Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12714

Checks for new stories every ~15 minutes

2024-05-20 23:09:22 theregister MISCELLANEOUS OpenSSF Launches Siren to Enhance FOSS Security Alerts
The Open Source Security Foundation (OpenSSF) has introduced a new initiative called Siren to improve security in free and open-source software (FOSS). Siren is designed to aggregate and disseminate threat intelligence, providing real-time security bulletins and a community-driven knowledge base. The initiative aims to bridge the information gap between FOSS developers and enterprise security teams. Siren will share the tactics, techniques, and procedures used against open-source projects, along with indicators of compromise from recent security incidents. Siren is intended as a post-disclosure tool to keep the community informed, rather than a platform for initially disclosing new vulnerabilities. The importance of securing open source software has risen after high-profile supply chain attacks exposed significant vulnerabilities. Synopsys' recent research highlighted that 96% of analyzed code bases used open source components, with 84% containing at least one vulnerability. OpenSSF emphasizes the critical need for centralized threat intelligence sharing to protect the integrity of open source software.
2024-05-20 22:08:22 theregister NATION STATE ACTIVITY London High Court Allows Julian Assange Extradition Appeal
Julian Assange has been granted permission by the High Court in London to appeal his extradition to the US. Assange faces charges in the U.S. including 17 counts of espionage and one of computer misuse, with a potential 175-year prison term. The charges relate to WikiLeaks' publication of US diplomatic and military documents shared by Chelsea Manning. Legal grounds for the appeal include potential discrimination and exclusion from First Amendment protections. In 2022, the UK government approved Assange's extradition to the US, triggering ongoing legal challenges. Assange's defense argues his journalistic activities, including the mass dissemination of classified data, should be protected as free speech. The US gave assurances of constitutional protections and non-prejudiced sentencing, which British courts deemed insufficient. Speculation exists around potential US motives to avoid a high-profile trial amid free-speech activist support for Assange.
2024-05-20 21:17:15 bleepingcomputer DDOS Critical Vulnerability in Fluent Bit Affects Global Cloud Providers
A critical vulnerability identified in Fluent Bit potentially impacts all major cloud service providers including Amazon AWS, Google GCP, and Microsoft Azure. The flaw, tracked as CVE-2024-4323 and nicknamed "Linguistic Lumberjack," permits denial-of-service attacks and remote code execution through heap buffer overflows. Fluent Bit, a widely used logging and metrics tool embedded in numerous Kubernetes distributions, was downloaded over 13 billion times by March 2024. Security researchers at Tenable discovered the vulnerability, which was introduced in Fluent Bit version 2.0.7, within the tool's HTTP server parser. Immediate risks associated with CVE-2024-4323 include relatively easy-to-execute DoS attacks and potential information leaks due to its exploitation. Fixes for the vulnerability have been committed in the main branch of Fluent Bit and are expected to be released in version 3.0.4. Tenable has informed major service providers through their vulnerability disclosure platforms and advised limiting access to Fluent Bit’s monitoring API as a temporary mitigation measure.
2024-05-20 20:56:46 bleepingcomputer DATA BREACH OmniVision Hit by Cactus Ransomware, Personal Data Stolen
OmniVision suffered a data breach following a Cactus ransomware attack between September 4 and September 30, 2023. The company, a subsidiary of Will Semiconductor and a manufacturer of imaging sensors, reported the breach to California authorities. The breach resulted in the encryption of some of OmniVision's systems and theft of personal information. The internal investigation, completed on April 3, 2024, confirmed unauthorized access and theft of data. OmniVision has implemented enhanced security measures, including faster detection of suspicious activities. The Cactus ransomware gang, known for using VPN vulnerabilities, claimed responsibility and released stolen data freely online. Impacted individuals are being offered 24 months of credit monitoring and identity theft restoration services. The company advises affected individuals to remain vigilant against unsolicited communications and to monitor their financial accounts regularly.
2024-05-20 19:40:14 bleepingcomputer CYBERCRIME Arrest of Dark Web Market Owner for $100M Drug Sales
Rui-Siang Lin, the operator of Incognito Market, was arrested at JFK Airport on charges relating to drug sales exceeding $100 million. Incognito Market used cryptocurrency to facilitate illegal narcotics transactions totaling about 1,000 kilograms, including cocaine and methamphetamine. Three servers used by Incognito Market were seized, revealing transactions and accounts of over 200,000 customers and 1,000 vendors. At its peak, the marketplace amassed substantial revenue, generating over $83 million and earning Lin at least $4 million from commissions. Lin faces several serious charges, including narcotics conspiracy and money laundering, carrying a potential sentence of life imprisonment. The final acts of operation included shutting down the marketplace, withholding funds, and threatening users with exposure unless additional payments were made. Homeland Security Investigations noted the extensive damage and risk caused by these operations, highlighting the mixture of narcotics sold, including potentially lethal fentanyl.
