Daily Brief

2024-06-18 20:29:18 bleepingcomputer CYBERCRIME Phishing-as-a-Service Targets Microsoft 365 in Financial Sector
Researchers have identified a phishing-as-a-service platform, ONNX Store, aimed at Microsoft 365 accounts, primarily within financial institutions. ONNX Store embeds QR codes in PDF attachments to bypass traditional phishing defenses and two-factor authentication, targeting employees under the guise of HR communication. The platform, believed to be operated by the Arabic-speaking hacker MRxC0DER, offers real-time credential theft via phishing pages that replicate the Microsoft 365 login screen. ONNX lets its clients manage phishing campaigns through Telegram bots, offering customizable Microsoft Office 365 phishing templates and support channels for operational assistance. Observed attacks use phishing emails impersonating HR departments with offers of salary updates to lure victims into scanning malicious QR codes and entering login credentials. Captured credentials and 2FA tokens are relayed to the attackers immediately, enabling unauthorized access to sensitive company information. ONNX's infrastructure relies on deception techniques such as encrypted JavaScript and Cloudflare services to evade detection, and on bulletproof hosting to keep operating. Protection against ONNX phishing involves blocking unverified PDF and HTML attachments, avoiding untrusted HTTPS sites, and deploying FIDO2 hardware security keys for high-risk accounts.
2024-06-18 18:10:53 bleepingcomputer CYBERCRIME VMware Releases Fixes for Critical vCenter Server Flaws
VMware issued a security advisory for critical vulnerabilities in vCenter Server that enable remote code execution and local privilege escalation. Affected versions include vCenter Server 7.0 and 8.0, along with VMware Cloud Foundation 4.x and 5.x. Three specific vulnerabilities were addressed: CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081. Updates are available in vCenter Server 8.0 U2d, 8.0 U1e, and 7.0 U3r; Cloud Foundation patches are accessible through KB88287. VMware states that updating vCenter Server will not impact running workloads or VMs, though management interfaces are likely to be temporarily unavailable during the upgrade. No active exploitation of these vulnerabilities has been detected, yet VMware urges updating immediately given the risk of targeting by threat actors. The company also identified an issue with custom ciphers in version 7.0 U3r and recommends running a precheck.
2024-06-18 17:29:37 bleepingcomputer DATA BREACH Medibank Data Breach Uncovered: Multifactor Authentication Lapses
An investigative report by the Australian Information Commissioner revealed significant security oversights by Medibank, including unenforced multi-factor authentication (MFA), that led to a severe data breach. The breach began when a Medibank contractor's browser-stored work credentials were stolen from his home computer by malware. The attacker used these credentials to access Medibank's systems, including its Microsoft Exchange server and VPN, gaining extensive internal access. Between August 25 and October 13, 2022, the attacker extracted 520 GB of sensitive customer data, including personal and health information. Failure to act on EDR alerts generated in late August allowed the breach to continue undetected until mid-October. The breach, disclosed by Medibank in October 2022, compromised the personal data of 9.7 million customers. The report underscores the necessity of robust security measures such as MFA, especially for systems like VPNs that are heavily targeted by cyber actors.
2024-06-18 16:23:07 thehackernews MISCELLANEOUS EU Proposal Threatens Encryption with Private Message Scans
The European Union has introduced a controversial proposal to scan users' private messages for child sexual abuse material (CSAM), raising significant concerns among privacy advocates. Meredith Whittaker, president of the Signal Foundation, criticized the proposal, stating that it severely undermines the integrity of end-to-end encryption (E2EE). The proposed measure, known as "upload moderation," would require messages to be analyzed before encryption, allowing for the detection of CSAM. The law excludes audio communications and requires user consent under service provider terms, offering alternatives for users who do not consent to scanning. Europol emphasizes the need for tech industry cooperation to balance public safety and privacy, suggesting the design of systems capable of reporting harmful activity without breaking encryption. The response from the tech community, including Apple, highlights concerns about privacy infringement and the potential for such measures to lead to broader surveillance practices. Signal warns that interfering with encryption algorithms or creating backdoors for scanning could lead to vulnerabilities, exploitable by both malicious actors and nation-state hackers.
2024-06-18 15:06:12 theregister MISCELLANEOUS CHERI Alliance Aims to Enhance Global CPU Security Standards
The CHERI Alliance CIC has been established to promote the adoption of CHERI security technology, enhancing memory safety in CPUs. Founding members include notable organizations like the FreeBSD Foundation, University of Cambridge, and various security and chip design companies. CHERI technology focuses on preventing common memory vulnerabilities such as buffer overflows through fine-grained security controls. Despite significant involvement in developing CHERI, chip designer Arm is conspicuously absent from the alliance’s member list. The Alliance aims to stimulate industry collaboration, foster academic partnerships, and push for CHERI's broad implementation across different ISAs. The initiative is mentioned in a White House report emphasizing the importance of hardware support for robust memory safety. Efforts are being focused around the RISC-V ISA, suggesting a strategic pivot or broadening of technological foundations. The CHERI Alliance is set to formally launch in September and is currently open for new members.
