Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11832

Checks for new stories every ~15 minutes

2024-06-28 15:00:48 theregister MISCELLANEOUS Exclusive Webinar on Innovations in Identity Security
Industry experts will discuss the evolving digital landscape and the increasing importance of securing identities. The webinar, titled “The New GitHub Flavored Markdown Meaning of Identity Security,” aims to provide insights into the latest identity security technologies and trends. Participants will learn innovative strategies for protecting identities against emerging threats. Best practices for implementing effective identity security measures will be explored. Real-world case studies on successful security transformations will be highlighted. The event is scheduled for July 17 at various global times, emphasizing accessibility for a broad audience. Attendees are encouraged to secure their spots to gain valuable knowledge on navigating the complexities of modern identity security. The webinar is sponsored by tech giant Cisco, ensuring high-profile industry insights.
2024-06-28 14:45:16 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Suspected in Recent TeamViewer Corporate Breach
TeamViewer experienced a cybersecurity breach, attributed to the Russian state-backed group Midnight Blizzard. The intrusion involved the misuse of credentials from an employee's standard account within TeamViewer's corporate IT environment. Initial investigations suggest that the hackers did not access the production environment or customer data. TeamViewer has emphasized the separation between their corporate network and production systems as a protective measure. Cybersecurity measures, including multi-factor authentication and monitoring network connections, are recommended for TeamViewer users. The scope of the cybersecurity breach remains under investigation, raising concerns about potential undisclosed impacts. TeamViewer is working with external incident response experts to manage the situation and prevent further intrusions.
2024-06-28 14:34:50 theregister MISCELLANEOUS Google Ends Trust for Entrust's Certificates Due to Failures
Google has announced it will no longer trust TLS server authentication certificates from Entrust starting November 1, due to a series of compliance failures and unmet improvement commitments. This decision will affect Chrome users on all major operating systems except iOS, where Chrome does not perform its own certificate verification. Previously, Mozilla also highlighted issues with Entrust's certificate management, noting procedural failures and a lack of tangible improvements. Entrust has acknowledged their failures and expressed commitment to addressing the issues and continuing their public TLS certificate services. Certificates issued before October 31 will remain trusted in Chrome as long as they comply with specified roots, and enterprises can manually trust these roots or override the constraints in their internal networks. The move serves as a broader industry reminder of the high standards expected of certificate authorities in maintaining secure and trusted internet encryption practices. Google emphasizes the role of certificate authorities in upholding encrypted connections and the necessity for adherence to security and compliance expectations.
2024-06-28 14:24:28 thehackernews MALWARE GitLab Issues Security Patch for Critical Vulnerability
GitLab has updated its software to address 14 different security vulnerabilities. One particularly critical flaw (CVE-2024-5655), with a CVSS score of 9.6, could allow attackers to impersonate users and trigger CI/CD pipelines. The vulnerabilities affected both the Community and Enterprise editions of GitLab, specifically versions 17.1.1, 17.0.3, and 16.11.5. Two significant changes include disabling GraphQL authentication using CI_JOB_TOKEN and preventing automatic pipeline runs when a merge request is retargeted. There is currently no evidence of the vulnerabilities being exploited in the wild. Users are strongly encouraged to install the latest patches to secure their systems against potential exploitation.
2024-06-28 13:28:02 theregister MISCELLANEOUS Microsoft Faces Security Alerts Due to Expired TLS Certificates
Microsoft has once again encountered issues with the expiration of TLS certificates, leading to security warnings in Microsoft 365 and Office Online. An Australian reader noted security software alerts about insecure connections on cdn.uci.officeapps.live.com, which is a key endpoint for Microsoft services. The TLS certificate in question was valid from August 18, 2023, to June 27, 2024, but it expired, causing disruptions and error messages for users. Users reported problems such as error codes when opening Microsoft Word, indicating issues with approximately 200 PCs. This is not the first instance of Microsoft failing to renew certificates in a timely manner; similar issues occurred in 2022 with the Windows Insider subdomain. Microsoft's Azure ECC TLS Issuing CA 01 has also expired, potentially complicating the situation further due to additional expired certificates issued by that CA. There has been noticeable feedback on Microsoft's forums from affected users, and Microsoft is reportedly working on addressing the problem and improving its certificate management strategies. Microsoft's recurring certificate management errors stress the importance of diligent digital infrastructure maintenance to avoid service outages and security vulnerabilities.
