Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-09 15:24:42 | thehackernews | NATION STATE ACTIVITY | Kremlin-Linked APT28 Executes Large-Scale Malware Attacks on Poland | Polish government institutions were targeted in a sophisticated malware campaign by APT28, a Russian nation-state actor. The attack involved phishing emails that trick victims into clicking a link, redirecting them through multiple websites to mask the attack's origin. Victims downloaded a ZIP file containing malware disguised as common files, which, when executed, initiated further malware activity. The malware employed DLL side-loading techniques and displayed deceptive content to distract victims while executing harmful scripts. CERT Polska identified similarities between this campaign and previous attacks that deployed custom backdoors like HeadLace. APT28 has used legitimate web services to avoid detection by cybersecurity measures, a recurring tactic in their operations. Following this, NATO countries highlighted ongoing cyber espionage activities by APT28 targeting political and state entities across Western Europe. Recommendations include blocking specific domains and enhancing email filtering to prevent similar security breaches. |
| 2024-05-09 15:24:42 | bleepingcomputer | DATA BREACH | Dell Alerts 49 Million Customers of Data Breach Incident | Dell has issued warnings to customers regarding a data breach impacting an estimated 49 million individuals. A threat actor claimed to have accessed a Dell portal relating to customer purchases, stealing data. The compromised data includes customer purchase-related information but excludes sensitive financial details, email addresses, and phone numbers. Dell is collaborating with law enforcement and a third-party forensic team to investigate the breach thoroughly. A hacker named Menelik advertised the stolen Dell data for sale on a hacking forum, though it has since been removed. Although Dell considers the risk to customers not significant given the nature of the stolen data, there remains a potential for targeted physical and cyber attacks using the information. Customers are advised to verify the authenticity of any communications claiming to be from Dell, particularly those requesting installations or updates. |
| 2024-05-09 11:09:47 | thehackernews | MALWARE | Mirai Botnet Deployed via Ivanti Connect Secure Flaws: A Security Alert | Two vulnerabilities in Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887, are being exploited by attackers to deploy the Mirai botnet. CVE-2023-46805 involves an authentication bypass, while CVE-2024-21887 allows for command injection, facilitating a combined exploitation chain. The attackers access Ivanti's API endpoint to inject malicious commands, leveraging these flaws to execute arbitrary code and compromise systems. The specific attack method involves downloading and executing a script from a remote server that introduces the Mirai botnet malware into compromised systems. Security experts have observed that these vulnerabilities could potentially be used to deploy other forms of malware and ransomware, indicating a broad security threat. Additionally, a separate incident involving a fake Windows File Explorer executable distributing a cryptocurrency miner was noted, reflecting the diverse tactics employed by cybercriminals. Organizations are advised to address these security vulnerabilities urgently to prevent potential widespread malware infections. |
| 2024-05-09 11:09:47 | thehackernews | MISCELLANEOUS | How to Profitably Expand Your vCISO Cybersecurity Services | Demand for cybersecurity expertise is high among SMEs who often cannot afford a full-time CISO. vCISO services offer SMEs on-demand access to top-tier cybersecurity guidance, filling a significant market gap. MSPs and MSSPs can leverage vCISO offerings to grow their business, attract more customers, and increase upsell opportunities. A new guide, based on insights from industry leader Cynomi, provides a roadmap for MSPs and MSSPs to scale their vCISO services profitably. The guide includes practical steps and strategies to enhance service delivery, cut costs, and improve operational efficiency. Implementing the guide's strategies will help increase recurring revenue, enhance customer satisfaction, and significantly boost profitability. |
| 2024-05-09 06:14:44 | thehackernews | CYBERCRIME | Critical Security Flaws in F5 Central Manager Risk Device Takeovers | Two critical vulnerabilities in F5 Next Central Manager have been identified that allow full administrative control and the creation of hidden rogue accounts. Affected versions span from 20.0.1 to 20.1.0, with fixes available in version 20.2.0. The vulnerabilities can be exploited remotely and include server-side request forgery (SSRF) exploits allowing attackers to bypass security controls. The flaws enable attackers to maintain persistent access to the system, even after passwords are reset and systems are patched. Additional vulnerabilities in the system could enable brute-force attacks on admin passwords and unauthorized password resets by administrators. Although no active exploits are reported in the wild, the urgency to update to the latest software version has been emphasized. F5's networking and application infrastructure, due to its high privileges, represents a significant target for attackers aiming to gain broad access within a network. |
