Daily Brief

Hackers deploy various methods like brute-force, dictionary attacks, and credential stuffing to breach password security. Effective defense against brute-force attacks includes using complex passwords to combat automated tools trying all combinations. Dictionary attacks make use of commonly used words and leaked passwords, highlighting the need for original password creation to enhance security. Password spraying targets multiple accounts with common passwords to avoid detection, underscoring the importance of unique passwords for each account. Credential stuffing takes advantage of reused credentials across different services, necessitating the use of unique passwords for every site and service. Sophisticated phishing schemes mimic legitimate requests to steal confidential information, which can be countered by cautious verification of communication authenticity. Keylogger attacks secretly monitor and record all user keystrokes, pointing to the need for secure keyboard encryption and anti-keylogging software. Social engineering manipulates individuals for information breach, stressing the importance of awareness and verification before responding to unusual requests.

The FIDO Alliance is developing protocols to simplify the transfer of passkeys across different platforms. A new draft includes specifications for secure credential exchange, enhancing provider interoperability. Major tech entities like Apple, Google, Microsoft, and Amazon are involved, supporting the shift to passwordless authentication. The proposed Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) ensure secure and non-transparent credential transfers. Passkeys offer a phishing-resistant sign-in option that is quicker and more successful than traditional methods. The inability to transfer passkeys between platforms currently compels users to generate new passkeys for each device. Over 175 million Amazon customers have adopted passkeys, highlighting widespread consumer acceptance and enhanced security.

Amazon reports over 175 million users have adopted passkeys for secure authentication since its introduction a year ago. Passkeys allow users to log in six times faster than traditional methods by leveraging biometric or PIN-based verification. This new security feature uses a cryptographic challenge-response method where the user's device manages private keys securely. Amazon has extended the use of passkeys to other services including AWS and Audible due to the positive customer uptake. Passkeys enhance security by preventing them from being stolen during data breaches, phishing, or malware attacks. Currently, passkeys are device-specific and not transferable across different devices or password managers. The FIDO alliance recently introduced a new specification for making passkeys portable across various platforms and password managers.

AI exploitation is increasingly becoming a focus for cybercriminals, though its use is more hype than reality based on sensational media reports. Current AI tools accessible to hackers are typically enhanced models of publicly available large language models, with no superior capabilities and often marked as scams. Cybercriminals use AI primarily for generating phishing emails, writing code snippets, and trying to deceive AI systems into accepting malicious code as benign. The introduction of customizable GPTs (General Purpose Technologies) by OpenAI presents new vulnerabilities, such as the exposure of sensitive data through embedded instructions and API keys. Through prompt engineering, attackers manipulate GPTs to access and leak proprietary information or configure the GPTs for malicious purposes. Despite potential risks, there are existing frameworks that help organizations safeguard their AI developments from cyber threats. Understanding criminal tactics and potential misuse of AI is crucial for developing better defensive strategies against AI-driven cyberattacks.

North Korean group ScarCruft exploited a Windows zero-day vulnerability, CVE-2024-38178, to deploy RokRAT malware. The exploited vulnerability, found in the Windows Scripting Engine, can lead to remote code execution through Internet Explorer Mode in Edge. This security flaw was patched during Microsoft's August 2024 Patch Tuesday updates. The attack involved phishing with specially crafted URLs to trigger the execution of malicious code through a "toast" advertisement program. The malware attack, termed Operation Code on Toast, targeted users by injecting malicious code into advertising scripts distributed by an unknown ad agency. ScarCruft, also known as TA-RedAnt or APT37, has previously exploited similar vulnerabilities targeting legacy Internet Explorer components. RokRAT can manipulate files, execute remote commands, and exfiltrate data via common cloud services, complicating detection in enterprise systems. Recommendations highlight the importance of regular system and software updates to mitigate vulnerability exploitation risks.

Effective cyber threat intelligence collection is essential for understanding and mitigating cyber threats. Utilizing C2 IP addresses and pivoting techniques helps identify malware communications and related threat actor infrastructure. ANY.RUN's Threat Intelligence Lookup tool enhances threat investigations by allowing searches using over 40 different parameters, including IP addresses, domains, and specific malware like AgentTesla. Analyzing URLs and domains provides insights into phishing attacks and malware hosting, revealing broader malicious infrastructure. Employing the MITRE ATT&CK framework identifies emerging threats through detailed adversary tactics, techniques, and procedures. YARA rules facilitate the automation of malware detection and help identify new variants of known malware families. Command line artifacts and process names can be critical indicators in identifying specific malware, such as the Strela stealer. ANY.RUN offers a 14-day trial of its Threat Intelligence Lookup tool, aiming to improve quality and speed of cyber threat research efforts.

Google is inviting IT professionals to a webinar titled "TechByte: Work Smarter, Not Harder with Google Security Operations," scheduled for 23 October 2024. The session aims to educate attendees on automating threat detection, incident response, and vulnerability management using advanced Google tools. Experts from Google will demonstrate how their technology can simplify security processes and enhance operational effectiveness. The webinar will offer insights into improving security workflows, reducing complexity, and allowing IT staff more time to focus on strategic initiatives. This initiative is designed to strengthen organizational security postures by making cybersecurity tasks more efficient. Interested parties can register for the webinar to learn how to better protect their systems using cutting-edge solutions provided by Google. The event is sponsored by Google, highlighting their commitment to advancing cybersecurity practices through innovation and technology.

