Daily Brief

Total articles found: 12762

Checks for new stories every ~15 minutes

2024-07-29 13:48:29 theregister DATA BREACH HealthEquity Data Breach Exposes 4.3 Million Users' Information
HealthEquity, a U.S.-based fintech company in the healthcare sector, disclosed a data breach affecting approximately 4.3 million people. The breach, detected in June but originating in March, involved unauthorized access to stored personal information including addresses, telephone numbers, and payment data. Notably, the breach did not involve malware or ransomware; it was described as straightforward data theft and classified as a "data smash-and-grab" incident. Attackers gained access through compromised vendor user accounts that had permissions for an online data storage location outside the company's core systems. After detecting the unauthorized activity, HealthEquity engaged third-party experts for an investigation, disabled the compromised accounts, and implemented a global password reset for the impacted vendor. The company has since enhanced its security measures, including blocking IPs linked to the threat actors and improving internal security controls and monitoring. As of its last update, HealthEquity reported no evidence of misuse of the stolen data and has offered affected individuals two years of free credit monitoring and identity theft services through Equifax. This incident highlights a significant data breach within the healthcare sector carried out without malware or ransomware.
2024-07-29 13:22:48 thehackernews CYBERCRIME Massive Phishing Attack Exploits Proofpoint Email Routing Flaw
An unknown threat actor systematically exploited a misconfiguration in Proofpoint's email routing to send millions of spoofed emails impersonating legitimate businesses. The campaign, termed EchoSpoofing, began in January 2024, with daily email volumes peaking at 14 million in June as countermeasures were implemented. The phishing emails bypassed standard authentication protocols like SPF and DKIM, making them appear to have been genuinely sent by the spoofed companies. The exploitation involved configuring SMTP servers on leased virtual private servers to transmit spoofed messages through Microsoft 365 tenants to Proofpoint relays. Proofpoint identified the root of the attack as a "super-permissive misconfiguration flaw" that allowed unrestricted email relaying from Microsoft 365 tenants. Despite the extensive spamming, there was no customer data exposure or data loss among Proofpoint clients; the company responded rapidly and adjusted its configurations. Proofpoint has since provided corrective instructions and improved administrative controls to prevent such misuse in the future, and it emphasized the shared responsibility of VPS and email providers in mitigating spam.
2024-07-29 13:02:15 theregister MISCELLANEOUS Google Apologizes for Faulty Chrome Update Disrupting Passwords
Google issued an apology for a Chrome update that disrupted its password manager, affecting millions of Windows users. The glitch occurred with version M127 of Chrome for Windows, preventing users from accessing saved passwords. The error lasted nearly 18 hours before being resolved on July 25, sparked by an improperly guarded product behavior change. Approximately 2% of Chrome users were affected by the update, potentially impacting over 17 million globally. Google's password manager is designed to store and suggest secure passwords, but the update rendered this feature unusable. This incident underscores the risks associated with relying on browser-based password managers for critical credential security. It highlights the importance of robust quality assurance and the potential consequences of erratic software updates in widely-used applications.
2024-07-29 10:44:28 thehackernews MISCELLANEOUS Revolutionizing Data Security with Searchable Encryption Technology
Searchable Encryption allows data to remain encrypted while still being usable, addressing the need to secure data in use beyond traditional methods. Traditional encryption practices have only focused on data at rest and in motion, neglecting the vulnerabilities when data is in use, often leaving sensitive data unencrypted. Common encryption methods involve complex processes that include decrypting data for use and re-encrypting it afterward, adding to operational complexities and security risks. Paperclip, a long-standing data management company, has developed a solution called SAFE, leveraging Searchable Symmetric Encryption to keep data secure while it remains operational. SAFE as a technology enables the encryption of active data at the database layer, simplifying the encryption process, and removing the need to repeatedly decrypt and re-encrypt data. According to analysts from Gartner and IDC, the capability to encrypt data while still processing it securely is critical, and searchable encryption is rapidly becoming essential for modern data security strategies. SAFE’s approach as a SaaS solution can be implemented quickly with minimal disruption, representing a significant advancement in protecting sensitive data across various industries.
2024-07-29 07:10:35 thehackernews MALWARE Stargazer Goblin Uses Malware to Profit by Exploiting GitHub Accounts
Stargazer Goblin, a threat actor, created over 3,000 fake GitHub accounts for a Distribution-as-a-Service (DaaS) network termed "Stargazers Ghost Network". This network, active since August 2022, aids in distributing various malware, including Atlantida Stealer, Rhadamanthys, and RedLine, earning over $100,000 in illegitimate profits. The fake accounts engage in actions such as starring, forking, and subscribing to repositories to lend an appearance of legitimacy and avoid detection. Malicious links and password-protected archives masquerading as legitimate software or game cheats are employed to distribute malware. GitHub's attempts to combat this network include banning accounts; however, Stargazer rapidly adjusts by updating links and strategies to minimize disruption. The operation's sophistication allows it to bypass suspicion, as GitHub is generally viewed as a legitimate site. Check Point highlights that similar "ghost" account tactics are utilized across other platforms including Discord, Facebook, and YouTube, expanding the reach of the distribution network.
