Daily Brief

Find articles below; each title is followed by a generated summary.

Total articles found: 11809

Checks for new stories every ~15 minutes

2024-03-18 07:34:20 theregister MISCELLANEOUS The Imperative of Failure Acceptance in Cybersecurity Teams
Gartner analysts stress that recovering from incidents matters more than the unrealistic goal of preventing every one. Asserting that "adrenalin does not scale," they argue against a culture of persecution in which infosec teams are driven by fear of personal consequences. Most organizations' incident response capabilities are immature, and developing and rehearsing recovery plans is the main route to improvement: recovery playbooks and mock drills reduce the need for "heroic action," and practice makes teams more effective in real incidents. Preparing business stakeholders in advance for disruptive recommendations such as taking systems offline, and agreeing beforehand on what impact is tolerable, makes incident management smoother. Burnout and stress among infosec staff should be addressed through measures such as shift work and mental health support. Gartner also suggests normalizing the reporting of all incidents, large or small, to foster continuous improvement and resilience, and notes that behavioral psychologists could help in understanding both the mental state of security staff and that of attackers, potentially easing the infosec skills shortage.
2024-03-18 06:02:38 thehackernews NATION STATE ACTIVITY APT28 Cyber Espionage Campaign Hits Global Targets
APT28, a Russian state-linked cyber espionage group, is running extensive phishing campaigns across several continents. The lures are documents that impersonate governments and NGOs, aimed at victims in Europe, Asia, and the Americas. IBM X-Force identified the campaigns, which exploit vulnerabilities such as CVE-2023-23397, the Microsoft Outlook flaw that leaks a victim's NTLM credentials without any user interaction. The campaigns deploy malware families including MASEPIE, OCEANMAP, and STEELHOOK to steal sensitive information and execute commands. APT28 has also used compromised Ubiquiti routers to host payload-delivery infrastructure, although a botnet built from such routers was recently disrupted by U.S. authorities. Entities impersonated in the lures include those of Argentina, Ukraine, Georgia, Belarus, and the U.S., among others. APT28 has shown adaptability by adopting new infection methods and commercially available infrastructure, and OCEANMAP is assessed to be an evolution of CredoMap, indicating continued development of the group's tooling.
2024-03-18 05:52:21 theregister CYBERCRIME Raid Liberates Hundreds From Philippines Online Romance Scam Operation
Filipino police raided a firm falsely posing as an online gaming company, freeing 875 individuals forced to run romance scams. The victims, including 504 foreigners from various countries, were lured with job offers, then held against their will and coerced into scamming; those who missed quotas were physically abused, and passports were confiscated to prevent escape. A tip from a tortured Vietnamese worker led to the raid, in which authorities found weapons, falsified vehicle information, and evidence of the scam operation. Nine people, most of them not Filipino nationals, were arrested on charges including anti-trafficking violations. The operation, Zun Yuan Technology Incorporated, presented itself as an online gaming company but primarily recruited staff for scams. Southeast Asia has seen a rise in scam operations run on trafficked labor, prompting regulatory responses and regional shifts in cyber fraud activity.
2024-03-18 03:04:15 theregister CYBERCRIME Huawei Unveils HiSec SASE to Combat Rising Ransomware Threats
As ransomware attacks increase worldwide, the UK Parliament's Joint Committee on the National Security Strategy has described ransomware as a grave national security threat. Huawei's HiSec SASE Solution, according to the company, offers integrated protection for enterprise branches and headquarters against ransomware. Huawei claims rapid threat handling, with 99% of security events addressed within seconds, and up to 50% higher threat detection performance. HiSec SASE features intelligent operations to reduce OPEX, intelligent orchestration for efficient resource use, intelligent lossless communication, and intelligent response for real-time backup and recovery. The solution loads key security capabilities on demand, synchronizes threat detection results network-wide, and, per Huawei, handles 99.5% of threats automatically. Huawei's All-in-One Intelligent Security Gateway integrates multiple security functions and supports LTE and PoE, which Huawei says cuts CAPEX by up to 30%. iMaster NCE-Campus is part of the solution, providing network management, control, and AI-based automation and analysis. The launch follows costly ransomware attacks on high-profile targets, which Huawei cites as evidence that businesses need to strengthen their cyber defenses.
2024-03-18 02:33:36 theregister CYBERCRIME Cloudflare Mitigates AI Chat Vulnerability and Roblox Infostealer Alert
Cloudflare researchers have deployed a fix for a side-channel flaw in streamed AI chat responses after an academic paper disclosed it. When a chat service streams a response one token per message over an encrypted connection, the size of each message reveals the length of each token, and an eavesdropper can use the sequence of lengths to reconstruct likely parts of the response. Cloudflare's fix adds a 'p' property containing a random string of variable length to each streamed message, padding the data so that the observed size no longer reveals the token size. Separately, a new infostealer campaign targets Roblox users with malware disguised as a tool that improves game performance; parents are warned to check which applications their children use alongside Roblox. Former telecommunications manager Jonathan Katz pleaded guilty to carrying out SIM swap attacks that gave unauthorized access to customer accounts, and faces significant legal penalties. With new operational technology vulnerabilities continuing to emerge, the roundup reminds companies to stay vigilant.
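The token-length side channel and the padding fix described above, as an added illustration (this is not Cloudflare's code or the paper's). It models each streamed token as one server-sent-events message, shows that an observer who sees only message sizes recovers every token length exactly, and then adds a random-length 'p' property as the article describes. The message shape, the sample completion and the padding bounds (1 to 64 characters) are assumptions made for this example.

```python
import json
import secrets
import string

# Constructed sample completion, split one token per streamed message the way a
# streaming chat API emits it. The text is made up for this example.
TOKENS = ["The", " quick", " brown", " fox", " jumps", " over", " the", " lazy", " dog", "."]


def frame_unpadded(token: str) -> bytes:
    """One server-sent-events message with no padding.

    Its wire size is a constant overhead plus the token's length, so an observer
    who only sees ciphertext sizes recovers every token length exactly.
    """
    return f"data: {json.dumps({'response': token})}\n\n".encode()


def frame_padded(token: str, min_pad: int = 1, max_pad: int = 64) -> bytes:
    """Same message plus a 'p' property holding a random-length random string,
    the shape of mitigation the article describes. The padding bounds are an
    assumption for this example, not Cloudflare's values.
    """
    pad_len = min_pad + secrets.randbelow(max_pad - min_pad + 1)
    pad = "".join(secrets.choice(string.ascii_letters) for _ in range(pad_len))
    return f"data: {json.dumps({'response': token, 'p': pad})}\n\n".encode()


# Everything in an unpadded frame except the token itself.
OVERHEAD = len(frame_unpadded(""))


def infer_token_lengths(frame_sizes: list[int]) -> list[int]:
    """What a passive network observer computes from the sizes of unpadded frames.

    Exact for ASCII tokens; json.dumps escapes quotes, backslashes and non-ASCII,
    which shifts the estimate by a few bytes but does not hide the token.
    """
    return [size - OVERHEAD for size in frame_sizes]


def demo() -> dict:
    unpadded = [frame_unpadded(t) for t in TOKENS]
    recovered = infer_token_lengths([len(f) for f in unpadded])

    padded = [frame_padded(t) for t in TOKENS]
    guessed = infer_token_lengths([len(f) for f in padded])

    # Sizes of the same one-character token framed 50 times with padding.
    same_token_sizes = {len(frame_padded("x")) for _ in range(50)}

    return {
        "unpadded_leaks_exact_lengths": recovered == [len(t) for t in TOKENS],
        "padded_lengths_wrong": guessed != [len(t) for t in TOKENS],
        "padded_same_token_varies": len(same_token_sizes) > 1,
    }


if __name__ == "__main__":
    print(demo())
```

Random-length padding makes each individual size useless, but an observer who can trigger the same response repeatedly can average the noise away; padding every message to a fixed bucket size, or batching several tokens into one message, removes the per-token signal entirely. Those stronger options are this example's own note, not something the article reports Cloudflare doing.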
2024-03-17 23:25:18 bleepingcomputer DATA BREACH AT&T Disputes Alleged Data Leak of 71 Million Users
AT&T denies that the leaked data of 71 million individuals came from its systems, despite a hacker's claim of a 2021 breach. Some of the data, which includes sensitive information like social security numbers and dates of birth, has been verified as accurate by BleepingComputer and other cybersecurity researchers. ShinyHunters, the threat actor, initially tried to sell the data on a forum in 2021 for $200,000, but it has now been released for free by another actor, MajorNelson. AT&T maintains its stance that there has been no evidence of a breach in their system and suggests the data could be from a third-party source. The total mobile customer base of AT&T at the end of 2021 was 201.8 million, indicating that the leak, if legitimate, is likely partial. AT&T advises customers to be vigilant against SMS and email phishing, as well as SIM swapping attacks, which could result from the data exposure.
2024-03-17 14:27:03 bleepingcomputer CYBERCRIME New Acoustic Side-Channel Attack Infers Keystrokes from Typing Sounds
A new acoustic side-channel attack on keyboards can deduce what is typed from the sound of keystrokes, with a 43% success rate on average, even in noisy environments. Researchers from Augusta University in the U.S. presented the findings, detailing how the attack works without controlled recording conditions. The attack leverages the distinct sound of each keystroke and uses specialized software to analyze the typing pattern and build a dataset. To gather typing samples, attackers could use malware, malicious websites, browser extensions, compromised apps, or even physical devices such as compromised USB keyboards. A statistical model trained on the dataset profiles the target's typing pattern, allowing a 5% deviation in keystroke intervals to account for variability and noise. The method works best on people with consistent typing habits and may fail on infrequent computer users or very fast typists. Prediction accuracy is improved by filtering candidate words through an English dictionary, while silent keyboards reduce the attack's effectiveness.
2024-03-17 11:09:02 theregister CYBERCRIME Urgent Call for Security Focus in Rapid AI Development
AI developers and data scientists are warned not to neglect security in the rush to deploy AI applications. Supply-chain attacks pose significant risks, including data theft and system hijacking. Like traditional software, AI projects combine libraries, packages, training data, models, and custom code, any of which can be exploited if security is an afterthought; code and models from public repositories may contain hidden backdoors or malicious functions. Academics and smaller startups do not always address security vulnerabilities effectively, leaving AI tools and models open to compromise and misuse during and after deployment. Cybersecurity startups are emerging to address AI supply-chain risk, advocating proper auditing, security testing, and evaluation of machine-learning projects. Hugging Face's online model conversion service was found vulnerable in a way that could let attackers execute arbitrary code on its systems and access data in user repositories, and JFrog reported finding malicious code in around 100 models hosted on Hugging Face, underlining how widespread the risk may be. The AI community is encouraged to adopt supply-chain security practices such as digital authentication for developers and thorough security assessments of tools and software.
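One concrete check for the malicious-model problem mentioned above, added here as an example (not JFrog's tooling or Hugging Face's code). The JFrog finding concerned models serialized with Python's pickle format, which runs arbitrary callables at load time; the scanner below lists every import a pickle would perform without unpickling it, and flags modules a model file has no reason to touch. The denylist and the constructed backdoor object are assumptions for this example.

```python
import os
import pickle
import pickletools

# Modules an ML model file has no business importing during deserialization.
# The list is an assumption for this example; extend it to taste.
SUSPICIOUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "runpy",
    "socket", "shutil", "importlib", "codecs", "pty", "webbrowser",
}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
              "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) a pickle would import, without unpickling it.

    GLOBAL (protocols 0-3) carries "module name" in its argument; STACK_GLOBAL
    (protocol 4+) takes module and name from the two strings pushed just before.
    """
    imports: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(str(arg))
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            module, name = recent_strings[-2], recent_strings[-1]
            imports.append((module, name))
    return imports


def suspicious_imports(data: bytes) -> list[tuple[str, str]]:
    """Imports that should make a reviewer refuse to load the file."""
    return [(m, n) for m, n in pickle_imports(data) if m in SUSPICIOUS_MODULES]


class Backdoor:
    """Constructed stand-in for a trojaned model object.

    __reduce__ tells pickle to rebuild this object by calling os.system at
    load time; pickle.dumps records the call, it does not run it.
    """

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def demo() -> dict:
    benign = pickle.dumps({"layer.0.weight": [0.1, 0.2, 0.3]}, protocol=4)
    trojan_old = pickle.dumps(Backdoor(), protocol=2)  # emits GLOBAL
    trojan_new = pickle.dumps(Backdoor(), protocol=4)  # emits STACK_GLOBAL
    return {
        "benign_clean": suspicious_imports(benign) == [],
        "old_protocol_flagged": any(n == "system" for _, n in suspicious_imports(trojan_old)),
        "new_protocol_flagged": any(n == "system" for _, n in suspicious_imports(trojan_new)),
    }


if __name__ == "__main__":
    print(demo())
```

PyTorch checkpoints are zip archives with the pickle stream in a `data.pkl` member, so run the scanner over that member rather than the whole file. An allowlist of expected modules (torch, numpy, collections) is stricter than a denylist and is what a production gate should use; loading weights only from formats that cannot carry code, such as safetensors, removes the problem altogether.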
2024-03-16 14:20:17 bleepingcomputer CYBERCRIME Hackers Scan for Vulnerable Networks Using aiohttp Library Flaw
The ShadowSyndicate threat actor, which is linked to several ransomware operations, is scanning for servers vulnerable to CVE-2024-23334, a serious flaw in the aiohttp Python library. The bug lets unauthenticated attackers read files outside the intended directory through path traversal, because static routes configured with follow_symlinks=True did not properly validate the requested path. aiohttp fixed the flaw in version 3.9.2 on January 28, 2024; exploitation attempts increased after a proof-of-concept exploit was released on February 27. Threat analysts observed scanning from IP addresses linked to ShadowSyndicate, a financially motivated group active since July 2022, though it remains unknown whether any of the scans led to successful compromises. Roughly 44,170 aiohttp instances are exposed on the internet, with the U.S. hosting the largest share. Outdated open-source libraries are attractive targets because they are hard to patch across all the applications that bundle them, so they are often exploited long after fixes are available.
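The static-route traversal above, reduced to the filesystem-side check, as an added example. This is a simplified reproduction written for this page and is not aiohttp's code: `resolve_vulnerable` models the faulty logic in which the containment check only ran when symlinks were not followed, and `resolve_hardened` is this example's own version of a check that holds for both settings. The real library parses the request path with yarl before this step, which this example skips; the temporary directory layout is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(root: Path, requested: str) -> Path:
    """Illustrative reproduction of the faulty check, not aiohttp's code.

    The containment check ran only when symlinks were NOT followed, so a route
    configured with follow_symlinks=True accepted '../' segments unchecked.
    """
    follow_symlinks = True  # the configuration the advisory describes as affected
    filepath = root.joinpath(requested).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)  # raises ValueError when outside root
    return filepath


def resolve_hardened(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Containment check that holds for both settings (this example's own logic).

    With follow_symlinks=True the path is normalised lexically and checked
    against the root BEFORE symlinks are resolved: '../' escapes are rejected,
    while a symlink inside the root may still point outside it, which is what
    that option is for. Without it, the fully resolved path must stay inside.
    """
    unresolved = root.joinpath(requested)
    if follow_symlinks:
        normalized = Path(os.path.normpath(unresolved))
        normalized.relative_to(root)  # raises ValueError when outside root
        return normalized.resolve()
    filepath = unresolved.resolve()
    filepath.relative_to(root)
    return filepath


def demo() -> dict:
    """Constructed layout: <tmp>/static is the served root; <tmp>/secret.txt is not."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>ok</h1>")
    (base / "secret.txt").write_text("db_password=example")

    traversal = "../secret.txt"
    leaked = resolve_vulnerable(root, traversal)

    rejected = False
    try:
        resolve_hardened(root, traversal, follow_symlinks=True)
    except ValueError:
        rejected = True

    return {
        "vulnerable_escapes_root": leaked == base / "secret.txt" and leaked.is_file(),
        "hardened_rejects_traversal": rejected,
        "hardened_serves_normal_file":
            resolve_hardened(root, "index.html", follow_symlinks=True) == root / "index.html",
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson is the order of operations: a lexical check on the unresolved path catches `../`, and only then may symlinks be followed. Checking only after `resolve()` is correct when symlinks are forbidden, but skipping the check because symlinks are allowed, as the vulnerable branch does, leaves no check at all.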
2024-03-16 12:33:30 thehackernews MALWARE GitHub Repositories Used to Spread RisePro Information Stealer
Cybersecurity researchers at G DATA discovered GitHub repositories being used to distribute a malware called RisePro. The campaign, which G DATA calls "gitgub", involved 17 repositories across 11 accounts offering cracked software as bait; GitHub has since removed the malicious repositories after they were reported. The attackers used deceptive touches such as bogus build status indicators to lend the repositories an air of legitimacy. Victims who downloaded from them received RAR archives containing a payload designed to evade analysis and deliver the RisePro info stealer. RisePro, which emerged in late 2022, is C++ malware that exfiltrates sensitive data to the attackers over Telegram channels. Information-stealing malware like RisePro is on the rise and has become a key entry point for ransomware and major data breaches.
2024-03-15 19:52:56 bleepingcomputer CYBERCRIME International Monetary Fund Suffers Email Account Cyber Breach
The International Monetary Fund (IMF) reported a security breach involving unauthorized access to 11 email accounts. This cyberattack was detected by the IMF in February, with an ongoing investigation to determine the full extent and impact. Despite the breach, the IMF has not found evidence of additional systems being compromised beyond the affected email accounts. Immediate actions were taken to secure the compromised accounts, and the IMF is receiving assistance from independent cybersecurity experts. The IMF uses Microsoft's Office 365 platform; other notable breaches have occurred within this environment, affecting Microsoft itself and Hewlett Packard Enterprise. The incident is reminiscent of attacks by groups such as Midnight Blizzard and Storm-0558 who have targeted U.S. and corporate entities in recent history. The IMF continues to investigate the breach and has not provided additional details at this time; its spokesperson was unavailable for comment.
2024-03-15 19:01:57 theregister CYBERCRIME Rising Trend: Cybercriminals Increasingly Target IT Helpdesk Workers
IT helpdesk workers are facing a growing number of attacks in which adversaries impersonate employees to gain access to organizational accounts. The methods are not sophisticated: the caller simply asks for changes to identity and access management settings over the phone. Once attackers have had a password reset or have registered their own device for MFA on a compromised account, they control the authentication chain and can reach sensitive data or pivot further. Red Canary has observed adversaries abusing helpdesk accounts to reset passwords and MFA registrations on high-value accounts, exposing organizations to significant risk. Attackers also reverse the roles, impersonating helpdesk staff to phish other employees and using that apparent legitimacy to hijack accounts. Red Canary recommends stronger verification for helpdesk interactions, such as confirming identity through information only the employee would know or a shared secret, and tightening MFA policies. The report emphasizes the need to balance user-friendly access with secure connectivity, noting that almost every MFA factor has weaknesses that can be exploited.
2024-03-15 18:05:39 bleepingcomputer CYBERCRIME US Recovers $2.3 Million from "Pig Butchering" Crypto Scammers
The U.S. Department of Justice is taking action to recover $2.3 million in cryptocurrencies linked to a "pig butchering" fraud, affecting at least 37 individuals. Pig butchering scams involve social engineering to deceive victims into investing in fake cryptocurrency platforms, appearing to show false profits. These schemes often begin as romance scams and then introduce the concept of profitable crypto investments to gain trust and defraud victims. Through investigation, authorities traced the fraudulent funds to two Binance wallets and are now using civil forfeiture to retrieve the amounts. The average loss per victim is over $62,000, indicating the severe financial impact of such scams, with annual losses in the U.S. exceeding $2 billion. The FBI has issued warnings about the rising frequency of these cryptocurrency investment schemes, advising public vigilance and caution. Individuals who suspect they've been targeted by scammers are encouraged to report to the authorities and provide relevant information.
2024-03-15 17:50:13 thehackernews CYBERCRIME GhostRace: Speculative Execution Bug Threatens CPU Security
Researchers have disclosed a new data-leakage vulnerability, GhostRace (CVE-2024-2193), that combines speculative execution with race conditions in modern CPUs. Like Spectre v1 (CVE-2017-5753), it relies on a conditional branch being speculatively bypassed; in GhostRace the branch is the one inside a synchronization primitive such as a mutex or spinlock, so during transient execution a critical section can be entered while another thread holds the lock. The flaw was found by IBM Research Europe and VUSec, who note that every synchronization primitive implemented with a conditional branch is affected. The resulting Speculative Concurrent Use-After-Free (SCUAF) primitive lets an attacker leak data from transiently executed paths, potentially exposing arbitrary sensitive data in memory. AMD says its existing Spectre mitigation guidance applies to GhostRace, while the Xen hypervisor has released hardening patches. Although patches exist, the performance and security impact across different systems is still being assessed.
2024-03-15 17:14:19 bleepingcomputer MISCELLANEOUS PornHub Blocks Texas Users Over Stringent Age Verification Laws
PornHub has restricted access to its website for users in Texas to protest the state's age verification laws. Texas bill HB 1181, which mandates rigorous age checks for adult content viewers in the state, has been reinstated following appeals. The bill includes penalties for non-compliance, with PornHub's parent company Aylo Global Entertainment facing a $1.6 million fine and additional daily charges. The 5th U.S. Circuit Court of Appeals allowed the law's age verification enforcement but paused the required mental health notices. In response, Aylo has blocked several adult content sites for Texas visitors, pointing out the laws' ineffectiveness and potential risks. PornHub advocates for system-level age verification by operating system developers rather than multiple verifications by individual sites, citing privacy and data breach concerns. Such centralized age verification would pose significant data protection challenges for operating system developers and may increase VPN usage to bypass geographic restrictions.