Daily Brief
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-28 14:05:55 | bleepingcomputer | MISCELLANEOUS | How PTaaS Can Optimize Security and Cut Costs | Traditional penetration testing (pen testing) may introduce risks and increase costs because it cannot keep up with rapid development cycles. Penetration Testing as a Service (PTaaS) offers a semi-automated, continuous monitoring solution that aligns with agile DevOps practices. PTaaS enhances cybersecurity by combining dynamic application security testing (DAST) with the expertise of ethical hackers. The hidden costs of classic pen testing, once team time and resources are factored in, can significantly exceed the initial quote, potentially doubling the expense. PTaaS delivers cost savings by reducing false positives, requiring less set-up time, offering on-demand real-time testing, and eliminating delays in vulnerability remediation. Regular pen testing often yields a one-time security snapshot, whereas PTaaS allows continuous security validation and improvement, with better insight into security posture. By enabling better collaboration between DevOps and SecOps teams, PTaaS improves return on investment (ROI) and strengthens application and data security. Outpost24 promotes its PTaaS solution as a means to protect an organization's applications and data in real time while controlling costs and enhancing security collaboration. |
| 2024-03-28 13:34:58 | theregister | CYBERCRIME | U.S. Proposes Cyber Incident Reporting Requirements for Critical Infrastructure | The U.S. is close to implementing new cyberattack reporting rules for critical infrastructure operators under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Critical infrastructure sectors must report substantial cyber incidents within 72 hours and ransom payments within 24 hours to the US Cybersecurity and Infrastructure Security Agency (CISA). The reporting is designed to help rapidly deploy resources to victims, analyze cross-sector trends, and share information to improve defenses. Reports will be anonymized before sharing with industry sectors to protect privacy and encourage compliance. Small businesses recognized by the Small Business Administration may be exempt from the reporting requirements. CISA is setting up a new website for reporting cyber incidents, with final rules and detailed guidelines forthcoming. Industry concerns include the potential strain on resources and the complexity of complying with the new cybersecurity reporting requirements. CISA's final rule is expected to be published within 18 months after the close of the 60-day public comment period starting April 4, with the intent of enhancing national cybersecurity defenses. |
| 2024-03-28 12:53:23 | thehackernews | MISCELLANEOUS | Enhancing Organizational Web Application Security with OPSWAT and F5 | Cybersecurity is an ever-evolving field; organizations must constantly update their defenses against sophisticated threats. Threat actors are finding innovative ways to exploit vulnerabilities and bypass both traditional and advanced cyber defenses. The upcoming webinar aims to address application security blind spots and presents best practices for more robust security postures. Industry experts will discuss continuous monitoring, multi-engine malware scanning, file disarming, defense-in-depth strategies, and threat intelligence. The webinar will feature insights from Buu Lam of F5 DevCentral, George Prichici and Adam Rocker of OPSWAT, moderated by James Azar, CISO & Moderator for THN. Despite the prevalence of cyber threats, a significant number of companies do not perform comprehensive malware scans or disarm files to remove threats. The event encourages registration for actionable strategies to fortify web application security and adapt to the threat landscape in 2024. |
| 2024-03-28 11:46:47 | theregister | CYBERCRIME | Canonical Toughens App Review After Crypto Scam Incidents | Canonical, the parent company of Ubuntu, has tightened app submission reviews on the Snap Store following a surge in fraudulent crypto-wallet apps. Snap name registrations will now undergo manual review, a temporary policy shift to combat the recent influx of malicious activity. A fake "Exodus" wallet app scam resulted in a user losing nine Bitcoins, approximately $490,000 in value, highlighting the severity of the issue. Continuous efforts by scam publishers have led to multiple fake wallets appearing on the Snap Store, with new fake accounts emerging even after earlier ones were removed. Despite being confined within a sandbox, fraudulent apps deceive users by presenting a legitimate appearance and using social engineering to obtain user credentials. Canonical's policy changes are in line with similar updates by Flathub and are part of ongoing efforts to address the security risks posed by deceptive cryptocurrency apps. In addition to security actions, Canonical has extended the support period for Ubuntu Pro users, providing critical security updates for up to 12 years for certain releases. |
| 2024-03-28 11:05:51 | thehackernews | MISCELLANEOUS | Best Practices for Protecting Non-Human Identities in Development | Non-human identities such as API keys and passwords are crucial for modern software development but are often neglected in the race to innovate. Developers may compromise security by taking shortcuts like hard-coding secrets under pressure to deliver quickly. A predominant culture of speed over security and a lack of robust training lead to the mishandling of sensitive information. The shift-left security approach is insufficient because it does not address ongoing security maintenance throughout the development lifecycle. Security best practices should be integrated into every stage of development, treating security as a shared responsibility among all team members. Entro offers a solution for managing development-stage non-human identities discreetly, without hindering the R&D process. Entro's secrets management includes "secrets enrichment," providing detailed context for each secret to enhance security measures. Advocating a balanced focus on both development speed and robust security practices is key to safeguarding confidential data. |
