Daily Brief

Total articles found: 11764
2024-01-24 15:05:54 bleepingcomputer CYBERCRIME Bolstering Password Security Without Compromising User Experience
Microsoft detected approximately 1,287 password attacks every second throughout 2022, emphasizing the need for improved password security in organizations. Traditional password advice, such as 8-character passwords with varied character types and mandatory periodic changes, has produced weak and predictable passwords because users favor convenience and memorability. The National Cyber Security Centre advocates passwords made of three random words, which are both harder for attackers to guess and easier for users to remember. The National Institute of Standards and Technology recommends tying password expiration to password length, so that longer passwords require fewer mandatory changes. Specops Software offers a solution with Breached Password Protection to prevent the use of known compromised passwords, enhancing Active Directory account security. Organizations can use password security tools that enforce password strength and length-based aging while blocking breached passwords, maintaining robust security without inconveniencing users. With these strategies, organizations aim not only to fortify their defenses against cyber threats but also to improve the end-user experience with simpler yet secure authentication methods.
2024-01-24 14:34:54 thehackernews CYBERCRIME Critical Misconfiguration in Google Kubernetes Engine Risks Cluster Takeovers
Cybersecurity researchers identified a critical vulnerability in Google Kubernetes Engine (GKE) that could allow any Gmail user to control Kubernetes clusters. Approximately 250,000 active GKE clusters are estimated to be at risk of compromise due to this issue. The vulnerability arises from a misconception about the system:authenticated group, which is widely believed to contain only verified identities but actually includes any Google-authenticated account. Attackers could exploit the flaw by using a Google OAuth 2.0 bearer token, enabling unauthorized access and potential follow-on activity such as lateral movement, cryptomining, and sensitive data theft. The exploitation method does not leave traces that can be readily linked to the specific Gmail or Google Workspace account used. Google has responded by updating GKE to prevent binding of the system:authenticated group to the cluster-admin role in versions 1.28 and above, and has advised users not to bind the group to any RBAC roles. Orca Security has cautioned that while no large-scale attacks using this technique have been recorded, the potential risk should not be overlooked, and users are advised to secure their clusters proactively.
2024-01-24 13:38:31 bleepingcomputer CYBERCRIME Researchers Reveal 24 Zero-Days, Hack Tesla at Pwn2Own 2024
Security researchers uncovered 24 zero-day exploits at Pwn2Own Automotive 2024, targeting a Tesla and other automotive technologies. The team from Synacktiv won $295,000 on the first day, successfully exploiting the Tesla Modem and various EV charging stations. NCC Group EDG ranked second, earning $70,000 by hacking infotainment systems and an EV charger. After identified vulnerabilities are reported, vendors have 90 days to fix the issues before public disclosure. Pwn2Own Automotive 2024 in Tokyo is part of the larger Automotive World conference, with a focus on vehicle-related cybersecurity. Participants aim to expose vulnerabilities in Tesla's in-vehicle systems and in EV charging technologies from multiple brands. The highest reward is $200,000 plus a Tesla car for significant exploits in critical vehicle systems. Last year, Pwn2Own Vancouver 2023 saw researchers awarded $1,035,000 and a Tesla Model 3 for demonstrating 27 zero-day exploits.
2024-01-24 11:56:24 thehackernews MALWARE Kasseika Ransomware Evades Security Using Vulnerable Driver Trick
Kasseika ransomware is deploying BYOVD (Bring Your Own Vulnerable Driver) tactics, a method also used by Akira, AvosLocker, BlackByte, and RobbinHood. The technique, analyzed by Trend Micro, involves disabling antivirus processes before deploying the ransomware. The ransomware shows similarities to the defunct BlackMatter, suggesting that experienced threat actors may have acquired access to BlackMatter's resources. Kasseika's infection process starts with a phishing email, followed by distribution of RATs and use of tools like PsExec for lateral movement within networks. The group uses a malicious signed driver, "viragt64.sys," which is on Microsoft's vulnerable driver blocklist, to neutralize 991 security tools. Once the security tools are bypassed, Kasseika launches its ransomware payload, encrypts files with ChaCha20 and RSA, and demands a ransom paid in Bitcoin. Kasseika also attempts to cover its tracks by wiping system event logs to impede detection by security tools.
