Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-22 00:51:39 | theregister | NATION STATE ACTIVITY | US Govt Funds Auto-Patcher Tech for Hospital Cybersecurity | The US government's ARPA-H has committed over $50 million to develop an automated security technology for hospitals named UPGRADE. UPGRADE aims to automate the detection and patching of vulnerabilities in hospital IT systems to enhance cybersecurity without affecting clinical operations. The initiative invites tech experts to create tools that scan for security weaknesses, develop fixes, and deploy them with minimal disruption to hospital operations. This technology will also involve creating digital twins of hospital equipment and developing custom defense mechanisms tailored to specific vulnerabilities. ARPA-H was established by President Joe Biden and operates under the US Dept of Health and Human Services, focusing on breakthrough healthcare technologies. Deputy Secretary Andrea Palm emphasized the critical need for advanced cybersecurity to protect interconnected healthcare services from ransomware and cyberattacks. The development of UPGRADE is part of a broader strategy to secure healthcare infrastructures, potentially making currently voluntary cybersecurity practices mandatory. |
| 2024-05-21 22:34:10 | bleepingcomputer | MALWARE | GhostEngine Crypto Mining Campaign Disables Security Software | A new crypto mining campaign named 'REF4578' has been identified deploying a malware called GhostEngine that disables security products using vulnerable drivers. GhostEngine starts its attack using a masqueraded Windows file, 'Tiworker.exe', which serves as a launcher for further malicious activities. The main payload, downloaded via a PowerShell script ('get.png'), kills endpoint detection and response (EDR) software and initiates crypto mining using XMRig. To disrupt EDR operations, GhostEngine employs vulnerable kernel drivers from Avast and IObit to terminate processes and delete executables. Researchers have not pinpointed the origin of the attacks or identified specific victims, leaving the scope and impact of the campaign unclear. Continuous updating is implemented by downloading new versions of the malicious PowerShell script via scheduled tasks, which also provide persistence. Defense strategies against GhostEngine involve monitoring for unusual PowerShell usage and for suspicious processes or network traffic, particularly to known crypto-mining pools, and blocking the creation of vulnerable driver files. Elastic Security Labs has provided YARA rules to aid defenders in detecting signs of GhostEngine infections in their networks. |
| 2024-05-21 22:28:49 | bleepingcomputer | CYBERCRIME | Veeam Issues Urgent Patch for Critical Authentication Bug | Veeam has alerted customers about a critical vulnerability in its Backup Enterprise Manager product, urging immediate patching. The security flaw, identified as CVE-2024-29849, permits unauthenticated attackers to log into any account on the VBEM platform. VBEM, a web management tool, is not enabled by default, reducing the risk for some environments. The vulnerability scored a high 9.8/10 on the CVSS scale, indicating severe risk. Temporary mitigation involves stopping and disabling related Veeam services or uninstalling the vulnerable platform if not in use. In addition to CVE-2024-29849, Veeam also patched other high-severity vulnerabilities concerning account takeovers and NTLM hash stealing. Historical context: Veeam has been a target in past ransomware operations, with vulnerabilities exploited by known threat groups against U.S. critical infrastructure and Latin American IT firms. Globally, Veeam's solutions are employed by over 450,000 customers, making security breaches particularly impactful. |
| 2024-05-21 21:27:32 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Claims Data Theft from London Drugs | The LockBit ransomware group claims responsibility for an April cyberattack on Canadian pharmacy chain London Drugs. The attack led to the temporary shutdown of all London Drugs retail stores across Western Canada; however, stores have since reopened. London Drugs conducted a forensic investigation which found no evidence of compromised customer or health data. Despite this, LockBit threatens to publish stolen data online, allegedly including employee information, following failed $25 million ransom negotiations. London Drugs cannot yet confirm the extent of the employee data breach, but has provided employees with complimentary credit monitoring and identity protection services. LockBit ransomware is still operational despite international law enforcement efforts, including the recent Operation Cronos, which seized the gang's infrastructure in February 2024. The U.S. State Department offers significant rewards for information leading to the arrest of LockBit leadership and affiliates. |
| 2024-05-21 20:00:36 | bleepingcomputer | DATA BREACH | Leaked Plaintext Secrets Compromise AWS Accounts via Bitbucket | Mandiant uncovered a breach where plaintext AWS secrets were leaked through Atlassian Bitbucket artifact objects. Bitbucket artifact files accidentally exposed plaintext authentication secrets, risking unauthorized data access. Developers using Bitbucket's CI/CD pipeline inadvertently stored sensitive authentication keys in public repositories. The exposure occurred when environment variables, intended to be encrypted, were stored in plaintext within artifacts for CI/CD processes. Threat actors exploited these exposed secrets to access AWS accounts, underscoring the risks of misconfigured CI/CD pipelines. Mandiant advises utilizing dedicated secret management tools and conducting thorough code scans to prevent similar incidents. Developers are encouraged to ensure that no plaintext secrets are included in artifacts and to regularly review and update security configurations. |
