Daily Brief

Total articles found: 11809

2024-04-03 15:38:33 thehackernews NATION STATE ACTIVITY U.S. Board Criticizes Microsoft After China-Linked Breach
The U.S. Cyber Safety Review Board (CSRB) reported that Microsoft's lax security practices facilitated a breach by China-based nation-state hackers, Storm-0558. Microsoft's corporate culture was flagged for not valuing security investments and risk management, in contrast to its central role in the tech ecosystem. The breach compromised 22 companies and over 500 consumer accounts by exploiting a Microsoft Azure Active Directory token forgery flaw. Microsoft's revelations about the breach changed over time, and the investigation into the hack is still ongoing. Around 60,000 unclassified emails from Outlook were reportedly exfiltrated during the campaign, which China has denied involvement in. The CSRB recommends updates to government cloud security frameworks and authorization processes to mitigate future cybersecurity risks. To aid federal agencies, Microsoft has expanded its Purview Audit logging capabilities, offering enhanced detection and response tools for cyber threats.
2024-04-03 14:47:10 bleepingcomputer CYBERCRIME Google Patches Exploited Zero-Day Flaws in Pixel Devices
Google addressed two zero-day vulnerabilities, CVE-2024-29745 and CVE-2024-29748, actively exploited to unlock Google Pixel phones. The vulnerabilities pertain to the Pixel’s bootloader and firmware, allowing unauthorized access to device data without a PIN. GrapheneOS, a security-focused Android distribution, initially discovered the flaws, which forensic firms were exploiting. The flaws enabled forensic firms to dump memory from devices they physically had access to, but Google's fix now prevents this by zeroing memory on boot. One of the vulnerabilities, CVE-2024-29748, was only partially fixed, with GrapheneOS developing a more robust solution to prevent circumvention of factory resets. Google's April 2024 security update for Pixel phones resolved 24 vulnerabilities, including a critical severity privilege elevation flaw, CVE-2024-29740. Pixel users are advised to update their devices through the security settings to ensure protection against these vulnerabilities.
2024-04-03 14:05:57 bleepingcomputer CYBERCRIME Guarding Against Sensitive Data Leaks in Microsoft Copilot
Microsoft Copilot is an integrated AI assistant in Microsoft 365 apps, augmenting productivity by using existing user permissions. Unrestricted permissions may lead to sensitive data exposure through Copilot, as users can query, summarize, or list internal information such as employee details, bonuses, and credentials. Varonis demonstrated how Copilot can inadvertently reveal confidential data through specific prompts, highlighting potential security risks when permissions are not tightly controlled. Ensuring proper data security settings and minimizing unnecessary permission grants is critical to prevent unauthorized access to sensitive information. Varonis, together with Microsoft, provides strategies and tools to companies for safe Copilot deployment, offering ongoing assessment and enhancements to Microsoft 365 data security postures. The Varonis Data Security Platform integrates with Microsoft 365, applying measures such as DLP, automated data security policies, and risk remediation to safeguard against data exposure. Varonis monitors every action in the Microsoft 365 environment, analyzing interactions with Copilot for unusual behavior and triggering alerts when needed. Varonis recommends a Copilot Readiness Assessment for organizations to address data security concerns and to maintain a secure AI tool adoption.
2024-04-03 13:13:17 thehackernews CYBERCRIME Google Chrome Tests New Feature to Thwart Cookie Theft
Google is beta testing a prototype feature called Device Bound Session Credentials (DBSC) in Chrome to protect against session cookie theft by malware. The purpose of DBSC is to bind authentication sessions to the user's device, rendering stolen cookies useless to attackers. The initiative comes as a response to the prevalent use of off-the-shelf malware for hijacking accounts by bypassing MFA and stealing cookies. DBSC leverages cryptographic keys stored in Trusted Platform Modules (TPMs) on the device, requiring proof-of-possession throughout a session. Google TAG has previously reported phishing campaigns using cookie-stealing malware targeting platforms like YouTube. Enhanced Safe Browsing in Chrome is recommended for additional protection against phishing and malware. Google plans to roll out support for DBSC initially to Chrome desktop users with compatible hardware and further aims to sunset third-party cookies altogether. Collaboration with server and identity providers, as well as other browser vendors, is ongoing, with origin trials expected to start by the end of the year.
2024-04-03 12:52:40 theregister MISCELLANEOUS Renowned Security Expert Ross Anderson Passes Away at 67
Ross Anderson, a leading computer scientist and information security expert, unexpectedly passed away in his sleep at the age of 67. Anderson was a professor at the University of Cambridge and held prestigious accolades, such as the Lovelace Medal and fellowship of the Royal Society. His work covered diverse areas of security, including cryptography, cybercrime analysis, and security psychology, and influenced real-world technology such as ATM design. Anderson authored the influential book "Security Engineering" and was committed to shaping information security policy through initiatives like the Foundation for Information Policy Research. He was recognized not only for his professional achievements but as a spirited and principled colleague and mentor, unafraid to challenge institutional policies. Friends, colleagues, and the wider security community remember Anderson as a brilliant, curious, and steadfast figure who significantly shaped the technology landscape. In addition to being remembered for his considerable academic contributions, he is survived by his family, who have requested privacy.
