Daily Brief


Total articles found: 11809


2024-03-18 21:31:58 theregister DATA BREACH Data Leak Exposes 125 Million User Records Via Firebase Databases
Over 900 websites using Google's Firebase have inadvertently exposed sensitive data due to misconfiguration. The data breach includes 125 million user records with personal information, passwords, and billing details. Security researchers identified the leak and notified 842 affected websites, but only 24 percent rectified the issue. Misconfigured Firebase databases allowed for public access to 85 million names, 106 million email addresses, and 34 million phone numbers. Less than 1 percent of site owners responded to notifications, highlighting a lack of engagement in rectifying the leaks. The issue of misconfigured databases is widespread, with OWASP listing security misconfiguration as a common vulnerability. The researchers encourage users of Firebase and other cloud services to ensure secure configurations to protect sensitive data.
2024-03-18 20:51:08 bleepingcomputer NATION STATE ACTIVITY Chinese APT Group "Earth Krahang" Breaches 70 Global Entities
A Chinese APT group, Earth Krahang, has compromised 70 organizations and targeted 116 across 45 countries, with a focus on government entities. The campaign, active since early 2022, employs spear-phishing and exploits vulnerabilities such as CVE-2023-32315 and CVE-2022-21587. The hackers use webshells, build VPN servers, brute-force email passwords, and deploy custom backdoors for espionage. Trend Micro identified malicious tools including Cobalt Strike, RESHELL, and XDealer. Earth Krahang has connections to the China-backed company I-Soon, and its tools have been linked with other Chinese APT groups. The report details the threat actors' methods, including the use of compromised government email accounts for further spear-phishing attacks on other officials.
2024-03-18 20:35:43 theregister MALWARE Fujitsu Discloses Malware Breach Exposing Customer Data
Fujitsu confirmed that malware compromised its internal systems, potentially leading to a customer data breach. The tech giant discovered that personal and customer information files may have been illicitly accessed and exfiltrated. Details about the type of malware, the exact timing of the intrusion, and the scope of the data accessed remain unspecified. No misuse of customer information has been reported following the incident, per Fujitsu. The company has implemented additional security measures and monitoring tools and has disconnected the affected systems. Fujitsu is notifying impacted individuals and has reported the incident to Japan's Personal Information Protection Commission. The breach adds to Fujitsu's history of security incidents, including the Horizon scandal and a 2022 cloud service vulnerability. In related news, over 70 million AT&T customer records were allegedly leaked on a cybercrime forum, originally stolen in 2021.
2024-03-18 19:54:16 bleepingcomputer CYBERCRIME Microsoft Sets 2048-Bit RSA Key as New Security Baseline for Windows
Microsoft is deprecating RSA keys under 2048 bits in Windows TLS to enhance security. RSA cryptography relies on key length for strength, with 2048-bit keys being substantially more secure than 1024-bit keys. The deprecation targets TLS server authentication certificates, aligning with internet standards that have discouraged 1024-bit keys since 2013. Organizations using older software or devices with 1024-bit RSA keys will need to update to maintain authentication with Windows servers. Microsoft has yet to announce a specific start date for the deprecation but plans to provide a transition period for affected Windows administrators. Enterprise and test certification authority-issued TLS certificates are exempt from the impact to avoid widespread issues. Microsoft advises organizations to adopt RSA keys of 2048 bits or longer promptly in line with best security practices.
2024-03-18 19:03:17 theregister CYBERCRIME Over 133,000 Fortinet Devices Still at Risk From Critical Vulnerability
Over 133,000 Fortinet appliances remain unpatched and vulnerable to CVE-2024-21762, a critical remote code execution bug. Asia has the highest number of unpatched Fortinet devices, followed by North America and Europe. The US Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2024-21762 in its Known Exploited Vulnerability catalog due to active exploitation. Proof of concept exploits for the Fortinet vulnerability are becoming increasingly available online, raising risks for unpatched systems. Fortinet also disclosed another critical RCE flaw, CVE-2023-48788, in March, which could soon be exploited according to experts. CVE-2023-48788 affects FortiClient Endpoint Management Server (EMS) and has a severity score of 9.3. Past Fortinet vulnerabilities have been commonly exploited by nation-state actors and ransomware groups. CISA warns of the state-sponsored offensive cyber group Volt Typhoon potentially leveraging such vulnerabilities.