2024-07-29 06:34:52 theregister MISCELLANEOUS Microsoft Admits Underestimating CrowdStrike Crash Impact
Microsoft acknowledged that the previously estimated 8.5 million devices affected by CrowdStrike's software issue was an undercount. Crash reports, which Microsoft used to measure the impact, represent only a portion of affected devices, since not all customers share these reports. Microsoft, criticized in the media for OS vulnerabilities, identified the cause as crashes from CrowdStrike's kernel drivers. David Weston of Microsoft emphasized the need for security vendors to balance the benefits of kernel drivers against their potential risks. Microsoft plans to encourage the security industry to reduce its reliance on kernel drivers to avoid similar incidents in the future. Details on how reduced kernel driver dependence would be implemented were not fully disclosed, but it will likely require modifications to the Windows architecture. Microsoft aims to work with its Virus Initiative members to integrate security enhancements and support more reliable anti-malware solutions.
2024-07-29 05:33:34 theregister NATION STATE ACTIVITY China Considers Implementing National Cyberspace ID System
China is contemplating the introduction of "cyberspace IDs" for citizens, aiming to safeguard personal information and streamline online authentication processes. The proposed IDs would be issued by a government platform and would consist of both alphanumeric and encrypted online credentials directly linked to users' real identities. The system, still in the proposal stage, is open for public feedback; the IDs would initially be voluntary, with parental consent required for those under fourteen. The initiative would reduce the need for individuals to disclose personal data to Internet service providers (ISPs) and is presented as a way to prevent excessive data collection and retention. Real-name registration, currently mandatory for Chinese internet and social media users, aids accountability but raises concerns about free speech and privacy. Although the draft promotes the scheme as protection against corporate data leaks, it may also centralize data under state control, which poses its own risks of data breaches and misuse. Internationally, similar national ID systems, like India's Aadhaar and Japan's MyNumber, have faced significant security challenges and criticism.
2024-07-29 04:57:48 thehackernews MALWARE Gh0st RAT Trojan Misdirects Users with Fake Chrome Installer
The Gh0st RAT, a sophisticated remote access trojan, is being propagated through a fake Chrome download website targeting Chinese-speaking Windows users. Malicious installers from "chrome-web[.]com" disguise themselves as legitimate Chrome setup files to deceive users into downloading and installing the trojan. The malware campaign utilizes an evasive dropper, Gh0stGambit, which bypasses local security measures like 360 Safe Guard and Microsoft Defender before executing Gh0st RAT. The Gh0st RAT features a robust set of malicious capabilities, including process termination, keylogging, data exfiltration, and remote command execution. This malware can further compromise security by deploying Mimikatz, enabling Remote Desktop Protocol (RDP), and modifying various browsers and application data to obscure its presence. Cybersecurity firm eSentire detected the campaign and noted similarities with past China-linked cyberspying operations, reflecting the ongoing strategic alignment and evolution of this threat. The continued prevalence of Gh0st RAT in cyberespionage underscores the critical importance of robust security practices and user education to defend against such sophisticated threats.
2024-07-29 01:59:48 theregister MISCELLANEOUS Major Security Flaw in PCs Affecting UEFI Secure Boot Feature
Researchers from firmware security vendor Binarly discovered that PCs from Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo, and Supermicro, as well as components from Intel, have been using a 12-year-old leaked key for UEFI Secure Boot, making them vulnerable to attacks. The leaked key allows attackers to bypass Secure Boot protections and run untrusted code during the boot process, compromising device security from firmware to operating system. More than 10% of the firmware images analyzed by Binarly are susceptible to this vulnerability, named "PKFail," which represents a longstanding supply chain security risk. Despite clear labeling of the test keys as untrusted and not to be shipped, device manufacturers continued to use them in production. Binarly has released a free scanning tool for detecting systems vulnerable to this flaw and has urged manufacturers to address the issue promptly. The report also covers broader cybersecurity concerns, noting heavy reliance on traditional login credentials and insufficient use of multi-factor authentication (MFA) across organizations, as highlighted by Cisco Talos's findings on ransomware attacks. Separately, the FCC fined TracFone $16 million following three data breaches caused by unsecured customer database APIs, emphasizing the need for stronger cybersecurity measures across industries.
2024-07-28 14:13:27 bleepingcomputer CYBERCRIME Researchers Discover Monero Mining Misuse on Selenium Servers
Threat actors are exploiting misconfigurations in Selenium Grid for Monero mining using a modified XMRig tool. Selenium Grid, lacking default authentication, allows for easy unauthorized access and command execution on exposed instances. The attackers manipulate the Chrome binary path via the WebDriver API to execute a malicious Python script. This script sets up a reverse shell for remote access and installs a Monero miner to run in the background. Compromised nodes are also used as C2 servers for further infections and as proxies for mining pools. Wiz research identifies over 30,000 publicly accessible Selenium Grid instances that could be vulnerable to similar attacks. The research warns that any version lacking proper authentication and network security is susceptible, advising updates and protective measures according to Selenium’s guidelines. Although currently used for cryptomining, the access could potentially be utilized to deploy more destructive malware if deemed profitable by the attackers.
