Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12714
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-21 17:51:51 | bleepingcomputer | NATION STATE ACTIVITY | Rockwell Automation Advises Immediate ICS Disconnection Due to Threats | Rockwell Automation issued a warning to customers urging them to disconnect industrial control systems (ICS) not intended for online exposure to protect against rising malicious cyber activities. The guidance emphasizes the importance of keeping such devices off the internet to minimize organizational attack surfaces and prevent direct system access by threat actors. Increased global geopolitical tensions and cyber threats prompted this advisement, stressing immediate action for devices unnecessarily connected to the public internet. The advisory coincides with a CISA alert reinforcing the need for reduced ICS device exposure in light of current security vulnerabilities identified in Rockwell ICS devices. Historical context includes past advisories from the NSA and CISA focused on securing operational technology (OT) and ICS from cyberattacks, with escalating guidance over recent years. Recent federal alerts have also highlighted the activities of pro-Russian hacktivists and their impacts on critical infrastructure, noting that groups like the Cyber Army of Russia have government affiliations, increasing the threat level. Rockwell's proactive step aims to drastically curtail the risk of unauthorized access and enhance overarching cybersecurity resilience in critical infrastructure sectors. | Details |
| 2024-05-21 17:46:35 | theregister | DDOS | Critical Vulnerability Discovered in Logging Component Fluent Bit | Researchers at Tenable uncovered a critical vulnerability (CVE-2024-4323) in Fluent Bit, impacting all major cloud providers. This flaw can lead to denial of service (DoS), information leaks, and possibly remote code execution (RCE) under specific conditions. Fluent Bit is widely used, with over 13 million Docker downloads, and is utilized by major companies like Cisco, Dell, Walmart, and others. The vulnerability affects versions 2.0.7 through 3.0.3 and involves memory corruption triggered by passing non-string values into its monitoring API. Attackers can crash the service or potentially access sensitive information by manipulating integer values sent to the API. Although exploiting the flaw for remote code execution is complex and challenging, the immediate risks are primarily DoS and data leakage. Cloud services using Fluent Bit should urgently upgrade to version 3.0.4 or restrict access to the affected API endpoints. Tenable has notified major cloud services, including Microsoft, Amazon, and Google, to facilitate prompt mitigation and security enhancements. | Details |
| 2024-05-21 16:19:51 | thehackernews | CYBERCRIME | GitHub Fixes Critical Security Flaw in Enterprise Server | GitHub updated GitHub Enterprise Server (GHES) to fix a high-severity authentication bypass vulnerability, identified as CVE-2024-4985. The vulnerability, with a maximum CVSS score of 10.0, could allow unauthorized access without prior authentication, especially in configurations using SAML SSO with encrypted assertions. Attackers could potentially forge a SAML response to gain administrative access or provision new users. The flaw affects all GHES versions prior to 3.13.0; patches have been released in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Encrypted assertions, which were vulnerable, are not enabled by default, thus limiting the overall exposure. GitHub recommends upgrading to the newest GHES version to prevent exploitation and secure systems. GHES is used by organizations worldwide for self-hosted software development and deployment, emphasizing the importance of this security update. | Details |
| 2024-05-21 15:03:07 | bleepingcomputer | CYBERCRIME | GitHub Fixes Critical SAML Authentication Bypass Flaw | GitHub has patched a critical vulnerability in its Enterprise Server, identified as CVE-2024-4986, with a CVSS v4 rating of 10.0. The flaw affects instances that use Security Assertion Markup Language (SAML) single sign-on (SSO) with encrypted assertions. Attackers could exploit the vulnerability to forge a SAML response, allowing unauthorized administrative access to the server's contents. The vulnerability impacts only those GitHub Enterprise Server (GHES) instances where encrypted assertions have been enabled, which is not a default setting. GHES is aimed at large enterprises or teams requiring enhanced control over data, including those managing sensitive information or needing offline access. Affected versions have been updated: versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15 were all released to address this issue as of May 20. Instances using the vulnerable configuration should urgently upgrade to a secure version to mitigate risk. | Details |
