Daily Brief
Total articles found: 12797
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-09-17 20:23:13 | thehackernews | MISCELLANEOUS | Effective Oversight of ChatGPT Integrations in Google Workspace | With the integration of ChatGPT into Google Workspace, organizations face significant cybersecurity challenges due to the extensive permissions required, affecting both personal and shared drives. Newly enhanced features allow ChatGPT to access files directly from Google Drive and Microsoft OneDrive, presenting potential security risks despite the productivity benefits. Google Workspace's Admin Console allows administrators to track ChatGPT activity through Drive log and OAuth log events, providing a method to monitor accessed resources. Nudge Security offers tools to identify and manage all genAI integrations and related OAuth grants, enhancing visibility and control over these applications. Through Nudge Security, organizations can proactively address AI security risks by monitoring AI tool adoption, reviewing OAuth grants, and setting custom alerts for new genAI integrations. Businesses are advised to understand the security implications of genAI tools and enforce strict governance to balance productivity gains with data security. |
| 2024-09-17 20:23:13 | thehackernews | NATION STATE ACTIVITY | U.S. Imposes Sanctions on Executives over Predator Spyware | The U.S. Department of the Treasury has sanctioned five executives and one entity connected to the Intellexa Consortium for their roles in developing and distributing the Predator spyware. These sanctions reflect the U.S. government's policy against the dissemination of technologies that threaten national security and infringe on privacy rights. The sanctions target Thalestris Limited for processing transactions for the consortium and Aliada Group, led by Intellexa's founder, Tal Jonathan Dilian. This action follows previous sanctions against Dilian and other associates approximately six months earlier, indicating ongoing U.S. scrutiny of the group's activities. Predator spyware recently saw a resurgence, with updates to its infrastructure intended to enhance user anonymization and operational security. Recorded Future noted that despite these changes, Predator operators largely maintain their operational tactics, complicating efforts to attribute the spyware's use to specific countries. The development occurs alongside Apple's legal maneuvers regarding its lawsuit against NSO Group, highlighting broader challenges in the global fight against invasive spyware technologies. |
| 2024-09-17 20:23:13 | thehackernews | MISCELLANEOUS | Google Chrome Adopts ML-KEM for Enhanced Quantum Security | Google has announced that its Chrome web browser will move from the KYBER key exchange to ML-KEM to offer better protection against future quantum attacks. This change will take effect in Chrome version 131, scheduled for early November 2024, as the ML-KEM and KYBER systems are fundamentally incompatible. The U.S. National Institute of Standards and Technology (NIST) has recently finalized three new encryption algorithms to secure systems against quantum threats; ML-KEM (FIPS 203) is one of these algorithms. Microsoft is also updating its cryptographic library to include support for ML-KEM, aligning with the industry's shift towards quantum-resistant cryptography. The article also details a cryptographic flaw in Infineon's security microcontrollers found in devices like YubiKey, which went undetected for 14 years and remains present because the affected devices cannot have their firmware updated. The flaw, named EUCLEAK, requires physical access and specialized equipment for exploitation, underlining ongoing challenges in secure cryptographic implementations amid hardware limitations. Google's sustained efforts in enhancing encryption and Microsoft's adoption illustrate a broader industry move towards preparing for the anticipated challenges posed by quantum computing. |
| 2024-09-17 20:23:13 | bleepingcomputer | CYBERCRIME | Ransomware Gangs Exploit Microsoft Azure for Data Theft | Ransomware groups such as BianLian and Rhysida are increasingly using Microsoft Azure Storage Explorer and the AzCopy tool to exfiltrate data from compromised networks. Exfiltrated data is stored in Azure Blob storage, which offers large-scale handling capacity and a lower likelihood of being blocked by corporate security controls because of its trusted status. While Azure facilitates stealthy and efficient data theft, attackers face hurdles such as installing dependencies and upgrading software before they can use these tools effectively. Cybersecurity firm modePUSH has observed multiple instances of Azure Storage Explorer being run simultaneously by attackers to speed up data exfiltration. Key indicators of such exfiltration include the tools' default logging, which can assist incident responders by revealing which files were uploaded or downloaded. Suggested defense measures include monitoring AzCopy executions, tracking outbound network traffic to Azure endpoints, and enabling settings that log users out automatically on application exit to minimize unauthorized access. |
| 2024-09-17 20:23:13 | bleepingcomputer | CYBERCRIME | CISA and FBI Issue Alert on Cross-Site Scripting Vulnerabilities | CISA and the FBI have called on technology manufacturers to eliminate cross-site scripting (XSS) vulnerabilities in software before it is released. XSS vulnerabilities allow threat actors to inject malicious scripts into web applications, leading to data manipulation, theft, or misuse. Despite the availability of preventive technologies, XSS flaws are still prevalent in newly released software, according to the joint advisory. The agencies recommend a secure-by-design approach, rigorous input validation, and the use of modern web frameworks to minimize risk. Detailed code reviews and adversarial testing throughout the software development lifecycle are advised to maintain high security and quality standards. XSS was ranked as the second most dangerous software weakness in MITRE's top 25 list for 2021-2022. This advisory is part of CISA's Secure by Design series, which aims to highlight and mitigate well-documented yet persistent software vulnerabilities. |
