Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12814
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-10-11 11:00:48 | thehackernews | CYBERCRIME | How to Defend Against Hybrid Password Attack Strategies | Hybrid password attacks combine multiple techniques, such as brute force and dictionary attacks, to improve their effectiveness. These attacks take advantage of the simplicity and commonality of user passwords, using pre-determined lists and variations to crack passwords swiftly. By combining social engineering with technical attacks, cybercriminals approach targets from multiple angles, complicating defense strategies. Defending against hybrid attacks involves implementing multi-factor authentication (MFA) to add layers of security beyond passwords alone. Organizations are advised to enforce longer and more complex passwords, ideally 20 characters or longer, to significantly delay or prevent brute force attacks. Regular auditing tools, such as Specops Password Auditor, help identify and remediate compromised passwords by scanning against a large database of known compromised credentials. Establishing a robust password policy with tools such as Specops Password Policy can prevent the use of previously breached passwords and encourage stronger password creation, thereby strengthening defenses against hybrid attacks. | Details |
| 2024-10-11 08:38:02 | thehackernews | NATION STATE ACTIVITY | CISA Flags F5 BIG-IP Cookie Misuse for Network Recon by APT29 | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about threat actors exploiting unencrypted F5 BIG-IP cookies for network reconnaissance. The cookies, set by the F5 BIG-IP Local Traffic Manager (LTM) module, enable attackers to identify and potentially exploit vulnerabilities in other network devices. CISA has advised organizations to encrypt persistent cookies on F5 BIG-IP devices and to use the BIG-IP iHealth diagnostic tool to check for potential security issues. The advisory was released amid reports of the Russian APT29 group targeting multiple sectors, including diplomatic and defense, to gather intelligence and enable future cyber operations. APT29, linked to the Russian Foreign Intelligence Service (SVR), uses tactics such as proxy networks to blend into legitimate traffic and remain undetected. The joint bulletin by U.S. and U.K. agencies highlighted APT29's use of Tor for anonymity, leasing of infrastructure under fake identities, and exploitation of security vulnerabilities such as CVE-2022-27924 and CVE-2023-42793. Recommendations for organizations include baselining authorized devices and applying additional scrutiny to non-baseline systems to disrupt malicious activity. | Details |
| 2024-10-11 06:35:34 | thehackernews | MALWARE | GitLab Issues Updates for Critical CI/CD Pipeline Vulnerability | GitLab has patched eight security vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) software, including one critical flaw. The critical vulnerability, tracked as CVE-2024-9164, carries a severity score of 9.6 and allows unauthorized execution of CI/CD pipelines on arbitrary branches. The flaw affects numerous GitLab versions beginning from 12.5, and users should update to versions 17.2.9, 17.3.5, or 17.4.2. The other vulnerabilities in the update comprise four high-severity issues, two medium-severity issues, and one low-severity problem. In recent months GitLab has repeatedly addressed similar pipeline vulnerabilities, indicating an ongoing challenge in securing CI/CD operations. Although no exploitation of these vulnerabilities has been reported, users are strongly urged to upgrade to the latest GitLab releases to mitigate potential security risks. | Details |
| 2024-10-11 06:04:41 | thehackernews | CYBERCRIME | Major Dark Web Markets Shut Down in Multi-National Police Raid | A joint police operation led to the shutdown of Bohemia and Cannabia, significant dark web markets dealing in illegal goods and cybercrime services. The operation, which began toward the end of 2022, involved cooperation between Dutch, Irish, UK, and US law enforcement agencies. Bohemia reportedly handled 82,000 ads globally every day, with an estimated 67,000 transactions per month totaling around €12 million in September 2023. Authorities arrested two marketplace administrators, one each in the Netherlands and Ireland, and seized two vehicles along with €8 million in cryptocurrency. The successful operation challenges the perceived anonymity of the dark web, signaling enhanced international cooperation and effectiveness in policing these platforms. The takedown followed service disruptions and alleged exit scams within Bohemia, reportedly involving a disgruntled developer going rogue. Separately, Ukrainian authorities arrested a man for operating a VPN service that provided access to the Russian internet in violation of sanctions, indicating ongoing related cybercrime activity. | Details |
| 2024-10-11 05:33:52 | theregister | CYBERCRIME | FBI's Crypto Sting Operation Leads to Multiple International Arrests | The FBI created a cryptocurrency, NexFundAI, and used it as bait to uncover fraudulent schemes in the crypto market. Eighteen individuals have been charged for participating in schemes including "wash trades," which artificially inflate trading volumes to boost asset prices. Arrests were made in three countries, the UK, the US (Texas), and Portugal, highlighting the international scale of the operation. The FBI's approach involved setting up a fake company to promote NexFundAI, allowing federal agents to monitor and gather evidence of fraudulent activities directly. The U.S. Securities and Exchange Commission (SEC) also charged five individuals who falsely promoted crypto assets, revealing deception in the investment market. Four of the defendants pleaded guilty, suggesting the investigation may have a broader impact in exposing further fraudulent practices within the cryptocurrency sector. The operation underscores ongoing fraud in the crypto markets and prompts investors to remain cautious. | Details |