2024-07-27 15:19:55 bleepingcomputer MISCELLANEOUS X Uses Member Posts to Train AI: How to Opt Out
X has started using public posts from its members to train its Grok AI platform without initial user consent. The new setting enabling this use is turned on by default and was only recently made visible to users. This training method supports the platform's goals in a competitive AI market but raises privacy concerns due to lack of transparency. Users noticed the change on July 25, leading to clarification and guidance from X's Safety team via social media. The web version already includes this setting, with plans to extend it to mobile platforms soon. Users can opt out by adjusting their settings on the web version under the "Data sharing and personalization" section. The option to use data for training is part of broader controls over user interaction with Grok, aiming to enhance user experience despite privacy worries.
2024-07-27 14:18:45 bleepingcomputer MALWARE WhatsApp Windows Version Exposes Users to Script Attacks
WhatsApp for Windows allows Python and PHP scripts to execute when the recipient opens the file, without any prior warning. Only users with Python installed—typically software developers, researchers, and power users—are susceptible to the Python script execution. Meta, WhatsApp's parent company, has been informed but has not added the risky .pyz, .pyzw, and .php file extensions to the block list. This issue is similar to one previously found in Telegram, which allowed remote code execution through Python files. Testing revealed that while WhatsApp blocks direct execution of some file types such as .EXE and .DLL, it permits others such as Python ZIP apps and PyInstaller programs. Security researcher Das, who discovered the flaw, reported it to Meta, but the report was closed as not applicable, indicating an oversight in addressing file execution risks. WhatsApp appears not to regard this type of susceptibility as significant, despite its implications for user security.
2024-07-27 06:12:49 thehackernews MALWARE French Authorities and Europol Battle PlugX Malware Infection
French judicial authorities and Europol initiated a "disinfection operation" targeting PlugX, a malware strain that has compromised systems across several EU countries. The response follows Sekoia's sinkholing of a PlugX command-and-control server in September 2023, which revealed daily connections from nearly 100,000 IPs. PlugX, identified as a tool frequently used by groups linked to the Chinese government, has been active since 2008, facilitating remote access and data theft. The malware has evolved to include wormable traits that enable it to spread through USB drives, making it capable of infiltrating even air-gapped networks. Cleanup efforts have already benefited victims in France, Malta, Portugal, Croatia, Slovakia, and Austria, and the operation is set to continue for several months. Current removal techniques can delete the malware from workstations but not from USB devices; decisions on further action are deferred to national CERTs and cybersecurity authorities. Europol is assisting in deploying Sekoia's removal tool among its partner nations, highlighting the international collaboration against this persistent threat.
2024-07-27 05:52:16 thehackernews MALWARE Malicious PyPI Package Targeting macOS to Steal Google Cloud Credentials
Cybersecurity researchers identified a malicious package, "lr-utils-lib," on the Python Package Index (PyPI) designed specifically to target Apple macOS systems and steal Google Cloud credentials. The malware first checked whether it was installed on a macOS system and then compared the system's UUID against a list of 64 predefined hashes to target specific devices. Upon a match, the package attempted to steal authentication data from files within the macOS Google Cloud configuration directory. The stolen credentials were transmitted to a remote server over HTTP. Before being removed, the package was downloaded 59 times, suggesting a limited but focused attack. A fake LinkedIn profile associated with the package indicates that social engineering may have been part of the attack's strategy. The motives and actors behind this targeted attack remain unknown, but it highlights the risk to both individuals and enterprises from the access to enterprise systems that developer machines can provide. The incident underlines the continuing threat in the software supply chain, especially from disguised packages aimed at specific systems.
2024-07-26 19:32:15 bleepingcomputer DATA BREACH Gemini Cryptocurrency Exchange Suffers Third-Party Data Breach
Gemini, a U.S. cryptocurrency exchange, reported a data breach affecting its customers' banking details through a third-party vendor. Unauthorized access occurred between June 3 and June 7, 2024, compromising names, bank account numbers, and routing numbers used for ACH transfers. The breach was localized to the Automated Clearing House (ACH) service provider, and no other sensitive personal information was exposed. Gemini has contained the incident and initiated an investigation with the help of external cybersecurity experts. Affected users are advised to enable multi-factor authentication on their bank accounts and monitor for any signs of unauthorized or fraudulent activity. Gemini has informed the affected individuals and recommended placing fraud alerts or security freezes on their credit reports. This breach follows a significant 2022 incident involving another third-party vendor that impacted 5.7 million users.