| 2024-09-17 20:23:13 | bleepingcomputer | DATA BREACH | AT&T Settles for $13 Million with FCC Over Data Breach | AT&T agreed to a $13 million settlement with the FCC following a probe into its data protection practices and a January 2023 data breach involving a vendor. The breach exposed customer names, account numbers, and contact details for approximately 9 million wireless accounts, but sensitive financial data was not disclosed. The FCC also assessed AT&T's supply chain controls and found that AT&T did not adequately monitor vendor compliance with data security requirements. As part of the settlement, AT&T will enhance its data governance and information security practices to protect customer data and ensure vendor compliance. The consent decree requires AT&T to conduct annual compliance audits and to improve tracking of data shared with vendors. The FCC emphasizes the carrier's obligation to protect consumer data, highlighting the importance of privacy and security in the digital age. Additional data breaches in 2024 involving AT&T, affecting call logs and customer data management, indicate ongoing challenges with data security. |
| 2024-09-17 20:23:12 | bleepingcomputer | CYBERCRIME | Construction Industry Targeted in Brute Force Accounting Software Attacks | Hackers are conducting brute force attacks on exposed Foundation accounting servers, primarily used in the construction sector. These attacks exploit weak or default passwords on privileged accounts and have compromised networks in various sub-industries, including plumbing and HVAC. Foundation accounting software unintentionally exposes MSSQL servers via TCP port 4243, which is intended to support mobile app connectivity. Once access is gained, attackers use the MSSQL 'xp_cmdshell' feature to execute system-level commands, extracting sensitive network and hardware information. Aggressive brute-force activity reached up to 35,000 password attempts per hour on a single host. Of the three million endpoints monitored by Huntress, 500 were found to be running the vulnerable software, with 33 having publicly exposed MSSQL databases with default admin credentials. Huntress has informed Foundation about the vulnerability; the software maker acknowledged the issue, stating it only affects the on-premise software, not the cloud version. Recommendations for mitigating risk include changing default credentials and ensuring that MSSQL servers are not unnecessarily exposed to the internet. |
| 2024-09-17 20:23:12 | bleepingcomputer | MALWARE | Broadcom Addresses Critical Remote Code Execution in VMware vCenter | Broadcom has issued a fix for a critical vulnerability in VMware vCenter Server, identified as CVE-2024-38812, that gives attackers remote code execution capability. The flaw, a heap overflow in the DCE/RPC protocol implementation, was demonstrated during the 2024 Matrix Cup in China by TZL security researchers. The vulnerability affects not only VMware vCenter but also VMware vSphere and VMware Cloud Foundation, exposing multiple products to potential threats. Attackers can exploit the flaw remotely without authentication by sending a specially crafted network packet to the targeted server. VMware has released security patches accessible via vCenter Server's standard update mechanisms, urging immediate application to block potential exploits. Additional mitigations may be required depending on an organization's specific security posture and infrastructure configuration. Broadcom has also patched another high-severity privilege escalation issue (CVE-2024-38813) that could be exploited in a similar manner. Broadcom has previously corrected similar vulnerabilities and reported active exploitation of such weaknesses, attributed to a Chinese hacking group, since 2021. |
| 2024-09-16 07:14:33 | thehackernews | NATION STATE ACTIVITY | Apple Ends Lawsuit Against NSO to Protect Security Secrets | Apple has voluntarily dismissed its lawsuit against NSO Group to prevent exposure of vital threat intelligence. The lawsuit, initiated in 2021, aimed to hold NSO accountable for targeting users with the Pegasus spyware. A federal judge had earlier rejected NSO's dismissal request, affirming that the lawsuit fell within anti-hacking legislation. Key concerns include the risk of revealing the tactics Apple uses to combat spyware, thereby undermining future defenses. Background events include a 2020 incident in which Israeli officials seized NSO documents to prevent diplomatic and security repercussions. Developments in the commercial spyware industry and the emergence of new malicious actors influenced Apple's decision to withdraw. An Atlantic Council report highlights how sanctioned spyware operators like Intellexa have been adapting and evading detection through complex infrastructure. |
| 2024-09-16 04:25:53 | thehackernews | CYBERCRIME | Phishing Attacks Use HTTP Headers to Steal Credentials | Researchers from Palo Alto Networks identified a series of large-scale phishing attacks that use HTTP headers to deliver fake email login pages aimed at stealing credentials. These campaigns specifically abuse the Refresh HTTP response header, causing browsers to redirect automatically to malicious URLs without user interaction. Targeted entities include major corporations in South Korea and educational and government bodies in the US, with detected activity peaking between May and July 2024. Over 2,000 malicious URLs were linked to these campaigns, significantly impacting sectors such as business and economy (36%), financial services (12.9%), and government (6.9%). The phishing strategies involved mimicking legitimate domains and embedding targeted recipients' email addresses in the Refresh header, enhancing the appearance of legitimacy. This method underlines the continual evolution of phishing tactics aimed at bypassing conventional security measures and manipulating victims. The United States FBI has reported that Business Email Compromise (BEC) attacks, encompassing methods like those observed, have led to financial losses estimated at $55.49 billion from 2013 to 2023. Additional scams identified include deepfake videos and a Czech-based cybercrime "enablement business" offering CAPTCHA-solving to facilitate broader illicit activities. |
