Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-09-11 10:45:53 | thehackernews | MISCELLANEOUS | Challenges and Strategies in Achieving Passwordless Authentication | Password-related vulnerabilities are a significant security threat, with 80% of data breaches linked to weak or compromised passwords. The move to passwordless authentication, such as biometrics or security keys, aims to mitigate these risks but introduces new challenges. Major hurdles to adopting passwordless systems include compatibility with legacy systems and resistance from users accustomed to traditional passwords. Enhancing current password protocols and implementing multifactor authentication are practical, cost-effective measures for improving security. Tools like Specops Password Policy can help strengthen password security by enforcing stronger policies and integrating with existing systems such as Active Directory. A balanced approach that develops robust password policies and deploys additional security measures is advisable while passwordless options are evaluated for the future. Businesses are encouraged to improve their password security as the more immediate and feasible step while gradually preparing for passwordless technologies. |
| 2024-09-11 10:15:03 | theregister | MISCELLANEOUS | Cybersecurity Workforce Shortfall Hits New High, Training Lags | The global security workforce has stagnated at approximately 5.5 million, a mere 0.1 percent increase year-on-year, despite an existing gap of 4.8 million unfilled positions. ISC2's forthcoming 2024 Cybersecurity Workforce Study identifies budgetary limitations, not a lack of talent, as the primary hurdle in addressing cyber staffing needs. The survey reflects a significant uptick in budget cuts, layoffs, hiring freezes, and limited promotions, all contributing to the staffing shortfall. Security professionals prioritize skills like communication and cloud computing, whereas hiring managers demand different competencies, demonstrating a significant disconnect. Over 90 percent of organizations report a skills gap within their cybersecurity teams, with AI seen as the largest shortfall despite not being prioritized by hiring managers. Investing in security education and training is essential to bridge the gap between existing cyber skills and those the market requires. Other tech sectors like software development and telecoms saw modest growth despite overall tech employment downturns, indicating a focused but cautious approach to filling tech roles. |
| 2024-09-11 09:49:21 | thehackernews | MALWARE | Lazarus Group Targets Developers with Malware in Fake Coding Tests | Cybersecurity researchers have identified malicious Python packages that mimic coding assessments to target software developers. These packages are linked to North Korea's Lazarus Group and have been published on platforms such as npm, PyPI, and GitHub. Attackers use the pretense of job interviews and coding test tasks to trick developers into downloading and executing the malicious packages. The embedded code contacts a command-and-control server to download further instructions and execute malicious commands. Posing as reputable companies, the attackers create urgency in their fake coding challenges to reduce the likelihood that victims perform security checks. Malware such as COVERTCATCH and Lilith RAT has been found within these challenges, compromising systems and enabling persistent access. The campaigns are part of a broader pattern of spear-phishing and malware deployment by North Korean groups, specifically targeting developers in multiple regions, including Russia and South Korea. |
| 2024-09-11 06:56:02 | thehackernews | CYBERCRIME | Microsoft Addresses 79 Vulnerabilities in Latest Patch Update | Microsoft's recent Patch Tuesday addressed 79 vulnerabilities, including three actively exploited in the Windows platform. Seven vulnerabilities are classified as Critical, 71 as Important, and one as Moderate. Highlighted flaws include CVE-2024-38226 and CVE-2024-38217, which allow bypassing security features that prevent Microsoft Office macros from running. CVE-2024-38217, known as "LNK Stomping," has been exploited since February 2018 and requires local access and user authentication. CVE-2024-43491 is a Servicing Stack vulnerability that rolled back previous fixes for vulnerabilities in Windows 10. Microsoft advises installing specific 2024 updates in sequence to remediate the vulnerabilities reintroduced by CVE-2024-43491. Additionally, various other vendors released security patches for separate issues over the previous weeks. |
| 2024-09-11 06:35:30 | thehackernews | CYBERCRIME | Ivanti Releases Fixes for Critical Endpoint Manager Vulnerabilities | Ivanti has issued updates to fix multiple critical vulnerabilities in Endpoint Manager (EPM), affecting versions up to 2024 and 2022 SU5. These vulnerabilities, rated critical, mainly expose systems to remote code execution. Updates that mitigate these issues are available in EPM versions 2024 SU1 and 2022 SU6. Although there is no evidence of these vulnerabilities being exploited as zero-days, patching remains crucial. Ivanti has also updated its internal processes to enhance scanning, testing, and disclosure, aiming to identify and address vulnerabilities more promptly. The update also includes patches for seven high-severity issues in Ivanti Workspace Control and Ivanti Cloud Service Appliance. In a related industry incident, Zyxel has released fixes for a critical OS command injection flaw affecting its NAS devices, which could allow unauthenticated attackers to execute commands. |
