Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12754

Checks for new stories every ~15 minutes

2024-07-18 00:56:16 theregister MISCELLANEOUS Enhancing Datacenter Security Against Implant-Based Intrusions
Increasing use of NFC and other implants could pose novel security risks in datacenters. Security expert Len Noe demonstrates how implants can clone access cards and allow seamless entry into secure buildings. Implants, often undetectable by standard scanners, contain information considered medical data, complicating legal challenges. Specially trained sniffer dogs can detect chemicals in implants, offering a potential security solution. Despite the low number of individuals using implants maliciously, the potential for increased cybercriminal activity exists. Current countermeasures include the implementation of multi-factor authentication methods in sensitive areas. The evolution of brain-computer interfaces and implant technologies necessitates new security considerations and strategies.
2024-07-17 23:29:42 theregister MISCELLANEOUS Exabeam and LogRhythm Merger: Job Cuts and Legal Challenges
Exabeam and LogRhythm have completed their merger, resulting in significant job cuts and a lawsuit from shareholders. Reports indicate a 30% reduction in the workforce of the newly merged entity, as announced during an internal company Zoom meeting. The merged company remains private, with no details disclosed on the deal's value or structure; Chris O'Malley, former LogRhythm president, has been appointed CEO of the combined company. Exabeam aims to provide AI-driven security solutions, positioning itself against larger tech companies' offerings, according to O'Malley. Former Exabeam CEO Adam Geller will depart the company with a considerable exit package. The merger has faced criticism from stakeholders, who describe it as a survival attempt by two struggling companies under a private equity arrangement. An Exabeam investor tried to halt the merger by legally requesting to inspect Exabeam's and LogRhythm's books, but the lawsuit was dismissed. Law firm Kahn Swick & Foti is investigating the fairness of the merger to Exabeam's shareholders, particularly concerning the cancellation of common stockholders' shares without compensation.
2024-07-17 21:12:16 bleepingcomputer CYBERCRIME FIN7 Hackers Market Advanced EDR Evasion Tool to Cybercriminals
FIN7, a sophisticated Russian hacking group active since 2013, is selling a tool named "AvNeutralizer" that disables enterprise endpoint protection software. Initially involved in financial fraud through debit and credit card theft, FIN7 has evolved into ransomware operations, including partnerships with DarkSide and BlackMatter. "AvNeutralizer," also known as AuKill, aids in evading detection by disabling antivirus and EDR software and has been linked to multiple ransomware groups. Recent findings by SentinelOne reveal that "AvNeutralizer" abuses legitimate system drivers to incapacitate security processes, creating a denial-of-service condition for the protection software. SentinelOne's analysis shows FIN7 continually updating its toolset, emphasizing its adaptability and its persistent threat to global enterprises. Marketed on Russian hacking forums under various aliases, the tool ranges in price from $4,000 to $15,000, indicating a structured commerce in cybercrime tooling. Additional FIN7-developed hacking tools and methods have not appeared in public trading, highlighting the group's deep reservoir of cybercrime resources.
2024-07-17 19:04:53 bleepingcomputer CYBERCRIME Microsoft Enhances Exchange Online with Advanced Email Security Features
Microsoft is introducing inbound SMTP DANE and DNSSEC in a public preview for Exchange Online to increase email security and integrity. These protocols are designed to prevent downgrade and man-in-the-middle (MiTM) attacks by authenticating mail servers and validating TLS certificates. SMTP DANE uses a TLS Authentication (TLSA) DNS record to ensure secure connections and verify the identity of destination mail servers. The DNSSEC extension offers cryptographic verification of DNS records to prevent spoofing, hijacking, and interception during email transit. The implementation aims to protect email domains from impersonation, ensure encrypted delivery to the correct recipients, and boost email reputation. Microsoft plans to deploy the feature across all Outlook domains by late 2024; it is already enabled for some domains and available to enterprise and home customers for free. The Exchange Team encourages other email providers and domain owners to adopt these standards to improve overall email security and safeguard against malicious activity.
2024-07-17 18:23:55 theregister NATION STATE ACTIVITY Kaspersky Exits U.S. Market, Offers Free Updates as Farewell
Kaspersky, a Russian cybersecurity firm, is exiting the U.S. market following a U.S. Commerce Department ruling that the company poses a national security threat. As part of its departure, Kaspersky is offering U.S. customers six months of free security updates, even as it ceases operations and distribution in the U.S., beginning July 20 for new users and September 29 for existing users. The U.S. government accuses Kaspersky executives of working with Russian military and intelligence in support of the Russian government's cyber objectives, claims the company disputes. In a letter to customers, Kaspersky expressed gratitude for their trust and emphasized its commitment to providing high-quality cybersecurity. The farewell gesture includes not just updates but also other unspecified security solutions for free. The company did not specify how it will ensure the security of these products after the September deadline, when updates become prohibited. Kaspersky did not respond to inquiries about the specifics of the free product offerings to American customers.