The Internet Archive experienced a significant disruption due to a DDoS attack on October 9, leading to temporary service degradation. The attack utilized a modern Mirai variant malware, targeting devices primarily located in Korea, China, and Brazil. Following the DDoS attack, there was an unauthorized raid on users' data, affecting the personal information of approximately 31 million users. The site returned with limited functionality, alternating between a basic page and a more complete but still reduced version of the usual homepage. Brewster Kahle, the digital librarian, announced gradual restoration of services, including the successful relaunching of the Wayback Machine. Netscout, a network visibility company, reported that the attack lasted for about three hours and involved traffic peaks at five gigabits per second. No specific group has been officially accused of the attack, leaving the source and motive somewhat unclear. The Internet Archive is taking measures to enhance security and restore full functionality, though details on these efforts have not been fully disclosed.

A new spear-phishing campaign using the Astaroth banking malware targets Brazil, focusing on manufacturing, retail, and government sectors. Trend Micro identifies the campaign as part of the Water Makara threat group, with similarities to Google TAG's PINEAPPLE intrusion set. Phishing emails impersonate Brazil's tax authority, enticing users to download a ZIP file purported to contain tax documents. Infected Windows shortcut files within the ZIP use mshta.exe to run obfuscated JavaScript, connecting to a command-and-control server. Astaroth, known for data theft, can lead to severe consequences including loss of consumer trust, regulatory penalties, and financial impacts due to business disruption. Recommended defensive measures include enforcing strong passwords, utilizing multi-factor authentication, keeping software up-to-date, and adhering to the principle of least privilege.

IBM announced the acquisition of Prescinto, a Bangalore-based SaaS startup specializing in asset performance management for renewable energy. Prescinto's technology manages 16 gigawatts of renewable infrastructure globally, comparable to the EU's annual new wind energy generation. The acquisition aims to enhance IBM's Maximo Application Suite, improving efficiency in managing renewable energy assets like solar plants. Binance collaborated with Delhi Police to dismantle a scam involving M/s Goldcoat Solar, which defrauded investors by posing as government affiliates. The scam involved false promises of high returns on investments in a fake government-backed solar power project. Binance's analytical support helped track the fraudulent transaction flow, leading to multiple arrests and recovery of significant funds. IBM’s strategy includes broadening its asset management solutions, already managing diverse utilities, through acquisitions and partnerships.

GitHub has issued security updates for its Enterprise Server to tackle multiple vulnerabilities, including a critical flaw. The critical vulnerability, identified as CVE-2024-9487, allows unauthorized access and user provisioning via a SAML SSO bypass. This flaw has a CVSS score of 9.5, indicating its severity. The issue was inadvertently introduced during the remediation of a previous vulnerability, CVE-2024-4985, which also had a high severity level. Alongside CVE-2024-9487, GitHub corrected two additional security issues in the latest server versions. Recommended action for organizations is to urgently update their self-hosted GitHub Enterprise Server to the latest version to mitigate risks. This update follows a pattern of critical fixes by GitHub, reflecting ongoing efforts to secure its systems against sophisticated threats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical vulnerability in SolarWinds Web Help Desk software. The security flaw, labeled as CVE-2024-28987 with a CVSS score of 9.1, involves hardcoded credentials that could allow unauthorized access and data modification. This vulnerability could enable attackers to read and alter help desk ticket details, potentially exposing sensitive information such as password reset requests and service account credentials. SolarWinds first reported the flaw in late August 2024, with additional details released by cybersecurity firm Horizon3.ai the following month. The exact methods of exploitation and the identities of the attackers remain unclear. Following this report, Federal Civilian Executive Branch (FCEB) agencies are mandated to install specific updates by November 5, 2024, to mitigate the risk. This vulnerability notification follows shortly after another serious flaw in the same software was cataloged by CISA.

Security researchers at Zengo discovered a new flaw in WhatsApp revealing users' operating system and device setup. The issue arises from the unique and persistent identity keys assigned to each device using WhatsApp, varying by operating system. This vulnerability allows cybercriminals to identify the operating system of a user, enabling targeted malware attacks. Specific identity key formats for different platforms like Android, iOS, and Windows facilitate this OS fingerprinting. Tal Be’ery from Zengo emphasized the potential for attackers to exploit the most vulnerable system accessed by a victim’s WhatsApp. Meta was informed about this security flaw on September 17, but has not responded to Zengo since the initial acknowledgment. Zengo has decided to go public with this information due to the lack of response from Meta’s security team regarding the flaw. WhatsApp has not provided any comments on the matter.

Cisco is actively investigating a claim by a cyber criminal using the name IntelBroker, concerning a substantial data breach. The breach allegedly includes a wide range of sensitive data such as source codes, private keys, SSL certificates, and more from major customers. IntelBroker claims the breach occurred on June 10 and involved collaboration with other cyber criminals, EnergyWeaponUser and zjj. The stolen data is reported to affect several big companies including Microsoft, AT&T, Verizon, SAP, and others. IntelBroker is known for previous data thefts and sales involving companies like AMD and even entities like the US Army and the Pentagon. SAP has acknowledged awareness of the post on BreachForum Dark Web and is collaborating with partners to investigate. It is uncertain if the breach is connected to a past security compromise at Cisco involving their Magento-based merchandise site.

Amazon announces over 175 million users have enabled passkeys, enhancing sign-in speed and security. Passkeys allow users to log in six times faster by using biometric or PIN-based authentication tied to their devices. The adoption of passkeys offers users a password-less sign-in option, adding convenience and reducing the reliance on traditional passwords. Passkeys work by utilizing cryptographic keys; a private key stored on the user's device and a public key used by the service for authentication. The technology guarantees heightened security as the passkeys cannot be stolen through conventional means such as phishing or data breaches. Amazon has extended the passkey technology to other services including AWS and Audible, indicating the success and trust in this system. Despite the benefits, passkeys are not portable between devices or password managers, highlighting a limitation in their current implementation. The FIDO alliance introduced a new specification aimed at making passkeys portable across different platforms to improve their versatility.