Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-22 22:40:07 | theregister | CYBERCRIME | Researchers Reveal Windows Hello Fingerprint Authentication Flaws | Security researchers from Blackwing Intelligence have found ways to bypass Windows Hello's fingerprint authentication. The vulnerabilities were discovered in laptops from Dell, Lenovo, and Microsoft, using fingerprint sensors from different manufacturers. Blackwing Intelligence's work was commissioned by Microsoft's Offensive Research and Security Engineering group and presented at the BlueHat conference. The method involved booting a laptop into Linux, using the sensor's driver to store a new fingerprint with the same ID as a Windows user, and tricking the chip into using the Linux database through a man-in-the-middle device. The implementation flaws allow someone with physical access to a device to log in as the user associated with a fingerprint without actually having that person's fingerprint. Microsoft indicates that the issues have been addressed by vendors, and users should check for updates or errata. The researchers recommend that device makers avoid these design flaws and that users add further safeguards, such as boot passwords. | Details |
| 2023-11-22 21:43:58 | theregister | CYBERCRIME | Nuclear Lab Compromised by Unconventional Hacker Group | An unusual cybercriminal group, SiegedSec, which self-identifies as "gay furry hackers", claims to have breached the Idaho National Laboratory's systems. The hackers reportedly stole and leaked personal data of employees, including Social Security numbers, addresses, and bank details. The cyberattack targeted a third-party vendor system associated with the lab's cloud HR services. Idaho National Laboratory acknowledges the cyberattack, has involved law enforcement, and is taking action to secure employee data. The group has issued an odd ransom demand, offering to remove the leaked information if the lab engages in research to create "IRL catgirls", a nod to an internet meme. The INL is a critical part of America's nuclear research infrastructure, employing over 6,100 people and operating the world's densest concentration of nuclear reactors. The motivation for the attack remains ambiguous; SiegedSec previously cited human rights issues and the enjoyment of leaks as reasons for its NATO breach. | Details |
| 2023-11-22 19:41:42 | bleepingcomputer | DATA BREACH | Kansas Judicial Branch Reports Significant Data Breach After Cyberattack | The Kansas Judicial Branch suffered a cybersecurity incident last month, resulting in the theft of sensitive files containing confidential information. Hackers disrupted the availability of systems including document submission, electronic payment systems, and case management systems for district and appellate courts. Over a month after the incident, vital court services remain offline, with no clear resolution timeline provided. The stolen data includes Office of Judicial Administration files, district court case records, and possibly other confidential data. The incident has the hallmarks of a ransomware attack, including system disruption and threats to publish stolen data unless a ransom is paid. The specific type of cyberattack has not been disclosed, and no ransomware group has claimed responsibility yet. The Kansas authority estimates that restoring all systems will take several weeks and plans to notify all individuals impacted by the data breach. The public statement characterized the incident as an attack against all Kansans and condemned the perpetrators. | Details |
| 2023-11-22 19:10:47 | bleepingcomputer | CYBERCRIME | Windows Hello Fingerprint Authentication Compromised on Laptops | Security researchers from Blackwing Intelligence bypassed Windows Hello fingerprint authentication on laptops from Dell, Lenovo, and Microsoft. The vulnerabilities were in the embedded fingerprint sensors of the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15. These Match-on-Chip (MoC) sensors, which perform fingerprint matching internally, were exploited through man-in-the-middle (MitM) attacks using a customized Raspberry Pi. Sensitive data and communication should have been protected by Microsoft's Secure Device Connection Protocol (SDCP), but the protocol was not enabled on two devices and was improperly implemented on the third. On the Dell and Lenovo laptops, attackers bypassed authentication by enrolling an attacker's fingerprint under a legitimate user's ID. On the Microsoft device, researchers spoofed the fingerprint sensor, taking advantage of unprotected cleartext USB communication. Blackwing Intelligence recommends that manufacturers enable and correctly implement SDCP to protect against such attacks. Microsoft notes an increase in users signing into Windows 10 with Windows Hello, highlighting the importance of securing biometric authentication methods. | Details |
| 2023-11-22 18:24:29 | bleepingcomputer | DATA BREACH | Health SaaS Welltok Suffers Major Data Breach Affecting Millions | Welltok, a healthcare SaaS provider, experienced a major data breach exposing the personal data of approximately 8.5 million U.S. patients. The breach occurred through a hack of the company's MOVEit file transfer software, which was previously targeted by the Clop ransomware gang exploiting a zero-day vulnerability. Personal data exposed in the breach comprises full names, email addresses, physical addresses, telephone numbers, and in some cases sensitive information such as Social Security numbers, Medicare/Medicaid IDs, and health insurance details. The breach was first acknowledged by Welltok in late October when a notice was published, despite the firm having applied all security updates available from the vendor at the time. Numerous healthcare providers across multiple states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts, have been affected. The breach ranks as the second-largest MOVEit incident to date, after the Maximus breach, according to reports filed with the U.S. Department of Health and Human Services breach portal. | Details |
