Daily Brief
Total articles found: 11827
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-15 07:21:34 | thehackernews | CYBERCRIME | Singapore Banks to Replace OTPs with Digital Tokens to Enhance Security | Singapore's retail banks are mandated to phase out one-time passwords (OTPs) for online logins within three months, aiming to reduce phishing attack risks. This initiative, announced by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS), promotes the use of more secure digital tokens over OTPs. Digital tokens will be used for authenticating bank account logins via browsers and mobile banking apps, without the vulnerabilities associated with OTPs. The use of OTPs has been exploited by cybercriminals using advanced phishing kits and banking trojans, undermining their effectiveness as a second-factor authentication method. OTP bots, often sold on platforms like Telegram, employ social engineering tactics to deceive users into providing their 2FA codes, facilitating unauthorized account access. Recent cybersecurity reports highlight new phishing tools like FishXProxy, which simplify launching phishing campaigns and evading security measures through techniques like HTML smuggling. In response to the rising threat from mobile malware, Google has started a pilot program in Singapore to prevent sideloading of apps on Android devices, as such apps often aim to steal OTPs and sensitive data. |
| 2024-07-15 05:14:12 | thehackernews | MALWARE | HardBit 4.0 Ransomware Enhances Security Evasion with Passphrase Protection | HardBit Ransomware 4.0 has introduced advanced obfuscation and passphrase protection features to avoid detection and complicate security analysis. The new HardBit version requires a passphrase at runtime for execution, complicating direct assessment and increasing the challenge for security researchers. The threat group remains financially driven, using double extortion methods without operating a traditional data leak site, instead threatening further attacks to coerce victims into paying ransoms. Initial access is suspected to come through brute-forcing RDP and SMB services, followed by credential theft using Mimikatz and NLBrute, and system reconnaissance with tools like Advanced Port Scanner. HardBit uses the Neshta file infector for delivery, disables Microsoft Defender, and alters system settings to hinder recovery efforts and maximize damage. The ransomware has both command-line and GUI versions, with an added wiper mode that permanently deletes files, available to operators through an additional purchase. The GUI version prompts for an encryption key after the decoded authorization ID is entered, after which file encryption on the target machines begins. Ransomware attacks continue to rise, with prevalent families like LockBit, Akira, and BlackSuit dominating and exploiting known vulnerabilities. |
| 2024-07-15 04:43:30 | theregister | MISCELLANEOUS | Google Eyeing $23 Billion Acquisition of Security Firm Wiz | Google is in advanced negotiations to acquire cybersecurity company Wiz for a reported $23 billion, potentially marking Alphabet's largest acquisition deal yet. Wiz, established in 2020 by former Microsoft employees, has gained prominence by identifying significant vulnerabilities in Microsoft Azure, including the ChaosDB and OMIGOD flaws. Acquiring Wiz would complement Google's recent purchase of Mandiant, significantly bolstering its security capabilities and offerings within the cloud sector. Both the New York Times and Wall Street Journal suggest that while the acquisition discussions are ongoing, the deal is not guaranteed to finalize. Competitors such as Palo Alto and Fortinet currently lead in security-specific revenues, but Google's combination of Mandiant and Wiz could position it as a formidable player in the security market. The acquisition would enable Google Cloud to possibly claim near-leadership in security, a stark contrast to broader cloud services like AWS and to existing controls like Microsoft's cloud security. |
| 2024-07-15 02:05:45 | theregister | DATA BREACH | mSpy Suffers Another Major Data Breach, Millions Affected | Commercial spyware firm mSpy experienced another data breach, exposing millions of buyer records, including support tickets via Zendesk. The leaked data, totalling 318 GB, contains 2.4 million unique email addresses, IP addresses, names, photos, and screenshots of financial transactions. Previous breaches occurred in 2015 and 2018, with substantial customer information leaked, emphasizing recurring security issues. Have I Been Pwned listed the breach on July 11, 2023, indicating the scale and specifics of the exposed data. Other stalkerware companies like LetMeSpy and pcTattletale have also recently suffered breaches, leading to their shutdowns. This incident highlights the ongoing privacy and security risks associated with using stalkerware applications, given their sensitive data collection practices. Users of the mSpy app are urged to be cautious and consider the long-term implications of personal data exposure. |
| 2024-07-15 00:08:36 | theregister | NATION STATE ACTIVITY | UK Cyber Chief Concerns Over China's Vulnerability Laws | The UK National Cyber Security Centre's Interim CEO Felicity Oswald criticizes China's mandated vulnerability reporting laws as conflicting with global cybersecurity norms. Oswald highlights the activities of the Beijing-backed Volt Typhoon gang as a significant uptick in cyber threats from China. Despite not attributing a recent Ministry of Defence data breach to China, Oswald expresses concerns over Chinese cyber strategies impacting global security. AWS China counters claims of business difficulties and layoffs, emphasizing strong growth and ongoing recruitment. Japanese researchers identify a supernova remnant from 1181, possibly formed by the collision of two white dwarf stars. India's telecom manufacturing has been boosted by the Production-Linked Incentive scheme, achieving a 370% increase in sales and reducing dependence on imported telecom equipment. Singapore's Competition and Consumer Commission holds off on approving Grab's acquisition of Trans-cab, citing potential harm to drivers and passengers. Australia's government instructs reviews of technology assets for foreign influences and vulnerabilities, along with enhancing cyber threat information sharing. |
