Daily Brief


Total articles found: 12788

2024-08-28 22:21:50 theregister NATION STATE ACTIVITY Microsoft Hosts Closed-Door Security Summit Amid Criticism
Microsoft schedules a private security summit in Redmond, Washington, with no press or public allowed, sparking concerns about transparency. The event will include discussions on improving security and resilience in collaboration with endpoint security partners and friendly government representatives. Recent CrowdStrike-induced outages that affected millions of Windows machines will be a significant topic, highlighting critical lessons and future preventative measures. US Senator Ron Wyden, a vocal critic of Microsoft's security practices, notably did not receive an invitation to the summit. Microsoft faces ongoing scrutiny for security failings, evidenced by repeated breaches from nation-state actors and criticisms of their security measures. Transparency and concrete security improvements remain elusive goals for Microsoft, despite public promises and initiatives like the Secure Future Initiative following major security breaches. The summit aims to discuss safe deployment practices and system resilience without providing public insight into the specific strategies or outcomes discussed.
2024-08-28 21:25:37 theregister MALWARE Urgent Warning for Windows Users: Critical Vulnerability Exposed
A critical Microsoft Windows vulnerability (CVE-2024-38063) allows unauthenticated remote code execution via a crafted IPv6 packet, requiring urgent patching. The vulnerability affects Windows 10, Windows 11, and Windows Server systems and has a high-severity CVSS score of 9.8. Microsoft released a patch for this flaw on August 13 during its Patch Tuesday updates, emphasizing immediate implementation. Exploit code for this vulnerability has been published online by a coder known as Ynwarcs, making unpatched systems highly susceptible to attack. Delaying patch application leaves systems open to exploitation by malicious actors during the window after a patch is released, commonly known as "Exploit Wednesday." There is no alternative workaround except disabling IPv6, which is not feasible for many users, highlighting the importance of applying the patch. Prompt action is advised, as further delays give cybercriminals more opportunity to exploit this severe security flaw.
2024-08-28 21:25:36 bleepingcomputer MALWARE Iranian Hackers Use Tickler Malware Against US Defense Sectors
The Iranian APT33 hacking group, associated with the Islamic Revolutionary Guard Corps, has deployed new "Tickler" malware to infiltrate organizations in the US and UAE, targeting sectors such as government, defense, and oil and gas. These cyber-attacks, active from April to July 2024, leveraged Microsoft Azure infrastructure for command and control functionalities using deceptive Azure subscriptions. APT33 employed password spray tactics to compromise multiple accounts across different sectors, notably exploiting the education sector to secure operational infrastructure. Subsequently, the compromised Azure services were used for further attacks on crucial national sectors, with defense, government, and space industries facing significant targeting. Microsoft disrupted the fraudulent Azure subscriptions and announced mandatory multi-factor authentication (MFA) for all Azure sign-in attempts starting October 15, to enhance security postures. This series of breaches is a continuation of APT33's persistent cyber operations, including the deployment of FalseFont backdoor malware in previous attacks on defense contractors globally.
2024-08-28 21:20:20 bleepingcomputer CYBERCRIME Ex-Employee Arrested for Massive Server Extortion Plot
A former infrastructure engineer locked Windows admins out of 254 servers in a ransom scheme. The engineer demanded a €700,000 ransom to prevent daily server shutdowns at a New Jersey industrial company. Using his admin privileges, he changed passwords and threatened to delete backups, making data recovery difficult. The FBI's investigation traced unauthorized remote access and scheduled malicious activity back to the engineer. Forensic analysis revealed web searches on methods for changing passwords and clearing logs. The scheme was intended to severely deny the company access to its systems and data. The engineer faces up to 35 years in prison on charges of extortion, intentional computer damage, and wire fraud.
2024-08-28 21:15:00 bleepingcomputer CYBERCRIME U.S. Offers $2.5 Million Reward for Information on Belarusian Hacker
The U.S. State Department and Secret Service are offering a $2.5 million reward for information leading to the arrest and/or conviction of Belarusian hacker Volodymyr Kadariya. Kadariya is accused of running malvertising campaigns linked to the Angler Exploit Kit, which targeted vulnerabilities in software like Adobe Flash and Internet Explorer to distribute malware. First indicted in June 2023 for wire and computer fraud, the indictment was publicly disclosed in August 2024, identifying Kadariya as a key player in global malware operations. His criminal activities included the management of malware distribution networks and scams, employing tactics such as "scareware" to trick victims into downloading malicious files. Kadariya's operations also involved selling stolen data and providing cybercriminals with access to compromised systems. The Angler Exploit Kit, prominent from 2013 to mid-2016, was instrumental in a significant volume of cyber attacks worldwide before it ceased activity. Kadariya's current location is unknown, and the substantial reward aims to facilitate his capture and curb his extensive cybercriminal impact.
