Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-05 07:18:00 | thehackernews | MALWARE | Zyxel Addresses Critical Vulnerabilities in Outdated NAS Devices | Zyxel has issued updates for critical vulnerabilities in two of its end-of-life NAS models, NAS326 and NAS542.
The vulnerabilities affect firmware versions up to V5.21(AAZF.16)C0 for NAS326 and V5.21(ABAG.13)C0 for NAS542.
Updated firmware versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0 have been released to patch these issues.
Three out of the five detected vulnerabilities could allow unauthenticated attackers to run OS commands and arbitrary code.
Security researcher Timothy Hjort from Outpost24 discovered and reported these flaws.
Two privilege escalation flaws requiring authentication remain unpatched.
No current evidence suggests these vulnerabilities have been exploited in the wild.
Users are strongly recommended to update their devices to the newly released firmware versions to ensure security. | Details |
| 2024-06-05 06:47:06 | theregister | MISCELLANEOUS | Microsoft Resolves Azure Service Tag Flaw with Enhanced Documentation | Microsoft determined that a reported Azure vulnerability was a feature misunderstanding, not requiring a fix but better documentation.
The issue involved Service Tags in Azure, which could potentially allow unauthorized cross-tenant network access if misused.
Tenable, a security firm, initially reported the flaw, which Microsoft acknowledged and initially labeled as an "elevation of privilege" issue before downgrading its severity.
Despite offering a bug bounty, Microsoft opted to enhance guidance on using Service Tags rather than implement a direct patch.
Microsoft stressed the importance of a multi-layered security strategy, advising customers against relying solely on Service Tags for security.
Improved documentation now guides Azure users on secure utilization of Service Tags, alongside additional security measures.
Tenable highlighted the risks associated with the misuse of Service Tags, pushing for changes that emphasize broader security practices.
No exploitation of this flaw has been reported in real-world scenarios, according to Microsoft's investigations. | Details |
| 2024-06-05 06:26:35 | thehackernews | MALWARE | Zero-Click Malware Attack Compromises Celebrity TikTok Accounts | High-profile TikTok accounts have been targeted by a zero-click malware attack via direct messages, compromising account security without user interaction.
The attack has affected a very small number of users, though specific details on the extent and nature of the breach remain unclear.
TikTok has implemented preventive measures to halt the ongoing attack and is actively working with affected users to restore access to their accounts.
Previous incidents highlight TikTok's vulnerability, including a flaw that could link user accounts to phone numbers and a one-click exploit on its Android app.
The platform has also seen large-scale account compromises and malware distribution, such as the hacking of 700,000 accounts in Turkey and the exploitation of the Invisible Challenge.
Ongoing global concerns about TikTok's potential data security risks due to its Chinese ownership have led to wide-scale bans in several countries and restrictions on the use of the app on government devices.
TikTok is currently challenging a U.S. law that threatens a nationwide ban, defending its platform against allegations of being a conduit for Chinese data gathering and propaganda. | Details |
| 2024-06-04 22:13:10 | bleepingcomputer | DATA BREACH | Australian Mining Firm Reports Data Theft and Dark Web Leak | Northern Minerals, an Australian mining company, announced a significant cybersecurity breach with stolen data posted on the dark web.
The breach involved critical corporate, financial, and personnel data and was first detected in late March 2024.
The data theft included sensitive information about shareholders, employees, and corporate operations.
BianLian ransomware group claimed responsibility for this attack, suggesting the company did not comply with their ransom demands.
The incident has been reported to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
Personalized notifications are being sent to individuals affected by this breach.
Despite the breach, Northern Minerals confirmed that their mining and business operations remain unaffected. | Details |
| 2024-06-04 21:57:34 | bleepingcomputer | CYBERCRIME | TikTok Patches Zero-Day Flaw After High-Profile Account Hijacks | A zero-day vulnerability in TikTok's direct messages feature was exploited to hijack accounts of celebrities and major companies.
High-profile victims of these attacks included accounts owned by Sony, CNN, and Paris Hilton, which had to be temporarily taken down.
The exploited security flaw did not require victims to download anything or click on links; simply opening a malicious message triggered the hijack.
TikTok's security team acknowledged the attacks and has taken steps to secure the platform and assist the impacted account owners.
The exact number of affected users has not been disclosed, and details of the vulnerability remain confidential until fully rectified.
TikTok had previously addressed other vulnerabilities that could lead to account takeovers or privacy breaches.
The platform has significant reach, surpassing 1 billion users and downloads, underscoring the impact of such security flaws.
Despite efforts to fix past issues, TikTok continues to face challenges with security vulnerabilities affecting its large user base. | Details |
| 2024-06-04 20:35:46 | bleepingcomputer | CYBERCRIME | FBI Alerts on Cryptocurrency Scams Via Fake Remote Job Ads | The FBI has issued a warning concerning an increase in cryptocurrency frauds that exploit fake remote job listings in the U.S.
