Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-29 18:58:46 | bleepingcomputer | MISCELLANEOUS | GitHub Rolls Out Default Push Protection Against Secret Leaks | GitHub has enabled push protection by default for all public repositories to prevent accidental secret exposures, such as API keys.
The feature scans for over 200 types of secrets from more than 180 service providers before accepting 'git push' operations.
If a secret is detected during a push to a public repository, users are prompted to remove it or can choose to bypass the block.
The rollout might take a week or two to apply to all accounts, with users having the option to opt in early or to disable the feature entirely.
GitHub Enterprise subscribers can access GitHub Advanced Security for additional protection within private repositories.
In the initial weeks of 2024 alone, GitHub's secret scanning tools detected over 1 million leaked secrets on public repositories.
The update adds an essential layer of protection, as leaked credentials have caused several high-impact data breaches in recent years. | Details |
| 2024-02-29 16:29:17 | theregister | CYBERCRIME | Surge in Infostealers Exploited by Cybercriminals for Ransomware Attacks | Cybercriminals are increasingly using infostealers to harvest sensitive credentials from PCs as a cost-effective method to penetrate corporate IT networks.
Infostealers, which harvest passwords and financial data, offer an easier path to ransomware deployment than tactics such as brute force or exploiting vulnerabilities.
Notable ransomware gangs, including LockBit and former members of Trickbot/Conti, have shown interest in acquiring or utilizing infostealer capabilities.
Security firm Mandiant reports a significant rise in infostealer advertisements on the dark web and a 2000% increase in logs of stolen credentials for sale.
Kaspersky intelligence indicates a dramatic spike in stolen OpenAI credentials sold on dark web markets in 2023, revealing the scale of the infostealer problem.
IBM X-Force's analysis observed a 266% jump in infostealer-related activity, signaling a trend in ransomware groups favoring stolen credentials for initial access.
Security experts urge corporations to not underestimate the impact of infostealers and to prioritize defense against this growing threat. | Details |
| 2024-02-29 15:58:27 | bleepingcomputer | DATA BREACH | Cutout.Pro Suffers Significant Data Breach: 20 Million Users Affected | An AI service known as Cutout.Pro has experienced a data breach, exposing the personal data of 20 million users.
Information leaked includes email addresses, hashed passwords, IP addresses, and user names.
A hacker under the pseudonym 'KryptonZambie' posted 5.93 GB of Cutout.Pro's data on a hacking forum, containing 41.4 million records.
Data breach monitoring service Have I Been Pwned confirmed and cataloged the breach impacting nearly 20 million individuals.
The stolen data has further been distributed via the hacker's personal Telegram channel.
Cutout.Pro has yet to issue an official statement regarding the breach, and attempts to reach the company have remained unanswered.
Users of Cutout.Pro are urged to reset their passwords and stay vigilant against potential phishing scams leveraging the leaked information. | Details |
| 2024-02-29 15:22:31 | thehackernews | CYBERCRIME | New Silver SAML Attack Circumvents Enhanced Identity System Defenses | Cybersecurity researchers have unveiled a new attack method dubbed Silver SAML, which bypasses defenses against the previously known Golden SAML attacks.
Silver SAML allows attackers to exploit identity providers like Entra ID, affecting applications that rely on it for authentication.
Unlike Golden SAML, Silver SAML does not require access to Active Directory Federation Services and poses a moderate-severity threat.
Attackers can forge SAML responses if they procure the private key of an externally generated certificate used by an identity provider, such as Okta.
Microsoft has been informed but does not consider the issue a pressing vulnerability requiring immediate resolution, though they are open to taking future protective measures.
There's currently no evidence of Silver SAML being used maliciously, but organizations are advised to utilize only Entra ID self-signed certificates for SAML signing.
Researchers at Semperis have released a SilverSAMLForger proof-of-concept, and organizations should monitor Entra ID audit logs for suspicious changes to thwart potential attacks. | Details |
| 2024-02-29 13:04:40 | theregister | DATA BREACH | Meta Accused of Illegal Data Practices Under GDPR Laws | Consumer groups in the EU are challenging Meta's use of data collection practices, which offer users a choice between consenting to data processing or paying for a subscription service with no ads.
