Daily Brief

Articles are listed below; each is followed by its generated summary

Total articles found: 11832

Checks for new stories every ~15 minutes

2024-07-02 12:56:03 thehackernews CYBERCRIME Addressing Rising Ransomware Threats with Advanced MFA Solutions
The average ransom payment for ransomware attacks increased dramatically by 500% in recent years, reaching $2 million in 2024 from $400,000 in 2023. Outdated legacy Multi-Factor Authentication (MFA) systems are largely to blame for this rise, proving inadequate in preventing modern cyberattacks. Cybercriminals leverage Generative AI to create sophisticated phishing attacks that bypass conventional security measures and contribute to higher ransom demands. Reports highlight losses running into billions at major corporations, indicating that criminals are refocusing their efforts on higher ransom yields. Phishing-resistant, next-generation MFA technologies, including biometric recognition, are essential to combat these evolving cyber threats effectively. Organizations are encouraged to adopt these advanced MFA solutions to curb the increasing trend of ransomware-induced financial losses. Continuous monitoring, regular system updates, and ongoing security assessments are crucial for maintaining the effectiveness of these advanced security measures.
2024-07-02 12:56:02 bleepingcomputer MALWARE New 'Indirector' Side-Channel Attack Risks Modern Intel CPUs
The Indirector attack targets modern Intel CPUs, including the Raptor Lake and Alder Lake generations, exploiting hardware vulnerabilities to steal sensitive data. Discovered by researchers at the University of California, San Marcos, Indirector manipulates the Branch Target Buffer and Indirect Branch Predictor components. The attack uses high-precision techniques for speculative execution manipulation, combined with cache side-channel strategies, to access data. Intel was notified about the vulnerability in February 2024, and the findings will be presented in full at the USENIX Security Symposium in August 2024. Suggested mitigations include enhancing the Indirect Branch Predictor Barrier (IBPB) and redesigning the Branch Prediction Unit with encryption and increased complexity. Implementing these mitigations, particularly the IBPB, can lead to a significant performance reduction, approximately 50% during certain operations. Intel has communicated with related hardware and software vendors to address this issue, and the researchers have released proof-of-concept code on GitHub.
2024-07-02 12:56:02 bleepingcomputer NATION STATE ACTIVITY Cisco Patches NX-OS Zero-Day Exploited by Chinese Hackers
A zero-day vulnerability in Cisco’s NX-OS software was exploited by the Chinese state-sponsored group Velvet Ant to deploy custom malware. This exploit allowed attackers to gain root access on vulnerable Cisco Nexus switches and execute arbitrary commands. The vulnerability, identified as CVE-2024-20399, involved inadequate validation of CLI command inputs. Once access was gained, attackers could remotely connect to devices, upload files, and execute malicious code without detection. Cisco has issued patches for the vulnerability and recommends that network administrators rotate credentials regularly and monitor their devices. Sygnia, the cybersecurity firm that discovered the breach, was originally investigating Velvet Ant's espionage activities when it detected the exploit. Apart from NX-OS, Velvet Ant has targeted F5 BIG-IP appliances and tested exploits on ASA and FTD firewalls under campaigns like ArcaneDoor.
2024-07-02 12:56:02 bleepingcomputer CYBERCRIME Australian Arrested for Conducting 'Evil Twin' WiFi Attacks on Flights
An Australian man was charged by the Australian Federal Police (AFP) for committing 'evil twin' WiFi attacks across various domestic flights and airports. He employed a deceptive tactic by setting up fake WiFi access points using the same SSIDs as legitimate networks to harvest credentials. His activities were detected after airline employees reported suspicious WiFi networks in April 2024, leading to the AFP seizing his devices. The captured data from his devices revealed fraudulent pages at Perth, Melbourne, and Adelaide airports, among other locations. Investigations are ongoing to ascertain the full extent of the cybercrimes and the data misuse. The suspect's technique involved creating portals that appeared legitimate but were designed to steal users' email and social media logins. The incident highlights the risks posed by unsecured public WiFi networks and the importance of using VPNs and avoiding sharing sensitive information. Cybersecurity experts emphasize that while 'evil twin' attacks are rare, they exemplify potential vulnerabilities in public network security protocols.
2024-07-02 12:56:02 bleepingcomputer CYBERCRIME CDK Global Targets Ransomware Recovery, Full Service by Thursday
CDK Global's dealer management system was crippled by a ransomware attack on June 18, affecting operations across North American car dealerships. The company promises to restore full functionality to all dealers by Thursday, after multiple IT system shutdowns to contain the breach. Affected applications also include Customer Relationship Management (CRM), ONE-EIGHTY, and service solutions, which are currently being restored in phases. Over 15,000 car dealerships had been forced to revert to manual operations, significantly disrupting sales and services. CDK Global faced a second cyberattack during the recovery phase, further complicating restoration efforts. The BlackSuit ransomware group, a probable evolution of the Royal ransomware operation, is believed to be behind the attacks. CDK is reportedly negotiating with the attackers for a decryptor to prevent the leak of stolen data.
