Daily Brief

Total articles found: 11545

2023-09-26 17:04:45 thehackernews MISCELLANEOUS Microsoft rolls out passkeys in Windows 11 OS update
Microsoft has officially introduced support for passkeys in the Windows 11 edition of its desktop operating system. The feature offers password-free login to websites and applications using either a device PIN or biometric data. Passkeys, first announced in May 2022, are based on the FIDO standards, which are both strong and resistant to phishing, and have been adopted by other companies such as Apple and Google. Microsoft initially added passkey management in June 2023 via the Windows Insider program; the recent launch marks the feature's general availability. On Windows, passkeys can be created through Windows Hello, and users can manage their saved passkeys via Start > Settings > Accounts > Passkeys. Alongside passkeys, Microsoft revealed that it is also introducing Windows Hello for Business to enterprise-managed Windows 11 devices. This is designed to protect user profiles by enabling IT teams to establish a policy for Microsoft Entra ID connected machines. Other new features include enhancements to the Windows Firewall and a new Custom App Control option to ensure only approved and trusted applications are allowed on devices, with the aim of protecting endpoints from malicious code.
2023-09-26 17:01:06 bleepingcomputer CYBERCRIME Microsoft Windows 11 Update Introduces Built-in Passkey Manager to Mitigate Phishing Attacks
Microsoft's new Windows 11 update includes security improvements aimed at increasing online protection for users. A key feature is the Passkeys management dashboard, designed to streamline the move to passwordless authentication; because passkeys are bound to specific devices, they help defend against data breaches. Passkeys provide access using facial recognition, PINs, or fingerprints rather than traditional passwords, making them more difficult for threat actors to steal through phishing attacks. The need for stronger security measures is underscored by Microsoft's internal data, which reveals a three-fold increase in phishing attacks targeting user credentials since last year, totalling over 4,000 incidents every second. Also included in the update are tools for IT administrators: a new policy to block passwords across all Azure AD joined enterprise devices, Config Refresh to automatically revert all policies to a secure default state, and App Control for Business to ensure only trusted apps are running. These moves reflect an industry trend towards enhanced digital security, with tech giants such as Apple and Google also expressing support for passkeys and Web Authentication credentials.
2023-09-26 15:58:54 thehackernews CYBERCRIME ShadowSyndicate: New Cybercrime Group Linked to Multiple Ransomware Families
A new cybercrime group named ShadowSyndicate, also known as Infra Storm, has emerged and is believed to be associated with seven different ransomware families. The group has been active since July 16, 2022. Cybersecurity firms Group-IB and Bridewell issued the findings, noting that the group is linked to ransomware activity connected to the Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. ShadowSyndicate was identified using a distinct SSH fingerprint found on 85 servers, 52 of which were used for Cobalt Strike command-and-control. The majority of these servers are located in Panama. The group has also shown links to the TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations. Separately, German law enforcement conducted a second successful strike against actors connected with the DoppelPaymer ransomware group, arresting two key suspects in Germany and Ukraine. Reports indicate ransomware groups are continuously developing new extortion methods, making 2023 the second most profitable year after 2021. The rise in ransomware attacks has corresponded with a 12% increase in cyber insurance claims in the first half of the year, with an average loss exceeding $365,000.
2023-09-26 15:55:18 bleepingcomputer CYBERCRIME Google Reclassifies libwebp Zero-Day Bug as Critical Vulnerability
Google has assigned a critical severity rating of 10/10 to a libwebp security vulnerability (CVE-2023-5129), formerly tracked as a Chrome bug (CVE-2023-4863). The vulnerability was initially reported by Apple Security Engineering and Architecture and the Citizen Lab at the University of Toronto and was patched by Google within a week. The flaw is a heap buffer overflow in WebP, impacting Google Chrome versions before 116.0.5845.187, and it allows attackers to perform out-of-bounds memory writes using specially crafted HTML pages. The vulnerability, located within the Huffman coding used by libwebp for lossless compression, can result in severe consequences, including crashes, arbitrary code execution, and unauthorized access to sensitive information. The reclassification as a libwebp vulnerability is significant because the flaw initially went unrecognized as a security risk for the numerous projects that use libwebp, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers. Prompt action to address this vulnerability across these platforms is crucial to ensure user data security.