| 2024-05-09 00:28:56 | bleepingcomputer | DATA BREACH | Zscaler Addresses Test Environment Exposure and Dismisses Breach Rumors | Zscaler took a "test environment" offline following rumors of a security breach, with no evidence of customer or production environments being compromised. Initial investigations by Zscaler into the breach rumors found them to be "completely inaccurate and unfounded," according to a post by the company and comments from an employee on Mastodon. Further examination revealed that an isolated test environment had been exposed to the internet and was subsequently taken offline for forensic analysis. The exposed test environment did not contain customer data, was not hosted on Zscaler's infrastructure, and had no connection to Zscaler's other environments. Rumors of the breach began circulating after threat actor IntelBroker claimed to sell access to a cybersecurity firm with credentials and critical data, implying Zscaler was the target. IntelBroker, known for multiple high-profile breaches, cited a revenue figure matching Zscaler's as evidence in a forum post, heightening suspicions before the company's clarification. No external or customer-facing systems were affected, and Zscaler is continuing the investigation while monitoring their systems closely. |
| 2024-05-08 23:32:53 | bleepingcomputer | MISCELLANEOUS | Zscaler Refutes Online Claims of Security Breach Amid Rumors | Zscaler has denied allegations of a security breach following claims by a known threat actor, IntelBroker, who claims to be selling unauthorized access to a major cybersecurity firm. Although the claim did not name Zscaler directly, it was linked to the company through revenue numbers and forum posts; Zscaler found no evidence of any compromise during its investigation. The company emphasized the security of customer and production environments, confirming ongoing monitoring and investigation without any incident detected. Zscaler issued statements on both their Trust site and social platforms like Mastodon, addressing the rumors as "inaccurate and unfounded." A post by a Zscaler employee on Mastodon also urged caution against spreading misinformation that could impact cybersecurity perceptions. The incident follows a series of breaches attributed to IntelBroker, including significant breaches at organizations like DC Health Link and Home Depot. BleepingComputer reached out to Zscaler but hasn't received further details or confirmation beyond the company's public statements. |
| 2024-05-08 23:27:35 | theregister | CYBERCRIME | BogusBazaar Scams Shoppers Globally, Steals Millions in Data | BogusBazaar, a fraudulent e-commerce network, has scammed 850,000 individuals out of $50 million by setting up over 22,500 fake online stores. Victims from Western Europe, America, and Australia were deceived into buying nonexistent or counterfeit products and had their credit card details stolen. The fake stores mimicked reputable payment services like PayPal and Stripe, capturing credit card data when customers attempted transactions. The operation is highly decentralized, utilizing WordPress and WooCommerce for rapid deployment of new sites, many hosted on U.S. servers. The BogusBazaar model operates on a fraud-as-a-service basis, with most affiliates based in China targeting consumers in Western countries. According to SRLabs, these fraudulent activities have largely evaded law enforcement due to the dispersed nature and low individual transaction volumes of the scams. Despite ongoing investigations, BogusBazaar remains active, with SRLabs reporting the findings to authorities and internet service providers. |
| 2024-05-08 22:01:05 | theregister | NATION STATE ACTIVITY | Undersea Cables: A Rising Priority for National Security | 95% of international data is transmitted via undersea cables, which are integral to global internet stability. Growing threats from shipping, military activities, and physical attacks are jeopardizing these vital infrastructures. Jeff Huggins, President of Cailabs US, emphasizes the necessity of enhancing the resilience of global communication systems. Huggins' experience in the US Navy and defense industry underscores that undersea and terrestrial internet cables are increasingly being targeted. Suggested solutions include integrating satellite links with terrestrial optical networks to decrease vulnerability. Governments are urged to prioritize the protection of these cables to safeguard national security and international commerce. |
| 2024-05-08 21:50:34 | bleepingcomputer | DATA BREACH | University System of Georgia Notifies 800K of Data Breach | The University System of Georgia (USG) is issuing data breach notifications to 800,000 individuals following a data compromise by the Clop ransomware gang in 2023. USG, a state agency overseeing 26 public colleges, discovered the breach nearly a year after the initial MOVEit zero-day attack orchestrated by Clop. The exposed data includes sensitive information, potentially affecting not just current students but also past students, staff, and contractors. Notification letters sent in mid-April 2024 detailed the breach and offered a year of free identity protection and fraud detection services through Experian. The attack on USG was part of a global campaign by Clop, affecting thousands of organizations and nearly 95 million people worldwide. Personal data stolen in these attacks has been used for extortion, sold to other cybercriminals, or is still awaiting monetization by Clop. |
