Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-04-10 11:06:26 | thehackernews | MISCELLANEOUS | Cynomi AI vCISO Platform Boosts Cybersecurity for SMBs and MSPs | The Cynomi AI-driven vCISO platform is designed to help MSPs, MSSPs, and consulting firms offer scalable vCISO services without overextending resources. Cynomi models its services on the expertise of top CISOs, providing tools for security assessments, compliance readiness, policy creation, and task management. The platform supports multi-tenancy, allowing service providers to manage separate accounts for each client, centralizing client management and maintaining high-level control. New client onboarding involves detailed questionnaires that assess their current security posture and create custom policies and remediation plans. The platform performs both internal and external scans to identify vulnerabilities, which are then integrated into the client’s task list for remediation. Cynomi offers continuous compliance assessments against various frameworks and dynamically updates client profiles based on regulatory changes and threat intelligence. Security policies and tasks generated by Cynomi are actionable and prioritized, designed to streamline processes and cut down task completion time. Cynomi’s continuous optimization helps maintain up-to-date risk assessments and demonstrates the value of strategic cybersecurity services to clients. |
| 2024-04-10 11:06:26 | bleepingcomputer | MALWARE | GitHub Repositories Exploited to Spread Keyzetsu Malware | Threat actors are exploiting GitHub's automation features to distribute a new variant of Keyzetsu clipboard-hijacking malware. Malicious Visual Studio project files on GitHub infect users with malware that substitutes copied cryptocurrency addresses. GitHub repositories involved are artificially boosted in popularity using high-frequency updates and fake account endorsements. The malware is often embedded in Visual Studio build events, executing harmful scripts during the build process. On April 3, 2024, the campaign started using an encrypted payload too large for security scanners like VirusTotal to analyze efficiently. The Keyzetsu malware monitors the Windows Clipboard for cryptocurrency addresses, replacing them with addresses controlled by the attackers. To avoid detection, the malware establishes a scheduled task in Windows, executing without user interaction at predetermined times. Organizations are advised to scrutinize GitHub repositories for signs of tampering, such as frequent updates and suspicious account activity. |
| 2024-04-10 10:46:21 | theregister | CYBERCRIME | X Fixes URL Issue Posing Phishing Threat on Platform | Elon Musk's company X (formerly Twitter) corrected a significant error that transformed URLs within posts improperly, potentially facilitating phishing attacks. The flawed implementation on the iOS app changed all mentions of "Twitter" in URLs to "X," misdirecting users to different websites than what appeared as legitimate, branded URLs. This bug allowed postings such as netflitwitter.com to appear as netflix.com, misleading users to unauthorized and potentially harmful websites. Fortunately, an attentive "Xeeter" registered the misleading domain netflitwitter[.]com, preventing its exploitation by malicious entities. The vulnerability was active for potentially more than nine hours, based on user reports, and has since been corrected to display actual URLs. Despite the fix, X did not comment publicly on the blunder or provide details on how long the issue was present, maintaining a low profile. This incident raises concerns about brand trust and user safety on the platform, potentially leading to data theft or malware if exploited by cybercriminals. |
| 2024-04-10 09:46:07 | thehackernews | MALWARE | First Native Spectre v2 Exploit Disclosed Against Linux Kernel | Researchers from VUSec at Vrije Universiteit Amsterdam have revealed a new Spectre v2 exploit targeting the Linux kernel on Intel systems, capable of reading sensitive data from memory. The exploit, termed Native Branch History Injection (BHI), effectively bypasses existing mitigations and allows leakage of kernel memory at a rate of 3.5 kB/sec. Unlike previous techniques, Native BHI does not rely on unprivileged eBPF, showing that it can circumvent countermeasures that involve disabling unprivileged eBPF. The flaw, identified as CVE-2024-2201, impacts all Intel systems vulnerable to BHI, enabling attackers to manipulate speculative execution paths to extract data. CERT/CC issued an advisory stating that conventional mitigation strategies like disabling unprivileged eBPF and enabling (Fine)IBT are insufficient in preventing exploitation. The vulnerability was confirmed to affect multiple platforms including Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen, while AMD reported no impact on its products. These findings follow other significant disclosures, including the GhostRace and Ahoi Attacks, which similarly exploit speculative execution vulnerabilities to compromise security. |
| 2024-04-10 09:05:55 | thehackernews | MISCELLANEOUS | Free Webinar Highlights Hidden Identity Security Risks | An upcoming webinar focuses on the often-ignored Identity Threat Exposures (ITEs) in digital security systems. ITEs include misconfigurations, forgotten accounts, and outdated settings that allow hackers to breach security unnoticed. The session will leverage real-world examples and insights from Silverfort's latest report to illustrate vulnerabilities. The webinar aims not only at tech professionals but also at business leaders seeking to enhance their security posture. Participants will gain critical knowledge on how to protect their digital identity, a crucial asset, against sophisticated threats. The event promises actionable insights and tools to identify and rectify ITEs to fortify digital defenses. It emphasizes a comprehensive understanding of these exposures, described as "X-ray vision" for digital security. |
