Daily Brief

ASUS has issued a critical firmware update for seven router models due to a severe authentication bypass flaw identified as CVE-2024-3080, with a CVSS score of 9.8. The vulnerability allows unauthenticated, remote attackers to gain control of affected routers without needing login credentials. Affected router owners are urged to update their firmware immediately or strengthen their device security settings if immediate update isn't possible. Recommendations include enforcing strong passwords, disabling internet access to administration panels, and turning off features like port forwarding and VPN server. The update also fixes another high-severity issue, CVE-2024-3079, a buffer overflow vulnerability that can be exploited with admin access. Additionally, ASUS responded to CVE-2024-3913, impacting multiple router models with a critical arbitrary firmware upload flaw. Not all models will receive updates as some have reached end-of-life status, suggesting alternate mitigation options per model. Alongside the router firmware upgrades, a new version of Download Master for ASUS routers has been released to tackle five less severe, but significant, security threats.

Microsoft is set to improve cybersecurity for personal Outlook email accounts by phasing out basic authentication by September 16, 2024. This move is aimed at decreasing vulnerability by replacing basic authentication with token-based authentication and multi-factor authentication (MFA). The change will see the end of support for the 'Mail' and 'Calendar' apps on Windows and the 'light' version of the Outlook Web App due to security concerns. Users of older Outlook versions which rely on basic authentication will need to switch to more recent email clients that support modern authentication methods. Microsoft is ceasing the ability to access Gmail accounts via Outlook.com from June 30, 2024; however, standalone Outlook clients for Windows and Mac will retain this functionality. Enhancements are part of Microsoft's 'Secure Future Initiative' aimed at bolstering user security amid rising email-based cyberattacks. The firm suggests users with Microsoft 365 subscriptions to utilize the Outlook version included, ensuring full compatibility and security.

The Smishing Triad, a threat group possibly Chinese-speaking, has expanded its operations to Pakistan with malicious SMS scams using Pakistan Post's identity. Targets receive fake messages about failed package deliveries and are tricked into entering financial details on fraudulent websites. Google detailed the activities of PINEAPPLE, a threat actor distributing the Astaroth malware in Brazil using spam with tax and finance-themed lures. PINEAPPLE exploits cloud services like Google Cloud, Amazon AWS, and Microsoft Azure to deliver malware across Brazil and LATAM. UNC5176, a Brazil-based cluster, targets sectors like financial services and healthcare with URSA malware, capable of stealing extensive personal data. New threat actor FLUXROOT uses cloud services to host phishing pages and distribute the Grandoreiro banking trojan in Latin America. An additional threat actor, Red Akodon, targets organizations across multiple sectors in Colombia, using phishing emails designed to steal credentials.

A Pakistan-based threat actor, UTA0137, has been targeting Indian government entities using a malware named DISGOMOJI. DISGOMOJI, a Golang-based malware aimed at Linux systems, uses Discord for command and control via emoji-encoded messages. The malware infiltrates systems through spear-phishing campaigns delivering a malicious Golang ELF binary within a ZIP file. Once installed, DISGOMOJI downloads a benign document as a decoy while secretly fetching the malware payload from a remote server. Volexity discovered variations of DISGOMOJI with features for establishing persistence, avoiding duplication, and hiding its real functionality to impede analysis. The attackers also utilize legitimate tools like Nmap, Chisel, and Ligolo for networking tasks, and have exploited the DirtyPipe vulnerability for privilege escalation. In a specific user manipulation tactic, the malware displays a fake Firefox update dialog to trick users into surrendering their passwords. Continuous improvements to DISGOMOJI indicate an evolving threat capability and ongoing espionage activity against the Indian government.

Meta has delayed training its large language models (LLMs) on EU user data following concerns raised by the Irish Data Protection Commission (DPC). The planned data utilization was based on the 'Legitimate Interests' legal ground without explicit consent from users which contradicts the EU's GDPR requirements. The delay affects the use of public Facebook and Instagram content from adult users in the European Union, intended to enhance AI's contextual understanding. Meta argues that the restriction will hinder European competitive edge in AI innovation and adaptability, resulting in a "second-rate experience" in AI applications. Collaboration with both the DPC and the UK’s Information Commissioner's Office (ICO) is ongoing to seek compliance and acceptance for the AI tools. Austrian non-profit organization, noyb, filed a complaint in 11 EU countries alleging that Meta's AI data practices violate GDPR privacy laws. Meta remains "highly confident" that its data handling tactics comply with European laws, despite criticisms and legal challenges from privacy advocates.