| 2024-05-21 14:37:25 | thehackernews | MALWARE | Cloud Services Exploited to Deliver Malware Using Unicode Tricks | A new malware campaign, CLOUD#REVERSER, utilizes Google Drive and Dropbox to distribute malicious payloads via cloud storage services. Attackers send phishing emails containing ZIP files disguised as Microsoft Excel documents using the Unicode right-to-left override (RLO) trick, deceiving users into executing harmful executables. The malware establishes persistence by creating scheduled tasks under the guise of Google Chrome browser updates and downloads additional PowerShell scripts for ongoing operations. These PowerShell scripts interact with Google Drive and Dropbox to download further malicious scripts and files, continuously updating their capabilities and actions. The VBScript and PowerShell used are heavily obfuscated, complicating detection and analysis while performing activities typical of a command-and-control infrastructure. The CLOUD#REVERSER campaign highlights an ongoing trend of cybercriminals exploiting legitimate cloud platforms to conduct stealthy operations and avoid detection. | Details |
| 2024-05-21 13:11:06 | thehackernews | MALWARE | SolarMarker Malware Adapts to Evade Detection and Takedown | SolarMarker, an information-stealing malware, has evolved to use a multi-tiered infrastructure to resist law enforcement takedowns. This complex infrastructure has primary clusters for ongoing operations and secondary ones likely used for testing and targeting specific sectors. The malware is capable of stealing data from web browsers and cryptocurrency wallets and of targeting VPN and RDP configurations, predominantly affecting sectors like education, government, healthcare, hospitality, and SMEs. SolarMarker's infection techniques include hosting on fake downloader sites and using malicious emails with misleading links leading to executable files or Microsoft Installer files. The malware has adopted stealth features, such as increased payload sizes, the use of valid certificates, novel Windows Registry changes, and the ability to run directly from memory. Recent variations of SolarMarker have included a PyInstaller version using a decoy dishwasher manual and a Delphi-based backdoor named SolarPhantom for remote control without user knowledge. Recorded Future's report highlights that the malware's complex server architecture involves up to four tiers of command-and-control servers, complicating efforts to neutralize the threat. Although there is speculation about SolarMarker's origins, including a possible Russian connection, definitive attribution has not been established. | Details |
| 2024-05-21 13:00:42 | bleepingcomputer | MISCELLANEOUS | Zoom Integrates Quantum-Resistant Encryption for Enhanced Security | Zoom has globally launched post-quantum end-to-end encryption for its video meetings, planning expansions to Zoom Phone and Zoom Rooms. The implementation uses the Kyber768 quantum-resistant algorithm, enhancing security against potential future quantum computer threats. Current encryption ensures only meeting participants have access to encryption keys, with Zoom's servers unable to decrypt communications. The move prepares Zoom for future security challenges, addressing the "harvest now, decrypt later" threat posed by advancements in quantum computing. This proactive security upgrade aligns Zoom with other tech leaders like Signal and Google Chrome, which have also adopted quantum-resistant algorithms. Previously criticized for its encryption standards, Zoom has been proactive since 2020, advancing its security features amid increasing demands for secure communication solutions. Zoom claims leadership in the UCaaS space with this advanced quantum-resistant video conferencing capability. | Details |
| 2024-05-21 11:39:03 | thehackernews | MISCELLANEOUS | Key Principles for Effective DevSecOps Implementation | Today’s software development incorporates DevSecOps practices to integrate security throughout the development lifecycle, addressing the increasing threats in the cyber landscape. Effective DevSecOps practices not only aim to secure applications but also maintain the speed and satisfaction level of the development processes. Establishing a collaborative, security-minded culture across all teams is crucial for minimizing resistance and enhancing cross-functional teamwork. DevSecOps emphasizes 'shifting security left': integrating security early in the development process to identify and address vulnerabilities without overburdening developers. Governance and stringent guardrails are essential to prevent errors and enforce compliance, ensuring stakeholders can easily follow security protocols. Secure the entire software supply chain, not just the organization’s source code, to protect against vulnerabilities in open-source components and third-party artifacts. Incorporate automation and AI to achieve continuous security, keeping pace with rapid development cycles and enhancing the maturity of DevSecOps practices. The guidelines provided articulate clear methods to build a robust DevSecOps foundation, crucial for evolving DevOps technologies and ongoing security challenges. | Details |
