Daily Brief
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-22 16:31:21 | theregister | MISCELLANEOUS | SEC Clarifies Rules on Reporting Cybersecurity Incidents | The SEC has updated its guidance for public companies on disclosing ransomware and other cybersecurity incidents.<br>Public companies must report "material" cybersecurity incidents, that is, incidents that could affect investment decisions, using Form 8-K, Item 1.05.<br>Companies have been unsure when an incident is material and whether to file under Item 1.05 or under Item 8.01 for less significant events.<br>Erik Gerding, Director of the SEC's Division of Corporation Finance, discussed how voluntary disclosures under Item 1.05 can confuse investors.<br>Keeping the two filings distinct helps investors gauge the significance of a cybersecurity incident.<br>Material incidents must be disclosed promptly under Item 1.05, while non-material incidents, or those whose materiality is still undetermined, should use Item 8.01.<br>The SEC emphasizes transparency in disclosing cybersecurity incidents but aims to minimize confusion by clarifying which form applies. |
| 2024-05-22 16:05:31 | bleepingcomputer | DATA BREACH | Windows 11 Recall Feature Raises Significant Privacy Concerns | Microsoft's new AI-powered Windows 11 Recall is designed to make previously viewed information easily accessible but has raised privacy and security concerns.<br>The feature captures and stores window screenshots every few seconds, retaining this data on the device for up to three months by default.<br>According to Microsoft, all collected data is stored on the device in encrypted form, protected by BitLocker, and not shared externally.<br>Recall's extensive data collection includes potentially sensitive information, raising fears of both intentional misuse and incidental exposure.<br>The UK Information Commissioner's Office (ICO) is contacting Microsoft to ensure the feature's compliance with privacy regulations.<br>Cybersecurity experts and users are concerned that the stored data could be accessed by other users of the device or exploited by malware if the device is compromised.<br>Microsoft asserts that it prioritizes user control and privacy in the design, but the cybersecurity community remains skeptical about the risks involved. |
| 2024-05-22 15:09:15 | theregister | CYBERCRIME | Live Event on Enhanced Ransomware Protection in Multicloud Settings | Zerto is hosting a live event in Boston to discuss ransomware protection in multicloud environments.<br>The event will feature Anthony Dutra from Zerto, who will present survey findings on ransomware impact concerns.<br>Attendees will learn about critical strategies and technologies to defend against ransomware.<br>The event aims to address security measures for sensitive data across various hosting platforms.<br>Attendees can also explore additional resources such as white papers on ransomware resilience and real-time encryption detection techniques.<br>Hands-on demonstrations of Zerto technology are available through Zerto Hands on Labs.<br>The event highlights the growing need for specialized defenses in increasingly complex cloud architectures. |
| 2024-05-22 14:18:08 | thehackernews | NATION STATE ACTIVITY | Unfading Sea Haze: Targeted Chinese Espionage in South China Sea | Researchers have identified a new threat group, Unfading Sea Haze, active since 2018 and targeting military and government entities in the South China Sea region.<br>Bitdefender's report suggests these cyber attacks align with Chinese strategic interests, employing tactics similar to other China-linked groups.<br>The attackers used sophisticated methods to maintain access within compromised systems, aided by the victims' poor credential management and lack of patching.<br>The campaign utilized various malware including Gh0st RAT, with advanced techniques like fileless execution and scheduled tasks for persistence.<br>Spear-phishing with malicious LNK files was a prominent initial attack vector, launching payloads to control affected systems remotely.<br>Tools such as ITarian RMM were used to establish footholds, a tactic uncommon among nation-state actors except for certain groups like Iran's MuddyWater.<br>The adversary demonstrated high sophistication with a wide array of custom tools and evasion techniques, focusing on in-memory execution to avoid detection.<br>Aside from automation, manual techniques were also employed for data exfiltration, specifically targeting sensitive information from messaging applications. |
| 2024-05-22 14:02:38 | bleepingcomputer | MISCELLANEOUS | Criminal IP Enhances Cybersecurity Tools on AWS Marketplace | AI SPERA announced the availability of its Criminal IP search engine on AWS Marketplace, meeting high technical and security standards.<br>Criminal IP offers enhanced threat detection leveraging AI and machine learning, providing insights into risks associated with internet-connected devices.<br>The tool's integration with AWS simplifies procurement and deployment, aligning with customers' existing cloud architectures.<br>Users can integrate Criminal IP's threat intelligence data into existing services and systems, such as SOAR and SIEM, through its API.<br>Criminal IP features a rich repository of data including risk classifications, geographical insights, and graphs of vulnerable assets, facilitating robust cybersecurity management.<br>Criminal IP now also offers flexible payment options, enhancing the user experience on the AWS platform.<br>Additionally, AI SPERA has expanded its global collaboration, partnering with over 40 security firms worldwide. |
