Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 12742
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-26 04:29:11 | thehackernews | CYBERCRIME | Over 110,000 Sites Compromised in Polyfill.io Supply Chain Attack | Google has begun blocking ads on sites that load code from Polyfill.io after the domain, acquired by a Chinese CDN company, started serving a supply chain attack.
Over 110,000 websites embedding the Polyfill.io JavaScript are redirecting visitors to malicious sites.
Andrew Betts, the original creator of the polyfill service, had already warned users to drop the library, noting that modern browsers implement the features it emulates.
Cloudflare and Fastly have provided alternative endpoints in response to the security concerns.
The cdn.polyfill.io domain now injects malware that selectively redirects traffic to unwanted sites.
The injected code evades detection by staying dormant when web analytics are present or an admin user is logged in.
The article also flags CVE-2024-2961, a glibc iconv flaw that can be chained with other bugs into remote code execution, as a further concern.
Ongoing threats like these show that risk mitigation for third-party web dependencies has to be continuous. | Details |
| 2024-06-26 03:46:44 | theregister | MISCELLANEOUS | Study Reveals Misuse of Trackers in Crime and Domestic Violence | An Australian study, Project Hakea, conducted by the Crime Commission in New South Wales, has uncovered widespread misuse of tracking devices by organized crime groups and individuals involved in domestic violence.
The top 100 buyers of tracking devices, including GPS trackers and Bluetooth trackers like Apple AirTags, were found to be significantly more likely to have a history of violence or connections to organized crime.
The study linked these devices to over 20 serious criminal activities since 2016, including murders, kidnappings, and drive-by shootings, highlighting their role in facilitating organized crime.
Notably, misuse of tracking devices in domestic violence cases was also a significant finding, with a large percentage of offenders informing victims about the trackers to intimidate or control them.
The Crime Commission’s report suggested stricter regulations on the sale of tracking devices and the promotion of their illegal uses to help curb their role in criminal activities.
Anti-stalking features in smartphones and calls for more manufacturers to support these protections were also emphasized as necessary steps to mitigate unauthorized tracking.
The connection between criminal use of trackers and domestic violence suggests a disturbing trend of technology misuse that necessitates immediate legal and regulatory actions. | Details |
| 2024-06-26 01:08:47 | theregister | DATA BREACH | Over One Million Patient Records Stolen in Nuance Security Lapse | Geisinger, a major U.S. healthcare provider, announced that over a million patient records were likely stolen in a security breach at Microsoft-owned Nuance Communications.
The breach was traced to a former Nuance employee whose system access was not revoked promptly after termination.
Exposed data included birth dates, addresses, hospital records, and demographic details; no financial information was reported stolen.
Geisinger detected the incident on November 29, 2023, and Nuance cut off the ex-employee's access immediately after being alerted.
Law enforcement asked that patient notification be delayed so as not to compromise the ongoing investigation, which pushed back public disclosure.
The ex-employee has been arrested and faces federal charges, though the specific charges have not been detailed.
The breach fits a pattern at Nuance, which had a similar incident in 2018, and adds to recent criticism of Microsoft's overall security practices. | Details |
| 2024-06-26 00:48:09 | theregister | DATA BREACH | Massive Patient Data Theft Linked to Lax Subsidiary Security Practices | Geisinger, a major US healthcare provider, announced that over a million patient records may have been stolen in a security breach at Microsoft-owned Nuance Communications.
The breach was attributed to a former Nuance employee who still had access to sensitive files after being terminated and pulled patient data two days after dismissal.
The compromised data included birth dates, addresses, hospital admission and discharge records, and other personal medical details; no financial information was reportedly taken.
Nuance and Geisinger worked with law enforcement, leading to the arrest of the ex-employee, who faces federal charges that have not yet been disclosed.
The incident follows earlier accusations of similar security failings at Nuance, including a 2018 incident involving the San Francisco Department of Public Health.
Jonathan Friesen, Geisinger's chief privacy officer, expressed regret over the incident and said the company continues to cooperate with authorities.
The incident reflects poorly on Microsoft, echoing broader criticism of its subsidiary's lax security measures and raising concerns about national security implications. | Details |
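The failure behind both Nuance stories above is an account that outlived its owner's employment. The following is an added example (not code from Nuance, Geisinger or The Register) of the two checks a practitioner would run: a detective one that joins an HR termination feed against an authentication log and flags successful logins after the cut-off, and a preventive one that lists terminated users whose directory accounts are still enabled. The HR feed, the log format, the field names and the dates are all constructed for the demonstration.

```python
"""Detect successful authentications after the account owner's termination.

Added example, not code from Nuance, Geisinger, or The Register. The HR
feed and the authentication log are constructed; their layout, the field
names and the dates are assumptions for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed HR feed: username -> termination time (assumed UTC).
TERMINATIONS = {
    "jdoe": datetime(2023, 11, 27, 17, 0),
}

# Constructed auth log, one event per line:
#   <ISO timestamp> <user> <SUCCESS|FAILURE> <source ip> <resource>
AUTH_LOG = """\
2023-11-27T09:12:00 jdoe SUCCESS 10.0.4.17 patient-records
2023-11-28T08:30:00 asmith SUCCESS 10.0.4.22 patient-records
2023-11-29T22:41:00 jdoe SUCCESS 203.0.113.9 patient-records
2023-11-29T22:43:00 jdoe SUCCESS 203.0.113.9 patient-records
2023-11-30T01:05:00 jdoe FAILURE 203.0.113.9 patient-records
"""

# Tolerated window between termination and the last permitted access.
DEFAULT_GRACE = timedelta(0)


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, user, result, ip, resource = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "ip": ip, "resource": resource}


def post_termination_access(log_text: str, terminations: dict,
                            grace: timedelta = DEFAULT_GRACE) -> list[dict]:
    """Return successful logins by terminated users after their cut-off."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        cutoff = terminations.get(ev["user"])
        # Only successful logins by people in the termination feed matter here;
        # failed attempts after termination are worth alerting on separately.
        if cutoff is None or ev["result"] != "SUCCESS":
            continue
        if ev["ts"] > cutoff + grace:
            delay = ev["ts"] - cutoff
            findings.append({**ev, "hours_after_termination":
                             round(delay.total_seconds() / 3600, 1)})
    return findings


def terminated_but_enabled(terminations: dict, enabled_users: set,
                           now: datetime) -> list[str]:
    """Preventive check: accounts still enabled after their owner has left."""
    return sorted(u for u, t in terminations.items() if t <= now and u in enabled_users)


if __name__ == "__main__":
    for f in post_termination_access(AUTH_LOG, TERMINATIONS):
        print(f"{f['user']} accessed {f['resource']} from {f['ip']} "
              f"{f['hours_after_termination']}h after termination")
    print("still enabled:", terminated_but_enabled(
        TERMINATIONS, {"jdoe", "asmith"}, datetime(2023, 11, 29)))
```

On the constructed data the detective check reports two successful logins by jdoe roughly 54 hours after termination, matching the "two days post-dismissal" pattern in the story; the preventive check would have caught the account before any of them happened.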
| 2024-06-25 23:51:49 | theregister | MALWARE | Over 100,000 Websites Infected After Malicious Takeover of Polyfill.io | More than 100,000 websites are serving malware after the polyfill.io domain was taken over by Chinese CDN operator Funnull.
Security experts urge site owners to remove every script sourced from polyfill.io immediately to stop further attacks.
Google has started blocking ads on affected websites to limit the victim count and has notified site owners of the risk.
The domain originally served JavaScript polyfills that back-fill modern features on older browsers; it now serves malicious code.
Funnull acquired the polyfill.io domain and its GitHub account in February, which set up the web supply chain attack.
Sites that used the service, including JSTOR, Intuit, and the World Economic Forum, may be compromised.
Fastly and Cloudflare have published alternative CDN endpoints that can replace the compromised service.
The injected malware is chosen dynamically from the HTTP headers sent by the visitor's device, so the attack vector varies from user to user. | Details |
| 2024-06-25 20:32:47 | theregister | DATA BREACH | Neiman Marcus Hit by Data Theft; Personal Info Sold on Dark Web | Customer data stolen from Neiman Marcus's Snowflake storage was offered for sale on the dark web for $150,000.
An intruder accessed the personal information of 64,472 customers, including names, contact details, birth dates, and gift card numbers.
Multi-factor authentication (MFA) may not have been enabled, a common failing in the recent Snowflake breaches.
On discovery, Neiman Marcus disabled access to the compromised database, opened a cybersecurity investigation, and informed law enforcement.
A spokesperson confirmed the data did not include credit card details but did include partial Social Security numbers and extensive customer transaction records.
Neiman Marcus says it will strengthen its security measures following the breach.
The breach is part of a larger pattern, with at least 165 organizations affected by similar Snowflake-linked data thefts. | Details |
| 2024-06-25 19:26:19 | bleepingcomputer | MALWARE | Malware Compromise Affects WordPress Plugins, Threatens Thousands of Sites | At least five plugins hosted on WordPress.org were modified to include backdoors in a supply chain attack.
The injected PHP creates unauthorized administrator accounts and inserts SEO spam.
Wordfence detected the attack and notified the plugin developers; most affected plugins have since been patched.
Over 35,000 websites could be affected; immediate malware scans are recommended, especially for sites showing unexpected admin accounts or unusual network traffic.
The compromised plugins were identified between June 21 and June 22, and the method used to breach them remains under investigation.
The backdoor creates admin accounts named "Options" and "PluginAuth" and sends data to an attacker-controlled IP address.
Some affected plugins were temporarily delisted from WordPress.org, which may trigger warnings even on sites already running the patched versions. | Details |
| 2024-06-25 18:30:05 | theregister | CYBERCRIME | Crypto Scammers Impersonate Lawyers, Defraud Victims of $10M | The FBI reports that crypto scammers stole approximately $10 million by posing as attorneys able to recover lost cryptocurrency.
Between February 2023 and February 2024 the criminals targeted U.S. victims of earlier scams, offering fraudulent recovery services for a fee.
Fake law firms contacted victims via social media and messaging platforms, falsely claiming authority to conduct fraud investigations and sometimes impersonating government agencies.
Victims were told to pay upfront fees, taxes, and other charges; the scammers typically went silent once paid.
The FBI's Internet Crime Complaint Center (IC3) warns specifically against this fraud and advises verifying any recovery service and any claimed affiliation with a legitimate agency.
Consumers and businesses should be cautious and avoid sharing personal or financial information with unverified parties.
The Department of Financial Protection and Innovation offers resources such as a crypto scam tracker to help the public identify known scams.
The scam is part of a larger trend in which crypto-related crime now causes greater financial losses to the U.S. economy than ransomware. | Details |
| 2024-06-25 18:14:32 | bleepingcomputer | CYBERCRIME | Over 100,000 Websites Compromised in Polyfill.io Supply Chain Attack | The Polyfill.io service, which supplies polyfills so that modern JavaScript features work on older browsers, began serving malicious code after its acquisition by Chinese company Funnull.
Security firm Sansec warned that the domain and its associated GitHub account had been bought by Funnull, which then modified the script to inject malicious code.
The malicious script redirects users to scam sites, including fake sportsbook sites, through a look-alike Google Analytics domain and specific URL redirects.
Cloudflare and Fastly have set up trusted mirrors of the Polyfill.io service so that dependent sites can keep working without the risk.
The original developer of the polyfill service noted that modern browsers adopt new features quickly, which has largely removed the need for such polyfills.
Google has started warning advertisers about the redirects, which can affect landing page traffic and integrity.
Researchers have found the script hard to analyze fully because it resists reverse engineering and only activates under targeted conditions. | Details |
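The three Polyfill.io stories above all end with the same advice: find and remove every script loaded from polyfill.io. The following is an added example, not code from Sansec, Cloudflare, Fastly or any of the articles, that scans HTML for `<script>` tags whose source host is polyfill.io or one of its subdomains such as cdn.polyfill.io. The page it runs over is constructed for the example. It compares hostnames rather than grepping for a substring, so it catches protocol-relative `//polyfill.io/...` references and does not false-match a path like `/static/polyfill.io.js` or a look-alike host such as `notpolyfill.io`.

```python
"""Find <script src> references to polyfill.io in HTML.

Added example, not code from any article or vendor above. SAMPLE_HTML is
constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The hijacked domain; any subdomain (cdn.polyfill.io) counts as well.
SUSPECT_DOMAIN = "polyfill.io"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches too.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def host_of(src: str) -> str:
    """Return the lowercase hostname of a script URL, or "" for relative paths."""
    if src.startswith("//"):
        # Protocol-relative URL: give it a scheme so urlsplit fills in the netloc.
        src = "https:" + src
    return (urlsplit(src).hostname or "").rstrip(".")


def is_suspect_host(host: str) -> bool:
    """True for the apex domain or a real subdomain, never for look-alike hosts."""
    host = host.lower().rstrip(".")
    return host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN)


def find_polyfill_scripts(html: str) -> list[str]:
    """Return every script src in the document whose host is polyfill.io."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [src for src in collector.srcs if is_suspect_host(host_of(src))]


# Constructed page: two real hits, then decoys that must not match.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<SCRIPT SRC='//polyfill.io/v3/polyfill.min.js'></SCRIPT>
<script src="https://example.com/static/polyfill.io.js"></script>
<script src="https://notpolyfill.io/app.js"></script>
<script src="/js/vendor/polyfill.js"></script>
<a href="https://polyfill.io/">docs</a>
</head><body></body></html>
"""

if __name__ == "__main__":
    for hit in find_polyfill_scripts(SAMPLE_HTML):
        print("remove or replace:", hit)
```

Run over a crawl of your own pages (or templates), the output is the list of tags to delete or repoint at one of the Cloudflare or Fastly mirrors. The host comparison is the part worth keeping: a substring match on the domain name would have flagged the `example.com` and `notpolyfill.io` decoys and missed nothing real, but on a large site that noise is what makes people stop reading the report.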
| 2024-06-25 17:02:58 | bleepingcomputer | MALWARE | New Medusa Malware Variant Targets Users in Seven Nations | The Medusa banking trojan, also known as TangleBot, is actively targeting Android users in France, Italy, the US, Canada, Spain, the UK, and Turkey with new variants.
Activity observed since May shows the malware requests fewer permissions yet adds capabilities such as full-screen overlays and screenshot capture to facilitate fraudulent transactions.
Distribution is tied to five botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) and relies on SMS phishing to get malicious dropper apps installed.
The droppers pose as legitimate apps such as the Chrome browser, a 5G app, and a streaming app called 4K Sports, with UEFA EURO 2024 used as bait.
Medusa's infrastructure fetches command-and-control server URLs from public social media profiles, which lets the operators coordinate campaigns centrally.
The newer variants shrink their on-device footprint while keeping the permissions needed to abuse Android's Accessibility Services, which the malware relies on to act without being noticed.
The update removes 17 commands and adds five new ones, improving both stealth and capability.
Although not yet seen on Google Play, the growing number of operators using the malware-as-a-service (MaaS) offering points to a rising threat and more sophisticated distribution. | Details |
| 2024-06-25 14:54:55 | bleepingcomputer | DATA BREACH | Neiman Marcus Reports Data Breach Affecting Over 64,000 People | Neiman Marcus confirmed a data breach affecting 64,472 individuals after unauthorized access to its Snowflake database platform.
The intruders accessed personal information including names, contact details, dates of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers.
The breach came to light when the stolen data was put up for sale online by a data thief tied to the recent wide-scale Snowflake data thefts.
Gift card numbers were exposed, but the PINs were not, so the cards remain usable by their owners.
Neiman Marcus disabled access to the compromised database and brought in cybersecurity experts and law enforcement for its response.
The incident is linked to UNC5537, a financially motivated threat actor known for using stolen credentials to breach accounts and extort organizations.
The affected accounts lacked multi-factor authentication, which made the unauthorized access possible and underlines the need for stronger controls. | Details |
| 2024-06-25 14:44:27 | bleepingcomputer | DATA BREACH | Neiman Marcus Hit by Data Breach Linked to Snowflake Attacks | Neiman Marcus confirmed a data breach impacting 64,472 individuals, following attempts by hackers to sell the stolen data.
Unauthorized access to a database was gained between April and May 2024 by a third party, exposing personal details such as names, contact information, dates of birth, and gift card numbers.
The breach is connected to a larger series of data thefts involving Snowflake database platforms, with a threat actor named "Sp1d3r" attempting to sell the data.
Although gift card numbers were exposed, the PINs were not compromised, ensuring the gift cards remain valid.
Neiman Marcus has responded by disabling the affected database platform, conducting an investigation with cybersecurity experts, and contacting law enforcement.
"Sp1d3r", the involved threat actor, reportedly tried to extort Neiman Marcus before offering the data on a hacking forum, which was later removed possibly due to negotiation talks.
A broader investigation involving Snowflake, Mandiant, and CrowdStrike has linked the so-called UNC5537 threat actor to breaches affecting at least 165 organizations. | Details |
| 2024-06-25 14:13:33 | bleepingcomputer | CYBERCRIME | FBI Alerts on Fake Law Firms Scamming Crypto Victims | The FBI has issued a warning against cybercriminals pretending to be law firms offering cryptocurrency recovery services to victims of investment scams.
Scammers have fooled victims into believing their legitimacy by falsely claiming associations with legitimate government agencies like the FBI and financial institutions.
Fraudulent outfits often ask for personal information and payment, falsely promising to recover lost digital assets.
From February 2023 to February 2024, victims have paid over $9 million to these fake recovery services, according to IC3 data.
Government and state-level authorities can actually track and potentially recover stolen cryptocurrency, but they do not charge fees or proactively contact victims for personal information.
The public is advised to thoroughly investigate any service claiming they can recover cryptocurrency and report any suspicious interactions to the IC3.
No private company is authorized to issue seizure orders for digital assets, indicating that many social media and internet ads are scams targeting new victims. | Details |
| 2024-06-25 14:03:06 | bleepingcomputer | MISCELLANEOUS | Why Switching From Passwords to Passphrases Enhances Security | Passphrases are increasingly preferred over complex passwords because they are easier to remember while offering equal or better resistance to guessing.
Verizon reports that 83% of cyberattacks begin with stolen credentials, underlining the need for stronger authentication.
Traditional complex passwords tend to follow predictable user patterns and are vulnerable to brute-force and hybrid dictionary attacks.
A Bitwarden study found that 84% of users admit to reusing passwords across multiple platforms, which raises the impact of any single breach.
The National Institute of Standards and Technology (NIST) and the FBI recommend passphrases longer than 15 characters for better resistance to cracking.
The UK's National Cyber Security Centre and the Canadian Centre for Cyber Security recommend passphrases of at least three or four random words.
Specops Software offers Specops Password Policy and Authentication Client, which ease the transition to passphrases while improving the user experience.
Moving to passphrases can improve security and convenience at the same time, since longer phrases that users can actually remember reduce the frequency of password resets. | Details |
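The "three or four random words" guidance above rests on a counting argument that the summary does not spell out: what matters is how many equally likely candidates the generator could have produced, not the character count. The following is an added example, not code from Specops or the article, that puts numbers on it: entropy of a character password versus a random-word passphrase, how many words are needed to reach a target, and a CSPRNG-backed generator. The 16-word list is a constructed stand-in so the block runs offline; the 7776-word size used in the comparison is that of a standard diceware-style list (EFF's large list has 7776 entries), and the 1e10 guesses-per-second rate is an assumed offline cracking speed, not a measurement.

```python
"""Guessing entropy of character passwords versus random-word passphrases.

Added example, not code from Specops or the article. WORDLIST is a
constructed stand-in; DICEWARE_SIZE is the size of EFF's large wordlist.
"""
import math
import secrets

# Constructed 16-word stand-in so the generator runs offline.
WORDLIST = ["anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
            "island", "juniper", "kestrel", "lantern", "meadow", "nebula", "orchid", "pebble"]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 94  # printable ASCII characters excluding space


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Bits of entropy for `num_words` words chosen uniformly from the list.

    A human-chosen phrase only gets this much if the attacker really must
    search the whole list; words drawn from a small familiar vocabulary hand
    the attacker a much smaller effective `wordlist_size`.
    """
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Fewest random words from the list that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: half the keyspace at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(num_words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; never use random.choice for credentials."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy in bits and expected crack time in days at an assumed guess rate."""
    rows = {
        "8 chars, 94-symbol alphabet": charset_entropy_bits(8, PRINTABLE_ASCII),
        "4 diceware words": passphrase_entropy_bits(4, DICEWARE_SIZE),
        "5 diceware words": passphrase_entropy_bits(5, DICEWARE_SIZE),
        "4 words from 2000 common words": passphrase_entropy_bits(4, 2000),
    }
    return {name: (round(bits, 1), expected_seconds_to_crack(bits, guesses_per_second) / 86400)
            for name, bits in rows.items()}


if __name__ == "__main__":
    for name, (bits, days) in compare().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{days:,.0f} days at 1e10 guesses/s")
    print("example:", generate_passphrase(4))
```

Two things fall out of the numbers that the summary does not say. A four-word diceware passphrase (about 51.7 bits) is roughly equivalent to an eight-character password drawn uniformly from all 94 printable characters (about 52.4 bits), and five words clearly beat it; but four words a user picks from a vocabulary of two thousand common words (about 43.9 bits) are weaker than either, which is why the guidance says random words, not merely long ones.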
| 2024-06-25 13:47:29 | theregister | CYBERCRIME | CISA Alerts High-Risk Chemical Facilities of Ivanti Breach | CISA has urged high-risk chemical facilities to review their security after a breach of one of its own portals that exploited vulnerabilities in Ivanti products.
The Chemical Security Assessment Tool (CSAT) portal was compromised, potentially exposing sensitive security data about facilities that hold dangerous chemicals.
Attackers used three Ivanti Connect Secure vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893); CISA had added them to its KEV catalog with a 48-hour patching deadline.
Malicious activity was detected and an advanced webshell was installed, but CISA says there is no evidence of data exfiltration and that all sensitive data remained encrypted.
The data at risk included Top-Screen surveys and security vulnerability assessments, which, had they not been encrypted, would reveal which chemicals are stored and where facilities are vulnerable.
CISA has encouraged CSAT account holders to change their passwords and is arranging identity protection services for individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023.
No evidence was found of malicious use of the accessed data, but notifications went out to potentially affected entities and individuals as a precaution. | Details |