Daily Brief
Find articles below; see 'Details' for the generated summaries.
Total articles found: 11825
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-29 14:46:44 | thehackernews | MISCELLANEOUS | Google to Block Entrust Certificates in Chrome by 2024 | Google announced it will stop trusting TLS server authentication certificates from Entrust in Chrome starting November 2024, due to non-compliance and security management issues.
This change will affect Chrome versions 127 and higher, across Windows, macOS, ChromeOS, Android, and Linux, except for iOS and iPadOS due to Apple's policies.
The decision follows a series of publicly disclosed incidents which have raised concerns about Entrust’s competence and reliability as a certificate authority.
Chrome users and enterprise customers can manually override this setting if they choose to continue trusting certificates from Entrust.
Website operators using Entrust certificates are advised to switch to another publicly trusted certificate authority by October 31, 2024, to avoid service disruptions.
Chrome users attempting to access sites with Entrust certificates post-November 2024 will encounter warnings that their connections are not secure.
Despite Entrust's wide use among major corporations like Microsoft and Visa, Google's move reflects growing scrutiny over digital certificate providers and internet security standards. | Details |
| 2024-06-29 14:16:01 | bleepingcomputer | MALWARE | Brain Cipher Ransomware Disrupts Indonesia's Data Services | The new ransomware, dubbed Brain Cipher, recently targeted Indonesia's temporary National Data Center, causing significant disruptions to government online services.
Brain Cipher's attack encrypted servers and affected services including immigration, passport control, and the issuance of permits, impacting over 200 government agencies.
The ransomware group demanded $8 million in Monero cryptocurrency for a decryptor and threatened to leak stolen data.
Brain Cipher has launched its own data leak site and engages in double-extortion tactics, threatening to release stolen data if their demands are not met.
The ransomware was developed using a leaked version of the LockBit 3.0 builder but includes modifications such as encrypting file names and changing file extensions.
Initial ransom notes linked to Tor-hosted negotiation and data leak sites, suggesting an organized operation aimed at maximizing pressure on victims.
There have been numerous samples of Brain Cipher ransomware identified, pointing to its recent and growing use in global cyberattacks. | Details |
| 2024-06-28 20:59:04 | theregister | NATION STATE ACTIVITY | Five Eyes Nations Push for Memory Safety in Open Source Software | CISA, along with other Five Eyes cyber security agencies, reviewed 172 critical open source projects and found widespread use of memory-unsafe languages like C and C++.
Over half of the projects examined contain memory-unsafe code, which is prone to security vulnerabilities such as buffer overflows and use-after-free errors.
The report promotes the adoption of memory-safe programming languages, which automatically manage memory safety, reducing the risk of such vulnerabilities.
Memory-safe languages recommended include C#, Go, Java, Python, Rust, and Swift, with Rust gaining popularity due to its neutrality compared to corporate-associated languages.
Large-scale projects like Linux and web browser frameworks Chromium and Gecko predominantly use memory-unsafe languages for many critical components.
Efforts to rewrite critical components in memory-safe languages are proposed to mitigate risks, as demonstrated by recent initiatives like Prossimo's Rust rewrite of the NTP daemon.
CISA urges the continuous evaluation and use of memory-safe languages to enhance the security and integrity of open source software, advising a strategic shift in software development practices.
The report also highlights the importance of persistent use of static code analysis and fuzzing tools to manage memory-safety risks until broader adoption of memory-safe languages can be achieved. | Details |
| 2024-06-28 19:06:54 | theregister | NATION STATE ACTIVITY | Russian Intelligence APT29 Hacks TeamViewer's Corporate Network | TeamViewer confirmed a breach in its IT network attributed to Russia's APT29, also known as Midnight Blizzard.
The intrusion was detected following unusual activity linked to a standard employee's login credentials.
Investigation revealed that the breach was confined to TeamViewer's non-production systems, avoiding impact on its product environment or customer data.
The attack did not result in unauthorized access to customer data or TeamViewer's product systems due to strong segregation between the company's corporate IT and production environments.
TeamViewer utilized a "defense in depth" security strategy with multiple layers of protection to limit and contain the breach.
No evidence suggests any lateral movement or expansion of the breach beyond the initial point of compromise.
The incident has heightened awareness and response procedures at TeamViewer, ensuring strengthened security practices moving forward. | Details |
| 2024-06-28 18:10:40 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Compromises Data of Six Million at Infosys McCamish | Infosys McCamish Systems (IMS) revealed a LockBit ransomware attack affected over six million individuals.
Initially reported in February 2024, the attack occurred in November 2023, impacting sensitive data including that of 57,000 Bank of America customers.
LockBit encrypted 2,000 computers within the IMS network during the incident.
Following a detailed review by third-party eDiscovery experts, IMS confirmed the extensive unauthorized data access.