2024-06-18 14:50:37 bleepingcomputer DATA BREACH Two Hackers Plead Guilty to Blackmail Using Law Enforcement Data
Two individuals, Sagar Steven Singh and Nicholas Ceraolo, admitted guilt for hacking a federal law enforcement database as part of a blackmail scheme. The hackers were part of "ViLE", a group that exploited stolen personal information to extort money by threatening to release it publicly. They used stolen credentials of a police officer to access a law enforcement database containing sensitive information about criminal activities and personal data. Ceraolo further impersonated officers to extract additional personal data from social media platforms under false pretenses. The exposed data was used in blackmail attempts, including threats to disclose personal details like social security numbers and addresses unless payment was received. In one incident, Singh demanded Instagram account credentials by threatening the target’s family safety. The U.S. Department of Justice is pursuing the case, with sentences for the crimes committed by Singh and Ceraolo ranging from two to seven years. Ongoing efforts are being made to apprehend and prosecute other members of the ViLE hacking group.
2024-06-18 13:33:57 thehackernews MALWARE Cybercriminals Utilize Pirated Software to Deploy Malware and Stealers
Threat actors are using free or counterfeit software to distribute the Hijack Loader and Vidar Stealer malware. Compromised Cisco Webex Meetings app downloads lead to the execution of stealthy malware loaders via DLL side-loading. The malware uses elevated privileges to evade detection by adding itself to Windows Defender's exclusion list. Apart from stealing information, the malware also installs a cryptocurrency miner and other malicious payloads on victims' systems. Techniques include PowerShell scripts and deceptive browser update prompts that entice victims into executing malicious code. Detection is harder because the malware masks its association with the files it uses and relies on user interaction. Multiple cybersecurity firms have reported on the diverse tactics and payloads used in recent phishing and malware campaigns. Security experts emphasize the importance of vigilance when downloading software and clicking on links, even from seemingly legitimate sources.
2024-06-18 13:18:16 theregister CYBERCRIME U.S. Ends Aid for Providers Affected by Major Healthcare Cyberattack
The U.S. government will cease financial support on July 12 for healthcare providers impacted by the Change Healthcare ransomware attack in February. The Centers for Medicare & Medicaid Services (CMS) initiated support programs in March offering funding and relaxed rules for affected organizations to maintain operations. Over $3.2 billion in accelerated payments have been disbursed to nearly 9,000 Medicare providers to help manage cash flow disruptions caused by the cyberattack. The support measures included allowing Medicare Advantage and Medicaid plans to provide advanced funding, and the acceptance of paper claims by Medicare Administrative Contractors while electronic systems were offline. Though most of the emergency funding (96%) has been repaid, ongoing challenges persist for some providers beyond the July 12 cutoff. CMS continues to encourage all healthcare entities to prioritize cybersecurity enhancements and remains ready to address future cyber incidents. The ransomware attack has been one of the costliest for the healthcare sector, with estimated costs nearing $1 billion, including a $22 million ransom payment to the attackers.
2024-06-18 11:30:44 theregister DATA BREACH Scottish NHS Trust Data Leaked, Ransom Not Paid
NHS Dumfries and Galloway's CEO confirmed that cybercriminals accessed and copied sensitive data during a February cyberattack. Data from approximately 150,000 individuals was leaked after the trust refused to comply with ransom demands. Victims are primarily residents of Dumfries and Galloway; targeted communications and general notices are being distributed. The leaked data raises concerns over identity theft, cybersecurity threats, extortion, and mental health impacts. The situation parallels the 2022 Medibank breach in Australia, which also involved a ransom demand that was not met. Efforts to analyze and prioritize the leaked data focus on identifying and assisting high-risk or vulnerable patients. CEO Julie White offered an apology and reiterated the organization's commitment to transparency and to following law enforcement advice. NHS Dumfries and Galloway has published a detailed FAQ and summary online to clarify the breach's context and implications.
2024-06-18 11:25:18 thehackernews MISCELLANEOUS Report Highlights Growing Investment in SaaS Security for 2025
Seventy percent of enterprises have set up dedicated teams to bolster security for Software as a Service (SaaS) applications. Despite 2023's economic and job market challenges, organizations have markedly increased resources for SaaS security, including a 56% rise in staffing and a 39% increase in budget allocations. The survey reveals a significant shift in prioritization, with 80% of organizations now focusing on SaaS security, a sharp contrast to its historical position as an afterthought. Enhanced SaaS security strategies have led to more mature capabilities and better visibility into SaaS applications, with marked improvements in detection and configuration management. Major challenges persist, particularly in achieving visibility into business-critical applications and managing risks associated with third-party apps and SaaS misconfigurations. The survey points to the effectiveness of SaaS Security Posture Management (SSPM) tools, highlighting that users experience better control and ease in managing SaaS security compared to other methods. Overall, the survey data indicates a positive trend in SaaS security outcomes and in mitigation of security incidents, suggesting that robust investment and strategic implementation are paying dividends.
