Daily Brief
Find articles below; see 'DETAILS' for the generated summaries
Total articles found: 11811
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-12 04:39:32 | thehackernews | NATION STATE ACTIVITY | U.S. Agencies Directed to Investigate Russian Hack on Microsoft | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 24-02 to federal agencies after the Russian state-sponsored group Midnight Blizzard compromised Microsoft's corporate systems. Midnight Blizzard accessed Microsoft source code repositories and exfiltrated sensitive email correspondence, although Microsoft reported no compromise of customer-facing systems. Agencies must analyze the stolen emails for signs of compromise, reset any credentials exposed in them, and secure authentication tooling, particularly for privileged Microsoft Azure accounts. CISA requires affected agencies to complete a cybersecurity impact analysis by April 30, 2024 and to report their status by May 1, 2024. The directive also recommends strong passwords and multi-factor authentication to guard against similar intrusions. Microsoft account teams will assist other impacted organizations with questions and follow-up on the breach. | Details |
| 2024-04-11 23:34:46 | theregister | NATION STATE ACTIVITY | US Space Force Requires Private Sector Help to Compete Globally | The head of the US Space Force stressed the urgent need for collaboration between the military and the commercial sector to keep US leadership in space, which he called crucial to national security. General Chance Saltzman pointed to accelerating Chinese and Russian work on space capabilities that threaten US dominance, and warned that without rapid technology advances through public-private partnerships the US risks falling behind its adversaries. The Space Force has stood up its first unit focused on space threat analysis and engagement and plans to expand its capabilities with help from companies such as Booz Allen Hamilton. A new USSF strategy calls for a fundamental shift toward harnessing commercial space innovation to strengthen the US strategic position. The urgency is underscored by adversaries' space weapons, including reports of a Russian nuclear anti-satellite capability, and the Space Force emphasizes the need for rapid program development to counter these growing threats. | Details |
| 2024-04-11 22:31:35 | bleepingcomputer | MALWARE | CISA Launches Public Access to "Malware Next-Gen" Analysis Tool | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has opened its malware analysis platform, Malware Next-Gen, to the public. Originally built for government agencies, it now accepts suspicious files and URLs from anyone and runs them through static and dynamic analysis to identify malicious behaviour. Since its limited release in November 2023 the platform has processed more than 1,600 submissions and flagged around 200 suspicious or malicious files and URLs. Submitters must register with a login.gov account to receive results; anonymous submissions are accepted but get no analysis back. CISA positions the service as a way to speed up identification and analysis of new threats in support of national cybersecurity, asks for responsible use, and warns against submitting classified information. Analysis results are delivered in PDF and STIX 2.1 formats and are accessible only to CISA analysts and other authorized personnel. | Details |
| 2024-04-11 22:15:59 | bleepingcomputer | MISCELLANEOUS | OpenTable to Display First Names on User Reviews for Transparency | OpenTable will, from May 22, 2024, display diners' first names and profile pictures next to their reviews, ending fully anonymous reviews. The company says this will make reviews more credible and foster a community in which diners can trust each other's experiences. The change applies to past reviews as well as new ones, so existing feedback, including negative comments, will be tied to the reviewer's name. This raises privacy concerns: a restaurant can plausibly identify a diner from a first name combined with the visit date. OpenTable offers no setting to stay anonymous; the only workaround is changing the name on the account, which then also appears on reservations. OpenTable has not responded to questions about adding an option to keep reviewer identities private. | Details |
| 2024-04-11 22:05:02 | bleepingcomputer | CYBERCRIME | LastPass Employee Targeted in Deepfake CEO Impersonation Attempt | LastPass disclosed a failed attack in which an employee was contacted over WhatsApp with deepfake audio impersonating the company's CEO. The employee recognized the unusual channel and the hallmarks of social engineering, ignored the messages and reported the incident, and no company data was affected. The audio was most likely generated from public recordings of the CEO, showing that such impersonation is feasible with freely available material. LastPass published the incident to warn other organizations about the growing use of AI, especially deepfakes, for executive impersonation; the FBI and Europol have issued similar warnings. The case underlines the value of training employees to recognize and report unconventional threats. | Details |
