Daily Brief

Total articles found: 11822

2024-05-23 09:24:58 thehackernews MALWARE Ivanti Fixes Critical Remote Code Execution Vulnerabilities
Ivanti has released patches for ten vulnerabilities in Endpoint Manager (EPM), several of them critical, that can lead to remote code execution. Six are SQL injection flaws that let an unauthenticated attacker on the same network execute arbitrary code; the remaining four require authentication and affect the EPM core server in versions 2022 SU5 and earlier. A separate high-severity flaw in Avalanche that allows remote code execution by uploading a malicious file was also fixed, along with high-severity bugs in Neurons for ITSM, Connect Secure, and the Secure Access clients for Windows and Linux. Ivanti says it has no evidence that any of these flaws have been exploited in the wild or were introduced through a supply chain compromise. The release coincides with disclosures of critical vulnerabilities in other vendors' products.
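The bug class behind six of the EPM fixes, SQL injection, as an added illustration that is not Ivanti's code and does not model Ivanti's schema: a constructed in-memory SQLite database (the `devices` and `admins` tables, the hostnames and the `hash-placeholder` value are all invented) queried once by string concatenation and once with a bound parameter, so the same UNION payload succeeds against the first and is inert against the second.

```python
import sqlite3

# Constructed in-memory schema standing in for any management server's
# database. It is not Ivanti's schema and the queries are not Ivanti's code.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE devices(id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT);
        INSERT INTO devices(hostname, owner) VALUES ('ws-01', 'alice'), ('ws-02', 'bob');
        CREATE TABLE admins(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO admins(username, password_hash) VALUES ('admin', 'hash-placeholder');
        """
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    # Bug: the caller's string is spliced into the statement, so SQL
    # metacharacters in it change the structure of the query.
    sql = f"SELECT hostname, owner FROM devices WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, hostname: str) -> list:
    # Fix: the value is bound to a placeholder and is never parsed as SQL.
    sql = "SELECT hostname, owner FROM devices WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()

# A classic UNION-based payload: closes the string literal, appends a second
# SELECT against a table the caller should never reach, and comments out the
# remainder of the original statement.
PAYLOAD = "x' UNION SELECT username, password_hash FROM admins --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))     # leaks admins row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # returns []
```

In general, an injection against a server whose database account is privileged can escalate to code execution through database features that run operating system commands, which is why unauthenticated SQL injection in a management server is rated as remote code execution rather than as a data leak.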
2024-05-23 08:33:51 theregister DATA BREACH UK Watchdog Fines Northern Ireland Police for Massive Data Leak
The UK Information Commissioner's Office (ICO) has fined the Police Service of Northern Ireland (PSNI) £750,000 over a major data breach. In August 2023 a spreadsheet containing personal details of 9,483 PSNI officers and staff was published by mistake in response to a Freedom of Information request. The leaked data included surnames, initials, ranks, roles and workplaces, covering every serving officer and member of civilian staff. The exposure caused serious personal harm: officers have had to relocate, change their daily routines and pay for additional personal security. The ICO applied its public sector approach when setting the penalty, so the fine is far lower than a private company would face for a comparable failure. PSNI has acknowledged the breach's impact and is working with the ICO to implement the recommended data protection measures. Since the leak, PSNI has run an expanded investigation that led to a number of arrests, updated its policies and trained staff to prevent a repeat. The ICO used the case to urge all organisations to check how they handle personal data before disclosing it.
2024-05-23 06:36:11 theregister MISCELLANEOUS Apple's Wi-Fi Positioning System Potentially Enables Global Surveillance
Researchers at the University of Maryland have shown that Apple's Wi-Fi Positioning System (WPS) can be abused for surveillance at global scale. Unlike Google's equivalent, Apple's WPS answers a query for a BSSID with the locations of that BSSID and of nearby ones that were never requested. Because the service requires no authentication and is not rate limited, the researchers were able to crawl it and assemble a database of nearly 500 million BSSIDs worldwide. Apple has since documented an opt-out: appending "_nomap" to a network's SSID, the same convention Google already honours. The researchers also notified SpaceX, which responded promptly by randomising the BSSIDs of its equipment. Further mitigations from Apple are expected in response to the findings. The researchers will present the work at Black Hat USA.
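Why returning unrequested BSSIDs matters, as an added simulation that is not the researchers' code and does not talk to Apple's service: a constructed set of access points (invented BSSIDs, SSIDs and coordinates), a toy positioning service that either answers only for the BSSIDs asked about or also volunteers nearby ones, and a breadth-first crawler that feeds every volunteered BSSID back in as the next query. The `_nomap` check models the documented opt-out; the neighbour limit and radius are assumptions for the simulation, not Apple's actual parameters.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    lat: float
    lon: float

def opted_out(ssid: str) -> bool:
    """The "_nomap" SSID suffix signals that the network must not be mapped."""
    return ssid.endswith("_nomap")

def distance_m(a: AccessPoint, b: AccessPoint) -> float:
    """Equirectangular approximation, fine for sub-kilometre ranges."""
    mean_lat = math.radians((a.lat + b.lat) / 2)
    dx = math.radians(b.lon - a.lon) * math.cos(mean_lat) * 6_371_000
    dy = math.radians(b.lat - a.lat) * 6_371_000
    return math.hypot(dx, dy)

def constructed_aps(n: int = 40, seed: int = 7) -> list:
    """Constructed sample: n access points scattered over roughly 1 km square.
    Every tenth SSID carries the opt-out suffix. Not real BSSIDs or locations."""
    rng = random.Random(seed)
    aps = []
    for i in range(n):
        ssid = f"home-{i:02d}" + ("_nomap" if i % 10 == 0 else "")
        aps.append(AccessPoint(
            bssid=f"02:00:00:00:00:{i:02x}", ssid=ssid,
            lat=38.990 + rng.uniform(-0.005, 0.005),
            lon=-76.940 + rng.uniform(-0.005, 0.005)))
    return aps

def wps_lookup(db: list, requested: list, return_neighbors: bool,
               max_neighbors: int = 8, radius_m: float = 1500.0) -> dict:
    """Simulated positioning service. With return_neighbors=False it answers
    only for the BSSIDs asked about (the data-minimising behaviour); with True
    it also volunteers up to max_neighbors nearby BSSIDs, the behaviour the
    researchers crawled. Opted-out networks are never returned."""
    mappable = {ap.bssid: ap for ap in db if not opted_out(ap.ssid)}
    result = {}
    for bssid in requested:
        ap = mappable.get(bssid)
        if ap is None:
            continue
        result[ap.bssid] = (ap.lat, ap.lon)
        if return_neighbors:
            near = sorted(
                (distance_m(ap, other), other.bssid, other)
                for other in mappable.values()
                if other.bssid != ap.bssid and distance_m(ap, other) <= radius_m
            )
            for _, _, other in near[:max_neighbors]:
                result[other.bssid] = (other.lat, other.lon)
    return result

def crawl(db: list, seed_bssid: str, return_neighbors: bool,
          query_budget: int = 50, batch_size: int = 10) -> tuple:
    """Breadth-first crawl: every BSSID the service volunteers becomes the
    next query. Returns (known BSSID -> location, number of queries issued)."""
    known, queried, frontier, queries = {}, set(), [seed_bssid], 0
    while frontier and queries < query_budget:
        batch, frontier = frontier[:batch_size], frontier[batch_size:]
        queried.update(batch)
        queries += 1
        for bssid, loc in wps_lookup(db, batch, return_neighbors).items():
            known.setdefault(bssid, loc)
            if bssid not in queried and bssid not in frontier:
                frontier.append(bssid)
    return known, queries

if __name__ == "__main__":
    aps = constructed_aps()
    seed = aps[1].bssid  # aps[0] is opted out, so start from a mappable one
    for policy in (False, True):
        known, q = crawl(aps, seed, return_neighbors=policy)
        print(f"return_neighbors={policy}: {len(known)} BSSIDs learned in {q} queries")
```

Starting from a single known BSSID, the minimising policy yields exactly one location, while the neighbour-returning policy lets the crawler expand to every mappable network in range without ever knowing a BSSID in advance; add the absence of authentication and rate limiting and the 500 million entry database described above follows.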
2024-05-23 05:49:55 theregister CYBERCRIME Counterfeit Pegasus Spyware Scams Becoming Rampant, Researchers Warn
Indian security firm CloudSEK has documented scams selling counterfeit versions of Pegasus spyware on Telegram and similar platforms. The sellers trade on the notoriety of the real Pegasus, built by Israel's NSO Group, to hawk fake tools under its name. CloudSEK analysed more than 25,000 posts and interacted with 150 sellers, collecting dozens of purported spyware samples. Prices were steep; one seller claimed four sales of supposed Pegasus access worth $6 million in just two days. The samples were almost all worthless, consisting of randomly generated source code and bogus demonstrations. The scammers also exploited Apple's recent change to warning users about "mercenary spyware" attacks to drum up demand for their fake Pegasus. CloudSEK warns would-be buyers that these schemes simply borrow the brand of a well-known spyware vendor to commit fraud.
2024-05-23 05:39:25 thehackernews MISCELLANEOUS Microsoft Announces Phasing Out VBScript for JavaScript, PowerShell
Microsoft will begin deprecating Visual Basic Script (VBScript) in the second half of 2024, steering developers toward JavaScript and PowerShell, which it considers better suited to modern automation and web tasks. VBScript, introduced in 1996, has been used mainly for task automation and for scripting web pages in Internet Explorer. The retirement will happen in phases: VBScript becomes a feature on demand in Windows 11 24H2 and will be removed entirely in a later, as yet unscheduled phase. The decision fits Microsoft's broader effort to retire older technologies that attackers routinely abuse, such as VBScript and NT LAN Manager (NTLM) authentication; the company has also disabled legacy macro features by default and added blocks for risky file types. Separately, Microsoft's new AI-powered Recall feature for Windows has drawn privacy scrutiny because it periodically captures and processes snapshots of user activity without content moderation, which means sensitive information may end up stored on the device. The UK Information Commissioner's Office is making enquiries with Microsoft about Recall's privacy safeguards, stressing the need for transparency and rigorous data protection.
2024-05-23 03:52:09 theregister NATION STATE ACTIVITY Bitdefender Exposes 'China-Aligned' Cyber Espionage Group Since 2018
Bitdefender has identified a previously undocumented espionage group it calls Unfading Sea Haze, which it assesses is likely aligned with Chinese interests. Active since at least 2018, the group has targeted government and military organisations with data-stealing malware. It relies on spear phishing for initial access and favours memory-resident payloads to leave few forensic traces. Malicious DLLs and keyloggers were used to harvest data, which was exfiltrated over FTP using both hard-coded and dynamically generated credentials. Bitdefender notes that poor credential hygiene and slow patching were common across the victims. The group's tooling has evolved steadily over the years, which the researchers read as deliberate planning rather than reaction to being detected. Despite strong signs of Chinese links, firm attribution remains difficult, partly because the attackers appear to obscure their origins on purpose. Bitdefender has published technical details, including indicators of compromise, so that defenders can hunt for similar activity.
2024-05-23 00:21:56 theregister NATION STATE ACTIVITY Lawmakers Push Bill to Control AI Exports, Citing Security Concerns
The House Foreign Affairs Committee has approved a bill that would expand the executive branch's power to control exports of AI systems on national security grounds. The ENFORCE Act would amend the Export Control Reform Act of 2018 to give the Commerce Department's Bureau of Industry and Security (BIS) explicit authority over exports of AI models that could threaten US security. Its stated aim is to stop American AI technology from inadvertently accelerating China's technological and military development. The current text defines the covered AI technology broadly and somewhat vaguely, with more specific rules expected within a year of enactment. Supporters have compared the stakes of controlling AI to those of the Manhattan Project. Critics worry about the effect on open source models and about a chilling effect on developers who fear legal exposure. The bill still has to pass the full House and the Senate, and its prospects are uncertain in an election year.
2024-05-22 22:09:19 theregister RANSOMWARE Medical Groups Urge HHS: Hold UnitedHealth Accountable for Breach
More than 100 medical associations have asked the US Department of Health and Human Services (HHS) to make UnitedHealth Group responsible for breach notification following the ransomware attack on its Change Healthcare subsidiary. Change Healthcare, which processes patient data for providers nationwide, was compromised in February, exposing a vast amount of protected health information. The medical groups argue that Change Healthcare, not individual providers, should carry the burden of notifying patients and responding to government investigation. The breach, which affects a large but still unspecified number of Americans, falls under HIPAA, which requires notification of affected individuals. UnitedHealth has acknowledged its notification obligations and says it is cooperating with HHS's Office for Civil Rights. Separately, UnitedHealth's CEO has confirmed paying a $22 million ransom to a BlackCat/ALPHV affiliate, and the company expects total costs related to the breach to significantly exceed $872 million.
2024-05-22 20:01:48 theregister RANSOMWARE London Drugs Hit by Ransomware, Refuses to Pay $25M Demand
Canadian pharmacy chain London Drugs has confirmed that the LockBit ransomware group was behind the attack on its systems and is demanding $25 million. The attack on April 28 forced the temporary closure of all 79 London Drugs stores across several provinces. Despite LockBit's threat to leak stolen data, the company says it is unwilling and unable to pay. No customer or patient data is known to have been taken, but some employee files were exfiltrated. London Drugs is offering all current employees two years of free credit monitoring and identity theft protection while it determines the full scope of the breach. The investigation is ongoing and the company says it will notify affected individuals as privacy law requires. LockBit's activity is reported to have fallen by about 60% since the recent law enforcement disruption, suggesting the operation has been weakened.
2024-05-22 19:36:13 theregister DATA BREACH NYSE Parent Fined $10M for Delayed Cyber Intrusion Reporting
Intercontinental Exchange (ICE), parent of the New York Stock Exchange, has been fined $10 million by the SEC for failing to report a 2021 intrusion promptly. Regulation Systems Compliance and Integrity (Regulation SCI) requires covered entities to notify the SEC immediately of such incidents, but after learning that a VPN zero-day had been used against it, ICE spent several days investigating internally before reporting anything externally. The SEC's position is that ICE should have treated the intrusion as potentially significant from the outset and notified the regulator straight away. Although the investigation ultimately found no substantial compromise, ICE's legal and compliance teams were not told until days after the vulnerability was first flagged. The SEC said the delay undermined the prompt communication that protects the integrity of financial markets. Commentators note that $10 million is a small sum against ICE's quarterly revenue, raising the question of whether penalties of this size are enough to deter non-compliance at systemically important financial institutions.
2024-05-22 18:34:51 bleepingcomputer MISCELLANEOUS Microsoft Announces Phased VBScript Retirement from Windows
Microsoft has laid out a phased plan to remove VBScript from Windows, starting in the second half of 2024. In the first phase, VBScript ships as a feature on demand in Windows 11 24H2 but is still pre-installed. Around 2027 it will no longer be pre-installed, though it can still be added on demand, and it will be removed entirely at a later date. Microsoft is directing developers to JavaScript and PowerShell as more modern and more secure options for web scripting and automation. VBScript has long been a malware delivery vector, through Internet Explorer and through Office macros, and its retirement is part of Microsoft's wider effort to shrink that attack surface. Earlier steps in that effort include disabling Excel 4.0 (XLM) macros, tightening the default handling of untrusted Office macros, and extending Antimalware Scan Interface (AMSI) support across Office 365 applications. Once VBScript is gone, scripts and applications that depend on it will stop working, and the associated dynamic link libraries (.dll files) will be removed from Windows.
2024-05-22 18:04:07 theregister CYBERCRIME US Man Sentenced for Scams Targeting Healthcare and Romance
Georgia resident Malachi Mullings has been sentenced to ten years in prison for laundering about $4.5 million obtained through fraud. The money came from business email compromise (BEC) attacks on healthcare providers and from romance scams against individuals. Between 2019 and July 2021 the scheme impersonated officials to redirect payments into accounts he controlled. Victims included state Medicaid programmes and elderly individuals, one of whom lost $260,000. Mullings spent the proceeds on luxury goods, including a Ferrari and jewellery, as part of the laundering. He used 20 bank accounts opened in the name of his company, The Mullings Group, to move the funds. He pleaded guilty to eight counts of money laundering and conspiracy to commit money laundering. He was one of ten people charged in the case, which involved fraud against several state healthcare programmes.
2024-05-22 17:38:13 bleepingcomputer NATION STATE ACTIVITY China-Linked Hackers Use ORB Networks for Cyberespionage
Chinese state-backed hacking groups are making growing use of large proxy networks that Mandiant calls operational relay box (ORB) networks, which make detection and attribution much harder. ORB networks are run by independent operators and mix compromised devices with commercial virtual private servers; multiple state-sponsored groups, including APT5 and APT15, share access to the same infrastructure. Traffic is relayed through constantly changing nodes spread across many geographic regions, so the true origin of malicious activity is obscured. Mandiant describes specific networks such as SPACEHOP and FLORAHOX, which Chinese actors have used for reconnaissance and for exploiting vulnerabilities such as CVE-2022-27518. The networks vary in construction: some are built from cloned Linux images on rented servers, others combine Tor nodes with hacked routers, which gives operators flexibility and gives defenders a moving target. Because an ORB node's IPv4 address is short-lived and nodes sit in many different Autonomous Systems, blocking by IP address or Autonomous System Number (ASN) has limited value. Mandiant's conclusion is that enterprise defenders need to adjust their detection and threat intelligence practices to account for infrastructure designed to be this stealthy and resilient.
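One way detection can adapt when source IPs are short-lived and spread across many Autonomous Systems, as an added example that is not Mandiant's code or any product's logic: instead of matching indicators against individual addresses, look at each identity's login pattern. The block below parses a constructed authentication log (invented users, documentation-range IPs and private-use ASNs; the ASN column is assumed to have been added by an enrichment step) and flags identities whose successful logins span several ASNs within a short window, plus the source IPs that were only ever seen once, both of which are consistent with relayed traffic rather than a fixed home or office address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system). Fields:
# timestamp, identity, outcome, source IP, ASN of the source IP. The ASN is
# assumed to have been attached by an enrichment step before analysis.
SAMPLE_LOG = """\
2024-05-22T10:00:01Z alice ok 203.0.113.5 AS64500
2024-05-22T10:05:12Z alice ok 203.0.113.5 AS64500
2024-05-22T10:07:40Z bob ok 198.51.100.9 AS64501
2024-05-22T10:09:03Z bob ok 192.0.2.77 AS64502
2024-05-22T10:11:58Z bob ok 203.0.113.201 AS64503
2024-05-22T10:15:22Z bob ok 198.51.100.130 AS64504
2024-05-22T14:30:00Z carol ok 192.0.2.10 AS64505
2024-05-22T18:45:00Z carol ok 198.51.100.40 AS64506
2024-05-22T18:46:10Z dave fail 192.0.2.99 AS64507
"""

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip, asn = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "outcome": outcome, "ip": ip, "asn": asn,
        })
    return events

def asn_churn_alerts(events: list, window: timedelta = timedelta(minutes=30),
                     min_asns: int = 3) -> dict:
    """Identities whose successful logins span at least min_asns distinct
    Autonomous Systems inside any sliding window of length `window`.
    Returns {identity: max distinct ASNs seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "ok":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            asns = {e["asn"] for e in evs[start:end + 1]}
            if len(asns) >= min_asns:
                alerts[user] = max(alerts.get(user, 0), len(asns))
    return alerts

def single_use_sources(events: list) -> dict:
    """Per identity, the source IPs seen exactly once across the whole log.
    A high ratio of single-use sources is what a rotating relay network
    looks like from the victim's side; a blocklist of those IPs would be
    stale before it was deployed."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    out = defaultdict(set)
    for e in events:
        if counts[e["ip"]] == 1:
            out[e["user"]].add(e["ip"])
    return dict(out)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("ASN churn alerts:  ", asn_churn_alerts(evs))      # {'bob': 4}
    print("single-use sources:", single_use_sources(evs))
```

The thresholds (30 minutes, three ASNs) are starting points to tune against a baseline of normal mobile and VPN use; the point is that the signal lives in the identity's behaviour over time, which an operator rotating exit nodes cannot hide as easily as a single address.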
2024-05-22 17:22:40 bleepingcomputer DATA BREACH Intercontinental Exchange Settles SEC Charges for $10M After VPN Hack
Intercontinental Exchange (ICE) will pay a $10 million penalty to settle SEC charges arising from a VPN intrusion in April 2021. ICE, which operates the New York Stock Exchange among other venues, was charged with failing to report the incident promptly as Regulation Systems Compliance and Integrity (Regulation SCI) requires. ICE spent four days assessing the breach and internally classified it as minor, when the rule called for immediate notification. The intrusion was attributed to a sophisticated nation-state actor that exploited a vulnerability in ICE's VPN appliance to deploy malicious code. The attacker planted a web shell on the device, which could have given access to employee passwords and multi-factor authentication codes; although only that one device was affected, VPN configuration data and some user metadata were exfiltrated. Poor internal communication meant legal and compliance staff at ICE's subsidiaries learned of the incident late, further delaying the report. Alongside the penalty, the SEC issued a cease-and-desist order requiring ICE and its subsidiaries to comply with all Regulation SCI rules in future.
2024-05-22 17:07:08 bleepingcomputer DATA BREACH LastPass Enhances Security by Encrypting URLs in Vaults
LastPass has begun encrypting the URL fields stored in password vaults, a step toward a fully zero-knowledge design. A stored URL reveals what kind of account an entry belongs to, such as a bank, an email provider or a cryptocurrency service, even when the password itself is encrypted. That mattered after the two breaches LastPass suffered in 2022, in which attackers stole copies of encrypted vaults: accounts with weak master passwords, or master passwords protected by older and weaker settings, were at risk of being cracked, and the plaintext URLs let the attackers prioritise high-value entries, contributing to the theft of more than $4 million in cryptocurrency. The first phase of the rollout, starting next month, will automatically encrypt the primary URL field for all existing and new entries. Later phases will cover the remaining URL-related fields, including equivalent-domain URLs and URLs kept in notes, with full coverage expected in the second half of the year. Users do not need to do anything now; LastPass will send step-by-step instructions to affected accounts as the rollout progresses.