Daily Brief

SaaS adoption is increasing, yet many enterprises have not updated their security strategies or tools to address SaaS-specific threats. Traditional on-prem security controls are ineffective in the SaaS environment, where visibility is limited and security responsibilities are shared with vendors. Each SaaS application has unique security settings that often change, making it hard for security teams to monitor threats effectively. Threat actors use sophisticated techniques like session hijacking and lateral movements within interconnected SaaS platforms to exploit vulnerabilities. IBM states data breaches in 2023 have grown to cost an average of $4.45 million each, highlighting the financial impact of inadequate SaaS security. Continuous monitoring, inventive machine identity management, and the implementation of Zero Trust architecture in SaaS environments are crucial for enhanced protection. Proper hygiene, robust inventory of machine identities, and a SaaS-specific security review process are essential to detect and mitigate threats early.

Security researchers from Graz University of Technology have unveiled a new side-channel attack dubbed SnailLoad, capable of spying on individuals' web activities without direct system access. SnailLoad manipulates network latency, a common bottleneck in internet connections, to infer the webpages and videos accessed by a user. The technique does not require an adversary-in-the-middle position, physical proximity, or user interaction, relying solely on network packet timing to gather intelligence. Attackers induce a target to download a benign file from a controlled server, then measure delays in network response to analyze and infer user activities. A convolutional neural network (CNN) refined with data from similar network environments is used to translate latency variations into accurate predictions of the user’s online behavior, achieving up to 98% accuracy in video identification. This attack introduces no malicious code and operates by merely monitoring prolonged data transmission times ("snail pace"), highlighting vulnerabilities in how routers handle Network Address Translation (NAT). The findings also include a disclosure of router firmware issues involving TCP sequence randomization, potentially allowing attackers to manipulate web traffic or orchestrate denial-of-service attacks. Patches to address these vulnerabilities are being developed by router vendors and the OpenWrt community.

Researchers from the operational technology (OT) security firm Claroty have discovered multiple vulnerabilities in Emerson Rosemount gas chromatographs, specifically affecting models GC370XA, GC700XA, and GC1500XA (versions 4.1.5 and earlier). The vulnerabilities include two command injection flaws and two authentication and authorization issues, which could be exploited by unauthenticated attackers. These security gaps could potentially allow attackers to bypass authentication, execute arbitrary commands, access sensitive information, and induce a denial-of-service (DoS) state. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that exploitation of these flaws could lead to unauthorized access and control over the gas chromatograph systems. Emerson has released an updated version of the firmware to patch these security vulnerabilities and is advising users to adhere to cybersecurity best practices and ensure these devices are not directly accessible via the internet. Another report from Nozomi Networks unveiled similar vulnerabilities in AiLux RTU62351B, Proges Plus temperature monitoring devices, and related software, highlighting the pervasive risks in connected industrial devices. These other flaws remain unpatched and pose a significant risk, including the potential manipulation of medical monitoring systems and spoilage of temperature-sensitive pharmaceuticals due to DoS attacks.

Microsoft's latest findings reveal the 'Skeleton Key' attack, capable of coaxing AI models to generate harmful content, despite safety guardrails. Several prominent AI models, including Meta Llama3-70b-instruct and Google Gemini Pro, were tested and found susceptible to the Skeleton Key technique. Attackers can manipulate AI to produce forbidden content through simple textual prompts that subtly alter the AI's behavior guidelines. Microsoft's tests demonstrated that while most AI models honored the modified prompt with a warning, OpenAI's GPT-4 resisted direct prompts but succumbed to system message modifications. Microsoft, at a recent conference, shed light on emerging risks and their efforts to introduce tools like 'Prompt Shields' to prevent such vulnerabilities. Notably, the attack surface extends across various AI platforms demonstrating weaknesses in the current design and implementation of behavior guardrails in AI technologies. The University of Maryland's researchers suggest that attacks like Skeleton Key might be mitigated more effectively with robust input/output filtering or tailored system prompts.