2024-07-17 17:32:46 bleepingcomputer MALWARE Cisco Resolves Critical Password Change Vulnerability in SSM
Cisco has patched a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) license servers that could allow attackers to change any user's password, including administrators'. The vulnerability, tracked as CVE-2024-20419, stems from an unverified password change flaw in SSM On-Prem's authentication process. Attackers could exploit the bug by sending specially crafted HTTP requests to a vulnerable system, resetting passwords without knowing the original user credentials. The flaw affects both the current SSM On-Prem and older versions known as SSM Satellite, specifically installations earlier than Release 7.0. There are no workarounds; Cisco urges all users to update to the latest patched version to mitigate the risk. Although Cisco's Product Security Incident Response Team has not yet observed any public proof of concept or in-the-wild exploitation, the severity of the flaw warrants immediate updates. Separately, Cisco recently patched another vulnerability and issued warnings about state-backed hacking groups exploiting zero-day vulnerabilities against government networks.
2024-07-17 17:22:17 theregister MISCELLANEOUS Craig Wright Denies Being Bitcoin Creator After Court Ruling
Craig Wright, an Australian, has officially declared that he is not the creator of Bitcoin, following a series of lost legal battles in the High Court of England and Wales. The British judge in the case accused Wright of extensive and repeated lies during the trial and found that the evidence supporting his claim to be Satoshi Nakamoto was forged. Mr Justice James Mellor has recommended that the UK's Crown Prosecution Service consider prosecuting Wright for perjury and document forgery. Wright has been ordered by the court to pay more than £6 million in legal costs to the Crypto Open Patent Alliance (COPA), a group backed by significant industry players including Jack Dorsey and Coinbase. He has complied with parts of the court's orders by publicly admitting on his personal website and social media that he is not Bitcoin's creator, Satoshi Nakamoto. The court's decision reconfirms earlier rulings from March and May that dismissed Wright's claims of being the digital currency's originator. Wright has not filed any appeal against the judgment.
2024-07-17 16:36:03 bleepingcomputer DATA BREACH Life360 Suffers Significant Data Breach Affecting Over 400,000 Users
The data of 442,519 Life360 customers, including phone numbers, was exposed due to an API flaw. A hacker known by the handle 'emo' exploited this flaw to verify user details such as emails, names, and phone numbers. The exposed login API on Android would return users' first names and phone numbers, with verified phone numbers shown in a partially obscured format. Life360 has reportedly fixed the API issue, and the same requests now return a placeholder rather than real phone numbers. Separately, the same hacker claims to have leaked over 15 million Trello email addresses by exploiting another unsecured API. BleepingComputer confirmed the authenticity of the leaked Life360 data by verifying multiple entries. Life360 also revealed an extortion attempt following another breach involving its Tile customer support platform. The Tile breach involved unauthorized access to names, addresses, email addresses, phone numbers, and device IDs, though more sensitive information such as credit card numbers and passwords was not exposed.
2024-07-17 16:30:39 thehackernews NATION STATE ACTIVITY North Korean Hackers Target macOS with Updated Malware
North Korean cyber actors have updated the BeaverTail malware to target macOS users through a deceptive disk image mimicking the MiroTalk video service. BeaverTail steals data from web browsers and cryptocurrency wallets and delivers additional malicious payloads, including a backdoor named InvisibleFerret. The newly discovered macOS variant follows the group's established social engineering pattern, in which users are lured into downloading fake job interview material. The malware also executes additional Python scripts fetched from remote servers, extending its intrusion capabilities. Researchers warned about a related npm package, "call-blockflow", that imitates legitimate software to conceal malicious activity; it was downloaded 18 times before being unpublished. Persistent efforts by DPRK-linked hackers have been observed in various cyber espionage campaigns, including those targeting software supply chains and foreign organizations. JPCERT/CC raised alarms about similar malicious activity by North Korean actors against Japanese targets, leveraging phishing and malicious executables to harvest and exfiltrate valuable information.
2024-07-17 15:03:45 theregister RANSOMWARE Ransomware Costs for Critical Infrastructure Soar in 2024
The cost of ransomware attacks on critical infrastructure has risen dramatically, with median ransom payments increasing to $2.54 million, up from $62,500 last year. The average cost to recover from these attacks is now approximately $3 million per incident, with certain sectors such as energy and water experiencing a fourfold increase to $3.12 million. Recovery times are lengthening, with only 20% of affected organizations recovering in a week or less, down from 41% the previous year. The high costs and prolonged recovery times are occurring even though an increasing share of organizations (61%) choose to pay ransoms. Legal and regulatory measures, such as the proposed UK Cyber Security and Resilience Bill and the US CIRCIA, are being considered to improve disclosure and strengthen cybersecurity across critical sectors. Sophos' report highlights that exploited vulnerabilities remain the top initial cause of ransomware attacks, urging an improvement in cybersecurity practices across the board.
