Daily Brief
Articles are listed below, each with a generated summary
Total articles found: 11773
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-02-05 23:02:47 | theregister | MISCELLANEOUS | Google Donates $1M to Advance Rust-C++ Interoperability | Google has donated $1 million to the Rust Foundation to improve interoperability between Rust and C++, a step toward memory-safe software development. C++ has drawn criticism for its memory-safety weaknesses, fuelling advocacy for the memory-safe Rust language. The funding is expected to lower the barrier to adopting Rust in legacy systems and in Android, where C++ is widely used alongside other languages. Google's grant follows a similar $1 million contribution from Microsoft, which has also pledged $10 million to make Rust a "first-class language" in its engineering systems. More than 1,000 Google developers have committed Rust code, with significant adoption in Android, and Google has been building tooling to let Rust and C++ code call each other. The Rust Foundation has launched an Interop Initiative to streamline integrating Rust with C++ in existing projects and workflows. |
| 2024-02-05 22:06:45 | bleepingcomputer | MISCELLANEOUS | Microsoft Investigates Outlook Security Alert Bug Post-Update | Microsoft is investigating an Outlook issue in which opening .ICS calendar files triggers security warnings after the December 2023 Patch Tuesday update. Users see alerts about potential security concerns when opening .ICS files saved locally, a bug Microsoft has acknowledged. The warnings stem from the fix for CVE-2023-35636, an Outlook information-disclosure vulnerability in which a malicious .ICS file could leak the user's NTLM hash to an attacker-controlled server. Microsoft has offered a registry workaround that disables these notices, with the caveat that it also suppresses the same warning for other file types, so it trades away part of the protection the fix introduced. A full resolution has yet to be released; Microsoft resolved separate Outlook connectivity and crash issues earlier in the month. |
| 2024-02-05 20:49:58 | theregister | CYBERCRIME | Ivanti Devices Targeted Again: Growing Concerns Over New Exploits | Multiple attackers are exploiting a new Ivanti server-side request forgery (SSRF) vulnerability, CVE-2024-21893, which was publicly disclosed on January 31. Ivanti was already dealing with two other zero-days (CVE-2023-46805 and CVE-2024-21887) when this flaw was found. The new vulnerability can be chained with the CVE-2024-21887 command-injection bug to achieve unauthenticated command execution as root. Proof-of-concept (PoC) exploits have been published, and attack attempts have risen sharply, with more than 170 source IP addresses observed so far. Earlier Ivanti flaws were reportedly exploited by Chinese state-backed actors; the perpetrators behind the new attacks have not been identified. Ivanti has released patches, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to disconnect affected Ivanti products by February 2. |
| 2024-02-05 20:29:25 | bleepingcomputer | NATION STATE ACTIVITY | US Enacts Visa Bans on Individuals Tied to Spyware Misuse | The US State Department has introduced new visa restrictions targeting individuals connected to the misuse of commercial spyware. The restrictions are part of broader US efforts to counter the exploitation of surveillance tools that infringe on human rights and pose security threats. Specific incidents of commercial spyware misuse have involved severe human rights violations, including arbitrary detentions and extrajudicial killings. An Executive Order already prohibits US government use of commercial surveillance tools that pose such risks. The Commerce Department added four European spyware firms to its Entity List for distributing hacking tools used against high-risk individuals internationally. Earlier, in November 2021, four other companies from Israel, Russia, and Singapore were sanctioned for developing and distributing spyware. The Biden administration, in coordination with the Freedom Online Coalition of 36 governments, is promoting principles intended to prevent the misuse of surveillance technology and uphold human rights. The US reaffirms its stance on human rights and pledges to hold accountable those who abuse commercial spyware. |
| 2024-02-05 19:33:23 | theregister | CYBERCRIME | Hospitals Warned: Heed Voluntary Cybersecurity Goals or Face Consequences | The U.S. government's "voluntary" cybersecurity performance goals for healthcare organizations are likely to become mandatory regulations in the future. Taylor Lehmann, director at Google Cloud's Office of the CISO, advises hospitals to take the new goals seriously because they will form the basis of forthcoming rules. HHS intends to establish enforceable security standards and to provide financial support for healthcare facilities to adopt high-impact cybersecurity practices. Recent ransomware attacks and data thefts at healthcare organizations underline the urgency of improving cyber defenses. The essential goals include mitigating known vulnerabilities, multi-factor authentication, email security, and encryption of sensitive data. Healthcare networks, especially in rural areas, struggle to update technology and hire security staff, and some hospitals hit by attacks have been forced to close. The strategy focuses on prevention but may undervalue resilience and recovery during an attack. Lehmann highlights the need to balance data confidentiality against the critical availability of healthcare services, suggesting a shift in security priorities. |
| 2024-02-05 18:37:00 | bleepingcomputer | DATA BREACH | HPE Probes Potential Data Compromise Amidst Hacker Forum Sale Claims | Hewlett Packard Enterprise (HPE) is investigating claims of a data breach after a seller on a hacking forum offered data purportedly taken from HPE. HPE says it has found no evidence of an intrusion or of any impact on its products and services, and no ransom demand has been made. The seller, known as IntelBroker, claims the data includes HPE credentials, system logs, and configuration files, but has not revealed the source or the method of acquisition. The claim follows HPE's recent disclosure that Russia's APT29 accessed and exfiltrated data from its Office 365 email environment starting in May 2023. The intruders are believed to have taken files from HPE's cybersecurity team and to have retained access to the cloud environment until December 2023. HPE has suffered earlier breaches, including a 2018 intrusion by China's APT10 and a 2021 compromise of data repositories belonging to its Aruba Central platform. |
| 2024-02-05 18:31:44 | theregister | DATA BREACH | AnyDesk Credentials Compromised in Security Breach | AnyDesk has acknowledged an IT security incident in which attackers gained access to its production systems. The incident disrupted services and is reportedly not a ransomware attack. The attackers are believed to have obtained AnyDesk's code signing certificate, which would allow malware to be signed so that it appears to be legitimate AnyDesk software. All security-related certificates have been revoked and AnyDesk is moving to a new code signing certificate; passwords for its customer portal have also been reset. AnyDesk customer credentials are reportedly being sold on the dark web, but their connection to this breach is unclear. AnyDesk engaged CrowdStrike for incident response, says the situation is under control, and urges users to update to the latest version, which is signed with the new certificate. Threat intelligence researchers report that the AnyDesk credentials being marketed for scams originate from earlier infostealer infections rather than from this incident. |
| 2024-02-05 16:39:32 | thehackernews | CYBERCRIME | Belarusian National Extradited for Alleged $4B Crypto Laundering | Belarusian and Cypriot national Aliaksandr Klimenka faces U.S. charges for his role in the BTC-e cryptocurrency exchange and its alleged $4 billion money laundering operation. Klimenka, arrested in Latvia, could receive up to 25 years in prison for money laundering and operating an unlicensed money services business. BTC-e is accused of serving as a hub for proceeds of cybercrime, including hacking, ransomware, and drug trafficking, because of the anonymity its trading features offered. The exchange lacked anti-money laundering (AML) and know-your-customer (KYC) policies, in violation of U.S. federal law. The story also notes recent indictments of other cybercriminals, including 19-year-old Noah Michael Urban of Florida, charged with wire fraud and identity theft linked to the Scattered Spider group. Three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, were charged in connection with a SIM swapping attack on the crypto exchange FTX. |
| 2024-02-05 15:58:23 | bleepingcomputer | CYBERCRIME | Mass Exploitation of New Ivanti SSRF Zero-Day Vulnerability Detected | A server-side request forgery (SSRF) zero-day vulnerability, CVE-2024-21893, in Ivanti products is being widely exploited. Ivanti warned about the flaw at the end of January 2024, noting limited active exploitation at that time. The bug lets an unauthenticated attacker reach certain restricted resources on affected Ivanti Connect Secure and Policy Secure versions 9.x and 22.x. Exploitation has since surged, with 170 distinct IP addresses seen targeting the flaw, indicating growing attacker interest. A proof-of-concept (PoC) exploit was published by researchers, but attackers were observed exploiting the vulnerability before its release. Nearly 22,500 Ivanti Connect Secure devices are exposed online, though it is unclear how many are actually vulnerable to CVE-2024-21893. Given the ongoing exploitation, CISA has directed federal agencies to disconnect affected Ivanti devices and reconnect them only after a factory reset and a firmware update. Patches are not yet available for every affected version, so federal agencies and private organizations alike must review the state of their Ivanti deployments. |
| 2024-02-05 14:46:31 | theregister | CYBERCRIME | Chicago's Lurie Children's Hospital Struck by Cyberattack, Reverts to Manual Operations | Lurie Children's Hospital in Chicago is working with pen and paper after a significant cyberattack took down its email, phone, and internet services. The hospital pulled its network systems offline, causing canceled appointments, delayed surgeries, and difficulties in patient care. Law enforcement agencies and outside experts are helping respond at the hospital, which treats more than 200,000 children a year. The attack follows a recent incident at Saint Anthony Hospital, for which the LockBit ransomware gang claimed responsibility; that attack involved data theft but no operational downtime. No group has claimed responsibility for the Lurie attack, and no attribution has been made. US hospitals may soon have to meet cybersecurity standards to receive federal funding, as proposed in a concept paper from the US Department of Health and Human Services. |
| 2024-02-05 13:24:13 | thehackernews | MISCELLANEOUS | Simplifying Cybersecurity with Cato Networks' SASE-based XDR Solution | Cato Networks' Extended Detection and Response (XDR) offering is built into its Secure Access Service Edge (SASE) platform, which the vendor says improves the quality of data available for threat detection. Cato XDR correlates security data across domains using native sensors from the unified SASE architecture, with the aim of better threat identification and incident response. The sensors include NGFW, IPS, DNS Security, CASB, DLP, and EPP/EDR, giving a broad data view that the vendor says shortens incident investigations. The platform also ingests data from leading third-party EDR products so existing tools can be incorporated. A hands-on review of Cato XDR describes a user-friendly interface, AI-based risk scoring, and a triage workflow designed for analysts of varying experience. Analysts can analyze, investigate, and document threats within the Cato platform without switching between tools. The vendor claims significantly shorter time to detection and response and a simpler overall process, positioning it as an option for organizations looking to streamline security operations. |
| 2024-02-05 13:18:40 | thehackernews | MALWARE | Romance Scams Lure Users to Install VajraSpy Malware via Android Apps | The Patchwork APT group has used romance scams to distribute the VajraSpy malware disguised as secure messaging apps to targets in Pakistan and India. Trojanized apps published on the Google Play Store between April 2021 and March 2023 accumulated more than 1,400 downloads, and 148 devices are believed to have been compromised. VajraSpy steals contacts, files, call logs, SMS messages, WhatsApp and Signal messages, records phone calls, and takes pictures. Google removed one such app, advertised as a news reader, which had reached 1,000 downloads before it was detected. The campaign continues a known Patchwork tactic of creating fake personas on platforms such as Facebook and Instagram to steer victims toward rogue apps. Separately, other South Asian cybercriminals run similar schemes aimed at extortion, threatening to leak manipulated nude images built from selfies that victims submitted during a loan app's KYC process. The rise in malicious loan apps and sextortion schemes points to a broader trend affecting users globally, including teenagers in English-speaking countries. |
| 2024-02-05 11:16:23 | thehackernews | MISCELLANEOUS | Enhancing Risk Management via Unified Cybersecurity Frameworks | Current cyber security risk management platforms are mostly reactive, leading to alert fatigue and recurring risks. SecurityHQ's Global SOC Head argues that proactive risk management can prevent the majority of SOC incidents, which are repeat occurrences. SecurityHQ advocates a platform that integrates multiple frameworks such as NIST, MITRE, and NCSC to improve risk management strategies. These frameworks provide structured approaches for assessing, managing, and mitigating risk, grounded in real-world observations and global intelligence. SecurityHQ's SHQ Response Platform combines practices from NIST, NCSC, and MITRE to translate identified risks into actionable mitigation plans. The platform aims to reduce alert fatigue by concentrating on mitigating common risks and by offering a library of linked threats, impacts, and controls. Effective use of the SHQ Response platform still requires a team of experts able to analyze the data, act on it, and carry out the mitigations. |
| 2024-02-05 07:42:30 | thehackernews | NATION STATE ACTIVITY | Pegasus Spyware Infiltrates Devices of Jordanian Activists and Journalists | Nearly three dozen Jordanians, including journalists and activists, were targeted with NSO Group's Pegasus spyware, with devices infected between 2019 and September 2023. The surveillance used both zero-click and one-click attacks that combined iOS exploits with social engineering, and some victims were infected more than once. Attackers often posed as journalists and sent malicious links via WhatsApp and SMS to deliver the spyware. NSO Group maintains that its product is not for mass surveillance and is sold only to legitimate government agencies, and argues it helps counter encryption used by criminals. Despite those assurances, the Jordanian cases show continued misuse of the tool against civil society. NSO Group reports a "significant decrease" in misuse thanks to improved due diligence, yet the Jordan cases exhibit ongoing patterns of abuse. Access Now highlights the damage to targeted individuals' privacy and freedom of expression and the chilling effect on activism and journalism. The report calls for a moratorium on the sale and use of surveillance technologies until adequate safeguards are in place. |
| 2024-02-05 03:48:26 | thehackernews | MALWARE | Mispadu Banking Trojan Targets Windows SmartScreen Flaw | The Mispadu banking Trojan is exploiting an already patched Windows SmartScreen bypass (CVE-2023-36025), with victims chiefly in Mexico. The Delphi-based malware, observed since 2019, is known for stealing information across Latin America. Since August 2022, Mispadu has harvested more than 90,000 sets of bank account credentials through spam email campaigns. It sidesteps SmartScreen with a specially crafted Internet Shortcut (.url) file whose target points to a malicious network share, so the downloaded payload is not flagged. After execution, Mispadu checks the victim's location and system details before contacting a C2 server to exfiltrate data. Other cybercrime groups have exploited the same flaw to deliver malware including DarkGate and Phemedrone Stealer. The Trojan is part of a wider wave of attacks on Mexican targets involving information stealers and RATs such as AllaKore RAT and AsyncRAT. The report coincides with new details on FIN7's DICELOADER malware, noted for its sophistication and previously distributed via malicious USB drives. |
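The Mispadu lure described in the last row hinges on an Internet Shortcut (.url) file whose URL= target is a file on a remote share. The following Python check, added here as an example and not taken from the article or from any vendor's tooling, parses .url files and flags those whose target is a remote SMB/WebDAV-style path, escalating to "suspicious" when the target name ends in an executable extension. The sample shortcut contents, the hosts (documentation-range addresses) and the list of risky extensions are constructed assumptions for the example; the check is a triage heuristic for mail-gateway or EDR workflows, not a substitute for the patch.

```python
"""Triage Windows Internet Shortcut (.url) files that point at remote shares.

Added example, not code from the article.  A .url file is INI text with an
[InternetShortcut] section and a URL= key; SmartScreen-bypass lures set that
URL to a file on an attacker-controlled share.  All samples below are
constructed for this demonstration.
"""
import configparser
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumption: extensions that should never be the target of a shortcut
# delivered by e-mail.  Tune to the environment.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".dll", ".msi", ".scr", ".cpl", ".hta", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd", ".ps1",
}


def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value from [InternetShortcut], or None if not a .url file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:          # no section header, junk bytes, etc.
        return None
    for name in parser.sections():      # section names are case-sensitive in configparser
        if name.lower() == "internetshortcut":
            return parser.get(name, "url", fallback=None)  # keys are lower-cased
    return None


def is_remote_share_target(url: str) -> bool:
    """True when the target lives on another host reached via UNC/SMB/WebDAV paths."""
    u = url.strip()
    if u.startswith("\\\\") or u.startswith("//"):   # UNC: \\host\share\file
        return True
    parsed = urlparse(u)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        # file://host/share/x is remote; file:///C:/x has an empty netloc
        return bool(parsed.netloc) and parsed.netloc.lower() not in ("localhost", "127.0.0.1")
    return scheme in ("smb", "webdav", "davs")


def target_extension(url: str) -> str:
    """Lower-cased extension of the last path component, ignoring query/fragment."""
    name = re.split(r"[\\/]", url.strip())[-1]
    name = name.split("?")[0].split("#")[0]
    return name[name.rfind("."):].lower() if "." in name else ""


def assess(text: str) -> Dict[str, object]:
    """Classify one .url file's contents: unparsed / benign / review / suspicious."""
    target = shortcut_target(text)
    if target is None:
        return {"target": None, "remote_share": False,
                "executable_target": False, "verdict": "unparsed"}
    remote = is_remote_share_target(target)
    executable = target_extension(target) in SUSPICIOUS_EXTENSIONS
    if remote and executable:
        verdict = "suspicious"      # remote share *and* executable payload: the lure shape
    elif remote:
        verdict = "review"          # remote share but non-executable target
    else:
        verdict = "benign"
    return {"target": target, "remote_share": remote,
            "executable_target": executable, "verdict": verdict}


def scan(files: Dict[str, str]) -> Dict[str, str]:
    """Map file name -> verdict for a batch of .url contents."""
    return {name: str(assess(text)["verdict"]) for name, text in files.items()}


# Constructed samples (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.7/share/invoice.exe\r\nIconIndex=0\r\n",
    "unc.url": "[InternetShortcut]\nURL=\\\\198.51.100.9\\public\\update.cmd\n",
    "bookmark.url": "[InternetShortcut]\nURL=https://example.com/\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In practice the input would be every .url attachment or download seen by the gateway; a "suspicious" verdict is a strong quarantine signal, and a "review" verdict (remote share, non-executable name) still deserves a look because the share's directory listing may hold the real payload.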