| 2024-09-16 02:33:34 | theregister | DATA BREACH | 23andMe Agrees to $30 Million Settlement Over Data Breach | 23andMe has agreed to a $30 million settlement following a class action lawsuit over a significant data breach in 2023. Approximately 6.4 million U.S. customers were affected, with stolen data subsequently sold on the dark web. The breached data was used to target specific ethnic groups, namely customers of Ashkenazi Jewish and Chinese descent. The settlement includes three years of privacy, medical, and genetic monitoring for the affected customers. The data breach went unnoticed for five months until it was discussed in a Reddit post, revealing the depth of the system's vulnerabilities. 23andMe finds itself in a precarious financial condition, with a considerable drop in market capitalization and a 34% decrease in revenue year-over-year. An estimated $25 million of the settlement costs is expected to be covered by insurance. |
| 2024-09-15 18:19:53 | bleepingcomputer | NATION STATE ACTIVITY | Nation State Group Exploits Windows to Deploy Malware | The CVE-2024-43461 vulnerability in Windows MSHTML was exploited by the Void Banshee APT to install the Atlantida info-stealer. Microsoft initially disclosed this vulnerability during its September 2024 Patch Tuesday but later confirmed it had been exploited prior to the fix. Void Banshee, a recognized APT group, targets organizations across North America, Europe, and Southeast Asia for data theft and financial gain. The CVE-2024-43461 zero-day flaw enabled attackers to disguise malicious HTA files as PDFs using encoded braille whitespace, making them appear less suspicious to users. This exploit was part of a larger attack chain that also involved CVE-2024-38112, allowing malicious Internet Explorer launches from specially crafted Windows shortcuts. Despite the security update, the whitespace used in the exploit is not stripped by Windows, so the risk of misidentification persists. The Windows MSHTML spoofing vulnerability fix is part of Microsoft's broader effort to patch several actively exploited vulnerabilities, including CVE-2024-38217, related to LNK stomping attacks. |
| 2024-09-14 14:27:53 | bleepingcomputer | NATION STATE ACTIVITY | FBI Debunks Claims of Hacked US Voter Registration Data | The FBI and CISA have issued a public service announcement debunking false claims that U.S. voter registration data has been compromised by cyberattacks. The agencies report that malicious actors are using publicly accessible voter data to falsely claim that U.S. election infrastructure has been hacked. The disinformation campaign aims to manipulate public opinion and reduce trust in the democratic process. Voter registration information is publicly accessible; possession of such data should not be construed as evidence of election tampering or infrastructure compromise. According to the FBI and CISA, there is no evidence to suggest that any foreign actors holding voter data have impacted the voting process or election outcomes. Previous notices also clarified that DDoS attacks, while they can disrupt certain election services, do not affect the actual voting process. With general elections nearing, the public should be cautious of efforts by external entities to undermine confidence in electoral integrity. |
| 2024-09-14 14:12:27 | bleepingcomputer | MALWARE | Malware Exploits Browser Kiosk Mode to Hijack Google Credentials | A malware campaign targets users by locking their browser in kiosk mode on Google's login page to steal Google credentials. The attack disables typical escape methods such as 'ESC' and 'F11', pressuring victims to enter their login information to regain control. Once the Google credentials are saved in the browser's credential store, the StealC malware, a lightweight information stealer, extracts and sends them to the attackers. This attack method has been in use since August 2024 and involves Amadey, a known malware loader and information stealer first seen in 2018. Kiosk mode, intended for public or demonstration setups, limits user control, but in this attack it forces interaction with a potentially malicious login page. If trapped in kiosk mode, users should try alternative key combinations to terminate the affected browser or perform a hard reset to prevent data theft. Users are advised to reboot in Safe Mode and conduct a full antivirus scan to ensure all malware components are removed after the incident. This scheme reflects an evolving tactic in which attackers abuse legitimate system features for malicious purposes, complicating detection and response. |
| 2024-09-14 04:17:07 | thehackernews | CYBERCRIME | Ivanti Reports Active Exploitation of Patched Cloud Vulnerability | Ivanti disclosed active exploitation of a recently patched vulnerability, CVE-2024-8190, in its Cloud Service Appliance. The vulnerability, which allows remote code execution, affects versions of Ivanti CSA up to 4.6 Patch 518. The flaw was addressed in CSA 4.6 Patch 519, but with CSA 4.6 now at end-of-life, Ivanti urges upgrading to CSA 5.0. CSA 5.0 users are not affected by this vulnerability and require no further action. Exploitation has been observed against a limited number of customers, with no specific details about the attackers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, setting a compliance deadline for federal agencies. Horizon3.ai also detailed a separate critical vulnerability (CVE-2024-29847) in Ivanti's Endpoint Manager, highlighting ongoing security challenges. |