Scammers impersonate legitimate businesses such as staffing or recruiting agencies, contacting victims through unsolicited calls or messages.
These fake job ads often involve simple tasks, such as online business ratings or service optimizations, with a complex compensation scheme requiring victims to pay in cryptocurrency.
Victims are misled with a fraudulent earnings portal, showing earnings they are unable to actually withdraw.
Key scam indicators include requests for cryptocurrency payments as part of employment, overly simplistic job descriptions, and lack of reference checks during hiring.
The FBI encourages those targeted by suspected job scams to report the incidents to the FBI Internet Crime Complaint Center (IC3) along with details like cryptocurrency addresses and transaction specifics.
The FBI’s 2023 Internet Crime Report notes a 22% increase in reported losses compared to the previous year, totaling a record $12.5 billion lost to online crime. | Details |
| 2024-06-04 20:19:56 | bleepingcomputer | CYBERCRIME | ARRL Hacker Attack: International Group Targets Amateur Radio | The American Radio Relay League (ARRL) experienced a significant cyberattack in May, resulting in substantial disruption including the takedown of the Logbook of the World and communication services.
ARRL, which serves as the U.S. national association for amateur radio, had its network compromised by a self-reported international cybercrime group.
The impact of the attack caused concerns among members due to insufficient communication about the breach's details from ARRL's side.
ARRL confirmed the involvement of the FBI and third-party cybersecurity experts to manage the investigation of the sophisticated network intrusion.
Although the FBI categorized the incident as "unique," ARRL has not confirmed whether the breach involved ransomware or whether data was extracted and potentially held for ransom.
Member feedback highlighted dissatisfaction with ARRL’s communication policies regarding the incident, stressing the need for greater transparency.
Questions remain unanswered by ARRL, raising lingering concerns about the extent of the damage and security of member data. | Details |
| 2024-06-04 20:09:26 | theregister | MISCELLANEOUS | Senior Navy Chief Demoted for Unauthorized Ship Wi-Fi Setup | The US Navy demoted Command Senior Chief Grisel Marrero after she orchestrated the installation of an unauthorized Wi-Fi network on the USS Manchester combat ship.
Marrero's actions included procuring, installing, and using the Wi-Fi system without approval, violating Navy protocols which typically ban such technology on vessels for security reasons.
The illicit network was discovered in June when an attempt to inform the commanding officer was intercepted by Marrero, who subsequently withheld the information.
To prevent disciplinary action against a crew member possibly linked to the Wi-Fi use, Marrero altered an image indicating reduced data usage via the ship’s Starlink connection.
Marrero was tried and convicted of willful dereliction of duty, making false statements, and obstruction of justice, and was stripped of her rank from E-8 to E-7.
Other sailors reportedly involved in the Wi-Fi network setup were also punished, though specific details of their penalties have not been disclosed.
The Navy emphasized that senior enlisted leaders are expected to uphold the highest standards, and accountability is enforced when they fail to meet these expectations. | Details |
| 2024-06-04 18:57:58 | bleepingcomputer | CYBERCRIME | Advanced V3B Phishing Kit Targets Over 50 European Banks | Cybercriminals are advertising a new phishing kit called 'V3B' on Telegram, targeting 54 major financial institutions in multiple European countries.
The V3B phishing kit costs between $130-$450 per month, featuring options like localization, OTP support, and real-time interaction with victims.
It utilizes heavily obfuscated JavaScript and a custom CMS for evasion from anti-phishing tools and to prevent detection by researchers.
The phishing kit supports multiple languages and is compatible with both desktop and mobile platforms, aiming to steal banking credentials and credit card information.
V3B allows criminals to interact directly with their targets using a live chat feature and can send custom alerts to phish for one-time passwords.
It also integrates QR code login jacking and supports advanced authentication technologies like PhotoTAN and Smart ID, commonly used in German and Swiss banks.
This phishing-as-a-service platform demonstrates the increasing sophistication of cybercriminal tools and poses significant challenges for fraud prevention efforts. | Details |
| 2024-06-04 18:47:21 | theregister | DATA BREACH | Senators Question Pentagon's Increased Dependence on Microsoft Post-Hack | The Pentagon continues to heavily invest in Microsoft products despite past security failures that compromised U.S. national security.
U.S. Senators Ron Wyden and Eric Schmitt expressed profound concerns over the DoD's cybersecurity strategy in a letter to DoD CIO John Sherman.
The Cyber Safety Review Board identified "avoidable errors" by Microsoft that enabled Chinese spies to access thousands of U.S. officials' emails.
Despite identified security lapses, the U.S. government has consistently increased spending on Microsoft services, raising concerns among some lawmakers.
Upcoming legislation may mandate DoD offices to upgrade to Microsoft's expensive E5 software license, enhancing cybersecurity but limiting vendor diversity.
Lawmakers urged the DoD to adopt a multi-vendor strategy to foster competition, reduce costs, and improve cybersecurity outcomes.
