Daily Brief

Total articles found: 12798
2024-09-20 11:01:30 thehackernews MISCELLANEOUS Revolutionizing Access: Moving Beyond Traditional Passwords and Keys
Traditional Privileged Access Management (PAM) systems are insufficient for managing SSH keys, handling only about 20% effectively. SSH keys, critical for secure connections in IT environments, outnumber passwords 10:1 and are often not centrally managed, leading to proliferation and security risks. The unique properties of SSH keys (like never expiring and the ability to access multiple servers) make them problematic to manage without specialized solutions. Legacy PAMs fail at SSH key management because they are designed primarily to vault passwords rather than handle the unique aspects of keys. SSH Communications Security advocates for a future-proof approach by transitioning to ephemeral secrets management, which eliminates the need for managing static passwords and keys. Implementing non-intrusive, ephemeral access methods can reduce attack surfaces, decrease complexity, and minimize risks, facilitating a significant shift in how access is managed in dynamic IT environments. The shift towards using ephemeral secrets management like SSH’s PrivX Zero Trust Suite can dramatically transform access management, moving towards a zero-trust model without static credentials.
2024-09-20 10:15:24 thehackernews NATION STATE ACTIVITY Iranian APT UNC1860 Engages in Strategic Cyber Intrusions
Iranian APT group UNC1860, likely linked to the Ministry of Intelligence and Security (MOIS), has been identified as an initial access facilitator in cyber intrusions across the Middle East. UNC1860 uses specialized tooling and passive backdoors to establish and maintain long-term access in high-value networks, including the government and telecommunications sectors. The group first garnered attention in July 2022 during destructive cyber attacks in Albania, which used malware like ROADSWEEP, CHIMNEYSWEEP, and a ZEROCLEAR wiper variant. Mandiant tracks UNC1860's activities and notes its overlap with APT34, including shared targets, similar operational tactics, and a pivot toward Iraqi targets. UNC1860's toolset includes the GUI-operated malware controllers TEMPLEPLAY and VIROGREEN, which extend remote access through exploited SharePoint servers. The toolset provides post-exploitation capabilities, enabling command execution and management of compromised systems. Current geopolitical tensions in the Middle East heighten the strategic importance of UNC1860's capabilities within the Iranian cyber ecosystem, positioning the group to meet evolving objectives.
2024-09-20 09:29:17 theregister DATA BREACH Harvey Nichols Confirms Customer Data Exposed in Cyberattack
High-end retailer Harvey Nichols has alerted customers about a data breach exposing names, contact details, and addresses. The breach was first detected on September 16; however, the exact date of initial network access by attackers remains undisclosed. No financial details or passwords were compromised, but the exposed data could potentially be used for phishing scams. Harvey Nichols has since secured the vulnerability that allowed the breach and engaged cybersecurity experts to fortify their systems. The company advises customers to remain vigilant for phishing attempts and to monitor their accounts for any unusual activities. Information about the breach was not easily accessible on the Harvey Nichols website, prompting concerns about transparency. Harvey Nichols issued formal apologies and reassurances of their commitment to data security in their communications to customers. The UK's Information Commissioner’s Office (ICO) has been informed and is assessing the situation, while the National Crime Agency (NCA) was not notified.
2024-09-20 05:34:44 thehackernews MISCELLANEOUS Google Enhances Chrome Passkey Syncing with Secure PIN Feature
Google introduces a Password Manager PIN for Chrome users to securely sync passkeys across multiple operating systems, including Windows, macOS, Linux, ChromeOS, and Android. The PIN feature ensures end-to-end encryption of passkeys, providing an extra layer of security to prevent unauthorized access, where even Google can't access the encrypted passkeys. Users now have the option to create either a six-digit code or a custom alphanumeric PIN for added security. Previously, Google required Android users to scan a QR code to use passkeys on different platforms, a step that has been eliminated to simplify the process. The update is expected to be extended to iOS soon, requiring users to know their Password Manager PIN or Android screen lock to initiate the use of passkeys on new devices. More than 400 million Google accounts are using passkeys as of May 2024, with the feature also available to high-risk users through Google's Advanced Protection Program (APP) since July 2024.
2024-09-20 04:23:26 thehackernews CYBERCRIME Critical Ivanti Cloud Service Appliance Vulnerability Exploited
Ivanti has identified a critical vulnerability (CVE-2024-8963), with a severity score of 9.4, in its Cloud Service Appliance (CSA). Active exploitation of this flaw, chained with another vulnerability (CVE-2024-8190), has been detected in the wild. Successful exploitation allows unauthenticated remote attackers to bypass administrator authentication and execute arbitrary commands. Ivanti inadvertently resolved this issue in recent patches for CSA versions 4.6 and 5.0, but urges users to upgrade immediately. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, setting a compliance deadline for federal agencies. A limited number of customers have reportedly been affected by these vulnerabilities. Ivanti stresses that CSA version 4.6 is now end-of-life and recommends upgrading to CSA version 5.0 as quickly as possible.
