Daily Brief

2024-10-23 09:55:10 thehackernews CYBERCRIME "Deceptive Delight" Technique Reveals LLM Vulnerability, Boosts Jailbreak Success
Researchers have introduced "Deceptive Delight," a method for jailbreaking large language models (LLMs) with a 64.6% success rate. This adversarial approach involves sneaking harmful instructions into benign conversations, bypassing AI safety measures within three interactions. Unlike other methods, which sandwich harmful content, Deceptive Delight gradually leads LLMs to produce unsafe outputs. A related Context Fusion Attack bypasses LLM safety nets through contextual manipulation, demonstrating potential vulnerabilities in AI conversations. The study tested eight AI models using 40 unsafe topics, finding the highest vulnerability in violence-related content. The results suggest that two conversational turns significantly increase the generation of malicious content, with a third turn intensifying the harmful output. Researchers recommend employing robust content filters, prompt engineering, and clearly defining acceptable inputs and outputs to mitigate risks. Potential misuse includes software supply chain attacks by exploiting AI-generated, non-existent software packages.
2024-10-23 09:39:43 thehackernews DATA BREACH SaaS Security Oversights Lead to Increased Data Breaches
Only 15% of organizations centralize their SaaS security within cybersecurity teams. A significant 34% of security practitioners lack awareness of the SaaS applications used in their organizations. The disjointed procurement and management of SaaS apps by business units result in inconsistent security practices. In 2023, SaaS-related data breaches increased, highlighting the need for better security culture across organizations. Many organizations suffer from overconfidence in their security measures, often overlooking essential continuous monitoring and compliance. Cultural disconnects within organizations contribute to a weak security posture, allowing breaches through oversight gaps. Continuous monitoring and a robust SaaS Security Posture Management (SSPM) solution are critical for preserving security integrity in SaaS environments. The AppOmni 2024 State of SaaS Security Report emphasizes the importance of a security-first organizational culture to mitigate future data breaches.
2024-10-23 09:34:25 thehackernews RANSOMWARE Ransomware Group Exploits AWS in Sophisticated Cyber Attacks
Threat actors have used Amazon S3 Transfer Acceleration as part of recent ransomware attacks to quickly exfiltrate victim data to S3 buckets under their control. The Golang ransomware was disguised as the infamous LockBit ransomware to capitalize on LockBit's notoriety and mislead victims. Hard-coded AWS credentials embedded in the ransomware artifacts indicate an increased use of popular cloud services for malicious purposes. The AWS accounts involved were suspended after responsible disclosure to AWS security by Trend Micro researchers, who also found over 30 related malicious samples. The ransomware targets Windows and macOS systems, obtaining the machine's UUID and using a calculated master key to encrypt files. Post-encryption, files are renamed and victims' device wallpapers are changed to display a message linking to LockBit 2.0 to pressure victims into paying ransoms. A separate mention of a decryptor for the Mallox ransomware variant shows a possibility for victims to restore files for free, due to a flaw in its cryptographic schema.
2024-10-23 00:33:47 theregister DATA BREACH Risk to Millions as Apps Leak Cloud Service Credentials
Millions of Android and iOS app users are at risk due to hardcoded and unencrypted cloud service credentials found in popular mobile applications. Researchers Yuanjing Guo and Tommy Dong from Symantec identified these vulnerabilities in apps available on Google Play and the Apple App Store. Exposed credentials include sensitive data like Azure Blob Storage, AWS, and Twilio keys, potentially allowing unauthorized access to backend infrastructure and user data. The issues arise from poor coding practices, with developers leaving sensitive credentials within the app's code, which could be accessed by anyone with the ability to review the app’s binary or source code. Symantec highlights the need for more secure development practices and urges a shift towards encrypting sensitive data, using secure storage for credentials, and regular security checks. The company also recommends that users install third-party security systems, be cautious about app permissions, and only download apps from reputable sources to mitigate risks. Additional protective measures suggested include the use of services like AWS Secrets Manager or Azure Key Vault to securely manage and store sensitive information.
2024-10-22 22:36:30 theregister DATA BREACH Lawmakers Seek DOJ Action Against Tax Firms for Data Leaks
Democratic US lawmakers have urged the DOJ to prosecute tax preparation firms accused of sharing taxpayer data with tech giants like Meta and Google. Firms such as TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions have been implicated, though not explicitly named in the latest Treasury Inspector General for Tax Administration (TIGTA) report. The controversial data sharing involved sensitive information such as incomes, tax refunds, and Social Security numbers, and it utilized tracking technology like pixels that monitor user activities on websites. The TIGTA report criticized the tax prep companies for their inadequate disclosure of the data collection's purposes and recipients, suggesting they might not have complied fully with legal requirements. The Senators, including Elizabeth Warren and Ron Wyden, argue that these acts of data sharing violate taxpayer privacy laws, and stressed the need for immediate DOJ investigation and potential criminal charges. The situation underscores a broader concern about the unregulated use of "junk fees" and unethical practices among tax preparation services, notably the recent settlement involving TurboTax. The Department of Justice has received the lawmakers' letter, but its response or potential for legal action remains uncertain as of now.
