Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11771
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-04 15:21:05 | bleepingcomputer | CYBERCRIME | "Leaky Vessels" Flaws Threaten Containerized Application Security | The "Leaky Vessels" vulnerabilities let an attacker who can run or build a container escape it on runc-based runtimes such as Docker and read or modify data on the host.
Security researcher Rory McNamara from Snyk identified the flaws in November 2023 and disclosed them responsibly.
No signs of active exploitation of the vulnerabilities in the wild have been detected yet.
The vulnerabilities affect runc and Buildkit, widely used in container management systems like Docker and Kubernetes.
Fixes shipped in runc 1.1.12 and BuildKit 0.12.5; Docker Desktop 4.27.0 bundles the patched components.
AWS, Google Cloud and Ubuntu published security bulletins, and CISA issued an alert, directing users to apply the updates.
Urgent recommendations for system admins to apply security updates to protect against potential exploitation. | Details |
| 2024-02-03 21:34:38 | bleepingcomputer | CYBERCRIME | Clorox Discloses $49 Million Cost from Cyberattack Disruption | Clorox encountered a cyberattack in August 2023, leading to significant operational disruptions and decreased product availability.
The cyberattack had tremendous financial implications, with Clorox incurring $49 million in related expenses by the end of the year.
Costs include payments for third-party consulting, IT recovery, forensic investigations, and additional operational expenses due to the attack.
Clorox's report suggests a progressive recovery, with aims to restore distribution, rebuild retailer inventories, and focus on growth and margin improvement.
CEO Linda Rendle reports strong execution on the recovery plan and anticipates reduced future costs associated with the cyberattack.
In a related incident, Johnson Controls International also reported a loss of $27 million due to a September 2023 ransomware attack leading to a data breach.
The cyberattack on Clorox is suspected to be the work of Scattered Spider, a collective known for social engineering and ties to the BlackCat/ALPHV ransomware gang. | Details |
| 2024-02-03 19:17:29 | bleepingcomputer | MISCELLANEOUS | Understanding Chrome's Third-Party Cookie Phaseout Test | Google has begun testing the elimination of third-party cookies on Chrome, currently affecting approximately 1% of users worldwide.
Third-party cookies are used for tracking browsing habits for targeted ads; Google is aiming to replace them with Privacy Sandbox APIs for privacy-centric personalized advertising.
Firefox and Safari already block third-party cookies by default; Google plans to complete the Chrome phase-out in the second half of 2024.
The change signifies a major shift in online advertising, pushing advertisers toward adopting new technologies that preserve user privacy.
Google says it is working with web developers so that sites keep working and remain accessible as cross-site tracking is removed.
Google documents ways to tell whether you are in the test group, including an "eye" icon in the address bar and a Tracking Protection entry in Chrome's settings.
Users can opt in ahead of the broader rollout by enabling the Tracking Protection for 3PCD flag on chrome://flags.
| 2024-02-03 15:13:15 | bleepingcomputer | CYBERCRIME | Mastodon Fixes Critical Flaw Preventing Account Takeovers | Mastodon has patched a serious vulnerability, identified as CVE-2024-23832, which could permit attackers to impersonate users and take over accounts.
The issue affects all Mastodon versions prior to 3.5.17, 4.0.13, 4.1.13, and 4.2.5, and has a high severity rating of 9.4.
Administrators are urged to update promptly to the fixed release for their series (3.5.17, 4.0.13, 4.1.13 or 4.2.5), since each instance must be patched by its own operator.
Mastodon is withholding technical details until February 15, 2024; accounts on instances still unpatched by then are at risk once the details are public.
Server administrators are notified of the need for this critical update through a prominent banner within the platform.
The implications of such an exploit are severe, with the potential to affect individual users, communities, and overall platform integrity.
In July 2023 Mastodon fixed another critical bug, CVE-2023-36460 ("TootRoot"), which let crafted media files create or overwrite arbitrary files on the server and led to full server compromise. | Details |
| 2024-02-03 09:32:41 | theregister | CYBERCRIME | Researchers Uncover Vulnerability in Aircraft Landing Management Apps | Security researchers have discovered a vulnerability in Flysmart+ Manager, an app used by Airbus pilots for safe aircraft operations.
The app shipped with Apple's App Transport Security disabled, so it fetched performance data over unencrypted connections that an attacker could intercept to tamper with takeoff and landing data.
An attacker would need to be within Wi-Fi range of the electronic flight bag (EFB) and time the intercept to coincide with its monthly data update.
Despite the complexity, a proof-of-concept exploit revealed the possibility of accessing sensitive aircraft performance data.
Airbus has been praised for addressing the issue within 19 months, considered reasonable in aviation tech circles.
The vulnerability is a concern for pilots, who might not notice manipulated data, potentially leading to unsafe takeoff procedures.
Airbus and EASA have confirmed that existing security checks can validate critical flight data, and improvements have been made to the app. | Details |
| 2024-02-03 07:35:44 | thehackernews | NATION STATE ACTIVITY | U.S. Imposes Sanctions on Iranian Officials for Critical Infrastructure Hacks | The U.S. Treasury Department sanctioned six Iranian intelligence officials for cyber attacks on critical infrastructure.
These individuals are connected to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
The sanctioned officials were responsible for operations that compromised Unitronics programmable logic controllers, built by an Israeli vendor, at U.S. water facilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) linked these actors to an attack on the Municipal Water Authority of Aliquippa, Pennsylvania.
The sanctioned group, known as Cyber Av3ngers, has been active since 2020, targeting various entities across the U.S., Europe, and Israel.
The Treasury Department stressed that attacks on critical infrastructure endanger public safety and can have humanitarian consequences.
Another pro-Iranian cyber group, Homeland Justice, has been targeting Albania and recently deployed wiper malware against the country's statistics institution. | Details |
| 2024-02-03 06:54:44 | thehackernews | CYBERCRIME | Critical Flaw in Mastodon Enables Account Hijacking Potential | A critical security vulnerability in Mastodon allows attackers to impersonate and take over any account on the decentralized social network.
The issue, identified as CVE-2024-23832 with a severity rating of 9.4, was reported by a security researcher known as arcanicanis.
This flaw is described as an "origin validation error," which presents a significant risk as it may grant attackers access to functionalities not intended for external sources.
Versions of Mastodon at risk include all before 3.5.17, as well as versions prior to 4.0.13, 4.1.13, and 4.2.5 depending on the release series.
Mastodon has deferred releasing further technical details about the flaw until February 15, 2024, to allow server instance administrators time to apply necessary updates.
Due to Mastodon's federated structure, each independently hosted server instance requires its administrator to update promptly to mitigate any security risks.
This disclosure follows up on Mastodon addressing two other critical vulnerabilities roughly seven months prior, which could lead to DoS attacks or enable remote code execution. | Details |
| 2024-02-03 04:01:52 | thehackernews | CYBERCRIME | AnyDesk Software Compromise Leads to Forced Password Reset | AnyDesk disclosed that, after noticing signs of an incident, a security audit found its production systems had been compromised.
The incident was not a ransomware attack, and authorities have been notified; compromised systems have been remediated or replaced.
AnyDesk revoked all previous security certificates and is issuing new ones, while also urging users to reset passwords.
Users are advised to download the latest AnyDesk version featuring a new code signing certificate to ensure safety.
Specific details on the date and method of the breach were not provided, and it's unclear if data was stolen.
There is currently no evidence suggesting that end-user systems have been compromised due to this breach.
AnyDesk services over 170,000 customers globally and had recently experienced maintenance issues and service disruptions.
This announcement followed a separate disclosure by Cloudflare about a breach due to stolen credentials suspected to be a nation-state activity. | Details |
| 2024-02-02 23:42:21 | bleepingcomputer | DATA BREACH | AnyDesk Confirms Theft of Source Code and Certificates | AnyDesk has suffered a security breach, resulting in unauthorized access to its production servers.
Hackers managed to steal source code and private code signing keys from the company’s systems.
AnyDesk, widely used in enterprise settings for remote computer access, has taken steps to remediate the breach and strengthen security measures.
The company has initiated a password reset for their web portal as a precaution, even though they claim authentication tokens could not be stolen due to their design.
No evidence suggests that end-user devices were compromised in the incident.
AnyDesk is replacing stolen code signing certificates and urges users to update to the latest version of their software.
The breach was discovered following a four-day outage during which AnyDesk disabled client login for maintenance, later confirmed to be related to the cybersecurity incident.
Users are advised to change their passwords and update to the new software version as the old code signing certificate will soon be revoked. | Details |
| 2024-02-02 23:37:00 | bleepingcomputer | CYBERCRIME | Ransomware Attacks Plague Hospitals and Cybercriminals Face Justice | Continued ransomware attacks on hospitals disrupt patient care despite claims by groups like LockBit to avoid such targets.
LockBit affiliates targeted Lurie Children's Hospital in Chicago, with reported delays in medical procedures due to IT shutdowns.
A cyberfraudster from Ottawa linked to hundreds of ransomware cases has been sentenced to two years in prison.
Coveware reports a drop in ransomware victims paying ransoms, with only 29% complying in the last quarter of 2023.
Schneider Electric suffered a data breach in a Cactus ransomware attack, and Truesec reported Akira ransomware operators exploiting an old Cisco ASA/FTD vulnerability, CVE-2020-3259, for initial access.
Johnson Controls revealed a $27 million expense from a September 2023 ransomware attack and data breach.
The Pentagon is probing a data theft by ALPHV ransomware from a U.S. military contractor, and international law enforcement operation Synergia shut down over 1,300 servers linked to cybercrime.
Several new ransomware variants and strains were identified, including new versions of Phobos, Chaos, Dharma, and the emergence of Alpha ransomware. | Details |
| 2024-02-02 22:20:41 | bleepingcomputer | DATA BREACH | AnyDesk Confirms Breach and Urges Password Resets After Hack | AnyDesk production systems were compromised in a cyberattack, allowing hackers to access source code and private code signing keys.
Hack discovered following signs of an incident on AnyDesk's servers; cybersecurity firm CrowdStrike is assisting with the response plan.
Company claims AnyDesk software is still safe and there's no sign of customer device compromise.
Despite no evidence of authentication token theft, AnyDesk resets all web portal passwords and prompts users to change reused passwords.
AnyDesk is issuing new code signing certificates and has released a new software version with a new certificate (version 8.0.8).
AnyDesk's four-day login outage, presented at the time as maintenance, is now attributed to the breach response.
Users are strongly advised to update to the new version of AnyDesk and change their passwords as a precautionary measure. | Details |
| 2024-02-02 21:14:28 | theregister | DATA BREACH | Blackbaud Settles FTC Dispute Over Multi-Million Data Exposure | Cloud service provider Blackbaud has reached a proposed settlement with the FTC after a significant data breach.
The breach involved unauthorized access to Blackbaud's databases, compromising the personal data of millions.
The FTC criticized Blackbaud's data retention policies and delayed, inaccurate breach notifications.
The company reportedly paid the attackers $235,000 in ransom, without confirmation that stolen data was deleted.
Blackbaud has agreed to pay $3 million to the SEC and $49.5 million to US states to settle related charges.
As part of the FTC settlement, Blackbaud is to improve their data security practices, including eliminating unnecessary data retention, implementing multi-factor authentication, and using encryption for sensitive data.
Blackbaud neither admits nor denies the allegations but has committed to enhancing cybersecurity measures. | Details |
| 2024-02-02 18:36:44 | theregister | CYBERCRIME | Critical Security Flaw in Mastodon Social Network Patched Rapidly | A critical vulnerability in Mastodon, CVE-2024-23832, could enable attackers to take over user accounts remotely.
The 9.4 CVSS score marks the flaw as critical: it is remotely exploitable with high impact.
Mastodon versions prior to 3.5.17, 4.0.x before 4.0.13, 4.1.x before 4.1.13, and 4.2.x before 4.2.5 are affected.
Full details of the vulnerability will be withheld until February 15 to allow admins to secure their servers.
Mastodon’s decentralized structure makes updating more complex, as each server is independently managed.
More than half of the active Mastodon servers upgraded to a secure version within one day of the vulnerability's announcement.
Past critical security issues on Mastodon include two vulnerabilities with high severity scores, CVE-2023-36460 and CVE-2023-36459, uncovered in July 2023. | Details |
| 2024-02-02 16:23:59 | bleepingcomputer | CYBERCRIME | Lurie Children's Hospital Disrupted by Cyberattack | Lurie Children's Hospital in Chicago experienced a cyberattack, causing IT system disruption and medical care delays.
The hospital responded by taking network systems offline to contain the attack and is working with experts and law enforcement.
Email, phones and the MyChart patient portal were affected; patients with an emergency were told to call 911.
Despite the cyberattack, the hospital remains operational and continues to prioritize providing safe and quality patient care, albeit with adjustments.
Scheduled medical procedures faced delays, with diagnostic results impacted and prescriptions issued on paper due to IT system outage.
With systems down, patients were seen on a first-come, first-served basis rather than by scheduled priority, including in emergency settings.
No ransomware group has claimed responsibility; healthcare institutions continue to be hit even though some ransomware gangs claim to have rules against attacking hospitals.
Recent LockBit attacks on hospitals in the U.S. and Germany show that those stated policies offer healthcare providers little protection. | Details |
| 2024-02-02 15:41:37 | theregister | CYBERCRIME | Interpol's Global Cybercrime Crackdown Leads to 31 Arrests | An Interpol-coordinated, three-month operation across 55 countries led to 31 arrests for a range of cybercrimes.
The operation, codenamed Synergia, took down over 70% of 1,300 identified malicious servers tied to phishing, banking malware, and ransomware.
European countries hosted most of the command and control infrastructure, with the bulk of arrests made in Europe, and additional arrests in South Sudan and Zimbabwe.
About 60 law enforcement agencies took part, searching 30 properties and identifying 70 further suspects.
The operation was a response to the observed proliferation and professionalization of transnational cybercrime, requiring coordinated global action.
Several private sector entities, such as Group-IB, provided essential intelligence, contributing more than 500 IP addresses associated with phishing and about 1,900 related to ransomware activity.
Operation Synergia's achievements emphasize the critical need for cross-border law enforcement cooperation and private sector collaboration in fighting cybercrime.
Interpol's recent Operation Turquesa V in the Americas targeted human trafficking tied to scam call centres, a separate but related part of the cybercrime economy. | Details |
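
Two of the advisories above (Leaky Vessels and the Mastodon account-takeover flaw) give fix versions, and the Mastodon one gives a different fix for each maintenance series. A check that compares only against the newest release (4.2.5) would wrongly flag a patched 3.5.17 or 4.1.13 instance, and a check that compares only against the oldest would miss a vulnerable 4.2.4. The script below is an added example, not code from any of the articles or from the Mastodon, runc or BuildKit projects: it parses a version out of a Mastodon `GET /api/v1/instance` response (the `version` field), from `runc --version` output and from `buildkitd --version` output, then decides per maintenance series whether the installed build is at or above the fix. The sample outputs and the instance JSON are constructed for the example, and the exact CLI output layouts are assumed from memory; the parser only looks for the first version-shaped token, so it tolerates small layout differences.

```python
import json
import re
from typing import Optional

# Fixed versions as stated in the advisories summarized above.
# Mastodon CVE-2024-23832 shipped one fix per maintenance series.
MASTODON_FIXED = ["3.5.17", "4.0.13", "4.1.13", "4.2.5"]
# Leaky Vessels: runc and BuildKit each fixed on a single series.
RUNC_FIXED = ["1.1.12"]
BUILDKIT_FIXED = ["0.12.5"]

# Optional leading 'v', dotted numbers, optional pre-release tag after '-'.
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?")


def version_token(text: str) -> str:
    """Return the first version-looking token in text, e.g. '1.1.11' or 'v0.12.5'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return m.group(0)


def parse_version(text: str) -> tuple:
    """Comparable key: ((major, minor, patch), release_flag).
    A pre-release such as '4.2.5-rc1' sorts below the '4.2.5' release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]          # pad short versions like '4.2'
    release_flag = 0 if m.group(2) else 1  # pre-release < release
    return nums, release_flag


def is_patched(installed: str, fixed: list) -> Optional[bool]:
    """True if `installed` is at or above the fix for its own major.minor series.
    False if it is below that fix, or if its series is older than every fixed
    series (such series never received a fix).  None if the series is newer than
    or outside the advisory's list: the fix is presumably carried forward, but
    the advisory does not say so, so report it rather than assume."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed)
    series = inst[0][:2]
    for fx in fixes:
        if fx[0][:2] == series:
            return inst >= fx
    if inst < fixes[0]:
        return False
    return None


def mastodon_version_from_instance_json(body: str) -> str:
    """Version string from a GET /api/v1/instance response body."""
    return json.loads(body)["version"]


def runc_version_from_cli(output: str) -> str:
    """Version from `runc --version`; the first line reads 'runc version X.Y.Z'."""
    first = output.splitlines()[0]
    if not first.startswith("runc version"):
        raise ValueError(f"unexpected runc output: {first!r}")
    return version_token(first)


def buildkit_version_from_cli(output: str) -> str:
    """Version from `buildkitd --version` (assumed layout:
    'buildkitd github.com/moby/buildkit vX.Y.Z <commit>')."""
    return version_token(output)


# Constructed sample inputs; not captured from any real server or host.
SAMPLE_INSTANCE_JSON = '{"uri": "example.social", "version": "4.1.12"}'
SAMPLE_RUNC_OUTPUT = (
    "runc version 1.1.11\ncommit: v1.1.11-0-g4bccb38\n"
    "spec: 1.0.2-dev\ngo: go1.20.3\nlibseccomp: 2.5.4\n"
)
SAMPLE_BUILDKITD_OUTPUT = "buildkitd github.com/moby/buildkit v0.12.5 abc123def456\n"


def check_all() -> dict:
    """Run the three checks over the constructed samples."""
    return {
        "mastodon": is_patched(mastodon_version_from_instance_json(SAMPLE_INSTANCE_JSON), MASTODON_FIXED),
        "runc": is_patched(runc_version_from_cli(SAMPLE_RUNC_OUTPUT), RUNC_FIXED),
        "buildkit": is_patched(buildkit_version_from_cli(SAMPLE_BUILDKITD_OUTPUT), BUILDKIT_FIXED),
    }


if __name__ == "__main__":
    labels = {True: "patched", False: "VULNERABLE", None: "series not covered by advisory"}
    for name, state in check_all().items():
        print(f"{name}: {labels[state]}")
```

To use it against a live host, feed `is_patched` the real strings: fetch `https://<instance>/api/v1/instance` and pass the body to `mastodon_version_from_instance_json`, and pipe the output of `runc --version` and `buildkitd --version` into the two CLI helpers. The `None` result is deliberate: a 4.3.x nightly is not in the advisory's list, and silently calling it "patched" would hide exactly the kind of assumption that version checks get wrong.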