Personal data compromised in the breach varies, necessitating personalized notification and identity protection services offered by IMS through Kroll.
Only Oceanview Life and Annuity Company has been publicly named as one of the affected clients, with potential additional disclosures pending.
IMS is a major service provider in the insurance and financial sectors, indicating a significant impact on these industries due to the breach. | Details |
| 2024-06-28 16:54:01 | bleepingcomputer | DATA BREACH | Agropur Dairy Cooperative Announces Customer Data Breach | Agropur, a major North American dairy cooperative, has reported a data breach impacting its online shared directories.
The breach was confined to certain parts of the cooperative's network and did not affect transactional systems or disrupt core operations.
The company is currently investigating the extent of the breach with the help of external cyber security experts and law enforcement.
Despite no current evidence of misuse, Agropur has notified customers about the breach as a precautionary measure.
The exposed data types and the number of affected individuals are still under investigation.
Agropur has implemented corrective measures to mitigate the risk and safeguard against future incidents.
Customers of Agropur and its associated brands are advised to remain vigilant for potential phishing attempts using the exposed data. | Details |
| 2024-06-28 16:48:43 | bleepingcomputer | DATA BREACH | Massive Ticketmaster Data Breach Impacts Millions Globally | Ticketmaster discovered unauthorized access to a cloud-based Snowflake database, resulting in a significant data breach.
Hackers obtained millions of customers' personal information including full names, contact details, and credit card information between April 2 and May 18, 2024.
The threat actor, ShinyHunters, began selling the stolen data, including detailed personal and payment information for 560 million users.
Customers were advised to stay vigilant against potential identity theft and fraud, with Ticketmaster offering one year of free identity monitoring.
Ticketmaster's internal security failed to enforce multi-factor authentication, which facilitated the unauthorized access.
The breach was part of a larger pattern of attacks targeting Snowflake accounts with insufficient security measures, affecting several high-profile organizations.
This incident is one of many linked to ShinyHunters and other attackers focusing on exploiting weaknesses in cloud data storage. | Details |
| 2024-06-28 16:22:55 | thehackernews | NATION STATE ACTIVITY | North Korean Kimsuky Group Uses Chrome Extension for Espionage | Kimsuky, a North Korean hacking group, has deployed a malicious Google Chrome extension named TRANSLATEXT to steal sensitive data.
The extension targets South Korean academics specializing in North Korean affairs, harvesting emails, passwords, cookies, and browser screenshots.
This cyber espionage activity also involves exploiting a Microsoft Office vulnerability (CVE-2017-11882) to distribute a keylogger and deploy espionage tools in the aerospace and defense sectors.
The malicious files were initially delivered via a ZIP archive, disguised as historical content on the Korean military, which contains malware-triggering components.
Kimsuky utilizes spear-phishing and social engineering tactics to start the infection chain, further highlighted by the recent use of job-themed lures.
The threat actor manages to maintain control and execute secondary payloads through a backdoor tool named Niki, allowing deep access and control over compromised machines.
Stolen data and command retrievals are channeled through a GitHub account briefly used to host the TRANSLATEXT extension, which mimics a legitimate Google Translate extension.
The focus of Kimsuky's attacks emphasizes intelligence collection from governmental and academic figures, aligning with North Korea's strategic objectives to gather international intelligence. | Details |
| 2024-06-28 15:00:48 | theregister | MISCELLANEOUS | Exclusive Webinar on Innovations in Identity Security | Industry experts will discuss the evolving digital landscape and the increasing importance of securing identities.
The webinar, titled “The New GitHub Flavored Markdown Meaning of Identity Security,” aims to provide insights into the latest identity security technologies and trends.
Participants will learn innovative strategies for protecting identities against emerging threats.
Best practices for implementing effective identity security measures will be explored.
Real-world case studies on successful security transformations will be highlighted.
The event is scheduled for July 17 at various global times, emphasizing accessibility for a broad audience.
Attendees are encouraged to secure their spots to gain valuable knowledge on navigating the complexities of modern identity security.
The webinar is sponsored by tech giant Cisco, ensuring high-profile industry insights. | Details |
| 2024-06-28 14:45:16 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Suspected in Recent TeamViewer Corporate Breach | TeamViewer experienced a cybersecurity breach, attributed to the Russian state-backed group Midnight Blizzard.
The intrusion involved the misuse of credentials from an employee's standard account within TeamViewer's corporate IT environment.
Initial investigations suggest that the hackers did not access the production environment or customer data.
TeamViewer has emphasized the separation between their corporate network and production systems as a protective measure.
Cybersecurity measures, including multi-factor authentication and monitoring network connections, are recommended for TeamViewer users.
The scope of the cybersecurity breach remains under investigation, raising concerns about potential undisclosed impacts.
