Daily Brief

2024-05-21 11:39:03 thehackernews MISCELLANEOUS Key Principles for Effective DevSecOps Implementation
Today’s software development incorporates DevSecOps practices to integrate security throughout the development lifecycle, addressing the increasing threats in the cyber landscape. Effective DevSecOps practices not only aim to secure applications but also maintain the speed and satisfaction level of the development processes. Establishing a collaborative, security-minded culture across all teams is crucial for minimizing resistance and enhancing cross-functional teamwork. DevSecOps emphasizes 'shifting security left'—integrating security early in the development process to identify and address vulnerabilities without overburdening developers. Governance and stringent guardrails are essential to prevent errors and enforce compliance, ensuring stakeholders can easily follow security protocols. Secure the entire software supply chain, not just the organization’s source code, to protect against vulnerabilities in open-source components and third-party artifacts. Incorporate automation and AI to achieve continuous security, keeping pace with rapid development cycles and enhancing the maturity of DevSecOps practices. The guidelines provided articulate clear methods to build a robust DevSecOps foundation, crucial for evolving DevOps technologies and ongoing security challenges.
2024-05-21 11:13:26 thehackernews MISCELLANEOUS Enhancing IT Security Compliance with Wazuh's FIM Tool
File Integrity Monitoring (FIM) is essential for auditing and ensuring data integrity within IT systems, as mandated by various cybersecurity standards. Wazuh provides a comprehensive FIM capability, integrated within its open-source security platform, aiding in both detection and response to unauthorized file changes. FIM helps in meeting IT security compliance by monitoring changes such as file modifications, deletions, and additions, important for adhering to standards like PCI DSS, ISO 27001, and GDPR. The Wazuh platform not only offers FIM but also includes features like malware detection, vulnerability detection, and security configuration assessment, making it a robust tool for enhancing security posture. Implementing and configuring the Wazuh FIM capability properly allows organizations to keep track of critical changes in real-time, promptly addressing potential security incidents. Effective utilization of Wazuh’s FIM can prevent compliance-related issues and mitigate risks associated with data breaches and cyber-attacks. The flexibility of Wazuh allows it to secure diverse IT environments, including cloud-based, on-premises, and containerized platforms.
2024-05-21 11:03:06 theregister RANSOMWARE Dominance of Major Ransomware Gangs Deters New Entrants in 2023
The number of new ransomware families introduced in 2023 dropped significantly to 43 from 95 in the previous year, indicating a consolidation in the ransomware landscape. Dominant ransomware groups like LockBit 3.0 and ALPHV/BlackCat have effectively stifled competition through successful and profitable attacks, reducing the incentive for new entrants. Ransomware tactics now focus more on targeting business-critical systems and on exfiltrating data before deploying encryption, a strategic shift from early ransomware methods. Approximately 5,600 ransomware attacks were recorded between January 2023 and February 2024, but the real number is likely higher due to underreporting. The majority of ransomware attacks begin by exploiting vulnerabilities in public-facing applications or through compromised valid accounts, emphasizing the necessity of robust security measures like multi-factor authentication (MFA) and timely patching. Ransomware attacks still primarily involve data encryption, despite the prominence of high-profile pure-extortion attacks like the MOVEit MFT incident. Ineffective enforcement of MFA and slow security updates are significant weaknesses that organizations need to address to prevent ransomware attacks. Zero-day vulnerabilities continue to be a lucrative market for cybercriminals, with increased focus on network edge devices as primary targets for future attacks.