| 2024-04-11 18:16:08 | bleepingcomputer | RANSOMWARE | Hoya Corporation Faces $10 Million Ransomware Demand | Hoya Corporation suffered a major cyberattack attributed to the Hunters International ransomware group, which is demanding a $10 million ransom. The attack caused significant IT disruption, halting production and order processing across several Hoya business units. The attackers claim to have exfiltrated roughly 1.7 million files, about 2 TB of data, and threaten to publish them unless the ransom is paid, under a stated "No Negotiation / No Discount Policy". Hunters International has not yet leaked any files or publicly claimed responsibility for the attack. Hoya has paused updates on its operational status since the attack, suggesting that production recovery and remediation are still under way. Hunters International is a Ransomware-as-a-Service operation previously linked to the Hive ransomware and known for indiscriminate targeting across sectors. The investigation into the full extent of the breach continues, with concern over the potential exposure of sensitive company data. | Details |
| 2024-04-11 17:50:15 | bleepingcomputer | NATION STATE ACTIVITY | CISA Orders Agencies to Mitigate Risks from Russian Microsoft Hack | CISA issued Emergency Directive 24-02 to U.S. federal agencies after the Russian APT29 group (Midnight Blizzard) breached Microsoft corporate email accounts. Agencies must analyze the affected emails, reset compromised credentials, and secure Microsoft Azure accounts. The directive applies to Federal Civilian Executive Branch agencies and requires a cybersecurity impact analysis by April 30, 2024. Microsoft and U.S. cybersecurity authorities have notified the federal entities whose emails were exfiltrated. The attackers gained their initial foothold through a password-spray attack against a non-production test tenant account; from there they reached data including the emails of Microsoft's leadership team and key departments. The intrusion adds to APT29's record of high-impact operations, including the 2020 SolarWinds supply chain attack. All organizations, whether directly affected or not, are advised to adopt stronger security measures. | Details |
| 2024-04-11 16:54:04 | bleepingcomputer | DATA BREACH | Six-Year-Old Lighttpd Vulnerability Affects Intel, Lenovo BMCs | A six-year-old vulnerability in the Lighttpd web server affects the Baseboard Management Controller (BMC) firmware of Intel and Lenovo servers. The flaw lets a remote attacker read process memory addresses, defeating Address Space Layout Randomization (ASLR) and making other memory-corruption bugs easier to exploit. Lighttpd's maintainers fixed the bug in 2018 but without a public advisory or CVE, so the firmware vendors that bundle Lighttpd never picked up the fix. Firmware security company Binarly found the unpatched code still shipping in devices, with nearly 2,000 exposed BMCs observed and likely more. Affected products include, but are not limited to, Intel and Lenovo systems, some with firmware released as recently as February 2023. The vendors said the affected models are end-of-life and will receive no further security updates, so they remain exposed until decommissioned. The case illustrates the long-term risk created by gaps in transparency along the firmware supply chain. | Details |
| 2024-04-11 15:32:37 | bleepingcomputer | DATA BREACH | Sisense Data Breach Affects Critical Infrastructure Organizations | CISA is investigating a data breach at Sisense, a business intelligence software provider. The breach has implications for critical infrastructure organizations across the United States and therefore raises national security concerns. Sisense, founded in 2004 and headquartered in New York City, counts Nasdaq and Verizon among its customers, which underscores the breach's potential reach. CISA is working with private industry partners to assess and mitigate the impact and to protect exposed systems. CISA advises all Sisense customers to reset any credentials that may have been used to access the platform and its services. The incident recalls last year's 3CX supply chain attack, which likewise affected critical infrastructure entities, and renews concern about recurring weaknesses in supply chain security. Customers are urged to report any suspicious activity or unauthorized access involving their Sisense accounts to CISA to support the investigation. | Details |
| 2024-04-11 15:01:48 | theregister | DATA BREACH | US Hospital Websites Share Visitor Info with Third Parties | A University of Pennsylvania study found that 96% of US non-federal acute care hospital websites transmit visitor data to third parties such as Google and Meta. An earlier study measured 98.6%, so the rate has improved only slightly. Only 71% of the hospital websites examined had a privacy policy, and of those just 56% named the third parties receiving data. Data commonly collected includes IP addresses, browser details, pages visited and referring sites. Some hospitals also share data with less prominent recipients such as Adobe and various data brokers and marketing firms. The practice poses a significant privacy risk, since browsing information tied to health services can be used without visitors' explicit consent. No federal law requires hospitals to post a website privacy policy, but undisclosed data sharing still exposes them to regulatory risk. | Details |
