Daily Brief

2024-03-21 11:31:27 thehackernews MISCELLANEOUS Streamlining Vendor Risk Assessments with AI and SaaS Profiles
Vendor Risk Management (VRM) is crucial for protecting organizational assets and data integrity amid the increasing dependence on third-party SaaS providers. Traditional methods for vendor risk assessment are becoming obsolete due to their slow and static nature, unable to cope with the rapid SaaS environment. Nudge Security offers a solution by providing robust security profiles for over 97,000 SaaS apps, enhanced with AI-powered risk insights. The service allows organizations to quickly identify and assess SaaS used internally and evaluate vendor security using comprehensive profiles, without extensive deployment requirements. Nudge Security helps organizations maintain a directory of approved applications and automates guidance for employees towards secure software choices. The platform speeds up evaluations of potential new SaaS purchases by providing easy access to security profiles and compliance information. Features also include visibility into the SaaS supply chain, crucial for managing data security risks and regulatory compliance. Alerts for breaches affecting SaaS providers or their supply chain are provided, enabling timely responses to mitigate potential security threats. Nudge Security's streamlined process for SaaS discovery and risk assessment offers a modern approach to VRM and improves organizations' SaaS security postures.
2024-03-21 10:30:20 thehackernews MISCELLANEOUS GitHub Introduces AI-Driven Security Autofix Tool for Developers
GitHub has released a public beta feature called code scanning autofix for Advanced Security customers, which improves security by providing code suggestions. The tool, built on GitHub Copilot and CodeQL, supports JavaScript, TypeScript, Java, and Python and addresses over 90% of common alert types. Autofix is powered by CodeQL, Copilot APIs, and OpenAI GPT-4, and is expected to expand to more languages such as C# and Go. It aims to help developers fix vulnerabilities immediately by recommending fixes and explanations within the context of the codebase. The system generates fixes that extend beyond a single file, including necessary changes in other files and dependencies. GitHub stresses that developers must review each recommendation because of current limitations, such as the possibility of a suggested fix pulling in a dependency that contains malicious software. The tool is designed to streamline patching by offering suggestions grounded in the specifics of the codebase and security best practices.
2024-03-21 09:23:56 thehackernews CYBERCRIME Evolving Threats in Operational Technology Cybersecurity
Over the years, operational technology (OT) environments have seen varied cyber-attacks, necessitating improved cybersecurity measures. OT cyber-attacks are not always sophisticated; many impact production due to IT tactics, techniques, and procedures (TTPs) affecting IT assets. The article categorizes OT cyber-attacks into two main groups: those using IT TTPs and inadvertently impacting OT (Category 1) and those involving deliberate, sophisticated attacks with OT-specific TTPs (Category 2). Category 1 attacks are more common in public reports and include ransomware, data theft, and unintended OT asset disruptions caused by breaches in IT systems. Category 2 attacks, though less frequent, pose a greater risk since they target OT systems directly with the intent to disrupt or manipulate production processes. The prevalence of attacks using IT TTPs (Category 1) hints at a potential shift in cybercriminal tactics towards more advanced, OT-focused strategies (Category 2) as defenses against IT attacks improve. The analysis suggests that organizations should prioritize building resilience against IT-level threats and prepare for possible evolution in cybercriminal methods targeting OT assets. The report promotes awareness and the development of robust cybersecurity controls specifically for OT to mitigate the future risk of sophisticated OT cyber-attacks.
2024-03-21 08:12:37 thehackernews NATION STATE ACTIVITY U.S. Sanctions Target Russian Disinformation Campaign Architects
The U.S. has imposed sanctions on two Russian nationals, Ilya Gambashidze and Nikolai Tupikin, along with their companies, for orchestrating cyber influence operations. These operations involve the use of fake websites and social media accounts under the 'Doppelganger' campaign targeting European and U.S. audiences. The sanctioned entities mimicked legitimate news and government sites to disseminate disinformation and promote Russian government narratives. Over $200,000 in cryptocurrency transactions linked to one of the individuals demonstrate financial connections to a sanctioned exchange involved in Russia's illicit activities. The Doppelganger operation, active since early 2022, has been cited as a significant Russian-origin influence campaign and has utilized AI to create fake news. These measures are part of broader initiatives, including legislation aimed at preventing the sale of sensitive data to foreign adversaries and controlling foreign adversary-influenced applications.
