Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11815
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-16 11:20:05 | thehackernews | CYBERCRIME | Exploring Cybersecurity’s Hidden Threats in Digital Identity | The rapid evolution of digital landscapes has significantly increased the complexity of cybersecurity threats facing today's organizations.
The introduction of cloud services and the rise of remote working have further exposed digital identities to cyber exploitation, emphasizing the need for strengthened identity security measures.
Our research, "The Identity Underground Report," highlights the overlooked security liabilities in identity management, including forgotten user accounts and configuration errors that criminals exploit.
These identity threat exposures (ITEs) in both on-premise and cloud environments pose serious risks, granting unauthorized access to critical resources.
The report also discusses the challenges faced by organizations in synchronizing on-prem user accounts with cloud Identity Providers (IdPs), which can inadvertently aid attackers.
Key recommendations include enforcing Multi-Factor Authentication (MFA) and investing in a comprehensive identity security program to reduce risk and improve security posture.
By understanding and addressing these vulnerabilities highlighted in the report, organizations are better positioned to mitigate risks and prioritize security investments effectively. | Details |
| 2024-04-16 11:20:05 | thehackernews | MALWARE | Critical Vulnerability Discovered in Popular PuTTY SSH Client | A critical vulnerability in PuTTY versions 0.68 through 0.80 allows full recovery of a user's private key from signatures made with it.
The flaw (CVE-2024-31497) affects ECDSA signatures made with 521-bit NIST P-521 keys: PuTTY derived each per-signature nonce from a 512-bit hash, so the top 9 bits of every nonce were zero instead of the value being uniformly random.
An attacker who collects several dozen (about 60) signatures made with such a key, for example from SSH logins to a server they control or from signed Git commits, together with the public key can recover the private key and forge signatures.
Every server that accepts the key for authentication is then exposed; PuTTY advises treating affected keys as compromised, removing them from authorized_keys files, and updating to the patched release 0.81.
The same flaw is present in other software that bundles PuTTY's code, including FileZilla, WinSCP, and TortoiseGit, all of which have released fixed versions.
The fix switches PuTTY to the deterministic nonce generation of RFC 6979, which the researchers recommend for other implementations to avoid similar bias.
Affected users should update and regenerate any ECDSA NIST P-521 key that was ever used with a vulnerable version; other key types (RSA, Ed25519, ECDSA over P-256 and P-384) are not affected. | Details |
| 2024-04-16 10:49:20 | theregister | MISCELLANEOUS | Google Settlement Faces Pushback Over Nonprofit Beneficiaries | Google's $62 million settlement over tracking users' locations even after they had turned location tracking off faces objections over how the money is distributed and to whom.
Critics argue that allocating the funds to progressive nonprofits rather than directly to affected users raises fairness and bias concerns.
The settlement's named recipients include the ACLU and the Electronic Frontier Foundation, which would receive $6 million each.
Objector Theodore Frank of the Hamilton Lincoln Law Institute argues that paying the money directly to the millions of class members is feasible, challenging the need for cy pres awards to nonprofits.
Frank pointed to potential conflicts of interest and ideological leanings among the nonprofit beneficiaries that could alienate some class members.
The dispute centers on whether the chosen beneficiaries serve the interests of all class members and on possible conflicts of interest involving the lawyers in the case.
A court hearing scheduled for April 18, 2024, will address these objections and may influence the final terms of the settlement. | Details |
| 2024-04-16 08:41:47 | thehackernews | DATA BREACH | Cerebral Fined $7M by FTC for Privacy Breaches, Misleading Policies | The U.S. Federal Trade Commission (FTC) fined Cerebral $7 million for unlawfully sharing users' sensitive health data with third-party advertisers.
Cerebral was accused of failing to disclose that consumer data would be used for advertising, contrary to its claims of a "safe and secure" service.
The personal health information of nearly 3.2 million consumers, including medical histories and insurance details, was shared with companies such as LinkedIn, Snapchat, and TikTok.
The FTC highlighted Cerebral's deceptive practices, including burying data sharing details in complex privacy policies and sending unsealed postcards revealing patient diagnoses.
Former employees were able to access patient data through insecure methods from May to December 2021, breaching privacy safeguards.
Under the FTC's proposed order, Cerebral must cease disclosing health information for marketing and implement a comprehensive data security program.
Cerebral is also required to inform users about the privacy violations and provide options for users to have their data deleted. | Details |
| 2024-04-16 07:35:10 | thehackernews | CYBERCRIME | Global Arrests in Malware Distribution and Cryptojacking Scheme | The U.S. Department of Justice and the Australian Federal Police have made arrests connected to the sale and distribution of the Hive RAT remote access trojan.
Edmond Chakhmakhchyan from Los Angeles was arrested for selling Hive RAT licenses and offering customer support while explicitly advertising the malware's capabilities on a cybercrime forum.
Hive RAT enables users to remotely access and control other people’s computers, steal credentials, and potentially engage in further criminal activities.
The Australian suspect, whose identity remains undisclosed, has been charged with multiple counts related to the creation and distribution of the malware.
Concurrently, another individual, Charles O. Parks III, was arrested for orchestrating a large-scale cryptojacking operation that defrauded major cloud providers, utilizing stolen computing resources for cryptocurrency mining.
Parks employed deceptive practices to exploit elevated cloud computing privileges without payment, causing substantial financial losses to cloud service providers.
Together, these arrests show coordinated law enforcement action against both malware distribution and cryptojacking. | Details |
| 2024-04-15 22:39:40 | theregister | CYBERCRIME | Critical Security Flaw Found in Chirp Smart Locks, Thousands at Risk | Chirp Systems' smart locks can be remotely unlocked because the vendor's Android app contains hard-coded credentials.
Over 50,000 households using Chirp-powered locks are at risk of strangers opening their doors.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory rating the flaw CVSS 9.1 (critical).
Although the issue was reported to Chirp three years ago, it went unaddressed until the CISA advisory prompted an app update described only as "bug fixes and improved stability."
No exploitation in the wild is known, but a working exploit would grant unrestricted physical access to affected homes.
Chirp updated its software after CISA's warning, but the vague release notes and the years-long delay leave doubts about whether the fix is complete.
Chirp was acquired by RealPage in 2020, which is itself owned by private equity firm Thoma Bravo, raising questions about accountability and responsiveness to critical flaws. | Details |
| 2024-04-15 21:58:47 | bleepingcomputer | RANSOMWARE | Ransomware Gang Leaks Data from United Health's Change Healthcare | The RansomHub ransomware gang has begun leaking data it claims was stolen from Change Healthcare, a UnitedHealth Group subsidiary.
The BlackCat/ALPHV ransomware group originally claimed the February cyberattack, which disrupted major US healthcare services and reportedly involved the theft of 6 TB of data.
Under law enforcement pressure, BlackCat then shut down its operation in what looked like an exit scam: a $22 million ransom reportedly paid by Change Healthcare was kept by the operators rather than shared with the affiliate who carried out the attack.
That affiliate, known as "Notchy", subsequently partnered with RansomHub to extort Change Healthcare a second time, threatening to sell the stolen data if their demands were not met.
The leaked samples include sensitive corporate and patient information, such as data-sharing agreements with insurance providers and detailed patient billing records.
RansomHub has given Change Healthcare a five-day deadline to pay before it sells the data to other parties.
BleepingComputer has contacted Change Healthcare for comment, but no official statement has been issued. | Details |
| 2024-04-15 20:35:59 | bleepingcomputer | MALWARE | Global Attack Campaign Uses Image Steganography to Spread Malware | The TA558 hacking group is using steganography, hiding malicious code inside image files, to deliver malware.
The campaign, dubbed SteganoAmor, has targeted over 320 organizations worldwide, especially in the hospitality and tourism sectors.
Attacks begin with malicious emails carrying Office attachments that exploit CVE-2017-11882, a memory corruption flaw in the Equation Editor component, so only systems running unpatched Office versions are affected.
The payload is split across legitimate-looking document attachments and images, which are fetched from legitimate services such as Google Drive.
Positive Technologies observed a range of final payloads, including remote access trojans and information stealers, delivered through these tactics.
Hosting the malware and command-and-control infrastructure on legitimate cloud and FTP services helps the campaign evade traditional antivirus detection.
Applying the Microsoft Office updates that fix CVE-2017-11882 (available since November 2017) neutralizes the initial exploit. | Details |
| 2024-04-15 19:14:08 | bleepingcomputer | MISCELLANEOUS | Microsoft Sets New Email Limits to Curb Spam Abuse | Microsoft plans to impose a daily limit of 2,000 external recipients for bulk emails via Exchange Online starting January 2025.
The new limit aims to prevent the misuse of Exchange Online services and ensure fair usage among all users.
This new External Recipient Rate (ERR) limit will act as a sub-limit within the existing 10,000 recipient limit per day.
Customers needing to exceed the 2,000 external recipient limit will be required to transition to Azure Communication Services for Email.
Google has taken a similar path, tightening its spam defenses with stricter requirements for bulk email senders.
Bulk senders to Gmail users (5,000 or more messages a day) must now authenticate their domains with both SPF and DKIM, publish a DMARC policy, support one-click unsubscribe, and keep spam complaint rates low.
Failure to comply with Google's new guidelines will lead to rejection of the emails by Gmail. | Details |
| 2024-04-15 18:11:15 | bleepingcomputer | CYBERCRIME | Crypto Miner Indicted for $3.5 Million Cloud Computing Fraud | Charles O. Parks III was arrested and charged with wire fraud, money laundering, and unlawful monetary transactions for running cryptocurrency miners on fraudulently obtained cloud servers.
Parks employed fake corporate identities to establish accounts with major cloud service providers, costing them $3.5 million.
He mined cryptocurrencies, including Ether, Litecoin, and Monero, using illicitly obtained computing resources.
He tricked the providers into approving elevated privileges and service levels, giving him access to powerful GPU-equipped servers.
Parks laundered the mined cryptocurrencies through NFTs and various online exchanges, converting them into USD to finance a high-end lifestyle.
The indictment notes Parks left substantial unpaid bills at the cloud providers, directly impacting their financials.
An initial court appearance has been scheduled; according to the report, the charges could lead to a prison sentence of up to 30 years.
The report closes with guidance for cloud providers on detecting and preventing similar fraud. | Details |
| 2024-04-15 16:53:12 | thehackernews | DATA BREACH | Unpatched Security Flaw in Intel, Lenovo BMCs Raises Risks | Binarly identified a vulnerability in the Lighttpd web server bundled in Intel and Lenovo baseboard management controller (BMC) firmware that remains unpatched in those products.
The bug was fixed upstream in Lighttpd 1.4.51 in August 2018, but the fix shipped silently with no CVE identifier or advisory, so downstream firmware vendors never picked it up.
It is an out-of-bounds read in HTTP request header handling that lets an attacker read process memory, leaking addresses that can be used to defeat ASLR.
Intel and Lenovo say the affected BMC products have reached end-of-life and will not be updated, leaving a "forever-day" bug.
The case highlights the risk of outdated third-party components in firmware and its impact on supply chain and end-user security.
Without a detailed advisory for a security fix, the firmware and software supply chains downstream have no signal that they need to act. | Details |
| 2024-04-15 16:02:06 | bleepingcomputer | DATA BREACH | Dutch Chipmaker Nexperia Targeted in Ransomware Data Breach | Nexperia, a Dutch chipmaker, disclosed that attackers gained unauthorized access to some of its IT servers in March 2024.
The Dark Angels ransomware gang, through its 'Dunghill Leak' extortion site, claimed the attack and threatened to release 1 TB of stolen data.
Nexperia's initial response was to shut down the affected IT systems and disconnect them from the internet to contain the incident.
The company has engaged cybersecurity firm Fox-IT to assist with the investigation and to determine the nature and extent of the breach.
Nexperia reported the breach to law enforcement and data protection authorities in the Netherlands.
Stolen data allegedly includes microscope scans of electronic components, employee passports, and non-disclosure agreements.
No confirmation has been made by Nexperia regarding the authenticity of the data samples leaked online by the ransomware group. | Details |
| 2024-04-15 15:36:32 | theregister | DATA BREACH | Roku Enforces 2FA Following Two Significant Account Breaches | Roku has made two-factor authentication (2FA) mandatory for all accounts after approximately 591,000 user accounts were taken over in two separate incidents.
The initial breach affected 15,363 accounts, prompting closer monitoring which then uncovered a second, larger breach impacting around 576,000 accounts.
Fewer than 400 of these compromised accounts were used to make unauthorized purchases of subscriptions and Roku hardware.
All affected customers have been reimbursed, and Roku reports no access to sensitive information such as full payment details or social security numbers.
Both incidents were credential stuffing attacks: the attackers replayed username and password pairs leaked in breaches of other services against Roku's login page.
Roku confirmed its own systems were not compromised and that the credentials were obtained from external sources.
All Roku users, regardless of whether they were affected, are advised to reset passwords and use unique, strong passwords managed with tools like password managers.
Roku expressed regret for the incidents and reassured customers of their commitment to securing user accounts and data. | Details |
| 2024-04-15 15:05:42 | bleepingcomputer | RANSOMWARE | Daixin Ransomware Gang Targets Omni Hotels, Threatens Data Leak | The Daixin Team ransomware gang claimed responsibility for a cyberattack on Omni Hotels & Resorts, threatening to release sensitive customer data.
Following the attack, Omni Hotels experienced a significant IT systems outage affecting reservations, hotel room door locks, and POS systems nationwide.
Omni detected the attack on March 29 and confirmed it on April 2, taking immediate steps with outside cybersecurity experts to contain and assess the breach.
Sources confirmed the incident was a ransomware attack; Omni restored services from backups.
Daixin Team has added Omni Hotels to their dark web leak site but has not yet provided evidence of the stolen data.
Allegedly, the stolen data includes detailed records of all guests from 2017 to the present.
Previously, in October 2022, U.S. agencies warned that Daixin was targeting the U.S. Healthcare and Public Health sector, using similar ransomware and extortion tactics.
Omni Hotels, with extensive operations across North America, also experienced a data breach in 2016 involving POS malware that compromised payment card information. | Details |
| 2024-04-15 14:55:05 | bleepingcomputer | DATA BREACH | Cisco Duo Alerts to Third-Party Breach of SMS MFA Logs | Cisco Duo has notified customers of a breach at a third-party telephony provider that delivers its SMS and VoIP multi-factor authentication (MFA) messages.
Attackers phished an employee of the provider to obtain credentials, then downloaded message logs for specific Duo accounts covering March 1 to March 31, 2024.
The logs contain message metadata (phone numbers, carriers, and delivery details) but not message contents; that metadata could still be used for targeted SMS phishing aimed at harvesting corporate credentials.
Cisco has been actively coordinating with the affected provider to investigate and mitigate the incident, reassuring that no messages were accessed or sent out by the intruders.
All affected message logs have been secured, and customers can request details by contacting Cisco Duo; additional security measures have also been implemented.
The company advised customers, particularly those with exposed employee data, to stay vigilant against possible SMS phishing or social engineering attacks using the stolen information.
Cisco has yet to reveal the identity of the compromised telephony provider or the exact number of customers affected by the breach. | Details |
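
The PuTTY item above says only ECDSA NIST P-521 keys need rotation. A practical first step is to find every such key in the authorized_keys and known_hosts files you control. The scanner below is an added example written for this brief, not code from PuTTY or from the article: it parses the OpenSSH public key wire format (RFC 4251 length-prefixed strings) to read the key type and curve name from the base64 blob, rather than trusting the text label alone. The sample file contents are constructed, with placeholder point data and a hypothetical host `git.example.com`.

```python
import base64
import struct
from typing import List, Optional, Tuple

# Key type affected by CVE-2024-31497: ECDSA over NIST P-521 (521-bit order).
# RSA, Ed25519, and ECDSA over P-256/P-384 are not affected.
AFFECTED_CURVE = "nistp521"


def ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated blob")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + n > len(blob):
        raise ValueError("truncated blob")
    return blob[start:start + n], start + n


def parse_key_blob(b64: str) -> Tuple[str, Optional[str]]:
    """Return (key type, curve name or None) from a base64 public key blob."""
    blob = base64.b64decode(b64, validate=True)
    key_type, off = ssh_string(blob, 0)
    curve = None
    if key_type.startswith(b"ecdsa-sha2-"):
        curve, off = ssh_string(blob, off)  # curve name follows the type
    return key_type.decode(), curve.decode() if curve is not None else None


def find_affected_keys(text: str) -> List[Tuple[int, str, str]]:
    """Scan authorized_keys / known_hosts formatted text and return
    (line number, key type, remaining fields) for every P-521 ECDSA key.

    Limitation: key-option prefixes with quoted spaces (command="...") are
    not handled by the simple whitespace split used here."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            declared = fields[i]
            if not declared.startswith(("ssh-", "ecdsa-", "sk-")):
                continue
            try:
                key_type, curve = parse_key_blob(fields[i + 1])
            except (ValueError, struct.error):
                continue  # the next field was not a key blob
            if key_type != declared:
                continue  # blob type must match the declared type
            if curve == AFFECTED_CURVE:
                context = " ".join(fields[:i] + fields[i + 2:])
                hits.append((line_no, key_type, context))
            break
    return hits


def build_blob(key_type: bytes, curve: Optional[bytes], point: bytes) -> str:
    """Build a base64 public key blob in SSH wire format. Used only to construct
    the sample lines below; the point bytes are placeholders, not valid points."""
    parts = [key_type] + ([curve] if curve else []) + [point]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()


# Constructed sample file contents: not real keys, hosts, or users.
SAMPLE = "\n".join([
    "# authorized_keys style entries",
    "ecdsa-sha2-nistp521 " + build_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + build_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)) + " bob@desk",
    "ssh-ed25519 " + build_blob(b"ssh-ed25519", None, bytes(32)) + " carol@ci",
    "# known_hosts style entry",
    "git.example.com ecdsa-sha2-nistp521 " + build_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)),
])

if __name__ == "__main__":
    for line_no, key_type, context in find_affected_keys(SAMPLE):
        print(f"line {line_no}: {key_type} ({context}) - rotate if ever used with PuTTY 0.68-0.80")
```

A hit only means the key is of the affected type; it needs rotation if it was ever used to sign with a vulnerable PuTTY, WinSCP, FileZilla or TortoiseGit build. A P-521 host key in known_hosts is not itself at risk (the server signs with its own software), but it is worth checking whether that server's key was generated or used on a Windows client.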
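
The Roku item above attributes both incidents to credential stuffing, where leaked username and password pairs from other breaches are replayed against a login page. From the service's side, such a run has a recognizable shape: one source makes one or two attempts against many distinct accounts with a high failure ratio, unlike a brute-force attack (many attempts against one account) or a legitimate user. The detector below is an added example for this brief, not Roku's code or anything from the article; the log format (`timestamp ip=... user=... result=...`) and the sample lines are constructed, using RFC 5737 documentation addresses.

```python
from collections import defaultdict
from typing import Dict, Tuple


def parse_auth_line(line: str) -> Tuple[str, str, str, bool]:
    """Parse one 'ts key=value ...' auth event into (ts, ip, user, success)."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return ts, kv["ip"], kv["user"], kv["result"] == "ok"


def detect_credential_stuffing(log_text: str, min_accounts: int = 5,
                               min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts with a high failure
    ratio. Successful logins inside such a run are likely account takeovers
    and are reported so they can be locked and the users notified.
    Thresholds are assumptions for the example; tune them per service."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                  "attempts": 0, "failures": 0})
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, ip, user, ok = parse_auth_line(line)
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["ok_users"].add(user)
        else:
            stats["failures"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts": len(stats["users"]),
                "attempts": stats["attempts"],
                "fail_ratio": round(fail_ratio, 2),
                "takeovers": sorted(stats["ok_users"]),
            }
    return flagged


# Constructed sample log: a stuffing run from 203.0.113.7 (six accounts, one
# success), a brute-force run from 198.51.100.2 (one account), and a normal
# user from 192.0.2.9.
SAMPLE_LOG = """\
# ts ip user result
2024-04-15T10:00:01Z ip=203.0.113.7 user=u1001 result=fail
2024-04-15T10:00:02Z ip=203.0.113.7 user=u1002 result=fail
2024-04-15T10:00:02Z ip=203.0.113.7 user=u1003 result=ok
2024-04-15T10:00:03Z ip=203.0.113.7 user=u1004 result=fail
2024-04-15T10:00:03Z ip=203.0.113.7 user=u1005 result=fail
2024-04-15T10:00:04Z ip=203.0.113.7 user=u1006 result=fail
2024-04-15T10:00:05Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:00:06Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:00:07Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:00:08Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:00:09Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:00:10Z ip=198.51.100.2 user=admin result=fail
2024-04-15T10:01:00Z ip=192.0.2.9 user=u2001 result=ok
2024-04-15T10:05:00Z ip=192.0.2.9 user=u2001 result=ok
"""

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts, fail ratio {info['fail_ratio']}, "
              f"likely takeovers {info['takeovers']}")
```

The example aggregates over the whole log for brevity; in production the same counters are kept per source (IP, ASN, or device fingerprint) over a sliding window, since stuffing tools rotate through proxies to stay under per-IP thresholds. The "takeovers" list is the actionable output: those accounts were opened with a valid password, which is exactly why Roku's mandatory 2FA matters more than the password reset advice alone.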