2024-10-22 22:15:56 bleepingcomputer NATION STATE ACTIVITY CISA Proposes New Security Measures to Guard Data from Adversarial Nations
CISA has proposed new security requirements to protect U.S. personal and government data from adversary nations. The proposals are part of the implementation of Executive Order 14117, signed by President Biden, focusing on severe data security threats. The aim is to control access to bulk sensitive U.S. data and government-related information, especially involving transactions with countries of concern. Impacted sectors could include AI development, cloud services, telecommunications, health and biotechnology, financial, and defense industries. The new security measures will involve both organizational/systematic requirements and specific data-level needs. CISA is currently seeking public feedback to refine the proposal and prepare a final form. Stakeholders and the public can contribute their views and suggestions through CISA's portal on regulations.gov using the identifier CISA-2024-0029.
2024-10-22 20:19:56 bleepingcomputer DATA BREACH Popular Mobile Apps Expose Cloud Credentials, Risk Data Breaches
Symantec reveals hardcoded, unencrypted cloud service credentials in numerous iOS and Android apps, risking user data. Exposed credentials include access to Amazon Web Services (AWS) and Microsoft Azure Blob Storage, endangering sensitive information. Attackers can potentially extract, manipulate, or steal user data and source code via these credentials. The security flaw is due to poor development practices and a lack of proper credential storage methods. Over 1,800 mobile applications were found with embedded AWS credentials, 77% of which held valid access tokens. Recommendations for developers include using environment variables for credentials storage, encrypting data, and implementing automated security scans early in the development cycle. Immediate action is necessary from developers to secure their applications and protect user data from potential breaches.
2024-10-22 18:32:07 bleepingcomputer DATA BREACH SEC Charges Firms for Misleading SolarWinds Breach Disclosures
The SEC has charged Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast regarding misleading disclosures following the 2020 SolarWinds Orion attack. These companies allegedly downplayed the severity of breaches to their systems, failing to provide full disclosure to investors about the risks and impacts. Unisys is additionally charged with violations related to disclosure controls and procedures, having inaccurately described cybersecurity risks as hypothetical. Investigative findings revealed that Avaya understated access by threat actors to their systems, while Check Point used vague descriptions to minimize the perceived breach severity. Mimecast did not fully disclose the nature of stolen code and the extent of accessed encrypted credentials during the cybersecurity incident. Collectively, these companies have agreed to pay civil penalties amounting to nearly $7 million to settle the charges, with Unisys paying the highest penalty of $4 million. The SEC's actions highlight the necessity for accurate and comprehensive disclosure of cybersecurity incidents to protect investors and maintain market integrity.
2024-10-22 17:51:03 theregister NATION STATE ACTIVITY TSMC Alerts US on Alleged Huawei Efforts to Bypass Sanctions
TSMC tipped off US officials about possible Huawei efforts to skirt export controls by acquiring AI-focused chips. This alert was raised after a customer's order closely resembled Huawei's Ascend 910B processor, used primarily for training AI models. Recent monitoring includes a Department of Commerce investigation into whether TSMC has supplied AI or smartphone chips to Huawei, violating U.S. export restrictions. The US has progressively imposed stricter rules on AI chip shipments to Chinese companies, citing national security issues linked to potential military applications. Amid these export controls, Huawei has reportedly faced significant financial losses, driving China to increase efforts toward technological self-sufficiency. Beijing's response includes a considerable surge in Chinese AI patent filings and advancements in domestic chip engineering, potentially closing the gap with Western technology leaders. TSMC affirms its compliance with all applicable international regulations, denying any ongoing supply of critical technology to Huawei since September 2020. The incident underscores broader geopolitical tensions and the ongoing technological rivalry between the US and China.
2024-10-22 17:30:26 bleepingcomputer MALWARE New Exploit Code Unveiled for Windows Server NTLM Relay Attack
Proof-of-concept code for CVE-2024-43532, a Windows Server vulnerability, has been made public. The exploit allows NTLM relay attacks by downgrading authentication security via the Remote Registry client. The flaw affects all Windows Server versions from 2008 to 2022, as well as Windows 10 and 11. Attackers can seize domain control by obtaining user certificates through intercepted authentication handshakes relayed to Active Directory Certificate Services. The attack methodology was previously used by cybercriminals, including the LockFile ransomware gang. Microsoft initially dismissed the vulnerability as a documentation issue until a resubmission prompted acknowledgment and a subsequent fix. Researcher Stiv Kupchik released the exploit details at the No Hat security conference and suggested defenses, including monitoring RPC calls via Event Tracing for Windows.
