Daily Brief
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-03 19:44:41 | bleepingcomputer | CYBERCRIME | Hacker Disrupts Orange Spain Internet Service via BGP Intrusion | Orange Spain's RIPE account was compromised, resulting in misconfigured BGP routing and RPKI. The breach allowed the attacker to reroute internet traffic and caused an outage in Orange Spain's services. Cloudflare explains BGP relies on trust, but RPKI standards help prevent hijacking by verifying correct AS number origins. The hacker used a false AS number to create invalid RPKI records for Orange Spain's IP addresses, disrupting service. The outage, lasting roughly one and a half hours, was confirmed by Orange Spain, stating no customer data was compromised. The company's lack of two-factor authentication on its RIPE account may have facilitated the breach. Orange Spain is working on restoring its services, though it's unclear how exactly the hacker gained access to the account. |
| 2024-01-03 19:39:08 | bleepingcomputer | CYBERCRIME | Nigerian Hacker Charged for $7.5M Charity BEC Scheme | A Nigerian hacker, Olusegun Samson Adejorin, was arrested in Ghana for defrauding U.S.-based charitable organizations of over $7.5 million through business email compromise (BEC) attacks. The fraud took place between June and August 2020, with Adejorin unlawfully accessing email accounts and impersonating charity organization employees to request fund transfers. Adejorin misled one charity into transferring millions to bank accounts under his control by posing as another charity that received investment services from them, using stolen credentials. He faces up to 20 years in prison for wire fraud, in addition to five years for unauthorized computer access and a mandatory two-year sentence for aggravated identity theft, potentially extended by seven years for domain name abuse. The U.S. Department of Justice highlighted the extent of damage BEC attacks can cause, citing an FBI report detailing billions in losses. Defense strategies against BEC attacks include multi-factor authentication, email filtering, and establishing verification procedures for wire transfers, such as confirming changes in banking details through a secondary communication channel. |
| 2024-01-03 17:57:11 | bleepingcomputer | MISCELLANEOUS | PornHub and Other Sites Block NC and Montana Access Over Laws | Adult media conglomerate Aylo has restricted access to its websites, including PornHub, in Montana and North Carolina due to new age verification laws effective January 1st. The laws stipulate that adult content providers use "reasonable age verification methods," with non-compliance opening them to lawsuits from individuals. Besides PornHub, Aylo's blockade affects its other properties such as RedTube and Brazzers, which now show a video statement explaining the decision upon access attempts from the restricted states. Aylo argues that the legislation, while well-meaning, could lead to fewer safeguards and compromises user privacy by requiring frequent ID checks. The measures have reportedly led to a surge in VPN usage, although providers may need to block VPNs or assume all VPN traffic originates from the regulated states to comply fully. Concerns have been raised over the potential switch to less secure VPNs in response to the crackdown, which may expose users to malware and security risks. |
| 2024-01-03 17:15:48 | bleepingcomputer | DATA BREACH | LastPass Enforces Stronger Master Passwords Post-Breaches | LastPass mandates a 12-character minimum for master passwords to enhance security for all users, replacing the previously allowed shorter passwords. This enforcement builds on default settings dating from 2018 and coincides with measures to counter compromised credentials. New or reset passwords are compared against a database of credentials known to be exposed on the dark web, and users are alerted if matches are found. Users experienced significant disruptions due to a forced multi-factor authentication (MFA) re-enrollment process initiated in May 2023. The security enhancements stem from breaches in August and November 2022, where attackers accessed LastPass' development environment and customer vault data. As a consequence of the breaches, hackers exploited stolen data to steal $4.4 million in cryptocurrency by cracking LastPass master passwords. LastPass will start informing B2C customers about these changes immediately and B2B customers starting January 10th, ensuring all accounts employ the updated security protocols. |
| 2024-01-03 16:24:14 | bleepingcomputer | DATA BREACH | Data Breach at HealthEC Affects 4.5 Million Patients Nationwide | HealthEC LLC experienced a data breach impacting an estimated 4.5 million individuals who received care from the company's clients. Unauthorized access to HealthEC's systems occurred between July 14 and July 23, 2023, resulting in theft of files containing sensitive patient data. The breach was reported on December 22, 2023, following an investigation that concluded on October 24. Patient data types compromised include personal and health information, necessitating vigilance against identity theft and fraud. Patients are advised to monitor account statements, benefit explanations, and credit reports for unusual activities. A recent report to Maine's Attorney General disclosed that 112,005 individuals were affected from just one client, MD Valuecare, highlighting a fraction of the total breach. The U.S. Department of Health and Human Services' breach portal was updated to reflect the larger scale of the breach, with 4,452,782 total affected individuals across 17 healthcare providers and systems, including notable entities such as Corewell Health and the State of Tennessee – Division of TennCare. |