2024-05-21 10:27:13 thehackernews MALWARE Critical Code Execution Vulnerabilities in Python and PDF.js Libraries
Researchers have disclosed a critical flaw in the llama_cpp_python Python package, allowing for arbitrary code execution. The vulnerability, tracked as CVE-2024-34359 with a CVSS score of 9.7, is a result of server-side template injection facilitated by misuse of the Jinja2 template engine. The llama_cpp_python package has been downloaded over 3 million times, highlighting its widespread use for integrating AI models with Python. A separate high-severity flaw was found in Mozilla's PDF.js library, potentially enabling arbitrary JavaScript execution (tracked as CVE-2024-4367). Mozilla has patched the vulnerability in Firefox, Firefox ESR, Thunderbird, and the npm module pdfjs-dist, advising further checks for embedded PDF.js in node modules. These discoveries underscore the critical intersection of AI, software supply chain security, and the need for enhanced lifecycle management of AI systems and components. Security experts urge developers to update to the patched versions of the affected libraries to protect against potential data theft, system compromise, and operational disruptions.
2024-05-21 09:10:29 thehackernews MISCELLANEOUS Microsoft Windows 11 Enhances Security with New Features in 2024
Microsoft has announced plans to deprecate NT LAN Manager (NTLM) in Windows 11, shifting to Kerberos for authentication to strengthen security; the change is scheduled for the second half of 2024. NTLM has been identified as vulnerable to relay attacks, notably exploited by the Russia-linked APT28, and Microsoft cited NTLM's outdated cryptographic support as a reason for its deprecation. Enhanced security features in Windows 11 include Local Security Authority protection by default, virtualization-based security for Windows Hello, and AI-powered Smart App Control to block unsafe applications. Microsoft is launching Trusted Signing, an end-to-end solution that simplifies app certification for developers and ensures safer application execution. Upcoming security updates include Protected Print Mode as the default setting and no longer trusting TLS certificates with RSA keys under 2048 bits. Microsoft introduced Zero Trust Domain Name System (ZTDNS) for commercial customers, restricting Windows devices to pre-approved network destinations. In response to prior security breaches and criticism, Microsoft outlined significant strategic enhancements in its Secure Future Initiative (SFI), focusing on accountability for cybersecurity management at senior levels. In line with recent cybersecurity recommendations, Google emphasized the necessity for governments to adopt secure-by-design systems and to encourage a multi-vendor strategy to mitigate the risks of relying on a single vendor ecosystem.
2024-05-21 07:28:13 thehackernews CYBERCRIME NextGen Healthcare Mirth Connect Vulnerability Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a security flaw in NextGen Healthcare Mirth Connect. Identified as CVE-2023-43208, the vulnerability allows unauthenticated remote code execution and stems from an incomplete fix of a previous issue. The flaw arises from insecure handling of XML data by the Java XStream library, which makes it easy for attackers to exploit. CISA has mandated that federal agencies upgrade their Mirth Connect systems to version 4.4.1 or later by June 10, 2024, to mitigate the risk. There are no details on who is behind the attacks or on the specific nature of the attacks exploiting this vulnerability. The vulnerability was first disclosed by Horizon3.ai and further detailed by researchers in January 2023. CISA also added an exploited vulnerability in Google Chrome to its KEV catalog, urging updates to patched versions. Mirth Connect is a critical integration platform used by healthcare organizations for data exchange between varied systems.
2024-05-21 06:47:25 thehackernews MALWARE Critical Vulnerability Hits Fluent Bit Logging Utility
A critical security flaw, CVE-2024-4323, known as Linguistic Lumberjack, has been identified in the Fluent Bit logging utility. The vulnerability affects versions 2.0.7 through 3.0.3 and has been fixed in version 3.0.4. Exploitation of this flaw could lead to denial-of-service (DoS), information leakage, or even remote code execution. The issue arises from memory corruption due to improperly validated input types in the built-in HTTP server's API endpoints. Attackers could manipulate the server by sending maliciously crafted requests to certain API monitoring endpoints. It’s crucial for users to update to the latest software version to guard against potential exploits, particularly as a proof-of-concept (PoC) exploit is already available. The vulnerability's exploitability for remote code execution varies based on the host's architecture and operating system.
