Daily Brief

2024-03-12 16:52:09 bleepingcomputer MISCELLANEOUS Tor Project Introduces WebTunnel to Counteract Censorship
The Tor Project has officially introduced WebTunnel, a new type of bridge designed to evade censorship by mimicking HTTPS traffic. WebTunnel is developed to assist users in accessing the Tor network in restrictive regimes that actively block such connections. Connections made using WebTunnel appear as normal HTTPS connections to observers, effectively hiding the user's use of the Tor network. Compared to traditional Tor bridges and obfsproxy bridges, WebTunnel offers a more robust solution against censorship efforts by blending in with the majority of web traffic. Currently, there are about 60 WebTunnel bridges globally, assisting over 700 daily users in countries with internet restrictions like China and Russia. Implementation of WebTunnel has not been successful in some regions of Iran, indicating the need for further developments. The Tor Project emphasizes the importance of internet access for communication, human rights defense, and global solidarity, especially during geopolitical conflicts.
2024-03-12 16:31:34 theregister CYBERCRIME JetBrains Criticizes Rapid7 for Prompt Vulnerability Disclosure
JetBrains denounces Rapid7's immediate and detailed disclosure of security vulnerabilities in its TeamCity platform as unethical and damaging. Rapid7's disclosure led to rapid exploitation by attackers, resulting in ransomware incidents and potential use of compromised accounts in DDoS campaigns. JetBrains insists it adheres to responsible disclosure norms, providing enough details to customers to mitigate risk without enabling simple exploitation. The article contrasts the disclosure policies of different organizations, such as Google's Project Zero and Microsoft, as well as national cybersecurity authorities. Rapid7's disclosure policy advocates for prompt public disclosure but permits a 60-day window for vendors to release a fix, with potential 30-day extensions. The conflict over disclosure norms between JetBrains and Rapid7 underscores the need for balance between timely remediation and preventing exploitation. The discussion on the timing of disclosures is significant in the context of ransomware attack costs, which can average around $1.5 million for remediation. Both JetBrains and Rapid7 maintain their stances, with Rapid7 stating it follows its disclosure policies, highlighting ongoing debates in cybersecurity disclosure practices.
2024-03-12 16:00:36 bleepingcomputer MISCELLANEOUS Google Invests $10 Million in Bug Bounty Rewards in 2023
Google awarded $10 million to 632 researchers for reporting security flaws across its products and services in 2023. The total paid by Google's Vulnerability Reward Program has reached $59 million since 2010, with $3.4 million awarded for Android vulnerabilities alone last year. Google increased the maximum reward for critical Android vulnerabilities and tripled bounty payments for sandbox escape chain exploits in Chrome. Notable payouts included $70,000 for 20 discoveries in Wear OS and Android Automotive OS and $116,000 for 50 reports in Nest, Fitbit, and Wearables. The Chrome browser attracted 359 bug reports, resulting in $2.1 million in rewards, including a significant $30,000 award for a JavaScript engine vulnerability. Google introduced 'MiraclePtr' in Chrome M116 to protect against non-renderer use-after-free vulnerabilities and offers separate rewards for bypassing this protection. A focused effort on securing AI products resulted in $87,000 paid out during a bugSWAT live-hacking event featuring Google Bard. Google maintains a dedicated Bug Hunters community to foster engagement and participation in the Vulnerability Reward Program.
2024-03-12 15:24:33 bleepingcomputer DATA BREACH Over 12 Million Secrets Exposed on GitHub in 2023
GitHub users inadvertently exposed 12.8 million authentication secrets across 3 million repositories in 2023, with most secrets remaining active after five days. GitGuardian issued 1.8 million alerts to affected users but observed that only 1.8% responded swiftly to secure the exposed credentials. Exposed credentials include passwords, API keys, TLS/SSL certificates, and various tokens, posing risks for data breaches and financial loss. A Sophos report indicated that compromised credentials were the root cause in 50% of attacks in the first half of the year, highlighting the significance of the GitHub leaks. India, the United States, and Brazil lead the list of countries with the highest number of exposed secrets; the IT sector is the most affected, followed by education. The report observed a 1,212-fold increase in leaked OpenAI API keys in 2023, emphasizing the risk associated with the popular use of AI services like ChatGPT. Large language models (LLMs) show potential for detecting leaked secrets effectively, although scalability and cost factors pose challenges. GitHub recently implemented push protection by default to help mitigate accidental secret exposures in the future.
2024-03-12 12:15:58 thehackernews CYBERCRIME Stealthy PyPI Packages Lead to Crypto Wallet Thefts
Threat hunters identified seven malicious Python packages on PyPI, designed to steal crypto wallet recovery phrases. Dubbed BIPClip, the attack campaign aimed at cryptocurrency wallet developers has been active since December 2022. The packages, downloaded 7,451 times before removal, exfiltrated data to a control server under the attackers' command. The threat actors involved used GitHub and social platforms like Telegram and YouTube to publicize their tools. Sophisticated tactics were applied to avoid raising suspicion, such as mimicking legitimate package functions. The campaign leveraged common software supply chain vulnerabilities and used legitimate services like GitHub to spread malware. Cases like MavenGate and CocoaPods demonstrate the risks associated with abandoned digital assets in open-source ecosystems.
