Daily Brief


Total articles found: 12824

Checks for new stories every ~15 minutes

2025-01-16 20:14:43 bleepingcomputer MISCELLANEOUS Microsoft Enhances Admin Security Features in Windows 11
Microsoft has expanded testing for its Windows 11 admin protection feature among Windows Insiders. The admin protection employs a just-in-time elevation mechanism and Windows Hello authentication, enhancing security by requiring additional verification for administrative actions. Users can now enable admin protection directly from the Windows Security settings, making it more accessible to non-technical users. The feature ensures administrators operate with standard user permissions and must authenticate via PIN or biometric methods to gain elevated privileges. Admin protection is designed to be more secure than previous User Account Control (UAC) by using color-coded authorization prompts. Microsoft continues to innovate with upcoming features like Quick Machine Recovery and Config Refresh, targeting enhanced manageability and security. These developments are part of Microsoft’s Secure Future Initiative aimed at bolstering cybersecurity across its products. The admin protection feature is currently available in the Canary Channel for users of the Windows 11 Insider Preview Build 27774.
2025-01-16 19:18:57 theregister NATION STATE ACTIVITY Russian FSB-Backed Hackers Target WhatsApp Users in Espionage Drive
Microsoft has identified a new phishing campaign by Star Blizzard, linked to Russia's FSB, targeting WhatsApp accounts. The campaign involves emails that impersonate US government officials and invite victims to join a WhatsApp group using a QR code. The QR codes used are designed to deceive the recipient into linking their WhatsApp account to a device controlled by the hackers. Once linked, the hackers can access and exfiltrate messages from the compromised WhatsApp account using browser plugins. This new method marks a tactical shift for Star Blizzard, previously known for directly phishing for credentials. Microsoft and US Justice Department actions in October led to the seizure of over 180 websites used by Star Blizzard, momentarily disrupting their operations. Despite setbacks, Star Blizzard has shown resilience by quickly shifting tactics and continuing their espionage activities targeting governmental and defense sectors.
2025-01-16 18:53:25 bleepingcomputer NATION STATE ACTIVITY U.S. Imposes Sanctions on North Korean IT Networks and Supporters
The U.S. Treasury Department has sanctioned individuals and companies connected to North Korea's illegal IT work, aimed at funding its defense and weapons programs. Sanctions target North Korean front companies such as Korea Osong Shipping Co and Chonsurim Trading Corporation, their leaders, and a supporting Chinese firm, Liaoning China Trade. The sanctioned entities are accused of generating revenue for North Korea by employing IT workers overseas who engage in fraudulent activities. These IT workers, termed "IT warriors," use false identities to secure IT contracts globally, often masquerading as U.S.-based employees. North Korea retains up to 90% of the earnings from these workers, channeling the funds into its military and weapons programs. The U.S. measures include freezing assets of these entities within the U.S. and prohibiting American firms and citizens from transacting with them. The State Department has also set a reward of up to $5 million for information disrupting similar illegal IT operations by other North Korean entities. Enforcement actions extend to potential penalties against U.S. and international financial institutions that engage with the sanctioned parties.
2025-01-16 18:17:51 thehackernews NATION STATE ACTIVITY Star Blizzard Adopts New Tactic Using WhatsApp to Harvest Credentials
Russian group Star Blizzard, previously known as SEABORGIUM, has launched a spear-phishing campaign targeting WhatsApp users to harvest credentials. The group, active since 2012, traditionally targeted government, defense, and those associated with Ukraine through spear-phishing emails. The Microsoft Threat Intelligence team reports that this shift to exploiting WhatsApp QR codes aims to evade recent crackdowns by Microsoft and the U.S. Department of Justice. Targets include government and diplomacy sectors, defense policy researchers, and individuals aiding Ukraine against Russia. The campaign, which was active since early 2023 but wound down by November 2024, initiated attacks with an email containing a fake QR code. Following through the fraudulent QR code process could grant Star Blizzard access to victims' WhatsApp messages and data. Microsoft warns individuals in the targeted sectors to remain vigilant about emails with external links and QR codes.
2025-01-16 18:02:26 bleepingcomputer NATION STATE ACTIVITY Biden's Executive Order Enhances U.S. Cybersecurity Measures
President Biden signed an executive order aimed at enhancing U.S. cybersecurity defenses, particularly against foreign threats and ransomware. The order facilitates sanctions against entities targeting federal agencies and critical infrastructure, expanding on prior directives from the Obama era. Key areas of focus include unauthorized access to critical infrastructure, deployment of ransomware, and intrusion tactics often used by foreign actors. The new executive order builds on previous cybersecurity initiatives, including those aimed at strengthening critical infrastructure and modernizing national security systems. Deputy National Security Adviser Anne Neuberger highlighted the order's purpose to make cyberattacks costly and challenging for adversaries like China, Russia, Iran, and ransomware groups. The order also speaks to the broader strategy of portraying the U.S. as proactive and serious about thwarting cyber threats and safeguarding national security and economic stability. This executive order continues to designate and sanction individuals and entities involved in significant malicious cyber activities, updating critical criteria for these actions.
