Daily Brief
Total articles found: 12611
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-15 23:12:37 | bleepingcomputer | DATA BREACH | Samsung UK Online Store Hit by Data Breach Exposing Customer Data | Samsung informs customers of a data breach affecting the UK online store, exposing personal information. The breach was due to a hacker exploiting a third-party application vulnerability. Customers who made purchases between July 1, 2019, and June 30, 2020, are affected. Exposed data may include names, contact details, and addresses, but financial data and passwords are secure. The incident is confined to the UK and does not impact US customers, employees, or retailers. Samsung has reported the issue to the UK's Information Commissioner's Office and taken steps to address the security breach. This marks Samsung's third data breach of the year, with previous incidents in March and July. |
| 2023-11-15 20:18:49 | bleepingcomputer | CYBERCRIME | Fraudsters Impersonate Crypto Experts in Phishing Scam Campaign | Scammers are spoofing accounts of known cryptocurrency researchers and blockchain security firms to promote phishing pages. The campaign involves fake security breach alerts, tricking users into visiting malicious websites under the guise of protecting their assets. Impersonated accounts include CertiK, ZachXBT, and Scam Sniffer, exploiting their credibility to deceive users. Despite warnings from legitimate sources, bot accounts helped amplify the scam, making related hashtags trend on social media platforms. To date, the scammers have stolen over $305k in cryptocurrency by convincing users to interact with a fake "Revoke Approvals" system on malicious sites. Impersonation of legitimate figures in the crypto community is becoming a common tactic for phishing operations, requiring users to verify information and exercise caution. Users are reminded to verify the authenticity of claims, consult official sources, and avoid connecting wallets to suspicious platforms or signing untrusted smart contracts. |
| 2023-11-15 19:27:30 | bleepingcomputer | CYBERCRIME | Citrix Hypervisor Patched to Thwart "Reptar" CPU Vulnerability | Citrix has issued hotfixes for Citrix Hypervisor targeting two vulnerabilities, including a high-severity Intel CPU flaw known as "Reptar". The addressed vulnerabilities are identified as CVE-2023-23583, affecting Ice Lake and later Intel processor generations, and CVE-2023-46835, specific to Citrix Hypervisor 8.2 with certain AMD CPUs. CVE-2023-23583, disclosed by Intel, could cause system crashes or privilege escalation, although the likelihood of exploitation is deemed low. The flaw could allow guest VM code to compromise the VM and potentially the host system. CVE-2023-46835 concerns a scenario where privileged code in a guest VM might compromise an AMD-based host via a passed-through PCI device. The hotfixes also include updated Intel microcode to help mitigate these hardware issues. Detailed instructions for applying the hotfixes are available on Citrix's Knowledge Center. |
| 2023-11-15 19:22:13 | bleepingcomputer | DATA BREACH | Toronto Public Library Hit by Ransomware, Personal Data Compromised | The Toronto Public Library (TPL) suffered a ransomware attack that resulted in theft of personal information including employee, customer, volunteer, and donor details. Compromised data includes names, social insurance numbers, birth dates, home addresses, and government-issued ID copies dating back to 1998. The main cardholder and donor databases remained unaffected, but some data on the compromised server may have been exposed. TPL has not paid any ransom and is working with cybersecurity experts to investigate, while also reporting the incident to relevant authorities. The Black Basta ransomware group is believed to be behind the attack after a ransom note was seen on a TPL workstation. Black Basta, emerging in April 2022, allegedly has ties to the Conti ransomware group and the FIN7 cybercrime gang, and has targeted multiple high-profile entities. |
| 2023-11-15 18:34:28 | theregister | CYBERCRIME | Google Workspace Flaws Enable Local Machine Password Theft | Researchers exposed novel weaknesses in Google Workspace that allow for password decryption and potential ransomware attacks. The vulnerabilities discussed can lead to data exfiltration and allow access to Google Cloud Platform (GCP) services with custom permissions. Google has stated these issues won't be fixed as they are considered to be outside of its threat model and should be mitigated by user security. The attacks exploit Google Credential Provider for Windows (GCPW) and can lead to the theft of plaintext passwords and the bypass of multi-factor authentication (MFA). Attackers can steal refresh tokens stored in the Windows registry or the Chrome profile to access various Google services. Bitdefender's report also highlights the risk of lateral movement through cloned virtual machines using a common password. Experts stress the importance of organizational security measures, as threat actors commonly exploit these types of vulnerabilities. |
