Daily Brief
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-05-09 23:16:50 | bleepingcomputer | NATION STATE ACTIVITY | Russian Military Hackers Launch Phishing Attacks on Polish Government | Polish government institutions were targeted by Russian military-linked hackers identified as APT28. The attack involved a sophisticated phishing campaign, as stated by Poland's CSIRT MON and CERT Polska. Phishing emails purported to offer information about a "mysterious Ukrainian woman," leading to a malicious website. The website tricked users into downloading a ZIP file containing malware disguised as an image, along with hidden malicious files. Execution of the malware involved DLL side-loading, displaying a distraction while further malicious activity ran in the background. This attack pattern mirrors previous APT28 campaigns, including the use of similar lures during the Israel-Hamas conflict. The U.S. State Department called on Russia to cease such malicious activities and highlighted ongoing efforts with the EU and NATO to address these threats. A significant vulnerability in Microsoft Outlook, CVE-2023-23397, was exploited during these campaigns, affecting multiple European entities, including NATO. | Details |
| 2024-05-09 22:20:34 | bleepingcomputer | CYBERCRIME | Monday.com Disables Feature After Phishing Attack Exploitation | Project management platform Monday.com removed its "Share Update" feature after phishing attackers abused it. Phishing emails, appearing as official Monday.com communications, prompted users about HR policies or employee feedback and contained malicious links. The attacks used the legitimate SendGrid service for email dispatch, so the messages passed all authentication checks, including SPF, DKIM, and DMARC. The phishing links redirected to forms on formstack.com that collected undisclosed types of information; these forms are now disabled. Monday.com responded by disabling the exploited feature, investigating the misuse, and contacting affected email recipients with warnings and precautionary advice. The platform stated that the abused feature did not involve access to any customer accounts or data hosted on Monday.com. The platform is reviewing the "Share Update" feature, with no clear timeline for its restoration or modification. | Details |
| 2024-05-09 21:09:08 | theregister | NATION STATE ACTIVITY | Election Security Expert Discusses AI's Role in Future Elections | Mick Baccio, former White House election threat analyst, highlights evolving security threats for the upcoming 2024 US elections. Baccio served as threat intelligence team leader during the 2016 election and later as CISO for Pete Buttigieg's 2020 campaign. The 2016 election experienced direct cyber attacks, including compromised email accounts and networks. By 2020, election threats included more division and more sophisticated influence operations, a trend expected to amplify in 2024. AI was identified as a significant factor in potential manipulation of the 2024 elections, a concern shared by figures such as Hillary Clinton. Financial motivations drive cybercriminals to exploit the fast-paced nature of electoral campaigns, posing threats to the security of campaign funds. Potential election interference techniques, including the abuse of AI by crime gangs and nation-state entities, remain a critical concern. | Details |
| 2024-05-09 19:32:02 | bleepingcomputer | MALWARE | Citrix Alerts on SSH Client Vulnerability, Advises Manual Fix | Citrix has issued a warning regarding a vulnerability in the PuTTY SSH client bundled with XenCenter for managing virtual environments. The vulnerability, identified as CVE-2024-31497, potentially allows attackers to steal SSH private keys from XenCenter administrators. The flaw arises from how older versions of PuTTY generate cryptographic nonces; the affected versions include those bundled with XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. Citrix has advised administrators to update PuTTY to version 0.81 or higher, or to remove the PuTTY component if the "Open SSH Console" feature is not needed. Starting with XenCenter 8.2.6, Citrix has removed the third-party PuTTY component from its distribution. This advisory comes in the context of past Citrix vulnerabilities that have been exploited in active attacks, emphasizing the importance of addressing this issue promptly. | Details |
| 2024-05-09 19:21:19 | theregister | RANSOMWARE | Ascension Healthcare Hit by Suspected Ransomware Attack | Ascension, a major US faith-based healthcare provider, reported a "cybersecurity event" that significantly disrupted clinical operations. The organization detected unusual network activity and took immediate steps to disconnect from partners to contain the impact. Ransomware is believed to be involved, although Ascension has not confirmed this; affected systems include virtual desktop infrastructure and VPNs. Ascension has enlisted Mandiant to investigate the breach and is working with authorities to understand the scope and impact. Some Ascension facilities have resorted to manual operations due to system outages, indicating a serious disruption in patient care services. Ascension is committed to notifying affected individuals and complying with regulatory requirements should sensitive information be compromised. This incident is part of a broader trend of increasing cyberattacks on healthcare organizations, which cybercriminals recognize as high-value targets. The US cybersecurity agency CISA highlights the need for stronger cyber defenses in the healthcare sector amid ongoing threats from both cybercriminals and foreign adversaries. | Details |
