Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-17 14:37:47 | bleepingcomputer | DATA BREACH | MarineMax Suffers Data Breach, Over 123,000 Affected | MarineMax, a major yacht retailer, reported a data breach affecting 123,494 individuals. Initial SEC filings suggested no sensitive data was compromised; this was later corrected to acknowledge personal data theft. The breach occurred through unauthorized access from March 1 to March 10, 2024. The Rhysida ransomware gang claimed responsibility, publishing stolen data, including personal IDs, on its dark web site. The attack highlights the increasing threat from ransomware groups like Rhysida, which target a wide range of industries. MarineMax notified affected individuals after concluding its investigation into the incident. The breach notification was filed with the Maine and Vermont Attorneys General, indicating regulatory compliance. |
| 2024-07-17 14:07:02 | bleepingcomputer | MISCELLANEOUS | Simplifying IT Compliance with Automated User Access Reviews | Distributed teams and the adoption of cloud technologies have made maintaining IT compliance more complicated. Regular assessments are required to determine which systems and applications handle sensitive data and are therefore "in scope" for compliance regulations. The rise of SaaS tools has enhanced productivity but also introduced complexity for IT compliance audits such as SOC 2, HIPAA, or PCI DSS. SaaS sprawl and shadow IT make compliance harder to manage, as organizations often lack a comprehensive view of all the software in use. Nudge Security provides a systematic approach to automating user access reviews, helping to identify and manage both known and unknown applications. The solution offers features to discover cloud and SaaS assets, automate access reviews, streamline compliance tasks, and generate audit-ready reports. Automation through tools like Nudge Security helps manage user access efficiently, reducing the burden of manual tasks and helping maintain compliance in a dynamic SaaS environment. |
| 2024-07-17 11:49:16 | theregister | DATA BREACH | Hackney Council Challenges ICO Verdict on 2020 Ransomware Impact | In 2020, Hackney Council suffered a ransomware attack that compromised the personal data of approximately 280,000 residents and employees and destroyed some backup files. The UK's Information Commissioner's Office (ICO) issued a reprimand rather than a fine, citing insufficient cybersecurity measures, including poor patch management and insecure passwords on dormant accounts. Hackney disputes the ICO's findings, claiming the regulator exaggerated and misunderstood the attack's risks and the council's data security practices, but will not appeal due to resource constraints. The attack led to significant service disruptions, impacting council operations and staff's ability to respond to information requests effectively for nearly two years. Despite disagreeing with some findings, Hackney acknowledged the severity of the breach and its impact on the community, while commending staff efforts during the recovery period. The ICO appreciates Hackney's subsequent improvements in cybersecurity but highlights the severe consequences of the council's initial failings. No fine was issued, following the ICO's recent policy shift that prioritizes reprimands and guidance over monetary penalties for public sector data breaches. |
| 2024-07-17 11:13:23 | thehackernews | MISCELLANEOUS | Addressing Insider Risks in Corporate Security Strategies | Insider risks are becoming a critical challenge in modern cybersecurity frameworks, arising from both intentional and unintentional insider threats. Recent reports include cases where employees of well-known companies like T-Mobile and Verizon were approached to facilitate SIM swap attacks for financial gain. Accidental insiders, unlike malicious insiders, often jeopardize security through negligence or unawareness, inadvertently opening doors for external threats. These unintentional actions can lead to significant breaches, exposing sensitive information such as email, bank accounts, and identity credentials. The FBI has highlighted the increase in such insider-assisted threats, particularly SIM jacking, urging organizations to enhance internal security measures. Proactive internal controls, thorough employee training, and a security-aware culture are essential to mitigating the risks posed by insiders. Implementing sophisticated insider risk solutions like those offered by Everfox can help organizations protect against both intentional and accidental insider breaches. |
| 2024-07-17 10:37:30 | thehackernews | MALWARE | FIN7 Group Markets Advanced Security Bypass Tool on Dark Web | FIN7, an e-crime group known for its sophistication, has been advertising a tool called AvNeutralizer on underground criminal forums. The tool, developed by FIN7, enables security bypass and has been adopted by various ransomware groups, including Black Basta. FIN7 has a longstanding reputation for malware innovation and has previously targeted companies via phishing and malvertising to distribute its ransomware. The group has evolved from primarily targeting point-of-sale systems to using ransomware and tools such as AvNeutralizer as part of a Ransomware-as-a-Service (RaaS) offering. AvNeutralizer employs anti-analysis techniques and leverages a built-in Windows driver to evade security solutions, a tactic also noted in other sophisticated cyber threats. The tool's sale not only highlights FIN7's shift in operational tactics but also suggests a strategy to diversify and enhance its revenue streams through tool commercialization. Despite previous member arrests, FIN7 continues to function and innovate within the cybercriminal landscape, significantly impacting cybersecurity defenses through technological advancements and strategic market manipulation. |
