Daily Brief

Summaries below are automatically generated.

Total articles found: 12731

Checks for new stories every ~15 minutes

2024-06-07 18:49:53 bleepingcomputer DATA BREACH Frontier Communications Reports Large-Scale Data Breach Affecting 750,000 Customers
Frontier Communications disclosed a cyberattack in mid-April 2024 in which an attacker gained unauthorized access to its IT systems. Personal data of approximately 750,000 customers, including full names and Social Security numbers, was exposed. The RansomHub ransomware group claimed responsibility and threatened to sell or leak the data unless its demands were met. Frontier has notified affected customers and is offering one year of free credit monitoring and identity theft services through Kroll. According to Frontier, no customer financial information was compromised. The company shut down some systems to contain the attack and says it has since strengthened its network security. Customers experienced connectivity issues during the incident, an operational impact beyond the data exposure itself. Frontier continues to investigate the full scope of the breach and advises customers to be wary of unsolicited communications and to monitor their accounts closely.
2024-06-07 18:13:58 theregister DATA BREACH Frontier Communications Confirms Data Breach Affecting 750K
Frontier Communications acknowledged in a regulatory filing that the breach affects 751,895 individuals. The compromised information comprises names and Social Security numbers; Frontier says no financial data was involved. The intrusion was detected on April 14, and Frontier activated its incident response plan, engaged outside cybersecurity experts and put additional security measures in place to contain it. Law enforcement and the relevant regulators have been notified. The RansomHub ransomware group, which has hit other high-profile targets, claims to have stolen far more extensive data and has offered it for sale on its leak blog, a claim Frontier disputes. Frontier says it has hardened its network against further unauthorized access.
2024-06-07 16:42:23 bleepingcomputer MISCELLANEOUS Microsoft Enhances Security for Windows Recall with Opt-In and Encryption
Microsoft has made the Windows Recall feature for Copilot+ PCs opt-in rather than on by default, responding to substantial customer criticism. Enabling Recall or opening its timeline now requires Windows Hello authentication, and the feature checks for proof of presence so that only the enrolled user can view stored activity. Recall's data remains encrypted at rest and is decrypted 'just in time' only after the user authenticates, narrowing the window in which another process or user on the machine could read it. Recall periodically takes screenshots and builds a searchable index of what the user did, so that past activity can be retrieved with natural-language queries. Microsoft has not said whether these defaults will also apply to enterprise deployments, a point corporate customers have raised. The changes answer the initial criticism that Recall's locally stored snapshots and index were readable by other software on the PC.
2024-06-07 16:01:27 thehackernews MISCELLANEOUS Webinar Aims to Enhance Cybersecurity with Simple Strategies
2023 witnessed a surge in cyberattacks, including ransomware, DDoS, and data breaches. Many incidents could have been prevented with improved cyber hygiene practices. An upcoming webinar will guide participants on optimizing cybersecurity efforts. Key focus areas include defense, deterrence, and cost-effective compliance in cyber hygiene. Attendees will learn essential strategies to protect against various types of cyber threats. The webinar includes sessions on Attack Surface Discovery, Penetration Testing, and Red Teaming. Registration is open for those looking to enhance their organization's security preparedness.
2024-06-07 15:50:57 thehackernews MALWARE Advanced LightSpy macOS Spyware Discovered with Broad Surveillance Features
Researchers at ThreatFabric have identified a macOS variant of the LightSpy spyware previously seen on iOS and Android. The sample exploits CVE-2018-4233 (a WebKit flaw in Safari) and CVE-2018-4404, with part of the exploit code apparently borrowed from the Metasploit framework, and targets macOS 10. LightSpy has a plugin-based architecture that can capture microphone audio, camera snapshots, screen recordings, files, browser data and iCloud Keychain contents. The chain starts with the WebKit exploit delivering a Mach-O binary disguised as an image, which in turn downloads further payloads that gain root and establish persistence. The implant contacts a command-and-control server for tasking and downloads plugins on demand to extend its capabilities. ThreatFabric traced this macOS variant to about 20 infected devices since January 2024, mostly test devices, and gained access to the operators' command-and-control panel through a misconfiguration, which yielded further insight into the operation and its targets. The discovery adds to a broader pattern of cross-platform surveillance malware used for targeted espionage.
2024-06-07 15:09:58 theregister DATA BREACH Cisco Patches WebEx Bug Exposing Sensitive Government Meetings
Cisco has fixed several WebEx flaws that exposed information about sensitive government meetings. The bugs allowed unauthorized access to metadata from around 10,000 meetings involving Dutch officials, including meeting times, participant identities and agendas. German officials may also be affected; some of their government meetings were held in WebEx sessions without password protection. The investigation was triggered by a German press report in May 2024 that the flaws had been used to obtain detailed meeting information. Dutch and German authorities are still assessing how much was accessed. No direct evidence of exploitation by a hostile state actor has been reported, but the possibility has prompted a review of video-conferencing security practices. Cisco says the fixes were fully deployed by May 28, 2024 and that it has notified affected customers based on the logs available to it; it continues to monitor for further unauthorized activity.
2024-06-07 15:09:58 theregister MISCELLANEOUS Managing Cyber-Physical System Risks Under NIS2 Regulations
Cyber-physical systems (CPS) are a soft target because most were not designed with security as a primary concern. The Network and Information Security 2 Directive (NIS2) widens regulatory obligations to sectors such as energy, transport, water management and healthcare. Organisations in those sectors must understand how NIS2 applies to CPS risk, where proprietary protocols and legacy equipment complicate conventional controls. Claroty argues for exposure management, rather than vulnerability management alone, as the way to secure the extended internet of things (XIoT). A webinar hosted by The Register with Claroty experts will discuss applying NIS2 and managing CPS risk with Claroty xDome; it takes place on June 10, 2024.
2024-06-07 14:34:04 bleepingcomputer MALWARE Critical PHP RCE Vulnerability Affects All Windows Versions
A critical remote code execution vulnerability in PHP for Windows, tracked as CVE-2024-4577, affects every PHP release on Windows when PHP runs in CGI mode or when the php-cgi binary is otherwise exposed, as it is in a default XAMPP install. The bug was reported by Orange Tsai of DEVCORE and is fixed in PHP 8.3.8, 8.2.20 and 8.1.29; end-of-life branches (8.0, 7.x and 5.x) receive no fix. It stems from the Windows 'Best-Fit' character conversion: a percent-encoded soft hyphen (0xAD) in the query string passes php-cgi's check for a leading '-' and is then converted to a real hyphen, so the attacker's query is parsed as php-cgi command-line options. The public technique injects '-d' INI overrides (allow_url_include=1 and auto_prepend_file=php://input) so that the request body is executed as PHP, giving an unauthenticated attacker remote code execution. DEVCORE confirmed exposure under default configurations on Windows locales using the Traditional Chinese, Simplified Chinese and Japanese code pages and notes that other locales may be affected as well. Recommended mitigations are upgrading or, where that is not immediately possible, an Apache mod_rewrite rule that rejects query strings beginning with %ad; DEVCORE also advises moving off CGI to FastCGI, PHP-FPM or mod_php. Threat actors and researchers began scanning for vulnerable hosts soon after disclosure.
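To make the mechanism concrete, here is an added Python model (example code, not from the article, the PHP project or DEVCORE) of why a percent-encoded soft hyphen gets past php-cgi's leading-hyphen check and what a successful injection would set. It reduces Windows Best-Fit to the single mapping involved (0xAD to '-'), which is an assumption about table coverage, and it assumes the check order described publicly: the CVE-2012-1823 guard runs on the decoded query words, and the Best-Fit conversion happens afterwards when Windows builds the process's ANSI argv. The request lines are constructed for the example.

```python
"""Model of the CVE-2024-4577 argument-injection path in php-cgi on Windows.
Added example; not code from the article, the PHP project or DEVCORE.
Assumptions: the Best-Fit table is reduced to the one mapping that matters
(U+00AD soft hyphen -> '-'), and the CVE-2012-1823 guard runs on the decoded
query words before Windows' ANSI conversion of argv applies Best-Fit."""
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Windows Best-Fit replaces characters with no exact equivalent in the active
# code page by a near-looking ASCII byte. Only the mapping exploited by
# CVE-2024-4577 is modelled here (assumption: a full table is not needed).
BEST_FIT = {0xAD: ord("-")}


def best_fit(word: bytes) -> bytes:
    """Apply the reduced Best-Fit table byte by byte."""
    return bytes(BEST_FIT.get(b, b) for b in word)


def cgi_argv(query: str) -> List[bytes]:
    """RFC 3875 s.4.4: a query string with no unencoded '=' is handed to the
    CGI program as command-line words split on '+', each percent-decoded.
    Ordinary key=value queries yield no argv words at all."""
    if "=" in query:
        return []
    return [unquote_to_bytes(w) for w in query.split("+") if w]


def php_cgi_parses_options(query: str) -> bool:
    """True if php-cgi would end up treating the first query word as an option.
    The 2012 guard refuses a first word that already begins with '-', but it
    sees the decoded bytes *before* Best-Fit turns 0xAD into '-'."""
    argv = cgi_argv(query)
    if not argv or argv[0].startswith(b"-"):
        return False  # CVE-2012-1823 fix: refuse to run getopt
    return best_fit(argv[0]).startswith(b"-")  # what the CRT hands to getopt


def injected_ini(query: str) -> Dict[str, str]:
    """INI overrides (-d key=value) an accepted injection would apply.
    allow_url_include=1 plus auto_prepend_file=php://input is the public
    pattern: it makes php-cgi execute the request body as PHP."""
    if not php_cgi_parses_options(query):
        return {}
    words = [best_fit(w).decode("latin-1") for w in cgi_argv(query)]
    settings: Dict[str, str] = {}
    i = 0
    while i < len(words):
        w = words[i]
        if w == "-d" and i + 1 < len(words):
            key, _, value = words[i + 1].partition("=")
            settings[key] = value
            i += 2
        elif w.startswith("-d") and len(w) > 2:  # -dkey=value form
            key, _, value = w[2:].partition("=")
            settings[key] = value
            i += 1
        else:
            i += 1
    return settings


def flag_requests(request_lines: List[str]) -> List[Dict[str, str]]:
    """Scan '<METHOD> <path>?<query>' lines and return the injected INI
    settings for each request php-cgi would accept as an option injection."""
    hits = []
    for line in request_lines:
        query = line.split("?", 1)[1] if "?" in line else ""
        ini = injected_ini(query)
        if ini:
            hits.append(ini)
    return hits


# Constructed sample requests for this example, not captured traffic.
# /php-cgi/php-cgi.exe is the path a default XAMPP install exposes.
SAMPLE_REQUESTS = [
    "GET /index.php?page=home",                      # normal query
    "GET /index.php?-d+allow_url_include%3d1",       # literal '-': blocked since 2012
    "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
    "POST /php-cgi/php-cgi.exe?%add+auto_prepend_file%3dphp://input",
]

if __name__ == "__main__":
    for ini in flag_requests(SAMPLE_REQUESTS):
        print("option injection accepted, would set:", ini)
```

The first-word test in php_cgi_parses_options is the same condition DEVCORE's published Apache mitigation enforces for servers that must keep CGI: 'RewriteCond %{QUERY_STRING} ^%ad [NC]' followed by a forbidding 'RewriteRule .? - [F,L]'. Both the model and the rule only look at the leading query word, so treat the rule as a stopgap; the durable answer is the patched release or, as the article says, leaving CGI for FastCGI, PHP-FPM or mod_php.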
2024-06-07 11:15:21 thehackernews MISCELLANEOUS Enhancing Security with Advanced SCA Tools and Strategies
Traditional Software Composition Analysis (SCA) tools tend to generate alert fatigue and do not cover the full range of third-party risk in a software supply chain. They are good at flagging known vulnerabilities in dependencies but weak at detecting emerging threats and unknown attack vectors, leaving real gaps. New tools and strategies are needed to address these systemic problems and protect supply chains against rising threats. Myrror Security's new guide examines the shortcomings of traditional SCA and sets out what a more comprehensive approach looks like. Gartner predicts that 45% of organizations will have experienced a software supply chain attack by 2025, which underlines the urgency. The guide is aimed at application security professionals who want to strengthen their posture against supply chain risk. Continuous discovery and proactive management of exposures, combined with penetration testing and red teaming, are recommended as the basis of a durable defence.
2024-06-07 11:10:03 thehackernews MISCELLANEOUS Tech Giants Tackle AI Challenges, Privacy Issues, and Security Risks
Google has issued new guidelines for third-party Android app developers to ensure responsible use of generative AI, aimed at preventing the creation of harmful content. Meta faces a GDPR complaint from privacy group noyb, which criticizes the company’s use of public data to train its AI systems without adequate user consent. Microsoft's AI feature Recall has come under fire for privacy and security risks related to its function of capturing and storing screenshots from users' PCs. Recall's vulnerabilities were highlighted by researchers who demonstrated ways to access and extract sensitive information stored in its database without requiring admin rights. These developments underscore the growing scrutiny over AI technologies and the balance between innovation and user privacy and security. Both Meta and Microsoft are adjusting their strategies in response to feedback and legal challenges, indicating ongoing tension in AI development and data privacy practices.
2024-06-07 10:33:42 theregister DDOS Russian Hacktivists Threaten DDoS Attacks During EU Elections
The pro-Russian hacktivist group NoName057(16) has announced plans to attack EU internet infrastructure during the four-day European Parliament election. The group frames the attacks as retaliation for EU sanctions and what it calls unfair treatment of Russia, including the West's refusal to acknowledge what it describes as genocide in Ukraine's Donbas region. NoName057(16) says seven other pro-Russian groups and several anonymous crews will take part. No specifics were given, but the groups' established tactic is DDoS, which they have used against Ukrainian and European targets before. Hacktivist activity has also recently extended to critical infrastructure, including water and wastewater systems in North America and Europe. Analysts warn that such threats are intended to undermine confidence in the election and advise measured responses that do not amplify the effect the actors want. Official reaction has been muted, with the European Parliament yet to comment, but Dutch political parties have already been hit by DDoS attacks attributed to HackNet, one of the groups named in the campaign.
2024-06-07 07:55:48 thehackernews CYBERCRIME FBI Releases 7,000 LockBit Ransomware Decryption Keys to Aid Victims
The FBI has obtained more than 7,000 decryption keys for LockBit ransomware and is offering them to victims free of charge; affected organizations are encouraged to report through the Internet Crime Complaint Center (IC3) for help recovering data. LockBit was heavily disrupted by the international law enforcement operation known as Operation Cronos, which identified Dmitry Yuryevich Khoroshev as its alleged administrator; he is reported to have offered information on other ransomware operators. LockBit is still operating but far less prolific, trailing other groups in recent activity according to Malwarebytes data. The FBI advises against paying ransoms, since payment gives no assurance that stolen data will not be leaked or reused for further extortion. Veeam's Ransomware Trends Report 2024 found that organizations typically recover only 57% of the data affected by a ransomware attack, so significant loss is the norm. New variants keep appearing and adapting to specific targets, including a recent Linux variant that targets VMware ESXi environments and gains initial access through Microsoft SQL servers.
2024-06-07 07:40:20 bleepingcomputer NATION STATE ACTIVITY Ukraine Defense Targeted by Hackers Using SyncThing Tool
Ukraine's CERT-UA has identified a campaign it calls "SickSync", run by the group UAC-0020 (Vermin) against Ukrainian defence forces. Vermin is linked to the security services of the Russian-occupied Luhansk People's Republic (LPR), and its operations serve Russian interests. The attack begins with a phishing email carrying a malicious RAR self-extracting (SFX) archive that installs SyncThing alongside the SPECTR malware. SyncThing, a legitimate open-source file-synchronization tool, is abused rather than exploited: it gives the attacker a peer-to-peer channel that blends in with ordinary software traffic. SPECTR steals documents and account credentials and stages the stolen files inside a SyncThing sync directory, from which the tool transfers them to the attacker's node. CERT-UA advises treating any interaction with SyncThing's infrastructure as a potential compromise that warrants immediate investigation.
2024-06-07 07:14:36 thehackernews NATION STATE ACTIVITY Espionage Campaign SPECTR Malware Targets Ukrainian Defense
Ukraine's CERT-UA has warned of espionage attacks on its defence forces using SPECTR malware in a campaign it tracks as SickSync. The threat actor, UAC-0020 (also known as Vermin), is believed to be tied to the security agencies of the Russian-backed Luhansk People's Republic. The attacks begin with spear-phishing emails carrying a RAR archive that contains a decoy PDF, a legitimate SyncThing build and a script that launches the malware. SPECTR captures screenshots, harvests files and device data, and steals credentials from several messaging and communication applications. The legitimate SyncThing software's synchronization feature is then abused to exfiltrate the stolen data over a peer-to-peer connection. The campaign marks a resurgence of Vermin's phishing operations against Ukrainian state entities, which go back to 2015. CERT-UA also reported the use of Signal to deliver the DarkCrystal RAT and attacks by Belarus-linked hackers using Excel documents against the Ukrainian Ministry of Defense.
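CERT-UA's advice in both SickSync reports above is to treat contact with SyncThing's infrastructure from hosts where the tool is not sanctioned as a potential compromise. The following added Python hunt (example code, not from CERT-UA, either article or the Syncthing project) turns that into a log check. The indicators are Syncthing's documented defaults: global discovery and relay lookups under syncthing.net, the sync listener on port 22000 (TCP and QUIC/UDP), local discovery broadcasts on UDP 21027 and public relays on TCP 22067. The log line format, the sample log and the sanctioned-host list are assumptions constructed for the example.

```python
"""Hunt for Syncthing activity in DNS/connection logs, following CERT-UA's
SickSync advice. Added example; not code from CERT-UA, the articles or the
Syncthing project. Indicators are Syncthing's documented defaults; the log
format and the sanctioned-host list are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

SYNCTHING_DOMAIN = "syncthing.net"          # global discovery, relays, upgrades
SYNCTHING_PORTS = {
    22000: "sync listener (TCP/QUIC)",
    21027: "local discovery broadcast (UDP)",
    22067: "public relay (TCP)",
}

# Assumed log shape (constructed for this example):
#   "<timestamp> <src_ip> dns <queried_name>"
#   "<timestamp> <src_ip> conn <dst_ip>:<port>/<proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>dns|conn)\s+(?P<detail>\S+)$")
CONN_RE = re.compile(r"^(?P<dst>\S+):(?P<port>\d+)/(?P<proto>tcp|udp)$")


@dataclass(frozen=True)
class Hit:
    src: str
    reason: str
    line: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the log line shows Syncthing activity, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, event, detail = m["src"], m["event"], m["detail"]
    if event == "dns":
        name = detail.lower().rstrip(".")
        if name == SYNCTHING_DOMAIN or name.endswith("." + SYNCTHING_DOMAIN):
            return Hit(src, f"DNS lookup of Syncthing infrastructure ({name})", line)
        return None
    c = CONN_RE.match(detail)
    if c and int(c["port"]) in SYNCTHING_PORTS:
        port = int(c["port"])
        return Hit(src, f"connection to {port}/{c['proto']}: {SYNCTHING_PORTS[port]}", line)
    return None


def hunt(lines: Iterable[str], sanctioned: FrozenSet[str] = frozenset()) -> List[Hit]:
    """All hits from hosts not on the sanctioned list. The DNS indicator is the
    stronger one: port 22000 is a default an operator can change, but a client
    that uses global discovery or relays must resolve names under syncthing.net."""
    return [h for h in map(classify, lines) if h is not None and h.src not in sanctioned]


def hosts_to_investigate(hits: List[Hit]) -> List[str]:
    """Distinct source hosts, the one with the most indicators first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.src] = counts.get(h.src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


# Constructed sample log, not captured from any real network.
SAMPLE_LOG = [
    "2024-06-06T09:12:01Z 10.20.1.15 dns discovery.syncthing.net",
    "2024-06-06T09:12:03Z 10.20.1.15 conn 203.0.113.9:22000/tcp",
    "2024-06-06T09:12:05Z 10.20.1.40 dns updates.example.org",
    "2024-06-06T09:13:00Z 10.20.1.15 conn 10.20.1.255:21027/udp",
    "2024-06-06T09:14:00Z 10.20.1.77 dns relays.syncthing.net",
    "2024-06-06T09:14:02Z 10.20.1.77 conn 198.51.100.20:22067/tcp",
    "2024-06-06T09:15:00Z 10.20.1.40 conn 203.0.113.50:443/tcp",
]

if __name__ == "__main__":
    # 10.20.1.77 is assumed to be a host where Syncthing is sanctioned.
    for hit in hunt(SAMPLE_LOG, sanctioned=frozenset({"10.20.1.77"})):
        print(f"{hit.src}: {hit.reason}")
```

A port match on its own is a lead, not a verdict: other software can use 22000, and a Syncthing node configured to bypass global discovery and relays never touches syncthing.net. Corroborate a hit by looking for the Syncthing binary, its configuration directory and the sync folder on the flagged host before declaring the machine compromised.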
2024-06-07 06:28:36 theregister MISCELLANEOUS Proofpoint Shuts Down SORBS, Triggers Community Movement
Proofpoint has decommissioned SORBS, the spam blocklist service, which stopped operating on June 5, 2024. SORBS, founded by Michelle Sullivan more than twenty years ago, provided DNS-based blocklists used by over 200,000 organizations and listed more than 12 million hosts associated with spam, phishing or malware. Reviving SORBS is reported to be feasible since its code base is intact, but Proofpoint cited sustainability as the reason for shutting it down and has not endorsed a replacement. The anti-spam community is concerned that spammers could try to acquire the SORBS name or infrastructure for their own ends, and it is looking for an alternative operator to continue the service. Transparent, well-documented listing procedures have historically underpinned SORBS's credibility, and preserving that integrity is a priority for any successor.