Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11823

Checks for new stories every ~15 minutes

2024-06-12 00:33:57 theregister DDOS Microsoft and Adobe Tackle Significant Security Vulnerabilities
Microsoft’s June Patch Tuesday addressed 49 CVE-tagged flaws, including a critical remote code execution (RCE) vulnerability in Microsoft Message Queuing (MSMQ) rated 9.8 out of 10 for severity. CVE-2024-30078 is a Wi-Fi driver vulnerability affecting all supported versions of Windows that allows remote code execution from an adjacent Wi-Fi network. Adobe's patch update remedied 166 CVEs, including a critical uncontrolled search path issue in Creative Cloud Desktop and significant flaws in Adobe Commerce. Active exploitation of a critical PHP RCE vulnerability is being used to distribute TellYouThePass ransomware, underscoring the urgency of updating. Arm confirmed that malicious actors have exploited CVE-2024-4610, a flaw in its GPU kernel drivers affecting a range of driver versions. Apple and Google released patches for their respective platforms, with Apple fixing 21 vulnerabilities in visionOS and Google addressing 37 issues in Android. SolarWinds and Fortinet also issued updates this month: SolarWinds patched a directory traversal flaw rated 8.6 on the CVSS scale, and Fortinet resolved buffer overflow vulnerabilities in FortiOS. Cisco released urgent security updates after a Webex Meetings flaw was reportedly exploited to spy on government and military meetings.
2024-06-11 19:03:35 bleepingcomputer CYBERCRIME JetBrains Issues Patch for IntelliJ IDE GitHub Token Exposure
JetBrains has disclosed a significant vulnerability in IntelliJ-based IDEs that affects the security of GitHub access tokens. The flaw, tracked as CVE-2024-37051, affects IntelliJ-based IDEs from version 2023.1 onward that have the JetBrains GitHub plugin enabled. The issue arises when malicious content in a GitHub pull request is processed by the IDE, potentially exposing the access token. JetBrains has released updates to mitigate the vulnerability and has removed affected versions of the plugin from its marketplace. Users are urged to update their software and to revoke any GitHub tokens used via the flawed plugin to prevent unauthorized access to their GitHub accounts. Because of the compatibility and security modifications, the JetBrains GitHub plugin may not function correctly on older IDE versions. JetBrains continues to strengthen security, having addressed a critical authentication flaw in its TeamCity On-Premises servers earlier in the year.
2024-06-11 18:07:10 theregister DATA BREACH Pure Storage Data Breach Linked to Snowflake Credentials Theft
Pure Storage confirmed a breach of a Snowflake data analytics workspace; no customer data was compromised. Mandiant identified a common pattern in Snowflake-related breaches: many of the affected accounts lacked multi-factor authentication (MFA), which left them exposed. Mandiant's report notes that 165 organizations were possibly affected by breaches associated with UNC5537, a threat actor that collected Snowflake credentials. The breached workspace contained telemetry information, including company names and email addresses, but no passwords or customer data. Pure Storage states that its broader infrastructure is secure and continues to monitor for potential threats. None of the telemetry information from the breach can be used to access customer systems, reinforcing the limited scope of the incident. Pure Storage remains committed to transparency and continues to update its customers on security developments and responses. A general rise in Snowflake-related security incidents has put the focus on stronger credential security and the use of MFA.
2024-06-11 17:36:12 bleepingcomputer MALWARE Microsoft Patch Tuesday June 2024: Key Vulnerabilities Addressed
Microsoft released security updates for 51 flaws on the June 2024 Patch Tuesday, including 18 remote code execution (RCE) vulnerabilities. The release includes fixes for a critical RCE flaw in Microsoft Message Queuing (MSMQ) and for a publicly disclosed zero-day in the DNS protocol known as 'KeyTrap'. The zero-day had been disclosed previously without an available fix and could affect DNS integrity and performance. Other notable fixes include multiple Microsoft Office RCEs, specifically vulnerabilities in Microsoft Outlook that could be exploited from the preview pane. The update also resolves seven Windows kernel elevation-of-privilege flaws that could allow a local attacker to obtain SYSTEM privileges. Other vendors have also released patches and advisories alongside the Microsoft updates; SAP, however, now restricts access to its updates behind a customer login. This Patch Tuesday did not address any actively exploited vulnerabilities but focused on previously known issues and improving overall system security.
2024-06-11 16:55:14 bleepingcomputer CYBERCRIME Cleveland Shuts Down IT Systems Amidst Cyberattack Investigation
The City of Cleveland has temporarily disabled its citizen-facing services following a cyberattack affecting public offices and facilities such as Erieview and City Hall. Essential operations continue: emergency services (911, police, fire), utilities, healthcare, and airport travel are not affected by the incident. An investigation with third-party experts is under way; specific details about the nature of the abnormal IT activity remain undisclosed so as not to compromise the investigation. Publicly disclosed information states that taxpayer and customer information has not been accessed during the cyberattack. Public services in non-essential departments have been curtailed, so residents in need of critical documents or services are asked to be patient. City authorities are updating the public via platforms such as X and have set up a helpline (311) for inquiries related to the incident. No ransomware group has claimed responsibility for the attack as the investigation continues.
