Daily Brief
Total articles found: 12801
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-09-26 12:13:49 | bleepingcomputer | MALWARE | HPE Aruba Fixes Severe Flaws in Access Points, Urges Updates | HPE Aruba Networking has patched three critical vulnerabilities in the CLI of Aruba Access Points that could allow remote code execution. The flaws affect devices running various versions of Instant AOS-8 and AOS 10 and are rated with a near-maximum severity score of 9.8 out of 10. Security researcher Erik De Jong identified the vulnerabilities, which are reachable via the PAPI UDP port (8211). Impacted software versions are AOS-10.6.x.x, AOS-10.4.x.x, Instant AOS-8.12.x.x, and Instant AOS-8.10.x.x. Users are urged to update their devices to the latest respective software versions, which include several AOS-10 and Instant AOS-8 updates. As a temporary mitigation, enabling "cluster-security" on Instant AOS-8.x or blocking access to UDP/8211 on AOS-10 devices is advised. No exploitation of these vulnerabilities has been reported, and according to HPE Aruba Networking no other Aruba products are affected. Earlier security challenges for HPE include a possible breach investigated in February and an email environment compromise by APT29 in May 2023. |
| 2024-09-26 11:02:08 | thehackernews | MISCELLANEOUS | EPSS vs. CVSS: Improving Vulnerability Prioritization Efficiency | Businesses traditionally use the Common Vulnerability Scoring System (CVSS) to rank and prioritize vulnerabilities based on potential impact. CVSS scores, while standardized, often overlook real-time threat data such as actual exploit likelihood, leading to less efficient prioritization. The Exploit Prediction Scoring System (EPSS) offers a dynamic alternative by estimating the probability of a vulnerability being exploited within 30 days using real-world data. EPSS uses machine learning and sources such as the National Vulnerability Database to predict exploit probabilities more accurately. Comparisons show that EPSS-based prioritization focuses effort on fewer vulnerabilities that are more likely to be exploited, increasing remediation efficiency. Incorporating EPSS can lead to better resource allocation in cybersecurity efforts, managing vulnerabilities by their actual threat levels. The cloud-based security platform Intruder integrates EPSS to provide enhanced vulnerability prioritization, helping businesses focus on significant threats. |
| 2024-09-26 10:46:41 | thehackernews | MALWARE | Kurdish Websites Compromised, Spyware Distributed via APKs | Over the course of a year, 25 Kurdish-linked websites were targeted in a watering hole attack to collect sensitive data. The attack distributed four variants of an information-stealing framework through the compromised websites. The variants ranged from simple location trackers to more complex tools that recorded images from devices' selfie cameras. One variant tricked users into downloading malicious Android APKs, enabling further data exfiltration. Despite the attacks' scope and sophistication, no specific threat actor has been definitively identified. Analysis suggests the attacks could be linked to the Kurdistan Regional Government, following certain political tensions and arrests. The campaign's technical simplicity suggests it could be an emerging threat actor with limited resources. Victims included Kurdish media, political organizations, and military websites across Kurdish regions and Türkiye. |
| 2024-09-26 10:36:05 | theregister | CYBERCRIME | Cyberattack Disrupts Wi-Fi in UK's Major Train Stations, Displays Hate Messages | Network Rail's public Wi-Fi services at the UK's major train stations were compromised, displaying Islamophobic messages linked to the 2017 Manchester Arena bombings. All 20 stations managed by Network Rail, including 10 major ones in London and others such as Manchester Piccadilly and Birmingham New Street, were affected, with Wi-Fi still offline as investigations proceeded. British Transport Police and Network Rail are conducting a joint investigation to uncover the root cause of the cyberattack, which manifested publicly through the Wi-Fi portal landing pages. Warwickshire-based Telent, the operator of Network Rail's Wi-Fi network, is collaborating with authorities in the investigation but noted that no other customers are thought to be affected. Experts warn that public Wi-Fi networks, especially in critical national infrastructure, present soft targets due to weaker security measures compared to private, encrypted networks. Security concerns are accentuated by outdated hardware and software vulnerabilities in public transport systems, spotlighting the urgent need for enhanced protection measures. The incident not only reflects the vulnerabilities present within public Wi-Fi networks but also emphasizes the growing focus of cybercriminals on critical infrastructure as potential targets for high-impact messages. The specific details of how the attack was carried out and the extent of exposure are still under investigation, with initial suspicions pointing towards potential vulnerabilities within Telent's network management practices. |
