Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11541

Checks for new stories every ~15 minutes

2023-09-22 16:44:49 bleepingcomputer CYBERCRIME Apple Releases Emergency Security Updates to Patch Three Zero-Day Vulnerabilities
Apple has released emergency security updates to tackle three zero-day vulnerabilities that have been exploited in attacks against iPhone and Mac users. Two of the identified bugs were found in the WebKit browser engine and the Security framework. These allowed for arbitrary code execution via maliciously crafted webpages and signature validation bypass using harmful apps. The third vulnerability was spotted in the Kernel Framework and could potentially enable local attackers to escalate privileges. Apple addressed the flaws in several operating systems, including macOS, iOS, iPadOS, and watchOS. The company confirmed it was aware of previous exploitation against older versions of iOS. These zero-day vulnerabilities were discovered and reported by researchers from the Citizen Lab at The University of Toronto's Munk School and Google's Threat Analysis Group. In the past, similar flaws have been abused in spyware attacks on high-risk individuals. Citizen Lab disclosed two other zero-days that had also been abused previously to infect fully patched iPhones with NSO Group's Pegasus spyware. These vulnerabilities were patched by Apple earlier in the month. So far this year, Apple has also addressed a total of 16 zero-day vulnerabilities.
2023-09-22 16:44:49 bleepingcomputer CYBERCRIME GitHub Makes Passkeys Generally Available for Secure Passwordless Logins
GitHub has announced the widespread introduction of passkeys to allow secure and passwordless logins for all users, further reducing the risk of data breaches. Passkeys, which are linked to specific devices, provide added protection against phishing attacks and unauthorized access attempts. The feature enhances user security and experience by negating the need to memorize separate passwords for different websites or applications. The move follows GitHub's public beta testing of passwordless authentication, started in July, which has been adopted by tens of thousands of developers. Users can register for one or more passkeys via their account's security settings. This development follows Microsoft, Apple, and Google's efforts to improve passkey support across their platforms. GitHub has taken several steps towards enhancing account security over the years, including making two-factor authentication mandatory for all active developers and implementing sign-in alerts.
2023-09-22 16:44:49 bleepingcomputer CYBERCRIME ‘Sandman’ Threat Actor Targets Telecom Providers with New LuaDream Malware
The 'Sandman' threat actor is targeting telecommunications providers in the Middle East, Western Europe, and South Asia using a new info-stealing malware called 'LuaDream'. The actor was identified by SentinelLabs in collaboration with QGroup GmbH. 'Sandman' typically gains access to networks using stolen admin credentials, then uses "pass-the-hash" attacks to move laterally within the network and maintain access for long-term cyberespionage operations. The LuaDream malware, named after the LuaJIT compiler it uses, is a modular malware deployed via DLL hijacking on targeted systems. It collects data, manages plugins that extend its functionality, and is being actively developed, as indicated by the version strings observed. The malware uses a seven-step in-memory staging process to evade detection. Anti-analysis measures include DLL files built shortly before each attack, suggesting they are tailored to specific intrusions. Analysis identified 34 components, 13 core and 21 support, which use LuaJIT bytecode and call the Windows API via the ffi library. LuaDream connects to a command and control (C2) server upon initialization and sends information about the malware version, IP/MAC addresses, and OS details. SentinelLabs has identified the specific plugins deployed in each attack but believes there may be others. While parts of Sandman's custom malware and its C2 server infrastructure have been exposed, the actor's origin is still unknown. Sandman is one of several advanced attackers targeting telecom companies for espionage with unique, stealthy backdoors.
2023-09-22 16:44:49 bleepingcomputer CYBERCRIME Hackers Target Hotels to Obtain Credit Card Information Via Fake Booking.com Page
Cybersecurity researchers have identified a multi-step hacking campaign targeting the hospitality industry (hotels, booking sites, travel agencies) to steal customer financial data. The campaign involves infecting hotel systems with info-stealing malware, and then using this access to set up phishing schemes against customers. Once the system is infected, the hackers can manipulate official communications with genuine customers, sending them messages appearing to come from the compromised hotel or booking service. Such messages include requests for additional credit card verification and are written professionally in order to avoid arousing suspicion. The customer is then directed to a fake Booking.com payment page, which looks legitimate but is designed to steal credit card information. Users are cautioned to avoid clicking on unsolicited links and to contact the company directly for more information if they receive an unusual request, particularly one requiring immediate action.