| 2024-07-17 08:50:35 | thehackernews | MALWARE | APT17 Uses 9002 RAT Malware to Target Italian Entities | China-linked APT17 targeted Italian companies and government entities with spear-phishing attacks using the 9002 RAT malware on June 24 and July 2, 2024. The attacks involved deceptive emails that prompted the installation of a seemingly legitimate Skype for Business application via fraudulent government-like domains. The malware was delivered through a downloadable MSI file that secretly executed a Java archive file, deploying the 9002 RAT while also installing genuine chat software. 9002 RAT, known for its role in Operation Aurora and other major cyber attacks, is a sophisticated modular trojan capable of network monitoring, screenshot capture, file management, process management, and executing remote commands. TG Soft's analysis highlights the malware's continuous updates and modular nature, which help it avoid detection and maintain persistence on infected systems. APT17, also known by several other names including Bronze Keystone and Hidden Lynx, has historical ties to espionage operations exploiting critical vulnerabilities. |
| 2024-07-17 05:57:23 | thehackernews | CYBERCRIME | Scattered Spider Enhances Arsenal with New Ransomware Strains | Scattered Spider, a sophisticated cybercrime group, has incorporated RansomHub and Qilin ransomware into its operations, as reported by Microsoft. The group is known for advanced social engineering, targeting VMware ESXi servers, and previously using BlackCat ransomware. RansomHub, identified as a rebrand of the Knight ransomware strain, is becoming a prevalent tool among various cybercriminal groups. Microsoft has also noted that RansomHub was deployed by Manatee Tempest following initial access facilitated by Mustard Tempest through FakeUpdates infections. Connections have been made between these activities and notorious groups like Evil Corp, emphasizing the collaborative and overlapping nature of modern cybercriminal enterprises. The arrest of a prominent member of Scattered Spider in Spain last month highlights ongoing efforts to combat such cybercrime networks. The rise of new ransomware families such as FakePenny, Fog, and ShadowRoot signals an expanding and evolving threat landscape. Microsoft advises adherence to security best practices such as credential hygiene, the principle of least privilege, and a Zero Trust framework to combat these threats. |
| 2024-07-17 05:31:43 | thehackernews | MALWARE | Critical Exploit in Apache HugeGraph Server Needs Immediate Patch | A critical vulnerability in Apache HugeGraph-Server, identified as CVE-2024-27348, is being actively exploited, posing a severe risk of remote code execution. The flaw affects all versions prior to 1.3.0, is found in the Gremlin graph traversal language API, and carries a high CVSS score of 9.8. The Apache Software Foundation has advised users to upgrade to HugeGraph version 1.3.0 with Java 11 and to enable the Auth system to mitigate the risk. Additionally, implementing the 'Whitelist-IP/port' feature is recommended to bolster RESTful API execution security. SecureLayer7 revealed further technical details about the vulnerability, highlighting how attackers can bypass sandbox protections to execute code and gain full control of the server. The Shadowserver Foundation has observed active exploitation attempts in the wild, stressing the urgency for users to update their systems. Reports of exploitation of this vulnerability and similar ones in other Apache projects underscore their attractiveness as targets for both nation-state and financially motivated attackers. |
| 2024-07-17 00:06:05 | theregister | NATION STATE ACTIVITY | Iranian Cyber Espionage Targets Israeli Entities with BugSleep Malware | MuddyWater, an Iranian cyber espionage group, has intensified attacks on Israeli organizations using a custom backdoor named BugSleep, following recent geopolitical tensions. The campaign employs phishing emails sent from compromised corporate accounts that lure victims with webinar and class invitations, impacting multiple economic sectors in Israel. Check Point Research has documented over 50 phishing emails since February, targeting sectors including municipalities, airlines, and journalists across countries such as Turkey, Saudi Arabia, India, and Portugal. BugSleep, the deployed malware, marks a shift in MuddyWater's tactics by partly replacing its use of legitimate remote monitoring tools, and includes detection-evasion features such as modifying system policies to block processes not signed by Microsoft. The malware creates scheduled tasks for persistence, sends stolen data to command-and-control servers, and uses encryption to conceal its configuration. The broadened phishing strategy lets MuddyWater launch higher-volume attacks while continuing to focus on specific industry sectors, posing a significant threat to international cybersecurity. |
| 2024-07-16 22:59:39 | bleepingcomputer | NATION STATE ACTIVITY | Kaspersky Ends U.S. Operations, Offers Free Software as Farewell | Kaspersky is ceasing operations in the U.S. following its addition to the U.S. government's Entity List, which cited national security concerns. As part of its exit strategy, Kaspersky is offering U.S. customers six months of free security software and safety tips. The company's decision follows a prohibition on sales and distribution in the U.S., effective from September 29 and enforced by the Department of Commerce. After September, U.S. users will not receive automatic updates or antivirus definitions and must manually install such updates if available. Kaspersky plans to shut down its U.S. business on July 20, which involves employee layoffs and winding down operations. Despite the U.S. ban, Kaspersky products remain in use globally, with significant demand for vulnerability disclosures in its products. Pressure is also mounting in Europe, with recommendations to avoid security products from Russian and Chinese vendors in sensitive sectors. Kaspersky is redirecting its business focus toward markets in Asia and South America following these developments. |
