Daily Brief


Total articles found: 11760


2024-01-12 12:10:20 thehackernews MISCELLANEOUS Holistic Cyber Resilience Through Breach and Attack Simulation
Breach and Attack Simulation (BAS) is crucial for testing and strengthening an organization's cybersecurity measures against real-world scenarios. Studies indicate cybersecurity defenses are often insufficient, with only a fraction of attacks being detected or triggering alerts, emphasizing the need for continuous security validation. BAS tools simulate various cyber threats, adapting to evolving tactics, techniques, and procedures (TTPs) to maintain preparedness against current and future security challenges. Regular BAS exercises provide valuable data, enabling organizations to prioritize responses to vulnerabilities, refine security controls, and implement better prevention and detection strategies. Integrating BAS into cybersecurity strategies involves tailoring simulations to the organization's specific threat landscape, scheduling consistent simulations, and applying insights to enhance security measures. Quantitative metrics should measure BAS impact on cybersecurity, assessing improvements in defensive capabilities and response efficiencies to fine-tune security measures continually. Picus Security pioneered BAS technology and continues to aid organizations in improving cyber resilience, providing insights into security postures and preparing defenses against sophisticated cyberattacks.
2024-01-12 11:29:13 theregister DATA BREACH HelloFresh Slapped with £140K Fine for Spamming Millions
HelloFresh has been fined £140,000 by Britain's data privacy watchdog for sending over 79 million unsolicited emails and over 1 million unsolicited texts. The Information Commissioner’s Office (ICO) determined that HelloFresh failed to obtain specific and informed consent for marketing messages, conflating email consents with age confirmation. Customers were not adequately informed that HelloFresh would use their data for marketing for up to two years post-subscription cancellation. The investigation covered the period from August 23, 2021, to February 23, 2022, revealing the mass distribution of unrequested messages. Despite requests from individuals for HelloFresh to stop sending them marketing communications, the company continued to do so. The ICO emphasized that it would take decisive action to protect consumer rights regarding the use of personal data for marketing. This fine contributes to a total of £2.44 million imposed on spammers by the ICO since the previous year.
2024-01-12 08:34:31 theregister CYBERCRIME Network Engineer Sabotages Company Network After Dismissal
A chief network engineer was suspected of accessing HR files without authorization. During a disciplinary meeting, it was advised that due to lost trust, dismissal was the only solution. While the engineer was being fired, his network access was revoked to prevent potential retaliation. A secret hot backup site was discovered in the engineer's apartment, made without company knowledge. Despite being fired, the engineer managed to throttle the company's network bandwidth, causing slow performance. The company considered the incident a lesson learned, taking no action against the whistle-blowing party or the former engineer. The situation underscores the importance of thorough system checks and the risks of disgruntled ex-employees.
2024-01-12 08:03:48 thehackernews MALWARE Cryptocurrency Miners Exploiting Apache Hadoop & Flink Misconfigurations
Cybersecurity researchers have unveiled a new attack targeting misconfigured Apache Hadoop and Flink systems to plant crypto miners. The malware incorporates packers and rootkits to stealthily operate, evading standard detection methods while disrupting specific system directories and configurations. Attackers exploit a YARN ResourceManager misconfiguration in Hadoop, allowing remote code execution via a crafted HTTP request. Similar vulnerabilities in Apache Flink are being exploited to execute code remotely without any needed authentication. The unique aspect of these attacks is their use of rootkits to obscure the crypto mining processes after initial system penetration. A detailed infection chain has been described, with malware designed to clear directories, download malicious payloads, and set up persistence through cron jobs. Recommendations include deploying agent-based security solutions that can detect crypto miners, rootkits, and other suspicious activities in runtime environments.
2024-01-12 07:27:59 theregister DATA BREACH Survey Reveals Drivers Concerned Over Car Data Privacy and Sharing
Most consumers at CES express discomfort with the sharing of their personal data by car manufacturers to third parties, with 72% unhappy about such practices. Only 28% of drivers are aware of the types of data their vehicles are collecting, potentially including highly sensitive personal information. Mozilla Foundation's report rates all 25 scrutinized automakers poorly in terms of privacy, indicating widespread data collection and potential selling. Despite privacy concerns, the majority of users still pair their phones with their vehicles, unwittingly increasing data exchange and surveillance risks. A staggering 87% of participants believe that they should have the right to demand automakers delete their data, reflecting a call for stronger privacy controls. Less than half of the respondents worry about the data collected by their vehicle's sensors and infotainment systems, signaling a gap in privacy awareness. Drivers appear willing to trade some level of privacy for vehicle personalization and insurance benefits, but most prefer an opt-in model for data sharing.
