Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11825

Checks for new stories every ~15 minutes

2024-07-02 17:48:58 bleepingcomputer RANSOMWARE Patelco Credit Union Systems Down After Ransomware Attack
Patelco Credit Union experienced a ransomware attack on June 29, 2024, leading to the shutdown of its banking systems. The attack prompted the proactive closure of multiple customer-facing services to mitigate the incident's effects. Despite the operational impact, ATM withdrawals remain available for Patelco members. Patelco has enlisted the help of third-party cybersecurity specialists to help manage the crisis and facilitate system recovery. No current timeframe exists for when services will be fully restored, and customers are advised to expect delays in support. There has been no claim of responsibility from any ransomware groups yet, and the identity of the attackers remains unknown. The credit union has not confirmed if there was any data breach or customer information leakage following the attack. Customers are urged to monitor their accounts closely and be wary of unsolicited requests for personal information.
2024-07-02 16:01:44 bleepingcomputer DATA BREACH Affirm Cardholders Exposed in Evolve Bank Cybersecurity Breach
Affirm, a fintech firm offering alternative credit options, reports a data breach at Evolve Bank & Trust affecting its cardholders. Evolve Bank, providing services like payment processing and banking-as-a-service, confirmed a cybersecurity incident linked to a known criminal group. The breach resulted in unauthorized access to sensitive data including SSNs, bank account numbers, and contact details. Evolve responded by resetting passwords, reconstructing identity management components, and implementing network hardening measures. Other fintech firms such as Wise and Bilt, partners of Evolve, also reported potential exposure of their customer data. Wise and Bilt advised customers to remain vigilant for phishing attempts while maintaining that their platforms were secure. An ongoing investigation aims to define the full scope and impact of the breach, with further updates expected.
2024-07-02 13:18:27 theregister DATA BREACH Evolve Bank & Trust Ransomware Attack Impacts Fintech Partners
Evolve Bank & Trust suffered a LockBit ransomware attack in late May, leading to a significant data breach. The breach has affected several fintech companies including Wise and Affirm, which acknowledged the theft of customer data. Affirm, a buy-now-pay-later company, reported to the SEC that the personal data of Affirm Card holders might be compromised due to their partnership with Evolve. Affirm has initiated an independent investigation and ongoing remediation efforts, stating its other operations remain unaffected. Wise, having ended its partnership with Evolve in 2023, revealed that personal information of some users may have been involved, committing to direct notifications to affected customers. Evolve communicated to partners that the cybersecurity incident has been contained, though the full impact and scope of data accessed are still under assessment. The incident coincided with scrutiny from the US Federal Reserve Board and the Arkansas State Bank Department over deficiencies in Evolve’s risk management and compliance practices.
2024-07-02 12:56:03 theregister MALWARE Critical OpenSSH Vulnerability Threatens Linux System Security
Researchers at Qualys identified a regression vulnerability, CVE-2024-6387, in OpenSSH affecting approximately 700,000 internet-facing Linux systems capable of granting root-level access to attackers. The vulnerability emerged as a regression from a previously patched issue and affects systems running glibc with OpenSSH versions prior to 9.8. The flaw, named regreSSHion, potentially allows unauthenticated remote code execution through exploiting a race condition in the SSHD server's signal-handling mechanism. Exploiting this bug is challenging and time-consuming, requiring several hours and multiple attempts to overcome protections like Address Space Layout Randomization (ASLR). OpenSSH versions from 8.5p1 up to but not including 9.8p1 are vulnerable unless patched for both CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not affected due to a security modification implemented back in 2001 that utilizes a safer version of the syslog() call. Organizations are urged to upgrade to the latest OpenSSH version and implement network-based controls and system monitoring to mitigate the risk of exploitation. Despite the severity of this vulnerability, the OpenSSH project was praised for its overall robust security practices and preventative design measures.
2024-07-02 12:56:03 theregister MALWARE South Korean ERP Vendor's Update System Hacked to Spread Malware
A South Korean ERP vendor's update server was compromised to distribute malicious software. Security firm AhnLab identified the tactics as similar to those used by the North Korea-linked Andariel group, known for its malware deployment methods. The malware, named Xctdoor, was installed via modified update files and can steal system information and execute remote commands. Xctdoor is a backdoor capable of transmitting user and computer identifiers to a command and control server and performing actions like screenshot capture, keylogging, and clipboard logging. This attack primarily targeted the defense sector and follows recent attacks on manufacturing and other industries. ASEC emphasized the need for heightened vigilance regarding email attachments and downloaded executables, alongside improved monitoring and patching of vulnerabilities in asset management programs.