| 2024-05-09 17:58:51 | theregister | DATA BREACH | Dell Customer Database Stolen and Listed for Sale on Dark Web | Dell has confirmed the theft of a database containing customer order information, now being sold on the dark web. The database supposedly contains 49 million records, revealing names, addresses, and specifics about buyers' Dell equipment. Dell asserts the stolen data excludes sensitive information such as payment details, email addresses, and phone numbers. The stolen data covers Dell purchases made between 2017 and 2024. Dell is actively investigating the breach, has engaged law enforcement and a third-party forensic team, and is taking steps to protect affected customers. Despite the extent of the data stolen, Dell told customers that there is minimal risk associated with the breach. This incident follows a previous security issue at Dell in 2018, highlighting ongoing challenges with data security. | Details |
| 2024-05-09 17:58:50 | thehackernews | CYBERCRIME | New TunnelVision Technique Exposes VPN Traffic to Snooping | Researchers have uncovered a VPN bypass method named TunnelVision, which uses DHCP manipulation to hijack VPN traffic. TunnelVision can intercept, disrupt, or alter VPN-secured network communications by rerouting traffic through an attacker-controlled server. The vulnerability, identified as CVE-2024-3661 with a CVSS score of 7.6, affects all operating systems with a DHCP client except Android. The attack leverages the unauthenticated nature of DHCP option 121 to redirect traffic meant for secure VPN channels. It applies universally across VPN implementations, making the technique provider- and protocol-independent. Affected systems include Windows, Linux, macOS, and iOS; however, providers such as Mullvad VPN report partial mitigation in their desktop versions. Recommended defenses include DHCP snooping, ARP protections, port security, and the use of network namespaces on Linux. | Details |
| 2024-05-09 17:58:50 | bleepingcomputer | MISCELLANEOUS | AT&T Blocks Microsoft 365 Emails Due to Spam Surge | AT&T has been blocking emails from Microsoft 365 users due to a significant influx of spam originating from Microsoft's servers. The issue began on Monday, affecting users with AT&T, sbcglobal.net, and bellsouth.com email addresses, who reported being unable to receive emails from Microsoft 365. Complaints were also raised by users unable to send emails to AT&T domains from Gmail, although this was not independently confirmed. AT&T acknowledged the problem, attributed the email delivery delays to the high volume of spam, and is working with Microsoft to resolve the issue. AT&T customers expressed frustration on forums, noting that emails sent to AT&T were neither delivered nor bounced back, essentially disappearing. Microsoft plans to combat spam by setting a limit of 2,000 external recipients for bulk emails on its Exchange Online platform starting in January 2025. Google similarly tightened its spam and phishing defenses starting April 1st by implementing stricter spam thresholds and authentication guidelines for bulk email senders. | Details |
| 2024-05-09 17:48:13 | theregister | NATION STATE ACTIVITY | Nation State Cyber Threats to U.S. Water Infrastructure Alarm Experts | Attackers from China, Russia, and Iran have infiltrated US critical water infrastructure, signaling a significant security threat. Former NSA cyber chief Rob Joyce emphasized the severity of the situation at the RSA Conference, calling these intrusions a "wake-up call" despite no major damage yet. U.S. officials have directly accused the Chinese government of spearheading the Volt Typhoon campaign, which targets critical systems and uses living-off-the-land tactics for stealth. Hacktivist groups linked to nation states, such as Russia's Sandworm, have been implicated in these cyberattacks, often posing as independent activists to obscure their true origins. There has been observable physical impact, such as tank overflows at a Texas water facility, illustrating the potential for cyberattacks to cause real-world damage. Discussions at the RSA Conference highlighted the vulnerability of critical infrastructure, often due to underfunding and inadequate cybersecurity measures in sectors like water and wastewater. Experts call for a reevaluation of log management and stronger identity and access management policies to better protect critical infrastructure from sophisticated cyber threats. | Details |
| 2024-05-09 16:36:39 | bleepingcomputer | CYBERCRIME | British Columbia Probes Multiple Cyberattacks on Government Networks | British Columbia's government is investigating several cybersecurity incidents that have affected its networks. Premier David Eby confirmed that no sensitive information appears to have been stolen, though the full extent of data access is still being assessed. The incidents have been described as sophisticated, with ongoing efforts to enhance protection and response strategies in collaboration with the Canadian Centre for Cyber Security. Specific details on the number of incidents or their exact detection times have not been disclosed. The government commits to maintaining transparency with the public regarding the investigation's progress and findings without jeopardizing those efforts. Other recent cyber-related challenges in Canada include a data breach in November linked to service providers for government relocations, and cyberattacks on the RCMP and Canada's anti-money laundering agency. British Columbians and others with further information on the incidents are encouraged to submit tips confidentially. | Details |