| 2024-05-21 19:49:49 | theregister | MISCELLANEOUS | Zoom Implements Post-Quantum Encryption to Enhance Security | Zoom has introduced post-quantum end-to-end encryption (E2EE) for its video conferencing platform, aiming to secure communications against future quantum computer threats. This update positions Zoom as the first UCaaS provider to implement a quantum-resistant encryption solution for video communications. The newly implemented Kyber 768 encryption algorithm is designed to protect against potential quantum computer decryption, ensuring that data remains secure through quantum-resistant encryption methods. Users must join meetings via the Zoom desktop or mobile app to utilize E2EE, with phone number verification required for hosts on free accounts. While enabling E2EE, users may experience limited functionality in some standard Zoom features, prompting individuals to consider their need for these features before activation. Kyber 768 is currently under standardization by the National Institute of Standards and Technology (NIST) to become a recognized post-quantum encryption standard. The update comes amid concerns over "harvest now, decrypt later" surveillance tactics, where encrypted data is stored until decryptable by future technology. Other tech giants like Apple and Signal have also begun integrating quantum-resistant algorithms to safeguard communications against emerging quantum technologies. |
| 2024-05-21 19:44:28 | bleepingcomputer | DATA BREACH | Western Sydney University Faces Significant Data Breach | Western Sydney University notified students and staff of a data breach affecting its Microsoft 365 and SharePoint environment. The earliest unauthorized access occurred on May 17, 2023, compromising email accounts and SharePoint files. Approximately 7,500 individuals have been confirmed affected, though the investigation continues and this number may increase. The breach was identified much later, in January 2024, prompting swift action by the university's IT team to close the breach and enhance security measures. NSW Police, CrowdStrike, and CyberCX have been involved in the ongoing investigation; no ransomware or extortion demands have been detected. The university's core operations such as classes, exams, and research programs remain unimpacted. Legal measures, including a court injunction, have been taken to prevent dissemination of accessed data. Impacted individuals are being contacted directly and offered support through a dedicated phone line, with further assistance available from IDCARE. |
| 2024-05-21 19:08:31 | bleepingcomputer | DATA BREACH | Atlassian Bitbucket Leak Exposes AWS Auth Secrets | Threat actors exploited plaintext authentication secrets leaked in Atlassian Bitbucket artifact files to breach AWS accounts. Mandiant uncovered the data exposure while investigating a breach where AWS secrets used for access were leaked in plaintext. Bitbucket, used for version control and CI/CD, allows developers to store sensitive information such as AWS secrets in secured variables. Despite being encrypted in Bitbucket, secured variables were found exposed in plaintext within artifact files generated during pipeline operations. Developers were likely unaware that these secrets, crucial for security, were exposed in files readily accessible in public repositories. Mandiant warned that some developers' misconfigurations in pipeline settings or debug logs could lead to unintentional leaks of sensitive data. Mandiant recommended using dedicated secret management tools and implementing code scanning throughout development to prevent such exposures. |
| 2024-05-21 17:51:51 | bleepingcomputer | NATION STATE ACTIVITY | Rockwell Automation Advises Immediate ICS Disconnection Due to Threats | Rockwell Automation issued a warning to customers urging them to disconnect industrial control systems (ICS) not intended for online exposure to protect against rising malicious cyber activities. The guidance emphasizes the importance of keeping such devices off the internet to minimize organizational attack surfaces and prevent direct system access by threat actors. Increased global geopolitical tensions and cyber threats prompted this advisory, stressing immediate action for devices unnecessarily connected to the public internet. The advisory coincides with a CISA alert reinforcing the need for reduced ICS device exposure in light of current security vulnerabilities identified in Rockwell ICS devices. Historical context includes past advisories from the NSA and CISA focused on securing operational technology (OT) and ICS from cyberattacks, with escalating guidance over recent years. Recent federal alerts have also highlighted the activities of pro-Russian hacktivists and their impacts on critical infrastructure, noting that groups like the Cyber Army of Russia have government affiliations, increasing the threat level. Rockwell's proactive step aims to drastically curtail the risk of unauthorized access and enhance overarching cybersecurity resilience in critical infrastructure sectors. |
| 2024-05-21 17:46:35 | theregister | DDOS | Critical Vulnerability Discovered in Logging Component Fluent Bit | Researchers at Tenable uncovered a critical vulnerability (CVE-2024-4323) in Fluent Bit, impacting all major cloud providers. This flaw can lead to denial of service (DoS), information leaks, and possibly remote code execution (RCE) under specific conditions. Fluent Bit is widely used, with over 13 million Docker downloads, and is utilized by major companies like Cisco, Dell, Walmart, and others. The vulnerability affects versions 2.0.7 through 3.0.3 and involves memory corruption triggered by passing non-string values into its monitoring API. Attackers can crash the service or potentially access sensitive information by manipulating integer values sent to the API. Although exploiting for remote code execution is complex and challenging, the immediate risks are primarily DoS and data leakage. Cloud services using Fluent Bit should urgently upgrade to version 3.0.4 or restrict access to the affected API endpoints. Tenable has notified major cloud services, including Microsoft, Amazon, and Google, to facilitate prompt mitigation and security enhancements. |