2024-06-18 09:42:44 thehackernews MALWARE New Malware Exploits Docker APIs for Crypto Mining Operations
Cybersecurity experts have discovered new malware targeting openly accessible Docker API endpoints to deploy cryptocurrency miners. The malware uses a variety of tools, including a remote access capability that allows further malicious software to be downloaded and distributed through SSH. The attackers focus on Docker servers with port 2375 exposed, conducting a multi-stage attack that includes reconnaissance, privilege escalation, and exploitation. A complex chain of scripts and binaries, including scripts named "b.sh" and "ar.sh," is employed to configure remote access, scan for other vulnerable hosts, and install additional payloads. The malware incorporates a Go-based binary, "chkstart," which adds complexity and makes analysis more difficult than for previous versions written in shell script. Additional payloads such as "exeremo" for lateral movement and "fkoths," a Go-based binary that erases traces, signal an advanced attempt to maintain persistence and avoid detection. These findings indicate continuous improvement and adaptation by the attackers, highlighting the persistent security risks of misconfigured Docker hosts.
2024-06-18 08:26:15 thehackernews CYBERCRIME VMware Patches Critical Flaws in Cloud and Server Platforms
VMware has released critical security updates for Cloud Foundation, vCenter Server, and vSphere ESXi. The updates address vulnerabilities that could lead to privilege escalation and remote code execution. Identified vulnerabilities include two discovered by researchers at QiAnXin LegendSec and one by Deloitte Romania. Affected versions are specifically vCenter Server versions 7.0 and 8.0; patches are available in newer subversions. Prior similar issues were patched in October 2023, involving the DCE/RPC protocol. VMware advises users to apply these critical patches promptly despite no current active exploitation reports.
2024-06-18 07:40:00 thehackernews MALWARE Two Malaysians Extradited for Android Malware Banking Scam
The Singapore Police Force has extradited two Malaysians linked to an Android malware scam targeting Singapore citizens. The suspects allegedly used phishing campaigns to install malicious apps on victims' devices to steal personal data and banking credentials. In collaboration with Hong Kong and Malaysian police, a lengthy investigation linked the suspects to a criminal syndicate. The malware, disguised as apps offering discounted goods, allowed remote access to victims' devices, capturing sensitive data and enabling unauthorized transactions. Assets including cryptocurrency and real estate worth over $1.33 million have been seized in related arrests, with 16 suspects captured so far. The malicious operations have affected over 4,000 victims, highlighting the extensive impact of the scam. One suspect faces up to ten years in prison and $500,000 in fines, underlining the severity of the penalties for such cybercrimes.
2024-06-18 06:13:19 theregister MALWARE Critical Security Flaws Found in VMware vCenter Server
VMware, now owned by Broadcom, has disclosed two critical vulnerabilities in its vCenter Server product, used to manage virtual machines and hosts. Identified as CVE-2024-37079 and CVE-2024-37080, both vulnerabilities are rated 9.8 out of 10 for severity and involve heap-overflow issues in the DCE/RPC protocol implementation. A malicious actor could exploit these vulnerabilities by sending a specially crafted network packet, potentially leading to remote code execution. Although patched versions of vCenter Server and Cloud Foundation are available, there is no information about the applicability of these fixes to older vSphere versions 6.5 and 6.7, which are widely used but no longer supported. VMware also reported a third, less critical vulnerability, CVE-2024-37081, related to local privilege escalation due to sudo misconfiguration, scoring it as important (7.8). There are currently no known exploits of these vulnerabilities "in the wild," according to VMware. The discovery of these vulnerabilities was credited to Matei "Mal" Badanoiu from Deloitte Romania.
2024-06-18 01:18:04 theregister CYBERCRIME Researchers Bypass ARM's Memory Security Feature Effectively
Researchers from Seoul National University, Samsung Research, and the Georgia Institute of Technology have discovered vulnerabilities in Arm's Memory Tagging Extension (MTE). The vulnerabilities allow attackers to recover memory tags 95% of the time through speculative execution techniques. MTE was designed to protect against commonly exploited memory safety vulnerabilities in C/C++ programs, such as buffer overflows and heap use-after-free bugs. The effective bypass raises concerns about MTE's ability to secure applications on Arm processors, despite Arm's reassurances. The findings challenge earlier work, including that of Google's Project Zero, which did not identify side-channel attacks capable of breaking MTE. The researchers demonstrated their technique's efficacy by extracting MTE tags from Google Chrome on Android and Linux, using proof-of-concept code now available on GitHub. The suggested mitigation involves placing speculation barriers and limiting gadget construction in affected software such as Chromium and Linux kernel code. While acknowledging the issue, Arm maintains that MTE retains its value, though it recommends additional mechanisms to prevent speculative execution oracles.