Daily Brief

2024-03-13 09:53:21 thehackernews MALWARE Malware Phishing Campaign Exploits AWS and GitHub for RAT Deployment
Cybercriminals are leveraging Amazon Web Services (AWS) and GitHub to distribute remote access trojans (RATs) VCURMS and STRRAT. The delivery method involves a phishing email with a malicious Java-based downloader posing as a payment verification button. VCURMS uses a Proton Mail address to communicate with its command-and-control server and conducts periodic mailbox checks for command execution instructions. The malware is equipped to steal sensitive data from applications and browsers, capture screenshots, and gather detailed hardware and network information. VCURMS bears resemblance to another Java-based infostealer known as Rude Stealer, which surfaced in the previous year. STRRAT, also Java-based and active since 2020, includes varied features such as keylogging and credential theft from browsers and applications. Darktrace has also uncovered a separate phishing campaign exploiting Dropbox's automated emails to distribute a malicious Microsoft 365 login mimic. The public hosting of malware and utilization of protected commercial services underscore the need for advanced detection and security practices to combat these elevated threats.
2024-03-13 08:57:10 theregister MISCELLANEOUS Securing Multi-Cloud Environments with Collaborative Strategies
Enterprises are adopting multi-cloud strategies for data sovereignty and cost optimization, but this introduces complex security challenges. Gaps in cloud security skills can leave vulnerabilities unaddressed, so continuous monitoring and expertise in cloud infrastructure and operations are required. Misconfigurations in cloud providers' security settings, as in the case of AWS S3 buckets, can lead to significant breaches. The shared responsibility model in cloud security remains misunderstood by many organizations, leaving potential gaps in protection. A layered defense approach is necessary for cloud security, with shared responsibility across the organization's departments and personnel. Trend Micro advocates for a united approach to cloud security, emphasizing the role of SOC teams and the use of platforms like Vision One for extended detection and response. Integration with AWS and continuous improvement of cloud security features in response to the evolving threat landscape are key to maintaining a secure cloud infrastructure. Trend Micro's threat intelligence network plays a crucial role in keeping cloud assets safe and updated with the latest patches and threat data.
2024-03-13 08:36:42 theregister CYBERCRIME Researchers Expose AI Hidden Layers Through Intrusive Queries
Researchers have successfully extracted information from closed AI services by probing the APIs of AI models from OpenAI and Google. By performing targeted attacks, the scientists recovered the embedding projection layer of transformer models, revealing model dimensions and potential capabilities. The cost of performing these attacks varied, with complete projection matrix extraction costing under $20 for some models. The findings by 13 computer scientists have been shared with the affected companies, prompting the implementation of new defenses. OpenAI's deprecated models' dimensions were disclosed in a research paper, while the dimensions of active models were withheld to prevent potential exploitation. The attack demonstrates that it is possible to recover significant aspects of a model without having direct access, raising intellectual property security concerns. A report commissioned by the US Department of State recommends restrictions on the release or sale of advanced AI models and increased security measures to protect intellectual property, including model weights. Advanced techniques to detect and prevent parameter extraction attempts are recommended, which may involve monitoring usage patterns or developing more sophisticated countermeasures.
2024-03-13 05:43:47 thehackernews MISCELLANEOUS Microsoft's March Security Update Resolves 61 Vulnerabilities
Microsoft's March security update addresses 61 vulnerabilities, with critical fixes for Windows Hyper-V issues. Two critical flaws in Hyper-V could lead to denial of service and remote code execution. None of the flaws were known to be exploited at the time of the patch release, though six vulnerabilities were assessed as "Exploitation More Likely." The Azure Kubernetes Service, Windows Composite Image File System, and the Authenticator app had significant privilege escalation flaws patched. The Print Spooler and Exchange Server each had notable vulnerabilities that could allow attackers to gain SYSTEM privileges or execute malicious code, respectively. The most severe vulnerability, CVE-2024-21334 in Open Management Infrastructure, had a CVSS score of 9.8 and could be exploited by remote unauthenticated attackers. Microsoft's Q1 2024 patches showed a quieter trend, with fewer CVEs addressed than the previous four-year average for the first quarter. Other vendors have also released security updates during the past few weeks to mitigate various vulnerabilities.
2024-03-13 00:22:16 theregister CYBERCRIME Patch Tuesday: Microsoft, Adobe, SAP, and Others Release Security Fixes
Microsoft released patches addressing 61 vulnerabilities, with two critical bugs affecting Windows Hyper-V hypervisor not under active attack. Adobe patched 56 issues across several products, while SAP fixed a dozen vulnerabilities, including three rated as HotNews Notes. Intel and AMD disclosed vulnerabilities, with Intel pushing eight patches and AMD issuing guidance on mitigating Spectre-type attacks. Fortinet updated five security advisories, addressing critical issues in FortiOS and FortiProxy, among other products. No vulnerabilities were reported as currently under active exploitation, though experts warn some could become targets soon. Companies are advised to apply these security updates promptly to mitigate potential risks associated with these vulnerabilities.