| 2024-04-11 14:56:26 | bleepingcomputer | DATA BREACH | CISA Investigates Data Breach Impacting Critical Infrastructure | CISA is investigating a data breach at Sisense, a data analytics company whose customers include critical infrastructure operators. With more than 2,000 customers worldwide, the breach potentially affects numerous critical infrastructure organizations across the U.S. The company, founded in 2004 and headquartered in New York, sells business intelligence software globally. CISA has partnered with private industry experts to establish the full scope of the incident and to formulate a response. Affected parties are advised to reset all potentially compromised credentials and to report suspicious activity linked to the breach. Sisense has not yet published details of the incident or mitigation guidance. The breach follows the pattern of last year's 3CX supply chain attack, which also reached critical infrastructure providers. | Details |
| 2024-04-11 14:31:08 | bleepingcomputer | MISCELLANEOUS | Streamlining IT Offboarding with Automation Technology | Ineffective IT offboarding leads to security incidents, unexpected costs and lost resources when departing employees' accounts are not fully deprovisioned. Automation is said to cut offboarding time and effort by up to 90% while handling tasks such as revoking OAuth grants and resetting passwords. Nudge Security, a SaaS management platform, supports offboarding by discovering and managing every cloud and SaaS account a departing employee created. Its automated workflow revokes access to SSO-managed accounts, transfers ownership of critical resources and reviews app-to-app integrations; it also revokes access to unmanaged accounts and OAuth-authorized apps and cleans those accounts up after offboarding. The final steps send automated notifications for account cleanup and resource reallocation and record all offboarding activity in a report. The tool is positioned as saving time and protecting corporate data while fitting into existing IT processes and best practices. | Details |
| 2024-04-11 14:31:08 | bleepingcomputer | CYBERCRIME | Apple Alerts Users Globally of Mercenary Spyware Attacks | Apple has sent threat notifications to iPhone users in 92 countries warning of targeted mercenary spyware attacks designed to compromise their devices remotely. Apple advises recipients to enable Lockdown Mode, update their devices, and seek help from the Digital Security Helpline. Such attacks use sophisticated spyware like NSO Group's Pegasus against specific individuals, including journalists, activists and political figures. Apple's updated spyware support page stresses that these well-funded attacks are an ongoing global threat, without attributing them to specific state actors or regions. Apple reaffirms its commitment to detecting the attacks, alerting targets and helping them secure their devices. Notifications are delivered by email and iMessage to the addresses and phone numbers on file and also appear when the user signs in to the Apple ID portal, so recipients can confirm that a warning is genuine. Apple notes that the extreme cost and sophistication of these attacks make them hard to detect and give them a short shelf life. | Details |
| 2024-04-11 14:09:37 | thehackernews | DATA BREACH | Over 11,000 Exposed Secrets in PyPI and GitHub Uncovered | GitGuardian's 2024 report counts 12.8 million new secrets exposed on public GitHub and more than 11,000 on the Python Package Index (PyPI). About 1,000 of the PyPI secrets were added in 2023, showing that the problem persists even on a repository far smaller than GitHub. The exposure is long-lived: nearly 100 secrets published in 2017 were still valid six to seven years later. The most commonly leaked credentials include OpenAI API keys, Google API keys and Google Cloud keys, all of which have recognizable formats that scanning tools detect easily. Honeytokens planted on GitHub were accessed by bots within minutes, so a real secret is at risk as soon as it is published. The report stresses revoking any secret immediately once its exposure is discovered, since removing the commit or release does not undo the leak, and calls for vigilance and proactive scanning to keep credentials out of source code repositories. | Details |
| 2024-04-11 12:12:33 | bleepingcomputer | MISCELLANEOUS | DuckDuckGo Unveils Privacy Pro VPN and Security Services | DuckDuckGo has launched a paid subscription, Privacy Pro, bundling a VPN, a personal information removal service and identity theft restoration. The company started as a privacy-focused search engine in 2008 and has steadily expanded into privacy tools and services. The VPN uses the WireGuard protocol under a strict no-logs policy, is built into the DuckDuckGo browser, and covers up to five devices. Privacy Pro costs $9.99 per month or $99.99 per year, which DuckDuckGo pitches as cheaper than buying the three services separately. The VPN cannot currently be paid for in cryptocurrency and offers a limited set of server locations in the US, Canada and Europe. The Personal Information Removal service automates deletion of user data from data broker sites to reduce the risk of identity theft. Identity Theft Restoration, delivered in partnership with Iris, provides personalized assistance recovering from identity theft. Privacy Pro is initially available only to U.S.-based customers, with no expansion timeline given. | Details |