Daily Brief

Find articles below; each entry is followed by a generated summary.

Total articles found: 11823

Checks for new stories every ~15 minutes

2024-05-09 00:28:56 bleepingcomputer DATA BREACH Zscaler Addresses Test Environment Exposure and Dismisses Breach Rumors
Zscaler took a "test environment" offline following rumors of a security breach, with no evidence of customer or production environments being compromised. Initial investigations by Zscaler into the breach rumors found them to be "completely inaccurate and unfounded," according to a post by the company and comments from an employee on Mastodon. Further examination revealed that an isolated test environment had been exposed to the internet and was subsequently taken offline for forensic analysis. The exposed test environment did not contain customer data, was not hosted on Zscaler's infrastructure, and had no connection to Zscaler's other environments. Rumors of the breach began circulating after threat actor IntelBroker claimed to sell access to a cybersecurity firm with credentials and critical data, implying Zscaler was the target. IntelBroker, known for multiple high-profile breaches, cited Zscaler's revenue match as evidence in a forum, heightening suspicions before the company's clarification. No external or customer-facing systems were affected, and Zscaler is continuing the investigation while monitoring their systems closely.
2024-05-08 23:32:53 bleepingcomputer MISCELLANEOUS Zscaler Refutes Online Claims of Security Breach Amid Rumors
Zscaler has denied allegations of a security breach following claims by a known threat actor, IntelBroker, who says they are selling unauthorized access to a major cybersecurity firm. The claim did not name Zscaler directly but was linked to the company through revenue figures and forum posts; Zscaler found no evidence of any compromise during its investigation. The company emphasized the security of customer and production environments, confirming ongoing monitoring and investigation with no incident detected. Zscaler issued statements on both its Trust site and social platforms such as Mastodon, describing the rumors as "inaccurate and unfounded." A post by a Zscaler employee on Mastodon also urged caution against spreading misinformation that could affect perceptions of the company's security. The incident follows a series of breaches attributed to IntelBroker, including significant breaches at organizations such as DC Health Link and Home Depot. BleepingComputer reached out to Zscaler but has not received further details or confirmation beyond the company's public statements.
2024-05-08 23:27:35 theregister CYBERCRIME BogusBazaar Scams Shoppers Globally, Steals Millions in Data
BogusBazaar, a fraudulent e-commerce network, has scammed 850,000 individuals out of $50 million by setting up over 22,500 fake online stores. Victims from Western Europe, America, and Australia were deceived into buying nonexistent or counterfeit products and had their credit card details stolen. The fake stores mimicked reputable payment services like PayPal and Stripe, capturing credit card data when customers attempted transactions. The operation is highly decentralized, utilizing WordPress and WooCommerce for rapid deployment of new sites, many hosted on U.S. servers. The BogusBazaar model operates on a fraud-as-a-service basis, with most affiliates based in China targeting consumers in Western countries. According to SRLabs, these fraudulent activities have largely evaded law enforcement due to the dispersed nature and low individual transaction volumes of the scams. Despite ongoing investigations, BogusBazaar remains active, with SRLabs reporting the findings to authorities and internet service providers.
2024-05-08 22:01:05 theregister NATION STATE ACTIVITY Undersea Cables: A Rising Priority for National Security
About 95% of international data is transmitted via undersea cables, which are integral to global internet stability. Growing threats from shipping, military activities, and physical attacks are jeopardizing this vital infrastructure. Jeff Huggins, President of Cailabs US, emphasizes the necessity of enhancing the resilience of global communication systems. Huggins' experience in the US Navy and the defense industry underscores that undersea and terrestrial internet cables are increasingly being targeted. Suggested solutions include integrating satellite links with terrestrial optical networks to reduce dependence on any single path. Governments are urged to prioritize the protection of these cables to safeguard national security and international commerce.
2024-05-08 21:50:34 bleepingcomputer DATA BREACH University System of Georgia Notifies 800K of Data Breach
The University System of Georgia (USG) is issuing data breach notifications to 800,000 individuals following a data compromise by the Clop ransomware gang in 2023. USG, a state agency overseeing 26 public colleges, discovered the breach nearly a year after the initial MOVEit zero-day attack orchestrated by Clop. The exposed data includes sensitive information, potentially affecting not just current students but also past students, staff, and contractors. Notification letters sent in mid-April 2024 detailed the breach and offered a year of free identity protection and fraud detection services through Experian. The attack on USG was part of a global campaign by Clop, affecting thousands of organizations and nearly 95 million people worldwide. Personal data stolen in these attacks has been used for extortion, sold to other cybercriminals, or is still awaiting monetization by Clop.