| 2024-09-26 08:33:36 | theregister | MISCELLANEOUS | UK Government Faces Backlash Over Bank Data Sharing Proposal | The UK government proposes legislation enabling banks to share data to tackle government benefit fraud. The Fraud, Error, and Debt Bill aims to save £1.6 billion over five years by modernizing the Department for Work and Pensions' powers. Privacy advocates have labeled the bill a "financial snoopers' charter," arguing it unjustifiably invades privacy. The bill includes safeguarding measures and a Code of Practice to ensure the safe use of the new powers. Big Brother Watch criticizes the proposal, likening it to unwarranted surveillance that particularly impacts vulnerable groups. The proposal is intended to protect against fraud and assist vulnerable claimants in avoiding accumulating debt. The bill previously reached the House of Lords Committee Stage before being cut, but has since been revived by the new Labour government. |
| 2024-09-26 06:21:01 | thehackernews | NATION STATE ACTIVITY | India-Linked Hackers Target Multiple Asian Countries for Espionage | An India-linked advanced persistent threat actor dubbed SloppyLemming targets entities across South and East Asia, including government and law enforcement agencies, using Cloudflare to facilitate its attacks. The group has been active since at least July 2021, employing malware such as Ares RAT and WarHawk to conduct espionage operations. SloppyLemming uses spear-phishing emails with urgent prompts that lead victims to click malicious links for credential harvesting. The threat actor employs a custom-built tool, CloudPhish, to create malicious Cloudflare Workers that log and exfiltrate victim credentials. Targets include entities in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia, with a specific focus on sensitive sectors such as energy, education, telecommunications, and technology. Tactics include exploiting software vulnerabilities such as WinRAR CVE-2023-38831 for remote code execution and using fake RAR archives containing malicious executables. Cloudflare's reporting points to targeted attacks on Pakistani law enforcement and possible targeting of operations related to Pakistan's nuclear power facility. |
| 2024-09-26 04:54:13 | thehackernews | NATION STATE ACTIVITY | Chinese State Hackers Target U.S. ISPs in Espionage Effort | Nation-state backed Chinese hackers infiltrated a number of U.S. internet service providers, gathering sensitive data as part of a cyber espionage campaign. The activity was linked to a group known as Salt Typhoon, FamousSparrow, or GhostEmperor, as identified by Microsoft and other cybersecurity entities. Investigators are looking into whether this group compromised Cisco Systems routers, which play a critical role in managing internet traffic. The primary objective of these breaches is to establish a long-term presence within the networks to continuously collect important data or to prepare for potential destructive cyber attacks. GhostEmperor was first exposed in October 2021 by Kaspersky, which detailed a sophisticated and stealthy campaign mainly targeting Southeast Asian nations but also affecting countries in Africa and the Middle East. A 2024 investigation by Sygnia found that the group had compromised an unnamed client in 2023, leading to further network infiltrations through business partners. This incident is part of ongoing Chinese efforts focusing on the telecommunications sector and critical infrastructure as key targets for espionage and cyber warfare. |