| 2024-05-22 13:26:36 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Stealthily Infiltrated Military Networks Over Six Years | "Unfading Sea Haze," a previously undisclosed threat actor, has been actively compromising military and government targets in the South China Sea region since 2018.<br>This group is believed to be operating in alignment with Chinese geopolitical interests and has connections to the known Chinese threat group APT41.<br>The attacks primarily used spear-phishing emails with malicious ZIP files, leading to the deployment of fileless malware via MSBuild.<br>Key tools include a backdoor named 'SerialPktdoor,' a keystroke logger, browser data stealers, and a novel use of Microsoft's compiler to execute malware directly in memory.<br>Initial access and persistence are maintained through local administrator account manipulation, scheduled tasks, and the inadvertent use of commercially available Remote Monitoring and Management tools.<br>Recent tactics have evolved toward stealthier techniques such as remote SMB shares for launching C# payloads, alongside the use of sophisticated malware like Gh0stRAT.<br>Data exfiltration methods have also adapted over time, transitioning from custom-built tools to mainstream software like curl and FTP with dynamically changing credentials.<br>To defend against these threats, organizations are advised to implement comprehensive security measures including patch management, multi-factor authentication, network segmentation, and sophisticated detection systems. |
| 2024-05-22 12:25:13 | thehackernews | NATION STATE ACTIVITY | Urgent Call to Disconnect Internet-Facing ICS Amid Cyber Threats | Rockwell Automation advises disconnecting internet-facing industrial control systems (ICSs) to protect against malicious cyber activity.<br>Prompted by heightened global geopolitical tensions and adversarial cyber activity, immediate action is requested to identify and disconnect exposed devices.<br>Supported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the guidance includes mitigating known vulnerabilities and deploying patches.<br>Operational technology (OT) assets have historically been exploited by malicious actors, including Advanced Persistent Threat (APT) groups seeking political, economic, or disruptive gains.<br>Recent research highlights the potential for high-impact attacks similar to Stuxnet via the web-based interfaces of programmable logic controllers (PLCs).<br>New malware techniques that use PLC web interfaces can achieve platform-independent, persistent, and covert operations.<br>Recommended strategies include limiting exposure of system information, securing remote access points, and conducting periodic security audits to strengthen OT and ICS network security. |
| 2024-05-22 11:03:30 | theregister | CYBERCRIME | LockBit Ransomware Gang Supplanted Following Law Enforcement Takedown | LockBit was dethroned as the leading ransomware group, a position it had held for eight months, after an effective takedown led by the National Crime Agency.<br>In April, LockBit's activity decreased significantly, with only 23 organizations reportedly attacked (including one duplicate), a 60% drop post-takedown.<br>Rival ransomware groups such as Play, Hunters, and Ransomhub emerged as top threats due to LockBit's diminished capacity.<br>Global ransomware attacks fell by 15% month-on-month, though there was a slight increase of 1% year-on-year, influenced by the use of AI by cybercriminals.<br>The takedown of LockBit and the emergence of advanced AI technologies are reshaping the cybersecurity landscape, as emphasized by NCC Group's Global Head of Threat Intelligence.<br>The majority of ransomware attacks continued to target North America and Europe, with a notable rise in attacks on developing nations, possibly as test grounds for new malware.<br>Security experts warn against complacency despite recent successes, highlighting the need for continuous vigilance and global cooperation. |
| 2024-05-22 10:02:18 | thehackernews | MISCELLANEOUS | Essential Guide to SaaS Security Posture Management, 2025 Edition | Growth in corporate SaaS usage necessitates robust security measures, leading enterprises to adopt SaaS Security Posture Management (SSPM).<br>SSPM solutions provide comprehensive coverage, including misconfiguration management and integration with SOAR/SIEM systems.<br>Enhanced Identity Security Posture Management (ISPM) is crucial for managing human and non-human identities and permissions within SaaS environments.<br>Device-to-SaaS relationship management ensures risk control through integration with Unified Endpoint Management systems.<br>Generative AI applications in SaaS environments increase productivity but also broaden the potential attack surface.<br>SaaS security must include data leakage protections and visibility into document sharing practices to safeguard sensitive corporate information.<br>Identity Threat Detection and Response (ITDR) systems play a critical role in identifying and mitigating threats based on user behavior and other indicators.<br>The 2025 edition of the Ultimate SaaS Security Checklist aids organizations in choosing the right SSPM tools to safely expand their use of SaaS applications. |
