Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-23 21:17:58 | bleepingcomputer | MALWARE | Malware Compromises JAVS Courtroom Software in Supply Chain Attack | Attackers infected the installer of the widely used JAVS courtroom recording software with malware, impacting systems globally. The compromised software contained a malicious fffmpeg.exe binary, wrongly attributed to either JAVS or its associated third parties. JAVS removed the trojanized version from its website and verified the integrity of the currently available files, ensuring they are free from malware. Cybersecurity firm Rapid7, which tracks the issue as CVE-2024-4978, linked the malware to operations that sent system information to a C2 server and deployed additional harmful payloads. Customers are advised to reimage affected systems, reset all credentials, and update the JAVS Viewer software to the latest safe version (8.3.9 or higher). The incident is reminiscent of previous supply chain attacks, including the notorious SolarWinds breach attributed to the Russian APT29 group. JAVS has conducted a full system audit and is carrying out ongoing monitoring in collaboration with cybersecurity authorities to mitigate further risks. | Details |
| 2024-05-23 20:16:43 | theregister | CYBERCRIME | FBI Targets Scattered Spider Group After Casino Cyberattacks | Scattered Spider, a cybercrime group suspected to involve young adults from the US and UK, has intensified its criminal activities by engaging in ransomware and high-profile cyber heists targeting Las Vegas casinos. The group's aggressive tactics, especially against MGM Resorts, managed to almost shut down operations for a week, significantly raising its profile among law enforcement agencies. Charles Carmakal of Mandiant Consulting highlighted that these casino attacks garnered the necessary attention for a more rigorous investigation by authorities. The evolution of Scattered Spider from SIM swapping and social engineering to severe ransomware attacks shows a distinct shift in their methods and level of threat. The FBI is reportedly closing in on the group, with ongoing investigations and some arrests already made, although exact timelines for court appearances are not specified. Experts predict that the actions of Scattered Spider will likely have a lasting impact on the landscape of cybercrime due to their high-profile target selection and evolving tactics. | Details |
| 2024-05-23 19:30:34 | bleepingcomputer | CYBERCRIME | Microsoft Uncovers Gift Card Fraud Spike by Cyber Group Storm-0539 | Microsoft's "Cyber Signals" report highlights increased activity by hacking group Storm-0539, especially around major holidays, with notable spikes in gift card theft and fraud. The FBI categorizes Storm-0539's sophisticated methods as akin to state-sponsored cyberespionage, focusing on organizations issuing gift cards. Storm-0539 employs advanced phishing, multi-factor authentication interception, and lateral movement within networks to generate fraudulent gift cards. Microsoft observed a 60% rise in Storm-0539's activities during the past winter holiday season and a 30% increase from March to May 2024. The group exploits cloud service free trials for large-scale operations and creates fake non-profit websites to facilitate their schemes. Microsoft recommends heightened security measures for gift card portals, including monitoring for anomalies and implementing conditional access. The report assures that these cyberattacks target corporate systems rather than end users, urging vigilance against potential scams around holidays like Memorial Day. | Details |
| 2024-05-23 19:04:31 | theregister | MISCELLANEOUS | Google Security Expert Critiques Phishing Tests, Proposes Reforms | Google's security lead, Matt Linton, criticizes standard phishing tests for being ineffective and fostering resentment towards IT departments. Linton suggests overhauling phishing exercises to align with modern fire drill practices, which are better planned and announced in advance. The approach to cybersecurity should focus on infrastructure improvements rather than individual responsibility, similar to advancements made in fire safety like wider doors and fire sprinklers. Despite the existence of anti-phishing measures in products and email clients, phishing attacks have risen by 58 percent in the past year, fueled by cybercriminals' use of AI. Linton argues for a shift towards 'secure-by-default' systems and engineering defenses such as unphishable credentials to reduce reliance on users detecting phishing. Current phishing tests often reduce or eliminate controls, misleading participants about real-world risks and potentially leaving security gaps after the test. The UK's National Cyber Security Centre (NCSC) supports the view that phishing tests can erode trust and skew results based on personality traits and circumstances. Linton proposes that phishing drills should be transparent and educational, focusing on creating a culture that supports reporting and responding to phishing incidents effectively. | Details |
| 2024-05-23 17:47:53 | bleepingcomputer | CYBERCRIME | GitLab Patches High-Severity Vulnerability and Urges Updates | GitLab addressed a high-severity XSS vulnerability in its VS Code-based editor (Web IDE), which could allow attackers to take over accounts. The flaw, identified as CVE-2024-4835, allows unauthenticated attackers to steal information through maliciously crafted pages, though it requires user interaction. GitLab has released multiple software updates to mitigate this and other vulnerabilities, with an urgent call for installations to upgrade. The company also resolved additional security issues, including a CSRF vulnerability and a DoS bug affecting GitLab web resources. An older, actively exploited, zero-click vulnerability (CVE-2023-7028) enabled unauthenticated account takeovers via password resets, prompting U.S. federal compliance directives. Less than half of the GitLab instances previously found vulnerable to this older flaw remain accessible online after mitigation efforts. GitLab accounts are particularly critical because they host sensitive data such as API keys and proprietary code, so a compromise can affect entire supply chains. | Details |