| 2024-09-26 01:50:24 | theregister | MISCELLANEOUS | WordPress Blocks WP Engine From Accessing Critical Updates | WordPress escalated its dispute with web hosting provider WP Engine by barring its servers from accessing vital resources on WordPress.org, including software updates. This move could jeopardize the security and functionality of WordPress sites hosted on WP Engine by preventing updates to essential plugins and themes. The conflict stems from WordPress co-founder Matt Mullenweg's claim that WP Engine profits from using WordPress without appropriate contributions to its development. Mullenweg has demanded that WP Engine pay license fees for the trademark, asserting that financial compensation is owed for the benefits derived from using WordPress resources. WP Engine has resisted these fee demands, leading to Mullenweg's decision to cut off access to WordPress.org resources as a means of pressuring WP Engine. The quarrel has led to broader community unrest, with discussions among WordPress users about a potential fork of WordPress and dissatisfaction with the block imposed on WP Engine. WP Engine noted the access blockage on its status page, advising affected customers to seek support directly from WP Engine. |
| 2024-09-25 21:50:57 | theregister | NATION STATE ACTIVITY | Chinese Cyber Spies Infiltrate US ISPs in Perilous Espionage Campaign | Salt Typhoon, a Chinese cyberspy group, has reportedly infiltrated several US internet service providers. These intrusions are part of China's broader strategy of targeting critical infrastructure and core internet devices to gather data and potentially prepare for disruptive actions. US agencies and the FBI have linked these intrusions to ongoing activities by other Chinese espionage groups, including Flax Typhoon and Volt Typhoon. Flax Typhoon controlled a large botnet targeting US critical infrastructure, while Volt Typhoon exploited vulnerabilities to penetrate US networks. Binary Defense uncovered Chinese state-sponsored espionage activity within a global engineering firm, indicating a consistent pattern of espionage and intellectual property theft. These incidents highlight significant vulnerabilities in the US supply chain and information infrastructure, exacerbated by extensive espionage activities. Concerns have been raised about why these breaches took so long to discover, suggesting the extent and impact of such state-sponsored cyber activity may have been underestimated. |
| 2024-09-25 17:35:59 | theregister | RANSOMWARE | RansomHub Extorts Delaware Libraries in Million-Dollar Attack | RansomHub, a ransomware group, targeted Delaware Libraries, demanding approximately $1 million. The attack impacted 35 library sites across the state, causing shutdowns of computer labs and disruption of phone, printing, internet, and computer services. The initial impact was traced back to a ransomware infection on a virtual server, leading to widespread IT service outages. Delaware Libraries confirmed that these disruptions stem from ransomware, with investigations ongoing and temporary measures in place to maintain basic services. RansomHub's claims have included the leak of old financial documents, with no immediate indication of a breach of sensitive or personal data. Delaware Libraries opted to rebuild the affected systems rather than pay the ransom, in line with federal cybersecurity guidance. Recovery and investigation efforts involve collaboration with Microsoft and the Delaware Department of Technology and Information, suggesting a protracted restoration period. |
| 2024-09-25 17:04:49 | thehackernews | MISCELLANEOUS | Google's Use of Rust Significantly Reduces Android Vulnerabilities | Google's transition to Rust and other memory-safe languages has led to a significant decrease in memory vulnerabilities in Android, dropping from 76% to 24% over six years. Since adopting Rust in 2019, Google has noted a decline in memory safety vulnerabilities from 223 cases in 2019 to under 50 in 2024. The reduction is attributed to a shift from reactive patching to proactive strategies, including the use of tools such as Clang sanitizers. Google emphasizes the importance of secure-by-design principles that build security in from the start of code development. Safe Coding practices allow for strong assertions about code properties, reducing the introduction of new vulnerabilities. Google's strategic focus also extends to interoperability between Rust, C++, and Kotlin to eliminate vulnerability classes without requiring full code rewrites. Increased collaboration with Arm, focusing on security improvements in GPU software and firmware, has flagged and addressed critical memory safety issues. Despite an increase in the quantity of new memory-unsafe code, the number of vulnerabilities has decreased, which is attributed to the natural decay of vulnerabilities over time. |
