Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-12 08:25:50 | theregister | MISCELLANEOUS | BlackBerry Abandons Split, Restructures as Two Divisions | BlackBerry has scrapped its plan to divide the company into two separate entities, choosing instead to restructure as two independent divisions focused on cybersecurity and IoT. The decision followed a strategic review called Project Imperium, which initially recommended splitting the IoT and cybersecurity units. The company aims to streamline its corporate functions, ensuring each business unit operates independently, profitably, and with positive cash flow. John J. Giamatteo, who has led BlackBerry's cybersecurity business since 2021, has been appointed as the new CEO, succeeding the retired John Chen. Giamatteo expressed commitment to unlocking BlackBerry's value, hinting at aggressive steps including cost-cutting measures. BlackBerry is in the process of hiring a consulting firm to provide expertise for the separation and rightsizing initiative. | Details |
| 2023-12-12 06:48:29 | thehackernews | CYBERCRIME | Apple Issues Patches for Critical Security Flaws Across Platforms | Apple has released security updates addressing multiple vulnerabilities across iOS, iPadOS, macOS, tvOS, watchOS, and the Safari browser. The updates include fixes for 12 security issues on iOS and iPadOS, and 39 on macOS, including a severe security flaw (CVE-2023-45866) that allowed keystroke injection. Two zero-day vulnerabilities, previously disclosed and actively exploited, have been patched in the latest iOS 16.7.3 and iPadOS 16.7.3 releases. The Safari 17.2 update addresses two WebKit flaws that could lead to code execution and DoS attacks for users on macOS Monterey and macOS Ventura. The iOS and iPadOS updates also introduce iMessage Contact Key Verification to enhance privacy and security in message communications. There is a lack of detailed information on the exploitation of the security flaws and the threat actors involved. | Details |
| 2023-12-12 06:32:55 | theregister | MISCELLANEOUS | Interpol Cracks Down on Human Trafficking Cyber Scam Rings | Interpol's Operation Turquesa V targeted human traffickers forcing victims into cyber scam operations. Over 850,000 checks were conducted in 33 countries, leading to 257 arrests and about 12,000 stops of "irregular migrants." Notably, 163 potential victims were rescued from forced labor conditions, including over 100 Brazilians lured with fake cryptocurrency jobs. The operation discovered major human trafficking hubs in South America and the Middle East, expanding from previous hotspots in Southeast Asia. Federal police in Cambodia froze $286,000 in proceeds from criminal groups operating scam centers. Real-time checks against global databases of facial and fingerprint scans were enabled by Interpol-issued mobile devices at key transit points. China emerged as the third most prevalent country of origin for migrants involved in this trafficking corridor. Dozens of minors, trafficked for sexual exploitation, were rescued, highlighting the widespread abuse by organized crime groups. | Details |
| 2023-12-12 05:26:39 | thehackernews | MALWARE | Critical Remote Code Execution Vulnerability in Apache Struts | Apache Struts 2, a popular open-source web application framework, has a critical remote code execution vulnerability identified as CVE-2023-50164. The flaw exists due to improper "file upload logic," allowing unauthorized path traversal and the potential to upload and execute a malicious file. Steven Seeley of Source Incite reported this vulnerability, which affects Struts 2 versions prior to 2.5.33 and 6.3.0.2. The Apache Software Foundation has released patches for the vulnerability, and there are no alternative workarounds to fix the issue. Developers using Struts 2 are strongly advised to apply the patch immediately, as the upgrade process is touted as a "drop-in replacement" and should be straightforward. While there are no reports of this vulnerability being exploited in the wild, similar past vulnerabilities have led to significant breaches, such as the Equifax incident in 2017. | Details |
| 2023-12-12 01:46:57 | theregister | NATION STATE ACTIVITY | Proposed Surveillance Expansion in US Targets Broader Business Sector | The US Congress is considering two bills for reauthorizing Section 702 of the FISA, which enables warrantless surveillance of foreign communications. The FISA Reform and Reauthorization Act (HR 6611) may expand the definition of a service provider, compelling more businesses to facilitate government surveillance. Critics argue this could apply to a vast array of entities, including hotels, cafes with Wi-Fi, and even technicians and cleaning services. Civil rights advocates support an alternative bill, HR 6570, which includes strong civil liberties protections. A FISA Court opinion revealed attempts by the government to stretch current service provider definitions for surveillance purposes. The FRRA exempts members of Congress from such surveillance, only requiring FBI consent for access to their communications. Privacy advocates, including the Electronic Frontier Foundation and legal experts, urge citizens to oppose the FRRA and support HR 6570 for better privacy safeguards. | Details |
