Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11815
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-08 17:29:56 | bleepingcomputer | CYBERCRIME | FBI Alerts Retailers of Ongoing Gift Card Fraud Scheme | The FBI has warned that a cybercrime group tracked as Storm-0539 is targeting retail companies' gift card departments with phishing and smishing attacks.
The campaign has been active since at least January 2024. After compromising one employee account, the group harvests other employees' names, usernames and phone numbers and hunts for SSH passwords and keys along with the credentials of gift card department staff.
With that access, Storm-0539 issues fraudulent gift cards and manipulates existing card balances, often changing the e-mail address tied to a card to one it controls.
The group gets past multi-factor authentication (MFA) by registering a device it controls as the victim's MFA method right after the initial phish, so later sign-ins no longer need the victim and access persists until the rogue device is removed.
Microsoft also highlighted a significant rise in these types of fraudulent activities by Storm-0539 during the holiday season.
The FBI recommends retail companies strengthen their security protocols, update incident response plans, rigorously train employees to recognize phishing attempts, and implement robust password and authentication measures to mitigate such threats. | Details |
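The detection a practitioner would want here is the one that catches the step described above: a successful sign-in from an IP the user has never used, followed shortly by the registration of a new MFA device. The following is an added example, not code from the article or from the FBI alert; the event field names, the 30-day IP baseline and the two-hour window are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, invented for this example (not real telemetry).
# Field names are assumptions modelled loosely on identity-provider audit logs.
EVENTS = [
    {"ts": "2024-05-06T08:02:11", "user": "alice", "event": "signin",
     "ip": "203.0.113.10", "result": "success"},
    {"ts": "2024-05-06T08:05:40", "user": "alice", "event": "mfa_device_registered",
     "ip": "203.0.113.10", "device": "Authenticator-9f1"},
    {"ts": "2024-05-06T09:15:00", "user": "bob", "event": "signin",
     "ip": "198.51.100.7", "result": "success"},
    {"ts": "2024-05-07T11:40:00", "user": "bob", "event": "mfa_device_registered",
     "ip": "198.51.100.7", "device": "Authenticator-aa2"},
    {"ts": "2024-05-06T10:00:00", "user": "carol", "event": "signin",
     "ip": "203.0.113.77", "result": "failure"},
    {"ts": "2024-05-06T10:03:00", "user": "carol", "event": "mfa_device_registered",
     "ip": "203.0.113.77", "device": "Authenticator-c0c"},
]

# Source IPs each user signed in from during the previous 30 days (constructed).
KNOWN_IPS = {"alice": {"192.0.2.5"}, "bob": {"198.51.100.7"}, "carol": {"192.0.2.9"}}

WINDOW = timedelta(hours=2)   # assumed: how soon after the sign-in a registration is suspicious


def suspicious_mfa_registrations(events, known_ips, window=WINDOW):
    """Return (user, signin_ip, device) for each MFA device registration that
    follows, within `window`, a successful sign-in from an IP the user had not
    used before.  Failed sign-ins are ignored: the attacker must already be
    authenticated to add a device, which is exactly the step that turns a
    one-off phish into persistent access."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        unfamiliar_signins = []          # successful sign-ins from unknown IPs
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if (e["event"] == "signin" and e["result"] == "success"
                    and e["ip"] not in known_ips.get(user, set())):
                unfamiliar_signins.append(e)
            elif e["event"] == "mfa_device_registered":
                for s in unfamiliar_signins:
                    delta = t - datetime.fromisoformat(s["ts"])
                    if timedelta(0) <= delta <= window:
                        alerts.append((user, s["ip"], e["device"]))
                        break
    return alerts


if __name__ == "__main__":
    for user, ip, device in suspicious_mfa_registrations(EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} registered {device} shortly after a sign-in from unfamiliar IP {ip}")
```

Only alice trips the rule: bob registers a device from an IP he normally uses, and carol's registration follows a failed sign-in, which the rule ignores. In a real deployment the IP baseline should come from the identity provider's sign-in history rather than a hard-coded set, and a registration with no preceding sign-in at all (carol's case) deserves its own, separate alert.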
| 2024-05-08 16:18:20 | bleepingcomputer | RANSOMWARE | LockBit Ransomware Attack Disrupts Wichita, Demands Ransom | The LockBit ransomware gang has claimed responsibility for a cyberattack on the City of Wichita, Kansas, which disrupted city IT systems, including online payment services.
The city confirmed the attack on May 5, 2024, and shut down systems to contain it, taking down services such as court fine and water bill payments.
LockBit has threatened to publish stolen files by May 15, 2024, unless a ransom is paid, an unusually short interval between the intrusion and the extortion deadline.
The quick listing on LockBit's leak site may be retaliation for the recent law enforcement operation against the gang's leadership.
Some city services, including parts of public safety and transportation, have fallen back to manual operations.
The city is still assessing the extent of the data breach, with a high risk of data leakage if the ransom remains unpaid. | Details |
| 2024-05-08 16:02:32 | theregister | NATION STATE ACTIVITY | CISA Director Urges Secure Software Design to Thwart Ransomware | CISA director Jen Easterly emphasized the crucial need for 'secure by design' software to combat ransomware during the RSA Conference in San Francisco.
Secure coding practices can greatly reduce the impact of cyberattacks and ransomware on critical infrastructure, potentially making such attacks rare.
Easterly highlighted ongoing threats from ransomware groups and nation-state actors, including China's Volt Typhoon, which targets U.S. infrastructure for disruptive purposes.
The U.S. government aims to leverage its procurement power to encourage tech companies to enhance security in their products.
More than 60 tech companies, including Microsoft and Google, signed CISA's Secure by Design pledge at the RSA Conference, committing to build more secure products.
Chris Krebs, former CISA chief, outlined additional strategies to promote tech security, including litigation, regulatory actions, and potential legislative measures.
Krebs also noted the challenges in applying outdated regulatory frameworks to modern cybersecurity threats and the limited legislative time left due to the election year. | Details |
| 2024-05-08 14:55:54 | bleepingcomputer | CYBERCRIME | BogusBazaar Scam: 850,000 Credit Cards Stolen Through Fake Shops | BogusBazaar, a network of some 75,000 fake online stores, has defrauded roughly 850,000 people across the US and Europe, harvesting their credit card details and attempting about $50 million in fraudulent transactions.
The operation involves resale of stolen credit card details on dark web marketplaces, enabling further unauthorized purchases by other criminals.
Most victims are located in the United States and Western Europe, with no significant numbers reported in China, the suspected base of the operation.
The fake shops are hosted on domains with previously good reputations to enhance their appearance of legitimacy, mainly pretending to sell discounted clothing and shoes.
The fraud network is structured with a core team that provides infrastructure management and customized software for the franchisees who operate the majority of the fake webshops.
SRLabs has identified and shared a list of related URLs and indicators of compromise with law enforcement and other stakeholders to help curb the operation.
Measures to verify the legitimacy of online shops include checking for complete contact details, return policies, browsing content quality, and the presence of trust seals and active social media profiles. | Details |
| 2024-05-08 14:19:26 | thehackernews | MALWARE | New 'Pathfinder' Attack Leaks Intel CPU Data and Encryption Keys | Researchers have described a new class of attacks, named Pathfinder, that targets the conditional branch predictor of high-performance Intel CPUs and can be used to extract AES encryption keys.
Pathfinder reads and manipulates the Path History Register (PHR) and the prediction history tables (PHTs), which record the outcomes of recent branches, letting an attacker leak a program's branch history and induce targeted branch mispredictions.
Leaked branch history lets attackers reconstruct a victim program's control flow at high resolution and mount Spectre-style attacks with more precision than earlier branch-predictor techniques.
Demonstrations showed the ability to extract a secret AES key and to leak images processed by the libjpeg library.
Intel said Pathfinder builds on Spectre v1 and that previously deployed mitigations for Spectre v1 and traditional side channels address the reported exploits; AMD CPUs are not currently known to be affected.
The findings were disclosed responsibly, and Intel published an advisory in response.
The research shows that the PHR holds far more recoverable branch history than previously assumed, and the authors argue that existing defenses do not fully cover it. For software, the reliable mitigation remains the same as for other branch-history side channels: avoid branches whose outcome depends on secret data. | Details |
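The point of the story for code authors is that a sequence of branch outcomes is enough to recover a secret when control flow depends on it. The following is an added simulation, not the researchers' code and not the Pathfinder attack itself: the "branch history" is produced by an instrumented victim rather than read from the CPU, which is an assumption standing in for what the PHR would reveal. It shows an early-exit comparison whose branch outcomes give away the secret byte by byte, and a branchless comparison whose branch history is the same for every input, so the same attacker learns nothing.

```python
# Secret used by the simulated victim (constructed; no zero bytes, so a wrong
# all-zero recovery is visibly wrong).
SECRET = bytes.fromhex("2a7f0c93")


def trace_leaky_compare(guess: bytes, secret: bytes):
    """Early-exit comparison.  Returns (equal, history) where `history` records
    the outcome of the `g != s` branch on each iteration.  This list is the
    attacker's stand-in for branch history recovered from the predictor."""
    history = []
    for g, s in zip(guess, secret):
        taken = g != s
        history.append(taken)
        if taken:                        # secret-dependent early exit
            return False, history
    return len(guess) == len(secret), history


def trace_ct_compare(guess: bytes, secret: bytes):
    """Branchless comparison.  The only loop branch depends on the public
    length, so the recorded history is identical for every guess."""
    if len(guess) != len(secret):        # length is not secret
        return False, []
    acc = 0
    history = []
    for g, s in zip(guess, secret):
        acc |= g ^ s                     # no branch on secret data
        history.append(False)            # loop continues regardless of data
    return acc == 0, history


def recover_secret(oracle, length):
    """Recover `length` bytes using only the branch history the oracle exposes.
    With a leaky victim, the branch at position `pos` is not taken only for the
    correct byte, so the first candidate with a not-taken outcome is accepted.
    Against the branchless victim every candidate looks identical, and the
    routine accepts 0x00 at every position: the attack degrades to a guess."""
    known = bytearray()
    for pos in range(length):
        for b in range(256):
            guess = bytes(known) + bytes([b]) + bytes(length - pos - 1)
            _, history = oracle(guess)
            if len(history) > pos and not history[pos]:
                known.append(b)
                break
        else:
            return None
    return bytes(known)


if __name__ == "__main__":
    leaky = recover_secret(lambda g: trace_leaky_compare(g, SECRET), len(SECRET))
    ct = recover_secret(lambda g: trace_ct_compare(g, SECRET), len(SECRET))
    print("leaky compare, recovered:", leaky.hex(), "correct:", leaky == SECRET)
    print("branchless compare, recovered:", ct.hex(), "correct:", ct == SECRET)
```

The recovery against the leaky victim costs at most 256 oracle queries per byte, which is why "only a few branch outcomes" is not a reassuring bound. In real code the branchless pattern is what `hmac.compare_digest` and libraries' constant-time memcmp routines implement; the simulation only makes the reason visible.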
| 2024-05-08 14:19:26 | thehackernews | MISCELLANEOUS | Enhancing SaaS Security through Unified Permission Management | Precise but complex permissions in SaaS platforms create significant management challenges for application admins.
Administrators often struggle with tracking and modifying permissions due to lack of centralized visibility, resulting in administrative inefficiencies and potential security vulnerabilities.
A centralized permissions inventory helps reduce the SaaS attack surface by controlling unnecessary user permissions, monitoring non-human access, and ensuring robust scrutiny of potential entry points.
This permissions inventory can detect over-privileged accounts and privilege abuses, thus preventing unauthorized access and mitigating insider threats.
The single view benefits multitenant management by allowing comparative assessments of user permissions across different environments, enhancing security operations.
It also helps organizations meet regulatory requirements by supporting access recertification, enforcing segregation of duties, and enabling role-based and attribute-based access controls.
A centralized approach simplifies the management of user permissions, which is crucial for protecting sensitive data and ensuring compliance with data protection laws.
Future tools in SaaS posture management solutions are expected to provide more comprehensive and integrative approaches to managing permissions, offering the potential for more streamlined and secure SaaS environments. | Details |
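What the "centralized permissions inventory" described above actually does can be shown in a few functions. The following is an added example, not code from the article or from any SaaS security product; the grant records, tenant names and permission names are constructed, and the admin allowlist and the segregation-of-duties rule are assumptions. It builds one inventory across tenants and runs the three checks the article lists: unapproved and non-human admins, segregation-of-duties conflicts, and permission drift between tenants for the same person.

```python
from itertools import permutations

# Constructed grants pulled from several SaaS tenants (invented data; role and
# permission names are assumptions, not any vendor's real permission model).
GRANTS = [
    {"tenant": "crm-prod", "principal": "alice@example.com", "kind": "human",
     "perms": {"read_contacts", "export_contacts", "manage_users"}},
    {"tenant": "crm-prod", "principal": "bob@example.com", "kind": "human",
     "perms": {"read_contacts"}},
    {"tenant": "crm-test", "principal": "bob@example.com", "kind": "human",
     "perms": {"read_contacts", "manage_users"}},
    {"tenant": "erp-prod", "principal": "carol@example.com", "kind": "human",
     "perms": {"create_vendor", "approve_payment"}},
    {"tenant": "erp-prod", "principal": "dave@example.com", "kind": "human",
     "perms": {"create_vendor"}},
    {"tenant": "erp-prod", "principal": "etl-sync", "kind": "service",
     "perms": {"read_invoices", "manage_users"}},
]

ADMIN_PERMS = {"manage_users", "manage_roles", "manage_api_keys"}
ADMIN_ALLOWLIST = {"alice@example.com"}              # assumed: approved admins
SOD_RULES = [({"create_vendor"}, {"approve_payment"})]  # assumed: never together


def build_inventory(grants):
    """principal -> {"kind": human|service, "tenants": {tenant: set(perms)}}"""
    inv = {}
    for g in grants:
        entry = inv.setdefault(g["principal"], {"kind": g["kind"], "tenants": {}})
        entry["tenants"].setdefault(g["tenant"], set()).update(g["perms"])
    return inv


def unexpected_admins(inv, allowlist=ADMIN_ALLOWLIST):
    """Principals holding admin-level permissions without approval.  Service
    (non-human) accounts are reported regardless of the allowlist, since an
    integration token with user-management rights is a standing entry point."""
    out = []
    for principal, entry in sorted(inv.items()):
        for tenant, perms in sorted(entry["tenants"].items()):
            admin = perms & ADMIN_PERMS
            if admin and (entry["kind"] != "human" or principal not in allowlist):
                out.append((principal, tenant, sorted(admin)))
    return out


def sod_violations(inv, rules=SOD_RULES):
    """Principals holding both halves of a segregation-of-duties rule in one tenant."""
    out = []
    for principal, entry in sorted(inv.items()):
        for tenant, perms in sorted(entry["tenants"].items()):
            for left, right in rules:
                if left <= perms and right <= perms:
                    out.append((principal, tenant, sorted(left | right)))
    return out


def cross_tenant_drift(inv):
    """Permissions a principal holds in one tenant but not in another: the
    comparison that only a single view across tenants makes possible."""
    out = []
    for principal, entry in sorted(inv.items()):
        for a, b in permutations(sorted(entry["tenants"]), 2):
            extra = entry["tenants"][a] - entry["tenants"][b]
            if extra:
                out.append((principal, a, b, sorted(extra)))
    return out


if __name__ == "__main__":
    inv = build_inventory(GRANTS)
    print("unexpected admins:", unexpected_admins(inv))
    print("SoD violations:   ", sod_violations(inv))
    print("cross-tenant drift:", cross_tenant_drift(inv))
```

Here the inventory surfaces a test-tenant admin right that bob does not hold in production, a service account with user-management rights, and carol holding both sides of a vendor-creation/payment-approval conflict. None of these is visible from any single tenant's own admin console, which is the article's point.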
| 2024-05-08 14:03:42 | theregister | DATA BREACH | University System of Georgia Reports Extensive Data Breach Impacting 800K | The University System of Georgia (USG) disclosed a data breach affecting 800,000 individuals due to a cyber attack on the MOVEit file transfer tool by the Cl0p gang.
The breach, detected on May 31, 2023, involved sensitive data such as full and partial Social Security numbers, dates of birth, bank account details, and tax ID numbers.
USG began notifying affected individuals on April 15, 2024, warning that their data may have been published on the gang's leak site.
The incident led to immediate and comprehensive updates to MOVEit Transfer software, following guidelines from software provider Progress Software and the Cybersecurity and Infrastructure Security Agency (CISA).
A detailed investigation was initiated by USG to determine the scope of the impact and to enhance future data security measures.
Victims were offered 12 months of credit monitoring services by Experian to mitigate potential identity theft.
The larger scale of the MOVEit breach has affected nearly 95 million individuals globally, with significant breaches also reported by other major entities like the BBC and British Airways.
Despite the vast impact of the breach, legal repercussions for late disclosure by USG are minimal due to vague state laws regarding breach notification timelines. | Details |
| 2024-05-08 11:20:20 | theregister | DATA BREACH | UK Investigates MoD Payroll Contractor After Cyberattack | UK Ministry of Defence's payroll system was compromised, allowing unauthorized access to data including names, financial details, and addresses of current and some former personnel.
The affected systems have been taken offline; unauthorized access is confirmed, but there is no evidence so far that data was actually extracted.
Shared Services Connected Ltd (SSCL), a contractor majority-owned by Sopra Steria, operated the system at the time of the attack. SSCL handles HR and payroll services for large parts of the UK government.
Defence Secretary Grant Shapps has initiated a full review of SSCL's contracts across multiple government departments following the breach.
While the number affected is initially estimated at 272,000, this number is expected to decrease as more accurate assessments are made.
The incident highlights the risk the government takes on when it outsources critical IT functions such as payroll to external contractors.
The UK officials are cautious about attributing the attack to any state or group at this stage, though some speculation points toward potential foreign involvement, specifically China.
Despite concerns, April’s salary payments to MoD personnel were processed without issues, although some expenses faced minor delays. | Details |
| 2024-05-08 11:04:39 | thehackernews | MISCELLANEOUS | Essential Strategies for Effective Cloud Penetration Testing | John Lambert of Microsoft observed that defenders think in lists (of assets, gaps and findings) while attackers think in graphs, starting from a goal and chaining relationships between systems until they reach it.
Cloud security must include penetration testing to mirror an attacker's perspective and identify potential vulnerabilities not immediately obvious from standard security procedures.
The evolving architecture of cloud services, due to their programmable and rapidly changing nature, adds complexities that require specific penetration testing methods tailored for cloud environments.
Penetration testing in the cloud should cover asset mapping, vulnerability assessment, privilege escalation, lateral movement, and data exfiltration, considering the hybrid cloud and on-premises networks for comprehensive security.
The shared responsibility model divides security duties: the provider secures the underlying infrastructure, while the customer is responsible for its data, applications, identities and the configuration of the services it uses.
Regular, automated cloud penetration testing is crucial due to the fast pace of change in cloud technologies, which requires continuous validation to ensure effective defense against attacks.
The article advocates for a systematic approach to cloud penetration testing, emphasizing continuous improvement and alignment with the organization's risk exposure and cloud service models. | Details |
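The "attackers think in graphs" observation is easiest to appreciate with a graph. The following is an added example, not code from the article or from Microsoft; the estate, the identities and the edge labels are constructed for illustration and describe no real account or specific vulnerability. It searches for the shortest chain from an initial foothold to a target, then finds the edges whose removal alone breaks every chain, which is the question a defender should take back from a cloud pentest: which fix actually cuts the path, rather than which findings sit near it.

```python
from collections import deque

# Constructed relationship graph for a fictional AWS-style estate.  Node names
# and edge labels are assumptions for illustration only.
EDGES = [
    ("dev-laptop", "ci-role", "long-lived access key on disk"),
    ("ci-role", "lambda-deployer", "iam:PassRole to a role with wider rights"),
    ("ci-role", "build-artifacts-bucket", "s3:GetObject"),
    ("build-artifacts-bucket", "prod-admin-role", "hard-coded credentials in an artifact"),
    ("lambda-deployer", "prod-admin-role", "sts:AssumeRole"),
    ("prod-admin-role", "customer-data-bucket", "s3:GetObject"),
    ("prod-admin-role", "audit-logs", "logs:DeleteLogGroup"),
]


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, how the neighbour is reached)]"""
    g = {}
    for src, dst, how in edges:
        g.setdefault(src, []).append((dst, how))
        g.setdefault(dst, [])
    return g


def shortest_attack_path(graph, start, goal):
    """Breadth-first search; returns [(node, how_reached), ...] from start to
    goal, or None if the goal is unreachable from start."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, how in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, how)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while node is not None:
        parent = prev[node]
        path.append((node, parent[1] if parent else "initial access"))
        node = parent[0] if parent else None
    return list(reversed(path))


def choke_points(edges, start, goal):
    """Edges whose removal, on its own, disconnects start from goal.  A finding
    that is not a choke point still leaves the attacker a route to the goal."""
    out = []
    for i, edge in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        if shortest_attack_path(build_graph(remaining), start, goal) is None:
            out.append(edge)
    return out


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for node, how in shortest_attack_path(graph, "dev-laptop", "customer-data-bucket"):
        print(f"{node:24s} <- {how}")
    print("single fixes that break the chain:")
    for src, dst, how in choke_points(EDGES, "dev-laptop", "customer-data-bucket"):
        print(f"  remove {src} -> {dst} ({how})")
```

Two routes lead from the CI role to the production admin role, so fixing either the PassRole grant or the credentials in the artifact bucket on its own leaves the goal reachable. Only the foothold edge and the final data-access edge are choke points, which is the kind of prioritisation a flat list of findings cannot express.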
| 2024-05-08 10:59:15 | thehackernews | MALWARE | Hijack Loader Malware Enhanced with Stealth Techniques | Hijack Loader malware, also known as IDAT Loader, has been updated with advanced anti-analysis capabilities to improve stealth and evade detection.
New functionalities include bypassing User Account Control (UAC), evading inline API hooking, and employing process hollowing tactics.
The loader decrypts and parses a PNG image to extract and load its next-stage payload, a technique previously reported in targeted attacks.
Since it was first documented in September 2023, Hijack Loader has delivered a range of malware families, including Amadey and Raccoon Stealer V2.
Recent versions add up to seven new modules that create processes, perform UAC bypass, and add exclusions to Windows Defender Antivirus via PowerShell.
Another notable addition is the Heaven's Gate technique, which switches a 32-bit process into 64-bit code so that user-mode API hooks placed by security products on the 32-bit path are never hit.
The loader is part of broader malware distribution efforts featuring other families like DarkGate and GuLoader, often spread through malvertising and phishing.
Additional observations indicate a rise in information stealer malware like TesseractStealer, capitalizing on the open-source Tesseract engine to extract text from images for data theft. | Details |
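Of the behaviours listed above, the Defender exclusion added via PowerShell is the one that leaves the cleanest trace in process-creation telemetry. The following is an added example, not code from the article or from any vendor report on Hijack Loader; the log records are constructed, their field names are assumptions modelled loosely on a process-creation event, and nothing here reproduces the loader's own commands. It flags `Add-MpPreference`/`Set-MpPreference` invocations that add exclusions or disable real-time monitoring, and it expands `-EncodedCommand` arguments first, since the obvious evasion is to base64-encode the script.

```python
import base64
import re

# Cmdlets and switches that weaken Defender.  Set-MpPreference is included
# because the same tampering is often done by disabling real-time monitoring.
TAMPER_RE = re.compile(
    r"(Add|Set)-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension"
    r"|DisableRealtimeMonitoring)\b",
    re.IGNORECASE | re.DOTALL,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and
# -enc are the forms seen in practice.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    detection sees the real script; returns the input unchanged otherwise."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def is_defender_tampering(cmdline: str) -> bool:
    return TAMPER_RE.search(decode_encoded_command(cmdline)) is not None


def _encode(script: str) -> str:
    """Produce the -EncodedCommand form of a script, as an attacker would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records (field names assumed).  Record 2 carries
# the exclusion command in encoded form; records 3 and 4 are benign.
RECORDS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\update.exe",
     "cmdline": 'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\update.exe",
     "cmdline": "powershell -nop -w hidden -enc "
                + _encode("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -c "Get-MpPreference | Select-Object ExclusionPath"'},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c dir C:\\Users\\Public"},
]


def find_defender_tampering(records):
    """Return ids of records whose command line adds Defender exclusions or
    disables real-time monitoring, after expanding encoded commands."""
    return [r["id"] for r in records if is_defender_tampering(r["cmdline"])]


if __name__ == "__main__":
    for r in RECORDS:
        if is_defender_tampering(r["cmdline"]):
            print(f"record {r['id']}: Defender tampering, parent {r['parent']}")
```

Reading the configuration (`Get-MpPreference`) is deliberately not flagged. In production the parent process is the other field worth a rule: an exclusion added by a process running out of a user-writable directory, as in records 1 and 2, is a stronger signal than the cmdlet alone.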
| 2024-05-08 07:35:53 | theregister | CYBERCRIME | Ransomware Crisis Continues, Decade of Corporate Attacks | Ransomware first began targeting businesses significantly about ten years ago, marking a shift from individual to corporate victims.
Mikko Hyppönen discussed the evolution and persistence of ransomware threats in a keynote at the RSA Conference.
The rise in cryptocurrency values, like Bitcoin, has financially empowered cybercriminals, creating highly profitable criminal enterprises.
Despite ongoing efforts, the cybersecurity industry struggles to fully prevent or resolve ransomware attacks.
Extortionists often target sectors with significant vulnerabilities, such as government and healthcare, but also attack any poorly secured IT systems.
The situation has forced many victimized companies to pay ransoms due to the threat of their data being leaked online.
The ongoing threat of ransomware provides job security for professionals within the cybersecurity field. | Details |
| 2024-05-08 07:10:08 | thehackernews | MALWARE | Hackers Target WordPress by Exploiting LiteSpeed Cache Vulnerability | A high-severity vulnerability (CVE-2023-40000) in the LiteSpeed Cache plugin for WordPress is being exploited to create unauthorized administrator accounts.
Attackers are creating admin accounts with usernames such as wpsupp-user and wp-configuser to gain full control of affected sites.
The flaw lets unauthenticated attackers plant a stored cross-site scripting (XSS) payload via a crafted HTTP request; the injected script then runs in an administrator's browser and performs the account creation.
Despite a fix in version 5.7.0.1 released in October 2023, many sites remain at risk, with vulnerable versions still widely used.
Malicious actors have exploited the flaw to inject harmful JavaScript into WordPress websites, compromising web integrity and user safety.
Additional threats like the Mal.Metrica redirect scam leverage similar vulnerabilities in WordPress plugins, misleading users with fake CAPTCHA verifications.
Website owners are urged to update to the latest plugin versions, scrutinize installed plugins, and remove any suspicious files.
As a preventative measure, enabling automatic updates and exercising caution with suspicious links are recommended for all WordPress users. | Details |
| 2024-05-08 04:07:07 | theregister | MISCELLANEOUS | Highlights and Challenges at This Year's RSA Conference | The 33rd RSA Conference is taking place this week, led by SVP Linda Gray Martin.
Linda Gray Martin oversees major aspects of the event, including keynote speeches and security measures for over 40,000 attendees.
In addition to logistical responsibilities, she enjoys selecting the music heard during keynote entrances.
The conference features both inspiring events and unexpected incidents, such as a past encounter with a skunk.
Gray Martin emphasizes the importance of community and the powerful energy from gathering in person.
The RSA Conference team prepares to surprise attendees, aiming for engaging rather than disruptive events. | Details |
| 2024-05-08 03:00:45 | theregister | CYBERCRIME | Negligence in UnitedHealth's Security Leads to Major Data Breach | UnitedHealth's Change Healthcare subsidiary suffered a major ransomware attack by ALPHV, aka BlackCat, that disrupted patient services across the US.
The attackers got in through a remote access portal that lacked multi-factor authentication, and the absence of network segmentation let them spread from there.
Tom Kellermann, SVP at Contrast Security, highlighted the company's failures in threat hunting and robust cybersecurity practices.
Sensitive health data was stolen, and the attackers demanded a $22 million ransom, which UnitedHealth paid.
Despite the ransom payment, additional threats and data leaks occurred, exacerbating the situation.
Kellermann criticized the decision to pay the ransom and suggested the U.S. government should prohibit such payments to deter future attacks.
The breach not only resulted in financial loss but also disrupted essential medical services, affecting pharmacies and hospitals. | Details |
| 2024-05-07 23:52:31 | theregister | MISCELLANEOUS | AI to Bolster US Security Efforts Against Crime and Terrorism | US Homeland Security is exploring AI to enhance effectiveness against crimes like child exploitation and critical infrastructure attacks.
AI technologies can automate defenses within computer networks, improving national security and infrastructure protection.
Potential misuse of AI in surveillance and inherent biases pose significant concerns; measures are being implemented to combat these issues.
Homeland Security's Office for Civil Rights and Civil Liberties plays a crucial role in ensuring AI respects civil rights and privacy.
The establishment of an AI Safety and Security Board aims to oversee AI implementations responsibly amidst critiques of Big Tech influence.
Secretary Alejandro Mayorkas highlighted three pilot AI programs aimed at improving criminal investigations, disaster relief funding, and training for refugee officers.
Critics remain wary of the privacy implications and the risks of bias in AI use within governmental operations. | Details |