2023-09-22 16:44:49 bleepingcomputer DATA BREACH Unauthorized Retailer Believed to be Source of Alleged T-Mobile Data Leak
T-Mobile has denied recent claims that it has experienced yet another data breach. An 89 GB ZIP archive containing employee IDs, job information, customer orders and more was posted online, allegedly containing data from T-Mobile and Connectivity Source, a T-Mobile authorized retailer. The claim initially caused concern because of T-Mobile's history of data breaches: nine since 2018, two of them in 2023. Investigations indicate that this leak is likely associated with Connectivity Source, which had disclosed a breach earlier in the year. Connectivity Source said that about 17,835 employees were affected by the breach, but that no customer data was included in the leaked information. Even without customer data, the leaked employee data could still be exploited by threat actors for targeted phishing or SIM swapping attacks. All Connectivity Source employees have been cautioned to be vigilant about suspicious emails.
2023-09-21 16:53:43 bleepingcomputer DATA BREACH Pizza Hut Australia Notifies 193,000 Customers of a Data Breach
Pizza Hut Australia has issued data breach notifications to 193,000 customers following a cyberattack that allowed hackers unauthorised access to their personal information. Amongst the data breached were customer records and online transactions data stored on the Pizza Hut Australia customer database, potentially including partial financial information and encrypted account passwords. Although the company stated that account passwords underwent "one-way encryption", affected customers are advised to update their passwords and stay vigilant for potential phishing attacks and suspicious links sent via unsolicited communications. The company reported that the incident affected only a small number of customers and the Office of the Australian Information Commissioner (OAIC) has been fully informed about the situation. In unrelated events, there were earlier claims by notorious data broker 'ShinyHunters' of stealing the data of 1 million customers from Pizza Hut Australia via an unprotected Amazon Web Services (AWS) endpoint between July and August 2023; however, it's unclear whether the recent breach is related to these allegations. Earlier in 2023, Pizza Hut's parent company, Yum! Brands was targeted by a ransomware attack which led to the theft of employee information from its networks but there was no evidence to suggest customer data was impacted in this incident.
2023-09-21 15:58:12 theregister MISCELLANEOUS Cisco Acquires Data Crunching Software Firm Splunk in $28B Cybersecurity Push
Cisco has announced its most expensive acquisition to date, purchasing software firm Splunk for approximately $28 billion. The deal is expected to be finalized by Q3 of 2024. Once completed, Splunk CEO Gary Steele will join Cisco's executive team, reporting directly to Cisco's CEO Chuck Robbins. The deal is projected to be cash flow positive and to add to Cisco's gross margins this year, and is expected to enhance the company's earnings per share by next year. Cisco plans to incorporate Splunk's analytics into its operations, creating a cybersecurity model geared towards threat prediction and prevention rather than threat detection and response. The acquisition aims to strengthen Cisco's security analytics and extend its security coverage from devices to applications to clouds. Robbins claims that the merger supports the application of generative AI in transforming industries and creating new opportunities, giving customers visibility into their data. Post-acquisition, the future of Splunk's employees and the Splunk brand remains unclear, with firmer plans expected closer to the closing of the deal. Regulatory approvals and shareholder consent may still pose obstacles to the acquisition.
2023-09-21 14:03:14 thehackernews MALWARE P2PInfect Malware Witnesses 600x Activity Surge, Adopts New Attack Methods
The P2PInfect malware has seen a surge in activity since the end of August 2023, with a 600x jump between the 12th and 19th of September. The proliferation has coincided with the emergence of multiple variants of the virus, suggesting fast-paced development by the malware's creators, primarily impacting China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. Initially discovered in July 2023, P2PInfect focused on attacking poorly secured Redis instances, but has now included the abuse of the database's replication feature to deliver the malware. The malware employs a persistence mechanism, leveraging a cron job to start the malware every 30 minutes. It also supports a secondary method to retrieve and execute a copy of the malware binary if it's deleted or the main process is terminated. The malware has been found to overwrite SSH authorized_keys files with an attacker-controlled SSH key, effectively keeping existing users from logging in over SSH, a step that requires the malware to have root access. The exact goals of the P2PInfect malware are unclear, as while the code fetches a crypto miner payload, there's no evidence of cryptomining to date. It is speculated those behind the botnet may be waiting to roll out additional functionalities or looking to sell access to the botnet.
