Daily Brief
Total articles found: 11822
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-01 01:03:30 | theregister | MALWARE | Critical Arbitrary Code Execution Vulnerability in R Language Patched | The R programming language recently patched an arbitrary code execution vulnerability, rated at a CVSS severity of 8.8. This vulnerability, identified as CVE-2024-27322, could be exploited by loading a malicious RDS file or corrupted R package into projects. Potential impacts include unauthorized file access, data deletion, and other malicious activities. The security flaw was fixed in R version 4.4.0, with recommendations for users to upgrade. The vulnerability stems from inadequate data deserialization processes in R, making code injection possible. Exploitation details were analyzed by HiddenLayer, highlighting the use of promise objects and lazy evaluation in R for malicious activation. HiddenLayer warned that this vulnerability could compromise software supply chains or target specific individuals, especially within the researcher community. The issue was complicated enough that casual exploitation is unlikely; however, those in controlled environments could still be at risk. |
| 2024-04-30 23:31:47 | theregister | CYBERCRIME | Hacker Sentenced for Massive Psychotherapy Data Theft and Blackmail | Aleksanteri Kivimäki was sentenced to six years and three months in prison by the Länsi-Uusimaa district court, Finland, for criminal activities including extensive data theft from the Vastaamo psychotherapy clinic. Kivimäki faced charges encompassing 9,231 counts of aggravated dissemination of sensitive information, 20,745 counts of attempted blackmail, and 20 counts of aggravated blackmail. The data breach involved tens of thousands of patient records, which led to Kivimäki demanding ransoms of up to €500 from the victims to prevent the release of their therapy details online. Following the cyberattack, Finland's crime rate reportedly more than doubled due to over 20,000 extortion attempts logged in a single week. The former CEO of Vastaamo was also sentenced to a three-month suspended term for failing to safeguard client data against breaches. Separately, over 5,000 compensation claims against Kivimäki are pending and will be addressed in future court proceedings. Finnish authorities arrested Kivimäki in France in early 2022 after digital evidence linked him to the server used for the crime and to messages published under a pseudonym. |
| 2024-04-30 22:10:07 | bleepingcomputer | MALWARE | Latrodectus Malware Exploits Microsoft, Cloudflare Themes in Phishing Attacks | Latrodectus malware is leveraged in sophisticated phishing campaigns using Microsoft Azure and Cloudflare themes to evade email security detection. Initially identified by Walmart's security team, the malware functions as a backdoor that can download further harmful payloads or execute commands. Recent campaigns deliver the malware through deceptive PDFs attached to reply-chain phishing emails, presenting a masked link to a fake Cloudflare captcha solver. Upon solving the captcha, users inadvertently trigger the download of a JavaScript file, which leads to the installation of further malicious software through an MSI file. The installed DLL component of Latrodectus runs quietly in the background, allowing for the download of more malware or execution of commands, often without immediate detection. Associated with the developers of the IcedID malware, Latrodectus attacks may eventually connect to broader threats, including Cobalt Strike and potentially ransomware distribution. Security professionals recommend promptly isolating infected systems and conducting thorough network assessments to identify and mitigate potential threats. |
| 2024-04-30 20:12:39 | bleepingcomputer | DATA BREACH | Philadelphia Inquirer Reports Major Data Breach Affecting Thousands | Over 25,000 individuals' personal and financial data were compromised in a cyberattack on the Philadelphia Inquirer in May 2023. The attack led to the temporary disruption of the newspaper's print publication, directing readers to its online platform. Kroll forensics were hired to investigate after anomalous activity was detected affecting the paper's content management system. Compromised data included names, personal identifiers, and sensitive financial information such as account numbers and security codes. The newspaper has offered 24 months of free credit monitoring and identity restoration services to affected individuals. The Cuba ransomware gang claimed responsibility, alleging they stole and later leaked financial documents and source code after a failed ransom negotiation. The Inquirer later reported discrepancies in the authenticity of the leaked documents, which were subsequently removed from the gang's leak site. The FBI and CISA indicate that the Cuba ransomware gang has a history of targeting U.S. critical infrastructure, amassing substantial ransoms. |
