Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11837
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-08 06:59:26 | thehackernews | MALWARE | Critical Security Flaws Exposed in Gogs Git Service Platform | Four significant and currently unpatched vulnerabilities were identified in the Gogs open-source Git service, with three classified as critical. Authenticated attackers can potentially execute arbitrary commands, steal, modify, or delete source code, and plant backdoors on affected Gogs instances. The exploitable issues require that the attacker be authenticated, with the most critical flaw additionally requiring SSH access to be enabled. Around 7,300 Gogs instances are publicly accessible online, predominantly in China and the U.S., with unclear specifics on how many are vulnerable. SonarSource, the research team that found the flaws, reported a lack of response from Gogs maintainers regarding the implementation of fixes. SonarSource suggests disabling the built-in SSH server, halting user registrations, or shifting to alternative platforms like Gitea due to the absence of vendor-supplied patches. The discovery parallels revelations about phantom secrets in SCM systems, stressing persistent risks in managing sensitive data within repositories. | Details |
| 2024-07-08 06:33:44 | thehackernews | NATION STATE ACTIVITY | Apple Removes VPN Apps in Russia Under Government Pressure | Apple complied with Roskomnadzor's request to remove 25 VPN apps from its Russian App Store on July 4, 2024. Affected VPN providers include notable names like ProtonVPN, Red Shield VPN, NordVPN, and Le VPN. Roskomnadzor's actions are part of broader efforts by the Russian government to control internet access and content. NordVPN had previously ceased operations in Russia in March 2019 by shutting down all its Russian servers. The takedown aligns with Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection". VPN services have been added to Russia's "Unified register" of internet resources prohibited from public distribution. Le VPN introduced an alternative service named Le VPN Give to circumvent these restrictions using obfuscated VPN connections. This incident is part of ongoing censorship initiatives since the Russo-Ukrainian conflict began in February 2022, impacting various media and social media platforms. | Details |
| 2024-07-08 05:32:34 | theregister | CYBERCRIME | Selfie Authentication Raises Fraud and Privacy Concerns Worldwide | Vietnam mandates selfie-based identity verification for digital transactions above $400, raising privacy and security concerns due to the country's poor cybersecurity ranking. Critics argue that Vietnamese banks' implementation, which accepts still photos instead of live images, undermines security claims. Resecurity discovered a surge in leaked Singaporean identity documents with selfies on the dark web, indicating potential exploitation by cybercrime groups. Selfie verification's popularity surged during the pandemic, driven by the need for digital engagement and remote account opening in financial services. Concerns exist about the handling and disposal of the biometric data collected through selfie verification processes. The efficacy of "liveness checks" in verification, which include real-time movement and biometric matching, may mitigate some risks of data misuse. Debate continues over balancing the need for robust digital identity verification processes with privacy, security, and inclusive accessibility. As technology and regulations evolve, continuous reassessment of privacy and security measures in digital identity verification is required. | Details |
| 2024-07-08 01:48:19 | theregister | DATA BREACH | OpenAI Neglects to Report Data Breach and Privacy Oversights | OpenAI failed to disclose a data breach of its private employee forum early in 2023, despite learning of the intrusion promptly. No AI builds were stolen in the breach, leading executives to downplay the threat, believing it involved only a private individual. This undisclosed breach adds to concerns regarding OpenAI's safety culture, amplified by the recent departure of key safety executives. The macOS ChatGPT app was found to bypass built-in safety features and store user data insecurely, which OpenAI later rectified but did not initially report. Other security news highlights include vulnerabilities in Xerox printers, a data breach of the FIA, and the discovery of a new, thorough ransomware group called Volcano Demon. A massive new password dictionary named "RockYou2024" surfaced, containing nearly ten billion unique plaintext passwords from previous breaches. Prudential's breach victim count has dramatically increased from 36,000 to over 2.5 million due to the ALPHV/BlackCat ransomware attack. | Details |
| 2024-07-08 00:47:02 | theregister | MISCELLANEOUS | Mt Gox Repays Investors, India Boosts Chip Subsidy, Samsung Strike | Mt Gox, once a prominent Japanese crypto exchange, has announced plans to repay some investors in Bitcoin and Bitcoin Cash after losing track of assets now valued at over $50 billion. The repayment by Mt Gox could potentially influence Bitcoin prices negatively due to increased circulation following payout completion. India's government is likely to increase funding for its semiconductor mission, having already committed the majority of the $9.1 billion initially allocated to attract chip manufacturing. An anticipated additional funding request by India aims to further establish local semiconductor production facilities in cooperation with international partners like Taiwanese foundry Powerchip. Samsung Electronics workers have begun a three-day strike, demanding better working conditions and pay, amidst the company's efforts to manage strike disruptions. Central banks in India, Malaysia, the Philippines, Singapore, and Thailand have collaborated under Project Nexus to link their instant payment systems, aiming to simplify and standardize cross-border transactions within the region. | Details |