2023-09-21 11:41:35 thehackernews MALWARE The Threat of Malicious Apps in SaaS Environments
Malicious apps are becoming a growing threat in Software-as-a-Service (SaaS) environments, where employees often integrate them to augment productivity. These apps connect to "hub" apps such as Salesforce, Google Workspace, or Microsoft 365, but unlike legitimate third-party apps, they perform unauthorized activities with the data. The threat lies in the range of permissions the apps request, which once granted can enable them to read, update, create, and delete content. Threat actors get these apps connected through sophisticated phishing attacks or by publishing them in app stores with the malicious functionality hidden within. Identifying and mitigating these risks requires SaaS Security Posture Management (SSPM) solutions that provide visibility into the third-party apps connected to hub apps and their respective permissions. Proper security settings, preventive measures such as admin approval for app connections, and SSPMs with AI capabilities can help detect and prevent malicious activity by these apps. Identifying over-broad permission sets, or using AI to detect anomalies that indicate an app's malicious nature, can help secure the SaaS environment.
2023-09-21 11:22:48 theregister DATA BREACH UK Data Watchdog Fines Five Companies for Illegally Phoning TPS-Registered Members
The UK Information Commissioner's Office (ICO) has fined five businesses a total of £590,000 (~$726,000) for making illegal cold calls in violation of data protection laws. The penalized companies, SGS Home Protect, Cover Appliance Ltd, F12 Management, HouseHold Appliance 247, and RHAP, were found to have made a collective 1.9 million cold calls to individuals registered with the Telephone Preference Service (TPS), without their consent. Since October 2021, the ICO has fined 16 companies a total of £1.45 million for disregarding the Privacy and Electronic Communications Regulations and infringing privacy norms. Two of those companies, Crown Glazing and Maxen Power Supply, were fined in June for making the majority of the illegal calls. In April, recruitment business Join The Tribe Ltd was fined £130,000 (~$160,000) for sending 107 million spam emails. The ICO is continuing its crackdown on such practices to protect individuals registered with the TPS from cold callers and unsolicited marketing.
2023-09-21 11:13:13 theregister CYBERCRIME Signal Implements New Key Agreement Protocol to Protect Against Future Quantum Computers
Signal has transitioned from the X3DH key agreement protocol to the new PQXDH, providing additional security against the potential future threat of quantum computers. Quantum computers currently available do not have enough qubits to pose a threat to public-key cryptography, but should a sufficiently powerful quantum computer be developed, it could derive private keys from public ones. Researchers worldwide, including those in countries identified as adversaries by the US, are actively working toward this goal. Most recently, Oded Regev, a computer science professor at New York University, has proposed a new quantum factoring algorithm that may be more efficient than Peter Shor's algorithm. The US National Institute of Standards and Technology (NIST) has selected four algorithms, including CRYSTALS-Kyber, for its post-quantum cryptographic standard, and private sector firms are starting to implement technology to keep data secure after the expected quantum leap. Signal's new PQXDH protocol uses both X25519 and CRYSTALS-Kyber and combines the two resulting secrets, so an attacker would need to break both in order to derive the shared secret key. The Signal client software now supports PQXDH, and the older X3DH protocol will be disabled within a few months, to better protect current and past data against future quantum computers. Further mitigations against the threat of an active quantum computer intercepting and eavesdropping on chat communications are anticipated.