2024-05-20 17:53:02 theregister MISCELLANEOUS Google Criticizes Microsoft's Security in Recent White Paper
Google has published a white paper criticizing Microsoft's security practices, particularly after recent breaches involving Microsoft software. The paper highlights the Cyber Safety Review Board's critique of Microsoft's handling of a June 2023 attack by Storm-0558, a group with China affiliations. Google contrasts Microsoft's security failures with its own practices in Google Workspace, advocating that Microsoft customers switch to its platform. The report details how Microsoft's security missteps include outdated key security and incorrect public statements about the source of breaches. Google is promoting Workspace to federal agencies with discounts and a bonus year of service in an attempt to capture part of Microsoft's client base in the public sector. The white paper also references Google's own past security breach in 2009, using it as an example of how the company has learned and improved from such incidents. Google's aggressive marketing includes discount offers on Google Workspace Enterprise Plus to agencies with over 500 workers.
2024-05-20 16:15:54 theregister MISCELLANEOUS U.S. Police Circumvent Local Facial Recognition Technology Bans
Police departments in several U.S. cities have sidestepped local bans on facial recognition technology by requesting assistance from agencies in areas without these prohibitions. Documents and reports indicate that the San Francisco Police Department (SFPD) and Austin Police Department (APD) have both engaged in this practice, albeit with varying degrees of success. SFPD attempted facial recognition searches through other agencies five times since 2019 without successful matches, while APD has conducted at least 13 searches since 2020, some resulting in arrests. Both police departments claim these searches were conducted without official authorization, and there have been no reported consequences for SFPD officers involved. Former San Francisco District Attorney Chesa Boudin expressed concerns about the legality and admissibility of evidence obtained through such methods, highlighting the potential for cases to be dismissed if the technology's use is proven. The widespread use of facial recognition technology by law enforcement—including unauthorized sharing of data—raises significant privacy and racial bias concerns among advocates. Despite improvements to address biases, instances like the Metropolitan Police in London demonstrate ongoing issues with high rates of false positives in facial recognition systems. The interaction between local bans and federal use of facial recognition technology reflects a complex landscape of regulatory and ethical challenges surrounding surveillance practices.
2024-05-20 16:10:27 thehackernews NATION STATE ACTIVITY Iranian Hackers Conduct Coordinated Wiping Attacks on Albania, Israel
An Iranian threat actor linked to MOIS, referred to as Void Manticore, executed destructive wiping attacks in Albania and Israel. These attacks targeted governmental and critical infrastructure, using custom wiper malware named Cl Wiper, No-Justice, and BiBi. Void Manticore, also recognized by other names including Storm-0842, shares operational overlaps with another group, Scarred Manticore, suggesting coordinated attacks. Tactics include the use of public tools and conventional protocols such as RDP, SMB, and FTP for initial infiltration and lateral movement. Initial access often involves exploiting known vulnerabilities in internet-facing applications, followed by the deployment of web shells for further control. The U.S. Cybersecurity and Infrastructure Security Agency issued advisories regarding these threat actors' exploitation techniques and recommended defensive measures. Microsoft has identified a high level of cooperation among various Iranian groups, revealing organized and multiphase attack strategies against international targets. Check Point highlights the dual nature of these campaigns, which combine psychological operations with actual data destruction to maximize impact.
2024-05-20 16:10:26 bleepingcomputer MALWARE New BiBi Wiper Update Enhances Malware's Destructive Capabilities
A newly updated version of BiBi Wiper malware now also corrupts disk partition tables, increasing restoration difficulties. BiBi Wiper, associated with Iranian group Void Manticore, targets Israel and Albania, disrupting critical operational systems. Security Joes first detected BiBi Wiper in October 2023; subsequent warnings were issued by Israel's CERT about its significant threat. Check Point Research identified additional custom wipers used by Void Manticore, suggesting coordinated attacks with another group, Scarred Manticore. Void Manticore, masquerading behind the Karma hacktivism group on Telegram, has claimed responsibility for attacks on over 40 Israeli organizations. The malware specifically targets Israeli systems without disabling critical recovery facilities but removes partition data to hinder repair. BiBi Wiper variants show operational differences between Windows and Linux platforms, refining tactics to maximize system disruptions. The related CI Wiper and Partition Wiper are employed in attacks on Albanian targets, causing severe damage like BSOD and system crashes.
2024-05-20 15:00:25 bleepingcomputer CYBERCRIME QNAP Systems Hit by Critical Unpatched Remote Code Exploit
A security audit of QNAP QTS uncovered fifteen vulnerabilities, eleven of which remain unfixed. The critical vulnerability, CVE-2024-27130, allows remote code execution via a stack buffer overflow in the Share feature. For exploitation, a crafted request using a 'name' parameter and a valid 'ssid' parameter from the NAS share link is needed. Although the exploit requires specific conditions, shared links can sometimes be found online, increasing risk exposure. WatchTowr Labs developed a proof of concept that creates a privileged account when the exploit is successful. QNAP issued security updates in April 2024 for four of the vulnerabilities, but did not address the others. Despite multiple delays in response, QNAP has yet to comment on these latest findings.