Microsoft President Brad Smith testified before Congress, acknowledging the company's security shortcomings and defending its operations in China. The U.S. government, including the White House and Congress, are urged to take action to prevent further security breaches linked to Microsoft, leveraging tools from executive orders to revised federal spending. A Homeland Security report criticized Microsoft for "avoidable errors" that allowed Chinese-backed cyberspies to access sensitive U.S. government emails via Microsoft's Exchange Online. Despite the risks, Smith claimed Microsoft is not compelled by Chinese law to hand over data or provide governmental snooping services, a statement met with skepticism by some members of Congress. Discussions highlighted the potential national security threats due to the U.S. government's heavy reliance on Microsoft for cloud infrastructure, operating systems, and security products. There are calls for an independent evaluation of security tools offered by Microsoft and potentially exploring other vendor options to enhance cybersecurity diversity and effectiveness. Senators have questioned the Pentagon's continued investment in Microsoft products despite these security issues, suggesting a reassessment of contractual decisions with the company. The ongoing debate emphasizes the need for a robust government strategy to ensure software accountability and secure procurement practices at the federal level.

Stanford Internet Observatory (SIO), known for highlighting social media disinformation, is undergoing management changes and staff reductions. The restructuring follows the departure of research director Renee DiResta and amidst legal pressures from conservative groups critiquing the organization's role in online speech moderation. Despite these changes, a Stanford spokesperson affirmed that SIO will not disband but will continue its mission, focusing areas such as child safety but reducing its focus on election misinformation. The changes occur during crucial political periods in both the US and UK, raising questions about the timing and impact on election integrity research. Last year, SIO faced significant pressure from the Subcommittee on the Weaponization of the Federal Government, which demanded documents related to their moderation activities. SIO's involvement in the Election Integrity Partnership and the Virality Project targeted it for lawsuits and legal scrutiny, alleging violation of First Amendment rights due to perceived government collaboration in censorship. These legal and political challenges have led to substantial legal costs for Stanford, as well as concerns over the chilling effects on freedom of inquiry and academic research integrity.

Keytronic, a large PCBA manufacturer, confirmed a data breach following a ransomware attack by the Black Basta group. The cyberattack occurred on May 6, disrupting operations and causing Keytronic to shut down facilities in the U.S. and Mexico for two weeks. The attack led to the theft of 530GB of sensitive data, including HR, finance, and engineering information, as well as personal details such as employees' passports and social security cards. Keytronic disclosed in an SEC filing that the breach will materially impact their financial condition in the fourth quarter of 2024, with already $600,000 spent on external cybersecurity responses. The company is in the process of notifying affected parties and regulatory agencies as required, following the new SEC guidelines. The Black Basta ransomware operation, believed to include former members of the Conti group, has claimed responsibility for this and several other significant breaches in various sectors.

Meta has paused its AI training plans using European user data following concerns from European data protection agencies, particularly led by Ireland. The decision prevents Meta from utilizing Facebook and Instagram posts from EU citizens to train its large language models (LLMs), claiming this will delay AI advancements and offerings in Europe. Meta expressed disappointment, stating this move contradicts their efforts to incorporate regulatory feedback and could hinder European technological innovation. However, European Data Protection Commissioner and privacy advocates have welcomed this decision, with continued engagement planned to address data usage and privacy concerns. Meta intended to use only public posts for AI training and had included options for European users to opt out, which were not made available to non-EU users. Without EU data, Meta argues its AI won't effectively understand regional languages or cultural contexts, resulting in a compromised service quality for European users. Meta has committed to ongoing collaboration with European regulators, including resolving specific issues raised by the UK's Information Commissioner’s Office. The decision has broader implications for AI development policies, emphasizing the need for privacy assurance in the early stages of technological development.

Mozilla Firefox has introduced a feature in version 127 that requires device credentials to access stored passwords in its browser's password manager. This security update necessitates the use of biometrics, system passwords, or pins, preventing unauthorized access to credentials during local or remote device access. The security feature aligns Firefox with other browsers like Google Chrome and Microsoft Edge, which already employ similar authentication measures for accessing saved login details. Although this update secures the password manager from unauthorized physical access, it does not protect against information-stealing malware that can decrypt stored credentials. Mozilla recommends setting a Primary Password as an added layer of security, which encrypts the password database and is solely known to the user. Despite enhanced protections, the Primary Password can still be brute-forced, making it crucial to use a long and complicated password to enhance security. Firefox's implementation helps in balancing user convenience with increased security measures for managing web credentials.

