Daily Brief
Find articles below; the 'Details' column links to each article's generated summary.
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-04-05 22:03:06 | bleepingcomputer | RANSOMWARE | Ransomware Strikes VMware Platforms, Disrupting Major Enterprises | Ransomware threats are increasingly targeting virtual machine platforms such as VMware ESXi, causing significant operational disruptions. Panera Bread experienced a week-long IT outage due to ransomware encryption of its virtual machines, with restoration from backups taking nearly a week. Omni Hotels also suffered a ransomware attack that led to a massive IT outage, affecting reservation and key card systems and guest access to rooms. Chilean hosting provider IxMetro Powerhost fell victim to SEXi ransomware, resulting in encrypted VMware ESXi servers and customer backups, with a demand for bitcoin payments. The Chilean government's CSIRT has issued an advisory urging enterprises to update VMware software and apply enhanced security measures to protect against these ransomware attacks. Security professionals are advised to apply the latest security updates, use unique administrative credentials, and implement strict access controls to safeguard virtual machine platforms. Because virtual machine platforms centralize company servers, they are attractive targets for ransomware, underlining the need for improved, platform-specific security practices. | Details |
| 2024-04-05 17:42:52 | bleepingcomputer | CYBERCRIME | Ivanti Connect Secure VPN Vulnerable to High-Severity RCE Flaw | Ivanti Connect Secure and Policy Secure gateways face a critical RCE vulnerability that could affect around 16,500 internet-exposed instances. The vulnerability, identified as CVE-2024-21894, is a heap overflow in the IPSec component that could allow unauthenticated remote code execution or denial of service. Initial reports from Shodan and Shadowserver indicated between 18,000 and 29,000 exposed instances, with a subsequent Shadowserver report narrowing it down to 16,500 vulnerable gateways worldwide. Ivanti has released updates to mitigate the flaw and has not observed active exploitation against its customers, but urges system administrators to apply the updates immediately. The majority of vulnerable instances are located in the United States, Japan, and the UK, with other countries also having significant exposure. Past Ivanti product vulnerabilities were exploited by state-sponsored actors and hacking groups to deploy custom web shells for unauthorized access to devices. A Mandiant report examines recent exploitation incidents involving Ivanti endpoints in depth and details the 'SPAWN' malware family used by Chinese hackers in these attacks. Administrators are strongly advised to implement the available mitigations and fixes for CVE-2024-21894 according to Ivanti's guidance. | Details |
| 2024-04-05 16:51:50 | bleepingcomputer | MALWARE | Malicious Fake AI Facebook Page Fooled 1.2M Users with Malware | Hackers used Facebook ads to lure users into downloading malware by impersonating popular AI services. Impersonated services include MidJourney, SORA, ChatGPT-5, and DALL-E, promising previews of new features. Malware types distributed include Rilide, Vidar, IceRAT, and Nova, targeting the theft of browser-stored data. The fake MidJourney Facebook page gathered 1.2 million followers before being shut down after almost a year of activity. Attackers targeted predominantly male users aged 25-55 in Europe, employing sophisticated social media-based malvertising strategies. Even after the shutdown of the original fake page, new pages quickly emerged, continuing the distribution of malware. Researchers stress the importance of being cautious with online ads and the ongoing challenges in moderating content on vast social networks like Facebook. | Details |
| 2024-04-05 15:35:13 | bleepingcomputer | DATA BREACH | Federal Contractor Acuity Faces Breach Exposing US Government Data | Acuity, a technology consulting firm and federal contractor, experienced a breach in which hackers obtained non-sensitive government data from its GitHub repositories. The U.S. Department of State is investigating a purported cyber incident after threat actor IntelBroker leaked information suggesting the theft of U.S. government and military data. CEO Rui Garcia stated that Acuity swiftly applied security updates to address a zero-day vulnerability once it was detected, with subsequent analysis indicating no impact on sensitive client data. IntelBroker has released thousands of records from various U.S. agencies, such as the Justice Department and the FBI, and claims to have Five Eyes intelligence documents. The breach, carried out by threat actor Sangierro alongside IntelBroker, reportedly happened on March 7 by exploiting an Acuity Tekton CI/CD server vulnerability to steal GitHub credentials. IntelBroker has a history of targeting and leaking data from multiple U.S. government agencies and is also linked to cyberattacks on corporations like Hewlett Packard Enterprise and General Electric Aviation. | Details |
