Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-08 11:04:39 | thehackernews | MISCELLANEOUS | Essential Strategies for Effective Cloud Penetration Testing | John Lambert from Microsoft highlights the differing mindsets between defenders, who prioritize listing gaps, and attackers, who approach with a specific goal and use graphs to plot breaches.<br>Cloud security must include penetration testing to mirror an attacker's perspective and identify potential vulnerabilities not immediately obvious from standard security procedures.<br>The evolving architecture of cloud services, due to their programmable and rapidly changing nature, adds complexities that require specific penetration testing methods tailored for cloud environments.<br>Penetration testing in the cloud should cover asset mapping, vulnerability assessment, privilege escalation, lateral movement, and data exfiltration, considering the hybrid cloud and on-premises networks for comprehensive security.<br>The shared responsibility model in cloud services delineates security responsibilities, where service providers secure the infrastructure and clients are responsible for their data and applications.<br>Regular, automated cloud penetration testing is crucial due to the fast pace of change in cloud technologies, which requires continuous validation to ensure effective defense against attacks.<br>The article advocates for a systematic approach to cloud penetration testing, emphasizing continuous improvement and alignment with the organization's risk exposure and cloud service models. | Details |
| 2024-05-08 10:59:15 | thehackernews | MALWARE | Hijack Loader Malware Enhanced with Stealth Techniques | Hijack Loader malware, also known as IDAT Loader, has been updated with advanced anti-analysis capabilities to improve stealth and evade detection.<br>New functionalities include bypassing User Account Control (UAC), evading inline API hooking, and employing process hollowing tactics.<br>The updated loader decrypts and parses a PNG image to load subsequent payloads, a technique targeting specific entities as previously reported.<br>Since its initial documentation in September 2023, Hijack Loader has been involved in delivering diverse malware families such as Amadey and Raccoon Stealer V2.<br>Recent versions have added up to seven new modules to assist in creating processes, performing UAC bypass, and adding Windows Defender Antivirus exclusions using PowerShell.<br>Another critical update includes the use of the Heaven's Gate technique to circumvent user mode hooks for enhanced undetectability.<br>The loader is part of broader malware distribution efforts featuring other families like DarkGate and GuLoader, often spread through malvertising and phishing.<br>Additional observations indicate a rise in information stealer malware like TesseractStealer, capitalizing on the open-source Tesseract engine to extract text from images for data theft. | Details |
| 2024-05-08 07:35:53 | theregister | CYBERCRIME | Ransomware Crisis Continues, Decade of Corporate Attacks | Ransomware first began targeting businesses significantly about ten years ago, marking a shift from individual to corporate victims.<br>Mikko Hyppönen discussed the evolution and persistence of ransomware threats in a keynote at the RSA Conference.<br>The rise in cryptocurrency values, like Bitcoin, has financially empowered cybercriminals, creating highly profitable criminal enterprises.<br>Despite ongoing efforts, the cybersecurity industry struggles to fully prevent or resolve ransomware attacks.<br>Extortionists often target sectors with significant vulnerabilities, such as government and healthcare, but also attack any poorly secured IT systems.<br>The situation has forced many victimized companies to pay ransoms due to the threat of their data being leaked online.<br>The ongoing threat of ransomware provides job security for professionals within the cybersecurity field. | Details |
| 2024-05-08 07:10:08 | thehackernews | MALWARE | Hackers Target WordPress by Exploiting LiteSpeed Cache Vulnerability | A critical vulnerability (CVE-2023-40000) in LiteSpeed Cache for WordPress has been exploited to create unauthorized admin accounts.<br>Attackers are setting up admin profiles with specific usernames like wpsupp-user and wp-configuser to gain complete control of sites.<br>The vulnerability enables unauthenticated users to execute stored cross-site scripting (XSS) attacks via crafted HTTP requests.<br>Despite a fix in version 5.7.0.1 released in October 2023, many sites remain at risk, with vulnerable versions still widely used.<br>Malicious actors have exploited the flaw to inject harmful JavaScript into WordPress websites, compromising web integrity and user safety.<br>Additional threats like the Mal.Metrica redirect scam leverage similar vulnerabilities in WordPress plugins, misleading users with fake CAPTCHA verifications.<br>Website owners are urged to update to the latest plugin versions, scrutinize installed plugins, and remove any suspicious files.<br>As a preventative measure, enabling automatic updates and exercising caution with suspicious links are recommended for all WordPress users. | Details |
| 2024-05-08 04:07:07 | theregister | MISCELLANEOUS | Highlights and Challenges at This Year's RSA Conference | The 33rd RSA Conference is taking place this week, led by SVP Linda Gray Martin.<br>Linda Gray Martin oversees major aspects of the event, including keynote speeches and security measures for over 40,000 attendees.<br>In addition to logistical responsibilities, she enjoys selecting the music heard during keynote entrances.<br>The conference features both inspiring events and unexpected incidents, such as a past encounter with a skunk.<br>Gray Martin emphasizes the importance of community and the powerful energy from gathering in person.<br>The RSA Conference team prepares to surprise attendees, aiming for engaging rather than disruptive events. | Details |