| 2024-09-11 04:38:19 | theregister | CYBERCRIME | India to Train 5000 Cyber Commandos to Combat Cybercrime | India plans to train 5000 "Cyber Commandos" over the next five years to tackle increasing cyber threats and enhance digital security. The Cyber Commandos will be part of the Indian Cyber Crime Coordination Centre (I4C) and work with state and national government forces to secure digital spaces. Additional initiatives include a Cyber Fraud Mitigation Centre and a centralized cybercrime data-sharing platform, Samanvay, to improve coordination among law enforcement agencies. A national cyber suspect registry will also be developed to catalog individuals involved in cyber and financial fraud, fostering inter-state collaboration. I4C is promoting a national cybercrime helpline and runs ongoing public awareness campaigns on cybercrime prevention. India, a leader in global digital payments, aims to bolster its defenses against digital fraud in step with its rapid digitalization and growth in internet connectivity. The minister highlighted that the cyber initiatives are crucial, given the rise from 600 internet-connected local governments in 2014 to 213,000 today. I4C has already issued over 600 advisories, blocked numerous malicious online entities, and trained over 1100 officers in cyber forensics. |
| 2024-09-11 01:30:11 | theregister | MISCELLANEOUS | Comprehensive Security Patch Updates Across Major Tech Companies | Microsoft issued security fixes for over 70 vulnerabilities across multiple products, including Windows, Office, and Azure. Specific flaws in Windows 10 version 1507 led to a rollback issue in which the operating system undid previously applied security updates due to a bug. Patch Tuesday also brought critical updates from Adobe, addressing vulnerabilities in ColdFusion, Photoshop, Acrobat, and other applications. Intel released advisories for potential security vulnerabilities in UEFI firmware and in its RAID Web Console, which has reached end of life. SAP issued updates for its BusinessObjects platform and Commerce Cloud, focusing on high-severity vulnerabilities. Citrix released fixes for high-severity flaws in its Workspace app that could allow privilege escalation. Ivanti's patch addressed severe vulnerabilities in its Endpoint Manager and other products that could allow remote code execution. CISA has urged installation of these updates given the severity of the issues and the potential for exploitation. |
| 2024-09-10 19:33:34 | bleepingcomputer | MALWARE | Ivanti Patches Critical Remote Code Execution Vulnerability | Ivanti has remediated a critical remote code execution (RCE) vulnerability in its Endpoint Management software that could have allowed unauthenticated attackers to take control of the core server. The vulnerability, identified as CVE-2024-29847, stemmed from a deserialization issue in the agent portal and has been fixed in the latest service updates. Alongside this severe RCE flaw, Ivanti also resolved nearly two dozen other high- and critical-severity issues across various products, including Workspace Control and Cloud Service Appliance. This patching effort follows a recent uplift in Ivanti's internal security processes, including enhanced scanning and testing, aimed at identifying and mitigating vulnerabilities more promptly. No public exploits of this vulnerability were known at the time of the announcement, and no customer impact had been reported. The company previously patched a similar RCE flaw in January and has seen significant exploitation of multiple zero-day vulnerabilities in its products in recent years. Ivanti's global presence includes over 7,000 partners, and its products are used by more than 40,000 organizations worldwide for IT asset management. |
| 2024-09-10 19:28:12 | bleepingcomputer | MALWARE | PIXHELL Malware Exploits LCD Screens to Steal Data | Researchers have developed a novel acoustic attack named PIXHELL, which can extract sensitive data from air-gapped systems through LCD screens. The attack uses malware to modulate pixel patterns on the screen, creating acoustic signals inaudible to humans but capturable by nearby devices such as smartphones. Data can be exfiltrated over a distance of up to 2 meters at a rate of 20 bits per second, sufficient for stealing passwords or conducting real-time keylogging. The attack was created by Dr. Mordechai Guri of Ben-Gurion University, who is known for uncovering data leakage methods from secure environments. The covert signals are generated by the LCD's normal operating noises, such as coil whine or capacitor noise, which are manipulated to carry encoded data. Defensive measures against PIXHELL include banning devices with microphones in sensitive areas and using noise generation to disrupt signal clarity. Monitoring screens with a camera for unusual pixel patterns is also recommended as a proactive security measure. |
| 2024-09-10 18:30:21 | bleepingcomputer | MALWARE | RansomHub Utilizes TDSSKiller to Disable Security and Harvest Credentials | The RansomHub ransomware group is actively abusing Kaspersky's TDSSKiller tool to circumvent endpoint detection and response (EDR) systems on affected machines. After disabling the EDR services, RansomHub deploys the LaZagne tool to extract credentials from application databases in order to facilitate lateral movement across networks. TDSSKiller is designed to detect rootkits and bootkits, making it a powerful utility for both legitimate and malicious purposes. Malwarebytes observed and reported on the abuse of TDSSKiller in recent RansomHub attacks, where the tool is executed via command-line scripts to disable critical security services. TDSSKiller's legitimate status and valid certificate help the malicious activity evade detection by security programs. Malwarebytes recommends enabling tamper protection on EDR systems and monitoring for specific TDSSKiller execution flags to mitigate this attack vector. The security firm also noted attempts to erase traces of the attack, highlighting the sophistication and stealth of RansomHub's operations. |
