Daily Brief

2024-06-10 14:05:41 bleepingcomputer CYBERCRIME AI SPERA Launches Cyber Threat Detection on Snowflake Marketplace
AI SPERA has introduced paid cyber threat intelligence data from its Criminal IP search engine on the Snowflake Marketplace, enhancing cybersecurity capabilities. Criminal IP's intelligence offerings include detailed datasets for fraud detection, privacy protection, and incident response, sourced from its comprehensive Cyber Threat Intelligence Database (CTIDB). The data products are designed to identify and mitigate fraudulent activities and privacy breaches by analyzing malicious and masked IP addresses. The newly listed products empower organizations to proactively manage and respond to cybersecurity threats, protecting digital assets and streamlining incident response. Features include advanced detection capabilities for botnets, command and control (C2) software, and anonymizing services like VPNs and proxies. Snowflake Marketplace users can access a complimentary trial, with a subscription option for continuous daily updates. AI SPERA has expanded globally since 2023, forming alliances with top security brands and offering additional cybersecurity services on AWS and Azure Marketplaces.
2024-06-10 12:32:59 theregister DATA BREACH Snowflake Implements MFA After Security Breach Spree
Snowflake, a cloud data analytics firm, has decided to mandate multi-factor authentication (MFA) for its customers following security breaches involving the theft of extensive data from multiple customers including Ticketmaster and Santander. The breaches were initially identified by Hudson Rock analysts, prompting Snowflake to consider stronger security measures despite denying that the breaches stemmed from direct attacks on its own systems. Snowflake is also developing additional advanced security controls for customer accounts to prevent further incidents. There were reports of widespread availability of Snowflake customer credentials on cybercriminal forums, indicating a potentially more extensive problem. Snowflake has been communicating with clients, urging the activation of MFA and other security protocols as essential steps to safeguard their data. The U.S. White House is concurrently being urged by the industry to streamline cybersecurity regulations to enhance both cybersecurity outcomes and business competitiveness. Other related news mentioned includes vulnerabilities in the OT sector and attacks on container environments due to misconfigurations, emphasizing the need for continuous cyber threat assessments and stringent security measures within organizations.
2024-06-10 12:02:06 thehackernews CYBERCRIME Microsoft Warns of Azure Service Tag Vulnerabilities
Microsoft has alerted users to potential misuse of Azure Service Tags for bypassing firewall rules and gaining unauthorized access to cloud resources. The issue was highlighted by cybersecurity firm Tenable, which pointed out that Azure Service Tags could be exploited to impersonate trusted services. At least 10 Azure services, including Azure Application Insights, Azure DevOps, and Azure Machine Learning, have been identified as susceptible to this security flaw. Azure Service Tags are intended for routing network traffic and are not designed to act as a security boundary or to replace input validation. Microsoft has revised its documentation to advise Azure users that Service Tags alone are insufficient for securing traffic and to emphasize the need for additional authentication and validation controls. Despite the flaw, there is no current evidence that the feature has been exploited in active attacks. Microsoft has recommended that Azure customers review their use of service tags and reinforce network traffic defenses so that only trusted services are authenticated.
2024-06-10 11:46:33 thehackernews NATION STATE ACTIVITY Google and Meta Disrupt Global Influence Operations
Google removed 1,320 YouTube channels and 1,177 Blogger blogs linked to a China-based disinformation campaign concerning U.S. and China foreign relations. Additional influence operations with connections to Indonesia and Russia were dismantled by Google, involving the termination of advertising accounts and content praising local governments or denigrating rivals. A separate network from the Philippines and India engaging in financially motivated influence operations was also taken down by Google. Meta disrupted an operation by an Israeli marketing firm intended to influence U.S. and Canadian perspectives on Israel amid the Israel-Hamas conflict. Israel's Ministry of Diaspora Affairs was reported to have funded the covert Israeli influence operation, a campaign uncovered amid ongoing disinformation concerns. Microsoft has warned of Russian disinformation efforts targeting the 2024 Summer Olympics in France, using fabricated threats to undermine public trust in the event. Tactics observed internationally include the use of generative AI to spread misinformation, raising concerns about the growing sophistication of technology used in influence operations.
2024-06-10 11:35:43 theregister CYBERCRIME UK Police Arrest Two for SMS Phishing Using Fake Cell Tower
British police arrested two individuals linked to a homebrew phone mast facilitating a large-scale smishing operation. The homemade device, termed a “text message blaster,” bypassed traditional network filters to send fraudulent messages posing as banks or official entities. Thousands of fake SMS messages were sent, deceiving recipients into divulging personal information. The UK network operators have measures like forwarding suspicious messages to a dedicated shortcode 7726, enabling them to tackle similar spam messages. One suspect, Huayong Xu, was formally charged with possessing fraudulent articles, while the other unidentified suspect has been bailed. Ongoing collaboration between City of London Police, network operators, Ofcom, and the NCSC aims to prevent further unauthorized use of such technologies. Police speculate the technology used may be akin to an IMSI catcher, which can undermine network security protocols to send unsolicited texts. Enhanced network security measures have been adopted by operators such as EE to prevent the spread of scam messages.
