Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 11783
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-14 21:59:28 | bleepingcomputer | MALWARE | Critical Remote Code Execution Vulnerability in Microsoft Outlook | Microsoft Outlook has a critical vulnerability, CVE-2024-21413, that allows remote code execution (RCE) and bypasses Protected View. Discovered by Check Point, the bug can be exploited by sending emails with malicious links that open harmful Office files in editing mode rather than read-only. The Outlook Preview Pane can trigger the exploit without the email being opened, since it previews maliciously crafted Office documents. No user interaction is necessary; exploitation can be done remotely and without authentication. Successful exploitation lets attackers gain high privileges to read, write, and delete, steal NTLM credentials, and execute arbitrary code. The vulnerability affects Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Microsoft has retracted an initial statement that the issue was being exploited in the wild, saying the report of active exploitation was an error. Users are strongly urged to apply the official patch immediately to protect against attacks exploiting this vulnerability. | Details |
| 2024-02-14 21:03:17 | theregister | NATION STATE ACTIVITY | Chinese Spies Infiltrate US Emergency Services Network | The Chinese government-associated group Volt Typhoon has compromised a major US city's emergency network and probed telecom providers. Dragos, an industrial cybersecurity firm, reports that the espionage efforts have focused on American electric companies and targeted their strategic assets. Volt Typhoon's activities involve strategic reconnaissance, and the group's interest extends beyond the US to electric companies in Africa. The pace of network penetration by Volt Typhoon is increasing, with one American electric company's IT network breached for over 300 days. Although the operational technology (OT) network was not breached, the spies did obtain valuable geographic information system data. Volt Typhoon exploited vulnerabilities in IT infrastructure such as routers and VPNs, using legitimate tools and stolen credentials for lateral movement within networks. | Details |
| 2024-02-14 20:32:38 | bleepingcomputer | MALWARE | Zoom Fixes Severe Windows Client Security Vulnerability | A critical privilege escalation vulnerability was found in Zoom's Windows applications. The flaw could allow unauthenticated attackers to gain elevated privileges on a user's system. The vulnerability, tracked as CVE-2024-24691, was discovered by Zoom's own offensive security team and carries a high severity score of 9.6. Affected Zoom products include the desktop client, VDI client, and Meeting SDK for Windows. The software, widely used for video conferencing, became even more popular during the COVID-19 pandemic, peaking at 300 million daily participants. User interaction, such as clicking a link or opening an attachment, is required to exploit the vulnerability. Zoom has released a security update (version 5.17.7) to patch this and six other vulnerabilities and urges users to update immediately. | Details |
| 2024-02-14 20:12:04 | bleepingcomputer | CYBERCRIME | Microsoft Warns of Zero-Day Exploited Critical Outlook RCE Bug | Microsoft has issued a security advisory about a critical remote code execution (RCE) vulnerability in Outlook that has been exploited as a zero-day. The vulnerability, identified as CVE-2024-21413, was uncovered by Check Point and can be triggered simply by opening an email containing a malicious link. Attackers can bypass Outlook's Protected View, opening harmful Office files in editing mode and leading to potential NTLM credential theft and RCE. The Preview Pane in Windows Explorer is also susceptible, making it possible for attacks to succeed without any direct user interaction with the email. The vulnerability affects various Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and older versions of Outlook still under extended support. The exploitation technique uses a 'file://' link with an added exclamation mark to bypass security restrictions in Outlook. Because the vulnerability lies in core Windows/COM APIs, other software using the same APIs could also be at risk. Microsoft strongly recommends that all Outlook users apply the available patch. | Details |
| 2024-02-14 18:40:25 | theregister | MISCELLANEOUS | US Air Force Revamps Tech Recruitment with Warrant Officers | The US Air Force is reinstating warrant officer ranks, focusing on attracting tech talent for the cyber and IT fields. Warrant officers have technical expertise and hold ranks above enlisted members but have limited command duties. The initiative is part of a strategy to enhance capabilities against advanced threats from nations like China and Russia. The reintroduction of warrant officer ranks aims to attract individuals skilled in areas like coding and network attacks. Commissioned officers and enlisted airmen will also see new technical career paths added. The 16th Air Force will be elevated to a separate service component command, and a new Information Dominance Systems Center will be established. Specific implementation plans and roles are still under development, with urgency emphasized to be ready for potential conflicts. | Details |
