Daily Brief

2024-07-29 21:48:13 bleepingcomputer MALWARE Specula Exploits Outlook CVE for Command Execution in Windows
Microsoft Outlook can be transformed into a command and control (C2) beacon for remote code execution through the Specula framework, which exploits the CVE-2017-11774 vulnerability. This Outlook security feature bypass vulnerability, patched in October 2017, still allows attackers to set up malicious home pages using registry values. Specula operates by modifying Outlook's WebView registry entries to point to an attacker-controlled site that serves VBScript capable of arbitrary command execution. TrustedSec has successfully used this method for initial access and persistence on hundreds of client systems, effectively bypassing existing security measures. Despite the patch, attackers still exploit the vulnerability to establish persistence and move laterally across systems using registry modifications. The same vulnerability and technique were previously used by Iranian-sponsored APT groups to target U.S. government agencies, as reported by FireEye and other cybersecurity firms.
2024-07-29 21:07:16 theregister CYBERCRIME Meta's AI Safety Model Vulnerable to Simple Hacking Trick
Meta's Prompt-Guard-86M AI model, created to detect and neutralize prompt injection attacks in large language models (LLMs), can be defeated by adding spaces between letters. The model was engineered to support Meta's Llama 3.1 generative model by mitigating risks from unsafe or misleading prompts that might expose sensitive data. A security researcher discovered that merely spacing out the letters in a command makes this detection mechanism fail. This weakness presents a significant risk, as demonstrated when a dealership's chatbot was manipulated into agreeing to an unrealistic sale price through a similar exploit. Although positioned as a robust AI line of defense against manipulative inputs, Prompt-Guard's effectiveness against altered prompts is virtually negligible. The issue sheds light on the challenges and potential vulnerabilities of deploying AI systems in critical real-world applications. Meta is reportedly aware of the flaw and is working towards a resolution, though the company did not provide immediate comment.
2024-07-29 20:21:22 theregister MISCELLANEOUS New York Court Requires Warrants for Border Phone Searches
A federal judge in New York has ruled that US border agents must obtain a warrant to search electronic devices. The ruling by Judge Nina Morrison states that warrantless searches of phones and devices at borders infringe on Fourth and Fifth Amendment rights. The decision emerged from a case involving Kurbonali Sultanov, whose phone was searched without a warrant at JFK Airport. Although the initial search was deemed unconstitutional, the evidence obtained was allowed to stand because the subsequent search warrant was issued in good faith. The Knight First Amendment Institute and the Reporters Committee for Freedom of the Press supported the need for warrants to protect journalistic sources and personal privacy. The ruling currently applies only to the Eastern and Southern Districts of New York, with similar cases under consideration in other jurisdictions. The government has not yet indicated whether it will appeal the decision, which could ascend to the Supreme Court given its national relevance and conflicting lower court decisions.
2024-07-29 16:22:11 thehackernews MALWARE Critical Security Flaw in Acronis Software Exploited by Hackers
Acronis has reported a critical vulnerability, CVE-2023-45249, in its Cyber Infrastructure product. The flaw, rated 9.8 on the CVSS scale, allows remote code execution because of default passwords. Affected versions include ACI 5.4 update 4.2 and other specified updates; fixes were released in late October 2023. Active exploitation of this vulnerability has been confirmed, though details of the attackers remain unclear. Users are urged to update their software immediately to mitigate the threat.
2024-07-29 15:56:24 bleepingcomputer DATA BREACH HealthEquity Data Breach Affects Over 4 Million Users
HealthEquity, a major U.S. health savings account provider, reported a data breach affecting 4.3 million individuals. Sensitive health and personal data were compromised due to cybercriminals exploiting a partner's compromised credentials. The initial breach occurred on March 9, 2024, but it was not confirmed by HealthEquity until June 26, 2024, after thorough investigations. The compromised data includes protected health information and personally identifiable information stored outside of the core system databases. Following the breach, HealthEquity secured the affected data repository by terminating unauthorized access and initiating a global password reset for the affected vendor. Impacted users will receive two years of complimentary credit monitoring and identity theft protection services provided by Equifax. HealthEquity has advised affected individuals to remain vigilant, monitor their account statements, and verify their account information for any discrepancies. As of now, no suspects have been identified, and there has been no evidence of the stolen data appearing online.
2024-07-29 13:53:48 bleepingcomputer CYBERCRIME Massive Phishing Attack Exploits Proofpoint to Target Major Brands
A large-scale phishing campaign named "EchoSpoofing" leveraged weaknesses in Proofpoint's email protection services to send millions of phishing emails mimicking major corporations such as Disney and IBM. Initially detected in January 2024, the campaign sent around 3 million spoofed emails daily, peaking at 14 million in June. Attackers used compromised or rogue Microsoft Office 365 accounts to pass Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks via Proofpoint's email relays. Through the manipulation of SPF records and DKIM signatures, the emails appeared legitimate, bypassed traditional spam filters, and reached user inboxes directly. Guardio Labs identified and reported the security flaw to Proofpoint in May 2024, prompting security enhancements to mitigate the abuse. Proofpoint has since introduced tighter security measures and new settings, including more stringent Microsoft 365 connectors, to prevent such misuse in the future. The ongoing threat affects various sectors, with major brands' reputations at risk because their identities were used in phishing emails to extract sensitive information.
