Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-03 21:48:54 | theregister | MISCELLANEOUS | NIST Contracts IT Firm to Address NVD Backlog Issues | NIST has expanded its existing contract with Maryland-based Analygence to address a significant backlog in processing CVEs in the National Vulnerability Database (NVD).
The extended contract, now encompassing aid for clearing the NVD backlog, is part of a broader five-year agreement valued at $125 million.
Since February, there has been a notable increase in the backlog of unanalyzed vulnerabilities, with over 93 percent of submissions since then remaining untreated.
NIST aims to return to its pre-February CVE processing rate in the upcoming months and expects to eliminate the backlog by the end of the fiscal year 2024.
The agency attributes the backlog to several factors, including a general increase in software vulnerabilities and changes in interagency support.
In response to the growing number of vulnerability reports, NIST is exploring long-term strategies such as forming a consortium to enhance NVD research and efficiency.
The reduction in NIST’s budget by nearly 12 percent in the latest federal government budget will likely pose additional challenges to these efforts. | Details |
| 2024-06-03 21:12:51 | bleepingcomputer | CYBERCRIME | Cox Repairs API Flaw Exposing Millions of Modems to Potential Attacks | Cox Communications recently addressed an authorization bypass vulnerability affecting millions of modems.
The vulnerability allowed attackers remote access to modems to reset configurations and steal personal data.
Bug hunter Sam Curry discovered the flaw, which gave attackers permissions similar to ISP tech support.
Attackers could exploit the flaw to access users' personal information, including names, addresses, and Wi-Fi passwords.
The vulnerability involved over 700 exposed backend APIs with potential for executing unauthorized commands.
Cox responded quickly by disabling the vulnerable API calls within six hours and patching the flaw the following day.
Post-incident review by Cox found no evidence that the vulnerability had been exploited prior to its discovery and fix. | Details |
| 2024-06-03 19:50:54 | bleepingcomputer | DATA BREACH | Over 361 Million Stolen Credentials Added to Have I Been Pwned | A collection of 361 million stolen credentials from various sources including data breaches and malware attacks has been added to the Have I Been Pwned (HIBP) service.
These compromised credentials were sourced from cybercrime channels on Telegram and encompass emails, passwords, and associated URLs.
The dataset is notable for its size, including around 151 million email addresses not previously recorded by HIBP.
Troy Hunt, founder of HIBP, partially verified the dataset using password reset functions to confirm email address validity without illegally accessing any accounts.
This incident underlines that no online platform is immune, as credentials from a wide array of sites have been compromised.
Users whose information was compromised by information-stealing malware are advised to reset all passwords stored in their browsers and consider all credentials compromised.
The breach highlights ongoing challenges in cybersecurity, stressing the importance of vigilant internet usage habits to prevent malware infections and unauthorized access.
This significant data compilation serves both as a resource for potential victims to check their exposure and a reminder of the extensive reach and impact of cybercrime. | Details |
| 2024-06-03 19:40:23 | theregister | DATA BREACH | Massive Data Breach Threatens 3 Billion Personal Records | A cybercriminal gang known as USDoD claims to have obtained nearly 3 billion personal records from National Public Data, a Florida-based background check company.
The stolen database was put up for sale for $3.5 million on an underworld forum, allegedly containing comprehensive personal details including social security numbers.
Information within the database spans across citizens of the U.S., Canada, and the UK, covering data accumulated over three decades including deceased relatives.
Cybersecurity community VX-Underground verified some of the database contents and reported that the information appears accurate and real.
The breached data is reported not to include information on individuals who opted out of data sharing, suggesting a tangible benefit from data opt-out services.
In the past, USDoD has been linked to similar significant breaches, including one involving TransUnion and another affecting Airbus vendors. | Details |
| 2024-06-03 18:59:15 | bleepingcomputer | CYBERCRIME | High-Severity Vulnerability Found in Azure Service Tags | Security researchers at Tenable have identified a high-severity vulnerability in Microsoft Azure's Service Tags that could allow unauthorized access to private data.
Service Tags, intended for network isolation and firewall filtering, can be manipulated to bypass firewall rules, potentially exposing sensitive Azure customer data.
The issue stems from the "availability test" feature within Azure Application Insights, which lets attackers craft customized web requests that originate from Service Tag address ranges.
Tenable advises Azure customers to implement additional authentication and authorization measures over the Service Tags-based network controls to protect against unauthorized access.
Microsoft has disputed the claim, stating that Service Tags are not designed as security boundaries but as part of a layered network security strategy involving multiple validation controls.
There is currently no plan from Microsoft to issue a patch specifically for this vulnerability, and there have been no reported instances of exploitation. | Details |
| 2024-06-03 18:02:41 | bleepingcomputer | MALWARE | Critical Exploit Released for Progress Telerik Report Server Vulnerabilities | Researchers have developed a proof-of-concept (PoC) exploit for critical vulnerabilities in the Progress Telerik Report Server.