2024-01-12 06:36:53 thehackernews CYBERCRIME CISA Warns of Ongoing Attacks Exploiting SharePoint Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a critical vulnerability in Microsoft SharePoint Server, identified as CVE-2023-29357. This significant privilege escalation flaw, with a CVSS score of 9.8, could enable attackers to obtain administrator privileges. Patches for the vulnerability were released by Microsoft in its June 2023 Patch Tuesday updates. Security researcher Nguyễn Tiến Giang of StarLabs SG showcased an exploit utilizing this SharePoint flaw combined with another vulnerability to achieve a remote execution attack chain during the Pwn2Own contest. Crafting the exploit chain required nearly a year of research and has earned the researcher a $100,000 prize. The specific details surrounding the real-world exploitations and the identities of the actors leveraging CVE-2023-29357 remain undisclosed. CISA has urged federal agencies to apply the necessary patches by January 31, 2024, to mitigate the threat posed by the actively exploited vulnerability.
2024-01-11 22:03:41 bleepingcomputer DATA BREACH Framework's Accounting Firm Hit by Phishing, Customer Data Exposed
Framework Computer has announced a data breach after its accounting provider, Keating Consulting Group, was subject to a phishing attack. An accountant from the provider was deceived by a fraudulent email from someone pretending to be Framework's CEO, resulting in the leak of customer PII. The leaked customer information includes full names, email addresses, and account balances related to pre-orders and some past orders. Framework detected the breach shortly after and has notified all affected customers, warning them to be vigilant against potential phishing scams. The company has announced mandatory phishing and social engineering attack training for all Keating Consulting employees with access to customer data. Framework is also reviewing the training and procedures of all other finance consultants who have had access to customer information. Details on the total number of customers affected by the breach have not been publicly disclosed as of the time of the article.
2024-01-11 21:56:45 theregister CYBERCRIME eBay Settles for $3M Over Harassment of Critic Couple
eBay has agreed to pay $3 million to settle charges related to the harassment of Ina and David Steiner, critics of the company. The settlement follows the guilty pleas of six former eBay employees and a contractor who physically and electronically harassed the couple. The harassment campaign included sending disturbing deliveries and conducting surveillance on the Steiners. As part of the settlement, eBay is mandated to employ an independent compliance monitor and improve its compliance program for three years. The Steiners are also pursuing a separate private lawsuit against eBay for damages. eBay CEO Jamie Iannone issued an apology for the company's 2019 actions and indicated eBay's cooperation with law enforcement. Former eBay senior director Jim Baugh and others engaged in a series of actions to intimidate the Steiners, including sending them live cockroaches and posting their address online for sexual solicitations. Most of the individuals involved have been sentenced, with Baugh receiving a 57-month prison sentence and others receiving various sentences, including home confinement.
2024-01-11 21:56:44 bleepingcomputer CYBERCRIME Over 150K WordPress Sites Vulnerable to Plugin Exploits
Two critical vulnerabilities in the POST SMTP Mailer/Email Log WordPress plugin could allow attackers to take over websites. The flaws were discovered by Wordfence researchers last month and reported to the plugin vendor. The first vulnerability (CVE-2023-6875) is an authorization bypass that can let an unauthenticated attacker reset the API key and access sensitive log data. The second issue (CVE-2023-7027) is an XSS flaw permitting the injection of arbitrary scripts into affected websites. The plugin's vendor released version 2.8.8 on January 1, 2024, with security fixes for both vulnerabilities. Despite the patch, around 150,000 WordPress sites using outdated versions of the plugin remain at risk of exploitation. The majority of sites have not updated to the patched 2.8.8 version, leaving a large number still vulnerable to attacks.
2024-01-11 20:30:00 bleepingcomputer DATA BREACH Halara Clothing Brand Hit by Data Breach Affecting 950,000 Customers
Halara, an athleisure brand popularized via TikTok, confirms a possible data breach after a hacker released customer data online. The hacker, known as 'Sanggiero,' posted a file with personal details of nearly 950,000 individuals on a hacking forum and Telegram. Although the data claims to represent 1 million rows, the actual count is 941,910 records, including names, phone numbers, and addresses. BleepingComputer verified that multiple records in the leaked file are accurate by contacting individuals who confirmed they are Halara customers. The hacker alleges the data was obtained through an API vulnerability on Halara's website, which reportedly remains unfixed. Sanggiero chose to distribute the data for free, believing it had limited value in the criminal marketplace. The breach raises concerns about possible smishing attacks targeting affected customers, as well as the broader risk of account theft and fraudulent transactions on retail platforms.
