Daily Brief

Total articles found: 12730

Checks for new stories every ~15 minutes

2024-06-09 14:43:23 bleepingcomputer MALWARE Malicious VSCode Extensions Expose Major Security Risks
Israeli researchers demonstrated a security gap in the Visual Studio Code Marketplace by "infecting" over 100 organizations with a trojanized extension. The experiment involved a fake version of the 'Dracula Official' theme, renamed 'Darcula,' which included hidden malicious code. The malicious script in the 'Darcula' extension collected system information and sent it to a remote server without being detected by endpoint security tools. Significant entities, including a major publicly listed company and national security organizations, inadvertently installed this compromised extension. Researchers developed 'ExtensionTotal,' a tool to identify and analyze suspicious extensions in the Visual Studio Code Marketplace. The findings underscore a dire need for improved monitoring and security measures on the platform as malicious actors can exploit these vulnerabilities. Microsoft has been notified about these security risks, but many malicious extensions remain available for download, posing ongoing threats to users.
2024-06-09 14:22:40 bleepingcomputer CYBERCRIME Malicious VSCode Extensions Impact Major Companies Worldwide
Israeli researchers infected over 100 organizations by publishing a trojanized copy of the popular 'Dracula Official' theme in the Visual Studio Code Marketplace. The dubious extension, named 'Darcula', mimicked the original theme but included a script that harvested system information and transmitted it back to the creators. High-profile targets, including a major global company with a $483 billion market cap and significant institutions like national justice networks, were affected. The malicious extension evaded detection systems due to the lenient security controls applied to development environments like VSCode. Security experts used a new tool, 'ExtensionTotal,' to identify high-risk extensions and reported their findings to Microsoft, though many suspicious extensions are still available. The absence of stringent code review mechanisms in the Visual Studio Code Marketplace facilitates ongoing exploitation by cybercriminals. The researchers are set to release 'ExtensionTotal' publicly, aiming to help developers identify and mitigate potential threats in their VSCode environments.
2024-06-09 12:15:38 theregister MALWARE Akira Ransomware Emerges as a Potent Cyber Threat
Akira ransomware, though less well known, poses a threat comparable to major malware families like BlackCat or LockBit. Scott Small, Tidal Cyber's director of cyber threat intelligence, notes that Akira's capabilities and intent could significantly impact many organizations. Akira targets both modest-sized and larger organizations, exploiting well-known vulnerabilities and using less common tactics such as FTP for data exfiltration. Core cyber-hygiene practices, such as timely security updates, can dramatically reduce the risk of Akira ransomware attacks. The group behind Akira demonstrates creativity and persistence, indicating an ongoing and evolving threat from this malware. Small emphasizes the importance of comprehensive and proactive security measures beyond patching alone to effectively mitigate potential ransomware attacks.
2024-06-08 17:13:00 bleepingcomputer DATA BREACH New York Times Suffers Major GitHub Data Leak
The New York Times confirmed that internal source code and data were stolen and subsequently leaked on 4chan, traced back to a compromised GitHub account used by the company. A 273GB archive containing the Times' stolen source code and other data was shared on 4chan by an anonymous user, comprising around 3.6 million files from approximately 5,000 GitHub repositories. The leaked data includes a variety of information such as IT documentation, infrastructure tools, and source code for several internal applications, including the popular Wordle game. The breach, which occurred in January 2024, was enabled by an exposed GitHub token that allowed unauthorized access to the company's GitHub repositories. The New York Times stated that the compromised GitHub credential was quickly discovered and secured, asserting that neither unauthorized access to Times-owned systems nor any operational impact was evident. This incident marks the second major leak reported on 4chan in the same week, the first involving stolen data from Disney's Club Penguin game. The Times has highlighted continuous monitoring and other enhanced security measures as its response to prevent further incidents.
2024-06-08 14:45:30 theregister DATA BREACH Ex-Uber CSO Joe Sullivan Discusses the Fallout of His Conviction
Joe Sullivan, former Uber chief security officer, was found guilty in 2022 of covering up a 2016 data theft incident at Uber. Federal prosecutors initially sought a 15-month jail term for Sullivan, but he ultimately received three years' probation and 200 hours of community service. Sullivan's conviction is unprecedented, marking the first time a high-ranking CSO in the U.S. has been charged and convicted for actions related to their role. Post-conviction, Sullivan has emphasized the importance of accountability in corporate security roles and stressed that top executives should bear ultimate responsibility for cybersecurity breaches. Sullivan advocates for security leaders to remain driven and proactive despite the challenging landscape, emphasizing their critical role in safeguarding organizational data. He has highlighted a need for CSOs and CISOs to have robust support and clear directives to effectively perform their duties and manage crises.
