Daily Brief

2024-02-06 21:59:16 theregister DATA BREACH Mozilla Launches Paid Service to Remove Personal Data from Brokers
Mozilla has introduced a paid tier to its Monitor service, now called Mozilla Monitor Plus, which aims to remove subscribers' personal information from data brokers. The service expansion comes as Mozilla seeks revenue diversification, with the Plus tier costing $8.99 per month, or $107.88 a year. Mozilla Monitor originally provided alerts on data breaches, using the HaveIBeenPwned database to notify users when their information had been compromised. The new Monitor Plus service will work with over 190 data broker sites to request the deletion of personal information, claiming to cover twice the number of sites compared to some competitors. Concern over data privacy has been heightened by recent events and regulations, such as Europe's GDPR and the California Consumer Privacy Act, with more legislative attention turning towards data brokers. California's upcoming Delete Act will introduce a data deletion mechanism, which may diminish the necessity of services like Monitor Plus in the state by 2026. Monitor Plus and similar services might serve as a stopgap solution in a largely unregulated data broker environment until more comprehensive privacy laws are enacted.
2024-02-06 19:31:14 theregister DATA BREACH Verizon Insider Error Exposes 63K Employees' Personal Data
Verizon is notifying over 63,000 people, predominantly current employees, of a privacy incident in which an insider had improper access to a file with personal information. The incident, classified as "inadvertent disclosure" and "insider wrongdoing," was reported to the Maine Attorney General because state laws mandate disclosure of security lapses. Personal data exposed includes names, addresses, Social Security numbers or equivalents, gender information, union affiliation, birthdates, and compensation details. According to Verizon, there is no current evidence suggesting malicious intent or external sharing of the compromised information. Verizon is conducting an internal review of the incident and is not publicly discussing actions taken regarding the employee responsible for the disclosure. The company is enhancing its technical controls to prevent similar occurrences and is offering two years of complimentary credit monitoring and identity protection services to affected individuals. Verizon's previous security issue, in October 2022, involved a data compromise and an attempted SIM swapping attack on prepaid customers' accounts.
2024-02-06 19:05:20 theregister DATA BREACH Verizon Insider Leak Compromises Data of Over 63,000 Individuals
Verizon is notifying 63,000 people, predominantly current employees, about their personal data being leaked due to an insider incident. The situation, deemed an "inadvertent disclosure," was identified and disclosed per Maine's stringent data loss regulations, although it directly impacted only 82 Maine residents. Compromised personal information includes names, addresses, Social Security numbers, gender, union status, birthdates, and compensation details. Verizon believes there was no malicious intent behind the leak, and there's no evidence that the information was circulated externally. The employee responsible for the leak has not been publicly discussed by Verizon, which considers it a private employment matter. Enhanced technical controls are being implemented by Verizon to prevent future unauthorized file access, and affected individuals are being offered two years of free credit monitoring and identity protection services. The telecom giant also faced a security issue in October 2022, where prepaid customer accounts were targeted by criminals through SIM swapping to access banking apps and accounts.
2024-02-06 18:54:48 bleepingcomputer NATION STATE ACTIVITY Chinese Espionage Breaches Dutch Military via Advanced Malware
Chinese state-sponsored hackers infiltrated the Dutch Ministry of Defence and deployed sophisticated malware in the network. The breach involved fewer than 50 users in a network used for unclassified R&D, and network segmentation limited the potential damage. Investigators discovered a new type of malware, called Coathanger, a persistent RAT capable of surviving system reboots and firmware upgrades. The Dutch Military Intelligence and Security Service has attributed the cyber-espionage to a Chinese group with high confidence. The Coathanger malware targeted FortiGate firewalls by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability. Fortinet had previously reported similar exploit attempts against government organizations leveraging zero-day vulnerabilities. Dutch officials stress the importance of timely patching of edge devices to thwart such cyber attacks and underline the significance of public attribution in bolstering international cybersecurity defense.
2024-02-06 18:49:20 bleepingcomputer NATION STATE ACTIVITY Chinese Cyber-Espionage Group Infects Dutch Defense Networks
The Dutch Ministry of Defence was breached by a Chinese cyber-espionage group that deployed malware. Damage was contained because the network was segmented and used primarily by fewer than 50 users for R&D on unclassified projects. The Military Intelligence and Security Service (MIVD) found a persistent RAT malware named Coathanger capable of surviving reboots and firmware upgrades. Although the attack has not been attributed to a specific group, MIVD has high confidence that it was conducted by a Chinese state-sponsored hacking group. This attack mirrors similar Chinese campaigns that target internet-facing devices with malware that persists through firmware updates. Defense Minister Kajsa Ollongren emphasized the importance of publicly attributing these espionage activities to China in order to build global cyber resilience. The attackers compromised FortiGate firewalls through a then-unknown vulnerability, underscoring the need for timely application of security patches.
