Daily Brief

2024-03-14 00:37:36 | theregister | DATA BREACH | Nissan Oceania Notifies 100,000 of Data Loss After Cyber Attack
Nissan Oceania will inform approximately 100,000 individuals from Australia and New Zealand about a data breach that occurred in December 2023. The breach may involve the Akira ransomware gang, who claim to have stolen thousands of ID documents along with other sensitive personal information. Stolen data includes government IDs, Medicare cards, driving licenses, passports, and tax file numbers, affecting about 10% of the victims. The remaining 90% may have had loan, employment, or salary information compromised. The breach extends beyond Nissan, impacting customers from other automakers for whom Nissan provides finance services, such as Mitsubishi and Renault. Nissan Oceania is offering affected individuals in Australia and New Zealand credit monitoring services and the potential reimbursement for replacing ID documents. The Akira group has publicly shared data supposedly belonging to Nissan, indicating the possibility of a ransomware attack, but Nissan has not confirmed this. Akira ransomware has been active since March 2023, targeting several major organizations including Lush and Stanford University.
2024-03-13 22:50:55 | bleepingcomputer | MALWARE | DarkGate Malware Exploits Patched Windows SmartScreen Flaw
A now-patched Windows Defender SmartScreen vulnerability, CVE-2024-21412, is being exploited by hackers to deliver DarkGate malware. The malicious campaign utilizes fake software installers to bypass SmartScreen security warnings and automatically execute malware. Attackers send phishing emails with PDF attachments containing links that redirect through Google's services, evading email security measures. The attack chain involves multiple steps, including the use of .url files and a remote WebDAV server to trigger automatic execution of a malicious MSI file. The DarkGate malware, which can steal data and allow remote access, uses advanced evasion techniques and determines its operational tactics through encrypted configuration parameters. Trend Micro recommends applying Microsoft's February 2024 Patch Tuesday update to remediate the vulnerability and has published indicators of compromise for organizations to detect potential attacks.
2024-03-13 21:29:12 | bleepingcomputer | MALWARE | DarkGate Malware Exploit Bypasses Windows SmartScreen Security
DarkGate malware operators are exploiting a Windows Defender SmartScreen flaw, CVE-2024-21412, which was recently patched by Microsoft. The flaw allowed attackers to bypass security warnings and automatically execute malicious software installers. Attackers distributed emails with a rigged PDF that redirected victims through Google's services to compromised servers harboring malicious .url files. These .url files automatically triggered the execution of fake installer MSI files that appeared to be from reputable sources like NVIDIA and Apple. The MSI files would then deploy a DLL sideloading technique to decrypt and run the DarkGate malware, enabling data theft, payload delivery, and unauthorized remote access. The latest version of DarkGate, 6.1.7, includes enhanced encryption and configuration options for better evasion and targeted attacks. Users and organizations are urged to apply the February 2024 Patch Tuesday update to protect against this exploitation, and Trend Micro has listed all IoCs related to this campaign.
2024-03-13 20:17:43 | bleepingcomputer | DATA BREACH | U.S. Health Department Investigates Major Healthcare Ransomware Attack
The U.S. Department of Health and Human Services (HHS) is investigating a ransomware attack on UnitedHealthcare Group’s subsidiary Optum, which operates Change Healthcare. The attack, attributed to the BlackCat ransomware gang, may have resulted in the theft of protected health information. Change Healthcare, a widely-used payment platform in the U.S. healthcare system, was hit by the attack, causing significant service disruptions. HHS' Office for Civil Rights (OCR) is focusing on whether Health Insurance Portability and Accountability Act (HIPAA) rules were violated during the breach. The BlackCat gang claims to have stolen 6TB of data, including sensitive information from critical healthcare providers and U.S. military healthcare systems. There was an increase of 141% in individuals affected by large breaches in 2023 compared to 2022, with hacking accounting for 79% of the reported breaches.
2024-03-13 18:50:58 | bleepingcomputer | CYBERCRIME | Fortinet Patches Critical RCE Vulnerability in EMS Software
Fortinet fixed a critical remote code execution bug in its FortiClient Enterprise Management Server software after being alerted by the UK's National Cyber Security Centre and a Fortinet developer. The vulnerability, identified as CVE-2023-48788, affects versions 7.0 and 7.2 of the FortiClient EMS software and could allow attackers to execute code with SYSTEM privileges on impacted servers. The SQL injection flaw in the software's DB2 Administration Server component is particularly dangerous because it can be exploited by unauthenticated attackers in low-complexity attacks without user interaction. No evidence has been disclosed on whether this vulnerability had been exploited before the patch was issued. Fortinet also fixed another critical vulnerability in the FortiOS and FortiProxy squid proxy, as well as two high-severity vulnerabilities in FortiWLM and FortiClient EMS. Attackers have previously exploited Fortinet vulnerabilities in ransomware and cyber espionage campaigns, highlighting the critical importance of applying security patches promptly.