| 2024-05-21 11:13:26 | thehackernews | MISCELLANEOUS | Enhancing IT Security Compliance with Wazuh's FIM Tool | File Integrity Monitoring (FIM) is essential for auditing and ensuring data integrity within IT systems, as mandated by various cybersecurity standards. Wazuh provides a comprehensive FIM capability, integrated within its open-source security platform, aiding in both detection and response to unauthorized file changes. FIM helps in meeting IT security compliance by monitoring changes such as file modifications, deletions, and additions, important for adhering to standards like PCI DSS, ISO 27001, and GDPR. The Wazuh platform not only offers FIM but also includes features like malware detection, vulnerability detection, and security configuration assessment, making it a robust tool for enhancing security posture. Implementing and configuring the Wazuh FIM capability properly allows organizations to keep track of critical changes in real time, promptly addressing potential security incidents. Effective utilization of Wazuh’s FIM can prevent compliance-related issues and mitigate risks associated with data breaches and cyber-attacks. The flexibility of Wazuh allows it to secure diverse IT environments, including cloud-based, on-premises, and containerized platforms. | Details |
| 2024-05-21 11:03:06 | theregister | RANSOMWARE | Dominance of Major Ransomware Gangs Deters New Entrants in 2023 | The number of new ransomware families introduced in 2023 dropped significantly to 43 from 95 in the previous year, indicating a consolidation in the ransomware landscape. Dominant ransomware groups like LockBit 3.0 and ALPHV/BlackCat have effectively stifled competition through successful and profitable attacks, reducing the incentive for new entrants. The evolution of ransomware tactics now focuses more on targeting business-critical systems and data exfiltration before deploying encryption, representing a strategic shift from early ransomware methods. Approximately 5,600 ransomware attacks were recorded between January 2023 and February 2024, but the real number is likely higher due to underreporting. The majority of ransomware attacks begin by exploiting vulnerabilities in public-facing applications or through compromised valid accounts, emphasizing the necessity of robust security measures like MFA and timely patching. Ransomware attacks primarily still involve data encryption, despite the prominence of high-profile pure-extortion attacks like the MOVEit MFT incident. Ineffective enforcement of Multi-Factor Authentication (MFA) and slow security updates are significant vulnerabilities that organizations need to address to prevent ransomware attacks. Zero-day vulnerabilities continue to be a lucrative market for cybercriminals, with increased focus on network edge devices as primary targets for future attacks. | Details |
| 2024-05-21 10:27:13 | thehackernews | MALWARE | Critical Code Execution Vulnerabilities in Python and PDF.js Libraries | Researchers have disclosed a critical flaw in the llama_cpp_python Python package, allowing for arbitrary code execution. The vulnerability, tracked as CVE-2024-34359 with a CVSS score of 9.7, is a result of server-side template injection facilitated by misuse of the Jinja2 template engine. The llama_cpp_python package has been downloaded over 3 million times, highlighting its widespread use for integrating AI models with Python. A separate high-severity flaw was found in Mozilla's PDF.js library, potentially enabling arbitrary JavaScript execution (tracked as CVE-2024-4367). Mozilla has patched the vulnerability in Firefox, Firefox ESR, Thunderbird, and the npm module pdfjs-dist, advising further checks for embedded PDF.js in node modules. These discoveries underscore the critical intersection of AI, software supply chain security, and the need for enhanced lifecycle management of AI systems and components. Security experts urge developers to update to the patched versions of the affected libraries to protect against potential data theft, system compromise, and operational disruptions. | Details |
