Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-26 19:26:00 | bleepingcomputer | MISCELLANEOUS | Malwarebytes Offers 50% Off Subscriptions for Black Friday 2024 | Malwarebytes has launched its Black Friday 2024 promotion, offering a 50% discount on various subscriptions including personal, family, and business plans. The promotion covers its standalone anti-malware software, VPN, and Personal Data Remover services, and runs until December 8th. Malwarebytes Premium version 5.2 features include real-time malware protection, exploit protection, and malicious website blocking. The service has been expanded over the past years to include Malwarebytes VPN, Identity Theft Protection, and a Personal Data Remover service. The VPN service offers over 470 servers across more than 45 countries, providing increased privacy and anonymous browsing. The Identity Protection service includes credit monitoring and up to $2 million in ID theft insurance. Personal Data Remover helps users remove personal information from data broker databases, enhancing privacy. The discounts are promoted in partnership with BleepingComputer, which earns a commission from purchases made through its links. | Details |
| 2024-11-26 19:15:41 | bleepingcomputer | CYBERCRIME | Over 1000 Arrests in Africa's Major Anti-Cybercrime Initiative | Interpol and Afripol coordinated Operation Serengeti, arresting over 1,000 individuals across 19 African countries for cybercrime. The operation, running from September 2nd to October 31st, targeted individuals involved in ransomware, business email compromise (BEC), digital extortion, and online scams. The suspects are linked to cybercrimes causing financial losses nearing $193 million globally, affecting at least 35,224 identified victims. Authorities dismantled 134,089 malicious infrastructures and networks with support from Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, Team Cymru, Trend Micro, and Uppsala Security. Operation Serengeti also recovered approximately $44 million from cybercriminal activities. Participating nations included Algeria, Benin, Côte d’Ivoire, DRC, Gabon, Ghana, Mauritius, Mozambique, Rwanda, South Africa, Tanzania, Tunisia, Zambia, and Zimbabwe. | Details |
| 2024-11-26 16:03:44 | theregister | CYBERCRIME | US Senators Introduce Bill for Enhanced Healthcare Cybersecurity | A bipartisan group of US senators has introduced the Health Care Cybersecurity and Resiliency Act of 2024 to set minimum cybersecurity standards in the healthcare sector. The proposed legislation mandates multi-factor authentication (MFA) and encryption of protected health information, alongside other unspecified security measures. The bill requires improved coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). It specifically calls for HHS to develop a cybersecurity incident response plan within a year and to update the breach reporting portal with more detailed information. Covered entities under HIPAA must report the number of individuals affected by a breach and the security practices considered during the breach investigation. The legislation includes provisions for federal training, grants for security enhancements, and additional support for rural healthcare facilities to prevent and respond to cyberattacks. The urgency for this bill was highlighted by the severe impact of the ransomware attack on Change Healthcare, which affected millions and had substantial financial repercussions. | Details |
| 2024-11-26 15:02:47 | bleepingcomputer | MISCELLANEOUS | Why MITRE ATT&CK Evaluations Are Key for Cybersecurity Leaders | MITRE ATT&CK Evaluations offer rigorous testing of cybersecurity solutions against real-world threats, uniquely simulating attacker behavior in a controlled environment. These evaluations help decision-makers understand how different cybersecurity products perform in detecting, responding to, and reporting various attack techniques. MITRE's framework organizes adversary tactics, techniques, and procedures into stages, providing a structured approach to cybersecurity threat management. Results from MITRE ATT&CK Evaluations guide leaders in making informed decisions about cybersecurity strategies and investments. The 2024 edition of the evaluations will include emulations focused on ransomware-as-a-service and state-sponsored tactics from North Korea, targeting multiple operating systems. Cynet’s webinar, following the release of the 2024 results, promises to distill key takeaways and provide actionable insights for using evaluation outcomes effectively. Cynet's platform achieved unprecedented results in the 2023 evaluations, with 100% Visibility and Analytic Coverage, enhancing its reputation among cybersecurity solutions. | Details |
| 2024-11-26 14:57:27 | theregister | MALWARE | IBM Enhances Cyber Resilience with Advanced Ransomware Defense | The FBI and CISA have issued new advisories highlighting the increasing threat posed by ransomware, with average payouts in 2024 estimated at $4.88 million. IBM has integrated ransomware protection features into its FlashSystem NVMe-based flash storage, including the ability to take immutable snapshots for secure data recovery. IBM introduced Storage Sentinel in 2022, which scans snapshots to detect ransomware corruption and helps ensure data integrity for restoration. IBM’s computational storage, the FlashCore Module, is designed to perform real-time, block-level scanning for ransomware signals, providing threat detection within seconds. The integration includes machine-learning algorithms that detect ransomware patterns and offer in-drive scanning without relying on file-level context. IBM’s systems allow alerts from FlashSystem storage to trigger automatic recovery actions through integrations with Storage Insights and other external systems. The article discusses a demo by TD Synnex showing IBM's FlashSystem detecting and responding to ransomware threats quickly, potentially saving valuable data before encryption locks it away. | Details |
