Daily Brief


Total articles found: 12782

Checks for new stories every ~15 minutes

2024-08-27 14:04:07 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Exploit Zero-Day to Breach Network Service Providers
Chinese state-backed group Volt Typhoon exploited a zero-day in Versa Director, affecting ISPs and MSPs. The vulnerability, tracked as CVE-2024-39717, allows uploading malicious Java files, enabling remote code execution. Researchers at Black Lotus Labs discovered malicious use of the flaw through a custom Java webshell named "VersaMem". Versa confirmed that securing the High Availability (HA) port according to its guidelines could have prevented exploitation. The attacks involved stealing credentials to access corporate networks, notably through devices such as SOHO routers and VPNs. Black Lotus Labs has identified breaches related to this vulnerability in the US and India, affecting sectors including ISPs, MSPs, and IT. Critical steps to mitigate further attacks include upgrading Versa Director, checking for suspicious files, and restricting access to specific ports. The activity was linked to other Volt Typhoon operations in which the group compromised a range of devices to mask its network infiltration.
2024-08-27 14:04:07 bleepingcomputer CYBERCRIME Massive QR Code Phishing Campaign Exploits Microsoft Sway
Netskope Threat Labs detected a large-scale QR code phishing campaign targeting Microsoft 365 users via Microsoft Sway. Phishing attacks surged by 2,000 times in July 2024, mainly affecting the technology, manufacturing, and finance sectors, primarily in Asia and North America. Attackers used Microsoft Sway to create legitimate-looking landing pages that encouraged users to scan QR codes redirecting them to malicious sites. Because the QR codes are embedded in images and are often scanned with less secure mobile devices, they bypass email security scanners. The campaign also involved sophisticated tactics such as transparent phishing, which steals credentials and multi-factor authentication codes while the victim is shown a legitimate login flow. Attackers used Cloudflare Turnstile to mask phishing content, preserving the domain's reputation and evading blocks by web filtering services. Microsoft Sway was previously targeted in the PerSwaysion phishing campaign, which went after high-ranking individuals in the legal, financial, and real estate sectors.
2024-08-27 13:28:18 thehackernews MISCELLANEOUS Gartner's CTEM Framework Progress and Impact on Enterprise Security
Gartner's Hype Cycle for Security Operations 2024 emphasizes the maturation of Continuous Threat Exposure Management (CTEM). The CTEM framework helps businesses continuously assess, prioritize, validate, and remediate security exposures. New category definitions streamline vendor selection for enterprises implementing CTEM strategies. Exposure Assessment Platforms (EAP) and Adversarial Exposure Validation (AEV) are pivotal in improving vulnerability management and operational efficiency. EAPs move beyond CVSS scores, offering contextualized data aligned with actual business risk and asset significance. AEV provides a practical view of security gaps by simulating real-world adversarial attacks to validate cyber resilience. Challenges persist in moving beyond compliance-focused approaches and in integrating comprehensive technology solutions for AEV. Recommendations include adopting agentless technologies that combine BAS and penetration testing for accurate, proactive validation of security posture.
2024-08-27 06:15:11 thehackernews CYBERCRIME Microsoft Addresses Critical Data Theft Vulnerability in 365 Copilot
Microsoft recently patched a vulnerability in Microsoft 365 Copilot which could enable the theft of sensitive data using ASCII smuggling. ASCII smuggling involves using special Unicode characters that appear invisible to the user but can be embedded within clickable hyperlinks for data exfiltration. This security flaw could potentially allow for the theft of email contents and multi-factor authentication codes by sending them to an adversary-controlled server. A series of attack techniques were chained together to create a reliable exploit, which was disclosed responsibly in January 2024. Additional potential threats include using AI for spear-phishing by mimicking user communication styles and exploiting publicly exposed Copilot bots. Enterprises are advised to enable Data Loss Prevention and enhance security controls to mitigate risks associated with Microsoft Copilot and other AI applications. These discoveries underscore the persistent security threats and the need for ongoing vigilance in monitoring and protecting AI-driven tools from cyber exploits.
2024-08-27 04:48:42 thehackernews MALWARE Google Chrome Vulnerability Under Active Exploitation Exposed
Google has disclosed a newly patched security vulnerability in its Chrome browser, CVE-2024-7965, that is being actively exploited in the wild. The flaw is an inappropriate implementation in Chrome's V8 JavaScript engine that can lead to heap corruption. The vulnerability was identified and reported by a security researcher known as TheDog, who received an $11,000 bug bounty on July 30, 2024. While specific details of the attacks and the identities of the perpetrators remain unclear, Google acknowledges the flaw's active exploitation. It is one of nine zero-days Google has addressed in Chrome since the beginning of 2024, three of which were revealed during the Pwn2Own 2024 competition. Chrome users on Windows, macOS, and Linux are urged to update to version 128.0.6613.84/.85 to protect against exploitation.