The primary vulnerability, CVE-2024-4358, is an authentication bypass that enables the creation of admin accounts without proper authorization procedures.
Sina Kheirkhah, along with collaborators, found a second flaw, CVE-2024-1800, which is a deserialization issue allowing remote code execution (RCE) with authenticated access.
These vulnerabilities were identified sequentially, with Telerik issuing fixes on two separate occasions in March and May 2024.
Exploits leverage a complex mechanism in Telerik’s custom deserializer to execute arbitrary commands through specially crafted XML payloads.
The company advises applying updates immediately and monitoring the server's user list for unauthorized entries.
While there are no reports of active exploitation, similar vulnerabilities in Progress products have previously been leveraged in significant cybercriminal activities. | Details |
| 2024-06-03 14:48:25 | theregister | NATION STATE ACTIVITY | Russia Amplifies Disinformation Efforts Ahead of Summer Olympics | Russia is conducting an extensive disinformation campaign targeting the upcoming Olympic Games and the host nation, France.
Microsoft has identified multiple Russia-affiliated cyber groups, including Storm-1679, actively spreading fabricated news and media to undermine trust in the Olympics.
Techniques employed include the use of deepfake videos featuring Tom Cruise, fake terrorism alerts, and counterfeit endorsements from reputable news outlets.
Additional efforts by Storm-1099 involve creating bogus French news websites to spread misinformation about the French President and the security of the Games.
The campaign also seeks to stoke fears of terrorism to possibly reduce attendance at the Games by distributing fake warnings and news reports.
Microsoft notes an increase in French-language content stirring discontent as the Olympics approach, signaling a targeted attempt to provoke local unrest.
The historical context shows Russia's repeated engagement in cyberattacks on Olympic events, dating back to the 2014 Sochi Games, with continued efforts despite international condemnation. | Details |
| 2024-06-03 14:27:38 | bleepingcomputer | MISCELLANEOUS | Strengthening Cybersecurity with Strategic Allowlisting Implementation | Allowlisting software provides robust control and enhances cybersecurity posture by controlling application execution.
While effective against malware and unauthorized software, allowlisting implementation poses user experience and management challenges.
Common pitfalls include incomplete application inventories, overly permissive allowlisting policies, and insufficient policy updates and maintenance.
Neglecting regular updates, lack of user education, and insufficient policy testing can diminish the effectiveness of allowlisting solutions.
Deployment should involve thorough testing and validation to avoid false positives and unintended blocking of critical applications.
Continuous monitoring and auditing are crucial to ensuring adherence to allowlisting policies and identifying security violations.
Allowlisting should be part of a diversified defense strategy, complemented by other security measures like intrusion detection and endpoint protection.
To maximize cybersecurity effectiveness, a balanced, well-maintained, and thoroughly tested allowlisting strategy is recommended. | Details |
| 2024-06-03 14:01:56 | thehackernews | MALWARE | Researchers Discover Malicious npm Package That Installs RAT | Cybersecurity firm Phylum detected a malicious package named glup-debugger-log on the npm registry, designed to mimic a logging tool for gulp users.
The package, downloaded 175 times, contains obfuscated files meant to deploy a remote access trojan (RAT) on targeted systems.
It includes initial checks for specific Windows OS types, network interfaces, and the count of desktop items, aiming to target actively used developer machines.
The RAT sets up persistence on the compromised machine, can execute commands remotely, and relays command outputs back to the attacker.
This malware exemplifies the ongoing evolution and sophistication in malicious software developments within open-source ecosystems.
The RAT’s design integrates user activity indicators as a deployment tactic, highlighting a strategic approach to avoid detection and enhance infection success.
Phylum's findings stress the need for heightened security awareness and measures among developers using open-source libraries and tools. | Details |
| 2024-06-03 13:51:22 | thehackernews | MALWARE | Global Law Enforcement Intensifies Hunt for Emotet Malware Mastermind | Global law enforcement, under Operation Endgame, is actively seeking information on "Odd," the alleged mastermind behind the Emotet malware.
Emotet, initially a banking trojan, has evolved into a versatile malware delivery platform for various payloads such as TrickBot and QakBot.
Recent activities include distributing an updated version of Emotet via Microsoft OneNote email attachments to bypass security measures.
The resurgence of Emotet in late 2021 followed a temporary disruption after a significant law enforcement operation dismantled its infrastructure.
In a coordinated crackdown, authorities recently arrested four individuals and seized over 100 servers linked to malware operations such as IcedID and TrickBot.
This operation is part of a broader initiative to target the initial access broker ecosystem that fuels ransomware attacks across various sectors.
The National Police of Ukraine highlighted the role of Russian cybercrime organizations in using these malware tools for attacks on Western entities, including healthcare providers.
Underground forums have seen heightened alertness among cybercriminals, concerned about law enforcement infiltration and international cooperation on cybercrime crackdowns. | Details |
| 2024-06-03 12:04:00 | theregister | DATA BREACH | Urgent Alert: Check Point's VPN Vulnerability Under Active Exploitation | Check Point has detected targeted attacks exploiting a zero-day vulnerability, CVE-2024-24919, in their VPN products.
