attack claimed by BlackMeta, a hacktivist group that threatened further attacks. |
| 2024-10-09 22:19:55 | theregister | MISCELLANEOUS | Smart TVs Invade Privacy by Tracking Viewer Data | Smart TVs use advanced ad technologies to track and profile viewers, much like online advertising does. The Center for Digital Democracy (CDD) has issued a report exposing commercial surveillance systems in connected TVs and streaming services. Personalized advertising on smart TVs relies on technologies such as cookieless IDs, identity graphs, and AI-based ad targeting. The report criticizes FAST channels such as Tubi for engaging viewers with targeted ads embedded directly into content. The CDD has alerted the FTC and California privacy regulators, among others, to these privacy intrusions. Despite awareness sessions and regulations, little effective action has been taken on the issue. Data collection by smart TVs has been under scrutiny, yet the U.S. still lacks a comprehensive federal privacy law. The absence of stringent privacy rules remains a continuing obstacle to protecting consumer data from exploitation by advertisers and data brokers. |