2024-01-24 11:30:24 thehackernews MISCELLANEOUS Revolutionizing SaaS Governance with Nudge Security Approach
Nudge Security is designed to adapt to business needs, allowing IT and security leaders to manage SaaS usage without hindering employee productivity. It provides a comprehensive inventory of SaaS accounts and activity by analyzing machine-generated email messages for security-relevant events. The platform includes tools for monitoring access methods, such as MFA and SSO enrollment, while assessing risks associated with OAuth grants and scopes. Nudge Security helps monitor and minimize the organization's SaaS attack surface, providing data on vendor security profiles and alerting on relevant breaches. The service aims to control SaaS sprawl and reduce shadow IT by automating employee engagement and guiding users toward security best practices. It offers automated workflows to handle common SaaS security tasks, enhancing efficiency and reducing the burden of manual oversight. Organizations can start a 14-day free trial to evaluate Nudge Security's impact on their SaaS security and governance.
2024-01-24 11:04:33 theregister NATION STATE ACTIVITY Microsoft Corporate Email Breach Traced to Russian-Sponsored Hackers
Russian state-sponsored actors, also known as Midnight Blizzard or Cozy Bear, compromised Microsoft's corporate systems and stole leadership emails. The breach occurred in late November 2023 but was only detected on January 12, 2024, with Redmond yet to assess the full financial impact. Microsoft's statement emphasized that customer environments, production systems, source code, and AI systems were not accessed during the attack. Cozy Bear had previously infiltrated Microsoft in the SolarWinds supply-chain attack, and other breaches by various attackers have occurred since. US Senator Ron Wyden criticized Microsoft for failing to implement multi-factor authentication on its legacy systems, which might have prevented the breach. Despite the security lapses, Microsoft continues to dominate enterprise and government contracts, with cybersecurity revenue exceeding $20 billion. Industry experts warn that the widespread reliance on Microsoft products across IT infrastructure and services magnifies the impact of any weakness in its security.
2024-01-24 09:01:47 thehackernews CYBERCRIME Navigating the Hidden Dangers of Software Supply Chain
Reliance on open-source software components in application infrastructures is increasing, expanding the attack surface to include supply chain vulnerabilities. Incorporating one open-source library often means pulling in multiple transitive dependencies, exposing applications to any vulnerabilities within those libraries. Software Composition Analysis (SCA) platforms help detect and fix known vulnerabilities but are not fully equipped to handle unknown risks such as supply chain attacks. Gartner predicts that by 2025 up to 45% of organizations will experience supply chain attacks, stressing the urgency of preparing and defending against them. Traditional SCA tools are insufficient for supply chain attack prevention, so a new approach is needed to address both known and unknown supply chain risks. A cheat sheet is available for download, covering five types of critical supply chain attacks and 14 best practices for defense. The article also highlights the importance of distinguishing vulnerabilities from attacks, arguing that a more robust protection strategy is needed. Executives are encouraged to consider a masterclass on SaaS security, based on insights from a study of 493 companies, for practical dos and don'ts in the field.