| 2024-11-26 14:31:56 | theregister | MALWARE | Microsoft's Bing Wallpaper App Raises Significant Privacy Concerns | Rafael Rivera, a Microsoft MVP alum, discovered undocumented features in the Bing Wallpaper app that could compromise user privacy. The app, recently added to the Microsoft Store, can alter browser settings, decrypt cookies, and prompt users to switch to Bing and Edge. Rivera's analysis revealed the Bing Wallpaper app can decrypt and read major browser cookies, including those of Chrome and Edge, potentially for user tracking. The app installs Bing Visual Search on host PCs without user consent and is classified as a potentially unwanted program by ESET. Microsoft denies claims that the app decrypts "all" user cookies, maintaining it only accesses specific cookies, without addressing its actions on Firefox. There is a lack of clarity and documentation on the different versions or configurations of the app and their specific capabilities or settings. Rivera highlighted the broader issue of potentially unethical data gathering practices by Microsoft, expressing disappointment in the company's direction. | Details |
| 2024-11-26 13:31:09 | bleepingcomputer | CYBERCRIME | Critical Vulnerability Exploited in Array Networks SSL VPN Products | Hackers are actively exploiting a critical remote code execution vulnerability, CVE-2023-28461, in Array Networks SSL VPN products. The vulnerability affects both hardware (AG Series) and virtual (vxAG) versions, specifically firmware version 9.4.0.481 and earlier. Array Networks addressed the issue with a security update that raised the firmware to version 9.4.0.484, shortly after the flaw was disclosed on March 9 of last year. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. More than 5,000 customers globally, including enterprises, service providers, and government agencies, use these VPN products for secure remote access. Security patches and mitigation commands are available, though organizations are advised to test these fixes because of their potential impact on VPN functionality. CISA has urged federal agencies and critical infrastructure entities to apply the updates by December 16 or discontinue use of the affected products. | Details |
| 2024-11-26 13:25:53 | thehackernews | MALWARE | Critical Flaws in Popular WordPress Plugin Risk 200,000 Sites | Two critical vulnerabilities have been identified in the CleanTalk WordPress plugin, putting over 200,000 sites at risk of remote attacks. The flaws, CVE-2024-10542 and CVE-2024-10781, carry a severity rating of 9.8 and are authorization bypass issues. Unauthenticated attackers could exploit them to install, activate, or manipulate arbitrary plugins, which may lead to remote code execution. The vulnerabilities were patched in recent plugin updates, versions 6.44 and 6.45. The affected plugin provides spam protection and firewall functions, which are critical for site security. Researchers recommend that users promptly update the plugin to the latest version to protect their sites from unauthorized access and further exploitation. The report coincides with warnings about increased malicious campaigns targeting WordPress sites for malicious code injection and data theft. | Details |
| 2024-11-26 12:14:56 | bleepingcomputer | CYBERCRIME | RomCom Hackers Exploit Zero-Days in Firefox and Windows | The Russia-based RomCom cybercrime group exploited zero-day vulnerabilities targeting Firefox and Tor Browser users in Europe and North America. The first vulnerability, a use-after-free bug in Firefox (CVE-2024-9680), allowed remote code execution within the browser's sandbox; Mozilla patched it on October 9, 2024. The second flaw, in the Windows Task Scheduler service (CVE-2024-49039), enabled privilege escalation and therefore code execution outside the browser sandbox; Microsoft addressed it in November. The vulnerabilities were chained in attacks that required no user interaction: visiting a malicious website was enough to trigger remote code execution and download the RomCom backdoor. Victims included organizations across sectors such as government, defense, energy, pharmaceutical, and insurance, predominantly in Ukraine, Europe, and North America. This sophisticated attack chain demonstrates RomCom's continued evolution towards high-value, targeted espionage and intelligence-gathering operations. RomCom has previously exploited similar zero-day vulnerabilities, indicating a consistent pattern of high-profile and technically advanced cyberattack strategies. | Details |
| 2024-11-26 11:39:20 | theregister | CYBERCRIME | Major Cyber Incident Disrupts UK Hospital Operations Again | A UK hospital has declared a major incident and canceled all outpatient appointments due to cybersecurity issues. The incident has affected the entire Wirral University Teaching Hospital NHS Trust, impacting multiple hospitals. It began affecting IT systems on Monday, with disruptions still ongoing as of Tuesday morning. Hospital officials have not disclosed the nature of the cyber problem, but the incident has widespread impacts on various departments beyond emergency services. Patients have been urged to visit emergency departments only for critical conditions, while all non-urgent consultations are redirected to other NHS services. The Trust has enacted its business continuity processes and is prioritizing patient safety while managing the incident. This marks the third significant cybersecurity incident for NHS units in England this year, following previous ransomware attacks on other NHS services. The prior attacks caused extensive service disruptions, including thousands of canceled appointments and procedures, underlining a challenging year for NHS cybersecurity. | Details |
