Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11783

Checks for new stories every ~15 minutes

2024-02-29 21:47:47 theregister NATION STATE ACTIVITY U.S. Government Seeks Court Extension of Controversial Spy Powers
The Biden administration has asked the Foreign Intelligence Surveillance Court to recertify, for another year, the surveillance programs run under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits warrantless collection of foreigners' communications and incidentally sweeps in Americans' messages. The request sidesteps the congressional debate over the statute's renewal. Senator Ron Wyden criticized the Justice Department for seeking a year-long extension without any reforms when bipartisan support exists for reauthorization with added protections for Americans. National Security Council legal advisor Josh Geltzer defended the request as routine. Privacy and civil liberties groups, including the ACLU and EFF, counter that reforms are needed to prevent abuse of Section 702 powers: the FBI has previously been found to run improper queries of 702-collected data on U.S. persons, including elected officials, which is the main argument for stricter oversight. Four proposed bills would reauthorize Section 702 with added restrictions, including a warrant requirement for certain searches of Americans' communications. The debate pits national security priorities against individual privacy rights, and the future shape of Section 702 remains undecided.
2024-02-29 21:37:23 bleepingcomputer MALWARE Evolved Bifrost Malware Targets Linux with Enhanced Evasion
Palo Alto Networks' Unit 42 has found a new variant of the Bifrost remote access trojan (RAT) with improved evasion. The sample's command-and-control host sits behind a deceptive domain that mimics VMware's, and name resolution goes through a public DNS resolver in Taiwan, which makes the traffic harder to attribute and block. Bifrost collects the victim's hostname, IP address and process ID, encrypts the data with RC4 and sends it to the C2 server. The new binary is stripped of debugging symbols, which slows reverse engineering. Unit 42 also found an ARM build of the malware, extending the operators' reach beyond x86 Linux hosts. Although Bifrost has been around for years, these changes point to active development aimed at making it stealthier, and Unit 42 recommends stronger monitoring and defenses against this evolving threat.
2024-02-29 20:46:24 bleepingcomputer MISCELLANEOUS Brave Integrates Privacy-Focused AI Assistant 'Leo' in Android Browser
Brave Software has added "Leo", its privacy-focused AI assistant, to the Android version of its browser. Leo can summarize content, translate pages, write code and draft text, and is reached from a simple interface inside the browser. There are two service levels: a free tier and a premium tier at $14.99/month with added features and cross-device support. Leo is backed by several large language models chosen for accuracy and multilingual support, with privacy as the central design goal. The roll-out is phased, so some users may need to wait before seeing the feature, and an iOS launch is planned next.
2024-02-29 20:35:58 bleepingcomputer CYBERCRIME CISA Alerts: Factory Reset Insufficient for Hacked Ivanti Devices
CISA warns that Ivanti Connect Secure and Policy Secure gateways compromised through the recently exploited Ivanti vulnerabilities can remain under attacker control even after a factory reset. In CISA's own lab testing, attackers could evade Ivanti's Integrity Checker Tool (ICT) and keep root-level access while the device appeared clean. The flaws allow authentication bypass and arbitrary command execution. During incident response, Ivanti's detection tools missed compromises because the attackers had erased evidence of the intrusion. Root-level persistence that survives a factory reset undermines the standard recovery procedure, so, despite Ivanti's reassurances, CISA advises organizations to weigh the significant risk of keeping affected devices in enterprise networks. CISA had earlier ordered federal agencies to disconnect, reset and rebuild Ivanti devices with updated software. Several of the Ivanti flaws were first exploited by nation-state actors, leading to widespread compromises across critical sectors.
2024-02-29 19:04:07 theregister NATION STATE ACTIVITY Biden Administration Scrutinizes China's 'Connected' Cars for Security Risks
The Biden administration has raised concerns over possible national security threats from Chinese-made connected vehicles. President Biden warned that Chinese cars on U.S. roads could gather sensitive data and be remotely accessed. The Department of Commerce issued an Advance Notice of Proposed Rulemaking seeking public input on securing the technology supply chain for connected vehicles. Commerce Secretary Gina Raimondo stressed the risks to both national security and personal privacy from foreign access to such cars. The review covers vehicle technology that could capture data or allow the car to be manipulated remotely. Chinese EV maker BYD recently outsold Tesla in quarterly electric-vehicle sales, a sign of China's growing strength in the auto industry, and rising Chinese vehicle exports and popularity in markets such as Mexico point to the strategic expansion of Chinese automakers. The U.S. is considering proactive measures so that the industry's future remains secure and domestically controlled.
2024-02-29 18:58:46 bleepingcomputer MISCELLANEOUS GitHub Rolls Out Default Push Protection Against Secret Leaks
GitHub has enabled push protection by default for all public repositories to prevent accidental exposure of secrets such as API keys. The feature checks pushes for more than 200 token types and patterns from over 180 service providers before a 'git push' is accepted. If a secret is detected in a push to a public repository, the user is prompted to remove it, or can choose to bypass the block. The rollout may take a week or two to reach all accounts; users can opt in early or disable the feature entirely. GitHub Enterprise customers get the same protection in private repositories through GitHub Advanced Security. In the first weeks of 2024 alone, GitHub's secret scanning detected over 1 million leaked secrets in public repositories. The change adds an important layer of defense, as leaked credentials have been the entry point for several high-impact breaches in recent years.
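As an added illustration of what a client-side counterpart to push protection looks like (example code written for this brief, not GitHub's implementation), the script below scans only the lines a push would add, looks for a handful of well-known token formats, and refuses the push when one is found unless the author explicitly bypasses. The pattern list is a constructed subset of what GitHub checks, the diff and the GitHub token value are made up, and the AWS key is the placeholder value from AWS's own documentation.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed subset of token formats; GitHub's push protection checks 200+ patterns.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int       # line number in the file as it will exist after the push
    kind: str
    redacted: str   # never echo the full secret back into terminal logs


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def scan_diff(diff_text: str) -> list:
    """Scan only the '+' lines of a unified diff: removed lines never reach the remote."""
    findings, path, new_line = [], "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("-"):
            continue                                  # '--- a/...' header or a removed line
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)            # new-file start line of this hunk
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(raw[1:]):
                    findings.append(Finding(path, new_line, kind, redact(m.group(0))))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                             # unchanged context line
    return findings


def push_allowed(findings: list, bypass: bool = False) -> bool:
    """Mirror push protection's choice: block on any finding unless the author bypasses."""
    return not findings or bypass


# Constructed diff: a documented AWS placeholder key and a made-up GitHub token.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
 DEBUG = False
-API_KEY = None
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    # Typical use: as a pre-push hook, scanning the commits not yet on the remote.
    try:
        diff = subprocess.run(["git", "diff", "@{upstream}...HEAD"],
                              capture_output=True, text=True).stdout
    except FileNotFoundError:
        diff = ""
    found = scan_diff(diff or SAMPLE_DIFF)
    for f in found:
        print(f"{f.path}:{f.line}: possible {f.kind} ({f.redacted})")
    sys.exit(0 if push_allowed(found) else 1)
```

Installed as `.git/hooks/pre-push`, the hook exits non-zero and aborts the push on a hit; the redacted form keeps the secret out of CI logs, which are themselves a common leak path.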
2024-02-29 16:29:17 theregister CYBERCRIME Surge in Infostealers Exploited by Cybercriminals for Ransomware Attacks
Cybercriminals increasingly use infostealers to harvest credentials from PCs as a cheap way into corporate networks. Infostealers, which grab saved passwords, browser session cookies and financial data, give ransomware crews an easier path to initial access than brute force or vulnerability exploitation. Notable ransomware groups, including LockBit and former members of Trickbot/Conti, have shown interest in acquiring or using infostealer capabilities. Mandiant reports a sharp rise in infostealer advertisements on the dark web and a 2000% increase in the volume of stolen-credential logs offered for sale. Kaspersky observed a dramatic spike in stolen OpenAI credentials sold on dark web markets in 2023, showing the scale of the problem. IBM X-Force recorded a 266% jump in infostealer-related activity, consistent with ransomware groups favouring stolen credentials for initial access. Security experts urge organisations not to underestimate infostealers and to prioritise defenses against them, since a single harvested login can replace an entire exploitation chain.
2024-02-29 15:58:27 bleepingcomputer DATA BREACH Cutout.Pro Suffers Significant Data Breach: 20 Million Users Affected
The AI image-editing service Cutout.Pro has suffered a data breach exposing the personal data of about 20 million users, including email addresses, hashed passwords, IP addresses and usernames. A hacker using the handle 'KryptonZambie' posted 5.93 GB of Cutout.Pro data, 41.4 million records in all, on a hacking forum and has also distributed it through a personal Telegram channel. Have I Been Pwned confirmed and indexed the breach, which affects nearly 20 million individuals. Cutout.Pro has not issued a statement and has not responded to requests for comment. Users should reset their Cutout.Pro password, change it anywhere it was reused, and watch for phishing that leverages the leaked data.
2024-02-29 15:22:31 thehackernews CYBERCRIME New Silver SAML Attack Circumvents Enhanced Identity System Defenses
Researchers at Semperis have disclosed Silver SAML, an attack that works even where defenses against the earlier Golden SAML technique are in place. It targets identity providers such as Entra ID and every application that trusts them for SAML authentication. Unlike Golden SAML, Silver SAML does not require access to Active Directory Federation Services; Semperis rates it moderate severity. The precondition is a SAML signing certificate that was generated outside the identity provider and imported into it: an attacker who obtains that certificate's private key, for example from the PKI or secrets store where it was created, can forge SAML responses that the relying applications accept as genuine. Microsoft was informed and does not treat the issue as a vulnerability requiring an immediate fix, though it may add protections later. There is no evidence of Silver SAML being used in the wild. Organizations are advised to use only Entra ID self-signed certificates for SAML signing and to monitor Entra ID audit logs for unexpected changes to applications' signing certificates; Semperis has released a SilverSAMLForger proof-of-concept that can be used to test such detections.
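To make the defensive advice concrete, here is an added example (written for this brief, not Semperis' tooling or Microsoft's API) of the two checks a tenant owner can run: inventory SAML signing certificates that were not minted by Entra ID, since those are the ones whose private key lives somewhere an attacker could steal it, and pick out audit-log events that changed a SAML application's signing material. The data is constructed in the shape of Microsoft Graph `servicePrincipal` objects and Entra ID audit-log entries; the certificate subject and issuer fields are assumed to have been extracted from the `keyCredentials` certificate beforehand, the self-signed subject string and the activity names are assumptions to verify against your own tenant, and the app and user names are made up.

```python
# Audit activities that add or replace a service principal's credentials.
# Assumed set: confirm the exact strings in your tenant's audit log before alerting on them.
CERT_CHANGE_ACTIVITIES = {
    "update application - certificates and secrets management",
    "add service principal credentials",
    "update service principal",
}

# Subject Entra ID uses on the SAML signing certificates it generates itself (assumption).
ENTRA_SELF_SIGNED_SUBJECT = "CN=Microsoft Azure Federated SSO Certificate"


def _norm(activity: str) -> str:
    """Audit activity names use an en dash; normalise so both dash forms match."""
    return activity.replace("\u2013", "-").lower().strip()


def is_entra_self_signed(cred: dict) -> bool:
    return cred.get("subject") == cred.get("issuer") == ENTRA_SELF_SIGNED_SUBJECT


def external_signing_certs(service_principals: list) -> list:
    """(app name, cert subject) for every SAML signing cert that Entra ID did not mint.

    These certificates have a private key outside Entra ID, which is exactly the
    precondition Silver SAML needs.
    """
    flagged = []
    for sp in service_principals:
        for cred in sp.get("keyCredentials", []):
            if cred.get("usage") != "Sign" or cred.get("type") != "AsymmetricX509Cert":
                continue
            if not is_entra_self_signed(cred):
                flagged.append((sp["displayName"], cred.get("subject", "<unknown>")))
    return flagged


def saml_app_ids(service_principals: list) -> set:
    return {sp["id"] for sp in service_principals
            if sp.get("preferredSingleSignOnMode") == "saml"}


def signing_cert_changes(audit_log: list, app_ids: set) -> list:
    """Credential changes on SAML apps, with who made them and when."""
    hits = []
    for entry in audit_log:
        if _norm(entry.get("activityDisplayName", "")) not in CERT_CHANGE_ACTIVITIES:
            continue
        user = entry.get("initiatedBy", {}).get("user") or {}
        actor = user.get("userPrincipalName", "<service or app>")
        for target in entry.get("targetResources", []):
            if target.get("id") in app_ids:
                hits.append({"time": entry.get("activityDateTime"), "actor": actor,
                             "app": target.get("displayName"),
                             "activity": entry["activityDisplayName"]})
    return hits


# Constructed sample data: one app with an Entra-minted cert, one with an imported cert.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-hr", "displayName": "HR Portal", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Sign",
                         "subject": ENTRA_SELF_SIGNED_SUBJECT,
                         "issuer": ENTRA_SELF_SIGNED_SUBJECT}]},
    {"id": "sp-expense", "displayName": "Expense SaaS", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Sign",
                         "subject": "CN=sso.corp.example", "issuer": "CN=Corp Issuing CA"}]},
]

SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-02-28T09:12:00Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@corp.example"}},
     "targetResources": [{"id": "sp-expense", "displayName": "Expense SaaS"}]},
    {"activityDateTime": "2024-02-28T09:15:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "targetResources": [{"id": "user-123", "displayName": "Some User"}]},
]
```

In a real tenant the two inputs come from `GET /servicePrincipals?$select=id,displayName,preferredSingleSignOnMode,keyCredentials` and `GET /auditLogs/directoryAudits`; the first function tells you which apps to migrate to Entra-generated certificates, the second is the alert rule.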
2024-02-29 13:04:40 theregister DATA BREACH Meta Accused of Illegal Data Practices Under GDPR Laws
Consumer groups in the EU have filed complaints against Meta's "pay or consent" model, which makes users choose between consenting to data processing for advertising or paying for an ad-free subscription. The complaints argue that Meta's approach breaches GDPR by undermining data minimisation and transparency and by failing to establish a valid legal basis for processing personal data for advertising. Privacy group noyb had already challenged the policy, arguing that consent extracted this way is not freely given as EU law requires. BEUC's member organisations say the model exploits Meta's dominant market position to coerce consent, which they consider unlawful and non-transparent. Meta rejects the allegations, saying its approach complies with GDPR and follows regulatory guidance and recent European court judgments. The complaints add to Meta's long history of friction with EU regulators, including a record €1.2 billion GDPR fine over transatlantic data transfers and delayed product launches over compliance concerns.
2024-02-29 11:37:59 thehackernews MALWARE GTPDOOR Malware Targets Telecom Networks Via GPRS Roaming
A new Linux backdoor, GTPDOOR, has been found targeting telecommunications networks, specifically systems adjacent to GPRS roaming exchanges (GRX). GTPDOOR uses the GPRS Tunnelling Protocol (GTP), the signalling protocol that carries roaming traffic between operators, as its command-and-control (C2) channel, so commands arrive over the roaming interconnect rather than over the internet. GPRS roaming lets subscribers use data services outside their home network via intermediary GRX providers, and GTPDOOR hides inside that trusted traffic. The malware was first spotted in two samples uploaded to VirusTotal from China and Italy and has been attributed to LightBasin, a threat actor with a long record of telecom intrusions. On execution, GTPDOOR renames its process to '[syslog]' so that it resembles a kernel thread, and opens a raw socket, which lets it receive GTP-C messages without binding a listening port that would show up in a port scan; commands embedded in those messages are executed and the output is returned over the same channel. The implant also answers a covert liveness check: a TCP packet sent to any port on the host elicits a reply with a distinctive TCP flag combination, letting operators confirm from outside the GRX that a machine is infected.
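Because GTP-C is plain UDP with a small fixed header, a network-side check for this kind of abuse is straightforward to build. The Python below is an added example written for this brief, not GTPDOOR code or anything from the researchers' analysis: it decodes the GTPv1 header as laid out in 3GPP TS 29.060 and flags echo requests that carry anything beyond the optional Private Extension information element, which is where a command riding inside a signalling message would show up. The packets are constructed inline; the assumption that the implant's commands arrive inside GTP-C echo requests, and the heuristic itself, are mine and should be tuned against real GRX captures.

```python
import struct

GTPC_PORT = 2123          # GTP-C (control plane) UDP port
GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
GTP_IE_PRIVATE_EXT = 255  # the only IE an echo request legitimately carries


def parse_gtpv1(packet: bytes) -> dict:
    """Decode the GTPv1 header (3GPP TS 29.060 section 6) and return fields plus payload."""
    if len(packet) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length = struct.unpack("!BBH", packet[:4])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version {version})")
    (teid,) = struct.unpack("!I", packet[4:8])
    hdr_len, seq = 8, None
    if flags & 0x07:                       # E, S or PN set: the 4 optional octets are present
        if len(packet) < 12:
            raise ValueError("truncated optional header")
        hdr_len = 12
        if flags & 0x02:                   # S bit: sequence number is meaningful
            (seq,) = struct.unpack("!H", packet[8:10])
    end = 8 + length                       # 'length' counts everything after the mandatory header
    if end > len(packet):
        raise ValueError("length field exceeds datagram")
    return {"version": version, "pt": (flags >> 4) & 1, "msg_type": msg_type,
            "teid": teid, "seq": seq, "payload": packet[hdr_len:end]}


def is_suspicious_echo(packet: bytes) -> bool:
    """True for an echo request whose payload is anything other than one Private Extension IE."""
    try:
        g = parse_gtpv1(packet)
    except ValueError:
        return False                       # malformed or non-GTP: a different alert, not this one
    if g["msg_type"] != GTP_ECHO_REQUEST or not g["payload"]:
        return False
    p = g["payload"]
    if p[0] == GTP_IE_PRIVATE_EXT and len(p) >= 3:
        (ie_len,) = struct.unpack("!H", p[1:3])   # TLV IE: type, 2-octet length, value
        if len(p) == 3 + ie_len:
            return False
    return True


def build_echo_request(payload: bytes = b"", seq: int = 1) -> bytes:
    """Build a GTPv1 echo request (helper for the constructed samples below)."""
    flags = 0x30 | 0x02                    # version 1, PT=1 (GTP, not GTP'), S bit set
    body = struct.pack("!HBB", seq, 0, 0) + payload   # seq, N-PDU number, next ext type
    return struct.pack("!BBHI", flags, GTP_ECHO_REQUEST, len(body), 0) + body


# Constructed samples: a normal keepalive, a vendor private extension, and a command in the payload.
BENIGN_ECHO = build_echo_request()
PRIVATE_EXT_ECHO = build_echo_request(bytes([GTP_IE_PRIVATE_EXT, 0, 2, 0x01, 0x02]))
IMPLANT_STYLE_ECHO = build_echo_request(b"id;uname -a")


def scan_datagrams(datagrams: list) -> list:
    """(index, src) of every GTP-C datagram that looks like a command carrier.

    datagrams is a list of (src_ip, dst_port, udp_payload) tuples, e.g. from a pcap.
    """
    return [(i, src) for i, (src, dport, data) in enumerate(datagrams)
            if dport == GTPC_PORT and is_suspicious_echo(data)]
```

Because the implant reads from a raw socket, the datagram only needs to reach the host, not an open port, so the place to run this is a tap on the GRX-facing interface rather than on the host itself.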
2024-02-29 11:22:22 thehackernews CYBERCRIME Lazarus Hackers Utilize Windows Zero-Day Flaw for Elevated Attacks
The North Korea-linked Lazarus Group exploited a Windows kernel zero-day, CVE-2024-21338, to gain SYSTEM privileges and kernel-level read/write access on compromised hosts. Microsoft patched the flaw in its February Patch Tuesday release; in-the-wild exploitation was confirmed afterwards, and Microsoft updated the advisory to mark it as exploited. Avast, which discovered the exploit, found that Lazarus used it to deploy an updated version of its FudModule rootkit, which disables monitoring by security products. The bug lies in an IOCTL handler of appid.sys, the kernel driver behind AppLocker, which can be made to call an arbitrary pointer in kernel context; this gives the attacker a kernel primitive without the vulnerable third-party driver earlier FudModule versions relied on. FudModule, which Avast considers actively developed and deployed selectively, targets specific products including AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro and Microsoft Defender Antivirus. The incident shows the group's growing technical sophistication and its focus on evading detection. Lazarus has also been observed luring macOS users with fake meeting-invite links to install malware, illustrating its reach across platforms.
2024-02-29 11:22:22 thehackernews MISCELLANEOUS Optimizing Cybersecurity Investment with a Risk-Based Approach
The number of people affected by data breaches rose 40% in 2022 even though there were 60 fewer reported compromises than the year before, and organisations have responded by spending more on security. IT leaders are urged to get more from that spending by adopting a risk-based strategy: identify the organisation's most exposed assets and weaknesses, estimate the business impact of the threats against them, and direct controls and budget at the high-impact risks first. Prioritising this way, rather than spreading spend evenly, helps an organisation prepare for current and emerging threats, protect operational integrity, and maximise the return on its security investment.
2024-02-29 08:23:35 thehackernews NATION STATE ACTIVITY Sophisticated Cyberespionage on European Officials Via Wine-Tasting Invite
An as-yet unattributed cyberespionage group tracked as SPIKEDWINE has targeted European officials involved in Indian diplomatic events with a new backdoor, WINELOADER. The lure was a PDF attachment purporting to come from the Ambassador of India, inviting the recipient to a wine-tasting event. The PDF was uploaded to VirusTotal from Latvia; a similar lure dating from July 2023 suggests the campaign has been running since at least then. The link in the PDF downloads an HTML Application (HTA) containing obfuscated JavaScript that fetches WINELOADER. WINELOADER can run additional modules, inject DLLs into other processes, and adjust its command-and-control behaviour to evade detection. Zscaler ThreatLabz researchers noted the campaign's low volume and high sophistication, including techniques that defeat memory forensics and URL-scanning products. The operators used compromised websites both for command-and-control and as hosting for intermediate payloads, indicating a well-planned, stealthy campaign.
2024-02-29 08:18:17 thehackernews NATION STATE ACTIVITY Lazarus Group Targets Developers with Malware-Laden Python Packages
North Korea's state-backed Lazarus Group uploaded malicious packages to the Python Package Index (PyPI), putting developers' systems at risk. The packages, pycryptoenv, pycryptoconf, quasarlib and swapmempool, were named to resemble legitimate libraries so that a typo during installation would pull in the rogue version. Together they were downloaded 3,269 times before removal, with pycryptoconf the most downloaded. JPCERT/CC found that the packages hide an XOR-encoded DLL inside a Python test script; on installation the script decodes it and writes out two files, IconCache.db and NTUSER.DAT, with NTUSER.DAT used to load and run the Comebacker malware, which connects to a C2 server. The incident is part of a continuing trend of malicious npm and PyPI packages used to single out developers in targeted attacks. Developers should verify package names and sources before installing and avoid pulling in modules they have not vetted.
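Two pre-install checks follow from this report, shown here as an added example written for this brief (not JPCERT/CC's analysis or any PyPI tooling): a typosquat comparison of a requested package name against the names it might be imitating, and a scan of a package's test script for the pattern described above, namely a large high-entropy string literal, an XOR decode, and a write to a DLL-like file name. The allow-list of "known" names, the sample script and its encoded blob are all constructed for the example; the entropy threshold and edit-distance limit are assumptions.

```python
import math
import re

# Constructed allow-list of names a squatter is likely to imitate; use your real dependency set.
KNOWN_PACKAGES = ["pycrypto", "pycryptodome", "cryptography", "requests", "numpy"]


def normalise(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the usual measure for one-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_matches(candidate: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> list:
    """Known names that 'candidate' is suspiciously close to; empty if it is itself known."""
    c = normalise(candidate)
    known_n = [normalise(k) for k in known]
    if c in known_n:
        return []
    hits = []
    for k in known_n:
        if c.startswith(k):                   # e.g. pycryptoenv -> pycrypto + suffix
            hits.append((k, "prefix"))
        else:
            d = edit_distance(c, k)
            if d <= max_distance:
                hits.append((k, f"edit distance {d}"))
    return hits


def shannon_entropy(s: str) -> float:
    """Bits per character; base64/hex-encoded binaries sit well above ordinary source text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


LONG_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{200,})['"]""")
XOR_DECODE = re.compile(r"\^\s*(?:key|0x[0-9A-Fa-f]+|\d+)")
DLL_LIKE_WRITE = re.compile(r"(?i)\.(?:dll|db|dat)['\"]")


def suspicious_stager(source: str, entropy_threshold: float = 4.5) -> list:
    """Findings for the pattern in the report: embedded blob + XOR decode + dropped DLL."""
    findings = []
    for m in LONG_LITERAL.finditer(source):
        blob = m.group(1)
        if shannon_entropy(blob) > entropy_threshold:
            findings.append(f"high-entropy literal ({len(blob)} chars)")
    if XOR_DECODE.search(source):
        findings.append("xor decode loop")
    if DLL_LIKE_WRITE.search(source):
        findings.append("writes DLL-like file")
    return findings


# Constructed stand-in for the test script described in the report; the blob is synthetic.
_BLOB = "".join(chr(65 + (i * 7) % 26) + str(i % 10) for i in range(120))
SAMPLE_TEST_PY = f'''
import base64, os
key = 0x5A
data = "{_BLOB}"
out = bytes(b ^ key for b in base64.b64decode(data))
open(os.path.join(os.environ["APPDATA"], "IconCache.db"), "wb").write(out)
'''
```

Neither check is proof on its own: a legitimate package can ship a large literal, and a near-miss name can be an innocent fork. Together, on a package you did not expect to need, they are the cue to read the sdist before `pip install` runs it.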