| 2024-07-14 14:22:07 | bleepingcomputer | CYBERCRIME | Singapore Banks to Replace OTPs with Digital Tokens for Security | The Monetary Authority of Singapore (MAS) mandates phasing out one-time passwords (OTPs) for major retail banks within three months. This measure, developed in collaboration with the Association of Banks in Singapore (ABS), aims to enhance protection against phishing and other scams. OTPs, effective for online security since the 2000s, have become vulnerable to sophisticated phishing attacks, Android malware, and man-in-the-middle tactics. Recent measures include Google's crackdown on SMS permission abuses, influencing improvements in Singapore's cybersecurity landscape. Some 60% to 90% of customers at major banks like DBS, OCBC, and UOB are already using the more secure digital tokens. The MAS and ABS urge customers to switch to digital tokens promptly to avoid the risks associated with OTPs. Customers reluctant to switch will continue receiving OTPs, but this group is expected to shrink as digital token adoption increases. |
| 2024-07-13 15:20:02 | bleepingcomputer | CYBERCRIME | Rapid Weaponization of PoC Exploits Threatens Cybersecurity | Threat actors are weaponizing proof-of-concept (PoC) exploits within minutes of their release, as observed by Cloudflare in its 2024 security report. One example was the deployment of an exploit just 22 minutes after the disclosure of CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity. The most frequently targeted vulnerabilities were in Apache, ColdFusion, and MobileIron products. Cloudflare processes an average of 57 million HTTP requests per second and has noticed an increase in CVE scanning, command injections, and PoC weaponizations. AI and ML are being used by Cloudflare to improve the speed and accuracy of developing detection rules and WAF Managed Rulesets to combat rapid exploitation. The report also highlights that 6.8% of all daily internet traffic comprises DDoS attacks, an increase from the previous year that intensifies the focus on mitigation efforts. Cloudflare's report further includes strategies for defenders and a comprehensive analysis of the current cybersecurity landscape, with recommendations to improve overall security posture. |
| 2024-07-13 15:09:44 | theregister | DATA BREACH | Over 100 Million Affected by AT&T Snowflake Intrusion | AT&T's Snowflake storage account suffered a significant security intrusion impacting over 100 million people. The incident highlights rising concerns around data security and breaches. The breach was discussed on "The Kettle," a weekly discussion show featuring journalists and cybersecurity experts. AI's potential to defend against malware and improve system security was skeptically debated among the experts. The discussion was hosted by Iain Thomson with experts including Tobias Mann, Brandon Vigliarolo, and Jessica Lyons. The show is also accessible through various platforms like RSS, MP3, Apple, Amazon, and Spotify. |
| 2024-07-13 05:55:51 | thehackernews | DATA BREACH | AT&T Suffers Massive Data Breach, Millions of Customers Affected | American telecom giant AT&T confirmed a massive data breach affecting virtually all wireless customers and multiple MVNO partners due to unauthorized access on a third-party cloud platform. The breach occurred between April 14 and April 25, 2024, and involved exfiltration of AT&T records of customer calls and texts from mid-2022 and early 2023, including interaction counts and call durations. Threat actors obtained call data records which could potentially reveal customer locations and were used in conjunction with prior data to map phone numbers to identities. The compromised data included interactions with AT&T landlines and other carriers but did not comprise personal information like Social Security numbers or the content of communications. AT&T plans to notify affected current and former customers and has advised them to be vigilant against potential phishing and smishing scams. The breach is linked to other high-profile breaches of companies like Ticketmaster and Santander, all traced back to hackers exploiting vulnerabilities in Snowflake's cloud services. Law enforcement has made at least one arrest in connection with the breach, and investigations are ongoing with collaborative efforts from security agencies. Snowflake has introduced mandatory multi-factor authentication for all users to prevent future unauthorized access. |
| 2024-07-12 23:59:52 | theregister | CYBERCRIME | CDK Global Pays $25M Ransom Amidst Extensive Dealer Disruptions | CDK Global reportedly paid $25 million in Bitcoin to resolve a ransomware attack that disrupted its operations and affected approximately 15,000 car dealerships nationwide. The cyberattack caused significant operational delays, halting sales and vehicle registrations at major dealerships for two weeks. Recovery efforts involved possibly restoring from backups and dealing with encrypted critical data, extending system downtime even after the ransom payment. The attackers, identified as the BlackSuit group, also responsible for previous high-profile ransomware incidents, received a transaction of 387 Bitcoins. The economic impact from the outage on dealerships is estimated to exceed $600 million, a figure that contrasts sharply with the ransom amount but may still underestimate the total losses including reputational damage. Sonic Automotive reported to the SEC ongoing issues with some systems and third-party applications, indicating potential extended disruptions beyond initial recovery efforts. This incident highlights an upward trend in ransom payments despite a general decline in the proportion of victims choosing to pay ransoms. |
