Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 11829

Checks for new stories every ~15 minutes

2024-06-25 14:03:06 | bleepingcomputer | MISCELLANEOUS | Why Switching From Passwords to Passphrases Enhances Security
Passphrases are increasingly preferred over complex passwords because they are easier to remember while offering equivalent security. Verizon reports that 83% of cyberattacks begin with stolen credentials, underscoring the need for stronger authentication methods. Traditional complex passwords, often built on predictable user behavior patterns, are vulnerable to brute-force and hybrid dictionary attacks. A Bitwarden study found that 84% of users admit to reusing passwords across multiple platforms, increasing the risk of a breach. The National Institute of Standards and Technology (NIST) and the FBI advocate passphrases longer than 15 characters, as these offer better security against breaches. The UK's National Cyber Security Centre and the Canadian Centre for Cyber Security recommend passphrases made of at least three or four random words. Specops Software offers products such as Specops Password Policy and Authentication Client that ease the transition to passphrases while improving the user experience. Moving to passphrases can improve security and user convenience at the same time, and longer phrases reduce the frequency of password resets.
2024-06-25 13:47:29 | theregister | CYBERCRIME | CISA Alerts High-Risk Chemical Facilities of Ivanti Breach
CISA has issued an urgent call to high-risk chemical facilities to secure their online platforms following a breach carried out by exploiting vulnerabilities in Ivanti products. The Chemical Security Assessment Tool (CSAT) portal was compromised, potentially exposing sensitive security data of facilities that house dangerous chemicals. Attackers used three specific vulnerabilities in Ivanti devices (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893); these issues were urgently added to CISA's KEV catalog with a 48-hour deadline for patching. Although malicious activity was detected and the attackers installed an advanced webshell, CISA confirmed that there was no evidence of data exfiltration and that all sensitive data remained encrypted. The exposed data included Top-Screen surveys and security vulnerability assessments from chemical facilities, which, had they not been encrypted, could have revealed detailed information on the chemicals stored and on facility vulnerabilities. CISA has encouraged those with CSAT accounts to change their passwords and is setting up identity protection services for individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023. No evidence was found of malicious use of the accessed data, but notifications were sent to potentially affected entities and individuals as a precaution.
2024-06-25 12:05:31 | theregister | RANSOMWARE | UK and US Law Enforcement Unite to Counter Qilin's Ransomware Attacks
UK and US law enforcement agencies are collaborating to tackle the Qilin ransomware group, which has targeted healthcare systems worldwide, including the NHS. In June, Qilin launched a major ransomware attack on Synnovis, a provider for NHS hospitals in London, causing widespread disruption including cancelled surgeries. Following the attack, Qilin leaked sensitive patient data online, although the ongoing investigation has so far found no evidence that the main patient database has been published. Qilin's activities extend internationally: the group stole substantial amounts of data from more than half a million US radiology patients. The gang demanded a $50 million ransom, which was not paid, and then released millions of patient records on the dark web. The UK's National Crime Agency and international partners, including the FBI, are stepping up efforts to limit the damage and pursue the perpetrators. Recent warnings from the US Department of Health have identified multiple Qilin attacks on a variety of healthcare services across the US since October 2022.
2024-06-25 10:59:12 | thehackernews | MALWARE | New 'Boolka' Cyberthreat Deploys BMANAGER Trojan via SQLi
Group-IB researchers have identified a new threat actor, Boolka, that uses SQL injection to compromise websites. Boolka plants malicious JavaScript on victim websites to intercept and collect user data, which is then Base64-encoded. The JavaScript contacts a command-and-control server at "boolka[.]tk" to orchestrate data exfiltration. Fake browser extension downloads are used to further infect visitors' systems with the BMANAGER trojan. BMANAGER installs and uses additional malicious modules, BMBACKUP, BMHOOK, BMLOG, and BMREADER, for data theft and surveillance. The malware establishes persistence on infected hosts through scheduled tasks and keeps a local SQL database for storing collected data. Boolka has noticeably grown in sophistication since its attacks began in 2022 and now develops its own malware distribution frameworks. Continuous mitigation efforts are emphasized given the increasing sophistication and adaptability of threats like Boolka.
2024-06-25 10:43:41 | thehackernews | MALWARE | New Attack Technique Utilizes Microsoft Console Files for Malware
Threat actors have developed a new technique that uses Microsoft Management Console (MMC) files to bypass security measures and execute malicious code. The approach, named GrimResource, relies on specially crafted management saved console (MSC) files that exploit vulnerabilities in MMC libraries. Combined with DotNetToJScript, the technique allows arbitrary code execution, leading to unauthorized system access and control. The method abuses a known XSS flaw in the apds.dll library, which has remained unpatched since it was reported to both Microsoft and Adobe in late 2018. In a recent example, the North Korea-linked Kimsuky hacking group used a malicious MSC file to deliver malware. Elastic Security Labs discovered the technique while analyzing an artifact uploaded to VirusTotal, highlighting the continuing evolution of attack methods. Despite Microsoft's efforts to restrict malware delivery via commonly abused file types, attackers continue to find alternatives such as MSC files.
