Daily Brief

Ronald Simpson, ex-IT director at Webster University, pleaded guilty to a $2.1 million fraud involving the university and a computer equipment supplier. Simpson orchestrated a scheme from 2018 to 2023, misleading both the school and supplier to enrich himself through illicit sales. He faces up to 20 years in prison and a $250,000 fine with sentencing scheduled for September. The fraud entailed Simpson purchasing equipment under false pretenses and selling it to a third party, diverting funds to his personal accounts. Webster University terminated Simpson in September 2023 upon discovering the fraudulent activities. As part of the scam, Simpson exploited a return policy meant for defective items, falsely claiming equipment issues to receive and then sell replacements. The FBI conducted the investigation that led to Simpson’s guilty plea.

AMD's internal data is being advertised for sale on the dark web by an individual using the pseudonym IntelBroker. The data for sale reportedly includes customer databases, product specifications, internal financial details, staff information, and source code among other sensitive documents. AMD acknowledges awareness of the purported incident and is collaborating with law enforcement and third-party services to investigate the claims. IntelBroker, the vendor of this data, is known for distributing information from previous high-profile security breaches including incidents involving Europol, Home Depot, and the Pentagon. The legitimacy and actual value of the stolen data are unclear, posing a substantial risk to potential buyers in the underground market. The exposure of such critical information could potentially facilitate activities by phishers, fraudsters, and unscrupulous investors. Law enforcement officials are actively pursuing individuals associated with BreachForums, increasing pressure on IntelBroker and other users of the platform.

The EU Council has delayed a vote on a legislative proposal aimed at protecting children online by mandating the scanning of private digital communications for illegal content. Critics, including tech companies and civil liberties groups, argue that the proposal, known as Chat Control, would undermine encryption, jeopardizing user privacy and security. The proposed client-side scanning, or "upload moderation," would require internet services to pre-scan messages and media on devices before encryption, looking for content such as child sexual abuse material (CSAM). This approach has been widely contested; similar plans by Apple were abandoned in 2021 after significant opposition. Signal’s CEO Meredith Whittaker has expressed concerns that such technology is unfeasible without creating vulnerabilities that could have wide-reaching implications. European MPs have urged the Council of Europe to reject the proposal, warning that it contravenes the European commitment to secure communication and digital privacy. Business entities like Threema threaten to exit the European market if forced to comply, citing a loss of secure and private communication for EU citizens and professionals.

AMD is investigating a possible cyberattack after data claiming to be stolen was listed for sale on a hacking forum. A threat actor known as IntelBroker alleges to possess AMD employee details, confidential financial records, and other sensitive data. IntelBroker claims the data includes future AMD product details, employee databases, and more sensitive files. AMD is coordinating closely with law enforcement and a third-party hosting provider to determine the authenticity and importance of the claimed data. The hacker, also linked to previous breaches involving DC Health Link and the Europol Platform for Experts, has a history of significant cyber incidents. AMD remains cautious as it had dealt with a similar threat in June 2022 from the RansomHouse extortion group, which claimed a substantial data theft. The tech company has not confirmed the veracity of the new hacking claim as the investigation continues.

Researchers have identified a phishing-as-a-service platform, ONNX Store, aimed at Microsoft 365 accounts primarily within financial institutions. ONNX Store utilizes QR codes in PDF attachments to bypass traditional phishing defenses and two-factor authentication, targeting employees under the guise of HR communication. The platform, believed to be operated by the Arabic-speaking hacker MRxC0DER, provides a robust mechanism including real-time credential theft via phishing pages that replicate the Microsoft 365 login screen. ONNX allows its clients to manage phishing campaigns through Telegram bots, offering customizable Microsoft Office 365 phishing templates and support channels for operational assistance. Attacks observed include phishing emails impersonating HR departments with offers of salary updates to lure victims into scanning malicious QR codes and entering login credentials. Captured credentials and 2FA tokens are immediately transferred to the attackers, enabling potential unauthorized access to sensitive company information. ONNX’s infrastructure uses advanced deception techniques such as encrypted JavaScript and Cloudflare services to evade detection and ensure ongoing operations through bulletproof hosting. Protection against ONNX phishing involves blocking unverified PDF and HTML attachments, avoiding untrusted HTTPS sites, and implementing FIDO2 hardware for securing high-risk accounts.

