Daily Brief

Articles are listed below with their generated summaries

Total articles found: 11790

Checks for new stories every ~15 minutes

2024-03-06 15:43:45 bleepingcomputer CYBERCRIME VMware Addresses Critical Virtual Machine Escape Vulnerabilities
VMware has patched critical vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation that could let an attacker inside a guest break out of the virtual machine. The flaws, scored up to 9.3 (CVSSv3) on Workstation and Fusion, could give a guest code execution on the host and, from there, reach other virtual machines, undermining the isolation the hypervisor is meant to provide; on ESXi, VMware notes that exploitation of the two use-after-free bugs is contained within the VMX process sandbox. The four CVEs run from CVE-2024-22252 to CVE-2024-22255, three of them in the virtual USB controllers (xHCI and UHCI). As a workaround, USB controllers can be removed from VMs, at the cost of USB passthrough to those guests; patches are also available for some older versions. VMware stresses prompt patching even though no active exploitation has been reported, and advises admins to subscribe to its security advisory mailing list. The company has released a FAQ covering fixes and mitigations for the various product configurations.
2024-03-06 15:13:00 thehackernews CYBERCRIME BlackCat Ransomware Group Disappears After Alleged Exit Scam
The BlackCat (ALPHV) ransomware group has abruptly shut down its operations and appears to have pulled an exit scam following a purported $22 million ransom payment from a healthcare company. Security researchers have debunked the group's claim that its site was seized by law enforcement, pointing out inconsistencies in the source of the posted seizure notice, and the U.K.'s National Crime Agency confirmed it had no involvement in any disruption of BlackCat's infrastructure. A disgruntled affiliate accused BlackCat of absconding with the full ransom amount, fuelling speculation of an exit scam and a future rebrand. BlackCat, believed to be a successor to DarkSide and BlackMatter, had regained control of its infrastructure after a law-enforcement seizure in December 2023, underscoring its resilience to takedown actions. Its closure comes amid other shifts in the ransomware landscape, including LockBit moving to a new dark web portal and RA World continuing to hit organizations across sectors since April 2023.
2024-03-06 12:34:51 theregister CYBERCRIME Capita Reports Over £100M Loss Partly Due to Cyberattack
Capita has reported a net loss of £106.6 million for 2023, driven in part by a costly cyberattack. The Black Basta ransomware attack in March 2023 cost Capita an estimated £25.3 million, and the company's market value fell 20% after it announced the results. CEO Adolfo Hernandez announced further cost-cutting, targeting £100 million in savings by mid-2025. Despite the breach, Capita continues to win government contracts, including a £239 million pension scheme management deal, although its customer net promoter score fell because of the attack's impact on its pensions administration business. The company is cooperating with the Information Commissioner's Office and does not currently expect a regulatory penalty. Ongoing dark web monitoring has found no further circulation of data stolen in the attack.
2024-03-06 12:14:05 bleepingcomputer MALWARE Golang Malware Targets Misconfigured Servers in Automated Campaign
Attackers are exploiting misconfigured servers running Apache Hadoop YARN, Docker, Atlassian Confluence, or Redis in a campaign that delivers new Golang-based malware. The intrusions rely on configuration weaknesses (an unauthenticated Docker API, an exposed YARN ResourceManager, an unauthenticated Redis instance) rather than novel bugs, and drop a cryptocurrency miner plus a backdoor. Per-service shell scripts (h.sh, d.sh, w.sh, c.sh) and four new Golang binaries automate the discovery and exploitation of vulnerable hosts while trying to stay under the radar; against Confluence the scripts exploit the older CVE-2022-26134 for unauthenticated remote code execution. Cado Security uncovered the campaign when a Docker API honeypot was compromised, and the follow-up investigation revealed a multi-stage attack script. The actors use shell scripts and common Linux tradecraft to install miners, establish persistence, and remove traces of the initial access. While the older components are widely detected, the four new Golang binaries remain largely undetected by antivirus engines, suggesting the campaign is recent. Cado Security has published technical analysis and indicators of compromise to help defenders.
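The campaign above works because of configuration defaults, so the most useful defensive check is an audit of those settings on your own hosts. The following is an added example, not Cado Security's tooling and not code from the article. It assumes the standard configuration keys for each service (daemon.json "hosts" and "tlsverify" for Docker, bind/protected-mode/requirepass for Redis, hadoop.security.authentication in core-site.xml) and runs against constructed config snapshots embedded in the script:

```python
"""Audit constructed config snapshots for the exposures the campaign abuses.

Added example (not from the article or Cado Security). Checks the standard
config keys for Docker Engine (daemon.json), Redis (redis.conf) and Hadoop
(core-site.xml). The sample configs at the bottom are constructed, not real.
"""
import json
import xml.etree.ElementTree as ET

# Address tokens that mean "every interface" in the configs we parse.
PUBLIC_BINDS = {"0.0.0.0", "*", "::", "[::]", "*-::*", ""}


def audit_docker_daemon(daemon_json: str) -> list:
    """Flag a daemon.json that exposes the Engine API over TCP without TLS client auth."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("docker: API on %s with tlsverify off; any client that reaches the "
                        "port can start a privileged container" % ", ".join(tcp_hosts))
    for h in tcp_hosts:
        host = h[len("tcp://"):].rsplit(":", 1)[0]   # strip scheme and port
        if host in PUBLIC_BINDS:
            findings.append("docker: %s listens on every interface" % h)
    return findings


def audit_redis_conf(conf: str) -> list:
    """Flag a redis.conf that is reachable from the network without authentication."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    # A non-empty requirepass is taken as sufficient here; ACL files are out of scope.
    if any(directives.get("requirepass", [])):
        return []
    binds = directives.get("bind", [])
    protected = directives.get("protected-mode", ["yes"])[-1].lower() == "yes"
    if any(tok in PUBLIC_BINDS for b in binds for tok in b.split()):
        return ["redis: bound to every interface with no requirepass (protected-mode "
                "does not apply once bind is set explicitly)"]
    if not binds and not protected:
        return ["redis: no bind directive (all interfaces), protected-mode no, no requirepass"]
    return []


def audit_hadoop_core_site(xml_text: str) -> list:
    """Flag a core-site.xml that leaves Hadoop in 'simple' (no Kerberos) authentication."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        props[prop.findtext("name", "").strip()] = prop.findtext("value", "").strip()
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        return ["hadoop: hadoop.security.authentication is not kerberos; the YARN "
                "ResourceManager REST API will accept application submissions from anyone"]
    return []


def audit_host(docker_json: str, redis_conf: str, core_site: str) -> list:
    """Run all three checks and return the combined list of findings."""
    return (audit_docker_daemon(docker_json) + audit_redis_conf(redis_conf)
            + audit_hadoop_core_site(core_site))


# Constructed sample configs (not taken from any real host).
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
WEAK_HADOOP = ("<configuration><property><name>hadoop.security.authentication</name>"
               "<value>simple</value></property></configuration>")

HARDENED_DOCKER = '{"hosts": ["unix:///var/run/docker.sock"]}'
HARDENED_REDIS = "bind 127.0.0.1\nprotected-mode yes\nrequirepass CHANGE-ME-long-random\n"
HARDENED_HADOOP = ("<configuration><property><name>hadoop.security.authentication</name>"
                   "<value>kerberos</value></property></configuration>")

if __name__ == "__main__":
    for finding in audit_host(WEAK_DOCKER, WEAK_REDIS, WEAK_HADOOP):
        print("FINDING:", finding)
    print("hardened findings:", audit_host(HARDENED_DOCKER, HARDENED_REDIS, HARDENED_HADOOP))
```

The weak snapshot produces four findings and the hardened one none. The Redis logic follows the documented behaviour of protected mode: it only guards an instance that has neither an explicit bind nor a password, so `bind 0.0.0.0` with no `requirepass` is exposed regardless of the `protected-mode` value. Note that the Confluence case is not a misconfiguration but an unpatched CVE, so it is out of scope for a config audit; check the installed version instead.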
2024-03-06 11:38:17 thehackernews MISCELLANEOUS Innovative Reflectiz Platform Boosts Website Security & Compliance
Reflectiz offers a sandbox solution that continuously monitors web applications for security threats, compliance risks, and privacy issues. The platform provides visibility into hidden website elements and third-party web apps that can introduce security risks or regulatory non-compliance. Reflectiz uses automated detection cycles and a proprietary browser to dynamically analyze web page activities, thus identifying immediate risks. The service includes a unique rating system to benchmark website exposure levels to various threats, based on continual monitoring and analysis. A comprehensive inventory system within Reflectiz allows for easy management and immediate action on risky scripts and data items. Reflectiz has introduced a PCI Dashboard add-on to meet the upcoming PCI DSS v4.0 requirements for compliance reporting and real-time script monitoring. The platform enables clients to establish a security baseline and provides alerts for unauthorized changes to website elements, reducing the frequency of false alerts. Reflectiz emphasizes a proactive approach to security, offering a 30-day free trial to demonstrate the platform's capability in enhancing web exposure management.
2024-03-06 09:51:23 thehackernews MISCELLANEOUS Enhancing Google Drive Security with Material's Innovative Toolkit
Material Security has launched Data Protection for Google Drive, a product for controlling how sensitive data and permissions are shared within Google Drive. Many Google Workspace administrators struggle with confidential information being shared in an uncontrolled way, and identifying and managing that exposure is hard with the standard tools Google provides, such as the Workspace admin dashboard or the Drive API. Material's platform integrates with Google Workspace to inspect historical and current file contents, metadata, permissions, and sharing settings, and supports precise searches and activity-based filtering to find risky sharing and automatically revoke improper access without disrupting productivity. Its automated remediation workflows are designed to distinguish legitimate from improper sharing scenarios. Material argues that productivity suites are critical infrastructure for organizations and deserve correspondingly strong security. The article closes with an invitation to schedule a demo.
2024-03-06 08:29:32 theregister NATION STATE ACTIVITY SEMI Urges EU to Limit Export Controls on Chip Technology
SEMI, the industry association for semiconductor equipment and materials vendors, has pushed back on the European Commission's proposed economic-security measures, including tighter export controls and screening of outbound investment aimed at China. The group says export controls should be a "last resort" reserved for genuine national-security needs, and warns that the proposals could deter foreign investment and disrupt complex, globally distributed semiconductor supply chains. Excessive investment screening could also undercut the goals of the European Chips Act, SEMI argues. Rather than restricting outbound investment, SEMI suggests the EU focus on economic security and on preventing technology leakage, while keeping a balance between economic opportunity and global market access for EU companies. SEMI's position comes as the US has already restricted certain investments in China, underlining how much advancing semiconductor capability depends on investment.
2024-03-06 07:38:20 thehackernews NATION STATE ACTIVITY U.S. Sanctions Spyware Consortium for Targeting Officials, Journalists
The U.S. Treasury Department has sanctioned individuals and entities linked to the Intellexa Alliance for distributing commercial spyware. Intellexa's software, including Predator, was used against U.S. officials, journalists, and policy experts by unnamed foreign actors. OFAC highlighted the security risks and human rights concerns stemming from the misuse of commercial spyware, citing its use to repress dissidents worldwide. The Intellexa Alliance and related companies had previously been placed on the U.S. Entity List, restricting their business operations. Predator can infect mobile devices without user interaction, letting operators collect sensitive information and conduct surveillance. A recently announced U.S. policy allows visa restrictions on foreign individuals involved in the misuse of commercial spyware. The Treasury Department emphasizes the importance of responsible development and use of surveillance technologies to protect human rights and civil liberties.
2024-03-06 07:22:45 thehackernews MALWARE VMware Releases Patches to Neutralize Critical Security Vulnerabilities
VMware has issued security updates for critical use-after-free vulnerabilities in ESXi, Workstation, and Fusion. The flaws, CVE-2024-22252 in the XHCI USB controller and CVE-2024-22253 in the UHCI USB controller, carry CVSS scores of up to 9.3 and allow a malicious actor with local administrative privileges inside a guest to execute code as the VM's VMX process on the host; on ESXi this is contained within the VMX sandbox, while on Workstation and Fusion it can mean code execution on the machine running the hypervisor. Patches have been released for supported versions and, given the severity, for some end-of-life (EoL) versions as well. Security researchers from Ant Group Light-Year Security Lab and QiAnXin discovered and reported the vulnerabilities. As a temporary measure, VMware recommends removing all USB controllers from virtual machines, which disables USB passthrough to those guests. The default keyboard and mouse input devices are unaffected because they are not attached through the virtual USB controllers.
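Both VMware entries above (the BleepingComputer and The Hacker News summaries) point to the same interim workaround, removing USB controllers from guests, which first requires knowing which guests have them. The following is an added example, not VMware's tooling and not code from either article. It assumes that the .vmx keys usb.present (USB 1.1/UHCI), ehci.present (USB 2.0/EHCI) and usb_xhci.present (USB 3.x/xHCI) are the settings that attach each controller generation, and the sample .vmx is constructed for the example:

```python
"""Inventory the virtual USB controllers that VMware's interim workaround removes.

Added example, not VMware's tooling. Assumes usb.present, ehci.present and
usb_xhci.present are the .vmx keys that attach the three controller generations;
the SAMPLE_VMX below is constructed, not a real VM's config.
"""
import os
import re
import sys

USB_CONTROLLER_KEYS = {
    "usb.present": "USB 1.1 (UHCI)",
    "ehci.present": "USB 2.0 (EHCI)",
    "usb_xhci.present": "USB 3.x (xHCI)",
}
# A .vmx line is key = "value"; keys may contain dots, colons, digits and dashes.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Return .vmx settings as {lower-cased key: value}, ignoring non-matching lines."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers(text: str) -> list:
    """List the USB controllers a .vmx attaches, i.e. what the workaround would remove."""
    cfg = parse_vmx(text)
    return [label for key, label in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "").strip().upper() == "TRUE"]


def mitigate_vmx(text: str) -> str:
    """Return a copy of the .vmx with every USB controller set to FALSE, all else untouched."""
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in USB_CONTROLLER_KEYS:
            out.append('%s = "FALSE"' % m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def scan_dir(root: str) -> dict:
    """Map each .vmx under root to the controllers it attaches (empty list = none)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmx"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = usb_controllers(fh.read())
    return report


# Constructed sample: a guest with all three controller generations attached.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "constructed-sample"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
ethernet0.present = "TRUE"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. a copy of /vmfs/volumes/<datastore> pulled from an ESXi host
        for path, ctrls in scan_dir(sys.argv[1]).items():
            print(path, "->", ", ".join(ctrls) or "no USB controllers")
    else:
        print("sample attaches:", usb_controllers(SAMPLE_VMX))
        print("after mitigation:", usb_controllers(mitigate_vmx(SAMPLE_VMX)))
```

Treat the scan as a read-only inventory and mitigate_vmx as a way to preview the change: a .vmx should only be edited with the VM powered off, and on vSphere the supported route is the vSphere Client or PowerCLI rather than editing datastore files by hand. Removing the controllers breaks any USB passthrough the guest relies on, and it is a stopgap, not a substitute for applying the patches.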
2024-03-06 07:17:29 thehackernews CYBERCRIME GhostSec Partners with Stormous for Global Ransomware Campaign
GhostSec, in collaboration with the Stormous ransomware group, has carried out double extortion ransomware attacks in more than 15 countries. The two run a ransomware-as-a-service (RaaS) program called STMX_GhostLocker, with both free and paid tiers for affiliates. Targeted sectors include technology, education, manufacturing, government, and energy, among others. The Five Families coalition, of which GhostSec is a member, is expanding its ties across the cybercrime underground. GhostLocker 2.0, advertised for its fast encryption, comes with a new ransom note and a web panel from which affiliates manage their attacks. Talos researchers also uncovered two additional GhostSec tools: a deep website scanning toolset and GhostPresser, built to compromise WordPress sites. Together these point to a broadening toolkit and growing sophistication in attacking and exploiting vulnerabilities in legitimate websites and services.
2024-03-06 07:01:59 thehackernews NATION STATE ACTIVITY Lotus Bane: Emerging APT Group Targeting Vietnamese Financial Sector
A new advanced persistent threat (APT) group, dubbed Lotus Bane, has been identified targeting a financial institution in Vietnam. Singapore-based Group-IB reports that Lotus Bane has been active since at least 2022 and relies on techniques such as DLL side-loading and named pipes for covert communication. Its tradecraft overlaps with the known Vietnam-linked group OceanLotus (APT32), most notably in the use of the PIPEDANCE malware. Although the full scope of Lotus Bane's activity is not yet clear, the sophistication of the attacks suggests a capability for broader operations across the Asia-Pacific (APAC) region, mainly against banks. The discovery underscores the continuing threat to financial institutions in APAC, Europe, Latin America, and North America from groups including UNC1945, which has targeted ATM systems. Actors such as Lotus Bane and UNC1945 illustrate why robust defences remain essential for the financial industry.
2024-03-06 06:00:42 thehackernews CYBERCRIME Apple Acts on Zero-Day Vulnerabilities Amid Active Exploits
Apple has released updates fixing two actively exploited zero-day vulnerabilities, CVE-2024-23225 in the kernel and CVE-2024-23296 in RTKit, both memory-corruption bugs that let an attacker who already has arbitrary kernel read and write bypass kernel memory protections. Improved validation has been implemented in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6 to address them. That brings Apple's count to three exploited zero-days since the beginning of the year, the earlier one being the WebKit flaw CVE-2024-23222 patched in January. Separately, U.S. CISA has added two exploited vulnerabilities to its KEV catalog, one affecting Android Pixel devices and another exploited by a Mirai botnet variant, and federal agencies must apply the fixes by March 26, 2024. How the Apple flaws are being exploited has not been disclosed, but the updates are the only protection available, so users should install them promptly. Taken together, the fixes span multiple platforms and devices, a reminder of how widely a single class of flaw can reach.
2024-03-06 03:33:15 theregister DATA BREACH Japan Mandates LINE and NAVER to Segregate Tech After Data Leak
Japan's government has ordered LINE and NAVER to separate their technology stacks following a large data breach. More than 510,000 users were affected by the leak, which stemmed from technical resources shared between the two companies. LINE, widely used in Asia, merged with Yahoo! Japan in 2021, tying it to NAVER and SoftBank through corporate ownership. The breach involved unauthorized access via credentials belonging to a former employee, held in an Active Directory shared between LINE and NAVER. Japan's Ministry of Internal Affairs and Communications criticized both companies' security practices and demanded an overhaul with regular progress reports. LINE has been told to build its own authentication systems, keep only the minimum essential links with NAVER, and ensure that LINE user data is no longer stored on NAVER infrastructure. Both companies have acknowledged the findings and directives; SoftBank, which has stakes in both, has noted the Ministry's guidance and is weighing its wider implications.
2024-03-06 00:35:08 theregister CYBERCRIME US Government Acts Amid Healthcare Ransomware Disruption
The US Department of Health and Human Services (HHS) is assisting healthcare providers hit by the Change Healthcare ransomware attack, attributed to ALPHV/BlackCat. HHS has relaxed some Medicare rules and is expediting funding to affected providers to ease cash-flow problems and keep patient care running. More than 70,000 pharmacies and healthcare organizations that use Change Healthcare's software for insurance claims and prescriptions have faced disruption since the attack on February 21. The government is allowing expedited changes to Medicare claims processing and is encouraging Medicare Advantage organizations to advance funds to the hardest-hit providers; Medicaid and the Children's Health Insurance Program are urged to ease prior-authorization requirements and offer advance payments as well. Paper claims are being accepted while electronic billing is down, underlining the need for stronger cybersecurity in healthcare, and experts expect the currently voluntary cybersecurity performance goals HHS issued to become mandatory in the wake of the incident. Complicating matters, ALPHV/BlackCat appears to have pulled an exit scam, faking a law-enforcement seizure after allegedly keeping a $22 million ransom payment rather than sharing it with its affiliate.
2024-03-05 23:33:56 bleepingcomputer NATION STATE ACTIVITY NSA Guides Organizations on Zero-Trust Adoption to Thwart Adversaries
The National Security Agency (NSA) has released new guidance to help organizations adopt zero-trust principles, aiming to restrict adversary movement on internal networks. Zero-trust architecture emphasizes strict network resource access controls, assuming a threat may already be present on the network, contrasting with traditional trust models. NSA’s guidance focuses on the 'network and environment' component of zero trust, covering hardware, software, entities, and communication protocols. The NSA outlines four maturity levels for organizations to enhance network security through data flow mapping, segmentation, and software-defined networking. Data flow mapping involves detailed inventory and visibility of data storage and processing, while macro and micro segmentation prevent lateral movement across network segments. Software-defined networking affords centralized control and policy enforcement, contributing to granular security monitoring and heightened attack response capabilities. The guidance is part of an ongoing effort by the NSA to promote a resilient enterprise architecture through zero-trust, with previous guidance released on user pillar maturity.
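The data-flow mapping and segmentation steps described above are concrete enough to show in code. The following is an added example, not from the NSA guidance or the article: it assumes three illustrative segments (user, app, db) on made-up RFC 1918 ranges, an allow-list written as (source segment, destination segment, destination port), and flow records in a constructed "src dst port" text form. It first builds the segment-level data-flow map from observed flows, then audits that map two ways, at macro granularity (segment pairs only) and at micro granularity (pair plus port, including traffic inside a segment), so the difference between the two the guidance draws is visible on the same input:

```python
"""Data-flow mapping and macro/micro segmentation checks over constructed flow records.

Added example, not NSA code. SEGMENTS, ALLOW and SAMPLE_FLOWS are invented for
illustration; none of it describes a real network.
"""
import ipaddress
from collections import Counter

SEGMENTS = {
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
}

# Micro-segmentation policy: every flow, including flows inside one segment,
# needs an explicit (src segment, dst segment, dst port) entry.
ALLOW = {
    ("user", "app", 443),   # users reach the application tier over HTTPS
    ("app", "db", 5432),    # application tier reaches Postgres
    ("app", "app", 8443),   # intra-tier service calls
}


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to, or 'unknown' if no range matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list:
    """Parse 'src dst port' lines into (src, dst, port) tuples, skipping blanks and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def map_data_flows(flows: list) -> Counter:
    """Data-flow mapping: count observed flows per (src segment, dst segment, dst port)."""
    return Counter((segment_of(s), segment_of(d), p) for s, d, p in flows)


def audit_micro(flows: list, allow: set) -> list:
    """Micro-segmentation view: every (segments, port) triple must be explicitly allowed."""
    return [(key, n) for key, n in sorted(map_data_flows(flows).items()) if key not in allow]


def audit_macro(flows: list, allow: set) -> list:
    """Macro-segmentation view: only cross-segment pairs matter; ports and
    intra-segment traffic are invisible at this granularity."""
    allowed_pairs = {(s, d) for s, d, _ in allow}
    seen = Counter((segment_of(s), segment_of(d)) for s, d, _ in flows)
    return [(pair, n) for pair, n in sorted(seen.items())
            if pair[0] != pair[1] and pair not in allowed_pairs]


# Constructed flow records (not a real capture): src dst dst_port
SAMPLE_FLOWS = """\
10.10.5.5    10.20.1.1   443
10.10.5.6    10.20.1.1   443
10.20.1.1    10.30.1.1   5432
10.20.1.1    10.20.1.2   8443
10.20.1.2    10.20.1.3   22
10.10.5.5    10.30.1.1   5432
192.168.1.9  10.30.1.1   5432
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("data-flow map:", dict(map_data_flows(flows)))
    print("macro violations:", audit_macro(flows, ALLOW))
    print("micro violations:", audit_micro(flows, ALLOW))
```

On the sample, the macro check catches the user tier and an address outside every segment talking straight to the database, but it cannot see the SSH session between two application hosts; only the micro check, which keys on port and treats intra-segment traffic like any other, flags that lateral movement. That is the gap macro segmentation leaves and micro segmentation closes.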