| 2024-07-12 20:51:34 | bleepingcomputer | MALWARE | Critical Security Bug Threatens 1.5 Million Exim Mail Servers | Over 1.5 million Exim mail servers are at risk due to an unpatched critical vulnerability identified as CVE-2024-39929. The vulnerability allows remote attackers to bypass security filters and deliver malicious executable attachments by exploiting multiline RFC 2231 header filenames. Exim versions up to and including 4.97.1 are affected, with an urgent patch released by developers to address the flaw. While no active exploitation is currently known, a proof of concept (PoC) is available, increasing the risk of potential attacks. The flaw predominantly affects servers in the United States, Russia, and Canada, exposing them to the risk of compromise if the malicious attachments are executed. Exim's widespread use as the default Debian Linux MTA and its popularity as the world's most prevalent MTA software highlight the critical nature of timely upgrades and patches. Administrators are advised to restrict remote Internet access to vulnerable servers as an immediate protective measure against potential exploitation attempts. |
| 2024-07-12 20:26:00 | theregister | NATION STATE ACTIVITY | Concerns Rise Over Microsoft's AI Tech Deal with UAE Firm G42 | U.S. House Committee chairs have publicly urged the White House to scrutinize a Microsoft-G42 partnership involving significant U.S. AI technology investments. Microsoft plans to invest $1.5 billion into UAE-based AI firm G42, raising alarms about potential AI tech transfer to China. Representatives McCaul and Moolenaar expressed concerns regarding national security due to G42's historical ties with China and current deepening relationships between UAE and China. Both G42 and Microsoft assert that they have implemented stringent security measures, including a "vault within a vault" to safeguard AI technologies. Despite assurances, skepticism remains among U.S. lawmakers about the adequacy of safeguards against the transfer of sensitive technologies. The bipartisan concern underlines the strategic importance of the partnership and calls for thorough governmental reviews to assess and mitigate potential security risks. |
| 2024-07-12 18:49:10 | bleepingcomputer | DATA BREACH | Rite Aid Confirms Data Breach After RansomHub Ransomware Attack | Rite Aid experienced a cyberattack in June, claimed by the RansomHub ransomware group, resulting in a significant data breach. Over 10 GB of customer information was reportedly stolen, which may include names, addresses, and other personal details. Rite Aid has restored its systems with the assistance of third-party cybersecurity experts and is now fully operational. The pharmacy chain is currently finalizing its investigation into the attack and has begun notifying affected customers. No financial data, health information, or Social Security numbers were compromised in the breach. Rite Aid has emphasized its commitment to safeguarding personal information and treating the data breach as a top priority. RansomHub specializes in data theft for extortion, threatening to leak stolen data if their ransom demands are not met. |
| 2024-07-12 18:28:38 | bleepingcomputer | CYBERCRIME | DNS Hijacking Wave Targets DeFi Platforms via Squarespace | Coordinated DNS hijacking attacks have targeted decentralized finance (DeFi) cryptocurrency domains registered with Squarespace, directing users to phishing sites. Attackers modified DNS records, leading users to sites that used wallet drainers to steal cryptocurrencies and NFTs from connected wallets. Affected platforms include Compound Finance, Celer Network, and Pendle, all of which confirmed that the integrity of their protocols remains uncompromised. Squarespace recently acquired the affected domains from Google Domains, during which crucial security features like multi-factor authentication were disabled. Attack mechanisms may involve exploiting reseller access and newly created accounts arising from the domain migration process. Users affected by the phishing sites are urged to revoke smart contract approvals, change passwords, and transfer funds to secure wallets. The investigation into the full scope and method of the attacks is ongoing, with Squarespace yet to provide official comment or remedies. |
| 2024-07-12 18:03:02 | theregister | NATION STATE ACTIVITY | CISA Red Team Exposes Severe Security Gaps in Federal Agency | CISA's covert red team operation revealed critical security failures within an unnamed federal agency, undetected for five months. The team exploited an unpatched CVE in Oracle Solaris, resulting in a full system compromise and unauthorized third-party exploitation. The agency delayed patching the known vulnerability for over two weeks and failed to conduct a thorough investigation or incident response. Entry restrictions in part of the network initially thwarted further access, but the red team succeeded through a phishing attack leading to a full domain compromise. Sensitive usernames and passwords found in plaintext highlighted severe mismanagement and outdated security practices. Following the assessment, CISA's engagement with the agency's security team led to significant improvements in incident detection and response. Recommendations emphasized the importance of defense-in-depth, network segmentation, and moving away from reliance solely on known IoCs for detecting threats. |