| 2024-04-05 14:33:41 | theregister | NATION STATE ACTIVITY | US Government Scrutinizes Microsoft Security Amid Repeated Attacks | The US government has criticized Microsoft for inadequate security practices that enabled Chinese cyber espionage, but continues to contract its services. Microsoft's security lapses have historically allowed nation-states like Russia and China to infiltrate government and corporate systems. Despite harsh criticism from the US Cybersecurity and Infrastructure Security Agency (CISA), there are no signs of reduced government spending on Microsoft products, with $498.5 million in payments recorded in FY 2023. Microsoft pledges to enhance security through its Secure Future Initiative, aiming to harden infrastructure and improve detection mechanisms. US Senator Ron Wyden advocates strict cybersecurity standards for vendors and consequences for non-compliance, including holding senior executives accountable. Industry experts acknowledge the difficulty of replacing Microsoft as a primary government vendor but emphasize the need for the company to bolster internal security measures. Microsoft's significant revenue from the US government includes non-competitive and "limited sources" procurement processes, drawing criticism from cybersecurity professionals. Microsoft has been involved in several high-profile breaches over recent years, including the SolarWinds attack and compromises by Lapsus$ and foreign nation-state actors. | Details |
| 2024-04-05 14:18:14 | thehackernews | CYBERCRIME | Research Exposes Vulnerabilities in AI-as-a-Service Platforms | AI-as-a-service providers face critical security risks, with potential for privilege escalation and cross-tenant access exploits. Researchers identified Hugging Face as vulnerable to attacks allowing unauthorized access to customers' models and manipulation of CI/CD pipelines. The threats involve running untrusted models in pickle format and container escape techniques to compromise the service infrastructure. The findings show a risk of sensitive data leakage through shared environments and recommend using IMDSv2 with a Hop Limit as mitigation. Hugging Face has rectified the vulnerabilities, advising users to rely on trusted model sources, enable MFA, and avoid pickle files in production. The research also highlights the risk of generative AI models distributing malicious code and the need for caution when using large language models for code solutions. A related issue is "many-shot jailbreaking," which can bypass safety protections in language models by exploiting enlarged context windows to flood the model with harmful queries. | Details |
| 2024-04-05 13:52:24 | bleepingcomputer | CYBERCRIME | Panera Bread and Omni Hotels Hit by Ransomware Outages | Panera Bread experienced a week-long IT outage due to a ransomware attack that encrypted numerous virtual machines, disrupting access to data and applications. The ransomware group responsible remains unknown, with no claims of responsibility, which may indicate ongoing ransom negotiations or a settled payment. Despite requests for comment, Panera Bread has not publicly commented on the incident, leading to concerns among employees about transparency and data security. The ransomware attack had a widespread impact on Panera Bread's operations, disabling internal systems, point-of-sale services, and customer-facing applications, forcing cash-only transactions and disrupting the rewards program. The outage started on March 22, affecting 2,160 cafes in the U.S. and Ontario, which had to cope with operational challenges such as scheduling and payment processing. In a parallel case, Omni Hotels also suffered a sizable IT outage, with ransomware the suspected cause of problems with reservations, check-in procedures, and door lock systems. Omni Hotels confirmed the cyberattack without giving details, mirroring the lack of transparency observed in the Panera Bread incident. | Details |
