Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-20 16:03:57 | theregister | DATA BREACH | Royal Privacy Under Threat: London Clinic's Data Breach Investigated | The London Clinic is investigating an alleged breach of Princess Kate's medical records by an employee.
Kate Middleton, Princess of Wales and future Queen of the UK, had surgery at the clinic earlier this year.
Al Russell, CEO of the London Clinic, emphasized the institution's commitment to patient confidentiality and the serious approach to any breach.
The Information Commissioner's Office has received a report of the incident and is currently assessing the information provided.
Joe Jones from the International Association of Privacy Professionals noted the severity of a potential breach, given the possible negative consequences of unauthorized data sharing.
Rumors regarding the Princess's health circulated due to her absence from public events, but she was seen shopping recently, looking well. | Details |
| 2024-03-20 14:52:24 | thehackernews | DDOS | Novel 'Loop DoS' Attack Endangers UDP-Based Protocols on Host Systems | Researchers discovered a new denial-of-service (DoS) attack, termed Loop DoS, targeting application-layer protocols over UDP, affecting a large number of systems.
Loop DoS attacks function by inducing two servers to continuously communicate with each other, unwittingly participating in a traffic loop that leads to a service disruption.
User Datagram Protocol (UDP) is vulnerable due to its inability to authenticate source IP addresses, which allows attackers to exploit IP spoofing and reflect attacks back to the victim server.
Protocols at risk include DNS, NTP, TFTP, and others that can execute infinite error response loops when interacting with another compromised service.
An estimated 300,000 hosts are susceptible to Loop DoS attacks, which can be initiated by a single spoofing-capable host, making the threat relatively easy to execute.
Notable companies with vulnerable products include Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel, although no active exploits have been reported yet in the wild.
Researchers emphasize the importance of initiatives like BCP38 to filter spoofed traffic and mitigate the risk of such DoS attacks. | Details |
| 2024-03-20 14:36:50 | theregister | CYBERCRIME | Extortionist Admits Guilt in Cyber Attacks on U.S. Medical Facilities | Robert Purbeck pleads guilty to federal computer fraud and abuse, affecting over 132,000 individuals.
Purbeck targeted at least 18 organizations across the U.S., including medical clinics, using aliases for extortion.
He threatened to sell personal information of a child of a Florida orthodontist unless a ransom was paid.
In one case, Purbeck purchased credentials off the dark web to access and steal data from a Georgia medical clinic's server.
Purbeck also penetrated the server of a Newnan, Georgia police department, extracting files and additional personal data.
The U.S. attorney emphasizes the risk of cyberattacks on healthcare and local governments and commits to combating cyber threats.
Purbeck’s attempts to regain access to seized devices and sue authorities were denied; allegations of excessive force during his arrest were mostly dismissed.
As part of the guilty plea, Purbeck agrees to pay $1 million in restitution; sentencing is scheduled for June 18. | Details |
| 2024-03-20 13:50:32 | bleepingcomputer | MISCELLANEOUS | Flipper Zero Makers Defend Device Amid Canadian Ban Proposal | The Canadian government proposed a ban on "consumer hacking devices" like Flipper Zero due to car theft concerns.
Car thefts in Canada have reportedly increased to 90,000 annually, with lawmakers linking this rise to hacking tools.
Flipper Zero is a multifunctional pen-testing tool, used for experimenting and debugging hardware and digital devices.
Flipper Devices, the producer of Flipper Zero, argues the device can't effectively be used for car thefts like keyless entry system hacks.
The real issue, according to Flipper Devices, is outdated and vulnerable access control systems in automobiles, not the tools used to expose their weaknesses.
Flipper Zero is a low-powered device, which is not suitable for the signal repeater strategies typically employed by car thieves.
The team urges the security research community to support the opposition to the ban through petitions and spreading awareness. | Details |
| 2024-03-20 13:19:50 | theregister | CYBERCRIME | Surge in Stalkerware Use Highlights Growing Cyberstalking Issue | Kaspersky's annual report shows a 6% increase in people affected by stalkerware, with 31,031 cases documented in 2023.
Europe and North America have seen significant cases, but Russia, Brazil, and India are the top three affected countries.
The most prevalent stalkerware app globally is TrackView, impacting over 4,000 users; other notable apps include Reptilic, SpyPhone, Mobile Tracker, and Cerberus.
Stalkerware is often marketed as a legitimate tool, such as anti-theft or parental-control software, while being used for invasive tracking without the victim's consent.
Victims may find themselves at greater risk if they attempt to remove stalkerware, especially those in abusive relationships.
A commissioned survey found that 23% of respondents experienced online stalking, with women reporting higher instances of violence and abuse than men.
While the majority are against monitoring a partner without consent, a worrying 46% of survey participants find it acceptable, indicating a decline in privacy norms.