| 2024-10-11 03:01:03 | theregister | DATA BREACH | Star Health Acknowledges Major Customer Data Breach in India | Star Health, a major Indian health insurance provider, confirmed unauthorized access to over 30 million customer records. Hackers claimed to have leaked sensitive customer data on Telegram, including PDFs of insurance claims and national identity cards. Despite initial claims of no widespread compromise, Star Health acknowledged the data breach and is conducting a rigorous forensic investigation. The company is collaborating with government and regulatory bodies and has reported the incident to insurance and cybersecurity authorities. Star Health filed a lawsuit against Telegram, Cloudflare, and the hacker "xenZen" to hinder further data leaks and misuse. The Madras High Court has ordered measures to restrict access to the data, following Star Health's legal actions. The breach and subsequent leaks have raised concerns about cybersecurity practices within the health insurance industry, affecting customer trust and drawing regulatory scrutiny. | Details |
| 2024-10-10 22:09:52 | bleepingcomputer | MALWARE | Ransomware Targets Veeam Servers via Critical Flaw CVE-2024-40711 | A critical RCE vulnerability (CVE-2024-40711) in Veeam Backup & Replication servers is being exploited by the Akira and Fog ransomware gangs. The flaw, identified by security researcher Florian Hauser, involves deserialization of untrusted data and allows unauthenticated, low-complexity attacks. Veeam released updates on September 4 after discovering exploitation attempts, followed by a technical analysis from watchTowr Labs. Attackers initially gained access via compromised VPN gateways lacking multifactor authentication, some running outdated software versions. Sophos X-Ops observed that attackers added compromised local admin and remote desktop user accounts through the CVE-2024-40711 exploit. Data exfiltration was noted in at least one incident, where the attacker used the rclone utility after deploying Fog ransomware on an unprotected server. The CVE-2024-40711 exploit adds to a history of Veeam vulnerabilities targeted by ransomware, including activity by FIN7, a group linked to several major ransomware families, and attacks on U.S. critical infrastructure. Veeam products are widely used, including by 74% of Global 2,000 companies, which underscores the high impact of such vulnerabilities. | Details |
| 2024-10-10 21:34:06 | theregister | DATA BREACH | Personal Information of 77K Fidelity Customers Stolen | Fidelity Investments reported a data breach affecting 77,099 customers, occurring between August 17 and August 19. The breach involved unauthorized third-party access using two recently established customer accounts. Fidelity has not specified the exact personal details stolen but confirmed there was no access to Fidelity accounts or financial systems directly linked to these accounts. Immediate actions were taken to secure the systems once the breach was detected, and an external security firm has been engaged for the investigation. Affected customers are being notified and provided with two years of free credit monitoring services. Fidelity states there is currently no evidence of misuse of the stolen information. The asset manager handles $5.5 trillion in customer assets and serves over 51.5 million people and 28,000 businesses globally. | Details |
| 2024-10-10 19:01:03 | bleepingcomputer | DATA BREACH | Marriott Agrees to $52 Million Settlement for Multiple Data Breaches | Marriott International, along with its subsidiary Starwood Hotels, has agreed to a $52 million settlement over data breaches affecting more than 344 million customers. The settlement mandates the implementation of a comprehensive information security program and permits U.S. customers to request deletion of their personal data. The Federal Trade Commission (FTC) highlighted three significant breaches, reflecting poor security measures and delayed response times. The breaches included exposed payment card information in 2014, access to 339 million guest records in 2014, and exposure of 5.2 million guests' details in 2018. Key issues identified in Marriott's security included inadequate password controls, use of outdated software, and insufficient monitoring of IT environments. Marriott also settled separately with 49 states and the District of Columbia for $52 million over the same data breaches. The case underscores ongoing challenges in data security and corporate responsibility for protecting consumer information. | Details |
| 2024-10-10 18:50:10 | bleepingcomputer | NATION STATE ACTIVITY | US, UK Issue Alert on Russian Hackers Targeting Critical Servers | U.S. and U.K. cybersecurity agencies issued a warning about APT29, a Russian-linked hacking group, targeting exposed Zimbra and JetBrains TeamCity servers. The hackers exploit known vulnerabilities, specifically CVE-2022-27924 and CVE-2023-42793, to infiltrate systems for email credential theft and initial access. The advisory, released by the NSA, FBI, U.S. Cyber Command, and the U.K.'s NCSC, urges network defenders to patch these vulnerabilities to prevent attacks that scale easily. APT29, also known as Cozy Bear among other aliases, has a history of targeting both governmental and private sector entities in the U.S. and Europe. These attacks are part of broader campaigns, including the SolarWinds breach and unauthorized access to Microsoft 365 accounts of U.S. and NATO officials. Recent warnings also highlight APT29's shift toward exploiting cloud services, underscoring the global threat posed by its activities. The advisory emphasizes the importance of updating security measures, prioritizing patches, and maintaining up-to-date software to safeguard against potential breaches. | Details |
