Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12732
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-21 07:03:04 | theregister | NATION STATE ACTIVITY | Sweden Accuses Russia of Jamming Satellites After NATO Entry | Sweden has reported "harmful interference" with its satellites, attributing it to Russia following Sweden's accession to NATO in March. The Swedish Post and Telecom Authority formally raised the issue with Russia on March 21, two weeks after joining NATO. Complaints escalated to the International Telecommunication Union on June 4, concerning interference with three Sirius satellites serving Scandinavia and parts of Eastern Europe. Kremlin spokesperson Dmitry Peskov denied any knowledge of the incident. The European Union corroborated satellite signal interference across several member states, though it stopped short of directly accusing Russia. The EU's statement linked the interference contextually with Russia's ongoing military actions in Ukraine. Further disruptive activities attributed to Russia in Europe include cyber-attacks on infrastructure and attempts to influence French national elections through cyber means. | Details |
| 2024-06-21 05:41:25 | theregister | DATA BREACH | Major Data Breach at Optus Caused by Coding Error in API | Australian telco Optus experienced a significant data breach exposing the personal information of over 9 million customers due to a coding error in an API. The breach occurred because a redundant website's API, which had been left accessible online since 2017, had flawed access controls resulting from a 2018 coding mistake. Optus recognized and corrected the error on its main domain in 2021, but failed to address the issue on the domain that was later compromised. The compromised API allowed unauthorized access simply through trial and error, indicating the breach did not require sophisticated hacking skills. The Australian Communications and Media Authority (ACMA) is pursuing legal action against Optus, seeking civil penalties for the negligence. Although the redundant website and API had no practical utility, they were not decommissioned, leaving the vulnerability in place. Singtel, owner of Optus, told investors it cannot estimate potential financial penalties but plans to defend against the claims. | Details |
| 2024-06-21 04:30:04 | thehackernews | NATION STATE ACTIVITY | U.S. Implements Full Ban on Kaspersky Over National Security Concerns | The U.S. Department of Commerce has officially banned Kaspersky Lab and its affiliates from selling their security software in the U.S., effective July 20, due to national security risks. The Bureau of Industry and Security (BIS) labels Kaspersky's operations as vulnerable to manipulation by the Russian government, potentially endangering U.S. data security and critical infrastructure. Kaspersky's software has allegedly provided the Kremlin with mechanisms for data theft, espionage, and potentially harmful manipulation of software functionality. Existing customers will receive software and antivirus updates until September 29, during which time they should secure alternative security solutions to avoid protection gaps. Kaspersky has been added to the Entity List, citing its cooperation with Russian military and intelligence for cyber intelligence purposes. Historical tensions include a 2017 federal ban on Kaspersky products in U.S. federal networks, and allegations of Russian hackers using Kaspersky software to steal U.S. NSA tools. Kaspersky disputes the Commerce Department's claims, describing them as geopolitical and theoretical rather than based on solid evidence of wrongdoing. The company warns that the ban might bolster cybercrime by hindering essential international cooperation among cybersecurity experts. | Details |
| 2024-06-20 22:43:58 | bleepingcomputer | NATION STATE ACTIVITY | Biden Administration Prohibits Kaspersky Software Over Security Risks | The Biden administration announces a ban on Kaspersky Labs, blocking sales and updates of its antivirus in the U.S. U.S. entities must cease using Kaspersky products by September 29, 2024, and are encouraged to transition to alternative security software. The ban targets the U.S. subsidiary of Kaspersky and related entities due to concerns over potential Russian exploitation for intelligence purposes. Kaspersky has denied any wrongdoing or ties to the Russian government, attributing the ban to geopolitical strains rather than factual evidence. The U.S. Commerce Department adds Kaspersky and related entities to the Entity List for alleged cooperation with Russian intelligence. Despite the ban, Kaspersky remains steadfast in its commitment to offering cybersecurity services and reported an 11-percent increase in sales bookings in 2023. The closure of Kaspersky in the U.S. is expected to disrupt current customers and could theoretically increase risk by limiting international cybersecurity collaboration. | Details |
| 2024-06-20 21:47:54 | theregister | DATA BREACH | Over 500,000 Patient Records Stolen in Radiology Cyberattack | Consulting Radiologists, a Minnesota-based healthcare provider, experienced a significant cyberattack in February, impacting 511,947 patients. The breach involved unauthorized access to personal and medical information, including Social Security numbers, health insurance details, and medical records. Two ransomware groups, LockBit and Qilin, have publicly claimed responsibility for the data theft, with Qilin claiming the theft of over 70GB of data. Following detection of the breach, Consulting Radiologists implemented enhanced security measures and partnered with a cybersecurity firm for further protection. The company has offered a year of free credit monitoring services to affected individuals to mitigate potential identity theft. There is currently no evidence that the stolen data has been misused, and the company continues to investigate the breach with assistance from cybersecurity experts. Global ransomware activity, including that of LockBit, is on the rise, with a significant increase in attack volume reported. | Details |