| 2024-02-14 17:39:10 | bleepingcomputer | CYBERCRIME | Microsoft Exchange Enhances Security with Default Protection Update | Microsoft is enabling Extended Protection (EP) by default through the latest Cumulative Update (CU14) for Exchange Server 2019. The EP feature strengthens authentication mechanisms to thwart authentication relay and Man-in-the-Middle (MitM) attacks. Administrators are advised to review their server environments for compatibility issues before enabling EP, as certain configurations may cause disruptions. Microsoft provides the ExchangeExtendedProtectionManagement PowerShell script to manage EP settings, including the option to disable the feature if necessary. Extended Protection support, introduced in August 2022, was Microsoft's response to critical vulnerabilities allowing privilege escalation attacks. Systems running the August 2022 security update or later already support EP, while older systems without the update are considered persistently vulnerable. Microsoft emphasizes the importance of keeping on-premises Exchange servers updated to deploy security patches promptly and maintain optimal protection. | Details |
| 2024-02-14 17:28:51 | theregister | DATA BREACH | Prudential Financial Hit by Cybercriminal Data Intrusion | Prudential Financial, a top life insurance company, reported unauthorized access to its IT systems, impacting company and customer data. The breach, confirmed via an 8-K filing with the SEC, happened on February 4, 2024, and was detected the following day. External cybersecurity experts were engaged immediately to investigate, contain, and remediate the incident. Although admin and user data were accessed, there is currently no evidence of the cybercriminal group taking any customer or client data. The extent of the breach is still under investigation to determine whether additional information or systems were compromised. Prudential Financial has notified law enforcement and is in the process of informing regulatory authorities. The company maintains that the incident has not materially impacted its operations or financial position. | Details |
| 2024-02-14 17:02:54 | bleepingcomputer | CYBERCRIME | VARTA AG Halts Production Due to Targeted Cyberattack | German battery manufacturer VARTA AG was the victim of a cyberattack that led to a shutdown of IT systems and halted production across five plants. The incident occurred on the night of February 12, 2024, with the company proactively shutting down and disconnecting IT systems for security. VARTA's history spans over a century, and its products are known globally, contributing to over $875 million in annual revenue. The full extent and damage of the cyberattack are currently being assessed; VARTA's primary focus is on maintaining data integrity. An emergency plan was activated, including the formation of a task force with cybersecurity experts for system restoration. The nature of the cyberattack remains unclear, with no confirmation that it was a ransomware attack and no group claiming responsibility. The company's share price dropped 4.75% after news of the cyberattack became public. VARTA has yet to release further details on the attack, including whether data encryption was involved. | Details |
| 2024-02-14 16:16:28 | bleepingcomputer | CYBERCRIME | Hackers Steal Over $290 Million in Cryptocurrency from PlayDapp | Hackers exploited PlayDapp, a blockchain-based gaming platform, by minting 1.79 billion PLA tokens using a stolen private key. The intruders initially minted 200 million PLA tokens valued at $36.5 million and later added 1.59 billion tokens worth approximately $253.9 million. Security firm PeckShield suggested the compromise involved a leaked private key, prompting PlayDapp to move all tokens to a new secure wallet. PlayDapp offered a $1 million "white hat" reward for the return of stolen assets and threatened legal action; the hackers declined and continued their attack. Due to the excess minting, the total number of PLA tokens created exceeded the number in circulation, devaluing the currency from $0.18 to $0.14 per token. PlayDapp paused all PLA trading, suspended deposits and withdrawals, and is working to freeze the hacker's wallets on exchanges to contain the situation. Token holders have been advised to halt transactions and be cautious of phishing attempts during the migration to a secure system. Although no specific threat actors are identified, the nature of the attack is reminiscent of those conducted by the North Korean "Lazarus Group." | Details |
| 2024-02-14 16:00:41 | bleepingcomputer | MALWARE | Critical Flaw in Ubuntu Tool Risks Malware Spread via Package Suggestions | Ubuntu's 'command-not-found' utility has a logic flaw that can promote malicious snap packages, posing a serious security threat. Attackers could impersonate legitimate packages because the utility does not validate the snap packages it suggests for missing commands. Approximately 26% of APT commands could be mimicked by malicious snaps, significantly raising supply chain risk for Linux and WSL users. The issue is not exclusive to Ubuntu and affects any Linux distribution using 'command-not-found' together with the Snap package system. Malicious snaps can exploit system features or deliver new exploits via auto-update, and could potentially escape sandboxing when kernel flaws are present. Attackers can use typo-squatting, unclaimed snap names, or unreserved aliases for existing APT packages to trick users into installing malware. The exact scale of exploitation is unknown; however, some incidents have already been reported, indicating the risk is not merely theoretical. Users and developers must be vigilant, verifying package authenticity and securing associated package names to mitigate these risks. | Details |