2024-05-21 03:38:36 theregister MISCELLANEOUS Challenges in Tech and FOSS Adoption by Myanmar Activists
Myanmar’s military regime, which seized power in 2021, severely restricted internet access, banned social networks, and clamped down on digital communications. Activists in Myanmar face significant hindrances in using Big Tech services due to required real-name registration and the dominance of services like Facebook's "Free Basics", which limits privacy. FOSS (Free and Open Source Software) tools, though potentially beneficial, are complicated for activists with limited technical skills, reducing their practicality in high-risk environments. The study by Laura Gianna Guntrum at PEASEC highlights the need for more accessible, secure communication tools designed specifically for activists in oppressive regimes. The research suggests integrating peer-to-peer networking into popular apps like Signal and WhatsApp to maintain connectivity during internet blackouts imposed by the government. Guntrum's findings urge developers to create user-centric technology solutions tailored to the unique challenges faced by activists worldwide, especially during internet shutdowns and periods of heightened surveillance.
2024-05-20 23:09:22 theregister MISCELLANEOUS OpenSSF Launches Siren to Enhance FOSS Security Alerts
The Open Source Security Foundation (OpenSSF) has introduced a new initiative called Siren to improve security in free and open-source software (FOSS). Siren is designed to aggregate and disseminate threat intelligence, providing real-time security bulletins and a community-driven knowledge base. The initiative aims to bridge the information gap between FOSS developers and enterprise security teams. Siren will share the tactics, techniques and procedures used against open-source projects, along with indicators of compromise from recent security incidents. Siren is intended as a post-disclosure tool to keep the community informed, rather than a platform for initially disclosing new vulnerabilities. The importance of securing open source software has risen after high-profile supply chain attacks exposed significant vulnerabilities. Synopsys' recent research highlighted that 96% of analyzed code bases used open source components, with 84% containing at least one vulnerability. OpenSSF emphasizes the critical need for centralized threat intelligence sharing to protect the integrity of open source software.
2024-05-20 22:08:22 theregister NATION STATE ACTIVITY London High Court Allows Julian Assange Extradition Appeal
Julian Assange has been granted permission by the High Court in London to appeal his extradition to the US. Assange faces charges in the U.S. including 17 counts of espionage and one of computer misuse, with a potential 175-year prison term. The charges relate to WikiLeaks' publication of US diplomatic and military documents shared by Chelsea Manning. Legal grounds for the appeal include potential discrimination and exclusion from First Amendment protections. In 2022, the UK government approved Assange's extradition to the US, triggering ongoing legal challenges. Assange's defense argues that his journalistic activities, including the mass dissemination of classified data, should be protected as free speech. The US gave assurances of constitutional protections and non-prejudiced sentencing, which British courts deemed insufficient. Speculation exists around potential US motives to avoid a high-profile trial amid free-speech activist support for Assange.
2024-05-20 21:17:15 bleepingcomputer DDOS Critical Vulnerability in Fluent Bit Affects Global Cloud Providers
A critical vulnerability identified in Fluent Bit potentially impacts all major cloud service providers, including Amazon AWS, Google GCP, and Microsoft Azure. The flaw, tracked as CVE-2024-4323 and nicknamed "Linguistic Lumberjack," permits denial-of-service attacks and remote code execution through heap buffer overflows. Fluent Bit, a widely used logging and metrics tool embedded in numerous Kubernetes distributions, had been downloaded over 13 billion times by March 2024. Security researchers at Tenable discovered the vulnerability, which was introduced in Fluent Bit version 2.0.7, within the tool's HTTP server parser. The immediate risks from CVE-2024-4323 are relatively easy-to-execute DoS attacks and potential information leaks. Fixes for the vulnerability have been committed to the main branch of Fluent Bit and are expected to be released in version 3.0.4. Tenable has informed the major service providers through their vulnerability disclosure platforms and advised limiting access to Fluent Bit’s monitoring API as a temporary mitigation.
