Daily Brief
Total articles found: 11824
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-26 00:48:09 | theregister | DATA BREACH | Massive Patient Data Theft Linked to Lax Subsidiary Security Practices | Geisinger, a major US healthcare provider, announced that over a million patient records may have been stolen following a security breach tied to Microsoft-owned Nuance Communications. The breach was attributed to a former Nuance employee who retained access to sensitive files after being terminated and extracted data two days after dismissal. The compromised data included birth dates, addresses, hospital admission and discharge records, and other personal medical details; no financial information was reportedly taken. Nuance and Geisinger cooperated with law enforcement, leading to the arrest of the ex-employee on federal charges, although the specific charges have not been disclosed. The incident follows previous accusations against Nuance for similar security failings, including a 2018 incident involving the San Francisco Department of Public Health. Jonathan Friesen, Geisinger's chief privacy officer, expressed regret over the incident and confirmed ongoing cooperation with authorities. The incident reflects poorly on Microsoft, adding to broader criticism of its subsidiary's lax security measures and raising concerns about national security implications. |
| 2024-06-25 23:51:49 | theregister | MALWARE | Over 100,000 Websites Infected After Malicious Takeover of Polyfill.io | More than 100,000 websites are serving malware after the polyfill.io domain was taken over by Chinese CDN operator Funnull. Security experts urge the immediate removal of all scripts sourced from polyfill.io to prevent further malicious activity. Google has started blocking ads on affected websites to limit the number of victims and has notified site owners of the risk. The domain originally offered JavaScript polyfills that added modern functionality to older browsers, but it now serves malicious code. Funnull's acquisition of the polyfill.io domain and its GitHub account in February has led to a large-scale web supply chain attack. Websites such as JSTOR, Intuit, and the World Economic Forum, which used the service, may be compromised. Alternative CDN endpoints from providers such as Fastly and Cloudflare have been set up as safe replacements for the compromised service. The malware injection is dynamic and depends on the HTTP headers sent by the visitor's device, which yields a range of potential attack vectors. |
| 2024-06-25 20:32:47 | theregister | DATA BREACH | Neiman Marcus Hit by Data Theft; Personal Info Sold on Dark Web | Neiman Marcus customer data was stolen from the company's Snowflake storage and offered for sale for $150,000 on the dark web. An intruder accessed the personal information of 64,472 customers, including names, contact details, birth dates, and gift card numbers. Multi-factor authentication (MFA) may not have been enabled, a common oversight in the recent Snowflake breaches. Upon discovery, Neiman Marcus disabled access to the compromised database, initiated a cybersecurity investigation, and informed law enforcement. A spokesperson confirmed the data did not include credit card details but did include some Social Security number digits and extensive customer transaction data. Neiman Marcus has pledged to strengthen its security measures following the breach. The breach is part of a larger pattern, with at least 165 organizations affected by similar Snowflake-linked data thefts. |
| 2024-06-25 19:26:19 | bleepingcomputer | MALWARE | Malware Compromise Affects WordPress Plugins, Threatens Thousands of Sites | Plugins on WordPress.org were modified to include backdoors as part of a supply chain attack that compromised at least five plugins. Malicious PHP scripts were injected to create unauthorized admin accounts and insert SEO spam. The attack was detected by Wordfence, which promptly notified the plugin developers; most affected products have since been patched. Over 35,000 websites could be affected, and immediate malware scans are recommended for sites showing suspicious admin accounts or network traffic. The compromised plugins were identified between June 21 and June 22, though the exact method of the breach remains under investigation. The backdoor allows attackers to create admin accounts named "Options" and "PluginAuth" and send data to an attacker-controlled IP address. Some affected plugins were temporarily removed from WordPress.org, which may trigger user warnings even on updated and secured versions. |
| 2024-06-25 18:30:05 | theregister | CYBERCRIME | Crypto Scammers Impersonate Lawyers, Defraud Victims of $10M | The FBI reported that crypto scammers stole approximately $10 million by posing as attorneys who could help recover lost cryptocurrency. Between February 2023 and 2024, these criminals targeted U.S. victims already hit by earlier scams, offering fraudulent recovery services for a fee. Fake law firms contacted victims through social media and messaging platforms, falsely claiming authority to conduct fraud investigations and sometimes impersonating government agencies. Scammers required victims to pay up-front fees for services, taxes, and other charges, and often ceased communication once payments were received. The FBI's Internet Crime Complaint Center (IC3) specifically warns against this type of fraud, advising victims to verify any such recovery service and confirm any claimed affiliation with a legitimate agency. Consumers and businesses are advised to be cautious and to refrain from sharing personal or financial information with unverified parties. The Department of Financial Protection and Innovation provides resources such as a crypto scam tracker to help the public identify known scams. This scam is part of a larger trend in which crypto-related crimes have caused substantial financial losses, exceeding those caused by ransomware in terms of damage to the U.S. economy. |
