Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-03 17:33:33 | bleepingcomputer | CYBERCRIME | Ivanti Releases Patches for Critical VPN Gateway Vulnerabilities | Ivanti has issued security patches for multiple vulnerabilities affecting Connect Secure and Policy Secure gateways. The high-severity flaw tracked as CVE-2024-21894 allows unauthenticated remote code execution (RCE) and denial of service (DoS) attacks. The vulnerability arises from a heap overflow in the IPSec component, impacting all supported versions of the gateway products. While there has been no reported exploitation, over 29,000 Ivanti gateways are exposed online, and nation-state actors have previously targeted Ivanti vulnerabilities. The critical flaw, along with three other vulnerabilities, could be exploited without requiring user interaction. The US Cybersecurity and Infrastructure Security Agency (CISA) has responded by issuing emergency directives to federal agencies to patch or disconnect vulnerable Ivanti VPN appliances. Ivanti has previously been targeted by suspected Chinese threat groups using zero-day vulnerabilities for malicious activities. | Details |
| 2024-04-03 16:40:40 | bleepingcomputer | MALWARE | Google Patches New Chrome Zero-Day Exploited in Hacking Contest | Google has patched a high-severity Chrome zero-day vulnerability, CVE-2024-3159, discovered during the Pwn2Own hacking contest. The flaw lies in the V8 JavaScript engine and permits heap corruption through specially crafted HTML pages. Attackers could exploit this out-of-bounds read issue to crash the browser or access sensitive data. Security researchers Edouard Bochin and Tao Yan successfully executed code on Chrome and Edge, receiving a $42,500 prize for their double-tap exploit. The updated Chrome versions carrying the fix are rolling out globally on various operating systems, including Windows, Mac, and Linux. Google has also rectified two other Chrome zero-days and two Android zero-days, with fixes released shortly after disclosure. Mozilla quickly addressed two Firefox vulnerabilities unveiled at the same Pwn2Own event. Generally, zero-day vulnerabilities disclosed during Pwn2Own are publicly detailed by Trend Micro's Zero Day Initiative after 90 days, although some vendors patch the issues sooner. | Details |
| 2024-04-03 16:29:57 | bleepingcomputer | DATA BREACH | AT&T Faces Legal Challenges Over Monumental Customer Data Breach | AT&T acknowledges a major data breach impacting 73 million current and former customers, leading to multiple class-action lawsuits. Sensitive customer data leaked includes names, addresses, Social Security Numbers, and passcodes for customer support interactions. The breach was first reported in 2021 by ShinyHunters but only confirmed by AT&T after a secondary leak by 'MajorNelson' in 2024. Plaintiffs accuse AT&T of negligence, breach of implied contract, and unjust enrichment, demanding compensation, credit monitoring, and improved security measures. Despite initial denials, AT&T admits the data belonged to millions of its customers and that the breach likely occurred in 2019 or earlier. Law firm Morgan & Morgan alleges AT&T had prior knowledge of system vulnerabilities and delayed breach acknowledgment, increasing fraud risks. The company has been criticized for its belated response and potential underestimation of the threat, leaving customers unknowingly at risk for years. | Details |
| 2024-04-03 16:14:24 | thehackernews | CYBERCRIME | Google Pixel Phones Targeted Through Zero-Day Flaw Exploitation | Google disclosed two high-severity zero-day vulnerabilities in Pixel phones that are being exploited by forensic companies. The exploited vulnerabilities have allowed attackers to extract data and potentially spy on users when the devices are in an unlocked state. CVE-2024-29745 involves a vulnerability within the fastboot firmware, which supports various device state changes such as unlocking or flashing. Forensic firms have been taking advantage of these vulnerabilities by rebooting devices into fastboot mode to exploit them and dump memory. CVE-2024-29748 allows local attackers to disrupt a factory reset, posing significant risk to device security and data integrity. The GrapheneOS team had previously warned that similar exploits were being used to compromise Google Pixel and Samsung Galaxy phones. GrapheneOS has suggested that an auto-reboot feature could mitigate the risks associated with firmware vulnerability exploitation. Google's advisory and the recommendation for heightened security measures come amid increasing concerns about device and data security. | Details |