| 2024-05-23 17:27:13 | bleepingcomputer | MISCELLANEOUS | iOS Bug Restores Old Photos, Not Linked to iCloud Storage | Security researchers at Synacktiv reverse-engineered Apple's iOS 17.5.1 to investigate a bug that caused old photos to reappear on devices. The investigation revealed that the photos were not stored in iCloud but were remnants on the local filesystem that a flawed migration routine reindexed. The issue, first noticed in the iOS 17.5 public beta, resulted in user complaints of photos deleted years ago suddenly reappearing. Despite user reports and speculation, Apple did not communicate the cause, leaving room for concerns about data privacy. The issue has been fixed in the iOS 17.5.1 update, which removed the problematic routine. The persistence of deleted files in device storage underscores the importance of understanding data handling and deletion processes in digital devices. | Details |
| 2024-05-23 17:11:40 | thehackernews | RANSOMWARE | Ransomware Campaigns Targeting VMware ESXi Escalate Globally | Cybersecurity firm Sygnia's report notes a consistent pattern in ransomware attacks exploiting VMware ESXi's vulnerabilities across various malware families, including LockBit, HelloKitty, and BlackCat. Virtualization platforms, crucial to IT infrastructure, often have inherent misconfigurations and vulnerabilities that make them attractive targets for cybercriminals. Ransomware campaigns routinely abuse virtual environments, necessitating robust security measures such as improved monitoring, strong authentication, and enhanced backup solutions. Recent malvertising campaigns have been targeting IT professionals with trojanized installers of popular software like WinSCP and PuTTY, which serve as initial access points for ransomware attacks. These malvertising methods lead to the deployment of additional payloads, including Cobalt Strike Beacons and post-exploitation toolkits like Sliver. Global ransomware attacks declined by 15% in April 2024, despite the emergence of new ransomware groups demanding considerable ransoms, especially from Russian companies. The report emphasizes the increasing role of initial access brokers and ransomware operators in facilitating high-impact attacks and lowering cost barriers for cybercriminal activities. | Details |
| 2024-05-23 16:50:58 | thehackernews | CYBERCRIME | CISA Flags Active Exploitation of Apache Flink Security Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified an actively exploited vulnerability within Apache Flink. The vulnerability, assigned CVE-2020-17519, allows attackers to read any file on the Apache Flink JobManager's local filesystem via its REST interface. Attackers can exploit this flaw through directory traversal requests, potentially accessing sensitive data without authentication. Affected versions include 1.11.0, 1.11.1, and 1.11.2, with fixes available in versions 1.11.3 and 1.12.0 since January 2021. Palo Alto Networks' Unit 42 observed significant exploitation of this flaw from November 2020 to January 2021. In addition to CVE-2020-17519, other vulnerabilities such as CVE-2020-28188 and CVE-2020-29227 were also exploited around the same period. CISA has mandated federal agencies to update their systems with the latest patches by June 13, 2024, to mitigate this risk. | Details |
| 2024-05-23 15:54:34 | bleepingcomputer | DATA BREACH | £750K Fine for Northern Ireland Police After Data Leak | The Police Service of Northern Ireland (PSNI) is set to be fined £750,000 by the UK's Information Commissioner's Office (ICO) for a significant data breach. A spreadsheet containing personal details of 9,483 PSNI officers and staff was mistakenly published online following a Freedom of Information request. Exposed information included surnames, initials, ranks, and roles, which posed a severe safety risk to the individuals affected. Many affected staff were forced to change addresses, sever family contacts, and alter daily routines to ensure their safety. The ICO criticized PSNI for inadequate internal procedures and protocols for safely disclosing information. The proposed fine is much lower than the initial provisional figure of £5.6 million, taking into account PSNI's status as a public entity with a limited budget. PSNI has responded positively to the enforcement notice and penalty, committing to implementing the required data security improvements. Ongoing investigations and efforts are in place to determine who possesses the leaked data, including multiple searches and arrests. | Details |
| 2024-05-23 14:32:17 | theregister | CYBERCRIME | Veeam Addresses Critical Vulnerability in Backup Enterprise Manager | Veeam reported a critical vulnerability in its Backup Enterprise Manager (VBEM), rated 9.8 out of 10, allowing unauthorized logins. Despite the severe access risk, the flaw does not permit the deletion of backups, thanks to immutable backups and multi-factor authentication. Veeam has released a patch for CVE-2024-29849 and urges customers to update promptly to prevent potential exploitation. The vulnerability impacts only those customers using VBEM, which is an optional tool not deployed by all Veeam clients. Alongside the critical flaw, Veeam disclosed three other vulnerabilities in VBEM and recommended immediate patching. For those unable to upgrade immediately, Veeam advises stopping VBEM's services or uninstalling the software if it is not required. The company emphasized the importance of keeping software up to date, as attackers often target known vulnerabilities in unpatched systems. | Details |