2024-06-10 11:35:43 thehackernews MISCELLANEOUS The Critical Role of Continuing Education in Cybersecurity
Continuing Professional Education (CPE) credits are essential for cybersecurity professionals to maintain and enhance their industry knowledge and skills. CPE activities include attending workshops, online courses, and conferences, focused on updating professionals about the latest cybersecurity threats and defenses. Certifications from bodies like (ISC)², ISACA, and CompTIA require a specific number of CPE credits within set periods to retain credentials. CPEs not only aid in career advancement but also significantly boost job performance by keeping individuals updated on new hacking techniques and security measures. The process of earning and tracking CPE credits is regulated by certifying bodies that specify the type and amount of activities required. Regular participation in CPE activities strengthens an organization's security posture, reduces risks of breaches, and supports professional growth and excellence in the cybersecurity field. The benefits of CPEs extend beyond mere compliance; they are a strategic investment in enhancing an individual's and an organization's defensive capabilities against evolving cyber threats.
2024-06-10 05:33:35 thehackernews NATION STATE ACTIVITY Sticky Werewolf Widens Cyber Attacks in Russia, Belarus
Cybersecurity researchers have revealed ongoing cyber attacks by a group known as Sticky Werewolf, targeting organizations in Russia and Belarus. Targets include a pharmaceutical company, a Russian microbiology research institute, and the aviation sector, expanding Sticky Werewolf's focus beyond its previous governmental targets. The recent phishing campaigns use RAR archives containing malicious LNK files which, upon extraction and execution, deploy malware that bypasses security measures. The malware delivered includes commodity Remote Access Trojans (RATs) and information stealers such as Rhadamanthys and Ozone RAT, packed with a variant of the CypherIT crypter. Sticky Werewolf's exact national affiliation remains uncertain, though some indicators suggest potential ties to pro-Ukrainian groups or cyber-activists. Other related cyber activity in Russia includes the discovery of attack clusters such as Sapphire Werewolf and Fluffy Wolf, which target various sectors with different malicious software. These revelations highlight escalating cyberespionage amid geopolitical tensions, underscoring the need for heightened cybersecurity vigilance in the affected regions.
2024-06-10 05:28:10 bleepingcomputer MALWARE Malicious VSCode Extensions Infect Millions of Devices
Israeli researchers successfully infiltrated over 100 organizations by creating a trojanized 'Dracula Official' theme in the VSCode Marketplace. The malicious extension, mimicking the popular Dracula theme, gathered system information and sent it to a remote server. Despite posing significant risks, the malicious code within these extensions went undetected by endpoint detection and response (EDR) tools. The compromised extensions impacted high-value entities, including a $483 billion company and a national justice court network. The researchers' investigation uncovered thousands of risky extensions with millions of installs on the VSCode Marketplace. In addition to their findings, the researchers developed 'ExtensionTotal', a tool to identify and analyze high-risk extensions which they plan to release freely. Microsoft has been notified about these security issues, but the majority of malicious extensions are still available for download. These findings highlight critical vulnerabilities and lack of stringent security measures in the VSCode extensions marketplace.
2024-06-09 14:43:23 bleepingcomputer MALWARE Malicious VSCode Extensions Expose Major Security Risks
Israeli researchers demonstrated a security gap in the Visual Studio Code Marketplace by "infecting" over 100 organizations with a trojanized extension. The experiment involved a fake version of the 'Dracula Official' theme, renamed 'Darcula,' which included hidden malicious code. The malicious script in the 'Darcula' extension collected system information and sent it to a remote server without being detected by endpoint security tools. Significant entities, including a major publicly listed company and national security organizations, inadvertently installed this compromised extension. Researchers developed 'ExtensionTotal,' a tool to identify and analyze suspicious extensions in the Visual Studio Code Marketplace. The findings underscore a dire need for improved monitoring and security measures on the platform as malicious actors can exploit these vulnerabilities. Microsoft has been notified about these security risks, but many malicious extensions remain available for download, posing ongoing threats to users.
2024-06-09 14:22:40 bleepingcomputer CYBERCRIME Malicious VSCode Extensions Impact Major Companies Worldwide
Israeli researchers infected over 100 organizations by publishing a trojanized copy of the popular 'Dracula Official' theme in the Visual Studio Code Marketplace. The look-alike extension, named 'Darcula', mimicked the original theme but included a script that harvested system information and transmitted it back to the creators. High-profile targets, including a major global company with a $483 billion market cap and significant institutions such as national justice networks, were affected. The malicious extension evaded detection systems because of the lenient security controls applied to development environments like VSCode. Security experts used a new tool, 'ExtensionTotal', to identify high-risk extensions and reported their findings to Microsoft, though many suspicious extensions are still available. The absence of stringent code review mechanisms in the Visual Studio Code Marketplace facilitates ongoing exploitation by cybercriminals. The researchers are set to release 'ExtensionTotal' publicly, aiming to help developers identify and mitigate potential threats in their VSCode environments.