2024-03-13 18:15:07 | bleepingcomputer | MALWARE | PixPirate Malware Evolves to Stealthily Hijack Android Devices
A new version of the PixPirate Android banking trojan employs innovative hiding techniques to remain undetected on devices. PixPirate specifically targets users of the Brazilian Pix payment platform and manages to operate covertly, even after its dropper app has been removed. IBM Trusteer researchers discovered that PixPirate doesn't use an app icon, making it invisible on all recent Android versions, including version 14. The malware functions by using a 'downloader' app to install a 'droppee' app, which contains the encrypted PixPirate malware and is activated by device events rather than a launcher icon. PixPirate listens for system events like device boot or connectivity changes to execute in the background, facilitating hidden fraudulent transactions. The malware has Remote Access Trojan (RAT) capabilities, automating the theft process, including capturing credentials and performing unsanctioned money transfers. PixPirate also has mechanisms to disable Google Play Protect, further reducing the chances of detection and removal by the user or system defenses. Although the malware spreads through common phishing tactics via WhatsApp or SMS, its icon-less design and event-based activation present a challenging new threat vector.
2024-03-13 18:04:47 | theregister | MISCELLANEOUS | Google's $10M Bug Bounty Payouts in 2023 Signal Security Focus
Google's vulnerability reward programs distributed $10 million to bug hunters in 2023, a decrease from $12 million the previous year. The company introduced new reward categories, including bounties for vulnerabilities in AI products and Android phone apps. Microsoft outpaced Google in bounty payouts, awarding $13.8 million to researchers in a similar period. Google's largest single bounty in 2023 was $113,337, awarded for an unspecified program and recipient. The Android Vulnerability Reward Program (VRP) paid over $3.4 million for Android device security issues, and maximum rewards for critical bugs were increased to $15,000. Google included Wear OS in its bounty program and hosted live hack-a-thon events, uncovering over 20 critical vulnerabilities with payouts totaling $70,000. Chrome Vulnerability Reward Program (VRP) paid $2.1 million, with fewer reports following the implementation of MiraclePtr technology aimed at preventing specific types of exploits. Concerns have been raised about the effectiveness of bug bounty programs in actually improving software security, with some arguing for the importance of investing in secure software development over bounty payouts.
2024-03-13 16:02:25 | theregister | MISCELLANEOUS | Microsoft Copilot for Security to Enhance AI-Driven Cybersecurity
Microsoft is releasing Copilot for Security, a generative AI service for cybersecurity tasks, on April 1, 2024. The AI service, powered by GPT-4 and a specialized security model, offers automated assistance with security operations, analysis, and incident response. Integration is set up across Microsoft's own product suite, including Sentinel and Defender XDR, and with third-party services, aiming to streamline cybersecurity workflows. Features include a standalone portal or embedded service, custom promptbooks, company-specific knowledge bases, multilingual support, and detailed usage reporting. Copilot for Security employs a 'pay-as-you-go' model through Microsoft Azure, with billing based on Security Compute Units at an anticipated rate of $4/hour. According to Microsoft, users of Copilot for Security completed tasks 22% faster on average, although for some response tasks, the service slowed down progress due to its load time. The service aims to alleviate the current cybersecurity talent shortage by enabling faster and more efficient security task handling, potentially improving threat detection and response.
2024-03-13 15:41:35 | thehackernews | MISCELLANEOUS | OPSWAT Advocates Multi-Layered Cybersecurity in New Whitepaper
OPSWAT's latest whitepaper offers insight into the insufficiency of common file upload security tools when used in isolation. CEO Benny Czarny emphasizes the importance of a comprehensive, layered cybersecurity strategy to combat evolving malware threats. The paper identifies the limitations of standalone tools including Anti-Malware File Scanning, Web Application Firewalls, and Sandboxing. OPSWAT's MetaDefender Platform integrates multiple layers of security technology, including more than 30 anti-malware engines for near-perfect efficacy rates. Deep Content Disarm and Reconstruction (Deep CDR) and Proactive Data Loss Prevention (DLP) are highlighted as innovative methodologies for preemptive threat neutralization and data protection. The platform also includes an adaptive, emulation-based sandboxing feature that operates alongside the other technologies for a robust defense against sophisticated malware. The whitepaper underscores OPSWAT's continued innovation to address the challenges and needs of protecting critical infrastructure in an ever-changing threat landscape.
2024-03-13 14:04:14 | bleepingcomputer | MISCELLANEOUS | Evaluating Pen Test Vendor Rotation Versus Continuous PTaaS Solutions
Penetration Testing as a Service (PTaaS) is becoming a sustainable alternative to annual pen test vendor rotation. Rotating pen test vendors annually is not mandatory but is considered a best practice to uncover new vulnerabilities. A single, long-term relationship with a trusted vendor can be beneficial and avoids the resource drain associated with onboarding new vendors. PTaaS provides a standardized, manageable approach, offering continuous and regular testing rather than infrequent, annual tests. PTaaS providers typically utilize a larger pool of testers with diverse skill sets, potentially leading to more comprehensive and customized testing. Outpost24's SWAT, a PTaaS solution for web applications, provides continuous monitoring and the benefits of a SaaS delivery model. The article concludes that while annual rotation can be useful, PTaaS offers more efficient, consistent, and in-depth pen testing options for organizations.