| 2024-03-28 11:00:29 | thehackernews | MALWARE | ZenHammer: New Rowhammer Technique Compromises AMD CPUs | Cybersecurity researchers from ETH Zurich have discovered a new attack method, called ZenHammer, which circumvents existing Rowhammer defenses on AMD CPUs. ZenHammer effectively induces bit flips in DDR4 memory on AMD Zen 2 and Zen 3 platforms, significantly expanding the attack surface given AMD's substantial market share. For the first time, this technique has also triggered bit flips on DDR5 devices, which were previously thought to be resistant to such attacks. The Rowhammer vulnerability arises from DRAM's physical memory cell layout and can lead to altered memory contents, system credential compromise, and overall system instability. Target Row Refresh (TRR) mitigations implemented by DRAM manufacturers have been bypassed by ZenHammer through reverse engineering and optimized hammering instruction sequences. ETH Zurich's research demonstrates the need for further investigation into DDR5's Rowhammer defenses and security guarantees. AMD has acknowledged the issue and is assessing the vulnerability of DDR5 devices to Rowhammer bit flips, with updates to follow upon conclusion of its investigation. |
| 2024-03-28 10:29:41 | theregister | DATA BREACH | Ransomware Attack Compromises NHS Scotland's Sensitive Data | The INC Ransom group claimed responsibility for a cyberattack on NHS Scotland, allegedly stealing 3TB of data and leaking sensitive files. The attack was contained to NHS Dumfries and Galloway, a regional branch, preventing wider spread across NHS Scotland. The Scottish Government, along with various agencies, is assessing the breach's impact and working with the police on the ongoing investigation. Leaked data includes patients' medical test results, medication information, and the personal information of both patients and medical staff. NHS Dumfries and Galloway has been addressing the issue since the initial incident was disclosed on March 15 but has not yet confirmed the nature of the data accessed. The attack highlights the ongoing risk to healthcare institutions, with particular emphasis on the significant impact ransomware can have on this sector. Efforts are underway to increase cybersecurity in healthcare, including ARPA-H's involvement in DARPA's Artificial Intelligence Cyber Challenge to secure critical infrastructure. |
| 2024-03-28 08:12:06 | thehackernews | MISCELLANEOUS | Telegram's Controversial OTP Feature Trades Privacy for Premium Access | Telegram has introduced Peer-to-Peer Login (P2PL), offering free premium membership in exchange for using users' phone numbers to send OTPs. P2PL is under trial for Telegram's Android users in select countries and allows sending up to 150 OTP SMS messages, including international ones, at a charge. Privacy concerns arise because recipients can view the sender's phone number, increasing the risk of spam or unauthorized contact. Telegram warns against sharing personal information with or interacting with OTP recipients, and can terminate accounts that breach its terms. With 900 million active users, Telegram launched Telegram Premium in June 2022, providing enhanced features to subscribers. In parallel with Telegram's move, Meta faces accusations of a "man-in-the-middle" traffic interception scheme concerning Snapchat, YouTube, and Amazon data for competitive analysis. The Meta incident involves a secret project named Ghostbusters, which used Onavo-acquired VPN apps to track user behavior illicitly from 2016 to 2018. Legal and privacy implications are in focus, as Meta contends in its statement that it gained nothing wrongfully from the intercepted user data. |
| 2024-03-28 07:51:19 | theregister | CYBERCRIME | Germany Urges Immediate Patching of 17,000 Vulnerable Exchange Servers | The German Federal Office for Information Security (BSI) has issued an urgent warning concerning over 17,000 unpatched Microsoft Exchange Servers, constituting a significant cybersecurity risk. Approximately 37 percent of Germany's public-facing Exchange servers are vulnerable to critical exploits due to outdated or unpatched software, including versions that are no longer supported. The BSI emphasizes the importance of cybersecurity and the urgent need for action by organizations, citing potential threats to sensitive data and services if systems remain unpatched. A recent example of a critical vulnerability that needs patching is CVE-2024-21410, an elevation-of-privilege flaw that Microsoft addressed last month; many servers nonetheless remain unpatched. The BSI has started daily communications with network providers to encourage prompt remediation of any detected vulnerabilities. There is increased concern about exploitation by criminals and state-sanctioned groups, with essential services such as medical facilities, schools, and government entities at high risk. The BSI urges administrators to act swiftly and apply available security patches to prevent potential cyberattacks, even though the quality of the software is Microsoft's responsibility. |
| 2024-03-28 07:05:17 | theregister | CYBERCRIME | AI Imagined Software Packages Pose Real Cybersecurity Threats | Generative AI mistakenly recommends non-existent software packages, which are subsequently made real and installed by unwitting developers. Alibaba was among the businesses fooled into integrating a fake software dependency, potentially exposing systems to malware. Security researcher Bar Lanyado created a benign, fake Python package to demonstrate how genuine the threat could be. Lanyado's experiment revealed that generative AI models often reproduce the same hallucinated package names across different models and questions. The research indicates a viable attack vector in which AI-recommended nonexistent packages could be registered and used to distribute malware. The Python and npm ecosystems are particularly vulnerable because they lack protections against the registration of such hallucinated names. The proof-of-concept fake package received over 15,000 downloads and was even included in the repositories of large companies. While there is currently no known occurrence of this attack method in the wild, its lack of traces makes it difficult to detect and prevent. |