2023-09-26 15:36:20 bleepingcomputer CYBERCRIME New APT Group 'AtlasCross' Uses Sophisticated Phishing Attacks Disguised as American Red Cross
AtlasCross, a new Advanced Persistent Threat (APT) group, has been discovered launching sophisticated phishing attacks that impersonate the American Red Cross to deliver backdoor malware. Cybersecurity firm NSFocus identified two previously unknown trojans, DangerAds and AtlasAgent, associated with AtlasCross attacks. AtlasCross lures victims with phishing emails impersonating the American Red Cross and uses a macro-enabled Word document to deliver its malware. The group's origin remains undisclosed, and its sophisticated and evasive tradecraft has raised concerns among cybersecurity researchers. The DangerAds trojan acts as a loader for AtlasAgent, a custom C++ malware that executes additional shellcode, controls the launch of programs, downloads files from the attacker's servers, and collects host and process details. Despite NSFocus' report, AtlasCross remains a largely unknown threat with unclear motivations and selective targeting, suggesting a possibly long period of undetected activity.
2023-09-26 14:34:08 theregister DATA BREACH Cybercriminals Exploit MOVEit Vulnerability to Breach 3.4 Million Child Health Records in Ontario's BORN
The Better Outcomes Registry & Network (BORN) in Canada has reported a data breach of 3.4 million childcare health records, potentially impacting anyone who received pregnancy care or had a child born in Ontario between January 2010 and May 2023. Files containing personal health information were copied without authorization due to a vulnerability in the MOVEit file transfer platform developed by Progress Software. After discovering the incident on May 31, BORN isolated the affected server, stopped using the MOVEit software, and notified authorities. Over 2,000 organizations and over 60 million individuals have reportedly been affected by unpatched MOVEit installations, with the US the most impacted (88.8% of known victims), followed by Canada (4.7%), Germany (1.7%), and the UK (1%). The affected data included names, addresses, postal codes, birth data, and health card numbers; however, patient financial information, social insurance numbers, health card details, and email addresses were not exposed. The ransomware group Cl0p has claimed responsibility for the attack. BORN continues to monitor for fraudulent misuse of the breached data and has taken further security measures to prevent a similar incident in the future.
2023-09-26 14:20:58 bleepingcomputer CYBERCRIME Hackers Exploiting High Severity Flaw in Openfire Servers for Ransomware and Crypto Mining Attacks
Hackers are exploiting a high-severity vulnerability, CVE-2023-32315, in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers. The flaw is an authentication bypass in Openfire's administration console that allows unauthenticated attackers to create new admin accounts on vulnerable servers and install malicious Java plugins. It affects Openfire versions from 3.10.0 up to 4.6.7 and from 4.7.0 to 4.7.4, and despite being fixed in May 2023 with the release of versions 4.6.8, 4.7.5, and 4.8.0, over 3,000 Openfire servers were still running a vulnerable version by mid-August 2023. Attackers have exploited the flaw by creating new admin users and logging in to install a malicious JAR plugin that can execute any command; Dr. Web saw the first case of active exploitation in June 2023. The attackers use the Openfire flaw to run crypto mining operations, backdoor the servers, or extract sensitive information about the compromised server. Ransomware encryptions by an unknown strain using the .locked1 extension have also been reported, with ransom demands ranging from 0.09 to 0.12 bitcoin ($2,300 to $3,500). Security experts therefore encourage administrators to install all available security updates for their servers promptly.
2023-09-26 14:01:57 bleepingcomputer CYBERCRIME Strengthening Password Security Amid Cybersecurity Threats: A Look at Policy Options
Password-based authentication is an enduring cybersecurity weakness, as bad actors can obtain large numbers of stolen credentials via the dark web, potentially compromising both personal and business data. The predictability of human behavior compounds the problem, as many users opt for weak, easy-to-remember passwords or reuse the same password across multiple accounts. Brute-force attacks, which use automated login attempts to identify correct username and password combinations, are a common way of infiltrating systems. To mitigate these issues, measures such as limiting unsuccessful login attempts and implementing stronger password complexity requirements are suggested. Additionally, penetration testing of web applications can help catch vulnerabilities. Checking password choices against a continuously updated list of breached passwords can also bolster security, and users with compromised passwords should be prompted to change them immediately. A third-party password tool like Specops Password Policy may be useful for Windows-based networks that use Active Directory for identity and access management, as it offers comprehensive password policy enforcement and continuous compromised-password scanning.