TeamViewer disclosed a security breach in its internal corporate IT environment identified on June 26, 2024. The company activated its response team and has been collaborating with global cyber security experts to contain and remediate the issue. There is no evidence suggesting any customer data compromise, and the corporate IT environment is segregated from the product environment. The breach's origin and method remain unclear, but an ongoing investigation is expected to provide further insights. TeamViewer is widely used for remote monitoring and management by over 600,000 customers. The Health-ISAC has warned that APT29, a state-sponsored actor linked to the Russian SVR, is actively exploiting TeamViewer in broader cyber-attacks. APT29 historically breached major corporations like Microsoft and HPE, also impacting some customer communications according to Microsoft's recent statements.

Polyfill.io's domain has been shut down by Namecheap following accusations of incorporating suspicious code into users' websites, potentially harming a vast number of internet users. Cloudflare and security experts have warned about a supply chain risk involving Polyfill.io, alleging the service was altering its JavaScript offerings to include malicious scripts. Security firm Sansec detailed the malicious code, which targets mobile users with redirections to a fake sports betting site and includes features to avoid detection and analysis. Consequent to these security concerns, Cloudflare has introduced an automatic JavaScript URL rewriting service to protect sites by replacing potentially harmful Polyfill.io code. Despite the allegations, the owner of Polyfill.io denies any wrongdoing, attributing the claims to slander and malicious defamation, and has relaunched the site under a new domain. Following the initial sale of the Polyfill.io domain and related assets, various inconsistencies and suspicions about the new owner's actual location and legitimacy have surfaced. The controversy continues with Polyfill expressing intentions to develop and expand a new global CDN product, claiming substantial funding and competitive goals against Cloudflare.

TeamViewer detected an "irregularity" in its corporate IT network, indicating a security breach. The anomaly was discovered within TeamViewer’s corporate environment and immediate measures including incident response were activated. TeamViewer asserts that their product environments and customer data were not affected. Investigations are ongoing with a focus on system integrity, assisted by cybersecurity experts. NCCI Group has informed clients about an APT group's significant compromise of the TeamViewer platform. US Health Information Sharing and Analysis Center (H-ISAC) has issued a warning about active cyberthreats exploiting TeamViewer, particularly citing APT29, possibly linked to Russian intelligence. TeamViewer continues to withhold detailed information on the nature of the incident, citing ongoing investigations.

Geisinger, a major healthcare provider in Pennsylvania, announced a data breach involving unauthorized access by a former Nuance employee. The breach exposed data of over 1 million patients but did not include sensitive financial details like SSN or bank information. The unauthorized access occurred in November 2023, shortly after the employee was terminated from Nuance. Nuance acted swiftly to revoke the ex-employee's access and informed law enforcement, leading to the individual's arrest. The type of patient information compromised varied depending on the services utilized by each patient. Geisinger has advised potentially affected individuals to monitor their health statements and alert their insurers to any discrepancies. Law firm Lynch Carpenter is investigating the breach's extent, potentially leading to a class action lawsuit against Geisinger.

BlackSuit ransomware gang recently targeted KADOKAWA corporation, jeopardizing operations across its film, publishing, and gaming sectors. The cyberattack on June 8 disrupted multiple KADOKAWA websites and encrypted data across the company’s hosted services. Ransomware impact extended to subsidiaries including the Niconico video-sharing platform, still inoperative as per the latest updates. BlackSuit threatened to release stolen data including confidential documents and financial records by July 1 unless a ransom is paid. KADOKAWA is focusing on restoring key operational features like accounting and plans a secure overhaul of its network and server infrastructures. BlackSuit is identified as a rebranded continuation of the Royal ransomware operation, with suspected ties to the defunct Conti cybercrime group. The ransomware operation, implicated in global attacks on over 350 organizations since September 2022, has amassed substantial ransom demands.

Black Suit ransomware gang claimed responsibility for a cyberattack on KADOKAWA corporation, threatening to release stolen data unless a ransom is paid. KADOKAWA, a major Japanese media firm with interests in film, publishing, and gaming, reported service outages due to the cyberattack on June 8. The ransomware encrypted data in a data center affecting numerous KADOKAWA operations and subsidiaries, including the popular video-sharing platform Niconico. Despite ongoing recovery efforts, most KADOKAWA services remain disrupted, with a focus on restoring critical accounting and manufacturing functions by early July. BlackSuit, a rebrand of Royal ransomware linked to the defunct Conti group, published a sample of the stolen data and set a publish date for the rest on July 1. The FBI and CISA have identified BlackSuit ransomware in attacks on over 350 organizations globally since September 2022, accumulating over $275 million in ransom demands.