| 2024-05-22 09:01:05 | thehackernews | MALWARE | Sophisticated Cryptojacking Campaign Employs Vulnerable Drivers | Cybersecurity experts have uncovered a cryptojacking campaign, dubbed REF4578, that uses vulnerable drivers to bypass security measures and mine cryptocurrency covertly.<br>The campaign leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to disable Endpoint Detection and Response (EDR) solutions, facilitating the execution of the XMRig mining software.<br>Attackers initiate the infection through a PowerShell script disguised as a PNG image, which downloads multiple malicious components from a command and control server.<br>The malware disables Microsoft Defender Antivirus, clears Windows event logs, and ensures sufficient free space on the C:\ volume for its operations.<br>Scheduled tasks are created to maintain persistence and to periodically execute malicious activities.<br>The primary tool in the attack, "smartsscreen.exe" or GHOSTENGINE, is designed to deactivate security processes and manage the cryptocurrency miner.<br>The operation displays significant sophistication, incorporating multiple redundancy measures and fallback mechanisms to ensure its success and durability.<br>Researchers highlight the increasing use of BYOVD attacks by cybercriminals to perform privileged actions by exploiting known flaws in system drivers. |
| 2024-05-22 07:44:32 | thehackernews | MALWARE | Keylogger Malware Deployed on MS Exchange Servers in Africa, Middle East | An unidentified threat actor has exploited vulnerabilities in Microsoft Exchange Server to install keylogger malware targeting various entities in Africa and the Middle East.<br>Positive Technologies identified over 30 victims, including government agencies, banks, educational institutions, and IT companies.<br>The attacks exploited the known ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), which Microsoft patched in May 2021.<br>The malware collects user credentials and stores them in a file accessible from the internet.<br>Victims are located in several countries, including Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.<br>The exploitation chain was originally discovered by DEVCORE's Orange Tsai; organizations are advised to keep their Microsoft Exchange Servers updated and to monitor for signs of compromise.<br>Positive Technologies has so far been unable to attribute the attacks to any known threat actor or group due to a lack of sufficient information. |
| 2024-05-22 07:34:10 | theregister | MALWARE | Critical Security Flaw Patched in GitHub Enterprise Server | GitHub Enterprise Server patched a critical vulnerability with a maximum CVSS severity score of 10.<br>The flaw allowed full administrative access if exploited and affected all versions before 3.13.0.<br>The vulnerability specifically impacted instances using SAML SSO with the optional encrypted assertions feature.<br>GitHub addressed the issue in recent patches for versions 3.9.x through 3.12.x; the latest 3.13.x versions are not affected.<br>The bug, identified as CVE-2024-4985, relied on encrypted assertions, a feature intended to enhance security.<br>It was discovered through GitHub's bug bounty program, which rewards such findings with between $20,000 and $30,000, potentially more.<br>This patch underscores the ongoing challenge of securing enterprise software against evolving threats. |
| 2024-05-22 05:16:15 | thehackernews | CYBERCRIME | QNAP Issues Fixes for Medium-Severity NAS Vulnerabilities | Taiwanese company QNAP released patches for several medium-severity vulnerabilities in its QTS and QuTS hero operating systems for NAS appliances.<br>The vulnerabilities allowed code execution but required authenticated access; they are addressed in the latest QTS and QuTS hero updates.<br>A notable vulnerability involved misuse of the 'strcpy' function, exploitable via a specific 'ssid' parameter in shared NAS files.<br>Some flaws, including an authentication bypass and code execution, were patched following coordinated disclosure with cybersecurity firm watchTowr.<br>QNAP faced criticism for its delayed response; however, it has committed to releasing critical fixes within 45 days and medium-severity fixes within 90 days.<br>Although ASLR is enabled, which complicates exploitation, QNAP advises users to update immediately to avoid the risks associated with unresolved and past vulnerabilities.<br>Public disclosure was forced by watchTowr after QNAP exceeded the standard 90-day disclosure period without fully resolving the reported issues. |
| 2024-05-22 04:50:42 | thehackernews | MISCELLANEOUS | Zoom Integrates NIST-Approved Post-Quantum Encryption | Zoom has introduced post-quantum end-to-end encryption (E2EE) to enhance meeting security.<br>The new encryption uses the Kyber-768 algorithm, selected by NIST for its quantum resistance.<br>Post-quantum E2EE is used by default only when all participants are on Zoom version 6.0.10 or newer; otherwise, standard E2EE applies.<br>The upgrade aligns with growing concerns over quantum computing's potential to break traditional cryptography.<br>Industry leaders such as AWS, Apple, and Google are also adopting quantum-resistant standards.<br>The move is particularly vital for entities managing critical infrastructure, as emphasized by HP Wolf Security.<br>The Linux Foundation recently launched the Post-Quantum Cryptography Alliance to tackle quantum-related cryptographic security challenges. |
| 2024-05-22 03:54:31 | thehackernews | CYBERCRIME | Critical Authentication Flaw Fixed in Veeam Backup Enterprise Manager | A critical vulnerability in Veeam Backup Enterprise Manager allows authentication bypass.<br>Tracked as CVE-2024-29849 with a CVSS score of 9.8, it enables an unauthenticated attacker to log in as any user.<br>Veeam has issued a fix in version 12.1.2.172, along with patches for three other related issues.<br>The affected product is an optional component; environments without it installed are unaffected.<br>Additional fixes include a local privilege escalation in Veeam Agent for Windows and a critical remote code execution flaw in Veeam Service Provider Console.<br>Users are advised to update their software to mitigate these risks. |