Daily Brief
Total articles found: 11799
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-13 13:58:39 | thehackernews | MALWARE | PixPirate Trojan Hides Icon, Targets Brazilian Banking Users | The PixPirate Android banking trojan is applying a new evasion technique to conceal its presence from users' device screens, posing a persistent threat in Brazil. PixPirate exploits the Android accessibility services to execute unauthorized transactions via PIX instant payment and steal sensitive information, such as banking credentials and credit card data. The malware has evolved to avoid detection by hiding its app icon, making it harder for victims to recognize and remove the infection from their devices. Attackers are distributing the trojan primarily through SMS and WhatsApp using a dropper/downloader app that collaborates with the main payload to conduct fraud. The downloader is instrumental not only for deploying the PixPirate malware but also for executing and maintaining its operations through ongoing communication and command execution. Even if the downloader is removed, PixPirate can persist on the infected device by triggering its execution on various system events. The campaign's sophistication signals a growing trend of advanced financial malware targeting Latin American banks, including a recent malware called Fakext, which uses a rogue Edge browser extension to hijack banking credentials. |
| 2024-03-13 12:06:24 | theregister | RANSOMWARE | Stanford University Ransomware Incident Exposes Data of 27,000 | Stanford University confirmed a ransomware attack that went undetected for four months, affecting 27,000 individuals. Sensitive data, including names and Social Security numbers, was stolen from the Department of Public Safety's database. The breach occurred on May 12, 2023, but was only discovered on September 27, raising concerns about the duration of unauthorized access. Stanford has offered the impacted individuals two years of free credit monitoring and ID theft recovery services. The university has engaged law enforcement and cybersecurity experts to address the breach and to strengthen its security measures. Akira, the ransomware group responsible, has made Stanford's stolen data available for download via a torrent file. Akira, operational since March 2023, has been responsible for other major attacks and is considered a significant threat in the ransomware landscape. |
| 2024-03-13 11:45:45 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Affiliate Sentenced to Four Years and Fined | Russian-Canadian cybercriminal Mikhail Vasiliev received a four-year prison sentence for involvement with the LockBit ransomware gang. Vasiliev pleaded guilty to eight charges and was implicated in roughly a thousand cyberattacks with demands totaling over $100 million. His cybercrimes primarily targeted businesses in various Canadian provinces between 2021 and 2022. The court ordered him to pay $860,000 in restitution and mentioned the possibility of extradition to the U.S. for additional charges. Though disrupted by law enforcement, LockBit relaunched operations on new infrastructure, attempting to maintain its active image. Analysis suggests LockBit's current activities may be overstated, with data leaks mostly from companies attacked in previous years. |
| 2024-03-13 10:34:20 | thehackernews | CYBERCRIME | Protect Your SaaS Applications From Identity-Related Cyber Threats | Cybercriminals are increasingly targeting identities within SaaS applications, posing a risk of data breaches and compliance violations. A range of identities, both human and non-human, such as API keys and service accounts, are potential entry points for attackers in SaaS platforms. While human identities can be safeguarded with multi-factor authentication and single sign-on, non-human identities require different security measures. Non-human accounts, often equipped with higher privileges for integration tasks, are more challenging to protect and more susceptible to attacks. Cybersecurity strategies for non-human accounts include continuous monitoring and automated security checks to detect unusual activities. Many organizations neglect the security of non-human identities, despite their high potential for exploitation. An upcoming webinar will feature Adaptive Shield's CEO Maor Bin, focusing on identity risks in SaaS applications and how to enforce a strong identity security posture. The webinar will cover advanced methods and tools to enhance protection against evolving cyber threats within SaaS environments. |
| 2024-03-13 10:18:54 | thehackernews | CYBERCRIME | Researchers Uncover Security Risks in Google's Gemini AI | HiddenLayer has identified security threats in Google's Gemini large language model that could lead to unintended content generation and information leaks. The security guardrails meant to guide the AI in building appropriate responses can be bypassed, potentially leaking system prompts using synonym attacks or crafted prompts. Gemini models could be manipulated to spread misinformation, execute illegal activities, or cause the AI to divulge sensitive system messages. The models are tricked into mixing up user inputs with system prompts, especially when fed a series of nonsensical inputs. A test using Google Workspace integration revealed potential for malicious actors to gain control over a user's interaction with the AI model. Alongside this, academics highlighted the possibility of model-stealing attacks that can extract information from production language models like OpenAI's ChatGPT or Google's PaLM-2. Security measures like model defenses and safeguards against harmful responses are being continuously improved by Google, which also runs red-teaming exercises. In response to these vulnerabilities, Google has restricted AI responses to election-related queries and is working to improve its protective measures. |
