Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-22 10:02:18 | thehackernews | MISCELLANEOUS | Essential Guide to SaaS Security Posture Management, 2025 Edition | Growth in corporate SaaS usage necessitates robust security measures, leading enterprises to adopt SaaS Security Posture Management (SSPM). SSPM solutions provide comprehensive coverage, including misconfiguration management and integration with SOAR/SIEM systems. Enhanced Identity Security Posture Management (ISPM) is crucial for managing human and non-human identities and permissions within SaaS environments. Device-to-SaaS relationship management ensures risk control through integration with Unified Endpoint Management systems. Generative AI applications in SaaS environments increase productivity but also broaden potential security vulnerabilities. SaaS security must include data leakage protections and visibility into document sharing practices to safeguard sensitive corporate information. Identity Threat Detection and Response (ITDR) systems play a critical role in identifying and mitigating threats based on user behavior and other indicators. The 2025 edition of the Ultimate SaaS Security Checklist aids organizations in choosing the right SSPM tools to safely expand their use of SaaS applications. | Details |
| 2024-05-22 09:01:05 | thehackernews | MALWARE | Sophisticated Cryptojacking Campaign Employs Vulnerable Drivers | Cybersecurity experts have uncovered a cryptojacking campaign, dubbed REF4578, utilizing vulnerable drivers to bypass security measures and mine cryptocurrency covertly. The campaign leverages a Bring Your Own Vulnerable Driver (BYOVD) attack technique to disable Endpoint Detection and Response (EDR) solutions, facilitating the execution of the XMRig mining software. Attackers initiate the infection through a PowerShell script disguised as a PNG image, which downloads multiple malicious components from a command and control server. The malware disables Microsoft Defender Antivirus, clears Windows event logs, and ensures sufficient disk space on the C:\ volume for its operations. Scheduled tasks are created to maintain persistence of the malware and to periodically execute malicious activities. The primary tool in the attack, "smartsscreen.exe" or GHOSTENGINE, is designed to deactivate security processes and manage the cryptocurrency miner. The operation displays significant sophistication, incorporating multiple redundancy measures and fallback mechanisms to ensure its success and durability. Researchers highlight the increasing use of BYOVD attacks by cybercriminals to perform privileged actions by exploiting known flaws in system drivers. | Details |
| 2024-05-22 07:44:32 | thehackernews | MALWARE | Keylogger Malware Deployed on MS Exchange Servers in Africa, Middle East | An unidentified threat actor has exploited vulnerabilities in Microsoft Exchange Server to install keylogger malware targeting various entities in Africa and the Middle East. Positive Technologies identified over 30 victims, including government agencies, banks, educational institutions, and IT companies. The attacks exploited known ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), which Microsoft had patched in May 2021. The malware collects user credentials and stores them in a file accessible from the internet. Victims are located in several countries, including Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon. Following the discovery of this exploitation chain by DEVCORE's Orange Tsai, organizations are advised to regularly update their Microsoft Exchange Servers and monitor for signs of compromise. Positive Technologies has so far been unable to attribute the attacks to any known threat actor or group due to a lack of sufficient information. | Details |
| 2024-05-22 07:34:10 | theregister | MALWARE | Critical Security Flaw Patched in GitHub Enterprise Server | GitHub Enterprise Server patched a critical vulnerability with a maximum CVSS severity score of 10. The flaw allowed full administrative access if exploited, affecting all versions before 3.13.0. The vulnerability specifically impacted instances using SAML SSO with optional encrypted assertions. GitHub addressed the issue in recent patches for versions 3.9.x through 3.12.x; the latest 3.13.x versions are not affected. The bug, identified as CVE-2024-4985, relied on encrypted assertions, a feature intended to enhance security. Discovery was made through GitHub's bug bounty program, rewarding the finder between $20,000 and $30,000, potentially more. This patch underscores ongoing challenges in securing enterprise software applications against evolving threats. | Details |
| 2024-05-22 05:16:15 | thehackernews | CYBERCRIME | QNAP Issues Fixes for Medium-Severity NAS Vulnerabilities | Taiwanese company QNAP released patches for several medium-severity vulnerabilities in its QTS and QuTS hero operating systems for NAS appliances. The vulnerabilities allowed code execution but required authenticated access; they are addressed in the latest QTS and QuTS hero updates. A notable vulnerability involved misuse of the 'strcpy' function, exploitable via a specific 'ssid' parameter in shared NAS files. Some flaws, including authentication bypass and code execution, were patched following a coordinated disclosure with cybersecurity firm watchTowr. QNAP faced criticism for its delayed response; however, it has committed to releasing critical fixes within 45 days and medium-severity fixes within 90 days. Despite having ASLR enabled, which complicates exploitation, QNAP advises users to update immediately to avoid risks associated with unresolved and past vulnerabilities. The public disclosure was forced by watchTowr after QNAP exceeded the standard 90-day disclosure period without fully resolving the reported issues. | Details |