TeamViewer is working with external incident response experts to manage the situation and prevent further intrusions. | Details |
| 2024-06-28 14:34:50 | theregister | MISCELLANEOUS | Google Ends Trust for Entrust's Certificates Due to Failures | Google has announced it will no longer trust TLS server authentication certificates from Entrust starting November 1, due to a series of compliance failures and unmet improvement commitments.
This decision will affect Chrome users on all major operating systems except iOS, where Chrome does not perform its own certificate verification.
Previously, Mozilla also highlighted issues with Entrust's certificate management, noting procedural failures and a lack of tangible improvements.
Entrust has acknowledged their failures and expressed commitment to addressing the issues and continuing their public TLS certificate services.
Certificates issued before October 31 will remain trusted in Chrome as long as they comply with specified roots, and enterprises can manually trust these roots or override the constraints in their internal networks.
The move serves as a broader industry reminder of the high standards expected of certificate authorities in maintaining secure and trusted internet encryption practices.
Google emphasizes the role of certificate authorities in upholding encrypted connections and the necessity for adherence to security and compliance expectations. | Details |
| 2024-06-28 14:24:28 | thehackernews | MALWARE | GitLab Issues Security Patch for Critical Vulnerability | GitLab has updated its software to address 14 different security vulnerabilities.
One particularly critical flaw (CVE-2024-5655), with a CVSS score of 9.6, could allow attackers to impersonate users and trigger CI/CD pipelines.
The vulnerabilities affected both the Community and Enterprise editions of GitLab, specifically versions: 17.1.1, 17.0.3, and 16.11.5.
Two significant changes include the disabling of GraphQL authentication using CI_JOB_TOKEN and preventing automatic pipeline runs on merge request retargeting.
There is currently no evidence of the vulnerabilities being exploited in the wild.
Users are strongly encouraged to install the latest patches to secure their systems against potential exploitation. | Details |
| 2024-06-28 13:28:02 | theregister | MISCELLANEOUS | Microsoft Faces Security Alerts Due to Expired TLS Certificates | Microsoft has once again encountered issues with the expiration of TLS certificates, leading to security warnings in Microsoft 365 and Office Online.
An Australian reader noted security software alerts about insecure connections on cdn.uci.officeapps.live.com, which is a key endpoint for Microsoft services.
The TLS certificate in question was valid from August 18, 2023, to June 27, 2024, but it expired, causing disruptions and error messages for users.
Users reported problems such as error codes when opening Microsoft Word, indicating issues with approximately 200 PCs.
This is not the first instance of Microsoft failing to renew certificates on time; similar issues occurred in 2022 with the Windows Insider subdomain.
Microsoft's Azure ECC TLS Issuing CA 01 has also expired, potentially complicating the situation further due to additional expired certificates issued by the service.
There has been noticeable feedback on Microsoft's forums from affected users, and Microsoft is reportedly working on addressing the problem and improving their certificate management strategies.
Microsoft's habitual certificate management errors stress the importance of diligent digital infrastructure maintenance to avoid service outages and security vulnerabilities. | Details |
| 2024-06-28 13:02:12 | bleepingcomputer | CYBERCRIME | Supply Chain Attack Hits Multiple CDNs, Linked to Single Operator | A large-scale supply chain attack impacting CDNs including Polyfill.io, BootCDN, Bootcss, and Staticfile affected millions of websites.
The attack traced back to a common operator due to exposed Cloudflare API keys in a public GitHub repository.
The leak occurred due to negligent security practices, specifically the public upload of a .env file containing sensitive API keys and tokens.
Researchers identified that all four affected domains were managed under a singular Cloudflare user account.
MalwareHunterTeam and other researchers voiced concerns over the scope of impact, suggesting a wider attack than initially thought.
Additional attacks have been traced back to at least June 2023, with primitive versions of the malicious code circulating since then.
The article discusses ongoing actions and suggests the potential for future related attacks, given multiple domains still being registered under associated operators.
Key stakeholders are advised to monitor and possibly replace their use of affected CDN services with safer alternatives provided by reputable organizations. | Details |
| 2024-06-28 12:00:51 | thehackernews | CYBERCRIME | 8220 Gang Used Oracle WebLogic Flaws for Crypto Mining | The 8220 Gang exploited vulnerabilities in Oracle WebLogic Server for cryptocurrency mining activities.
Trend Micro has identified the cybercriminal group under the alias Water Sigbin.
Exploited vulnerabilities included CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839.
The attack involves complex fileless malware techniques that allow code execution directly in memory to avoid detection.
Malware deployment stages include using PowerShell scripts, mimicking legitimate applications, and extracting system information.
Malicious activities also encompass establishing persistence on the system and evading Windows Defender Antivirus.
Additionally, the gang operates the k4spreader tool to spread botnet and mining malware using other server vulnerabilities.
Security initiatives must continuously scan for and address vulnerabilities to mitigate such threats. | Details |