| 2024-03-13 09:53:21 | thehackernews | MALWARE | Malware Phishing Campaign Exploits AWS and GitHub for RAT Deployment | Cybercriminals are leveraging Amazon Web Services (AWS) and GitHub to distribute the remote access trojans (RATs) VCURMS and STRRAT. The delivery method involves a phishing email with a malicious Java-based downloader posing as a payment verification button. VCURMS uses a Proton Mail address to communicate with its command-and-control server and conducts periodic mailbox checks for command execution instructions. The malware is equipped to steal sensitive data from applications and browsers, capture screenshots, and gather detailed hardware and network information. VCURMS bears resemblance to another Java-based infostealer known as Rude Stealer, which surfaced in the previous year. STRRAT, also Java-based and active since 2020, includes varied features such as keylogging and credential theft from browsers and applications. Darktrace has also uncovered a separate phishing campaign exploiting Dropbox's automated emails to distribute a malicious Microsoft 365 login mimic. The public hosting of malware and the abuse of reputable commercial services underscore the need for advanced detection and security practices to combat these elevated threats. |
| 2024-03-13 08:57:10 | theregister | MISCELLANEOUS | Securing Multi-Cloud Environments with Collaborative Strategies | Enterprises are adopting multi-cloud strategies for data sovereignty and cost optimization, but this introduces complex security challenges. A lack of cohesive cloud security skills could lead to vulnerabilities, requiring continuous monitoring and skills in cloud infrastructure and operations. Misconfigurations in security settings of cloud providers, as in the case of AWS S3 buckets, can lead to significant security breaches. The shared responsibility model in cloud security remains misunderstood by many organizations, leading to potential gaps in protection. A layered defense approach is necessary for cloud security, with a focus on shared responsibility across the organization's departments and personnel. Trend Micro advocates for a united approach to cloud security, emphasizing the role of SOC teams and the use of platforms like Vision One for extended detection and response. Integration with AWS and continuous improvement of cloud security features in response to the evolving threat landscape are key to maintaining a secure cloud infrastructure. Trend Micro's threat intelligence network plays a crucial role in keeping cloud assets safe and updated with the latest patches and threat data. |
| 2024-03-13 08:36:42 | theregister | CYBERCRIME | Researchers Expose AI Hidden Layers Through Intrusive Queries | Researchers have successfully extracted information from closed AI services by probing the APIs of AI models from OpenAI and Google. By performing targeted attacks, the scientists recovered the embedding projection layer of transformer models, revealing model dimensions and potential capabilities. The cost of performing these attacks varied, with complete projection matrix extraction costing under $20 for some models. The findings by 13 computer scientists have been shared with the affected companies, prompting the implementation of new defenses. The dimensions of OpenAI's deprecated models were disclosed in a research paper, while the dimensions of active models were withheld to prevent potential exploitation. The attack demonstrates that it is possible to recover significant aspects of a model without having direct access, raising intellectual property security concerns. A report commissioned by the US Department of State recommends restrictions on the release or sale of advanced AI models and increased security measures to protect intellectual property, including model weights. Advanced techniques to detect and prevent parameter extraction attempts are recommended, which may involve monitoring usage patterns or developing more sophisticated countermeasures. |
| 2024-03-13 05:43:47 | thehackernews | MISCELLANEOUS | Microsoft's March Security Update Resolves 61 Vulnerabilities | Microsoft's March security update addresses 61 vulnerabilities, with critical fixes for Windows Hyper-V issues. Two critical flaws in Hyper-V could lead to denial-of-service and remote code execution. No exploits of the flaws were known or active at the time of the patch release, though six vulnerabilities were assessed as "Exploitation More Likely." The Azure Kubernetes Service, Windows Composite Image File System, and the Authenticator app had significant privilege escalation flaws patched. The Print Spooler and Exchange Server each had notable vulnerabilities that could allow attackers to gain SYSTEM privileges or execute malicious code, respectively. The most severe vulnerability, CVE-2024-21334 in Open Management Infrastructure, had a CVSS score of 9.8 and could be exploited by remote unauthenticated attackers. Microsoft's Q1 2024 patches showed a quieter trend, with fewer CVEs addressed compared to the previous four-year average for the first quarter. Other vendors have also released security updates during the past few weeks to mitigate various vulnerabilities. |
| 2024-03-13 00:22:16 | theregister | CYBERCRIME | Patch Tuesday: Microsoft, Adobe, SAP, and Others Release Security Fixes | Microsoft released patches addressing 61 vulnerabilities, with two critical bugs affecting the Windows Hyper-V hypervisor that are not under active attack. Adobe patched 56 issues across several products, while SAP fixed a dozen vulnerabilities, including three rated as HotNews Notes. Intel and AMD disclosed vulnerabilities, with Intel pushing eight patches and AMD issuing guidance on mitigating Spectre-type attacks. Fortinet updated five security advisories, addressing critical issues in FortiOS and FortiProxy, among other products. No vulnerabilities were reported as currently under active exploitation, though experts warn some could become targets soon. Companies are advised to apply these security updates promptly to mitigate the risks associated with these vulnerabilities. |