| 2024-01-03 15:47:58 | theregister | MISCELLANEOUS | Atos Negotiates Sale of Cybersecurity Division to Airbus | French IT firm Atos is in talks with Airbus to sell its Big Data & Security division, seeking to alleviate its financial strain. The potential deal, valued at €1.5-1.8 billion, fits Airbus's aim to expand its cybersecurity capabilities as a European aerospace and defense leader. Atos is considering a "major asset disposal program" to address its maturing debts totaling €4.8 billion between 2024 and 2029. Atos' financial strategies include new bank financing, accessing capital markets, and improving working capital to manage its substantial debt. Previous attempts to sell parts of Atos, including a joint bid of €4.2 billion for BDS rejected by the board, reflect the ongoing restructuring challenges. The company's leadership has seen significant turnover, with three CEOs in the past three years and a shuffle in the board of directors to strengthen finance and transformation expertise. The sales effort comes amidst political concerns in France over national security, with calls for possible nationalization to protect sensitive projects managed by Atos' cybersecurity wing. |
| 2024-01-03 15:11:58 | bleepingcomputer | CYBERCRIME | New Terrapin Attack Threatens Integrity of 11M SSH Servers | Nearly 11 million SSH servers are vulnerable to the recently discovered "Terrapin" attack. Researchers from Ruhr University Bochum in Germany developed the attack, which compromises SSH integrity. The attack specifically manipulates handshake process sequence numbers and can downgrade public key algorithms. An adversary-in-the-middle position is required for attackers to intercept and modify SSH handshakes. The Shadowserver report indicates that approximately 52% of all scanned SSH servers could be affected. The United States has the highest number of vulnerable SSH servers, followed by China and Germany. A vulnerability scanner is available from the research team to check SSH clients and servers for Terrapin susceptibility. |
| 2024-01-03 13:19:01 | theregister | CYBERCRIME | Xerox Subsidiary Targeted in Cybersecurity Breach; Ransom Negotiations Possible | Xerox Corporation confirmed a cybersecurity incident involving unauthorized access to its US subsidiary Xerox Business Solutions (XBS). The attack was made public by INC Ransom, which claimed to have exfiltrated confidential files and posted them on its leak blog. The precise nature of the cyberattack remains uncertain, with no clear indication if ransomware was deployed or if attackers sought extortion by threatening to release sensitive data. Xerox stated the incident was contained to XBS and did not impact Xerox's main corporate systems, operations, or data, nor did it affect XBS operations. Xerox acknowledges that "limited personal information" may have been compromised and is working with cybersecurity experts to investigate and secure the XBS IT environment. INC Ransom has since removed the leaked information from its blog, hinting at possible negotiations between Xerox and the hacker group. INC Ransom, which surfaced in July 2023, employs various tactics to compromise networks, including spear-phishing and exploiting critical vulnerabilities. |
| 2024-01-03 13:19:01 | thehackernews | MALWARE | Malware Exploits Google Feature to Bypass Password Resets | Information-stealing malware is exploiting an undocumented Google OAuth endpoint called MultiLogin to maintain unauthorized access to user sessions. This exploit allows attackers to persist in Google services despite users' passwords being reset, posing a significant threat to account security. The exploit was disclosed by a hacker on Telegram and has been adopted by various malware-as-a-service (MaaS) families, including Lumma, Rhadamanthys, and others. By leveraging the MultiLogin feature designed for synchronizing Google accounts, these malware families regenerate authentication cookies using stolen tokens. Google has acknowledged the attack vector and countered claims that users cannot revoke stolen sessions; signing out or remote revocation is possible. To enhance security, Google has recommended users enable 'Enhanced Safe Browsing' in Chrome, and the company continues to improve defenses against such malware attacks. |
| 2024-01-03 12:58:17 | bleepingcomputer | CYBERCRIME | CISA Alerts on Chrome and Excel Library Exploits | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported two actively exploited vulnerabilities in Chrome and an Excel parsing library. Federal agencies have been directed to address or mitigate these vulnerabilities by January 23 as outlined by CISA. CVE-2023-7101, a remote code execution (RCE) flaw in Spreadsheet::ParseExcel, allows attackers to execute malicious code via specially crafted Excel files. Chinese hackers have exploited this RCE vulnerability in Spreadsheet::ParseExcel to compromise Barracuda Email Security Gateway appliances. Barracuda has released security updates and mitigations after the exploit was used to deploy 'SeaSpy' and 'Saltwater' malware by threat actor UNC4841. CVE-2023-7024 is a heap buffer overflow vulnerability in Google Chrome's WebRTC component that could lead to crashes or code execution. Google has already issued fixes for this vulnerability, which also affects other browsers using the WebRTC component. CISA's Known Exploited Vulnerabilities catalog aids organizations globally in prioritizing and managing known vulnerabilities. |