2024-07-02 12:56:02 bleepingcomputer DATA BREACH Prudential Financial Reveals Major Data Breach Affecting 2.5 Million
Prudential Financial reported that a data breach in February compromised the personal information of over 2.5 million people. Initially, the breach was detected on February 5, a day after attackers accessed significant user and employee data. The breach initially seemed to impact 36,000 individuals, but later filings with the Maine Attorney General expanded the number to over 2.5 million. The ALPHV/Blackcat ransomware gang, which claimed responsibility, is known for multiple high-profile attacks and has been linked by the FBI to numerous global incidents. Following the breach, Prudential has engaged cybersecurity experts to ensure the unauthorized parties no longer have access to corporate systems. Prudential, a leading global financial services firm, reported revenues of over $50 billion in 2023, highlighting the scale and impact of the breach. The breach is part of a troubling trend involving significant data compromises through corporate and third-party platforms, as evidenced by an additional breach affecting 320,000 Prudential customers via a third-party service in May 2023.
2024-06-29 15:22:28 bleepingcomputer CYBERCRIME Hackers Target D-Link Routers to Steal User Passwords
Hackers are exploiting a severe vulnerability, CVE-2024-0769, in D-Link DIR-859 WiFi routers, targeting user account data. The flaw is due to a path traversal issue in "fatlady.php," affecting all firmware versions and allowing data leakage and control over devices. Although the D-Link DIR-859 model is end-of-life and no longer receives updates, D-Link has issued an advisory, but without a patch. Threat monitoring has detected active exploitation, where attackers use modified public exploits to access sensitive files like 'DEVICE.ACCOUNT.xml'. Attackers use a malicious POST request to 'hedwig.cgi' to exploit the vulnerability and access user credentials stored in configuration files. Because no patches will be issued, the devices remain at risk for as long as they are internet-connected. GreyNoise identifies other potentially vulnerable configuration files, advising defenders to monitor these to catch additional exploit variations.
2024-06-29 14:46:44 thehackernews MISCELLANEOUS Google to Block Entrust Certificates in Chrome by 2024
Google announced it will stop trusting TLS server authentication certificates from Entrust in Chrome starting November 2024, due to non-compliance and security management issues. This change will affect Chrome versions 127 and higher, across Windows, macOS, ChromeOS, Android, and Linux, except for iOS and iPadOS due to Apple's policies. The decision follows a series of publicly disclosed incidents which have raised concerns about Entrust’s competence and reliability as a certificate authority. Chrome users and enterprise customers can manually override this setting if they choose to continue trusting certificates from Entrust. Website operators using Entrust certificates are advised to switch to another publicly trusted certificate authority by October 31, 2024, to avoid service disruptions. Chrome users attempting to access sites with Entrust certificates post-November 2024 will encounter warnings that their connections are not secure. Despite Entrust's wide use among major corporations like Microsoft and Visa, Google's move reflects growing scrutiny over digital certificate providers and internet security standards.
2024-06-29 14:16:01 bleepingcomputer MALWARE Brain Cipher Ransomware Disrupts Indonesia's Data Services
The new ransomware, dubbed Brain Cipher, recently targeted Indonesia's temporary National Data Center, causing significant disruptions to government online services. Brain Cipher's attack encrypted servers and affected services including immigration, passport control, and the issuance of permits, impacting over 200 government agencies. The ransomware group demanded $8 million in Monero cryptocurrency for a decryptor and threatened to leak stolen data. Brain Cipher has launched its own data leak site and engages in double-extortion tactics, threatening to release stolen data if their demands are not met. The ransomware was developed using a leaked version of the LockBit 3.0 builder but includes modifications such as encrypting file names and changing file extensions. Initial ransom notes linked to Tor-hosted negotiation and data leak sites, suggesting an organized operation aimed at maximizing pressure on victims. There have been numerous samples of Brain Cipher ransomware identified, pointing to its recent and growing use in global cyberattacks.
2024-06-28 20:59:04 theregister NATION STATE ACTIVITY Five Eyes Nations Push for Memory Safety in Open Source Software
CISA, along with other Five Eyes cyber security agencies, reviewed 172 critical open source projects and found widespread use of memory-unsafe languages like C and C++. Over half of the projects examined contain memory-unsafe code, which is prone to security vulnerabilities such as buffer overflows and use-after-free errors. The report promotes the adoption of memory-safe programming languages, which enforce memory safety automatically, reducing the risk of such vulnerabilities. Recommended memory-safe languages include C#, Go, Java, Python, Rust, and Swift, with Rust gaining popularity due to its neutrality compared to corporate-associated languages. Large-scale projects like Linux and the web browser frameworks Chromium and Gecko predominantly use memory-unsafe languages for many critical components. Rewriting critical components in memory-safe languages is proposed to mitigate risks, as demonstrated by recent initiatives like Prossimo's Rust rewrite of the NTP daemon. CISA urges the continuous evaluation and use of memory-safe languages to enhance the security and integrity of open source software, advising a strategic shift in software development practices. The report also highlights the importance of persistent use of static code analysis and fuzzing tools to manage memory-safety risks until broader adoption of memory-safe languages can be achieved.