2024-08-26 22:01:55 bleepingcomputer MALWARE Google Patches Tenth Exploited Chrome Zero-Day of 2024
Google has addressed its tenth Chrome zero-day vulnerability identified in 2024, designated as CVE-2024-7965, described as an issue in the V8 JavaScript engine allowing heap corruption. The vulnerability was exploited through a specially crafted HTML page, enabling remote attackers to target users. Another related high-severity zero-day, CVE-2024-7971, was also recently patched, involving a type confusion issue in the same V8 engine. Both vulnerabilities have confirmed exploits in the wild, although specific details about the attacks remain undisclosed. Patches have been issued for Windows, macOS, and Linux under Chrome version 128.0.6613.84/.85, with updates rolling out in the Stable Desktop channel. Users are advised to update their Chrome browsers immediately by manually triggering the update process if automatic updates have not yet been applied. Google has been actively restricting detailed information about these vulnerabilities to protect users until the majority has updated their browsers. This year, including these, Google has patched a total of eight other zero-days that were exploited either in the wild or during the Pwn2Own hacking contest.
2024-08-26 19:49:32 theregister MISCELLANEOUS Microsoft Error Triggers False Malware Alerts, Floods Admins
Microsoft experienced a software issue that misclassified legitimate emails as malware, generating false alerts. Administrators reported receiving a high volume of these false malware notifications, adding to their workload. The problem was first noticed and reported by users on Reddit before Microsoft issued an official notification on its service channel. Microsoft acknowledged the issue on Xitter and in its service alert, citing difficulties with its malware detection systems, and implemented a mitigation strategy. The fix involves manually unblocking the legitimate emails that were incorrectly quarantined, a process that could be time-intensive given the volume of messages and the security risks involved. Microsoft's communication stated that a replay of impacted emails was underway, although the issue was not yet fully resolved. Further updates are anticipated from Microsoft to confirm resolution of the problem, which began affecting users around 0900 ET.
2024-08-26 19:34:05 bleepingcomputer DATA BREACH Patelco Credit Union Hit by RansomHub Ransomware, Data Leaked
Patelco Credit Union suffered a ransomware attack compromising the personal data of 726,000 customers. The RansomHub group executed the attack and publicly released data on August 15, 2024, after failing to negotiate with Patelco. Attackers initially breached Patelco's network on May 23, 2024, and subsequently accessed customer databases on June 29, 2024. The breach led to a two-week system shutdown as Patelco worked to contain the situation and restore IT functions. Exposed customer information varies per individual, which aligns with data posted by RansomHub on their extortion portal. Patelco has confirmed the breach and is offering affected customers two-year complimentary access to identity protection and credit monitoring services. Customers are warned to be cautious of potential phishing and scam attempts following the breach.
2024-08-26 19:18:41 theregister DATA BREACH FBI Audit Reveals Lapses in Securing Classified Data
The Department of Justice Office of the Inspector General audited the FBI and found severe lapses in handling and destroying electronic storage media. Classified and sensitive data, including national security and Foreign Intelligence Surveillance Act information, were found improperly labeled and unsecured. Storage media such as hard drives and thumb drives were left in open, unattended boxes at destruction facilities, accessible to numerous staff and contractors. To enhance security, the FBI plans to install wire cages and surveillance cameras at the media destruction facility, although implementation has been delayed. Current procedures lack proper tracking and inventory controls for electronic media, increasing the risk of loss or theft of sensitive data. The FBI has acknowledged the issues and is finalizing a new policy directive aimed at improving the marking and secure destruction of sensitive electronic devices and materials.
2024-08-26 18:32:43 theregister CYBERCRIME Seattle Airport Disrupted by Suspected Cyberattack, Investigation Ongoing
A potential cyberattack on Seattle-Tacoma International Airport caused significant disruptions, impacting flight operations and causing delays. Outages affecting the airport's internal internet and web systems began early Saturday, with ongoing issues through the weekend. The Port of Seattle has isolated critical systems to safeguard against further damage and is working vigorously to restore full functionality. Due to system failures, terminal screens malfunctioned, and airlines resorted to issuing tickets manually, leading to extensive lines and traveler delays. As of Monday following the incident, the Port of Seattle's website was still down, indicating continued challenges in recovery efforts. The federal government has joined the investigation, with agencies like TSA and Customs and Border Protection lending their expertise. This incident highlights a broader trend of ransomware attacks targeting critical infrastructure, with transportation being a prime target due to its operational importance. The unscheduled downtime this month follows another significant disruption linked to a faulty update from cybersecurity firm CrowdStrike last month, reflecting ongoing vulnerability in airport operations to cyber events.