| 2024-06-20 21:32:19 | bleepingcomputer | MALWARE | Critical UEFI Vulnerability in Intel CPUs Affects Multiple Vendors | A significant buffer overflow vulnerability, CVE-2024-0762, impacts the UEFI firmware of numerous Intel CPUs across multiple device manufacturers. Discovered by Eclypsium, the vulnerability exists within the TPM configuration of Phoenix SecureCore UEFI firmware, affecting Secure Boot processes. The flaw could allow attackers to execute malicious code at the firmware level, potentially installing bootkit malware that is hard to detect and remove. Phoenix and Lenovo have confirmed the vulnerability affects a wide range of Intel processors including Alder Lake, Coffee Lake, and Comet Lake, among others. Manufacturers such as Lenovo, Dell, HP, and Acer might see hundreds of their models impacted due to the widespread use of the vulnerable firmware. Lenovo has already started rolling out firmware updates to mitigate the flaw, covering over 150 device models, with more updates planned. This vulnerability highlights the escalating focus of threat actors on exploiting UEFI firmware because of its foundational role in system boot processes and security mechanisms. | Details |
| 2024-06-20 21:11:47 | theregister | NATION STATE ACTIVITY | U.S. Bans Kaspersky Products, Citing National Security Risks | The Biden administration has officially banned the sale and distribution of Kaspersky products in the United States. Starting July 20, Kaspersky will be prohibited from entering contracts with new U.S.-based customers; existing customers must transition by October. The Commerce Secretary cited national security risks due to potential exploitation by the Russian government. Kaspersky is also barred from distributing software updates and malware signatures to U.S. customers after September 29. Violations of the ban could result in fines or criminal charges against sellers or resellers. The decision reflects ongoing concerns about Russian cyber operations and their potential impact on American digital security. The U.S. government's investigations concluded that the risks associated with Kaspersky's operations could not be mitigated without a total ban. | Details |
| 2024-06-20 20:56:19 | theregister | CYBERCRIME | CDK Global Halts Operations Amid Repeated Cyber Incidents | CDK Global, a major software provider for nearly 15,000 US car dealerships, experienced a severe cyber incident, leading to repeated system shutdowns. The initial system closure occurred early on June 19, followed by an attempt to restore services, including the Dealer Management System and other key platforms. Shortly after restoration, CDK Global was forced to shut down systems again due to a subsequent cyber incident, raising concerns about the security of the restored services. The company has engaged third-party cybersecurity experts to assess the situation and has not provided a timeline for when services will be fully operational again. The cyber attacks were speculated to be timed with the Juneteenth public holiday to maximize disruption. There is an implication that the incident could involve ransomware, although CDK Global has not confirmed this detail. Dealerships have resorted to manual processes in response to the outage, with uncertainty around the duration of system downtime affecting business operations. | Details |
| 2024-06-20 20:05:09 | bleepingcomputer | MALWARE | Critical CosmicSting Vulnerability Threatens Major E-Commerce Platforms | The "CosmicSting" vulnerability remains largely unpatched in Adobe Commerce and Magento platforms, affecting 75% of sites. The vulnerability enables XML external entity injection (XXE) and Remote Code Execution (RCE), posing severe security threats. Rated with a critical CVSS score of 9.8, CosmicSting could lead to unauthorized data access and system control. Adobe released updates to mitigate the flaws, but many sites have not yet applied these critical patches. Sansec warns that combining CosmicSting with a vulnerable glibc library on Linux escalates the risk of attack. Administrators are urged to apply the provided patches or implement the suggested emergency measures to prevent exploitation. Sansec compares the potential impact of CosmicSting to notable past e-commerce breaches, indicating high severity and risk. | Details |
| 2024-06-20 19:03:29 | bleepingcomputer | MALWARE | RansomHub Ransomware Targeting VMware ESXi Virtual Machines | RansomHub, a ransomware-as-a-service (RaaS) operation, now targets VMware ESXi environments with a specialized Linux encryptor, affecting corporate sectors globally. The operation has associations with other major ransomware groups such as ALPHV/BlackCat and Knight, and has impacted over 45 entities in 18 countries. RansomHub's new ESXi variant is written in C++ and features functionality such as delayed execution, exclusion of selected VMs, and encryption of selected directories. It employs a partial encryption method for efficiency, encrypting only the beginning of larger files and adding unique identifiers to the encrypted files. Recorded Future discovered a flaw in this variant that allows defenders to induce a perpetual loop, temporarily neutralizing the ransomware threat. The ransom message is displayed prominently on the system's login screens and web interfaces to ensure visibility immediately upon system compromise. The ESXi-specific ransomware disables critical system logs and can delete itself following execution to evade detection and forensic analysis. | Details |