2024-06-11 16:34:36 theregister DATA BREACH Cylance Confirms Exposure of Marketing Data; Customer Systems Secure
Cylance, owned by BlackBerry, has confirmed that a data dump allegedly containing customer and employee information is being offered for sale, but asserts that it poses no risk to customers. The compromised data, reportedly taken from a third-party platform used between 2015 and 2018, includes names, email addresses, and marketing information. BlackBerry states that Cylance systems and products remain secure, with no current evidence that sensitive customer or operational data was compromised. Incident response is active, with BlackBerry's security operations team closely monitoring the situation as part of its commitment to safeguarding customer data. A cybercriminal using the alias "Sp1d3r" claims to be selling the data for $750,000, though Cylance denies being a customer of the breached service in question, Snowflake. Mandiant's latest report investigates the Snowflake breaches and identifies 165 potentially affected organizations without implicating Cylance. Cybercriminals' claims about the scale of data breaches, such as the high-profile claim against Christie's, are frequently disputed or inaccurate.
2024-06-11 16:24:10 bleepingcomputer NATION STATE ACTIVITY Extensive Chinese Espionage Campaign Compromises 20,000 FortiGate Systems
The Dutch Military Intelligence and Security Service (MIVD) reported a significant escalation in a Chinese cyber-espionage operation affecting over 20,000 FortiGate systems worldwide. Chinese hackers exploited the FortiOS/FortiProxy vulnerability CVE-2022-42475 between 2022 and 2023, targeting governments, international bodies, and defense industry firms. The operation deployed the Coathanger RAT, which gives persistent access to infected devices even after system updates and firmware upgrades. The malware was detected on a Dutch Ministry of Defence network, but the attackers were contained by network segmentation. The Chinese state-sponsored group used this access for political espionage focused on the Netherlands and its allies. Despite the availability of security patches, the stealthy nature of the Coathanger malware means many systems likely remain compromised. The Dutch intelligence service highlighted similarities with another Chinese campaign targeting SonicWall appliances, underscoring a broader strategy of using firmware-resilient malware for espionage.
2024-06-11 16:18:49 thehackernews MISCELLANEOUS Cynet's Integrated Platform Boosts MSP Efficiency and Profits
Managed service providers (MSPs) are increasingly relied upon for comprehensive cybersecurity services as cyber threats escalate. Cynet's All-in-One Cybersecurity Platform offers a unified solution covering a range of security capabilities, simplifying the tech stack for MSPs. The platform combines Extended Detection and Response (XDR), Endpoint Protection (EPP), Managed Detection and Response (MDR), and other critical tools in a single system. Automation and expert support from Cynet's in-house team, CyOps, significantly reduce response times and manual intervention during security incidents. Cynet's performance in the recent MITRE ATT&CK Evaluations demonstrated 100% detection and analytic coverage without configuration changes, establishing a strong competitive edge. The streamlined approach, efficiency, and comprehensive coverage provided by Cynet allow MSPs to increase their profit margins while improving service quality. Cynet's offerings enable MSPs to position themselves as top-tier providers in the cybersecurity market, expanding their client base and business impact.
2024-06-11 15:22:28 bleepingcomputer MALWARE New 'Warmcookie' Malware Distributed Through Fake Job Offers
Elastic Security Labs discovered a new Windows malware, "Warmcookie," distributed through phishing campaigns posing as job offers. Warmcookie is designed to infiltrate and persist in corporate networks and collects extensive information about infected hosts. The malware is delivered through emails that mimic legitimate job offers and use personalized touches such as the recipient's name and employer. Victims are tricked into downloading a JavaScript file, which then downloads and executes the Warmcookie DLL via PowerShell and BITS. Once installed, Warmcookie establishes routine communication with a C2 server and creates a scheduled task that runs every 10 minutes. The backdoor's capabilities include machine fingerprinting, screenshot capture, and the possible deployment of additional payloads. Elastic's analysts warn that, despite being a new entry, Warmcookie poses a significant risk because of its advanced functionality and continuing development.
2024-06-11 14:36:20 thehackernews NATION STATE ACTIVITY Chinese SecShow Actor Engages in Global DNS Probing Activities
A Chinese actor dubbed SecShow, linked to the China Education and Research Network (CERNET), has been conducting DNS probing internationally since June 2023. The purpose of the probes, which are aimed at open resolvers, remains uncertain but could potentially facilitate malicious activity. The actor uses CERNET nameservers to identify open DNS resolvers and to manipulate DNS response behavior. Each DNS query produces a different random IP address, and the activity was unintentionally amplified by query attempts from Palo Alto Cortex Xpanse. Previous disclosures by Dataplane.org and Unit 42 highlighted similar scanning activity by this actor. The probing fits a pattern seen with another China-linked actor, Muddling Meerkat, known for DNS queries that blend into global traffic. SecShow's nameservers stopped responding in mid-May 2024, marking an end to this particular probing activity.