2025-01-16 17:36:58 theregister CYBERCRIME Enzo Biochem Settles Multi-Million Dollar Ransomware Lawsuit
Enzo Biochem has agreed to a $7.5 million settlement for a class-action lawsuit stemming from a 2023 ransomware attack. The settlement follows a $4.5 million penalty paid to three state attorneys general for the same incident, with New York's AG leading the charge. The ransomware attack resulted in the compromise of personal and health information of 2.47 million people. Post-attack, Enzo invested in substantial security upgrades including MFA, password policy improvements, an EDR system, and a 24/7 SOC. The significant security failings highlighted included poor credential management and lack of effective data encryption and multi-factor authentication. Enzo implemented a "Zero Trust" security framework following the attack to enhance data protection and system integrity. Despite these efforts, the company’s stock price dropped to its lowest value since 1991, reflecting the serious impact of the cyber incident.
2025-01-16 16:31:03 bleepingcomputer DATA BREACH Wolf Haldenstein Law Firm Reports Massive Data Breach Impacting Millions
Wolf Haldenstein law firm has disclosed a data breach affecting approximately 3.5 million individuals. The breach occurred on December 13, 2023, but complexities in data analysis and digital forensics caused significant delays in investigation progress. Personal data exposed includes sensitive information that could increase the risk of phishing and other targeted attacks. Despite detecting suspicious activity in 2023, the firm only finalized the identification of potentially affected individuals nearly a year later. Wolf Haldenstein has been unable to contact many affected individuals directly due to missing contact information. The firm has recommended additional security measures such as complimentary credit monitoring and advice on fraud alerts. The specific types of exposed data and the roles (clients, employees, etc.) of those impacted have not been fully disclosed. Anyone who might have been associated with the firm is advised to review the public statement and carry out additional checks.
2025-01-16 16:15:38 theregister MISCELLANEOUS Enhancing Cybersecurity: Proactive Strategies for 2025
Industry experts Vileen Dhutia from Rubrik and Tim Phillips from The Register will host a webinar on proactive data security and identity management strategies. The session is aimed at evolving cybersecurity from traditional methods to a holistic security strategy. Attendees will learn to transform reactive security measures into proactive ones, enhancing overall data protection. The webinar will introduce advanced tools and strategic practices designed to preemptively address emerging cybersecurity threats. A key focus is building a resilient organizational culture that prioritizes and continuously improves data security. The event is scheduled for 23rd January 2025 and aims to prepare organizations for future cybersecurity challenges. Sponsored by Rubrik, the webinar promises actionable insights to drive lasting organizational change in cybersecurity practices.
2025-01-16 16:10:15 bleepingcomputer DATA BREACH FTC Sues GoDaddy Over Inadequate Security and Multiple Data Breaches
The FTC has mandated that GoDaddy enhance its security measures after the company failed to adequately protect its hosting services. GoDaddy's inadequate security included lacking multi-factor authentication, poor software update management, and insufficient threat monitoring. These security shortcomings led to several significant breaches between 2019 and 2022, compromising customer websites and data. In specific incidents, attackers stole source code and installed malware, impacting GoDaddy's cPanel shared hosting environment. The FTC's proposed settlement requires GoDaddy to create a comprehensive information security program and undergo biennial reviews by an independent assessor. GoDaddy's misleading claims about its security measures affected millions of customers, especially small businesses relying on its services. Similar FTC actions include a recent order for Marriott International to establish a substantial data security program following significant breaches.
2025-01-16 15:19:30 theregister MISCELLANEOUS Raspberry Pi Awards $80,000 in Hacking Challenge to Enhance Security
Raspberry Pi offered cash prizes for hacking the OTP memory of its new RP2350 microcontroller to identify security vulnerabilities. Despite no initial winners, the challenge's prize was doubled to $20,000 and extended, attracting four successful entries. The hacks utilized advanced techniques such as power tampering, laser faults, and focused ion beams, all requiring physical access to the hardware. Following the hacks, $20,000 was awarded to each participant, underlining the company's commitment to "security through transparency." Raspberry Pi's approach contrasts with the more common "security through obscurity" strategies in the tech industry, promoting a proactive stance on disclosing and addressing vulnerabilities. The results prompted the need for hardware revisions to mitigate the demonstrated attack vectors, highlighting the challenge of balancing transparency with security needs. A new hacking challenge has been announced, continuing the cycle of testing and security enhancements.
