Daily Brief
Articles are listed below, each with a generated summary.
Total articles found: 12743
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-28 13:28:02 | theregister | MISCELLANEOUS | Microsoft Faces Security Alerts Due to Expired TLS Certificates | Microsoft has once again let a TLS certificate expire, triggering security warnings in Microsoft 365 and Office Online. An Australian reader reported security-software alerts about insecure connections to cdn.uci.officeapps.live.com, a key endpoint for Microsoft services. The certificate in question was valid from August 18, 2023, to June 27, 2024; once it lapsed, users saw disruptions and error messages. Users reported problems such as error codes when opening Microsoft Word, with one report covering approximately 200 PCs. This is not the first time Microsoft has failed to renew a certificate in time; a similar lapse affected the Windows Insider subdomain in 2022. Microsoft's Azure ECC TLS Issuing CA 01 has also expired, which may complicate matters further because certificates issued by that CA have expired with it. Affected users have been vocal on Microsoft's forums, and Microsoft is reportedly working on a fix and on improving its certificate management practices. Microsoft's recurring certificate management errors underscore the importance of diligent infrastructure maintenance, including certificate-expiry monitoring, to avoid service outages and security warnings. |
| 2024-06-28 13:02:12 | bleepingcomputer | CYBERCRIME | Supply Chain Attack Hits Multiple CDNs, Linked to Single Operator | A large-scale supply chain attack affecting the CDNs Polyfill.io, BootCDN, Bootcss, and Staticfile has impacted millions of websites. The attack was traced back to a single operator through Cloudflare API keys exposed in a public GitHub repository. The leak resulted from negligent security practices, specifically the public upload of a .env file containing sensitive API keys and tokens. Researchers found that all four affected domains were managed under a single Cloudflare user account. MalwareHunterTeam and other researchers raised concerns that the scope of the attack is wider than initially thought. Related attacks have been traced back to at least June 2023, with early versions of the malicious code circulating since then. The article describes ongoing response actions and notes the potential for further related attacks, given that multiple domains remain registered to associated operators. Site owners are advised to monitor their use of the affected CDN services and, where possible, replace them with alternatives hosted by reputable organizations. |
| 2024-06-28 12:00:51 | thehackernews | CYBERCRIME | 8220 Gang Used Oracle WebLogic Flaws for Crypto Mining | The 8220 Gang has been exploiting vulnerabilities in Oracle WebLogic Server to deploy cryptocurrency miners. Trend Micro tracks the group under the alias Water Sigbin. The exploited vulnerabilities include CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839. The attack relies on fileless techniques that execute code directly in memory to evade detection. Deployment stages include PowerShell scripts, masquerading as legitimate applications, and collecting system information. The malware also establishes persistence on the host and evades Windows Defender Antivirus. In addition, the gang operates the k4spreader tool, which spreads botnet and mining malware by exploiting other server vulnerabilities. Defenders should continuously scan for and patch such vulnerabilities to mitigate these threats. |
| 2024-06-28 11:04:35 | thehackernews | CYBERCRIME | Evolving SaaS Kill Chain Threats Demand Advanced Security Solutions | SaaS adoption continues to grow, yet many enterprises have not updated their security strategies or tooling to address SaaS-specific threats. Traditional on-premises security controls are ineffective in SaaS environments, where visibility is limited and security responsibilities are shared with vendors. Each SaaS application has its own security settings, which change frequently, making it hard for security teams to monitor threats effectively. Threat actors use techniques such as session hijacking and lateral movement across interconnected SaaS platforms. IBM reports that the average cost of a data breach reached $4.45 million in 2023, highlighting the financial impact of inadequate SaaS security. Continuous monitoring, machine identity management, and Zero Trust architecture in SaaS environments are crucial for stronger protection. Good hygiene, a robust inventory of machine identities, and a SaaS-specific security review process are essential for detecting and mitigating threats early. |
| 2024-06-28 10:03:13 | thehackernews | CYBERCRIME | SnailLoad Exploit Allows Stealth Monitoring of User Web Activity | Security researchers from Graz University of Technology have disclosed a new side-channel attack, dubbed SnailLoad, that can spy on a person's web activity without direct access to their system. SnailLoad exploits network latency, a common bottleneck in internet connections, to infer which web pages and videos a user is viewing. The technique requires no adversary-in-the-middle position, physical proximity, or user interaction; it relies solely on the timing of network packets. The target is induced to download a benign file from an attacker-controlled server, and the attacker measures variations in network response times to infer the user's activity. A convolutional neural network (CNN) trained on data from similar network environments translates the latency variations into predictions of the user's online behavior, achieving up to 98% accuracy in video identification. The attack introduces no malicious code and works merely by observing slow data transfers (hence "snail pace"), and the research also highlights weaknesses in how routers handle Network Address Translation (NAT). The findings include a disclosure of router firmware issues involving TCP sequence number randomization, which could allow attackers to manipulate web traffic or mount denial-of-service attacks. Router vendors and the OpenWrt community are developing patches for these issues. |
