Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-02-27 07:55:20 | bleepingcomputer | MISCELLANEOUS | Microsoft Encounters Update Installation Errors on Windows 11 | Microsoft acknowledges that the February 2024 updates for Windows 11 versions 22H2 and 23H2 are failing to install with 0x800F0922 errors. The errors halt update downloads at 96%, and affected systems display a message reassuring users while the changes are undone. Microsoft has added an entry to the Windows release health dashboard describing the problem and stating that a fix is being worked on. A temporary workaround suggested by Microsoft involves deleting the 'C:\$WinREAgent' folder and, if necessary, restarting the computer before retrying the update. The problems may be related to the Windows Recovery Environment (WinRE), paralleling the update issues seen in January 2024. Microsoft has also suggested that the error could be caused by insufficient space in the System Reserved partition or by connectivity problems with Windows Update servers, particularly when a VPN is in use. |
| 2024-02-27 07:34:37 | theregister | MISCELLANEOUS | Broadcom Debuts Integrated SASE Solution at Mobile World Congress | Broadcom announced the integration of VMware's SD-WAN and Symantec's Security Service Edge into a new offering called "VMware VeloCloud SASE, Secured by Symantec" at the Mobile World Congress in Barcelona. The new SASE product combines network and security services such as SD-WAN, secure web gateway, cloud access security broker, next-gen firewall, and zero trust network access. This is the first cross-brand integration following Broadcom's acquisition strategy, which aims to encourage customers to use more of its combined software portfolio. In previous years VMware used Mobile World Congress to update its telco offerings; this year it highlighted customer projects, including Dish Networks' 5G performance management pilot, Vodafone's network programmability proof-of-concept, and Singtel's partnership for 5G and edge cloud. It is unclear whether these customer projects result from the Broadcom acquisition or continue an existing trend, leaving open questions about Broadcom's impact and strategy for VMware. Meanwhile, KKR confirmed the acquisition of VMware's end user compute portfolio for approximately $4 billion, planning to create a standalone business emphasizing customer success and partner support. Shankar Iyer of Broadcom's EUC division expressed optimism about the divestment, which coincides with his ten-year anniversary in the division, describing the move as an opportunity for dedicated focus and growth. |
| 2024-02-27 05:47:58 | thehackernews | MALWARE | Critical SQL Injection Flaw in WordPress Plugin Endangers Websites | A severe SQL injection vulnerability has been discovered in the Ultimate Member WordPress plugin, affecting over 200,000 websites. Christiaan Swiers identified the vulnerability, CVE-2024-1071, which carries a CVSS score of 9.8. The flaw stems from improper escaping of a 'sorting' parameter and could allow unauthenticated attackers to extract sensitive data. The vulnerability only affects users who enabled the "Enable custom table for usermeta" option. The developers have patched the vulnerability in Ultimate Member version 2.8.3, and users are urged to update immediately. Wordfence has reported an attempt to exploit this vulnerability since the disclosure. The disclosure comes amid a rise in campaigns exploiting WordPress sites, injecting crypto drainers, and using phishing tactics to compromise Web3 ecosystems. Additional information was provided on a new drainer-as-a-service (DaaS) scheme and on the use of Telegram bots to perpetrate fraudulent activities. |
| 2024-02-27 04:06:18 | theregister | CYBERCRIME | China Alerts Public to Scams Involving Fake Digital Currency Wallets | The Ministry of Industry and Information Technology in China has issued a warning about fake digital currency wallet apps targeting users of the nation's central bank digital currency (CBDC), also known as e-Yuan or e-CNY. The scammers' tactics include patriotic themes, promises of high returns from get-rich-quick schemes, and phishing for personal information. The ministry has advised the public to download wallet apps only from official sources and to be cautious with QR codes and unfamiliar websites. Over 260 million digital wallets for the e-CNY have been issued, and as usage grows, scammers find the scale attractive for cybercrime. Despite the presence of numerous Android app stores in China, the ministry is maintaining a list of harmful apps and advises netizens to avoid them. The initiative aligns with the Chinese government's larger goals of promoting the digital yuan for international trade and challenging the dominance of the US dollar. Authorities are expected to enforce stricter regulations on app store operators to ensure the safety and integrity of the online ecosystem in China. |
| 2024-02-27 00:17:22 | bleepingcomputer | CYBERCRIME | UnitedHealth's Optum Targeted by BlackCat Ransomware Attack | UnitedHealth Group subsidiary Optum suffered a ransomware attack by BlackCat, impacting Change Healthcare's payment exchange platform. The outage has caused widespread billing disruptions across the U.S. healthcare system. Optum has begun issuing daily updates and is restoring systems carefully so as not to compromise security. The BlackCat ransomware group is reportedly the same gang behind the former DarkSide and BlackMatter operations. The FBI has linked BlackCat to over 60 breaches and estimates its earnings at $300 million from more than 1,000 victims. UnitedHealth Group's SEC filing hinted at "nation-state" involvement, but no public evidence links BlackCat to foreign governments. The U.S. State Department has announced rewards for information leading to BlackCat gang leaders or affiliates. |