2024-03-21 07:11:24 bleepingcomputer MISCELLANEOUS Successful Zero-Day Exploits Showcase at Pwn2Own Vancouver 2024
Pwn2Own Vancouver 2024 Day 1 ended with contestants demonstrating zero-day vulnerabilities in Windows 11, Tesla cars, and Ubuntu Linux, winning $732,500 and a Tesla Model 3. Notable achievements included Synacktiv hacking Tesla's ECU in under 30 seconds, winning the car and $200,000, and Theori researchers escaping a VMware Workstation VM, earning $130,000. Abdul Aziz Hariri of Haboob SA exploited an Adobe Reader vulnerability on macOS for a $50,000 prize. Reverse Tactics team members Bruno Pujos and Corentin Bayet chained two Oracle VirtualBox bugs with a Windows use-after-free (UAF) to gain SYSTEM privileges, winning $90,000. Manfred Paul successfully hacked the Apple Safari, Google Chrome, and Microsoft Edge web browsers, exploiting three zero-day vulnerabilities and securing $102,500. Vendors have a 90-day window to patch reported flaws before Trend Micro's Zero Day Initiative publicly discloses them. Pwn2Own targets a broad range of categories including web browsers, cloud-native technologies, virtualization, and automotive systems, with a total prize pool of over $1,300,000. The top award is $500,000 and a Tesla Model 3, with significant awards also offered for exploiting a Windows kernel vulnerability and for achieving a Hyper-V Client guest-to-host escape.
2024-03-21 06:35:39 theregister CYBERCRIME Undercover Report Unveils Massive Smartphone Scam Farms in China
Chinese state television CCTV conducted an undercover investigation uncovering smartphone farms used for fraudulent activities. The farms consist of chassis packed with 20 smartphone motherboards, which are then racked in data centers holding up to 1,000 devices. These devices operate fake accounts and frequently change IP addresses to avoid detection while conducting scams such as fake e-commerce orders and boosting SEO through fake comments and likes. Renting a 20-smartphone system costs between RMB 3,000 ($417) and RMB 6,000 ($834), with operators remaining willfully ignorant of their clients' identities. Phone farming violates Article 53 of China's telecommunications regulations, which requires a network access license for equipment connected to the public network. E-commerce platforms are blocking search terms related to phone farms, but vendors can still be found through alternative means, and some of them provide management software for screen mirroring and remote device access. While some vendors claim legitimate uses for their technology, such as game development and testing, over 23 percent of businesses involved in this sector have encountered legal issues, and less than three percent have received administrative penalties.
2024-03-21 05:34:27 theregister NATION STATE ACTIVITY North Korean Kimsuky Gang Escalating Cyber Espionage with Help Files
North Korea's Kimsuky cybercrime group is adopting new tactics in cyber espionage, utilizing Windows Help files to deploy infostealers. These attacks primarily aim at gathering intelligence from government sectors and think tanks to benefit Kim Jong Un's regime. The threat actors, known for spear phishing, are now using Microsoft Compiled HTML Help (CHM) files to execute arbitrary commands on Windows systems. Their operations include stealing information about victims' computers, running processes, and recent Word documents, indicating a focus on obtaining sensitive data. Security vendor Rapid7, which reported the findings, has published indicators of compromise and is moderately confident the campaign is targeting South Korea, with potential expansion beyond Asia. The German federal infosec agency has reported Kimsuky activity within Germany, demonstrating the group's expanding geographic focus. The use of CHM files is a known technique, but Rapid7 warns that some organizations' defenses might overlook them, highlighting the need for continued vigilance and adaptation to counter such threats.
