Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-04 00:23:21 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Confronts State-Linked Hack, Exchange Online Compromise | Microsoft's 2023 Exchange Online hack is potentially tied to the Chinese cyberespionage group Storm-0558, with ongoing uncertainty about how an Azure signing key was stolen. The Cyber Safety Review Board criticizes Microsoft's security measures and communication transparency, and addresses how the signing key was compromised. The U.S. State Department detected the hack through advanced logging features, revealing that other organizations would be unable to spot such breaches without similar tools. Microsoft admitted to ineffective key rotation practices and a software flaw that allowed the attackers to use a consumer MSA signing key to breach enterprise email accounts. Investigators theorize, without definitive evidence, that the key could have been obtained from an engineer's laptop belonging to a previously compromised acquisition. Following the CSRB's call for improved measures, Microsoft added telemetry data and extended log retention to bolster security after the attack. Storm-0558 is credited with significant state-backed espionage efforts focused on high-level U.S. government email accounts related to national security. Connections are drawn between Storm-0558 and prior Chinese cyber operations, including the significant 2009 Operation Aurora. | Details |
| 2024-04-03 23:37:30 | theregister | DATA BREACH | City of Hope Medical Records Compromised in Cyberattack | City of Hope, a US cancer treatment and research organization, disclosed an IT security breach affecting approximately 827,149 individuals. Personal information, including financial and medical records, was accessed and potentially stolen from its systems between September 19 and October 12, 2023. The breach was detected as "suspicious activity" a day after the intrusion, prompting immediate mitigation measures and the implementation of enhanced security. City of Hope began notifying affected individuals in December and has offered two years of free identity monitoring services through Kroll. No incidents of identity theft or fraud have been reported as a result of the breach, according to a City of Hope spokesperson. The organization has engaged a cybersecurity firm to improve network and system security and has reported the incident to law enforcement and regulatory bodies. This breach is part of a larger trend of cyberattacks targeting healthcare facilities, with recent incidents affecting NHS Scotland and Change Healthcare. The US government is responding to the rise in cyberattacks on critical infrastructure by proposing new reporting requirements and indicating that voluntary cybersecurity practices for hospitals may soon be mandated. | Details |
| 2024-04-03 22:31:15 | bleepingcomputer | DATA BREACH | SurveyLama Platform Suffers Major Data Breach Affecting Millions | SurveyLama, an online survey platform, experienced a significant data breach exposing the personal details of 4.4 million users. Have I Been Pwned (HIBP) identified and verified the breach after being informed by an affected user. The exposed data includes varied personal information, though its exact nature has not been specified. SurveyLama confirmed the breach via email notifications to impacted individuals. Passwords were stored as salted SHA-1, bcrypt, or argon2 hashes, with SHA-1 considered vulnerable to brute-force attacks. Users are urged to change their SurveyLama passwords and any identical passwords used on other platforms. The compromised data has not been publicly disclosed so far, which may limit immediate widespread exploitation. Vigilance is advised, as the data could eventually be leaked to the cybercrime community, posing a risk of identity theft and fraud. | Details |
| 2024-04-03 22:20:31 | bleepingcomputer | RANSOMWARE | IxMetro Powerhost Victim of New 'SEXi' Ransomware Attack | IxMetro Powerhost, a hosting firm, suffered a ransomware attack that encrypted its VMware ESXi servers and backups, affecting numerous customers. The new ransomware, dubbed SEXi, specifically targeted the company's servers hosting virtual private servers, leading to widespread service disruptions. The attack was discovered early Saturday, with PowerHost announcing the incident and its ongoing attempts to restore services from encrypted backups. The SEXi ransomware gang demanded a ransom of two bitcoins per victim for decryption keys, which could potentially cost PowerHost $140 million. PowerHost is compensating affected customers by offering new VPS setups to those who still have their own website content, so they can bring their operations back online. The SEXi ransomware operation is relatively new, emerging in March 2023, and has so far only been observed targeting VMware ESXi servers, but could potentially expand to Windows devices. The ransomware's infrastructure appears unsophisticated on current knowledge: all victims receive the same contact address in the ransom notes, a departure from the usual practice of per-victim communication channels. It is presently unclear whether the SEXi ransomware operators engage in double extortion by stealing data and threatening to leak it if payment is not made. | Details |
| 2024-04-03 22:20:31 | bleepingcomputer | CYBERCRIME | Omni Hotels & Resorts Faces Nationwide Cyberattack and IT Disruption | Omni Hotels & Resorts confirmed a cyberattack that led to a significant IT outage across its locations. The hotel chain quickly shut down systems to contain the incident, protect its data, and prevent further intrusion. Cybersecurity experts were engaged to conduct an ongoing investigation into the incident. Unspecified sources claim the issue stemmed from a ransomware attack, as Omni works to restore encrypted servers from backups. Internal efforts are underway to manually recover affected systems, with systems anticipated to be available by Thursday. The cyberattack disrupted reservations, hotel room door lock systems, and point-of-sale operations, causing issues with credit card payments and reservations management. The incident follows a previous data breach in 2016, in which malware on point-of-sale systems at Omni hotels exposed payment card information. | Details |
