Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-24 11:30:24 | thehackernews | MISCELLANEOUS | Revolutionizing SaaS Governance with Nudge Security Approach | Nudge Security is designed to adapt to business needs, allowing IT and security leaders to manage SaaS usage without hindering employee productivity. It provides a comprehensive inventory of SaaS accounts and activity by analyzing machine-generated email messages for security-relevant events. The platform includes tools for monitoring access methods, such as MFA and SSO enrollment, while assessing risks associated with OAuth grants and scopes. Nudge Security helps monitor and minimize the organization's SaaS attack surface, providing data on vendor security profiles and alerting on relevant breaches. The service aims to control SaaS sprawl and reduce shadow IT by automating employee engagement and guiding users toward security best practices. It offers automated workflows to handle common SaaS security tasks, enhancing efficiency and reducing the burden of manual oversight. Organizations can start a 14-day free trial to evaluate Nudge Security's impact on their SaaS security and governance. |
| 2024-01-24 11:04:33 | theregister | NATION STATE ACTIVITY | Microsoft Corporate Email Breach Traced to Russian-Sponsored Hackers | Russian state-sponsored actors, also known as Midnight Blizzard or Cozy Bear, compromised Microsoft's corporate systems, stealing leadership emails. The breach occurred in late November 2023 but was only detected on January 12, 2024, with Redmond yet to assess the full financial impact. Microsoft's statement emphasized that customer environments, production systems, source code, and AI systems were not accessed during the attack. Cozy Bear had previously infiltrated Microsoft during the SolarWinds supply-chain attack, and other breaches by various attackers have occurred since. US Senator Ron Wyden criticized Microsoft for failing to implement multi-factor authentication on its legacy systems, which might have prevented the breach. Despite the security lapses, Microsoft continues to dominate in enterprise and government contracts, with cybersecurity revenue exceeding $20 billion. Industry experts criticize Microsoft for potential security weaknesses arising from the widespread reliance on its products across IT infrastructure and services. |
| 2024-01-24 09:01:47 | thehackernews | CYBERCRIME | Navigating the Hidden Dangers of Software Supply Chain | The reliance on open-source software components in application infrastructures is increasing, expanding the attack surface to include supply chain vulnerabilities. Incorporating one open-source library often means adding multiple dependent libraries, exposing applications to any vulnerabilities within those libraries. Software Composition Analysis (SCA) platforms help detect and fix known vulnerabilities but are not fully equipped to handle unknown risks, such as supply chain attacks. Gartner predicts that by 2025, up to 45% of organizations will experience supply chain attacks, stressing the urgency to prepare and defend against them. Traditional SCA tools are insufficient for supply chain attack prevention, necessitating a new approach to tackle both known and unknown supply chain risks. A comprehensive cheat sheet is available for download, offering insights into five types of critical supply chain attacks and 14 best practices for defense. The article also highlights the importance of differentiating between vulnerabilities and attacks, suggesting a more robust protection strategy is needed. Executives are encouraged to consider a masterclass on SaaS security, based on insights from a study of 493 companies, for practical dos and don'ts in the field. |
| 2024-01-24 09:01:47 | thehackernews | CYBERCRIME | Trilateral Sanctions Target Russian Hacker for Medibank Ransomware Attack | The U.S., U.K., and Australia have sanctioned a Russian national believed to be involved in the Medibank ransomware attack. Identified as Alexander Ermakov, he is associated with the now-defunct REvil cybercrime group. The Medibank breach in October 2022 affected around 9.7 million individuals, exposing sensitive personal and medical data. Financial sanctions criminalize any transactions with Ermakov's assets, imposing penalties of up to 10 years in prison. Australia has additionally enforced a travel ban on Ermakov to hinder his movements. The U.K.'s actions align with efforts to deter cybercrime undermining national prosperity and security. The U.S. Treasury has criticized Russia for cultivating cybercriminals and called for stronger action against cybercrime operating within its borders. Underlining the resolve to protect critical infrastructure, the sanctions aim to disrupt ransomware actors threatening the economies of allied nations. |
| 2024-01-24 07:33:28 | theregister | DATA BREACH | Dutch COVID-19 Test Lab Exposes Over 1 Million Patient Records | A database without password protection, estimated to hold 1.3 million Dutch COVID-19 test records, was found unsecured on the internet. Personal information exposed included names, birth dates, passport numbers, email addresses, test certificates, appointment records, and testing samples. The database is believed to be associated with CoronaLab, which is recommended by the US Embassy in the Netherlands for COVID-19 testing. Security researcher Jeremiah Fowler discovered the exposure but received no response from CoronaLab or parent company Microbe & Lab after multiple contact attempts. The database remained open for nearly three weeks before the cloud hosting provider was contacted and the database was finally secured. The CoronaLab website is currently down, and there is no indication of whether European data protection authorities have been informed, as required by the GDPR. Patients and customers affected by the breach appear to be unaware of their data exposure. |