| 2024-05-08 03:00:45 | theregister | CYBERCRIME | Negligence in UnitedHealth's Security Leads to Major Data Breach | UnitedHealth's Change Healthcare experienced a significant ransomware attack by ALPHV (aka BlackCat), leading to compromised patient services.<br>The attack exploited insufficient cybersecurity measures, namely the absence of multi-factor authentication and lack of network segmentation.<br>Tom Kellermann, SVP at Contrast Security, highlighted the company's failures in threat hunting and robust cybersecurity practices.<br>Sensitive health data was stolen, and the attackers demanded a $22 million ransom, which UnitedHealth paid.<br>Despite the ransom payment, additional threats and data leaks occurred, exacerbating the situation.<br>Kellermann criticized the decision to pay the ransom and suggested the U.S. government should prohibit such payments to deter future attacks.<br>The breach not only resulted in financial loss but also disrupted essential medical services, affecting pharmacies and hospitals. | Details |
| 2024-05-07 23:52:31 | theregister | MISCELLANEOUS | AI to Bolster US Security Efforts Against Crime and Terrorism | US Homeland Security is exploring AI to enhance effectiveness against crimes like child exploitation and critical infrastructure attacks.<br>AI technologies can automate defenses within computer networks, improving national security and infrastructure protection.<br>Potential misuse of AI in surveillance and inherent biases pose significant concerns; measures are being implemented to combat these issues.<br>Homeland Security's Office for Civil Rights and Civil Liberties plays a crucial role in ensuring AI respects civil rights and privacy.<br>The establishment of an AI Safety and Security Board aims to oversee AI implementations responsibly amidst critiques of Big Tech influence.<br>Secretary Alejandro Mayorkas highlights three pilot AI programs aimed at improving criminal investigations, disaster relief funding, and training with refugee officers.<br>Critics remain wary of the privacy implications and the risks of bias in AI use within governmental operations. | Details |
| 2024-05-07 22:20:45 | bleepingcomputer | DATA BREACH | DocGo Confirms Patient Data Theft Amid Cyberattack | Mobile healthcare provider DocGo experienced a significant breach, resulting in the theft of patient health data.<br>Hackers accessed protected health information from the company's ambulance service records in the United States.<br>DocGo has undertaken measures to contain the breach, including working with cybersecurity experts and informing law enforcement.<br>There is currently no evidence of ongoing unauthorized access or impact on other business units within the company.<br>DocGo believes the cyberattack will not materially affect its operations or financial stability.<br>The exact number of affected individuals is undisclosed, and investigations are ongoing.<br>The incident was disclosed through a Form 8-K filing with the Securities and Exchange Commission (SEC).<br>No specific threat actors have been identified, and the nature of the data stolen may lead to future extortion attempts if not addressed. | Details |
| 2024-05-07 21:55:03 | theregister | CYBERCRIME | Vulnerability in VPN Clients Exposed by Rogue DHCP Servers | Researchers at Leviathan Security Group identified a vulnerability, dubbed TunnelVision, affecting numerous VPN clients by redirecting their encrypted traffic via rogue DHCP servers.<br>This flaw operates across various VPNs and operating systems, with the exception of Android, which does not support DHCP option 121, a feature critical to the exploit.<br>The vulnerability allows attackers to reroute VPN traffic through unsecured pathways, potentially exposing user data regardless of the VPN's encryption, which is irrelevant to the exploit because the traffic never enters the tunnel.<br>Three attack scenarios were described: DHCP starvation, racing for DHCPDISCOVER responses, and ARP spoofing, each enabling the attacker to issue malicious DHCP leases.<br>Although HTTPS and SSH traffic remain encrypted and unreadable, attackers can still see destination addresses, posing privacy concerns.<br>Current mitigation recommendations include avoiding untrusted networks, using VPNs in secure environments like virtual machines, and employing host-based firewalls.<br>The researchers noted the challenge in fully resolving this vulnerability without significant changes to how DHCP and VPNs operate, labeling it a broader systemic issue requiring attention from both users and providers. | Details |
| 2024-05-07 21:44:36 | bleepingcomputer | CYBERCRIME | Hackers Exploit WordPress Plugins to Gain Admin Access | Hackers are exploiting an outdated LiteSpeed Cache plugin vulnerability on WordPress sites to create admin accounts and control the websites.<br>The LiteSpeed Cache plugin, used by over five million sites, speeds up page loads and improves Google rankings; older versions prior to 5.7.0.1 harbor a cross-site scripting flaw.<br>More than 1.2 million probes from a single IP were recorded, indicating a wide-scale attempt to discover and compromise vulnerable sites.<br>Attack tactics involve injecting malicious JavaScript into WordPress files or databases to establish unauthorized admin users.<br>Despite updates, approximately 1.835 million installations of the LiteSpeed Cache plugin remain vulnerable because they have not been upgraded.<br>A similar exploit was observed with the less popular "Email Subscribers" plugin, highlighting a continuous risk across various plugins.<br>Recommendations for site admins include updating plugins, removing non-essential components, and vigilant monitoring for unauthorized admin creation.<br>Following a breach, comprehensive site cleanup procedures including account deletions, password resets, and database file restoration from clean backups are mandatory. | Details |