2024-06-11 14:25:47 bleepingcomputer MALWARE TellYouThePass Ransomware Attacks Exploit PHP Vulnerability
TellYouThePass ransomware exploited the PHP vulnerability CVE-2024-4577 in server attacks less than 48 hours after fixes were issued. Researchers observed the ransomware delivering webshells and running the encryptor via a Windows executable to compromise systems. The ransomware uses a VBScript inside an HTA file to load and execute its payload, encrypting files on the compromised server. Attackers demand a ransom of 0.1 BTC, roughly $6,700, for decryption keys. Over 450,000 exposed PHP servers, concentrated in the U.S. and Germany, remain potentially vulnerable, raising the risk of further exploitation. Security firms observed rapid use of publicly available exploit code immediately after the vulnerability disclosure and patch release. Victims have reported multiple websites being encrypted, underlining the broad impact and effectiveness of the campaign against exposed servers.
2024-06-11 13:34:43 theregister DATA BREACH UK and Canada Investigate 23andMe's Massive Data Breach
The UK's Information Commissioner's Office and Canada's Privacy Commissioner are conducting a joint investigation into the 23andMe data breach, which affected nearly 7 million users. The investigation will assess the harm caused to customers, the adequacy of the security measures in place, and the company's transparency with regulators. The breach was detected only after five months, when the information appeared on Reddit, rather than through internal security efforts. Sensitive data, including genetic information, was accessed, potentially affecting user privacy and security on a large scale. The attackers targeted specific user groups and used credential stuffing to breach around 14,000 accounts, exploiting weak user security practices. The breach has raised concerns about the misuse of genetic data and the responsibility of companies to safeguard user information. After the breach was identified, 23andMe enabled two-factor authentication by default. 23andMe has pledged to cooperate with the regulators during the investigation, which remains ongoing, and will make no further comment until its conclusion.
2024-06-11 12:48:16 bleepingcomputer DATA BREACH Pure Storage Confirms Customer Data Exposure After Snowflake Hack
Pure Storage acknowledged a breach of its Snowflake workspace that led to unauthorized access to telemetry data. The exposed information included customer names, LDAP usernames, and email addresses, but, crucially, no credentials for array access. Following the incident, Pure Storage implemented security measures to prevent further unauthorized access. The attack affected customer telemetry used for proactive support services and did not involve broader customer infrastructure or stored data. Snowflake, together with Mandiant and CrowdStrike, indicated that the attacks used stolen credentials to target accounts without multi-factor authentication. Over 165 organizations have potentially been affected by similar Snowflake account breaches carried out by the threat actor UNC5537. The broader issue is linked to credentials stolen by infostealer malware since 2020, highlighting the need for credential rotation and updated security measures.
2024-06-11 11:01:22 thehackernews MISCELLANEOUS Annual Report Unveils Top Network Vulnerabilities of 2024
Vonahi Security's annual report presents findings from over 10,000 network pentests conducted across more than 1,200 organizations. Key vulnerabilities identified include DNS spoofing weaknesses such as Multicast DNS (mDNS) and NetBIOS Name Service (NBNS) spoofing. Other severe threats involve outdated Microsoft Windows systems and exploitable Windows remote code execution (RCE) vulnerabilities such as BlueKeep and EternalBlue. IPMI authentication bypass and local administrator password reuse were also highlighted as increasing the risk of widespread breaches. Dell EMC iDRAC devices were found to have CGI injection vulnerabilities that could allow attackers to execute commands as root. Common root causes include configuration weaknesses and patching deficiencies. The report emphasizes the need for penetration testing more frequently than the conventional annual schedule so that vulnerabilities are identified and addressed in a timely manner. Vonahi's vPenTest platform offers automated, continuous network penetration testing to help organizations proactively manage and mitigate cybersecurity risk.
2024-06-11 10:15:20 thehackernews MISCELLANEOUS Apple Launches Private Cloud Compute with Enhanced AI Features
Apple introduced Private Cloud Compute (PCC), a cloud system for AI processing designed to preserve user privacy by handling AI tasks in a secure cloud environment. PCC, part of Apple Intelligence, supports new generative AI features in iOS 18, iPadOS 18, and macOS Sequoia, using both on-device and cloud computing. The system integrates ChatGPT into Siri and the systemwide Writing Tools, with privacy measures that include obscuring IP addresses and OpenAI not retaining requests. Apple's security infrastructure for PCC includes a custom server node design built on Apple silicon, along with protections such as the Secure Enclave, Secure Boot, and sandboxing. PCC requests are routed through Oblivious HTTP (OHTTP) relays operated by an independent party, hiding source IP addresses to prevent potential attacks. Independent security experts can inspect the source code running on Apple’s servers, with all software images published for public examination so that the privacy claims can be verified. New privacy controls are also introduced, including the option to lock apps with Face ID or Touch ID, a dedicated Passwords app, and a refreshed Privacy & Security section in Settings. Apple Intelligence and its new features will be available on newer hardware models and are restricted to devices set to U.S. English.