2024-05-20 14:04:03 theregister DATA BREACH QNAP Criticized for Slow Response to Critical Vulnerabilities
WatchTowr security researchers publicly disclosed multiple unpatched vulnerabilities in QNAP's operating systems after extended deadlines were exceeded. Of the 15 vulnerabilities found, only four have been patched despite reports initially made as early as December 2023. Six validated vulnerabilities, including a severe stack overflow issue permitting remote code execution, remain unpatched with CVEs assigned. The security firm extended the standard 90-day disclosure period, citing significant remediation blockers, but had to eventually disclose due to the ongoing risk to the internet community. Despite slow patch response times, QNAP cooperated with researchers by granting access to testing environments, signifying a high priority on user security. QNAP has faced criticism and negative impacts from past incidents, including ransomware attacks exploiting previously patched vulnerabilities. There is an ongoing concern over the speed of QNAP’s vulnerability response, especially given the company’s history with critical security breaches.
2024-05-20 13:33:22 theregister NATION STATE ACTIVITY ByteDance and DOJ Request Expedited TikTok Ban Ruling
ByteDance and the Department of Justice have jointly requested an expedited court schedule for the TikTok ban/divestiture case, aiming for a ruling by December 6 to meet the Supreme Court filing deadline. The request was made to the US Court of Appeals for the District of Columbia and includes eight content creators as co-petitioners, who argue against the feasibility and legality of a forced TikTok divestiture. The content creators claim the TikTok ban violates their First Amendment rights, emphasizing the significant public interest in prompt resolution of the case. The law in question, the Protecting Americans from Foreign Adversary Controlled Applications Act, forces ByteDance to sell TikTok or shut it down, classifying it as a foreign adversary-controlled application. US lawmakers justify the law by citing potential risks such as data snooping or the spread of propaganda dictated by Beijing, but the plaintiffs argue there is no solid evidence supporting these claims or showing that the law enhances data security. The ban is scheduled to begin on January 19, 2025, giving TikTok 270 days after enactment to comply with the divestment or cessation of operations. The court is asked to calendar oral arguments by September of this year, with a decision on the schedule requested by the end of May.
2024-05-20 12:26:58 thehackernews MALWARE Foxit PDF Vulnerabilities Exploited to Spread Diverse Malware
Multiple hackers are exploiting a flaw in Foxit PDF Reader to distribute various types of malware, including Agent Tesla and NanoCore RAT. The exploit deceives users with pop-up warnings, pressing them to execute harmful commands, leading to malware downloads and executions from Discord's CDN. Adobe Acrobat Reader is immune to this exploit, contributing to its low detection in antivirus systems and aiding the campaign's effectiveness. The malware attacks are linked to both cybercrime and espionage, with some activities attributed to the DoNot Team, known for its sophisticated cyber tactics. Malicious PDFs are being dispersed via social platforms like Facebook and utilize legitimate sites like Gitlab and Discord to host malware and evade detection. Check Point researchers identified a specific attack chain with PDFs delivering payloads capable of data theft, cryptocurrency mining, and system surveillance. Some malware within the PDFs is designed to steal browser credentials and can progress through multiple attack stages, ultimately delivering tools like Remcos RAT. Foxit has acknowledged the vulnerability and plans to release a corrective update in its upcoming software version.
2024-05-20 11:00:12 thehackernews MISCELLANEOUS Enhancing Software Security with GitGuardian's Automated SCA Tools
GitGuardian introduces an SCA tool capable of scanning for Common Vulnerabilities and Exposures (CVEs) during coding. A significant percentage (70%-90%) of modern software uses open-source components, frequently introducing vulnerabilities. GitGuardian's tool allows developers to check for known vulnerabilities in dependencies before finalizing a pull request. The scanning tool, integrated via Git Hooks, automates the security checks at pre-commit or pre-push phases. The process is designed to catch vulnerabilities early in development, significantly reducing the cost and complexity of later fixes. SCA tool scans can be limited to new or altered code only, avoiding disruptions from unresolved issues in the existing codebase. Developers receive immediate feedback if a vulnerability is detected, with suggestions for patched versions when available. GitGuardian offers a 2-week free trial for their SCA tool, extending their suite of security solutions including Secrets Detection and Infra as Code Security.
2024-05-20 09:38:23 theregister MALWARE British Library Combats Ransomware Attack with Emotional Intelligence
The British Library (BL) experienced a significant ransomware attack, which severely impacted its operations and data security. BL's response was driven by emotional intelligence, focusing on frequent transparent communications despite the ongoing crisis. CEO Roly Keating emphasized the emotional impact on staff and users, adapting communications to be more relatable and human-focused. The library's candid approach in March revealed outdated architecture, which enabled the Rhysida gang to execute the attack. Keating highlighted the incident's lessons, aiming to enhance cyber resilience across the cultural and library sectors. Recovery efforts are ongoing, with a focus on retiring legacy systems, enhancing security measures like deploying MFA, and rebuilding technical infrastructure. While some services have resumed, the library continues to face challenges in fully restoring all functionalities. BL's strategy involves not negotiating with attackers, maintaining public access, and rebuilding trust and service quality via effective communication and narrative management.