Daily Brief

Total articles found: 11822
2024-04-29 12:18:34 theregister MISCELLANEOUS Addressing Digital Security Gaps with SSH's Zero Trust Suite
Traditional security measures struggle to protect the expanding digital estates of modern businesses, leading to frequent breaches. The recurrent security incidents are often linked to outdated reliance on password credentials, exemplified by recent breaches involving Okta and the MOVEit application. SSH Communications Security introduces the PrivX Zero Trust Suite, integrating multiple security functions to manage complex digital environments effectively. The suite shifts from static passwords to just-in-time certificates and adds strong multifactor authentication to enhance control over privileged accounts. For industrial environments, the system supports access via common OT protocols, enhancing security without disrupting existing operations. The Universal SSH Key Manager within the suite helps manage and secure SSH keys, with capabilities for future transition to post-quantum cryptography. SSH Secure Collaboration tools safeguard communications in regulated industries by enforcing encryption and maintaining clear audit trails. The comprehensive approach of SSH's Zero Trust Suite aims to replace numerous disjointed tools with a unified, scalable, and secure platform.
2024-04-29 12:18:34 theregister DATA BREACH UK Regulators Highlight Privacy Concerns in Google's Privacy Sandbox
The UK's Competition and Markets Authority (CMA) expresses ongoing concerns regarding Google's Privacy Sandbox, a technology intended to replace web cookies for ad targeting. Despite initial intentions, the Privacy Sandbox faces criticism for not adequately addressing privacy and competition issues, leading to delayed implementation until 2025. Privacy concerns center around the Topics API, which categorizes user interests for targeted ads based on browser activity without sufficiently informing users of data usage. Additional worries include potential misuse of Topics data for non-advertising purposes, which could contravene data protection laws. Google has received feedback from regulators, including a draft assessment from the UK Information Commissioner's Office (ICO), indicating that the technology fails to meet privacy standards. The ICO's evaluation and public comments reflect a growing list of nearly 80 unaddressed issues with Google's Privacy Sandbox, highlighting the complexity and potential risks of the new ad technology. Competitors and regulatory bodies are wary of Google's new ad mechanisms, fearing increased gatekeeping powers and a lack of transparency in data handling. Google continues to collaborate with global privacy and competition regulators to refine and improve the Privacy Sandbox amidst increasing scrutiny and regulatory pressure.
2024-04-29 12:18:34 theregister CYBERCRIME UK Enacts Stringent Cybersecurity Laws for Smart Devices
The UK has introduced new laws under the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) to enhance cybersecurity measures for smart devices. Manufacturers must now avoid default passwords that are easily guessable or commonly found online, with significant fines imposed for non-compliance. The legislation mandates that vendors provide a contact point for security issues and disclose the minimum duration for security updates on devices. The PSTI Act is applicable to a wide range of consumer smart devices including smartphones, home appliances, and wearables. The National Cyber Security Centre (NCSC) issued guidelines to assist consumers in strengthening device security, recommending the use of passwords composed of three random words. Critics argue that the current requirements under the PSTI Act, covering only three of ETSI's 13 recommended standards, are insufficient for robust security. There is concern among experts about the government's commitment to enforcing these rules, despite the potential for severe financial penalties for violations. Overall, the new laws are seen as a positive initial step towards securing smart devices, but some believe stronger measures are necessary.
2024-04-29 12:18:33 thehackernews MALWARE Critical Flaws in Judge0 Allow Complete System Takeover
Multiple critical vulnerabilities have been discovered in the Judge0 online code execution system. The flaws enable a sandbox escape, giving attackers root access on the host machine. The vulnerabilities stem from a Ruby script that improperly handles symbolic links. Attackers could exploit these flaws to overwrite scripts, escape Docker containers, and escalate privileges. A compromise may result in complete control over the Judge0 system, its database, and connected applications. CVE-2024-29021 involves an SSRF vulnerability that can lead to command injection via database manipulation. The vulnerabilities were patched in Judge0 version 1.13.1, released on April 18, 2024, following responsible disclosure. Users are urged to update immediately to prevent potential exploitation of these security gaps.