The legal complaints suggest that Meta's methods are in breach of GDPR, undermining principles like data minimisation and transparency, and not providing a valid legal basis for processing data for advertising purposes.
Privacy advocacy group noyb had previously contested Meta's policy change, suggesting that the company's consent requirements did not align with the need for consent to be freely given under EU law.
BEUC members argue that the "pay-or-consent" model uses Meta's dominant market position to force user consent, which is seen as unconstitutional and non-transparent.
Meta disputes these allegations, claiming their approach is compliant with GDPR and based on guidance and recent court judgments in Europe.
The complaints follow a history of Meta's struggles with EU legislation, including a record €1.2 billion GDPR fine for data transfer mishandling and delays in product launches due to regulatory compliance issues. | Details |
| 2024-02-29 11:37:59 | thehackernews | MALWARE | GTPDOOR Malware Targets Telecom Networks Via GPRS Roaming | A new Linux malware, dubbed GTPDOOR, has been identified targeting telecommunications networks and exploiting GPRS (General Packet Radio Service) roaming exchanges (GRX).
GTPDOOR utilizes the GPRS Tunnelling Protocol (GTP) for its command-and-control (C2) operations, allowing the malware to receive and execute commands across GPRS roaming networks.
GPRS roaming enables mobile users to access data services outside their home network via intermediary GRX providers, and GTPDOOR takes advantage of this infrastructure to facilitate malicious activities.
Initial discoveries of the malware originated from two samples uploaded to VirusTotal from China and Italy, which have been linked to a sophisticated threat actor known as LightBasin.
Upon execution, GTPDOOR masquerades as a benign system process called '[syslog]' and opens a raw socket to allow for the unnoticed receipt and execution of malicious commands.
The malware can also answer an external network probe, which lets attackers covertly confirm and communicate with a compromised system inside the GRX network. | Details |
| 2024-02-29 11:22:22 | thehackernews | CYBERCRIME | Lazarus Hackers Utilize Windows Zero-Day Flaw for Elevated Attacks | The Lazarus Group, known for its cybercriminal activities, exploited a Windows Kernel zero-day vulnerability (CVE-2024-21338) to gain SYSTEM privileges on compromised systems.
This security flaw was addressed in a recent Microsoft Patch Tuesday update; however, exploitation was detected post-release, leading Microsoft to adjust its exploitability assessment.
Avast, a cybersecurity firm, identified the exploit in the wild, revealing that the Lazarus Group leveraged it to disable security software using an updated version of their FudModule rootkit.
The FudModule rootkit can disable monitoring from various security solutions and is considered to be actively developed and deployed selectively by the Lazarus Group.
Successful exploitation of this flaw involves bypassing security measures and executing arbitrary code through the appid.sys driver, which underpins Windows AppLocker.
FudModule targets specific security software, such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus, to evade detection.
This incident underscores the increasing technical sophistication and stealth of the North Korean hacking collective and its concerted efforts to avoid tracking.
Lazarus Group has also been implicated in luring victims on Apple macOS systems with fake meeting invite links that install malware, demonstrating its broad tactics across platforms. | Details |
| 2024-02-29 11:22:22 | thehackernews | MISCELLANEOUS | Optimizing Cybersecurity Investment with a Risk-Based Approach | The number of people impacted by data breaches increased by 40% in 2022, even though there were 60 fewer reported data compromises than in the previous year.
Organizations have increased their cybersecurity spending in response to the escalating challenges posed by data breaches and cyber threats.
IT leaders are encouraged to maximize the efficiency of their cybersecurity resources by adopting a risk-based approach to their cybersecurity strategies.
A risk-based cybersecurity strategy involves identifying and prioritizing an organization's greatest vulnerabilities, and understanding the business impact of potential threats.
By focusing on protecting against high-impact vulnerabilities and deploying robust solutions, organizations can optimize their cybersecurity spending decisions.
