Daily Brief

Articles are listed below with generated summaries

Total articles found: 11822

Checks for new stories every ~15 minutes

2024-05-03 10:45:45 thehackernews MISCELLANEOUS Guide Released on Managing Risks of Unauthorized SaaS Usage
SaaS applications are now pervasive in businesses, and a new guide from LayerX, "Let There Be Light: Eliminating the Risk of Shadow SaaS," addresses the risks of SaaS used without IT approval, commonly called shadow SaaS. It cites figures that roughly 65% of SaaS apps in use are unapproved by IT and that 80% of employees admit to using such apps, which exposes corporate data to services that have had no security review and no offboarding. The guide proposes a three-part program: app discovery, user monitoring, and active enforcement. It compares the controls available for each, namely CASB, SASE, and secure browser extensions, and argues that browser extensions are the most effective for shadow SaaS because they provide visibility into SaaS use from inside the browser and can enforce policy there without restricting how users work. The guide is aimed at security leaders who need to govern SaaS use without hindering the business.
2024-05-03 09:44:30 thehackernews NATION STATE ACTIVITY North Korean Hackers Spoof Emails to Gather Intelligence
The U.S. NSA, FBI, and Department of State issued a joint cybersecurity advisory on North Korean operators impersonating trusted senders by email. The group, tracked as Kimsuky, abuses missing or unenforced DMARC policies to send spoofed messages that appear to come from legitimate domains. Kimsuky targets geopolitical experts to collect information on topics such as nuclear disarmament and U.S.-South Korea relations, often carrying on prolonged, innocuous-looking conversations to build trust before asking for sensitive material. Proofpoint's analysis notes that Kimsuky rarely deploys malware in these campaigns and relies instead on credential harvesting and social engineering. Many of the impersonated organizations publish no DMARC record or set the policy to "p=none", which only requests reports and lets mail that fails authentication through, so the forged messages pass standard checks. The agencies advise domain owners to move to a DMARC policy of "p=quarantine" or "p=reject" and to monitor DMARC aggregate reports so abuse of their domains is detected.
2024-05-03 06:46:32 thehackernews MISCELLANEOUS Over 400 Million Google Accounts Now Use Passkeys
Google announced that passkeys are now used on more than 400 million Google accounts and have authenticated users over 1 billion times in the past two years. A passkey is a FIDO public-key credential stored on the user's device; the fingerprint, face scan, or PIN unlocks that local key rather than being sent to the server, which makes sign-in faster than a password and removes the shared secret a phishing site could capture. Google says passkeys are now used more often than SMS and app-based one-time passcodes combined. The Advanced Protection Program for high-risk users will accept passkeys alongside or instead of hardware security keys. Google added passkey support to Chrome and Android in December 2022 and made passkeys the default sign-in option for personal accounts in October 2023. Apple, Amazon, and Microsoft have also adopted the standard. Concerns remain that platform-bound passkeys could lock users into a particular vendor's ecosystem, at a cost to user choice.
2024-05-03 05:40:09 theregister CYBERCRIME Europol's "Operation Pandora" Dismantles International Phone Scam Ring
A Europol-led initiative, Operation Pandora, shut down 12 phone scam centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon and led to the arrest of 21 suspects. The network made thousands of scam calls a day, including fake police alerts, investment fraud, and romance scams, and attempted to defraud victims of more than €10 million. The case began when a bank teller in Freiburg, Germany, grew suspicious of a customer trying to withdraw €100,000 and discovered the customer was the victim of a fake-police scam. German investigators then traced more than 28,000 scam calls to the network in just 48 hours, which led to a wider investigation and, eventually, raids. Over the course of the operation police intercepted more than 1.3 million scam conversations, allowing them to warn targets and prevent further losses. Each call center specialized in a particular fraud: debt-collection scams in Bosnia and Herzegovina, banking fraud in Kosovo, investment scams in Albania, and prepaid-card fraud in Lebanon. Coordinated raids across the countries on April 18 seized documents, data carriers, cash, and other assets worth roughly €1 million.
2024-05-03 04:54:05 thehackernews MALWARE Critical Flaws in HPE Aruba Enable Remote Code Execution
HPE Aruba Networking has released updates for ten security flaws in ArubaOS, four of which are rated critical because they allow an unauthenticated remote attacker to execute arbitrary code. The critical issues are buffer overflows reachable by sending crafted packets to the Process Application Programming Interface (PAPI) UDP port. Affected products include Mobility Conductor, Mobility Controllers, and WLAN and SD-WAN Gateways managed by Aruba Central. Affected releases span several ArubaOS and SD-WAN branches, including end-of-life versions that will not receive fixes. Security researcher Chancen reported seven of the issues, including the four critical buffer overflows. HPE Aruba recommends installing the patched releases; on ArubaOS 8.x, enabling the Enhanced PAPI Security feature with a non-default key is an interim mitigation for the PAPI-related flaws until the update can be applied.
