Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12731
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-13 19:53:15 | bleepingcomputer | DATA BREACH | New York Times GitHub Repo Breach Exposes Freelancer Data | The New York Times experienced a data breach in January 2024 involving its GitHub repositories, affecting numerous freelancers. Sensitive personal information was accessed, including names, contact details, and additional personal and professional data. The compromised data amounted to about 273GB and includes source code and internal documentation, which was leaked on 4chan. Affected data was primarily that of freelance visual contributors; full-time staff was reportedly not impacted. The breach originated from exposed credentials that permitted unauthorized access to the GitHub repos. The Times has informed affected individuals and advised precautions to secure personal information and strengthen account security. This incident has raised concerns regarding the safeguarding of sensitive information within external development platforms like GitHub. | Details |
| 2024-06-13 18:46:47 | bleepingcomputer | RANSOMWARE | Toronto District School Board Hit by Ransomware Attack | The Toronto District School Board (TDSB), Canada's largest school board, experienced a ransomware attack on its technology testing environment. TDSB is investigating potential exposure of sensitive information following the unauthorized access by a third party. The attack was contained in the testing environment with no disruption to the board's operational systems or daily activities. TDSB, serving roughly 247,000 students and employing 40,000 staff, is working with law enforcement and cybersecurity experts to assess the breach's scope. All individuals potentially impacted by the data breach will be notified as the investigation progresses. No major ransomware groups have claimed responsibility for the incident so far. The incident has been reported to both the Toronto Police Service and the Information and Privacy Commissioner of Ontario. | Details |
| 2024-06-13 18:36:17 | bleepingcomputer | DATA BREACH | Panera Bread Notifies Employees of Data Breach Post-Ransomware Attack | Panera Bread experienced a ransomware attack in March, compromising sensitive employee data. The breach was detected by Panera, which then engaged external cybersecurity experts for investigation and containment. Notification letters were sent to affected employees, disclosing potential exposure of names, Social Security numbers, and other employment-related information. No evidence currently suggests that the stolen data has been publicly disclosed or misused. Impacted employees are offered a one-year subscription to identity and credit monitoring services. The attack caused significant disruptions to Panera's operations, including a week-long IT systems outage affecting sales, employee scheduling, and customer rewards services. Details about the number of affected employees, the specific ransomware involved, and confirmation of a ransom payment remain undisclosed. | Details |
| 2024-06-13 17:34:48 | bleepingcomputer | MALWARE | Google Patches Zero-Day Exploit Across Pixel Devices | Google has issued patches for 50 security issues affecting its Pixel smartphones, including a high-severity zero-day being actively exploited. The exploited vulnerability, identified as CVE-2024-32896, allowed for elevation of privilege on Pixel firmware and was used in targeted attacks. GrapheneOS reported that the vulnerability, originally tagged as CVE-2024-29748, was actively exploited by forensic companies to defeat security features like duress PIN/password systems. The flaw has been fixed in the June 2024 update for devices running Android 14, but older versions may not receive this critical fix unless upgraded to Android 15. Google emphasized the urgency of installing the latest update to prevent potential misuse of this and other critical vulnerabilities in its devices. To enhance security, Pixel users are advised to manually install the June security updates through their device settings. In related news, another significant vulnerability in Arm's GPU drivers, also exploited in the wild, was identified and publicized earlier in the month. | Details |
| 2024-06-13 17:24:21 | bleepingcomputer | CYBERCRIME | Exploit Released for Critical Veeam Orchestrator Flaw, Users Urged to Patch | A PoC exploit for CVE-2024-29855, a critical authentication bypass flaw in Veeam Recovery Orchestrator, has been published. The vulnerability allows unauthenticated attackers to gain administrative access via a hardcoded JWT secret used across installations. CVE-2024-29855 is rated critical with a CVSS v3.1 score of 9.0, affecting versions 7.0.0.337 and 7.1.0.205 and earlier. Attackers can generate valid JWT tokens by deducing usernames from the SSL certificate's CN field and iterating through a finite list of roles. The security researcher demonstrated that additional, supposedly required conditions for exploitation could be bypassed or simplified. Veeam has released patched versions of the software and recommends immediate updates to mitigate the risk. The public availability of the exploit increases the urgency for affected organizations to patch vulnerable systems promptly. | Details |
| 2024-06-13 16:33:13 | theregister | CYBERCRIME | Ukrainian Police Arrest Key Ransomware Programmer in Kyiv | Ukrainian police have arrested a 28-year-old Kyiv programmer linked to major Conti and LockBit ransomware attacks across Europe. The suspect, whose identity remains confidential, is accused of developing encryption tools that concealed viruses as harmless files, aiding in the evasion of popular antivirus software. If convicted under the Criminal Code of Ukraine for abusing computer systems, the individual could face up to 15 years in prison. The arrest is part of Operation Endgame, a broader Europol-led initiative aimed at dismantling cybercriminal networks and infrastructure such as malware loaders and botnets. Dutch authorities identified the programmer's involvement in specific ransomware attacks on a multinational corporation in 2021. The arrest occurred on April 18, but details were only recently publicized, highlighting ongoing international efforts to combat ransomware. Ukrainian and other international law enforcement agencies continue to target LockBit affiliates, with recent activities affecting the gang's operations although not completely disabling it. | Details |