2024-03-12 22:45:09 theregister DATA BREACH Former Meta VP Sued for Alleged Theft of Trade Secrets
Former Meta VP, Dipinder Singh Khurana, is accused of stealing sensitive documents for his startup. The stolen data allegedly includes details on Meta's data centers, AI programs, and staffing information. Meta has filed a lawsuit claiming breach of contract, duty of loyalty, fiduciary duty, unjust enrichment, and violation of computer crime laws. Evidence suggests Khurana uploaded Meta's confidential information to personal cloud accounts, including Google Drive and Dropbox. Meta alleges that at least eight employees left to join Khurana's new employer, potentially through the use of insider knowledge. Khurana's new company is reportedly in stealth mode and aims to provide AI cloud computing services at scale. Meta is seeking damages and the return of any benefits Khurana gained from the alleged theft of company secrets. The allegations are still to be addressed in court, and neither Khurana nor his lawyers have responded publicly.
2024-03-12 19:51:34 bleepingcomputer DATA BREACH Stanford University Hit by Ransomware, 27K Individuals' Data Compromised
A ransomware attack on Stanford University's Department of Public Safety led to the theft of personal data from 27,000 individuals. The breach occurred between May 12 and September 27, 2023, with the university disclosing the incident one month after discovery. Attackers did not access other university systems; the breach was contained within the Department of Public Safety's network. Stolen data includes sensitive PII such as Social Security numbers, government IDs, and possibly biometric and health information. The Akira ransomware gang has claimed responsibility and has published the stolen files on the dark web. Victims' personal data ranges from birth dates and driver's license numbers to email addresses and credit card information. Ransom demands from Akira vary from $200,000 to millions; a previous incident at Stanford in 2021 involved Clop ransomware and the Accellion FTA.
2024-03-12 19:36:07 bleepingcomputer DATA BREACH Acer Philippines Employee Data Compromised in Third-Party Breach
Acer Philippines has confirmed a data breach involving employee information due to a cyberattack on a third-party vendor. A hacker using the name 'ph1ns' released the Acer employee database on a hacking forum, indicating a theft of data without ransomware or encryption. The leaked data was not taken from Acer's direct systems; an external vendor in the Philippines was the source of the breach. Acer has notified both the National Privacy Commission (NPC) and the Cybercrime Investigation and Coordinating Center (CICC) to investigate the incident. The company emphasizes that customer data remains secure and Acer systems have not been compromised. This incident adds to a series of security issues for Acer, including a server breach in February 2023, a customer data theft in October 2021, and a major REvil ransomware demand in March 2021.
2024-03-12 18:34:18 theregister NATION STATE ACTIVITY Biden Proposes $3B CISA Budget in Cybersecurity Push
US President Joe Biden's fiscal 2025 budget proposal includes substantial federal cybersecurity funding increases, requesting $3 billion for the Cybersecurity and Infrastructure Security Agency (CISA). The proposed budget aims to enhance cybersecurity across various government departments with a $13 billion allocation. CISA's budget increase will support the implementation of the Cyber Incident Reporting for Critical Infrastructure Act and improve critical infrastructure security coordination. In response to rising cyber threats, the budget includes an additional $25 million for the Department of Justice to bolster intelligence and analysis and establishes a new focus on national security cyber threats with a $5 billion investment. Healthcare cybersecurity is a key focus, with approximately $1.5 billion proposed to assist hospitals and medical facilities in countering ransomware and other cyber attacks, which have surged by 95% since 2018. To promote advanced cybersecurity practices, Biden's proposal includes $800 million for hospital cybersecurity aid and $500 million for an incentive program related to healthcare security. The spending plan also dedicates $141 million to the Department of Health and Human Services’ ongoing information security efforts, including HIPAA modernization.
2024-03-12 17:53:29 bleepingcomputer MISCELLANEOUS Microsoft's Patch Tuesday Fixes 60 Vulnerabilities, Including 18 RCE
Microsoft’s March 2024 Patch Tuesday addresses 60 security issues, with updates tackling eighteen remote code execution (RCE) vulnerabilities. Only two critical flaws were fixed: one Hyper-V RCE and a denial of service issue, signaling a focused yet significant patch rollout. Notably absent were zero-day exploits; none were patched or disclosed in this month's update cycle. High-profile fixes include an elevation of privilege in Microsoft Office and a security feature bypass in Microsoft Defender. The Office vulnerability allowed authenticated users to gain SYSTEM privileges and was patched following the report from Iván Almuiña at Hacking Corporation Sàrl. The Microsoft Defender vulnerability, which could stop the software from starting, was discovered by Manuel Feifel at Infoguard and is now fixed in Antimalware Platform version 4.18.24010.12. A Skype for Consumer RCE flaw, which could be exploited via a malicious link or image, was another significant fix credited to researchers Hector Peralta and Nicole Armua from Trend Micro's Zero Day Initiative. Security updates from other vendors in March 2024 are also highlighted, reflecting a broad industry response to emerging threats.