| 2023-11-15 17:48:17 | bleepingcomputer | CYBERCRIME | FBI and CISA Issue Alert on Rising Rhysida Ransomware Threat | The FBI and CISA have issued a warning regarding the Rhysida ransomware gang's attacks on various organizations in multiple sectors. Rhysida emerged in May 2023 and gained notoriety for breaching the Chilean Army and leaking data, as well as targeting healthcare organizations. The joint cybersecurity advisory includes IOCs, detection information, and TTPs to assist defenders. The ransomware, operating as RaaS, has affected the education, healthcare, manufacturing, IT, and government sectors, exploiting weak security such as the absence of MFA. Rhysida's tactics include phishing attacks and exploiting the critical Zerologon vulnerability (CVE-2020-1472). Some affiliates of the Vice Society ransomware group have switched to using Rhysida ransomware payloads in their attacks. Defenders are advised to prioritize patching exploited vulnerabilities, enable MFA, and implement network segmentation as mitigations against ransomware incidents. |
| 2023-11-15 16:16:06 | bleepingcomputer | DATA BREACH | Medical Transcription Firm's Cyberattack Affects 9 Million Patients | PJ&A, a medical transcription service provider, experienced a cyberattack that compromised the data of nearly 9 million patients. The network breach occurred between March 27 and May 2, 2023, and the company began notifying affected individuals on October 31, 2023. Exposed data includes personal health information, but financial details and account credentials were not accessed. The total number of impacted patients was confirmed by a report to the U.S. Department of Health and Human Services Office for Civil Rights. Cook County Health and Northwell Health, both major healthcare providers, are among the entities impacted by the breach, with CCH ending its relationship with PJ&A. Over 3.8 million Northwell Health patients had their sensitive information stolen over a period of about two weeks due to PJ&A's network being compromised. An additional four million patients associated with various other healthcare providers have yet to be notified about their data exposure. |
| 2023-11-15 15:34:52 | thehackernews | CYBERCRIME | U.S. Government Dismantles IPStorm Botnet; Operator Pleads Guilty | The U.S. dismantled the IPStorm botnet, and its Russian-Moldovan creator pleaded guilty to cybercrimes. Sergei Makinin developed malware that infiltrated devices globally across multiple operating systems from 2019 to 2022. Infected devices were turned into proxies for profit, with access sold to other cybercriminals via specific websites. The botnet utilized the InterPlanetary File System (IPFS) peer-to-peer network to disguise malicious traffic. Makinin, facing up to 30 years in prison, profited at least $550,000 from the botnet scheme. The plea agreement includes the forfeiture of cryptocurrency wallets associated with the criminal activity. Collaboration between law enforcement and the cybersecurity sector was pivotal in leading to the botnet's takedown and the perpetrator's arrest. |
| 2023-11-15 15:03:41 | bleepingcomputer | MISCELLANEOUS | Understanding and Addressing the OWASP Top 10 Web App Vulnerabilities | The article emphasizes the importance of the OWASP Top 10 as a resource for identifying critical web application security risks, valuable for developers and security professionals. The OWASP Top 10 outlines prevalent vulnerabilities such as Broken Access Control, Cryptographic Failures, and Injection Flaws, offering guidance for testing and mitigating these issues. The list also includes Insecure Design, Security Misconfiguration, and the use of Vulnerable and Outdated Components, pinpointing common areas of neglect that can lead to security breaches. Flaws in Identification and Authentication, Software and Data Integrity Failures, and Security Logging and Monitoring reflect deeper systemic issues within web application frameworks. Server-Side Request Forgery (SSRF) highlights complex attack vectors that exploit the web application's interaction with other internal or external systems. The article underscores the necessity for regular security testing and vigilance, especially as rapid development cycles can introduce new vulnerabilities. Pen Testing as a Service (PTaaS) is presented as a solution for continuous security testing, combining manual and automated penetration tests to ensure overall application security. |
| 2023-11-15 15:03:41 | bleepingcomputer | CYBERCRIME | Impersonation Scam Targets Cryptocurrency Holders on Social Media | Fraudsters are using fake social media accounts to impersonate cryptocurrency scam investigators and blockchain security companies. The scammers promote phishing sites by warning users of non-existent security breaches in cryptocurrency exchanges like Uniswap and OpenSea. Victims are deceived into visiting malicious websites that claim to help safeguard their assets by revoking permissions, ultimately leading to fund theft. Notable figures and organizations in the crypto community have been impersonated, including CertiK and ZachXBT, with scammers creating similar-sounding social media account names. The fraudulent campaign was significant enough to trend hashtags related to the fake exploits within the U.S. Even savvy community members, such as vx-underground, have been tricked into sharing the scam information, highlighting the effectiveness of the impersonation tactic. The article advises users to be vigilant by double-checking the authenticity of accounts and claims before taking action to protect their assets, and to use cold wallets for enhanced security. |
