Daily Brief

2024-03-21 05:34:27 | theregister | NATION STATE ACTIVITY | North Korean Kimsuky Gang Escalating Cyber Espionage with Help Files
North Korea's Kimsuky cybercrime group is adopting new tactics in cyber espionage, using Windows Help files to deploy infostealers. These attacks primarily aim at gathering intelligence from government sectors and think tanks to benefit Kim Jong Un's regime. The threat actors, known for spear phishing, are now using Microsoft Compiled HTML Help (CHM) files to execute arbitrary commands on Windows systems. Their operations include stealing information about victims' computers, running processes, and recent Word documents, indicating a focus on obtaining sensitive data. Security vendor Rapid7, which reported the findings, has published indicators of compromise and is moderately confident the campaign is targeting South Korea, with potential expansion beyond Asia. The German federal infosec agency has reported Kimsuky activity within Germany, demonstrating the group's expanding geographic focus. The use of CHM files is a known technique, but Rapid7 warns that some organizations' defenses might overlook them, highlighting the need for continued vigilance and adaptation to counter such threats.
2024-03-21 03:57:55 | thehackernews | MALWARE | Ivanti Releases Critical Fix for Standalone Sentry RCE Flaw
Ivanti has disclosed a critical remote code execution (RCE) vulnerability in Standalone Sentry, designated CVE-2023-41724 with a CVSS score of 9.6. The flaw allows an unauthenticated attacker on the same physical or logical network to execute arbitrary commands on the appliance. All supported Standalone Sentry versions are affected, and Ivanti has issued a patch to address the issue. Versions 9.17.1, 9.18.1, and 9.19.1 of the software are available for download, and customers are urged to update immediately. The vulnerability was discovered in collaboration with cybersecurity experts from the NATO Cyber Security Centre, and no exploitation has been reported so far. Ivanti notes that to exploit the flaw over the internet, a threat actor would require a valid TLS client certificate enrolled through EPMM, which adds an extra layer of protection. The disclosure comes amid previous exploitation of Ivanti vulnerabilities by suspected China-linked cyber espionage groups, highlighting ongoing concerns around cyber threats targeting Ivanti software.
2024-03-21 03:37:29 | thehackernews | MALWARE | Atlassian Patches Critical SQL Injection Vulnerability in Bamboo
Atlassian has released patches for over two dozen vulnerabilities, including a critical SQL injection bug in Bamboo Data Center and Server. The critical flaw, tracked as CVE-2024-1597 with a CVSS score of 10.0, could be exploited without user interaction. The vulnerability lies in the org.postgresql:postgresql dependency, potentially allowing an unauthenticated attacker to compromise confidentiality, integrity, and availability. The flaw was introduced in specific Bamboo Data Center and Server versions, but instances using the default SQL database connection settings are not impacted. Security researcher Paul Gerste discovered and reported the issue, and users are urged to upgrade to the latest version of the software. Affected Bamboo instances should be updated immediately to mitigate the risk of exploitation.
2024-03-20 20:04:46 | bleepingcomputer | CYBERCRIME | Phishing Scam Targets Fans via Hacked Spa Grand Prix Email
Hackers compromised an official Spa Grand Prix email account to conduct a phishing scheme against fans. Unsuspecting recipients were directed to a fraudulent website through a €50 voucher offer for Formula 1 event tickets. The Spa Grand Prix organizer quickly alerted customers to the cyberattack and urged them not to engage with the phishing emails. Following the incident, the organization upgraded its security measures, filed a complaint with the Belgian cyber police, and plans to file a civil claim. The extent of the data breach and the number of affected individuals remain unspecified, as the organization has not yet disclosed these details. The organizer explicitly reassured customers that the Spa Grand Prix's main website and ticketing system have not been compromised and remain secure. Ticketholders concerned about potential data exposure have been advised to contact the Grand Prix's secretariat for assistance.
2024-03-20 19:44:15 | bleepingcomputer | DDOS | New 'Loop DoS' Vulnerability Threatens Over 300,000 Internet Hosts
A novel 'Loop DoS' attack could jeopardize over 300,000 online systems through a weakness in services built on the User Datagram Protocol (UDP). The attack causes two network services to enter an endless loop, producing massive traffic and overwhelming resources. This denial-of-service (DoS) attack exploits CVE-2024-2169, a vulnerability rooted in the lack of source-address verification, which permits IP spoofing. Both legacy and widely used modern internet protocols, including DNS, NTP, and TFTP, could be affected by this security issue. Attackers can initiate a self-sustaining loop of error messages between two servers, leading to a drain on system resources. Despite no current evidence of exploitation, researchers have disclosed the vulnerability to vendors and the CERT Coordination Center. CERT/CC advises adopting the latest security patches, turning off unnecessary UDP services, and implementing anti-spoofing and traffic-limiting measures as countermeasures.
