Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-27 14:59:10 | bleepingcomputer | CYBERCRIME | Okta Reports Surge in Credential Stuffing Attacks on Users | Okta has issued a warning about a significant increase in credential stuffing attacks against its identity and access management services. These attacks, which use automated tooling to test stolen credentials, have led to breaches of some customer accounts. The identified attack sources include the same infrastructure previously noted by Cisco Talos in similar threats. Attackers predominantly used the Tor network and various residential proxies to mask their activity. The most affected are organizations using Okta's Classic Engine in Audit-only mode and those allowing access via anonymizing proxies. Okta recommends countermeasures such as enabling 'Log and Enforce' mode, multi-factor authentication, and blocking IP addresses known for malicious activity. The company also advocates passwordless authentication and close monitoring of anomalous sign-in attempts to further secure user accounts. | Details |
| 2024-04-27 12:57:07 | thehackernews | NATION STATE ACTIVITY | Ukraine Faces Cyberattacks Exploiting Old Microsoft Office Bug | Ukraine has been targeted by cyberattacks leveraging a seven-year-old vulnerability in Microsoft Office to deploy Cobalt Strike. The attacks involved a PowerPoint file masquerading as an old U.S. Army mine-clearing manual, suggesting that the attackers were aiming at military personnel. The operation resulted in the remote execution of an obfuscated script that configured persistence through registry modifications and mimicked a legitimate Cisco VPN client. The malware used in the attacks could detect virtual machine environments and evade security software. The origin of the attacks is uncertain, with no concrete link to a specific threat actor; the possibility of a red teaming exercise was also noted but not confirmed. In a broader context, a Russian state-sponsored group identified as Sandworm or APT44 has targeted about 20 Ukrainian critical infrastructure entities using various malware tools. Sandworm has been active since at least 2009 and is associated with multiple disruptive cyber operations against Ukraine and other global targets. This situation highlights the ongoing cyber warfare dimension of the broader geopolitical conflict between Ukraine and Russia. | Details |
| 2024-04-27 05:17:40 | thehackernews | MALWARE | N. Korea Malware Scam Targets Developers in Fake Job Interviews | North Korean threat actors are conducting a social engineering campaign that targets software developers under the guise of job interviews in order to install malware. The campaign, named DEV#POPPER by Securonix, lures developers into downloading malicious npm packages containing a JavaScript file that acts as an information stealer. Palo Alto Networks' Unit 42 and Phylum reported that these attacks use npm packages to deliver malware families such as BeaverTail and InvisibleFerret that siphon sensitive data. These attacks are distinct from Operation Dream Job, another Lazarus Group campaign that targets various professional sectors with malware-laced job offers. The malware is first introduced to victims via a ZIP archive shared during the interview process, leading to system compromise upon execution. The malicious software can execute commands, enumerate files, and log keystrokes and clipboard data, indicating an advanced capability to siphon off sensitive information. Researchers emphasize the necessity of maintaining a security-focused mindset, particularly in situations that might lower one's guard, such as job interviews. | Details |
| 2024-04-26 18:16:58 | theregister | DATA BREACH | Kaiser Permanente Alerts on Unintended Data Sharing with Tech Giants | Kaiser Permanente has notified 13.4 million individuals about the unintentional sharing of their data with external third parties such as Google and Microsoft Bing. Data shared included IP addresses, names, and information relating to user interactions with Kaiser’s websites and mobile apps. The information was transmitted through tracking and analytics tools previously installed on Kaiser's digital platforms. No sensitive data such as Social Security numbers or financial information was disclosed to third parties. Kaiser has removed the identified technologies from its platforms and implemented additional security measures to prevent future incidents. This incident sheds light on broader privacy issues with healthcare entities using third-party tracking technologies. Kaiser Permanente is conducting ongoing reviews and has reported the incident to the U.S. Department of Health and Human Services. | Details |
| 2024-04-26 16:02:46 | theregister | MISCELLANEOUS | Thoma Bravo Acquires Darktrace for $5.3 Billion, Takes It Private | Private equity firm Thoma Bravo has completed the acquisition of UK-based cybersecurity company Darktrace for $5.3 billion. The deal marks Thoma Bravo's second attempt to buy Darktrace, following a failed bid in 2022 when negotiations collapsed and fraud allegations followed. Darktrace's share price has significantly recovered, reaching $7.59, after falling in the wake of the initial acquisition fallout and fraud claims. Darktrace shareholders are set to receive $7.75 per share, a 44 percent premium over the past three months' average share price. Thoma Bravo aims to leverage Darktrace's AI and cybersecurity capabilities to enhance its extensive portfolio of cybersecurity companies. Darktrace is exiting the London Stock Exchange, citing undervaluation compared to peers and expressing optimism for future growth and innovation under private ownership. The acquisition has sparked discussion of the negative outlook for investment in the UK's public tech sector and the dominance of larger US tech firms. Darktrace's earlier financial backing by Mike Lynch, currently on trial for fraud, remains a noteworthy part of its history, with his family set to gain substantially from the sale. | Details |