| 2023-11-22 18:08:55 | bleepingcomputer | MALWARE | Microsoft Identifies Supply Chain Malware by North Korean Hackers | The North Korean group Lazarus hacked CyberLink and trojanized one of its installers for a supply chain attack. Trojanized CyberLink installers were detected on devices in multiple countries, including the US and Japan. Microsoft attributes the attack with high confidence to the group it tracks as Diamond Sleet. The attack involves a second-stage payload that communicates with previously compromised infrastructure. Microsoft added the legitimate CyberLink certificate used to sign the malware to its disallowed list. The malware targets systems not protected by specific security software and downloads a second-stage payload disguised as a PNG. No hands-on-keyboard activity was detected post-breach, but Microsoft has informed affected parties and removed the payloads from GitHub. | Details |
| 2023-11-22 17:43:05 | bleepingcomputer | MALWARE | New 'InfectedSlurs' Botnet Targets NVRs and Routers via Zero-Days | A novel Mirai-based botnet, dubbed 'InfectedSlurs', is exploiting zero-day vulnerabilities to infect network video recorders (NVRs) and routers for DDoS attacks. Cybersecurity firm Akamai detected the malware, which became active in late 2022 and was first observed on its honeypots in October 2023. The malware exploits two unpatched remote code execution (RCE) vulnerabilities in devices from unnamed vendors, who are working on patches due for release in December 2023. Akamai's investigation revealed that the botnet uses default vendor credentials for infection and targets a specific NVR manufacturer, along with routers popular in homes and hotels. The botnet's C2 infrastructure largely supports DDoS operations, and analysis suggests it is only minimally altered from the original Mirai and lacks a persistence mechanism. Device owners are advised to reboot their NVR and router devices to temporarily disrupt the botnet until patches are available. | Details |
| 2023-11-22 16:56:48 | bleepingcomputer | MALWARE | Malware Targets Google Auth Cookies for Account Hijacking | The malware known as Lumma can allegedly restore expired Google authentication cookies to gain access to user accounts. Lumma's developers offer this feature to subscribers of their highest-tier plan, costing $1,000 per month. Session cookies, which are typically short-lived for security, can apparently be resurrected by the malware, potentially bypassing standard security measures. The cookie restoration capability has been announced but not yet confirmed by independent security researchers or Google. Google was contacted for comment on this vulnerability but has not yet responded. The malware developers claim to have updated Lumma to circumvent new restrictions by Google designed to prevent such cookie restoration. Until Google addresses the issue, users are advised to avoid infection by not downloading files from unreliable sources and by being cautious with search engine results. | Details |
| 2023-11-22 16:15:19 | bleepingcomputer | DDOS | Blender Suffers Persistent DDoS Attacks, Disrupting Operations | The Blender project has been experiencing ongoing DDoS attacks since Saturday, causing significant site outages and service disruptions. Because Blender is a widely used open-source 3D design suite, its inability to serve legitimate requests has severely affected creators who rely on its services. Blender's team has been actively combating the attacks, but efforts to block the attackers' IP ranges were futile as the attackers rapidly shifted to new ones. In response to the continual issues, the team moved Blender's main website to Cloudflare, effectively reducing the severity of the attack's impact. Over 240 million fake requests have been launched against Blender's servers, as reported by the company's COO, Francesco Siddi. While the identity and motives of the perpetrators remain unknown, the risks to users, including potential service interruptions and malware infections from unofficial downloads, are still present. | Details |
| 2023-11-22 16:15:19 | bleepingcomputer | MISCELLANEOUS | Comprehensive Roundup of Black Friday 2023 Tech Security Deals | Black Friday 2023 brings significant discounts on various computer security products, including antivirus, VPNs, and online security courses. NordVPN, Surfshark, and ProtonVPN offer up to 85% off on multi-year subscription plans for their services. Avast, ESET, and Malwarebytes slash prices by up to 70%, providing affordable antivirus and VPN bundle options. Cybersecurity and IT skill courses from StackCommerce, Pluralsight, and Udemy are heavily discounted, some as low as $9.99. Additional promotions include firewalls, password managers, and security keys from vendors such as Any.Run, Firewalla, Hak5, LastPass, and Yubico. The sales are time-sensitive, with many expiring at the end of November or on Cyber Monday. The article includes disclosures regarding affiliate links and partnerships which may earn commissions for BleepingComputer.com. | Details |