2024-08-28 19:02:46 bleepingcomputer MALWARE PoorTry Windows Driver Morphs Into Aggressive EDR Wiper Tool
The PoorTry driver, originally designed to disable endpoint detection and response (EDR) systems, has been upgraded to delete files critical to security software operation. This evolution marks a strategic shift by ransomware gangs to enhance the disruptive phase of attacks, ensuring a smoother encryption process by eliminating recovery options for EDR systems. Initially developed in 2021, PoorTry, also known as 'BurntCigar', was used by prominent ransomware groups like BlackCat, Cuba, and LockBit, and was flagged for having its malicious drivers signed through Microsoft's attestation process. Aside from ransomware, groups engaged in credential theft and SIM-swapping have also utilized PoorTry. Recent reports in 2024 highlight PoorTry's new capabilities in a RansomHub attack, systematically terminating and deleting security-related files to leave systems unprotected. The malware now uses advanced obfuscation techniques and supports operational flexibility in targeting a range of EDR products by deleting files by name or type. Attackers have started manipulating signature timestamps and employing varied certificates for payload execution, complicating detection and response efforts. Despite ongoing efforts to neutralize PoorTry’s impact, its developers continue to refine the tool’s capabilities, presenting both challenges and detection opportunities in cybersecurity defense.
2024-08-28 18:36:59 bleepingcomputer NATION STATE ACTIVITY Iranian APT33 Group Targets US Defense Using Tickler Malware
The Iranian hacking group APT33, also known as Peach Sandstorm or Refined Kitten, has deployed Tickler malware to infiltrate networks in US and UAE sectors, including government, defense, and oil. This malware was part of a broader intelligence-collection operation conducted from April to July 2024, aimed primarily at gathering sensitive information from targeted sectors. Microsoft researchers highlighted that APT33 exploited Azure infrastructure for the malware’s command-and-control setup, employing fraudulently acquired Azure subscriptions which have since been disrupted. Initial access was achieved through extensive “password spray” attacks, a method in which a small set of common passwords is tried across many accounts to avoid lockouts and detection. The compromised accounts, particularly from the education sector, were subsequently used either to control existing Azure subscriptions or to establish new ones to support ongoing malicious activity. These orchestrated attacks successfully penetrated defense, space, and government institutions, employing both Tickler and the previously used FalseFont malware. Microsoft plans to enforce Multi-Factor Authentication (MFA) on all Azure accounts from October 15 to significantly reduce the risk of similar breaches in the future, following its finding that MFA prevents most unauthorized access attempts.
2024-08-28 18:06:14 theregister NATION STATE ACTIVITY Iranian-Backed Hackers Target U.S. with Ransomware and Data Theft
Iranian government-backed hackers, known as Pioneer Kitten, have been infiltrating U.S. and foreign networks, targeting sensitive data and deploying ransomware. Attacks have exploited vulnerabilities in VPN and firewall technologies from Check Point, Citrix, and Palo Alto Networks, among others. Most attacks are financially motivated, seeking to develop ransomware capabilities in collaboration with ransomware-as-a-service gangs like NoEscape and ALPHV/BlackCat. These cybercriminals have also targeted sectors such as defense, banking, healthcare, and education in the U.S., as well as international targets in Israel, Azerbaijan, and the UAE. A related group, Peach Sandstorm, linked to the Iranian Revolutionary Guard, used a new malware, Tickler, to breach U.S. and UAE sectors including satellite and oil and gas. The FBI warns that compromised U.S. cloud services accounts may be used by these actors to conduct further malicious activities. Recent activities indicate an escalation in election-related attacks, with suspicions of Iranian involvement in a hack-and-leak campaign against Donald Trump.
2024-08-28 17:45:37 bleepingcomputer DATA BREACH DICK'S Sporting Goods Faces Data Breach; Secures Systems
DICK'S Sporting Goods experienced a significant cyberattack, with confidential information reportedly exposed. The breach was detected on August 21, 2024, prompting immediate activation of the company’s cybersecurity response plan. In response to the cyberattack, DICK’S shut down email systems and temporarily locked out all employee accounts. The company engaged external cybersecurity experts to investigate, isolate, and contain the breach. All employees must have their identities manually verified on camera to regain access to their accounts, indicating heightened security measures. DICK'S has reported the incident to federal law enforcement and maintains that the breach has not impacted business operations. An ongoing investigation has yet to conclude the full extent and impact of the breach; however, DICK'S believes the breach is not material to its operations.
2024-08-28 17:25:01 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Collaborate with Ransomware Gangs for Extortion
Iranian hackers from the Pioneer Kitten group are targeting U.S. sectors including defense, education, finance, and healthcare. These cyber actors are believed to be linked to the Iranian government, enhancing geopolitical cyber threats. The hackers monetize access by selling admin credentials and controlling domains through online cyber marketplaces. The FBI identifies direct collaboration between Pioneer Kitten and ransomware affiliates like NoEscape and ALPHV to execute encryption and increase ransom demands. Pioneer Kitten conceals their nationality and origins while partnering with ransomware groups, keeping these details secret from their partners. Recent activities include probing networks for vulnerabilities in security gateways and VPN devices, utilizing exploits in their cyber campaigns. Pioneer Kitten has historically exploited various security flaws to breach networks, showing a pattern of sophisticated and targeted cyber-attacks. Alerts from federal agencies like CISA and the FBI warn of the ongoing threat and capabilities of Pioneer Kitten to deploy and profit from ransomware operations.