2024-05-08 21:29:58 bleepingcomputer CYBERCRIME Ascension Healthcare Offline Due to Major Cyber Security Incident
Ascension, a major U.S. healthcare provider, has taken certain systems offline following detection of a cyber security event. Unusual activity was noticed on May 8, prompting an immediate investigation to determine the nature and scope of the incident. This cybersecurity breach has led to disruptions in clinical operations across Ascension's network of 140 hospitals and 40 senior care facilities. Ascension advised business partners to disconnect from its systems temporarily as a precautionary measure. The healthcare organization has engaged Mandiant, a leading incident response firm, to assist in the investigation and remediation efforts. Authorities have been notified of the event, and ongoing updates are promised as more information becomes available. This incident comes shortly after HHS issued warnings about increased cyberattack tactics targeting healthcare IT systems via social engineering.
2024-05-08 21:04:16 theregister NATION STATE ACTIVITY Enhancing Global Security by Fortifying Undersea Cables
Undersea cables, crucial for global data transmission, face increasing cyber and physical threats. Recent damages to submarine cables in the Red Sea highlight vulnerabilities not limited to actions by countries such as Russia or China. Jeff Huggins, a former Navy intelligence officer and current US President at Cailabs, emphasizes the necessity of robust communications infrastructure for national security and commerce. Huggins advocates for the integration of optical ground station networks with optical satellite links to strengthen resilience. The growing priority of securing undersea communication cables has become evident from Huggins' experience in defense and communications technology sectors. Governments are urged to enhance efforts in securing these vital infrastructures to ensure uninterrupted global connectivity.
2024-05-08 19:52:49 bleepingcomputer CYBERCRIME Critical Security Flaws in BIG-IP Devices Allow Unauthorized Takeover
F5 has patched two high-severity vulnerabilities in BIG-IP Next Central Manager that could grant administrative control to attackers. The vulnerabilities, identified as an SQL injection (CVE-2024-26026) and an OData injection (CVE-2024-21793), allow remote, unauthenticated execution of SQL queries. These flaws enable attackers to create hidden, rogue accounts on managed assets, which are invisible within the central management interface, posing a severe security risk. Eclypsium, the security firm that reported these flaws, shared a proof-of-concept exploit and highlighted the potential for these accounts to be used maliciously. F5 advises restricting access to the Next Central Manager to trusted users over secure networks as a temporary mitigation measure if immediate updating is not possible. No current evidence suggests that these vulnerabilities have been exploited in the wild, according to Eclypsium. Over 10,000 F5 BIG-IP devices with management ports are publicly accessible online, increasing the risk of potential exploitation.
2024-05-08 17:29:56 bleepingcomputer CYBERCRIME FBI Alerts Retailers of Ongoing Gift Card Fraud Scheme
The FBI has issued a warning regarding a cybercrime group, known as Storm-0539, targeting retail companies' gift card departments through sophisticated phishing attacks. These attacks have been occurring since at least January 2024, involving the theft of employee credentials, including names, usernames, phone numbers, and sensitive SSH passwords and keys. Storm-0539 exploits these stolen credentials to create fraudulent gift cards and manipulate existing gift card balances, often changing associated email addresses to ones they control. The group successfully navigates around multi-factor authentication (MFA) by registering their devices for subsequent login attempts, thereby maintaining persistent access to the victim’s systems. Microsoft also highlighted a significant rise in these types of fraudulent activities by Storm-0539 during the holiday season. The FBI recommends retail companies strengthen their security protocols, update incident response plans, rigorously train employees to recognize phishing attempts, and implement robust password and authentication measures to mitigate such threats.
2024-05-08 16:18:20 bleepingcomputer RANSOMWARE LockBit Ransomware Attack Disrupts Wichita, Demands Ransom
The LockBit ransomware gang claimed responsibility for a cyberattack on Wichita that disrupted city IT systems, including online payment services. The attack, confirmed by Wichita on May 5, 2024, led to the shutdown of systems to prevent further spread, affecting services such as court fine and water bill payments. LockBit threatened to publish stolen files by May 15, 2024, unless a ransom is paid, an unusually quick escalation after an attack. The quick listing on LockBit's extortion portal may be retaliation for a recent law enforcement operation targeting LockBit's leadership. Essential city services, such as public safety and transportation, are heavily affected, with some resorting to manual operations. The city is still assessing the extent of the data breach, with a high risk of data leakage if the ransom remains unpaid.
