Daily Brief

2023-10-11 19:43:56 theregister NATION STATE ACTIVITY US Navy Sailor Pleads Guilty to Selling Military Secrets to China
A US Navy service member, Wenheng Zhao (also known as Thomas Zhao), pleaded guilty to passing on American military secrets to a Chinese intelligence officer and is set to be sentenced in January. Zhao held a US security clearance that gave him access to 'secret' data at Naval Base Ventura County in California, which focuses on developing and testing missiles, electronic warfare systems and other weapons. Zhao admitted to receiving bribes from a Chinese spymaster in return for confidential information about US Navy operational security, military training and exercises, and critical infrastructure. In addition to providing plans of a large maritime training exercise in the Pacific theater, Zhao also sold operational orders, electrical plans, and blueprints for a radar system in Okinawa, Japan, and has admitted to using encrypted communication methods to transmit this information. Accompanying Zhao's arrest was another Navy service member, Jinchao Wei, also charged with spying-related crimes in a separate naval base in San Diego, California. Latest reports indicate that a former US Army sergeant was arrested last week and is facing federal felonies for conspiring to pass classified information to the Chinese government.
2023-10-11 18:40:52 bleepingcomputer CYBERCRIME Microsoft Defender Enhances Security with Auto-Isolation of Compromised Accounts
Microsoft Defender for Endpoint now includes an automatic attack disruption feature that isolates compromised user accounts, preventing lateral movement in hands-on-keyboard attacks. This tactical move targets incidents like human-operated ransomware, where adversaries infiltrate networks, escalate privileges through stolen accounts, and deploy malicious payloads. The 'contain user' capability achieves this by suspending compromised users across all devices, denying an attacker the opportunity to carry out hostile activity such as moving laterally, stealing data, and encrypting files remotely. Once the preliminary phases of a human-operated attack are recognized on an endpoint using signals from Microsoft 365 Defender, the automatic attack disruption feature stops the attack on that machine. Concurrently, Defender for Endpoint protects all other devices in the organization by blocking incoming malicious traffic, leaving potential adversaries with no additional targets. Since this feature's introduction, 6,500 devices have been spared from ransomware campaigns conducted by various hacker groups. Microsoft Defender for Endpoint has also been capable of isolating hacked and unmanaged Windows devices since June 2022, further restricting potentially malicious activity.
2023-10-11 14:41:51 theregister MISCELLANEOUS Wide Earnings Gap Seen in CISO Community as Salary Growth Slows
The wage gap for US-based Chief Information Security Officers (CISOs) has increased, with the high earners seeing their salaries grow at three times the rate of the lower earners, according to a recently released survey by IANS. The survey polled 600 CISOs, finding that the majority make either under $400k annually or over $700k, and very few fall into the intermediate wage bracket. Just over half earn less than $400k a year, with 30% of this group earning less than $300k. Of all respondents, a fifth earn more than $700k, and half of these higher earners earn more than $1 million per year. The total increase in compensation for CISOs this year was 11%, notably slower than last year's growth rate of 14%. The report also revealed that 75% of surveyed CISOs are considering changing jobs, giving reasons such as pay and work-life balance issues. Nick Kakolowski, senior research director at IANS, noted that while high earners have continued to see substantial increases in compensation, middle and lower earners have not, which is leading to job dissatisfaction.
2023-10-11 14:31:14 bleepingcomputer NATION STATE ACTIVITY Chinese-Backed Threat Group Exploits Critical Zero-Day Bug in Atlassian Confluence
Microsoft has identified the China-backed cyber group Storm-0062 as the entity exploiting a critical zero-day in Atlassian Confluence Data Center and Server since mid-September. Although Atlassian had disclosed a vulnerability (CVE-2023-22515) and made security updates available from early October, the company did not release details regarding the threat groups exploiting it. Storm-0062, which has links to China's Ministry of State Security, leveraged the flaw for nearly three weeks, creating arbitrary administrator accounts on vulnerable endpoints. The group, also known as DarkShadow or Oro0lxy, is notorious for targeting software, engineering, medical research, government, defense, and tech firms across the world to collect intelligence. Rapid7 researchers recently released a proof-of-concept exploit along with full technical details about the vulnerability, which may shift the landscape of exploitation. However, Rapid7 has also provided detailed instructions to counter the threat. The flaw does not affect Confluence Data Center and Server versions before 8.0.0, and Atlassian-hosted instances at atlassian.net domains are not vulnerable to these attacks. Users of affected versions are strongly encouraged to upgrade to the fixed releases.