2024-08-26 16:55:50 bleepingcomputer MISCELLANEOUS Microsoft Addresses False Malware Tags in Exchange Online
Microsoft Exchange Online is experiencing a service issue where emails with images are incorrectly marked as malware. The problem leads to these emails being quarantined, affecting both outbound and inbound communications. The issue, identified under tracking number EX873252, appears to be widespread, impacting numerous users and system administrators. Microsoft has acknowledged the issue and is utilizing service monitoring telemetry to determine the root cause and formulate a remediation plan. The false positives include emails that are replies and forwards of previous external communications, as well as intra-organizational messages. This incident resembles a previous error in October 2023, where an ineffective anti-spam rule caused mislabeling of emails as spam. Microsoft is currently working towards resolving the problem, indicating the situation is still developing.
2024-08-26 16:50:30 theregister DATA BREACH AMD Suffers Second Data Theft, Internal Documents Leaked
Criminal groups IntelBroker and EnergyWeaponUser claimed responsibility for the latest breach of AMD, which reportedly occurred on the same day they announced it. The breached data was listed for sale on the dark web site BreachForums and includes a variety of internal communications reportedly taken from sources such as idmprod.xilinx.com and amdsso.okta.com. The stolen data includes user credentials, case descriptions, resolutions, and assignment groups, posing significant privacy and security risks. IntelBroker had previously breached AMD in June, selling source code and sensitive internal data, indicating a pattern of targeted attacks against the company. AMD is aware of the breach and is investigating with the help of law enforcement and a third-party hosting service. Beyond AMD, IntelBroker has claimed responsibility for several other high-profile breaches, including those involving Europol, the Pentagon, and other major institutions. The group's repeated successes underline the challenges businesses face in protecting sensitive information against determined and skilled adversaries.
2024-08-26 16:14:39 bleepingcomputer MALWARE Versa Networks Responds to Zero-Day Vulnerability Exploit
Versa Networks has patched a high-severity zero-day vulnerability (CVE-2024-39717) in their Versa Director platform. The vulnerability was actively exploited, permitting attackers to upload malicious files disguised as PNG images. Exploitation was possible due to an unrestricted file upload flaw within the 'Change Favicon' feature for users with elevated privileges. The flaw only affected customers who failed to implement recommended system hardening and firewall guidelines. Versa alerted its customers and partners to review and enhance firewall protocols and upgrade their systems following the discovery. The Cybersecurity and Infrastructure Security Agency (CISA) has added the zero-day to its Known Exploited Vulnerabilities catalog, urging federal agencies to secure affected systems by September 13. Versa confirms the vulnerability was exploited by an Advanced Persistent Threat (APT) actor at least once.
2024-08-26 14:42:50 bleepingcomputer MALWARE SonicWall Alerts Users to Critical SonicOS Access Control Flaw
SonicWall has identified a critical access control flaw in its SonicOS, labeled as CVE-2024-40766 with a CVSS v3 severity score of 9.3. The vulnerability allows unauthorized access to resources and can cause firewall crashes without requiring user interaction or authentication. Affected models include SonicWall Firewall Gen 5, Gen 6, and some Gen 7 devices running older firmware versions. Administrators are urged to download security updates from mysonicwall.com to mitigate the risks associated with this flaw. As a temporary measure, restricting firewall management access to trusted sources or disabling WAN management is recommended. SonicWall products are essential in many industries and are often targeted by hackers; a recent example involved suspected Chinese hackers using custom malware. The US Cybersecurity & Infrastructure Security Agency (CISA) has previously warned about the exploitation of vulnerabilities in SonicWall appliances.
2024-08-26 14:37:32 thehackernews CYBERCRIME SonicWall Releases Patch for Critical Firewall Vulnerability
SonicWall has issued security updates for a critical flaw in its firewall devices that could allow unauthorized access. The vulnerability, identified as CVE-2024-40766, features a CVSS score of 9.3 and is classified as an improper access control issue. Affected products include SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices running firmware versions up to SonicOS 7.0.1-5035. The issue has been resolved in the latest firmware updates, and it is not reproducible in versions higher than SonicOS 7.0.1-5035. There is no evidence that the flaw has been exploited in the wild, but users are urged to install the patches promptly to mitigate potential risks. In the past, SonicWall devices have been targeted by threat actors, including a China-linked group using unpatched vulnerabilities to deploy malware and maintain remote access. Security professionals highlight the increasing focus of threat actors on exploiting vulnerabilities in edge infrastructure devices like firewalls and switches for deeper network intrusion.