2024-03-20 19:33:35 | theregister | CYBERCRIME | Scammers Target Early Tax Filers with Phishing Campaign
Microsoft has exposed an early-start phishing scam targeting tax filers with fake tax return emails designed to steal sensitive information. Scammers are using social engineering techniques, including blurred documents, to lure victims into installing malware on their machines. The info-stealer malware attempts to harvest user credentials once the victim clicks a fraudulent "download documents" button in the email. Microsoft warns of increased risk during tax season as scammers use AI and deepfake technology to craft more convincing emails and target specific vulnerable groups. High-value data belonging to millions of individuals and businesses is at risk due to the added stress and distractions of the tax season. Scammers often impersonate legitimate tax processors or the IRS and bait users with promises of hefty refunds in exchange for personal information. Microsoft recommends guarding against tax-season phishing by verifying email sources, being cautious with sensitive information, and enabling multi-factor authentication (MFA). The IRS advises that it does not solicit personal or financial information through unsolicited emails, text messages, or social media.
2024-03-20 18:57:38 | bleepingcomputer | MISCELLANEOUS | GitHub Launches AI Tool to Auto-Fix Code Vulnerabilities
GitHub has introduced a new AI-powered feature, Code Scanning Autofix, in public beta to speed up fixing vulnerabilities while coding. The tool, powered by GitHub Copilot and CodeQL, addresses over 90% of alert types for languages such as JavaScript, TypeScript, Java, and Python. Code Scanning Autofix provides fix suggestions with natural language explanations and code previews, making it easier and faster for developers to respond to vulnerabilities. This feature could significantly reduce the workload for security teams, allowing them to focus on overarching security concerns rather than recurring coding vulnerabilities. While the tool promises to address a substantial portion of found issues, developers are reminded to verify that suggested fixes fully resolve the issue and preserve the code's functionality. GitHub plans to expand support to more programming languages, including C# and Go, and emphasizes the tool's role in managing "application security debt." The introduction of this feature follows recent GitHub enhancements such as push protection to prevent accidental exposure of secrets in public repositories.
2024-03-20 18:37:04 | theregister | NATION STATE ACTIVITY | US Initiates Task Force to Secure Water Sector Against Cyber Threats
The US EPA is forming a Water Sector Cybersecurity Task Force to combat escalating cyber threats. The initiative is a response to growing concerns over foreign adversaries targeting US water services. Recent cyber incidents, including an attack by an Iran-backed group and the activities of China's Volt Typhoon, have heightened awareness. The task force will focus on closing widespread security vulnerabilities and promoting industry-wide best practices. It builds upon existing efforts, such as the 2023 Roadmap to a Secure and Resilient Water and Wastewater Sector. Basic cybersecurity measures, such as changing default passwords and updating software, are still not widely implemented in parts of the sector. The EPA's previous attempt to mandate cybersecurity evaluations met with legal challenges from some states. With the Biden-Harris administration's support, the EPA's renewed effort aims to implement more effective protections for the water sector.
2024-03-20 17:10:27 | bleepingcomputer | CYBERCRIME | Ivanti Releases Patches for Standalone Sentry and ITSM Security Flaws
Ivanti has issued an immediate patch for a critical vulnerability in Standalone Sentry, reported by the NATO Cyber Security Centre. The vulnerability, identified as CVE-2023-41724, affects all supported versions and could allow attackers to execute commands without authentication. A second critical vulnerability, CVE-2023-46808, found in Ivanti Neurons for ITSM, has been patched in cloud deployments but remains a risk for on-premises systems. Ivanti states there is currently no evidence of in-the-wild exploitation of these security issues. Earlier, at least 13,000 Ivanti endpoints were exposed to potential attacks due to unpatched vulnerabilities. CISA has previously ordered federal agencies to secure or disconnect vulnerable Ivanti VPN appliances following widespread targeted attacks. Historically, Ivanti vulnerabilities have been exploited by nation-state actors, including suspected Chinese threat groups targeting government and financial entities.
2024-03-20 16:03:57 | theregister | DATA BREACH | Royal Privacy Under Threat: London Clinic's Data Breach Investigated
The London Clinic is investigating an alleged breach of Princess Kate's medical records by an employee. Kate Middleton, Princess of Wales and future Queen of the UK, had surgery at the clinic earlier this year. Al Russell, CEO of the London Clinic, emphasized the institution's commitment to patient confidentiality and the serious approach to any breach. The Information Commissioner's Office has received a report of the incident and is currently assessing the information provided. Joe Jones from the International Association of Privacy Professionals noted the severity of a potential breach, given the possible negative consequences of unauthorized data sharing. Rumors regarding the Princess's health circulated due to her absence from public events, but she was seen shopping recently, looking well.