| 2024-09-10 18:18:03 | bleepingcomputer | MALWARE | Microsoft Patches Long-Exploited Security Flaw in Windows | Microsoft has addressed a significant vulnerability in Windows Smart App Control and SmartScreen that has been exploited since at least 2018. The vulnerability, identified as CVE-2024-38217, allowed attackers to bypass security features by manipulating file formats, specifically LNK files, to evade Smart App Control and Mark of the Web protections. Attackers exploited the flaw by crafting malicious files which, when downloaded and opened by the target, bypassed the web-based security markers. Smart App Control, integral to Windows 11, along with SmartScreen, helps detect and block potentially harmful applications but was circumvented by this flaw. Elastic Security Labs uncovered the flaw and termed the exploitation method LNK stomping, which involves modifying link files to bypass security checks. The flaw was actively exploited for years before its discovery, with evidence of malicious activity dating back over six years found in multiple samples on VirusTotal. Microsoft's recent security update remedies the issue, restoring the integrity of the Smart App Control and SmartScreen security features. |
| 2024-09-10 17:37:06 | bleepingcomputer | MALWARE | Microsoft Resolves 79 Security Issues, Including Four Zero-Days | Microsoft's September 2024 Patch Tuesday addressed 79 vulnerabilities, seven of them classified as critical. Four zero-day vulnerabilities were actively exploited, and one was previously disclosed but not fixed. Notable vulnerabilities include flaws allowing remote code execution and elevation of privilege. CVE-2024-38014 is an elevation of privilege flaw in Windows Installer that grants SYSTEM access; no detailed exploitation information was released. CVE-2024-38217, a Windows Mark of the Web bypass, has been used to evade security measures since 2018. CVE-2024-38226 involves bypassing security in Microsoft Publisher to execute embedded macros. CVE-2024-43491, a servicing stack flaw in older Windows 10 versions, allowed previously fixed vulnerabilities to be exploited again. The updates resolving these issues affect various Microsoft platforms, including older and still-supported editions of Windows 10. |
| 2024-09-10 15:55:02 | thehackernews | MALWARE | CosmicBeetle Launches ScRansom Ransomware, Targets Global SMBs | CosmicBeetle has introduced a new ransomware called ScRansom, targeting SMBs across global regions including Europe, Asia, Africa, and South America. The threat actor has shifted from its earlier ransomware, Scarab, to ScRansom, which is more refined and equipped with partial encryption and an "ERASE" mode for more destructive attacks. ScRansom has been deployed across sectors such as manufacturing, pharmaceuticals, and financial services, with attacks leveraging known security vulnerabilities and brute-force techniques. CosmicBeetle also appears to be affiliated with RansomHub, as payloads from both were found on the same machines within short intervals, suggesting a collaborative or opportunistic relationship. The group previously tried to forge an association with the notorious LockBit ransomware gang, possibly to enhance its credibility in the cybercrime ecosystem. Investigations hint that the encryption schemes used by CosmicBeetle may have been adapted from legitimate sources, weakening earlier theories about its origins. Tools like Reaper, Darkside, and RealBlindingEDR are used by CosmicBeetle to terminate security processes before deploying ransomware, indicating sophisticated attack preparation. |
| 2024-09-10 14:33:23 | theregister | CYBERCRIME | Cryptocurrency Scams Cost Americans $5.6 Billion in 2023 | The FBI reported that losses from crypto-related cybercrime in the US exceeded $5.6 billion in 2023, a 45% increase over the previous year. Over 69,000 complaints about crypto scams were filed with the Internet Crime Complaint Center (IC3), primarily by individuals aged 60 and above. Investment scams promising huge returns on crypto investments were identified as the primary contributor to the increase in losses. These scams often involve elaborate social engineering and trust-building tactics through social media and dating apps. The largest financial losses from crypto fraud, reaching $3.9 billion, were linked to investment scams involving cryptocurrency. The FBI emphasized the importance of reporting scams to ic3.gov to aid in tracking and mitigating emerging fraudulent schemes. Victims are frequently lured into fraudulent liquidity mining operations and other complex schemes, resulting in substantial financial theft. The report also briefly touched on ransomware, stating that while significant, the reported losses from such attacks are considerably lower than those from investment scams. |
| 2024-09-10 14:02:40 | bleepingcomputer | MISCELLANEOUS | Balancing Security and Efficiency in Endpoint Privilege Management | Endpoint privilege management (EPM) is crucial for minimizing cybersecurity risk by controlling administrative access on endpoint devices. The principle of least privilege is central to EPM, ensuring users have only the permissions they need so as to reduce the attack surface. A longstanding debate exists over whether users should have local administrative rights, balancing operational efficiency against security risk. From the user perspective, administrative rights ease workflows and reduce disruptions caused by frequent software updates. IT administrators highlight the dangers of local administrative rights, which include unauthorized system modifications and the disabling of security features. Removing local administrative rights does not completely prevent execution of untrusted software, but it does block key system changes and the disabling of security programs. A balanced approach to privilege management is needed, taking into account new risks such as pretexting attacks targeting IT staff. Implementing effective endpoint privilege management strategies can reconcile user productivity with robust security, protecting against high-profile breaches. |