| 2024-02-26 23:00:55 | bleepingcomputer | MALWARE | Stealth Malware Campaign Uses Steganography to Infect Systems | A Ukrainian group identified as 'UAC-0184' was found using steganography in image files to deploy the Remcos RAT to an entity in Finland with ties to Ukraine. The method evades detection by hiding malicious code within image pixel data. Morphisec analysts detected the campaign, which began in early 2024 and follows similar attacks on the Ukrainian armed forces in 2023. The attack begins with a phishing email that leads to a multi-stage infection process involving an executable and a modular malware loader called 'IDAT.' IDAT uses advanced evasion techniques, including API call resolution at runtime and dynamic code injection, to deliver the Remcos RAT undetected. Remcos RAT allows attackers to stealthily monitor and steal data from compromised systems. Other malware families, such as Danabot, SystemBC, and RedLine Stealer, may also be distributed by IDAT, although specifics were not detailed for the Finland incident. |
| 2024-02-26 22:04:52 | theregister | NATION STATE ACTIVITY | Nevada Takes Legal Action Against Meta's Encrypted Messenger for Minors | Nevada Attorney General Aaron Ford filed a motion for a temporary restraining order (TRO) to block minors from accessing encrypted messaging on Meta's Messenger platform. The motion is part of broader legal action against social media companies, accusing them of deceptively marketing addictive services to youth. The filing cites potential risks to children from end-to-end encryption (E2EE), claiming it aids child predators and hinders law enforcement. Meta introduced default E2EE for Messenger users in December 2023, which Nevada officials say obstructs the gathering of criminal evidence. If successful, the injunction would require Meta to disable E2EE for users under 18 in Nevada, potentially affecting minors visiting the state as well. Legal experts and researchers argue that banning E2EE for children undermines their digital privacy and security and contravenes consumer protection laws. A hearing on the matter began on Monday with no decision reached at the time of reporting; neither Meta nor AG Ford's office provided comment. |
| 2024-02-26 21:39:08 | bleepingcomputer | MISCELLANEOUS | White House Recommends Adoption of Memory-Safe Programming Languages | The White House Office of the National Cyber Director (ONCD) is advising tech companies to use memory-safe programming languages to minimize software vulnerabilities. Memory safety issues such as buffer overflows and use-after-free bugs arise from coding errors and can lead to significant security risks if exploited by attackers. ONCD's report acknowledges the longstanding challenge of memory safety vulnerabilities and highlights the critical need for new strategies in software development. The initiative is part of the National Cybersecurity Strategy signed by President Biden, which places more responsibility for cybersecurity on software vendors. The NSA and other cybersecurity organizations have previously released guidelines promoting memory safety in software development practices. Research by Microsoft has shown that most vulnerabilities in code written in memory-unsafe languages are due to memory safety issues, even after extensive code review. Google's research suggests that memory-safe languages can considerably decrease or even eliminate memory safety flaws within large codebases. The ONCD emphasizes the importance of such measures in protecting the nation's digital ecosystem and reducing the overall threat surface. |
| 2024-02-26 20:43:09 | theregister | CYBERCRIME | Change Healthcare Hit by ALPHV Ransomware Attack | The ALPHV/BlackCat ransomware gang has been identified as responsible for the cyberattack on Change Healthcare, which is affecting pharmacies such as CVS and Walgreens. The attack has caused nationwide delays in prescription fulfillment because pharmacies are unable to transmit insurance claims. Change Healthcare disclosed the breach on February 21 and has been struggling to fully restore services. UnitedHealth, the parent company, raised the possibility of a nation-state cyber threat actor in an SEC filing. ALPHV is linked to the Darkside/Blackmatter group known for the Colonial Pipeline attack and for recent attacks on critical infrastructure. Despite a US government bounty for information leading to the capture of ALPHV leaders, the group's activities continue to be disruptive. The healthcare provider is taking a cautious approach, refusing to compromise security as it works to bring systems back online. |
| 2024-02-26 20:02:10 | bleepingcomputer | CYBERCRIME | Hackers Use Outdated CMS Tool for SEO Poisoning on Gov and Edu Sites | Threat actors are exploiting an old CMS text editor, FCKeditor, to carry out SEO poisoning on educational and government websites. Open redirects are used to send users from reputable domains to malicious external URLs, effectively bypassing the URL filters of security products. The tactic uses trusted domains to raise the ranking of malicious URLs in Google Search results, a strategy known as SEO poisoning. Despite the potential for abuse, companies like Google and Microsoft do not always treat open redirects as a security flaw needing immediate attention. Notable institutions such as MIT and Columbia University, and government sites including those of Virginia and Austin, Texas, have been identified as victims of this campaign. The deprecated FCKeditor plugin, replaced by CKEditor in 2009, is still in use on some sites, leaving them vulnerable to these attacks. The attackers first plant static HTML pages on a compromised domain so that they rank on search engines, then replace them with links directing users to malicious sites. The cybersecurity community stresses the importance of updating and replacing outdated software to prevent such exploitation, noting that many government and educational entities lag in this regard. |