Unfurling Hemlock, a new threat actor, employs a distinctive strategy termed a "malware cluster bomb" to deliver multiple malware types simultaneously. The primary distribution methods include malicious emails and malware loaders, with attacks beginning via a file named 'WEXTRACT.EXE'. The malicious executable is structured in nested levels, each containing a different malware payload, deploying between four to ten malware types per attack. Unfurling Hemlock has been active since at least February 2023, with a significant proportion of the attacks targeting the United States. KrakenLabs has identified over 50,000 files associated with these attacks, all featuring similar unique characteristics. The types of malware distributed include information stealers, botnets, and backdoors. Outpost24 advises users to employ up-to-date antivirus tools to scan downloaded files, underlining that the malware used is well-known and detectable by security software.

The U.S. Department of Justice has indicted Russian GRU operative Amin Timovich Stigal for launching cyberattacks on Ukrainian government networks and other entities. Stigal utilized WhisperGate malware, initially disguised as ransomware, to irreversibly corrupt and wipe data across numerous Ukrainian government systems. The attacks included theft and public exposure of sensitive data, such as health records, aimed at instilling panic and distrust among the Ukrainian population. These cyber operations, which began before the Russian invasion, also targeted countries supporting Ukraine and extended to probing U.S. federal agencies. The U.S. government is offering a $10 million reward for information leading to Stigal's arrest, available through a secure channel using the Tor network. If convicted, Stigal could face up to five years in prison for his involvement in these international cyberattacks against Ukraine, the U.S., and NATO allies.

TeamViewer's corporate network was compromised, suspecting involvement by the APT group, APT29. There is no current evidence of breach in TeamViewer’s product environment or customer data. Investigations in collaboration with global cyber security experts are underway, with remediation efforts already activated. TeamViewer aims to maintain transparency with ongoing status updates, despite search engine indexing restrictions. This incident raises global concern due to TeamViewer's extensive customer base and installation across over 2.5 billion devices. External alerts from NCC Group and Health-ISAC indicate the targeting of TeamViewer by APT29, known for its connections to Russian intelligence. TeamViewer emphasizes the separation of its internal corporate IT and product environments to reassure customers of product safety.

A severe vulnerability, identified as CVE-2024-5655 with a 9.6 CVSS score, has been found in GitLab Community and Enterprise Editions. Attackers could exploit this flaw to execute pipelines as any GitLab user, compromising both software integrity and data security. Affected versions include GitLab CE/EE from 15.8 through 17.1.0, with patches available in versions 17.1.1, 17.0.3, and 16.11.5. Users are urged to update immediately to mitigate risks, though they should be cautious of two breaking changes introduced with the patches. The update also rectifies additional 13 security issues, with three classified as high severity, enhancing overall platform security. GitLab is widely utilized with over one million active users, emphasizing the high impact of this security loophole. Comprehensive update resources and guidelines for GitLab Runner are publically available to aid users in securing their environments.

P2PInagect botnet, originally dormant, now actively targets misconfigured Redis servers, deploying ransomware and cryptocurrency mining modules. The malware has evolved to target multiple hardware architectures and incorporates a variety of attack techniques, including rootkits and SSH password spraying. New updates enable P2PInfect to scan for vulnerable servers across the internet, changing user passwords and escalating privileges to maintain control and prevent other attacks. The botnet operates on a peer-to-peer model, distributing updates via a gossip mechanism, allowing rapid propagation of new malicious binaries across the network. Recent changes include the addition of both miner and low-ransom demanding ransomware payloads, optimizing for low-value, widespread impact. The malware utilizes usermode rootkits leveraging the LD_PRELOAD variable to conceal its presence, a method also seen in other cryptojacking groups. The dual use of different wallet addresses for the miner and ransomware suggests potential use of the botnet for hire in broader cybercriminal activities. Security analysis indicates that while the miner is more profitable due to persistent resource usage, the effectiveness of the ransomware is limited by the nature of the targeted servers.