| 2024-05-22 04:50:42 | thehackernews | MISCELLANEOUS | Zoom Integrates NIST-Approved Post-Quantum Encryption | Zoom has introduced post-quantum end-to-end encryption (E2EE) to enhance meeting security. The new encryption uses the Kyber-768 algorithm, selected by NIST for its quantum resistance. Post-quantum E2EE is used by default only when all users are on Zoom version 6.0.10 or newer; otherwise, standard E2EE applies. The upgrade aligns with growing concerns over quantum computing's potential to break traditional cryptography. Industry leaders like AWS, Apple, and Google are also adopting quantum-resistant standards. The move is particularly vital for entities managing critical infrastructure, as emphasized by HP Wolf Security. The Linux Foundation recently launched a Post-Quantum Cryptography Alliance to tackle quantum-related cryptographic security challenges. | Details |
| 2024-05-22 03:54:31 | thehackernews | CYBERCRIME | Critical Authentication Flaw Fixed in Veeam Backup Enterprise Manager | A critical vulnerability in Veeam Backup Enterprise Manager allows authentication bypass. Tracked as CVE-2024-29849 with a CVSS score of 9.8, it enables unauthorized login as any user. Veeam has issued a fix in version 12.1.2.172, along with patches for three other related issues. The affected product is an optional component; environments without it installed remain unaffected. Additional fixes include a local privilege escalation in Veeam Agent for Windows and a critical remote code execution in Veeam Service Provider Console. Users are advised to update their software to mitigate potential cybersecurity risks. | Details |
| 2024-05-22 00:51:39 | theregister | NATION STATE ACTIVITY | US Govt Funds Auto-Patcher Tech for Hospital Cybersecurity | The US government's ARPA-H has committed over $50 million to develop an automated security technology for hospitals named UPGRADE. UPGRADE aims to automate the detection and patching of vulnerabilities in hospital IT systems to enhance cybersecurity without affecting clinical operations. The initiative invites tech experts to create tools that scan for security weaknesses, develop fixes, and deploy them with minimal disruption to hospital operations. This technology will also involve creating digital twins of hospital equipment and developing custom defense mechanisms tailored to specific vulnerabilities. ARPA-H was established by President Joe Biden and operates under the US Dept of Health and Human Services, focusing on breakthrough healthcare technologies. Deputy Secretary Andrea Palm emphasized the critical need for advanced cybersecurity to protect interconnected healthcare services from ransomware and cyberattacks. The development of UPGRADE is part of a broader strategy to secure healthcare infrastructures, potentially making currently voluntary cybersecurity practices mandatory. | Details |
| 2024-05-21 22:34:10 | bleepingcomputer | MALWARE | GhostEngine Crypto Mining Campaign Disables Security Software | A new crypto mining campaign named 'REF4578' has been identified deploying a malware called GhostEngine that disables security products using vulnerable drivers. GhostEngine starts its attack using a masqueraded Windows file, 'Tiworker.exe', which serves as a launcher for further malicious activities. The main payload, downloaded via a PowerShell script ('get.png'), kills endpoint detection and response (EDR) software and initiates crypto mining using XMRig. To disrupt EDR operations, GhostEngine employs vulnerable kernel drivers from Avast and Iobit to terminate processes and delete executables. Researchers have not pinpointed the origin of the attacks or identified specific victims, leaving the scope and impact of the campaign unclear. Continuous updating mechanisms are implemented by downloading new versions of the malicious PowerShell script using scheduled tasks for persistence. Defense strategies against GhostEngine involve monitoring for unusual PowerShell usage and for suspicious processes or network traffic, particularly to known crypto-mining pools, and blocking file creation by vulnerable drivers. Elastic Security Labs has provided YARA rules to aid defenders in detecting signs of GhostEngine infections in their networks. | Details |
| 2024-05-21 22:28:49 | bleepingcomputer | CYBERCRIME | Veeam Issues Urgent Patch for Critical Authentication Bug | Veeam has alerted customers about a critical vulnerability in its Backup Enterprise Manager product, urging immediate patching. The security flaw, identified as CVE-2024-29849, permits unauthenticated attackers to log into any account on the VBEM platform. VBEM, a web management tool, is not enabled by default, reducing the risk for some environments. The vulnerability scored a high 9.8/10 on the CVSS scale, indicating severe risk. Temporary mitigation involves stopping and disabling related Veeam services or uninstalling the vulnerable platform if not in use. In addition to CVE-2024-29849, Veeam also patched other high-severity vulnerabilities concerning account takeovers and NTLM hash stealing. Historical context: Veeam has been a target in past ransomware operations, with vulnerabilities exploited by known threat groups against U.S. critical infrastructure and Latin American IT firms. Globally, Veeam's solutions are employed by over 450,000 customers, making security breaches particularly impactful. | Details |