2024-06-09 12:15:38 theregister MALWARE Akira Ransomware Emerges as a Potent Cyber Threat
Akira ransomware, though less known, poses a significant threat similar to major malware like BlackCat or LockBit. Scott Small, Tidal Cyber's director of cyber threat intelligence, notes Akira's capabilities and intent could notably impact many organizations. Akira targets both modest-sized and larger organizations, exploiting well-known vulnerabilities and using less common tactics such as FTP for data exfiltration. Core cyber-hygiene practices, such as timely security updates, can dramatically reduce the risk of Akira ransomware attacks. The group behind Akira demonstrates creativity and persistence, indicating ongoing and evolving threats from this malware. Small emphasizes the importance of comprehensive and proactive security measures beyond just updates to effectively mitigate potential ransomware attacks.
2024-06-08 17:13:00 bleepingcomputer DATA BREACH New York Times Suffers Major GitHub Data Leak
The New York Times confirmed that internal source code and data were stolen and subsequently leaked on 4chan, traced back to a compromised GitHub account used by the company. A 273GB archive containing the stolen Times source code and other data was shared on 4chan by an anonymous user, comprising around 3.6 million files from approximately 5,000 GitHub repositories. The leaked data includes a variety of information such as IT documentation, infrastructure tools, and source code for several internal applications, including the popular Wordle game. The breach, which occurred in January 2024, was enabled by an exposed GitHub token that allowed unauthorized access to the company's GitHub repositories. The New York Times stated that the compromised GitHub credential was quickly discovered and secured, asserting that there was no evidence of unauthorized access to Times-owned systems or of any operational impact. This incident marks the second major leak reported on 4chan in the same week, the first involving stolen data from Disney's Club Penguin game. The Times has highlighted continuous monitoring and other enhanced security measures as its response to prevent further incidents.
2024-06-08 14:45:30 theregister DATA BREACH Ex-Uber CSO Joe Sullivan Discusses the Fallout of His Conviction
Joe Sullivan, former Uber chief security officer, was found guilty in 2022 of covering up a 2016 data theft incident at Uber. Federal prosecutors initially sought a 15-month jail term for Sullivan, but he ultimately received three years' probation and 200 hours of community service. Sullivan's conviction is unprecedented, marking the first time a high-ranking CSO in the U.S. has been charged and convicted for actions related to their role. Post-conviction, Sullivan has emphasized the importance of accountability in corporate security roles and stressed that top executives should bear ultimate responsibility for cybersecurity breaches. Sullivan advocates that security leaders remain driven and proactive despite the challenging landscape, emphasizing their critical role in safeguarding organizational data. He has highlighted the need for CSOs and CISOs to have robust support and clear directives in order to perform their duties and manage crises effectively.
2024-06-08 14:14:45 bleepingcomputer DDOS DDoS Attacks Hit EU Political Parties During Election Period
DDoS attacks are targeting European political parties amidst the ongoing EU Parliament elections, with hacktivist group 'HackNeT' claiming responsibility. Cloudflare has successfully mitigated multiple DDoS attack waves directed at election-related websites in the Netherlands. Two significant attacks on June 5 and 6 disrupted websites of right-wing nationalist parties, which have expressed sympathies towards Russia. The first major attack peaked at 115 million requests per hour, while the second less severe incident reached 44 million requests per hour. Both targeted parties, PVV and FvD, are known for their critical stance on the EU and NATO, and oppose sanctions against Russia. In Germany, a "serious cyberattack" affected the Christian Democratic Union's network, leading to increased security measures across political platforms. These instances of cyberattacks highlight the intersection of international politics and cyber warfare tactics during critical election times.
2024-06-08 07:38:33 thehackernews MALWARE Critical PHP Vulnerability Threatens Windows Servers Worldwide
A new critical vulnerability in PHP, identified as CVE-2024-4577, allows remote code execution on Windows servers. The flaw is a CGI argument injection that affects all PHP versions on Windows, bypassing the protections added for an older vulnerability (CVE-2012-1823). A DEVCORE security researcher responsibly disclosed the vulnerability on May 7, 2024, and patches were released in subsequent PHP updates. Exploitation attempts were detected soon after public disclosure, indicating active interest from malicious actors. DEVCORE advises moving away from PHP CGI to more secure alternatives such as mod_php, FastCGI, or PHP-FPM. Patched PHP versions include 8.3.8, 8.2.20, and 8.1.29, addressing the vulnerability for users running affected configurations. Particularly vulnerable are XAMPP installations on Windows configured for locales such as Traditional Chinese, Simplified Chinese, or Japanese. Immediate patching is strongly recommended because the exploit method is simple and the potential for widespread exploitation is high.