| 2024-07-07 15:27:45 | bleepingcomputer | MISCELLANEOUS | Europol Discusses Home Routing Challenges for Law Enforcement | Europol targets the privacy-enhancing technologies (PET) in Home Routing systems, which hinder criminal investigations by encrypting data. Home Routing allows users to maintain their home network's services abroad, preventing local interception due to PET. Enforcement officials face delays and depend on foreign service provider cooperation due to encrypted communication paths. Europol proposes disabling PET for individuals using foreign SIM cards within the EU to ease lawful interception. An alternative suggestion involves creating a quick mechanism for EU-wide communication interception requests. Currently, criminals exploit this system, aware of the delays and hurdles in cross-border law enforcement. Europol emphasizes the urgent need for collaborative solutions between national authorities, policymakers, and telecommunications providers to adjust or enhance current regulations. | Details |
| 2024-07-07 14:11:20 | bleepingcomputer | DATA BREACH | Shopify Attributes Customer Data Sale to Third-Party App Misuse | Shopify has denied experiencing a data breach within its own networks, attributing the incident instead to a third-party application. A threat actor known as '888' claimed to have obtained customer data from Shopify and began selling it; this data includes detailed personal information and transaction records. Shopify has stated that the data loss stemmed from a compromised third-party app, whose developer will inform the impacted customers. Samples of the stolen data showed elements such as Shopify IDs, customer names, contacts, spending, and subscription details. This is not the first controversy involving Shopify; in 2020, they reported a breach involving unauthorized access by two members of their support team to merchant data. Threat actor 888, responsible for this data sale, has a history of dealing in stolen data from various prominent organizations worldwide. | Details |
| 2024-07-05 21:29:57 | theregister | NATION STATE ACTIVITY | Apple Accused of Enforcing VPN Bans More Effectively Than Kremlin | Apple has removed certain VPN apps from its Russian App Store following demands from Russia's internet regulatory agency, Roskomnadzor. Two VPN providers, Red Shield VPN and Le VPN, confirmed their apps were taken down, allegedly to comply with local laws. Red Shield VPN criticized Apple's compliance, accusing the company of supporting an authoritarian regime and highlighting the effectiveness of Apple's action compared to the Kremlin's previous efforts. Mozilla resisted similar pressure from Roskomnadzor, reversing a temporary ban on VPNs in its store after one week. Google has also received requests from Roskomnadzor to remove VPN services but has not yet acted on these demands. Eight VPN apps, including big names like NordVPN, Proton, and Private Internet Access, are reportedly no longer available in the Russian App Store, though some may have been unlisted voluntarily by the providers in 2023. The focus of Roskomnadzor appears to be on preventing the distribution of VPN apps rather than attempting to block server access. | Details |
| 2024-07-05 18:41:40 | bleepingcomputer | NATION STATE ACTIVITY | Cloudflare DNS Service Disruption Due to BGP Hijacking | Cloudflare's DNS resolver service, 1.1.1.1, experienced a service disruption affecting 300 networks across 70 countries due to a BGP hijack and a route leak. The incident started when Eletronet S.A. mistakenly announced the 1.1.1.1/32 IP address, leading other networks, including a Tier 1 provider, to treat it as a blackhole route. This specific announcement inadvertently redirected traffic meant for Cloudflare to Eletronet, causing service availability issues for Cloudflare users. Shortly after the initial disruption, another network, Nova Rede de Telecomunicações, further complicated the issue by leaking a 1.1.1.0/24 route to an upstream provider, exacerbating the hijacking impact. Cloudflare took corrective actions including disabling peering with the affected networks and resolving the incorrect route announcements within a few hours. To prevent future occurrences, Cloudflare highlighted the adoption of Resource Public Key Infrastructure (RPKI), which helped in rejecting invalid route announcements automatically. | Details |
| 2024-07-05 17:09:29 | bleepingcomputer | CYBERCRIME | Hackers Target Ticketmaster, Leak Taylor Swift Concert Tickets | Hackers identifying as Sp1d3rHunters have leaked barcode data for 166,000 tickets to Taylor Swift's Eras Tour, posing a threat to numerous upcoming concerts. The leak is part of an extortion attempt demanding $2 million to prevent further exposure of sensitive data, including information on events by major artists and sports fixtures. This cyber threat stems from a breach of Ticketmaster's data stored on Snowflake's platform, where hackers accessed databases using credentials stolen through malware. Additional victims compromised through the Snowflake breach include well-known organizations such as Neiman Marcus, Los Angeles Unified School District, and Santander. The breach was initially triggered by ShinyHunters, a notorious hacking group with a history of large-scale data leaks, who reportedly began selling 560 million Ticketmaster customer records in May. Sp1d3rHunters provided instructions on converting the leaked barcode information into scannable tickets, further complicating security measures for the affected events. Authorities and affected organizations, including Ticketmaster, are investigating the scope of the breach, evaluating impacts, and considering responses to prevent potential misuse of the leaked data. | Details |