| 2024-01-24 06:32:07 | theregister | NATION STATE ACTIVITY | Warning of AI-Enhanced State-Sponsored Cyber Threats by 2025 | The UK National Cyber Security Centre (NCSC) warns that by 2025, AI could significantly improve state-backed cyber attackers' capabilities, including evasion of current detection systems. Highly capable states could have the data necessary to train AI models for malware development, increasing the potential for new, sophisticated cyber threats. The NCSC forecasts that AI will enhance attackers' abilities to discover vulnerabilities, analyze data in real time, and identify valuable files for effective data theft or extortion. Predictions suggest that both highly skilled actors and lower-skilled cybercriminals will benefit from AI advancements, with the latter improving their social engineering and ransomware tactics. The report emphasizes the need for continued investment and expertise in AI to keep up with the evolving threat landscape and advises organizations to follow recommended cyber security practices. The upcoming CYBERUK conference will focus on the challenges of emerging technologies like AI and their national security implications, with a call to manage AI's cyber threat risks responsibly. The NCSC's report follows initiatives such as The Bletchley Declaration from the AI Safety Summit, aimed at managing AI risks, although such agreements lack enforcement mechanisms. |
| 2024-01-24 05:41:05 | thehackernews | CYBERCRIME | High-Risk Admin Creation Flaw in GoAnywhere MFT Software | A critical security flaw (CVE-2024-0204) with a 9.8 CVSS score was found in Fortra's GoAnywhere MFT software, allowing unauthorized creation of admin users. Fortra issued an advisory on January 22, 2024, providing guidance for users who cannot immediately upgrade to the patched version 7.4.1. Workarounds involve deleting or replacing the InitialAccountSetup.xhtml file in the software's install directory, depending on the type of deployment. The vulnerability was identified by researchers Mohammed Eldeeb and Islam Elrfai and was caused by a path traversal weakness. Cybersecurity firm Horizon3.ai released a proof-of-concept (PoC) exploit and explained how to detect compromises by checking for new admin users in the GoAnywhere administrator portal. So far, there is no evidence of active exploitation of this particular vulnerability; however, another flaw (CVE-2023-0669) in GoAnywhere MFT was previously leveraged by the Cl0p ransomware group. |
| 2024-01-23 23:19:58 | bleepingcomputer | CYBERCRIME | Fortra GoAnywhere MFT Exploit Revealed: Critical Auth Bypass Vulnerability | Fortra's GoAnywhere Managed File Transfer (MFT) software faced a critical authentication bypass vulnerability allowing creation of new admin users on unpatched systems. Exploit code for the vulnerability (CVE-2024-0204) is now public, enabling attackers to manipulate unpatched instances through the admin portal. While the bug was silently fixed by Fortra on December 7 with the release of GoAnywhere MFT 7.4.1, public disclosure was delayed, with more details provided in a private customer advisory. Security researchers from Horizon3's Attack Team published technical details and a proof-of-concept (PoC) exploit nearly seven weeks after the patch. The Clop ransomware gang exploited a different vulnerability in GoAnywhere MFT to breach over 100 organizations, with high-profile victims including Community Health Systems and Procter & Gamble. The current recommendation for admins unable to immediately update is to remove the attack vector as specified by Fortra, while monitoring for any unexpected additions to admin user groups. This incident is part of a broader pattern of cybercriminals targeting MFT platforms over the years. |
| 2024-01-23 22:18:36 | bleepingcomputer | CYBERCRIME | Coordinated International Sanctions Target REvil Hacker Over Medibank Breach | Australia, the US, and the UK have sanctioned Aleksandr Gennadievich Ermakov for the Medibank ransomware attack. The Medibank breach in October 2022 led to the leak of data for about 10 million individuals, including sensitive health information. Ermakov, associated with multiple online aliases, was identified as a key member of the REvil ransomware group. This trilateral sanction represents the first coordinated action against cybercriminals by the partnering countries. The sanctions aim to disrupt Ermakov's operations by stripping away his financial resources and anonymity, key elements for cybercriminals. Although Ermakov may attempt to evade these sanctions, international authorities hope to deter others from facilitating his illegal activities, including providing ransom payments. Naming and sanctioning Ermakov marks a significant step in the global fight against ransomware and cybercrime, emphasizing the commitment to accountability. |
| 2024-01-23 22:13:18 | bleepingcomputer | CYBERCRIME | International Sanctions Target REvil Hacker for Medibank Breach | Sanctions have been announced by Australia, the US, and the UK against Russian national Aleksandr Gennadievich Ermakov for his involvement in the Medibank ransomware attack. Ermakov, a member of the notorious REvil ransomware group, is believed to be responsible for the 2022 cyberattack on Medibank, a major Australian health insurer. The Medibank breach resulted in the theft and subsequent leakage of sensitive data pertaining to approximately 10 million individuals, including personal and health information. Investigations led to the identification of Ermakov and his online aliases, presenting evidence of his role in the cyber crime. The coordinated sanctions signify a joint effort by the involved nations to deter cybercriminal activities and hold perpetrators accountable. The public exposure of Ermakov's identity aims to disrupt his operations by removing the protective veil of anonymity critical to cybercriminals. Financial sanctions could impede further illicit transactions, including ransomware payments, by criminalizing any transfer of assets to Ermakov. The collaborative international response reflects growing global intolerance toward cybercriminals targeting critical infrastructure and personal data. |