2024-02-06 18:38:33 bleepingcomputer DATA BREACH Major Data Breach Strikes French Healthcare Payment Processor
A cyberattack on French healthcare services firm Viamedis has led to the exposure of sensitive data of policyholders and healthcare professionals. Although banking, telephone, and email information were not compromised, the breach did reveal individuals' social security numbers and other personal details. Viamedis, which services 84 healthcare organizations for 20 million insured individuals, is still assessing the full extent of the breach. The company has alerted health organizations, filed a complaint with the public prosecutor, and notified national authorities such as CNIL and ANSSI. The breach was the result of a phishing attack on an employee, not a ransomware attack. Partner organizations like Malakoff Humanis have acknowledged the breach's indirect effects and are sending notifications to affected customers. The temporary disconnection from Viamedis's platform is anticipated to impact certain healthcare services across various providers. A payment processor named Almerys has also reportedly been targeted by a cyberattack, indicating a possibly coordinated campaign against healthcare payment services.
2024-02-06 17:31:54 bleepingcomputer NATION STATE ACTIVITY Spyware Vendors Dominate Zero-Day Exploits, Google Reports
Commercial spyware vendors are responsible for 80% of zero-day vulnerabilities discovered by Google's Threat Analysis Group in 2023. Google has monitored 40 spyware vendors, tracing 35 of the 72 zero-day exploits affecting its products in the last decade back to these vendors. The majority of the zero-days impact Google Chrome and Android, followed by Apple iOS and Windows. Spyware vendors target high-profile individuals, such as journalists and political figures, and sell exploit licenses for millions of dollars. Zero-day hunting has become increasingly aggressive, with spyware vendors developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023. Google's discovery and patching of vulnerabilities impose significant costs on spyware vendors, disrupting their operations and financial models. Despite challenges, spyware remains in demand with lucrative contracts, prompting Google to call for greater global action against spyware proliferation. Google combats spyware threats through its security initiatives like Safe Browsing, Gmail security features, the Advanced Protection Program, and Google Play Protect, while maintaining transparency in sharing threat intelligence.
2024-02-06 17:31:54 bleepingcomputer CYBERCRIME JetBrains TeamCity Servers Plagued by Critical Auth Bypass Flaw
JetBrains has issued a warning about a critical authentication bypass vulnerability, CVE-2024-23917, affecting TeamCity On-Premises servers. The vulnerability affects all TeamCity On-Premises versions from 2017.1 to 2023.11.2, enabling attackers to potentially execute remote code without user interaction. Users are strongly encouraged to update their servers to version 2023.11.3 to remedy the security flaw, or temporarily take servers offline if immediate update is not possible. Alternative security measures include a security patch plugin for users unable to upgrade immediately, applicable to certain older TeamCity versions. TeamCity Cloud servers have been secured against the flaw, and there is no indication of attacks, although it is unknown how many exposed on-premises servers have been updated. The vulnerability resembles a prior CVE-2023-42793 flaw exploited by APT29 and other hacking groups, pointing to the risk of widespread RCE attacks and potential software supply chain disruptions. JetBrains' TeamCity is widely used by over 30,000 organizations globally, including industry giants across various sectors. Over 2,000 TeamCity servers are currently exposed online, with Shadowserver actively monitoring the situation; the number of secured servers amongst them is not specified.
2024-02-06 17:21:16 theregister NATION STATE ACTIVITY Dutch Defense Thwarts Chinese State-Sponsored Cyber Espionage Attempt
The Dutch Ministry of Defense (MoD) experienced an attempted cyberattack in 2023, attributed to Chinese state-sponsored actors. A novel malware, named Coathanger, was developed to target Fortinet's FortiGate firewalls, exploiting a known vulnerability (CVE-2022-42475) for access. Coathanger malware, a second-stage remote access trojan (RAT), is designed to evade traditional detection and persist through reboots and firmware updates. The MoD's network segmentation was credited for limiting the damage of the intrusion, as the attackers' activities were contained. Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) released technical details and indicators of compromise (IOCs) to help other organizations detect potential breaches. Complete reformatting of affected devices is required to remove the Coathanger malware, and victims are urged to contact national cybersecurity authorities. This public disclosure by Dutch authorities aims to increase international resilience against Chinese cyber espionage initiatives, highlighting a broader pattern of political espionage.
2024-02-06 16:03:57 bleepingcomputer DATA BREACH Verizon Insider Triggers Data Breach Affecting Over 63,000 Employees
Verizon Communications has reported an insider data breach affecting roughly 63,206 of its employees. Sensitive employee data, which may vary per individual, was accessed without authorization by a company insider on September 21, 2023. Verizon discovered the breach nearly three months later, on December 12, 2023. There is no current evidence to suggest misuse of the data or any indication that it was distributed outside of Verizon. Verizon is taking steps to enhance its internal security and prevent further breaches, while also notifying regulators about the incident. Impacted employees are being offered a two-year identity theft protection and credit monitoring service as protection against potential identity fraud. According to Verizon's statement, the incident has not affected any customer information. Verizon's previous significant cybersecurity issue, in October 2022, involved attempted SIM swaps that exposed customer data.