2024-06-28 19:06:54 theregister NATION STATE ACTIVITY Russian Intelligence APT29 Hacks TeamViewer's Corporate Network
TeamViewer confirmed a breach in its corporate IT network attributed to Russia's APT29, also known as Midnight Blizzard. The intrusion was detected following unusual activity linked to the credentials of a standard employee account. Investigation revealed that the breach was confined to TeamViewer's non-production systems, with no impact on its product environment or customer data. The attack did not result in unauthorized access to customer data or TeamViewer's product systems, owing to strong segregation between the company's corporate IT and production environments. TeamViewer applied a "defense in depth" security strategy with multiple layers of protection to limit and contain the breach. No evidence suggests any lateral movement or expansion of the breach beyond the initial point of compromise. The incident has heightened awareness and response procedures at TeamViewer, ensuring strengthened security practices moving forward.
2024-06-28 18:10:40 bleepingcomputer CYBERCRIME LockBit Ransomware Compromises Data of Six Million at Infosys McCamish
Infosys McCamish Systems (IMS) revealed a LockBit ransomware attack affected over six million individuals. Initially reported in February 2024, the attack occurred in November 2023, impacting sensitive data including 57,000 Bank of America customers. LockBit encrypted 2,000 computers within the IMS network during the incident. Following a detailed review by third-party eDiscovery experts, IMS confirmed the extensive unauthorized data access. Personal data compromised in the breach varies, necessitating personalized notification and identity protection services offered by IMS through Kroll. Only Oceanview Life and Annuity Company has been publicly named as one of the affected clients, with potential additional disclosures pending. IMS is a major service provider in the insurance and financial sectors, indicating a significant impact on these industries due to the breach.
2024-06-28 16:54:01 bleepingcomputer DATA BREACH Agropur Dairy Cooperative Announces Customer Data Breach
Agropur, a major North American dairy cooperative, has reported a data breach impacting its online shared directories. The breach was confined to certain parts of the cooperative's network and did not affect transactional systems or disrupt core operations. The company is currently investigating the extent of the breach with the help of external cyber security experts and law enforcement. Despite no current evidence of misuse, Agropur has notified customers about the breach as a precautionary measure. The exposed data types and the number of affected individuals are still under investigation. Agropur has implemented corrective measures to mitigate the risk and safeguard against future incidents. Customers of Agropur and its associated brands are advised to remain vigilant for potential phishing attempts using the exposed data.
2024-06-28 16:48:43 bleepingcomputer DATA BREACH Massive Ticketmaster Data Breach Impacts Millions Globally
Ticketmaster discovered unauthorized access to a cloud-based Snowflake database, resulting in a significant data breach. Hackers obtained millions of customers' personal information, including full names, contact details, and credit card information, between April 2 and May 18, 2024. The threat actor, ShinyHunters, began selling the stolen data, including detailed personal and payment information for 560 million users. Customers were advised to stay vigilant against potential identity theft and fraud, with Ticketmaster offering one year of free identity monitoring. Ticketmaster's internal security failed to enforce multi-factor authentication, which facilitated the unauthorized access. The breach was part of a larger pattern of attacks targeting Snowflake accounts with insufficient security measures, affecting several high-profile organizations. This incident is one of many linked to ShinyHunters and other attackers focusing on exploiting weaknesses in cloud data storage.
2024-06-28 16:22:55 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Group Uses Chrome Extension for Espionage
Kimsuky, a North Korean hacking group, has deployed a malicious Google Chrome extension named TRANSLATEXT to steal sensitive data. The extension targets South Korean academics specializing in North Korean affairs, harvesting emails, passwords, cookies, and browser screenshots. This cyber espionage activity also involves exploiting a Microsoft Office vulnerability (CVE-2017-11882) to distribute a keylogger and deploy espionage tools in the aerospace and defense sectors. The malicious files were initially delivered via a ZIP archive, disguised as historical content on the Korean military, which contains malware-triggering components. Kimsuky utilizes spear-phishing and social engineering tactics to start the infection chain, further highlighted by the recent use of job-themed lures. The threat actor manages to maintain control and execute secondary payloads through a backdoor tool named Niki, allowing deep access and control over compromised machines. Stolen data and command retrievals are channeled through a GitHub account briefly used to host the TRANSLATEXT extension, which mimics a legitimate Google Translate extension. The focus of Kimsuky's attacks emphasizes intelligence collection from governmental and academic figures, aligning with North Korea's strategic objectives to gather international intelligence.