2024-03-12 11:50:26 theregister CYBERCRIME Leicester City Council Targeted in Suspected Ransomware Attack
Leicester City Council experienced a "cyber incident" leading to IT systems and crucial service phone lines being taken offline. Despite the use of vague terms, security experts suspect the attack could be ransomware, although there is no official confirmation yet. The incident led to the shutdown of some network services, including Citrix Netscaler and Cisco AnyConnect VPN appliances. The council is collaborating with cybersecurity experts and law enforcement to understand the attack and has consulted other councils for recovery strategies. Recovery efforts are focused on prioritizing critical services with hopes to commence the process by mid-week. Emergency phone numbers have been established for essential services, with online forms for reporting currently disabled. The attack on Leicester is not an isolated incident; other UK councils have recently endured cyberattacks, disrupting services for extended periods. There is some confidence that sensitive data held by Leicester City Council is protected and that the impact on personal data will be minimal.
2024-03-12 11:09:35 thehackernews MISCELLANEOUS Essential Guide to Implementing Continuous Threat Exposure Management
Continuous Threat Exposure Management (CTEM) is a proposed strategy to effectively manage cyber risks by combining attack simulation, risk assessment, and remediation. The CTEM framework is becoming increasingly significant as organizations seek an integrated approach to improve security posture and risk management. XM Cyber highlights the importance of obtaining an "attacker's view" of an environment to prioritize vulnerabilities according to the risk they pose to crucial assets. A CTEM program operates in five stages to systematically de-escalate cyber threats and is distinguished from other security approaches by its continual, dynamic nature. Key benefits of CTEM include the ability to effectively prioritize and address the most critical exposures, thereby streamlining and enhancing organizational security efforts. Establishing a CTEM program requires organizational commitment, a shared understanding of risk, and a prioritization process tailored to an organization's unique needs. XM Cyber encourages organizations to adopt the CTEM framework and provides further insights in a whitepaper discussing the operationalization of the CTEM framework by Gartner®.
2024-03-12 09:22:28 thehackernews MALWARE Malware Campaign Impacts Over 3,900 Websites via WordPress Plugin Flaw
A new malware campaign has exploited a serious security vulnerability in the Popup Builder WordPress plugin, affecting over 3,900 websites. The campaign uses recently created domains, some registered as recently as February 12th, 2024, to insert malicious JavaScript through CVE-2023-6000. Attackers can generate rogue admin accounts and install unwanted plugins using the exploited flaw, leading to site redirections to phishing or scam pages. Website owners using WordPress are advised to update plugins and scan their websites for any unusual code or users to mitigate the threat. The threat emphasizes the critical importance of regularly updating and patching website software to avoid security vulnerabilities. Additionally, Wordfence has identified a high-severity bug in the Ultimate Member plugin that allows the injection of malicious scripts due to insufficient input sanitization. The XSS flaw in Ultimate Member, CVE-2024-2123, has been fixed in the most recent update, with prior versions of the plugin being susceptible to unauthenticated attacker exploits. The issue follows previous plugin and theme vulnerabilities within WordPress, highlighting the platform's ongoing challenge with securing against malicious activities.
2024-03-12 06:34:25 thehackernews NATION STATE ACTIVITY South Korean National Arrested in Russia for Alleged Espionage
Russia has detained a South Korean citizen, Baek Won-soon, on charges of cyber espionage and transferred him from Vladivostok to Moscow for further investigation. Won-soon is accused of transferring classified "top secret" information to unnamed foreign intelligence agencies. Initially detained in Vladivostok earlier this year, Won-soon's arrest has now been extended until June 15, 2024, and he has been relocated to Lefortovo pretrial detention center in Moscow. The same detention facility is currently holding American journalist Evan Gershkovich, who is awaiting trial on suspicion of espionage, charges he has denied. The arrest comes at a time of increasing geopolitical collaboration between Russia and North Korea, the latter known for its state-sponsored hacking efforts targeting Russia for intelligence. Additionally, the article mentions the recent arrest of a former Google engineer in the U.S. for allegedly stealing proprietary information while working for China-based companies.
2024-03-12 06:29:11 theregister DDOS French Government Sites Hit by Major DDoS Attack
Several French government websites experienced significant disruption due to a distributed denial of service (DDoS) attack. Cloudflare's Radar detected the onset of the attack early on Sunday; it escalated quickly and fluctuated before sustaining an intense six-hour period of activity. France's digital transformation agency, DINUM, responded by deploying defensive measures against the attack amidst claims of ongoing disruptions by Anonymous Sudan. Anonymous Sudan claimed responsibility for the attack, which information security firm FalconFeeds suggests was likely assisted by Russian actors and other threat groups. The motive behind the DDoS attack remains unclear, but it comes after French President Macron suggested sending troops to support Ukraine against Russia's invasion, a move criticized by President Putin. The attacks targeted critical departments, including the prime minister's office, the civil aviation authority, and the Ministry of the Economy. However, at the time of reporting, the affected sites are accessible without obvious issues.