2024-06-28 13:02:12 bleepingcomputer CYBERCRIME Supply Chain Attack Hits Multiple CDNs, Linked to Single Operator
A large-scale supply chain attack impacting CDNs including Polyfill.io, BootCDN, Bootcss, and Staticfile affected millions of websites. The attack was traced back to a common operator due to exposed Cloudflare API keys in a public GitHub repository. The leak occurred due to negligent security practices, specifically the public upload of a .env file containing sensitive API keys and tokens. Researchers identified that all four affected domains were managed under a single Cloudflare user account. MalwareHunterTeam and other researchers voiced concerns over the scope of impact, suggesting a wider attack than initially thought. Additional attacks have been traced back to at least June 2023, with primitive versions of the malicious code circulating since then. The article discusses ongoing actions and suggests the potential for future related attacks, given that multiple domains are still registered under associated operators. Key stakeholders are advised to monitor and possibly replace their use of affected CDN services with safer alternatives provided by reputable organizations.
2024-06-28 12:00:51 thehackernews CYBERCRIME 8220 Gang Used Oracle WebLogic Flaws for Crypto Mining
The 8220 Gang exploited vulnerabilities in Oracle WebLogic Server for cryptocurrency mining activities. Trend Micro tracks the cybercriminal group under the alias Water Sigbin. Exploited vulnerabilities included CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839. The attack involves complex fileless malware techniques that allow code execution directly in memory to avoid detection. Malware deployment stages include using PowerShell scripts, mimicking legitimate applications, and extracting system information. Malicious activities also encompass establishing persistence on the system and evading Windows Defender Antivirus. Additionally, the gang operates the k4spreader tool to spread botnet and mining malware using other server vulnerabilities. Security initiatives must continuously scan for and address vulnerabilities to mitigate such threats.
2024-06-28 11:04:35 thehackernews CYBERCRIME Evolving SaaS Kill Chain Threats Demand Advanced Security Solutions
SaaS adoption is increasing, yet many enterprises have not updated their security strategies or tools to address SaaS-specific threats. Traditional on-prem security controls are ineffective in the SaaS environment, where visibility is limited and security responsibilities are shared with vendors. Each SaaS application has unique security settings that often change, making it hard for security teams to monitor threats effectively. Threat actors use sophisticated techniques like session hijacking and lateral movements within interconnected SaaS platforms to exploit vulnerabilities. IBM states data breaches in 2023 have grown to cost an average of $4.45 million each, highlighting the financial impact of inadequate SaaS security. Continuous monitoring, inventive machine identity management, and the implementation of Zero Trust architecture in SaaS environments are crucial for enhanced protection. Proper hygiene, robust inventory of machine identities, and a SaaS-specific security review process are essential to detect and mitigate threats early.
2024-06-28 10:03:13 thehackernews CYBERCRIME SnailLoad Exploit Allows Stealth Monitoring of User Web Activity
Security researchers from Graz University of Technology have unveiled a new side-channel attack dubbed SnailLoad, capable of spying on individuals' web activities without direct system access. SnailLoad manipulates network latency, a common bottleneck in internet connections, to infer the webpages and videos accessed by a user. The technique does not require an adversary-in-the-middle position, physical proximity, or user interaction, relying solely on network packet timing to gather intelligence. Attackers induce a target to download a benign file from a controlled server, then measure delays in network response to analyze and infer user activities. A convolutional neural network (CNN) refined with data from similar network environments is used to translate latency variations into accurate predictions of the user’s online behavior, achieving up to 98% accuracy in video identification. This attack introduces no malicious code and operates by merely monitoring prolonged data transmission times ("snail pace"), highlighting vulnerabilities in how routers handle Network Address Translation (NAT). The findings also include a disclosure of router firmware issues involving TCP sequence randomization, potentially allowing attackers to manipulate web traffic or orchestrate denial-of-service attacks. Patches to address these vulnerabilities are being developed by router vendors and the OpenWrt community.
2024-06-28 08:00:25 thehackernews MISCELLANEOUS Major Security Flaws Uncovered in Emerson Rosemount Gas Chromatographs
Researchers from the operational technology (OT) security firm Claroty have discovered multiple vulnerabilities in Emerson Rosemount gas chromatographs, specifically affecting models GC370XA, GC700XA, and GC1500XA (versions 4.1.5 and earlier). The vulnerabilities include two command injection flaws and two authentication and authorization issues, which could be exploited by unauthenticated attackers. These security gaps could potentially allow attackers to bypass authentication, execute arbitrary commands, access sensitive information, and induce a denial-of-service (DoS) state. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that exploitation of these flaws could lead to unauthorized access and control over the gas chromatograph systems. Emerson has released an updated version of the firmware to patch these security vulnerabilities and is advising users to adhere to cybersecurity best practices and ensure these devices are not directly accessible via the internet. Another report from Nozomi Networks unveiled similar vulnerabilities in AiLux RTU62351B, Proges Plus temperature monitoring devices, and related software, highlighting the pervasive risks in connected industrial devices. These other flaws remain unpatched and pose a significant risk, including the potential manipulation of medical monitoring systems and spoilage of temperature-sensitive pharmaceuticals due to DoS attacks.
