Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12803

Checks for new stories every ~15 minutes

2024-09-30 13:45:04 theregister NATION STATE ACTIVITY Iran's Persistent Spearphishing Threats Target Global Elections
US and UK national security agencies warn of ongoing spearphishing by Iran's Islamic Revolutionary Guard Corps (IRGC) against high-value individuals: government officials, journalists, activists and senior researchers, particularly those working on Iranian and Middle Eastern affairs. The actors build rapport over time, impersonate trusted contacts or well-known figures, and send lures that ask the target to open a document through a link that in fact leads to a credential-harvesting page; they also try to talk targets into approving or relaying two-factor authentication prompts so that stolen credentials can be used. The advisory lists indicators of compromise, including known malicious domains, and gives defensive guidance: treat unsolicited requests to view documents with suspicion, verify unexpected contacts out of band, and harden account protections. It coincides with a US Department of Justice indictment of three Iranian nationals for intrusions related to Donald Trump's 2024 re-election campaign, and fits broader concern about election interference in the more than 50 countries voting this year.
2024-09-30 13:24:58 thehackernews MISCELLANEOUS Key Cybersecurity Developments and Risks Highlighted Last Week
Newly disclosed vulnerabilities in the Common Unix Printing System (CUPS), centred on the exposed cups-browsed discovery service, could let a remote attacker run commands on Linux hosts when a user prints to an attacker-registered printer. Google reports that adopting Rust for new Android code has sharply cut memory-safety vulnerabilities. Kaspersky's forced exit from the US market leaves its users with unanswered questions. Researchers showed that flaws in Kia's web infrastructure could let an attacker take control of vehicle functions knowing only the licence plate. Red Hat rated the CUPS flaws Important rather than Critical, judging real-world impact low because exploitation needs cups-browsed to be running and reachable and a victim to start a print job to the rogue printer. Guidance on preventing data leaks to generative AI tools included policies on what may be shared with external AI services and DLP controls to enforce them. The roundup closes by urging continued vigilance as threats evolve.
2024-09-30 12:44:39 theregister MISCELLANEOUS Study Reveals Bias and Inefficiency in Remote ID Verification Tech
The US General Services Administration (GSA) found significant reliability and bias issues in five tested remote identity verification (RiDV) technologies. Only two of the tested products demonstrated equitable performance across all demographic groups; others had notably higher error rates for certain demographics, including Black participants and individuals with darker skin tones. The worst-performing technology had a 50% false negative rate, while the best still failed 10% of the time, indicating a significant challenge in the effectiveness of current RiDV solutions. The study extends beyond previous research by evaluating the complete end-to-end process of RiDV, including user interface and document verification checks. None of the vendors were explicitly named in the GSA study; however, the associated privacy impact assessment listed companies like TransUnion and LexisNexis. LexisNexis acknowledged the study, emphasizing the need for a multi-layered identification approach rather than relying solely on visual identification. The final peer-reviewed results of the study are expected in 2025, which will provide further insights into the causes of errors and product performance. The GSA plans to use these study findings to enhance equity in technology deployment and improve public service delivery.
2024-09-30 12:04:29 thehackernews CYBERCRIME Critical Vulnerabilities in Tank Gauges Risk Global Infrastructure
Critical security flaws in Automatic Tank Gauge (ATG) systems expose gas stations, airports and military bases to remote attacks that could cause physical and environmental damage. Eleven new vulnerabilities affect six ATG models from five manufacturers; eight are rated critical and give an attacker full administrative and operating-system access. Thousands of these devices are reachable from the internet with no compensating controls. Further vulnerabilities were disclosed in OpenPLC and in the Riello NetMan 204 network card used in UPS systems, some still unpatched, and the AJCloud IP-camera management platform had critical flaws exposing user data and camera control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of rising attacks on internet-accessible operational technology (OT) and industrial control systems, and Claroty has released tools for forensic analysis of compromised programmable logic controllers (PLCs), a frequent target. Internet-exposed OT remains a major risk, compounded by organisations running several remote-access tools that each widen the attack surface.
2024-09-30 11:44:25 theregister CYBERCRIME Cloud Security Tops Executive Concerns, PwC Report Reveals
PwC's cybersecurity report identifies cloud threats as the primary security concern for 42% of business leaders. Other major concerns include hack and leak operations (38%), third-party breaches (35%), attacks on connected products (33%), and ransomware (27%), with ransomware concern rising to 42% among CISOs. Despite high levels of concern, companies feel underprepared to tackle these threats, with cloud attacks ranking highest in terms of unpreparedness at 34%. The use of generative AI is expanding the attack surface, with 67% of leaders indicating it increases vulnerability to cyberattacks. Regulatory pressures are driving improvements in cybersecurity practices, with 96% of leaders acknowledging that regulatory demands have enhanced their security measures. Investment in cybersecurity is on the rise, with 32% of organizations reporting a significant increase in the past year. The report emphasizes the need for an agile, enterprise-wide approach to resilience to maintain security and business continuity amidst evolving cybersecurity threats.
2024-09-30 11:24:19 thehackernews CYBERCRIME Modern Techniques in Session Hijacking and Bypassing MFA
Attackers are increasingly turning to session hijacking because it sidesteps multi-factor authentication (MFA) entirely: rather than defeating the login, they steal a session that has already passed it. Modern session hijacking targets cloud-based apps over the public internet, a shift from older Man-in-the-Middle (MitM) attacks against local network traffic. The attacker obtains valid session material, typically cookies or tokens, and resumes the session from a device they control; because the session is already authenticated, encrypted transport and VPNs offer no protection. Motives include bypassing authentication controls, moving across the sprawl of identities an organisation holds in many cloud apps, and using the compromised session to read data or take actions that look like the legitimate user. The main delivery mechanisms are Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) phishing kits, which relay the login and capture the resulting cookie, and infostealer malware, which lifts credentials and cookies from the browser. Endpoint Detection and Response (EDR) catches some infostealers but many evade it, and unmanaged BYOD devices have no EDR at all. Detecting an unauthorised session in use is weak because app-level controls vary widely across SaaS, so the problem remains hard for security teams. Newer defences bind the session to unique browser or device markers so that a valid cookie presented from the wrong device can be detected and revoked.
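The binding defence described above, as an added example that is not code from the article or from any vendor: a server keeps a session store, signs the cookie with HMAC so it cannot be forged, and records a device marker at login. A cookie lifted by an infostealer and replayed from the attacker's machine still verifies, but the marker mismatch reveals the hijack and the session is revoked. An unbound session is shown alongside to make the gap visible. The marker derivation (a hash over the User-Agent and a per-device client marker), the user names and the cookie layout are assumptions for the demo.

```python
"""Session binding demo: a stolen-but-valid cookie replayed from another device.

Constructed example. The device marker is a hash over attributes the server can
observe; real deployments choose these carefully, since coarse markers cause
false logouts and fine ones (client IP alone) break on mobile networks.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # per-process demo key; would live in a KMS


def device_marker(user_agent: str, client_marker: str) -> str:
    """Hash the observable device attributes into one opaque marker."""
    return hashlib.sha256(f"{user_agent}|{client_marker}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    marker: str          # device marker recorded at login ("" when unbound)
    issued_at: float


SESSIONS: dict[str, Session] = {}   # session id -> record (server-side store)


def _sign(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), "sha256").hexdigest()


def issue_cookie(user: str, marker: str, bind: bool) -> str:
    """Create a session and return the cookie value 'id.sig'."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = Session(user, marker if bind else "", time.time())
    return f"{sid}.{_sign(sid)}"


def authorize(cookie: str, marker: str) -> str | None:
    """Return the user if the cookie is valid *for this device*, else None."""
    try:
        sid, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(sid)):
        return None                       # forged or corrupted cookie
    sess = SESSIONS.get(sid)
    if sess is None:
        return None                       # logged out / already revoked
    if sess.marker and not hmac.compare_digest(sess.marker, marker):
        # Valid cookie presented from a different device: treat as hijack.
        del SESSIONS[sid]                 # revoke rather than just deny
        return None
    return sess.user


def demo() -> dict[str, object]:
    """Victim logs in twice (unbound and bound); attacker replays both cookies."""
    victim = device_marker("Mozilla/5.0 (Windows NT 10.0) Chrome/128", "victim-device-marker")
    attacker = device_marker("Mozilla/5.0 (X11; Linux) Firefox/130", "attacker-device-marker")

    unbound = issue_cookie("alice", victim, bind=False)
    bound = issue_cookie("alice", victim, bind=True)

    return {
        # Infostealer exfiltrates both cookies; attacker replays them from their own box.
        "unbound_replay": authorize(unbound, attacker),        # hijack works
        "bound_replay": authorize(bound, attacker),            # rejected and revoked
        "bound_owner_after_replay": authorize(bound, victim),  # owner is logged out too
        "unbound_owner": authorize(unbound, victim),           # still valid
    }
```

Revoking on mismatch, rather than silently denying, is a deliberate choice: it turns a stolen cookie into a forced re-authentication for the legitimate user and a detectable event for the SOC, at the cost of occasional false logouts when the marker changes (browser update, network change).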
2024-09-30 10:44:08 thehackernews CYBERCRIME Protecting Microsoft 365 from Ransomware and Cyber Threats
Microsoft 365 (M365) is crucial for productivity and collaboration, used by over 400 million users globally. M365's widespread adoption makes it a prime target for cyber threats such as ransomware, prompting the need for robust security measures. Cybercriminals exploit M365 via phishing, brute force attacks, and vulnerability exploitation, often targeting user accounts, including administrators, for greater access. To defend against these threats, organizations are recommended to implement multilayered security strategies, including Multi-Factor Authentication (MFA), user role-based access controls, regular vulnerability assessments, and penetration testing. User awareness training is essential to equip employees with knowledge on latest threats and prevention techniques. Real-time monitoring, logging activities, and the adoption of Zero Trust principles are suggested to enhance detection and prevention capabilities. Advanced phishing detection tools and automated backup and recovery solutions are crucial to mitigate and recover from ransomware attacks effectively. Backupify offers robust Microsoft 365 backup solutions, featuring daily automated backups and immutable storage, helping organizations ensure data integrity and swift recovery post-cyberattacks.
2024-09-30 06:22:41 thehackernews DATA BREACH Meta Fined €91 Million for Mishandling User Passwords
Ireland's Data Protection Commission (DPC) has fined Meta €91 million for GDPR violations after user passwords were stored in plaintext. In March 2019 Meta disclosed that some user passwords had been stored in plaintext in internal systems where employees could read them. The DPC found that Meta failed to notify it promptly, did not properly document the personal data breach, and lacked adequate technical and organisational measures to protect the passwords. Initial reports concerned Facebook passwords; Meta later confirmed that millions of Instagram passwords were also affected. Krebs on Security reported that about 2,000 Meta engineers and developers had made some nine million internal queries returning plaintext passwords, with the logging going back to 2012. Meta said it fixed the issue promptly and proactively reported it to the DPC. The DPC stressed that passwords are exceptionally sensitive because they give direct access to accounts, and should never be kept or logged in readable form.
2024-09-30 04:02:12 theregister MISCELLANEOUS AI Code Generators Often Create Nonexistent Software Packages
Recent studies show that large language models (LLMs) used for code generation frequently invent names of software packages that do not exist. This is a supply-chain risk: an attacker who notices a recurring hallucinated name can publish a malicious package under it, and the next developer who pastes the generated code and runs the install pulls it in. One study generated 576,000 code samples from 16 popular LLMs and found an average hallucination rate of 5.2% for commercial models and 21.7% for open-source ones; of 2.23 million package references analysed, about 440,445 (roughly a fifth) were hallucinations, and the problem appeared across every platform tested. Mitigations such as Retrieval Augmented Generation and supervised fine-tuning reduced hallucinations but degraded overall code quality. A separate study found that as LLMs grow they answer more questions with plausible but wrong responses rather than declining, a trade-off between apparent helpfulness and accuracy. Together the findings argue for treating generated dependency lists as untrusted input that must be verified against a known index before installation.
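A pre-install gate of the kind the findings call for, as an added example (not code from either study): it parses the imports in LLM-generated Python, separates standard-library modules from third-party ones, refuses anything not on a reviewed allowlist, and points out near-misses of allowed names, which is what a hallucinated or look-alike package usually resembles. The allowlist and the generated snippet are constructed for the demo (a real deployment would feed in the project's lockfile or private index), and `reqeusts` and `fast_json_utils` are hypothetical names. One caveat the code carries: it keys the allowlist by import name, which differs from the distribution name for some packages (import `yaml`, distribution PyYAML).

```python
"""Gate LLM-generated Python on its imports before anything is installed.

Constructed example: the allowlist and snippet are demo data.
"""
from __future__ import annotations

import ast
import difflib
import sys

# Python 3.10+ ships the stdlib module list; fall back to a small set otherwise.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os", "sys", "re", "json", "hashlib"}))

# Constructed allowlist of third-party *import* names the project has reviewed.
ALLOWED_THIRD_PARTY = frozenset({"requests", "numpy", "yaml", "cryptography"})


def top_level_imports(source: str) -> set[str]:
    """Return the top-level module names imported by `source` (both import forms)."""
    names: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])  # relative imports (level > 0) are local code
    return names


def classify_imports(source: str) -> dict:
    """Split imports into stdlib / allowed / unknown, with suggestions for unknowns."""
    result: dict = {"stdlib": [], "allowed": [], "unknown": {}}
    for name in sorted(top_level_imports(source)):
        if name in STDLIB:
            result["stdlib"].append(name)
        elif name in ALLOWED_THIRD_PARTY:
            result["allowed"].append(name)
        else:
            # Close matches to reviewed names hint at a typo or a look-alike package;
            # no match at all is the classic hallucinated-name pattern.
            result["unknown"][name] = difflib.get_close_matches(
                name, ALLOWED_THIRD_PARTY, n=2, cutoff=0.75
            )
    return result


def safe_to_install(source: str) -> bool:
    """Gate: proceed only when every third-party import is on the allowlist."""
    return not classify_imports(source)["unknown"]


# Constructed snippet of the kind an assistant might emit; `reqeusts` and
# `fast_json_utils` are hypothetical names chosen to look plausible.
GENERATED_SNIPPET = '''
import os, json
import numpy as np
import reqeusts
from fast_json_utils.core import loads
from cryptography.hazmat.primitives import hashes
from . import local_helper
'''

if __name__ == "__main__":
    report = classify_imports(GENERATED_SNIPPET)
    for name, hints in report["unknown"].items():
        hint = f" (did you mean {hints[0]}?)" if hints else " (no known package resembles this)"
        print(f"BLOCKED: {name}{hint}")
```

Running it on the constructed snippet blocks `reqeusts` with a pointer to `requests` and blocks `fast_json_utils` with no suggestion, while `os`, `json`, `numpy` and `cryptography` pass. The point of the gate is that the decision is made against a list the team controls, not against whether a name happens to resolve on a public index, where an attacker may already have registered it.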
2024-09-30 03:21:59 theregister MISCELLANEOUS Remote Car Hijacking Exploit Exposed by Security Researcher
Sam Curry and colleagues found a remotely exploitable flaw affecting Kia vehicles that let an attacker with only a smartphone and the car's licence plate number take control of connected-car functions. By registering themselves as an invisible secondary user through a dealer web portal, the attackers could track the vehicle, start the engine, unlock the doors and access onboard cameras. Kia has fixed the vulnerability, and Curry confirmed the exploit no longer works. In other news: the SEC charged a UK citizen with hacking into companies to obtain confidential financial information and trade on it, netting around $3.75 million; a ransomware attack on Monaco-based domain registrar Namebay disrupted its mail and web hosting; a cyberattack on a Kansas water treatment facility temporarily disrupted operations but did not affect drinking-water safety or expose customer data; and TikTok and Meta banned accounts linked to Russian state media over alleged interference in the upcoming US elections. The roundup spans car hijacking, ransomware and nation-state activity against infrastructure and social platforms.
2024-09-30 01:41:36 theregister CYBERCRIME Binance Assists in Dismantling Chinese Crypto Scam in India
Binance, a global cryptocurrency exchange, contributed to an investigation led by India's Enforcement Directorate, which resulted in the arrest of individuals involved in a crypto-related scam. The scam involved a gaming app named Fiewin, promoted as a legitimate platform for gamers to win real money but was primarily used for money laundering. The perpetrators, including one named Joseph Stalin, utilized Binance accounts to obscure the origins and movements of illicit funds by deploying numerous complex transactions. Binance's "deep cooperation" was pivotal in revealing the app's role within a broader cross-border criminal network. In related global tech news, SpaceX disclosed plans for a substantial investment in Vietnam totaling $1.5 billion, aiming to overcome previous regulatory challenges. Singapore introduced new Invincible-class submarines tasked with safeguarding its waters and protecting essential submarine communication cables connecting the island to the global network.
2024-09-29 16:59:20 theregister MISCELLANEOUS Red Team Hacker Shares Insight on Physical Security Breaches
Alethe Denis, senior security consultant at Bishop Fox, specializes in physical security assessments by impersonating various characters to reveal vulnerabilities. Denis successfully infiltrated a corporate building, utilizing credentials found from dumpster diving to install a device and exfiltrate data over the corporate Wi-Fi network for over a week undiscovered. Her role involves extensive social engineering, mainly through in-person interactions, taking advantage of lax physical security measures. Red team operations highlight the effectiveness of human-based social engineering over AI-assisted methods in current scenarios. Denis employs tactics like email phishing disguised as company policies or surveys which lead to credential harvesting sites. Despite preparation, Denis and her team occasionally face setbacks, as illustrated by an encounter with an experienced security manager who foiled their plan. Denis emphasizes the importance of questioning and verification in preventing voice-phishing and other social engineering attacks. The red team's goal, according to Denis, is not only to test system vulnerabilities but also to improve awareness and defense against actual malicious attacks.
2024-09-29 14:58:52 bleepingcomputer CYBERCRIME Critical NVIDIA Toolkit Flaw Threatens Cloud AI Applications
A critical vulnerability in the NVIDIA Container Toolkit, CVE-2024-0132, allows a container escape that gives an attacker full access to the host. Any AI platform that relies on the toolkit for GPU access from containers, in the cloud or on-premises, is affected; Wiz estimates that more than 35% of cloud environments are at risk. The flaw is triggered by running a malicious container image, for example one pulled from an untrusted registry or submitted to a shared GPU service where several customers' workloads run on the same host. NVIDIA Container Toolkit up to v1.16.1 and GPU Operator up to v24.6.1 are vulnerable; users should upgrade to v1.16.2 and v24.6.2 or later without delay. Wiz Research found and reported the flaw, and NVIDIA acknowledged and patched it promptly. Technical exploitation details are being withheld to give affected services time to patch.
2024-09-28 14:22:15 bleepingcomputer DATA BREACH Ireland Slaps Meta with €91 Million Fine for Password Mishap
The Data Protection Commission (DPC) in Ireland imposed a €91 million fine on Meta Platforms Ireland Limited for insecure storage of user passwords. In 2019, Meta inadvertently stored the passwords of hundreds of millions of users in plaintext within its internal systems. Although the plaintext passwords were not exposed to external parties, the practice violated several GDPR articles concerning data security. Meta had originally discovered the issue during a routine security review and subsequently notified the DPC, leading to an investigation. The affected accounts included hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and millions of Instagram users. Despite no evidence of improper access or abuse, the DPC issued both an official reprimand and a substantial monetary fine to Meta. Meta's failure to protect user data with sufficient encryption and access controls led to significant GDPR compliance penalties.
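What the two Meta password stories above boil down to is that readable passwords reached internal storage and logs. As an added example (not Meta's code or the DPC's guidance), here is the shape of the two controls that prevent that: the verifier only ever stores a salted, deliberately slow hash, and anything headed for a log or internal query store is scrubbed of credential fields first. PBKDF2-HMAC-SHA256 is used because it is in the standard library everywhere; Argon2id or scrypt are preferable where available. The field names in `SENSITIVE_KEYS` and the sample request line are assumptions for the demo.

```python
"""Salted slow hashing plus log scrubbing: the opposite of plaintext storage.

Constructed example; field names and the sample request are demo data.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from typing import Any

PBKDF2_ITERATIONS = 600_000   # OWASP 2023 guidance for PBKDF2-HMAC-SHA256
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "token"}   # assumed field names


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash string."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False   # malformed record: never fall back to a plaintext compare


# Matches password=... style pairs in query strings, form bodies and free text.
_KV_PATTERN = re.compile(r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^&\s]+)")


def scrub(obj: Any) -> Any:
    """Recursively replace credential values before they reach a log or query store."""
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return _KV_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", obj)
    return obj


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                   # what the user table holds
    print(verify_password("correct horse battery staple", record))
    event = {"user": "alice", "password": "hunter2",
             "raw": "GET /login?user=alice&password=hunter2 HTTP/1.1"}
    print(scrub(event))                             # what the log is allowed to hold
```

`scrub` runs on the structured event and on free-text fields, because the Krebs account of the Meta incident is precisely that passwords arrived in logs through request data that nobody thought of as a password field. A scrubber is a backstop, not a substitute: the primary control is that the application never has a reason to write the credential anywhere but into `hash_password`.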
2024-09-28 10:01:14 thehackernews CYBERCRIME Crypto Scam App Steals $70K by Impersonating WalletConnect
Researchers found a malicious Android app on Google Play that stole about $70,000 in cryptocurrency over five months by impersonating the legitimate WalletConnect. Backed by fake reviews and borrowed branding, it reached more than 10,000 downloads, mostly in Nigeria, Portugal and Ukraine. After slipping past Google Play's review process, the app redirected users to a fraudulent website where the malware, identified as MS Drainer, prompted them to connect their wallets and sign transactions that transferred funds to attacker-controlled addresses. A related malicious app was still on Google Play as recently as February 2024. The incident illustrates a shift in decentralised-finance crime: the theft relies not on traditional malware techniques but on tricking the victim into signing malicious smart-contract transactions.