| 2024-05-23 14:06:32 | bleepingcomputer | CYBERCRIME | Best Practices to Defend IT Service Desks Against Cyber Attacks | IT service desks are vulnerable to cyber attacks through social engineering, particularly attacks targeting password resets. In 2022, 71% of IT departments experienced vishing attacks, a significant increase from previous years. Case studies: EA Games and MGM Resorts both suffered substantial data breaches and financial losses due to service desk exploits. EA Games hackers accessed internal systems by tricking a service desk employee via Slack, stealing 750GB of data including game source code. MGM Resorts faced a devastating breach after attackers used social engineering to obtain system access, leading to significant operational disruptions and losses approximated at $100 million. Key defensive strategies include regular cybersecurity training for service desk staff and automating the password reset process. Implementing robust user verification methods can significantly reduce the risk of social engineering attacks on service desks. | Details |
| 2024-05-23 13:56:06 | thehackernews | NATION STATE ACTIVITY | Chinese Espionage Expands to Africa, Caribbean Governments | Chinese cyber espionage group Sharp Panda, now termed Sharp Dragon, targets governmental organizations in Africa and the Caribbean to expand its intelligence gathering. Sharp Dragon utilizes sophisticated tools such as Cobalt Strike Beacon for backdoor access and command execution, adopting strategies to minimize detection of its custom tools. Original operations focused on Southeast Asian governments, using VictoryDLL and Soul modular malware to facilitate long-term reconnaissance. Recent activities demonstrate a refined approach, involving high-profile government entities from G20 nations and employing 1-day security flaws for initial infiltration. The cyber attacks align with China's broader agenda to increase its influence in critical sectors across the targeted regions, suggesting strategic geopolitical motivations. Sharp Dragon uses increasingly deceptive tactics, including phishing emails with malicious attachments and executables disguised as documents to initiate infections. Reports indicate the potential use of operational relay box networks (ORBs) by Chinese actors to obscure origins and maintain access to high-value networks, showing a trend toward more covert operations. | Details |
| 2024-05-23 13:35:21 | theregister | MISCELLANEOUS | Global CISOs Report High Concern for Imminent Cyber Attacks | 70% of CISOs globally anticipate their organizations could face a significant cyber attack within the next year, slightly up from 68% the previous year. Top concerns among these security leaders include ransomware, malware, email fraud, and threats from compromised cloud accounts and insider attacks. A substantial 43% admit their organizations are not adequately prepared to handle such an attack, an improvement from 61% the previous year. Despite ongoing risks, 62% would consider paying a ransom in the event of a ransomware attack, reflecting consistent sentiment from last year. The burden and stress on CISOs are evident, with 66% expressing concerns about unrealistic expectations and personal liability, which has significantly increased over the past few years. Encouraging trends include increased cybersecurity representation at the board level and better alignment between CISOs and board members. Overall, burnout and legal accountability concerns remain significant, with over half of the CISOs experiencing or observing professional burnout. | Details |
| 2024-05-23 11:17:05 | thehackernews | NATION STATE ACTIVITY | Chinese APT Exploits Global Entities in Espionage Campaign | A Chinese advanced persistent threat (APT) group has targeted several governmental entities in the Middle East, Africa, and Asia since late 2022 as part of Operation Diplomatic Specter. Palo Alto Networks' Unit 42 highlighted the use of sophisticated techniques, including rare email exfiltration tactics against compromised servers, for espionage. Targets included diplomatic missions, military operations, and high-ranking officials, with the attacks aimed at intelligence gathering on a large scale. The APT group utilized previously undocumented backdoors, dubbed TunnelSpecter and SweetSpecter, to maintain stealth and exfiltrate data. Initial infiltration leveraged known vulnerabilities in Exchange servers, with subsequent actions focused on keyword searches within mail servers to exfiltrate sensitive information. Overlaps in techniques and tools suggest ties between earlier tracked activities and known China-nexus groups such as APT27 and Mustang Panda. Researchers observed daily efforts by the threat actor to monitor geopolitical developments and extract relevant information, indicating highly strategic espionage objectives. | Details |
| 2024-05-23 11:17:05 | thehackernews | MISCELLANEOUS | Critical Risks and Strategies for Securing SaaS Data Backups | Many organizations use over 400 SaaS applications, with critical business data often not adequately secured. Approximately 56% of IT professionals are unaware of their specific responsibilities concerning SaaS data backups. SaaS backups pose unique challenges due to lack of ownership over the operating and data environments, necessitating complex backup processes. Insecure backup solutions can lead to significant risks, including intellectual property theft and exposure of sensitive operational details. Despite the rise of SaaS usage, many IT leaders lack a full understanding of the Shared Responsibility Model, increasing the risk of data mishaps. Common vulnerabilities in SaaS include user permission issues, data exposure, and susceptibility to specific cyberattacks. It's essential to scrutinize potential backup service providers for robust security measures aimed at protecting against complex SaaS-specific threats. As SaaS becomes integral to daily operations, ensuring the availability and security of backups is paramount to prevent loss and exploitation. | Details |