| 2024-06-28 08:00:25 | thehackernews | MISCELLANEOUS | Major Security Flaws Uncovered in Emerson Rosemount Gas Chromatographs | Researchers from the operational technology (OT) security firm Claroty have discovered multiple vulnerabilities in Emerson Rosemount gas chromatographs, affecting models GC370XA, GC700XA, and GC1500XA (versions 4.1.5 and earlier). The vulnerabilities comprise two command injection flaws and two authentication and authorization issues, all exploitable by unauthenticated attackers. They could allow an attacker to bypass authentication, execute arbitrary commands, access sensitive information, and induce a denial-of-service (DoS) condition. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that exploitation could lead to unauthorized access to and control over the gas chromatograph systems. Emerson has released updated firmware to patch the vulnerabilities and advises users to follow cybersecurity best practices and ensure the devices are not directly reachable from the internet. A separate report from Nozomi Networks disclosed similar vulnerabilities in the AiLux RTU62351B, Proges Plus temperature monitoring devices, and related software, highlighting the pervasive risks in connected industrial devices. Those flaws remain unpatched and pose a significant risk, including potential manipulation of medical monitoring systems and spoilage of temperature-sensitive pharmaceuticals through DoS attacks. |
| 2024-06-28 06:43:47 | theregister | CYBERCRIME | Microsoft Exposes 'Skeleton Key' AI Attack Bypassing Safety Measures | Microsoft has described the 'Skeleton Key' attack, which coaxes AI models into generating harmful content despite their safety guardrails. Several prominent models, including Meta Llama3-70b-instruct and Google Gemini Pro, were tested and found susceptible to the technique. The attack uses simple textual prompts that subtly alter the model's behavior guidelines so that it produces otherwise forbidden content. In Microsoft's tests, most models honored the modified prompt while adding a warning, whereas OpenAI's GPT-4 resisted direct prompts but succumbed when the modification was placed in the system message. At a recent conference, Microsoft discussed these emerging risks and its efforts to introduce tools such as 'Prompt Shields' to detect and block such attacks. Notably, the attack works across a range of AI platforms, exposing weaknesses in the current design and implementation of behavior guardrails. Researchers at the University of Maryland suggest that attacks like Skeleton Key may be mitigated more effectively with robust input/output filtering or tailored system prompts. |
| 2024-06-28 05:27:07 | thehackernews | DATA BREACH | TeamViewer Confirms Security Breach in Corporate IT System | TeamViewer has disclosed a security breach in its internal corporate IT environment, identified on June 26, 2024. The company activated its response team and is working with global cybersecurity experts to contain and remediate the incident. There is no evidence that customer data was compromised, and the corporate IT environment is segregated from the product environment. The origin and method of the breach remain unclear; the ongoing investigation is expected to provide further insight. TeamViewer is widely used for remote monitoring and management by more than 600,000 customers. The Health-ISAC has warned that APT29, a state-sponsored actor linked to Russia's SVR, is actively exploiting TeamViewer in broader cyberattacks. APT29 has previously breached major corporations including Microsoft and HPE, and Microsoft recently stated that some customer communications were also affected. |
| 2024-06-28 03:49:22 | theregister | MALWARE | Polyfill.io Accused of Malicious Code Injection in Supply Chain Attack | Namecheap has shut down the Polyfill.io domain following accusations that the service was injecting suspicious code into users' websites, potentially affecting a vast number of internet users. Cloudflare and security experts had warned of a supply chain risk involving Polyfill.io, alleging that the service was altering the JavaScript it served to include malicious scripts. Security firm Sansec detailed the malicious code, which redirects mobile users to a fake sports betting site and includes features to evade detection and analysis. In response to these concerns, Cloudflare introduced an automatic JavaScript URL rewriting service that protects sites by replacing potentially harmful Polyfill.io code. The owner of Polyfill.io denies any wrongdoing, calling the claims slander and malicious defamation, and has relaunched the site under a new domain. Since the sale of the Polyfill.io domain and related assets, various inconsistencies and suspicions about the new owner's actual location and legitimacy have surfaced. The controversy continues, with Polyfill announcing plans to develop and expand a new global CDN product and claiming substantial funding and competitive ambitions against Cloudflare. |
| 2024-06-28 00:40:56 | theregister | NATION STATE ACTIVITY | TeamViewer Network Compromised, APT Group Suspected | TeamViewer detected an "irregularity" in its corporate IT network, indicating a security breach. The anomaly was discovered within TeamViewer's corporate environment, and immediate measures, including incident response, were activated. TeamViewer asserts that its product environments and customer data were not affected. Investigations are ongoing, with a focus on system integrity and assistance from cybersecurity experts. NCC Group has informed clients of a significant compromise of the TeamViewer platform by an APT group. The US Health Information Sharing and Analysis Center (H-ISAC) has issued a warning about active threats exploiting TeamViewer, specifically citing APT29, which is possibly linked to Russian intelligence. TeamViewer continues to withhold details on the nature of the incident, citing the ongoing investigation. |