| 2024-03-12 22:45:09 | theregister | DATA BREACH | Former Meta VP Sued for Alleged Theft of Trade Secrets | Former Meta VP Dipinder Singh Khurana is accused of stealing sensitive documents for his startup. The stolen data allegedly includes details on Meta's data centers, AI programs, and staffing information. Meta has filed a lawsuit claiming breach of contract, duty of loyalty, fiduciary duty, unjust enrichment, and violation of computer crime laws. Evidence suggests Khurana uploaded Meta's confidential information to personal cloud accounts, including Google Drive and Dropbox. Meta alleges that at least eight employees left to join Khurana's new employer, potentially through the use of insider knowledge. Khurana's new company is reportedly in stealth mode and aims to provide AI cloud computing services at scale. Meta is seeking damages and the return of any benefits Khurana gained from the alleged theft of company secrets. The allegations are still to be addressed in court, and neither Khurana nor his lawyers have responded publicly. |
| 2024-03-12 19:51:34 | bleepingcomputer | DATA BREACH | Stanford University Hit by Ransomware, 27K Individuals' Data Compromised | A ransomware attack on Stanford University's Department of Public Safety led to the theft of personal data from 27,000 individuals. The breach occurred between May 12 and September 27, 2023, with the university disclosing the incident one month after discovery. Attackers did not access other university systems; the breach was contained within the Department of Public Safety's network. Stolen data includes sensitive PII such as Social Security numbers, government IDs, and possibly biometric and health information. The Akira ransomware gang has claimed responsibility and has published the stolen files on the dark web. Victims' personal data ranges from birth dates and driver's license numbers to email addresses and credit card information. Ransom demands from Akira vary from $200,000 to millions; a previous incident at Stanford involved Clop ransomware and Accellion FTA in 2021. |
| 2024-03-12 19:36:07 | bleepingcomputer | DATA BREACH | Acer Philippines Employee Data Compromised in Third-Party Breach | Acer Philippines has confirmed a data breach involving employee information due to a cyberattack on a third-party vendor. A hacker using the name 'ph1ns' released the Acer employee database on a hacking forum, indicating a theft of data without ransomware or encryption. The leaked data was not taken from Acer's own systems; an external vendor in the Philippines was the source of the breach. Acer has notified both the National Privacy Commission (NPC) and the Cybercrime Investigation and Coordinating Center (CICC) to investigate the incident. The company emphasizes that customer data remains secure and that Acer systems have not been compromised. This incident adds to a series of security issues for Acer, including a server breach in February 2023, a customer data theft in October 2021, and a major REvil ransomware demand in March 2021. |
| 2024-03-12 18:34:18 | theregister | NATION STATE ACTIVITY | Biden Proposes $3B CISA Budget in Cybersecurity Push | US President Joe Biden's fiscal 2025 budget proposal includes substantial federal cybersecurity funding increases, requesting $3 billion for the Cybersecurity and Infrastructure Security Agency (CISA). The proposed budget aims to enhance cybersecurity across various government departments with a $13 billion allocation. CISA's budget increase will support the implementation of the Cyber Incident Reporting for Critical Infrastructure Act and improve critical infrastructure security coordination. In response to rising cyber threats, the budget includes an additional $25 million for the Department of Justice to bolster intelligence and analysis, and establishes a new focus on national security cyber threats with a $5 billion investment. Healthcare cybersecurity is a key focus, with approximately $1.5 billion proposed to assist hospitals and medical facilities in countering ransomware and other cyber attacks, which have surged by 95% since 2018. To promote advanced cybersecurity practices, Biden's proposal includes $800 million for hospital cybersecurity aid and $500 million for an incentive program related to healthcare security. The spending plan also dedicates $141 million to the Department of Health and Human Services' ongoing information security efforts, including HIPAA modernization. |
| 2024-03-12 17:53:29 | bleepingcomputer | MISCELLANEOUS | Microsoft's Patch Tuesday Fixes 60 Vulnerabilities, Including 18 RCE | Microsoft's March 2024 Patch Tuesday addresses 60 security issues, with updates tackling eighteen remote code execution (RCE) vulnerabilities. Only two critical flaws were fixed: one Hyper-V RCE and a denial of service issue, signaling a focused yet significant patch rollout. Notably absent were zero-day exploits; none were patched or disclosed in this month's update cycle. High-profile fixes include an elevation of privilege in Microsoft Office and a security feature bypass in Microsoft Defender. The Office vulnerability allowed authenticated users to gain SYSTEM privileges and was patched following the report from Iván Almuiña at Hacking Corporation Sàrl. The Microsoft Defender vulnerability, which could stop the software from starting, was discovered by Manuel Feifel at Infoguard and is now fixed in Antimalware Platform version 4.18.24010.12. A Skype for Consumer RCE flaw, which could be exploited via a malicious link or image, was another significant fix, credited to researchers Hector Peralta and Nicole Armua from Trend Micro's Zero Day Initiative. Security updates from other vendors in March 2024 are also highlighted, reflecting a broad industry response to emerging threats. |