2024-03-21 03:57:55 thehackernews MALWARE Ivanti Releases Critical Fix for Standalone Sentry RCE Flaw
Ivanti has disclosed a critical remote code execution (RCE) vulnerability in Standalone Sentry, designated CVE-2023-41724 with a CVSS score of 9.6. The flaw allows an unauthenticated attacker on the same physical or logical network to execute arbitrary commands on the appliance. All supported Standalone Sentry versions are affected, and Ivanti has issued a patch to address the issue. Versions 9.17.1, 9.18.1, and 9.19.1 of the software are available for download, and customers are urged to update immediately. The vulnerability was discovered in collaboration with cybersecurity experts from the NATO Cyber Security Centre, and no known exploitation has been reported. Ivanti notes that to exploit the flaw over the internet, a threat actor would require a valid TLS client certificate enrolled through EPMM, which adds an extra layer of protection. The disclosure comes amid previous exploitation of Ivanti vulnerabilities by suspected China-linked cyber espionage groups, highlighting ongoing concerns around cyber threats targeting Ivanti software.
2024-03-21 03:37:29 thehackernews MALWARE Atlassian Patches Critical SQL Injection Vulnerability in Bamboo
Atlassian has released patches for over two dozen vulnerabilities, including a critical SQL injection bug in Bamboo Data Center and Server. The critical flaw, tracked as CVE-2024-1597 with a CVSS score of 10.0, could be exploited without user interaction. The vulnerability lies in the org.postgresql:postgresql dependency and could allow an unauthenticated attacker to compromise confidentiality, integrity, and availability. The flaw is present in the affected Bamboo Data Center and Server versions, but instances using the default SQL database connection settings are not impacted. Security researcher Paul Gerste discovered and reported the issue, and users are urged to upgrade to the latest version of the software. Affected Bamboo instances should be updated immediately to mitigate the risk of exploitation.
2024-03-20 20:04:46 bleepingcomputer CYBERCRIME Phishing Scam Targets Fans via Hacked Spa Grand Prix Email
Hackers compromised an official Spa Grand Prix email account to conduct a phishing scheme against fans. Unsuspecting recipients were directed to a fraudulent website through a €50 voucher offer for Formula 1 event tickets. The Spa Grand Prix organizer quickly alerted customers to the cyberattack and urged them not to engage with the phishing emails. Following the incident, the organization upgraded its security measures, filed a complaint with the Belgian cyber police, and plans to file a civil claim. The extent of the data breach and the number of affected individuals remain unspecified, as the organization has not yet disclosed these details. The organizer explicitly reassured customers that the Spa Grand Prix's main website and ticketing system have not been compromised and remain secure. Ticketholders concerned about potential data exposure have been advised to contact the Grand Prix's secretariat for assistance.
2024-03-20 19:44:15 bleepingcomputer DDOS New 'Loop DoS' Vulnerability Threatens Over 300,000 Internet Hosts
A novel 'Loop DoS' attack could jeopardize over 300,000 online systems by abusing application protocols that run over the User Datagram Protocol (UDP). The attack causes two network services to enter an endless loop of replies, producing massive traffic and overwhelming resources. This denial-of-service (DoS) attack exploits CVE-2024-2169, a vulnerability rooted in UDP's susceptibility to IP spoofing and in the affected services' lack of proper packet verification. Both legacy and widely used modern internet protocols, including DNS, NTP, and TFTP, could be affected by this security issue. Attackers can initiate a self-sustaining loop of error messages between two servers, leading to a drain on system resources. Despite no current evidence of exploitation, researchers have disclosed the vulnerability to vendors and the CERT Coordination Center. CERT/CC advises applying the latest security patches, turning off unnecessary UDP services, and implementing anti-spoofing and traffic-limiting measures as countermeasures.