2023-10-11 14:05:25 bleepingcomputer CYBERCRIME Security Concerns Related to Microsoft Copilot
Microsoft Copilot, an AI productivity tool which has access to and compiles data across various Microsoft 365 apps, presents potential data security concerns due to its broad access to sensitive information. The author indicates that on average, 10% of a company's M365 data is open to all employees, which Copilot can readily access and surface in generated output. Generative AI like Copilot amplifies the challenge of protecting data, as it can generate new sensitive data that must in turn be secured. Rapid deployment and complex permission mechanisms often leave Microsoft 365 open to least-privilege enforcement issues. Microsoft's reliance on sensitivity labels to enforce DLP policies and prevent data leaks is seen as problematic due to the complexity of labeling and the difficulty of keeping up with rapidly generated data. Blind trust in AI-generated content opens up loopholes for unintentional data breaches and privacy violations. The author suggests undertaking a risk assessment and improving security controls using tools like the Varonis Data Security Platform before implementing AI tools like Copilot.
2023-10-11 13:59:49 bleepingcomputer CYBERCRIME Simpson Manufacturing Disrupted by Major Cyberattack
American building materials producer Simpson Manufacturing has experienced a significant disruption in operations following a cyberattack. Its network and applications were affected, leading the company to shut down its IT infrastructure to mitigate further impact. Detected on October 10, 2023, the situation was classified by the company as a cybersecurity incident, prompting it to take containment and remediation actions, which included taking systems offline. The firm has not yet given details on the type of cyberattack, nor has any ransomware group claimed responsibility. But the scenario's symptoms, such as prolonged operational disruption, suggest it might be a complex ransomware attack involving data encryption. Simpson Manufacturing plays a significant role in North America's building materials industry, with more than 5,000 employees and net annual sales of $2.12 billion, raising concerns over the probability of extensive proprietary information theft. The company is currently working with third-party cybersecurity experts in the early stages of investigation and recovery. However, no impact on the company's stock trading has been observed since the incident's public announcement. Further information will be disclosed as the investigation progresses.
2023-10-11 13:08:35 theregister MISCELLANEOUS Reflecting on 20 Years of Microsoft’s Patch Tuesday
Microsoft's Patch Tuesday marks 20 years as a key part of IT management in October 2023. The system allowed controlled release of patches, creating stability and predictability for system administrators. Prior to the introduction of Patch Tuesday, software updates were released sporadically, causing confusion and pressure for IT admins. Patch Tuesday was introduced following feedback from customers, leading Microsoft to streamline its software fixes. The change saw patch consumption increase. The patching procedure has evolved significantly since its inception, with the volume of patches issued each month growing extensively. Where once the limit was about 12 fixes each month, more than 100 security fixes are now issued per month. The monthly security bulletins released on Patch Tuesday have been adopted by other vendors such as Oracle, Adobe, and SAP. Hardware vendors have also started to release patches on the same day as Microsoft. Despite the increased volume of updates, there has been a significant improvement in the quality of patches, as well as in the tools and systems used to distribute and apply them. Patch Tuesday has also improved the relationship between security researchers and software vendors over the years, making responsible disclosure an industry norm.
2023-10-11 13:03:04 bleepingcomputer CYBERCRIME Hackers Exploiting LinkedIn Smart Links to Launch Phishing Attacks on Microsoft Accounts
Hackers are once again leveraging LinkedIn Smart Links for phishing attacks aimed at stealing Microsoft account credentials, according to cybersecurity firm Cofense. Smart Links, a part of LinkedIn's Sales Navigator service, are often used for marketing and tracking purposes, with business accounts emailing content using these links. As they originate from LinkedIn's domain, they usually bypass email protection systems. Cofense reports a surge in the use of this technique, with over 800 emails leading to phishing pages discovered in a recent campaign between July and August 2023. The campaign is primarily targeting the finance, manufacturing, energy, construction, and healthcare sectors. The phishing emails typically cover subjects like payments, HR issues, documents, and security notifications. The phishing pages resemble the standard Microsoft login portal. The phishing process is made more credible by using the Smart Link to pre-fill the target's email address on the Microsoft login page. Cofense highlights the need for enhanced user education, as attackers are increasingly utilizing legitimate services to evade security tools.
