Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-06 11:11:58 | thehackernews | DATA BREACH | Mitigating Risks with AI-Assisted Data in Microsoft 365 Copilot | Microsoft Copilot is an AI tool integrated into Microsoft 365 apps that uses user data to improve productivity.<br>Copilot's access to extensive sensitive data presents significant security concerns for information security teams.<br>Around 10% of a company's Microsoft 365 (M365) data is accessible to all employees, and Copilot can use that data as well.<br>Common risk factors include complex permissions, ineffective data labeling, and the potential for AI-generated data breaches.<br>The Varonis Data Security Platform can help organizations enforce least privilege and improve their security posture before rolling out Copilot.<br>Varonis offers a free risk assessment for M365 users to identify sensitive data risks and vulnerabilities in preparation for Copilot implementation. | Details |
| 2023-12-06 11:11:58 | thehackernews | MISCELLANEOUS | Strengthen Your SaaS Security with Free TPRM Solution | Wing Security has introduced a free tool for basic third-party risk management (TPRM) to help organizations mitigate risks associated with SaaS vendors.<br>As SaaS usage grows, companies face security challenges due to the interconnected nature of SaaS supply chains, which can lead to potential cybersecurity threats.<br>The article emphasizes the importance of due diligence and security checks before onboarding new SaaS applications, noting that these often bypass traditional IT approval processes.<br>Third-party risk in SaaS involves managing potential cybersecurity, data privacy, compliance, operational, financial, and reputational risks posed by vendors.<br>Five key tips for SaaS security are provided: identification and categorization of third-party connections, due diligence and assessment of vendors, ongoing monitoring of SaaS vendors, robust incident response planning, and thorough documentation and reporting.<br>The consequences of inadequate TPRM practices include cybersecurity breaches, data exposure, financial loss, reputational damage, and non-compliance penalties.<br>Good TPRM fosters improved security, compliance, vendor trust, and regulatory navigation, playing a crucial role in strengthening an organization's overall security posture against SaaS threats. | Details |
| 2023-12-06 11:11:58 | thehackernews | NATION STATE ACTIVITY | Russia's Doppelganger Operation: AI-Driven Disinformation Exposed | A Russia-linked influence operation known as Doppelganger is targeting audiences in Ukraine, the United States, and Germany with disinformation campaigns.<br>Doppelganger has been active since at least February 2022 and utilizes a combination of fake news sites and social media accounts to disseminate false narratives.<br>The influence campaigns aim to undermine Ukrainian sovereignty, promote anti-LGBTQ+ sentiments, question U.S. military competence, and highlight social and economic issues in Germany.<br>Advanced obfuscation techniques are used, including brandjacking and the strategic use of website redirects and AI to create false articles, making detection more difficult.<br>Across its campaigns, Doppelganger is said to use over 800 social media accounts and various first- and second-stage domains to hide actual content destinations.<br>Engagement with the disinformation content has been minimal, leading to negligible impact in terms of social media interactions such as reshares, likes, and replies.<br>Recorded Future emphasizes the scalable and adaptable nature of Russian information warfare designed to influence public opinion and behavior over time.<br>Meta has taken steps to disrupt multiple influence operations from China and Russia and highlights the lack of current U.S. federal government sharing of foreign election interference threat intelligence. | Details |
| 2023-12-06 11:11:58 | thehackernews | CYBERCRIME | Experts Uncover Fake Lockdown Mode Deception on iPhones | Jamf Threat Labs reports a deceptive method used by attackers to trick iPhone users into believing they are in Lockdown Mode when they are not.<br>The fake Lockdown Mode technique could be used post-exploitation, allowing malware to keep running surreptitiously on the device.<br>Apple's Lockdown Mode in iOS 16, designed to protect users from sophisticated threats, does not prevent the execution of malicious payloads on an already compromised device.<br>The attack involves manipulating the functions linked to the activation of Lockdown Mode, giving users a false sense of security.<br>This deceptive strategy can lead to users being less vigilant and unknowingly exposed to continued spying or data theft.<br>Apple has since moved the implementation of Lockdown Mode to the kernel level in iOS 17, so that its state cannot be tampered with without a system reboot.<br>Jamf's research emphasizes the risk of interface tampering and highlights an evolution in social engineering techniques that is likely to be exploited more in the future. | Details |
| 2023-12-06 11:11:58 | thehackernews | CYBERCRIME | Qualcomm Confirms High-Severity Chip Flaws Exploited in Targeted Attacks | Qualcomm has disclosed information on three serious security flaws that have been exploited in targeted attacks.<br>Google's teams identified the vulnerabilities, which were used in limited attacks, including CVE-2022-22071 with a CVSS score of 8.4.<br>Security researcher luckyrb, the Google Android Security team, and Google Project Zero members reported these security issues.<br>Specifics on how the vulnerabilities were exploited and the identities of the attackers remain undisclosed.<br>CISA has listed the vulnerabilities in its KEV catalog, mandating that federal agencies patch them by December 26, 2023.<br>The announcement comes as Google's December security updates for Android resolve 85 different flaws, including a critical System issue enabling code execution without user interaction. | Details |
