Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12776

Checks for new stories every ~15 minutes

2024-08-07 23:09:45 bleepingcomputer CYBERCRIME White Hat Hackers Return $12 Million After Demonstrating Ronin Network Vulnerability
White hat hackers identified and exploited a vulnerability on the Ronin Network blockchain, withdrawing $12 million to demonstrate the security flaw. The hackers targeted the Ronin bridge, exploiting an undocumented bug introduced in a recent update that misinterpreted the vote threshold needed for fund withdrawals. After demonstrating the exploit, the hackers paused the bridge for 40 minutes and informed Ronin Network, facilitating the identification and resolution of the flaw. Ronin Network has committed to a thorough audit and redesign of the bridge governance process to prevent similar vulnerabilities in the future. The white hats returned all the stolen funds and received a $500,000 bounty for their assistance in exposing the flaw. The incident highlights ongoing security challenges in blockchain technology and underscores the importance of robust security measures and constant vigilance. Ronin Network guaranteed full reimbursement of user funds in the event the hackers had decided to keep the stolen funds.
2024-08-07 22:38:58 bleepingcomputer DATA BREACH SEC Concludes Investigation on MOVEit Zero-Day Exploit Impact
The SEC completed its investigation into Progress Software's response to a zero-day exploit in MOVEit Transfer, deciding not to recommend enforcement action. The breach, carried out through a previously unknown vulnerability, affected over 2,770 companies globally and compromised the data of approximately 95 million individuals. The Clop ransomware gang exploited this vulnerability during the 2023 Memorial Day weekend, resulting in significant data theft across sectors including government, finance, healthcare, airlines, and education. Despite the SEC's decision not to pursue enforcement, Progress Software is facing numerous class-action lawsuits consolidated in the Massachusetts federal courts. The criminal exploitation of the vulnerability has reportedly netted the Clop gang between $75 million and $100 million in ransom payments. Progress Software was initially subpoenaed by the SEC on October 2, 2023, as part of the regulator's investigation into the handling of the data theft incidents.
2024-08-07 22:28:32 bleepingcomputer MALWARE BlackSuit Ransomware Demands Over $500 Million Since Emergence
The BlackSuit ransomware has demanded over $500 million from victims since its emergence over two years ago. Originally known as Royal ransomware, the malware rebranded to BlackSuit in June 2023 after being initially identified as Quantum ransomware in January 2022. BlackSuit is believed to be a successor to the infamous Conti cybercrime syndicate and has shown significant evolutions in capabilities and coding similarities to its predecessors. Ransom demands made by the BlackSuit gang typically range from $1 million to $10 million USD, with the largest single demand reaching $60 million. Over 350 organizations have been targeted by the BlackSuit ransomware, resulting in at least $275 million in confirmed ransom payments. The FBI and CISA continue to release advisories detailing indicators of compromise and tactics to help organizations defend against BlackSuit ransomware attacks. A notable attack by BlackSuit caused a significant IT outage at CDK Global, impacting over 15,000 car dealerships across North America and disrupting operations severely.
2024-08-07 21:27:08 bleepingcomputer MALWARE New CMoon Worm Steals Data from Russian Gas Company Website
A new malware, named CMoon, has been actively targeting a Russian gas company's website since early July 2024. CMoon is capable of stealing credentials, snapping screenshots, launching DDoS attacks, and downloading additional payloads. The infection begins when users download what appear to be regular documents (.docx, .xlsx, .rtf, .pdf) from the compromised website, which are actually malicious executables. The malware propagates itself through USB drives, replacing files on the drive with executables that further spread the worm. CMoon targets sensitive information within web browsers, cryptocurrency wallets, FTP and SSH clients, and files containing specific keywords like 'secret' and 'password.' After data theft, CMoon packages the stolen data and sends it to an external server where it is decrypted and checked for integrity. After being notified, the gas company removed the malicious files on July 25, 2024, but the self-propagating nature of the malware means it could continue to spread autonomously. Kaspersky researchers suggest that CMoon might also be distributed through other unseen channels, advising continued vigilance.
2024-08-07 20:25:43 bleepingcomputer MALWARE Researcher Exposes Windows Update Downgrade Attack Vulnerabilities
Alon Leviev, a SafeBreach researcher, exposed critical vulnerabilities at Black Hat 2024, showing how Windows systems can be "unpatched" through downgrade attacks. The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, affect Windows 10, Windows 11, and Windows Server, potentially reintroducing old exploits. Microsoft has issued advisories offering mitigation advice but has yet to release a comprehensive fix for these zero-day vulnerabilities. The attack manipulates the update process, deceiving the OS into believing it's fully updated while actually reverting to older, vulnerable software versions. Mechanisms such as Credential Guard and Hyper-V can be downgraded, undermining Windows virtualization-based security features. The vulnerabilities make patched systems susceptible to thousands of past vulnerabilities, essentially treating patched vulnerabilities as new, exploitable issues. Microsoft is still developing fixes for these vulnerabilities and has published preliminary guidelines to help protect against potential exploit attempts.