Senators are seeking clarity on the DoD's commitment to supporting secure open source software, as outlined in its 2018 Cyber Strategy.
Microsoft has pledged to provide free cloud security logs, a promise under scrutiny by Senators questioning its implementation by the Pentagon. | Details |
| 2024-06-04 17:30:19 | bleepingcomputer | MALWARE | Zyxel Releases Emergency Patch for End-of-Life NAS Devices | Zyxel Networks issued an emergency patch for three critical vulnerabilities in their older NAS devices.
The affected models, NAS326 and NAS542, are no longer supported as they reached end-of-life on December 31, 2023.
The patched vulnerabilities allow command injection and remote code execution; the update does not address the privilege escalation and information disclosure issues.
Security researcher Timothy Hjort from Outpost24 identified all five vulnerabilities and has published a detailed write-up along with proof-of-concept exploits.
Zyxel has remediated three of the issues with firmware updates despite the models being out of the support period.
While there are no known exploits of these vulnerabilities in the wild, the availability of public PoCs necessitates urgent patching by device owners. | Details |
| 2024-06-04 16:23:52 | bleepingcomputer | RANSOMWARE | Major Ransomware Disruption at London NHS Hospitals Impacting Services | A ransomware attack on Synnovis has severely impacted major NHS hospitals in London, compromising pathology and diagnostic services.
Major facilities affected include King's College Hospital, Guy's Hospital, and St Thomas' Hospital among others.
Healthcare procedures, including some surgeries and blood transfusions, have been canceled or redirected to ensure patient safety.
Hospitals advise patients to continue attending appointments unless instructed otherwise, while emergency services remain operational.
The attack has disrupted IT systems, rendering urgent and emergency care challenging due to unavailable quick-turnaround blood tests.
UK's National Cyber Security Centre and hospital Cyber Operations teams are collaborating to mitigate the impact and understand the full extent of the breach.
Synnovis, affected by the attack, is part of a partnership network that includes SYNLAB UK & Ireland and several NHS trusts. | Details |
| 2024-06-04 16:08:17 | bleepingcomputer | CYBERCRIME | Major London Hospitals Disrupted by Synnovis Ransomware Attack | Synnovis, a key provider of pathology and diagnostic services, suffered a cyberattack on June 3, significantly impacting NHS hospitals in London.
The incident disrupted IT and clinical services across several hospitals including King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust.
Blood transfusion services were particularly affected, causing cancellations and redirections of some medical procedures to other providers.
Urgent and emergency care services are compromised due to unavailable timely blood test results.
The hospitals’ leadership has described the situation as an "ongoing critical incident" with a major impact on healthcare service delivery.
It was confirmed that the cyberattack involved ransomware, complicating the recovery of pathology results, expected to take weeks.
Synnovis had previously changed names and is part of a larger network that also experienced similar ransomware attacks in other regions. | Details |
| 2024-06-04 15:47:28 | theregister | CYBERCRIME | Ransomware Attack Disrupts London Hospital Services | London hospitals are facing major disruptions in pathology services due to a ransomware attack targeting their service partner, Synnovis.
Synnovis, a partnership between Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust, is critical in providing pathology and testing across multiple labs.
The ransomware has significantly impacted blood transfusions and elective surgeries, leading to cancellations and redirections to alternative providers.
NHS England's London region is working with the National Cyber Security Centre and their Cyber Operations team to assess and mitigate the impact.
Emergency care remains operational; patients are advised to attend scheduled appointments unless informed otherwise.
This incident is isolated to London and is not directly connected to the recent ransomware attack on Synlab Italia by the Black Basta group.
NHS officials and Synnovis are part of a task force striving to restore services and communicate regularly with patients and the public about updates.
Synnovis acknowledges the severity of the cyberattack and confirms ongoing efforts to bolster cybersecurity measures. | Details |
| 2024-06-04 15:47:28 | bleepingcomputer | MISCELLANEOUS | Microsoft Deprecates NTLM for Enhanced Security Protocols | Microsoft has officially announced the deprecation of the NTLM authentication protocol in Windows, encouraging a shift to more secure alternatives like Kerberos and Negotiate.
NTLM, launched in 1993, has been vulnerable to cyberattacks, including NTLM Relay attacks where attackers force authentication against malicious servers.
Despite measures like SMB security signing to combat these vulnerabilities, NTLM's weaker encryption and lack of single sign-on support make it outdated by 2024 standards.
Microsoft emphasizes the transition to Negotiate, which prefers Kerberos and falls back to NTLM only if necessary, to enhance security and performance.
The company advises system administrators to use auditing tools to assess NTLM usage and develop a comprehensive transition strategy.
For most applications, migrating from NTLM to Negotiate requires minimal modification, potentially as simple as a one-line code change.
Microsoft provides resources such as a Kerberos troubleshooting guide to assist administrators during this transition period. | Details |