Daily Brief
Total articles found: 11826
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-12 22:14:07 | theregister | MALWARE | Black Basta Gang Exploited Windows Flaw Before Patch | The Black Basta ransomware group likely exploited a Windows privilege escalation bug as a zero-day, according to Symantec. Microsoft addressed the vulnerability (CVE-2024-26169), which could let attackers elevate to SYSTEM level, in its March Patch Tuesday update. The exploit was detected in a failed ransomware attack analyzed by Symantec, and showed signs of having been compiled before the official patch. The same cybercrime group used social engineering and Microsoft's Quick Assist to distribute ransomware in related attacks. The techniques employed by Black Basta in this failed attempt align closely with those observed by Microsoft in a documented campaign by Storm-1811. The exploit works by manipulating registry keys through a null security descriptor, allowing execution with administrative rights. Timestamps on the malware variants suggest their creation predates Microsoft's patch, though timestamp manipulation cannot be ruled out entirely. |
| 2024-06-12 19:40:49 | bleepingcomputer | MISCELLANEOUS | AWS Enhances Security with Passkeys and Mandatory MFA | AWS has incorporated FIDO2 passkeys as a new multi-factor authentication (MFA) option to boost security. Starting July 2024, AWS will require all root account users to enable MFA, beginning with standalone accounts. Passkeys, as supported by AWS, employ public key cryptography and are designed to resist phishing and man-in-the-middle attacks. Users can create and use software-based syncable passkeys, accessible via platforms like Apple Touch ID and Windows Hello. Amazon emphasizes the importance of choosing secure MFA methods and suggests passkeys as a robust option against social engineering attacks. AWS will gradually enforce the MFA requirement, extending it to more users over time, with the intention of enhancing overall security. The push for broader MFA adoption aligns with Amazon's commitment to CISA's Secure by Design pledge. |
| 2024-06-12 19:09:59 | bleepingcomputer | MALWARE | Google Releases Urgent Fixes for Exploited Pixel Security Flaws | Google has issued patches for 50 vulnerabilities in Pixel devices, including one actively exploited zero-day. This zero-day, identified as CVE-2024-32896, is a high-severity elevation-of-privilege flaw in Pixel firmware. Exploitation of CVE-2024-32896 is reported to be limited and targeted, prompting an immediate patch to the 2024-06-05 level. The June 2024 update also addresses other security concerns, including seven critical privilege escalation vulnerabilities in different Pixel subcomponents. Unlike other Android devices, Pixels receive unique updates due to their distinct features and Google's direct control over the hardware. Pixel users must manually install the update through their device settings to protect against these vulnerabilities. Additionally, a recent disclosure by Arm mentioned another unrelated but actively exploited flaw, CVE-2024-4610, affecting its GPU kernel drivers. In April, Google patched other Pixel-specific zero-days used by forensic firms to bypass security controls and access device data. |
| 2024-06-12 17:58:35 | bleepingcomputer | CYBERCRIME | CISA Issues Alert on Criminals Impersonating Agency Staff | The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding fraudsters impersonating its employees to solicit money transfers. Criminals are using legitimate government titles and names to lend credibility to their schemes, fooling individuals into sending funds through various methods. CISA explicitly clarifies that its staff will never request money transfers or instruct secrecy during communications. The agency advises the public to hang up immediately on suspicious calls, note down the caller's number, and confirm the legitimacy of the contact through CISA's published phone number or report it to law enforcement. The Federal Trade Commission (FTC) also highlights a significant rise in impersonation scams, with financial losses more than tripling since 2020, totaling over $1.1 billion in 2023. Both business and government impersonation scams are prevalent, with scammers often combining fake roles within a single fraudulent operation. |
| 2024-06-12 17:37:55 | bleepingcomputer | CYBERCRIME | New Phishing Technique Exploits PWAs to Harvest Credentials | A new phishing toolkit has been developed to create convincing Progressive Web Apps (PWAs) for credential theft. PWAs can mimic corporate login forms with a forged address bar, increasing their deceptive appearance. Originally designed as a legitimate way to enhance user engagement, PWAs are being manipulated for phishing, demonstrating a significant security concern. The toolkit allows the creation of fake interfaces that can mislead users into installing malicious software under the guise of legitimate applications. Security researcher mr.d0x has made the PWA phishing templates available on GitHub for testing and educational purposes. Measures against such attacks are limited, as Chrome shows the real domain only periodically and not all security training programs cover PWA phishing risks. No existing group policies effectively prevent the installation of PWAs, posing a challenge for IT security at the organizational level. This technique is likely to be adopted by cybercriminals in future attacks, complicating the cybersecurity landscape. |