The normalization of sharing personal information and account access among younger generations may contribute to the increasing acceptance and use of stalkerware. | Details |
| 2024-03-20 11:27:38 | thehackernews | CYBERCRIME | Cybercriminals Exploit TeamCity Flaws for Malware Deployment | Threat actors are exploiting vulnerabilities in JetBrains TeamCity software to launch ransomware and implant cryptocurrency miners and Trojans.
These attacks are primarily based on the CVE-2024-27198 flaw, which allows administrative control over affected servers without authentication.
Following the public disclosure of the flaw, BianLian and Jasmin ransomware families, among others, have weaponized it for malicious purposes.
The ransomware ecosystem is evolving with new strains appearing and existing groups like LockBit recruiting affiliates despite law enforcement efforts.
Adjusted losses from reported ransomware infections in 2023 exceed $59.6 million in the U.S., with critical infrastructure sectors heavily targeted.
Collaboration among ransomware groups is increasing, leading to shared tools, tactics, and operational partnerships, which may complicate detection and attribution efforts.
Sophisticated evasion techniques such as exploiting public-facing application vulnerabilities and "living-off-the-land" strategies are growing trends among cybercriminals.
Security experts call for persistent strategic efforts to weaken the regenerative power of ransomware-as-a-service (RaaS) operations to combat this surge in ransomware crime. | Details |
| 2024-03-20 11:27:38 | thehackernews | MISCELLANEOUS | Enhancing Business Security in the Generative AI Era | The adoption of Generative AI technologies is widespread, with 79% of organizations already incorporating these innovations.
Generative AI, including Large Language Models (LLMs), represents the new forefront of technological advancement but introduces complex security challenges.
A webinar featuring Elad Schulman, CEO & Co-Founder of Lasso Security, and Nir Chervoni from Booking.com will address securing Generative AI technologies.
The session aims to aid IT professionals, cybersecurity experts, and business leaders in understanding the security intricacies of Generative AI.
Attendees will gain expert knowledge on the immense potential and notable security considerations of Generative AI in business applications. | Details |
| 2024-03-20 10:21:32 | theregister | NATION STATE ACTIVITY | Five Eyes Warn of Chinese Cyber Threats, Urge Action | The Five Eyes intelligence alliance has issued an urgent warning about potential cyber attacks from China's Volt Typhoon group targeting critical infrastructure.
Volt Typhoon is associated with China and has previously compromised multiple critical infrastructure IT networks in America.
The advisory from CISA and international partners alerts non-technical senior leaders to prioritize cybersecurity and implement recommended best practices.
Critical suggestions include employing intelligence-informed prioritization tools, enabling comprehensive logging, and conducting regular incident response drills.
The alert also places emphasis on supply chain security and the importance of vendor risk management, including adherence to strict security standards.
Organizations are advised to be aware of foreign ownership, control, or influence over their suppliers, referencing U.S. Department of Commerce Entities and Unverified Lists. | Details |
| 2024-03-20 09:45:45 | thehackernews | MALWARE | BunnyLoader 3.0 Malware Update Introduces Advanced Attack Capabilities | Cybersecurity experts at Palo Alto Networks Unit 42 have discovered an upgraded variant of BunnyLoader, a sophisticated malware with enhanced data theft and evasion abilities.
Named BunnyLoader 3.0 by its developer, the malware now boasts improved keylogging functions, a smaller payload size, and modules written specifically for stealing data.
Initially offered as malware-as-a-service (MaaS) for a monthly subscription, BunnyLoader has seen frequent updates to bypass antivirus measures and enhance its data collection capabilities.
The latest upgrade includes denial-of-service (DoS) features for HTTP flood attacks and the separation of its different components into individual binaries for targeted deployment.
BunnyLoader's proliferation involves a complex infection chain utilizing a new dropper named PureCrypter, leading to the delivery of multiple types of stealers, such as PureLogs and Meduza.
The expanding MaaS landscape exemplifies the continuous retooling by threat actors to evade cybersecurity defenses.
The study also references the persistence of SmokeLoader and a new information stealer called GlorySprout, shedding light on the evolving cybercrime ecosystem and the ongoing conflicts involving cyberattacks on Ukrainian government and financial institutions. | Details |
| 2024-03-20 08:49:31 | bleepingcomputer | CYBERCRIME | Warning: Scam Redirects Through Fake Twitter Ads Uncovered | Security researcher Will Dormann has identified an advertisement on the social media platform X that appears to link to Forbes but redirects users to a scam-related Telegram account.
The ad manipulates the platform's preview system, which attempts to display the ultimate URL destination, but in this case, shows Forbes while redirecting to another site.
Initially, users are taken to joinchannelnow[.]net which, depending on the user agent of the request, either redirects to the scam on Telegram or to a legitimate Forbes article.