2024-04-03 12:11:45 theregister CYBERCRIME Google Introduces Device Bound Credentials to Combat Cookie Theft
Google is tackling cookie theft by developing Device Bound Session Credentials (DBSC), which render stolen cookies useless. DBSC uses cryptographic keys to link a session cookie to the user's specific device, making the cookie inoperative if stolen and used elsewhere. The Chrome browser will leverage facilities like Trusted Platform Modules (TPM) to safely store private keys, with initial support for about half of desktop users. DBSC does not allow session correlation on the same device, ensuring privacy by using unique keys for each session. Google is working to make DBSC an open web standard and is already seeing interest from others in the industry, including Microsoft for the Edge browser. Google is experimenting with DBSC in Chrome Beta to protect Google Account users and plans to extend it to Google Workspace and Google Cloud customers. DBSC will align with Google's phase-out of third-party cookies, aiming to enhance security for both consumers and enterprise users without impacting user privacy.
2024-04-03 11:20:36 thehackernews MISCELLANEOUS Comparing Attack Surface and Vulnerability Management Strategies
Attack surface management (ASM) and vulnerability management (VM) are distinct yet related areas in cybersecurity with differing scopes; ASM includes discovering unknown assets, while VM focuses on known assets. Vulnerability management involves using automated tools to identify, prioritize, report, and patch known vulnerabilities within a defined IP range in an organization's digital infrastructure. ASM extends the concept of VM by beginning with the discovery of all digital assets, whether known or unknown, across various environments including on-premises, cloud, and third-party services. Through ASM, organizations aim to minimize exposure and prevent potential attacks by reducing their attack surface, which can include eliminating unnecessary services and monitoring for emerging risks. Combining ASM and VM provides a holistic security posture, allowing organizations to identify all assets and vulnerabilities and allocate resources for more effective protection against cyber threats. Solutions like Intruder offer both VM and ASM services to better manage and secure an organization's attack surface and can provide additional visibility, such as monitoring network changes and SSL/TLS certificate expirations.
2024-04-03 09:43:46 thehackernews MALWARE Mispadu Banking Trojan Expands Reach, Compromises European Credentials
The Mispadu banking trojan, initially targeting Latin America, has broadened its attacks to Europe, specifically Italy, Poland, and Sweden. Thousands of credentials have been stolen from various sectors, including finance, law firms, and manufacturing, with Mexico still as the primary focus. The trojan captures sensitive information through fake pop-ups, screenshots, and keystroke logging, and uses phishing techniques to expand its impact. Recent attacks have exploited a Windows SmartScreen security flaw (CVE-2023-36025) to infect users through malicious PDFs in spam emails that lead to a multi-stage deployment of the malware. The malware performs anti-VM checks to avoid detection and uses obfuscation techniques and command-and-control servers for operations. Over 60,000 files containing stolen data have been identified on the Mispadu command-and-control server. Related research from Proofpoint reveals that YouTube channels promoting cracked video games are distributing malware like Lumma Stealer and Vidar via video description links. General security advice is provided, including steps to secure cloud environments and the importance of updating security processes amidst business growth.
2024-04-03 06:38:38 theregister CYBERCRIME "Gesture Jacking" Emerges as New Cybersecurity Threat to Web Users
"Gesture jacking," a variant of clickjacking also dubbed "cross window forgery," targets web users by manipulating keypresses. Attackers create malicious OAuth prompts that capture key actions in a hidden browser window, potentially leading to account takeovers. Popular websites like Coinbase and Yahoo are vulnerable because their authorization buttons have static or predictable IDs that can be targeted. Microsoft's Eric Lawrence explained that this attack method is effective because of how browsers handle URL fragments, transferring keypress input to the targeted page element. While not considered a browser bug, the technique exploits intended browser behavior, challenging browser makers to find a solution. Web developers are encouraged to adopt defensive measures such as randomizing the IDs of sensitive buttons and implementing Content Security Policies. Browsers continually implement changes to reduce clickjacking risks, with Chromium browsers offering policies against Scroll-to-Text-Fragment and Firefox considering similar features.
