Daily Brief


Total articles found: 12716


2024-05-23 17:11:40 thehackernews RANSOMWARE Ransomware Campaigns Targeting VMware ESXi Escalate Globally
Cybersecurity firm Sygnia's report notes a consistent pattern in ransomware attacks exploiting VMware ESXi vulnerabilities across malware families including LockBit, HelloKitty, and BlackCat. Virtualization platforms are core to IT infrastructure, and their common misconfigurations and vulnerabilities make them attractive targets for cybercriminals. Because these campaigns abuse the virtual environment itself, defenders need stronger controls such as improved monitoring, strong authentication, and more resilient backup solutions. Recent malvertising campaigns have targeted IT professionals with trojanized installers for popular software such as WinSCP and PuTTY, which serve as initial access points for ransomware attacks. These malvertising lures lead to the deployment of additional payloads, including Cobalt Strike Beacons and post-exploitation toolkits such as Sliver. Global ransomware attacks declined 15% in April 2024, despite the emergence of new ransomware groups pursuing considerable ransoms, especially from Russian companies. The report emphasizes the growing role of initial access brokers and ransomware operators in enabling high-impact attacks and lowering the cost barrier to cybercriminal activity.
2024-05-23 16:50:58 thehackernews CYBERCRIME CISA Flags Active Exploitation of Apache Flink Security Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged an actively exploited vulnerability in Apache Flink. The flaw, tracked as CVE-2020-17519, lets attackers read any file on the Apache Flink JobManager's local filesystem through its REST interface. Exploitation uses directory traversal requests and requires no authentication, so sensitive data can be exposed. Affected versions are 1.11.0, 1.11.1, and 1.11.2; fixes have been available in versions 1.11.3 and 1.12.0 since January 2021. Palo Alto Networks' Unit 42 observed significant exploitation of this flaw between November 2020 and January 2021. Other vulnerabilities, including CVE-2020-28188 and CVE-2020-29227, were exploited around the same period. CISA has directed federal agencies to apply the latest patches by June 13, 2024, to mitigate the risk.
2024-05-23 15:54:34 bleepingcomputer DATA BREACH £750K Fine for Northern Ireland Police After Data Leak
The Police Service of Northern Ireland (PSNI) is set to be fined £750,000 by the UK's Information Commissioner's Office (ICO) for a significant data breach. A spreadsheet containing personal details of 9,483 PSNI officers and staff was mistakenly published online in response to a Freedom of Information request. The exposed information included surnames, initials, ranks, and roles, which posed a severe safety risk to the individuals affected. Many affected staff were forced to move house, cut off contact with family, and change their daily routines to stay safe. The ICO criticized PSNI for inadequate internal procedures and protocols for safely disclosing information. The proposed fine is far lower than the initial provisional figure of £5.6 million, reflecting PSNI's status as a public body with a limited budget. PSNI has responded positively to the enforcement notice and penalty and has committed to implementing the required data security improvements. Investigations into who holds the leaked data are ongoing and have included multiple searches and arrests.
2024-05-23 14:32:17 theregister CYBERCRIME Veeam Addresses Critical Vulnerability in Backup Enterprise Manager
Veeam has disclosed a critical vulnerability in its Backup Enterprise Manager (VBEM), rated 9.8 out of 10, that allows unauthorized logins. Despite the severity of the access risk, the flaw does not permit deletion of backups, thanks to immutable backups and multi-factor authorization. Veeam has released a patch for CVE-2024-29849 and urges customers to update promptly to prevent exploitation. The vulnerability affects only customers running VBEM, an optional component not deployed by all Veeam users. Alongside the critical flaw, Veeam disclosed three other vulnerabilities in VBEM and recommended patching immediately. For those unable to upgrade right away, Veeam advises stopping VBEM's services or uninstalling the software if it is not required. The company stressed the importance of keeping software up to date, since attackers routinely target known vulnerabilities in unpatched systems.
2024-05-23 14:06:32 bleepingcomputer CYBERCRIME Best Practices to Defend IT Service Desks Against Cyber Attacks
IT service desks are vulnerable to cyber attacks through social engineering, particularly attempts to obtain password resets. In 2022, 71% of IT departments experienced vishing attacks, a significant increase over previous years. Two case studies, EA Games and MGM Resorts, show how service desk exploits led to substantial data breaches and financial losses. At EA Games, attackers gained access to internal systems by tricking a service desk employee over Slack and stole 750GB of data, including game source code. MGM Resorts suffered a devastating breach after attackers used social engineering to obtain system access, causing major operational disruption and losses estimated at $100 million. Key defensive measures include regular cybersecurity training for service desk staff and automating the password reset process. Robust user verification methods can significantly reduce the risk of social engineering attacks against service desks.