The fraudulent setup can trick X's preview system, especially on mobile apps where there's no status bar to reveal the true link destination before clicking.
The vulnerability has been reportedly exploited by adversaries ranging from crypto scammers to malware and phishing operators, taking advantage of users' trust in the displayed URL.
Users are advised to avoid clicking on external links in X posts and ads without thorough scrutiny, and on mobile devices, it is recommended to avoid tapping links altogether. | Details |
| 2024-03-20 06:52:34 | thehackernews | CYBERCRIME | Ukraine Detains Three for Global Email and Instagram Account Hijacking | Ukrainian Cyber Police arrested three people for hacking over 100 million email and Instagram accounts worldwide.
The suspects are accused of conducting brute-force attacks to gain unauthorized access to accounts and selling credentials on the dark web.
Arrested individuals could face up to 15 years in prison if found guilty.
Authorities executed seven searches across Ukraine, seizing computers, phones, and other assets.
A U.S. national admitted to computer fraud for breaching over a dozen entities and exfiltrating personal data of 132,000 individuals.
The U.S. defendant, who caused harm by extorting victims with sensitive data, agreed to pay over $1 million in restitution. | Details |
| 2024-03-20 05:51:29 | thehackernews | NATION STATE ACTIVITY | U.S. EPA Launches Task Force Against Water System Cyberthreats | The U.S. Environmental Protection Agency (EPA) is creating a Water Sector Cybersecurity Task Force to protect water systems from cyberattacks.
EPA Administrator Michael Regan and National Security Advisor Jake Sullivan expressed concerns to U.S. Governors about the vulnerability of water and wastewater systems to cyber threats.
Cyber Av3ngers and China-linked Volt Typhoon are among the groups identified as targeting U.S. water systems.
There are significant risks involved as water systems are critical infrastructure, yet often lack adequate cybersecurity safeguards.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fact sheet warning of the serious risk posed by Volt Typhoon and advised implementation of cybersecurity best practices.
SentinelOne reported China's media strategy aims to manipulate global perception of U.S. hacking activities and espionage. | Details |
| 2024-03-20 01:47:40 | theregister | CYBERCRIME | IT Contractor Jailed for Illegally Redirecting Museum Funds | An IT contractor was sentenced to 2.5 years of imprisonment for unauthorized transactions from the National Maritime Museum's accounts.
The individual exploited his role to reroute over AU$66,000 of museum funds to his personal accounts.
A significant portion of the stolen funds was used to purchase advanced IT equipment and vehicle enhancements.
The fraudulent activity was detected by the museum, leading to an investigation by the Australian Federal Police and a subsequent arrest in March 2023.
The court has mandated a minimum non-parole period of 15 months out of the 30-month sentence.
Separately, security concerns have been raised as Australian government contractors with security clearances have been sharing sensitive project details on LinkedIn.
Additionally, it was discovered that over half of these contractors are listed on Have I Been Pwned, suggesting their credentials may have been compromised in previous data breaches. | Details |
| 2024-03-19 23:30:10 | bleepingcomputer | DATA BREACH | Massive Leak of 19 Million Plaintext Passwords from Firebase | Cybersecurity researchers discovered 19 million plaintext passwords leaked due to misconfigured Firebase instances.
Over five million domains were scanned, revealing 916 websites with poor security setups, exposing sensitive user records.
Exposed data includes names, emails, passwords, phone numbers, and billing information with bank details from various companies.
Researchers attempted to notify affected organizations, resulting in a quarter of them remedying the Firebase misconfigurations.
Despite attempts to raise awareness, only 1% of site owners responded, and the researchers received bug bounties from two site owners.
An Indonesian gambling network displayed the largest data exposure, including 8 million bank records and 10 million plaintext passwords.
The total number of exposed records amounts to 223 million, which is a conservative estimate, suggesting the problem could be more extensive.
This data exposure investigation follows a previous project where the same researchers found admin and superadmin access due to misconfigurations in an AI-powered hiring software used by various U.S. fast-food chains. | Details |
| 2024-03-19 22:08:46 | bleepingcomputer | CYBERCRIME | White House and EPA Address Surge in Cyberattacks on US Water Systems | The White House and the Environmental Protection Agency (EPA) warn of ongoing cyberattacks targeting the United States' water sector.
U.S. National Security Advisor Jake Sullivan and EPA Administrator Michael Regan urge governors to strengthen cybersecurity defenses for water systems.
A Water Sector Cybersecurity Task Force is being established to develop strategies against cyber threats nationwide.
Chinese and Iranian state-backed hackers have recently breached U.S. water systems, prompting increased security measures.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a security scan tool to help water utilities identify and address vulnerabilities.
There have been multiple ransomware attacks on the U.S. Water and Wastewater Systems Sector over the past decade, some leading to significant disruptions. | Details |