| 2024-04-30 19:57:08 | theregister | RANSOMWARE | UnitedHealth CEO Admits Responsibility for Ransom Payment Decision | UnitedHealth CEO Andrew Witty revealed that cybercriminals accessed Change Healthcare systems using stolen credentials to infiltrate a Citrix portal lacking multi-factor authentication. The intrusion enabled criminals to extract data and deploy ransomware, leading UnitedHealth to make a $22 million payment to the attackers. Witty's forthcoming statement to U.S. lawmakers details the nine-day period in February when criminals maneuvered within the systems before deploying ransomware, ultimately causing widespread service disruptions. The breach has cost UnitedHealth approximately $870 million, with potential annual costs reaching up to $1.6 billion. Following the attack, UnitedHealth rapidly engaged IT security firms and technology companies to rebuild and secure the infrastructure, significantly reducing future intrusion risks. Multiple ransomware groups have since targeted or claimed to target systems related to UnitedHealth, indicating a continued threat. In his testimony, Witty advocates for mandatory cybersecurity standards for healthcare, emphasizing the need for government collaboration and support for vulnerable institutions. UnitedHealth takes frequent defensive actions against cyber threats, with Witty noting the organization faces an attempted intrusion every 70 seconds. |
| 2024-04-30 18:50:34 | bleepingcomputer | MALWARE | Critical Vulnerability in R Language Permits Arbitrary Code Execution | A new vulnerability in the R programming language allows arbitrary code execution through the deserialization of specially crafted RDS and RDX files. Identified as CVE-2024-27322, with a CVSS v3 score of 8.8, this issue primarily affects users of R, popular among statisticians, data analysts, and AI/ML researchers. Attack vectors include embedding promise objects in file metadata, which execute arbitrary code when deserialized. Social engineering techniques may be employed to trick users into opening malicious files, or attackers might distribute the corrupted files via popular repositories. The vulnerability poses significant risks in sectors reliant on data analysis due to the extensive use of R programming. CERT/CC has issued warnings and advises updating to R Core version 4.4.0, which includes patches that prevent this type of exploit. Organizations unable to upgrade immediately are recommended to run potentially harmful RDS/RDX files in isolated environments such as sandboxes to mitigate risk. |
| 2024-04-30 18:34:57 | bleepingcomputer | MISCELLANEOUS | Google Boosts Bug Bounty Rewards for Android App Vulnerabilities | Google has significantly increased the payouts for reporting remote code execution (RCE) vulnerabilities in select Android apps, raising the maximum reward from $30,000 to $300,000, with a potential top reward of $450,000 for high-quality reports. The reward enhancements specifically target Tier 1 applications such as Google Play Services, the Android Google Search app, Google Cloud, and Gmail. Researchers focusing on vulnerabilities that enable sensitive data theft without user interaction now qualify for $75,000. Exceptionally detailed reports that include a suggested fix and root cause analysis are eligible for a 1.5x reward multiplier, potentially earning researchers up to $450,000. Reports of lesser quality that lack comprehensive analysis or proposed mitigation strategies will receive only half the standard reward amount. In addition to the increased rewards, Google has integrated a previous 2x multiplier for bugs in SDKs directly into the standard reward structure to streamline decision-making and increase overall rewards. This adjustment follows the Mobile Vulnerability Rewards Program's first year, in which Google received over 40 valid security bug reports and distributed close to $100,000 in rewards. |
| 2024-04-30 17:33:35 | bleepingcomputer | MALWARE | Malware and Phishing Rampant in Millions of Docker Repositories | JFrog security researchers discovered that roughly 20% of the 15 million Docker Hub repositories contained malicious content, including malware and phishing sites. Three distinct campaigns named "Downloader", "eBook Phishing", and "Website SEO" were identified, contributing significantly to the spread of these malicious Docker repositories. The "Downloader" campaign, particularly noteworthy, pushed infectious software downloads, disguising them as genuine software, which then compromised the user's system. Nearly a million repositories were part of the "eBook Phishing" campaign, which deceived users into providing credit card details under the guise of free eBook downloads. The "Website SEO" campaign, although its exact purpose remains unclear, consistently produced repositories named "website", potentially as a preparatory test for more harmful activities. Researchers noted that these campaigns exploited Docker Hub's platform credibility, complicating the detection of malicious repositories. Docker has taken action by removing 3.2 million repositories suspected of hosting malicious or undesirable content based on JFrog's findings. This situation accentuates the necessity for ongoing moderation and security vigilance on widely used platforms like Docker Hub. |