2024-04-03 05:17:08 thehackernews MALWARE Critical SQL Injection Vulnerability Patched in WordPress LayerSlider
A critical SQL injection vulnerability was found in the WordPress LayerSlider plugin, potentially allowing unauthorized database access. The vulnerability is identified as CVE-2024-2879 with a high severity CVSS score of 9.8. Affected versions ranged from 7.9.11 to 7.10.0, with the issue resolved in the 7.10.1 version released on March 27, 2024. The security flaw was a result of insufficient escaping of user-input parameters and the lack of wpdb::prepare() usage. The flaw could enable attackers to retrieve sensitive data such as password hashes from websites with the vulnerable plugin installed. The LayerSlider plugin is popular, with millions of users around the world trusting it for creating website animations and visual effects. This incident is among several recent security disclosures affecting WordPress plugins, including WP-Members and Tutor LMS, pointing to an ongoing concern for web security. WordPress site administrators are urged to regularly update plugins and core software to mitigate these risks.
2024-04-03 02:19:10 theregister NATION STATE ACTIVITY Microsoft's Missteps Enable China-Linked Email Intrusion
Microsoft's Exchange Online service was compromised, impacting senior US officials, due to substandard security. The Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board urges Microsoft to implement significant cultural and security changes. The China-linked group "Storm-0558" exploited a stale key from Microsoft's outdated identity management system to access enterprise email accounts. Around 60,000 emails from the US State Department were stolen, along with employee email addresses, risking diplomatic security and enabling future phishing attacks. Investigators found that Microsoft did not uphold key rotation practices, leaving it vulnerable compared to other cloud providers who are more diligent. Microsoft was criticized for not promptly acknowledging the severity of the situation and for failing to provide accurate information about the attack's cause. The report also suggests that Microsoft's current security initiatives are inadequate and require high-level executive oversight.
2024-04-02 23:21:11 theregister NATION STATE ACTIVITY FCC Takes Action on Decades-Old Telecommunications Security Flaws
The FCC is addressing security weaknesses in SS7 and Diameter protocols, which are crucial for network interconnections but prone to surveillance misuse. Foreign governments and surveillance companies have reportedly exploited these vulnerabilities to spy on individuals. SS7, dating back to the 1970s, and Diameter, from the 1990s, have exploitable flaws that could allow location tracking and interception of communications. The FCC has requested telecom carriers to report any incidents exploiting these vulnerabilities since 2018, including details of the attacks, techniques used, and identity of the attackers if known. Carriers are required to submit their responses by April 26th, with the FCC to follow up within a month. U.S. Senator Ron Wyden has raised concerns about carriers' cybersecurity practices and demanded government action to secure phone networks and establish minimum cybersecurity standards. The focus on SS7 and Diameter vulnerabilities is part of a wider effort to enhance national security against foreign surveillance and protect human rights and journalists.
2024-04-02 22:04:43 bleepingcomputer MALWARE Winnti Deploys UNAPIMON Malware to Evade Security Detection
Chinese hacking group Winnti is using a new malware named UNAPIMON to run malicious processes undetected. Also known as APT41, Winnti is a state-sponsored actor with a history of sophisticated cyberespionage since 2012. The Trend Micro report unveils UNAPIMON, involving the SessionEnv service to load malware via DLL side-loading. UNAPIMON uses Microsoft Detours to unhook critical API functions in child processes, helping it evade security monitoring tools. Most malware uses hooking mechanisms; however, UNAPIMON uniquely employs unhooking to avoid detection by security software. The malware’s simplicity and creative use of Microsoft Detours highlight the coding skills of the malware developers. Winnti's history includes innovative techniques for evasion, such as hiding a backdoor in Windows print processors and fragmenting Cobalt Strike beacons.
2024-04-02 20:02:31 bleepingcomputer CYBERCRIME Omni Hotels Battles Nationwide IT Systems Outage Affecting Services
Omni Hotels & Resorts has suffered a nationwide IT systems outage, impacting reservations, room access, and POS systems. The official website was offline on Friday and displayed an alert upon its return, advising customers of technical difficulties. Guests experienced significant disruptions, including delayed room access, difficulty with new reservations, and credit card payment issues. Omni's IT team is actively working to restore the affected systems, with an estimated return to normal operations by Thursday. The company has restricted comments on its social media updates, allowing only likes and reposts, while its phone helpline remains down due to technical difficulties. Omni Hotels has not disclosed the origin of the outage, but the impact suggests a possible cyberattack. A previous data breach in July 2016 involving PoS malware at Omni Hotels raises concerns about its cybersecurity practices and vulnerabilities.
2024-04-02 18:35:44 theregister DATA BREACH OWASP Foundation's Server Misconfiguration Leads to Data Breach
The OWASP Foundation suffered a data breach due to a misconfigured MediaWiki web server. Member resumes dating from 2006 to around 2014 were exposed, potentially affecting tens of thousands of individuals globally. Exposed personal details include names, email addresses, phone numbers, physical addresses, and employment information. OWASP has urged affected members to exercise caution with unsolicited emails and calls, to prevent phishing and identity fraud. The organization has since ceased collecting resumes, implemented two-factor authentication, and taken steps to prevent future breaches. The incident has been addressed by disabling directory browsing, securing the server, removing the resumes, and purging caches. OWASP is attempting to notify impacted individuals, although the task is challenged by the age of the resumes.