2024-04-29 12:18:33 thehackernews MISCELLANEOUS Comprehensive Guide to Enhancing Cybersecurity Through Exposure Management
Exposure Management is a holistic strategy for identifying, assessing, and mitigating security vulnerabilities across an organization's entire digital presence, extending beyond mere software flaws to include misconfigurations and credential issues. This approach sees organizations continuously and proactively improving their cybersecurity posture by considering how attackers might exploit each identified vulnerability. Exposure Management is aligned with Gartner’s Continuous Threat Exposure Management (CTEM), providing a structured framework for actionable security improvements. Traditional pentesting and red teaming can be integrated with Exposure Management to create a robust defense by simulating attacks and identifying pre-emptive corrections. Unlike traditional vulnerability assessments, Exposure Management offers a broader perspective by including all possible security weaknesses, whereas Risk-Based Vulnerability Management (RBVM) prioritizes vulnerabilities based on explicit risk factors. The collaboration of Exposure Management with Red Teaming, Penetration Testing, Breach and Attack Simulation (BAS), and RBVM enables a comprehensive understanding and prioritization of cybersecurity efforts. Implementing Exposure Management allows organizations to allocate resources efficiently and optimize their response to the most critical and likely security threats.
2024-04-28 15:32:21 bleepingcomputer CYBERCRIME Surge in Phishing Sites Rivaling Genuine USPS Traffic
Security investigations reveal phishing sites impersonating the U.S. Postal Service (USPS) generate traffic levels comparable to the legitimate USPS website, particularly peaking during the holiday season. Akamai Technologies detected substantial DNS queries to "combosquatting" domains, which closely mimic USPS's online presence, starting from an incident involving suspicious SMS with malicious JavaScript in October 2023. Analysis highlighted that the most engaged malicious domains, primarily during the October 2023 to February 2024 period, amassed nearly half a million queries, with two sites exceeding 150,000 each. Phishing tactics involved creating highly convincing replicas of the official USPS website, complete with accurate parcel tracking capabilities, encouraging users to input sensitive data. One specific scam included a fake postage item shop that gained traffic around November, exploiting consumer activity during the holiday gift-buying season. The total query count for all identified malicious USPS-themed websites reached over 1.128 million, only slightly less than the queries to the authentic USPS site during the same timeframe. Consumers are advised to verify package shipment communications directly through the official USPS website, avoiding links in unsolicited emails or SMS.
2024-04-28 14:20:57 bleepingcomputer MISCELLANEOUS Google Chrome's Quantum Upgrade Causes TLS Connection Issues
Google Chrome version 124 introduces a quantum-resistant encryption mechanism, X25519Kyber768, causing connectivity issues with some servers and firewalls. Users and system administrators report dropped connections post-update due to servers failing to handle the new, larger ClientHello messages in TLS handshakes. The issues affect various network devices and security appliances from major vendors including Fortinet, SonicWall, Palo Alto Networks, and AWS. This quantum-resistant algorithm aims to protect data from future "store now, decrypt later" attacks, which leverage advancements in quantum computing to decrypt previously secure communications. Companies like Apple and Signal have also begun implementing quantum-resistant algorithms to safeguard against future cryptographic threats. Administrators can temporarily disable the TLS 1.3 Kyber support in Chrome to resolve connectivity issues or await updates from affected vendors. Google advises that long-term use of post-quantum secure ciphers will be necessary, and the option to disable them in Chrome will eventually be removed.