2024-06-08 14:14:45 bleepingcomputer DDOS DDoS Attacks Hit EU Political Parties During Election Period
DDoS attacks are targeting European political parties amid the ongoing EU Parliament elections, with the hacktivist group 'HackNeT' claiming responsibility. Cloudflare has successfully mitigated multiple DDoS attack waves directed at election-related websites in the Netherlands. Two significant attacks on June 5 and 6 disrupted the websites of right-wing nationalist parties that have expressed sympathies towards Russia. The first major attack peaked at 115 million requests per hour, while the second, less severe incident reached 44 million requests per hour. Both targeted parties, PVV and FvD, are known for their critical stance on the EU and NATO and oppose sanctions against Russia. In Germany, a "serious cyberattack" affected the Christian Democratic Union's network, leading to increased security measures across political platforms. These attacks highlight the intersection of international politics and cyber warfare tactics during critical election periods.
2024-06-08 07:38:33 thehackernews MALWARE Critical PHP Vulnerability Threatens Windows Servers Worldwide
A new critical vulnerability in PHP, identified as CVE-2024-4577, allows remote code execution on Windows servers. The flaw is a CGI argument injection that affects all PHP versions on Windows, bypassing protections added for an older vulnerability (CVE-2012-1823). A DEVCORE security researcher responsibly disclosed the vulnerability on May 7, 2024, and patches were released in subsequent PHP updates. Exploitation attempts were detected soon after public disclosure, indicating active interest from malicious actors. DEVCORE advises moving away from PHP CGI to more secure alternatives such as Mod-PHP, FastCGI, or PHP-FPM. Patched PHP versions include 8.3.8, 8.2.20, and 8.1.29, addressing the vulnerability for users running affected configurations. Particularly vulnerable are XAMPP installations on Windows configured for locales such as Traditional Chinese, Simplified Chinese, or Japanese. Immediate patching is strongly recommended due to the simple exploit method and high potential for widespread exploitation.
2024-06-08 07:02:49 thehackernews MISCELLANEOUS Microsoft Modifies Recall Feature After Privacy Backlash
Microsoft announced changes to its AI-powered Recall feature, making it opt-in instead of enabled by default due to privacy concerns. Recall captures and analyzes screenshots every five seconds to create a visual timeline, but faced criticism for inadequate privacy safeguards. Significant security updates include biometric authentication via Windows Hello for accessing Recall data and encryption of stored snapshots. Microsoft highlighted that Recall snapshots are processed locally, are not shared externally, and can be managed or deleted by the user at any time. IT administrators in enterprise environments can disable the Recall feature on managed devices, and user consent is required to enable it. Critics such as Kevin Beaumont and Andy Greenberg have expressed privacy concerns and likened the initial implementation to spyware. Microsoft's decision to alter Recall aligns with its efforts to prioritize security, influenced by previous security challenges involving nation-state actors.
2024-06-07 23:41:05 theregister DATA BREACH Massive Leak of New York Times Internal Data Hits 4chan
A 4chan user has reportedly leaked 270GB of New York Times data, including its source code, on peer-to-peer networks. The leaked data supposedly contains around 5,000 repositories and 3.6 million files from The New York Times Company. Files in the leak may include various proprietary information, from software blueprints to email marketing campaigns. Of the leaked files, fewer than 30 are reportedly encrypted, leaving significant content exposed to potential misuse. The authenticity of the leak has not yet been confirmed, and The New York Times has not commented on the matter. Previous incidents have targeted The New York Times and other media outlets with cyberattacks, including efforts by the Syrian Electronic Army and suspected Russian operatives. The situation underscores the ongoing security challenges faced by major news organizations in the digital age.
2024-06-07 22:34:42 theregister NATION STATE ACTIVITY FCC Proposes Stricter BGP Security Rules to Combat Routing Threats
The FCC has voted unanimously for a new rulemaking notice requiring U.S. internet service providers (ISPs) to create, and annually revise, a confidential security plan addressing Border Gateway Protocol (BGP) risks. This regulatory action aims to prevent BGP hijacking, in which rogue entities deliberately misdirect internet traffic, which can lead to surveillance or data tampering. Providers, especially the top nine U.S. broadband companies, would also be required to file quarterly public reports on their BGP security measures. The initiative aligns with national cybersecurity efforts under Initiative 4.1.5 of the National Cybersecurity Strategy Implementation Plan, which focuses on enhancing secure Internet routing practices. The move involves adopting Resource Public Key Infrastructure (RPKI) to reinforce BGP security, although it is noted that even RPKI is not completely foolproof against attack methods. Smaller ISPs would not be mandated to regularly submit BGP security plans, but must provide them if the FCC requests. Public comments are encouraged before the regulatory proposal is finalized, allowing stakeholders to voice perspectives or concerns.
