Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-06 13:49:30 | thehackernews | CYBERCRIME | How Hackers Exploit AWS Tokens to Infiltrate Cloud Accounts | AWS Security Token Service (STS) issues temporary, limited-privilege credentials; when those credentials are stolen, threat actors can use them to gain unauthorized access to the cloud account.
Malware, exposed credentials, and phishing can result in stolen IAM tokens, enabling attackers to determine associated roles and privileges.
Attackers might create new IAM users with long-term tokens, ensuring their access persists even after revocation of their initial tokens.
Even short-term STS tokens obtained through an MFA-authenticated session can be abused to mint further tokens (role chaining) and to carry out malicious activity such as data exfiltration.
Recommendations to mitigate AWS token abuse include logging CloudTrail events, detecting abnormal role-chaining, and rotating IAM user keys.
While AWS STS enhances security by limiting credential use, misconfigurations in IAM can lead to adversaries leveraging STS tokens for access and malicious operations. | Details |
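The two detections the article recommends, abnormal role chaining and persistence created from a temporary session, can be expressed directly over CloudTrail records. The following is an added example, not code from the article or from AWS; the events are constructed samples, the account ID is AWS's documentation placeholder, and the set of "persistence" IAM actions is this example's own choice. The key-prefix distinction it relies on (AKIA for long-term IAM user keys, ASIA for STS temporary credentials) is AWS-documented.

```python
"""Flag risky STS usage in CloudTrail records: role chaining and persistence
created from a temporary session. The events below are constructed samples."""

LONG_TERM_PREFIX = "AKIA"   # IAM user access key IDs (long-lived)
TEMPORARY_PREFIX = "ASIA"   # STS temporary credentials

# IAM write actions that give an intruder durable access beyond the stolen token
# (this list is an assumption of the example; extend it to match your environment).
PERSISTENCE_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy"}


def credential_kind(access_key_id):
    """Classify a CloudTrail accessKeyId by its AWS-documented prefix."""
    if access_key_id.startswith(TEMPORARY_PREFIX):
        return "temporary"
    if access_key_id.startswith(LONG_TERM_PREFIX):
        return "long-term"
    return "unknown"


def analyze(records):
    """Return (finding_type, actor_arn, detail) tuples for suspicious records."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        kind = credential_kind(ident.get("accessKeyId", ""))
        src, name = rec.get("eventSource"), rec.get("eventName")
        # Role chaining: a session that is itself an assumed role calls sts:AssumeRole again.
        if src == "sts.amazonaws.com" and name == "AssumeRole" and ident.get("type") == "AssumedRole":
            target = rec.get("requestParameters", {}).get("roleArn", "?")
            findings.append(("role-chaining", ident.get("arn"), target))
        # Persistence: temporary credentials minting long-term IAM user access.
        if src == "iam.amazonaws.com" and name in PERSISTENCE_ACTIONS and kind == "temporary":
            findings.append(("persistence-from-temp-session", ident.get("arn"), name))
    return findings


# Constructed sample events (trimmed to the fields the detections use).
SAMPLE_EVENTS = [
    # Expected: an IAM user assumes a role with a long-term key.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/CI"}},
    # Suspicious: the CI role session assumes yet another role.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/CI/build-42",
                      "accessKeyId": "ASIAEXAMPLE000000002"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"}},
    # Suspicious: the chained session creates a long-term access key for a user.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/build-42",
                      "accessKeyId": "ASIAEXAMPLE000000003"},
     "requestParameters": {"userName": "svc-backup"}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Role chaining is legitimate in some deployment pipelines, so baseline which role pairs normally chain before alerting on every hit; the persistence rule is the higher-confidence signal, since a temporary session creating long-lived IAM credentials is exactly the "outlive the revocation" move the article describes.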
| 2023-12-06 11:47:07 | thehackernews | MALWARE | The Increasing Threat of Malicious Browser Extensions | Malicious browser extensions are becoming a prevalent form of cyber threat, with high user adoption rates and potential for serious privacy and security breaches.
Extensions can turn malicious either by design or when attackers compromise legitimate ones, as seen in the DataSpii and Nigelthorn malware incidents.
These malicious extensions fall into three categories: Initially Malicious, Compromised, and Risky (due to excessive permissions).
Methods of extension installation include Admin Installation, Normal Installation, Developer Installation, and the least secure, Sideload Installation.
81% of extensions are installed from official browser stores by users themselves, emphasizing the need for awareness and caution in selecting extensions.
To combat this threat, organizations must weigh the necessity of extensions against their security risks and properly vet the security of those adopted by employees.
A report by LayerX, "Unveiling the Threat of Malicious Browser Extensions," covers the threat landscape and makes recommendations for mitigation, crucial for security and IT professionals. | Details |
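The "Risky" category above is defined by excessive permissions, which is something an IT team can check before approving an extension by reading its manifest.json. The following is an added example, not code from the LayerX report or from any browser vendor: it triages a manifest for broad host access and sensitive API permissions. The permission names are real Chrome extension permissions, but the choice of which ones count as high or medium risk, and the numeric weights, are this example's own assumptions; the two manifests are constructed.

```python
"""Triage a browser extension's manifest.json for excessive permissions.
Risk tiers and weights are this example's assumptions, not a vendor standard."""

# Permissions that let an extension read or alter most of what the user does.
HIGH_RISK = {"webRequest", "webRequestBlocking", "debugger", "cookies", "history",
             "proxy", "nativeMessaging", "management", "scripting"}
MEDIUM_RISK = {"tabs", "downloads", "clipboardRead", "bookmarks", "webNavigation"}


def _host_is_broad(pattern):
    """True for match patterns covering every host: <all_urls>, *://*/*, https://*/*."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")


def triage(manifest):
    """Return (score, findings); findings are (level, description) tuples."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))        # Manifest V3 field
    # Manifest V2 mixed host patterns into "permissions"; treat URL-like entries as hosts.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts

    findings = []
    broad = sorted(h for h in hosts if _host_is_broad(h))
    if broad:
        findings.append(("high", "broad host access: " + ", ".join(broad)))
    for p in sorted(perms & HIGH_RISK):
        findings.append(("high", p))
    for p in sorted(perms & MEDIUM_RISK):
        findings.append(("medium", p))
    for script in manifest.get("content_scripts", []):
        if any(_host_is_broad(m) for m in script.get("matches", [])):
            findings.append(("high", "content script injected into all sites"))
    score = sum(3 if level == "high" else 1 for level, _ in findings)
    return score, findings


# Constructed manifests for comparison.
SUSPICIOUS = {
    "manifest_version": 3, "name": "Coupon Finder",
    "permissions": ["storage", "cookies", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
BENIGN = {
    "manifest_version": 3, "name": "Example Timesheet Helper",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        score, findings = triage(m)
        print(m["name"], score, findings)
```

A coupon or productivity extension asking for cookies, scripting and all-site host access is the pattern the report's "Risky" bucket describes; the score only ranks candidates for manual review, it is not a verdict.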
| 2023-12-06 11:26:20 | thehackernews | CYBERCRIME | Sierra Wireless Routers Vulnerable to Severe Cybersecurity Threats | Twenty-one security vulnerabilities, collectively named Sierra:21, have been identified in Sierra Wireless AirLink cellular routers and open-source components they use, affecting critical sectors.
Approximately 86,000 devices could be at risk, predominantly in the U.S., Canada, Australia, France, and Thailand, impacting sectors such as energy and healthcare.
Attackers could exploit these vulnerabilities to steal credentials, control routers, launch attacks, and gain initial access to critical networks.
Flaws are of varying severity, with the potential for remote code execution, denial-of-service attacks, and unauthorized access.
Vulnerable routers could be harnessed by botnets for automatic spreading, C2 communication, and DDoS attacks.
Patches have been released for most issues; however, the TinyXML component is not actively maintained, requiring vendors to address the problems.
The vulnerabilities could enable attacks leading to network disruption, espionage, and further malicious activities in critical infrastructure. | Details |
| 2023-12-06 11:11:58 | theregister | NATION STATE ACTIVITY | UK Rejects Claims of Foreign Hack on Nuclear Plant | The UK government has dismissed allegations that the Sellafield nuclear complex has been infiltrated by malware linked to Russia and China since at least 2015.
The Guardian reported that "sleeper malware" might have compromised information regarding the movement of nuclear materials and safety measures.
The UK government refuted the claims, expressing confidence in their protective monitoring systems and stating there is no evidence of such malware within their network.
Government statements assert that critical networks are segregated, aiming to reassure that IT system breaches would not impact operational safety networks.
Questions arise regarding the isolation of systems, as the government's response did not address the successful Stuxnet attack on Iranian facilities, which bypassed network isolation.
The Office for Nuclear Regulation (ONR) has noted the need for improvements in cybersecurity at Sellafield Ltd., though it claims there is no current threat to public safety.
The ONR has placed Sellafield Ltd. under increased scrutiny due to not meeting specific cybersecurity standards, and some issues are currently under investigation. | Details |
| 2023-12-06 11:11:58 | theregister | MISCELLANEOUS | UK Regulator Outlines Stringent Online Age Verification Rules | The UK communications regulator, Ofcom, has published proposals for age verification as part of the Online Safety Act to protect children from inappropriate online content.
Methods suggested for age checks include credit card checks, facial age estimation, and photo ID matching, raising significant privacy concerns.
Service providers may face challenges balancing the implementation of these checks with adhering to privacy regulations.
Prior age verification proposals were criticized for potentially creating large repositories of personal data vulnerable to breaches.
Ofcom's proposals demand robust methods for age verification, rejecting simpler measures such as self-declaration of age by users.
These rules will apply to online services targeting the UK market or those with a "significant number" of UK users, though the criteria for "significant number" remain undefined.
The regulator is advising against directing users to VPN information or links, as this could encourage exploration of technology that poses its own risks.
Final guidance is expected in early 2025, after which Ofcom, as the regulator, will enforce the rules. | Details |
| 2023-12-06 11:11:58 | theregister | DATA BREACH | BlackCat Ransomware Group Targets Tipalti and Client Data | The AlphV/BlackCat ransomware group has allegedly breached accounting software firm Tipalti's systems, claiming to have stolen over 265GB of data.
BlackCat is threatening to directly extort Tipalti's clients, including high-profile companies like Roblox and Twitch, due to an estimated low probability of receiving a payoff from Tipalti themselves.
The ransomware group has threatened to release stolen data slowly over months to maximize reputational damage to the victim companies.
Tipalti is actively investigating the ransomware group's claims and asserts strong security measures are in place within their systems.
Security experts note that ransomware groups are testing new negotiation tactics, emphasizing the need for organizations to prepare defenses not only for their data but also for their supply chains and partnerships.
Despite outreach to many of Tipalti's high-profile clients listed on their website, such as Discord, Canva, GoDaddy, and Twitter/X, most have not responded with comments regarding the incident. | Details |
| 2023-12-06 11:11:58 | theregister | MISCELLANEOUS | Debunking Data Security Posture Management (DSPM) Myths | DSPM provides insight into locating sensitive data, access permissions, usage, and security configurations, emphasizing the importance of protecting data at its source.
The concept of DSPM isn't new; it's a data-centric approach that Varonis has advocated for years, though it's recently been formalized with a specific term.
The scope of DSPM extends beyond cloud infrastructure and DevOps, covering data stored in SaaS applications, on-premises, in development environments, and throughout its lifecycle.
Discovery is only the initial stage of DSPM; it leads to informed decision-making on security policy and risk reduction, not just identifying data storage.
In-depth visibility into data platforms and applications is necessary for effective risk measurement and the establishment of actionable security controls.
Workflows and automations play a critical role in fixing data security issues, but they must address root causes and scale with data growth, not just symptoms.
Varonis emphasizes the significance of a reliable DSPM solution to protect data across all storage environments, including cloud, on-prem, and SaaS repositories.
The Varonis DSPM dashboard and platform offer risk assessment, remediation policies, least privilege automation, user identity monitoring, and proactive incident response for robust data security management. | Details |
| 2023-12-06 11:11:58 | theregister | CYBERCRIME | CISA Reports Exploitation of Unpatched ColdFusion on Federal Servers | The Cybersecurity and Infrastructure Security Agency (CISA) disclosed twin cyberattacks on federal agency servers due to an unpatched Adobe ColdFusion flaw.
Both servers were compromised several months after CISA had set a deadline for fixing the critical ColdFusion vulnerability, CVE-2023-26360.
The first attack involved gaining access using the CVE, dropping a remote access trojan, and performing reconnaissance but was thwarted in later stages.
The second attack also began with exploitation of the CVE, followed by system scanning and the insertion of code intended to obtain credentials; that attempt failed because the method did not work against the newer ColdFusion version running on the server.
Despite the failed attempts to exfiltrate data and decrypt passwords, the incidents raised concerns over the delayed patching of known vulnerabilities.
CISA could not provide details on whether the servers are now secure, who was responsible for the attack, or any potential links between the two incidents.
The agency recommends vigilance and timely updates to prevent such exploitations, stressing the importance of adhering to advised deadlines for patching vulnerabilities. | Details |
| 2023-12-06 11:11:58 | theregister | NATION STATE ACTIVITY | Fancy Bear Phishing Campaign Hits Western Security Sectors | Fancy Bear, associated with Russia's GRU, is targeting US and European government, defense, and aerospace networks through phishing campaigns.
Microsoft identified vulnerabilities CVE-2023-23397 (Outlook) and CVE-2023-38831 (WinRAR) that were being exploited by the adversary.
Polish Cyber Command observed that the attackers altered mailbox folder permissions on compromised email accounts so that high-value information remained readable to them even after they lost direct access.
Proofpoint detected over 10,000 phishing emails from Fancy Bear primarily targeting the defense, aerospace, technology, government, and manufacturing industries.
Fancy Bear utilized compromised routers for their attacks and occasional campaigns were noted against higher education, construction, and consulting sectors.
Despite patches for the vulnerabilities, ineffective update implementation has left networks susceptible to the attacks.
Security professionals predict continued exploitation of these vulnerabilities by Fancy Bear and recommend thorough patching and defense measures. | Details |
| 2023-12-06 11:11:58 | theregister | CYBERCRIME | Cisco Unveils AI to Boost Firewall Security; Alerts on Cost | Cisco introduces an AI Assistant for Firewall Policy to improve network security by analyzing and suggesting firewall rule optimizations.
The AI tool can assess and recommend changes to policies, identify duplicates or inefficient rules, and enhance the response to security threats.
Cisco acknowledges the growing importance of AI in cybersecurity, shifting focus from just defense and response to predicting attacker behavior.
Jeetu Patel, Cisco's EVP for security, foresees challenges for point solution providers as AI integration demands high-level platform understanding across multiple security alerts.
While the AI Assistant is currently in preview, Cisco is also integrating AI to detect malware activity within encrypted traffic.
Cisco warns that the advanced AI services will be monetized as they incur computational costs, though no pricing details have been released as of yet.
Patel emphasizes that while there will be a cost associated with AI security services, it should not deter broad usage and adoption among end users. | Details |
| 2023-12-06 11:11:58 | theregister | MISCELLANEOUS | Microsoft Extends Windows 10 Security Support for a Fee | Microsoft announced the end of full security support for Windows 10 will be on October 14, 2025.
Customers reluctant to upgrade can purchase Extended Security Updates (ESU) for three additional years.
ESU will provide critical and important security updates but exclude patches for lesser flaws or new features.
The pricing for the Windows 10 ESU program has not been disclosed but is expected to be similar to the Windows 7 ESU costs.
Under the Windows 7 program, Enterprise devices were charged half the per-device price of Pro devices, a split Windows Enterprise customers can expect to carry over.
Microsoft is promoting its cloud-based service, Windows 365, for access to Windows 11 on Windows 10 PCs, which includes Windows 10 ESU at no extra charge.
The US Public Interest Research Group praised the move for potentially reducing electronic waste by prolonging the life of existing computers.
Details on the ESU program's availability for individual consumers are yet to be provided, with a future update promised by Microsoft. | Details |
| 2023-12-06 11:11:58 | theregister | CYBERCRIME | Atlassian Warns of Critical Vulnerabilities Amid Advisory Glitches | Atlassian issued an email advisory about four critical vulnerabilities across several products, including Bitbucket, Confluence, and Jira.
The email contained incorrect links, which initially led to a 'Page Not Found' error, delaying access to vital security information.
Affected links were later redirected to the correct pages following realization of the error by Atlassian.
The vulnerabilities are rated 9.0 or higher on the CVSS scale and allow remote code execution, posing a severe security risk.
Customers are advised to upgrade their Atlassian products to the latest fixed versions to mitigate the threat immediately.
Atlassian has publicly recognized the email error and issued an apology for any inconvenience caused to customers. | Details |
| 2023-12-06 11:11:58 | theregister | MISCELLANEOUS | Ensuring AI Data Security with Confidential Computing Solutions | The protection of mission-critical data, applications, and workloads is essential for businesses to avoid the disastrous consequences of security disruptions.
The rise of AI magnifies the cybersecurity challenge, as sensitive and personal data, such as financial transactions and health records, are at risk of being targeted.
To secure AI data while leaving models free to operate, adopting confidential computing is crucial: it protects data in use, that is while it is being processed in memory, complementing the encryption already applied to data in transit and at rest.
Intel's 4th generation Xeon processors incorporate built-in security features that offer a secure foundation for deploying AI applications while meeting confidentiality requirements.
Intel SGX and Intel TDX are innovations that provide additional layers of protection for data during processing, enforcing isolation at the application and VM levels.
Tools like Federated Learning enable secure collaboration between organizations by allowing data analysis without exposing sensitive data or machine learning algorithms.
Organizations must evolve their approach to securing the technology stack in order to confidently deploy AI-powered applications in alignment with security and compliance standards.
Intel backs its hardware data security capabilities with additional services, such as remote attestation and federated learning, to ensure data integrity across AI/ML applications. | Details |
| 2023-12-06 11:11:58 | thehackernews | NATION STATE ACTIVITY | AeroBlade Espionage Targets U.S. Aerospace Sector | A covert actor known as AeroBlade has launched a cyber espionage attack on a U.S. aerospace organization.
BlackBerry Threat Research and Intelligence team has been monitoring the group behind the attack, with its origin remaining unidentified.
The attackers employed spear-phishing with a weaponized document using remote template injection and malicious macro code to execute the payload.
The network infrastructure for the attack was established in September 2022, with the main offensive taking place nearly a year later, in July 2023.
The attack method includes a reverse shell via a DLL, enabling attackers to take control of infected machines and exfiltrate data.
The malware includes anti-analysis features and declines to run when it detects a sandboxed environment, which helps it evade automated detection.
Attackers ensured persistence on the compromised systems by using Task Scheduler, scheduling a task to run daily, indicating a significant effort to maintain access and extract valuable information. | Details |
| 2023-12-06 11:11:58 | thehackernews | CYBERCRIME | Over 15,000 GitHub Go Repos Vulnerable to 'Repojacking' Attacks | A study revealed that over 15,000 Go module repositories on GitHub are susceptible to a "repojacking" cyberattack technique.
Repojacking exploits username changes and deletions on GitHub, allowing attackers to take over a repository’s name and disseminate malicious code.
Aqua, a cloud security firm, previously warned of the broader risk across GitHub repositories and underscored the need for protective measures upon name changes.
The decentralized nature of Go modules, relying on platforms like GitHub, makes them especially vulnerable compared to package managers like npm or PyPI.
GitHub's mitigation, popular repository namespace retirement, does not fully protect Go modules: the Go module mirror caches and serves modules, so most consumers never clone from GitHub and a widely used module can fall below GitHub's clone-based popularity threshold.
VulnCheck suggests that Go developers must be vigilant about the modules they use and the current status of the repositories they originate from.
The discovery coincides with the report of 1,681 exposed API tokens on platforms including GitHub, raising concerns about potential supply chain attacks and data theft. | Details |
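Because the Go module mirror keeps serving a cached module after its GitHub repository is renamed or deleted, `go build` will not reveal repojacking exposure; the repository itself has to be checked. The following is an added example, not VulnCheck's or the Go project's code: it parses the github.com requirements out of a go.mod and asks an injected lookup function whether each owner/repo still resolves, has been redirected to a new owner, or is gone. The go.mod and the lookup table are constructed; in practice the lookup would call the GitHub API or `git ls-remote`.

```python
"""Audit a go.mod for GitHub-hosted modules whose upstream repo is gone or renamed
(repojacking exposure). The resolver is injected so this runs offline."""
import re

# Matches block-form and single-line requirements, e.g.
#   github.com/owner/repo v1.2.3
#   github.com/owner/repo/v2 v2.0.1 // indirect
#   require github.com/owner/repo v0.1.0
REQUIRE_RE = re.compile(
    r"^\s*(?:require\s+)?(github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+))(?:/\S*)?\s+v\S+",
    re.MULTILINE,
)


def github_modules(gomod_text):
    """Yield (module_path, owner, repo) for every github.com requirement."""
    for m in REQUIRE_RE.finditer(gomod_text):
        yield m.group(1), m.group(2), m.group(3)


def audit(gomod_text, lookup):
    """lookup(owner, repo) -> ("ok", None) | ("moved", "newowner/repo") | ("missing", None).
    Returns (module_path, reason) for every requirement an attacker could re-register."""
    findings = []
    for path, owner, repo in github_modules(gomod_text):
        status, target = lookup(owner, repo)
        if status == "missing":
            findings.append((path, "owner/repo unavailable: name can be re-registered"))
        elif status == "moved":
            findings.append((path, f"redirects to {target}: old name is claimable unless retired"))
    return findings


# Constructed go.mod for the example.
SAMPLE_GOMOD = """\
module example.com/app

go 1.21

require (
	github.com/alice/logkit v1.4.2
	github.com/bob/httpx/v2 v2.0.1
	github.com/carol/yamlx v0.3.0 // indirect
)
"""

# Constructed stand-in for GitHub responses: bob renamed his account, carol deleted hers.
FAKE_GITHUB = {
    ("alice", "logkit"): ("ok", None),
    ("bob", "httpx"): ("moved", "bobby/httpx"),
}


def fake_lookup(owner, repo):
    return FAKE_GITHUB.get((owner, repo), ("missing", None))


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_GOMOD, fake_lookup):
        print(f"{path}: {reason}")
```

Run this against the repositories themselves, not the module proxy: a "moved" result means the old owner name is free for anyone to register and re-populate with a repository of the same name, which is exactly the takeover the article describes.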