| 2024-07-16 22:18:47 | bleepingcomputer | CYBERCRIME | Critical GeoServer GeoTools RCE Flaw Actively Exploited, CISA Warns | CISA has identified CVE-2024-36401, a vulnerability in GeoServer's GeoTools plugin, as actively exploited, necessitating immediate patching. The vulnerability, rated at a critical severity of 9.8, allows remote code execution due to unsafe evaluation of XPath expressions. GeoServer disclosed the flaw on June 30th, after which researchers released multiple proof-of-concept exploits demonstrating the potential attacks. Patched versions 2.23.6, 2.24.4, and 2.25.2 have been released to address the issue, and users are urged to upgrade immediately. Exploitation has been confirmed by threat monitoring services such as Shadowserver, which observed active attacks starting July 9th. Approximately 16,462 GeoServer instances are exposed online, predominantly in the United States, China, Romania, Germany, and France. CISA requires federal agencies to patch their servers by August 5th, 2024, but the urgency extends to private organizations given the severity of the flaw. |
| 2024-07-16 18:09:21 | theregister | CYBERCRIME | Scattered Spider Adopts New Ransomware Amid Market Shifts | Scattered Spider, a major cybercrime group, has switched to using the RansomHub and Qilin ransomware tools. The change follows significant disruptions in the cybercrime landscape, including the takedown of previous market leaders ALPHV/BlackCat and LockBit. Microsoft, which tracks the group's activities, notes rising adoption of RansomHub by various cybercriminal entities. RansomHub, which emerged from the rebranded Knight ransomware crew, has quickly gained prominence with attacks on major companies. The emergence of new ransomware variants such as Fog and FakePenny indicates ongoing evolution and competition among cybercriminal groups. Ransomware-as-a-Service (RaaS) remains a popular business model, with new groups and variants continuously entering the market. Microsoft has tracked Moonstone Sleet, a group using the new FakePenny ransomware to generate significant ransom payments, for less than a year. |
| 2024-07-16 17:58:49 | bleepingcomputer | DATA BREACH | Over 15 Million Trello User Emails Exposed by API Flaw | Over 15 million email addresses from Trello accounts were released on a hacking forum, having been collected via an unsecured API. The breach was first reported in January, when a threat actor named 'emo' sold data on 15,115,516 Trello members. Trello, owned by Atlassian, is widely used by businesses to manage projects and organize tasks. The leaked information mostly consisted of email addresses and public profile details, but also included non-public email addresses. The data was extracted using a REST API that allowed querying of public Trello profile information by supplying any email address, opening the door to misuse. Atlassian has since secured the API to prevent unauthenticated requests for user information, balancing security with user functionality. The exposed email addresses pose risks such as phishing and doxxing, since individual users can be targeted by linking their emails to specific Trello accounts. Previous incidents have seen similar misuse of unsecured APIs, highlighting an ongoing challenge for tech companies in securing public interfaces against exploitation. |
| 2024-07-16 15:03:22 | theregister | MALWARE | DarkGate Malware Expands Reach Post-Qbot Takedown | DarkGate malware has gained prevalence following the FBI's disruption of the Qbot botnet, filling the resulting vacuum in criminal activity. Originally identified in 2018, DarkGate has evolved into a versatile tool capable of keylogging, data theft, credential stealing, and deploying ransomware. Notable for its multifunctionality, DarkGate gives criminals comprehensive control over infected systems, with infection vectors including social engineering, phishing, and compromised websites. Security research firms such as Proofpoint and enSilo noted significant upticks in DarkGate deployment, with over 14,000 documented campaigns targeting more than 1,000 organizations. Aided by evasion tactics such as encryption and environment scanning, DarkGate effectively avoids detection and analysis by security technologies, presenting attribution challenges for defenders. The malware checks for the presence of 26 anti-malware products, further underscoring its sophistication in evading security measures. Recommendations for corporations include instituting layered security defenses and conducting employee training to recognize and respond to phishing attempts effectively. |
| 2024-07-16 15:03:22 | theregister | DATA BREACH | Privacy Concerns Over Meta's Use of UK User Data for AI | A UK-based privacy organization, Open Rights Group (ORG), has filed a complaint with the Information Commissioner's Office (ICO) concerning Meta's updated privacy policy. Meta's revised policy allows personal data from Facebook and Instagram users to be scraped to develop AI models. The policy update was communicated to users in late May, with the policy taking effect on June 26. ORG argues that Meta's data usage under the guise of 'legitimate interests' could violate the UK's GDPR rules, particularly regarding user consent and data usage for AI training. Meta previously faced similar pushback in the EU, which led to a temporary halt in its AI development plans involving user data. Despite Meta's assertions of legal compliance and transparency, concerns persist about the non-binding nature of user objections to data usage and the lack of clarity in consent mechanisms. The ICO has yet to formally respond to the complaint as the regulatory and legal review process unfolds. |