| 2024-04-05 12:35:51 | theregister | DATA BREACH | Hotel Terminal Flaw Exposes Guest Room Keycodes | A self-service check-in terminal at an Ibis budget hotel leaked room keycodes. The security bug could allow attackers to obtain guest room access without technical skills. Martin Schobert from Pentagrid found the flaw, which could potentially affect hotels across Europe. By entering six consecutive dashes as a booking reference, booking details and room keycodes could be retrieved. The vulnerability was discovered by accident in Hamburg and could impact personal safety and property. Accor Security validated and fixed the issue within a month of discovery. The article also mentions recent vulnerabilities in hotel door locks and the IT issues at Omni Hotels. | Details |
| 2024-04-05 11:24:18 | thehackernews | MISCELLANEOUS | Strategic Compliance: CISOs Navigate Evolving Cybersecurity Landscape | Compliance frameworks are increasingly detailed and numerous, making adherence a complex task for CISOs and demanding exceptional communication and organizational skills alongside security expertise. CISO perspectives on compliance vary with company size, industry sector, and regulatory environment, each requiring a tailored approach to meet specific security and privacy requirements. Some mature cybersecurity organizations treat compliance as a baseline, aiming to exceed requirements for enhanced protection. Effective compliance is integral to business strategy, entailing clear communication of the business value and of the risks of non-compliance, including reputational damage, financial penalties, and operational disruptions. CISOs often use compliance frameworks not only to fulfill legal obligations but as tools to guide their cybersecurity strategies, prioritizing actions based on regulatory models. Collaboration among CISOs, legal teams, privacy officers, and compliance committees is key to staying abreast of evolving regulations and effectively demonstrating adherence. Advanced compliance management tools like GRC systems, continuous compliance monitoring, and risk registers are leveraged to facilitate compliance and provide evidence to auditors. With overlapping requirements across compliance frameworks, organizations aim to 'comply once, apply to many,' streamlining the process and leveraging commonalities like PAM practices to satisfy multiple regulations. | Details |
| 2024-04-05 09:47:26 | thehackernews | MALWARE | Adobe Acrobat Reader Fakes Spread Byakugan Malware | Bogus Adobe Acrobat Reader installers are being used to distribute Byakugan, a new multifunctional malware. The campaign begins with a PDF file in Portuguese that, when opened, prompts the user to download a fake Reader application. Researchers at Fortinet discovered the campaign, whose attack chain bypasses Windows security features and deploys a legitimate PDF reader to obscure malicious activity. Byakugan is capable of collecting system data, executing commands from a C2 server, and includes functionality such as keystroke logging and desktop monitoring with OBS Studio. Security firm ASEC noted a growing trend of threat actors combining clean software with malicious components to complicate analysis and detection. Additionally, ASEC reported a separate campaign distributing the Rhadamanthys information stealer and the use of a tampered Notepad++ installer to spread WikiLoader malware. | Details |
| 2024-04-05 07:55:06 | thehackernews | MALWARE | Sophisticated JSOutProx Malware Assaults APAC and MENA Financial Firms | A new version of the JSOutProx malware is targeting financial organizations across the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions. The malware leverages JavaScript and .NET and uses various plugins for data exfiltration and other malicious operations. Spear-phishing campaigns with malicious JavaScript attachments disguised as PDFs, or ZIPs containing rogue HTA files, are used to deploy the heavily obfuscated malware. JSOutProx is capable of a wide array of functions, including capturing clipboard content, accessing Microsoft Outlook details, and intercepting one-time passwords. The malware uses a unique mechanism for C2 communications, transmitting data via the Cookie header field. A spike in malicious activity was observed from February 8, 2024, with the attack infrastructure hosted on GitHub and GitLab, both of which have since taken measures against it. The threat actor is suspected to be based in China or affiliated with it, based on the sophistication of the attacks and the victim profiles. The article also details concerns over GEOBOX, a new dark web-promoted tool that enables fraud and anonymization through spoofed GPS and network settings, heightening the risk of various cybercrimes. | Details |