| 2024-05-09 15:24:42 | thehackernews | NATION STATE ACTIVITY | Kremlin-Linked APT28 Executes Large-Scale Malware Attacks on Poland | Polish government institutions were targeted in a sophisticated malware campaign by APT28, a Russian nation-state actor. The attack involved phishing emails that tricked victims into clicking a link, redirecting them through multiple websites to mask the attack's origin. Victims downloaded a ZIP file containing malware disguised as common files, which, when executed, initiated further malware activity. The malware employed DLL side-loading techniques and displayed deceptive content to distract victims while executing harmful scripts. CERT Polska identified similarities between this campaign and previous attacks that deployed custom backdoors such as HeadLace. APT28 has used legitimate web services to avoid detection by cybersecurity measures, a recurring tactic in its operations. Following this, NATO countries highlighted ongoing cyber espionage activities by APT28 targeting political and state entities across Western Europe. Recommendations include blocking specific domains and enhancing email filtering to prevent similar security breaches. | Details |
| 2024-05-09 15:24:42 | bleepingcomputer | DATA BREACH | Dell Alerts 49 Million Customers of Data Breach Incident | Dell has issued warnings to customers regarding a data breach impacting an estimated 49 million individuals. A threat actor claimed to have accessed a Dell portal relating to customer purchases and stolen data from it. The compromised data includes customer purchase-related information but excludes sensitive financial details, email addresses, and phone numbers. Dell is collaborating with law enforcement and a third-party forensic team to investigate the breach thoroughly. A hacker named Menelik advertised the stolen Dell data for sale on a hacking forum, though the listing has since been removed. Although Dell considers the risk to customers not significant given the nature of the stolen data, there remains a potential for targeted physical and cyber attacks using the information. Customers are advised to verify the authenticity of any communications claiming to be from Dell, particularly those requesting installations or updates. | Details |
| 2024-05-09 11:09:47 | thehackernews | MALWARE | Mirai Botnet Deploys Using Ivanti Secure Flaws: A Security Alert | Two vulnerabilities in Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887, are being exploited by attackers to deploy the Mirai botnet. CVE-2023-46805 is an authentication bypass, while CVE-2024-21887 allows command injection; together they form a combined exploitation chain. The attackers access Ivanti's API endpoint to inject malicious commands, leveraging these flaws to execute arbitrary code and compromise systems. The specific attack method involves downloading and executing a script from a remote server that introduces the Mirai botnet malware onto compromised systems. Security experts have observed that these vulnerabilities could also be used to deploy other forms of malware and ransomware, indicating a broad security threat. Additionally, a separate incident involving a fake Windows File Explorer executable distributing a cryptocurrency miner was noted, reflecting the diverse tactics employed by cybercriminals. Organizations are advised to address these security vulnerabilities urgently to prevent widespread malware infections. | Details |
| 2024-05-09 11:09:47 | thehackernews | MISCELLANEOUS | How to Profitably Expand Your vCISO Cybersecurity Services | Demand for cybersecurity expertise is high among SMEs, who often cannot afford a full-time CISO. vCISO services offer SMEs on-demand access to top-tier cybersecurity guidance, filling a significant market gap. MSPs and MSSPs can leverage vCISO offerings to grow their business, attract more customers, and increase upsell opportunities. A new guide, based on insights from industry leader Cynomi, provides a roadmap for MSPs and MSSPs to scale their vCISO services profitably. The guide includes practical steps and strategies to enhance service delivery, cut costs, and improve operational efficiency. Implementing the guide's strategies will help increase recurring revenue, enhance customer satisfaction, and significantly boost profitability. | Details |
| 2024-05-09 06:14:44 | thehackernews | CYBERCRIME | Critical Security Flaws in F5 Central Manager Risk Device Takeovers | Two critical vulnerabilities in F5 Next Central Manager have been identified that allow full administrative control and the creation of hidden rogue accounts. Affected versions span 20.0.1 to 20.1.0, with fixes available in version 20.2.0. The vulnerabilities can be exploited remotely and include a server-side request forgery (SSRF) flaw that allows attackers to bypass security controls. The flaws enable attackers to maintain persistent access to the system, even after passwords are reset and systems are patched. Additional vulnerabilities in the system could enable brute-force attacks on admin passwords and unauthorized password resets by administrators. Although no active exploitation in the wild has been reported, the urgency of updating to the latest software version has been emphasized. F5's networking and application infrastructure, due to its high privileges, represents a significant target for attackers aiming to gain broad access within a network. | Details |