A risk-based approach will help organizations prepare for current and potential future cyber threats, ensuring operational integrity and maximizing the return on investment in cybersecurity.
IT professionals are advised to assess and prioritize cybersecurity risks to keep their organizations safe and bolster cybersecurity return on investment (ROI). | Details |
| 2024-02-29 08:23:35 | thehackernews | NATION STATE ACTIVITY | Sophisticated Cyberespionage on European Officials Via Wine-Tasting Invite | An unknown cyberespionage group, SPIKEDWINE, has targeted European officials connected to Indian diplomatic events using a new backdoor, WINELOADER.
The attack was executed through a deceptive PDF email attachment purporting to be from the Ambassador of India, inviting recipients to a wine tasting.
The PDF document, containing a malicious link, was first uploaded to VirusTotal from Latvia, suggesting espionage activity as early as July 2023.
The link directs users to download an HTML application filled with obfuscated JavaScript designed to fetch the WINELOADER malware.
WINELOADER comes equipped with capabilities for executing additional malicious modules, DLL injection, and command-and-control communication adjustments to avoid detection.
Researchers noted the attack's low volume and high sophistication, highlighting features that dodge memory forensics and URL scanning solutions.
The operation also used compromised websites for command-and-control and as repositories for intermediary payloads, indicating a well-orchestrated stealth campaign. | Details |
| 2024-02-29 08:18:17 | thehackernews | NATION STATE ACTIVITY | Lazarus Group Targets Developers with Malware-Laden Python Packages | The North Korean state-backed Lazarus Group uploaded malware-infected packages to the Python Package Index (PyPI), potentially compromising developer systems.
The malicious packages, named pycryptoenv, pycryptoconf, quasarlib, and swapmempool, were designed to mimic legitimate packages to exploit typos during installation.
The rogue packages were collectively downloaded 3,269 times before being removed, with 'pycryptoconf' being the most downloaded.
JPCERT/CC identified the malware technique as using a Python test script to hide an XOR-encoded DLL file, which then executes more malicious code.
Two DLL files named IconCache.db and NTUSER.DAT are created, with NTUSER.DAT being used to load and execute the malware Comebacker to establish C2 server connections.
This incident is part of an ongoing trend where malicious npm and PyPI packages are used to single out developers in targeted cyber attacks.
Developers are advised to exercise caution when installing modules to prevent unintentional installation of malicious packages. | Details |
| 2024-02-29 05:55:37 | thehackernews | NATION STATE ACTIVITY | Chinese Espionage Groups Exploit VPN Vulnerabilities for Malware Attacks | Two suspected China-linked espionage groups, UNC5325 and UNC3886, have been exploiting Ivanti Connect Secure VPN vulnerabilities to deploy new malware.
Malware families including LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK are used to maintain persistent access on compromised networks.
The groups target the defense industrial base, technology, and telecommunications sectors in the U.S. and the Asia-Pacific region; their association is assessed with moderate confidence based on code similarities.
Attackers have chained the SSRF vulnerability CVE-2024-21893 with the command injection flaw CVE-2024-21887 to gain unauthorized access and deploy BUSHWALK.
Malicious plugins such as PITFUEL and PITDOG are employed to load persistent, tunnelling-capable backdoors like LITTLELAMB.WOOLTEA and PITHOOK.
Mandiant reports these activities demonstrate the threat actors' sophisticated understanding of the target appliances and ability to evade detection using living-off-the-land techniques.
Additional threat groups associated with China, such as Volt Typhoon, target critical infrastructure for reconnaissance, aiming to exploit vulnerabilities for potential future attacks. | Details |
| 2024-02-29 05:09:41 | thehackernews | NATION STATE ACTIVITY | Biden Executive Order Targets Data Transfer to Adversarial Nations | President Joe Biden has issued an Executive Order aimed at preventing the mass transfer of U.S. citizens' personal data to high-risk countries.
The order puts restrictions on the sale of sensitive data including genomic, biometric, personal health, geolocation, and financial information to countries deemed a threat to privacy and national security.
