Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-04 15:42:01 | bleepingcomputer | MISCELLANEOUS | Microsoft Announces Deprecation of Outdated NTLM Authentication | Microsoft has officially deprecated the NTLM authentication protocol, urging a transition to more secure methods such as Kerberos or Negotiate authentication. NTLM, first introduced in 1993 with Windows NT 3.1, is criticized for its outdated security measures and susceptibility to various cyberattacks, including NTLM relay attacks. Despite enhancements like SMB security signing, NTLM remains vulnerable to attacks in which attackers capture and reuse password hashes. The protocol's encryption is weaker than modern standards, and it lacks efficiency and support for single sign-on (SSO) technologies. Microsoft recommends that developers and system administrators audit their use of NTLM and plan for migration to the Negotiate protocol, which uses Kerberos as its primary method and NTLM as a fallback. NTLM will still function in the upcoming Windows Server release and the next annual Windows release, but support will gradually decrease after that. Transitioning from NTLM to Negotiate can typically be managed with minor coding changes, although some scenarios might require more substantial modifications. |
| 2024-06-04 15:36:41 | thehackernews | NATION STATE ACTIVITY | Decoy Dog Trojan Used in Cyber Attacks on Russian Entities | Russian power companies, IT firms, and government agencies have been targeted by a malicious cyber campaign delivering malware known as Decoy Dog. The campaign, dubbed Operation Lahat, is attributed to an APT group called HellHounds, which has been active since at least 2021. Positive Technologies has documented significant breaches, including 48 compromised entities in Russia, spanning critical industries such as space and telecommunications. Decoy Dog initially targeted Linux systems; a Windows variant is now confirmed, enabling attackers to maintain covert communications with infected hosts. The malware uses DNS tunneling for remote control and can move covertly between different control servers to evade detection. HellHounds gained initial access by exploiting vulnerabilities in web services and relationships, as well as by using compromised SSH credentials of contractors. Positive Technologies highlights that the attackers have modified open-source tools to craft their malware, ensuring persistence and evading detection mechanisms. |
| 2024-06-04 14:50:39 | thehackernews | CYBERCRIME | Critical Flaw in Telerik Report Server Allows Admin Account Creation | Progress Software has issued updates for a critical vulnerability in Telerik Report Server that could let attackers bypass authentication. Tracked as CVE-2024-4358, the flaw has a CVSS score of 9.8 and affects versions up to 2024 Q1 (10.0.24.305). It enables remote, unauthenticated attackers to create rogue administrator accounts and access restricted server functionality. The updated version, Report Server 2024 Q2 (10.1.24.514), addresses the vulnerability. Progress Software advises customers to check their servers for unauthorized local users and to update immediately. As part of the mitigation, Progress Software also recommends implementing a URL Rewrite rule on IIS servers to reduce exposure. The flaw was discovered a little over a month after another significant vulnerability in Telerik Report Server was patched. Given past exploitation of Telerik servers, updating to fixed versions and continuous monitoring are crucial for preventing breaches. |
| 2024-06-04 14:35:11 | theregister | DATA BREACH | Christie's Data Auctioned Post-Breach by Cybercrime Group RansomHub | Christie's experienced a cyberattack that led to unauthorized access to certain client data, but not to financial or transactional records. The attackers, known as RansomHub, initially demanded a ransom, then claimed to have auctioned the data to an anonymous buyer. Exposed details included client names and personal identity information from ID documents such as passports and driving licenses. RansomHub failed to secure a ransom by its deadline and pivoted to auctioning the data. Experts believe the auction tactic rarely generates payouts and often serves more as a symbolic gesture or face-saving measure. There is skepticism about the scale of the breach and about the effectiveness of auctioning stolen data within the cybercrime community. |
| 2024-06-04 14:03:41 | theregister | DATA BREACH | Microsoft Accused of GDPR Violations in Education Software | A privacy group has lodged a complaint with the Austrian data protection authority against Microsoft 365 Education for potential GDPR breaches. Noyb, the privacy organization, alleges that Microsoft imposes data protection responsibilities on schools while shirking its own obligations. The complaint emphasizes that Microsoft's system lacks transparency in processing children's data and does not adequately comply with individuals' data access rights. It is claimed that schools are powerless to negotiate or alter how Microsoft processes user data, leaving most of the decision-making and profit with Microsoft. Additionally, noyb has filed a second complaint stating that Microsoft 365 Education installs cookies without consent and uses them for behavioral analysis and advertising. Noyb's actions follow earlier successes by its honorary chairman, Max Schrems, in challenging inadequate data protection agreements between the EU and the US. The group is pressing the Austrian data protection authority to enforce stricter checks and penalties if GDPR violations are confirmed. |
