Daily Brief

2024-11-14 22:02:44 bleepingcomputer CYBERCRIME Critical Security Flaws Exploited in Palo Alto Networks' Tool
CISA has issued a warning about active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition migration tool. The vulnerabilities are an unauthenticated command injection (CVE-2024-9463) and a SQL injection (CVE-2024-9464), both affecting systems running Expedition. They allow attackers to execute arbitrary OS commands, read and modify database contents, and manipulate files on affected systems. Palo Alto Networks has released fixes in Expedition version 1.2.96 and later and advises restricting network access to Expedition if immediate updating is not possible. Compromised information includes usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. CISA has mandated that federal agencies patch affected servers by December 5, highlighting the urgency of addressing these flaws. As an additional precaution, Palo Alto Networks recommends rotating all Expedition and firewall usernames, passwords, and API keys after applying the update. These vulnerabilities do not affect other Palo Alto products such as Panorama, Prisma Access, or Cloud NGFW.
2024-11-14 21:04:58 bleepingcomputer MALWARE New Glove Stealer Malware Bypasses Google Chrome Encryption
Researchers at Gen Digital discovered new malware, Glove Stealer, which can bypass Chrome's App-Bound encryption to steal browser cookies. The malware exploits a vulnerability described by security researcher Alexander Hagenah, needing local admin access to decrypt App-Bound encrypted keys. Glove Stealer also targets data from other browsers, cryptocurrency wallets, 2FA tokens, and passwords stored in management apps like Bitwarden and LastPass. The malware affects multiple applications, attempting to steal sensitive information from over 280 browser extensions and 80 local applications, particularly those related to financial transactions and authentication. Despite the advancements in Google Chrome's encryption methods, Glove Stealer’s technique highlights continued vulnerabilities that allow attackers to extract sensitive data. The infostealer is in its early development stages, characterized by its basic method and minimalist design, suggesting potential for future evolution and increased threat. Increasing attacks targeting encrypted cookie data have been observed since the implementation of App-Bound encryption, using techniques like spear phishing and exploiting system vulnerabilities.
2024-11-14 20:49:14 bleepingcomputer MALWARE New Glove Stealer Malware Circumvents Chrome Cookie Security
Glove Stealer malware bypasses Google Chrome's App-Bound cookie encryption, a newly implemented security feature. The malware has capabilities to steal browser cookies, cryptocurrency wallets, and 2FA session tokens from a variety of sources including Google, Microsoft, and LastPass. It can also access passwords and emails from popular security applications and clients, like Bitwarden, KeePass, and Thunderbird. The exploitation relies on local admin privileges to operate, utilizing a supporting module that interacts with Chrome’s IElevator service. Despite the sophistication of bypassing App-Bound encryption, this method is still considered basic and indicative of the malware being in early development. Glove Stealer is part of a wider trend of infostealer malware that exploits web browsers' vulnerabilities via sophisticated social engineering and phishing tactics. Increases in such campaigns have been noted since the introduction of App-Bound encryption in July, leveraging various attack vectors like vulnerable drivers and fake tech support.
2024-11-14 20:31:55 theregister CYBERCRIME Serial Cybercriminal Punished for Extorting Medical Practices
Robert Purbeck was sentenced to 10 years in prison for serial cybercrimes against U.S. medical facilities, following a guilty plea on two counts of computer fraud and abuse. Purbeck's aggressive extortion tactics caused severe harm to his victims, including a dentist and an orthodontist who faced extensive financial losses from the security measures they were forced to adopt and from legal costs. He stole sensitive patient information to back his demands for Bitcoin payments, threatening to disclose or misuse the data if his demands were not met. The crimes affected at least 19 victims, ranging from medical facilities to a church and even a safe house for victims of domestic violence. Purbeck was ordered to pay over $1 million in restitution to the victims and will serve three years of supervised release after his prison term. His activities included threats to add individuals, including family members of his victims, to sex offender registries and to cause financial harm by draining bank accounts. The FBI's investigation culminated in a raid on Purbeck's home in August 2019, seizing devices holding personal data of over 132,000 people.
2024-11-14 17:39:45 thehackernews CYBERCRIME 70,000 Legitimate Domains Hijacked in Widespread 'Sitting Ducks' Scheme
Infoblox identified approximately 70,000 hijacked domains out of 800,000 vulnerable registered domains over the past three months. Hijacked domains span various entities including well-known brands, non-profits, and government organizations, utilized for phishing and fraud. The 'Sitting Ducks' attack leverages DNS misconfigurations, allowing attackers to control a domain by pointing it to a malicious DNS server. The technique is stealthy and difficult to detect because it does not render the domain inactive, making only subtle changes like IP address shifts. Victims include diverse entities like entertainment companies, IPTV providers, law firms, and online retailers. Threat actors use the hijacked domains for a range of malicious activities including malware command and control centers, spam distribution, and credential phishing. Rotational hijacking is common, with domains being repeatedly compromised by different threat actors over time. Due to the high reputation of hijacked domains, they often escape detection by standard security measures, facilitating ongoing criminal activity.