2024-03-20 19:33:35 theregister CYBERCRIME Scammers Target Early Tax Filers with Phishing Campaign
Microsoft has exposed an early-start phishing scam targeting tax filers with fake tax return emails designed to steal sensitive information. Scammers are using social engineering techniques, including blurred document previews, to lure victims into installing malware on their machines. The info-stealer malware attempts to harvest user credentials after the victim clicks a fraudulent "download documents" button in the email. Microsoft warns of increased risk during tax season as scammers use AI and deepfake technology to craft more convincing emails and to target specific vulnerable groups. High-value data belonging to millions of individuals and businesses is at risk, compounded by the added stress and distractions of the tax season. Scammers often impersonate legitimate tax processors or the IRS and bait users with promises of hefty refunds in exchange for personal information. Microsoft recommends guarding against tax-season phishing by verifying email sources, being cautious with sensitive information, and enabling multi-factor authentication (MFA). The IRS notes that it does not solicit personal or financial information through unsolicited emails, text messages, or social media.
2024-03-20 18:57:38 bleepingcomputer MISCELLANEOUS GitHub Launches AI Tool to Auto-Fix Code Vulnerabilities
GitHub has introduced a new AI-powered feature, Code Scanning Autofix, in public beta to speed up the fixing of vulnerabilities while coding. The tool, powered by GitHub Copilot and CodeQL, addresses over 90% of alert types for languages such as JavaScript, TypeScript, Java, and Python. Code Scanning Autofix provides fix suggestions with natural language explanations and code previews, enabling developers to respond to vulnerabilities more easily and quickly. This feature could significantly reduce the workload of security teams, allowing them to focus on broader security concerns rather than recurring coding vulnerabilities. While the tool promises to address a substantial share of detected issues, developers are reminded to verify that each fix fully resolves the issue and preserves the code's functionality. GitHub plans to expand support to more programming languages, including C# and Go, and emphasizes the tool's role in managing "application security debt." The introduction of this feature follows recent GitHub enhancements such as push protection, which prevents accidental exposure of secrets in public repositories.
2024-03-20 18:37:04 theregister NATION STATE ACTIVITY US Initiates Task Force to Secure Water Sector Against Cyber Threats
The US EPA is forming a Water Sector Cybersecurity Task Force to combat escalating cyber threats. The initiative is a response to growing concerns over foreign adversaries targeting US water services. Recent cyber incidents, including an attack by an Iran-backed group and China's Volt Typhoon's activities, have heightened awareness. The task force will focus on plugging widespread security vulnerabilities and promoting industry-wide best practices. It builds upon existing efforts, such as the 2023 Roadmap to a Secure and Resilient Water and Wastewater Sector. There are instances where basic cybersecurity measures, such as changing default passwords and updating software, are not widely implemented. The EPA's previous attempt at mandating cybersecurity evaluations met with legal challenges from some states. With the Biden-Harris administration's support, the EPA's renewed effort aims to implement more effective protections for the water sector.
2024-03-20 17:10:27 bleepingcomputer CYBERCRIME Ivanti Releases Patches for Standalone Sentry and ITSM Security Flaws
Ivanti has issued an immediate patch for a critical vulnerability in Standalone Sentry reported by the NATO Cyber Security Centre. The vulnerability, identified as CVE-2023-41724, affects all supported versions and could allow attackers to execute commands without authentication. A second critical vulnerability, CVE-2023-46808, found in Ivanti Neurons for ITSM, has been patched in cloud deployments but remains a risk for on-premises systems. Ivanti states there is currently no evidence of in-the-wild exploitation of either issue. Earlier, at least 13,000 Ivanti endpoints were exposed to potential attacks because of unpatched vulnerabilities. CISA has previously ordered federal agencies to secure or disconnect vulnerable Ivanti VPN appliances following widespread targeted attacks. Historically, Ivanti vulnerabilities have been exploited by nation-state actors, including suspected Chinese threat groups targeting government and financial entities.