Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11829
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-18 09:35:23 | thehackernews | CYBERCRIME | SAP AI Core Vulnerabilities Risk Major Data Exposure | Cybersecurity researchers discovered significant flaws in SAP AI Core, a platform used for building and running AI workflows.
The vulnerabilities, collectively named SAPwned, allowed unauthorized access to customer data and to cloud credentials for services including AWS, Azure, and SAP HANA Cloud.
Attackers could also tamper with Docker images and build artifacts, opening the door to a supply chain attack.
The weaknesses further allowed an attacker to obtain cluster-administrator privileges on the underlying Kubernetes cluster, and from there reach further sensitive customer data.
The root cause was insufficient isolation and sandboxing of customer-supplied AI models and training code.
SAP patched the vulnerabilities after Wiz researchers responsibly disclosed them on January 25, 2024.
The findings underscore the need for strict tenant isolation in AI platforms, especially as enterprise use of generative AI expands.
The article also notes the broader threat picture, including the rise of cybercriminal groups such as NullBulge that target the AI and gaming sectors. | Details |
| 2024-07-18 09:14:49 | thehackernews | NATION STATE ACTIVITY | Global Cyber Espionage Campaign Leverages Open-Source Tools | A previously unknown threat group, tracked as TAG-100, is using open-source tools for cyber espionage against organizations worldwide.
The adversary has likely compromised entities in at least ten countries, spanning government, the private sector, and diplomatic organizations.
Its intrusions exploit known security vulnerabilities in widely deployed internet-facing products, including Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks devices.
Recorded Future's Insikt Group highlights TAG-100's use of the open-source backdoors Pantegana and Spark RAT, as well as Cobalt Strike Beacon, in its attack chains.
The group carried out extensive reconnaissance of internet-facing appliances across sectors, and probed Palo Alto Networks GlobalProtect appliances, predominantly at U.S.-based organizations, after a vulnerability in that product became public.
These activities are assessed to serve initial access and to establish a long-term foothold in victim networks.
Combining publicly available proof-of-concept (PoC) exploits with open-source tooling lets the group blend in with other actors, which hampers detection and complicates attribution. | Details |
| 2024-07-18 07:33:01 | theregister | MISCELLANEOUS | Firms Often Skip Security Reviews for Major Software Updates | Major updates to software applications receive a security review from the security team only 54% of the time, according to a recent CrowdStrike survey.
The report shows wide variation in review frequency, with 22% of security managers reviewing major changes less than half the time.
Reviews are skipped or delayed mainly because of time pressure and cost; the analysis puts the average annual expense of these reviews at $1.2 million.
Many firms handle about ten code reviews a week, each involving 16 to 17 people, underscoring how labor-intensive the process is.
The mix of programming languages in use and of threat-detection tools adds complexity and risks tool misalignment, which more than half of the managers cited as a top challenge.
Organizations combine manual and automated application-security processes, but 71% still rely heavily on traditional methods such as documentation and spreadsheets.
CrowdStrike stresses the urgent need for improved practices as adversary methods evolve rapidly. | Details |
| 2024-07-18 06:16:42 | thehackernews | DATA BREACH | Meta Suspends AI in Brazil Following Data Protection Concerns | Meta has ceased the use of generative AI technologies in Brazil in compliance with a preliminary ban from the country's National Data Protection Authority (ANPD).
The ban was prompted by concerns over Meta’s new privacy policy, which allows the collection of user data for training its GenAI systems without clear consent.
ANPD has imposed a daily fine of 50,000 reais should Meta fail to comply with the authority’s decision.
The Brazilian data protection agency highlighted the risk of "serious and irreparable harm" to fundamental rights regarding the data privacy of citizens.
Meta expressed disappointment, describing the decision as a step backwards for AI innovation and competition in Brazil.
Global tech firms, including Apple, are similarly adjusting their AI tool offerings in regions with stringent data privacy regulations like the European Union.
Human Rights Watch has raised alarms over the misuse of personal data, such as unauthorized use of children's photos in AI datasets, leading to potential exploitation. | Details |
| 2024-07-18 06:06:19 | thehackernews | CYBERCRIME | Cisco Addresses Critical Flaw in On-Prem Smart Software Manager | Cisco released patches for a critical vulnerability in Smart Software Manager On-Prem, tracked as CVE-2024-20419 with a CVSS score of 10.0.
The vulnerability allowed unauthenticated remote attackers to change the password of any user, including administrators, and thereby log in with that user's privileges.
The flaw was due to an improper implementation of the password-change process and could be exploited by sending crafted HTTP requests to the affected device.
Affected releases are Cisco SSM On-Prem 8-202206 and earlier; the issue is fixed in release 8-202212.
Cisco confirmed that version 9 of the software is not vulnerable and stated there are no current workarounds for the issue.
No known exploitations of this vulnerability have been reported in the wild according to Cisco.
The bug was discovered and reported by security researcher Mohammed Adel.
Separately, CISA added three other vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the basis of active exploitation, requiring federal agencies to apply the prescribed mitigations by August 2024. | Details |
| 2024-07-18 00:56:16 | theregister | MISCELLANEOUS | Enhancing Datacenter Security Against Implant-Based Intrusions | The growing use of NFC and other subdermal implants could pose novel physical-security risks to datacenters.
Security researcher Len Noe demonstrates how an implant can carry a cloned access card and allow seamless entry into secure buildings.
Implants are often missed by standard scanners, and because their contents count as medical data, searching for them raises legal complications.
Specially trained sniffer dogs can detect the chemicals used in implant electronics, offering one potential countermeasure.
Although few individuals use implants maliciously today, the potential for abuse by cybercriminals exists.
Current countermeasures include requiring multi-factor authentication, rather than a badge alone, to enter sensitive areas.
The evolution of brain-computer interfaces and implant technologies necessitates new security considerations and strategies. | Details |
| 2024-07-17 23:29:42 | theregister | MISCELLANEOUS | Exabeam and LogRhythm Merger: Job Cuts and Legal Challenges | Exabeam and LogRhythm have completed their merger, which has brought significant job cuts and a lawsuit from shareholders.
Reports indicate a 30% reduction in the combined workforce, announced during an internal company Zoom meeting.
The merger is a private transaction with no details disclosed on the deal's value or structure; Chris O'Malley, who led LogRhythm, is CEO of the combined company.
O'Malley says the merged company aims to provide AI-driven security solutions, positioning itself against larger technology vendors' offerings.
Former Exabeam CEO Adam Geller will depart the company with a considerable exit package.
Critics among the stakeholders describe the merger as a survival attempt by two struggling companies under common private equity ownership.
An Exabeam investor tried to halt the merger by suing for the right to inspect Exabeam's and LogRhythm's books, but the lawsuit was dismissed.
Law firm Kahn Swick & Foti is investigating whether the merger was fair to Exabeam's shareholders, particularly the cancellation of common stockholders' shares without compensation. | Details |
| 2024-07-17 21:12:16 | bleepingcomputer | CYBERCRIME | FIN7 Hackers Market Advanced EDR Evasion Tool to Cybercriminals | FIN7, a sophisticated Russian hacking group active since 2013, is selling a tool named "AvNeutralizer" that disables enterprise endpoint protection software.
Initially focused on financial fraud through payment card theft, FIN7 has moved into ransomware operations, including partnerships with DarkSide and BlackMatter.
"AvNeutralizer," also known as AuKill, helps attackers evade detection by disabling antivirus and EDR software and has been linked to multiple ransomware groups.
Recent findings by SentinelOne show that AvNeutralizer abuses legitimate Windows system drivers to tamper with security processes, creating a denial-of-service condition against them.
SentinelOne's analysis shows FIN7 continually updating its toolset, underscoring its adaptability and the persistent threat it poses to enterprises worldwide.
Marketed on Russian-language hacking forums under various aliases, the tool sells for $4,000 to $15,000, indicating a structured market for cybercrime tooling.
Other FIN7-developed tools and techniques have not appeared for sale publicly, highlighting the group's deep reservoir of resources. | Details |
| 2024-07-17 19:04:53 | bleepingcomputer | CYBERCRIME | Microsoft Enhances Exchange Online with Advanced Email Security Features | Microsoft is rolling out inbound SMTP DANE with DNSSEC for Exchange Online in public preview to strengthen the security and integrity of email in transit.
Together, the two protocols are designed to defeat TLS downgrade and man-in-the-middle (MiTM) attacks by authenticating the receiving mail server and validating its TLS certificate against DNS data that cannot be forged.
SMTP DANE relies on a TLSA DNS record, published by the receiving domain, that pins which certificate or public key a sending server must expect from the destination mail server before it delivers mail.
DNSSEC adds cryptographic signatures to DNS records so that the MX and TLSA lookups themselves cannot be spoofed, hijacked, or stripped on the way to the sender.
The implementation aims to protect email domains from impersonation, ensure encrypted delivery to the correct recipients, and improve domain reputation.
Microsoft plans to enable the feature for all Outlook consumer domains by late 2024; it is already enabled for some domains and is available at no cost to enterprise and home customers.
The Exchange Team encourages other email providers and domain owners to adopt these standards to raise the security of email overall and guard against malicious activity. | Details |
| 2024-07-17 18:23:55 | theregister | NATION STATE ACTIVITY | Kaspersky Exits U.S. Market, Offers Free Updates as Farewell | Kaspersky, a Russian cybersecurity firm, is exiting the U.S. market due to a U.S. Commerce Department ruling stating the company poses a national security threat.
As part of its departure, Kaspersky is offering U.S. customers six months of free security updates, even though it will stop selling to new U.S. customers on July 20 and, under the ruling, must stop providing updates to existing customers after September 29.
The U.S. government accuses Kaspersky executives of working with Russian military and intelligence in support of the Russian government's cyber objectives, claims the company disputes.
In a letter to customers, Kaspersky expressed gratitude for their trust and emphasized its commitment to providing high-quality cybersecurity.
The farewell gesture includes not just updates but also other unspecified security solutions for free.
The company did not say how it will keep these products secure after the September deadline, when providing updates to U.S. customers becomes prohibited.
Kaspersky did not respond to inquiries about the specifics of the free product offerings to American customers. | Details |
| 2024-07-17 17:32:46 | bleepingcomputer | MALWARE | Cisco Resolves Critical Password Change Vulnerability in SSM | Cisco has patched a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) affecting license servers, potentially enabling attackers to change any user's password, including administrators.
The vulnerability, tracked as CVE-2024-20419, stems from an improperly implemented password-change process in SSM On-Prem's authentication system.
Attackers could exploit the bug by sending specially crafted HTTP requests to the vulnerable system, allowing them to reset passwords without needing the original user credentials.
The flaw affects both the current SSM On-Prem and its earlier incarnation, SSM Satellite, the product's name for releases before 7.0.
There are no available workarounds for this issue; Cisco urges all users to update their systems to the latest patched version to mitigate risk.
Though Cisco's Product Security Incident Response Team has not yet observed any public proof of concept or actual exploitation, the severity of this flaw necessitates immediate updates.
Separately, Cisco recently patched another vulnerability and warned that state-backed hacking groups are exploiting zero-day flaws in attacks on government networks. | Details |
| 2024-07-17 17:22:17 | theregister | MISCELLANEOUS | Craig Wright Denies Being Bitcoin Creator After Court Ruling | Australian Craig Wright has publicly declared that he is not the creator of Bitcoin, following a series of lost legal battles in the High Court of England and Wales.
The judge found that Wright had lied extensively and repeatedly during the trial and that the documents he presented to support his claim to be Satoshi Nakamoto were forged.
Mr Justice Mellor has referred the matter to the UK's Crown Prosecution Service to consider prosecuting Wright for perjury and forgery.
Wright has been ordered by the court to pay more than £6 million in legal costs to the Crypto Open Patent Alliance (COPA), a group backed by significant industry players including Jack Dorsey and Coinbase.
He has complied with parts of the court's orders by publicly admitting on his personal website and social media that he is not Bitcoin's creator, Satoshi Nakamoto.
The court's decision reconfirms earlier rulings from March and May that dismissed Wright's claims of being the digital currency's originator.
No current appeals have been filed by Wright against the judgment. | Details |
| 2024-07-17 16:36:03 | bleepingcomputer | DATA BREACH | Life360 Suffers Significant Data Breach Affecting Over 400,000 Users | Data on 442,519 Life360 customers, including phone numbers, was exposed through a flaw in the company's API.
A hacker using the handle 'emo' exploited the flaw to confirm user details such as email addresses, names, and phone numbers.
The Android login API returned users' first names and phone numbers in its responses, and verified phone numbers were only partially masked.
Life360 has reportedly fixed the API issue, and the same requests now return a placeholder rather than a real phone number.
The same hacker previously claimed to have leaked over 15 million Trello email addresses by exploiting another unsecured API.
BleepingComputer confirmed the authenticity of the leaked Life360 data by verifying multiple entries.
Life360 also revealed an extortion attempt following another breach involving their Tile customer support platform.
The Tile breach involved unauthorized access to names, addresses, email addresses, phone numbers, and device IDs, though more sensitive information like credit card numbers and passwords were not exposed. | Details |
| 2024-07-17 16:30:39 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target MacOS with Updated Malware | North Korean cyber actors have updated the BeaverTail malware to target macOS users, delivering it as a disk image that mimics the MiroTalk video-calling service.
BeaverTail steals data from web browsers and cryptocurrency wallets and drops additional payloads, including a backdoor named InvisibleFerret.
The newly discovered macOS variant follows the same social-engineering pattern as earlier campaigns: targets are lured into downloading the file under the pretext of a job interview.
The malware also fetches and executes additional Python scripts from remote servers, extending its capabilities on the compromised host.
Researchers warned about a related npm package "call-blockflow" that imitates legitimate software to conceal malicious activities, downloaded 18 times before being unpublished.
Persistent efforts by DPRK-linked hackers have been observed in various cyber espionage campaigns, including those targeting software supply chains and foreign organizations.
JPCERT/CC raised alarms about similar malicious activities by North Korean actors against Japanese targets, leveraging phishing and malicious executables to harvest and exfiltrate valuable information. | Details |
| 2024-07-17 15:03:45 | theregister | RANSOMWARE | Ransomware Costs for Critical Infrastructure Soar in 2024 | Ransomware attack costs on critical infrastructure have dramatically increased, with median ransom payments rising to $2.54 million, up from last year's $62,500.
The average cost to recover from these attacks is now approximately $3 million per incident, with certain sectors like energy and water experiencing a fourfold increase to $3.12 million.
Recovery times are lengthening, with only 20% of affected organizations recovering in a week or less, down from 41% the previous year.
The high costs and prolonged recovery times are occurring despite an increasing number of organizations (61%) choosing to pay ransoms.
Legal and regulatory measures, such as the UK's proposed Cyber Security and Resilience Bill and the incident-reporting rules under the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), aim to improve disclosure and raise cybersecurity standards across critical sectors.
Sophos' report highlights that exploited vulnerabilities remain the top cause of ransomware attacks, urging an improvement in cybersecurity practices across the board. | Details |
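The Exchange Online item above describes SMTP DANE and DNSSEC only in outline. The following is an added example, written for this brief and not code from the original article or from Microsoft, of the checks a sending mail server performs under DANE for SMTP (RFC 7672) against a receiving domain's TLSA records, including the anti-downgrade decision: when DNSSEC-signed TLSA records exist and the presented certificate matches none of them, mail is deferred rather than delivered over unauthenticated TLS or cleartext. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, and DANE-TA matching is simplified to "some certificate in the presented chain equals the anchor" without the PKIX path building a real MTA would also perform.

```python
"""Added example: the DANE-for-SMTP (RFC 7672) checks a sending MTA performs
against a receiving domain's TLSA records. Not Microsoft's code; the
certificate bytes below are constructed stand-ins, not real certificates."""
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple

# Certificate usage values (RFC 6698 section 2.1.1). RFC 7672 section 3.1
# restricts SMTP to DANE-TA(2) and DANE-EE(3); PKIX-TA/PKIX-EE records are
# ignored because an MTA has no trust-anchor store to validate against.
DANE_TA, DANE_EE = 2, 3


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 0a1b...'.
    The hex field may be split across whitespace in zone files."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    data = bytes.fromhex("".join(fields[3:]))
    expected_len = {0: None, 1: 32, 2: 64}[matching]
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("digest length does not match the matching type")
    return TLSARecord(usage, selector, matching, data)


# A certificate is modelled as (DER of the whole certificate, DER of its SPKI);
# a real MTA extracts both from the X.509 object received in the TLS handshake.
Cert = Tuple[bytes, bytes]


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Compute what the TLSA data field must equal for this certificate."""
    blob = cert[0] if selector == 0 else cert[1]
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


def tlsa_matches(record: TLSARecord, chain: Sequence[Cert]) -> bool:
    """Does one usable TLSA record authenticate the presented chain?
    chain[0] is the end-entity (server) certificate; the rest are issuers."""
    if record.usage == DANE_EE:
        # DANE-EE: only the leaf matters; no PKIX validation, no name/expiry checks (RFC 7672 3.1.1).
        return association_data(chain[0], record.selector, record.matching) == record.data
    if record.usage == DANE_TA:
        # DANE-TA (simplified here): some certificate in the presented chain must be the anchor.
        return any(association_data(c, record.selector, record.matching) == record.data for c in chain)
    return False  # PKIX-TA / PKIX-EE are unusable for SMTP


def dane_delivery_decision(tlsa_rdata: Sequence[str], dnssec_secure: bool, chain: Sequence[Cert]) -> str:
    """Return 'authenticated', 'opportunistic' or 'defer'.
    'defer' is the anti-downgrade outcome: the domain published usable, DNSSEC-signed
    TLSA records and the server's chain matches none of them, so the MTA must not
    fall back to unauthenticated TLS or cleartext."""
    if not dnssec_secure or not tlsa_rdata:
        return "opportunistic"  # unsigned or absent TLSA: ordinary STARTTLS-if-offered
    records = [parse_tlsa(r) for r in tlsa_rdata]
    usable = [r for r in records if r.usage in (DANE_TA, DANE_EE)]
    if not usable:
        return "opportunistic"  # RFC 7672: no usable records is treated as no TLSA at all
    return "authenticated" if any(tlsa_matches(r, chain) for r in usable) else "defer"


# Constructed sample data (stand-in bytes, not real DER).
SERVER_CERT: Cert = (b"\x30\x82\x01\x00constructed-leaf-cert", b"\x30\x59constructed-leaf-spki")
ISSUER_CERT: Cert = (b"\x30\x82\x02\x00constructed-issuer-cert", b"\x30\x59constructed-issuer-spki")
ROGUE_CERT: Cert = (b"\x30\x82\x01\x00constructed-mitm-cert", b"\x30\x59constructed-mitm-spki")

# What the receiving domain would publish at _25._tcp.<mx host>: "3 1 1 <sha256 of leaf SPKI>"
PUBLISHED_TLSA = ["3 1 1 " + hashlib.sha256(SERVER_CERT[1]).hexdigest()]
# Alternative: pin the issuer as a DANE trust anchor, full-cert selector, SHA-256.
TA_TLSA = ["2 0 1 " + hashlib.sha256(ISSUER_CERT[0]).hexdigest()]

if __name__ == "__main__":
    print(dane_delivery_decision(PUBLISHED_TLSA, True, [SERVER_CERT, ISSUER_CERT]))  # authenticated
    print(dane_delivery_decision(PUBLISHED_TLSA, True, [ROGUE_CERT, ISSUER_CERT]))   # defer
    print(dane_delivery_decision(PUBLISHED_TLSA, False, [ROGUE_CERT, ISSUER_CERT]))  # opportunistic
```

The third call shows why DANE needs DNSSEC: without a validated signature on the TLSA lookup, the sender cannot distinguish "the domain publishes no records" from "an on-path attacker stripped them", so the only safe policy is to treat unsigned TLSA data as absent and fall back to opportunistic TLS.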