2024-04-28 14:00:19 thehackernews CYBERCRIME Okta Reports Sharp Increase in Proxy-Based Credential Attacks
Okta has observed a significant rise in credential stuffing attacks, leveraging residential proxy services, stolen credential lists, and scripting tools. These attacks have been primarily routed through anonymizing services like TOR and various residential proxies, making detection and mitigation more challenging. Cisco’s Talos intelligence also highlighted a global increase in brute-force attacks since March 18, 2024, targeting VPNs, web interfaces, and SSH services. Credential stuffing involves using stolen credentials from one breach to access accounts on other platforms, often utilizing information from phishing or malware. Okta's Identity Threat Research team noticed this uptick particularly between April 19 and April 26, 2024, using similar anonymizing infrastructures as noted by Talos. Residential proxies misused in these attacks often involve legitimate devices enrolled unknowingly into a botnet, camouflaging malicious traffic. To safeguard against these attacks, Okta advises organizations to adopt strong passwords, enable two-factor authentication, block suspicious IP addresses, and support passkeys. Recent discoveries include malicious Android VPN apps that convert devices into proxies without owners' knowledge, intensifying the credential stuffing threat landscape.
2024-04-27 17:11:39 bleepingcomputer MISCELLANEOUS Japanese Police Use Fake Cards to Alert Scam Victims
Japanese police introduced decoy payment cards in convenience stores to alert elderly individuals about tech support scams. The cards, labeled as “Virus Trojan Horse Removal Payment Card” and “Unpaid Bill Late Fee Payment Card,” are part of an initiative by the Echizen Police in Fukui prefecture. This measure is in response to $7.5 million lost in various online frauds last year in Fukui, including $700,000 from investment scams in January alone. The initiative involves local store employees who inform customers attempting to buy these cards that they are being scammed. The police reward store employees aiding in this preventive measure, which also helps identify victims and investigate the scams. The program has successfully prevented scams for at least two elderly men deceived into paying for fake malware removal. The conspicuous labels on the cards make them easily identifiable to victims who believe they are purchasing a legitimate solution to their supposed problem.
2024-04-27 14:59:10 bleepingcomputer CYBERCRIME Okta Reports Surge in Credential Stuffing Attacks on Users
Okta has issued a warning about a significant increase in credential stuffing attacks against its identity and access management services. These attacks, utilizing automated methods to test stolen credentials, have led to breaches in some customer accounts. Identified attack sources include the same infrastructure previously noted by Cisco Talos in similar cybersecurity threats. Attackers predominantly used the TOR network and various residential proxies to mask their activities. The most affected are organizations using Okta's Classic Engine in Audit-only mode and those allowing access via anonymizing proxies. Okta suggests robust countermeasures such as enabling 'Log and Enforce' mode, multi-factor authentication, and blocking IP addresses known for malicious activities. The company also advocates for passwordless authentication and stringent monitoring of anomalous sign-in attempts to further secure user accounts.
2024-04-27 12:57:07 thehackernews NATION STATE ACTIVITY Ukraine Faces Cyberattacks Exploiting Old Microsoft Office Bug
Ukraine has been targeted by cyberattacks leveraging a seven-year-old vulnerability in Microsoft Office to deploy Cobalt Strike malware. The attacks involved a PowerPoint file masquerading as an old U.S. Army mine-clearing manual, suggesting that the attackers were targeting military personnel. The operation resulted in the remote execution of an obfuscated script that configured persistence through system registry modifications and mimicked a legitimate Cisco VPN client. The malware used in the attacks could detect virtual machine environments and evade security software. The origin of the attacks is uncertain, with no concrete link to a specific threat actor; the possibility of a red teaming exercise was also noted but not confirmed. In a broader context, a Russian state-sponsored group, identified as Sandworm or APT44, has targeted about 20 Ukrainian critical infrastructure entities using various malware tools. Sandworm has been active since at least 2009 and is associated with multiple disruptive cyber operations against Ukraine and other global targets. This situation highlights the ongoing cyber warfare dimension of the broader geopolitical conflict between Ukraine and Russia.