| 2024-06-12 16:46:41 | bleepingcomputer | DATA BREACH | Life360 Targeted in Extortion Attempt After Tile Data Hack | Life360, a company specializing in safety and location services, disclosed an extortion attempt following a breach of its Tile customer support platform. The breach, which occurred after Life360's acquisition of Tile for $205 million, exposed user names, addresses, email addresses, phone numbers, and device IDs. The stolen data did not include highly sensitive information such as credit card numbers, passwords, or location data. The breach involved the use of credentials believed to have been stolen from a former Tile employee, allowing unauthorized access to various Tile systems. Life360 has taken measures to secure its platforms and has reported the incident to law enforcement, though details on when the breach was detected and the full extent of the impact remain unclear. The threat actor sent multiple extortion emails to Life360, claiming possession of the stolen customer information. There is ongoing concern about whether the stolen data might appear on hacking forums or the dark web, impacting customer privacy and security. |
| 2024-06-12 16:20:58 | theregister | DATA BREACH | White House Reveals Details of Major 2023 Government Data Breaches | The White House report detailed 11 major data breaches across U.S. federal agencies in 2023, with various departments impacted. A total of 32,211 cybersecurity incidents were reported by U.S. federal agencies in 2023, marking a 9.9% increase from the previous year. Major causes of the incidents include improper usage, phishing, and web-based attacks, with brute force attacks showing a significant increase. Most incidents were rated "medium" or below in terms of potential impact on national security, economic security, or public services. Notable breaches involved the Departments of Health and Human Services, Treasury, and Justice, and the Office of Personnel Management, with incidents ranging from ransomware attacks to accidental data exposure. Affected data included personally identifiable information such as names, Social Security numbers, and health information, impacting millions of individuals. Response measures have involved strengthening internal processes, training, and in some cases, providing credit monitoring services to affected parties. |
| 2024-06-12 15:09:05 | bleepingcomputer | MISCELLANEOUS | Microsoft Recommends Transition from DirectAccess to Always On VPN | Microsoft has declared the deprecation of its DirectAccess remote access technology, promoting migration to Always On VPN. DirectAccess, introduced with Windows 7 and Windows Server 2008 R2, allowed seamless corporate network access for remote users and for IT management. Always On VPN, available from Windows Server 2016 and Windows 10 onwards, supports modern VPN protocols and multi-factor authentication for enhanced security. The newer VPN solution also accommodates both domain-joined and non-domain-joined devices, offering greater flexibility than DirectAccess. Microsoft has not specified a removal date for DirectAccess but urges users to begin transitioning to Always On VPN to prevent future disruptions. A migration guide has been provided, recommending a phased migration approach and parallel operation of both systems to ensure continuity. Post-migration steps include removing the DirectAccess server role, updating DNS records, and decommissioning the server from AD DS. |
| 2024-06-12 14:02:27 | theregister | NATION STATE ACTIVITY | Extensive Chinese Malware Campaign Targets 20,000 Firewalls | The Netherlands' cybersecurity agency (NCSC) has discovered that a previously reported Chinese malware attack targeted at least 20,000 FortiGate firewall systems. This expansive campaign, linked to Chinese state-sponsored actors, used a stealthy malware named Coathanger and compromised devices during a "zero-day period" in 2022 and 2023. The specific vulnerability exploited was CVE-2022-42475, a critical buffer overflow bug in FortiOS SSL-VPN that allows remote code execution. The victims of this malware campaign include Western governments, international organizations, and numerous defense companies. The Coathanger malware creates persistent access on infected systems, maintaining its foothold even after system updates. Dutch intelligence warns that many devices might still be infected, as full removal of Coathanger requires completely reformatting the device. Reports indicate that the attackers could potentially expand their reach, posing a significant risk of further data theft and system compromise. Security concerns for edge devices like firewalls are increasing, as evidenced by the growing number of vulnerabilities identified and the inherent security challenges of these highly targeted devices. |
| 2024-06-12 14:02:26 | bleepingcomputer | MISCELLANEOUS | Managing OAuth Risks: Insights and Proactive Measures | OAuth grants, which facilitate third-party access to Google accounts, pose significant security risks if not managed properly. It is essential to investigate the potential risks associated with OAuth grants, including the permissions they entail, which can be viewed in OAuth consent screens or API logs. Attack instances, like the abuse of Microsoft OAuth grants by the group "Midnight Blizzard," underscore the need for vigilance. Checking app registration details, such as client ID and publisher email, can reveal whether an app might be malicious or poorly configured. Vendor trust can be assessed through markers like official marketplace listings and verification statuses, although these can still be exploited by sophisticated threat actors. App popularity within an organization or the wider market can serve as a trust indicator, helping to determine the reliability of the app. Tools like Nudge Security streamline the management of OAuth risks by continuously discovering SaaS apps and assessing the associated risk levels, with features to revoke risky OAuth grants. |
