Daily Brief

Find articles below; each entry carries a generated summary

Total articles found: 11783

Checks for new stories every ~15 minutes

2024-02-23 05:11:49 thehackernews MALWARE Critical Apple Shortcuts Vulnerability Patched to Prevent Data Exposure
Apple has patched a zero-click vulnerability in the Shortcuts app that could let a malicious shortcut read sensitive data without user consent. The flaw, tracked as CVE-2024-23204 (CVSS 7.5), was fixed in iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3 and watchOS 10.3. Shortcuts is a scripting app shipped by default on iOS, iPadOS, macOS and watchOS that lets users build workflows to automate tasks. The vulnerability lay in the "Expand URL" action: a shortcut could base64-encode sensitive data and smuggle it to an attacker-controlled server as part of the URL to be expanded, bypassing Apple's Transparency, Consent, and Control (TCC) framework, which is supposed to gate access to that data behind a user prompt. Bitdefender researcher Jubaer Alnazi Jabin reported the bug. Because shortcuts are easy to share, a malicious one could spread widely through users importing and re-sharing it. Jabin demonstrated that the server on the receiving end could capture and decode the exfiltrated data, which is what makes the bug worth patching even though no user interaction beyond running the shortcut is needed.
2024-02-23 03:40:08 thehackernews DATA BREACH Avast Fined $16.5 Million for Selling User Browsing Data
Avast has been fined $16.5 million by the FTC for selling user browsing data without consent. The company claimed its products would block online tracking while it sold users' browsing data to advertisers. Under the order, Avast is prohibited from selling or licensing web browsing data for advertising purposes and must notify affected users. The data sold included sensitive information and could be combined with other data sets to track individual users. The practice was exposed by a joint press investigation, after which Avast's browser extensions were removed from the major browsers' extension stores. Avast shut down Jumpshot, the subsidiary responsible for the data sales, and has since merged with NortonLifeLock to form Gen Digital. The FTC said Avast duped consumers with false privacy promises while carrying out surveillance of its own.
2024-02-23 01:02:27 theregister DATA BREACH Avast Settles FTC Charges for $16.5 Million Over User Data Sales
Avast has agreed to pay $16.5 million to settle Federal Trade Commission (FTC) allegations that it sold customer browsing data through its subsidiary Jumpshot. The FTC complaint alleged Avast misrepresented its data practices and sold data that could reveal sensitive details about users to third parties, including web searches, pages visited and personal interests that could expose religious beliefs and political leanings. Avast's attempts to anonymize the data were inadequate: buyers could re-identify individual users from the browsing records. Jumpshot, closed in 2020 after the data sales came to light, had accumulated over eight petabytes of browsing data. Under the settlement Avast is barred from selling browsing data, must destroy all web browsing data and any algorithms derived from it, and must obtain explicit user consent before licensing data in future. Avast denies wrongdoing but agreed to settle to close the investigation, saying it remains committed to its users.
2024-02-22 21:18:42 theregister CYBERCRIME Cyberattack Impacts Pharmacists Across US Amid IT Shutdown
A cyberattack led Change Healthcare to shut down systems, disrupting pharmacy operations nationwide. The outage affected prescription order processing and insurance eligibility checks, leaving some patients to pay full cash prices. Change Healthcare, owned by UnitedHealth, is a critical healthcare technology provider that processes around 15 billion transactions a year. The incident began on Wednesday, and Change Healthcare confirmed it was caused by an outside threat actor. The disruption was expected to extend into Friday, with the company working to resolve the issue and posting updates. CVS pharmacies and users of Athenahealth software experienced outages, and CVS enacted business continuity plans to limit the impact. CVS Health said its own systems were not compromised, but it was still unable to process insurance claims for some customers. Other pharmacies, including Michigan's Scheurer Health and reportedly Publix, were also unable to process prescriptions because of the outage.
2024-02-22 19:46:54 theregister CYBERCRIME LockBit Ransomware Group Disrupted Amid Development of New Variant
Law enforcement disrupted the LockBit ransomware operation while the group was developing a new variant intended to fix problems with earlier versions. Unlike its rivals, LockBit wrote the new variant in .NET and compiled it with CoreRT, which lets it target more platforms and may help it evade static file detection. The leak of LockBit's builder in September 2022 spawned copycat attacks; the new variant tries to counter this by giving each build an expiry date. The in-development build, dubbed LockBit-NG-Dev, has a completely rewritten codebase with multiple encryption modes. It lacks some capabilities of earlier versions but remains capable. Although three arrests have been made, LockBit could return under a new name, since close to 200 affiliates remain at large. Trend Micro speculates that the disrupted .NET variant may shape LockBit's future or be picked up by other ransomware groups.
2024-02-22 19:16:05 bleepingcomputer MISCELLANEOUS Bitwarden Enhances Password Auto-Fill to Thwart Phishing Attacks
Bitwarden has rolled out a new inline auto-fill menu to reduce the risk of credential theft through malicious form fields. The change responds to a known attack pattern in which a rogue iframe injected into a compromised but otherwise legitimate site captures credentials that the password manager auto-fills into it. When the issue was first raised, Bitwarden disabled iframe auto-fill by default, letting users re-enable it behind a clear warning of the risk. The password manager has since added a further safeguard: auto-fill into iframes is allowed only when the frame belongs to the site the credential was saved for, or a subdomain of it, or a URL the user has explicitly trusted. The new inline menu is designed to stay visible on screen and to support keyboard navigation, so the safer path is also the convenient one. The feature is not enabled by default; users can switch it on in Bitwarden's settings, and Bitwarden recommends disabling the browser's own auto-fill to avoid conflicts. Bitwarden continues to offer other auto-fill methods, including keyboard shortcuts and context-menu entries, and lets users specify trusted URLs per vault item.
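The iframe rule described above, as an added example: this is not Bitwarden's code, but a small policy function a practitioner could use to reason about when filling into a frame is safe. It assumes a tiny hand-written public-suffix table (`PUBLIC_SUFFIXES`) standing in for the full Public Suffix List, and it treats "same site" as "same registrable domain", which is how browsers define it. The names `registrableDomain`, `sameSite` and `shouldAutofill` are mine; the sample URLs at the bottom are constructed.

```javascript
// Added example (not Bitwarden's code): should a password manager auto-fill a
// credential into a login form that lives inside an <iframe>?
//
// Policy modelled on the page:
//   - fill if the frame is the same origin as the top-level page;
//   - fill if the frame is on the vault item's site or a subdomain of it;
//   - fill if the user explicitly trusted the frame's origin for this item;
//   - otherwise refuse (this is the "rogue iframe on a compromised site" case).

// Assumption: a stand-in for the Public Suffix List so the example runs
// offline. Real code must use the full list, or "evil.github.io" and
// "victim.github.io" would be treated as the same site.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Returns the registrable domain (eTLD+1) of a hostname, or null when the
// hostname is itself a public suffix or its suffix is unknown (fail closed).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest suffix first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Two hosts are same-site when they share a known registrable domain.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// itemUri:     the URL the credential was saved for in the vault
// topUrl:      the top-level document the user is looking at
// frameUrl:    the document of the <iframe> that contains the login form
// trustedUris: origins the user explicitly allowed for this item
function shouldAutofill({ itemUri, topUrl, frameUrl, trustedUris = [] }) {
  const item = new URL(itemUri);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // The item is only a candidate at all if the top-level page is its site.
  if (!sameSite(item.hostname, top.hostname)) {
    return { fill: false, reason: "top-level page is not the item's site" };
  }
  if (frame.origin === top.origin) {
    return { fill: true, reason: "same-origin frame" };
  }
  if (sameSite(frame.hostname, item.hostname)) {
    return { fill: true, reason: "frame is on the item's site or a subdomain" };
  }
  if (trustedUris.some((u) => new URL(u).origin === frame.origin)) {
    return { fill: true, reason: "frame origin explicitly trusted by user" };
  }
  return { fill: false, reason: "cross-site frame: possible credential capture" };
}

// Constructed sample scenarios.
const SCENARIOS = {
  subdomainFrame: shouldAutofill({
    itemUri: "https://example.com/login",
    topUrl: "https://example.com/account",
    frameUrl: "https://auth.example.com/form",
  }),
  rogueFrame: shouldAutofill({
    itemUri: "https://example.com/login",
    topUrl: "https://example.com/account",
    frameUrl: "https://evil.net/steal",
  }),
  lookalikeFrame: shouldAutofill({
    itemUri: "https://example.com/login",
    topUrl: "https://example.com/account",
    frameUrl: "https://example.com.evil.net/steal",
  }),
  siblingOnSharedSuffix: shouldAutofill({
    itemUri: "https://victim.github.io/",
    topUrl: "https://victim.github.io/",
    frameUrl: "https://evil.github.io/",
  }),
  userTrustedFrame: shouldAutofill({
    itemUri: "https://example.com/login",
    topUrl: "https://example.com/account",
    frameUrl: "https://sso.partner.org/login",
    trustedUris: ["https://sso.partner.org"],
  }),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, result] of Object.entries(SCENARIOS)) {
    console.log(name.padEnd(24), result.fill ? "FILL   " : "REFUSE ", result.reason);
  }
}
```

The two cases worth noticing are `lookalikeFrame`, where the host starts with the victim's domain but registers under `evil.net`, and `siblingOnSharedSuffix`, where two unrelated tenants share a public suffix: a naive "ends with the same domain" check passes both, the registrable-domain comparison refuses both.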
2024-02-22 18:35:02 bleepingcomputer CYBERCRIME ScreenConnect Vulnerabilities Lead to LockBit Ransomware Attacks
ScreenConnect servers are being compromised through a critical authentication bypass vulnerability, with LockBit ransomware deployed on the affected networks afterwards. ConnectWise shipped security updates shortly after the flaw was disclosed and proof-of-concept exploits were published by security firms, and it lifted licence restrictions on the update so that all customers, including those with expired licences, can upgrade. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog with a one-week remediation deadline for U.S. federal agencies. At the time of writing only a relatively small share of exposed ScreenConnect servers had been patched, leaving many potential targets. Sophos X-Ops observed several LockBit attacks that followed exploitation of the ScreenConnect flaws, showing that some LockBit affiliates remain active after the law enforcement crackdown. LockBit's infrastructure and dark web sites were recently seized in an international law enforcement operation, but affiliates and splinter groups continue to pose a threat, and the U.S. State Department is offering rewards for information on LockBit associates.
2024-02-22 16:52:54 bleepingcomputer DATA BREACH FTC Imposes $16.5M Fine on Avast for Selling User Data
The FTC ordered Avast to pay $16.5 million for unlawfully selling user browsing data. Avast is now banned from selling or licensing browsing data for advertising purposes. The FTC alleges Avast collected and sold detailed browsing data without consent since at least 2014, misleading customers by promising to safeguard their privacy while profiting from their data through its Jumpshot subsidiary. Avast must obtain clear consent before selling data collected from non-Avast products and must delete all data it shared with third parties. Users whose data was sold without consent will be notified of the FTC's enforcement action. The FTC described Avast's conduct as a bait-and-switch that compromised consumer privacy.
2024-02-22 16:26:56 thehackernews NATION STATE ACTIVITY Apple Enhances iMessage Security with Post-Quantum Cryptography Protocol
Apple has introduced PQ3, a new post-quantum cryptographic (PQC) protocol for iMessage, to protect messages against future quantum computing threats. Apple describes PQ3 as the first messaging protocol to reach what it calls Level 3 security, above the protections it attributes to other widely used messaging apps. PQ3 combines the Kyber post-quantum key encapsulation mechanism with elliptic curve cryptography (ECC), so that an attacker would have to break both to recover message keys. The protocol is aimed at harvest now, decrypt later (HNDL) attacks, in which encrypted traffic is recorded today in the hope of decrypting it once a sufficiently capable quantum computer exists. PQ3 also rekeys automatically, limiting how many past and future messages a compromised key exposes: keys rotate after at most 50 messages and at least once every seven days. PQ3 is scheduled to ship in iOS 17.4, iPadOS 17.4, macOS 14.4 and watchOS 10.4. Apple's announcement follows moves by AWS, Cloudflare, Google and Signal toward quantum-resistant encryption.
2024-02-22 15:35:31 theregister CYBERCRIME Father-Son Duo Arrested for LockBit Ransomware Affiliation
Ukrainian police have arrested a father and son suspected of being affiliates of the LockBit ransomware group, which has carried out thousands of attacks over more than four years. The arrests were part of an international operation coordinated with French authorities and Europol to dismantle the cybercrime network. LockBit's leaders remain at large; recent indictments of Russian nationals are unlikely to lead to arrests soon because of extradition obstacles. The United States is offering rewards of up to $15 million in total for information leading to the identification or capture of LockBit members, as part of a broader strategy against ransomware. Despite the operational and geopolitical difficulties, particularly the war in Ukraine, authorities continue to pursue those involved in ransomware attacks, and the arrests and reward announcements signal growing international resolve to hold ransomware operators accountable.
2024-02-22 13:53:10 bleepingcomputer MALWARE LockBit Ransomware Prepares for 4.0 Upgrade Amid Law Enforcement Takedown
Law enforcement agencies have disrupted the infrastructure of the LockBit ransomware group. Trend Micro analyzed a new version of the LockBit malware that was under development and may have been intended to become LockBit 4.0. The next-generation variant, still unfinished, is written in .NET and is likely to support multiple operating systems. It lacks some capabilities of earlier versions, such as self-propagation across networks, but offers most of the expected functionality, including several encryption modes and self-deletion. The malware uses AES for file encryption with RSA to protect the keys, and includes file and directory exclusion lists and random file renaming to complicate recovery. Trend Micro's technical analysis documents the variant's full capabilities, which should help defenders prepare. The exposure of LockBit-NG-Dev is a setback for the group's plans, since researchers have now analyzed a build of it before it reached victims.
2024-02-22 10:53:35 thehackernews NATION STATE ACTIVITY North Korean Actors Backdoor Russian Government Software
An installer for Russian Consular Department software was trojanized to distribute the Konni RAT, in a campaign attributed to suspected North Korean actors. German cybersecurity firm DCSO linked the cyberespionage operation to North Korea's long-standing pattern of targeting Russian entities. The backdoored software, named "Statistika KZU", was intended for internal use by the Russian Ministry of Foreign Affairs. The MSI installer contacts a command-and-control server, after which the remote access trojan can transfer files and execute commands. A similar case in October 2023 involved backdoored Russian tax filing software. It is unclear how the threat actors obtained the installer, which itself suggests extensive North Korean espionage access inside Russia. Although political ties between North Korea and Russia are strengthening, the espionage continues, apparently to assess and verify Russian foreign policy independently. The report stresses that the threat persists regardless of shifting international relations.
2024-02-22 10:53:35 thehackernews NATION STATE ACTIVITY Hacktivism Surge Amid Geopolitical Conflicts and Cyber Warfare
Hacktivism has increased significantly, much of it tied to ongoing geopolitical conflicts such as the war in Ukraine. Hacktivist groups use platforms like Telegram to coordinate attacks and spread information, even as those platforms try to curb malicious activity. Groups such as NoName057(16) and Anonymous Sudan carry out cyberattacks as political activism, with varying consistency and impact. Pro-Russian groups, for example, target countries seen as opposing Russian interests or supporting Ukraine. The main effect of these attacks is Fear, Uncertainty, and Doubt (FUD): they shape public perception more than they cause direct damage. NoName057(16) appears to choose targets roughly in proportion to each country's level of support for Ukraine, as measured by the Ukraine Support Tracker, although geographic proximity also plays a role. Comparing the support each country has pledged with how often it is attacked shows where the group's response is proportional and where it is not.
2024-02-22 10:53:35 thehackernews MALWARE Open-Source SSH-Snake Tool Weaponized by Cybercriminals for Network Infiltration
Cybercriminals are abusing SSH-Snake, an open-source network traversal tool, to attack networks. SSH-Snake is a self-modifying worm: it hunts for SSH private keys and known hosts on each system it reaches and uses them to spread to the next, which Sysdig says makes it more efficient and reliable for attackers than hand-written scripts. Along the way it harvests credentials, IP addresses and bash command histories, giving operators stealthy lateral movement. The worm exploits the widely recommended practice of passwordless SSH keys, turning a tool built for legitimate security assessment against its users. The tool's developer, Joshua Rogers, argues that the right response is proactive security and infrastructure design rather than reliance on tools not being available. In related news, Aqua has detected a new "Lucifer" botnet campaign that exploits vulnerabilities in Apache Hadoop and Apache Druid for cryptojacking and DDoS. Defenders are urged to re-architect systems, in particular to limit where a single compromised key can reach, so that scripts like SSH-Snake cannot traverse a whole network when turned against it.
2024-02-22 06:37:25 theregister NATION STATE ACTIVITY Leak Exposes I-Soon as Chinese Government-Linked Hacker-for-Hire
A leak on GitHub has exposed Chinese infosec vendor I-Soon as a contractor involved in government-sponsored cyberattacks. The leaked documents indicate I-Soon has developed Remote Access Trojans (RATs) for Linux, Windows, macOS, iOS and Android. Its Android malware is reportedly able to extract extensive messaging histories from a range of chat apps, including Telegram. I-Soon is said to have successfully targeted government departments in several Asian countries and to have gained access to a NATO-related system. Hardware implants, such as a "poisoned" power bank that exfiltrates data from devices plugged into it, are part of its toolkit. The leak suggests a competitive market in China in which multiple agencies hand contractors lists of foreign government systems as targets and pay for successful breaches. The documents offer a rare view of how Beijing outsources its cyber operations, though they reveal no unprecedented capabilities. The Register expects further insights to emerge once the documents have been accurately translated and analyzed.