2023-09-21 11:13:13 theregister CYBERCRIME International Criminal Court Hit by Cyber Attack Amid Russia War Crimes Probe
The International Criminal Court (ICC) has experienced a breach of its IT systems, with the cybersecurity incident still ongoing. Additional security measures are being applied to mitigate the impact, according to a statement from the ICC. The statement did not provide details on who was behind the attack, how it happened, whether data was stolen, or whether the breach had been fully contained. The ICC has said it is enhancing its cybersecurity framework in response. The ICC is currently investigating alleged war crimes committed by Russia during the invasion of Ukraine. In March, the ICC issued arrest warrants against Russian President Vladimir Putin and Commissioner for Children's Rights Maria Lvova-Belova, related to claims of transporting children from occupied areas of Ukraine to Russia. Security expert Jelle Wieringa stated that the ICC's holding of criminal case data makes it a "prime target for cyberattacks" as it offers bad actors the potential to disrupt international criminal justice proceedings. The ICC attack follows a series of recent high-profile ransomware attacks on organizations including the Greater Manchester Police in the UK, the US-Canada International Joint Commission, and two Las Vegas casino and hotel chains.
2023-09-21 11:13:13 theregister DATA BREACH Pizza Hut Australia Suffers Data Breach Impacting 190,000 Customers
Pizza Hut's Australian branch experienced a data breach, exposing the personal details of around 190,000 customers. Information accessed included names, delivery addresses, email addresses, phone numbers, and order histories. The company discovered the breach in early September, quickly secured its systems, and enlisted forensic and cyber security experts to investigate the nature and impact of the breach. This is not the first cyber security issue for the pizza chain: its UK and US operations were subject to a ransomware attack in January 2023, its customer loyalty accounts were compromised in 2019, and in 2017 customer credit card numbers were leaked due to a temporary security intrusion. The incident underlines the apparent lack of effective information security measures among fast food chains, with previous breaches reported at KFC, McDonald's South Korea, and White Castle. Pizza Hut now faces potential reputational damage and the need for additional cybersecurity enhancements, reflecting the increasing importance of data protection in the fast food sector.
2023-09-21 11:13:13 theregister CYBERCRIME US Authorities Warn of Rising Snatch Ransomware Threats
The Snatch ransomware crew has claimed the Florida Department of Veterans Affairs as one of its most recent victims. However, due to a lack of confirmation from the department, it remains unclear if any veteran data was actually stolen. Snatch is a ransomware-as-a-service operation known for compromising a variety of critical infrastructure sectors, including defense companies, food and agriculture, and IT firms. The group is notorious for data theft and double extortion tactics whereby stolen data is posted on the Snatch extortion blog if ransoms are not paid. The FBI and CISA have issued a joint advisory warning against the expanding threat and provided ways to detect compromise through Snatch's activity methods. Snatch affiliates primarily gain access by brute forcing Remote Desktop Protocol (RDP) deployments, obtaining admin credentials and often buying stolen or leaked RDP credentials to sneak into organizations' networks. The criminals are known to establish a lasting presence on the network, using various tactics to move laterally, and find and steal information, spending as long as three months on some victim networks. Finally, organizations are advised to closely monitor their use of remote access tools to minimize the risk of a Snatch invasion.
2023-09-21 11:13:13 theregister CYBERCRIME Major Indian Tech Hubs Identified as Hotspots for Surging Cybercrime Levels
India is facing a significant increase in cybercrime rates, with technology centers such as Bengaluru and Gurgaon recognised as focal points for this criminal activity, according to a report from the Future Crime Research Foundation (FCRF). Despite housing less than 0.2 percent of India's population, Gurgaon district accounted for 8.1 percent of reported cybercrime, which FCRF attributes to its status as a prominent corporate and IT hub, viewed as an attractive target by cybercriminals. Global tech companies such as Google, Microsoft, IBM India, Accenture, Cognizant, Infosys, and Wipro all have offices in Gurgaon, with disparities in digital literacy and cybersecurity awareness potentially driving criminal activity. Bangalore, known as India's "Silicon Valley", with its multitude of IT companies, has also been identified as an emerging hotspot for cybercrime. The report found that Bharatpur topped the list, accounting for 18 percent of cybercrime across India. The limited employment opportunities, lack of digital literacy, and presence of major urban centers were noted as contributing factors. The study also revealed that of all reported cybercrimes in India, nearly half (47.25 percent) involved Unified Payments Interface (UPI) fraud, while financially motivated crime accounted for 77.41 percent of all incidents.