| 2024-06-13 14:10:16 | thehackernews | CYBERCRIME | 'Sleepy Pickle' Exploits Machine Learning with Pickle Files | A new attack named "Sleepy Pickle" has been identified, targeting machine learning (ML) models through the Pickle serialization format. Sleepy Pickle injects malicious payloads into ML model files to manipulate model behavior, such as tampering with model weights or modifying input and output data. The attack relies on delivery techniques including adversary-in-the-middle attacks, phishing, supply chain vulnerabilities, and exploiting system weaknesses to get the payload onto the target. Once the malicious pickle file is deserialized, it can change the ML model in real time, enabling backdoors or data tampering that can generate dangerous or misleading outputs. This represents a significant supply chain threat, as the compromised ML model can affect downstream users unknowingly. Trail of Bits warns that such attacks can maintain access and control over ML systems without being detected, as the models are altered when the pickle files are loaded. Recommendations include only loading ML models from trusted sources, using signed commits, or relying on safer serialization formats like TensorFlow or Jax with enhanced security measures. | Details |
| 2024-06-13 14:04:52 | bleepingcomputer | MISCELLANEOUS | Enhancing Security: The Evolving Landscape of Multi-Factor Authentication | Multi-factor authentication (MFA) significantly increases security, protecting businesses and individuals from cyber threats. MFA, including two-factor authentication, involves multiple security steps beyond just passwords, such as biometric verification. Authorities like the US Cybersecurity and Infrastructure Security Agency (CISA) support MFA, emphasizing its role in preventing unauthorized access even if a password is compromised. The global MFA market is expanding rapidly, projected to double by 2027, with strong adoption due to increasing regulatory requirements. New regulations like PCI-DSS 4.0 and PSD2 in the EU mandate MFA to enhance security in financial transactions and protect sensitive data environments. Despite its strengths, MFA can be compromised through tactics like prompt bombing, which exploits user fatigue from repeated login prompts. Regulatory bodies and organizations are pushing for phishing-resistant MFA to counteract sophisticated cyberattack techniques. Proper implementation and ongoing adaptation of MFA practices are essential for organizations to protect against evolving cyber threats and comply with tightening regulations. | Details |
| 2024-06-13 13:59:27 | thehackernews | NATION STATE ACTIVITY | Arid Viper's Ongoing Mobile Espionage Efforts via AridSpy Malware | Arid Viper, suspected to be affiliated with Hamas, has launched multiple mobile espionage campaigns using trojanized Android apps. The malware, known as AridSpy, has been embedded into apps that mimic messaging services and job opportunity apps, targeting users primarily in Palestine and Egypt. Trojanized versions of legitimate apps, including variants that replicate the functionality of apps available on official platforms, deploy AridSpy, which then carries out multifunctional spying activities. ESET researchers identified that these campaigns are still actively distributing malware through websites specifically crafted for this purpose, including a fake Palestinian Civil Registry site. AridSpy is a multi-stage trojan capable of downloading further malicious payloads from a command-and-control server once the initial breach is accomplished. Data exfiltration techniques include taking front-camera pictures under specific conditions, alongside other data harvesting methods driven by remote commands. Efforts to combat this threat have been hindered by the malware's ability to continue functioning even after the initial host app is uninstalled, posing significant challenges to detection and removal. | Details |
| 2024-06-13 13:33:40 | theregister | DATA BREACH | Privacy Advocates Charge Google with Misleading Tracking Practices | Privacy group noyb filed a GDPR complaint against Google's Privacy Sandbox, alleging it deceives Chrome users by enabling disguised tracking. Introduced in 2023, the Privacy Sandbox API aims to replace third-party cookies with a system where ads are shown based on user interests directly through the browser. Despite claims of enhancing user privacy, the complaint alleges that the API instead lets Google perform first-party tracking directly within the Chrome browser. Users opting into the feature under the premise of increased privacy were unknowingly consenting to Google's internal ad tracking. Legal concerns revolve around the lack of the transparent, informed consent required by GDPR, with noyb accusing Google of outright lying to users. Google defended its consent mechanism, claiming it complies with legal standards under GDPR. The UK's Competition and Markets Authority has also expressed concerns over privacy issues with the Sandbox, prompting a delay in phasing out third-party cookies until 2025. | Details |
| 2024-06-13 11:36:19 | theregister | DATA BREACH | Improper Disposal Leads to NHS Patient Data Breach | A medical student caused a data breach by improperly disposing of confidential NHS documents in household waste. The breached data, including sensitive patient information, was found scattered in a back alley in Jesmond, Newcastle. The incident involved personal details from at least two patients' records marked "Private and Confidential." The Cumbria, Northumberland, Tyne and Wear NHS Trust has recovered the documents and contacted the affected individuals. A full investigation has confirmed that all compromised data was retrieved, and measures are being taken to prevent future occurrences. The NHS provides training on information governance to all medical students, emphasizing the importance of data confidentiality. The trust is using the incident as a learning opportunity to enhance its policies on data protection and handling. The trust did not comment on any disciplinary actions against the student responsible for the data breach. | Details |