| 2024-05-08 21:29:58 | bleepingcomputer | CYBERCRIME | Ascension Healthcare Offline Due to Major Cyber Security Incident | Ascension, a major U.S. healthcare provider, has taken certain systems offline following detection of a cyber security event. Unusual activity was noticed on May 8, prompting an immediate investigation to determine the nature and scope of the incident. This cybersecurity breach has led to disruptions in clinical operations across Ascension's network of 140 hospitals and 40 senior care facilities. Ascension advised business partners to disconnect from its systems temporarily as a precautionary measure. The healthcare organization has engaged Mandiant, a leading incident response firm, to assist in the investigation and remediation efforts. Authorities have been notified of the event, and ongoing updates are promised as more information becomes available. This incident comes shortly after HHS issued warnings about increased cyberattack tactics targeting healthcare IT systems via social engineering. |
| 2024-05-08 21:04:16 | theregister | NATION STATE ACTIVITY | Enhancing Global Security by Fortifying Undersea Cables | Undersea cables, crucial for global data transmission, face increasing cyber and physical threats. Recent damages to submarine cables in the Red Sea highlight vulnerabilities not limited to actions by countries such as Russia or China. Jeff Huggins, a former Navy intelligence officer and current US President at Cailabs, emphasizes the necessity of robust communications infrastructure for national security and commerce. Huggins advocates for the integration of optical ground station networks with optical satellite links to strengthen resilience. Huggins' experience in the defense and communications technology sectors has made the growing priority of securing undersea communication cables evident. Governments are urged to enhance efforts in securing these vital infrastructures to ensure uninterrupted global connectivity. |
| 2024-05-08 19:52:49 | bleepingcomputer | CYBERCRIME | Critical Security Flaws in BIG-IP Devices Allow Unauthorized Takeover | F5 has patched two high-severity vulnerabilities in BIG-IP Next Central Manager that could grant administrative control to attackers. The vulnerabilities, identified as an SQL injection (CVE-2024-26026) and an OData injection (CVE-2024-21793), allow remote, unauthenticated execution of SQL queries. These flaws enable attackers to create hidden, rogue accounts on managed assets, which are invisible within the central management interface, posing a severe security risk. Eclypsium, the security firm that reported these flaws, shared a proof-of-concept exploit and highlighted the potential for these accounts to be used maliciously. F5 advises restricting access to the Next Central Manager to trusted users over secure networks as a temporary mitigation measure if immediate updating is not possible. No current evidence suggests that these vulnerabilities have been exploited in the wild, according to Eclypsium. Over 10,000 F5 BIG-IP devices have management ports exposed to the internet, increasing the risk of potential exploitation. |
| 2024-05-08 17:29:56 | bleepingcomputer | CYBERCRIME | FBI Alerts Retailers of Ongoing Gift Card Fraud Scheme | The FBI has issued a warning regarding a cybercrime group, known as Storm-0539, targeting retail companies' gift card departments through sophisticated phishing attacks. These attacks have been occurring since at least January 2024, involving the theft of employee credentials, including names, usernames, phone numbers, and sensitive SSH passwords and keys. Storm-0539 exploits these stolen credentials to create fraudulent gift cards and manipulate existing gift card balances, often changing associated email addresses to ones they control. The group successfully navigates around multi-factor authentication (MFA) by registering their devices for subsequent login attempts, thereby maintaining persistent access to the victim's systems. Microsoft also highlighted a significant rise in these types of fraudulent activities by Storm-0539 during the holiday season. The FBI recommends retail companies strengthen their security protocols, update incident response plans, rigorously train employees to recognize phishing attempts, and implement robust password and authentication measures to mitigate such threats. |
| 2024-05-08 16:18:20 | bleepingcomputer | RANSOMWARE | LockBit Ransomware Attack Disrupts Wichita, Demands Ransom | LockBit ransomware gang claimed responsibility for a cyberattack on Wichita, disrupting city IT systems, including online payment services. The attack, confirmed by Wichita on May 5, 2024, led to the shutdown of systems to prevent further spread, affecting services like court fines and water bill payments. LockBit threatened to publish stolen files by May 15, 2024, unless a ransom is paid, an unusually quick escalation after the attack. The quick listing on LockBit's extortion portal may be retaliation for a recent law enforcement operation targeting LockBit's leadership. Essential city services, such as public safety and transportation, are heavily impacted, with some resorting to manual operations. The city is still assessing the extent of the data breach, with a high risk of data leakage if the ransom remains unpaid. |