| 2024-06-25 18:14:32 | bleepingcomputer | CYBERCRIME | Over 100,000 Websites Compromised in Polyfill.io Supply Chain Attack | The Polyfill.io service, used to enable modern JavaScript functionality on older browsers, was compromised after its acquisition by the Chinese company Funnull. Cybersecurity firm Sansec warned that the domain and associated GitHub account were purchased by Funnull, which then modified the script to inject malicious code. The malicious script redirects users to scam sites, such as fake sportsbook sites, via a deceptive Google Analytics look-alike domain and specific URL redirects. Cloudflare and Fastly have established trusted mirrors of the Polyfill.io service to mitigate the risk and ensure continuity for users who depend on its functionality. The original Polyfill service developer noted that most modern web platforms adopt new features quickly, reducing the need for such polyfills. Google has started notifying advertisers of the potential risks posed by these redirects, which may affect landing page traffic and integrity. The security research community has found it difficult to fully analyze the script because of its anti-reverse-engineering protections and targeted activation criteria. |
| 2024-06-25 17:02:58 | bleepingcomputer | MALWARE | New Medusa Malware Variant Targets Users in Seven Nations | The Medusa banking trojan, also known as TangleBot, is actively targeting Android users in France, Italy, the US, Canada, Spain, the UK, and Turkey with sophisticated new variants. Activity observed since May shows the malware requires fewer permissions but includes advanced features such as full-screen overlays and screenshot capture to facilitate fraudulent transactions. Distribution is associated with five different botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) and relies on SMS phishing to install malicious dropper apps. The dropper apps masquerade as legitimate applications such as the Chrome browser, 5G apps, and a streaming app named 4K Sports, with UEFA EURO 2024 used as bait. Medusa's infrastructure uses public social media profiles to dynamically fetch command-and-control server URLs, centralizing campaign coordination. The enhanced variants have minimized their footprint on devices while retaining the permissions needed to abuse Android's Accessibility Services, which is crucial for executing malicious tasks undetected. Recent changes include the removal of 17 commands from the malware and the addition of five new ones, increasing its stealth and functionality. Although not yet observed on Google Play, the growing participation in the malware-as-a-service (MaaS) operation indicates an increasing threat level and more sophisticated distribution methods. |
| 2024-06-25 14:54:55 | bleepingcomputer | DATA BREACH | Neiman Marcus Reports Data Breach Affecting Over 64,000 People | Neiman Marcus confirmed a data breach affecting 64,472 individuals due to unauthorized access to its Snowflake database platform. Hackers accessed personal information including names, contact details, dates of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers. The breach was discovered after an online attempt to sell the stolen data; the data thief is associated with the recent wide-scale Snowflake data thefts. Although gift card numbers were exposed, the gift card PINs were not, so the cards remain usable. Neiman Marcus disabled access to the compromised database and worked with cybersecurity experts and law enforcement in its response. The incident is linked to UNC5537, a financially motivated threat actor known for using stolen credentials to breach accounts and extort organizations. The absence of multi-factor authentication on the affected accounts enabled the unauthorized access, highlighting the importance of stronger security controls. |
| 2024-06-25 14:44:27 | bleepingcomputer | DATA BREACH | Neiman Marcus Hit by Data Breach Linked to Snowflake Attacks | Neiman Marcus confirmed a data breach affecting 64,472 individuals after hackers attempted to sell the stolen data. A third party gained unauthorized access to a database between April and May 2024, exposing personal details such as names, contact information, dates of birth, and gift card numbers. The breach is connected to a larger series of data thefts involving Snowflake database platforms, with a threat actor named "Sp1d3r" attempting to sell the data. Although gift card numbers were exposed, the PINs were not compromised, so the gift cards remain valid. Neiman Marcus responded by disabling the affected database platform, investigating with cybersecurity experts, and contacting law enforcement. "Sp1d3r" reportedly tried to extort Neiman Marcus before offering the data on a hacking forum; the listing was later removed, possibly because of negotiation talks. A broader investigation involving Snowflake, Mandiant, and CrowdStrike has linked the threat actor tracked as UNC5537 to breaches affecting at least 165 organizations. |
| 2024-06-25 14:13:33 | bleepingcomputer | CYBERCRIME | FBI Alerts on Fake Law Firms Scamming Crypto Victims | The FBI has issued a warning about cybercriminals posing as law firms that offer cryptocurrency recovery services to victims of investment scams. The scammers convince victims of their legitimacy by falsely claiming associations with legitimate government agencies such as the FBI and with financial institutions. The fraudulent outfits typically ask for personal information and payment while falsely promising to recover lost digital assets. From February 2023 to February 2024, victims paid over $9 million to these fake recovery services, according to IC3 data. Government and state-level authorities can track and potentially recover stolen cryptocurrency, but they do not charge fees or proactively contact victims for personal information. The public is advised to thoroughly investigate any service claiming it can recover cryptocurrency and to report suspicious interactions to the IC3. No private company is authorized to issue seizure orders for digital assets, so many social media and internet ads making such claims are scams targeting new victims. |