VMware issued a security advisory for critical vulnerabilities in vCenter Server, affecting remote code execution and local privilege escalation. Affected versions include vCenter Server 7.0 and 8.0, along with VMware Cloud Foundation 4.x and 5.x. Three specific vulnerabilities were addressed: CVE-2024-37079, CVE-2024-37080, CVE-2024-37081. Updates are available in vCenter Server 8.0 U2d, 8.0 U1e, and 7.0 U3r; Cloud Foundation patches are accessible through KB88287. VMware states that updating vCenter Server will not impact running workloads or VMs, though temporary unavailability of management interfaces is likely during the upgrade. No active exploitation of these vulnerabilities has been detected, yet VMware urges updating immediately due to the risk of targeting by threat actors. The company also identified an issue with custom ciphers in version 7.0 U3r, recommending a precheck.

An investigative report by the Australian Information Commissioner revealed significant security oversights by Medibank, including unenforced multi-factor authentication (MFA), leading to a severe data breach. The breach occurred when a Medibank contractor's browser-stored work credentials were stolen from his home computer by malware. The attacker exploited these credentials to access Medibank's systems, including their Microsoft Exchange and VPN, allowing for extensive internal access. Between August 25 and October 13, 2022, the attacker extracted 520 GB of sensitive customer data, including personal and health information. Failure to act on generated EDR software alerts in late August allowed the breach to propagate undetected until mid-October. The breach revealed by Medibank in October 2022 effectively compromised the personal data of 9.7 million customers. The report underscores the necessity of robust security measures like MFA, especially for systems like VPNs, which are highly targeted by cyber actors.

The European Union has introduced a controversial proposal to scan users' private messages for child sexual abuse material (CSAM), raising significant concerns among privacy advocates. Meredith Whittaker, president of the Signal Foundation, criticized the proposal, stating that it severely undermines the integrity of end-to-end encryption (E2EE). The proposed measure, known as "upload moderation," would require messages to be analyzed before encryption, allowing for the detection of CSAM. The law excludes audio communications and requires user consent under service provider terms, offering alternatives for users who do not consent to scanning. Europol emphasizes the need for tech industry cooperation to balance public safety and privacy, suggesting the design of systems capable of reporting harmful activity without breaking encryption. The response from the tech community, including Apple, highlights concerns about privacy infringement and the potential for such measures to lead to broader surveillance practices. Signal warns that interfering with encryption algorithms or creating backdoors for scanning could lead to vulnerabilities, exploitable by both malicious actors and nation-state hackers.

The CHERI Alliance CIC has been established to promote the adoption of CHERI security technology, enhancing memory safety in CPUs. Founding members include notable organizations like the FreeBSD Foundation, University of Cambridge, and various security and chip design companies. CHERI technology focuses on preventing common memory vulnerabilities such as buffer overflows through fine-grained security controls. Despite significant involvement in developing CHERI, chip designer Arm is conspicuously absent from the alliance’s member list. The Alliance aims to stimulate industry collaboration, foster academic partnerships, and push for CHERI's broad implementation across different ISAs. The initiative is mentioned in a White House report emphasizing the importance of hardware support for robust memory safety. Efforts are being focused around the RISC-V ISA, suggesting a strategic pivot or broadening of technological foundations. The CHERI Alliance is set to formally launch in September and is currently open for new members.

Two individuals, Sagar Steven Singh and Nicholas Ceraolo, admitted guilt for hacking a federal law enforcement database as part of a blackmail scheme. The hackers were part of "ViLE", a group that exploited stolen personal information to extort money by threatening to release it publicly. They used stolen credentials of a police officer to access a law enforcement database containing sensitive information about criminal activities and personal data. Ceraolo further impersonated officers to extract additional personal data from social media platforms under false pretenses. The exposed data was used in blackmail attempts, including threats to disclose personal details like social security numbers and addresses unless payment was received. In one incident, Singh demanded Instagram account credentials by threatening the target’s family safety. The U.S. Department of Justice is pursuing the case, with sentences for the crimes committed by Singh and Ceraolo ranging from two to seven years. Ongoing efforts are being made to apprehend and prosecute other members of the ViLE hacking group.