2024-11-14 17:03:22 bleepingcomputer CYBERCRIME Man Sentenced for Extorting Healthcare Provider and Police
Robert Purbeck, aged 45, from Idaho, was sentenced to ten years in prison for hacking and extortion activities targeting US organizations. Purbeck illegally accessed data from at least 19 organizations, compromising the personal details of over 132,000 people for extortion purposes. His activities included purchasing network access on darknet markets to breach the systems of a medical clinic in Georgia and a local police department. Purbeck used the stolen personally identifiable information (PII) to extort a Florida orthodontist, threatening to release patient data unless he received ransom payments. The FBI found evidence of multiple data breaches, along with the stolen data, during a 2019 raid on Purbeck's home. He pleaded guilty to two federal charges of unauthorized computer access and was also ordered to pay over $1 million in restitution to his victims after his release from prison.
2024-11-14 16:11:52 bleepingcomputer MISCELLANEOUS Extensive User Access to ChatGPT Sandbox Discovered
Marco Figueroa from Mozilla's 0DIN uncovered extensive user capabilities within OpenAI's ChatGPT sandbox environment. Users can upload and execute Python scripts, and access directories including some that contain configuration and setup information. The sandbox restricts internet access and certain commands to preserve security, yet allows file uploads, downloads, and command execution within its confines. Figueroa highlighted the ability to download the ChatGPT "playbook," raising concerns about the potential for reverse-engineering or security circumventions. OpenAI's current sandbox design allows significant interaction without breaching the host system's security, suggesting it's well-isolated. There is ongoing debate whether extensive access is a design oversight or an intentional feature for transparency and user trust. OpenAI has been contacted for comments on potential security implications but has yet to formulate a detailed response.
2024-11-14 15:05:07 bleepingcomputer MISCELLANEOUS Reducing Costs with Self-Service Password Resets
Password resets are costly, averaging $70 each, combining IT staff time and lost worker productivity. Annual password reset costs for an organization with 1,000 employees, each needing two resets per year, can reach $140,000. Self-service password resets offer significant savings, with the average organization reducing expenses by $65,000 in 2023. Implementing self-service solutions can also minimize password reset needs across remote and hybrid work setups by updating local cached credentials automatically. Additional benefits include global accessibility, enhanced user behavior with interactive password guidance, and better compliance and audit capabilities owing to detailed activity logs. Self-service password solutions like Specops uReset enable users to reset their passwords securely and conveniently without IT intervention, leading to more efficient resource allocation and a streamlined password management process.
2024-11-14 14:03:53 thehackernews CYBERCRIME Google Exposes Rising Scams and AI-Driven Cybercrime Trends
Google has highlighted an increase in scams using cloaking techniques, which disguise malicious sites as legitimate ones to evade detection. The company has noticed a growing trend of scareware campaigns that falsely inform users of malware infections and then direct them to fraudulent support sites. Cryptocurrency schemes have featured significantly in recent scams, many of them orchestrated by crime syndicates in Southeast Asia using technologies such as AI and deepfakes. A U.N. report indicates these criminal groups are innovating quickly, integrating technology to streamline their operations and facilitate money laundering. Google has taken legal action against entities including two app developers and a website called Bigboostup.com for their roles in distributing fraudulent apps and fake reviews. Working with various anti-scam organizations and strengthening its ad review process, Google blocked over 5.5 billion ads that violated its policies in 2023. Google has also enhanced its Android services, introducing features in its Phone app and Google Play Protect to detect and warn users about scams and malicious apps.
2024-11-14 12:13:27 thehackernews RANSOMWARE Critical Oversights in BCDR Strategies Expose Businesses to Risks
Ransomware attacks are growing in frequency and sophistication, posing significant threats to business data security. Despite robust cybersecurity measures, many organizations fail to implement key disaster recovery practices, increasing their vulnerability to ransomware. Effective disaster recovery plans are essential for rapid response and resilience against cyber threats, ensuring minimal business disruption. Common BCDR oversights include overreliance on local immutability, insufficient protection of Windows-based backup solutions, and inadequate SaaS data security. Insufficient recovery testing and manual recovery processes can lead to extended downtime and escalated recovery costs in the event of a ransomware attack. Automating recovery processes and regularly testing disaster recovery plans can greatly enhance an organization's ability to fend off ransomware attacks. Unitrends offers an all-in-one BCDR solution that provides comprehensive protection against ransomware, ensuring data integrity and recovery across multiple platforms.