| 2024-04-26 14:25:38 | bleepingcomputer | CYBERCRIME | 'Dev Popper' Campaign Uses Fake Job Interviews to Deploy RAT | A new cybercrime campaign, dubbed “Dev Popper,” targets software developers through deceptive job interview offers in order to install a Python-based remote access trojan (RAT). Attackers contact prospective developer candidates posing as employers and present coding tasks from a GitHub repository as part of the interview process. The file downloaded by the candidates is a ZIP archive that includes an NPM package; when run, it activates a hidden, obfuscated JavaScript file designed to download further malware. The multi-stage infection ultimately installs a RAT that relays system information (OS type, hostname, network data) to the attacker's command and control server. While the exact perpetrators are uncertain, the tactics suggest a possible link to North Korean threat actors, although there is not enough evidence for definitive attribution. Securonix, the security firm analyzing the campaign, emphasizes the efficacy of this method because it exploits professional trust and engagement in the job application process. The method is part of a broader pattern of North Korean hackers using job lures to target various sectors, including security researchers and aerospace employees. | Details |
| 2024-04-26 14:04:56 | thehackernews | MALWARE | Multiple Severe Vulnerabilities Found in Brocade SANnav Software | Independent security researcher Pierre Barre identified 18 severe vulnerabilities in Brocade SANnav management software. The disclosed flaws affect all versions up to and including 2.3.0 and encompass issues such as insecure root access, Docker misconfigurations, and inadequate firewall rules. Attackers could exploit these vulnerabilities to intercept credentials, overwrite files, and completely compromise the affected devices. Reported twice, in August 2022 and May 2023, the vulnerabilities have been addressed in the latest SANnav version, 2.3.1, released in December 2023. Broadcom, the parent company of Brocade, Symantec and VMware, issued advisories earlier this month. Hewlett Packard Enterprise also released patches for some of the vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024. Users and administrators are urged to update to the patched versions to protect against these potential security breaches. | Details |
| 2024-04-26 12:02:29 | theregister | NATION STATE ACTIVITY | UK’s Investigatory Powers Bill Set to Expand Surveillance Capabilities | The UK's Investigatory Powers (Amendment) Bill (IPB) 2024, often referred to as the "snooper's charter," has been approved by the King, making it law. The legislation enhances the digital surveillance powers of the Investigatory Powers Act 2016, allowing authorities such as the intelligence services and the police to access more data. Government and security officials argue these enhancements are necessary to address contemporary threats including terrorism and child exploitation. The amendments include new provisions for gathering internet connection records and bulk datasets from publicly accessible sources such as social media. Critics, including tech companies and privacy advocates, argue that the bill severely compromises privacy, lacks adequate safeguards, and was expedited through the legislative process without thorough scrutiny. Key concerns also include the potential undermining of security measures in tech products, as the bill requires companies to consult with the government before deploying security updates. Privacy International and other rights groups continue to express disappointment, stating that the bill worsens already insufficient privacy protections and significantly broadens surveillance capabilities. The next steps for the bill include consultations on its implementation, where stakeholders hope to influence a more balanced approach to its regulations. | Details |
| 2024-04-26 10:56:12 | thehackernews | MISCELLANEOUS | Enhancing Endpoint Security: Top Ten Essential Tips | 70% of successful data breaches originate from endpoints, highlighting their vulnerability. Identifying and cataloging endpoints by sensitivity ensures better focus on potential vulnerabilities. Implementing a proactive patch management strategy is crucial for keeping systems secure from known threats. Multi-factor authentication (MFA) significantly boosts security by requiring multiple verification methods. Adhering to the principle of least privilege minimizes unauthorized access risk by restricting user access levels. A defense-in-depth strategy involves multiple security layers, including firewalls, antivirus, EDR, and intrusion detection, to provide comprehensive protection. Real-time monitoring and endpoint detection and response (EDR) solutions are key to immediate threat detection and response. Regular cybersecurity training for employees fortifies the human element of endpoint security defenses. | Details |
| 2024-04-26 10:50:45 | thehackernews | MALWARE | New 'Brokewell' Android Malware Exploits Fake Browser Updates | A new Android malware named Brokewell is being distributed via deceptive browser update prompts. Brokewell has sophisticated capabilities including data theft, remote control access, and recording of user activity. The malware circumvents Google’s security measures for sideloaded apps by leveraging accessibility service permissions. Once installed, Brokewell can perform a variety of malicious actions such as stealing cookies, recording audio, capturing screen content, and intercepting SMS messages. The malware’s developer, identified as Baron Samedit Marais, operates under "Brokewell Cyber Labs" and offers a loader tool on Gitea that can bypass restrictions in newer Android versions. The existence of Brokewell and its associated loader tool lowers the barrier to entry for other cybercriminals seeking to deploy similar mobile malware. Security experts are concerned about the growing ease with which cybercriminals can use dropper-as-a-service platforms to spread malware on Android devices. | Details |