| 2024-06-12 13:46:22 | thehackernews | CYBERCRIME | Cryptojacking Operation Exploits Kubernetes to Mine Cryptocurrency | Cybersecurity firm Wiz reports a cryptojacking campaign exploiting misconfigured Kubernetes clusters to mine Dero cryptocurrency. The term "cryptojacking" refers to the unauthorized use of someone else's computer processing power to mine cryptocurrency. Attackers are using Docker Hub to host malicious container images, with some accumulating over 10,000 pulls. These images bypass initial security controls by targeting Kubernetes API servers configured to allow anonymous access. The new cryptojacking variant uses misleading names like "k8s-device-plugin" and "pytorch-container" for DaemonSets that deploy mining operations across cluster nodes. The DERO miner involved is a UPX-packed, open-source Go binary with built-in cryptocurrency wallet addresses and mining pool URLs to facilitate undetected operation. Security analysts also discovered additional malicious tools, including a Windows DERO miner and scripts intended to disrupt competing mining processes. The actor's tactics include using innocuously named domains to camouflage malicious traffic and blend in with legitimate web activity. |
| 2024-06-12 13:46:22 | bleepingcomputer | CYBERCRIME | Specialist in Ransomware Crypting Arrested in Ukrainian Operation | Police in Ukraine have arrested a 28-year-old Russian expert linked to the Conti and LockBit ransomware groups. The individual specialized in developing crypters to make malware payloads undetectable by antivirus software. His arrest was part of Operation Endgame, which targeted botnets used by ransomware operators for network breaches. Information from the Dutch police, following an attack on a multinational company, was crucial in tracking down the suspect. At least one direct involvement in a ransomware attack using a Conti payload was confirmed by the authorities. Searches in Kyiv and Kharkiv led to the seizure of computer equipment, mobile phones, and handwritten notes. The man faces charges of unauthorized interference in electronic systems and could be sentenced to up to 15 years in prison. The ongoing investigation aims to detail his exact contributions to the cyber attacks orchestrated by these ransomware groups. |
| 2024-06-12 11:32:31 | thehackernews | DATA BREACH | Massive Data Theft Hits Ticketmaster and Santander via Snowflake | Last week, ShinyHunters targeted Ticketmaster, compromising 1.3 terabytes of data from 560 million users and sparking global concern. Live Nation confirmed the breach via an SEC filing, identifying unauthorized activity in its third-party cloud database hosted by Snowflake, but anticipates no significant impact on operations. Santander also experienced a data breach affecting customers and employees, linked to a third-party provider's database hosted by Snowflake. Snowflake issued security alerts advising users to inspect logs and strengthen access controls, as the attackers took advantage of accounts protected only by single-factor authentication. Recommendations included enforcing multi-factor authentication, setting network policies, and resetting and rotating credentials to enhance security. Mitiga's research suggested the incidents were part of a broader campaign utilizing stolen credentials, primarily targeting environments lacking multi-factor authentication. The breaches underscore the need for robust cybersecurity practices, including mandatory multi-factor authentication, single sign-on enforcement, and proactive password management policies. The situation highlights the vulnerability of cloud environments and the critical importance of implementing comprehensive security measures to protect sensitive data. |
| 2024-06-12 11:16:47 | thehackernews | MALWARE | Black Basta Ransomware Linked to Windows Zero-Day Exploit | Black Basta ransomware actors potentially exploited a Microsoft Windows privilege escalation flaw (CVE-2024-26169) before it was patched in March 2024. Symantec's analysis suggests the exploit tool may have been in use as a zero-day, possibly compiled prior to Microsoft's fix. Threat actors tracked as Cardinal, Storm-1811, and UNC4393 have been using legitimate Microsoft tools (e.g., Teams, Quick Assist) to facilitate attacks, including credential theft and persistent access. These attacks include misuse of Microsoft Teams and Quick Assist for initial access, followed by the deployment of credential theft tools and batch scripts for further exploitation. The exploit involves manipulation of the werkernel.sys security descriptor to gain administrative privileges via registry key changes. Although an attempt to deploy ransomware using this exploit was unsuccessful, the presence of the tool in the wild indicates active exploitation. The ransomware threat landscape has intensified, with a significant rise in ransom payments to attackers and the emergence of new ransomware families like DORRA. |
| 2024-06-12 10:00:16 | bleepingcomputer | CYBERCRIME | Black Basta Ransomware Exploits Windows Zero-Day for Elevated Attacks | The Black Basta ransomware group is suspected of using a Windows zero-day vulnerability (CVE-2024-26169) for privilege escalation in ransomware attacks. The vulnerability, located in the Windows Error Reporting Service, was patched by Microsoft in its March 12, 2024 Patch Tuesday update. Symantec's investigation links the exploit to Black Basta following the detection of a specific tool deployed after an initial DarkGate loader infection. The attack technique involved altering registry keys through an exploited weakness in werkernel.sys file handling, enabling execution with SYSTEM privileges. Evidence suggests Black Basta had developed an operational exploit tool weeks to months before Microsoft issued a patch. Security analysts highlight the importance of timely system updates and adherence to CISA's security guidelines to mitigate potential threats from such vulnerabilities. Black Basta has been previously connected to the defunct Conti group and has reportedly amassed over $100 million through ransom operations since April 2022. |