2024-03-13 13:58:39 | thehackernews | MALWARE | PixPirate Trojan Hides Icon, Targets Brazilian Banking Users
The PixPirate Android banking trojan is applying a new evasion technique to conceal its presence from users' device screens, posing a persistent threat in Brazil. PixPirate exploits the Android accessibility services to execute unauthorized transactions via PIX instant payment and steal sensitive information, such as banking credentials and credit card data. The malware has evolved to avoid detection by hiding its app icon, making it harder for victims to recognize and remove the infection from their devices. Attackers are distributing the trojan primarily through SMS and WhatsApp using a dropper/downloader app that collaborates with the main payload to conduct fraud. The downloader is instrumental not only for deploying the PixPirate malware but also for executing and maintaining its operations through ongoing communication and command execution. Despite the potential removal of the downloader, PixPirate can persist on the infected device by triggering its execution based on various system events. The campaign's sophistication signals a growing trend of advanced financial malware targeting Latin American banks, including a recent malware called Fakext which uses a rogue Edge browser extension to hijack banking credentials.
2024-03-13 12:06:24 | theregister | RANSOMWARE | Stanford University Ransomware Incident Exposes Data of 27,000
Stanford University confirmed a ransomware attack which went undetected for four months, affecting 27,000 individuals. Sensitive data, including names and Social Security numbers, was stolen from the Department of Public Safety's database. The breach occurred on May 12, 2023, but was only discovered on September 27, raising concerns about the duration of unauthorized access. Stanford has offered the impacted individuals two years of free credit monitoring and ID theft recovery services. The university has engaged law enforcement and cybersecurity experts to address the breach and to strengthen its security measures. Akira, the ransomware group responsible, has made Stanford's stolen data available for download via a torrent file. Akira, operational since March 2023, has been responsible for other major attacks and is considered a significant threat in the ransomware landscape.
2024-03-13 11:45:45 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Affiliate Sentenced to Four Years and Fined
Russian-Canadian cybercriminal Mikhail Vasiliev received a four-year prison sentence for involvement with the LockBit ransomware gang. Vasiliev pleaded guilty to eight charges and was implicated in roughly a thousand cyberattacks with demands totaling over $100 million. His cybercrimes primarily targeted businesses in various Canadian provinces between 2021 and 2022. The court ordered him to pay $860,000 in restitution and mentioned the possibility of extradition to the U.S. for additional charges. Though disrupted by law enforcement, LockBit relaunched operations on new infrastructure, attempting to maintain its active image. Analysis suggests LockBit's current activities may be overstated, with data leaks mostly from companies attacked in previous years.
2024-03-13 10:34:20 | thehackernews | CYBERCRIME | Protect Your SaaS Applications From Identity-Related Cyber Threats
Cybercriminals are increasingly targeting identities within SaaS applications, posing a risk of data breaches and compliance violations. A range of identities, both human and non-human, such as API keys and service accounts, are potential entry points for attackers in SaaS platforms. While human identities can be safeguarded with multi-factor authentication and single sign-on, non-human identities require different security measures. Non-human accounts, often equipped with higher privileges for integration tasks, are more challenging to protect and more susceptible to attacks. Cybersecurity strategies for non-human accounts include continuous monitoring and automated security checks to detect unusual activities. Many organizations neglect the security of non-human identities, despite their high potential risk for exploitation. An upcoming webinar will feature Adaptive Shield's CEO Maor Bin, focusing on identity risks in SaaS applications and how to enforce a strong identity security posture. The webinar will cover advanced methods and tools to enhance protection against evolving cyber threats within SaaS environments.
2024-03-13 10:18:54 | thehackernews | CYBERCRIME | Researchers Uncover Security Risks in Google's Gemini AI
HiddenLayer has identified security threats in Google's Gemini large language model that could lead to unintended content generation and information leaks. The security guardrails meant to guide the AI in building appropriate responses can be bypassed, potentially leaking system prompts using synonym attacks or crafted prompts. Gemini models could be manipulated to spread misinformation, execute illegal activities, or cause the AI to divulge sensitive system messages. The models are tricked into mixing up user inputs with system prompts, especially when fed a series of nonsensical inputs. A test using Google Workspace integration revealed potential for malicious actors to gain control over a user's interaction with the AI model. Alongside this, academics highlighted the possibility of model-stealing attacks that can extract information from production language models like OpenAI's ChatGPT or Google's PaLM-2. Security measures like model defenses and safeguards against harmful responses are being continuously improved by Google, which also runs red-teaming exercises. In response to these vulnerabilities, Google has restricted AI responses to election-related queries and is working to improve their protective measures.