2023-09-26 11:51:35 thehackernews MALWARE Xenomorph Banking Trojan Targets 35+ US Financial Institutions and Expands to Other Nations
Dutch security firm ThreatFabric has discovered an updated version of an Android banking trojan named Xenomorph. The malware now targets over 35 US financial institutions alongside others in Spain, Canada, Italy, and Belgium. The trojan uses phishing web pages to drive victims into installing malicious Android apps and targets a broader range of apps than its predecessors. Xenomorph, a variant of another banking malware named Alien, retains a feature that allows complete control over the victim's device, enabling unauthorized transfers of funds to the malware operator's account. The updated version includes various functionalities, such as anti-sleep features, a mimic feature for app impersonation, and overlays for stealing sensitive user information. The malware remains undetected for long periods by hiding its icon from the home screen and auto-granting itself permissions by abusing the device's accessibility services. While previous attacks spread through disguised apps on the Google Play Store, the latest wave in mid-August 2023 used counterfeit sites offering Chrome browser updates. Investigations reveal that the threat actors target multiple operating systems, with the same infrastructure also serving Windows stealer malware such as Lumma C2 and RisePro and the malware loader Private Loader.
2023-09-26 11:51:35 thehackernews CYBERCRIME Navigating the Complexities of Cybersecurity Compliance
Cybersecurity compliance refers to the fulfillment of rules, set by law, regulatory authorities, trade associations, or industry groups, regarding the protection of sensitive information and customer data. Different sectors have varying cybersecurity needs, and cybersecurity regulations often overlap across industries. For instance, a company in the EU that accepts credit card payments must comply with both the payment card industry's regulations (PCI DSS) and GDPR. A multitude of security frameworks and certifications such as SOC 2, ISO, HIPAA, Cyber Essentials, GDPR, and others serve different purposes and requirements, depending on the industry and business model, so the best-fit compliance standard should be chosen per individual business needs. Automated tools can aid businesses in complying with these standards, often incorporating elements such as risk assessments, encrypted data storage, vulnerability management, and incident response planning. Cybersecurity compliance can be complex and labor-intensive, but ignoring it can be extremely detrimental, resulting in breaches, settlements, damaged reputation, heavy fines, and potential loss of business opportunities. Automated platforms such as Intruder integrate with compliance platforms like Drata and can expedite auditing, reporting, and documentation, simplifying the compliance process.
2023-09-26 10:34:07 thehackernews CYBERCRIME High Tech Industry Most Targeted in Q2 2023, Reveals Fastly Threat Report
Fastly's Network Learning Exchange (NLX) Threat Report for Q2 2023 provides insights into the cyber threat landscape. The data reveals that the High Tech industry was targeted the most, accounting for 46% of attack traffic tagged with NLX. The Media & Entertainment sector experienced 56% more attacks tagged with NLX, while the Commerce industry experienced 36% more and the High Tech industry 24% more. NLX, a collective threat intelligence feed integrated in Fastly's Next-Gen WAF, helps identify and share potentially threatening IP addresses across all customer networks. Of the analyzed attacks, 32% were Traversal, 28% were SQL Injection, 20% were Cross Site Scripting, 13% were OS Command Injection, and 7% were Log4j JNDI lookups. Attack traffic patterns indicated malicious activity spanned multiple industries, with 69% of IPs targeting multiple customers and 64% targeting multiple industries. Autonomous System (AS) analysis revealed Akamai Connected Cloud, Amazon, M247 Europe SRL, DigitalOcean, and Scaleway as major sources of NLX traffic. The report stresses the importance of actionable intelligence, the use of signals, and inspecting traffic regardless of its source to enhance security and reduce exposure.