2024-07-02 12:56:03 theregister CYBERCRIME Major Vulnerabilities in CocoaPods Risk Apple Ecosystem Security
CocoaPods, an open-source dependency manager used in over three million iOS and macOS applications, exposed thousands of packages because unclaimed Pods were left vulnerable for nearly a decade. Security firm EVA Information Security uncovered three significant vulnerabilities (CVE-2024-38368, CVE-2024-38366, CVE-2024-38367) affecting CocoaPods, potentially impacting millions of applications including those from major tech companies. CVE-2024-38368 allowed unauthorized claiming and alteration of orphaned Pods without ownership verification, leading to possible insertion of malicious code. CVE-2024-38366 enabled remote code execution due to a flaw in mail exchange validation which allowed execution of arbitrary commands through specially crafted email addresses. CVE-2024-38367 exploited email scanning software to hijack session validation tokens automatically, facilitating unauthorized access without user interaction. These vulnerabilities, though patched, highlighted the serious implications of reliance on open-source components and third-party dependencies in software development. EVA Information Security recommends thorough review and validation of dependencies, and updating CocoaPods installations to safeguard against potential supply chain attacks.
2024-07-02 12:56:03 thehackernews MISCELLANEOUS Meta Faces EU Scrutiny Over 'Pay or Consent' Subscription Model
The European Commission accuses Meta of breaching EU competition rules with its 'pay or consent' advertising model. Meta's model gives users a choice between allowing personal data usage for personalized ads or paying for an ad-free experience. This approach allegedly fails to provide a less personalized but equivalent service option for users who do not consent to data sharing. Meta introduced its ad-free subscription in response to stringent EU privacy regulations and a European Court ruling. Critics argue that Meta's model forces users into an unfair choice between privacy and payment, suggesting the cost is prohibitively high. Preliminary findings by the EU could lead to a fine of up to 10% of Meta's worldwide turnover, increasing to 20% for systematic rule breaches. Meta insists its subscription model complies with the Digital Markets Act (DMA) and plans to engage in dialogue with the Commission. A Norwegian court recently fined the Grindr app for GDPR violations, highlighting ongoing privacy concerns in the EU.
2024-07-02 12:56:03 thehackernews MALWARE New Intel CPU Flaw Enables Sensitive Data Exposure Attack
Modern Intel CPUs are vulnerable to an attack codenamed Indirector, which affects Raptor Lake and Alder Lake processors. The vulnerability exploits shortcomings in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), allowing leakage of sensitive data. Indirector enables attackers to mount precise Branch Target Injection (BTI) attacks, a type of Spectre v2 attack. Attackers with local user access can obtain information without authorization via a side channel by targeting these sensitive components of the CPU architecture. Intel has notified affected hardware and software vendors about the vulnerability and recommended enhancements like using the Indirect Branch Predictor Barrier (IBPB) more aggressively and hardening the Branch Prediction Unit (BPU). Parallel research highlighted a similar speculative execution attack called TIKTAG affecting Arm CPUs, demonstrating a broader concern with speculative execution vulnerabilities in modern processors. Arm's response to the TIKTAG findings emphasized that the defenses available through the Memory Tagging Extension (MTE) are limited and probabilistic, and are insufficient against determined adversaries.
2024-07-02 12:56:03 thehackernews CYBERCRIME Addressing Rising Ransomware Threats with Advanced MFA Solutions
The average ransom payment for ransomware attacks increased dramatically by 500% in recent years, reaching $2 million in 2024 from $400,000 in 2023. Outdated legacy Multi-Factor Authentication (MFA) systems are largely to blame for this rise, proving inadequate in preventing modern cyberattacks. Cybercriminals leverage Generative AI to create sophisticated phishing attacks that bypass conventional security measures and contribute to higher ransom demands. Reports highlight losses ranging into billions by major corporations, indicating a refocusing of criminal efforts towards higher ransom yields. Phishing-resistant, next-generation MFA technologies, including biometric recognition, are essential to combat these evolving cyber threats effectively. Organizations are encouraged to adopt these advanced MFA solutions to curb the increasing trend of ransomware-induced financial losses. Continuous monitoring, regular system updates, and ongoing security assessments are crucial for maintaining the effectiveness of these advanced security measures.
2024-07-02 12:56:02 bleepingcomputer MALWARE New 'Indirector' Side-Channel Attack Risks Modern Intel CPUs
The Indirector attack targets modern Intel CPUs, including Raptor Lake and Alder Lake generations, exploiting hardware vulnerabilities to steal sensitive data. Discovered by researchers at the University of California, San Marcos, Indirector manipulates the Branch Target Buffer and Indirect Branch Predictor components. The attack uses high-precision techniques for speculative execution manipulation, combined with cache side-channel strategies to access data. Intel was notified about the vulnerability in February 2024, and the findings will be presented fully at the USENIX Security Symposium in August 2024. Suggested mitigations include enhancing the Indirect Branch Predictor Barrier and redesigning the Branch Prediction Unit with encryption and complexity increases. Implementation of mitigation measures, particularly the IBPB, can lead to a significant performance reduction, approximately 50% during certain operations. Intel has communicated with related hardware and software vendors to address this issue and researchers have released proof-of-concept code on GitHub.