| 2024-04-03 15:38:33 | thehackernews | NATION STATE ACTIVITY | U.S. Board Criticizes Microsoft After China-Linked Breach | The U.S. Cyber Safety Review Board (CSRB) reported that Microsoft's lax security practices facilitated a breach by China-based nation-state hackers, Storm-0558. Microsoft's corporate culture was flagged for not valuing security investments and risk management, in contrast to its central role in the tech ecosystem. The breach compromised 22 companies and over 500 consumer accounts by exploiting a Microsoft Azure Active Directory token forgery flaw. Microsoft's revelations about the breach changed over time, and the investigation into the hack is still ongoing. Around 60,000 unclassified emails from Outlook were reportedly exfiltrated during the campaign, which China has denied involvement in. The CSRB recommends updates to government cloud security frameworks and authorization processes to mitigate future cybersecurity risks. To aid federal agencies, Microsoft has expanded its Purview Audit logging capabilities, offering enhanced detection and response tools for cyber threats. | Details |
| 2024-04-03 14:47:10 | bleepingcomputer | CYBERCRIME | Google Patches Exploited Zero-Day Flaws in Pixel Devices | Google addressed two zero-day vulnerabilities, CVE-2024-29745 and CVE-2024-29748, actively exploited to unlock Google Pixel phones. The vulnerabilities pertain to the Pixel's bootloader and firmware, allowing unauthorized access to device data without a PIN. GrapheneOS, a security-focused Android distribution, initially discovered the flaws, which forensic firms were exploiting. The flaws enabled forensic firms to dump memory from devices they physically had access to, but Google's fix now prevents this by zeroing memory on boot. One of the vulnerabilities, CVE-2024-29748, was only partially fixed, with GrapheneOS developing a more robust solution to prevent circumvention of factory resets. Google's April 2024 security update for Pixel phones resolved 24 vulnerabilities, including a critical-severity privilege elevation flaw, CVE-2024-29740. Pixel users are advised to update their devices through the security settings to ensure protection against these vulnerabilities. | Details |
| 2024-04-03 14:05:57 | bleepingcomputer | CYBERCRIME | Guarding Against Sensitive Data Leaks in Microsoft Copilot | Microsoft Copilot is an integrated AI assistant in Microsoft 365 apps, augmenting productivity by using existing user permissions. Unrestricted permissions may lead to sensitive data exposure through Copilot, as users can query, summarize, or list internal information such as employee details, bonuses, and credentials. Varonis demonstrated how Copilot can inadvertently reveal confidential data through specific prompts, highlighting potential security risks when permissions are not tightly controlled. Ensuring proper data security settings and minimizing unnecessary permission grants is critical to prevent unauthorized access to sensitive information. Varonis, together with Microsoft, provides strategies and tools to companies for safe Copilot deployment, offering ongoing assessment and enhancements to Microsoft 365 data security postures. The Varonis Data Security Platform integrates with Microsoft 365, applying measures such as DLP, automated data security policies, and risk remediation to safeguard against data exposure. Varonis monitors every action in the Microsoft 365 environment, analyzing interactions with Copilot for unusual behavior and triggering alerts when needed. Varonis recommends a Copilot Readiness Assessment for organizations to address data security concerns and to maintain a secure AI tool adoption. | Details |
| 2024-04-03 13:13:17 | thehackernews | CYBERCRIME | Google Chrome Tests New Feature to Thwart Cookie Theft | Google is beta testing a prototype feature called Device Bound Session Credentials (DBSC) in Chrome to protect against session cookie theft by malware. The purpose of DBSC is to bind authentication sessions to the user's device, rendering stolen cookies useless to attackers. The initiative comes as a response to the prevalent use of off-the-shelf malware for hijacking accounts by bypassing MFA and stealing cookies. DBSC leverages cryptographic keys stored in Trusted Platform Modules (TPMs) on the device, requiring proof-of-possession throughout a session. Google TAG has previously reported phishing campaigns using cookie-stealing malware targeting platforms like YouTube. Enhanced Safe Browsing in Chrome is recommended for additional protection against phishing and malware. Google plans to roll out support for DBSC initially to Chrome desktop users with compatible hardware and further aims to sunset third-party cookies altogether. Collaboration with server and identity providers, as well as other browser vendors, is ongoing, with origin trials expected to start by the end of the year. | Details |
