Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11821
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-23 19:54:44 | bleepingcomputer | MISCELLANEOUS | Microsoft Issues Hotfix Updates for Exchange Server Glitches | Microsoft has released hotfix updates that address problems introduced by the March 2024 security updates for Exchange Server.
The April 2024 hotfix update is optional, adding support for ECC certificates and Hybrid Modern Authentication for web applications.
Included fixes address problems such as inability to display inline images and download attachments in Outlook on the Web (OWA).
The April update rectifies the error preventing document previews and file downloads in OWA, where users encountered "We can't open this document" messages.
The update is applicable for Exchange Server 2019 CU13 and CU14, as well as Exchange Server 2016 CU23.
Microsoft continues to offer extended support for Exchange Server 2016 until October 2025 despite the end of mainstream support.
Alongside the patches, Microsoft points administrators to documentation and guidance for migrating to Microsoft 365, underlining its push toward the cloud-hosted service. | Details |
| 2024-04-23 18:43:19 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions Iranians for State-Sponsored Cyberattacks | The U.S. Treasury Department has imposed sanctions on four Iranian nationals and two front companies linked to cyberattacks on U.S. government and private sector entities.
The sanctioned individuals were involved in spear phishing campaigns and other cyberattacks targeting the Department of Treasury and defense contractors.
Sanctions were placed on front companies Mehrsam Andisheh Saz Nik and Dadeh Afzar Arman, associated with the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command.
The sanctioned individuals are Alireza Shafie Nasab, Reza Kazemifar Rahman, Hosein Mohammad Harooni, and Komeil Baradaran Salmani, all linked to extensive cyber operations against U.S. targets.
Assets and interests of the named individuals and companies in the U.S. are frozen, and U.S. persons are prohibited from dealing with them without authorization.
The State Department is offering rewards of up to $10 million for information leading to the apprehension or conviction of the sanctioned individuals and entities.
The Justice Department also unsealed indictments related to a multi-year hacking campaign against U.S. government agencies and defense contractors, in which over 200,000 employee accounts were compromised in one instance. | Details |
| 2024-04-23 17:01:28 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target South Korean Defense Tech | South Korean National Police Agency warns of North Korean hacking groups targeting defense contractors.
Attackers, including groups like Lazarus, Andariel, and Kimsuky, exploited vulnerabilities to plant malware and steal technology data.
Special security inspection from January 15 to February 16 revealed breaches unnoticed by companies since late 2022.
Lazarus group compromised a testing network system, stealing critical data from multiple computers and transferring it overseas.
Andariel hackers obtained an employee's credentials, accessed subcontractor networks, and caused significant data leaks, exacerbated by poor password practices.
Kimsuky exploited an email server vulnerability to illegally download large amounts of technical data.
South Korean authorities recommend tighter network security controls, regular password changes, two-factor authentication, and blocking access from foreign IP addresses where it is not needed. | Details |
| 2024-04-23 15:43:19 | bleepingcomputer | NATION STATE ACTIVITY | US Implements Visa Bans on Commercial Spyware Creators and Their Families | The U.S. State Department announced visa restrictions on 13 individuals involved in the creation and sale of commercial spyware, along with their immediate family members.
These initiatives are part of the U.S. administration's broader policy to curb the proliferation and misuse of spyware, which poses threats to human rights and national security.
The decision targets individuals whose activities have supported arbitrary detentions, forced disappearances, and extrajudicial killings via the misuse of spyware technologies.
The restrictions align with Section 212(a)(3)(C) of the Immigration and Nationality Act, serving foreign policy interests by preventing entry to these individuals.
Secretary of State Antony J. Blinken emphasized the role of commercial spyware in violating basic human rights and endangering the privacy and safety of global citizens.
The U.S. has also sought international cooperation through the Freedom Online Coalition and, domestically, applies export controls administered by the Commerce Department's Bureau of Industry and Security to rein in the trade in surveillance tools.
These measures complement the Executive Order issued by the Biden Administration in March 2023, intensifying efforts to tackle mercenary surveillance tools that threaten security. | Details |
| 2024-04-23 14:57:06 | bleepingcomputer | MALWARE | North Korean Hackers Use Antivirus Updates to Deploy Malware | Hackers with a tentative link to North Korea hijacked the eScan antivirus update mechanism to deliver the GuptiMiner malware, including backdoors, into large corporate networks; the eScan client fetched its updates over plain HTTP, which let an adversary-in-the-middle replace the update package.
GuptiMiner is a sophisticated malware: it retrieves payloads through DNS queries to attacker-controlled servers, extracts payloads hidden inside image files, and checks system specifications before running to avoid analysis environments.
Once delivered through the hijacked update, the malware gains system-level privileges via DLL sideloading, establishes persistence, and injects shellcode into legitimate processes.
Additional findings reveal the deployment of multiple malware tools including two backdoors and the XMRig Monero miner; one backdoor is used for scanning local networks while the other targets private keys and cryptocurrency wallets.
Similarities in malware functionality suggest a potential link to the North Korean APT group Kimsuky.
Despite eScan's fixes, including HTTPS for update downloads and rejection of unsigned binaries, new GuptiMiner infections are still being observed, which points to clients that have not yet received the updated software.
Avast has released a list of Indicators of Compromise (IoCs) to help defenders detect and mitigate threats caused by GuptiMiner. | Details |
| 2024-04-23 14:31:11 | bleepingcomputer | RANSOMWARE | UnitedHealth Pays Ransom to BlackCat Gang to Protect Data | UnitedHealth Group confirmed it paid a ransom following a February ransomware attack by the BlackCat/ALPHV gang, which disrupted multiple healthcare services across the U.S.
The attackers claimed to have stolen 6TB of sensitive patient data from Change Healthcare, an Optum subsidiary, and UnitedHealth reportedly paid $22 million to prevent the data from being leaked.
Post-payment, the U.S. government initiated an investigation into the health data breach, suspecting extensive unauthorized data access.
RansomHub later increased pressure on UnitedHealth by beginning to leak alleged corporate and patient data online.
The attack incurred substantial financial damages to UnitedHealth, approximating $872 million.
Despite the ransom payment, the stolen data, which includes protected health information (PHI) and personally identifiable information (PII), remains a risk to the affected individuals and organizations, although only limited data has reportedly surfaced on the dark web so far.
UnitedHealth has been proactive in mitigating fallout, offering free credit monitoring and identity theft protection while restoring nearly all impacted services to normal operations. | Details |
| 2024-04-23 14:05:16 | thehackernews | CYBERCRIME | Dependency Confusion Attack Targets Discontinued Apache Project | Researchers discovered a dependency confusion vulnerability in the archived Apache Cordova App Harness project, exposing a method for cyber attacks.
Dependency confusion occurs when package managers mistakenly fetch malicious packages from public repositories that masquerade as legitimate private packages.
A study by Orca in May 2023 found that nearly 49% of organizations could be susceptible to these types of attacks.
The Apache project referenced an internal dependency by bare package name rather than by a relative file path, so package managers resolved that name through the public registry, where anyone could register it.
The package published under that name has been downloaded more than 100 times, showing that the archived project is still being installed and that the exposure is real.
Despite the project's discontinuation in 2019, its continued usage underscores the risks associated with archived but active open-source software.
The Apache security team has since taken ownership of the package name to close the gap.
Security experts recommend registering public placeholder packages for internal names so they cannot be claimed by others, and stress the importance of keeping third-party dependencies updated and pinned to trusted sources. | Details |
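The mistake described above is mechanical and easy to check for: a dependency that is named by a bare string is resolved through the public registry, whereas a `file:` path, a git URL, or a scope that `.npmrc` maps to a private registry is not. The following Node.js script is an added example, not code from the Apache project or the researchers: given a `package.json` object and an inventory of names that are known to be internal, it reports every dependency that would be resolved from the public registry. The package names `cordova-harness-internal` and `@myorg/build-tools`, the registry URL, and the two sample manifests are all constructed for the example; the page does not give the real internal package name.

```javascript
// Added example: flag dependency-confusion candidates in a package.json.
// Not the Apache project's code. All package names here are made up.

// Spec shapes npm resolves without consulting a registry.
const NON_REGISTRY_SPEC = /^(file|link|git|git\+[a-z]+|ssh|https?|github|gitlab|bitbucket|gist):/i;
// "owner/repo[#ref]" is GitHub shorthand and also bypasses the registry.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.+)?$/;

function specHitsRegistry(spec) {
  return !NON_REGISTRY_SPEC.test(spec) && !GITHUB_SHORTHAND.test(spec);
}

// privateNames: Set of package names that only exist internally (assumed inventory).
// scopedRegistries: the "@scope:registry=" mappings from .npmrc, as an object.
function auditDependencies(pkg, { privateNames, scopedRegistries = {} }) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!specHitsRegistry(spec)) continue;        // file:, git, tarball: nothing to confuse
      if (!privateNames.has(name)) continue;        // a genuinely public package
      const scope = name.startsWith('@') ? name.split('/')[0] : null;
      if (scope && scopedRegistries[scope]) continue; // scope routed to the private registry
      findings.push({
        section,
        name,
        spec,
        reason: scope
          ? `scoped name but no registry mapping for ${scope}`
          : 'bare name: resolved from the public registry, claimable by anyone',
        fix: 'reference it as file:../path or a git URL, or publish it under a scope mapped to a private registry',
      });
    }
  }
  return findings;
}

// Constructed inventory of internal-only names.
const PRIVATE_NAMES = new Set(['cordova-harness-internal', '@myorg/build-tools']);

// Constructed manifest with the same defect the article describes: an
// internal package referenced by bare name and a semver range.
const vulnerablePkg = {
  name: 'app-harness-demo',
  dependencies: { 'cordova-harness-internal': '^1.0.0', express: '^4.19.0' },
};

// Constructed corrected manifest: the internal package is a relative path,
// and the scoped package relies on an .npmrc registry mapping.
const fixedPkg = {
  name: 'app-harness-demo',
  dependencies: {
    'cordova-harness-internal': 'file:../cordova-harness-internal',
    express: '^4.19.0',
    '@myorg/build-tools': '^2.0.0',
  },
};

function runAudit() {
  return {
    vulnerable: auditDependencies(vulnerablePkg, { privateNames: PRIVATE_NAMES }),
    fixed: auditDependencies(fixedPkg, {
      privateNames: PRIVATE_NAMES,
      scopedRegistries: { '@myorg': 'https://npm.internal.example/' }, // hypothetical .npmrc entry
    }),
    // Same corrected manifest, but the scope mapping was never configured on this machine.
    scopedButUnmapped: auditDependencies(fixedPkg, { privateNames: PRIVATE_NAMES }),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The third scenario is the one that bites in CI: a scoped name is only safe when every machine that runs `npm install` carries the registry mapping, so the audit takes the `.npmrc` mappings as input instead of assuming a scope is private.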
| 2024-04-23 13:09:00 | theregister | CYBERCRIME | Global Cyberattack Detection Times Reach Record Low | Global organizations now detect cyberattacks in a record low average of ten days, down from last year's 16 days, Mandiant reports.
Despite improvements, attackers are adapting by using more sophisticated methods and zero-day vulnerabilities to evade detection.
Ransomware incidents are detected faster than other types of attacks, contributing to the decreased average detection time.
The Asia-Pacific (JAPAC) region improved significantly, dropping its average detection time from 33 days to just nine days.
The Europe, Middle East, and Africa (EMEA) region saw a slight increase in detection times, potentially influenced by volatile situations like the Ukrainian conflict.
Less than half of the intrusions (46 percent) are detected by organizations' internal resources, showing a reliance on external sources for identifying breaches.
Mandiant emphasized the necessity of robust threat hunting programs and comprehensive investigative approaches to improve defensive measures against sophisticated cyber threats. | Details |
| 2024-04-23 12:33:09 | theregister | DATA BREACH | UnitedHealth Faces Extensive Data Breach Impacting Millions | UnitedHealth Group acknowledged a significant data breach following a ransomware attack targeting its subsidiary Change Healthcare.
Personal identifiers and health information affecting a vast number of Americans were involved, with exact figures still undisclosed.
The breach, initiated in February, disrupted services across U.S. hospitals and pharmacies, affecting electronic prescription capabilities.
ALPHV, a known cybercrime group, accessed Change Healthcare's networks using stolen remote access credentials and later activated ransomware.
UnitedHealth has paid a reported $22 million ransom to mitigate the risk of data exposure and is continuously monitoring for leaked data on the dark web.
RansomHub, another cybercriminal entity, claims to have released sensitive patient data from the hack and has demanded further ransom.
Recovery and analysis by third-party cybersecurity experts are expected to take several months, with UnitedHealth estimating financial impacts could reach up to $1.6 billion for the year.
The company ensures ongoing vigilance in data monitoring to prevent further unauthorized disclosures and damages. | Details |
| 2024-04-23 11:29:20 | thehackernews | MISCELLANEOUS | Webinar Invites Executives to Master Supply Chain Threat Hunting | An upcoming webinar titled "Supply Chain Under Siege: Unveiling Hidden Threats" focuses on proactive techniques for identifying and mitigating threats within the supply chain.
The session is designed for cybersecurity professionals and business executives, aiming to equip them with advanced threat-hunting skills.
Industry experts Rhys Arkins and Jeffrey Martin will lead the webinar, offering insights into the evolving landscape of supply chain vulnerabilities.
Participants will learn how to proactively detect and neutralize potential breaches by understanding the complex networks of interconnected systems and third-party interactions.
The webinar emphasizes the importance of staying ahead in cybersecurity by transforming reactive security measures into proactive defenses.
Registration is currently open for those interested in enhancing their capabilities to prevent supply chain attacks and protect their organizations. | Details |
| 2024-04-23 11:08:25 | theregister | RANSOMWARE | Leicester City Council Suffers Ongoing Effects from Ransomware Attack | Leicester City Council was victim to a ransomware attack by INC Ransom in March, affecting its operational systems.
Nearly two months post-attack, the council's streetlight management system is malfunctioning, causing streetlights to stay on continuously.
The council has forced the lights into a default "on" mode to maintain public safety, because it cannot detect and repair faults remotely while the management system is down.
Residents experience inconvenience and disturbance, with expectations for the issue to be resolved by early May, although delays are anticipated based on past recovery predictions.
The ransomware group leaked 1.3 TB of data after the council refrained from paying the ransom, revealing considerable sensitive information.
Leicester City Council's response involved coordinating with local police and the National Cyber Security Centre to navigate consequences without yielding to ransom demands.
The council is in the process of notifying individuals at high-risk due to the breach and prioritizing their security. | Details |
| 2024-04-23 10:26:43 | thehackernews | MISCELLANEOUS | Police Chiefs Discuss Risks of Encryption in Solving Crimes | European Police Chiefs emphasized the growing challenge posed by end-to-end encryption (E2EE) which limits access to crucial data for crime investigation.
Authorities highlighted that privacy measures like E2EE prevent law enforcement from accessing evidence needed to prosecute serious crimes including terrorism and human trafficking.
The U.K. National Crime Agency criticized Meta's decision to implement E2EE in Messenger, arguing it impedes efforts to combat online child sexual abuse.
Police agencies advocate for a balanced approach, where tech companies ensure user privacy and security while still enabling access to data for crime prevention and investigation.
The chiefs' joint declaration asserts that technical solutions allowing both strong security and lawful access to evidence are feasible, but says they require cooperation between governments and the tech industry.
Meta employs various mechanisms to monitor and handle illegal content on platforms like WhatsApp and Instagram, even with E2EE in place, using unencrypted data and user reports.
New features in Instagram aim to protect users through client-side machine learning, analyzing potentially harmful content directly on devices. | Details |
| 2024-04-23 10:26:43 | thehackernews | CYBERCRIME | Exploring the Vast Financial Impact of Global Cybercrime | Cybercrime costs are projected to reach 10.5 trillion USD annually by 2025, up from 3 trillion USD in 2015, reflecting the growing sophistication and success of criminal operations.
Beyond ransomware payments and immediate recovery expenses, businesses face extensive hidden costs including operational disruptions and revenue loss, particularly in key services like finance and healthcare.
Extended downtime not only results in direct revenue loss but also damages reputation, trust, and customer loyalty, potentially leading to a long-term impact on business health.
Data breaches complicate relationships with customers and suppliers, increase regulatory fines, and lead to higher insurance premiums, adding to the financial strain on businesses.
The vulnerability to cyberattacks is exacerbated by human errors, with 88 percent of breaches linked to employee mistakes, emphasizing the need for robust security training and awareness.
Cybersecurity strategies must encompass technological upgrades, employee education, regular security audits, and advanced threat detection to mitigate risks effectively.
National cybersecurity efforts, similar to military defenses, are being increased in countries like the U.S., China, and the UK to combat the evolving threat landscape.
Both individual and organizational efforts are critical in enhancing cybersecurity defenses and reducing vulnerability to cyberattacks. | Details |
| 2024-04-23 10:21:10 | thehackernews | NATION STATE ACTIVITY | German Prosecutors Issue Arrest Warrants for Alleged Chinese Spies | German authorities have issued arrest warrants for three individuals suspected of espionage activities for China.
The suspects reportedly gathered information on technologies and scientific research beneficial to Chinese military capabilities.
A specific instance involved a contract with a German university to study high-performance marine engines for combat ships.
The suspects also illegally exported a laser to China, which falls under EU regulation due to its potential dual-use in military applications.
Separately, another individual was arrested on suspicion of spying on the European Parliament and on Chinese opposition figures in Germany.
These arrests come alongside other international incidents, highlighting a pattern of alleged espionage activities linked to China.
Chinese officials have responded to these accusations, denouncing them as "malicious slander" and criticizing political moves against China. | Details |
| 2024-04-23 08:34:06 | theregister | DATA BREACH | Over a Million UK Neighbourhood Watch Members' Data Exposed | Over a million Neighbourhood Watch members' data was compromised due to a vulnerability in the Neighbourhood Alert communications platform.
The bug allowed unverified users to register as coordinators and access personal information such as names, addresses, and phone numbers without any approval process.
The platform, operated by Nottingham-based VISAV, is endorsed by local authorities across the UK and has over half a million users.
The flaw was identified and reported by a user in late March; because the coordinator view lists members within a drawn area, drawing a large area on the map would have allowed personal data to be harvested in bulk.
Police officers, MPs, and other individuals with elevated privacy needs had their details exposed, increasing the risk of misuse of their information.
VISAV's product director Mike Douglas acknowledged the breach, termed it a "security anomaly," and confirmed that corrective measures were promptly implemented.
The company has informed all potentially affected users and reported the incident to the Information Commissioner's Office (ICO) to comply with regulatory requirements and prevent future incidents. | Details |
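The defect described above is a broken access control: the role that unlocks member data was granted at self-registration with no approval step, and nothing limited how much of the map one account could query. The following Node.js script is an added example and is not VISAV's code: it models the vulnerable flow beside a hardened one, with an in-memory store of three constructed members, an approval step gated on an admin account, and a cap on the area a single lookup may cover. The member records, the `admin` account, the area limit, and the coordinates are all made up.

```javascript
// Added example: self-registration granting a data-access role, shown as a
// vulnerable flow and a hardened one. Not VISAV's code; data is constructed.

// Constructed member records (two near Nottingham, one in London).
const MEMBERS = [
  { id: 1, name: 'A. Resident', address: '1 Example St, Nottingham', phone: '0115 000 0001', lat: 52.950, lon: -1.150 },
  { id: 2, name: 'B. Resident', address: '2 Example St, Nottingham', phone: '0115 000 0002', lat: 52.955, lon: -1.145 },
  { id: 3, name: 'C. Resident', address: '3 Example Rd, London',     phone: '020 0000 0003', lat: 51.500, lon: -0.120 },
];

// Largest bounding box a single lookup may cover, in square degrees
// (assumed policy value; roughly a small town at UK latitudes).
const MAX_AREA_DEG2 = 0.01;

function createPlatform({ requireApproval }) {
  // A pre-existing admin account that vets coordinator applications.
  const accounts = new Map([['admin', { role: 'admin', approved: true }]]);

  return {
    // Vulnerable: the coordinator role is live as soon as anyone signs up.
    // Hardened: the role exists but stays unapproved until an admin vets it.
    registerCoordinator(username) {
      accounts.set(username, { role: 'coordinator', approved: !requireApproval });
    },

    approveCoordinator(actor, username) {
      const a = accounts.get(actor);
      if (!a || a.role !== 'admin') throw new Error('forbidden');
      const target = accounts.get(username);
      if (!target) throw new Error('no such account');
      target.approved = true;
    },

    // The data-exposing endpoint: members inside a drawn bounding box.
    listMembersInArea(username, box) {
      const acct = accounts.get(username);
      if (!acct || acct.role !== 'coordinator') throw new Error('forbidden');
      if (!acct.approved) throw new Error('forbidden: awaiting approval');
      const area = (box.north - box.south) * (box.east - box.west);
      // Hardened only: one request cannot enumerate the whole country.
      if (requireApproval && area > MAX_AREA_DEG2) throw new Error('area too large');
      return MEMBERS
        .filter(m => m.lat >= box.south && m.lat <= box.north && m.lon >= box.west && m.lon <= box.east)
        .map(({ name, address, phone }) => ({ name, address, phone }));
    },
  };
}

function attempt(fn) {
  try { return fn(); } catch (e) { return e.message; }
}

// Replays the harvesting attempt against both builds.
function demo() {
  const ukWide = { south: 49.9, north: 60.9, west: -8.2, east: 1.8 };   // whole UK
  const oneStreet = { south: 52.94, north: 52.96, west: -1.16, east: -1.14 };

  const vulnerable = createPlatform({ requireApproval: false });
  vulnerable.registerCoordinator('anyone');
  const harvested = vulnerable.listMembersInArea('anyone', ukWide).length;

  const hardened = createPlatform({ requireApproval: true });
  hardened.registerCoordinator('anyone');
  const beforeApproval = attempt(() => hardened.listMembersInArea('anyone', ukWide));
  hardened.approveCoordinator('admin', 'anyone');
  const bulkAfterApproval = attempt(() => hardened.listMembersInArea('anyone', ukWide));
  const localAfterApproval = hardened.listMembersInArea('anyone', oneStreet).length;

  return { harvested, beforeApproval, bulkAfterApproval, localAfterApproval };
}

console.log(demo());
```

Both controls matter: the approval gate stops the unverified sign-up, and the area cap limits what a compromised or rogue approved coordinator can pull in one request, which is the part a pure "fix the registration bug" change would leave open.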