| 2024-03-28 06:34:28 | theregister | NATION STATE ACTIVITY | Japan Arrests Execs for Outsourcing to North Korean IT Engineers | Two executives were arrested in Japan for creating a business that outsourced work to North Korean IT engineers, potentially violating international sanctions. Pak Hyon-il, a South Korean national, and Japanese citizen Toshiron Minomo allegedly facilitated this outsourcing without their customers' knowledge. Pak and Minomo are accused of inflating their company's registered capital and of unemployment benefit fraud; authorities are investigating the extent of these actions. There is concern that the outsourced work could fund North Korea's foreign currency acquisition schemes, including nuclear and missile development. The Japanese government recently issued a warning about North Korean IT workers posing as Japanese nationals or working remotely, emphasizing the associated risks of malware, cybersecurity threats, and sanctions violations. The U.S. and South Korean governments have also cautioned against employing North Korean agents, outlining indicators such as threats over proprietary code and inconsistencies in communication or documentation. |
| 2024-03-28 04:31:03 | theregister | NATION STATE ACTIVITY | China Backs Myanmar Rebels to Combat Cyberscams | China supported an armed offensive against the Myanmar military junta over the proliferation of online scams. Beijing had ties with Myanmar's ousted administration and was upset by the coup, which derailed infrastructure projects. The Three Brotherhood Alliance launched Operation 1027, named after its launch date, targeting the military junta in response to the unchecked scam centers. The offensive disrupted trade and overran bases, with China's tacit approval due to concerns over the impact of scams on its citizens. A UN report identified Myanmar's Kokang zone as a major hub for human trafficking linked to online scams, surpassing Cambodia. Global pressure has been mounting to dismantle such scam operations, leading to Interpol's involvement. After the offensive, China's focus remained on repatriating scam suspects rather than ending the alliance's armed operations. Myanmar's military made concessions and accepted a China-mediated ceasefire, underlining China's leverage despite internal conflict dynamics. |
| 2024-03-27 22:15:13 | bleepingcomputer | CYBERCRIME | Sophisticated 'Darcula' Phishing Service Exploits iMessage and RCS | The 'Darcula' PhaaS (phishing-as-a-service) platform exploits RCS and iMessage instead of traditional SMS for phishing attacks, impacting users globally. Over 200 customizable templates allow scammers to convincingly impersonate brands in 100+ countries, targeting various services including government and finance. Advanced technologies such as JavaScript, React, and Docker are used for dynamic updates and feature additions, bypassing the need for clients to reinstall phishing kits. Netcraft discovered 20,000 linked domains, with 120 new domains added daily, revealing Darcula's extensive scale. Darcula bypasses recent legislation targeting SMS-based phishing by using RCS and iMessage, which enable end-to-end encryption and are perceived as more secure by users. Cybercriminals overcome platform restrictions such as high-volume messaging bans by creating multiple Apple IDs and utilizing device farms. iMessage's safeguard requiring recipients to engage before accessing links is circumvented by instructing users to reply with a 'Y' or '1'. Netcraft advises suspicion towards unsolicited messages with URLs and recommends looking out for grammatical errors, attractive offers, and urgent calls to action as phishing indicators. |
| 2024-03-27 22:09:56 | theregister | CYBERCRIME | Apple Users Targeted with Password Reset Scam and Support Spoofing | Apple device users are the target of a multi-factor authentication bombing campaign aimed at tricking them into allowing a password reset. AI entrepreneur Parth Patel first reported the attack after experiencing over 100 system-level password reset requests and subsequently receiving a call from a scammer posing as Apple support. The attack tries to exploit user fatigue from repeated notifications to force a mistaken approval of a password reset. Attackers use sophisticated tactics, including caller ID spoofing and accurate personal information likely sourced from data brokers like PeopleDataLabs. The scam's success hinges on a possible rate-limiting oversight in Apple's iForgot system, enabling an onslaught of reset requests. Apple has not yet introduced protective measures against this specific type of abuse, though Microsoft has adjusted its MFA system to counter similar attacks. Apple recommends that users hang up on unsolicited calls claiming to be from Apple support and be cautious with system alerts about password resets. |
| 2024-03-27 21:29:08 | theregister | MISCELLANEOUS | Over Half of Americans Embrace Ad Blockers for Privacy | Over 52% of American internet users now use ad-blocking software, up from 34% in 2022 data. The adoption rate of ad blockers is notably higher among tech-savvy professionals with over five years of experience: 66% of advertisers, 72% of programmers, and 76% of cybersecurity experts. The primary motivation for the general public to use ad blockers is privacy protection (20%), ahead of simply blocking ads (18%). Tech professionals prioritize privacy even more when using ad blockers, with advertisers, developers, and security pros citing it as the main reason at rates of 27%, 30%, and 29% respectively. Trust in companies regarding data collection varies, with Google still deemed trustworthy despite being a major data collector; TikTok and Meta are among the least trusted. The report highlights a general lack of awareness about extensive third-party data collection and its implications for privacy and personal data security. |