2024-06-25 10:02:37 | bleepingcomputer | MALWARE | P2PInfect Botnet Activates Ransomware on Redis Servers
P2PInfect, a previously dormant malware botnet, has started deploying a ransomware module and a cryptominer against Redis servers. First discovered in July 2023, P2PInfect exploited known vulnerabilities in Redis servers and abused features such as Redis replication to propagate. Between August and September 2023 the botnet's activity surged, attempting thousands of breaches per week while gaining features such as cron-based persistence and fallback communication channels. Since May 16, 2024, infected devices have been downloading and executing a ransomware payload that targets files with specific extensions and appends the '.encrypted' suffix. The ransomware is limited by the privileges of the compromised Redis user, however, and primarily encrypts configuration files, since Redis typically keeps its data in memory. Alongside the ransomware, a Monero (XMR) miner that was inactive in earlier versions has been activated and has generated approximately $10,000. A new user-mode rootkit was also identified, designed to hide malicious activity from security tools, though its effectiveness is constrained by how Redis is deployed. Cado Security suggests that P2PInfect could either be rented out to various cybercriminals or operated by a single group; its operational goals and ownership remain unclear.
2024-06-25 09:47:02 | thehackernews | MISCELLANEOUS | Browser Security Platforms Reduce Costs and Increase Protection
Browser security solutions are emerging as a cost-effective way to protect against web-based threats where traditional network and endpoint security fall short. Such platforms specialize in countering threats from phishing websites, malicious browser extensions, and internal data leaks, such as sensitive information being shared inappropriately. A new report presents testimonials from six Chief Information Security Officers (CISOs) who have switched to browser security platforms, resulting in lower operational costs and greater efficiency. Moving from CASB and agent-based DLP solutions to lighter, more agile browser security frameworks such as LayerX has significantly reduced Total Cost of Ownership (TCO) and improved granular data protection. CISOs benefit from easier management of browser security, such as keeping browser versions up to date and protecting against harmful extensions on both managed and unmanaged devices. Some organizations have replaced traditional training with real-time in-browser notifications using solutions like LayerX, which has proven effective at curbing risky online behavior. The report emphasizes the continuous need to discover, prioritize, and mitigate new exposures through methods such as Attack Surface Management (ASM), penetration testing, and Red Teaming.
2024-06-25 09:16:15 | theregister | CYBERCRIME | Advanced Ransomware Protection with Object First and Veeam
79% of companies experienced ransomware attacks in the past year, with attacks becoming almost daily occurrences for some organizations. Attackers increasingly target backup data and systems to cripple recovery, with 93% of last year's cyber attacks aimed at backup storage. Object First and Veeam have collaborated to offer zero-trust based, immutable backup solutions dubbed Zero Trust Data Resilience (ZTDR), which protect data even if systems are compromised. The immutable storage, using S3 Object Lock, prevents data from being altered or deleted, securing it against ransomware and physical tampering. Veeam provides end-to-end encryption across every part of the 3-2-1 backup strategy, so that data is protected against exfiltration even if an unauthorized party gains access to it. Businesses are highly concerned about backup systems becoming targets; nearly 90% of surveyed organizations worry about their backup integrity. The Object First Ootbi technology combines scalability, ease of management, and advanced security measures suited to companies of varying sizes and needs.
2024-06-25 09:05:53 | theregister | MISCELLANEOUS | Cloudflare and The Register Host Cybersecurity Webinar
The "Why attack surfaces are expanding" webinar, hosted by Cloudflare and The Register, is scheduled for June 25th. The session aims to address the growing cyber threat problems that arise as attack surfaces expand. Attendees will gain insight into the latest trends affecting cybersecurity vulnerabilities. The webinar will provide actionable strategies for organizations to strengthen their network security. Experts from Cloudflare will share their knowledge and real-world case studies. The event emphasizes equipping attendees with practical skills to meet modern cybersecurity challenges. Secure your place by registering for the webinar to learn from top cybersecurity experts.
2024-06-25 05:06:32 | thehackernews | NATION STATE ACTIVITY | Julian Assange Freed, Ends Long Legal Battle with U.S.