Data brokers and companies have been known to sell personal data to foreign entities, which can be utilized by intelligence services and foreign militaries for surveillance and other malevolent activities.
Researchers have found that sensitive data about military personnel and their families can be obtained cheaply, raising counterintelligence and privacy concerns.
The Executive Order will prompt federal agencies to set regulations that safeguard personal and government data from exploitation, and establish security protocols for commercial data access agreements.
The U.S. Justice Department recognizes China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern regarding data misuse.
The order also specifies requirements for the Departments of Health and Human Services, Defense, and Veterans Affairs to protect sensitive data accessed through federal grants, contracts, and awards.
Criticism of the order includes concerns that it doesn't encompass all authoritarian regimes that pose a risk and may not adequately prevent data from being relayed to other adversary nations such as China. | Details |
| 2024-02-29 04:49:08 | theregister | MALWARE | Chinese PC Maker Acemagic Admits Shipping Malware-Infected Devices | Acemagic, a Chinese PC manufacturer, acknowledged shipping products with pre-installed Bladabindi and Redline malware.
The malware discovery was initially reported by The Net Guy, a YouTuber who found it shortly after booting Acemagic mini PCs.
Bladabindi malware is a backdoor that can steal user information, while Redline can inventory systems, extract browser data, and steal cryptocurrency.
Acemagic attempted to explain the incident by stating their developers modified Microsoft source code and network settings to improve boot times, leading to the malware infection.
The company has offered full refunds for affected machines made between September and November 2023 and posted clean system images for users to disinfect their PCs.
Infected model numbers include the AD08, AD15, and S1, with manufacture dates indicated on stickers on the machines.
Acemagic has committed to strengthening its digital certificate usage to prevent unauthorized software modifications in the future. | Details |
| 2024-02-29 02:01:00 | theregister | NATION STATE ACTIVITY | Australian Intelligence Chief Warns of Foreign Cyber Threats | The head of ASIO, Mike Burgess, articulated concerns about foreign adversaries targeting Australian critical infrastructure for potential sabotage.
Burgess highlighted that the intersection of physical and cyber aspects of infrastructure increases vulnerability to cyberattacks.
There has been an increase in activity from terrorists, foreign spies, and extremists interested in sabotage, with one nation-state frequently scanning critical infrastructure such as water and energy systems.
The speech mentioned the term "The A-Team," referring to a foreign intelligence service-run group targeting Australians with access to sensitive information via professional networking sites.
A former Australian politician was mentioned as having been recruited by "The A-Team," providing them with significant insider information and attempting to involve others, including a prime minister's family member.
ASIO disrupted several schemes where Australians, including academics and aspiring politicians, were approached to provide internal confidential information.
Burgess emphasized the importance of developing a robust security culture, with further guidance forthcoming from ASIO and reference to the Signals Directorate's Essential Eight infosec strategies. | Details |
| 2024-02-29 00:34:24 | theregister | CYBERCRIME | BlackCat Ransomware Disrupts U.S. Healthcare, Claims Large Data Theft | The ALPHV/BlackCat ransomware gang claims responsibility for a significant cyber attack against Change Healthcare.
The attack impacted thousands of pharmacies and hospitals in the US, disrupting healthcare operations.
The criminals claim to have stolen over 6TB of sensitive data, including personal and medical information.
Experts advise skepticism towards the gang's claims, as ransomware criminals often exaggerate to pressure victims into paying ransoms.
UnitedHealth Group (Change Healthcare's parent company) is collaborating with law enforcement and cybersecurity firms like Mandiant and Palo Alto Networks in response to the attack.
Despite initial beliefs that a nation-state actor was responsible, evidence surfaced pointing to the financially motivated ALPHV/BlackCat group.
The FBI and other federal agencies have warned healthcare facilities about the heightened risk from ALPHV, advising on mitigations such as multifactor authentication and remediation of network vulnerabilities.
The exact method of initial access for the cyber attack remains unclear, with speculation around exploiting ConnectWise vulnerabilities being dismissed by the culprits. | Details |