| 2024-05-21 09:10:29 | thehackernews | MISCELLANEOUS | Microsoft Windows 11 Enhances Security with New Features in 2024 | Microsoft announced plans to deprecate NT LAN Manager (NTLM) in Windows 11, shifting to Kerberos for authentication to enhance security protocols, scheduled for the second half of 2024. NTLM was identified as vulnerable to relay attacks, notably exploited by Russia-linked APT28; Microsoft cited NTLM's outdated cryptographic support as a reason for its deprecation. Enhanced security features in Windows 11 include Local Security Authority protection by default, virtualization-based security for Windows Hello, and AI-powered Smart App Control to block unsafe applications. Microsoft is launching Trusted Signing, an end-to-end solution simplifying app certification for developers and ensuring safer application execution. Upcoming security updates include Protected Print Mode as the default setting and no longer trusting TLS certificates with RSA keys under 2048 bits. Microsoft introduced Zero Trust Domain Name System (ZTDNS) for commercial customers, restricting Windows devices to pre-approved network destinations. In response to prior security breaches and criticism, Microsoft outlined significant strategic enhancements in its Secure Future Initiative (SFI), focusing on accountability in cybersecurity management at senior levels. Aligning with recent cybersecurity recommendations, Google emphasized the necessity for governments to adopt secure-by-design systems and encourage a multi-vendor strategy to mitigate risks associated with using a single vendor ecosystem. | Details |
| 2024-05-21 07:28:13 | thehackernews | CYBERCRIME | NextGen Healthcare Mirth Connect Vulnerability Actively Exploited | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a security flaw in NextGen Healthcare Mirth Connect. Identified as CVE-2023-43208, the vulnerability allows for unauthenticated remote code execution and stems from an incomplete fix of a previous issue. The flaw arises from insecure handling of XML data in the Java XStream library, making it easy for attackers to exploit. CISA has mandated federal agencies to upgrade their Mirth Connect systems to version 4.4.1 or later by June 10, 2024, to mitigate risks. There are no details on who is behind the attacks or the specific nature of the attacks exploiting this vulnerability. The vulnerability was first disclosed by Horizon3.ai and further detailed by researchers in January 2023. Additionally, CISA also added an exploited vulnerability in Google Chrome to its KEV catalog, urging updates to patched versions. Mirth Connect is a critical integration platform used by healthcare organizations for data exchange between varied systems. | Details |
| 2024-05-21 06:47:25 | thehackernews | MALWARE | Critical Vulnerability Hits Fluent Bit Logging Utility | A critical security flaw, CVE-2024-4323, known as Linguistic Lumberjack, has been identified in the Fluent Bit logging utility. The vulnerability affects versions 2.0.7 through 3.0.3 and has been fixed in version 3.0.4. Exploitation of this flaw could lead to denial-of-service (DoS), information leakage, or even remote code execution. The issue arises from memory corruption due to improperly validated input types in the built-in HTTP server's API endpoints. Attackers could manipulate the server by sending maliciously crafted requests to certain API monitoring endpoints. It’s crucial for users to update to the latest software version to guard against potential exploits, particularly as a proof-of-concept (PoC) exploit is already available. The vulnerability's exploitability for remote code execution varies based on the host's architecture and operating system. | Details |
| 2024-05-21 03:38:36 | theregister | MISCELLANEOUS | Challenges in Tech and FOSS Adoption by Myanmar Activists | Myanmar’s military regime, after seizing power in 2021, severely restricted internet access, banned social networks, and clamped down on digital communications. Activists in Myanmar face significant hindrances using Big Tech services due to required real-name registrations and the dominance of services like Facebook's "Free Basics", which limits privacy. FOSS (Free and Open Source Software) tools, though potentially beneficial, are complicated for activists with limited technical skills, reducing their practicality in high-risk environments. The study by Laura Gianna Guntrum at PEASEC highlights the need for more accessible, secure communication tools designed specifically for activists in oppressive regimes. Research suggests integrating peer-to-peer networking into popular apps like Signal and WhatsApp to maintain connectivity during internet blackouts imposed by the government. Guntrum's findings urge developers to create user-centric technology solutions that are tailored to the unique challenges faced by global activists, especially during internet shutdowns and periods of heightened surveillance. | Details |