| 2023-11-22 15:28:55 | thehackernews | CYBERCRIME | Security Flaws in Fingerprint Sensors Compromise Windows Hello | Researchers at Blackwing Intelligence identified vulnerabilities in fingerprint sensors used by several laptop manufacturers, which could allow an unauthorized bypass of Windows Hello authentication. Affected laptops include models from Dell, Lenovo, and Microsoft, with the compromised sensors supplied by Goodix, Synaptics, and ELAN. The sensors use "match on chip" technology, which does not by itself protect against malicious devices spoofing legitimate sensors to falsely indicate successful authentication. Microsoft's Secure Device Connection Protocol (SDCP), designed to create a secure communication channel, was found to be either unsupported or improperly implemented. Attack methods include exploiting the absence of SDCP, sensor spoofing with communication replay, and abusing flawed TLS stacks. The Goodix sensor could be exploited by taking advantage of inconsistent enrollment operations between Windows and Linux, where the Linux environment does not use SDCP. To counter these vulnerabilities, the researchers suggest that manufacturers enable SDCP by default and subject fingerprint sensor implementations to audits by independent experts. The discovery follows a previous Windows Hello biometric bypass issue patched by Microsoft in July 2021, underscoring the ongoing need for robust security measures in biometric authentication systems. | Details |
| 2023-11-22 12:50:16 | theregister | CYBERCRIME | US Authorities Confiscate $9M in Crypto from "Pig Butchering" Scam | US law enforcement recovered approximately $9 million from a "pig butchering" cryptocurrency scam affecting over 70 victims. Criminals enticed victims using fake investment companies and cryptocurrency exchanges before absconding with the deposited funds. Techniques such as chain hopping, coin swaps, and cross-chain bridges were used in attempts to launder the stolen money. The Secret Service and DOJ collaborated to trace the illicit funds to multiple wallet addresses tied to the criminal group. Despite the successful asset recovery, no arrests or specific identities of the cybercriminals have been disclosed by the DOJ. Authorities stress continued efforts to protect the financial security of citizens and crack down on cyber-enabled financial fraud. The confiscated proceeds were returned to victims in the form of the stablecoin Tether, in partnership with the DOJ's National Cryptocurrency Enforcement Team. | Details |
| 2023-11-22 12:19:15 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Software Developers and Firms in Espionage Campaign | North Korean threat actors impersonated job recruiters and job seekers to distribute malware and infiltrate organizations globally. The campaigns, codenamed Contagious Interview and Wagemole by Palo Alto Networks' Unit 42, involve cryptocurrency theft, espionage, and financial gain. The first campaign uses fake job interviews to infect software developers with malware aimed at cryptocurrency theft and at staging further attacks. Attackers also pose as job candidates, using GitHub to host resumes with forged identities to gain employment and conduct espionage. Two new cross-platform malware families, BeaverTail and InvisibleFerret, target Windows, Linux, and macOS, stealing information and enabling remote control. Overlaps with previous North Korean operations, including Operation Dream Job and Sapphire Sleet, indicate a consistent pattern of strategic social engineering. The activities tie into broader North Korean strategies to bypass sanctions by deploying skilled IT workers who redirect their earnings to state weapons programs. A U.S. government advisory acknowledges North Korea's tactic of using IT worker employment to fund weapons programs, further highlighting the risks to global businesses. | Details |
| 2023-11-22 11:12:44 | thehackernews | DATA BREACH | Managing AI Tool Integration to Prevent SaaS Security Risks | Employees are rapidly adopting AI tools such as ChatGPT with little oversight, which may increase productivity but poses security risks. Cybersecurity teams are under pressure to adopt AI quickly without proper security assessments, potentially leading to data breaches. Indie AI apps, favored for their freemium models, typically have less robust security measures, making them attractive targets for hackers. Connections between AI tools and enterprise SaaS systems can allow threat actors to access sensitive company data. The article cites the CircleCI data breach incident as an example, where a delay in noticing suspicious activity led to a significant data breach. Security researchers recommend that companies enforce due diligence, revise application and data policies, and provide regular employee training. Vendor assessments of indie AI tools should include a rigorous look at their security posture and data privacy compliance. Building open communication and accessibility between cybersecurity teams and business units is vital for maintaining SaaS security in the face of AI adoption. | Details |
| 2023-11-22 11:02:17 | theregister | MISCELLANEOUS | Evaluating Microsoft's Decade of Bug Bounties: Impact and Insights | Microsoft's bug bounty program marks a decade, having disbursed $63 million to researchers, with substantial growth in the last five years. Aanchal Gupta, Microsoft's deputy CISO, acknowledges early resistance but stresses the program's importance in pre-release bug detection. The initiative's recent expansion includes increased rewards, with $13 million awarded to researchers in one year and new categories for serious risks. Katie Moussouris, a key advocate for the program's inception, reflects on implementing bug bounties amid initial corporate reluctance. Moussouris emphasizes that while bug bounties are a financial incentive, they should not replace secure software development processes. Moussouris calls for a "concrete feedback loop" into secure development life cycles and for meaningful metrics beyond cash payouts. The article challenges the efficacy of bug bounty programs, suggesting that more attention should be given to preventative measures and rapid vulnerability response. | Details |