2024-03-20 14:52:24 | thehackernews | DDOS | Novel 'Loop DoS' Attack Endangers UDP-Based Protocols on Host Systems
Researchers have discovered a new denial-of-service (DoS) attack, termed Loop DoS, targeting application-layer protocols over UDP and affecting a large number of systems. Loop DoS attacks work by inducing two servers to communicate with each other indefinitely, unwittingly sustaining a traffic loop that leads to service disruption. The User Datagram Protocol (UDP) is vulnerable because it cannot authenticate source IP addresses, which allows attackers to spoof packets and reflect traffic toward a victim server. Protocols at risk include DNS, NTP, TFTP, and others whose implementations can fall into infinite error-response loops when interacting with another vulnerable service. An estimated 300,000 hosts are susceptible to Loop DoS attacks, which can be initiated by a single spoofing-capable host, making the threat relatively easy to execute. Notable companies with vulnerable products include Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel, although no active exploitation has been reported in the wild yet. Researchers emphasize the importance of initiatives like BCP38 to filter spoofed traffic and mitigate the risk of such DoS attacks.
2024-03-20 14:36:50 | theregister | CYBERCRIME | Extortionist Admits Guilt in Cyber Attacks on U.S. Medical Facilities
Robert Purbeck has pleaded guilty to federal computer fraud and abuse charges in a case affecting over 132,000 individuals. Purbeck targeted at least 18 organizations across the U.S., including medical clinics, using aliases for extortion. He threatened to sell the personal information of a Florida orthodontist's child unless a ransom was paid. In one case, Purbeck purchased credentials on the dark web to access and steal data from a Georgia medical clinic's server. Purbeck also penetrated the server of the Newnan, Georgia police department, extracting files and additional personal data. The U.S. Attorney emphasized the risk that cyberattacks pose to healthcare providers and local governments and committed to combating cyber threats. Purbeck's attempts to regain access to seized devices and to sue the authorities were denied, and his allegations of excessive force during his arrest were mostly dismissed. As part of the guilty plea, Purbeck agrees to pay $1 million in restitution; sentencing is scheduled for June 18.
2024-03-20 13:50:32 | bleepingcomputer | MISCELLANEOUS | Flipper Zero Makers Defend Device Amid Canadian Ban Proposal
The Canadian government has proposed a ban on "consumer hacking devices" like Flipper Zero due to car theft concerns. Car thefts in Canada have reportedly risen to 90,000 annually, with lawmakers linking this rise to hacking tools. Flipper Zero is a multifunctional pen-testing tool used for experimenting with and debugging hardware and digital devices. Flipper Devices, the producer of Flipper Zero, argues the device cannot effectively be used for car thefts such as keyless entry system attacks. The real issue, according to Flipper Devices, is outdated and vulnerable access control systems in automobiles, not the tools used to expose their weaknesses. Flipper Zero is a low-powered device and is not suited to the signal-repeater strategies typically employed by car thieves. The team urges the security research community to support the opposition to the ban through petitions and by spreading awareness.
2024-03-20 13:19:50 | theregister | CYBERCRIME | Surge in Stalkerware Use Highlights Growing Cyberstalking Issue
Kaspersky's annual report shows a 6% increase in people affected by stalkerware, with 31,031 cases documented in 2023. Europe and North America have seen significant numbers of cases, but Russia, Brazil, and India are the top three affected countries. The most prevalent stalkerware app globally is TrackView, impacting over 4,000 users; other notable apps include Reptilic, SpyPhone, Mobile Tracker, and Cerberus. Stalkerware is often marketed as a legitimate tool, such as anti-theft or parental-control software, even though it is used for invasive tracking without the victim's consent. Victims may face greater risk if they attempt to remove stalkerware, especially those in abusive relationships. A commissioned survey found that 23% of respondents had experienced online stalking, with women reporting higher rates of violence and abuse than men. While the majority are against monitoring a partner without consent, a worrying 46% of survey participants find it acceptable, indicating an erosion of privacy norms. The normalization of sharing personal information and account access among younger generations may contribute to the increasing acceptance and use of stalkerware.
2024-03-20 11:27:38 | thehackernews | CYBERCRIME | Cybercriminals Exploit TeamCity Flaws for Malware Deployment
Threat actors are exploiting vulnerabilities in JetBrains TeamCity software to launch ransomware and implant cryptocurrency miners and Trojans. These attacks are primarily based on the CVE-2024-27198 flaw, which allows administrative control over affected servers without authentication. Following the public disclosure of the flaw, the BianLian and Jasmin ransomware families, among others, have weaponized it. The ransomware ecosystem is evolving, with new strains appearing and existing groups like LockBit recruiting affiliates despite law enforcement efforts. Adjusted losses from reported ransomware infections in 2023 exceed $59.6 million in the U.S., with critical infrastructure sectors heavily targeted. Collaboration among ransomware groups is increasing, leading to shared tools, tactics, and operational partnerships, which may complicate detection and attribution efforts. Evasion techniques such as exploiting public-facing application vulnerabilities and "living-off-the-land" strategies are growing trends among cybercriminals. Security experts call for persistent strategic efforts to weaken the regenerative power of ransomware-as-a-service (RaaS) operations in order to combat this surge in ransomware crime.