A Nigerian, Ebuka Raphael Umeti, was convicted by the U.S. Department of Justice for his role in a $1.5 million business email compromise (BEC) scam. Alongside two alleged co-conspirators, Umeti utilized social engineering and malicious software to defraud companies through deceptive emails. The scammers successfully extracted $571,000 from a New York wholesaler and $400,000 from a Texan metal supplier by impersonating legitimate business entities. Starting in 2020, the group expanded their operations to include malware developed by a new participant, Saudi national Mohammed Naji Mohammedali Butaish. Umeti and his Nigerian accomplice, Franklin Ifeanyichukwu Okwonna, were arrested in January 2023 and found guilty, while the third accomplice remains at large due to lack of extradition treaty with Saudi Arabia. Umeti faces up to 102 years in prison, though actual sentencing might be less severe; sentencing is scheduled for late August 2023.

Last week, a ransomware attack by Synnovis, affecting multiple London hospitals, forced over 800 operations and 700 outpatient appointments to be cancelled. The attack, attributed to the Qilin ransomware operation, occurred on June 3, severely disrupting the affected hospitals' pathology services. While emergency departments remained operational, many procedures dependent on pathology services had to be postponed. NHS England warns that the disruption could persist for months, with Synnovis focusing on recovery efforts to restore IT functionality gradually. The attack has exacerbated existing challenges in the healthcare system, leading to a shortage of blood supplies, particularly types O-positive and O-negative, essential for urgent medical procedures. The rise in ransomware activities, including the recent increase in Qilin attacks, underscores ongoing threats to global healthcare infrastructure and the need for enhanced cybersecurity measures. Despite the initial downtime of Qilin's leak site post-attack, it is now back online, with the gang yet to officially claim responsibility for the breach.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a severe Windows flaw, CVE-2024-26169, as being exploited in ransomware attacks. This vulnerability in the Windows Error Reporting service allows attackers to gain SYSTEM permissions without user interaction, classified as a zero-day due to its active exploitation. Microsoft issued a fix for this issue on March 12, 2024, though not initially labeled as exploited in the security advisory. Investigations by Symantec attribute the exploitation of this vulnerability to the Black Basta ransomware group, noting the use of exploit tools dating back to December 2023. The Cybersecurity agency has given Federal Civilian Executive Branch Agencies (FCEB) a July 4 deadline to secure their systems against this vulnerability, under directive BOD 22-01. Beyond federal agencies, all organizations are strongly encouraged to patch this flaw due to its potential to facilitate widespread ransomware attacks. Black Basta, identified as a significant threat, has been responsible for over 500 organizational breaches and extorted at least $100 million in ransoms.

Nagaraju Kandula, a former employee of National Computer Systems (NCS), was sentenced to two years and eight months in prison for deleting 180 virtual servers. Kandula pleaded guilty to the act, which was driven by spite after being terminated from his job due to poor performance. The malicious activity caused significant financial damage to NCS, amounting to approximately $678,000. Kandula had retained access to the company’s systems due to NCS’s oversight in not invalidating his credentials post-termination. Over several months, he accessed the NCS system multiple times, testing and eventually executing a script that wiped the servers. The servers involved were primarily used for quality assurance within software testing, preventing a compromise of sensitive information. This incident underscores the critical need for companies to secure their systems against former employees by immediately revoking access and changing passwords.

Nagaraju Kandula, a former quality assurance employee at National Computer Systems (NCS), was sentenced to 2.5 years in prison for deleting 180 virtual servers. Kandula, angered by his termination due to poor performance, took revenge by using his still-active company credentials to sabotage the Singapore-based IT firm. His unauthorized access between January and March 2023 enabled him to test and execute a script that wiped the servers on March 18-19, causing an estimated $678,000 in damages. The deleted servers belonged to a software testing environment, and the incident reportedly resulted in no leakage of sensitive information, minimizing the potential additional risks. The incident underscores the importance of revoking access rights and updating passwords immediately after an employee is dismissed to prevent potential security breaches. Police tracked down Kandula through the IP address associated with the sabotaging activities; his laptop and the malicious script were seized upon his arrest. This case highlights the catastrophic consequences of not adequately securing administrative credentials post-employee termination.