2024-07-17 14:58:22 bleepingcomputer DATA BREACH MarineMax Suffers Data Breach Affecting Over 123,000 Individuals
MarineMax, a leading boat and yacht retailer, reported a data breach impacting 123,494 people. The breach was carried out by the Rhysida ransomware gang, with unauthorized network access detected from March 1 to March 10, 2024. Initial reports denied the presence of sensitive data on the compromised systems; subsequent updates, however, confirmed the theft of personal data. The stolen data includes names and possibly other sensitive personal identifiers; the exact details remain undetermined. The breach affected a "limited" number of systems after the attackers gained access to MarineMax's network. MarineMax has reported the incident to the Attorneys General of Maine and Vermont as part of its legal reporting requirements. The Rhysida gang has published 225GB of files online, claiming they represent data it could not sell, including financial documents and personal identity documents such as driver's licenses and passports. The breach adds to Rhysida's growing notoriety; the gang has previously targeted organizations such as the British Library and the Chilean Army.
2024-07-17 14:37:47 bleepingcomputer DATA BREACH MarineMax Suffers Data Breach, Over 123,000 Affected
MarineMax, a major yacht retailer, reported a data breach affecting 123,494 individuals. Initial SEC filings suggested no sensitive data was compromised; this was later corrected to acknowledge the theft of personal data. The breach occurred through unauthorized access from March 1 to March 10, 2024. The Rhysida ransomware gang claimed responsibility, publishing stolen data, including personal IDs, on its dark web site. The attack highlights the increasing threat posed by ransomware groups like Rhysida, which target a wide range of industries. MarineMax notified affected individuals after concluding its investigation into the incident. The breach notification was filed with the Attorneys General of Maine and Vermont in line with regulatory requirements.
2024-07-17 14:07:02 bleepingcomputer MISCELLANEOUS Simplifying IT Compliance with Automated User Access Reviews
Modern work environments, with distributed teams and widespread adoption of cloud technologies, have made maintaining IT compliance more complicated. Regular assessments are required to determine which systems and applications handle sensitive data and are therefore "in scope" for compliance regulations. The rise of SaaS tools has both enhanced productivity and introduced complexity for IT compliance audits such as SOC 2, HIPAA, or PCI DSS. SaaS sprawl and shadow IT have made compliance harder to manage, as organizations often lack a comprehensive view of all the software in use. Nudge Security provides a systematic approach to automating user access reviews, assisting in identifying and managing both known and unknown applications. The solution offers features to discover cloud and SaaS assets, automate access reviews, streamline compliance tasks, and generate audit-ready reports. Automation through tools like Nudge Security helps manage user access efficiently, reducing the burden of manual tasks and helping maintain compliance in a dynamic SaaS environment.
2024-07-17 11:49:16 theregister DATA BREACH Hackney Council Challenges ICO Verdict on 2020 Ransomware Impact
In 2020, Hackney Council suffered a ransomware attack that compromised the personal data of approximately 280,000 residents and employees and destroyed some backup files. The UK's Information Commissioner's Office (ICO) issued a reprimand rather than a fine, citing insufficient cybersecurity measures, including poor patch management and insecure passwords on dormant accounts. Hackney disputes the ICO's findings, claiming they exaggerate and misunderstand the attack's risks and the council's data security practices, but will not appeal due to resource constraints. The attack led to significant service disruptions, impacting council operations and staff's ability to respond to information requests effectively for nearly two years. Despite disagreeing with some findings, Hackney acknowledged the severity of the breach and its impact on the community, while commending staff efforts during the recovery period. The ICO welcomes Hackney's subsequent improvements in cybersecurity but highlights the severe consequences of the council's initial failings. No fine was issued, in line with the ICO's recent policy shift that prioritizes reprimands and guidance over monetary penalties for public sector data breaches.
2024-07-17 11:13:23 thehackernews MISCELLANEOUS Addressing Insider Risks in Corporate Security Strategies
Insider risk is becoming a critical challenge in modern cybersecurity programs, arising from both intentional and unintentional insider threats. Recent reports include cases where employees of well-known companies such as T-Mobile and Verizon were approached to facilitate SIM swap attacks for financial gain. Accidental insiders, unlike malicious insiders, jeopardize security through negligence or lack of awareness, inadvertently opening doors for external threats. These unintentional actions can lead to significant breaches, exposing sensitive information such as email, bank accounts, and identity credentials. The FBI has highlighted the increase in such insider-assisted threats, particularly SIM jacking, urging organizations to strengthen internal security measures. Proactive internal controls, thorough employee training, and a security-aware culture are essential to mitigating the risks posed by insiders. Implementing insider risk solutions such as those offered by Everfox can help organizations protect against both intentional and accidental insider breaches.