Daily Brief


Total articles found: 11824


2024-06-24 15:04:03 thehackernews MISCELLANEOUS Google Launches Project Naptime for AI-Driven Security Research
Google has unveiled Project Naptime, an AI framework designed to improve how vulnerabilities are discovered and analyzed. Project Naptime drives a large language model (LLM) through the workflow a human security researcher follows when identifying and demonstrating a vulnerability. Its key components are a Code Browser for code navigation, a sandboxed Python tool for script execution, a Debugger for observing program behavior, and a Reporter for tracking progress. Because the agent runs autonomously, human researchers can "take regular naps" while it works. The architecture supports multiple models and backends, and Google reports strong results on complex bug classes such as buffer overflows and advanced memory corruption. On the CYBERSECEVAL 2 benchmark, Naptime scored significantly higher at reproducing and exploiting security flaws than the benchmark's original baseline runs of OpenAI GPT-4 Turbo. The initiative reflects Google's broader push to integrate advanced AI capabilities into cybersecurity practice.
2024-06-24 14:58:42 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Suspected in CoinStats Wallet Breach
CoinStats, a cryptocurrency portfolio management app, reported a security breach affecting 1,590 of its hosted wallets, which is about 1.3% of all such wallets on their platform. The breach, suspected to be executed by North Korean hackers, potentially linked to the notorious Lazarus Group, did not affect the externally connected wallets or centralized exchanges. Users whose wallets were hosted directly on CoinStats and appeared on the compromised list were advised to immediately transfer remaining funds to external wallets. Despite sharing a list of compromised wallets, there are reports from users indicating unauthorized withdrawals from wallets not included in the initial list, hinting at a possibly larger impact. Scammers are exploiting the situation by promoting fake refund programs through social media, aiming to deceive users into giving away access to their cryptocurrencies. CoinStats has currently shut down its website and app as it continues to investigate and address the security breach.
2024-06-24 14:43:01 theregister MALWARE Mirai-Like Botnet Attacks on Outdated Zyxel NAS Devices Reported
Critical vulnerabilities in end-of-life Zyxel NAS devices are being exploited by a Mirai-like botnet. The Shadowserver Foundation detected active remote command execution attempts, signaling an imminent threat to unpatched NAS devices. CVE-2024-29973, a command injection flaw rated 9.8, was disclosed in early June alongside two other critical vulnerabilities. Owners are urged to apply the patches immediately or replace the outdated hardware. The activity is part of a broader Mirai resurgence in which new exploits are being folded into IoT-targeting botnets, Zyxel devices among them; such botnets thrive on the minimal security defenses typical of older NAS units. Although the models are end-of-life, Zyxel published fixes: V5.21(AAZF.17)C0 for the NAS326 and V5.21(ABAG.14)C0 for the NAS542, with a recommendation to apply them promptly.
2024-06-24 14:07:06 bleepingcomputer MISCELLANEOUS Evaluating Cybersecurity Vendors on Vulnerability Disclosure Practices
Cybersecurity vendors must prioritize robust security throughout the product lifecycle and continuously improve. Vendors' responses to discovered flaws range from public disclosure to silent fixes, and the latter can leave users at risk or inadequately prepared. Organizations are encouraged to engage with vendors that demonstrate a commitment to responsible development and standardized, ethical disclosure practices. It is critical for vendors to conduct thorough internal and external testing to find vulnerabilities before malicious actors can exploit them. The ratio of internally to externally discovered vulnerabilities is one indicator of a vendor's diligence and the effectiveness of its proactive security testing. Responsible disclosure allows efficient remediation and gives users the chance to take preemptive protective measures. Vendors should maintain transparent, documented vulnerability disclosure processes to foster trust and protect clients. Assessing a vendor's adherence to industry best practices and policies, such as CISA's Secure by Design, is crucial when choosing a cybersecurity provider.
2024-06-24 13:56:40 thehackernews CYBERCRIME Critical Security Flaw Uncovered in Ollama AI Deployment Tool
A severe remote code execution (RCE) vulnerability, designated CVE-2024-37032, was discovered in the Ollama open-source AI infrastructure platform. The vulnerability, named Probllama, is a path traversal caused by inadequate input validation that lets an attacker overwrite arbitrary files on the server. Exploitation involves sending specially crafted HTTP requests to the Ollama API server's "/api/pull" endpoint, which fetches model manifests from a registry an attacker can control. Researchers noted that the API has no built-in authentication, and that Docker deployments commonly expose it to the network and run it with root privileges, which made remote exploitation far easier. The issue was responsibly disclosed to the developers by the security firm Wiz on May 5, 2024, and patched two days later; the fix shipped in version 0.1.34. Over 1,000 unprotected Ollama instances were reportedly exposed online, potentially giving attackers access to multiple AI models and self-hosted AI servers. The disclosure shows that classic vulnerability classes like path traversal persist in modern AI infrastructure even in projects written in memory-safe languages. In broader context, the AI security company Protect AI reported 60 additional security defects across various open-source AI/ML tools, underscoring growing concern about AI supply-chain security.
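The bug class behind Probllama, as an added example that is not Ollama's code: a remote manifest supplies a layer digest, and the vulnerable pattern uses that digest as a filename without checking its shape, so a hostile registry can walk out of the blob store. The hardened version accepts only a well-formed sha256 digest and, as defence in depth, refuses any path that resolves outside the store. The blob directory, the manifest shape (reduced to its layers) and the `/etc/ld.so.preload` target in the constructed hostile manifest are assumptions for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// blobsDir is an assumed store location for this example
// (Ollama's real default lives under ~/.ollama/models/blobs).
const blobsDir = "/var/lib/ollama/models/blobs"

// digestRe is the only shape a registry is allowed to send: "sha256:" plus 64 lowercase hex chars.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var ErrBadDigest = errors.New("manifest digest is not of the form sha256:<64 lowercase hex>")

// layer and manifest are a simplified view of an OCI manifest, limited to what matters here.
type layer struct {
	Digest string `json:"digest"`
}

type manifest struct {
	Layers []layer `json:"layers"`
}

// unsafeBlobPath reproduces the vulnerable pattern: the remote digest is trusted as a filename.
// filepath.Join cleans the result, so "../" components walk out of blobsDir instead of failing.
func unsafeBlobPath(digest string) string {
	return filepath.Join(blobsDir, strings.ReplaceAll(digest, ":", "-"))
}

// safeBlobPath validates the digest before it is used to build a path and then,
// independently, rejects any result that does not stay inside blobsDir.
func safeBlobPath(digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrBadDigest
	}
	p := filepath.Join(blobsDir, strings.ReplaceAll(digest, ":", "-"))
	rel, err := filepath.Rel(blobsDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", ErrBadDigest
	}
	return p, nil
}

// blobPathsFromManifest parses a pulled manifest and returns the local paths its layers
// would be written to, failing closed on the first untrusted digest.
func blobPathsFromManifest(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	paths := make([]string, 0, len(m.Layers))
	for _, l := range m.Layers {
		p, err := safeBlobPath(l.Digest)
		if err != nil {
			return nil, fmt.Errorf("layer %q: %w", l.Digest, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// Constructed manifests for the demo: one honest, one from a hostile registry.
const goodManifest = `{"layers":[{"digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]}`
const evilManifest = `{"layers":[{"digest":"../../../../../../etc/ld.so.preload"}]}`

func main() {
	fmt.Println("unchecked:", unsafeBlobPath("../../../../../../etc/ld.so.preload"))
	if _, err := blobPathsFromManifest([]byte(evilManifest)); err != nil {
		fmt.Println("rejected:", err)
	}
	paths, _ := blobPathsFromManifest([]byte(goodManifest))
	fmt.Println("accepted:", paths)
}
```

The regex check alone closes the traversal; the `filepath.Rel` check is there so that a future relaxation of the digest format (a new hash algorithm, say) cannot silently reopen it.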
2024-06-24 13:46:10 bleepingcomputer MALWARE Rafel RAT Malware Targets Outdated Android Devices Globally
Rafel RAT, an Android malware, is being used in over 120 campaigns by various threat actors, including the known espionage group APT-C-35. The main targets are outdated Android devices, particularly those running version 11 and earlier, which no longer receive security updates. High-profile organizations in the government and military sectors of the US, China, and Indonesia have been compromised. The malware spreads through deceptive apps that impersonate popular services such as Instagram and WhatsApp to get victims to install malicious APKs. Rafel RAT requests invasive permissions at install time, allowing it to run persistently in the background and to exempt itself from battery optimization. Its ransomware module can encrypt files, change the lock screen password, and display a custom ransom message urging victims to make contact via Telegram. In one case, an operator in Iran performed reconnaissance before running the ransomware, which altered device functionality and demanded payment. Recommended mitigations include avoiding downloads from untrusted sources, treating unsolicited links in messages with caution, and using Play Protect to verify apps.
2024-06-24 12:54:54 theregister MISCELLANEOUS UK MoD's £174M Spending on Delayed Radio System Draws Criticism
The UK Ministry of Defence has reportedly spent £174 million on external advice for the Morpheus radio system project. Morpheus, intended to replace the aging Bowman radio system, has been fraught with delays and has already cost £766 million. Originally due for deployment in 2025, it is now not expected until after 2031 because of ongoing problems. A £395 million contract with General Dynamics was terminated in December after the work failed to meet expectations. The Financial Times highlights concerns about the MoD's procurement strategy, citing excessive spending and a lack of timely progress on key military technology projects. Despite the setbacks, the MoD asserts that Bowman remains secure and capable and is receiving updates to bridge the gap until Morpheus is ready.
2024-06-24 11:22:25 thehackernews MISCELLANEOUS AI Tool Eases Cybersecurity Reporting and Analysis
Cybersecurity professionals are overstretched, handling larger workloads with limited resources, and many are considering career changes because of the stress. Effective use of Cyber Threat Intelligence (CTI) is hindered by interoperability problems, funding shortages, and a global skills gap of roughly 4 million unfilled cybersecurity positions. A significant share of security teams' time goes into producing detailed reports for stakeholders, often prompted by media coverage of emerging threats. The Cybersixgill IQ Report Generator attempts to relieve that burden by using generative AI to produce CTI reports automatically. The tool tailors reports to their audience, from board members to technical teams, to improve understanding and speed up decision-making. Automating report generation lets teams put more effort into proactive security work and cope better with staffing shortfalls. Cybersixgill positions the tool as a way for security teams to communicate risk and required actions efficiently and so improve the organization's security posture.
2024-06-24 10:36:31 theregister DATA BREACH Major Data Breaches Hit Levi's, FBCS, and LivaNova Last Week
Levi's disclosed a data breach affecting over 72,000 customers, the result of a credential stuffing attack that exposed personal information and partial payment details. Financial Business and Consumer Solutions (FBCS) revised the impact of its breach upward to 3.435 million people, with Social Security numbers and account information among the exposed data. LivaNova, a medical device manufacturer, reported a breach affecting 129,219 individuals whose sensitive personal and medical information was stolen. All three companies have notified victims and offered credit monitoring services. Levi's confirmed that its own systems were not compromised; the attackers used credentials stolen from an external source. FBCS has filed multiple notifications with state attorneys general as the scope of its breach expanded. LivaNova was hit in a ransomware attack claimed by the LockBit group, though the company did not use the term "ransomware" in its public disclosures.
2024-06-24 08:33:59 theregister DATA BREACH Outdated SQL Servers and Meta’s AI Data Dilemma Pose Risks
Meta is complying with EU regulators by excluding European social media data from AI training, which raises concerns about language coverage and potential bias in its models. Separately, roughly 20% of Microsoft SQL Server instances are past their support end date and therefore no longer receive security updates or patches. These outdated databases hold sensitive and critical data yet remain neglected, increasing the risk of data breaches and ransomware. The article draws a parallel between regulatory enforcement in food safety and a possible equivalent for software and services to ensure basic cyber hygiene. Without rigorous enforcement of cyber standards, significant vulnerabilities persist, much as lapses in food safety standards produce health risks. The insurance industry could help enforce security measures by adjusting coverage according to software compliance status. The piece calls for systematic risk control and evidence-based regulation of software that balances innovation with security.
2024-06-24 07:57:44 thehackernews NATION STATE ACTIVITY State-Linked RedJuliett Espionage Targets Multiple Global Organizations
RedJuliett, a state-sponsored cyber espionage group believed to be based in China, has targeted 75 Taiwanese organizations along with entities in several other countries, including the U.S., South Korea, and Kenya. The campaign, active between November 2023 and April 2024, primarily hit the government, academic, technology, and diplomatic sectors. The group gains access by exploiting internet-facing devices, including through SQL injection and directory traversal bugs, and tunnels malicious traffic with the SoftEther VPN software. Recorded Future's Insikt Group observed the China Chopper web shell used for persistence in compromised networks and occasional use of Linux privilege escalation flaws such as Dirty COW (CVE-2016-5195). The espionage effort is assessed to serve Beijing's collection of economic and diplomatic intelligence on Taiwan. RedJuliett uses both actor-controlled servers and compromised infrastructure, including systems at Taiwanese universities, to stage its attacks. Its focus on internet-facing devices reflects their typically weaker security, which makes initial access easier to scale.
2024-06-24 07:31:57 theregister MISCELLANEOUS Tech Error Leads to Offensive Script in Call Center
A technical employee, Hugh, was updating scripts at a Florida call center that ran Ubuntu and ViciDial. The call center, described as selling unnecessary items and blocking cancellations, had no test environment, so all changes were made in production. During idle time Hugh was browsing adult humor websites and had copied some jokes to his clipboard. He then pasted the jokes by mistake into the live sales scripts, which were read out by 300 sales agents to potential customers. The result was an uproar, and management demanded an explanation for the inappropriate content. Hugh falsely blamed a technical issue supposedly caused by a previous admin's negligent file management, and ultimately escaped responsibility by attributing the mishap to an erroneous update and a former employee's misconduct. The incident inadvertently spared hundreds of customers an unwanted sales call.
2024-06-24 05:09:08 thehackernews MALWARE Iranian Cyber Espionage Uses Rafel RAT for Widespread Android Attacks
Multiple cyber espionage groups, including Iranian threat actors, are using an open-source Android RAT named Rafel RAT, distributed disguised as popular apps like Instagram and WhatsApp. Rafel RAT lets attackers wipe SD cards, delete call logs, steal notifications, and act as ransomware. In April 2024 the DoNot Team used Rafel RAT in an attack that exploited a flaw in Foxit PDF Reader with military-themed PDF lures. Check Point Research identified around 120 malicious campaigns using Rafel RAT against targets in countries including the U.S., Australia, and China. Most victims used phones from manufacturers such as Samsung, Xiaomi, Vivo, and Huawei, and 87.5% were running Android versions that no longer receive security updates. The attacks rely on social engineering to persuade victims to grant intrusive permissions, which then allow theft of sensitive data such as SMS messages and contact information. Rafel RAT communicates with its operators over HTTP(S) and the Discord API and ships with a PHP-based control panel. The surge in Rafel RAT activity underlines the need for vigilance and better security practices on Android devices.
2024-06-24 02:16:01 theregister DATA BREACH Snowflake Data Breach Expands Impact; Multiple Victims Identified
The Snowflake customer breach has affected over 165 organizations, including significant businesses like Ticketek and Advance Auto Parts. Ticketek recently alerted customers to a security incident that exposed personal details through the breach. Advance Auto Parts confirmed unauthorized access to employee and applicant information, including SSNs. A member of ShinyHunters claimed the Snowflake accounts were reached through compromised third-party vendors rather than by breaking into Snowflake's own systems. Snowflake is responding with stricter security requirements, including pushing mandatory multifactor authentication on customer accounts. A related report covers the ongoing ransomware extortion of CDK, which has disrupted car dealership operations across the US. Elsewhere, notable vulnerabilities were patched in Juniper Secure Analytics products, and IntelBroker's claimed sale of Apple internal tools turned out to be overstated, the actual data relating only to Apple's internal SSO integrations.
2024-06-23 14:13:16 bleepingcomputer CYBERCRIME PrestaShop Module Exploit Allows Credit Card Data Theft
Hackers are exploiting a vulnerability in the pkfacebook module for PrestaShop to plant card skimmers on e-commerce sites. The flaw, tracked as CVE-2024-36680, is an SQL injection in the module's facebookConnect.php script. Although the vendor Promokit claims the vulnerability was fixed some time ago, no evidence supports that claim and exploitation is ongoing. The pkfacebook add-on lets PrestaShop stores integrate with Facebook for comments and communication. Security analysts have documented live cases in which the bug is being exploited to steal shoppers' credit card details. All versions of the module up to 1.0.1 are confirmed vulnerable, and the patch status is unclear because the latest version on Promokit's website is 1.0.0. The advisory therefore recommends treating every version as vulnerable and applying mitigations urgently. Two years earlier PrestaShop issued warnings and fixes for other modules hit by similar SQL injection attacks.