| 2023-12-06 11:11:58 | thehackernews | MALWARE | Atlassian Patches Critical Vulnerabilities to Thwart Remote Attacks | Atlassian has issued important software updates to rectify four critical security flaws that could lead to remote code execution.<br>The identified vulnerabilities include a template injection issue (CVE-2023-22522) in Confluence that could allow code execution through user input.<br>Another flaw involves the Assets Discovery agent, enabling attackers to perform privileged remote code execution on connected machines.<br>CVE-2023-22524 presents a risk where attackers could use WebSockets to sidestep blocklists and protections in Atlassian Companion and macOS Gatekeeper.<br>Previously, Atlassian addressed a severe security weakness in Apache ActiveMQ (CVE-2023-46604) affecting Bamboo Data Center and Server products.<br>Versions released to correct these issues are 9.2.7, 9.3.5, and 9.4.1 or later, with urgent updates recommended due to increased attacks on Atlassian tools. | Details |
| 2023-12-06 11:11:58 | thehackernews | DATA BREACH | Federal Agency Hit by Hackers Exploiting Adobe ColdFusion Flaw | Unidentified threat actors exploited a high-severity Adobe ColdFusion vulnerability to gain unauthorized access to U.S. federal agency servers.<br>The exploited vulnerability, tracked as CVE-2023-26360, is an improper access control flaw that allows arbitrary code execution on affected systems.<br>The Cybersecurity and Infrastructure Security Agency (CISA) reported that at least two public-facing federal servers running outdated versions of ColdFusion were compromised.<br>CISA added the vulnerability to its Known Exploited Vulnerabilities catalog after identifying active exploitation.<br>Adversaries used the flaw to deploy malware, including variants designed to steal web browser cookies and decrypt passwords, as well as a modified remote access Trojan.<br>No data exfiltration or lateral movement within networks was observed, suggesting the possibility of a reconnaissance operation.<br>The incidents involved uploading malicious artifacts and attempting to exfiltrate sensitive data, though no actual password decryption activity was detected on the victim system. | Details |
| 2023-12-06 11:11:58 | thehackernews | MISCELLANEOUS | Enhancing Security Operations via Strategic Automation | The digital landscape poses numerous growing security threats, challenging resource-limited security teams.<br>Automation in security operations streamlines repetitive tasks, decreases human error, and allows focus on higher-level tasks, yet requires standardization to succeed.<br>A lack of well-documented processes and resources hinders successful automation in many organizations.<br>Effective automation demands identifying processes that are feasible to automate and evaluating an organization's maturity and ability to maintain SOAR systems.<br>Three critical investigation processes that can be automated to various extents are evidence gathering, analysis, and remediation, though analysis and remediation may still require human oversight.<br>A stepwise, iterative approach is recommended for building a tactical automation foundation that integrates with security operations workflows.<br>When implemented properly, automation in security operations can significantly reduce response times and improve the efficacy of threat detection and resolution within organizations. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | Critical Zero-Click RCE Flaw Patched in December Android Update | Google's December 2023 Android security updates remediate 85 vulnerabilities, including a critical zero-click remote code execution (RCE) bug.<br>The zero-click RCE vulnerability, tracked as CVE-2023-40088, is found in Android's System component and can be exploited without user interaction.<br>The exact implications of the CVE-2023-40088 bug are not fully disclosed, but its severity suggests a significant risk if exploited.<br>In addition to CVE-2023-40088, three other critical-severity bugs related to privilege escalation and information disclosure have been patched.<br>Past zero-days, including two from October and one from September 2023, highlight the ongoing risk and active exploitation of Android vulnerabilities.<br>Google has released two patch levels; the more comprehensive 2023-12-05 security patch level includes additional fixes for proprietary and kernel components that do not apply to all devices.<br>Manufacturers other than Google (for Pixel devices) may experience delays in rolling out these security updates as they conduct compatibility testing for different hardware configurations. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Exploit Outlook Flaw to Hijack Exchange Accounts | Russian state-sponsored hackers APT28 are exploiting a critical vulnerability, CVE-2023-23397, in Microsoft Outlook to gain access to Exchange accounts.<br>Affected sectors include government, energy, and transportation across the US, Europe, and the Middle East.<br>APT28 also targets other known vulnerabilities in WinRAR and Windows MSHTML to enhance their attacks.<br>The Outlook flaw has been exploited since April 2022, initially as a zero-day, to steal email, and exploitation continues despite Microsoft's patch.<br>The French cybersecurity agency reported similar attacks against diverse French organizations.<br>Microsoft warns that attacks are ongoing because unpatched systems remain vulnerable to the Outlook exploit.<br>Polish Cyber Command Center has played a key role in detecting and mitigating these cyber attacks.