| 2024-04-30 17:02:45 | theregister | NATION STATE ACTIVITY | Former NSA Employee Sentenced for Attempted Espionage | A former National Security Agency (NSA) employee was sentenced to 262 months in prison after attempting to sell top-secret documents to Russia. Jareh Sebastian Dalke, the ex-NSA employee, worked as an information systems security designer for less than a month in 2022, during which he acquired classified national defense documents. After leaving the NSA, Dalke contacted someone he believed was a Russian agent to sell the documents for $85,000; however, the contact was actually an undercover FBI agent. Dalke arranged to transfer the documents over the internet at Union Station in Denver, where he was apprehended by the FBI. During the sting operation, Dalke provided snippets of the classified documents and expressed a desire to "provide this information" to his supposed Russian contacts, showcasing his willingness to betray US national security. He pleaded guilty to six counts of attempted transmission of national defense information to a foreign government. Attorney General Merrick Garland emphasized that this sentencing serves as a deterrent to others who might betray national security. Concerns were raised regarding the vetting process for individuals given access to sensitive information, noting that this case echoes previous security breaches. |
| 2024-04-30 16:42:05 | bleepingcomputer | MALWARE | New 'Wpeeper' Android Malware Utilizes Compromised WordPress Sites | A novel Android backdoor named Wpeeper has been detected in unofficial app stores, posing as the Uptodown App Store. Wpeeper uses hacked WordPress sites as relays for its command and control (C2) servers, concealing its actual network infrastructure. Discovered by QAX's XLab on April 18, 2024, with no prior detections on VirusTotal, the malware ceased activity on April 22, likely to avoid detection. Analysis revealed thousands of devices were infected, but the full extent of the infection remains uncertain. Wpeeper's communications are encrypted, and it can dynamically update its C2 server addresses to maintain operational security. The malware's capabilities include stealing user data through 13 different commands, though the end use of this data is not clearly stated. Recommendations include downloading apps only from Google Play and using Android's Play Protect to defend against malware like Wpeeper. |
| 2024-04-30 14:14:02 | bleepingcomputer | RANSOMWARE | Change Healthcare Suffers $872 Million Loss from Ransomware Attack | UnitedHealth's Change Healthcare was breached by the BlackCat ransomware gang using stolen credentials for an account without multi-factor authentication (MFA). The breach, occurring in late February 2024, severely disrupted critical healthcare services across the U.S., impacting payment processing, prescriptions, and insurance claims. The BlackCat gang initially received a $22 million ransom, which was subsequently stolen from an affiliate in an exit scam; this led to another extortion attempt via data leakage. After public disclosure through the CEO's testimony, it was revealed the attackers had network access for about ten days prior to deploying ransomware, stealing corporate and patient data. Remedial actions included extensive system and network overhauls, with the replacement of thousands of laptops and the rebuilding of core services in a few weeks, a task that usually spans several months. Despite heavy operational impacts, the essential services are nearly restored to full capacity, with payment processing at about 86% of its pre-incident level. The decision to pay the ransom was described by CEO Andrew Witty as one of his hardest, underscoring the intense predicament ransomware victims face. |