2023-09-26 09:50:33 thehackernews NATION STATE ACTIVITY Chinese State-Sponsored Hacker Group TAG-74 Launches Cyber Espionage Campaign Against South Korea
Chinese state-sponsored hacker group TAG-74 has launched a multi-year cyber espionage campaign targeting South Korea's academic, political, and government organizations. The attacks are reportedly linked to Chinese military intelligence and pose a significant threat to the academic, aerospace, defense, government, military, and political sectors in South Korea, Japan, and Russia. TAG-74 has targeted South Korean academic institutions in particular, in line with China's broader agenda of intellectual property theft and expansion of influence. The hackers use social engineering and Microsoft Compiled HTML Help (CHM) file lures to deploy a custom variant of an open-source Visual Basic Script backdoor called ReVBShell, which is then used to install the Bisonal remote access trojan. TAG-74 is said to be closely related to another Chinese hacking group, Tick, reflecting extensive tool sharing among Chinese threat groups. Security firm Recorded Future expects TAG-74's espionage activities to remain focused on South Korea for many years, while also hitting strategic targets within Japan and Russia.
2023-09-26 09:30:20 theregister NATION STATE ACTIVITY Russia-Ukraine Cyberwarfare Escalates as Russian Spies Hunt for Information on Alleged War Crimes
Ukraine's State Service of Special Communications and Information Protection (SSSCIP) reported that Russian cyber spies have doubled their espionage operations against Ukrainian servers, aiming to find evidence of alleged Russian war crimes. Typically, five serious incidents that require the involvement of Ukraine's Computer Emergency Response Team occur daily. Russian intelligence services have also increasingly targeted the private sector in efforts to monitor the results of kinetic operations, including missile and drone strikes, and to examine the strategies of government contractors and supply chain members. Despite the intensifying attacks, Ukraine claims it has halved its adversaries' success rate, recording only 27 critical cyber incidents in the first half of 2023 compared to the second half of 2022, with the energy grid attacked less frequently. The FSB's cyber unit, Gamaredon, was the most active throughout the year, going from 128 operations in 2022 to 103 in the first half of 2023. However, only 11 of these incidents were deemed of critical or high severity. Meanwhile, the destructive attacks were primarily orchestrated by the GRU's Sandworm and included erasing servers and data storage systems and disabling networks. The country's cybersecurity head, Victor Zhora, warns that he expects Russia's online assaults on Ukraine to persist long after the physical war ends.
2023-09-26 09:30:19 bleepingcomputer CYBERCRIME ShadowSyndicate Hackers Linked to Multiple Ransomware Operations
Security researchers discovered infrastructure linked to a hacking group known as ShadowSyndicate, believed to have deployed seven different ransomware families in attacks over the past year. The group may act as an initial access broker (IAB), with evidence suggesting affiliation with multiple ransomware operations. The threat actor's activity was identified based on a distinct SSH fingerprint found on 85 servers. ShadowSyndicate used various tools in its attacks, including the Sliver penetration-testing tool, the Matanbuchus malware-as-a-service loader, and the Metasploit Meterpreter payload. Analysis revealed that the 85 servers belonged to 18 different owners, 22 different network names, and 13 different locations. The researchers linked ShadowSyndicate's activity to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware attacks. While evidence suggests a connection to other high-profile ransomware operations, such as Ryuk, Conti, and Clop, a direct link is yet to be confirmed. Group-IB, the firm that discovered the infrastructure, invites external researchers to collaborate to further uncover the group's operations.
2023-09-26 09:30:19 bleepingcomputer DATA BREACH BORN Ontario Data Breach Affects SickKids Hospital and 3.4 Million Patients
The BORN Ontario data breach impacted 3.4 million people and has had significant effects on The Hospital for Sick Children, known as SickKids. The breach occurred through exploitation of a zero-day vulnerability in Progress MOVEit Transfer software. SickKids, along with many other Ontario healthcare providers, shares sensitive health information with BORN Ontario, a perinatal and child registry that collects and protects data relating to pregnancies and births. BORN Ontario uses this data to identify care gaps affecting individuals, connect information to suitable care providers, conduct health system quality assurance, and analyse data for emerging trends. The breach exposed, at a minimum, personal health information related to pregnancy, birth and newborn care, and depending on the type of care received, other data might also have been exposed. It is currently unclear how many SickKids patients and associates were affected, and the hospital refers those concerned to BORN Ontario's webpage for further details. This is the second major digital security blow SickKids has suffered recently, as it was targeted by the LockBit ransomware group in December last year.