2024-07-29 13:48:29 theregister DATA BREACH HealthEquity Data Breach Exposes 4.3 Million Users' Information
HealthEquity, a U.S.-based fintech company in the healthcare sector, disclosed a data breach affecting approximately 4.3 million people. The breach, detected in June but originating in March, involved unauthorized access to stored personal information including addresses, telephone numbers, and payment data. Notably, the breach did not involve malware or ransomware; it was described as straightforward data theft, a "data smash-and-grab" incident. Attackers gained access through compromised vendor user accounts that had permissions for an online data storage location outside the company's core systems. After detecting the unauthorized activity, HealthEquity engaged third-party experts for an investigation, disabled the compromised accounts, and implemented a global password reset for the impacted vendor. The company has since enhanced its security measures, including blocking IPs linked to the threat actors and improving internal security controls and monitoring. As of its last update, HealthEquity reported no evidence of misuse of the stolen data and has offered affected individuals two years of free credit monitoring and identity theft services through Equifax. The incident highlights a significant healthcare-sector data breach carried out without malware or ransomware.
2024-07-29 13:22:48 thehackernews CYBERCRIME Massive Phishing Attack Exploits Proofpoint Email Routing Flaw
An unknown threat actor systematically exploited a misconfiguration in Proofpoint's email routing to send millions of spoofed emails impersonating legitimate businesses. The campaign, termed EchoSpoofing, began in January 2024, with daily email volumes peaking at 14 million in June as countermeasures were implemented. The phishing emails passed standard authentication checks such as SPF and DKIM, making them appear as if they were genuinely sent by the spoofed companies. The operation involved configuring SMTP servers on leased virtual private servers to transmit spoofed messages through Microsoft 365 tenants to Proofpoint relays. Proofpoint attributed the attack path to a "super-permissive misconfiguration flaw" that allowed unrestricted email relaying from Microsoft 365 tenants. Despite the extensive spamming, there was no customer data exposure or data loss among Proofpoint clients, and rapid response measures and configuration adjustments were made. Proofpoint has since provided corrective instructions and improved administrative controls to prevent such misuse in the future, and emphasized the shared responsibility of VPS and email providers in mitigating spam.
2024-07-29 13:02:15 theregister MISCELLANEOUS Google Apologizes for Faulty Chrome Update Disrupting Passwords
Google issued an apology for a Chrome update that disrupted its password manager, affecting millions of Windows users. The glitch occurred with version M127 of Chrome for Windows, preventing users from accessing saved passwords. The error lasted nearly 18 hours before being resolved on July 25, sparked by an improperly guarded product behavior change. Approximately 2% of Chrome users were affected by the update, potentially impacting over 17 million globally. Google's password manager is designed to store and suggest secure passwords, but the update rendered this feature unusable. This incident underscores the risks associated with relying on browser-based password managers for critical credential security. It highlights the importance of robust quality assurance and the potential consequences of erratic software updates in widely-used applications.
2024-07-29 10:44:28 thehackernews MISCELLANEOUS Revolutionizing Data Security with Searchable Encryption Technology
Searchable Encryption allows data to remain encrypted while still being usable, addressing the need to secure data in use beyond traditional methods. Traditional encryption practices have focused only on data at rest and in motion, neglecting the exposure that arises when data is in use and often leaving sensitive data unencrypted at that point. Common encryption methods involve decrypting data for use and re-encrypting it afterward, adding operational complexity and security risk. Paperclip, a long-standing data management company, has developed a solution called SAFE that leverages Searchable Symmetric Encryption to keep data secure while it remains operational. SAFE encrypts active data at the database layer, simplifying the encryption process and removing the need to repeatedly decrypt and re-encrypt data. According to analysts from Gartner and IDC, the capability to encrypt data while still processing it securely is critical, and searchable encryption is rapidly becoming essential for modern data security strategies. Delivered as a SaaS solution, SAFE can be implemented quickly with minimal disruption, which the article presents as a significant advancement in protecting sensitive data across industries.