2024-07-02 12:56:02 bleepingcomputer NATION STATE ACTIVITY Cisco Patches NX-OS Zero-Day Exploited by Chinese Hackers
A zero-day vulnerability in Cisco’s NX-OS software was exploited by the Chinese state-sponsored group Velvet Ant to deploy custom malware. This exploit allowed attackers to gain root access on vulnerable Cisco Nexus switches and execute arbitrary commands. The vulnerability, identified as CVE-2024-20399, involved inadequate validation of CLI command inputs. Once access was gained, attackers could remotely connect to devices, upload files, and execute malicious code without detection. Cisco has issued patches for the vulnerability and recommends regular credential updates and monitoring for network administrators. Sygnia, the cybersecurity firm that discovered the breach, was originally investigating Velvet Ant's espionage activities when they detected the exploit. Apart from NX-OS, Velvet Ant has targeted F5 BIG-IP appliances and tested exploits on ASA and FTD firewalls under campaigns like ArcaneDoor.
2024-07-02 12:56:02 bleepingcomputer CYBERCRIME Australian Arrested for Conducting 'Evil Twin' WiFi Attacks on Flights
An Australian man was charged by the AFP for carrying out 'evil twin' WiFi attacks on various domestic flights and at airports. He employed a deceptive tactic by setting up fake WiFi access points using the same SSIDs as legitimate networks to harvest credentials. His activities were detected after airline employees reported suspicious WiFi networks in April 2024, leading to the AFP seizing his devices. The captured data from his devices revealed fraudulent pages at Perth, Melbourne, and Adelaide airports, among other locations. Investigations are ongoing to ascertain the full extent of the cybercrimes and the data misuse. The suspect's technique involved creating portals that appeared legitimate but were designed to steal users' email and social media logins. The incident highlights the risks posed by unsecured public WiFi networks and the importance of using VPNs and avoiding sharing sensitive information. Cybersecurity experts emphasize that while 'evil twin' attacks are rare, they exemplify potential vulnerabilities in public network security protocols.
2024-07-02 12:56:02 bleepingcomputer CYBERCRIME CDK Global Targets Ransomware Recovery, Full Service by Thursday
CDK Global's dealer management system was crippled by a ransomware attack on June 18, affecting operations across North American car dealerships. The company promises to restore full functionality to all dealers by Thursday, after multiple IT system shutdowns to contain the breach. Affected applications also include Customer Relationship Management (CRM), ONE-EIGHTY, and service solutions, which are being restored in phases. Over 15,000 car dealerships had been forced to revert to manual operations, disrupting sales and services significantly. CDK Global faced a second cyberattack during the recovery phase, further complicating restoration efforts. The BlackSuit ransomware group, a probable evolution of the Royal ransomware operation, is believed to be behind the attacks. CDK is reportedly negotiating with the attackers for a decryptor to prevent the leak of stolen data.
2024-07-02 12:56:02 bleepingcomputer DATA BREACH Prudential Financial Reveals Major Data Breach Affecting 2.5 Million
Prudential Financial reported that a data breach in February compromised the personal information of over 2.5 million people. Initially, the breach was detected on February 5, a day after attackers accessed significant user and employee data. The breach initially seemed to impact 36,000 individuals, but later filings with the Maine Attorney General expanded the number to over 2.5 million. The ALPHV/Blackcat ransomware gang, which claimed responsibility, is known for multiple high-profile attacks and has been linked by the FBI to numerous global incidents. Following the breach, Prudential has engaged cybersecurity experts to ensure the unauthorized parties no longer have access to corporate systems. Prudential, a leading global financial services firm, reported revenues of over $50 billion in 2023, highlighting the scale and impact of the breach. The breach is part of a troubling trend involving significant data compromises through corporate and third-party platforms, as evidenced by an additional breach affecting 320,000 Prudential customers via a third-party service in May 2023.
2024-06-29 15:22:28 bleepingcomputer CYBERCRIME Hackers Target D-Link Routers to Steal User Passwords
Hackers are exploiting a severe vulnerability, CVE-2024-0769, in D-Link DIR-859 WiFi routers, targeting user account data. The flaw is a path traversal issue in "fatlady.php" that affects all firmware versions and allows data leakage and control over devices. Because the D-Link DIR-859 model is end-of-life and no longer receives updates, D-Link has issued an advisory without a patch. Threat monitoring has detected active exploitation, where attackers use modified public exploits to access sensitive files like 'DEVICE.ACCOUNT.xml'. Attackers send a malicious POST request to 'hedwig.cgi' to trigger the vulnerability and read user credentials stored in configuration files. The vulnerability remains a significant risk since no patches will be issued, and the devices will stay exposed as long as they are internet-connected. GreyNoise identifies other potentially vulnerable configuration files, advising defenders to monitor these to catch additional exploit variations.