Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2024-05-02 06:17:06 thehackernews CYBERCRIME Critical GitLab Password Reset Flaw Exploited, CISA Issues Alert
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical GitLab vulnerability. Identified as CVE-2023-7028 with a CVSS score of 10.0, the flaw allows attackers to send password reset emails to unverified addresses, facilitating account takeovers. Originally introduced in GitLab version 16.1.0, the vulnerability affects all authentication mechanisms, including those with two-factor authentication, though these accounts cannot be fully taken over. Potential impacts of the exploit include unauthorized access to GitLab accounts, theft of sensitive data, and insertion of malicious code into source code repositories. Successful attacks could compromise entire supply chains by manipulating CI/CD pipeline configurations or inserting malware. Fixed versions of GitLab that address the vulnerability include 16.5.6, 16.6.4, 16.7.2, and backported versions for earlier releases. CISA has mandated federal agencies to apply the patches by May 22, 2024, to mitigate risks associated with the vulnerability.
2024-05-02 05:05:40 thehackernews MALWARE New Cuttlefish Malware Targets Routers, Steals Cloud Credentials
Cuttlefish malware specifically targets SOHO routers to monitor traffic and steal authentication data from web requests. The malware performs DNS and HTTP hijacking, primarily affecting internal network communications. Initial evidence links Cuttlefish to a previously identified malware cluster, HiatusRAT, although the two affect different victims. Cuttlefish has been active since July 2023, with recent campaigns through April 2024 impacting 600 IP addresses, mainly belonging to Turkish telecom providers. It deploys a bash script to gather detailed host data and exfiltrate it to an attacker-controlled domain before downloading the Cuttlefish payload. It is capable of sniffing network packets for cloud service credentials (e.g., AWS, Cloudflare) and can act as a proxy or VPN to transmit captured data. Updated hijack rules and malware operations are managed via a command-and-control server with secure communication channels. The campaign highlights a sophisticated approach to eavesdropping and data theft via network manipulation and passive traffic sniffing.
2024-05-02 04:04:33 theregister DATA BREACH Over a Million Australian Pub Patrons' Data Exposed Online
Over a million records of Australians who visited pubs and clubs have been posted on a leak site by an anonymous party. The compromised data includes names, partial addresses, dates of birth, and venue details, all verified by The Register. The leak is associated with a tech services company called Outabox, which provided a digital sign-in system for clubs. Outabox allegedly allowed offshore developers, who had not been paid, access to personal data including facial biometrics and licensing information. Outabox's website acknowledges a potential unauthorized data breach and an ongoing investigation in collaboration with law enforcement. ClubsNSW has informed member clubs about a cybersecurity incident involving a third-party IT provider they commonly use. Wests Tradies, a member club, said its IT provider was the target of a cyber extortion campaign of which the club had not previously been aware. Local authorities are investigating, and victims may face significant costs to replace compromised credentials such as driver's licences.
2024-05-02 01:01:06 theregister DATA BREACH Dropbox Sign Attack Exposes User Data and Third-Party Information
Dropbox disclosed a significant security breach affecting its Dropbox Sign service. The attack compromised personal data including emails, usernames, phone numbers, and hashed passwords. Additional sensitive details accessed include API keys, OAuth tokens, and multi-factor authentication info. Third-party individuals who interacted with Dropbox Sign but did not have accounts also had their names and email addresses exposed. Despite the breach, there is no evidence that the content of users' Dropbox Sign accounts or their payment information was accessed. Dropbox's other services were not affected; the infrastructure for Dropbox Sign operates separately. Following the breach, Dropbox reset passwords, logged out users from devices, and rotated all compromised authentication tokens. Dropbox believes the attack originated from a compromised automated system configuration tool used by a service account.
2024-05-02 00:35:30 theregister DATA BREACH Allegations of Compliance Failures at Block Could Aid Terrorists
Block, the fintech company founded by Jack Dorsey, is under scrutiny following claims of massive compliance lapses that could have enabled terrorist financing. A former employee leaked around 100 documents outlining substantial shortcomings in compliance measures within services like Square and Cash App. These documents suggest that known compliance issues were overlooked by leadership, with little done to rectify extensive vulnerabilities. Independent consultants identified nearly 50 issues requiring attention to ensure adherence to U.S. laws, though Block maintains such findings are typical in complex operational reviews. It's alleged that Square continued servicing merchants even after identifying sanctions violations and that Cash App’s design makes compliance checks almost unfeasible. The leaked claims include reports that thousands of possibly illegal transactions went unreported to governmental authorities. Following the leak and the onset of legal scrutiny, Block's stock price suffered a significant decline, indicating market reactions to potential regulatory repercussions.