2024-05-23 13:56:06 thehackernews NATION STATE ACTIVITY Chinese Espionage Expands to Africa, Caribbean Governments
The Chinese cyber espionage group Sharp Panda, now tracked as Sharp Dragon, is targeting government organizations in Africa and the Caribbean to expand its intelligence gathering. Sharp Dragon uses tools such as Cobalt Strike Beacon for backdoor access and command execution, while adopting tactics that reduce the exposure of its custom tooling. Earlier operations focused on Southeast Asian governments and used the VictoryDLL and Soul modular malware for long-term reconnaissance. Recent activity shows a more refined approach, targeting high-profile government entities in G20 nations and exploiting 1-day security flaws for initial access. The attacks align with China's broader agenda of increasing its influence in critical sectors across the targeted regions, suggesting geopolitical motivations. Sharp Dragon relies on increasingly deceptive lures, including phishing emails with malicious attachments and executables disguised as documents, to start infections. Reports also point to the use of operational relay box (ORB) networks by Chinese actors to obscure their origin and maintain access to high-value networks, a trend toward more covert operations.
2024-05-23 13:35:21 theregister MISCELLANEOUS Global CISOs Report High Concern for Imminent Cyber Attacks
70% of CISOs globally expect their organization could face a significant cyber attack within the next year, up slightly from 68% the previous year. Their top concerns are ransomware, malware, email fraud, compromised cloud accounts, and insider threats. 43% admit their organization is not adequately prepared to handle such an attack, an improvement from 61% the previous year. Despite the risks, 62% would consider paying a ransom in the event of a ransomware attack, unchanged in sentiment from last year. The strain on CISOs is evident: 66% are concerned about unrealistic expectations and personal liability, a figure that has risen significantly over the past few years. Encouraging trends include greater cybersecurity representation at board level and better alignment between CISOs and board members. Overall, burnout and legal accountability remain significant concerns, with over half of CISOs experiencing or observing professional burnout.
2024-05-23 11:17:05 thehackernews NATION STATE ACTIVITY Chinese APT Exploits Global Entities in Espionage Campaign
A Chinese advanced persistent threat (APT) group has targeted several government entities in the Middle East, Africa, and Asia since late 2022 as part of a campaign dubbed Operation Diplomatic Specter. Palo Alto Networks' Unit 42 highlighted the use of sophisticated techniques, including a rare email exfiltration tactic run against compromised servers. Targets included diplomatic missions, military operations, and high-ranking officials, with the aim of large-scale intelligence gathering. The group used previously undocumented backdoors, dubbed TunnelSpecter and SweetSpecter, to stay hidden and exfiltrate data. Initial access came through known vulnerabilities in Exchange servers, followed by keyword searches across mail servers to locate and exfiltrate sensitive information. Overlaps in techniques and tooling suggest links between earlier tracked activity and known China-nexus groups such as APT27 and Mustang Panda. Researchers observed the threat actor working daily to monitor geopolitical developments and extract relevant information, indicating highly strategic espionage objectives.
2024-05-23 11:17:05 thehackernews MISCELLANEOUS Critical Risks and Strategies for Securing SaaS Data Backups
Many organizations use over 400 SaaS applications, yet their critical business data is often not adequately secured. Approximately 56% of IT professionals are unaware of their specific responsibilities for SaaS data backups. SaaS backups pose unique challenges because the customer does not own the operating or data environment, which complicates the backup process. Insecure backup solutions carry significant risks, including intellectual property theft and exposure of sensitive operational details. Despite the growth of SaaS, many IT leaders do not fully understand the Shared Responsibility Model, increasing the risk of data mishaps. Common SaaS weaknesses include user permission issues, data exposure, and susceptibility to specific cyberattacks. Prospective backup service providers should be scrutinized for robust security controls that address SaaS-specific threats. As SaaS becomes integral to daily operations, ensuring that backups are available and secure is essential to prevent data loss and exploitation.
2024-05-23 09:24:58 thehackernews MALWARE Ivanti Fixes Critical Remote Code Execution Vulnerabilities
Ivanti has issued patches for critical vulnerabilities in Endpoint Manager (EPM) that allow remote code execution. Six of the vulnerabilities are SQL injection flaws that let unauthenticated attackers on the same network execute arbitrary code. The remaining four require authentication and affect the core server of Ivanti EPM versions up to 2022 SU5. A separate high-severity flaw in Avalanche, which enables remote code execution by uploading a malicious file, was also patched. Further fixes address high-severity vulnerabilities in Neurons for ITSM, Connect Secure, and the Secure Access clients for Windows and Linux. There is currently no evidence that these flaws have been exploited in the wild or were introduced through a malicious supply chain attack. The announcement coincides with disclosures of critical vulnerabilities in other software, underscoring ongoing cybersecurity risk.