| 2024-09-25 17:04:48 | bleepingcomputer | MISCELLANEOUS | Significant Reduction in Android Memory Safety Flaws Over Five Years | Android has reduced its memory safety vulnerabilities by 68% in five years, from 76% in 2019 to 24% in 2024. Google has shifted towards using memory-safe languages such as Rust for writing new code, aiming to minimize new flaws. Old code was minimally altered, with changes focused on critical security fixes, enhancing safety without affecting backward compatibility. The strategy has improved the security of Android, making it a leading example of effective long-term security improvement in large projects. The gradual refinement of older code, together with the careful integration of new, safer coding practices, has synergistically reduced memory-related vulnerabilities. Despite concerns, Google states that leaving older code unchanged has proven safer, as older bugs are resolved and less new code is introduced. Google describes the industry's evolution through four stages of dealing with memory safety flaws, emphasizing a commitment to proactive vulnerability management. Google's report aligns with CISA's recommendations for more secure coding practices and moving away from memory-unsafe languages in critical projects. |
| 2024-09-25 16:18:32 | bleepingcomputer | CYBERCRIME | Cyber Attacks on U.S. Water Systems Using Basic Techniques | CISA alerted about ongoing cyberattacks on critical infrastructure, particularly aimed at Internet-exposed OT and ICS devices in the Water and Wastewater Systems sector, using unsophisticated methods such as brute force and default credentials. Threat actors are focusing on exposed operational technology (OT) and industrial control systems (ICS) to disrupt operations or generate nuisance impacts, primarily through basic cyberattack strategies. CISA's guidance emphasized the necessity of updating security practices, such as changing default passwords, enabling multifactor authentication, and using firewalls for enhanced protection against unauthorized access. The advisory follows recent incidents affecting water facilities, including a cyberattack that forced an Arkansas City water treatment plant into manual operations. U.S. government bodies such as the EPA are actively issuing guidelines and seeking state cooperation to strengthen cybersecurity measures across the nation's water systems against both domestic and foreign cyber threats. Several state-backed actors from countries including Russia, Iran, and China have been implicated in attempts to breach U.S. water system security in recent years. |
| 2024-09-25 14:15:32 | thehackernews | DATA BREACH | Mozilla Accused of Enabling Tracking Without Consent in Firefox | Vienna-based privacy non-profit noyb filed a complaint against Mozilla for activating Privacy Preserving Attribution (PPA) without user consent. The PPA feature, similar to initiatives by Google and Apple, tracks user interactions under the guise of preserving privacy but has raised concerns over actual user consent. Noyb asserts that Mozilla enabled this tracking feature by default in Firefox version 128, potentially violating the EU's GDPR. PPA is designed to measure ad effectiveness without invasive tracking, instead using aggregate data to protect individual privacy. The feature uses differential privacy via the Distributed Aggregation Protocol to aggregate user data anonymously and securely. Mozilla defends PPA, stating that it provides non-invasive, aggregated insights into ad performance and removes the need for individual tracking. The complaint emphasizes the need for explicit user consent and opt-out options, suggesting Mozilla underestimated user understanding and choice in the matter. |
| 2024-09-25 12:43:24 | thehackernews | MALWARE | Discovery of New Rust-Based Red Team Tool "Splinter" Reported | Cybersecurity researchers from Palo Alto Networks Unit 42 have discovered a new tool named Splinter, designed for post-exploitation in red team operations. Splinter, written in the Rust programming language, builds upon standard features found in existing penetration testing tools but is considered less advanced than tools such as Cobalt Strike. Although not yet tied to any specific threat actor, the tool poses significant risks if co-opted by malicious entities due to its capabilities, including command execution, file management, and data collection. The tool includes a large number of Rust crates, making it exceptionally large (around 7 MB), and carries a configuration for command-and-control server communication via HTTPS. The report also notes other emerging threats, such as stealthy code injection techniques exploiting Microsoft Office RPC interfaces and novel process injection methods like Thread Name-Calling, which manipulate APIs to bypass endpoint protection. The ongoing identification and disclosure of such tools and techniques stress the importance of advancing organizational prevention and detection capabilities in response to evolving criminal tactics. |