2024-05-01 22:32:59 bleepingcomputer MALWARE HPE Aruba Fixes Critical Flaws in ArubaOS Network System
HPE Aruba Networking released a security advisory for ArubaOS, highlighting critical remote code execution vulnerabilities. Four critical-severity vulnerabilities were identified, all of which are unauthenticated buffer overflow issues with a CVSS v3.1 score of 9.8. These vulnerabilities impact multiple versions of ArubaOS and could allow attackers to remotely execute code. The advisory also mentioned six other medium-severity vulnerabilities related to potential denial of service attacks. To protect against these security flaws, HPE Aruba recommends enabling Enhanced PAPI Security and updating to patched versions of ArubaOS. Updated versions of ArubaOS address all ten reported vulnerabilities, improving system security. As of now, there are no known active exploitations or proof-of-concept exploits for these vulnerabilities. System administrators are urged to install the updates immediately to prevent potential breaches and operational disruptions.
2024-05-01 22:27:41 bleepingcomputer DATA BREACH Dropbox Reports Significant Data Theft from eSignature Service
Dropbox has confirmed a significant breach of its Dropbox Sign eSignature platform, formerly known as HelloSign. Hackers accessed authentication tokens, MFA keys, hashed passwords, and customer information including emails, usernames, and phone numbers. The breach was detected on April 24; unauthorized access was gained through an automated system configuration tool with elevated privileges. There is no evidence that customer documents or agreements were accessed, nor were other Dropbox services affected. Dropbox has reset all passwords, logged out sessions, and imposed restrictions on API key usage pending customer rotation. Users of Dropbox Sign are advised to update MFA configurations and stay vigilant against potential phishing attempts using the stolen data. Dropbox is contacting all affected customers and has issued a security advisory with guidelines on how to handle the situation securely.
2024-05-01 19:19:13 bleepingcomputer NATION STATE ACTIVITY US Warns of Pro-Russian Hacktivists Targeting Critical Water Facilities
The US government has issued a warning about pro-Russian hacktivists targeting operational technology (OT) systems in critical infrastructure sectors, especially water facilities. A joint advisory from several US agencies including CISA, FBI, NSA, and others, alongside international partners such as CCCS (Canada) and NCSC-UK, emphasizes the threat to industrial control systems. These hacktivist activities mainly rely on unsophisticated methods but pose potential physical threats because of insecure and misconfigured OT environments. Recent incidents reported include attacks on water treatment facilities in Indiana that did not result in a breach and an overflow issue at a Texas water facility. The Cyber Army of Russia, linked to these attacks, has been connected to the Sandworm group, identified as APT44 under Russia's GRU. Recommendations from the advisory stress the importance of securing and hardening OT devices, including updating software, changing default passwords, and implementing multi-factor authentication. The NSA has emphasized the expanded scope of these hacktivist operations, which affect North American and European infrastructure, and urges heightened cybersecurity measures.
2024-05-01 19:03:41 theregister MISCELLANEOUS Former CEO Settles SEC Charges Over Misleading Claims
Jack Blount, former CEO of Intrusion, settled with the SEC regarding false statements about his background and the company's product, Intrusion Shield. Blount was charged with breaking anti-fraud rules under the Securities Exchange Act and the Securities Act, yet faces no financial penalty due to claimed financial inability. Misrepresentations included falsified claims about Blount's roles as a director of public companies and as CIO of the US Department of Agriculture. Under Blount's direction, Intrusion allegedly exaggerated the success of Intrusion Shield and its adoption by several supposed beta testing companies. Only six of thirteen beta testers purchased the product, despite claims of broader success and adoption by notable customers. Legal filings revealed that Intrusion had given the product for free to a key customer and that staff were instructed by Blount to conceal this fact. The misleading disclosures under Blount's leadership resulted in a temporary surge in Intrusion's stock price and trading volume. Blount was removed from his role in July 2021 following these incidents and now faces a bar from serving as an officer or director of any public company.
2024-05-01 17:37:06 bleepingcomputer DATA BREACH Panda Restaurant Group Reports Significant Data Breach
Panda Restaurant Group disclosed a data breach affecting its corporate systems but not its in-store operations. The breach, detected on March 10, 2024, involved unauthorized access between March 7 and 11, leading to the theft of personal information. The breach affected the parent company of popular chains including Panda Express, Panda Inn, and Hibachi-San. An undisclosed number of individuals' data, including names and driver's license numbers, was exposed. Panda has engaged third-party cybersecurity experts and law enforcement to investigate and respond to the breach. Additional technical safeguards have been implemented to enhance data security and prevent future breaches. Whether customers, employees, or both were affected remains unclear as the investigation continues.