2024-05-23 08:33:51 theregister DATA BREACH UK Watchdog Fines Northern Ireland Police for Massive Data Leak
The UK's Information Commissioner's Office (ICO) has proposed a £750,000 fine against the Police Service of Northern Ireland (PSNI) following a significant data breach. In August 2023, a spreadsheet containing personal details of 9,483 PSNI officers and staff was accidentally released in response to a Freedom of Information request. The leaked information included surnames, initials, ranks, roles, and workplaces, affecting every serving officer and member of civilian staff. The breach has had severe personal consequences, including officers having to relocate, change daily routines, and pay for additional personal security. The ICO took PSNI's public sector status into account, resulting in a lower fine than would be imposed on a private sector organization in similar circumstances. PSNI acknowledges the breach's implications and is working with the ICO to implement the recommended data protection measures. The aftermath has included an expanded investigation with numerous arrests, ongoing policy updates, and staff training to prevent future incidents. The ICO cited the breach to urge all organizations to improve their data protection practices and adequately secure personal information.
2024-05-23 06:36:11 theregister MISCELLANEOUS Apple's Wi-Fi Positioning System Potentially Enables Global Surveillance
Researchers from the University of Maryland identified weaknesses in Apple's Wi-Fi Positioning System (WPS) that could enable broad surveillance. Unlike Google's, Apple's WPS returns the locations of both the requested Wi-Fi BSSIDs and additional nearby ones, exposing far more location data than was asked for. This behaviour reportedly allowed the researchers to compile a database of nearly 500 million BSSIDs worldwide. The WPS is neither authenticated nor rate limited, so access is effectively unrestricted, with significant privacy implications. Apple has recently added support for users to opt out of this tracking by adding the "_nomap" suffix to their network names, a measure Google adopted earlier. The researchers engaged with major companies including Apple and SpaceX; SpaceX responded promptly by introducing BSSID randomization. Further remediation from Apple is expected in response to the report's findings, aimed at improving user privacy. The findings are scheduled to be presented in detail at Black Hat USA, a major cybersecurity conference.
2024-05-23 05:49:55 theregister CYBERCRIME Counterfeit Pegasus Spyware Scams Becoming Rampant, Researchers Warn
Indian infosec company CloudSEK has exposed scam operations selling fraudulent versions of the Pegasus spyware on platforms such as Telegram. Scammers trade on the notoriety of Pegasus, developed by Israel's NSO Group, to sell fake tools masquerading as the real spyware. CloudSEK's investigation analyzed over 25,000 posts and involved interactions with 150 sellers, uncovering dozens of fake spyware samples. Prices were aggressive: one seller claimed to have made four sales of fake Pegasus access totalling $6 million in just two days. Despite the high prices, most of the fake samples were ineffective, consisting of randomly generated source code and invalid demonstrations. The scammers exploited Apple's policy shift on attributing mercenary spyware attacks to push more sales under the Pegasus name. CloudSEK warns buyers to be wary of schemes that exploit the brand and reputation of known spyware to commit fraud.
2024-05-23 05:39:25 thehackernews MISCELLANEOUS Microsoft Announces Phasing Out VBScript for JavaScript, PowerShell
Microsoft is set to phase out Visual Basic Script (VBScript) beginning in the second half of 2024, moving to JavaScript and PowerShell for their greater capabilities and suitability for modern tasks. VBScript, introduced in 1996, has mainly been used for automating tasks and building interactive web pages for browsers such as Internet Explorer and Edge. The deprecation will proceed in phases, starting with VBScript becoming a feature on demand in Windows 11 24H2 and ending with full retirement at a later, as yet unspecified, phase. The move reflects Microsoft's broader strategy of reducing its attack surface by retiring older technologies commonly abused by threat actors, such as VBScript and NT LAN Manager (NTLM). Microsoft recently disabled outdated macro features across its platforms and introduced controls to block risky file types, continuing its security push. Separately, Microsoft's new AI-powered Recall feature in Windows raises privacy concerns because it periodically saves and processes snapshots of user activity without content moderation, creating potential risks for the storage of sensitive information. The UK Information Commissioner's Office is engaging with Microsoft to assess Recall's privacy safeguards, stressing the need for transparency and rigorous data protection to protect user privacy.
2024-05-23 03:52:09 theregister NATION STATE ACTIVITY Bitdefender Exposes 'China-Aligned' Cyber Espionage Group Since 2018
Bitdefender has identified a previously unknown cyber espionage group, Unfading Sea Haze, likely backed by Chinese interests. The group has been active since at least 2018, targeting government and military entities with sophisticated data-stealing spyware. It employs advanced evasion techniques and flexible tactics, including spear phishing and memory-resident malware, to minimize detection. The attackers mainly used malicious DLL files and keyloggers to harvest sensitive data from compromised systems, then exfiltrated it via FTP using both hard-coded and dynamically generated credentials. Poor credential hygiene and inadequate patching were common weaknesses among the victim organizations. The group has continually evolved its methods and tools, which points to strategic planning rather than reactive changes after security incidents. Despite strong indications of ties to China, definitive attribution remains difficult because the attackers may deliberately obscure their origin. Key technical details, including indicators of compromise, have been published to help other organizations detect and block similar attacks.