| 2024-05-07 20:02:40 | theregister | CYBERCRIME | CISA Enhances US Security Against Rising Ransomware Threats | CISA launched the Ransomware Vulnerability Warning Pilot in January 2023 to identify and notify organizations of vulnerabilities exploited by ransomware gangs.<br>In its first year, 1,754 notifications were sent out to entities with internet-exposed devices, aimed at closing security gaps quickly.<br>As a result, 852 notifications led to actions such as patching or temporary system shutdowns to mitigate risks.<br>This program is a direct result of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed by President Biden in March 2022.<br>The pilot scheme is set to evolve into a fully automated warning system by the end of the next year.<br>The initiative is part of a broader strategy by CISA to combat cyber threats, using proactive measures to make it financially and operationally difficult for threat actors.<br>Acting section chief Gabe Davis likened CISA's comprehensive cybersecurity approach to a "full-court press" during the NBA playoff season, emphasizing relentless defense against cyber threats. | Details |
| 2024-05-07 19:46:54 | bleepingcomputer | DATA BREACH | UK Ministry of Defence Suffers Significant Payroll Data Breach | The UK Ministry of Defence confirmed a breach exposing payroll data of active, reserve, and some retired personnel.<br>An external payment system managed by a contractor was compromised, affecting approximately 270,000 records.<br>Personal data including names, banking details, and some addresses were exposed, though core MoD networks remained secure.<br>All April salaries and payments were processed despite the breach, with no major impact on financial disbursements.<br>Immediate measures were taken to isolate the affected system and halt further intrusion.<br>An ongoing investigation has pointed to potential security lapses by the contractor handling the attacked system.<br>There are currently no indications of data theft, though affected individuals have been informed of the potential risk.<br>The incident has raised concerns about foreign state involvement, but no official attribution has been made yet. | Details |
| 2024-05-07 19:06:01 | theregister | NATION STATE ACTIVITY | TikTok Sues US Government Over Forced Sale Legislation | TikTok and its parent company ByteDance are suing the US government, challenging the constitutionality of a recent law mandating the sale or shutdown of TikTok due to national security concerns.<br>The law requires ByteDance to sell TikTok to an approved buyer within 270 days or face shutdown, with the possibility of a 90-day extension.<br>US lawmakers argue that TikTok could be used by the Chinese government for surveillance or propaganda, allegations TikTok denies.<br>The lawsuit claims the law is unconstitutional and does not fairly assess the alleged threats TikTok poses, with no concrete evidence provided by lawmakers.<br>The deadline imposed by the law, according to the lawsuit, makes it commercially, technically, or legally impossible for TikTok to meet the conditions for sale.<br>Critics of the law, including civil liberties experts, believe the US government may struggle to demonstrate the national security threats in court, given the general deference to national security interests.<br>The conversation around TikTok's ownership and potential ban raises broader concerns about the need for comprehensive consumer privacy legislation in the US. | Details |
| 2024-05-07 18:50:03 | bleepingcomputer | CYBERCRIME | TunnelVision Exploit Leaks VPN Traffic via Rogue DHCP Servers | A new cybersecurity threat named "TunnelVision" exposes VPN traffic by manipulating DHCP server settings.<br>Attackers can reroute VPN traffic to a local network or a malicious gateway, bypassing encryption and allowing data snooping.<br>The exploit utilizes DHCP option 121 to alter routing tables without authentication, compromising the intended secure VPN connection.<br>Leviathan Security has identified the issue, tracked as CVE-2024-3661, and has reported it to CISA, EFF, and impacted vendors.<br>Although the vulnerability has existed since 2002, there have been no reported active exploitations.<br>TunnelVision primarily affects users on public Wi-Fi networks where attackers can more easily implement rogue DHCP servers.<br>Devices running Windows, Linux, macOS, and iOS are vulnerable, while Android devices remain unaffected due to lack of DHCP option 121 support.<br>Leviathan Security suggests that VPN providers improve their software to resist such DHCP manipulations and users remain vigilant on public networks. | Details |
| 2024-05-07 17:12:56 | bleepingcomputer | MALWARE | Over 50,000 Proxy Servers Exposed to Critical RCE Flaw | Nearly 52,000 Tinyproxy servers are susceptible to a severe remote code execution vulnerability identified as CVE-2023-49606.<br>The flaw, disclosed by Cisco Talos, impacts the latest versions of the Tinyproxy software and could allow attackers to execute malicious code remotely without the need for authentication.<br>Despite efforts from Cisco Talos to communicate the vulnerability to Tinyproxy developers, there was an initial lack of response, complicating the resolution process.<br>Analysis by Censys identified that 57% of observed Tinyproxy instances on the internet are vulnerable, mostly located in the U.S., South Korea, China, France, and Germany.<br>Five days after public disclosure, Tinyproxy maintainers released a security fix to address the memory management issue that allowed the exploitation.<br>Developers highlighted some inaccuracies in communication from Cisco Talos regarding the vulnerability disclosure process and provided interim security measures until the fix is more broadly integrated. | Details |