| 2024-04-05 07:19:08 | thehackernews | NATION STATE ACTIVITY | Ivanti Security Flaws Exploited by Alleged Chinese Hacking Groups | Mandiant has identified multiple China-nexus threat actors exploiting security flaws in Ivanti appliances, specifically three zero-day vulnerabilities. These threat actors, tracked under various UNC designations, have used the vulnerabilities for espionage and potentially cryptocurrency mining. Some of the groups have reportedly used custom malware, such as the Sliver C2 framework and the TERRIBLETEA backdoor, to enable sophisticated post-exploitation activity. Groups UNC5330 and UNC5337 have been observed chaining vulnerabilities to install custom malware tools and obtain persistent backdoor access. UNC5221, a group linked with sophisticated web shells including ROOTROT, has been implicated in network reconnaissance and lateral movement within victim networks. UNC5291 is reportedly associated with another group, UNC3236, and has shifted its focus to Ivanti appliances after exploiting Citrix NetScaler ADC vulnerabilities. The exploitation of Ivanti's edge appliance vulnerabilities highlights the need for heightened security measures and vigilance against nation-state cyber threats. | Details |
| 2024-04-05 05:37:27 | theregister | MISCELLANEOUS | Study Criticizes Apple's Confusing Privacy Settings and Data Practices | Aalto University researchers claim Apple's privacy settings for native apps are confusing and ineffective. Despite Apple's reputation for security, the study finds that default app settings often do not align with user preferences. The complexity of Siri's privacy settings requires navigating five submenus to fully disable data tracking. A survey revealed that most Apple users are unaware of the extent of data collection by native apps like Safari and are surprised by the details. Users struggle with inconsistent privacy settings across devices and resort to internet searches rather than Apple's complex documentation. Researchers suggest centralizing privacy options and providing clearer descriptions within settings to improve user understanding. Apple faces lawsuits accusing it of not being transparent about data tracking, despite its public emphasis on privacy. There is a noted discrepancy between Apple's privacy claims and its substantial revenue from its online ads business. | Details |
| 2024-04-05 01:48:40 | theregister | CYBERCRIME | Major Japanese Lens Manufacturer Suffers Cyber Attack | Japan's Hoya Corporation experienced a significant cyber incident, disrupting production and sales activities. The IT system anomaly was first detected in one of Hoya's overseas offices on March 30, 2024. Immediate measures included isolating affected equipment and hiring forensic experts to assess the damage and aid in recovery. The company is currently unable to confirm whether any confidential or personal information has been breached or accessed. A full analysis of the incident is expected to take several days, with no clear timeline for system restoration. The impact on Hoya's business performance remains uncertain; however, the incident led to a 5% drop in share value over the week. Disruptions in deliveries from Hoya's Vision Care unit have prompted an apology to consumers. Hoya joins notable Japanese organizations, including NTT, LINE, Fujitsu, and JAXA, that have recently been targeted by cyber attacks. | Details |
| 2024-04-04 20:43:13 | bleepingcomputer | MALWARE | Emerging Latrodectus Malware Evolves from IcedID Loader | Researchers have identified a new malware, Latrodectus, believed to be an evolution of the IcedID loader, used in malicious email campaigns since November 2023. IcedID, initially a banking trojan from 2017, had expanded into a sophisticated loader for various malware, including ransomware. A sharp shift in tactics occurred after a key figure behind IcedID pleaded guilty in the US in February 2024, with initial access brokers switching to distributing Latrodectus. Latrodectus, observed more frequently since February 2024, uses a phishing lure of fake copyright infringement notices with links to a malicious JavaScript file. The malware performs sandbox evasion checks to avoid detection and runs its initialization routine only after the environment checks pass. Latrodectus can download additional payloads as instructed by its command and control server, making it an adaptable threat. Proofpoint warns that Latrodectus could be increasingly used by various threat actors, echoing the distribution patterns of its predecessor, IcedID. | Details |