| 2024-04-03 12:52:40 | theregister | MISCELLANEOUS | Renowned Security Expert Ross Anderson Passes Away at 67 | Ross Anderson, a leading computer scientist and information security expert, unexpectedly passed away in his sleep at the age of 67. Anderson was a professor at the University of Cambridge and held prestigious accolades, such as the Lovelace Medal and fellowship of the Royal Society. His work covered diverse areas in the field of security including cryptography, cybercrime analysis, and security psychology, as well as influencing real-world technology like ATM design. Anderson authored the influential book "Security Engineering" and was committed to affecting information security policy through initiatives like the Foundation for Information Policy Research. He was recognized not only for his professional achievements but as a spirited and principled colleague and mentor, unafraid to challenge institutional policies. Friends, colleagues, and the wider security community remember Anderson as a brilliant, curious, and steadfast figure who significantly shaped the technology landscape. In addition to being remembered for his considerable academic contributions, he is survived by his family, who have requested privacy. | Details |
| 2024-04-03 12:11:45 | theregister | CYBERCRIME | Google Introduces Device Bound Credentials to Combat Cookie Theft | Google is tackling cookie theft by developing Device Bound Session Credentials (DBSC), which render stolen cookies useless. DBSC uses cryptographic keys to link a session cookie to the user's specific device, making the cookie inoperative if stolen and used elsewhere. The Chrome browser will leverage facilities like Trusted Platform Modules (TPM) to safely store private keys, with initial support for about half of desktop users. DBSC does not allow session correlation on the same device, ensuring privacy by using unique keys for each session. Google is working to make DBSC an open web standard and is already seeing interest from others in the industry, including Microsoft for the Edge browser. Google is experimenting with DBSC in Chrome Beta to protect Google Account users and plans to extend it to Google Workspace and Google Cloud customers. DBSC will align with Google's phase-out of third-party cookies, aiming to enhance security for both consumers and enterprise users without impacting user privacy. | Details |
| 2024-04-03 11:20:36 | thehackernews | MISCELLANEOUS | Comparing Attack Surface and Vulnerability Management Strategies | Attack surface management (ASM) and vulnerability management (VM) are distinct yet related areas in cybersecurity with differing scopes; ASM includes discovering unknown assets, while VM focuses on known assets. Vulnerability management involves using automated tools to identify, prioritize, report, and patch known vulnerabilities within a defined IP range in an organization's digital infrastructure. ASM extends the concept of VM by beginning with the discovery of all digital assets, whether known or unknown, across various environments including on-premises, cloud, and third-party services. Through ASM, organizations aim to minimize exposure and prevent potential attacks by reducing their attack surface, which can include eliminating unnecessary services and monitoring for emerging risks. Combining ASM and VM provides a holistic security posture, allowing organizations to identify all assets and vulnerabilities and allocate resources for more effective protection against cyber threats. Solutions like Intruder offer both VM and ASM services to better manage and secure an organization's attack surface and can provide additional visibility, such as monitoring network changes and SSL/TLS certificate expirations. | Details |