2024-06-07 22:04:04 bleepingcomputer MISCELLANEOUS LastPass Suffers 12-Hour Outage Due to Faulty Chrome Extension Update
LastPass experienced a nearly 12-hour outage caused by a problematic update to its Chrome extension. The outage began at around 1 PM ET, with users unable to access their password vaults and receiving "404 Not Found" errors. User frustration was voiced on social platforms like Reddit and Twitter, highlighting problems accessing saved credentials. LastPass identified the cause as an update that inadvertently stressed its backend infrastructure. The company confirmed the issue was resolved around 8 PM ET but continued to receive login and functionality complaints from users. Performance stability and operations were reportedly restored, yet some users continued to face login issues and non-functional features. The problematic update was believed to have sent excessive requests to LastPass servers, resembling a DDoS attack.
2024-06-07 19:51:47 bleepingcomputer MISCELLANEOUS Apple Set to Launch 'Passwords' App at Developers Conference
Apple plans to introduce a new standalone password manager app, 'Passwords', during its next Worldwide Developers Conference. The app will be integrated into iOS 18, iPadOS 18, and macOS 15, leveraging the existing iCloud Keychain infrastructure to store and manage user passwords. iCloud Keychain, while already functioning as a password manager, is currently embedded within device settings and may not be easily accessible or widely used. The 'Passwords' app is designed to encourage the use of strong, unique passwords to enhance security and aid in protecting users against data breaches. With features for importing credentials from other password managers and categorizing passwords, the app aims to attract users from competitors such as Bitwarden, LastPass, and 1Password. Apple's inclusion of multi-factor authentication capabilities directly within the app positions it as a replacement for other authenticator apps like Google Authenticator and Authy. LastPass criticizes Apple's approach, suggesting that relying on a single vendor's system can restrict user freedom and flexibility across different devices and operating systems.
2024-06-07 19:46:27 theregister MISCELLANEOUS Microsoft Modifies Recall Feature Amid Security Concerns
Microsoft has decided to make its controversial Recall feature on Copilot+ Windows PCs opt-in following significant backlash and criticism regarding its security. Initially, Recall was designed to automatically capture and store screenshots and user activity on local devices to make past activity searchable and accessible. Security experts raised alarms about the potential for easy access to sensitive data because it was stored in unencrypted databases. Following the critique, enhancements include mandatory opt-in during setup, integration with Windows Hello for authentication, and improved data encryption. Critics, including former Microsoft threat analyst Kevin Beaumont, expressed serious concerns about the fundamental security risks posed by Recall. Recall's intended functionality includes capturing nearly all user activity, including screen content and app usage, to create a searchable archive of past actions. Microsoft plans to implement additional security measures such as just-in-time decryption, which will further protect the stored data. The company emphasizes its commitment to evolving its products based on consumer and enterprise feedback to uphold privacy, security, and trust.
2024-06-07 19:05:28 bleepingcomputer DATA BREACH Christie's Auction House Hit by RansomHub Data Breach
Christie's, a British auction house, experienced a security breach by the RansomHub ransomware gang that led to stolen customer data. The data theft occurred between May 8 and May 9, 2024, and was discovered by Christie's on May 9. External cybersecurity experts were hired, and law enforcement was notified to assist in the investigation and response. Customer information, including names, addresses, and ID details, was extracted, affecting at least 500,000 clients. Christie's completed a review of the affected data and notified potential victims, offering them a free year of identity theft protection and fraud monitoring. There have been no reported attempts to misuse the stolen information, despite RansomHub's claims of selling the data on its own platform. The company has taken additional security measures to prevent future incidents and continues to evaluate and enhance its cybersecurity framework.
2024-06-07 18:49:53 bleepingcomputer DATA BREACH Frontier Communications Reports Large-Scale Data Breach Affecting 750,000 Customers
Frontier Communications suffered a cyberattack in mid-April 2024 that led to unauthorized access to its IT systems. Personal data of approximately 750,000 customers, including full names and Social Security Numbers, was exposed in the breach. The RansomHub ransomware group claimed responsibility for the attack, threatening to sell or leak the information unless its demands are met. Frontier has notified the affected customers and offered one year of free credit monitoring and identity theft services through Kroll to mitigate potential harm. According to Frontier, no customer financial information was compromised in the breach. The company took immediate action by shutting down some systems to contain the attack and has since enhanced its network security. Customers experienced connectivity issues during the attack, illustrating an operational impact beyond data exposure. Frontier continues to investigate the full impact of the incident while advising customers to stay vigilant against unsolicited communications and to monitor their accounts closely.