Daily Brief
Total articles found: 11801
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-18 14:07:22 | bleepingcomputer | DATA BREACH | Fujitsu Acknowledges Significant Malware-Driven Data Breach | Japanese tech giant Fujitsu reported a cyberattack involving malware that compromised several of its IT systems and resulted in unauthorized access to customer data. The company, a leading international IT services provider, confirmed that personal information and sensitive customer details may have been stolen during the breach. Following the detection of the malware, Fujitsu isolated the affected computers and strengthened monitoring to prevent further incidents. An internal investigation is ongoing to determine the scope of the breach and identify the specific data exfiltrated by the attackers. Fujitsu has informed Japan's Personal Information Protection Commission and is preparing to notify affected customers, though it notes that no misuse of the data has been reported so far. The article references a previous security incident in May 2021, in which Fujitsu's ProjectWEB tool was exploited, compromising data from Japanese government agencies, including sensitive information and potentially air traffic control data from Narita International Airport. After the 2021 breach, ProjectWEB was discontinued and replaced with a more secure, zero-trust-based information-sharing platform. |
| 2024-03-18 14:02:03 | bleepingcomputer | DATA BREACH | Fujitsu Suffers Malware Attack, Confirms Customer Data Breach | Japanese technology company Fujitsu has confirmed a malware infection on some of its systems, resulting in a data breach. Cybercriminals reportedly stole sensitive customer data during the breach. Fujitsu, a leading IT services provider with a significant global presence, works across various sectors, including government projects. The firm has responded by isolating affected computers, enhancing monitoring, and initiating a thorough investigation. There have been no reports of the stolen data being misused, but Fujitsu has notified authorities and is preparing communications for affected customers. The scale of the breach, specifically whether it affects corporate clients or consumers, is still unclear as details have yet to be disclosed. The incident follows a previous breach in May 2021 that impacted Japanese government agencies and resulted in the theft of proprietary data and email addresses. |
| 2024-03-18 13:51:38 | bleepingcomputer | MISCELLANEOUS | Ensuring SaaS Security with Updated NIST Cybersecurity Guidelines | The explosion of SaaS use has prompted an update of the NIST Cybersecurity Framework (CSF) to version 2.0, addressing the unique security challenges of SaaS applications. The new NIST CSF 2.0 adds a 'Govern' function and highlights the need for both preventive and detective controls in SaaS security. Implementing SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR) is recommended for comprehensive SaaS threat monitoring. Recent attacks on Microsoft Azure environments and on a US telecom operator's HR software underscore the need to adhere to NIST guidelines. NIST CSF 2.0 emphasizes detecting anomalous activity through log analysis and correlating information from multiple sources to protect against breaches. The 'Protect' function stresses limiting access to authorized users and maintaining a clear understanding of employee permissions to keep SaaS applications secure. SaaS security aligned with NIST CSF 2.0 involves robust user inventory management, authentication, role-based access control, and effective incident detection and response strategies. |
| 2024-03-18 13:20:53 | theregister | CYBERCRIME | Cyberattack Installs Cheats, Halts Apex Legends Esports Tournament | Apex Legends Global Series Pro League tournament matches were disrupted by a suspected cyberattack in which cheats were forced onto players' accounts. Professional players Noyan "Genburten" Ozkose and Phillip "ImperialHal" Dosen received unauthorized in-game enhancements, including wallhacks and aimbots, compromising the integrity of the competition. The affected players were subsequently banned by the automated anti-cheat system, though there is no suspicion that they intentionally used the cheats. The gaming community suspects an unpatched remote code execution (RCE) vulnerability in the Apex Legends client, Easy Anti-Cheat, or the Source game engine may have been exploited. Apex Legends developer Respawn Entertainment and publisher EA have yet to provide technical details or a timeline for updates following the incident. The Apex Legends esports account announced the postponement of the NA finals to preserve the competitive integrity of the series. Cyberattacks on esports are rare but can cause significant reputational damage, financial losses, and disruption to the entertainment value of streamed events. Gaming companies and tournament organizers are increasingly aware of security threats, leading to the development of new anti-cheat technologies and services. |
| 2024-03-18 13:00:21 | thehackernews | CYBERCRIME | Fortra Fixes Severe Remote Code Execution Bug in FileCatalyst | Fortra has fixed a critical remote code execution (RCE) vulnerability in its FileCatalyst file transfer software, tracked as CVE-2024-25153 with a CVSS score of 9.8. The flaw allowed attackers to upload files outside the 'uploadtemp' directory through a directory traversal issue, potentially executing code via specially crafted JSP files. Security researcher Tom Wedgbury of LRQA Nettitude identified the vulnerability, which Fortra patched two days after the initial report on August 9, 2023. A proof-of-concept exploit demonstrated by Fortra shows the vulnerability could be used to upload a web shell for arbitrary system command execution. In addition, two other vulnerabilities in FileCatalyst Direct were addressed in January 2024, preventing information leakage and further code execution risks. Users of Fortra's products are urged to update to the latest versions immediately, especially in light of last year's heavy exploitation of similar flaws in Fortra GoAnywhere by threat actors such as Cl0p. |