Threat actors are using free or counterfeit software to distribute Hijack Loader and Vidar Stealer malware. Compromised Cisco Webex Meetings app downloads lead to the execution of stealthy malware loaders via DLL side-loading. The malware leverages enhanced privileges to escape detection by adding itself to Windows Defender's exclusion list. Apart from stealing information, the malware also installs a cryptocurrency miner and other malicious payloads on victims' systems. Techniques involve PowerShell scripts and deceptive browser update prompts to entice victims into executing malicious code. Detection challenges arise due to malware’s ability to mask its association with any files and the reliance on user interaction. Multiple cybersecurity firms have reported on the diverse tactics and payloads utilized in recent sophisticated phishing and malware campaigns. Security experts emphasize the importance of vigilance when downloading software and clicking on links, even from seemingly legitimate sources.

The U.S. government will cease financial support on July 12 for healthcare providers impacted by the Change Healthcare ransomware attack in February. The Centers for Medicare & Medicaid Services (CMS) initiated support programs in March offering funding and relaxed rules for affected organizations to maintain operations. Over $3.2 billion in accelerated payments have been disbursed to nearly 9,000 Medicare providers to help manage cash flow disruptions caused by the cyberattack. The support measures included allowing Medicare Advantage and Medicaid plans to provide advanced funding, and the acceptance of paper claims by Medicare Administrative Contractors while electronic systems were offline. Though most of the emergency funding (96%) has been repaid, ongoing challenges persist for some providers beyond the July 12 cutoff. CMS continues to encourage all healthcare entities to prioritize cybersecurity enhancements and remains ready to address future cyber incidents. The ransomware attack has been one of the costliest for the healthcare sector, with estimated costs nearing $1 billion, including a $22 million ransom payment to the attackers.

NHS Dumfries and Galloway CEO confirms that cybercriminals accessed and copied sensitive data during a February cyberattack. Data from approximately 150,000 individuals leaked after the trust refused to comply with ransom demands. Victims are primarily residents from Dumfries and Galloway; targeted communications and general notices are being distributed. The leaked data raises concerns over identity theft, cybersecurity threats, extortion, and mental health impacts. The situation parallels the 2022 Medibank breach in Australia, which also faced a ransom demand that was not met. Efforts to analyze and prioritize the leaked data focus on identifying and assisting high-risk or vulnerable patients. CEO Julie White offers an apology and reiterates the organization's commitment to transparency and adherence to law enforcement advice. Dumfries and Galloway NHS has published a detailed FAQ and summary online to clarify the breach's context and implications.

Seventy percent of enterprises have initiated dedicated teams to bolster security for Software as a Service (SaaS) applications. Despite 2023's economic and job market challenges, organizations have markedly increased resources for SaaS security, including a 56% rise in staffing and a 39% increase in budget allocations. The survey reveals a significant shift in prioritization, with 80% of organizations now focusing on SaaS security, a sharp contrast to its historical position as an afterthought. Enhanced SaaS security strategies have led to better capability maturation and visibility into SaaS applications, with marked improvements in detection and configuration management. Major challenges persist, particularly in achieving visibility into business-critical applications and managing risks associated with third-party apps and SaaS misconfigurations. The survey points to the effectiveness of SaaS Security Posture Management (SSPM) tools, highlighting users experience better control and ease in managing SaaS security compared to other methods. Overall, the surveyed data indicates a positive trend in SaaS security outcomes and mitigation of security incidents, suggesting robust investment and strategic implementation are paying dividends.

Cybersecurity experts have discovered a new malware targeting openly accessible Docker API endpoints to deploy cryptocurrency miners. The malware utilizes a variety of tools, including a remote access capability that allows further malicious software downloads and distribution through SSH. The attackers focus on Docker servers with open port 2375, conducting a multi-stage attack including reconnaissance, privilege escalation, and exploitation. A complex chain of scripts and binaries, including scripts named “b.sh” and “ar.sh,” are employed to configure remote access, scan for other vulnerable hosts, and install additional payloads. The malware incorporates a Go-based binary, "chkstart," enhancing the complexity of the malware and making analysis more difficult compared to previous versions written in shell script. Additional payloads like "exeremo" for lateral movement and "fkoths," a Go-based binary to erase traces, signify an advanced attempt to maintain persistence and avoid detection. These findings indicate continuous improvement and adaptation by the attackers, highlighting persistent security risks associated with misconfigured Docker hosts.