| 2024-06-04 14:03:41 | bleepingcomputer | MISCELLANEOUS | How to Secure Microsoft Copilot in Corporate Environments | Microsoft Copilot boosts employee productivity by integrating with Microsoft 365 tools like Word, PowerPoint, and Excel, acting as an analyst, copywriter, notetaker, and designer. While it enhances efficiency, there is a significant risk that Copilot could unintentionally access and share sensitive corporate information. Copilot generates content based on the data it can access within the Microsoft suite, potentially exposing sensitive data if access is not properly controlled. Organizations must implement stringent access controls and label sensitive data to prevent unwanted exposure through Copilot. Employees with Copilot access should receive training on the risks of inadvertent data sharing and the importance of reviewing materials before sharing them externally. Admins need to rigorously define user access and roles for files on corporate drives to mitigate the risk of data leaks through GenAI use. Enterprises should take careful measures to secure GenAI tools like Microsoft Copilot in order to maintain confidentiality and data integrity in their operations. |
| 2024-06-04 12:05:41 | theregister | MALWARE | Cybercriminals Utilize BoxedApp to Evade Detection and Analysis | Malware authors are increasingly leveraging BoxedApp, a legitimate commercial packer, to avoid detection by security systems. Jiří Vinopal of Check Point Research highlights a significant rise in malware using BoxedApp, most commonly remote access trojans like Agent Tesla, AsyncRAT, and QuasarRAT, as well as ransomware and infostealers. BoxedApp allows malicious software to bypass static analysis and stay undetected longer, giving attackers more time to access sensitive data. Despite the spike in usage since March 2023, antivirus solutions show a high false positive rate when scanning applications packed with BoxedApp, which can lead to decreased alertness in security operations centers. Check Point Research's analysis of 1,200 malicious samples on VirusTotal found that 25% were flagged, indicating that detections occur but are not consistently reliable. Security expert Sean Wright suggests limiting the use of BoxedApp-packed applications and recommends signing applications to reduce false positives. The majority of the malicious samples, submitted from Turkey, the US, and Germany, primarily targeted financial institutions and government sectors and exploited advanced features such as the Virtual Storage offered by the BoxedApp SDK. Check Point Research has developed YARA signatures to improve detection of malicious BoxedApp use, aiding the identification and analysis of packed malware. |
| 2024-06-04 11:19:37 | thehackernews | MISCELLANEOUS | Evolving Cybersecurity: From Browser Isolation to Secure Extensions | Traditional browser isolation has been foundational in protecting against malware and browser exploits but falls short against modern web threats like phishing. Its limitations include significant performance degradation that impacts business productivity. The need for more advanced solutions has led to the development of Secure Browser Extensions, which aim to improve both security and user experience. Secure Browser Extensions use machine learning to analyze web components in real time, identifying threats such as malicious downloads and credential theft. These extensions integrate into browsers, require minimal CPU resources, and do not impact browser performance. Easy deployment on both managed and unmanaged devices caters to a variety of workplace environments. The shift toward these extensions represents an evolution in cybersecurity strategy, addressing both legacy and emerging threats. |
| 2024-06-04 11:09:11 | thehackernews | MALWARE | Sophisticated Multi-Stage Malware Attack Targets Ukraine via Excel | A sophisticated cyber attack in Ukraine used a Microsoft Excel file with a malicious VBA macro to deploy Cobalt Strike. The attack begins with the victim being urged to enable macros in an Excel document, which then triggers the malware deployment. The malware, hidden within the macro-enabled document, downloads additional payloads only if the system's geo-location is confirmed as Ukraine. It includes evasion techniques such as checking running processes for security applications and conditional execution based on geographic location. The final payload is a Cobalt Strike Beacon, which establishes a remote command-and-control channel for further malicious activity. The attackers use encoded and obfuscated files to bypass security measures and maintain a persistent presence on infected systems. Microsoft's decision to block macros by default has helped mitigate such threats and has changed how this malware operates since July 2022. |
| 2024-06-04 10:33:19 | thehackernews | CYBERCRIME | Snowflake Customers Targeted in Credential Theft Campaign | Snowflake reported a targeted credential theft campaign affecting a limited number of customers. The company, together with CrowdStrike and Google-owned Mandiant, found no evidence of platform vulnerabilities or of insider credential compromise. Attackers used credentials obtained from information-stealing malware to access databases configured with single-factor authentication. Mandiant highlighted active threats in which stolen credentials were used to compromise Snowflake customer tenants. Snowflake has urged customers to implement multi-factor authentication (MFA) and to restrict network traffic to trusted locations only. CISA and the Australian Cyber Security Centre have issued alerts advising organizations to monitor for unusual activity and to secure access controls. Indicators of compromise include malicious connections from clients with suspicious identifiers. Independent research underlines the urgency of adopting robust multi-factor authentication given the rising threat from infostealers. |