2024-05-03 04:38:35 theregister NATION STATE ACTIVITY Indonesia's Covert Acquisition of Spyware Exposed by Amnesty
Amnesty International reports that Indonesia acquired commercial spyware through a convoluted supply chain involving vendors and intermediaries in Israel, Greece, Singapore, and Malaysia. Using open-source intelligence, the investigation traced spyware purchases by Indonesian authorities from 2017 to 2023. Key buyers included the Indonesian National Police and the National Cyber and Crypto Agency. The suppliers identified were Q Cyber Technologies, the Intellexa consortium, Saito Tech, FinFisher, and Wintego Systems. Many transactions went through intermediary companies in Singapore, which obscured the actual buyers and made the supply chain hard to trace. Amnesty also linked some of the spyware infrastructure to malicious domains mimicking opposition and media websites, including in regions where human rights abuses are being documented. The report criticizes the absence of regulatory oversight in Indonesia, which creates a permissive environment for spyware misuse and potential human rights violations, and notes that the secrecy surrounding these tools makes their use hard to trace and shields abuses from accountability.
2024-05-03 02:36:13 theregister NATION STATE ACTIVITY Study Reveals Significant Security Flaws in Chinese Government Websites
Chinese researchers have identified widespread security weaknesses across nearly 14,000 Chinese government websites. The study points to poorly configured domain names, outdated third-party libraries (notably old jQuery versions with known vulnerabilities), and inadequate server redundancy as the main problems. More than 25% of the sites had DNS configurations that do not work as intended, which affects their availability and reliability. The sites also depend on a small number of DNS providers, so an attack on or outage at one provider could take many government sites offline at once. DNSSEC coverage was incomplete, with many domains unsigned or signed incorrectly, and public WHOIS records were often inaccurate. The team used OWASP Zed Attack Proxy (ZAP) for application-level scanning and noted that there is no quick fix; continuous monitoring and timely updates are needed. The findings sit awkwardly with the Chinese government's own directives to harden its digital services, which have called for stronger security across government-operated platforms.
2024-05-02 23:07:42 theregister MISCELLANEOUS Microsoft and Google Advance Toward a Password-Free Future
Microsoft has extended passkey sign-in to consumer Microsoft accounts, letting users authenticate with a face, fingerprint, or device PIN across platforms. Announced for World Password Day, passkeys for Microsoft accounts work today in desktop and mobile browsers, with support in Microsoft's mobile apps to follow. Google, for its part, said its passkeys have authenticated more than 1 billion sign-ins across over 400 million accounts. Passkeys are built on the FIDO Alliance's FIDO2/WebAuthn standards, supported by Apple, Microsoft, and Google, and use a per-site public/private key pair: the private key never leaves the user's device or credential manager, and the server stores only the public key. This removes the password as a shared secret, so there is nothing to reuse, guess, or dump from a breached database. Microsoft cites a steep rise in password attacks as the reason to move now. Passkeys are phishing-resistant because each credential is bound to the relying party's web origin: the browser will not offer a passkey registered for one site on a lookalike domain, and the signed response carries the origin it was produced for, so a relayed login fails verification. Both companies expect passkeys to cut the operational burden of password management substantially.
2024-05-02 22:06:19 bleepingcomputer CYBERCRIME CEO Sentenced for Selling Counterfeit Cisco Gear to U.S. Military
Onur Aksoy, a Florida-based CEO, was sentenced to six and a half years in prison for trafficking counterfeit Cisco networking devices. His operation sold more than $100 million of fake equipment to buyers including the U.S. military, other government agencies, and healthcare organizations. The products were sourced from China and Hong Kong and were older, lower-end models modified and relabeled to pass as new, genuine Cisco gear. U.S. Customs intercepted about 180 shipments bound for Aksoy's companies between 2014 and 2022, after which he changed shipping tactics to avoid detection. The counterfeit devices frequently failed or malfunctioned, causing significant disruption to customers' operations. Cisco repeatedly contacted Aksoy between 2014 and 2019 to stop the sales and received forged documents in response. A 2021 raid on his warehouse seized 1,156 counterfeit Cisco devices and led to his arrest and eventual sentencing. Beyond the prison term, Aksoy must pay $100 million in restitution to Cisco and forfeit the seized counterfeit products for destruction.
2024-05-02 21:00:01 theregister CYBERCRIME Florida Man Sentenced for Selling Fake Cisco Gear to Military
Miami resident Onur Aksoy was sentenced to six and a half years in prison for trafficking counterfeit Cisco equipment, some of which ended up with the U.S. military. From 2014 to 2022 his operation built fake Cisco devices from lower-end hardware and pirated software, displacing hundreds of millions of dollars of legitimate sales. He ran 19 companies and 25 online storefronts on platforms such as Amazon and eBay, set up specifically to distribute the counterfeit gear widely. The counterfeit hardware jeopardized the safety and functionality of U.S. military systems, including equipment used in combat and flight-simulation applications. Customs intercepted 180 shipments, but many more got through because of the sheer volume and the use of fake addresses. Aksoy earned $100 million from eBay sales alone, and the scale of the business drew multiple cease-and-desist notices from Cisco. He was arrested in 2022, following the raid on his warehouse, and pleaded guilty to charges including mail fraud and wire fraud. The case illustrates how counterfeit hardware reaches critical supply chains and why provenance checks on network equipment matter.