2024-09-20 00:39:26 theregister MISCELLANEOUS CISA Chief Criticizes Software Companies for Security Failures
Jen Easterly, head of CISA, criticized software developers for producing insecure code, inadvertently facilitating cybercrime. During the mWise conference, Easterly emphasized the need for non-glamorized naming of cybercrime gangs to avoid inadvertently romanticizing them. She suggested renaming "software vulnerabilities" to "product defects" to emphasize accountability in product quality. The focus was placed on the enduring issue of software needing frequent urgent patches, highlighting a systemic problem in software development and quality. Easterly remarked on the contradiction in user risk assumption between software use and other engineered products like cars or planes. The Secure by Design pledge by major tech companies, including AWS and Microsoft, remains voluntary with nearly 200 signatories but requires more rigorous enforcement. Easterly advocated for using procurement processes as leverage to ensure vendors prioritize secure software development practices. CISA has published guidance for organizations to help them question vendors about their commitment to security during the software development lifecycle.
2024-09-19 23:28:06 theregister CYBERCRIME Valencia Ransomware Group Targets Global Firms, Leaks Sensitive Data
A new cybercrime group named Valencia Ransomware has claimed responsibility for attacks on multiple international entities including a city in California and companies in the pharmaceutical and fashion industries. Valencia Ransomware emerged this month and has already listed five victims on their Tor-hidden "wall of shame", revealing extensive data breaches involving hundreds of gigabytes of sensitive data. The victims include the city of Pleasanton, California; Bangladeshi pharmaceutical company Globe Pharmaceuticals Limited; Indian paper manufacturer Satia Industries; Malaysian pharma firm Duopharma Biotech Berhad; and Spanish fashion retailer Tendam. None of the victimized organizations have confirmed the breaches following inquiries, but Valencia began leaking sensitive information, such as personal and financial data, on the dark web. Independent verification by cybersecurity firm HackManac appears to confirm the credibility of Valencia's claims, highlighting a potent operational capability in executing sophisticated ransomware attacks. Technisanct's CEO mentioned a potential link between Valencia and a known criminal on hacker forums, suggesting deeper involvement in the cybercrime network and access to significant corporate and personal data. The rise of such ransomware groups underscores the critical threat landscape of international cybersecurity, with vast amounts of money being paid in ransoms to such attackers.
2024-09-19 22:57:18 bleepingcomputer CYBERCRIME CISA Alerts on Exploited Apache HugeGraph-Server Vulnerability
CISA has listed a critical remote code execution flaw in Apache HugeGraph-Server, identified as CVE-2024-27348, in its KEV catalog. The vulnerability affects versions 1.0.0 to just below 1.3.0, with a CVSS score of 9.8 indicating a severe level of threat. Apache has addressed this vulnerability by releasing version 1.3.0 on April 22, 2024. Recommendations for users include upgrading to the latest version, using Java 11, enabling the Auth system, and activating the "Whitelist-IP/port" function for added security. Active exploitation of this vulnerability has been observed, prompting CISA to mandate federal agencies and critical infrastructure entities to implement mitigations or stop using the compromised versions by October 9, 2024. Apache HugeGraph-Server is widely utilized in sectors such as telecommunications, financial services, and social networking for critical functions like fraud detection and risk analysis due to its ability to manage large-scale graph data efficiently. The inclusion of other vulnerabilities in the KEV catalog highlights ongoing efforts to document and address security flaws that have been exploited in past attacks.
2024-09-19 22:57:18 bleepingcomputer CYBERCRIME Over $230 Million Stolen in Sophisticated Crypto Heist; Suspects Arrested
Two individuals were arrested in Miami for stealing and laundering over $230 million worth of cryptocurrency. Suspects Malone Lam and Jeandiel Serrano utilized crypto mixers, exchanges, and VPNs to obscure their identities during the heist. The theft involved more than 4,100 Bitcoin from a victim in Washington, D.C., and included tactics such as spoofing and social engineering. The criminals financed extravagant lifestyles, including international travel and luxury purchases, with the stolen funds. Crypto fraud investigator ZachXBT aided investigators leading to the identification of a third conspirator and crucial missteps by the perpetrators. Lavish expenditures and social media activity ultimately helped the FBI in locating and apprehending the suspects. The investigation revealed complex laundering using multiple cryptocurrencies to attempt to hide the stolen funds, which were eventually traced.
2024-09-19 21:50:56 theregister MISCELLANEOUS FTC Criticizes Tech Giants' Data Practices, Calls for Regulation
The FTC spent nearly four years investigating the data practices of nine major US social media and video streaming companies, revealing extensive personal data harvesting. FTC Chair Lina Khan highlighted that these companies monetize personal data heavily, posing significant risks to privacy and freedom. The report critiques the companies for inadequate data protection, particularly concerning data from children and teenagers. Findings indicate a lack of transparency in how user data is used for ads and AI training, with minimal user control over data retention and deletion. Concerns were raised about the treatment of teenagers, whose data protection falls short after the age of 13 under current laws. Some companies, such as Discord, argue that their business models differ significantly from those critiqued in the FTC report. The FTC calls for stricter federal privacy regulations, noting that self-regulation by the industry has failed to protect user privacy adequately. Despite the introduction of the American Privacy Rights Act, comprehensive federal privacy regulation remains stalled in committee.