2023-10-11 12:42:20 thehackernews MALWARE Balada Injector Compromises Over 17,000 WordPress Sites in a Month
Over 17,000 WordPress websites were infiltrated in September 2023 by malware known as Balada Injector. Approximately 9,000 of the websites were compromised via a recently exposed security flaw in the tagDiv Composer plugin, allowing unauthenticated users to execute stored cross-site scripting (XSS) attacks. The Balada Injector, a malware campaign first discovered by Doctor Web in December 2022, exploits WordPress plugin flaws to deploy a Linux backdoor on vulnerable systems and has affected over a million websites since 2017. The attackers' primary goal is to direct users of the compromised sites to deceptive tech support pages, fraudulent lottery wins, and push notification scams. In the latest breaches, attackers exploited a flaw to inject a malicious script, establish persistent access over sites by adding malicious plugins, uploading backdoors, and creating rogue blog administrators. Attack scripts have targeted WordPress site administrators to perform malicious actions with elevated privileges. Attackers also plant backdoors in websites' 404 error pages that are capable of executing arbitrary PHP code. Sucuri, a security company, has characterised this as "one of the most complex types of attacks" due to the scripts' rapidly evolving nature and their ability to automate malicious plugin installation.
2023-10-11 12:26:41 thehackernews CYBERCRIME US Cybersecurity Agency Warns of Active Exploitation of Adobe Acrobat Reader Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning for a high-severity flaw in Adobe Acrobat Reader, citing evidence of active exploitation. Identified as CVE-2023-21608, the vulnerability is described as a use-after-free bug that can be exploited for remote code execution (RCE) with the user's privileges. Adobe released a patch for the flaw in January 2023, with HackSys security researchers Ashfaq Ansari and Krishnakant Patil credited for its discovery and reporting. Information regarding the exploitation and the threat actors behind it is yet to be revealed. A proof-of-concept (PoC) exploit for the flaw was made available in late January 2023. The vulnerability is the second Adobe Acrobat and Reader flaw to see in-the-wild exploitation, following CVE-2023-26369, an out-of-bounds write issue. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply Adobe's vendor-provided patches by October 31, 2023, to protect their networks from potential threats.
2023-10-11 12:19:50 theregister DATA BREACH Concerns Over Data Protection In Upcoming UK-US Data Bridge
The UK Extension to the EU-US Data Privacy Framework, also known as Data Bridge, is set to become operational on 12 October. This arrangement will enable personal data to be smoothly transferred between the UK and the US. The European Commission had adopted an adequacy decision for the EU-US Data Privacy Framework in July 2021. However, since the UK is currently not part of the European Union, a separate Data Bridge is required for the transfer of personal data from the UK to the US. The Information Commissioner's Office (ICO) in the UK has expressed concerns about the Data Bridge, arguing that sensitive data may not be appropriately protected by it. The ICO is particularly concerned about the differing definitions of "sensitive data" in the Data Bridge and the UK's General Data Protection Regulation (GDPR), potentially leading to lesser protections for certain categories of personal data. Further concerns have been raised about the lack of protections for criminal offence data in the US equivalent to those of the UK’s Rehabilitation of Offenders Act 1974. The Data Bridge also does not include provisions for rights similar to the UK GDPR, particularly for decisions based on automated processing and the right to be forgotten. Companies unable to rely on the Data Bridge for personal data transfers to the US can resort to other safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
2023-10-11 12:19:50 theregister CYBERCRIME Critical Vulnerabilities Patched in Curl, Libcurl; Project Founder Calls It "Worst Security Flaw" in a Long Time
The curl project has released updates to address two security flaws in libcurl and in the curl command line transfer tool. The more severe vulnerability, identified as CVE-2023-38545, is a heap-based buffer overflow triggered when hostnames exceed 255 bytes. The buffer overflow could lead to data corruption or execution of arbitrary code during a slow SOCKS5 proxy handshake. The curl project stated that an attacker may exploit the vulnerability using a malicious HTTPS server redirecting to a specific URL designed to trigger the heap buffer overflow. Applications using libcurl versions 7.69.0 to 8.3.0 are advised to upgrade to 8.4.0 swiftly, particularly those that have not set the preferred receive buffer size or have set it to smaller than 65541 bytes. The second identified flaw, CVE-2023-38546, is a less severe cookie injection vulnerability affecting only libcurl, with a low likelihood of exploitation. Despite an early leak of the patch details for CVE-2023-38545 by Red Hat's CentOS Stream project, the patches were officially released on schedule, rectifying the vulnerabilities. The project founder, Daniel Stenberg, acknowledged that the flaws could have been avoided had curl been written in a memory-safe language, but there are no current plans to switch from C. Stenberg did state, however, that replacing curl's HTTP backend with the Rust-based Hyper remains under consideration, albeit proceeding at a slow pace.