| 2023-12-11 22:48:45 | bleepingcomputer | CYBERCRIME | Critical Vulnerability in WordPress Plugin Endangers 50K Sites | A critical vulnerability was discovered in the WordPress plugin Backup Migration, affecting over 90,000 installations. The flaw, identified as CVE-2023-6553 with a severity score of 9.8/10, allows for remote code execution and full website compromise. The bug was reported by Nex Team to Wordfence and can be exploited without user interaction due to a PHP code injection capability. Backup Migration versions up to 1.3.6 are impacted; however, a patch was released shortly after discovery. Despite the availability of a patched version (Backup Migration 1.3.8), approximately 50,000 websites remain unsecured. Website administrators are urged to update their plugin to mitigate the risk of exploitation by unauthenticated attackers. In addition to this vulnerability, a phishing campaign targeting WordPress admins with fake security advisories has been reported. | Details |
| 2023-12-11 21:27:03 | bleepingcomputer | MALWARE | Lazarus Group Utilizes Log4j Flaw to Deploy New RAT Malware | The North Korean hacking group Lazarus exploits the Log4Shell vulnerability to deploy new malware, including two remote access trojans (RATs) and a downloader, targeting multiple industries internationally. Cisco Talos labels the campaign "Operation Blacksmith," observing its commencement around March 2023 with attacks on manufacturing, agricultural, and physical security companies. The D programming language is used to create the new malware, likely to avoid detection, marking a strategic shift in Lazarus Group's cyber offensive tactics. NineRAT, one of the RATs, uses the Telegram API for command and control operations, while DLRAT collects system information and accepts remote commands for payload delivery. BottomLoader, the malware downloader, establishes persistence and retrieves payloads using PowerShell, modifying the startup directory to maintain long-term access. The attack process begins with exploiting vulnerable VMware Horizon servers via Log4Shell, after which Lazarus conducts reconnaissance and maintains presence via proxy tools and credential theft utilities like ProcDump and Mimikatz. The findings by Cisco Talos suggest Lazarus might share data with other APT groups, indicating a broad and collaborative approach to cyber espionage and threat activities. | Details |
| 2023-12-11 20:10:18 | bleepingcomputer | CYBERCRIME | Valve Patches Counter-Strike 2 Bug Exposing Player IP Addresses | Valve addressed an HTML injection vulnerability in Counter-Strike 2, which was exploited to reveal player IP addresses. The bug allowed attackers to inject images into the game's kick voting panel, although it was initially believed to be a Cross Site Scripting (XSS) issue. The Panorama UI in Counter-Strike 2, which uses HTML, CSS, and JavaScript, had input fields that didn't sanitize HTML, allowing images with IP logger scripts. The IP addresses collected through the vulnerability could potentially be used for DDoS attacks on the affected players. Valve swiftly deployed a 7MB patch preventing HTML from being rendered, converting it instead to plaintext. There has been no official confirmation from Valve post-patch deployment as to the complete resolution of the issue. A previous but more severe bug in 2019 in the Counter-Strike: Global Offensive Panorama UI also involved HTML injection but allowed remote execution of JavaScript commands. | Details |
| 2023-12-11 20:04:57 | theregister | DATA BREACH | Norton Healthcare Suffers Massive Ransomware Data Breach | Norton Healthcare, with multiple hospitals and clinics, was hit by a ransomware attack in May. Attackers may have accessed sensitive data of 2.5 million people, including Social Security Numbers, financial accounts, and health information. Unauthorized access occurred between May 7 and May 9, but medical record systems were reportedly not compromised. The FBI was notified, and no ransom payment was made to the attackers, known as ALPHV/BlackCat, who took credit for the breach. The healthcare system is enhancing network security safeguards in response to the incident. US hospitals have been facing a surge in ransomware attacks, with significant impacts on healthcare services and patient safety. The U.S. Department of Health and Human Services reported significant increases in data breaches and ransomware incidents in recent years. | Details |
| 2023-12-11 19:28:53 | bleepingcomputer | CYBERCRIME | Apple Rolls Out Fixes for Actively Exploited iPhone Zero-Days | Apple has released emergency security updates to address two zero-day vulnerabilities that have been exploited in the wild. The flaws, known as CVE-2023-42916 and CVE-2023-42917, affect older iPhone models, some Apple Watches, and Apple TV units. These vulnerabilities exist within the WebKit browser engine, risking sensitive data exposure and allowing for arbitrary code execution via malicious web pages. Enhanced input validation and improved memory handling have been implemented in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 to counteract these security issues. Google's Threat Analysis Group (TAG) security researcher Clément Lecigne discovered and reported these critical vulnerabilities. Although specific details on the exploitation incidents haven't been disclosed by Apple, such vulnerabilities are often used in high-profile state-sponsored cyber-espionage. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated Federal Civilian Executive Branch (FCEB) agencies to patch against these threats due to evidence of active exploitation. Apple has addressed a total of 20 zero-day vulnerabilities that have been used in cyberattacks since the beginning of the year. | Details |
