Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12753

Checks for new stories every ~15 minutes

2024-07-12 14:27:54 theregister MISCELLANEOUS Enhancing Identity Security with New Technological Approaches
Threat actors increasingly exploit weak points in identity security, targeting user identities and multi-factor authentication (MFA) systems. Newer approaches, such as the Shared Signals Framework and Identity Threat Detection and Response (ITDR) systems augmented with machine learning, are being developed to counter these attacks, and digital verifiable credentials are expected to reshape identity security further. Cisco's upcoming webinar, featuring security strategists Sami Laine and Josh Green, will discuss the evolution of identity security and the components of Cisco Duo's solution, including Identity Intelligence and Risk-Based Access Policies. The webinar aims to show how MFA can be made unobtrusive, improving the user experience without weakening security. Attendees of the webinar, scheduled for 17 July 2024, can expect to gain insights into strengthening their organization's posture against identity threats.
2024-07-12 14:12:18 theregister DATA BREACH AT&T Reports Major Data Breach Affecting 110 Million Customers
AT&T disclosed a significant data breach resulting from the compromise of its data on a third-party cloud platform, impacting approximately 110 million customers. The breach affected nearly all AT&T wireless customers, including those on mobile virtual network operators using AT&T's network, exposing call and text metadata. Personal information such as names and Social Security numbers was not included; however, a subset of the stolen records contains cell site identification numbers, from which a customer's approximate location could be inferred. The Federal Bureau of Investigation (FBI) has made at least one arrest in connection with the data theft and has been involved in the case since its discovery in mid-April. AT&T believes the stolen data has not been published online but remains cautious about the potential risk. The incident followed another major leak disclosed in March, when data belonging to 73 million customers was published online, an alarming pattern of data security problems for the company. This breach is part of a broader campaign against Snowflake customer instances, in which attackers used stolen credentials, many harvested by infostealer malware, against accounts that lacked multifactor authentication, affecting approximately 165 organizations. Snowflake has since given administrators the ability to require MFA for all users of an account and said it would work toward making MFA the default.
2024-07-12 13:41:28 bleepingcomputer DATA BREACH AT&T Data Breach Exposes Call Logs of 109 Million Customers
AT&T confirmed a significant data breach of its Snowflake account affecting nearly all mobile customers, involving the theft of call and text records. Approximately 109 million customers' call and text logs were exposed, covering interactions between May 1 and October 31, 2022, and on January 2, 2023; personal identifiers such as names or Social Security numbers were not included. The theft took place between April 14 and April 25, 2024, and the stolen metadata could potentially be used to identify individuals when correlated with other publicly available data. The Department of Justice twice permitted AT&T to delay public notification to facilitate a law enforcement investigation, given the sensitive nature of the records. AT&T has increased its cybersecurity safeguards and is working with law enforcement, and at least one suspect has been apprehended in connection with the breach. Current and former customers will be notified by AT&T and can check whether their information was compromised via an AT&T-provided FAQ page. There is no current evidence that the breached data has been publicly disclosed, and AT&T says the breach is unrelated to a previous incident in 2021. The breach is part of a broader wave of attacks on Snowflake customers, which has led the company to push customers toward stronger controls such as mandatory multi-factor authentication.
2024-07-12 12:29:34 thehackernews NATION STATE ACTIVITY Australian Army Private Charged with Espionage for Russia
A married couple, Australian Defence Force (ADF) Private Kira Korolev and her husband Igor, were arrested in Brisbane on charges of espionage for Russia. The investigation, codenamed BURGAZADA, alleges that while Kira was travelling in Russia she instructed Igor to access her ADF work account and send sensitive information to her private email. The couple face charges of preparing for an espionage offence, which carry penalties of up to 15 years in prison. These are the first charges brought under Australia's espionage laws as updated in 2018. The Australian Federal Police (AFP) state that the accessed documents related to national security, though specifics remain undisclosed, and investigations continue into whether the information was actually passed to Russian authorities. Australian officials highlight the intensifying global espionage threat and the ongoing risks to national security and sovereignty. This case is one of several recent Australian prosecutions for espionage or foreign interference, illustrating a broader pattern of rising international espionage activity.
2024-07-12 10:57:45 thehackernews MALWARE Critical Security Flaw in Exim Mail Servers Risks Malware Delivery
A vulnerability in the Exim mail transfer agent potentially exposes millions of mail servers' users to malicious attachments. Tracked as CVE-2024-39929 with a CVSS score of 9.1, it affects Exim versions up to and including 4.97.1. The flaw stems from improper parsing of RFC 2231 multiline (continuation) headers, which lets an attacker bypass a $mime_filename extension-blocking protection mechanism and deliver executable attachments to users' mailboxes. Censys counts roughly 4.83 million of about 6.54 million internet-reachable SMTP servers as running Exim, of which about 1.5 million run a potentially vulnerable version; the largest concentrations are in the U.S., Russia and Canada, and many remained unpatched at the time of reporting. Exploitation still requires a user to download and execute the delivered attachment. No in-the-wild exploitation has been reported, but upgrading to Exim 4.98, which contains the fix, is advised. The discovery follows a set of Exim vulnerabilities disclosed about a year earlier, underlining the project's continuing security challenges.
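The bypass class described above, as an added illustration (not Exim's code and not a reproduction of the Exim bug): a filter that only understands a plain filename="..." parameter sees no filename at all when the name arrives as RFC 2231 numbered continuations (filename*0=, filename*1=) or as a charset-encoded parameter (filename*=), so its extension blocklist never fires. Python's standard email package reassembles both forms, so the same check run on the reassembled name catches them. The blocklist, the sample headers and the body part are constructed for this example.

```python
import email
import os
import re

# Constructed blocklist of attachment extensions, as an example filter might carry.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}

# A naive filter: only understands a plain  filename="..."  parameter.
_PLAIN_FILENAME = re.compile(r'\bfilename\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def naive_filename(content_disposition: str):
    """Return the attachment name a plain-regex filter would see, or None.

    RFC 2231 numbered continuations (filename*0=, filename*1=, ...) and
    charset-encoded parameters (filename*=) never match, so the filter sees
    no filename at all and the part is let through.
    """
    match = _PLAIN_FILENAME.search(content_disposition)
    return match.group(1) if match else None


def build_part(content_disposition: str) -> str:
    """Constructed sample MIME body part carrying the given header value."""
    return (
        "Content-Type: application/octet-stream\r\n"
        f"Content-Disposition: {content_disposition}\r\n"
        "\r\n"
        "AAAA\r\n"
    )


def robust_filename(content_disposition: str):
    """Return the attachment name after full RFC 2231 handling, or None.

    email.message.Message.get_filename() reassembles numbered continuations
    and decodes charset'language'value encoded parameters before returning.
    """
    msg = email.message_from_string(build_part(content_disposition))
    return msg.get_filename()


def is_blocked(filename) -> bool:
    """Extension check applied to whatever name a filter extracted."""
    if filename is None:
        return False
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def compare(content_disposition: str):
    """Return (naive_blocked, robust_blocked) for one header value."""
    return (
        is_blocked(naive_filename(content_disposition)),
        is_blocked(robust_filename(content_disposition)),
    )


# Constructed sample header values.
SAMPLES = {
    # Plain parameter: both filters see the name and block it.
    "plain": 'attachment; filename="evil.exe"',
    # RFC 2231 continuation split across folded header lines: naive filter sees nothing.
    "continuation": 'attachment;\r\n filename*0="evil.ex";\r\n filename*1="e"',
    # RFC 2231 charset-encoded parameter: naive filter sees nothing.
    "encoded": "attachment; filename*=utf-8''evil%2Eexe",
}

if __name__ == "__main__":
    for label, cd in SAMPLES.items():
        print(f"{label:13s} naive={naive_filename(cd)!r:16} "
              f"robust={robust_filename(cd)!r:12} blocked={compare(cd)}")
```

The practical check for a filter in front of any MTA is the one `compare()` performs: feed it the continuation and encoded forms, not just the plain one, and confirm both paths return the blocked verdict. A filter that treats "no filename found" on an attachment as a pass, as `is_blocked(None)` does here, is the weak point the continuation forms exploit.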
2024-07-12 10:32:10 thehackernews CYBERCRIME Understanding How Stolen Passwords Compromise Security in 2024
Recent data shows compromised credentials to be the leading initial attack vector in 2024, making stolen passwords a greater threat in practice than zero-day exploits or advanced malware. Many victims are unaware their credentials have been stolen until significant damage has been done, from drained bank accounts and identity theft to damaged corporate reputations. An upcoming webinar hosted by Tim Chase focuses on awareness and prevention of password theft, and participants can expect guidance on protecting sensitive information from credential compromise.
2024-07-12 08:34:44 thehackernews NATION STATE ACTIVITY U.S. Cracks Down on Russian AI-Driven Disinformation Network
The U.S. Department of Justice seized two internet domains and searched 968 social media accounts used by Russian entities to disseminate disinformation. A bot farm used AI to construct fake profiles posing as Americans in order to push narratives favourable to the Kremlin. An employee of Russian state media outlet RT and an FSB officer orchestrated the network to influence public opinion in multiple countries, including the U.S. and several European nations. The operation relied on software named Meliorator to mass-create and manage the profiles on X, which has since suspended the accounts. Investigations remain active and no criminal charges have been disclosed so far, highlighting ongoing concern over foreign influence in domestic affairs. Google, Meta and OpenAI have flagged continued misuse of their platforms by similar Russian operations, notably the disinformation network known as Doppelganger. International collaboration, including agencies from the U.S., Canada and the Netherlands, has been central to addressing this threat.
2024-07-12 03:33:48 theregister CYBERCRIME Singapore Banks to Replace SMS OTPs with Digital Tokens
The Monetary Authority of Singapore and the Association of Banks in Singapore announced that SMS-based OTPs for bank logins will be phased out within three months to bolster defences against phishing. The decision reflects growing concern about scammers exploiting the weaknesses of SMS OTPs, and drives a shift to digital tokens, which generate OTPs within the bank's app on the customer's smartphone and are considered a safer way to secure account access. Legal expert Bryan Tan views the move as a logical step given the increasing frequency of OTP-related scams. Concerns have been raised about inclusivity, particularly for the elderly and those without smartphones, with no clear measures announced yet to address them. Despite the potential inconvenience, the change is part of broader efforts to strengthen digital security and reduce scam losses in Singapore's banking sector. Smartphone penetration in Singapore stood at 97% in 2023, yet ensuring that all demographics keep their devices secure and up to date remains a challenge.
2024-07-12 01:31:29 theregister NATION STATE ACTIVITY APT41 Employs Newly Enhanced Malware for Cyber Espionage
Chinese cyber espionage group APT41, linked to the Chinese Ministry of State Security, has reportedly added two new tools, DodgeBox and MoonWalk, to its arsenal. Zscaler's ThreatLabz analysed the new malware and noted clear similarities with, and enhancements over, APT41's earlier loader StealthVector. DodgeBox is a sophisticated shellcode loader with multiple detection-evasion features, including environment checks, salted API hashing and AES-encrypted payloads, and uses these checks to bypass static detection and security mechanisms such as Windows Control Flow Guard. The MoonWalk backdoor, deployed via DodgeBox, shares the loader's evasion techniques and uses Google Drive for command-and-control. DodgeBox has been observed primarily in Southeast Asia, consistent with APT41's geographic focus in earlier campaigns. The U.S. government has previously charged APT41 members over global intrusions that combined espionage with financially motivated activity.
2024-07-12 00:24:57 theregister CYBERCRIME Hacktivist Group Disbands After Targeting Conservative Think Tank
Hacktivist group SiegedSec, which describes itself as "gay furry hackers," has disbanded after breaching The Heritage Foundation and leaking 2GB of its files. The group claims the disbandment was planned before the intrusion, citing stress and a desire to avoid FBI attention. The leak was framed as retaliation for The Heritage Foundation's role in Project 2025, a blueprint for conservative presidential policy. Project 2025, linked to Donald Trump and the Republican National Committee, seeks to reshape US government policy, including significant cuts to healthcare and environmental regulation. The Heritage Foundation did not respond to inquiries about the breach or about its leaked exchange with SiegedSec. SiegedSec has a history of targeting organizations it perceives as hostile to LGBTQ+ and abortion rights, including America's largest nuclear research lab and NATO. In a leaked conversation, Heritage Foundation's Mike Howell threatened the hacktivists with exposure and legal consequences, language the group contrasted with the organization's professed Christian values.
2024-07-11 21:35:32 bleepingcomputer RANSOMWARE ARRL Confirms Employee Data Stolen in Ransomware Attack
The American Radio Relay League (ARRL) confirmed that a ransomware attack on May 14 exposed employee personal information. The incident was initially described as a "serious incident" and later as a "sophisticated ransomware incident." External forensic experts were brought in and systems were taken offline to contain the spread. ARRL attributed the attack to a "malicious international cyber group" and has engaged federal law enforcement. The stolen data includes the names, addresses and Social Security numbers of 150 employees. Out of caution, ARRL is providing 24 months of free identity monitoring to those affected, although it has no evidence the data has been misused. The Embargo ransomware group, active since May, is suspected of being behind the attack, but ARRL has not confirmed the link. ARRL also indicated that reasonable steps were taken to prevent further distribution of the data, which suggests a ransom may have been paid to avoid a leak.
2024-07-11 20:54:30 bleepingcomputer MISCELLANEOUS Signal Enhances Encryption Key Security After Public Pressure
Signal is updating its desktop client to better protect its local encryption key, addressing a weakness first reported in 2018. Signal Desktop stored the key that encrypts its local message database in plain text, readable by any user or program running under the same account on the device. The security community criticised Signal for leaving the issue unaddressed despite its focus on privacy and security, and recent attention from Elon Musk and researcher Tommy Mysk reignited the concern. Signal now plans to use Electron's safeStorage API, which wraps the key with platform-specific encryption (such as the operating system's credential store) on supported platforms. A temporary fallback mechanism will keep existing data accessible during the transition to avoid data loss. While the protection will vary by platform, the update reflects a commitment to stronger local data protection under increased scrutiny.
2024-07-11 19:17:47 theregister MALWARE Critical OpenSSH Vulnerability Discovered in RHEL 9 and Fedora
A new signal handler race condition in OpenSSH, CVE-2024-6409, affects the sshd shipped with Red Hat Enterprise Linux 9 (version 8.7p1) and with Fedora 36 and 37 (version 8.8p1). Alexander Peslyak (Solar Designer) of Openwall discovered the flaw. AlmaLinux issued a patch ahead of RHEL itself and of CentOS Stream. The race is triggered in the privilege-separated sshd child, which runs with reduced privileges, so the immediate impact is narrower than in a root-level compromise, but it could still potentially lead to remote code execution in that process. The bug arises because cleanup_exit() is called from a signal handler, where it must not be, since it runs code that is not async-signal-safe; the problematic code path is introduced by patches Red Hat carries downstream rather than by upstream OpenSSH. This vulnerability is separate from the previously disclosed CVE-2024-6387 "regreSSHion" bug, although both are signal handler races in OpenSSH. Ubuntu and other distributions that do not carry the Red Hat patches are reportedly not affected.
2024-07-11 18:21:34 bleepingcomputer MISCELLANEOUS Google Significantly Ups Bug Bounty Payouts to Incentivize Researchers
Google has raised the payouts for its Vulnerability Reward Program, now offering up to $151,515 for the most critical bugs. The new top amount is a fivefold increase over the previous level, reflecting the greater effort now needed to find vulnerabilities as Google's systems have hardened. The new payout structure applies to vulnerabilities reported from July 11 and includes the option of receiving payments via Bugcrowd. Separately, Google launched kvmCTF, a reward program targeting the Kernel-based Virtual Machine (KVM) hypervisor, with rewards of up to $250,000. Last year Google also tripled rewards for Chrome sandbox escape exploits, keeping that increased level in place until December 1, 2023. Since launching the VRP in 2010, Google has paid out over $50 million for more than 15,000 reported vulnerabilities, including a single record payment of $605,000 in 2022 for a critical chain of Android bugs.
2024-07-11 17:19:48 bleepingcomputer DATA BREACH Dallas County Notifies 200,000 of Data Exposure After Ransomware Attack
Dallas County, Texas, has notified over 200,000 individuals of a data breach following the October 2023 ransomware attack by the Play ransomware gang. Personal data including Social Security numbers and taxpayer IDs was compromised, affecting residents, employees and users of county services. Those affected are being offered two years of credit monitoring and identity theft protection. In response, the county has strengthened its network security, deploying an Endpoint Detection and Response solution, forcing password changes and blocking suspicious IP addresses. The county has been troubled by other recent incidents, including a business email compromise that cost $2.4 million and a separate ransomware attack on the City of Dallas. Dallas County set up a dedicated call center and published an update in January 2024 to address public concerns and explain the breach's impact.