| 2024-01-03 10:50:57 | thehackernews | CYBERCRIME | Strategic Approaches to Bolster SaaS Security Postures | Nudge Security emphasizes the critical nature of maintaining comprehensive visibility into an organization's SaaS landscape to effectively manage cyber risks. The adoption of SaaS applications significantly expands the attack surface, leading to heightened risks of identity-based breaches involving compromised credentials. Real-time discovery tools provided by Nudge Security enable automatic inventorying of all SaaS accounts and deliver security alerts for new applications, streamlining governance. Managing OAuth risks is essential, requiring regular reviews to ensure that integrations between SaaS applications do not contravene data privacy or compliance standards. Continuous monitoring of the SaaS attack surface is crucial to identify and protect externally visible corporate assets from supply chain breaches. Expanded use of Single Sign-On (SSO) is recommended to centralize access management for SaaS applications, with tools to facilitate easier SSO onboarding of new apps. Extending Multi-Factor Authentication (MFA) to all user accounts forms another layer of defense, reducing the susceptibility to unauthorized access. Nudge Security's tools not only improve visibility but also help eliminate shadow IT, secure unauthorized accounts, and automate security processes without hindering productivity. |
| 2024-01-03 10:45:35 | thehackernews | CYBERCRIME | SMTP Smuggling Technique Enables Email Spoofing and Security Evasion | A newly identified exploitation method, SMTP smuggling, allows attackers to send spoofed emails that bypass typical security checks. Threat actors can exploit vulnerable SMTP servers to send emails from seemingly legitimate sender addresses, facilitating targeted phishing campaigns. SMTP smuggling works by exploiting inconsistencies in handling end-of-data sequences between outbound and inbound SMTP servers, enabling command injection. The technique is similar to HTTP request smuggling and affects servers from Microsoft, GMX, Cisco, Postfix, and Sendmail, allowing attackers to bypass DKIM, DMARC, and SPF email authentication systems. Microsoft and GMX have addressed the vulnerabilities; however, Cisco treats the issue as a feature and has not altered default configurations, leaving systems potentially exposed. SEC Consult advises Cisco users to adjust settings from "Clean" to "Allow" to mitigate the risk of receiving spoofed emails that pass DMARC validation. |
| 2024-01-03 08:32:29 | theregister | RANSOMWARE | Emsisoft Advocates for Global Ban on Ransomware Payments | Emsisoft has suggested a complete ban on ransom payments following a significant rise in ransomware attacks. At least 2,207 US hospitals, schools, government organizations, and private-sector businesses were affected by ransomware in 2023. Ransomware incidents typically cost around $1.5 million per attack for recovery, with the average ransom demand hitting this amount. High-profile victims in 2023 included Boeing and MGM Resorts, with disclosures of such attacks expected to rise due to SEC rules. MOVEit attacks by the Clop ransomware gang, which caused over $15 billion in damages, were not included in Emsisoft's 2023 statistics. The International Counter Ransomware Initiative's member countries agreed not to pay ransom, but this does not apply to private-sector companies. Experts are divided on an outright ban due to potential implications and the current cyber resilience maturity across the economy. The US government advises against paying ransoms and emphasizes the need for resilience and the implementation of preventive measures. |
| 2024-01-03 07:30:58 | thehackernews | MISCELLANEOUS | XCast Fined $10 Million for Enabling Illegal Robocall Campaigns | The U.S. Department of Justice (DoJ) has fined XCast Labs $10 million for operating an extensive illegal robocall service. XCast violated the Telemarketing Sales Rule (TSR) since at least January 2018 by transmitting billions of robocalls, including ones falsely claiming to be from government agencies. The robocalls included pre-recorded messages sent to numbers on the National Do Not Call Registry, contained deceptive or false information, and sometimes mimicked official agencies to solicit payments from victims. The financial penalty is suspended due to XCast's inability to pay, but the company must comply with stringent future regulations, including the establishment of a customer screening process. The order requires XCast to terminate relationships with any company that does not comply with U.S. telemarketing laws and implement technologies to prevent calls with invalid caller ID numbers. The FTC has separately banned Response Tree from conducting or aiding in robocall operations and has accused them of using misleading tactics to collect personal information, which was sold to telemarketers for making illegal calls. |
| 2024-01-02 20:44:40 | bleepingcomputer | MISCELLANEOUS | Steam Ends Support for Older Windows OS to Enhance Security | Steam has officially ended support for Windows 7, 8, and 8.1 as of January 1, urging users to upgrade to more recent versions of Windows for enhanced security. The gaming platform will no longer provide software or security updates for installations on these older operating systems, and technical support will be unavailable for related issues. Microsoft ceased support for Windows 7 in January 2020, and its extended security updates for Windows 8.1 expired in January 2023. This shift may not significantly affect the user base since only 0.89% of Steam users were on these versions as per the latest hardware survey. Steam's dependency on an embedded version of Google Chrome, which is incompatible with older Windows versions, necessitates this move to ensure access to Windows feature and security updates. There is a risk associated with using outdated Steam versions on unsupported operating systems, including vulnerability to malware designed to steal credentials, heightening the importance of the transition for security reasons. Valve has introduced SMS-based security checks for developers releasing game updates, but stronger multi-factor authentication methods are suggested to protect against more sophisticated threats like SIM swapping attacks. |