| 2024-06-04 06:38:43 | thehackernews | MALWARE | DarkGate Malware Evolves with AutoHotkey to Elude Detection | DarkGate malware, active since 2018, has shifted from AutoIt to AutoHotkey in its latest update to better evade cybersecurity defenses. The change was first observed in version 6, released in March 2024 by its developer RastaFarEye and marketed to around 30 subscribers. The malware operates as a remote access trojan (RAT) with functionality including command and control, rootkits, credential theft, keylogging, and more. Features newly added in version 6 include audio recording and advanced mouse and keyboard control, while previous features such as cryptomining and privilege escalation were removed to reduce the risk of detection. The switch to AutoHotkey was documented by McAfee Labs in April 2024; the campaigns exploit vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen. Attack methods include phishing emails with Excel attachments whose macros execute scripts that retrieve and launch the malware payload. Cybercriminals also leverage DocuSign to create legitimate-looking phishing templates, sold on underground forums, to facilitate phishing and business email compromise scams. |
| 2024-06-04 03:35:29 | thehackernews | MALWARE | Active Exploits Targeting Oracle WebLogic Server Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a security flaw in Oracle WebLogic Server, identified as CVE-2017-3506 with a CVSS score of 7.4. The vulnerability allows OS command injection, giving attackers unauthorized access to and full control over affected servers via a malicious HTTP request containing a malicious XML document. Although CISA has not disclosed details of the attacks, the China-based 8220 Gang is known to have used this flaw for cryptojacking by running a cryptocurrency miner filelessly on compromised systems. The 8220 Gang uses obfuscation techniques such as hexadecimal encoding of URLs and HTTP over port 443 for stealthy payload delivery, complicating detection and mitigation. The attackers use a combination of shell and PowerShell scripts, depending on the target operating system, to execute the crypto-mining malware directly in memory. Federal agencies are urged to apply the latest security fixes by June 24, 2024, to safeguard their networks against ongoing and potential exploitation. The continued exploitation highlights the need for continuous attack surface discovery, penetration testing, and adherence to up-to-date security measures. |
| 2024-06-04 02:29:17 | theregister | DATA BREACH | Snowflake Denies System Breach Amid Customer Data Theft Reports | Hudson Rock retracted its report stating that attackers accessed Snowflake customer data through an employee's credentials, following legal pressure from Snowflake. Snowflake insists no breach occurred within its systems, arguing that compromised customer accounts were likely the result of targeted phishing or malware. Snowflake confirmed that a threat actor accessed only non-sensitive demo accounts using a former employee's credentials, without affecting corporate or production systems. Ticketmaster and Santander Bank, both Snowflake clients, confirmed unauthorized access to their data; the specifics remain under investigation. Snowflake and cybersecurity firms including CrowdStrike and Mandiant are actively investigating the incidents and urging customers to enable multi-factor authentication (MFA). Snowflake is handling security alerts but has found no evidence that compromised employee credentials led to the data theft. Security experts warn that other Snowflake customers may soon report data breaches, highlighting ongoing weaknesses in secure data management. |
| 2024-06-03 23:15:49 | bleepingcomputer | DATA BREACH | FBCS Reports Data Breach Affecting Over 3.2 Million Consumers | Debt collection agency Financial Business and Consumer Solutions (FBCS) experienced a significant data breach impacting 3.2 million individuals. Originally reported in April, the breach occurred on February 14, 2024, with initial estimates affecting around 1.9 million U.S. residents. The compromised information includes sensitive personal data, exposing victims to potential phishing, fraud, and social engineering attacks. FBCS has begun distributing new data breach notifications and is offering free 24-month credit monitoring and identity restoration services. The company has since upgraded its security infrastructure, establishing a new system designed to strengthen safeguards and prevent future breaches. As of now, no cybercriminal group has publicly claimed responsibility for the breach. |
| 2024-06-03 22:34:51 | bleepingcomputer | CYBERCRIME | Microsoft India's Twitter Account Used in Crypto Scam | Microsoft India's official Twitter account was hijacked by cryptocurrency scammers impersonating "Roaring Kitty," a well-known meme stock trader. The hijackers used the verified account to direct users to a fake site offering a fraudulent presale of a GameStop cryptocurrency. Victims who connected their wallets to the fake site would have their assets stolen by a wallet drainer service. The scam is part of a broader trend in which verified Twitter accounts are exploited to promote cryptocurrency scams and malware. The SEC's official account recently fell victim to a similar scheme after a SIM-swapping attack compromised its security. The X platform faces ongoing issues with malicious cryptocurrency ads and an increase in account hijackings targeting verified users. Scammers have reportedly stolen approximately $59 million in cryptocurrency through similar schemes over eight months. |