2024-03-12 16:52:09 bleepingcomputer MISCELLANEOUS Tor Project Introduces WebTunnel to Counteract Censorship
The Tor Project has officially introduced WebTunnel, a new type of bridge designed to evade censorship by mimicking HTTPS traffic. WebTunnel is developed to assist users in accessing the Tor network in restrictive regimes that actively block such connections. Connections made using WebTunnel appear as normal HTTPS connections to observers, effectively hiding the user's use of the Tor network. Compared to traditional Tor bridges and obfsproxy bridges, WebTunnel offers a more robust solution against censorship efforts by blending in with the majority of web traffic. Currently, there are about 60 WebTunnel bridges globally, assisting over 700 daily users in countries with internet restrictions like China and Russia. Implementation of WebTunnel has not been successful in some regions of Iran, indicating the need for further developments. The Tor Project emphasizes the importance of internet access for communication, human rights defense, and global solidarity, especially during geopolitical conflicts.
2024-03-12 16:31:34 theregister CYBERCRIME JetBrains Criticizes Rapid7 for Prompt Vulnerability Disclosure
JetBrains denounces Rapid7's immediate and detailed disclosure of security vulnerabilities in its TeamCity platform as unethical and damaging. Rapid7's disclosure led to rapid exploitation by attackers, resulting in ransomware incidents and potential use of compromised accounts in DDoS campaigns. JetBrains insists it adheres to responsible disclosure norms, providing enough details to customers to mitigate risk without enabling simple exploitation. The article contrasts the disclosure policies of different organizations, such as Google's Project Zero and Microsoft, as well as national cybersecurity authorities. Rapid7's disclosure policy advocates for prompt public disclosure but permits a 60-day window for vendors to release a fix, with potential 30-day extensions. The conflict over disclosure norms between JetBrains and Rapid7 underscores the need for balance between timely remediation and preventing exploitation. The discussion on the timing of disclosures is significant in the context of ransomware attack costs, which can average around $1.5 million for remediation. Both JetBrains and Rapid7 maintain their stances, with Rapid7 stating it follows its disclosure policies, highlighting ongoing debates in cybersecurity disclosure practices.
2024-03-12 16:00:36 bleepingcomputer MISCELLANEOUS Google Invests $10 Million in Bug Bounty Rewards in 2023
Google awarded $10 million to 632 researchers for reporting security flaws across its products and services in 2023. The total paid by Google's Vulnerability Reward Program has reached $59 million since 2010, with $3.4 million awarded for Android vulnerabilities alone last year. Google increased the maximum reward for critical Android vulnerabilities and tripled bounty payments for sandbox escape chain exploits in Chrome. Notable payouts included $70,000 for 20 discoveries in Wear OS and Android Automotive OS and $116,000 for 50 reports in Nest, Fitbit, and Wearables. The Chrome browser attracted 359 bug reports, resulting in $2.1 million in rewards, including a significant $30,000 award for a JavaScript engine vulnerability. Google introduced 'MiraclePtr' in Chrome M116 to protect against non-renderer use-after-free vulnerabilities and offers separate rewards for bypassing this protection. A focused effort on securing AI products resulted in $87,000 paid out during a bugSWAT live-hacking event featuring Google Bard. Google maintains a dedicated Bug Hunters community to foster engagement and participation in the Vulnerability Reward Program.
2024-03-12 15:24:33 bleepingcomputer DATA BREACH Over 12 Million Secrets Exposed on GitHub in 2023
GitHub users inadvertently exposed 12.8 million authentication secrets across 3 million repositories in 2023, with most secrets remaining active after five days. GitGuardian issued 1.8 million alerts to affected users but observed that only 1.8% responded promptly to secure the exposed secrets. Exposed credentials include passwords, API keys, TLS/SSL certificates, and various tokens, posing risks of data breaches and financial loss. A Sophos report indicated that compromised credentials were the root cause in 50% of attacks in the first half of the year, highlighting the significance of the GitHub leaks. India, the United States, and Brazil lead the list of countries with the highest number of exposed secrets; the IT sector is the most affected, followed by education. The report observed a 1,212-fold increase in leaked OpenAI API keys in 2023, emphasizing the risk associated with the popular use of AI services like ChatGPT. Large language models (LLMs) show potential for detecting leaked secrets effectively, although scalability and cost pose challenges. GitHub recently enabled push protection by default to help prevent accidental secret exposures in the future.
2024-03-12 12:15:58 thehackernews CYBERCRIME Stealthy PyPI Packages Lead to Crypto Wallet Thefts
Threat hunters identified seven malicious Python packages on PyPI, designed to steal crypto wallet recovery phrases. Dubbed BIPClip, the attack campaign aimed at cryptocurrency wallet developers has been active since December 2022. The packages, downloaded 7,451 times before removal, exfiltrated data to a control server under the attackers' command. The threat actors involved used GitHub and social platforms like Telegram and YouTube to publicize their tools. Sophisticated tactics were applied to avoid raising suspicion, such as mimicking legitimate package functions. The campaign leveraged common software supply chain vulnerabilities and used legitimate services like GitHub to spread malware. Cases like MavenGate and CocoaPods demonstrate the risks associated with abandoned digital assets in open-source ecosystems.