| 2024-04-10 08:45:51 | theregister | DATA BREACH | Managing Third-Party Security Risks with Threat Intelligence | A significant 29% of security breaches are facilitated by third parties, either by data theft from vendors or using vendor systems to access sensitive information. Breaches involving third-party vendors are likely under-reported, highlighting the critical need for robust third-party risk management. Many organizations utilize threat intelligence platforms; however, the effectiveness of these tools in identifying and managing third-party risks can vary. The webinar hosted by Silobreaker features CISO Andy Grayland discussing how to leverage threat intelligence to mitigate third-party security threats. The discussion will focus on practical tips for security teams on data collection, risk correlation, and proactively managing third-party vulnerabilities. Real-time insights on emerging third-party risks and their management will be provided, crucial for organizations looking to safeguard sensitive data against indirect exposure. The event aims to equip attendees with enhanced strategies and tools for identifying and mitigating potential third-party risks impacting their operations. |
| 2024-04-10 06:45:18 | theregister | MISCELLANEOUS | Google Launches Chrome Enterprise Premium With Enhanced AI Security | Google has introduced Chrome Enterprise Premium, a paid version of its browser, priced at $6 per user per month, offering advanced security features. The new service includes AI-driven security enhancements capable of mitigating data exfiltration risks in both sanctioned and unsanctioned applications. Chrome has historically differentiated itself by emphasizing robust security features as a core component of its browser offering. Additional benefits of Chrome Enterprise Premium include enterprise controls for policy management, software updates, and support for protocols such as RDP, SCP, and SSH. Nick Reva from Snap reported a 50% reduction in sensitive content transfer with the implementation of data loss prevention measures aimed at generative AI platforms. The release reflects a broader trend where browsers are increasingly becoming central platforms for enterprise software distribution, intelligence gathering, and remote work security. Chrome's decision to introduce a premium service aligns with Gartner's prediction that browsers will play a more pivotal role in enterprise computing by 2030. |
| 2024-04-10 05:04:50 | thehackernews | MALWARE | Microsoft's Massive April Patch Update Targets 149 Flaws | Microsoft has addressed a record 149 vulnerabilities in its latest April 2024 security update, incorporating patches for two zero-day flaws actively exploited. Critical vulnerabilities fixed include severe issues in Microsoft Azure Kubernetes Service and bypasses in Microsoft Defender SmartScreen. One of the actively exploited vulnerabilities, CVE-2024-26234, involved a malicious executable signed by an official Microsoft certificate, acting as a network backdoor. This security flaw traces back to software published by Hainan YouHu Technology, although there is no evidence suggesting intentional malicious embedding. Another significant threat, CVE-2024-29988, enables attackers to bypass security features through specially crafted files, requiring user interaction to be activated. In total, the vulnerabilities remediated span remote code execution, privilege escalation, security feature bypass, and denial-of-service categories. The patch release follows critical observations by the U.S. Cyber Safety Review Board on Microsoft's past inadequacies in handling cybersecurity threats and espionage campaigns. |
| 2024-04-10 03:24:26 | thehackernews | MALWARE | Critical 'BatBadBut' Flaw Threatens Windows with Command Injections | A critical vulnerability in the Rust standard library, labeled CVE-2024-24576, allows command injection on Windows systems. The flaw, assigned a maximum-severity CVSS score of 10.0, affects versions of Rust prior to 1.77.2. Specifically, the vulnerability stems from improper argument escaping when invoking batch files with '.bat' or '.cmd' extensions via Rust's Command API. An attacker can exploit this flaw by manipulating the arguments passed during batch file execution, leading to arbitrary command execution. Rust's inadequate validation of command invocation in the Windows environment is identified as the core issue. Security expert RyotaK, who reported the issue, advises developers to segregate batch files from common directory paths as a preventative measure. The broader implications of the flaw suggest potential risks in other programming languages that have not yet addressed similar weaknesses. |
| 2024-04-10 00:23:48 | theregister | CYBERCRIME | Microsoft Updates Security to Combat Exploited Flaws | Microsoft addressed 149 security vulnerabilities, including an actively exploited Windows proxy driver spoofing vulnerability tracked as CVE-2024-26234. Another critical flaw under exploitation, CVE-2024-29988, allowed attackers to bypass the SmartScreen security feature, crucial for defending against untrusted sites and malware. The Patch Tuesday update highlighted necessary actions against vulnerabilities, noting that only three of the 70 remote code execution flaws were rated critical, those being in Microsoft Defender for IoT. Adobe, VMware, Cisco, and other tech giants also issued significant security patches focusing on closing dozens of vulnerabilities to prevent potential threats. SAP patched notable security notes including vulnerabilities that could allow simple passwords, reveal sensitive information, or enable directory traversal. Fortinet resolved critical bugs in its products that could allow unauthorized administrative access or information disclosure under specific conditions. This collective effort by major software companies emphasizes the ongoing challenges and critical need for timely updates in cybersecurity defenses. |