2024-07-29 07:10:35 thehackernews MALWARE Stargazer Goblin Uses Malware to Profit by Exploiting GitHub Accounts
Stargazer Goblin, a threat actor, created over 3,000 fake GitHub accounts for a Distribution-as-a-Service (DaaS) network termed the "Stargazers Ghost Network". This network, active since August 2022, distributes various malware families, including Atlantida Stealer, Rhadamanthys, and RedLine, and has earned over $100,000 in illegitimate profits. The fake accounts star, fork, and subscribe to repositories to lend an appearance of legitimacy and avoid detection. Malicious links and password-protected archives masquerading as legitimate software or game cheats are used to deliver the malware. GitHub has attempted to combat the network by banning accounts; however, Stargazer rapidly adapts by updating links and strategies to minimize disruption. The operation's sophistication allows it to evade suspicion, as GitHub is generally viewed as a legitimate site. Check Point notes that similar "ghost" account tactics are used across other platforms including Discord, Facebook, and YouTube, expanding the reach of the distribution network.
2024-07-29 06:34:52 theregister MISCELLANEOUS Microsoft Admits Underestimating CrowdStrike Crash Impact
Microsoft acknowledged that its earlier estimate of 8.5 million devices affected by CrowdStrike's software issue was an undercount. Crash reports, which Microsoft used to measure the impact, represent only a portion of affected devices because not all customers share them. Microsoft, which has been criticized in the media for OS vulnerabilities, identified the cause as crashes from CrowdStrike's kernel drivers. David Weston of Microsoft emphasized the need for security vendors to balance the benefits of kernel drivers against their potential risks. Microsoft plans to encourage the security industry to reduce its reliance on kernel drivers to avoid similar incidents in the future. Details on how reduced kernel driver dependence would be implemented have not been fully disclosed, but it will likely require modifications to the Windows architecture. Microsoft aims to work with members of its Microsoft Virus Initiative to integrate security enhancements and support more reliable anti-malware solutions.
2024-07-29 05:33:34 theregister NATION STATE ACTIVITY China Considers Implementing National Cyberspace ID System
China is contemplating the introduction of "cyberspace IDs" for citizens, aiming to safeguard personal information and streamline online authentication processes. The proposed IDs would be issued by a government platform and would feature both alphanumeric and encrypted online credentials directly linked to users' real identities. The system, still at the proposal stage, is open for public feedback; the IDs would initially be voluntary and would require parental consent for those under fourteen. The initiative would reduce the need for individuals to disclose personal data to Internet service providers (ISPs) and is presented as a way to prevent excessive data collection and retention. Real-name registration, currently mandatory for Chinese internet and social media users, aids accountability but raises concerns about free speech and privacy. Although the draft promotes the scheme as protection against corporate data leaks, it may also centralize data under state control, which carries its own risks of data breaches and misuse. Internationally, similar national ID systems, such as India's Aadhaar and Japan's MyNumber, have faced significant security challenges and criticism.
2024-07-29 04:57:48 thehackernews MALWARE Gh0st RAT Trojan Misdirects Users with Fake Chrome Installer
The Gh0st RAT, a sophisticated remote access trojan, is being propagated through a fake Chrome download website targeting Chinese-speaking Windows users. Malicious installers from "chrome-web[.]com" disguise themselves as legitimate Chrome setup files to deceive users into downloading and installing the trojan. The malware campaign utilizes an evasive dropper, Gh0stGambit, which bypasses local security measures like 360 Safe Guard and Microsoft Defender before executing Gh0st RAT. The Gh0st RAT features a robust set of malicious capabilities, including process termination, keylogging, data exfiltration, and remote command execution. This malware can further compromise security by deploying Mimikatz, enabling Remote Desktop Protocol (RDP), and modifying various browsers and application data to obscure its presence. Cybersecurity firm eSentire detected the campaign and noted similarities with past China-linked cyberspying operations, reflecting the ongoing strategic alignment and evolution of this threat. The continued prevalence of Gh0st RAT in cyberespionage underscores the critical importance of robust security practices and user education to defend against such sophisticated threats.
2024-07-29 01:59:48 theregister MISCELLANEOUS Major Security Flaw in PCs Affecting UEFI Secure Boot Feature
Researchers from firmware security vendor Binarly discovered that PCs from Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo, and Supermicro, as well as components from Intel, have been using a 12-year-old leaked key for UEFI Secure Boot, making them vulnerable to attack. The leaked key allows attackers to bypass Secure Boot protections and run untrusted code during the boot process, compromising device security from firmware to operating system. More than 10% of the firmware images analyzed by Binarly are susceptible to this vulnerability, named "PKFail," which represents a longstanding supply chain security risk. Although the test keys were clearly labeled as untrusted and not to be shipped, device manufacturers continued to use them in production. Binarly has released a free scanning tool for detecting vulnerable systems and urges manufacturers to address and rectify the issue promptly. The report also covers broader cybersecurity concerns, noting heavy reliance on traditional login credentials and insufficient use of multi-factor authentication (MFA) across organizations, as highlighted by Cisco Talos's findings on ransomware attacks. Separately, the FCC fined TracFone $16 million following three data breaches caused by unsecured customer database APIs, underscoring the need for stronger cybersecurity measures across industries.