2024-08-28 17:04:12 bleepingcomputer CYBERCRIME Fortra Addresses Critical Hardcoded Password Vulnerability
Fortra issued a warning about a critical hardcoded password flaw in FileCatalyst Workflow, allowing unauthorized database access. Exploiting this flaw, attackers can extract sensitive data and create new admin profiles to take complete control over the system. The vulnerability, identified as CVE-2024-6633 with a CVSS score of 9.8, affects versions up to 5.1.6 Build 139. Fortra recommends upgrading to FileCatalyst Workflow version 5.1.7 or later to mitigate this security risk. The vulnerable HSQLDB database is intended only for initial installation setups and not for ongoing production use, as per vendor recommendations. There are no alternative mitigations; updating to the latest software version is the only recommended defense. Tenable discovered the vulnerability, noting that the hardcoded password "GOSENSGO613" is unchangeable by end-users and poses a high security risk for current deployments. The high potential for exploitation makes this flaw particularly hazardous for organizations using the affected product versions.
2024-08-28 17:04:12 bleepingcomputer MISCELLANEOUS Google Significantly Increases Chrome Bug Bounty Rewards
Google has updated its Chrome Vulnerability Reward Program, raising the maximum bounty to $250,000 for critical security flaws. The enhanced bounties aim to motivate researchers to submit high-quality reports and explore Chrome vulnerabilities thoroughly. Rewards now vary based on the quality of the vulnerability report and the potential security impact, with significant increases for reports demonstrating remote code execution. Google has also increased the reward for MiraclePtr bypass vulnerabilities to $250,128, up from the previous $100,115. The company continues to adapt its rewards program, including plans to introduce more experimental reward opportunities aimed at promoting deeper security research. Google has spent over $50 million in bug bounty payouts since the inception of its Vulnerability Reward Program in 2010, covering more than 15,000 reported vulnerabilities. The Play Security Reward Program (GPSRP) will close at the end of August due to a decrease in actionable vulnerability reports.
2024-08-28 16:23:17 theregister CYBERCRIME Dick’s Sporting Goods Reveals Cyberattack, Investigative Efforts Ongoing
Dick's Sporting Goods reported a cyberattack discovered on August 21, notifying the SEC via an 8-K filing. An unidentified third party accessed portions of the company’s systems that contained confidential information; the specifics of the information compromised remain unclear. Although the cyberattack did not disrupt ongoing business operations, the full implications are still being assessed. The company has engaged law enforcement and external security experts to investigate the breach and strengthen its security measures. Customers affected by the breach will be notified, but the company has not specified which types of customer information were exposed. The outcome of this incident and further details may be disclosed during the upcoming second-quarter earnings report on September 4. There is no clear evidence of ransomware or immediate operational sabotage, as services were not halted.
2024-08-28 16:17:58 thehackernews MALWARE Fortra Releases Patch for Critical FileCatalyst Workflow Vulnerability
Fortra has patched a critical vulnerability in FileCatalyst Workflow, identified as CVE-2024-6633 with a CVSS score of 9.8. The security flaw was due to use of static default credentials in the HSQL database setup, potentially allowing unauthorized administrative access. Cybersecurity firm Tenable discovered the vulnerability, which made it possible for remote attackers to add admin users to the Workflow web application. Fortra’s advisory highlighted that although HSQLDB is intended only for installation and not for production, failure to switch databases left users exposed. Apart from the critical flaw, a high-severity SQL injection vulnerability (CVE-2024-6632, CVSS score: 7.2) was also patched. This SQL injection issue stemmed from improper validation of user input during the setup process, allowing attackers to make unauthorized database modifications. The vulnerabilities have been fixed in FileCatalyst Workflow version 5.1.7 and later, following responsible disclosure protocols.
2024-08-28 15:47:13 bleepingcomputer DATA BREACH DICK'S Sporting Goods Reports Data Exposure Due to Cyberattack
DICK'S Sporting Goods experienced a cyberattack that exposed confidential information last Wednesday. Following the detection of the breach, the company hired cybersecurity experts to manage the incident and investigate its scope and impact. The cyberattack involved unauthorized access to certain information systems containing sensitive data. DICK'S initiated a swift response through its cybersecurity protocol, engaging external specialists to isolate and neutralize the threat. Employees have been temporarily restricted from accessing company systems, receiving further instructions via personal communication channels. The company has reported the incident to federal law enforcement but asserts that business operations remain unaffected. The ongoing investigation suggests that the incident may not significantly impact the company due to prompt response measures.