2024-05-02 20:34:09 theregister MALWARE Urgent Security Alert: Patch Critical Vulnerabilities in ArubaOS
HPE Aruba Networking has disclosed ten vulnerabilities in ArubaOS and urged network administrators to patch immediately. Four are rated critical (CVSS 9.8) because they allow unauthenticated remote code execution; they are buffer overflows in several ArubaOS services reachable through the PAPI protocol, so a successful exploit compromises the controller or gateway that runs the wireless network. Vulnerable devices include Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways managed by Aruba Central. Fixes are needed for ArubaOS 10.5.1.0 and earlier across several release branches, including branches that are already out of support and will not be patched. Exploitation requires only the ability to send specially crafted packets to Aruba's PAPI port, UDP 8211, so that port should not be reachable from untrusted networks. The remaining six vulnerabilities are medium severity. Enabling the Enhanced PAPI Security feature with a non-default key is the suggested interim workaround on ArubaOS 8.x until the patches are applied.
2024-05-02 20:23:39 bleepingcomputer MISCELLANEOUS Bitwarden Releases Free MFA Authenticator App for Mobile
Bitwarden has introduced a new multi-factor authentication app, Bitwarden Authenticator, available for free on both iOS and Android platforms. The app utilizes time-based one-time passwords (TOTPs) to enhance security for users by adding an additional authentication layer. Unlike its premium in-app TOTP feature, the Bitwarden Authenticator is accessible to all users, including non-subscribers, and operates as a standalone application. The initial release of the app integrates basic TOTP generation and biometric options for security, with plans for future enhancements including push-based 2FA and account recovery. Bitwarden's roadmap for the app also includes features like Bitwarden account syncing and enterprise-grade authentication to cater to workforce needs. Currently, the app supports essential functions and uses the operating system's own services for backups; exporting capabilities are also provided. As an open-source project, Bitwarden makes the app’s code publicly available on GitHub for both iOS and Android versions.
2024-05-02 19:42:42 bleepingcomputer CYBERCRIME CISA and FBI Warn Against Persistent Directory Traversal Flaws
CISA and the FBI have issued a Secure by Design alert urging software manufacturers to eliminate path traversal vulnerabilities from their products before shipping. A path traversal flaw lets an attacker supply a file name or path (typically containing "../" sequences) that the application uses to read or write files outside its intended directory, exposing credentials and configuration, overwriting critical files, or leading to code execution. The agencies highlight the danger to critical infrastructure, pointing to recent exploitation against the healthcare sector, and note that this class of bug has been labeled "unforgivable" since 2007 yet remains common. Recent ransomware campaigns have exploited such flaws to deploy their payloads. The alert recommends well-known mitigations: generate a random identifier for each stored file and keep any user-supplied name as metadata rather than as the on-disk name; strictly limit the characters permitted in file names; and ensure uploaded files cannot be executed. Path traversal (CWE-22) ranks eighth on MITRE's list of the 25 most dangerous software weaknesses.
2024-05-02 18:26:03 bleepingcomputer CYBERCRIME International Police Operation Dismantles Fraud Call Centre Network
An international law-enforcement operation has shut down 12 call centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon that ran large-scale phone fraud. The operation, supported by Europol and begun in December 2023, produced 21 arrests and identified 39 suspects; the centers made thousands of scam calls every day. Police seized data carriers, documents, and cash worth about €1 million in total. German police intercepted and monitored more than 1.3 million conversations, which let them block 80% of the attempted financial frauds they observed and prevent potential losses of more than €10 million. The scammers used a range of pretexts, including fake police alerts, investment fraud, romance scams, and other manipulation tactics. The takedown is part of a broader campaign against fraud networks, including "pig butchering" cryptocurrency investment scams, that has previously dismantled operations responsible for large losses across several countries. The electronic evidence seized is expected to help identify further fraudulent operations and the people behind them.
2024-05-02 16:03:02 bleepingcomputer MALWARE Microsoft Identifies Dirty Stream Attack on Android Apps
Microsoft has described an attack pattern in Android apps, which it calls "Dirty Stream", that lets a malicious app overwrite files inside another app's private data directory, potentially leading to arbitrary code execution and token theft. The problem lies in how apps consume Android's content provider mechanism, which is designed to share data between apps safely through isolation and permissions. A receiving app trusts the file name reported by the sending app's content provider (for example the display name returned with the streamed content) and uses it, unvalidated, to write the received data into its own internal storage; a name containing path traversal sequences then lands the file wherever the attacker chooses, such as over a native library or a configuration file the app later loads. Misuse of the FileProvider component is a related source of the same exposure. Microsoft's research found the pattern in apps with over four billion combined installations. Xiaomi's File Manager and WPS Office were among the affected apps and have worked with Microsoft to ship fixes. Microsoft shared the findings with the Android developer community, and Google has updated its app security guidance accordingly. Users should keep apps updated and avoid installing apps from unofficial sources.