| 2023-11-15 14:01:39 | theregister | NATION STATE ACTIVITY | FBI Urges Congress to Maintain Current FISA Surveillance Powers | FBI Director Christopher Wray appealed to US lawmakers to preserve FISA Section 702 without new warrant requirements. Section 702, set to expire in December, allows warrantless spying on foreign communications, incidentally collecting data on US persons. Law enforcement agencies argue that a proposed amendment requiring warrants would effectively cripple surveillance capabilities. A bipartisan bill suggests reforming Section 702, adding new limits and warrant requirements for surveilling US person data, with some exceptions for emergencies. The White House and FBI strongly oppose the warrant requirement, considering it a non-negotiable "red line." Wray conceded past FBI abuses of Section 702 but emphasized steps taken to improve compliance and accountability. The FBI has implemented measures to reduce unauthorized queries and introduced consequences for misuse, including potential dismissal. |
| 2023-11-15 13:56:20 | theregister | MISCELLANEOUS | Enhance Cybersecurity Skills with Free SANS Training Resources | SANS Institute offers complimentary resources to cybersecurity professionals to enhance knowledge and skills. Access to a range of open-source cybersecurity tools is available for free to aid in efficient and cost-effective security implementation. Free workshops provide hands-on experience with new tools and techniques, moderated by leading industry instructors. SANS provides informational posters and cheat sheets on various topics including Cloud Security and Incident Response at no charge. Cybersecurity webcasts from SANS feature quality speakers discussing various security topics, accessible live and for free. The SANS blog delivers insights into Cloud Security, Industrial Control Systems, and other cybersecurity areas, aiding in continuous learning. Virtual summits hosted by SANS allow global cybersecurity professionals to learn, network, and exchange information. Individuals and organizations can join the SANS community for free to leverage these valuable educational resources. |
| 2023-11-15 13:51:01 | thehackernews | CYBERCRIME | Stealth Exploit for Critical Apache ActiveMQ Vulnerability | A newly discovered technique allows attackers to execute code in memory by exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604. The flaw has a severity rating of 10.0 and was patched in recent ActiveMQ versions, but it is actively being exploited by ransomware groups. Ransomware such as HelloKitty and a variant akin to TellYouThePass, along with SparkRAT, a remote access trojan, have been deployed using this vulnerability. Researchers at VulnCheck have developed an improved exploit that remains memory-resident, making it more stealthy and capable of obtaining a reverse shell. The exploit involves loading malicious XML through the ClassPathXmlApplicationContext or the newly mentioned FileSystemXmlApplicationContext without writing to the disk. Though the exploit is discreet, it still triggers an exception message in the activemq.log file, which attackers must clean up to avoid forensic detection. Security professionals are urged to patch their ActiveMQ servers and consider removing them from public internet access to mitigate the risk of this stealthy exploit. |
| 2023-11-15 10:42:12 | thehackernews | MISCELLANEOUS | Varonis' Strategy to Counteract Insider Threats Effectively | Insider threats pose a significant challenge due to the inherent access to sensitive data held by organization insiders. Varonis utilizes a data security triad approach, "sensitivity, access, and activity", to mitigate insider risks. Sensitivity involves the discovery, classification, and control of sensitive data, which Varonis automates through a preconfigured rule library that identifies PII, PCI, PHI, etc. Access control is achieved by limiting data exposure through least privilege automation and removing unnecessary access to reduce the insider attack "blast radius." Monitoring data activity is vital, as insider actions may not trigger standard alarms; Varonis' UEBA (User and Entity Behavior Analytics) establishes behavioral patterns and alerts on suspicious activities. Varonis provides real-time security posture visualization, automated remediation policies, and intelligent access management to limit insider threats. Organizations can quickly investigate security incidents with Varonis' detailed forensics log and incident response team support, improving proactive threat detection and response. |
| 2023-11-15 09:35:57 | theregister | CYBERCRIME | Ransomware Attackers Target Logs, Escalate Incident Response Challenges | Cybercriminals are increasingly disabling or wiping logging and telemetry capabilities to avoid detection, complicating incident response. In 42% of cases, organizations lacked the necessary logs to analyze security incidents properly, with attackers responsible for the absence in 82% of those cases. Attackers erase logs to evade identification and maintain access, impacting a quarter of affected organizations that already started with inadequate logging due to ignorance or resource constraints. Sophos emphasizes that complete and accurate logging is crucial for fast and effective incident response, allowing defenders to track attack origins and system activities. Microsoft and CISA offer free resources to enhance organizational logging capabilities, with Microsoft offering free logging on basic licenses and CISA maintaining the Logging Made Easy (LME) project. Ransomware attacks are getting faster, with "fast attacks" occurring within five days, and some supply chain attacks seeing ransomware deployment within six hours. |