| 2024-04-26 10:25:00 | thehackernews | NATION STATE ACTIVITY | Critical PAN-OS Flaw Exploited in Operation MidnightEclipse | Palo Alto Networks has issued remediation steps for a critical vulnerability in PAN-OS, identified as CVE-2024-3400 with a CVSS score of 10.0. The flaw allows unauthenticated remote shell command execution and affects multiple PAN-OS versions, including 10.2.x, 11.0.x, and 11.1.x. The vulnerability has been actively exploited since at least March 26, 2024, by a state-backed hacker group of unknown identity tracked as UTA0218. The exploitation, part of Operation MidnightEclipse, involves deploying a Python-based backdoor named UPSTYLE, which executes commands received in specially crafted requests. Palo Alto Networks advises a private data reset or a factory reset, depending on the level of compromise, to prevent further misuse. The incident highlights the sophisticated nature of the attack, with the methods and targets involved suggesting a state-sponsored entity. | Details |
| 2024-04-26 09:38:59 | bleepingcomputer | DATA BREACH | Kaiser Permanente Reports Data Leak Affecting 13.4 Million Patients | Kaiser Permanente disclosed a data breach potentially impacting 13.4 million current and former members in the U.S. Personal information was inadvertently shared with third-party trackers on the company’s websites and mobile apps. The exposed data includes IP addresses, names, and details about user interactions, but did not include SSNs or financial details. The third-party trackers involved were linked to Google, Microsoft Bing, and X (formerly Twitter). The organization has removed the trackers and implemented measures to prevent future incidents. Kaiser Permanente will notify individuals potentially affected by the breach as a precaution. There have been no indications that the exposed data has been misused. This incident follows a June 2022 breach at Kaiser that exposed the health information of 69,000 people after an email account was hacked. | Details |
| 2024-04-26 09:28:32 | bleepingcomputer | DATA BREACH | LA County Health Services Suffers Phishing-Induced Data Breach | The Los Angeles County Department of Health Services recently announced a significant data breach affecting 6,085 individuals, following a phishing attack on 23 of its employees. The phishing incident occurred between February 19 and February 20, 2024, during which attackers stole employee login credentials through deceptive emails. The compromised email accounts contained sensitive personal and health information of patients, although Social Security Numbers and financial data were reportedly not included. In response to the breach, affected email accounts were disabled, compromised devices were reset, and an email quarantine was implemented to manage suspicious messages. L.A. County Health Services has initiated a series of precautionary measures, including widespread employee training on email security, and has informed federal and state health authorities about the breach. Even though no misuse of the disclosed information has been detected, L.A. County Health Services has advised patients to verify the integrity of their medical records with their healthcare providers. Notifications of the breach were sent to potentially impacted individuals, highlighting the importance of vigilance in safeguarding personal health information against phishing schemes. | Details |
| 2024-04-26 07:36:33 | theregister | MISCELLANEOUS | Key Trends in Cybersecurity for CISOs in 2024: A SANS Guide | The professionalization of cybercrime requires CISOs to continuously upgrade and maintain vigilant security measures. The SANS CISO Primer highlights four critical areas for CISO focus: Generative AI, Zero Trust, Cloud Security, and Cybersecurity Complexity. Generative AI poses both opportunities and challenges in cybersecurity, necessitating strategies to harness its benefits while mitigating its risks. Zero Trust architecture is emphasized for its role in quickly detecting breaches and restricting lateral movement by attackers within networks. Despite the maturity of cloud technology, cloud security continues to be a prominent concern due to persistent vulnerabilities. The increasing complexity of cybersecurity is a significant hurdle, compounded by a shortage of qualified professionals. The SANS guide provides actionable advice and best practices for CISOs to effectively navigate and respond to evolving cyber threats. | Details |
| 2024-04-26 05:49:34 | thehackernews | CYBERCRIME | Hackers Target WordPress Plugin to Gain Admin Access | Threat actors are exploiting a severe SQL injection flaw in the WP-Automatic plugin, identified as CVE-2024-27956, which affects all versions prior to 3.9.2.0. The vulnerability allows attackers to perform unauthorized database queries, create admin-level accounts, upload malicious files, and potentially take control of entire WordPress sites. The flaw has a CVSS score of 9.9, indicating its high severity and impact potential. Attackers have been observed renaming the vulnerable plugin file to evade detection and maintain persistent unauthorized access. Over 5.5 million attempts to exploit this vulnerability have been detected since its public disclosure by Patchstack on March 13, 2024. The widespread exploitation includes installing additional malicious plugins and creating backdoors for sustained access. WPScan and Patchstack emphasize the urgency of updating the WP-Automatic plugin to the latest version to mitigate this significant security risk. | Details |