2024-06-28 06:43:47 theregister CYBERCRIME Microsoft Exposes 'Skeleton Key' AI Attack Bypassing Safety Measures
Microsoft's latest findings reveal the 'Skeleton Key' attack, capable of coaxing AI models into generating harmful content despite safety guardrails. Several prominent AI models, including Meta Llama3-70b-instruct and Google Gemini Pro, were tested and found susceptible to the Skeleton Key technique. Attackers can manipulate AI to produce forbidden content through simple textual prompts that subtly alter the AI's behavior guidelines. Microsoft's tests demonstrated that while most AI models honored the modified prompt with a warning, OpenAI's GPT-4 resisted direct prompts but succumbed to system message modifications. Microsoft, at a recent conference, shed light on emerging risks and its efforts to introduce tools like 'Prompt Shields' to prevent such vulnerabilities. Notably, the attack surface extends across various AI platforms, demonstrating weaknesses in the current design and implementation of behavior guardrails in AI technologies. The University of Maryland's researchers suggest that attacks like Skeleton Key might be mitigated more effectively with robust input/output filtering or tailored system prompts.
2024-06-28 05:27:07 thehackernews DATA BREACH TeamViewer Confirms Security Breach in Corporate IT System
TeamViewer disclosed a security breach in its internal corporate IT environment identified on June 26, 2024. The company activated its response team and has been collaborating with global cybersecurity experts to contain and remediate the issue. There is no evidence suggesting any customer data compromise, and the corporate IT environment is segregated from the product environment. The breach's origin and method remain unclear, but an ongoing investigation is expected to provide further insights. TeamViewer is widely used for remote monitoring and management by over 600,000 customers. The Health-ISAC has warned that APT29, a state-sponsored actor linked to the Russian SVR, is actively exploiting TeamViewer in broader cyberattacks. APT29 historically breached major corporations like Microsoft and HPE, also impacting some customer communications according to Microsoft's recent statements.
2024-06-28 03:49:22 theregister MALWARE Polyfill.io Accused of Malicious Code Injection in Supply Chain Attack
Polyfill.io's domain has been shut down by Namecheap following accusations of injecting suspicious code into users' websites, potentially harming a vast number of internet users. Cloudflare and security experts have warned about a supply chain risk involving Polyfill.io, alleging the service was altering its JavaScript offerings to include malicious scripts. Security firm Sansec detailed the malicious code, which targets mobile users with redirections to a fake sports betting site and includes features to avoid detection and analysis. Following these security concerns, Cloudflare has introduced an automatic JavaScript URL rewriting service to protect sites by replacing potentially harmful Polyfill.io code. Despite the allegations, the owner of Polyfill.io denies any wrongdoing, attributing the claims to slander and malicious defamation, and has relaunched the site under a new domain. Following the initial sale of the Polyfill.io domain and related assets, various inconsistencies and suspicions about the new owner's actual location and legitimacy have surfaced. The controversy continues, with Polyfill expressing intentions to develop and expand a new global CDN product, claiming substantial funding and competitive goals against Cloudflare.
2024-06-28 00:40:56 theregister NATION STATE ACTIVITY TeamViewer Network Compromised, APT Group Suspected
TeamViewer detected an "irregularity" in its corporate IT network, indicating a security breach. The anomaly was discovered within TeamViewer's corporate environment, and immediate measures including incident response were activated. TeamViewer asserts that its product environments and customer data were not affected. Investigations are ongoing with a focus on system integrity, assisted by cybersecurity experts. NCC Group has informed clients about an APT group's significant compromise of the TeamViewer platform. The US Health Information Sharing and Analysis Center (H-ISAC) has issued a warning about active cyberthreats exploiting TeamViewer, particularly citing APT29, possibly linked to Russian intelligence. TeamViewer continues to withhold detailed information on the nature of the incident, citing ongoing investigations.
2024-06-27 23:19:16 bleepingcomputer DATA BREACH Former IT Worker Breaches Data of Over 1 Million Healthcare Patients
Geisinger, a major healthcare provider in Pennsylvania, announced a data breach involving unauthorized access by a former Nuance employee. The breach exposed data of over 1 million patients but did not include sensitive financial details like SSN or bank information. The unauthorized access occurred in November 2023, shortly after the employee was terminated from Nuance. Nuance acted swiftly to revoke the ex-employee's access and informed law enforcement, leading to the individual's arrest. The type of patient information compromised varied depending on the services utilized by each patient. Geisinger has advised potentially affected individuals to monitor their health statements and alert their insurers to any discrepancies. Law firm Lynch Carpenter is investigating the breach's extent, potentially leading to a class action lawsuit against Geisinger.