| 2024-04-03 21:59:59 | bleepingcomputer | RANSOMWARE | Chilean Hosting Provider PowerHost Crippled By SEXi Ransomware Attack | IxMetro, a division of Chile-based PowerHost, was targeted by SEXi ransomware, which encrypted its VMware ESXi servers and backups. SEXi ransomware is a new threat, first observed in March 2023, primarily targeting VMware ESXi servers and appending the .SEXi file extension. PowerHost is struggling to restore service after the ransomware encrypted both its servers and the backups meant for disaster recovery. The cybercriminals demanded an exorbitant ransom of two bitcoins per victim, which would total $140 million if paid by PowerHost. PowerHost has offered to set up new VPS servers for customers who can independently provide their website content. It is currently unclear whether the SEXi ransomware group engages in double extortion by stealing data and threatening to leak it, as this has not been observed yet. The ransomware's infrastructure is not sophisticated at this time, using identical Session messaging app contact addresses for communication with all victims. | Details |
| 2024-04-03 21:14:04 | bleepingcomputer | RANSOMWARE | Jackson County Declares Emergency Amidst Ransomware Attack | Jackson County, Missouri, declared a state of emergency following a ransomware attack that disrupted county services on Tuesday. Key county departments such as Assessment, Collection, and Recorder of Deeds are expected to be closed for the week while systems are restored. The incident affected tax payment, marriage license, and inmate search systems, but did not impact the local Boards of Elections. Law enforcement, including the FBI and the Department of Homeland Security, has been notified, and external IT security experts are assisting with the investigation. County Executive Frank White, Jr. has authorized emergency measures to protect resident data and ensure the continuation of essential services. Officials stated that residents' financial information is safe, as it is managed by the external payment service provider Payit, which was not affected by the attack. Jackson County is a significant jurisdiction in Missouri, encompassing the largest city, Kansas City, and 17 other municipalities. | Details |
| 2024-04-03 20:53:25 | theregister | NATION STATE ACTIVITY | Microsoft Criticized for Security Negligence After China-Linked Email Breach | The Cybersecurity and Infrastructure Security Agency (CISA) called for urgent security reforms at Microsoft following a breach attributed to a China-linked group. Microsoft's outdated key rotation practices allowed unauthorized access to Outlook Web Access and further escalation to enterprise email accounts. Approximately 60,000 emails from the US State Department were stolen, including sensitive diplomatic discussions and a complete list of employee email addresses. Microsoft's slow response in correcting misinformation about the breach's cause, and its failure to detect the key compromise, have been highlighted as major concerns. The report by the Cyber Safety Review Board emphasized the need for Microsoft to prioritize security risk management and update legacy infrastructure. The report noted that Microsoft's recent "Secure Future Initiative" requires oversight by top executives, given the company's overreliance on AI-based security solutions without a clear understanding of the incident's cause. | Details |
| 2024-04-03 19:31:54 | theregister | CYBERCRIME | Omni Hotels Suffers Extensive IT Systems Outage Affecting Services | Omni Hotels & Resorts suffered a major IT systems disruption starting Friday, impacting bookings, payments, and door lock systems. The luxury hotel chain has over 50 properties in the US and Canada and has acknowledged the outage on social media, apologizing to guests. Specific details regarding the cause of the IT outage, including whether it was ransomware-related, were not provided by Omni or TRT Holdings. Hotel guests across the country have experienced significant disruptions, with reports of paper check-ins, non-operational card machines, and the need for staff to escort guests to their rooms. A self-identified Omni employee described the situation as chaotic and stressful, both for guests and for staff unsure of their income during the server downtime. Comparisons have been drawn to the MGM Resorts ransomware incident, raising suspicions of a possible cyberattack, but Omni has made no confirmation. Separately, Meta platforms including WhatsApp, Facebook Messenger, Instagram, and the Ads Transparency suite experienced outages, with services gradually being restored. | Details |
| 2024-04-03 18:55:52 | bleepingcomputer | DATA BREACH | U.S. State Department Probes Alleged Contractor Data Theft | The U.S. Department of State is investigating a possible cyber incident following claims by a threat actor of leaking documents from a government contractor. The alleged breach targeted Acuity, a technology consulting firm providing critical services to federal agencies, with claims of compromised classified information. The hacker, known as IntelBroker, claims the data leak includes contact details of government, military, and Pentagon personnel linked to the Five Eyes alliance. IntelBroker has a track record of similar data leaks from various government entities, including the U.S. Army and the Department of Defense. Details of the breach methodology have not been disclosed, though IntelBroker has already leaked data from other government agencies, suggesting potential links among the incidents. A previous significant breach attributed to IntelBroker involved DC Health Link, affecting members and staff of the U.S. House of Representatives. Neither the NSA nor Acuity has commented on the breach, and the Cybersecurity and Infrastructure Security Agency (CISA) has declined to comment on the ongoing investigation. | Details |