2024-01-11 19:23:30 bleepingcomputer MISCELLANEOUS Bitwarden Introduces Passkey Support for Enhanced Security
Bitwarden, the open-source password manager, now allows users to access their web vaults with passkeys instead of traditional username and password combinations. Passkeys offer increased security as they are resistant to phishing attempts and do not require a master password, email, or two-factor authentication. The passkey feature is in beta and utilizes the PRF WebAuthn extension for user authentication and secure data encryption and decryption. With PRF WebAuthn, a unique, fixed value can be derived from a passkey for reliable data encryption without storing keys on hardware. Bitwarden’s blog gives a detailed overview of the PRF extension and its application in creating symmetric encryption keys. A new video guide demonstrates how to generate and use passkeys within the Bitwarden platform, with a limit of five passkeys per user during the beta period. The passkey feature is initially available on Chromium-based browsers supporting PRF WebAuthn, with plans to expand to additional clients.
2024-01-11 18:37:35 bleepingcomputer CYBERCRIME Microsoft Releases Fix for BitLocker Encryption Bypass Vulnerability
Microsoft has issued a PowerShell script to facilitate updating the Windows Recovery Environment (WinRE) to patch a BitLocker encryption bypass flaw identified as CVE-2024-20666. The vulnerability, which could allow attackers to access encrypted data, was initially addressed in the recent KB5034441 security update during Patch Tuesday. Users reported installation issues with the KB5034441 update, receiving error messages instead of the expected notification of insufficient disk space on the WinRE partition. Microsoft's PowerShell script enables administrators to update the WinRE partition and apply the necessary patch without manual resizing, thus mitigating the BitLocker vulnerability. The script operates by mounting the WinRE image, applying an update, unmounting the image, and reconfiguring WinRE to work with BitLocker if a TPM protector is present. It's recommended to use Microsoft's Show or Hide Tool after running the script to prevent Windows Update from repeatedly attempting to install the problematic security update. Although manually resizing the WinRE partition is an option, Microsoft advises backing up data beforehand due to the risk of potential damage to system partitions.
2024-01-11 17:46:23 bleepingcomputer MALWARE Over 6,700 WordPress Sites Compromised by Balada Injector Malware
A malware campaign using Balada Injector has infected more than 6,700 WordPress websites by exploiting a vulnerability in the Popup Builder plugin. The campaign started in mid-December, shortly after the discovery of a cross-site scripting (XSS) flaw within the plugin, affecting over 200,000 sites. Attackers inject a backdoor that redirects visitors of compromised sites to fake support pages and lottery or notification scam sites. Sucuri's research indicated that attackers used two methods for infection: hijacking an event in Popup Builder and modifying the wp-blog-header.php file. The main backdoor, disguised as a 'wp-felody.php' plugin, allows attackers to execute arbitrary PHP code, upload and execute files, and fetch additional payloads. Attack patterns and domain registration analysis suggest an effort to conceal the true origins of the attack, including the use of Cloudflare firewalls. Security experts recommend that WordPress site admins update their themes and plugins, remove unsupported products, and minimize the number of active plugins to reduce the risk of such breaches.
2024-01-11 17:05:32 theregister CYBERCRIME Mandiant Hit by Brute-Force Attack Amid 2FA Policy Change Confusion
Mandiant's account was compromised due to a likely brute-force attack, exploiting a gap created by an unsettled two-factor authentication (2FA) policy. The incident was exacerbated by the absence of adequate 2FA protection, potentially linked to policy changes that removed SMS-based 2FA for non-paying users. Despite the breach, there was no indication of a compromise of Mandiant or Google Cloud's internal systems. The situation brings to light the low adoption rate of 2FA among users and the heightened efficacy of even the least-secure 2FA methods compared to none. The compromised account was used to push a cryptocurrency scam involving the CLICKSINK drainer-as-a-service, which has cashed in $900 million since December 2023. The CLICKSINK campaign lured victims through phishing pages promising free crypto tokens, then drained their assets after they signed transactions. Mandiant, now alert to the rising trend of such cybercrimes, anticipates continued attacks by financially motivated threat actors due to the low cost and high rewards of draining operations.
2024-01-11 15:38:34 thehackernews MALWARE Misuse of GitHub by Malicious Actors for Cyber Attacks
GitHub has become a target for threat actors to host and deliver malicious payloads due to its common use in IT environments. By leveraging GitHub's services, adversaries manage to blend in with legitimate traffic, avoiding detection and complicating attribution efforts. Recorded Future's report highlights the use of GitHub for payload delivery, command-and-control obfuscation, and dead drop resolvers. Rare instances have been noted where GitHub is used for full-fledged C2 implementations or data exfiltration, the latter being less common due to practical limitations. Beyond these uses, GitHub Pages and repositories are also exploited for phishing, traffic redirection, and as backup C2 channels. The report addresses the broader issue of legitimate services such as Google Drive and Microsoft OneDrive being misused by cybercriminals. Recorded Future acknowledges the challenge in detecting GitHub abuse and suggests that a blend of strategies tailored to the specifics of an environment is necessary for effective prevention.