| 2024-06-20 17:46:23 | bleepingcomputer | NATION STATE ACTIVITY | UNC3886 Exploits VMs Using Rootkits for Surveillance and Theft | UNC3886, a suspected Chinese threat actor, utilizes the open-source Linux rootkits 'Reptile' and 'Medusa' on VMware ESXi virtual machines for stealth and persistence. Mandiant has closely followed UNC3886, noting its focus on critical sectors such as government, telecom, tech, aerospace, defense, and energy. The attackers deploy the rootkits after exploiting zero-day vulnerabilities, gaining deep control over VMs to conduct espionage and maintain long-term access. 'Reptile' provides backdoor access with capabilities for command execution and file transfers, while 'Medusa' is used for credential logging and command execution logging. UNC3886 has customized these rootkits for enhanced evasion and persistence, adjusting configuration settings and deployment scripts. In addition to rootkits, UNC3886 employs custom malware tools such as 'Mopsled' and 'Riflespine', leveraging platforms like GitHub and Google Drive for command and control. The group's recent targets include organizations across North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia. Detailed technical information on UNC3886's tools and methods, including VMCI backdoors, will be disclosed by Mandiant in future reports. | Details |
| 2024-06-20 17:41:04 | theregister | CYBERCRIME | Kraken Accuses Blockchain Firm CertiK of Multi-Million Dollar Extortion | Kraken, a major cryptocurrency exchange, has accused three security researchers from CertiK of exploiting a vulnerability to steal $3 million and then attempting extortion. The alleged security breach involved a UX update that improperly credited user accounts before deposits were confirmed, creating the potential for false inflation of account balances. Kraken's CSO, Nicholas Percoco, claims the issue was quickly identified internally, yet the researchers involved exploited it rather than reporting it responsibly. Despite initial cooperative discussions on the vulnerability, tensions escalated, with CertiK allegedly demanding further compensation beyond the return of the stolen funds. CertiK has denied deliberately withholding the funds and has highlighted aggressive demands and threats from Kraken's security team. The dispute has stirred significant attention on social media, where further allegations about CertiK's activities involving sanctioned entities have surfaced. Kraken is treating the incident as a criminal case and is coordinating with law enforcement, asserting that the researchers' actions were not in line with ethical hacking practices. | Details |
| 2024-06-20 15:48:26 | bleepingcomputer | CYBERCRIME | Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability | The CVE-2024-28995 vulnerability in SolarWinds Serv-U is being exploited, putting sensitive data at risk through unauthorized file access. Exploits and a proof-of-concept are publicly available, notably published by Rapid7 and an independent researcher. The vulnerability allows unauthenticated attackers to read arbitrary files on the system using specific HTTP GET requests. Between 5,500 and 9,500 internet-exposed instances may be vulnerable to this high-severity directory traversal flaw. SolarWinds has released a hotfix (version 15.4.2.157) to address this vulnerability by enhancing validation mechanisms. Attack attempts vary from manual to automated, with attackers adapting techniques based on server responses. The files most targeted in these attacks are those useful for gaining elevated privileges or further network compromise. SolarWinds urges system administrators to install the available updates promptly to mitigate the vulnerability. | Details |
| 2024-06-20 15:32:44 | bleepingcomputer | CYBERCRIME | CDK Global Faces Second Cyberattack Amid Recovery Efforts | CDK Global, a SaaS provider for car dealerships, experienced a second cyberattack while recovering from an earlier breach. The initial cyberattack caused CDK to shut down its data centers and IT systems, severely disrupting operations for car dealerships. Restoration attempts were underway when a subsequent cyber incident prompted another shutdown of most systems. The company is assessing the impact of the breaches with the help of external cybersecurity experts. Industry professionals have expressed concerns that CDK may be rushing to restore services, potentially increasing security risks. The repeated outages have impacted both car dealerships and their customers, affecting vehicle sales and servicing capabilities. CDK is engaging with its customers minimally, with plans to bring systems back online by June 21. There is ongoing worry that not fully resolving security issues before resuming operations could lead to additional cyberattacks and data theft. | Details |
| 2024-06-20 14:26:03 | thehackernews | MALWARE | Critical UEFI Firmware Vulnerability Patched Across Intel CPUs | Cybersecurity experts have identified a significant vulnerability in Phoenix SecureCore UEFI firmware, impacting numerous Intel CPU families. The flaw, tracked as CVE-2024-0762, is a buffer overflow in the TPM configuration that could allow attackers to execute malicious code. This vulnerability enables local attackers to escalate privileges and manipulate UEFI firmware, a foundational component of system security. Exploitation of such vulnerabilities is akin to a firmware backdoor, enabling attackers to maintain persistence and bypass OS-level security measures. Phoenix Technologies released a patch in April 2024, with additional updates provided by Lenovo to address the affected systems. The CPUs affected include AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. This vulnerability underscores the critical nature of securing UEFI firmware due to its high privileges and role in the initial system boot process. Such vulnerabilities pose significant risks to the supply chain, potentially impacting numerous devices and vendors globally. | Details |