| 2024-02-14 15:50:12 | theregister | CYBERCRIME | Third-Party Breach Triggers Ransomware Crisis in Romanian Hospitals | Over 100 Romanian hospitals have been affected by a ransomware outbreak linked to a breach at a third-party service provider. The ransomware attacks are believed to have originated through the Hipocrate Information System (HIS), used by the compromised hospitals for healthcare management. Romania's national cybersecurity agency (DNSC) reports that 26 hospitals had data encrypted, while 79 were disconnected from the internet as a precaution. Hospitals are advised to isolate affected systems, retain attack evidence, avoid shutting down systems hastily, and restore from backups after a thorough cleanup. Most hospitals have recent backups to facilitate recovery, but one hospital's backup was 12 days old, posing a more significant restoration challenge. The ransom note did not name a known ransomware group but requested a relatively low ransom of 3.5 Bitcoin (approximately $180,000). Authorities recommend not contacting the attackers or paying the ransom; the malware has been identified as 'Backmydata,' a variant of the Phobos ransomware. | Details |
| 2024-02-14 15:29:13 | bleepingcomputer | CYBERCRIME | Trans-Northern Pipelines Hit by ALPHV Ransomware, Data Theft Alleged | Trans-Northern Pipelines Inc. (TNPI) has acknowledged a cybersecurity breach by the ALPHV/BlackCat ransomware gang. The incident, which occurred in November 2023, allegedly led to the theft of 183GB of company data. TNPI, responsible for transporting vast quantities of refined petroleum across Canada, says its systems have continued to operate safely after the attack. The ransomware group has publicly shared the stolen documents on its data leak site, including TNPI employee contact information. ALPHV, associated with the prior DarkSide and BlackMatter operations, has a history of large-scale, profitable attacks, amassing over $300 million in ransoms from more than 1,000 victims. In December, the FBI intervened and temporarily disrupted ALPHV operations, but the group has since regained control of its data leak platform. | Details |
| 2024-02-14 14:43:09 | thehackernews | NATION STATE ACTIVITY | Nation-State Hackers Leverage AI in Advanced Cyber Operations | Microsoft and OpenAI report that nation-state actors from Russia, North Korea, Iran, and China are incorporating AI into their cyber operations. The collaboration between the two companies has led to the disruption of five state-affiliated groups by terminating their use of AI services. The attackers' misuse of large language models (LLMs) focuses on social engineering and deceptive communications that exploit professional relationships. Although no breakthrough AI-driven cyberattacks have been observed, these actors are testing AI across multiple phases of cyber operations, including reconnaissance and malware development. Notably, Russia's Forest Blizzard group used OpenAI's services for research on satellite communications and for scripting assistance, showing the diverse applications of AI in cyber espionage. Microsoft is developing principles to counter the harmful use of AI tools by advanced persistent threats and cybercriminal organizations, emphasizing identification, notification, collaboration, and transparency. | Details |
| 2024-02-14 13:31:43 | thehackernews | CYBERCRIME | Ubuntu Utility Exploited to Push Malicious Package Installations | Cybersecurity researchers identified a vulnerability in Ubuntu's command-not-found tool that could lead to the installation of rogue packages. The utility, meant to suggest packages for non-existent commands, could be manipulated into recommending malicious snaps from the snap repository. Attackers could register snap names corresponding to APT packages and trick users into installing counterfeit snaps instead of legitimate software. Up to 26% of APT package commands are susceptible, and the attack can also involve typosquatting to dupe users into downloading malicious versions of intended packages. The example given is the 'jupyter-notebook' APT package, whose snap name was unclaimed, leaving a gap for attackers to publish a malicious snap under the same name. Researchers urge users to scrutinize the source of package installations and developers to secure the snap names associated with their packages. While the extent of exploitation is unknown, the findings highlight the need for increased security awareness and preventative measures within the software supply chain. | Details |
| 2024-02-14 13:00:46 | bleepingcomputer | MISCELLANEOUS | DuckDuckGo Launches Encrypted Sync for Secure Cross-Device Browsing | DuckDuckGo has introduced an end-to-end encrypted Sync & Backup feature for securely syncing bookmarks, passwords, and settings across devices. The feature preserves privacy because users do not need an account to use it, and DuckDuckGo cannot access any synced data due to the encryption. The new Sync & Backup is available in the DuckDuckGo browser on Windows, macOS, iOS, and Android. DuckDuckGo's browser prioritizes user privacy with features like HTTPS upgrading, tracker blocking, and a 'Fire' button to delete browsing history. To use the feature, users navigate to the Sync & Backup settings in the browser and connect devices through a QR code or an alphanumeric code. A PDF with recovery codes is generated for users, providing access to their synced data if their devices are lost or stolen. DuckDuckGo is adding a password requirement for accessing the Sync & Backup settings for additional security. The browser is currently in beta, with the potential for occasional instability or performance hiccups. | Details |