| 2024-07-05 17:04:07 | theregister | CYBERCRIME | Ransomware Attack Disrupts Critical Medical Procedures in London | A ransomware attack by Qilin targeted Synnovis, a key pathology services provider in London, causing severe disruptions. Approximately 1,500 medical procedures were canceled across major hospitals in London following the cyberattack, which first struck four weeks ago. Johanna Groothuizen, a cancer patient, was forced to opt for a simple mastectomy over a planned skin-sparing mastectomy and immediate reconstruction due to the attack. The attack compromised the ability of hospitals to perform certain surgeries by limiting access to essential services like blood transfusion support from Synnovis. Hanna had less than 24 hours to make a decision about her surgery, ultimately choosing the simpler procedure to avoid delaying her cancer treatment. The cyberattack has raised questions about the resilience and funding of cybersecurity within the UK's public health infrastructure. Services are slowly returning to normal, but the incident highlights the broader impacts of cyberattacks on public health and safety. The incident not only affected the immediate health outcomes for patients but also increased stress and urgency among hospital staff and impacted patient aftercare. | Details |
| 2024-07-05 15:57:47 | bleepingcomputer | MALWARE | New Eldorado Ransomware Targets VMware and Windows Systems | The new ransomware-as-a-service Eldorado was first observed in March, targeting systems in the U.S., particularly within the real estate, educational, healthcare, and manufacturing sectors. Eldorado is designed to infect both Windows and VMware ESXi platforms, encrypting files with the ChaCha20 algorithm. The operators are actively recruiting skilled affiliates online and have established a data leak site for extortion, though it was not accessible at the time of the report. Group-IB researchers accessed the ransomware encryptor and user manual, revealing that the malware supports both 32- and 64-bit systems and features significant customization options for targeted attacks. The malware avoids damaging critical system files and directories to maintain the bootability and usability of the compromised systems, and it is programmed to delete itself automatically post-attack to hinder forensic analysis. The cybersecurity firm provided defense recommendations, highlighting that proactive security measures are essential to defend against ransomware threats like Eldorado. | Details |
| 2024-07-05 12:52:48 | thehackernews | DDOS | OVHcloud Thwarts Record 840M PPS DDoS Attack Using Compromised Routers | French cloud computing firm OVHcloud successfully mitigated a DDoS attack in April 2024 which recorded a peak packet rate of 840 million packets per second (Mpps), surpassing the previous record of 809 million packets per second from 2020. The attack combined a TCP ACK flood from 5,000 source IPs and a DNS reflection leveraging around 15,000 DNS servers, with two-thirds of the traffic coming from just four U.S.-based points of presence. OVHcloud has noted a significant rise in DDoS attacks since 2023, with attacks exceeding 1 terabit per second becoming an almost daily occurrence. The attacks are primarily facilitated by exploiting compromised MikroTik Cloud Core Router devices, with nearly 100,000 routers being vulnerable due to outdated operating systems. The potential threat level escalates because even a 1% compromise of these routers could lead to botnet attacks issuing over 2 billion packets per second. OVHcloud's observations highlight an urgent need for enhanced anti-DDoS measures and infrastructure to handle the evolving scale and complexity of DDoS threats. | Details |
| 2024-07-05 12:37:20 | theregister | DATA BREACH | Ghostscript Vulnerability Opens Door to Potential Major Breaches | The Ghostscript software, integral to many systems for PDF viewing and conversion, harbors a newly disclosed vulnerability labeled CVE-2024-29510. Despite being identified and partially mitigated, the flaw allows for remote code execution (RCE) and has significant implications if exploited. Ghostscript is widely used across various platforms and in automated workflows, often operating behind the scenes in image rendering, PDF conversions, and OCR tasks. The vulnerability's severity score (CVSS 5.5) has been contested by experts who believe its impact might be underestimated due to its potential for exploitation without user interaction. There is a divergence in the security community regarding the need for immediate action, with some professionals urging quicker remediation to prevent potential breaches. A proof of concept (PoC) for the vulnerability, achieving RCE via EPS file handling, has been released, making public awareness and operational attention imperative. The National Vulnerability Database has yet to provide a comprehensive analysis, raising concerns about timely and accurate vulnerability assessments in the cybersecurity sector. | Details |
| 2024-07-05 12:32:01 | thehackernews | MISCELLANEOUS | Webinar Invitation: Master ITDR to Protect Against Identity Attacks | An upcoming webinar focuses on the significance of Identity Threat Detection and Response (ITDR) in combating advanced identity-based cyber threats. The webinar is geared towards IT and cybersecurity professionals, aiming to equip them with the knowledge to safeguard digital identities. Yiftach Keshet, Silverfort's VP of Product Marketing, will lead the session, offering deep insights into ITDR technologies. Attendees will learn about continuous threat detection tactics and the importance of staying proactive in cybersecurity measures. The presentation will cover cutting-edge strategies for preventing ransomware attacks, unauthorized lateral movement, and data breaches. Every day without ITDR increases vulnerability to sophisticated cybercriminals targeting organizational digital assets. Registration urgency is stressed, as spots are filling up quickly and the opportunity is billed as a can't-miss for those serious about cybersecurity. | Details |