| 2024-02-26 19:16:16 | theregister | CYBERCRIME | LockBit Ransomware Group Resurfaces, Threatens Data Leak | The LockBit ransomware gang, recently targeted by law enforcement, claims to have resumed operations and threatens to leak sensitive information, including data related to Donald Trump. The group taunts law enforcement and boasts of its resilience following the seizure of its servers and the arrest of members. LockBit's new leak site lists over a dozen alleged victims, including the FBI, healthcare facilities, and Georgia's Fulton County, which it targeted recently. Fulton County faces a new ransom threat, with LockBit setting a March 2 deadline for payment to prevent the disclosure of sensitive data, including juror identities from a murder trial. Law enforcement's recent operation, dubbed Operation Cronos, captured over 1,000 decryption keys, but LockBit alleges that most keys remain protected and unusable by the FBI. The ransomware group's spokesperson, LockBitSupp, admitted to a PHP vulnerability in their system but downplayed the impact of law enforcement's breach on their operations. |
| 2024-02-26 17:34:15 | bleepingcomputer | NATION STATE ACTIVITY | Five Eyes Warn of Russian SVR's Shift to Cloud Service Attacks | The Five Eyes intelligence alliance has issued a warning about the Russian SVR's (APT29) increased focus on attacks against cloud services. APT29, known for the SolarWinds breach, has been targeting cloud infrastructure, including Microsoft 365 and Exchange Online accounts. The advisory outlines SVR tactics including brute force attacks, password spraying, exploitation of dormant accounts, and the use of stolen access tokens. SVR uses sophisticated tools such as the MagicWeb malware to authenticate within compromised networks and targets government and critical organizations globally. Defenders are urged to enable MFA, enforce strong passwords, apply the principle of least privilege, establish canary accounts, and monitor for specific indicators of compromise. By implementing the recommended mitigations, organizations can strengthen their defenses against this particular nation-state threat. |
| 2024-02-26 17:08:33 | bleepingcomputer | CYBERCRIME | ThyssenKrupp Automotive Division Hit by Cyberattack | ThyssenKrupp has confirmed a cyberattack on its Automotive division that forced a shutdown of IT systems. The company is a global steel industry leader with over 100,000 employees and significant influence in multiple sectors. The breach was detected by the company's IT security team, leading to immediate containment efforts. No other ThyssenKrupp business units have been affected, and the situation is reportedly under control. Measures are being taken to gradually restore normal operations after the attack. The Saarland plant, a major site for steel production and R&D, was directly affected but continues to supply customers. ThyssenKrupp has been targeted by cyberattacks in the past, with previous incidents focused on espionage and operational disruption. No threat actor has claimed responsibility for the attack, and specific details of the breach have not yet been disclosed. |
| 2024-02-26 16:42:40 | bleepingcomputer | CYBERCRIME | Major Brands' Domains Hijacked in Massive "SubdoMailing" Ad Fraud Campaign | A large-scale ad fraud campaign named "SubdoMailing" uses over 8,000 domains and 13,000 subdomains to send up to 5 million spam emails daily. Subdomains of trusted brands such as MSN, VMware, McAfee, and eBay were compromised, lending credibility to the spam and drawing recipients into fraudulent schemes. Guardio Labs researchers uncovered the campaign, revealing the use of hijacked subdomains to bypass spam filters and abuse email authentication protocols. The fraudulent emails direct users to fake giveaways and scams, generating ad revenue for the attackers through a complex series of website redirections. The attackers employ techniques such as CNAME hijacking and the exploitation of SPF records to take over domains and authenticate their spam. The discovery includes a detailed analysis of the methods used to make the emails appear legitimate, leveraging the SPF, DKIM, and DMARC protocols to evade detection. The threat actors behind SubdoMailing maintain a vast network of domains and IP addresses to run their ad fraud operations at scale. Guardio Labs has set up a checker website to help domain owners identify and address potential misuse of their brands in this ongoing campaign. |
| 2024-02-26 15:05:52 | bleepingcomputer | MISCELLANEOUS | Combating End-User Risk with Enhanced Password Security Measures | Despite cybersecurity training, end users often prioritize convenience, leading to risky password practices such as password reuse. Even when users are aware of best practices, training alone does not consistently change behavior, because of a focus on efficiency and a belief that breaches will not personally affect them. Research from LastPass shows that 79% of trained individuals find the training helpful, yet only 31% stop reusing passwords, demonstrating the gap between knowledge and action. Password reuse is a significant problem: Bitwarden found that 84% of users reuse passwords, exposing organizations to compromise when those credentials are breached elsewhere. Organizations are encouraged to complement cybersecurity training with technical controls, such as enforced strong password policies and continuous scanning against databases of compromised passwords. Specops Password Policy is one such technology; it blocks weak passwords and provides real-time feedback, thereby improving password security and supporting better user behavior. |