WikiLeaks founder Julian Assange has been released after more than five years in a U.K. high-security prison, concluding a 14-year legal fight. Assange pleaded guilty to conspiring to obtain and disclose U.S. national defense documents and was sentenced to time already served. The plea agreement followed negotiations involving numerous global figures and organizations and was influenced by widespread campaigns for his release. His legal troubles also included accusations in Sweden of rape and sexual assault, which he has denied. The U.S. Department of Justice highlighted the grave risks posed by Assange's disclosures, which it says aided U.S. adversaries and endangered lives. WikiLeaks, since its founding in 2006, has published large volumes of sensitive data, affecting international relations and national security. Assange is set to return to Australia and continues to face legal and diplomatic repercussions from his actions.
2024-06-25 04:00:11 | thehackernews | CYBERCRIME | Four Vietnamese Hackers Indicted for $71M Cybercrime in the U.S.
Four Vietnamese nationals linked to the FIN9 cybercrime group have been indicted in the U.S. for orchestrating a $71 million cybercrime spree. The accused ran phishing campaigns and supply chain compromises to access and steal sensitive information from U.S. companies. They extracted non-public information, employee benefits, gift card data, and credit card details, causing extensive financial and information losses. Using the stolen data, they engaged in further illegal activity such as opening cryptocurrency accounts and setting up servers to hide their tracks. The defendants sold stolen gift cards on cryptocurrency marketplaces under fraudulent identities to launder the proceeds. If convicted, the accused face up to 45 years in prison, with additional charges of money laundering and identity fraud potentially lengthening their sentences. The case reflects growing concern about sophisticated global cybercrime affecting critical infrastructure and private security.
2024-06-25 03:34:33 | thehackernews | MALWARE | Hackers Insert Malware in WordPress Plugins to Create Admin Accounts
Multiple WordPress plugins were backdoored, allowing attackers to inject malicious code. The malware enables the creation of rogue administrator accounts named "Options" and "PluginAuth." The malicious code also injects JavaScript into the website footer to distribute SEO spam. Compromised account details are sent to an attacker-controlled IP address, 94.156.79[.]8. The attack was first noticed on June 21, 2024, and the affected plugins have since been removed from the WordPress directory. WordPress site owners are urged to check for unauthorized admin accounts and remove any related malicious code. The exact method by which the plugins were compromised remains unknown.
2024-06-25 00:26:29 | theregister | MISCELLANEOUS | Julian Assange Freed, Set to Plead Guilty and Return Home
WikiLeaks founder Julian Assange has been released from a UK prison after agreeing to plead guilty to U.S. charges. Assange had been held for five years in the UK awaiting extradition over the leaking of classified documents. He left the UK from Stansted Airport and is expected to plead guilty in a U.S. federal court in the Northern Mariana Islands. The location was chosen to accommodate Assange's preferences and for its proximity to Australia, his home country. After his court appearance, Assange is expected to be allowed to return to Australia, given the time he has already served. The U.S. Department of Justice indicates that the court proceedings will be completed and a sentence handed down in a single day.
2024-06-25 00:05:58 | theregister | MISCELLANEOUS | Proposed U.S. Privacy Law Weakened, Lacks Crucial Protections
The American Privacy Rights Act (APRA) was intended to establish a nationwide privacy standard but has been significantly weakened by recent legislative amendments. Major concerns include the removal of anti-discrimination measures, transparency requirements for AI use, and protections for minors. Legal advocacy groups, including the Lawyers' Committee for Civil Rights Under Law, now urge lawmakers to vote against the revised APRA, citing its lack of comprehensive privacy safeguards. Critics argue that the revised APRA fails to cover personal data handled by on-device AI, potentially giving tech companies excessive freedom. The new version of the bill is said to be weaker than existing state privacy laws and could preempt stronger state-level protections. Several privacy and civil rights organizations have said they cannot support the APRA in its current form because of its deficiencies in foundational civil rights and privacy protections.
2024-06-24 20:57:32 | bleepingcomputer | DATA BREACH | CISA Confirms Data Breach in Chemical Security Assessment Tool
CISA's Chemical Security Assessment Tool (CSAT) was breached on January 23, 2024, after a webshell was deployed on its Ivanti device. Facilities use CSAT to report their possession of chemicals that could be used in terrorism and to submit safety assessments, which determine whether they are classified as high-risk. The breach potentially exposed sensitive data including Top-Screen surveys, Security Vulnerability Assessments, and Site Security Plans. No evidence of data exfiltration was found, and all information in the CSAT environment is encrypted with AES-256. The vulnerabilities that enabled the breach were CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all of which were exploited by threat actors promptly after disclosure. Despite the lack of evidence of data theft, CISA has notified all potentially affected individuals and organizations as a precaution and advised CSAT account holders to reset their passwords. The incident was significant enough to meet the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).