| 2024-05-21 21:27:32 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Claims Data Theft from London Drugs | The LockBit ransomware group claims responsibility for an April cyberattack on Canadian pharmacy chain London Drugs. The attack led to the temporary shutdown of all London Drugs retail stores across Western Canada; however, stores have since reopened. London Drugs conducted a forensic investigation which found no evidence of compromised customer or health data. Despite this, LockBit threatens to publish stolen data online, allegedly including employee information, following failed $25 million ransom negotiations. London Drugs cannot yet confirm the extent of the employee data breach, but has provided employees with complimentary credit monitoring and identity protection services. LockBit ransomware is still operational despite international law enforcement efforts, including the recent Operation Cronos, which seized the gang's infrastructure in February 2024. The U.S. State Department offers significant rewards for information leading to the arrest of LockBit leadership and affiliates. | Details |
| 2024-05-21 20:00:36 | bleepingcomputer | DATA BREACH | Leaked Plaintext Secrets Compromise AWS Accounts via Bitbucket | Mandiant uncovered a breach where plaintext AWS secrets were leaked through Atlassian Bitbucket artifact objects. Bitbucket artifact files accidentally exposed plaintext authentication secrets, risking unauthorized data access. Developers using Bitbucket's CI/CD pipeline inadvertently stored sensitive authentication keys in public repositories. The exposure occurred when environment variables, intended to be encrypted, were stored in plaintext within artifacts for CI/CD processes. Threat actors exploited these exposed secrets to access AWS accounts, underscoring the risks of misconfigured CI/CD pipelines. Mandiant advises utilizing dedicated secret management tools and conducting thorough code scans to prevent similar incidents. Developers are encouraged to ensure that no plaintext secrets are included in artifacts and to regularly review and update security configurations. | Details |
| 2024-05-21 19:49:49 | theregister | MISCELLANEOUS | Zoom Implements Post-Quantum Encryption to Enhance Security | Zoom has introduced post-quantum end-to-end encryption (E2EE) for its video conferencing platform, aiming to secure communications against future quantum computer threats. This update positions Zoom as the first UCaaS provider to implement a quantum-resistant encryption solution for video communications. The newly implemented Kyber 768 algorithm is designed to resist decryption by future quantum computers. Users must join meetings via the Zoom desktop or mobile app to utilize E2EE, with phone number verification required for hosts on free accounts. While E2EE is enabled, some standard Zoom features have limited functionality, so users should consider their need for these features before activation. Kyber 768 is currently under standardization by the National Institute of Standards and Technology (NIST) to become a recognized post-quantum encryption standard. The update comes amid concerns over "harvest now, decrypt later" surveillance tactics, where encrypted data is stored until it can be decrypted by future technology. Other tech giants like Apple and Signal have also begun integrating quantum-resistant algorithms to safeguard communications against emerging quantum technologies. | Details |
| 2024-05-21 19:44:28 | bleepingcomputer | DATA BREACH | Western Sydney University Faces Significant Data Breach | Western Sydney University notified students and staff of a data breach affecting its Microsoft 365 and SharePoint environment. The earliest unauthorized access occurred on May 17, 2023, compromising email accounts and SharePoint files. Approximately 7,500 individuals have been confirmed affected, though the investigation continues and this number may increase. The breach was not identified until January 2024, prompting swift action by the university's IT team to close the breach and enhance security measures. NSW Police, CrowdStrike, and CyberCX have been involved in the ongoing investigation; no ransomware or extortion demands have been detected. The university's core operations such as classes, exams, and research programs remain unimpacted. Legal measures, including a court injunction, have been taken to prevent dissemination of the accessed data. Impacted individuals are being contacted directly and offered support through a dedicated phone line, with further assistance available from IDCARE. | Details |
| 2024-05-21 19:08:31 | bleepingcomputer | DATA BREACH | Atlassian Bitbucket Leak Exposes AWS Auth Secrets | Threat actors exploited plaintext authentication secrets leaked in Atlassian Bitbucket artifact files to breach AWS accounts. Mandiant uncovered the data exposure while investigating a breach where AWS secrets used for access were leaked in plaintext. Bitbucket, used for version control and CI/CD, allows developers to store sensitive information such as AWS secrets in secured variables. Despite being encrypted in Bitbucket, secured variables were found exposed in plaintext within artifact files generated during pipeline operations. Developers were likely unaware that these secrets, crucial for security, were exposed in files readily accessible in public repositories. Mandiant warned that some developers' misconfigurations in pipeline settings or debug logs could lead to unintentional leaks of sensitive data. Mandiant recommended using dedicated secret management tools and implementing code scanning throughout development to prevent such exposures. | Details |