2024-03-12 00:08:10 theregister CYBERCRIME US Officials Demand Swift Action After Healthcare Ransomware Attack
The Biden administration and US lawmakers are pushing for UnitedHealth Group to quicken payments to medical providers after a ransomware attack by ALPHV/BlackCat affiliates. Senator Ron Wyden criticized the cyber attack on Change Healthcare as inexcusable, stressing that the healthcare sector has been a known target for cybercriminals for years. The ransomware attack disrupted patient care and created severe cash-flow issues due to Change Healthcare's significant role in processing healthcare transactions. Health secretaries from the DHHS and DOL urged UnitedHealth and insurance companies to mitigate the impact on providers by expediting funds, accepting paper claims, and simplifying electronic interactions. Senator Wyden has called for mandatory cybersecurity standards in the healthcare industry and regular auditing to protect patient data. The criticism extends to federal regulators for not mandating minimum security requirements amidst a rise in cyber attacks against healthcare organizations. Concerns are also being raised about the systemic risks posed by large healthcare entities, such as the $13 billion merger of Optum and Change Healthcare. Senator Mark Warner sees the need for legislation, including mandatory cyber hygiene standards for healthcare providers, to ensure patient care and safety against future cyber threats.
2024-03-11 22:01:07 theregister NATION STATE ACTIVITY Kremlin Accuses U.S. of Planning Cyberattack on Russia's Election
The Kremlin has alleged that the U.S. is plotting a cyberattack against Russia's electronic voting system. Russian intelligence claims that American NGOs are instructed to lower voter turnout. No evidence was provided by the Russian Foreign Intelligence Service to back up the accusations. Russia warns that any foreign meddling would be seen as an act of aggression, offering a potential pretext for election discrepancies. The claims follow Russia's recent assurance that it will not interfere in U.S. elections, countering past allegations of meddling in 2016 and 2020. U.S. officials have not observed any significant threats or irregularities in their own ongoing election processes.
2024-03-11 21:25:25 bleepingcomputer CYBERCRIME Tuta Mail Unveils Quantum-Resistant Encryption Protocol TutaCrypt
Tuta Mail introduces TutaCrypt, a new encryption protocol designed to resist quantum decryption. The Germany-based email service aims to secure communications against future "harvest now, decrypt later" attacks. TutaCrypt combines quantum-safe algorithms like CRYSTALS-Kyber with traditional ones such as X25519 for robust encryption. Existing AES 256/Argon2 cryptography layers enhance protection from current threats, without requiring user action for migration. Tuta's initiative addresses a growing concern over quantum computing's potential impact on current cryptographic standards. TutaCrypt generates dual key pairs for both quantum-resistant key encapsulation and traditional ECDH, stored securely on German servers. Current and future users will be transitioned to TutaCrypt automatically, signaling a proactive step in email security advancement. While the protocol currently has limitations regarding message integrity and key compromise risk, further improvements are planned.
2024-03-11 20:19:12 bleepingcomputer DATA BREACH Okta Refutes Claims of Data Leak Posted on Hacker Forum
Okta has denied that its data was leaked following a claim by a cybercriminal on a hacking forum. The threat actor, using the name 'Ddarknotevil,' alleged that the database containing details of 3,800 Okta customers was from a breach in October 2023. The data purportedly included user IDs, full names, company names, office addresses, phone numbers, email addresses, and positions/roles. After being notified, Okta conducted a thorough investigation and found no evidence of a new breach or a link to the October incident. Okta suggested the data might be aggregated from public sources, noting some dates in the leaked information are over a decade old. Cyber-intelligence firm KELA concluded that the data does not originate from Okta, but matches a July 2023 data dump from a different company's breach.
2024-03-11 19:21:19 bleepingcomputer DATA BREACH EquiLend Employee Data Compromised in LockBit Ransomware Attack
New York-based EquiLend Holdings LLC suffered a data breach as a result of a ransomware attack in January. The breach led to the theft of employees' personally identifiable information (PII), including names, birth dates, and Social Security numbers. Despite the breach, there is currently no evidence of the stolen data being used for identity theft or fraud. EquiLend has offered two years of complimentary identity theft protection services to affected employees through IDX. The company managed to restore all client-facing services post-attack and has found no indication of client transaction data being compromised. LockBit ransomware group claimed responsibility for the attack, although EquiLend has not explicitly confirmed the group's involvement. EquiLend, backed by ten global banks since its establishment in 2001, has a significant footprint with over 330 employees and its services used by more than 190 firms worldwide.