2024-05-01 17:06:19 theregister MISCELLANEOUS US Indicts 16 in Multimillion-Dollar Grandparent Scam Operation
US prosecutors have charged 16 individuals for orchestrating grandparent scams, defrauding elderly Americans out of millions. The scams involved impersonating relatives of elderly victims, falsely claiming they were in urgent need of money for legal and medical emergencies. The accused are based in the Dominican Republic and the US, with ages ranging from 21 to 59. Scammers used various roles within the scheme, including "openers" who initiated contact and "closers" who impersonated legal and law enforcement officials to solidify the scam. Tactics included manipulating phone numbers to appear local, creating elaborate stories of car accidents or legal troubles, and demanding payment through cash or precious metals. The FBI noted that couriers involved in the scam transported over $55 million in assets, often unknowingly, between May and December 2023. Those charged face up to 20 years in prison and significant fines for each count of mail and wire fraud, with additional penalties for money laundering. This indictment highlights ongoing efforts by US law enforcement to protect elderly citizens from financial scams and exploitation.
2024-05-01 16:40:32 bleepingcomputer RANSOMWARE French Hospital Defies LockBit Ransom Demand Amid Cyberattack
The Hôpital de Cannes Simone Veil (CHC-SV) in France rejected a ransom demand from the LockBit 3.0 ransomware gang. The hospital faced a severe cyberattack on April 17, disrupting operations and leading to the rescheduling of non-emergency procedures. LockBit 3.0 threatened to publish stolen data on the dark web if its ransom demands were not met. CHC-SV alerted both local law enforcement and the National Agency for Information Systems Security (ANSSI) about the ransom demand. The hospital communicated through social media that it would not pay the ransom and would notify affected individuals if any data leakage occurs. Hospital IT staff are actively working to restore all affected systems to full functionality. The incident demonstrates LockBit's indifference to disrupting healthcare services, despite previous claims of avoiding such actions. LockBit operations were briefly disrupted by the FBI but resumed with new tactics shortly after.
2024-05-01 16:30:04 bleepingcomputer CYBERCRIME GitLab Account Security Flaw Actively Exploited, CISA Warns
CISA has issued a warning about active exploitation of a high-severity GitLab vulnerability, tracked as CVE-2023-7028, that allows unauthorized account takeovers. The flaw exists due to improper access control, enabling attackers to initiate password reset emails and change passwords without user interaction. This vulnerability significantly impacts GitLab Community and Enterprise editions but does not affect accounts secured with two-factor authentication (2FA). GitLab has already released patches for affected versions, reducing the number of vulnerable internet-exposed instances from 5,379 to 2,394. The U.S. cybersecurity agency has mandated that federal agencies secure their systems against this exploit by May 22 and recommends that private organizations using GitLab do the same. Despite current exploitation, there is no evidence of the vulnerability being used in ransomware attacks. Organizations potentially affected should consult GitLab's incident response guide and check for signs of compromise immediately.
2024-05-01 15:08:31 theregister DATA BREACH Qantas Mobile App Glitch Exposes Customer Boarding Passes
Qantas Airways encountered a data mishap in which boarding passes and personal details were erroneously shown in other users' mobile app accounts. The issue exposed names, airline points, and boarding passes, affecting multiple customers' privacy. The airline attributed the error to a technical glitch potentially linked to recent system updates, not to cybercrime. No financial data was disclosed during the incident, and the airline points displayed were non-transferable. Qantas stated that no fraudulent boarding or security breaches occurred, thanks to built-in safeguards. The company has issued an apology and pledged continuous monitoring to prevent further glitches. Customers were advised to stay vigilant against potential phishing attacks exploiting the incident, mirroring patterns previously observed after the Thomas Cook collapse.
2024-05-01 14:27:39 thehackernews CYBERCRIME Advanced Bitcoin Forensics Reveals Criminal Money Laundering Clusters
Elliptic and researchers from the MIT-IBM Watson AI Lab uncovered illicit clusters in the Bitcoin blockchain. Using a 26 GB graph dataset known as Elliptic2, the analysis identified 122K labeled Bitcoin subgraphs among 49M node clusters. The research used machine learning to predict which subgraphs represent the laundering of criminal proceeds. Detected suspicious activity was linked to crypto exchanges, a cryptocurrency mixer, and a Russian dark web forum. The analysis identified money laundering techniques such as peeling chains and nested services, which are common in crypto laundering. Future research aims to improve machine learning accuracy and extend the techniques to other blockchains. The forensic approach differs from traditional methods by analyzing shapes and patterns within transaction subgraphs for clues of illicit activity.