| 2024-06-25 14:03:06 | bleepingcomputer | MISCELLANEOUS | Why Switching From Passwords to Passphrases Enhances Security | Passphrases are increasingly preferred over complex passwords because they are easier to remember while offering equivalent or better security. Verizon reports that 83% of cyberattacks begin with stolen credentials, underscoring the need for stronger authentication. Traditional complex passwords, often shaped by predictable user behavior, are vulnerable to brute-force and hybrid dictionary attacks. A Bitwarden study found that 84% of users admit to reusing passwords across multiple platforms, increasing the risk of breaches. The National Institute of Standards and Technology (NIST) and the FBI advocate passphrases longer than 15 characters as offering better protection against breaches. The UK's National Cyber Security Centre and the Canadian Centre for Cyber Security recommend passphrases of at least three or four random words. Specops Software offers solutions such as Specops Password Policy and Authentication Client that ease the transition to passphrases while improving the user experience. Moving to passphrases can improve security and user convenience at the same time, and longer phrases reduce the frequency of password resets. |
| 2024-06-25 13:47:29 | theregister | CYBERCRIME | CISA Alerts High-Risk Chemical Facilities of Ivanti Breach | CISA has issued an urgent call to high-risk chemical facilities to secure their online platforms following a breach that exploited vulnerabilities in Ivanti products. The Chemical Security Assessment Tool (CSAT) portal was compromised, potentially exposing sensitive security data of facilities that store dangerous chemicals. Three vulnerabilities in Ivanti devices (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893) were used by the attackers; the issues were added to CISA's KEV catalog with a 48-hour patching deadline. Although malicious activity was detected and the attackers installed an advanced webshell, CISA confirmed there was no evidence of data exfiltration and that all sensitive data remained encrypted. The exposed data included Top-Screen surveys and security vulnerability assessments from chemical facilities, which, had they not been encrypted, could have revealed detailed information about the chemicals stored and facility weaknesses. CISA has encouraged CSAT account holders to change their passwords and is arranging identity protection services for individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023. No evidence was found of malicious use of the accessed data, but notifications were sent to potentially affected entities and individuals as a precaution. |
| 2024-06-25 12:05:31 | theregister | RANSOMWARE | UK and US Law Enforcement Unite to Counter Qilin's Ransomware Attacks | UK and US law enforcement agencies are collaborating against the Qilin ransomware group, which has targeted healthcare systems worldwide, including the NHS. In June, Qilin launched a major ransomware attack on Synnovis, a provider for NHS hospitals in London, causing widespread disruption including surgery cancellations. Following the attack, Qilin leaked sensitive patient data online, though investigations have so far found no evidence that the main patient database has been published. Qilin's activities extend internationally; the group has stolen substantial amounts of data from over half a million US radiology patients. The gang demanded a $50 million ransom, which was not paid, after which it released millions of patient records on the dark web. The UK's National Crime Agency and international partners, including the FBI, are intensifying efforts to limit the damage and pursue the perpetrators. Recent warnings from the US Department of Health have identified multiple Qilin attacks on a range of healthcare services across the US since October 2022. |
| 2024-06-25 10:59:12 | thehackernews | MALWARE | New 'Boolka' Cyberthreat Deploys BMANAGER Trojan via SQLi | Group-IB researchers identified a new threat actor, Boolka, that uses SQL injection to compromise websites. Boolka plants malicious JavaScript on victim websites to intercept and collect user data, which is then Base64-encoded. The JavaScript contacts a command-and-control server at "boolka[.]tk" to orchestrate data exfiltration. Fake browser extension downloads are used to further infect visitors' systems with the BMANAGER trojan. BMANAGER installs and uses additional malicious modules such as BMBACKUP, BMHOOK, BMLOG, and BMREADER for data theft and surveillance. The malware establishes persistence on infected hosts via scheduled tasks and keeps a local SQL database for data storage. Boolka has grown noticeably more sophisticated since its attacks began in 2022 and now develops its own malware distribution frameworks. Continued mitigation is emphasized given the increasing sophistication and adaptability of threats like Boolka. |
| 2024-06-25 10:43:41 | thehackernews | MALWARE | New Attack Technique Utilizes Microsoft Console Files for Malware | Threat actors have developed a new technique that uses Microsoft Management Console (MMC) files to bypass security measures and execute malicious code. The approach, named GrimResource, involves specially crafted management saved console (MSC) files that exploit weaknesses in MMC libraries. Combined with DotNetToJScript, the technique allows arbitrary code execution, leading to unauthorized system access and control. The method exploits a known XSS flaw in the apds.dll library that has remained unpatched since it was reported to both Microsoft and Adobe in late 2018. A recent example involves the North Korea-linked Kimsuky hacking group using a malicious MSC file to deliver malware. Elastic Security Labs discovered the technique while analyzing an artifact uploaded to the VirusTotal platform, highlighting the ongoing evolution of attack methods. Despite Microsoft's efforts to restrict malware delivery via commonly abused file types, attackers continue to find alternative vehicles such as MSC files. |