2024-03-18 17:56:58 thehackernews MALWARE New DEEP#GOSU Malware Campaign Leverages Cloud Services for Attacks
New DEEP#GOSU malware uses advanced techniques to target Windows systems and evade detection by utilizing PowerShell, VBScript, and legitimate cloud services for command-and-control. Cybersecurity researchers link the campaign to the North Korea-sponsored group Kimsuky, which uses multi-stage threats for stealthy operations and long-term surveillance and control. The infection starts with a malicious email attachment containing a deceptive shortcut file that prompts the execution of embedded malicious scripts. The malware employs Dropbox to distribute payloads and Google Docs to dynamically retrieve configuration data, highlighting a trend towards using cloud services in cyberattacks. Capabilities of the DEEP#GOSU malware include keylogging, clipboard monitoring, file management, remote access via RAT software, and data exfiltration through secure channels. This campaign's discovery follows revelations of other North Korean-linked cyber groups using sophisticated methods for espionage and financial gain, including crypto asset theft. Security experts emphasize the need for vigilance given the increased sophistication and apparent state sponsorship behind contemporary cyber threats.
2024-03-18 16:50:41 theregister DATA BREACH Leaked Records Claimed to be From AT&T Resurface Online
Over 70 million records allegedly stolen from AT&T were posted on a cybercrime forum. The data includes sensitive personal details such as Social Security Numbers and addresses. Cybersecurity group VX-Underground verified the authenticity of the stolen data. ShinyHunters, a cybercriminal group, initially claimed the theft in 2021 and sought to sell the data. AT&T previously denied the legitimacy of the data in 2021 and maintains there has been no system compromise. In January 2023, AT&T acknowledged an unrelated breach affecting around 9 million customers. AT&T believes the newly circulated data may be the same dataset that has appeared before on forums.
2024-03-18 16:09:46 bleepingcomputer CYBERCRIME Apex Legends Tournament Postponed Due To In-Game Hacking Incident
Electronic Arts postponed the Apex Legends Global Series North American finals after players' game clients were hacked during a match. The hack displayed a cheat interface on player Genburten's screen, granting an unfair advantage by revealing all player positions. The incident involved the unexpected appearance of a cheating tool on live-stream, leading to a compromised match and tournament disruption. Hackers employing aliases 'Destroyer2009' and 'R4ndom' claimed to use a remote code execution (RCE) vulnerability to carry out the attack. Easy Anti-Cheat investigated claims of an RCE exploit in their software, publicly stating confidence in the absence of such a vulnerability. The exact origin of the hack remains obscure, with theories ranging from an RCE in the game client to pre-compromised player devices. This event marks the first instance of players being hacked mid-match in the history of the Apex Legends Global Series.
2024-03-18 14:07:22 bleepingcomputer DATA BREACH Fujitsu Acknowledges Significant Malware-Driven Data Breach
Japanese tech giant Fujitsu reported a cyberattack involving malware which compromised several of its IT systems and resulted in unauthorized access to customer data. The company, a leading international IT services provider, confirmed that personal information and sensitive customer details may have been stolen during the breach. Following the detection of malware, Fujitsu isolated the impacted computers and has strengthened monitoring to prevent further incidents. An internal investigation is ongoing to ascertain the scope of the breach and identify the specific data that was exfiltrated by the attackers. Fujitsu has informed Japan's Personal Information Protection Commission and is preparing to notify affected customers, though it notes that no misuse of the data has been reported thus far. The article references a previous security incident in May 2021, where Fujitsu's ProjectWEB tool was exploited, compromising data from Japanese government agencies, including sensitive information and potentially air traffic control data from the Narita International Airport. After the 2021 breach, ProjectWEB was discontinued and replaced with a more secure, zero-trust based information-sharing platform.
2024-03-18 14:02:03 bleepingcomputer DATA BREACH Fujitsu Suffers Malware Attack, Confirms Customer Data Breach
Japanese technology company Fujitsu has confirmed a malware infection on some of its systems, resulting in a data breach. Cybercriminals have reportedly stolen sensitive customer data during the breach. Fujitsu, a leading IT services provider with a significant global presence, is involved in various sectors, including government projects. The firm has responded by isolating affected computers, enhancing monitoring, and initiating a thorough investigation. There have been no reports of the stolen data being misused, but Fujitsu has notified authorities and is preparing communications for affected customers. The breach's scale, specifically whether it affects corporate clients or consumers, is still unclear as details are yet to be disclosed. The incident follows a previous breach in May 2021 that impacted Japanese government agencies and resulted in the theft of proprietary data and email addresses.