| 2024-01-23 21:57:40 | bleepingcomputer | CYBERCRIME | Veolia North America's Water Services Disrupted by Ransomware Attack | Veolia North America, part of the global conglomerate Veolia, has experienced a ransomware attack affecting its Municipal Water division's systems and online bill payment services. The company took immediate defensive actions, temporarily disabling certain systems to prevent further impact, and has since restored affected systems and servers. Customers' payments were not affected, and no penalties or interest will apply for late payments during the service disruption; water treatment and wastewater services continued without interruption. A limited number of individuals potentially had their personal information compromised; Veolia is collaborating with law enforcement and cybersecurity experts to evaluate the incident's ramifications. Veolia provides essential services across the U.S. and Canada, treating billions of gallons of water daily; the broader Veolia group serves millions worldwide with water and waste treatment. Similar ransomware attacks have targeted other water service providers, including Southern Water in the UK, prompting cybersecurity agencies to push for enhanced security measures in the water sector. Increasing cyber threats to water infrastructure have led to advisories by CISA and partner agencies, emphasizing the need for robust incident response plans to protect critical utilities. |
| 2024-01-23 21:36:54 | bleepingcomputer | DATA BREACH | Trello API Exploit Links Millions of Email Addresses to User Accounts | An exposed API on the project management tool Trello allowed a threat actor to link private email addresses to public Trello profiles. Approximately 15 million Trello users' data has been compromised, with the actor attempting to sell the information online. Trello, owned by Atlassian, states the data was scraped rather than stolen through unauthorized access to its systems. The threat actor reportedly used a list of 500 million email addresses to query the API, which did not initially require authentication. Proxy servers were used to circumvent Trello's API rate limits, enabling the actor to perform constant queries. Trello has updated the API to reject unauthenticated requests while maintaining functionality for authenticated users. The incident highlights the risk of targeted phishing attacks, and the data has been added to the Have I Been Pwned breach notification service. It mirrors a similar leak involving a Twitter API bug that linked private contact details to public Twitter profiles. |
| 2024-01-23 20:20:25 | bleepingcomputer | MISCELLANEOUS | Major Platform Introduces Passkeys for Enhanced iOS User Security | X, formerly known as Twitter, has rolled out the use of passkeys for iOS user logins in the United States. Passkeys are designed to provide a more secure authentication method, protecting against phishing and unauthorized access by leveraging public key cryptography. The new system does away with the need for passwords, reducing user burden and increasing security. Passkeys will synchronize across iOS devices via iCloud Keychain, ensuring backup in case of device loss and enabling recovery through iCloud Keychain escrow if all devices are lost. Users can set up a passkey by accessing the security settings on their X account and following a guided process. The move to implement passkeys comes in the wake of several high-profile account hijacks on X and aims to prevent similar incidents. Although highly recommended, the use of passkeys by iOS users in the U.S. is optional and not mandatory at present. |
| 2024-01-23 19:59:32 | bleepingcomputer | MALWARE | Kasseika Ransomware Disables Antivirus Software Before Encrypting Files | Kasseika ransomware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software before file encryption. The ransomware leverages an antivirus driver from TG Soft's VirIT Agent System to shut down protective measures. Trend Micro analysts noted similarities between Kasseika and the defunct BlackMatter ransomware, suggesting a connection. The attack starts with a phishing email and progresses through credential theft, PsExec tool abuse, and lateral movement within the targeted network. Kasseika terminates crucial processes, including those related to security tools, before executing its encryption routine using the ChaCha20 and RSA algorithms. Once files are encrypted, Kasseika drops a ransom note, changes the desktop wallpaper, and demands payment within 72 hours to prevent an increase in the ransom amount. After the encryption process, Kasseika attempts to erase its tracks by clearing system event logs. Trend Micro has released indicators of compromise for organizations to detect Kasseika-related activity. |
| 2024-01-23 18:33:01 | theregister | MISCELLANEOUS | CISA Director Jen Easterly Targeted in Swatting Incident | CISA Director Jen Easterly was the victim of a swatting attempt at her home on December 30, following a fake report of a shooting. The dangerous trend of swatting has been targeting politicians, election officials, judges, and even gamers, posing severe risks to the individuals and to responding law enforcement officers. In her statement, Easterly emphasized the harassment threat to public officials and pledged CISA's support to safeguard election officials and the democratic process. Swatting incidents have escalated and been leveraged in extortion attempts, with criminals targeting hospitals and medical clinics and demanding ransoms. The incident was initially reported by local news, with the Arlington County police investigating the hoax 911 call; the identity of the perpetrator and the motives behind the targeting remain undisclosed. Recent swatting incidents in the US have affected various public figures, including Maine's Secretary of State and individuals related to cases against Donald Trump, highlighting the practice's increase as the 2024 presidential election approaches. |