| 2024-03-18 12:39:45 | thehackernews | MALWARE | Malicious Google Sites Used for HTML-Smuggled Malware Delivery | Cybersecurity researchers have uncovered a malware campaign that uses fake Google Sites pages to deliver the AZORult malware. The attack employs HTML smuggling to bypass traditional security measures and deliver encoded malicious scripts. The phishing campaign's objective appears to be the collection and sale of sensitive data on the dark web; no specific threat actor has been attributed. AZORult, also known as PuffStealer or Ruzalto, can gather various types of sensitive information, including credentials and cryptocurrency wallet data. The attackers added a CAPTCHA to lend credibility to the phishing page and deter automated URL scanners. The attack chain involves a complex sequence of scripts and executables that evade detection and allow the AZORult infostealer to run silently. Related campaigns have used malicious SVG files to distribute other malware such as Agent Tesla and LokiBot, using advanced smuggling techniques. In Latin America, phishing campaigns impersonating government agencies are spreading RATs through booby-trapped emails with malicious PDF attachments. |
| 2024-03-18 09:46:35 | thehackernews | MALWARE | Urgent Warning to WordPress Admins: Remove Vulnerable miniOrange Plugins | WordPress users are urged to delete miniOrange's Malware Scanner and Web Application Firewall plugins due to a severe security flaw. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to gain admin privileges by updating user passwords. The affected plugins were permanently closed as of March 7, 2024; Malware Scanner and Web Application Firewall had over 10,000 and 300 active installations, respectively. Attackers with admin access can upload malicious files, modify content, and redirect users to harmful sites. A similar critical vulnerability in the RegistrationMagic plugin (CVE-2024-1991) was patched on March 11, 2024, in version 5.3.1.0. Security companies warn that flaws in these popular plugins could lead to complete site compromise. Users are reminded of the importance of regular updates and security best practices for WordPress installations. |
| 2024-03-18 07:34:20 | theregister | MISCELLANEOUS | The Imperative of Failure Acceptance in Cybersecurity Teams | Gartner analysts stress the importance of recovery over the unrealistic expectation of preventing all infosec incidents. Asserting that "adrenaline does not scale," they argue against a culture of persecution in which infosec teams are driven by fear of personal consequences. Most organizations' incident response capabilities are immature; developing and rehearsing recovery plans is crucial for improvement. Recovery playbooks and mock drills reduce the need for "heroic action," and practice makes infosec teams more effective in real incidents. Preparing business stakeholders for impactful recommendations such as system takedowns, and agreeing in advance on tolerable impacts, aids smoother incident management. Measures should be taken to combat burnout and stress among infosec professionals, including shift work and mental health support systems. Gartner suggests normalizing the reporting of all incidents, big or small, to foster a culture of continuous improvement and resilience. Behavioral psychologists could help in understanding both the mental state of security staff and that of attackers, potentially easing the infosec skills shortage. |
| 2024-03-18 06:02:38 | thehackernews | NATION STATE ACTIVITY | APT28 Cyber Espionage Campaign Hits Global Targets | APT28, a Russia-linked cyber espionage group, is conducting extensive phishing campaigns across continents. The phishing schemes use fake documents purporting to come from governments and NGOs to lure victims in Europe, Asia, and the Americas. IBM X-Force identified the campaigns, which exploit vulnerabilities such as CVE-2023-23397 in Microsoft Outlook. The campaigns employ malware such as MASEPIE, OCEANMAP, and STEELHOOK to steal sensitive information and execute malicious commands. APT28 has recently used compromised Ubiquiti routers to host its payload-delivery servers, though a botnet built on such routers was recently disrupted by U.S. authorities. Countries whose organizations were impersonated in the phishing attacks include Argentina, Ukraine, Georgia, Belarus, and the U.S., among others. APT28 has shown adaptability in its operations by using new infection methods and commercially available infrastructure. OCEANMAP is identified as an evolution of CredoMap, signifying the group's ongoing development of its tooling. |
| 2024-03-18 05:52:21 | theregister | CYBERCRIME | Raid Liberates Hundreds From Philippines Online Romance Scam Operation | Filipino police raided a firm posing as an online gaming company, freeing 875 individuals forced to take part in romance scams. The individuals, including 504 foreigners from various countries, were lured with job promises, only to be enslaved and coerced into scamming. Victims were subjected to physical harm for not meeting quotas and had their passports confiscated to prevent escape. A tip from a tortured Vietnamese worker led to the raid, where authorities found weapons, falsified vehicle information, and evidence of the scam operation. Nine individuals were arrested on charges including anti-trafficking violations; the majority are not Filipino nationals. The operation, Zun Yuan Technology Incorporated, presented itself as an online gaming industry player but primarily recruited staff for scams. Southeast Asia has seen a rise in scam operations using trafficked labor, prompting regulatory responses and regional shifts in cyber fraud activity. |