| 2024-04-09 20:22:48 | bleepingcomputer | MALWARE | Critical Rust Library Flaw Triggers Windows Command Injection | A critical security vulnerability in the Rust standard library, identified as CVE-2024-24576, allows threat actors to perform command injection attacks on Windows systems. The flaw is due to OS command and argument injection weaknesses, enabling attackers to execute unexpected and potentially harmful commands without user interaction. GitHub has assigned this vulnerability a maximum severity rating of 10/10, emphasizing its critical nature for unauthenticated and remote exploitation. All versions of Rust prior to 1.77.2 on Windows are at risk, particularly if they employ batch files (.bat and .cmd) with untrusted arguments. The Rust Security Response WG improved the Command API to deal with cmd.exe's complexity after failing to find a universally safe method for argument escaping. In certain cases, if argument escaping is not possible, the Rust Command API now returns an InvalidInput error, encouraging developers to handle escaping on their own or use trusted inputs. Additional vulnerabilities were revealed by Flatt Security engineer RyotaK, affecting other programming languages, though not all have issued patches. RyotaK also advised moving batch files to a directory outside the PATH environment variable to mitigate risks of unintended execution. |
| 2024-04-09 18:22:17 | bleepingcomputer | DATA BREACH | Ransomware Gang Exposes Personal Health Data of Over 500,000 | Group Health Cooperative of South Central Wisconsin (GHC-SCW) suffered a ransomware attack in January, leading to unauthorized access by a ransomware gang. The incident resulted in the theft of personal and medical data of 533,809 individuals, including sensitive information such as social security numbers and Medicare details. Although the attackers failed to encrypt the data, they did steal it, which they later confirmed by contacting GHC-SCW. GHC-SCW responded swiftly by isolating its systems with the help of external cybersecurity professionals, which prevented further damage. The organization is taking additional security measures and advises affected individuals to monitor communications from healthcare providers for any suspicious activity. Following an investigation, the BlackSuit ransomware gang, a suspected successor to the Conti cybercrime group, claimed responsibility for the attack. The FBI and CISA have linked this gang to numerous global attacks and significant ransom demands. |
| 2024-04-09 18:02:12 | theregister | MALWARE | LG Smart TVs Vulnerable to Malware Due to WebOS Flaws | Security vulnerabilities in LG smart TVs running WebOS versions 4 through 7 enable attackers to gain unauthorized root access. Over 91,000 devices are potentially exposed online, allowing remote attackers to execute commands and access TV controls. Root access facilitates various malicious activities including spying, malware distribution, utilizing TVs in botnets, and tampering with home network security. The vulnerabilities were initially detected by Bitdefender Labs researcher Alexandru Lazăr, who identified four critical flaws requiring effective patching. Flaw CVE-2023-6317 allows attackers to bypass PIN verification during account setup on the TV, escalating privileges without owner consent. LG has issued a software update to patch these vulnerabilities following a delay after researchers disclosed them responsibly. Users are urged to check their TVs for the latest WebOS updates to ensure protection against potential exploitation of these security gaps. |
| 2024-04-09 17:42:05 | bleepingcomputer | MALWARE | Microsoft's Latest Patch Tuesday Addresses Two Zero-Days | Microsoft's April 2024 Patch Tuesday included updates for 150 security vulnerabilities, with a focus on correcting 67 remote code execution (RCE) flaws. Over half of the RCE issues pertained to Microsoft SQL drivers exhibiting a potentially shared vulnerability. Notably, this update cycle addressed two zero-day vulnerabilities that were being actively exploited in malware attacks, which Microsoft initially failed to report as exploited. One of the zero-days involved a driver spoofing vulnerability signed with a valid Microsoft Hardware Publisher Certificate, used to deploy a known backdoor. Another zero-day allowed attackers to bypass Microsoft Defender SmartScreen prompts, aiding the deployment of the DarkMe RAT in spearphishing campaigns targeting financial trading platforms. The patch also included fixes for 26 Secure Boot bypass issues, with contributions from other vendors like Lenovo. Microsoft faces ongoing challenges with unpatched vulnerabilities in SharePoint, which allow covert file access and exfiltration. |
| 2024-04-09 15:41:32 | bleepingcomputer | CYBERCRIME | RUBYCARP Botnet Exploits Networks for Cryptomining and Fraud | Romanian hacker group RUBYCARP operates a sophisticated botnet targeting corporate networks, primarily exploiting vulnerabilities for financial gain. Over 600 compromised servers are controlled via IRC channels, with 39 Perl-based shellbot variants identified, showing low detection rates. The botnet, active for at least a decade, occasionally shares tactics with the Outlaw APT group but remains distinct in its operations. Recent attacks focus on brute-forcing SSH servers, exploiting Laravel applications, and deploying phishing schemes using credential dumps. Compromised servers are utilized for DDoS attacks, financial fraud, phishing, and cryptocurrency mining, affecting multiple digital assets. RUBYCARP employs advanced evasion techniques, frequently rotating their command and control infrastructure to avoid detection. The group’s activities include the sale of cyber weapons and tools, indicating a significant threat capability beyond typical botnet operations. |