<br>Microsoft advises prioritizing patch management and reducing the attack surface to prevent such cyber threats. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | Evolved P2Pinfect Malware Escalates Targeting MIPS Devices | Researchers at Palo Alto Networks' Unit 42 have noticed a shift in the P2Pinfect botnet's focus to target devices with 32-bit MIPS processors.<br>MIPS chips are commonly found in various embedded systems, including routers and IoT devices, due to their efficiency.<br>The botnet, initially spotted in 2023 attacking Redis servers, has evolved to infect a broader array of systems including those in the US, Germany, the UK, Asia, and others.<br>The MIPS variant of P2Pinfect exploits weak SSH credentials, spreading through SFTP and SCP, and also targets the Redis server on MIPS devices using an OpenWRT package.<br>Advanced evasion techniques have been incorporated in the recent version of P2Pinfect, complicating its detection and analysis for security professionals.<br>Despite concerted efforts to track and understand the P2Pinfect botnet, the ultimate goals of the perpetrators behind the malware remain unclear, with potential uses including cryptocurrency mining, DDoS attacks, traffic proxying, and data theft. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | SpyLoan Malware Apps on Google Play Deceive Millions | SpyLoan Android malware, disguised as loan apps, has been downloaded over 12 million times from Google Play and other sources.<br>These malicious apps steal personal data, including accounts, device info, and metadata from images, and exploit users for money.<br>Victims are lured with offers of fast loans, tricked into high-interest payments, and then blackmailed.<br>ESET identified 18 SpyLoan apps; Google removed 17 from the Play Store, with one app reappearing with changed permissions.<br>SpyLoan has been increasingly prevalent since 2020, with a significant uptick in 2023 across several countries.<br>The apps bypass Google's defenses by presenting compliant privacy policies and transparent permissions during submission.<br>SpyLoan apps break Google's Financial Services policy, using deceptive privacy policies to justify invasive permissions for extortion.<br>Users are advised to only trust established financial institutions, scrutinize app permissions, and heed Google Play user reviews for signs of fraud. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Bolstering Service Desk Security Against Holiday Cyberattacks | Cyberattacks against e-commerce businesses surge by 200% around the holiday season, targeting service desks among other entry points.<br>Service desks are vulnerable due to high-risk events, including account recovery processes when users forget passwords.<br>Holiday periods offer hackers heightened opportunities for attacks as customer traffic increases and staff vigilance may decrease.<br>The service desk's ability to reset passwords, create accounts, and bypass multi-factor authentication makes it an attractive target for cybercriminals.<br>Social engineering is a prevalent method for attackers to exploit service desk protocols and gain unauthorized network access.<br>Specops Software emphasizes the importance of continuous cybersecurity measures and offers tools like uReset and Secure Service Desk to protect organizations.<br>Companies are advised to adopt advanced password security management solutions to strengthen their defenses, particularly during high-risk periods such as holidays. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | DATA BREACH | US Government Servers Compromised Through Adobe ColdFusion Flaw | Hackers have exploited a critical Adobe ColdFusion vulnerability, CVE-2023-26360, to gain access to U.S. government servers.<br>The flaw, which allows arbitrary code execution, affected servers running Adobe ColdFusion 2018 Update 15 or earlier and 2021 Update 5 or earlier.<br>Adobe released patches for the vulnerability in mid-March, but despite CISA's warnings, some federal agencies had unpatched systems that were breached in June.<br>Two incidents involving the exploitation of the vulnerability were reported, including malware installation, credential harvesting, and access to sensitive directories and files.<br>The attackers used the vulnerability to install web shells and remote access trojans to perform reconnaissance without data exfiltration.<br>In both instances, the cyber intrusions were caught and contained quickly, with compromised systems isolated within 24 hours.<br>CISA recommends updating to the latest version of ColdFusion, improving network segmentation, utilizing firewalls or WAFs, and enforcing policies for signed software execution to reduce risks. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2023.4 Debuts with GNOME 45 and Fresh Toolset | Kali Linux 2023.4 has been released featuring GNOME 45 and fifteen new tools for ethical hacking and cybersecurity.<br>The update brings new functionality aimed at penetration testers and security professionals, although the core OS has few new features.<br>GNOME 45, known as "Rīga," enhances the user interface and performance, offering a refreshed experience for those preferring GNOME over KDE.<br>The Linux kernel has been upgraded to version 6.3.7, promising improved system stability and performance.<br>Kali Linux is now available on cloud platforms such as Amazon AWS and Microsoft Azure for both AMD64 and ARM64 architectures.<br>Deploying Kali Linux on Microsoft's Hyper-V is now simpler with added Vagrant support, allowing management from the command line.<br>A new dedicated image for the Raspberry Pi 5 has been released, with options for building your own Kali Linux image for the device.<br>Instructions for upgrading existing installations to Kali Linux 2023.4 are available, along with a complete changelog on the Kali website. | Details |