2024-08-07 18:53:27 bleepingcomputer RANSOMWARE McLaren Health Ransomware Attack Disrupts Hospital Operations
McLaren Health Care's IT and phone systems were disrupted by a ransomware attack attributed to INC Ransom. The attack affected 13 hospitals across Michigan and potentially compromised a patient information database. McLaren Health Care is a major non-profit healthcare provider with annual revenues exceeding $6.5 billion and over 28,000 employees. Because of the database access issues, McLaren advised patients to bring detailed personal medication information to appointments. Some non-urgent appointments and procedures may be rescheduled as a precaution. A ransom note found at McLaren Bay Region Hospital indicated that files had been encrypted and threatened a data leak unless a ransom was paid. INC Ransom, which surfaced in July 2023, has targeted various sectors including healthcare, and may be linked to other ransomware groups. McLaren later acknowledged a significant data breach affecting 2.2 million individuals and involving sensitive personal health information.
2024-08-07 17:16:22 bleepingcomputer DATA BREACH UK IT Firm Fined $7.7M for Ransomware Data Breach
The UK's Information Commissioner's Office (ICO) has issued a provisional $7.74 million fine to Advanced Computer Software Group Ltd for failing to protect personal data during a 2022 ransomware attack. Advanced, a service provider for the UK's NHS, suffered a breach that exposed personal details of approximately 83,000 individuals and sensitive access instructions for 890 home-care recipients. The breach significantly impacted numerous healthcare services and disrupted NHS 111 operations, affecting public and private entities. Impacted individuals were promptly informed, and no data has been reported as leaked on the dark web so far. The ICO highlighted deficiencies in Advanced's information security measures, citing the absence of fundamental practices such as security updates, multi-factor authentication, and vulnerability assessments. The proposed fine, equivalent to $93.3 per affected individual, reflects the gravity of the incident and the high expectations placed on organizations handling sensitive data. The final decision on the fine is pending, as the ICO awaits a response from Advanced, which could adjust the penalty amount.
2024-08-07 17:05:52 theregister MALWARE Critical Security Flaws Found in Alibaba's RISC-V CPUs
Researchers at CISPA Helmholtz Center in Germany identified severe security vulnerabilities in T-Head Semiconductor's RISC-V processors, particularly in the TH1520 SoC's C910 cores. The primary vulnerability, dubbed GhostWrite, allows unprivileged applications or users to manipulate physical memory and execute arbitrary code with high-level privileges, entirely compromising the device. GhostWrite's exploitability stems from a flaw in the vector extension instructions of the C910, which interact directly with physical rather than virtual memory, undermining established security barriers. Disabling the vector extension is the only current mitigation, significantly hindering performance and functionality of dependent applications. The findings will be presented at the Black Hat security conference in Las Vegas and have been detailed on a dedicated website and a technical paper. Other identified vulnerabilities include CPU crash bugs in the T-Head XuanTie C906 and C908 cores, necessitating system restarts when exploited. Alibaba's T-Head has confirmed the reproducibility of the C910 and C906 bugs but has not yet responded to the C908 issue. Michael Schwarz from CISPA highlighted that, unlike more complex ISAs that support microcode updates to patch vulnerabilities, RISC-V's simpler structure does not yet support such updates, limiting immediate remediation options.
2024-08-07 17:00:31 bleepingcomputer MISCELLANEOUS macOS Sequoia Enhances Security with Gatekeeper, Stalkerware Alerts
macOS Sequoia introduces stricter Gatekeeper controls, preventing users from bypassing security warnings on improperly signed or non-notarized apps. Users will need to go to System Settings > Privacy & Security to allow such software to run, setting a higher security standard. Apple's notary service will continue to check and notarize apps distributed outside the Mac App Store, vetting software before distribution. The upgrade, scheduled for this fall, will include weekly system prompts to manage permissions for apps that access screen and audio recording features. These prompts aim to give users more control over app permissions but have raised concerns about annoyance due to their frequency. The enhanced alerts are especially significant for combating stalkerware, as they warn users about apps capable of monitoring their activities.
2024-08-07 15:38:57 bleepingcomputer CYBERCRIME Critical Vulnerability in WhatsUp Gold Actively Exploited
Threat actors are actively exploiting a recently patched remote code execution vulnerability, CVE-2024-4885, in Progress WhatsUp Gold servers. The CVE has a severity score of 9.8 and affects the '/NmAPI/RecurringReport' endpoint of the monitoring application. Publicly available proofs-of-concept have facilitated the exploitation, which began around August 1, 2024, from multiple unique IP addresses. Progress has already issued fixes in its latest version, 23.1.3, for this vulnerability along with other critical and high-severity issues. The exploits allow attackers to execute code with elevated permissions, potentially leading to further unauthorized activity on the network. Security recommendations include updating to the latest software version and restricting network traffic to trusted IPs over secure channels. Persistent exposure and delayed updates could allow attackers to establish footholds within corporate networks, making robust monitoring and firewall defenses necessary.