| 2024-04-03 18:24:47 | bleepingcomputer | CYBERCRIME | Critical SQL Injection Flaw Endangers Over 1 Million WordPress Sites | A severe unauthenticated SQL injection vulnerability in LayerSlider, a WordPress plugin, potentially affects over one million websites. Discovered by researcher AmrAwad, the security flaw, with a CVSS score of 9.8, could enable attackers to access site databases and extract sensitive data. Wordfence, a WordPress security firm, was alerted to the flaw, CVE-2024-2879, by AmrAwad through its bug bounty program, prompting swift action. The vulnerability stems from improper sanitization within the 'ls_get_popup_markup' function, risking complete site takeovers or data breaches. Attackers could carry out a time-based blind SQL injection, using response times to siphon off password hashes and user information, exploiting the lack of prepared SQL queries in WordPress. A swift developer response resulted in a security update released within two days, with users urged to update to version 7.10.1 to mitigate the risk. WordPress site admins are reminded to keep plugins updated, use strong passwords, and manage account access meticulously to enhance security. | Details |
| 2024-04-03 17:33:33 | bleepingcomputer | CYBERCRIME | Ivanti Releases Patches for Critical VPN Gateway Vulnerabilities | Ivanti has issued security patches for multiple vulnerabilities affecting its Connect Secure and Policy Secure gateways. The high-severity flaw tracked as CVE-2024-21894 allows unauthenticated remote code execution (RCE) and denial of service (DoS) attacks. The vulnerability arises from a heap overflow in the IPSec component, impacting all supported versions of the gateway products. While no exploitation has been reported, over 29,000 Ivanti gateways are exposed online, and nation-state actors have previously targeted Ivanti vulnerabilities. The critical flaw, along with three other vulnerabilities, could be exploited without requiring user interaction. The US Cybersecurity and Infrastructure Security Agency (CISA) has responded by issuing emergency directives requiring federal agencies to patch or disconnect vulnerable Ivanti VPN appliances. Ivanti has previously been targeted by suspected Chinese threat groups using zero-day vulnerabilities for malicious activities. | Details |
| 2024-04-03 16:40:40 | bleepingcomputer | MALWARE | Google Patches New Chrome Zero-Day Exploited in Hacking Contest | Google has patched a high-severity Chrome zero-day vulnerability, CVE-2024-3159, discovered during the Pwn2Own hacking contest. The flaw lies in the V8 JavaScript engine and permits heap corruption through specially crafted HTML pages. Attackers could exploit this out-of-bounds read issue to crash the browser or access sensitive data. Security researchers Edouard Bochin and Tao Yan successfully executed code on Chrome and Edge, receiving a $42,500 prize for their double-tap exploit. The updated Chrome versions carrying the fix are rolling out globally on various operating systems, including Windows, Mac, and Linux. Google has also fixed two other Chrome zero-days and two Android zero-days, with fixes released shortly after disclosure. Mozilla quickly addressed two Firefox vulnerabilities unveiled at the same Pwn2Own event. Generally, zero-day vulnerabilities disclosed during Pwn2Own are publicly detailed by Trend Micro's Zero Day Initiative after 90 days, although some vendors patch the issues sooner. | Details |
| 2024-04-03 16:29:57 | bleepingcomputer | DATA BREACH | AT&T Faces Legal Challenges Over Monumental Customer Data Breach | AT&T acknowledges a major data breach impacting 73 million current and former customers, leading to multiple class-action lawsuits. Sensitive customer data leaked includes names, addresses, Social Security Numbers, and passcodes for customer support interactions. The breach was first reported in 2021 by Shiny Hunters but only confirmed by AT&T after a secondary leak by 'MajorNelson' in 2024. Plaintiffs accuse AT&T of negligence, breach of implied contract, and unjust enrichment, demanding compensation, credit monitoring, and improved security measures. Despite initial denials, AT&T admits the data belonged to millions of its customers and that the breach likely occurred in 2019 or earlier. Law firm Morgan & Morgan alleges AT&T had prior knowledge of system vulnerabilities and delayed acknowledging the breach, increasing fraud risks. The company has been criticized for its belated response and potential underestimation of the threat, leaving customers unknowingly at risk for years. | Details |
| 2024-04-03 16:14:24 | thehackernews | CYBERCRIME | Google Pixel Phones Targeted Through Zero-Day Flaws Exploitation | Google disclosed two high-severity zero-day vulnerabilities in Pixel phones that are being exploited by forensic companies. The exploited vulnerabilities have allowed attackers to extract data and potentially spy on users when the devices are in an unlocked state. CVE-2024-29745 involves a vulnerability within the fastboot firmware, which supports various device state changes such as unlocking or flashing. Forensic firms have been taking advantage of these vulnerabilities by rebooting devices into fastboot mode to exploit them and dump memory. CVE-2024-29748 allows local attackers to disrupt a factory reset, posing a significant risk to device security and data integrity. The GrapheneOS team had previously warned that similar exploits were being used to compromise Google Pixel and Samsung Galaxy phones. GrapheneOS has suggested that an auto-reboot feature could mitigate the risks associated with firmware vulnerability exploitation. Google's advisory and its recommendation for heightened security measures come amid increasing concerns about device and data security. | Details |