2024-11-14 12:03:04 theregister DATA BREACH Start-Rite Experiences Repeat Data Breach, Customer Card Details Exposed
Children's shoemaker Start-Rite has suffered a significant security incident, marking its second major security lapse in the last eight years. The breach involved customer payment details including names, addresses, card numbers, expiry dates, and CVV from the site's payment page, compromised between October 14 and November 7. Start-Rite has advised affected customers to cancel their cards and monitor their statements for unauthorized transactions. The company has reported the incident to the UK's Information Commissioner's Office (ICO) and is cooperating fully with law enforcement. Start-Rite claims the website is now secure, having removed the malicious code and third-party application responsible for the breach. The nature of the data stolen raises concerns about the company's compliance with payment card industry data security standards (PCI DSS). Security experts speculate that the breach was likely caused by card skimming malware injected through compromised third-party application code. Start-Rite has contacted all potentially impacted customers and continues to enhance its website security following the breach.
2024-11-14 10:56:43 theregister DATA BREACH NatWest Implements Ban on Multiple Messaging Apps to Safeguard Communications
NatWest Group has formally banned a range of messaging apps including WhatsApp, Meta's Messenger, and Skype across its company-issued devices, aimed at ensuring all communications can be monitored for compliance. The full list of prohibited apps now also includes Telegram, Signal, Viber, Snapchat, Discord, WeChat, and Line, as these apps either support disappearing messages or lack sufficient record-recovery options. This decision aligns with broader industry practices where financial institutions maintain strict controls over communication channels to avert legal and regulatory repercussions. The bank reaffirmed that the use of non-approved communication channels for discussing business matters had been discouraged for years, with a formal policy now in place. Compliance with record-keeping regulations is critical amid hefty fines imposed on other banks for poor documentation practices, underscoring the importance of accessible and transparent communication records. Approved communication channels at NatWest include Microsoft Teams, Teams Chat, Viva Engage, Zoom, Outlook, Symphony Chat, and SMS, ensuring all business communications are retrievable if needed. This move also mirrors concerns highlighted by inquiries into UK government officials' use of WhatsApp for official matters, emphasizing the need for proper archiving practices.
2024-11-14 10:30:55 thehackernews DATA BREACH Misconfigured TikTok Pixel Risks Massive GDPR Fines
A cybersecurity firm, Reflectiz, identified a misconfigured TikTok pixel on a travel company’s website that was sending sensitive user data to servers in China without proper authorization. This misconfiguration breached General Data Protection Regulation (GDPR) guidelines, which could have led to severe financial penalties for the travel company. Reflectiz employs advanced scanning technology to replicate user behavior and identify unauthorized data activities from third-party web components. The study underscores the risks associated with improper implementation of tracking pixels and the significant consequences of non-compliance with data protection laws. A similar incident involved a Swedish online pharmacy fined approximately $1.45 million due to an erroneous configuration of Facebook Pixel, affecting up to a million users. Reflectiz's solution does not require installation and begins with a remote scan to map a website’s entire ecosystem, continuously monitoring for any suspicious activity. The case emphasizes the importance for companies of all sizes to ensure strict compliance with data privacy regulations to avoid potential legal and financial repercussions.
2024-11-14 09:55:05 thehackernews MALWARE New RustyAttr Malware Exploits macOS Extended Attributes
A Singaporean cybersecurity firm has identified a new malware, RustyAttr, that targets macOS by abusing extended file attributes. The campaign is attributed with moderate confidence to the North Korea-linked Lazarus Group, based on similarities to previous attacks. RustyAttr is distributed in Tauri-based applications signed with a revoked certificate, with shell scripts hidden inside file metadata. Execution triggers decoy mechanisms, including error messages or dummy PDFs, to distract the victim. Malicious JavaScript embedded in webpage templates loads and executes additional content stored in the extended attributes. The malware's full impact and objectives remain uncertain, with no confirmed victims or further payloads detected so far. Users must disable macOS Gatekeeper protections for the malware to run, which indicates that social engineering is needed for the attack to be effective. The discovery underscores ongoing aggressive cyber-operations by North Korean actors, particularly against the global business and cryptocurrency sectors.
2024-11-14 09:34:31 theregister MISCELLANEOUS Asda Undergoes Major IT Overhaul Post-Walmart Divestiture
Simon Langley, the head of tech security at Asda, has left the company amid its ongoing separation from former parent company Walmart. Asda is in the process of splitting its IT systems from Walmart and projects completion of the separation by early 2025, with costs now approximately £430 million. The separation includes a move to a new S/4HANA system hosted on Microsoft Azure; the cut-over was initially set for February 14 but has since been extended. Approximately 135 IT staff were involved in a collective consultation on transferring to outsourcing firm TCS, highlighting staff changes and outsourcing. Alongside the IT overhaul, Asda announced redundancies affecting 475 staff at its head offices, with contractors also due to exit as IT projects conclude. Changes also include new operational policies at Asda: restrictions on contractors, and a mandate for remote workers to spend three days per week in the office, leveraging new technologies. Uncertainty over continued use of Walmart's wireless devices in Asda's distribution depots raises concerns about inventory and application management during the transition.