| 2024-06-13 11:30:59 | thehackernews | MISCELLANEOUS | Comprehensive Guide to Enhance SaaS Security and Compliance | Recent increases in cyber-attacks on supply chains are driving stricter cybersecurity laws, notably within the finance sector, with expectations for similar regulatory adoption across additional industries. Many organizations lack effective ways to handle the urgent security and compliance demands associated with SaaS and AI technologies, even though free tools offer basic help for managing SaaS sprawl and shadow IT. Emerging regulations demand extended SaaS risk lifecycle management from discovery to incident reporting, which must happen within strict deadlines (e.g., 72 hours for reporting supply chain incidents). Effective SaaS security encompasses identifying all third-party services, assessing risks, setting clear usage policies, and enforcing them continuously because of rapid application turnover. There is a focused effort on reducing the attack surface by limiting approved SaaS providers and improving security configurations, evidenced by implementing tougher measures like multi-factor authentication. Incident detection and response readiness is critical, with regulatory requirements pushing for rapid reporting of third-party breaches. Tools like Wing Security's new tiered offerings help organizations incrementally build their SaaS security capabilities, from basic risk assessments to comprehensive policy enforcement, suitable for various business sizes and maturity levels. | Details |
| 2024-06-13 10:29:47 | thehackernews | NATION STATE ACTIVITY | Evolving Pakistan-Linked Malware Targets Multiple OS Platforms | Threat actors associated with Pakistan have been actively conducting a malware campaign known as Operation Celestial Force, targeting platforms including Windows, Android, and macOS. The campaign, operational since at least 2018, utilizes a growing suite of malware tools such as GravityRAT and HeavyLift, managed by a standalone tool called GravityAdmin. GravityRAT, first identified in 2018 targeting Indian entities, has evolved from Windows malware into a multi-platform tool that also functions on Android and macOS. Recent findings tie the continued use of the Android version of GravityRAT to attempts to compromise military personnel in India, with the malware disguised as various legitimate applications. The overarching operations are managed by Cosmic Leopard, leveraging spear-phishing and social engineering tactics to distribute malware through malicious links. GravityAdmin, documented since August 2021, facilitates orchestration of the malware attacks, interacting with command-and-control servers to manage infected systems. The newly identified HeavyLift malware, targeting Windows and macOS, focuses on extracting system metadata and receiving commands from a central server, indicating persistent and evolving cyber espionage activities linked to nation-state interests. | Details |
| 2024-06-13 10:24:25 | thehackernews | MALWARE | New PhantomLoader Aids SSLoad Malware Deployment Across Networks | The SSLoad malware is distributed using PhantomLoader, a new type of loader that employs binary patching and self-modifying code to hide inside legitimate software and evade detection. Researchers identified that PhantomLoader compromises systems by masquerading as a DLL file for antivirus products, specifically 360 Total Security. SSLoad is utilized in phishing campaigns to perform initial reconnaissance and subsequently download additional malware payloads. The malware operates under a Malware-as-a-Service model, suggesting it is available for use by various threat actors. SSLoad has capabilities for system fingerprinting and sending gathered data to a command-and-control server, which then further instructs the malware to deploy more malicious content. The use of a Telegram channel as a dead drop resolver highlights advanced tactics for remote command-and-control communication. SSLoad incorporates sophisticated evasion techniques including dynamic string decryption and anti-debugging measures, indicating a high level of complexity and adaptability in its operations. Aside from SSLoad, other types of malware like JScript RAT and Remcos RAT have also been noted as part of phishing efforts aiming for long-term access and control over compromised systems. | Details |
| 2024-06-13 08:06:42 | thehackernews | CYBERCRIME | Ukraine Arrests Man Linked to Major Ransomware Syndicates | Ukrainian Cyber Police arrested a 28-year-old man suspected of developing encryption tools for the LockBit and Conti ransomware groups. The suspect from Kharkiv allegedly created crypters to evade detection by security software, which were subsequently used in ransomware attacks in the Netherlands and Belgium. During raids in Kyiv and Kharkiv, authorities seized computers, mobile phones, and notebooks; the man faces up to 15 years of imprisonment if convicted. The arrest was part of Operation Endgame, an international effort among law enforcement agencies aimed at dismantling cybercriminal infrastructure. Recent global law enforcement activities included the arrest of a Taiwanese national running a dark web narcotics market and a blockchain analysis website. The crackdown signifies intensified international cooperation to combat cybercrime, addressing botnets and ransomware distribution networks. Cybercrime tactics involve using social engineering and credential theft for lateral movement and account takeovers, highlighting the need for enhanced verification processes. | Details |