| 2023-12-11 18:12:26 | theregister | NATION STATE ACTIVITY | Lazarus Group's Operation Blacksmith Utilizes DLang Malware | Lazarus Group, a North Korean state-sponsored cyber unit, has been using novel malware strains programmed in DLang, a memory-safe language. These attacks, part of "Operation Blacksmith," have targeted industries like manufacturing, agriculture, and physical security. Three new DLang-based malware strains have been deployed, exploiting vulnerabilities like CVE-2021-44228 in Log4j and widely affecting VMware Horizon servers. The RAT malware named NineRAT was discovered to use Telegram bots for command and control, evading detection from typical network defenses. Operation Blacksmith involved long-term cyber espionage campaigns, but Lazarus Group has also engaged in ransomware attacks. The shift towards memory-safe programming languages like Rust and DLang is consistent with broader trends in malware development. This strategic move provides attackers with more reliable tools while mitigating risks associated with memory corruption vulnerabilities. | Details |
| 2023-12-11 17:51:36 | bleepingcomputer | DATA BREACH | Cold Storage Leader Americold Hit by Ransomware, Personal Data Stolen | Americold, a global cold storage company, has acknowledged a significant data breach affecting over 129,000 individuals, including employees and their dependents. The breach, which occurred in April and was claimed by the Cactus ransomware group, forced Americold to halt its IT network, impacting operations internationally. Americold's clients were instructed to halt inbound deliveries and adjust outbound shipments in response to the network compromise. Comprehensive data analysis revealed the theft of personal data, such as Social Security numbers, financial account information, and health insurance details. This breach is the second cyber incident Americold has faced; the first incident in November 2020 also disrupted their operations significantly. Cactus ransomware, which claimed responsibility for the April attack, has threatened to release more stolen data, indicating the attack was part of a double-extortion scheme. Americold has yet to make a public statement concerning the breach as of the time of the report. | Details |
| 2023-12-11 15:34:10 | bleepingcomputer | DATA BREACH | Toyota Financial Services Hit by Data Breach, Customer Info Leaked | Toyota Financial Services experienced a data breach in which personal and financial data of customers was exposed. The breach was identified following a ransomware group's claim of compromising Toyota systems in Europe and Africa. Medusa ransomware demanded an $8 million ransom, threatening to leak data unless paid within ten days. Toyota Kreditbank GmbH in Germany acknowledged unauthorized access to customer data, with the potential for phishing and identity theft. Toyota responded to the incident by taking affected systems offline, impacting customer service functionality. Although the full extent of the breach is not yet known, exposed data includes names, birth dates, and payment information. Toyota has committed to keeping customers updated as the internal investigation progresses and more information becomes available. There has been no comment regarding the total number of customers affected or whether Toyota intends to pay the ransom. | Details |
| 2023-12-11 15:03:09 | theregister | CYBERCRIME | Widespread Inertia Leaves One in Four Apps Exposed to Log4Shell | Two years after the Log4Shell vulnerability was revealed, about 25% of applications remain susceptible due to outdated Log4j libraries. Research by Veracode found many apps have never updated Log4j, with 32% using versions before the 2015 end-of-life (EOL). Despite the risks, 79% of developers don't update third-party libraries post-integration, contributing to the current security lapse. Log4Shell remains a threat with nearly 35% of apps vulnerable, and in total, 40% are at risk of high- or critical-rated remote code execution flaws. Even post-patch efforts demonstrate a reversion to neglecting library updates, as only a minority of developers maintain their software with the latest security patches. A significant volume of Log4j downloads, about 26%, still contain vulnerable versions, showing ongoing security risk management issues. The initial response to Log4Shell was swift, mitigating some potential damage, yet long-term maintenance and patching habits lag behind, leaving applications vulnerable. | Details |
| 2023-12-11 14:32:21 | bleepingcomputer | CYBERCRIME | Alleged Leader of 'Kelvin Security' Hacking Group Arrested in Spain | Spanish police apprehended a Venezuelan national believed to be a leader within 'Kelvin Security', a hacking collective linked to 300 cyberattacks globally. The arrest follows a lengthy inquiry into Kelvin Security's activities, with cyberattacks targeting critical infrastructure and government institutions in multiple countries. The group is known for breaching public systems, stealing confidential data, and trading it on platforms like RaidForums and BreachForums. High-profile breaches include attacks on Vodafone Italia and the U.S. firm Frost & Sullivan, with compromised data offered for sale on hacker forums. Kelvin Security's operations were recently tied to ARES, which trades databases stolen from state organizations. Post-arrest investigations aim to unveil more about the group's network, using seized electronic devices to trace co-conspirators and data buyers. The Spanish National Police's intensive multi-unit operation against cybercrime underscores the complexity of tracking and prosecuting international cybercriminals. | Details |