2025-01-16 15:09:08 bleepingcomputer MALWARE New UEFI Secure Boot Flaw Allows Bootkit Installations, Requires Immediate Patching
A newly discovered UEFI Secure Boot vulnerability, identified as CVE-2024-7344, enables bootkits to bypass security protocols, even with Secure Boot activated. The flaw is associated with a Microsoft-signed application commonly used in third-party system recovery tools, allowing unauthorized UEFI binary loading. Exploitation involves substituting the system’s default OS bootloader with a compromised version and introducing a malicious binary file, all executed before the OS loads. The risk is elevated because affected applications, not necessarily present on a target system, could still facilitate an attack if the malicious loader is deployed independently. Security firm ESET reported the vulnerability to CERT/CC and collaborated with vendors to address the risk; a fix was issued and affected certificates were revoked in a recent Windows update. Microsoft and ESET have provided patches and additional PowerShell tools for admins to verify the application of revocations, aiming to curb any potential exploitation attempts. Users of the vulnerable software are encouraged to update their systems immediately to mitigate the risk and secure their boot processes.
2025-01-16 15:03:47 bleepingcomputer CYBERCRIME Rising Failures in Legacy MFA: A Guide to Next-Gen Solutions
The efficacy of traditional Multi-Factor Authentication (MFA) systems is declining amid sophisticated cyber threats including phishing and ransomware. State-sponsored cybercriminals and other malicious actors are increasingly exploiting legacy MFA vulnerabilities. Legacy MFA solutions such as one-time passwords and SMS authentication are particularly susceptible to social engineering and phishing schemes. Cybercriminals utilize advancements in generative AI to craft highly authentic communication, fooling even vigilant users and bypassing MFA protections. The diminishing vigilance of users, compounded by high disengagement and turnover rates in workplaces, exacerbates the vulnerabilities in cybersecurity defenses that rely heavily on user interaction. Security experts recommend shifting to next-generation MFA technologies that decrease dependency on user actions and enhance security through biometric and passwordless verifications. The transition to phishing-resistant, next-generation MFA is viewed as crucial to mitigate the increasingly sophisticated cyber threats targeting legacy systems. Token promotes its biometric, next-generation MFA device as a more effective solution against the rising wave of cyber attacks initiated via phishing.
2025-01-16 12:26:43 thehackernews MISCELLANEOUS Discover DigiCert ONE: Simplify Trust Management with Webinar
DigiCert is introducing a new platform, DigiCert ONE, aimed at modernizing trust management in a rapidly expanding digital landscape. The platform is designed to automate and streamline handling of the increasing quantity of IoT devices, certificates, and compliance requirements. Traditional trust management methods are no longer adequate for the complex, fast-paced environments of today's digital world. DigiCert ONE aims to reduce operational complexity and enhance security scalability across various sectors including IoT security, enterprise IT, and DevOps. A free webinar will be held to showcase the functionalities and benefits of the DigiCert ONE platform, providing an opportunity for attendees to see the system in action. The event targets individuals struggling with outdated trust management processes and those looking to improve their organization’s security and compliance posture efficiently.
2025-01-16 11:50:56 thehackernews MISCELLANEOUS Exploit Found Allowing NTLMv1 Despite Microsoft Policy Settings
Cybersecurity researchers discovered a trivial bypass of the Active Directory Group Policy setting that was supposed to disable NT LAN Manager (NTLM) v1. A misconfiguration in on-premises applications can override Group Policy settings, allowing NTLMv1 authentications to continue despite restrictions. NTLM, which is widely used in Windows environments for network user authentication, has been deprecated due to security vulnerabilities. Microsoft removed NTLMv1 in recent updates to Windows 11 and Windows Server, promoting the use of NTLMv2, which includes better security features. The bypass exploits a setting in the Netlogon Remote Protocol, using a specific data structure that includes a configuration allowing NTLMv1. Researchers recommend enabling audit logs for all NTLM authentications and monitoring for applications that might still use NTLMv1. Keeping systems up to date and carefully monitoring configuration are advised to mitigate potential security threats associated with this vulnerability.
2025-01-16 11:30:22 thehackernews DATA BREACH Stolen Credentials Trigger Massive Breaches in 2024
Stolen credential-based attacks have become the leading cyber threat, with significant breaches affecting organizations heavily reliant on cloud-based platforms like Snowflake. In 2024, approximately 165 organizations using Snowflake were compromised using credentials harvested from older infostealer malware infections, illustrating the ongoing risk and impact of such attacks. These breaches utilized simple login methods without multi-factor authentication (MFA), magnifying the ease and effectiveness of the credential-based attack strategy. The increased adoption of MFA has not adequately addressed the problem, as not all implementations are resistant to sophisticated phishing techniques. The breaches highlight a vast issue of visibility and control over identity and access management, particularly in environments heavily utilizing software-as-a-service (SaaS) and cloud applications. On a positive note, new technologies such as browser-based ITDR platforms like Push Security are emerging to help prevent account takeovers by enhancing credential monitoring and MFA implementation. Despite the availability of threat intelligence on compromised credentials, the challenge persists in accurately identifying and mitigating the use of stolen credentials in real-time.