2023-10-11 12:19:50 thehackernews CYBERCRIME Microsoft Issues Patch for 103 Software Flaws, Some Under Active Exploitation
Microsoft has updated its software, addressing 103 vulnerabilities, two of which are actively exploited in the wild. Out of the 103 flaws, 13 are rated Critical and the remaining 90 are rated Important. In addition, 18 security vulnerabilities have been addressed in the Edge browser since the second Tuesday of September. The two weaponized zero-days require the attacker to first log on to the system and then run a crafted application to exploit the vulnerability. Microsoft also fixed flaws in Microsoft Message Queuing (MSMQ) and the Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS) attacks. A severe privilege escalation bug in Windows IIS Server, allowing an attacker to impersonate and log in as another user through a brute force attack, was also resolved. Microsoft also released an update for the HTTP/2 Rapid Reset attack, exploited as a zero-day to perform hyper-volumetric distributed denial-of-service (DDoS) attacks. Lastly, Microsoft announced the deprecation of Visual Basic Script, often exploited for malware distribution. It will soon become a feature on demand before its removal from the operating system.
2023-10-11 12:19:50 thehackernews CYBERCRIME Improving Organizational Security by Tackling Password Reuse with Specops Software
Password reuse is a significant security issue, with 65% of users admitting to reusing credentials across multiple sites and 64% of exposed credentials belonging to employees of Fortune 1000 companies being reused. Around 80% of all data breaches stem from lost or stolen passwords, often taken from one system and used to gain unauthorized access to other systems. Weak or reused passwords can provide cybercriminals with access to sensitive company data or facilitate the deployment of ransomware across the network. Current password security measures like multi-factor authentication (MFA) may not be entirely sufficient, as attackers can still bypass these systems, particularly if they have obtained the user's password. Specops Password Policy enables a stronger password policy that blocks the use of known or compromised passwords and can continuously check passwords against a database of breached ones. Specops' Breached Password Protection feature utilizes a honeypot system and updated lists of password leaks to ensure continual security protection for IT systems.
2023-10-11 04:17:55 thehackernews NATION STATE ACTIVITY Microsoft Identifies Nation-State Actors Exploiting Atlassian Confluence Critical Vulnerability
Microsoft has linked the exploitation of a critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as Storm-0062. The vulnerability, tracked as CVE-2023-22515 and rated 10.0 on the CVSS severity scale, enables remote attackers to create unauthorized Confluence administrator accounts and access servers. The company's threat intelligence team detected in-the-wild abuse of the vulnerability as of September 14, 2023, but the full extent of the attacks remains uncertain. Oro0lxy, an alias linked to Storm-0062, is associated with Li Xiaoyu, a Chinese hacker previously accused by the U.S. Department of Justice (DoJ) of infiltrating hundreds of companies in the U.S., Hong Kong, and China, including COVID-19 vaccine research developer Moderna. Xiaoyu, allegedly operating under the Guangdong regional division of China's MSS, faces accusations from the DoJ of data theft both for personal gain and in service of the Chinese government. Organizations using Confluence applications are advised to upgrade to the latest versions and isolate their instances from public internet access until the necessary security fixes are in place.