2024-08-07 15:03:06 theregister MISCELLANEOUS How AI Improves Cybersecurity Defenses in Modern Businesses
Hackers are increasingly using AI for sophisticated attacks on unprepared businesses and organizations. Employees often use generative AI applications that process sensitive data without IT department oversight, expanding potential cyber threats. Palo Alto Networks utilizes AI to enhance cybersecurity, providing tools for better visibility, control, and governance. Senior executives from Palo Alto Networks, including the CEO and Chief Product Officer, discuss the benefits of AI in combating real-time threats and securing AI applications in the workplace. Demonstrations include AI-driven software agents called copilots, which help monitor systems and networks for threats automatically. Testimonies from major companies like Costco and Dell reveal the necessity to tag and protect data used in AI applications as confidential. Customer care specialist Consensus uses AI to automate threat detection across a large network of endpoints and servers. The insights are presented in a series of on-demand videos titled "Precision AI: Unveiling the Future of AI & Cybersecurity."
2024-08-07 14:11:48 thehackernews MALWARE Researchers Uncover New Linux Kernel Exploit Technique 'SLUBStick'
Researchers from the Graz University of Technology have discovered a new Linux kernel exploitation technique named SLUBStick, which makes heap vulnerabilities easier to exploit. SLUBStick uses a timing side-channel in the heap allocator to perform cross-cache attacks, achieving a success rate of over 99%, significantly higher than previous methods. The technique targets memory safety vulnerabilities in the Linux kernel, which are typically challenging to exploit because of defenses such as SMAP, KASLR, and kCFI. SLUBStick has been tested on Linux kernel versions 5.19 and 6.2 using nine documented security flaws from 2021 to 2023, achieving root privilege escalation and container escapes. Existing defenses such as KASLR are effectively bypassed by SLUBStick, which provides arbitrary kernel memory read and write capabilities. The method assumes that the kernel contains a heap vulnerability and that the attacker can execute unprivileged code on the system. This discovery highlights the need for continuous improvement of security measures within Linux environments to guard against advanced exploit techniques.
2024-08-07 14:01:18 bleepingcomputer MISCELLANEOUS Expanding vCISO Services Amid CISO Shortage in Cybersecurity
The demand for Chief Information Security Officer (CISO) roles has grown due to increasing cyberattacks like ransomware. Skilled CISOs are scarce and command high salaries, making it difficult for SMBs to afford in-house CISOs. Virtual CISO (vCISO) services have become popular as they provide affordable, strategic cybersecurity assistance to SMBs. MSPs and MSSPs see vCISO offerings as a way to meet the growing needs of their clients for enhanced cyber resilience and also to generate recurring revenue. The eBook from Cynomi details how service providers can expand their vCISO services to cover comprehensive duties typically performed by full-time CISOs. vCISO platforms enable service providers to deliver a full suite of services, increasing their value and positioning them as trusted partners at the executive level. More than 80% of service providers are planning to offer vCISO services, reflecting a significant trend in cybersecurity management for SMBs.
2024-08-07 13:35:32 thehackernews CYBERCRIME Critical Security Flaws in Roundcube Webmail Expose User Data
Cybersecurity researchers identified significant vulnerabilities in Roundcube webmail that could allow attackers to execute malicious JavaScript and steal sensitive data. Exploiting these flaws lets attackers access emails, contacts, and even the victim's email password, and enables them to send emails from the victim's account. The vulnerabilities are triggered simply by a victim viewing or, in some instances, clicking a malicious email crafted by the attacker. The flaws were disclosed responsibly and have been fully addressed in the latest Roundcube updates, versions 1.6.8 and 1.5.8. This type of exploit requires no complex interaction from the user, posing a significant risk to any unpatched system. The exposure of such vulnerabilities confirms the importance of timely software updates and the continued risk of targeted attacks by sophisticated actors, including nation-state entities. Similar critical vulnerabilities were also discovered and addressed in the RaspAP project, highlighting ongoing security challenges across software environments.
2024-08-07 13:25:05 theregister CYBERCRIME Exploiting Outlook's Anti-Phishing Measures with Simple CSS
Microsoft Outlook's anti-phishing feature, First Contact Safety Tip, can be bypassed using simple CSS modifications in HTML emails. Phishers can make the safety banner effectively invisible by altering the CSS so that the banner's text and background are both rendered white, blending it into the email's content. Although direct CSS properties such as display and opacity changes don't work because of Outlook's limitations, color changes effectively hide the warning. The warning remains visible in a truncated form within the email preview pane, but this might be overlooked by users not paying close attention. Attackers can further manipulate CSS to fake encryption or signature indicators, enhancing the perceived legitimacy of phishing emails. These tweaks won't exactly match standard Outlook formatting, but could still deceive less attentive users. Microsoft has acknowledged the issue but does not consider it an immediate threat, opting to revisit the findings in the future. If not diligently monitored, this weakness exposes organizations to increased phishing risk.