2024-03-18 13:51:38 bleepingcomputer MISCELLANEOUS Ensuring SaaS Security with Updated NIST Cybersecurity Guidelines
The explosion of SaaS use has prompted an update of the NIST Cybersecurity Framework (CSF) to version 2.0, addressing the unique security challenges of SaaS applications. The new NIST CSF 2.0 includes a 'Govern' function, highlighting the need for preventive and detective controls in SaaS security. Implementing SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR) is recommended for comprehensive SaaS threat monitoring. Recent attacks on Microsoft Azure environments and a US telecom operator's HR software underscore the necessity of adhering to NIST guidelines. NIST CSF 2.0 emphasizes the importance of detecting anomalous activities through log analysis and correlating information from multiple sources to protect against breaches. NIST's 'Protect' function stresses limiting access to authorized users and maintaining a clear understanding of employee permissions to ensure robust SaaS application security. SaaS security aligned with NIST CSF 2.0 involves robust user inventory management, authentication, role-based access control, and effective incident detection and response strategies.
2024-03-18 13:20:53 theregister CYBERCRIME Cyberattack Installs Cheats, Halts Apex Legends Esports Tournament
Apex Legends Global Series Pro League tournament matches were disrupted by a suspected cyberattack that forced cheats onto players' accounts. Professional players Noyan "Genburten" Ozkose and Phillip "ImperialHal" Dosen received unauthorized enhancements in-game, including wallhacks and aimbots, compromising the integrity of the competition. The affected players were subsequently banned by the automated anti-cheat system, though there is no suspicion that they intentionally used the cheats. The gaming community suspects an unpatched remote code execution (RCE) vulnerability in the Apex Legends client, Easy Anti-Cheat, or the Source game engine may have been exploited. Apex Legends' developer Respawn Entertainment and publisher EA have yet to provide technical details or a timeline for updates following the incident. The esports account for Apex Legends announced the postponement of the NA finals to maintain the competitive integrity of the series. Cyberattacks on esports are rare but can cause significant reputational damage, financial losses, and disruption to the entertainment value of streamed events. There is increased awareness among gaming companies and tournament organizers of security threats, leading to the development of new anti-cheat technologies and services.
2024-03-18 13:00:21 thehackernews CYBERCRIME Fortra Fixes Severe Remote Code Execution Bug in FileCatalyst
Fortra has fixed a critical remote code execution (RCE) vulnerability in its FileCatalyst file transfer software, tracked as CVE-2024-25153 with a 9.8 CVSS score. The flaw allowed attackers to upload files outside the 'uploadtemp' directory through a directory traversal issue, potentially executing code via specially crafted JSP files. Security researcher Tom Wedgbury of LRQA Nettitude identified the vulnerability, which Fortra patched two days after the initial report on August 9, 2023. A proof-of-concept exploit demonstrated by Fortra shows the vulnerability could be used to upload a web shell for arbitrary system command execution. In addition, two other vulnerabilities in FileCatalyst Direct were addressed in January 2024, preventing information leakage and further code execution risks. Users of Fortra's products are urged to update to the latest versions immediately, especially in light of last year's heavy exploitation of similar flaws in Fortra GoAnywhere by threat actors like Cl0p.
2024-03-18 12:39:45 thehackernews MALWARE Malicious Google Sites Used for HTML-Smuggled Malware Delivery
Cybersecurity researchers have unveiled a malware campaign using fake Google Sites pages to deliver AZORult malware. The attack employs HTML smuggling to bypass traditional security measures and deliver encoded malicious scripts. The phishing campaign's objective appears to be the collection and sale of sensitive data on the dark web, without a specified threat actor. AZORult, also known as PuffStealer or Ruzalto, can gather various types of sensitive information, including credentials and cryptocurrency wallet data. Attackers have added a CAPTCHA system to lend credibility to the phishing attempt and deter automated URL scanners. The attack method involves a complex chain of scripts and executables that evade detection and facilitate the silent running of the AZORult infostealer. Related campaigns have used malicious SVG files to distribute other malware like Agent Tesla and LokiBot, using advanced smuggling techniques. In Latin America, phishing campaigns impersonating government agencies are spreading RATs through booby-trapped emails with malicious PDF attachments.
2024-03-18 09:46:35 thehackernews MALWARE Urgent Warning to WordPress Admins: Remove Vulnerable miniOrange Plugins
WordPress users are urged to delete miniOrange's Malware Scanner and Web Application Firewall plugins due to a severe security flaw. The flaw, with a 9.8 CVSS rating, allows unauthenticated attackers to gain admin privileges by updating user passwords. The affected plugins have been permanently closed as of March 7, 2024; Malware Scanner and Web Application Firewall had over 10,000 and 300 active installations, respectively. Attackers with admin access can upload malicious files, modify content, and redirect users to harmful sites. A similar critical vulnerability in the RegistrationMagic plugin (CVE-2024-1991) was patched on March 11, 2024, in version 5.3.1.0. Security companies warn that flaws in these popular plugins could lead to complete site compromise. Users are reminded of the importance of regular updates and security best practices for WordPress installations.