| 2024-11-26 11:34:00 | thehackernews | MISCELLANEOUS | Intruder Unveils Intel: A New Free Vulnerability Intelligence Platform | Intruder has launched Intel, a free platform providing vulnerability intelligence to enhance organizational security. Intel was developed after Intruder's preferred tool was discontinued, and is intended to benefit the broader information security community. The platform focuses on the most trending CVEs from the last 24 hours, assigning each a 'hype score' to help prioritize threats. Intel combines real-time insights and expert analysis with data from respected sources such as NVD and CISA. Users are encouraged to use Intel to distinguish critical vulnerabilities from less significant threats efficiently. | Details |
| 2024-11-26 10:38:16 | thehackernews | NATION STATE ACTIVITY | RomCom Exploits Dual Zero-Day Vulnerabilities in Cyber Espionage | The Russia-affiliated threat actor RomCom has used zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to install backdoors on victims' systems. The exploit process requires no user interaction: visiting a malicious web page with an unpatched browser is enough to execute arbitrary code and deploy the RomCom RAT malware. The attack uses fake websites such as economistjournal[.]cloud to redirect victims to another server hosting the malware, which then exploits browser and OS vulnerabilities to gain code execution. The shellcode used in the Firefox exploit performs a sandbox escape and elevates privileges through a Windows Task Scheduler vulnerability, culminating in the installation of the RomCom RAT. Most victims traced through telemetry data are located in Europe and North America, reflecting the geographical focus of the attack. This is the second known occasion of RomCom exploiting zero-day vulnerabilities, pointing to a high level of sophistication and ongoing development of stealthy cyber capabilities. Google's Threat Analysis Group also discovered the exploited Windows vulnerability independently, suggesting multiple adversaries may be leveraging the same zero-day flaw. | Details |
| 2024-11-26 10:32:58 | theregister | MALWARE | QNAP and Veritas Address Scores of Critical Vulnerabilities | Over the weekend, QNAP patched 24 vulnerabilities, including two critical and nine high-severity issues, affecting various products. Critical vulnerabilities in QNAP's Notes Station 3 were identified, potentially allowing code execution, file read/write, and other severe impacts. Older OpenSSH flaws also affect previous operating system versions of QNAP’s QTS and QuTS hero, with partial fixes available. Following user reports of malfunctions, QNAP withdrew a QTS firmware update, investigated the issues, and reissued a stable version within 24 hours. Veritas disclosed seven critical vulnerabilities in its Enterprise Vault platform, all of which could lead to remote code execution. These vulnerabilities, reported in July, have not yet been patched; Veritas plans to release patches in Q3 2025, raising concerns over the delayed response. Enterprises are urged to apply the existing mitigations while awaiting the Veritas patches to protect against potential exploits. | Details |
| 2024-11-26 10:22:33 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Global Telecoms Using Advanced Malware | Earth Estries, a China-linked APT group, has been using the GHOSTSPIDER malware to infiltrate telecommunications companies across Southeast Asia and other regions. The group has compromised over 20 entities in industries including telecommunications, technology, consulting, chemicals, transportation, government agencies, and NGOs. Victims span more than a dozen countries, including the U.S., India, Brazil, and several Southeast Asian and African nations. Earth Estries employs a variety of malware tools such as MASOL RAT, the Demodex rootkit, and Deed RAT for espionage. The group gains initial access by exploiting known vulnerabilities in widely used software such as Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange Server. Earth Estries' operations show a high level of sophistication, with different teams handling different espionage activities under a well-organized command structure. Trend Micro highlights the complexity and stealth of the attacks, which begin at edge devices and extend to cloud environments, complicating detection efforts. | Details |
| 2024-11-26 06:35:20 | theregister | NATION STATE ACTIVITY | UK Launches AI Security Lab to Counter Russia's Cyber Threats | The UK government announced the creation of the Laboratory for AI Security Research (LASR), aimed at boosting the country's defenses against AI-driven cyber threats, predominantly from Russia. The announcement was made by the Chancellor of the Duchy of Lancaster, Pat McFadden, during the NATO Cyber Defence Conference, signaling a robust stance against Russian cyber activities. LASR will focus on enhancing AI security in collaboration with key UK institutions such as GCHQ, the NCSC, and the Defence Science and Technology Laboratory, and will also seek partnerships with NATO and Five Eyes nations. An initial £8.22 million in funding has been allocated for the lab, with an additional £1 million directed towards an incident response project to support allies under cyber threat. The lab aims to ensure the UK and its allies can maximize the benefits of AI technology while protecting against its weaponization by adversaries on both physical and cyber battlefields. The UK's commitment to resisting Russian cyber threats is part of a broader stance of standing firm against aggressive actions by nation-states, as emphasized by historical lessons against appeasing dictators. | Details |