| 2024-06-27 23:19:16 | bleepingcomputer | DATA BREACH | Former IT Worker Breaches Data of Over 1 Million Healthcare Patients | Geisinger, a major healthcare provider in Pennsylvania, has announced a data breach involving unauthorized access by a former Nuance employee. The breach exposed data of more than 1 million patients but did not include sensitive financial details such as Social Security numbers or bank information. The unauthorized access occurred in November 2023, shortly after the employee was terminated by Nuance. Nuance acted swiftly to revoke the ex-employee's access and informed law enforcement, leading to the individual's arrest. The type of patient information compromised varied depending on the services each patient had used. Geisinger has advised potentially affected individuals to monitor their health statements and alert their insurers to any discrepancies. Law firm Lynch Carpenter is investigating the extent of the breach, which could lead to a class action lawsuit against Geisinger. |
| 2024-06-27 23:03:47 | bleepingcomputer | RANSOMWARE | BlackSuit Ransomware Gang Strikes KADOKAWA, Threatens Data Leak | The BlackSuit ransomware gang recently targeted the KADOKAWA corporation, jeopardizing operations across its film, publishing, and gaming businesses. The June 8 attack disrupted multiple KADOKAWA websites and encrypted data across the company's hosted services. The impact extended to subsidiaries, including the Niconico video-sharing platform, which remains offline as of the latest updates. BlackSuit has threatened to release stolen data, including confidential documents and financial records, by July 1 unless a ransom is paid. KADOKAWA is focusing on restoring key operational functions such as accounting and plans a secure overhaul of its network and server infrastructure. BlackSuit is identified as a rebranded continuation of the Royal ransomware operation, with suspected ties to the defunct Conti cybercrime group. The operation has been implicated in attacks on more than 350 organizations worldwide since September 2022 and has amassed substantial ransom demands. |
| 2024-06-27 22:58:24 | bleepingcomputer | CYBERCRIME | Black Suit Ransomware Targets KADOKAWA, Threatens Data Leak | The Black Suit ransomware gang has claimed responsibility for a cyberattack on the KADOKAWA corporation and is threatening to release stolen data unless a ransom is paid. KADOKAWA, a major Japanese media firm with interests in film, publishing, and gaming, reported service outages resulting from the June 8 attack. The ransomware encrypted data in a data center, affecting numerous KADOKAWA operations and subsidiaries, including the popular video-sharing platform Niconico. Despite ongoing recovery efforts, most KADOKAWA services remain disrupted, with the company prioritizing the restoration of critical accounting and manufacturing functions by early July. BlackSuit, a rebrand of Royal ransomware linked to the defunct Conti group, has published a sample of the stolen data and set July 1 as the publication date for the rest. The FBI and CISA have identified BlackSuit ransomware in attacks on more than 350 organizations globally since September 2022, with ransom demands totaling over $275 million. |
| 2024-06-27 22:32:44 | bleepingcomputer | MALWARE | Unfurling Hemlock Uses "Malware Cluster Bomb" in Recent Attacks | Unfurling Hemlock, a newly identified threat actor, uses a distinctive strategy termed a "malware cluster bomb" to deliver multiple malware families at once. The primary distribution methods are malicious emails and malware loaders, with attacks beginning from a file named 'WEXTRACT.EXE'. The malicious executable is structured in nested levels, each containing a different payload, and deploys four to ten malware types per attack. Unfurling Hemlock has been active since at least February 2023, with a significant proportion of its attacks targeting the United States. KrakenLabs has identified more than 50,000 files associated with these attacks, all sharing similar unique characteristics. The malware distributed includes information stealers, botnets, and backdoors. Outpost24 advises users to scan downloaded files with up-to-date antivirus tools, noting that the malware involved is well known and detectable by security software. |
| 2024-06-27 19:33:58 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Indicts Russian GRU Agent, Offers $10 Million Reward | The U.S. Department of Justice has indicted Russian GRU operative Amin Timovich Stigal for cyberattacks on Ukrainian government networks and other entities. Stigal used the WhisperGate malware, initially disguised as ransomware, to irreversibly corrupt and wipe data across numerous Ukrainian government systems. The attacks also involved the theft and public exposure of sensitive data, such as health records, with the aim of instilling panic and distrust among the Ukrainian population. These operations, which began before the Russian invasion, also targeted countries supporting Ukraine and extended to probing U.S. federal agencies. The U.S. government is offering a $10 million reward for information leading to Stigal's arrest, which can be submitted through a secure channel over the Tor network. If convicted, Stigal faces up to five years in prison for his role in these international cyberattacks against Ukraine, the U.S., and NATO allies. |