2024-01-24 09:01:47 thehackernews CYBERCRIME Trilateral Sanctions Target Russian Hacker for Medibank Ransomware Attack
The U.S., U.K., and Australia have sanctioned a Russian national believed to be involved in the Medibank ransomware attack. Identified as Alexander Ermakov, he is associated with the now-defunct REvil cybercrime group. The Medibank breach in October 2022 affected around 9.7 million individuals, exposing sensitive personal and medical data. Financial sanctions criminalize any transactions with Ermakov's assets, imposing penalties of up to 10 years in prison. Australia has additionally enforced a travel ban on Ermakov to hinder his movements. The U.K.'s actions align with efforts to deter cybercrime undermining national prosperity and security. The U.S. Treasury has criticized Russia for cultivating cybercriminals and called for stronger action against cybercrime operating within its borders. Underlining the resolve to protect critical infrastructure, the sanctions aim to disrupt ransomware actors threatening the economies of allied nations.
2024-01-24 07:33:28 theregister DATA BREACH Dutch COVID-19 Test Lab Exposes Over 1 Million Patient Records
A database without password protection, estimated to hold 1.3 million Dutch COVID-19 test records, was found unsecured on the internet. Personal information exposed included names, birth dates, passport numbers, email addresses, test certificates, appointment records, and testing samples. The database is believed to be associated with CoronaLab, which is recommended by the US Embassy in the Netherlands for COVID-19 testing. Security researcher Jeremiah Fowler discovered the breach but received no response from CoronaLab or parent company Microbe & Lab after multiple contact attempts. The database remained open for nearly three weeks before the cloud hosting provider was contacted and the database was finally secured. The CoronaLab website is currently down, and there's no indication of whether European data protection authorities have been informed, as required by the GDPR. Patients and customers affected by the breach appear to be unaware of their data exposure.
2024-01-24 06:32:07 theregister NATION STATE ACTIVITY Warning of AI-Enhanced State-Sponsored Cyber Threats by 2025
The UK National Cyber Security Centre (NCSC) warns that by 2025, AI could significantly improve state-backed cyber attackers' capabilities by evading current detection systems. Highly capable states could have the data necessary to train AI models for malware development, increasing the potential for new, sophisticated cyber threats. The NCSC forecasts that AI will enhance attackers' abilities to discover vulnerabilities, analyze data in real-time, and identify valuable files for effective data theft or extortion. Predictions suggest that both highly skilled actors and lower-skilled cybercriminals will benefit from AI advancements, with the latter improving their social engineering and ransomware tactics. The report emphasizes the need for continued investment and expertise in AI to keep up with the evolving threat landscape and advises organizations to follow recommended cyber security practices. The upcoming CYBERUK conference will focus on the challenges of emerging technologies like AI and their national security implications, with a call to manage AI’s cyber threat risks responsibly. The NCSC's report follows initiatives such as The Bletchley Declaration from the AI Safety Summit, aimed at managing AI risks, although such agreements lack enforcement mechanisms.
2024-01-24 05:41:05 thehackernews CYBERCRIME High-Risk Admin Creation Flaw in GoAnywhere MFT Software
A critical security flaw (CVE-2024-0204) with a 9.8 CVSS score was found in Fortra's GoAnywhere MFT software, allowing unauthorized creation of admin users. Fortra issued an advisory on January 22, 2024, providing guidance for users who cannot immediately upgrade to the patched version 7.4.1. Workarounds involve deleting or replacing the InitialAccountSetup.xhtml file in the software's install directory, depending on the type of deployment. The vulnerability was identified by researchers Mohammed Eldeeb and Islam Elrfai and was caused by a path traversal weakness. Cybersecurity firm Horizon3.ai released a proof-of-concept (PoC) exploit and explained how to detect compromises by checking for new admin users in the GoAnywhere administrator portal. So far, there is no evidence of active exploitation of this particular vulnerability; however, another flaw (CVE-2023-0669) in GoAnywhere MFT was previously leveraged by the Cl0p ransomware group.