2024-02-06 15:48:16 theregister CYBERCRIME EquiLend Overcomes Ransomware Attack, Operational Status Restored
EquiLend, a significant securities finance technology firm, has fully restored client-facing services following a disruptive ransomware attack. The company, backed by major Wall Street institutions, operates the Next Generation Trading (NGT) platform, a pivotal system in the securities lending market. While internal teams and external experts worked on system recovery, EquiLend did not disclose details about the attackers' entry point or the extent of data compromised. Rumors suggest that the ransomware group LockBit may have been behind the attack, although EquiLend has not confirmed whether a ransom was paid. LockBit did not post EquiLend's information on its leak site, which is often a sign of ongoing ransom negotiations. EquiLend prides itself on "rigorous backups," which may have enabled it to refuse the attackers' demands and recover from backups instead. Despite the recovery, there is no available evidence suggesting that client transaction data was accessed or exfiltrated. The security breach occurred shortly after EquiLend announced the sale of a majority stake to the private equity firm Welsh, Carson, Anderson & Stowe.
2024-02-06 15:02:06 bleepingcomputer MISCELLANEOUS AI SPERA Launches Criminal IP ASM on Microsoft Azure
AI SPERA's Criminal IP ASM, an advanced cybersecurity solution, is now available on the Microsoft Azure Marketplace. AI SPERA, a certified ISV partner of Microsoft, offers technologies enhancing Azure's functionality and security. Criminal IP ASM provides Automated Attack Surface Management to monitor internet-connected assets with just a domain address. It features IP-based security monitoring to swiftly detect vulnerabilities and risks, streamlining the management of a company's attack surface. The solution automates IT security tasks, improves detection times, eliminates false positives, and discovers previously unmonitored assets and vulnerabilities. Criminal IP ASM supports continuous threat exposure management and offers sector-specific proactive responses. AI SPERA has established partnerships with over 40 global security firms and offers services in multiple languages to users in over 160 countries.
2024-02-06 14:16:03 thehackernews MALWARE Fake Facebook Ads Distribute New 'Ov3r_Stealer' Malware to Target Users
Threat actors are deploying fake Facebook job ads to distribute a new malware named Ov3r_Stealer. Ov3r_Stealer is designed to steal a variety of sensitive data, including credentials, crypto wallets, and personal information. The malware is delivered via a weaponized PDF laced with an internet shortcut file, ultimately executing the Ov3r_Stealer payload via a PowerShell script. The campaign uses a fake Facebook account and runs ads impersonating Amazon CEO Andy Jassy to spread the malware. There is speculation that the malware may be sold or evolved to act as a loader for additional malicious payloads. Trustwave SpiderLabs identified similarities between Ov3r_Stealer and another malware called Phemedrone Stealer, noting potential code overlaps. Cybersecurity firm Hudson Rock has also reported that some threat actors are leveraging infostealer infections to advertise unauthorized access to law enforcement request portals of major tech firms. The incident highlights a growing trend of utilizing cracked software as a vector for distributing various types of malware, including information stealers and ransomware.
2024-02-06 14:10:36 thehackernews CYBERCRIME Security Flaws Uncovered in Azure HDInsight Big Data Services
Security experts have identified three critical vulnerabilities in Azure HDInsight services, including Apache Hadoop, Kafka, and Spark. The flaws allow privilege escalation and can cause a regular expression denial-of-service (ReDoS) condition. Two privilege escalation vulnerabilities could enable attackers with existing access to escalate to cluster administrator rights. An XXE vulnerability allows root-level file reading and privilege escalation due to inadequate validation of user input. The ReDoS flaw in Apache Oozie results from improper input validation, making the system susceptible to DoS through intensive loop operations. Microsoft patched these vulnerabilities in the October 26, 2023 update, following responsible disclosure by Orca Security researchers. The report also references previous findings from Orca of eight significant flaws in Azure HDInsight and a "potential abuse risk" in Google Cloud Dataproc clusters due to lax security controls.
2024-02-06 13:34:36 theregister CYBERCRIME Critical Vulnerabilities in FortiSIEM Expose Customers to Attack
Two critical vulnerabilities, CVE-2024-23108 and CVE-2024-23109, have been identified in Fortinet's FortiSIEM product, allowing remote code execution. The vulnerabilities have received the highest severity rating (CVSS score of 10) and can be exploited remotely without authentication or user interaction. Fortinet's advisory linked to a previously addressed issue and has not been updated with new information, causing confusion among users. The impact of the vulnerabilities may extend to additional or updated versions of FortiSIEM, similar to a previously patched vulnerability from October. Details are under review in the National Vulnerability Database, and clarification from Fortinet is pending. Affected versions range from 6.4.0 through the latest 7.1.1, with no public exploit currently available. Customers are urged to upgrade to version 7.1.2 to mitigate risks, while updates for other affected version series are expected soon.