Daily Brief

Find articles below; each entry is followed by its generated summary

Total articles found: 11809

Checks for new stories every ~15 minutes

2024-03-28 11:05:51 thehackernews MISCELLANEOUS Best Practices for Protecting Non-Human Identities in Development
Non-human identities (NHIs) such as API keys, tokens and service credentials are crucial to modern software development but are often neglected in the race to innovate. Under pressure to deliver quickly, developers take shortcuts such as hard-coding secrets into source. A culture that prizes speed over security, combined with a lack of robust training, leads to the mishandling of sensitive information. Shift-left security alone is insufficient because it does not address the ongoing maintenance of secrets throughout the development lifecycle. Security practices should instead be integrated into every stage of development and treated as a shared responsibility across the whole team. Entro offers a solution for managing development-stage non-human identities without hindering the R&D process; its secrets management includes "secrets enrichment", which attaches detailed context to each secret so that exposures can be assessed and prioritized. The article advocates a balanced focus on both development speed and robust security practice as the key to safeguarding confidential data.
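The hard-coding problem the summary describes is easiest to see in code. What follows is an added example, not code from the article or from Entro: a minimal secret scanner of the kind that runs as a pre-commit hook or CI step, beside the environment-loading pattern that replaces a literal. The credential-name regex, the entropy threshold and the sample config file are assumptions constructed for this example.

```python
import math
import os
import re
from dataclasses import dataclass

# Credential-looking variable name assigned a quoted literal of 8+ characters.
# The name list and the threshold below are assumptions for this example, not a vendor's rule set.
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)\b\w*(?:api[_-]?key|secret|token|passw(?:or)?d|private[_-]?key)\w*'
    r'\s*[=:]\s*["\']([^"\']{8,})["\']'
)
# AWS access key IDs carry a fixed public prefix and are 20 characters long.
AWS_ACCESS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')


@dataclass
class Finding:
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: dictionary words score low, generated keys score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.0) -> list[Finding]:
    """Scan source text and return literal credentials that should not be committed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment-only line
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", m.group(0)))
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            # A value read from os.environ never matches: there is no quoted literal after '='.
            findings.append(Finding(line_no, "hardcoded-credential", m.group(1)))
    return findings


def load_secret(name: str) -> str:
    """The replacement for a literal: read the value injected by the CI system or
    secret manager, and fail closed rather than run with an empty credential."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


# Constructed sample of a config file, used to exercise scan(); not taken from any real project.
SAMPLE_CONFIG = """\
# config.py (constructed sample)
API_KEY = os.environ["API_KEY"]                  # read from the environment: not flagged
STRIPE_SECRET = "sk_test_Qm7xP2vLa9Rt4Ke1Zn8W"  # high-entropy literal: flagged
aws_access_key_id = AKIAIOSFODNN7EXAMPLE        # AWS documented placeholder key ID: flagged by format
password = "password"                            # literal, but low entropy: not flagged
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.value}")
```

The entropy gate keeps the scanner from drowning reviewers in placeholder strings, which is the usual reason such hooks get disabled; the format rule for AWS key IDs needs no entropy check because the prefix alone is decisive.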
2024-03-28 11:00:29 thehackernews MALWARE ZenHammer: New Rowhammer Technique Compromises AMD CPUs
Cybersecurity researchers at ETH Zurich have disclosed ZenHammer, a new Rowhammer technique that triggers bit flips on AMD CPUs despite the platforms' existing mitigations. ZenHammer reliably induces bit flips in DDR4 memory on AMD Zen 2 and Zen 3 systems, which significantly expands the practical attack surface given AMD's substantial market share. The technique has also, for the first time, triggered bit flips on a DDR5 device (on an AMD Zen 4 system), memory that had not previously been shown to be vulnerable. Rowhammer stems from the physical layout of DRAM cells: repeatedly accessing (hammering) rows disturbs the charge in neighboring rows, so an attacker can alter memory contents it has no permission to write, with consequences ranging from credential compromise to system instability. The Target Row Refresh (TRR) mitigations built in by DRAM manufacturers are bypassed by reverse engineering AMD's undocumented physical-to-DRAM address mapping, which earlier Rowhammer work lacked for AMD platforms, and by optimizing the hammering instruction sequences for AMD's memory controller. ETH Zurich's results show that DDR5's Rowhammer defenses and security guarantees need further investigation. AMD has acknowledged the issue and is assessing the exploitability of Rowhammer bit flips on DDR5 devices, with updates to follow once its investigation concludes.
2024-03-28 10:29:41 theregister DATA BREACH Ransomware Attack Compromises NHS Scotland's Sensitive Data
The INC Ransom group has claimed responsibility for a cyberattack on NHS Scotland, saying it stole 3TB of data, and has leaked sample files. The attack was confined to NHS Dumfries and Galloway, one of Scotland's regional health boards, and did not spread across NHS Scotland more widely. The Scottish Government and various agencies are assessing the breach's impact and working with the police on the ongoing investigation. The leaked data includes patients' medical test results and medication information as well as personal information about both patients and medical staff. NHS Dumfries and Galloway has been handling the incident since it was first disclosed on March 15 but has not yet confirmed what data was accessed. The attack underlines the persistent risk to healthcare institutions and the outsized impact ransomware has on this sector. Efforts to raise cybersecurity in healthcare are under way, including ARPA-H's involvement in DARPA's Artificial Intelligence Cyber Challenge to secure critical infrastructure.
2024-03-28 08:12:06 thehackernews MISCELLANEOUS Telegram's Controversial OTP Feature Trades Privacy for Premium Access
Telegram is introducing Peer-to-Peer Login (P2PL), which offers free Premium membership in exchange for letting Telegram use the participant's phone number to send one-time password (OTP) SMS messages to other users. P2PL is being trialled with Android users in select countries; a participant's phone may send up to 150 OTP messages, including international ones, which may incur carrier charges that the participant bears. The privacy concern is that recipients can see the sender's phone number, raising the risk of spam or unwanted contact. Telegram tells participants not to contact or respond to OTP recipients and reserves the right to terminate accounts that breach its terms. Telegram, which has 900 million active users, launched Telegram Premium in June 2022 to provide enhanced features to subscribers. Separately, Meta faces accusations of a "man-in-the-middle" traffic-interception scheme targeting Snapchat, YouTube and Amazon traffic for competitive analysis. The Meta incident involves a secret project named Ghostbusters, which used the Onavo VPN apps Meta had acquired to intercept users' traffic to those services from 2016 to 2018. The legal and privacy implications are in focus; Meta maintains that it gained no wrongful advantage from the intercepted data.
2024-03-28 07:51:19 theregister CYBERCRIME Germany Urges Immediate Patching of 17,000 Vulnerable Exchange Servers
Germany's Federal Office for Information Security (BSI) has issued an urgent warning that more than 17,000 Microsoft Exchange servers in the country are unpatched and constitute a significant cybersecurity risk. Roughly 37 percent of Germany's public-facing Exchange servers are exposed to critical exploits because they run outdated or unpatched software, including versions that are no longer supported. The BSI stresses the urgent need for action by organizations, citing the threat to sensitive data and services if systems remain unpatched. A recent example is CVE-2024-21410, an elevation-of-privilege flaw that Microsoft fixed last month, yet many servers have still not received the update. The BSI has begun daily notifications to network providers to encourage prompt remediation of detected vulnerabilities. There is heightened concern about exploitation by criminals and state-sponsored groups, with essential services such as medical facilities, schools and government bodies at high risk. The BSI urges administrators to act swiftly and apply the available security updates, while noting that the quality of the software itself is Microsoft's responsibility.
2024-03-28 07:05:17 theregister CYBERCRIME AI Imagined Software Packages Pose Real Cybersecurity Threats
Generative AI models sometimes recommend software packages that do not exist; an attacker who registers such a name turns the hallucination into a real package that unwitting developers then install. Alibaba was among the businesses fooled into referencing a fake dependency, which would have exposed its users to malware had the package been malicious. Security researcher Bar Lanyado published a benign fake Python package under one such hallucinated name to demonstrate how real the threat is. His experiment showed that generative AI models often repeat the same hallucinated package names across different models and different questions, which makes the names predictable enough to pre-register. This is a viable attack vector: AI-recommended non-existent packages can be registered and used to distribute malware. The Python and npm ecosystems are particularly exposed because nothing prevents anyone from registering a hallucinated name. The proof-of-concept package received over 15,000 downloads and was even referenced in the repositories of large companies. No malicious use of this technique has been observed in the wild so far, but because a poisoned dependency leaves few traces, such an attack would be hard to detect and prevent.
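A practical defense against installing a name that only exists because a model invented it is to refuse anything not on a vetted allowlist before `pip install` runs, and to separately flag names that are one character or suffix away from a vetted one. The following is an added example, not code from the article or from Lanyado's research; the allowlist, the requirements file and the package names in it are constructed for illustration and do not refer to real registry entries.

```python
import difflib
import re

# Constructed allowlist standing in for an organization's vetted internal index.
# Any name not on it is treated as unvetted, whether hallucinated, squatted, or simply new.
APPROVED = {"requests", "numpy", "pandas", "boto3", "pyyaml", "cryptography"}

# Project name at the start of a requirement line; version specifiers and extras are ignored here.
NAME_AT_START = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def gate(requirements: str, approved=APPROVED, cutoff: float = 0.75):
    """Classify each requirement as approved, a look-alike of an approved name, or unknown.

    Returns (approved_names, unknown_names, lookalikes), where lookalikes is a list of
    (requested, closest_approved) pairs. Both unknown and look-alike entries should block
    installation until a human has vetted the package and added it to the allowlist.
    """
    approved_norm = {normalize(n) for n in approved}
    ok, unknown, lookalike = [], [], []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):
            continue                                # blank line or pip option (-r, --index-url, ...)
        m = NAME_AT_START.match(line)
        if not m:
            unknown.append(line)                    # unparseable: fail closed
            continue
        name = normalize(m.group(1))
        if name in approved_norm:
            ok.append(name)
            continue
        close = difflib.get_close_matches(name, sorted(approved_norm), n=1, cutoff=cutoff)
        if close:
            lookalike.append((name, close[0]))      # a transposition or suffix away from a vetted name
        else:
            unknown.append(name)                    # nothing like it on the allowlist
    return ok, unknown, lookalike


# Constructed requirements file for the example; the package names are illustrative only.
SAMPLE_REQUIREMENTS = """\
# requirements.txt (constructed sample)
requests>=2.31
numpy==1.26.4
reqeusts            # transposed characters: looks like an approved name
numpy-fastloader    # plausible-sounding name that is not on the allowlist
-r base.txt
"""

if __name__ == "__main__":
    ok, unknown, lookalike = gate(SAMPLE_REQUIREMENTS)
    print("approved:", ok)
    print("unknown:", unknown)
    print("look-alike:", lookalike)
```

The gate cannot tell a hallucinated name from a legitimately new one, and that is the point: the decision to trust a new name is moved from the model's output, and from whoever registered the name afterwards, to a person who checks the project before adding it to the allowlist.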
2024-03-28 06:34:28 theregister NATION STATE ACTIVITY Japan Arrests Execs for Outsourcing to North Korean IT Engineers
Two executives have been arrested in Japan for running a business that outsourced work to North Korean IT engineers, potentially in violation of international sanctions. Pak Hyon-il, a South Korean national, and Japanese citizen Toshiron Minomo allegedly arranged the outsourcing without their customers' knowledge. The pair are also accused of inflating their company's registered capital and of unemployment-benefit fraud; authorities are investigating the extent of these actions. The concern is that the outsourced work could feed North Korea's foreign-currency acquisition schemes, which fund its nuclear and missile programs. The Japanese government recently warned that North Korean IT workers pose as Japanese nationals or work remotely, bringing risks of malware, broader cybersecurity threats and sanctions violations. The U.S. and South Korean governments have issued similar cautions against employing North Korean operatives, listing indicators such as threats involving proprietary code and inconsistencies in communication or documentation.
2024-03-28 04:31:03 theregister NATION STATE ACTIVITY China Backs Myanmar Rebels to Combat Cyberscams
China supported an armed offensive against Myanmar's military junta over the proliferation of online scam operations. Beijing had ties with Myanmar's ousted civilian administration and was angered by the coup, which derailed its infrastructure projects. The Three Brotherhood Alliance launched Operation 1027, named after its start date of 27 October, against the junta in response to the unchecked scam centers. The offensive disrupted trade and overran bases with China's tacit approval, driven by concern over the harm the scams were doing to Chinese citizens. A UN report identified Myanmar's Kokang zone as a major hub for human trafficking linked to online scams, surpassing Cambodia. Global pressure to dismantle such scam operations has been mounting, drawing in Interpol. After the offensive, China's focus remained on repatriating scam suspects rather than on ending the alliance's armed operations. Myanmar's military made concessions and accepted a China-mediated ceasefire, underlining China's leverage despite the dynamics of the internal conflict.
2024-03-27 22:15:13 bleepingcomputer CYBERCRIME Sophisticated 'Darcula' Phishing Service Exploits iMessage and RCS
The 'Darcula' phishing-as-a-service (PhaaS) platform delivers its lures over RCS and iMessage rather than traditional SMS, and is hitting users globally. Over 200 customizable templates let scammers convincingly impersonate brands in more than 100 countries, targeting services including government and finance. The kit is built with JavaScript, React and Docker, so its operators can push updates and new features dynamically without customers reinstalling their phishing kits. Netcraft found 20,000 linked domains, with about 120 new domains appearing daily, showing Darcula's scale. Sending over RCS and iMessage instead of SMS sidesteps recent legislation aimed at SMS-based phishing; both channels offer end-to-end encryption and are perceived by users as more trustworthy, which lends the messages credibility. To get around platform anti-abuse controls such as bans on high-volume messaging, the operators create large numbers of Apple IDs and run device farms. iMessage's safeguard, which keeps links from unknown senders non-clickable until the recipient replies, is defeated by instructing the target to reply with a 'Y' or '1'. Netcraft advises treating unsolicited messages containing URLs with suspicion and watching for grammatical errors, too-good-to-be-true offers and urgent calls to action as phishing indicators.
2024-03-27 22:09:56 theregister CYBERCRIME Apple Users Targeted with Password Reset Scam and Support Spoofing
Apple device users are being targeted by a multi-factor authentication (MFA) 'bombing' campaign designed to trick them into approving a password reset. AI entrepreneur Parth Patel first reported the attack after receiving more than 100 system-level password-reset prompts in quick succession, followed by a call from a scammer posing as Apple support. The attack relies on notification fatigue: after enough prompts, the user may tap 'Allow' by mistake, or be talked into it by the fake support caller. The attackers use sophisticated tactics, including caller-ID spoofing and accurate personal details likely sourced from data brokers such as People Data Labs. The scam's success appears to hinge on a rate-limiting oversight in Apple's iForgot password-reset system that allows an onslaught of reset requests against a single account. Apple has not yet introduced protective measures against this specific abuse, whereas Microsoft has adjusted its MFA system to counter similar attacks. Apple recommends that users hang up on unsolicited calls claiming to be from Apple support and treat system alerts about password resets with caution.
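The two controls that blunt this kind of push-fatigue attack are a per-account cap on how many prompts can be sent in a window, so a flood of reset requests stops producing notifications, and number matching on approval, so a reflexive tap cannot approve a request the user did not initiate. What follows is an added example, not Apple's code or anything from the article: a small guard implementing both, with the cap, window and challenge size chosen as assumptions for illustration.

```python
import collections
import secrets


class ResetPromptGuard:
    """Guards 'allow this password reset?' prompts against push-fatigue abuse.

    Policy values (prompts per window, window length, two-digit challenge) are assumptions
    for this example, not any vendor's actual settings.
    """

    def __init__(self, max_prompts: int = 3, window_s: float = 3600.0):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self._sent = collections.defaultdict(collections.deque)  # account -> prompt timestamps
        self._pending = {}                                       # account -> expected challenge

    def request(self, account: str, now: float):
        """Handle a reset request for `account` at time `now` (seconds).

        Returns ("prompted", challenge) when a notification may be sent, where `challenge`
        is the two-digit number to display on the requesting device only, or
        ("suppressed", None) when the account has hit its cap. Suppressed requests should
        still be logged and surfaced to the account owner through a trusted channel.
        """
        sent = self._sent[account]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()                          # expire timestamps outside the sliding window
        if len(sent) >= self.max_prompts:
            return "suppressed", None
        sent.append(now)
        challenge = secrets.randbelow(100)          # shown only where the reset was requested
        self._pending[account] = challenge
        return "prompted", challenge

    def approve(self, account: str, entered: int) -> bool:
        """Approve only if the user types the number shown on the requesting device.

        The pending challenge is consumed on any attempt, right or wrong, so an attacker
        cannot cycle through the 100 possible values against one prompt, and tapping a
        prompt with no pending challenge approves nothing.
        """
        expected = self._pending.pop(account, None)
        return expected is not None and entered == expected


if __name__ == "__main__":
    guard = ResetPromptGuard()
    # An attacker firing reset requests in a loop gets at most max_prompts notifications per window.
    for t in range(5):
        print(t, guard.request("victim", float(t)))
```

With the cap in place the attacker's hundred requests collapse into three notifications an hour, and with number matching the victim cannot approve any of them without a number that only the attacker's screen shows.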
2024-03-27 21:29:08 theregister MISCELLANEOUS Over Half of Americans Embrace Ad Blockers for Privacy
Over 52% of American internet users now use ad-blocking software, up from 34% in 2022 data. Adoption is notably higher among tech professionals with more than five years of experience: 66% of advertisers, 72% of programmers and 76% of cybersecurity experts. The primary motivation the general public gives for using ad blockers is privacy protection (20%), ahead of simply blocking ads (18%). Tech professionals prioritize privacy even more: advertisers, developers and security professionals cite it as the main reason at rates of 27%, 30% and 29% respectively. Trust in companies' data collection varies, with Google still considered trustworthy despite being a major data collector, while TikTok and Meta are among the least trusted. The report highlights a general lack of awareness about the extent of third-party data collection and its implications for privacy and personal data security.
2024-03-27 20:43:08 theregister CYBERCRIME Critical AI Framework Vulnerability Leaves Firms Wide Open
A severe remote-code-execution vulnerability, dubbed ShadowRay, has been found in the Ray AI framework and affects thousands of deployments. Exploitation of the flaw, CVE-2023-48022, has been seen in the wild for seven months, hitting sectors including healthcare, education and video analytics. The vulnerability allows anyone who can reach Ray's exposed jobs API to submit arbitrary jobs without authentication, which attackers have used for data theft and cryptocurrency mining. Ray's maintainer, Anyscale, considers the behavior a design decision rather than a bug (the framework is meant to run inside a strictly controlled network), but plans to add authorization checks in a future release. Attackers have accessed credentials such as OpenAI, Stripe and Slack keys, and compromised servers could equally be used to stage ransomware. Because many affected systems run with root privileges, entire cloud environments are at risk, including those hosted on AWS, Google Cloud and Microsoft Azure. Anyscale is developing a script to help users verify their configurations and has informed its customers of the issue, stating that its own hosted platform is not affected.
2024-03-27 18:45:49 bleepingcomputer CYBERCRIME Google Patches Chrome Flaws Revealed at Pwn2Own 2024 Event
Google has updated Chrome to fix two zero-day vulnerabilities exploited at Pwn2Own Vancouver 2024. The fixed flaws are a high-severity type confusion in WebAssembly (CVE-2024-2887) and a use-after-free in WebCodecs (CVE-2024-2886). Researchers demonstrated remote code execution via crafted HTML pages against both Chrome and Edge. The Chrome updates have been released for Windows, Mac and Linux, with a global rollout under way. Mozilla likewise quickly patched the Firefox zero-days demonstrated by the same researcher. Although vendors have a 90-day grace period to fix bugs exposed at Pwn2Own, Mozilla and Google took one and five days respectively. The Pwn2Own 2024 event in Vancouver saw researchers earn more than $1 million for 29 zero-day exploits. Manfred Paul took the top prize for his exploits against Safari, Chrome, Edge and Firefox.
2024-03-27 17:59:52 bleepingcomputer DATA BREACH NHS Scotland Hit by Ransomware, Potential Data Leak Imminent
INC Ransom has targeted NHS Scotland, threatening to release 3TB of sensitive data unless a ransom is paid. Leaked sample images showing medical information suggest a significant breach of Scotland's National Health Service systems. A government spokesperson confirmed that NHS Dumfries and Galloway, one of Scotland's regional health boards, is the affected party. INC Ransom is a data-extortion group with a track record of attacking sectors including healthcare and government. A cyberattack disclosed on March 15 is likely tied to this data theft and extortion attempt. Police Scotland, the National Crime Agency and the National Cyber Security Centre are working with the government to assess the damage. NHS Dumfries and Galloway says patient services remain unaffected and that it is cooperating fully with law enforcement and cybersecurity specialists. The health board has promised to notify and support everyone whose information has been disclosed.
2024-03-27 16:27:58 bleepingcomputer CYBERCRIME Critical SharePoint Vulnerabilities Actively Exploited, CISA Alerts
CISA has added a Microsoft SharePoint vulnerability (CVE-2023-24955), which allows remote code execution, to its Known Exploited Vulnerabilities catalog after identifying active exploitation. It is chained with a second flaw, CVE-2023-29357, which first grants administrative privileges on a SharePoint server without authentication; CVE-2023-24955 then turns that access into code execution. STAR Labs researcher Nguyễn Tiến Giang was awarded $100,000 for demonstrating an exploit chaining these two vulnerabilities at Pwn2Own Vancouver 2023. Proof-of-concept exploit code has since been released on GitHub, increasing the risk of widespread exploitation by less skilled attackers. CISA had already added CVE-2023-29357 to the catalog in January, with a deadline of January 31 for U.S. federal agencies to patch; CVE-2023-24955 has now been added, with federal agencies directed to secure their SharePoint servers by April 16. There is no evidence yet of these vulnerabilities being used in ransomware attacks, but CISA urges both federal and private organizations to patch promptly to forestall attacks.