2024-05-20 20:56:46 bleepingcomputer DATA BREACH OmniVision Hit by Cactus Ransomware, Personal Data Stolen
OmniVision suffered a data breach following a Cactus ransomware attack between September 4 and September 30, 2023. The company, a subsidiary of Will Semiconductor and a manufacturer of imaging sensors, reported the breach to California authorities. The breach resulted in the encryption of some of OmniVision's systems and theft of personal information. The internal investigation, completed on April 3, 2024, confirmed unauthorized access and theft of data. OmniVision has implemented enhanced security measures, including faster detection of suspicious activities. The Cactus ransomware gang, known for using VPN vulnerabilities, claimed responsibility and released stolen data freely online. Impacted individuals are being offered 24 months of credit monitoring and identity theft restoration services. The company advises affected individuals to remain vigilant against unsolicited communications and to monitor their financial accounts regularly.
2024-05-20 19:40:14 bleepingcomputer CYBERCRIME Arrest of Dark Web Market Owner for $100M Drug Sales
Rui-Siang Lin, the operator of Incognito Market, was arrested at JFK Airport on charges relating to drug sales of over $100 million. Incognito Market used cryptocurrency to facilitate illegal narcotics transactions totaling about 1,000 kilograms, including cocaine and methamphetamine. Three servers used by Incognito Market were seized, revealing transactions and accounts of over 200,000 customers and 1,000 vendors. At its peak, the marketplace amassed substantial revenue, generating over $83 million and earning Lin at least $4 million in commissions. Lin faces several severe charges, including narcotics conspiracy and money laundering, which carry a potential sentence of life imprisonment. The marketplace's final acts included shutting down, withholding users' funds, and threatening users with exposure unless additional payments were made. Homeland Security Investigations noted the extensive damage and risk caused by these operations, highlighting the mixture of narcotics sold, including potentially lethal fentanyl.
2024-05-20 17:53:02 theregister MISCELLANEOUS Google Criticizes Microsoft's Security in Recent White Paper
Google has published a white paper criticizing Microsoft's security practices, particularly after recent breaches involving Microsoft software. The paper highlights the Cyber Safety Review Board's critique of Microsoft's handling of a June 2023 attack by Storm-0558, a group with China affiliations. Google contrasts Microsoft's security failures with its own practices in Google Workspace, advocating that Microsoft customers switch to its platform. The report details Microsoft's security missteps, including outdated key security and incorrect public statements about the source of breaches. Google is promoting Workspace to federal agencies with discounts and a bonus year of service in an attempt to capture part of Microsoft’s client base in the public sector. The white paper also references Google's own security breach in 2009, using it as an example of how the company has learned and improved from such incidents. Google’s aggressive marketing includes discount offers on Google Workspace Enterprise Plus for agencies with over 500 workers.
2024-05-20 16:15:54 theregister MISCELLANEOUS U.S. Police Circumvent Local Facial Recognition Technology Bans
Police departments in several U.S. cities have sidestepped local bans on facial recognition technology by requesting assistance from agencies in areas without these prohibitions. Documents and reports indicate that the San Francisco Police Department (SFPD) and Austin Police Department (APD) have both engaged in this practice, albeit with varying degrees of success. SFPD attempted facial recognition searches through other agencies five times since 2019 without successful matches, while APD has conducted at least 13 searches since 2020, some resulting in arrests. Both police departments claim these searches were conducted without official authorization, and there have been no reported consequences for SFPD officers involved. Former San Francisco District Attorney Chesa Boudin expressed concerns about the legality and admissibility of evidence obtained through such methods, highlighting the potential for cases to be dismissed if the technology's use is proven. The widespread use of facial recognition technology by law enforcement—including unauthorized sharing of data—raises significant privacy and racial bias concerns among advocates. Despite improvements to address biases, instances like the Metropolitan Police in London demonstrate ongoing issues with high rates of false positives in facial recognition systems. The interaction between local bans and federal use of facial recognition technology reflects a complex landscape of regulatory and ethical challenges surrounding surveillance practices.