2024-10-22 17:09:41 thehackernews MALWARE Phishing Campaign Uses Gophish to Deploy RATs to Russian Users
Russian-speaking individuals are being targeted by phishing attacks that use the Gophish toolkit to distribute DarkCrystal RAT and PowerRAT. The phishing campaigns deploy malicious Microsoft Word documents and HTML files embedded with JavaScript to execute the malware. Upon activation, the malware performs system reconnaissance and collects data such as drive serial numbers, connecting to remote servers in Russia for further instructions. Both DarkCrystal RAT and PowerRAT facilitate additional malicious activities, including executing PowerShell scripts and commands from a command-and-control server. Victims are tricked into enabling malware execution by interacting with documents or links that appear to be from legitimate Russian services like Yandex Disk and VK. The malware ensures persistence on infected devices by modifying Windows Registry keys or creating scheduled tasks. The campaign reflects a broader trend of using sophisticated infection vectors, such as virtual hard disk files, to bypass security measures and deploy various RATs.
2024-10-22 17:04:23 theregister MALWARE VMware Issues Second Patch for Critical vCenter Vulnerabilities
VMware has released secondary patches for two critical vulnerabilities in vCenter after initial fixes were insufficient. The first vulnerability, with a CVSS score of 9.8, allows remote code execution through specially crafted network packets without user interaction. The second flaw, scoring 7.5 on CVSS, could let an attacker escalate privileges to root by exploiting network access vulnerabilities. Both CVEs—CVE-2024-38812 and CVE-2024-38813—were initially patched on September 17 but required additional fixes as the original patches did not fully resolve the issues. VMware's user base, including major organizations, makes it a high-value target for various attackers, from ransomware gangs to nation-state actors. Earlier breaches in VMware systems by Chinese cyberspies have been reported, exploiting different vulnerabilities since late 2021. These vulnerabilities were discovered by researchers Zbl and srs from Team TZL at Tsinghua University during a cyber security competition. VMware and Broadcom strongly advise customers to apply the latest patches immediately to prevent potential exploitation.
2024-10-22 16:33:38 theregister DATA BREACH Tech Firms Settle with SEC Over SolarWinds Disclosure Failures
Four tech companies, Unisys, Avaya, Check Point, and Mimecast, have agreed to pay substantial SEC penalties for misleading investors following the 2020 SolarWinds cyberattack. The companies were fined for failing to fully disclose the extent of their exposure to the hack, which involved a Russian threat actor inserting a backdoor into SolarWinds' Orion software. Avaya, Check Point, and Mimecast paid fines close to or exceeding $1 million each, while Unisys faced a heavier penalty of $4 million due to additional disclosure controls and procedures violations. Despite awareness of the breaches, the implicated companies provided investors with understated or vague information about the cybersecurity incidents. The SEC emphasized the importance of accurate and comprehensive reporting on cyber incidents to protect investors and the public from misinformation. While none of the companies admitted to the allegations, they settled with the SEC, citing reasons including prioritizing company and shareholder interests and enhancing cybersecurity measures. The settlements highlight ongoing regulatory and legal challenges surrounding the disclosure of cybersecurity risks and incidents by publicly traded companies.
2024-10-22 15:37:11 theregister MALWARE Akira Ransomware Adopts Old Encryption Tactics for Efficiency
The Akira ransomware group has reverted to using encryption-based extortion tactics, focusing on operational efficiency and stability. Previously, Akira had shifted to pure data theft and holding the data for ransom without encrypting it, similar to tactics used by other ransomware groups in previous years. Security researchers from Cisco Talos observed that Akira is using updated but similar C++ based payloads for Windows as before, alongside new explorations into Rust-based encryptors for Linux. The strategic pivot back to older methods indicates a consolidation of tools and a focus on maintaining a robust and adaptable operational model. Akira is continuing to leverage high-impact vulnerabilities targeting both Windows and Linux systems, with a focus on environments like ESXi that manage multiple virtual machines. Microsoft's report highlighted Akira as a dominant ransomware group in the post-LockBit era, capturing a significant share of recent ransomware attacks. Akira's affiliates actively exploit newly disclosed vulnerabilities for initial access and to spread laterally within targeted networks, emphasizing the ongoing refinement of their tactics. Organizations are advised to rapidly patch known vulnerabilities, manage device configuration, and implement advanced detection measures to mitigate the risk posed by Akira's ransomware attacks.
2024-10-22 14:15:17 thehackernews CYBERCRIME Security Flaw in Styra's OPA Potentially Exposes NTLM Hashes
A critical security flaw in Styra's Open Policy Agent (OPA) was discovered, risking the exposure of NTLM hashes to remote attackers. If exploited, the flaw allows leakage of NTLM credentials, enabling attackers to possibly relay or crack passwords. Tracked as CVE-2024-8260, the vulnerability affects both CLI and Go SDK for Windows and stems from improper input validation. The exploit requires initiating outbound SMB traffic, making attacks dependent on specific configurations. Styra addressed the flaw in version 0.68.0 released on August 29, 2024, following a responsible disclosure process initiated in June 2024. The disclosure coincides with a separate report by Akamai on a privilege escalation flaw in Microsoft's Remote Registry Service. Microsoft, acknowledging the risks, reiterated plans to retire NTLM in favor of Kerberos in an effort to strengthen user authentication and security measures.