| 2024-10-10 16:52:06 | bleepingcomputer | DATA BREACH | Fidelity Reports Data Breach Impacting 77,000 Customers | Fidelity Investments disclosed a data breach affecting over 77,000 individuals. The breach occurred between August 17 and 19 and involved unauthorized access via two recently established customer accounts. The exposed personal information has not been fully detailed, but names and other identifiers were compromised. Fidelity detected the breach on August 19, terminated the access immediately, and launched an investigation with external security experts. There is no evidence that the stolen data has been misused; nevertheless, affected customers are offered two years of free credit monitoring and identity restoration services. Fidelity advises customers to stay vigilant by monitoring financial statements and credit reports and reporting any suspicious activity. The incident has been reported to the Office of the Maine Attorney General as part of regulatory compliance. | Details |
| 2024-10-10 16:05:48 | bleepingcomputer | CYBERCRIME | Ransomware Attack on Casio Leads to Major Data Leak | The Underground ransomware gang claimed responsibility for a cyberattack on Casio on October 5 that disrupted its systems and services. Casio confirmed the attack on its website and engaged external IT specialists to investigate potential theft of data, including personal and confidential information. The ransomware group has since leaked substantial amounts of data allegedly stolen from Casio on its dark web extortion portal. The leaked data reportedly includes information on Casio's workforce and intellectual property, potentially causing significant business impact. Casio has not responded to inquiries regarding the validity of the threat actors' claims about the data breach. Underground ransomware, associated with the Russian cybercrime group RomCom, has been active since July 2023 and targets Windows systems. The malware exploits vulnerabilities to maintain access and maximize damage through data theft and encryption, while employing tactics that hinder data recovery. Underground ransomware has previously listed 17 victims, mostly in the USA, on its extortion portal. | Details |
| 2024-10-10 15:13:54 | bleepingcomputer | CYBERCRIME | Critical GitLab Flaw Enables Unauthorized Pipeline Executions | GitLab has issued updates for a critical security flaw affecting its CE and EE versions, tracked as CVE-2024-9164. The vulnerability allows unauthorized users to initiate CI/CD pipelines on any repository branch, bypassing the required permissions. Exploiting this flaw could lead to unauthorized code execution or access to sensitive data. Affected GitLab EE versions range from 12.5 to 17.2.8, 17.3 to 17.3.4, and 17.4 to 17.4.1, with patches now available in versions 17.4.2, 17.3.5, and 17.2.9. GitLab has reiterated the urgency for all users on impacted versions to upgrade immediately to secure their installations. CVE-2024-9164 is part of a series of critical vulnerabilities found this year in GitLab pipelines, highlighting ongoing security challenges. GitLab Dedicated customers need not take any action, as their instances are cloud-hosted and updated automatically. | Details |
| 2024-10-10 14:22:32 | theregister | MISCELLANEOUS | Securing AI: Webinar on Best Practices with AWS | Generative AI (GenAI) has evolved quickly from a novel idea to a key innovation driver in various industries. Security is a critical concern as companies incorporate this technology into their operations. AWS senior solutions architect Anna McAbee will lead a webinar focusing on security strategies for AI implementation. The session will cover adapting identity management, access controls, and data privacy frameworks specifically for AI applications. AWS tools such as Amazon Bedrock and Amazon Q will be discussed as ways to help secure AI environments. Participants will learn how to deploy generative AI securely, ensuring resilience and compliance. The webinar aims to provide IT leaders with actionable insights on integrating AI with security mechanisms. It is scheduled for 29 October at 9am PDT, 12pm EDT, and 4pm GMT, and requires pre-registration. | Details |
| 2024-10-10 14:17:09 | theregister | DATA BREACH | Golf Tech Company Exposes 32 Million User Records | Nearly 32 million records from Trackman, a golf technology company, were found unsecured in a Microsoft Azure Blob storage instance that was not password protected. The exposed data included names, email addresses, device information, IP addresses, and security tokens, totaling 110 TB of sensitive information. Jeremiah Fowler, the researcher who discovered the exposure, reported it to Trackman but received no response or acknowledgment. The exposure put users at risk of phishing attacks, device compromise, and other forms of digital crime, with professional athletes particularly at risk due to their high-profile status. Trackman closed off access to the data after being alerted but did not notify affected users or make a public statement about the incident. The lapse in data security also raises concerns about possible misuse of the exposed information for spear phishing and social engineering attacks. Fowler emphasized how easily criminals could exploit this data, especially given advances in AI and technology that make realistic phishing attempts easier to produce. | Details |