2024-09-19 20:49:30 theregister NATION STATE ACTIVITY Iranian Cyber Interference Targets Biden with Stolen Trump Campaign Data
Iranian cyber operators stole files from Trump's campaign and sent excerpts to Biden's team, who did not respond. The operation involved unsolicited emails containing the stolen material, sent to Biden campaign associates around June and July. This cyber activity aims to sow discord and undermine trust in the electoral process, alongside other nation-state interventions. A report from Microsoft pointed out that Iranian spear-phishing attacks had targeted a top official in a presidential campaign. The cyber operation's disclosure followed allegations that Russian groups were also pushing disinformation to influence the election process. U.S. agencies, including the ODNI, FBI, and CISA, acknowledged the foreign interference but noted that Biden's team did not reply to the Iranian emails. The overall strategy of these cyber campaigns from Iran, Russia, and China is to exploit U.S. electoral vulnerabilities for their own benefit.
2024-09-19 19:17:29 bleepingcomputer NATION STATE ACTIVITY Tor Assures User Safety Despite Law Enforcement Deanonymization Efforts
The Tor Project confirms the safety of its network amidst reports by German investigators and the CCC revealing law enforcement's use of timing attacks to deanonymize users. The report disclosed successful identification of users of the illegal "Boystown" platform through Tor, utilizing court-operated Tor nodes for timing attacks. Timing attacks involve analyzing the time data takes to travel through the network to link entry and exit points back to the user, without any exploitation of software flaws. Despite these findings, Tor maintains that its current protections and newer updates largely mitigate such attack risks. Specifically, they highlighted improvements post-2019 which include enhanced network size and security measures making such attacks significantly more challenging. Tor also emphasized the obsolete status of the vulnerable Ricochet version used by one deanonymized user, replaced by an updated version with better security features. The Tor Project is encouraging the community to participate in diversifying and expanding the network's relay and bandwidth capabilities to further enhance user security.
2024-09-19 18:41:32 bleepingcomputer MALWARE Ivanti Announces Critical Exploited Vulnerabilities in CSA Appliances
Ivanti has issued a warning regarding a new critical vulnerability, identified as CVE-2024-8963, being exploited in CSA (Cloud Services Appliance) products. The flaw allows unauthenticated attackers to access restricted functionality via path traversal and, when combined with another vulnerability, CVE-2024-8190, to execute arbitrary commands. The vulnerabilities were found during an investigation into previous exploits, and some issues were incidentally addressed in a recent patch. Ivanti recommends that customers review security alerts, change configurations, and patch to version 5.0 where possible, especially as CSA version 4.6 is now end-of-life and will no longer receive updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that Federal Civilian Executive Branch agencies patch affected appliances urgently, with strict deadlines. Ivanti is enhancing its internal security measures and responsible disclosure processes after recent exploits of other security flaws in its VPN and gateway products.
2024-09-19 17:40:13 thehackernews CYBERCRIME Ransomware Threats Target Compromised Service Accounts
Service accounts, crucial for machine-to-machine communication in Active Directory environments, have become prime targets for ransomware attacks due to their high privilege levels and low visibility. Over 70% of ransomware incidents involve compromised service accounts, aiding attackers in lateral movement to gain control over network resources. Traditional security measures like Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) are ineffective for service accounts, leaving a significant gap in defenses. Silverfort's Unified Identity Security Platform offers innovative solutions by providing automated discovery, continuous risk analysis, and behavioral monitoring of service accounts. The platform's AI-driven technology enables proactive defense strategies, including virtual fencing that blocks compromised service accounts from accessing unauthorized network areas. Companies of all sizes and across various sectors are vulnerable to these attacks, emphasizing the universal need for improved service account security measures. This heightened risk landscape calls for immediate action to secure service accounts against potential breaches and minimize ransomware risks.
2024-09-19 16:18:34 theregister CYBERCRIME Significant Vendor Shifts After CrowdStrike Outage in Germany
Ten percent of German organizations affected by the CrowdStrike outage are changing their security vendors, with 4% having already switched and an additional 6% planning changes. The July incident caused operational disruptions, with 48% of surveyed organizations experiencing temporary downtime averaging ten hours. The outage damaged collaborations with customers, impacting 40% of organizations and causing service delivery issues. Despite the significant impact, 66% of the affected organizations are planning to enhance, or have already improved, their incident response strategies. A majority of respondents will revise their selection criteria for future security vendor decisions, emphasizing the lasting effect of the outage on purchasing behavior. More than half of the surveyed organizations intend to apply security updates more frequently, even though update speed was not a factor in this incident. The German Federal Office for Information Security (BSI) and other entities emphasize the need for improved cybersecurity practices and resilience to prevent similar occurrences.