| 2024-05-21 16:19:51 | thehackernews | CYBERCRIME | GitHub Fixes Critical Security Flaw in Enterprise Server | GitHub updated GitHub Enterprise Server (GHES) to fix a high-severity authentication bypass vulnerability, identified as CVE-2024-4985. The vulnerability, with a maximum CVSS score of 10.0, could allow unauthorized access without prior authentication, especially in configurations using SAML SSO with encrypted assertions. Attackers could potentially forge a SAML response to gain administrative access or provision new users. The flaw affects all GHES versions prior to 3.13.0; patches have been released in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Encrypted assertions, which were vulnerable, are not enabled by default, thus limiting the overall exposure. GitHub recommends upgrading to the newest GHES version to prevent exploitation and secure systems. GHES is used by organizations worldwide for self-hosted software development and deployment, emphasizing the importance of this security update. |
| 2024-05-21 15:03:07 | bleepingcomputer | CYBERCRIME | GitHub Fixes Critical SAML Authentication Bypass Flaw | GitHub has patched a critical vulnerability in its Enterprise Server, identified as CVE-2024-4986, with a CVSS v4 rating of 10.0. The flaw affects instances that use Security Assertion Markup Language (SAML) single sign-on (SSO) with encrypted assertions. Attackers could exploit the vulnerability to forge a SAML response, allowing unauthorized administrative access to the server's contents. The vulnerability impacts only those GitHub Enterprise Server (GHES) instances where encrypted assertions have been enabled, which is not a default setting. GHES is aimed at large enterprises or teams requiring enhanced control over data, including those managing sensitive information or needing offline access. Affected versions have been updated: versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15 were all released to address this issue as of May 20. Instances using the vulnerable configuration should urgently upgrade to a secure version to mitigate risk. |
| 2024-05-21 14:37:25 | thehackernews | MALWARE | Cloud Services Exploited to Deliver Malware Using Unicode Tricks | A new malware campaign, CLOUD#REVERSER, utilizes Google Drive and Dropbox to distribute malicious payloads via cloud storage services. Attackers send phishing emails containing ZIP files disguised as Microsoft Excel documents using the Unicode right-to-left override (RLO) trick, deceiving users into executing harmful executables. The malware establishes persistence by creating scheduled tasks under the guise of Google Chrome browser updates and downloads additional PowerShell scripts for ongoing operations. These PowerShell scripts interact with Google Drive and Dropbox to download further malicious scripts and files, continuously updating their capabilities and actions. The VBScript and PowerShell used are heavily obfuscated, complicating detection and analysis while performing activities typical of a command-and-control infrastructure. The CLOUD#REVERSER campaign highlights an ongoing trend of cybercriminals exploiting legitimate cloud platforms to conduct stealthy operations and avoid detection. |
| 2024-05-21 13:11:06 | thehackernews | MALWARE | SolarMarker Malware Adapts to Evade Detection and Takedown | SolarMarker, an information-stealing malware, has evolved to use a multi-tiered infrastructure to resist law enforcement takedowns. This complex infrastructure has primary clusters for ongoing operations and secondary ones likely used for testing and targeting specific sectors. The malware is capable of stealing data from web browsers and cryptocurrency wallets, as well as VPN and RDP configurations, and predominantly affects sectors like education, government, healthcare, hospitality, and SMEs. SolarMarker's infection techniques include hosting payloads on fake downloader sites and using malicious emails with misleading links leading to executable files or Microsoft Installer files. The malware has adopted stealth features, such as increased payload sizes, the use of valid certificates, novel Windows Registry changes, and the ability to run directly from memory. Recent variations of SolarMarker have included a PyInstaller version using a decoy dishwasher manual and a Delphi-based backdoor named SolarPhantom for remote control without user knowledge. Recorded Future's report highlights that the malware's complex server architecture involves up to four tiers of command-and-control servers, complicating efforts to neutralize the threat. Although there is speculation about SolarMarker's origins, including a possible Russian connection, definitive attribution has not been established. |
| 2024-05-21 13:00:42 | bleepingcomputer | MISCELLANEOUS | Zoom Integrates Quantum-Resistant Encryption for Enhanced Security | Zoom has globally launched post-quantum end-to-end encryption for its video meetings, planning expansions to Zoom Phone and Zoom Rooms. The implementation uses the Kyber768 quantum-resistant algorithm, enhancing security against potential future quantum computer threats. Current encryption ensures only meeting participants have access to encryption keys, with Zoom's servers unable to decrypt communications. The move prepares Zoom for future security challenges, addressing the "harvest now, decrypt later" threat posed by advancements in quantum computing. This proactive security upgrade aligns Zoom with other tech leaders like Signal and Google Chrome, which have also adopted quantum-resistant algorithms. Previously criticized for its encryption standards, Zoom has been proactive since 2020, advancing its security features amid increasing demands for secure communication solutions. Zoom claims leadership in the UCaaS space with this advanced quantum-resistant video conferencing capability. |