2024-01-23 23:19:58 bleepingcomputer CYBERCRIME Fortra GoAnywhere MFT Exploit Revealed: Critical Auth Bypass Vulnerability
Fortra's GoAnywhere Managed File Transfer (MFT) software had a critical authentication bypass vulnerability allowing creation of new admin users on unpatched systems. Exploit code for the vulnerability (CVE-2024-0204) is now public, enabling attackers to compromise unpatched instances through the admin portal. The bug was silently fixed by Fortra on December 7 in the GoAnywhere MFT 7.4.1 update, but public disclosure was delayed, with further details provided only in a private customer advisory. Security researchers from Horizon3's Attack Team published technical details and a proof-of-concept (PoC) exploit nearly seven weeks after the patch. The Clop ransomware gang previously exploited a different vulnerability in GoAnywhere MFT to breach over 100 organizations, with high-profile victims including Community Health Systems and Procter & Gamble. The current recommendation for admins unable to update immediately is to remove the attack vector as specified by Fortra, while monitoring for any unexpected additions to admin user groups. This incident is part of a broader pattern of cybercriminals targeting MFT platforms over the years.
2024-01-23 22:18:36 bleepingcomputer CYBERCRIME Coordinated International Sanctions Target REvil Hacker Over Medibank Breach
Australia, the US, and the UK have sanctioned Aleksandr Gennadievich Ermakov for the Medibank ransomware attack. The Medibank breach in October 2022 led to the leak of data for about 10 million individuals, including sensitive health information. Ermakov, associated with multiple online aliases, was identified as a key member of the REvil ransomware group. This trilateral sanction represents the first coordinated action against cybercriminals by the partnering countries. The sanctions aim to disrupt Ermakov's operations by stripping away his financial resources and anonymity, key elements for cybercriminals. Although Ermakov may attempt to evade these sanctions, international authorities hope to deter others from facilitating his illegal activities, including providing ransom payments. Naming and sanctioning Ermakov marks a significant step in the global fight against ransomware and cybercrime, emphasizing the commitment to accountability.
2024-01-23 22:13:18 bleepingcomputer CYBERCRIME International Sanctions Target REvil Hacker for Medibank Breach
Sanctions have been announced by Australia, the USA, and the UK against Russian national Aleksandr Gennadievich Ermakov for his involvement in the Medibank ransomware attack. Ermakov, a member of the notorious REvil ransomware group, is believed to be responsible for the 2022 cyberattack on Medibank, a major Australian health insurer. The Medibank breach resulted in the theft and subsequent leak of sensitive data on approximately 10 million individuals, including personal and health information. Investigations identified Ermakov and his online aliases, presenting evidence of his role in the cybercrime. The coordinated sanctions signify a joint effort by the involved nations to deter cybercriminal activity and hold perpetrators accountable. Publicly exposing Ermakov's identity aims to disrupt his operations by removing the anonymity critical to cybercriminals. Financial sanctions could impede further illicit transactions, including ransomware payments, by criminalizing any transfer of assets to Ermakov. The collaborative international response reflects growing global intolerance of cybercriminals targeting critical infrastructure and personal data.
2024-01-23 21:57:40 bleepingcomputer CYBERCRIME Veolia North America's Water Services Disrupted by Ransomware Attack
Veolia North America, part of the global conglomerate Veolia, has experienced a ransomware attack affecting its Municipal Water division's systems and online bill payment services. The company took immediate defensive actions, temporarily disabling certain systems to prevent further impact and has since restored affected systems and servers. Customers' payments were not affected, and no penalties or interest will apply for late payments during the service disruption; water treatment and wastewater services continued without interruption. A limited number of individuals potentially had their personal information compromised; Veolia is collaborating with law enforcement and cybersecurity experts to evaluate the incident's ramifications. Veolia provides essential services across the U.S. and Canada, treating billions of gallons of water daily; the broader Veolia group serves millions worldwide with water and waste treatment. Similar ransomware attacks have targeted other water service providers, including Southern Water in the UK, prompting cybersecurity agencies to push for enhanced security measures in the water sector. Increasing cyber threats to water infrastructure have led to advisories by CISA and partner agencies, emphasizing the need for robust incident response plans to protect critical utilities.