2024-05-08 16:02:32 theregister NATION STATE ACTIVITY CISA Director Urges Secure Software Design to Thwart Ransomware
CISA director Jen Easterly emphasized the crucial need for 'secure by design' software to combat ransomware during the RSA Conference in San Francisco. Secure coding practices can greatly reduce the impact of cyberattacks and ransomware on critical infrastructure, potentially making such attacks rare. Easterly highlighted ongoing threats from ransomware groups and nation-state actors, including China's Volt Typhoon, which targets U.S. infrastructure for disruptive purposes. The U.S. government aims to leverage its procurement power to encourage tech companies to enhance security in their products. More than 60 tech companies, including giants like Microsoft and Google, pledged to develop more secure technology at the RSA Conference. Chris Krebs, former CISA chief, outlined additional strategies to promote tech security, including litigation, regulatory actions, and potential legislative measures. Krebs also noted the challenges in applying outdated regulatory frameworks to modern cybersecurity threats and the limited legislative time left due to the election year.
2024-05-08 14:55:54 bleepingcomputer CYBERCRIME BogusBazaar Scam: 850,000 Credit Cards Stolen Through Fake Shops
BogusBazaar, a vast network of 75,000 fake online stores, has defrauded 850,000 individuals across the US and Europe, stealing credit card information to attempt $50 million in fraudulent transactions. The operation involves resale of stolen credit card details on dark web marketplaces, enabling further unauthorized purchases by other criminals. Most victims are located in the United States and Western Europe, with no significant numbers reported in China, the suspected base of the operation. The fake shops are hosted on domains with previously good reputations to enhance their appearance of legitimacy, mainly pretending to sell discounted clothing and shoes. The fraud network is structured with a core team that provides infrastructure management and customized software for the franchisees who operate the majority of the fake webshops. SRLabs has identified and shared a list of related URLs and indicators of compromise with law enforcement and other stakeholders to help curb the operation. Measures to verify the legitimacy of online shops include checking for complete contact details, return policies, browsing content quality, and the presence of trust seals and active social media profiles.
2024-05-08 14:19:26 thehackernews MALWARE New 'Pathfinder' Attack Leaks Intel CPU Data and Encryption Keys
Researchers have unveiled two new attack methods, named Pathfinder, that target high-performance Intel CPUs to extract AES encryption keys. Pathfinder attacks exploit branch predictor features in CPUs, particularly the Path History Register (PHR), to induce mispredictions and leak data. These techniques allow attackers to reconstruct the control flow of programs and execute high-resolution Spectre-style attacks. Demonstrations showed the ability to extract secret AES keys and leak images processed by the libjpeg library. Intel has acknowledged the vulnerability, noting that existing mitigations against Spectre v1 attacks partially address the issue. The attacks were disclosed responsibly, and Intel released an advisory in response; there is currently no evidence that AMD CPUs are affected. The research highlights a significant weakness in CPU design that cannot be easily mitigated with existing techniques.
2024-05-08 14:19:26 thehackernews MISCELLANEOUS Enhancing SaaS Security through Unified Permission Management
Precise but complex permissions in SaaS platforms create significant management challenges for application admins. Administrators often struggle to track and modify permissions because they lack centralized visibility, which results in administrative inefficiencies and potential security vulnerabilities. A centralized permissions inventory helps reduce the SaaS attack surface by removing unnecessary user permissions, monitoring non-human access, and ensuring robust scrutiny of potential entry points. Such an inventory can detect over-privileged accounts and privilege abuse, helping to prevent unauthorized access and mitigate insider threats. The single view also benefits multitenant management by allowing comparative assessments of user permissions across different environments, improving security operations. It further helps organizations achieve regulatory compliance by supporting access recertification, facilitating segregation of duties, and enabling the implementation of role-based and attribute-based access controls. A centralized approach simplifies the management of user permissions, which is crucial for protecting sensitive data and ensuring compliance with data protection laws. Future tools in SaaS posture management solutions are expected to provide more comprehensive and integrated approaches to managing permissions, offering the potential for more streamlined and secure SaaS environments.
2024-05-08 14:03:42 theregister DATA BREACH University System of Georgia Reports Extensive Data Breach Impacting 800K
The University System of Georgia (USG) disclosed a data breach affecting 800,000 individuals due to a cyber attack on the MOVEit file transfer tool by the Cl0p gang. The breach, detected on May 31, 2023, involved sensitive data such as full and partial Social Security numbers, dates of birth, bank account details, and tax ID numbers. USG alerted affected individuals starting April 15, revealing potential publication of their data on the cybercriminal group’s website. The incident led to immediate and comprehensive updates to MOVEit Transfer software, following guidelines from software provider Progress Software and the Cybersecurity and Infrastructure Security Agency (CISA). A detailed investigation was initiated by USG to determine the scope of the impact and to enhance future data security measures. Victims were offered 12 months of credit monitoring services by Experian to mitigate potential identity theft. The larger scale of the MOVEit breach has affected nearly 95 million individuals globally, with significant breaches also reported by other major entities like the BBC and British Airways. Despite the vast impact of the breach, legal repercussions for late disclosure by USG are minimal due to vague state laws regarding breach notification timelines.