| 2024-04-03 09:43:46 | thehackernews | MALWARE | Mispadu Banking Trojan Expands Reach, Compromises European Credentials | The Mispadu banking trojan, initially targeting Latin America, has broadened its attacks to Europe, specifically Italy, Poland, and Sweden. Thousands of credentials have been stolen from various sectors, including finance, law firms, and manufacturing, with Mexico still the primary focus. The trojan captures sensitive information through fake pop-ups, screenshots, and keystroke logging, and uses phishing techniques to expand its impact. Recent attacks have exploited a Windows SmartScreen security flaw (CVE-2023-36025) to infect users through malicious PDFs in spam emails that lead to a multi-stage deployment of the malware. The malware performs anti-VM checks to avoid detection and uses obfuscation techniques and command-and-control servers for operations. Over 60,000 files containing stolen data have been identified on the Mispadu command-and-control server. Related research from Proofpoint reveals that YouTube channels promoting cracked video games are distributing malware like Lumma Stealer and Vidar via video description links. General security advice is provided, including steps to secure cloud environments and the importance of updating security processes amid business growth. | Details |
| 2024-04-03 06:38:38 | theregister | CYBERCRIME | "Gesture Jacking" Emerges as New Cybersecurity Threat to Web Users | "Gesture jacking," a variant of clickjacking also dubbed "cross-window forgery," targets web users by manipulating keypresses. Attackers create malicious OAuth prompts that capture key actions in a hidden browser window, potentially leading to account takeovers. Popular websites like Coinbase and Yahoo are vulnerable due to static or predictable authorization button IDs that can be targeted. Microsoft's Eric Lawrence explained that this attack method is effective because of how browsers handle URL fragments, transferring keypress inputs to targeted webpage elements. While not considered a browser bug, the technique exploits intended browser behavior, challenging browser makers to find a solution. Web developers are encouraged to adopt defensive measures such as randomizing ID attributes on sensitive buttons and implementing Content Security Policies. Browsers continually implement changes to reduce clickjacking risks, with Chromium browsers offering policies against Scroll-to-Text-Fragment and Firefox considering similar features. | Details |
| 2024-04-03 05:17:08 | thehackernews | MALWARE | Critical SQL Injection Vulnerability Patched in WordPress LayerSlider | A critical SQL injection vulnerability was found in the WordPress LayerSlider plugin, potentially allowing unauthorized database access. The vulnerability is identified as CVE-2024-2879 with a high-severity CVSS score of 9.8. Affected versions ranged from 7.9.11 to 7.10.0, with the issue resolved in version 7.10.1, released on March 27, 2024. The security flaw was a result of insufficient escaping of user-input parameters and the lack of wpdb::prepare() usage. The flaw could enable attackers to retrieve sensitive data such as password hashes from websites with the vulnerable plugin installed. The LayerSlider plugin is popular, with millions of users around the world trusting it for creating website animations and visual effects. This incident is among several recent security disclosures affecting WordPress plugins, including WP-Members and Tutor LMS, pointing to an ongoing concern for web security. WordPress site administrators are urged to regularly update plugins and core software to mitigate these risks. | Details |
| 2024-04-03 02:19:10 | theregister | NATION STATE ACTIVITY | Microsoft's Missteps Enable China-Linked Email Intrusion | Microsoft's Exchange Online service was compromised, impacting senior US officials, due to substandard security. The Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board urges Microsoft to implement significant cultural and security changes. The China-linked group "Storm-0558" exploited a stale key from Microsoft's outdated identity management system to access enterprise email accounts. Around 60,000 emails from the US State Department were stolen, along with employee email addresses, risking diplomatic security and enabling future phishing attacks. Investigators found Microsoft did not uphold key rotation practices, leaving it vulnerable compared to other cloud providers who are more diligent. Microsoft was criticized for not acknowledging the severity of the situation promptly and for failing to provide accurate information about the attack's cause. The report also suggests Microsoft's current security initiatives are inadequate and require high-level executive oversight. | Details |