Affected products include CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, impacting deployments with the Remote Access VPN blade enabled.
The exploitation involves old VPN accounts using password-only authentication, which Check Point advises against due to security weaknesses.
Patches have been issued for all affected systems to mitigate the risk, and users are urged to update their software immediately to protect sensitive information.
Mnemonic, a threat intelligence firm, confirmed the vulnerability has been exploited since late April, leading to possible file system access including password hashes and SSH keys.
Check Point recommends additional security measures such as enabling multifactor authentication and removing unnecessary local VPN accounts.
Users are also advised to update their Linux systems due to a known exploited vulnerability, CVE-2024-1086, affecting versions from 5.14 to 6.6.14.
Other cybersecurity issues highlighted include a significant advanced fee fraud scam involving “free pianos” and a data breach at Cooler Master exposing sensitive customer information. | Details |
| 2024-06-03 10:57:39 | thehackernews | MISCELLANEOUS | Comprehensive Insights from Cato CTRL's First SASE Threat Report | Cato CTRL has launched its first SASE Threat Report, providing a detailed analysis of current enterprise and network threats.
The report utilizes the MITRE ATT&CK framework and covers a range of issues from malicious activities to the tools and protocols in use across networks.
Key points include widespread use of AI tools like Microsoft Copilot and OpenAI ChatGPT in enterprises, as well as challenges like spoofing of major brands.
The report reveals that unpatched systems and known vulnerabilities, rather than zero-days, pose significant ongoing threats.
Detailed analysis shows that attackers can easily exploit unsecured protocols to navigate laterally across enterprise networks.
Industries face varying security exploitations, highlighting the need for sector-specific defense strategies.
Despite the crucial role of DNS in enterprise operations, there is only a 1% adoption rate of DNSSEC, indicating a critical area of vulnerability.
Cato CTRL combines expertise from former military intelligence, security professionals, and data scientists to provide strategic, operational, and tactical intelligence to enterprises. | Details |
| 2024-06-03 10:21:55 | thehackernews | MALWARE | Security Researcher Identifies Critical Vulnerabilities in Cox Modems | Security researcher Sam Curry revealed serious flaws in Cox modems that could allow attackers to gain unauthorized access and control.
The vulnerabilities were related to an authorization bypass which enabled attackers to execute commands and modify modem settings.
These issues posed a risk of accessing private information of Cox's business customers and performing actions typically reserved for ISP support teams.
Cox addressed the flaws within 24 hours following responsible disclosure on March 4, 2024, with no evidence that the vulnerabilities were exploited in the wild.
Curry’s findings also highlighted the extensive internal access ISPs have to customer devices, which could be potentially compromised.
The researcher provided insights into previous cybersecurity engagements, uncovering similar risks in automotive and customer rewards systems.
The examination of Cox’s modems pinpointed approximately 700 vulnerable API endpoints that could be manipulated to gain administrative privileges. | Details |
| 2024-06-03 09:05:30 | theregister | MISCELLANEOUS | Strengthening Cyber Risk Management for Critical Infrastructure | A Claroty webinar focuses on enhancing cybersecurity in critical infrastructure sectors such as energy, transport, and water management.
Traditional methods and tools are insufficient to mitigate the growing cybersecurity risks in these sectors.
The expanded scope of the Network and Information Security 2 Directive (NIS2) intensifies the pressure on managing cyber risks effectively.
The webinar will explore how NIS2 can be applied to proprietary protocols, legacy systems, and complex cyber-physical systems (CPS) environments.
It emphasizes exposure management over vulnerability management when sizing, managing, and mitigating risk.
Experts from Claroty will discuss strategies to address vulnerabilities in Extended Internet of Things environments using Claroty xDome.
The webinar is scheduled for 10 June 2024 and aims to guide organizations in safeguarding their critical infrastructure against cyber threats. | Details |
| 2024-06-03 07:38:36 | thehackernews | NATION STATE ACTIVITY | North Korean Andariel Group Targets South Korean Entities with Dora RAT | North Korea-linked threat actor Andariel has deployed a new malware, Dora RAT, targeting South Korean educational, manufacturing, and construction sectors.
The cyberattacks utilized a vulnerable Apache Tomcat server to distribute the malware, exploiting a version from 2013 prone to multiple vulnerabilities.
Andariel, operational since at least 2008 and part of the Lazarus Group, is known for using spear-phishing and exploiting software vulnerabilities to disperse malware.
The malware used includes a keylogger, infostealer, reverse proxy, reverse shells, and file management capabilities, aiming to control and extract data from compromised systems.
Dora RAT was notably signed with a valid certificate from a UK software developer, increasing its chance of bypassing security measures.
ASEC reports that alongside the new Dora RAT, Nestdoor variants and tools similar to those used in Lazarus Group’s 2021 campaigns were also employed.
The group's motive has expanded from national security espionage to include attacks for financial gains as well. | Details |