| 2024-03-18 03:04:15 | theregister | CYBERCRIME | Huawei Unveils HiSec SASE to Combat Rising Ransomware Threats | As ransomware attacks increase globally, the UK House of Commons/House of Lords Joint Committee on the National Security Strategy highlights ransomware as a grave security threat. Huawei's HiSec SASE Solution offers integrated protection for enterprise branches and headquarters to guard against ransomware. The solution promises rapid threat handling, with 99% of security events addressed within seconds, and up to 50% higher threat detection performance. HiSec SASE features intelligent operations to reduce OPEX, intelligent orchestration for efficient resource use, intelligent lossless communication, and intelligent response for real-time backup and recovery. The solution delivers on-demand loading of key security capabilities, network-wide synchronization of threat detection results, and 99.5% automatic threat handling. Huawei's All-in-One Intelligent Security Gateway integrates multiple security functions and supports LTE and PoE to cut CAPEX by up to 30%. iMaster NCE-Campus is part of the solution, providing network management, control, and AI-based automation and analysis. The launch of Huawei's HiSec SASE comes in response to costly ransomware attacks on high-profile targets, emphasizing the need for businesses to strengthen their cyber defenses. |
| 2024-03-18 02:33:36 | theregister | CYBERCRIME | Cloudflare Mitigates AI Chat Vulnerability and Roblox Infostealer Alert | Cloudflare researchers developed a fix for a side-channel vulnerability in AI chat sessions after a paper disclosed the flaw. The vulnerability allowed attackers observing the encrypted traffic to infer and reconstruct parts of AI chat responses from the sizes of the tokens transmitted sequentially. By adding a 'p' property containing a random string of variable length, Cloudflare pads each message and obscures the token size, defeating the attack. A new infostealer malware campaign is targeting Roblox users; the malware is disguised as a tool to improve game performance while stealing sensitive information. Former telecommunications manager Jonathan Katz pleaded guilty to orchestrating SIM swap attacks that resulted in unauthorized account access, and faces significant legal consequences. With new operational technology vulnerabilities emerging, companies are reminded to stay vigilant and safeguard against potential cyber threats. Parents are warned to monitor the applications their children use with Roblox because of the risk posed by the disguised malware campaign. |
| 2024-03-17 23:25:18 | bleepingcomputer | DATA BREACH | AT&T Discounts Alleged Data Leak of 71 Million Users | AT&T denies that the leaked data of 71 million individuals came from its systems, despite a hacker's claim of a 2021 breach. Some of the data, which includes sensitive information such as social security numbers and dates of birth, has been verified as accurate by BleepingComputer and other cybersecurity researchers. ShinyHunters, the threat actor, initially tried to sell the data on a forum in 2021 for $200,000; it has now been released for free by another actor, MajorNelson. AT&T maintains that there is no evidence of a breach of its systems and suggests the data could have come from a third party. AT&T's total mobile customer base at the end of 2021 was 201.8 million, indicating that the leak, if legitimate, is likely partial. AT&T advises customers to be vigilant against SMS and email phishing, as well as SIM swapping attacks, which could follow from the data exposure. |
| 2024-03-17 14:27:03 | bleepingcomputer | CYBERCRIME | New Acoustic Cybertechnique Infers Keystrokes with Sound Patterns | A new acoustic side-channel attack on keyboards can deduce typed text from sound, with a 43% success rate on average, even in noisy environments. Researchers from Augusta University in the U.S. presented their findings, detailing how the attack works without needing controlled recording conditions. The attack leverages the distinct sound emitted by each keystroke and uses specialized software to analyze the typing pattern and build a dataset. To gather typing samples, attackers could employ malware, malicious websites, browser extensions, compromised apps, or even physical devices such as compromised USB keyboards. A statistical model is trained on the dataset to build a profile of the target's typing pattern, allowing a 5% deviation in keystroke intervals to account for variability and noise. The method is more effective against individuals with consistent typing habits and may not work well on infrequent computer users or very fast typists. Prediction accuracy is improved by filtering predictions through an English dictionary, though the use of silent keyboards may reduce effectiveness. |
| 2024-03-17 11:09:02 | theregister | CYBERCRIME | Urgent Call for Security Focus in Rapid AI Development | AI developers and data scientists are warned not to neglect security amid the rush to deploy AI applications; supply-chain attacks pose significant risks, including data theft and system hijacking. Like traditional software, AI projects combine libraries, packages, training data, models, and custom code, all of which can be exploited if security is an afterthought; code from public repositories may contain hidden backdoors or malicious functions. Security vulnerabilities are not always effectively addressed by academics and smaller startups, leaving AI tools and models open to compromise and misuse during and after deployment. Cybersecurity startups are emerging to address AI supply-chain risks, advocating proper auditing, security testing, and evaluation of machine-learning projects. Hugging Face's online model conversion service was found to be vulnerable, highlighting the potential for attackers to execute arbitrary code on its systems and access sensitive data in user repositories. JFrog reported that malicious code was discovered in 100 models hosted on Hugging Face, underscoring the possible breadth of the risk. AI community members are encouraged to adopt supply-chain security practices, such as digital authentication of developers and comprehensive security assessments of their tools and software. |