2024-04-27 05:17:40 thehackernews MALWARE N. Korea Malware Scam Targets Developers in Fake Job Interviews
North Korean threat actors are conducting a social engineering campaign targeting software developers under the guise of job interviews to install malware. The campaign, named DEV#POPPER by Securonix, lures developers into downloading malicious npm packages containing a JavaScript file that acts as an information stealer. Palo Alto Networks' Unit 42 and Phylum reported that these attacks use npm packages to deliver malware families like BeaverTail and InvisibleFerret that siphon sensitive data. These attacks are distinct from Operation Dream Job, another campaign by the Lazarus Group targeting various professional sectors with malware-dressed job offers. The malware is first introduced to victims via a ZIP archive shared during the interview process, leading to system compromise upon execution. The malicious software can execute commands, enumerate files, and log keystrokes and clipboard data, indicating an advanced capability to siphon off sensitive information. Researchers emphasize the necessity of maintaining a security-focused mindset, particularly during situations that might lower one's guard, like job interviews.
2024-04-26 18:16:58 theregister DATA BREACH Kaiser Permanente Alerts on Unintended Data Sharing with Tech Giants
Kaiser Permanente has notified 13.4 million individuals about the unintentional sharing of their data with external third parties such as Google and Microsoft Bing. Data shared included IP addresses, names, and information relating to user interactions with Kaiser’s websites and mobile apps. The information transmission occurred through tracking and analytics tools previously installed on Kaiser's digital platforms. No sensitive data such as Social Security numbers or financial information was disclosed to third parties. Kaiser has removed the identified technologies from its platforms and implemented additional security measures to prevent future incidents. This incident sheds light on broader issues of privacy with healthcare entities using third-party tracking technologies. Kaiser Permanente is conducting ongoing reviews and has reported the incident to the U.S. Department of Health and Human Services.
2024-04-26 16:02:46 theregister MISCELLANEOUS Thoma Bravo Acquires Darktrace for $5.3 Billion, Takes It Private
Private equity firm Thoma Bravo has completed the acquisition of UK-based cybersecurity company Darktrace for $5.3 billion. The deal marks Thoma Bravo's second attempt to buy Darktrace, following a failed bid in 2022 that ended in collapsed negotiations and subsequent fraud allegations. Darktrace's share price has significantly recovered, reaching $7.59, after falling in the wake of the failed first bid and the fraud claims. Shareholders of Darktrace are set to receive $7.75 per share, representing a 44 percent premium over the past three months' average share price. Thoma Bravo aims to leverage Darktrace's capabilities in AI and cybersecurity to enhance its extensive portfolio of cybersecurity companies. Darktrace is exiting the London Stock Exchange, citing undervaluation compared to peers and expressing optimism for future growth and innovation under private ownership. The acquisition has sparked discussion about the negative outlook for investment in the UK's public tech sector, emphasizing the dominance of larger US tech firms. Darktrace's earlier financial backing by Mike Lynch, currently on trial for fraud, remains a noteworthy part of its history, with his family set to gain substantially from the sale.
2024-04-26 14:25:38 bleepingcomputer CYBERCRIME 'Dev Popper' Campaign Uses Fake Job Interviews to Deploy RAT
A new cybercrime campaign, coined “Dev Popper,” targets software developers through deceptive job interview offers to install a Python-based remote access trojan (RAT). Attackers contact potential developer candidates posing as employers, presenting coding tasks from a GitHub repository as part of the interview process. The file downloaded by the candidates is a ZIP archive that includes an NPM package, which upon execution activates a hidden, obfuscated JavaScript file designed to download further malware. The multi-stage infection ultimately installs a RAT that relays system information (OS type, hostname, network data) to the attacker's command and control server. While the exact perpetrators are uncertain, the tactics suggest a possible link to North Korean threat actors, although there is not enough evidence for definitive attribution. Securonix, the security firm analyzing the campaign, emphasizes the efficacy of this method, which exploits the professional trust and engagement inherent in the job application process. The method is part of a broader pattern of North Korean hackers using job lures to target various sectors, including security researchers and aerospace employees.