| 2024-04-30 13:48:21 | thehackernews | MALWARE | Millions of 'Imageless' Malicious Containers Found on Docker Hub | Cybersecurity researchers have identified multiple malicious campaigns on Docker Hub involving over four million "imageless" containers over a span of five years. These containers lack actual content, featuring only documentation that leads users to phishing or malware-infested websites. Approximately 3.2 million of these repositories serve as redirection mechanisms to deceptive sites as part of three distinct campaigns. One reported campaign involves a downloader that contacts a command-and-control server to fetch links to cracked software, disguising the server's malicious intent. The exact purpose of another website cluster identified in the campaigns remains unknown, although it spreads across platforms with weak content moderation. JFrog's security experts highlight the difficulty of protecting users from such threats at the initial stages, recommending heightened vigilance as the primary defense. The situation underscores the broader risk of supply chain attacks in the open-source ecosystem, urging developers to be cautious with downloads from these sources. |
| 2024-04-30 12:31:50 | theregister | NATION STATE ACTIVITY | European Commission Probes Meta Over Election Misinformation | The European Commission has initiated formal proceedings against Meta for inadequately monitoring political misinformation spread by foreign entities ahead of the European elections. Concerns center on Meta's advertising network being a potential target for Russian online attackers, in violation of the Digital Services Act (DSA). Meta could face penalties of up to $8.5 billion under the DSA for failures in its policies surrounding deceptive advertising and political content management. A particular issue raised was the deprecation of CrowdTangle, a tool previously used by journalists and researchers to monitor elections in real time, without a sufficient replacement being provided. The investigation covers multiple aspects of election integrity, including Meta's content recommender systems and mechanisms for users to flag illegal content, as potentially non-compliant with the DSA. Meta has five working days to respond to the EC's inquiries and demonstrate the corrective measures it has implemented regarding its election-monitoring tools and overall compliance with the DSA. Ursula von der Leyen emphasized the importance of robust rules to protect EU citizens from targeted disinformation and the need for strict compliance by major digital platforms during election periods. |
| 2024-04-30 10:39:32 | thehackernews | NATION STATE ACTIVITY | U.S. Issues AI Security Guidelines for Critical Infrastructure | The U.S. Government has introduced new AI security guidelines to protect critical infrastructure against AI-driven threats. These guidelines are the result of a comprehensive assessment of AI risks across all sixteen critical infrastructure sectors. The measures involve enhancing transparency and implementing secure-by-design practices to assess and mitigate AI risks effectively. Owners and operators are urged to evaluate their sector-specific AI uses and coordinate mitigation strategies, especially by identifying dependencies on AI vendors. The initiative aligns with recent cybersecurity guidance from the Five Eyes intelligence alliance on the secure deployment of AI technologies. Concerns include adversarial manipulation of AI systems, prompt injection attacks, and the potential for AI to be used in nation-state espionage and influence operations. Recent incidents highlighted include vulnerabilities in AI tooling such as the Keras 2 neural network library that could allow attackers to trojanize AI systems. Best practices recommended include robust validation of AI systems, stringent supply chain security, and strict access and configuration controls to prevent malicious exploitation. |
| 2024-04-30 07:29:26 | theregister | DATA BREACH | Apple's Safari Privacy Concerns in EU with Third-party App Stores | Researchers discovered that Safari on iOS 17.4 exposes users to potential web tracking due to the way Apple implemented third-party app store installations under EU antitrust rules. Implemented with "catastrophic security and privacy flaws," Safari allows third-party app stores to receive a unique per-user identifier when users visit various websites, compromising their privacy. The MarketplaceKit process used in these installations does not adequately check the origin or validate incoming requests, which could lead to further security vulnerabilities. Only a few approved marketplaces currently exist, but these could potentially exploit the flawed Safari implementation to track user behavior across sites. The researchers advise using alternative browsers like Brave, which checks website origins against URLs to prevent cross-site tracking. Apple's required modifications under the Digital Markets Act (DMA) have led to security oversights, making its previously cited concerns over privacy and security ironically valid. The flaw stems from Apple's attempt to oversee and track usage between third-party marketplaces and their users, ostensibly for calculating fees. |