Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11713

Checks for new stories every ~15 minutes

2023-12-11 15:34:10 bleepingcomputer DATA BREACH Toyota Financial Services Hit by Data Breach, Customer Info Leaked
Toyota Financial Services confirmed a data breach exposing customers' personal and financial data after the Medusa ransomware group claimed to have compromised Toyota systems in Europe and Africa and demanded an $8 million ransom, threatening to leak the data within ten days. Toyota Kreditbank GmbH in Germany acknowledged unauthorized access to customer data and warned of the resulting phishing and identity-theft risk. Toyota took affected systems offline, which disrupted customer-facing services. The full extent of the breach is not yet known; exposed data includes names, birth dates, and payment information. Toyota has committed to updating customers as its internal investigation progresses. It has not said how many customers are affected or whether it intends to pay the ransom.
2023-12-11 15:03:09 theregister CYBERCRIME Widespread Inertia Leaves One in Four Apps Exposed to Log4Shell
Two years after Log4Shell was disclosed, about 25% of applications remain exposed because they still ship outdated Log4j libraries. Veracode's research found that many apps have never updated Log4j at all: 32% still use the Log4j 1.x line, which reached end-of-life in 2015. The underlying habit is the problem: 79% of developers never update a third-party library after first integrating it. Log4Shell remains a live threat, with nearly 35% of apps on a vulnerable Log4j version and 40% of apps carrying at least one high- or critical-rated remote code execution flaw. Even after the post-Log4Shell patching push, only a minority of developers keep their dependencies current. About 26% of Log4j downloads are still of vulnerable versions, so the risk keeps being reintroduced. The initial response to Log4Shell was swift and blunted much of the damage, but long-term maintenance and patching habits lag behind, leaving applications exposed.
2023-12-11 14:32:21 bleepingcomputer CYBERCRIME Alleged Leader of 'Kelvin Security' Hacking Group Arrested in Spain
Spanish police have arrested a Venezuelan national believed to be a leader of 'Kelvin Security', a hacking collective linked to some 300 cyberattacks worldwide. The arrest follows a lengthy investigation into the group's attacks on critical infrastructure and government institutions in multiple countries. Kelvin Security is known for breaching public-sector systems, stealing confidential data, and selling it on forums such as RaidForums and BreachForums; high-profile victims include Vodafone Italia and the U.S. firm Frost & Sullivan. The group's operations were recently tied to ARES, a cybercrime group that trades databases stolen from state organizations. Investigators are now examining seized electronic devices to identify co-conspirators and data buyers. The Spanish National Police's multi-unit operation underscores how complex tracking and prosecuting international cybercriminals has become.
2023-12-11 14:06:36 thehackernews NATION STATE ACTIVITY Sandman APT and China-Linked KEYPLUG Backdoor Sharing Revealed
Researchers have revealed tactical and targeting overlaps between the Sandman APT and a China-based threat cluster that uses the KEYPLUG backdoor. SentinelOne, PwC, and Microsoft Threat Intelligence observed Sandman's malware and KEYPLUG co-existing in the same victim networks, with overlapping infrastructure control and management practices, which points to coordination between Sandman and the Chinese actors tracked as Storm-0866 and Red Dev 40. KEYPLUG itself has previously been attributed to APT41 and RedGolf, both associated with Chinese state-sponsored activity. Shared traits include a Lua-based development paradigm and the use of the QUIC and WebSocket protocols for command-and-control (C2) traffic. The linkage underlines how tangled the Chinese threat landscape is, with nation-state aligned actors apparently sharing tooling and development resources across groups.
2023-12-11 13:56:05 theregister MISCELLANEOUS Cloud Security Complexity and AI-Detection Solutions
Multi-cloud environments present complex security challenges and blind spots because each deployment is unique and continuously changing, so a generic, one-size-fits-all approach to cloud security falls short in diverse hybrid deployments. Because cloud services scale automatically, a minor misconfiguration can escalate into a significant exposure very quickly. The piece proposes AI that learns the specific cloud environment as a way to detect and respond to threats in it. It promotes an upcoming webinar, "Securing Your Cloud Starts by Understanding It," hosted by The Register's Tim Phillips with Nabil Zoldjalali of Darktrace, covering real-time understanding of cloud activity and autonomous threat response; it is scheduled for 18 December.
2023-12-11 13:04:59 thehackernews NATION STATE ACTIVITY Lazarus Group Exploits Log4j to Deploy Advanced RATs Globally
The North Korea-linked Lazarus Group has exploited the Log4Shell vulnerability in Log4j to deploy remote access trojans (RATs) in a campaign Cisco Talos calls Operation Blacksmith. Talos identified three previously unseen malware families, NineRAT, DLRAT, and BottomLoader, used against the manufacturing, agriculture, and physical security sectors. NineRAT uses Telegram for command-and-control and supports actions ranging from data collection to system manipulation, while the multipurpose DLRAT and a custom proxy tool, HazyLoad, establish persistent access in compromised systems. Log4Shell remains exploitable in the wild because so many applications still run vulnerable Log4j versions. Separately, the US sanctioned another North Korean group, Kimsuky, for intelligence-gathering operations, a reminder of the persistent state-sponsored threat.
2023-12-11 11:53:39 thehackernews MISCELLANEOUS Strategic Guide for New vCISOs: Navigating the First 100 Days
A vCISO fills the gap for organizations that cannot afford a full-time in-house CISO, helping to establish and develop the company's security program with both strategic and hands-on services. The first 100 days are critical: that is when a vCISO lays the foundation for long-term success and earns the organization's trust. A new playbook from Cynomi and PowerPSA provides a structured 100-day action plan, distilled from extensive experience working with many vCISOs, for new appointments and for improving service to existing clients. Following its steps is meant to help vCISOs become strategic decision-makers and protect their organizations effectively.
2023-12-11 11:48:11 theregister DATA BREACH 23andMe Data Breach Leads to Updated User Terms
23andMe acknowledged a data breach in which 5.5 million "DNA Relatives" profiles were accessed without authorization, exposing names, ancestry information, birth years, and family-tree data. The attackers used credential stuffing, replaying passwords leaked elsewhere against accounts that reused them and had no multifactor authentication. In response, 23andMe updated its terms of service to limit its legal exposure, adding a mandatory 60-day dispute-resolution period before arbitration or court proceedings; customers who do not opt out by email within 30 days of notification automatically accept the new terms. In other news, a 'well-known Bay Area tech' company had hundreds of laptops stolen, though whether the thieves wanted the data or just the hardware for resale is unclear. Henry Schein, a healthcare products and services firm, was hit by the ALPHV/BlackCat ransomware group, which stole sensitive data on more than 29,000 individuals and caused further system disruption after negotiations failed. The firm's track record adds to the concern: it settled with the FTC in 2016 over misleading encryption claims.
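The credential-stuffing root cause above has a simple detection signal: one source address trying many distinct accounts, each only once or twice, with mostly failures and a few successes. The detector below is an added example written for this brief, not 23andMe's code or anything from the article; the log format, field names, thresholds and sample lines are all constructed for the example. It groups authentication events by source IP, slides a time window over them, and flags a source once it has touched many accounts with a high failure ratio and few tries per account (which separates stuffing from brute force against one account), listing the accounts where an attempt succeeded, since those are the ones to force a password reset and MFA enrolment on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not any real product's format).
LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return {'ts', 'ip', 'user', 'result'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_stuffing(lines, window_s=300, min_users=10, min_fail_ratio=0.8, max_tries_per_user=3.0):
    """Flag source IPs whose attempts inside any window touch many distinct accounts, mostly fail,
    and spread thinly over those accounts (the stuffing signature; brute force hammers one account).
    Every success from a flagged IP is reported as a probable account takeover."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if (len(users) >= min_users and fails / len(win) >= min_fail_ratio
                    and len(win) / len(users) <= max_tries_per_user):
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:  # keep the widest matching window
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(fails / len(win), 2),
                        "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
                    }
    return alerts


def constructed_sample():
    """Constructed auth log (not real data): one stuffing source, one brute-force source, one normal user."""
    base = datetime(2023, 10, 1, 12, 0, tzinfo=timezone.utc)

    def line(offset_s, ip, user, result):
        return f"{base + timedelta(seconds=offset_s):%Y-%m-%dT%H:%M:%SZ} ip={ip} user={user} result={result}"

    lines = [line(5 * i, "198.51.100.23", f"user{i:02}@example.org", "ok" if i in (3, 9) else "fail")
             for i in range(12)]                                     # 12 accounts, one try each, two hits
    lines += [line(7 * i, "192.0.2.9", "bob@example.org", "fail") for i in range(15)]  # one account hammered
    lines += [line(0, "203.0.113.7", "alice@example.org", "fail"),                      # typo, then success
              line(20, "203.0.113.7", "alice@example.org", "ok")]
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(constructed_sample()).items():
        print(ip, info)
```

The thresholds are starting points, not truths: a corporate NAT or a mobile carrier gateway legitimately fronts many users, so in production the per-IP key is usually combined with device or TLS fingerprints, and a stuffing alert should trigger rate limiting and step-up authentication for the touched accounts rather than an outright block of the address.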
2023-12-11 10:55:10 thehackernews CYBERCRIME Unraveling Social Engineering: Insights from Hacker Psychology
The upcoming webinar "Think Like a Hacker, Defend Like a Pro" focuses on social engineering, which remains a key attack tactic because it exploits human psychology rather than software flaws. The session promises a deep dive into the psychological techniques cybercriminals rely on, so that attendees come away understanding how attackers think. It is pitched as a chance to learn from a leading cybersecurity expert, and attendance is free.
2023-12-11 10:19:10 theregister MISCELLANEOUS VictoriaMetrics Advocates Organic Growth Over Venture Capital
VictoriaMetrics, founded in Kyiv, Ukraine, in 2018, has grown organically and taken no outside investment, unlike many startups in its field. It develops an open-source time-series database and monitoring stack that lets customers track system health and spot problems early. The open-source product is Apache 2 licensed; a closed-source enterprise edition adds features such as improved alerting, machine-learning anomaly detection, and Kafka integration. Co-founder Roman Khavronenko stresses the company's commitment to open-source principles and community feedback, while acknowledging that feature requests have to be filtered to keep the product useful to the wider community. The company sees AI and machine learning as necessary for pattern recognition and analysis over volumes of monitoring data no human could review, and it offers a 60-day free trial of the enterprise edition as a sign of confidence in the value it adds over the open-source version.
2023-12-11 07:15:57 thehackernews MALWARE SpyLoan Malware Scandal Targets Millions via Malicious Loan Apps
Cybersecurity researchers have identified 18 Android loan apps, collectively downloaded more than 12 million times, that defrauded their users. The apps, known as SpyLoan, targeted users in Southeast Asia, Africa, and Latin America with deceptive high-interest loans while harvesting personal and financial data to blackmail borrowers, including threats to post their private photos and videos on social media. Beyond the Play Store, the apps were pushed through SMS, social media, scam websites, and third-party app stores. Google has removed 17 of the 18 from the Play Store; the remaining one was changed so that it no longer functions as a loan app. The apps hid behind misleading privacy policies and demanded broad permissions, including access to media files, the camera, contacts, call logs, and SMS messages. Users are advised to install apps only from official stores, verify the publisher, and scrutinize reviews and requested permissions. The finding fits a larger pattern of malicious loan apps uncovered by security firms and is a stark warning about online financial services. Separately, an enhanced version of the Android banking trojan TrickMo, with new theft and obfuscation capabilities, has resurfaced.
2023-12-11 06:04:30 thehackernews MALWARE New "PoolParty" Techniques Circumvent Leading EDRs, Threaten Windows Security
PoolParty is a new family of process-injection techniques that evades many endpoint detection and response (EDR) products, raising concern for Windows environments. Discovered by SafeBreach researcher Alon Leviev and first presented at Black Hat Europe 2023, it comprises eight techniques that abuse the Windows user-mode thread pool to run arbitrary code in any target process, without the restrictions of earlier methods. Specifically, PoolParty manipulates the worker factories that manage thread-pool worker threads so that they execute attacker-supplied shellcode. SafeBreach reports a 100% evasion rate against EDR products from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne. The disclosure follows Mockingjay, another recent process-injection technique, and shows how hard it remains for security tools to detect and prevent such injection. Defenders are urged to stay vigilant and proactive against these evolving techniques.
2023-12-10 15:40:09 bleepingcomputer CYBERCRIME Persistent Use of Vulnerable Log4J Exposes Organizations to Risk
38% of applications that use Apache Log4j run outdated versions with known, significant vulnerabilities. Log4Shell, the critical unauthenticated remote code execution flaw disclosed in December 2021, remains a live threat because vulnerable Log4j versions are still in use despite two years of outreach. Veracode's report finds 2.8% of applications on versions directly vulnerable to Log4Shell, with further apps on other insecure versions. Developers often avoid updating third-party libraries for fear of breaking functionality, even though most open-source library updates are minor and safe. Projects take more than two months on average to fix high-severity flaws, with understaffing and lack of information cited as the main causes. Security experts advocate an urgent, thorough upgrade strategy for open-source library versions.
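The practical follow-up to both Veracode items in this brief (this one and "Widespread Inertia Leaves One in Four Apps Exposed to Log4Shell" above) is checking your own deployments rather than the industry average. The scanner below is an added example written for this brief, not code from Veracode, Apache, or either article. It walks a directory for jar/war/ear files, reads the Log4j version from the Maven pom.properties entry each JAR carries (rather than trusting the file name), recurses into jars nested inside wars and fat jars, and classifies the version against the affected ranges Apache published: the end-of-life 1.x line, 2.0-beta9 through 2.14.1 for CVE-2021-44228, 2.15.0 for CVE-2021-45046, 2.16.0 for CVE-2021-45105, 2.17.0 for CVE-2021-44832, and the separately patched 2.3.x/2.12.x Java 6/7 backport branches. It also reports whether JndiLookup.class was deleted, the stop-gap mitigation some teams applied instead of upgrading, which covers only the JNDI-based CVEs. The deployment in demo_scan is constructed in a temporary directory; the function names and status labels are this example's own.

```python
import io
import os
import re
import tempfile
import zipfile
from collections import namedtuple

# Maven metadata entry each Log4j line ships inside its JAR.
POM_PROPS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j-1.x",
}
# Class implementing the JNDI lookup behind Log4Shell; deleting it was Apache's stop-gap mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_PRE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort before a final release (3)
# Java 6/7 backport branches: (first patch level fixing Log4Shell, first fully patched level)
_BACKPORTS = {(2, 3): (1, 2), (2, 12): (2, 4)}
Finding = namedtuple("Finding", "location artifact version status note jndi_lookup_present")


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.17.1' -> (2, 17, 1, 3, 0); tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version {text!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE[pre] if pre else 3, int(pre_n or 0))


def classify(version):
    """Map a Log4j version to (status, note) using the affected ranges from Apache's security page."""
    v = parse_version(version)
    if v < (2, 0, 0, 1, 9):
        return "eol", "Log4j 1.x (end-of-life 2015, unfixed CVE-2021-4104 etc.) or pre-2.0-beta9 snapshot"
    if v[:2] in _BACKPORTS and v[3] == 3:
        first, full = _BACKPORTS[v[:2]]
        if v[2] >= full:
            return "ok", "Java 6/7 backport branch, fully patched"
        if v[2] >= first:
            return "moderate", "backport branch fixed for Log4Shell but not the later CVEs"
    if v <= (2, 14, 1, 3, 0):
        return "critical", "CVE-2021-44228 (Log4Shell): unauthenticated RCE via JNDI lookup"
    if v[:3] == (2, 15, 0):
        return "critical", "CVE-2021-45046: incomplete Log4Shell fix"
    if v[:3] == (2, 16, 0):
        return "high", "CVE-2021-45105: recursive lookup denial of service"
    if v[:3] == (2, 17, 0):
        return "moderate", "CVE-2021-44832: RCE via attacker-controlled JDBC appender configuration"
    return "ok", "no known issue from the Log4Shell family"


def mitigated(f):
    """Deleting JndiLookup.class neutralises only the JNDI CVEs (the 'critical' statuses above)."""
    return f.artifact == "log4j-core" and f.status == "critical" and not f.jndi_lookup_present


def inspect_archive(zf, location):
    """Collect findings from one zip, recursing into jars nested in wars and fat jars."""
    names = set(zf.namelist())
    findings = []
    for props, artifact in POM_PROPS.items():
        if props in names:
            lines = zf.read(props).decode("utf-8", "replace").splitlines()
            version = next(l.split("=", 1)[1].strip() for l in lines if l.startswith("version="))
            status, note = classify(version)
            findings.append(Finding(location, artifact, version, status, note, JNDI_LOOKUP in names))
    for name in sorted(n for n in names if n.lower().endswith(".jar")):
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                findings.extend(inspect_archive(inner, f"{location}!{name}"))
        except zipfile.BadZipFile:
            pass  # a resource that merely ends in .jar
    return findings


def scan(root):
    """Walk a directory tree and inspect every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    pass
    return findings


def make_fake_jar(target, artifact, version, with_jndi_lookup=True):
    """Constructed fixture: a JAR holding only the metadata entries the scanner reads."""
    props = next(p for p, a in POM_PROPS.items() if a == artifact)
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(props, f"version={version}\n")
        if with_jndi_lookup and artifact == "log4j-core":
            zf.writestr(JNDI_LOOKUP, b"")


def demo_scan():
    """Scan a constructed deployment in a temp dir; returns {path relative to root: (status, mitigated)}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_fake_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "log4j-core", "2.14.1")
    make_fake_jar(os.path.join(root, "log4j-core-2.15.0-stripped.jar"), "log4j-core", "2.15.0", False)
    make_fake_jar(os.path.join(root, "log4j-1.2.17.jar"), "log4j-1.x", "1.2.17")
    make_fake_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "log4j-core", "2.17.1")
    nested = io.BytesIO()  # a war bundling log4j-core under WEB-INF/lib
    make_fake_jar(nested, "log4j-core", "2.0-beta9")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.0-beta9.jar", nested.getvalue())
    return {f.location[len(root) + 1:]: (f.status, mitigated(f)) for f in scan(root)}
```

Run scan() against an application's lib directory or an unpacked container image; anything reported as "critical" without the JndiLookup mitigation, and everything on the 1.x line, is exactly the population Veracode is counting. The version is taken from the JAR's own Maven metadata because renamed or shaded jars defeat filename matching, and the recursion matters because the vulnerable copy is usually buried in a war or fat jar rather than sitting on disk by itself.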
2023-12-09 15:19:04 bleepingcomputer CYBERCRIME New ‘AutoSpill’ Attack Compromises Android Password Managers
Researchers from IIIT Hyderabad have devised AutoSpill, an attack that steals credentials from Android password managers during autofill. It targets apps that load a login page inside an Android WebView: when the password manager autofills that page, the host app can capture the filled credentials, and Android's autofill framework gives no clear guidance on who is responsible for protecting that data. The attack works without JavaScript injection and becomes more powerful when the WebView allows it. Several popular managers, including 1Password and LastPass, were shown to be susceptible; Google Smart Lock and Dashlane take a different technical approach and resist the basic attack, but are still exposed when JavaScript injection is possible. The team reported the issue to the affected vendors and to Android's security team; the reports were acknowledged, but no comprehensive fixes have been publicly detailed. 1Password and LastPass have commented, describing their existing mitigations and planned updates.
2023-12-09 11:55:59 thehackernews CYBERCRIME Security Researchers Unveil New SLAM Spectre Attack Variant
Researchers have disclosed SLAM, a new transient-execution side channel affecting Intel, AMD, and Arm CPUs. It abuses a class of features that let software store metadata in the unused upper bits of a pointer (Intel's Linear Address Masking and the analogous AMD and Arm features): by relaxing canonical-address checks, these features enlarge the Spectre attack surface, and SLAM turns the translation of non-canonical addresses into a covert channel for leaking kernel memory, including root password hashes. Because the features are only now arriving in silicon, the attack concerns upcoming rather than current CPU models. Arm and AMD point to existing Spectre mitigations as sufficient, while Intel is preparing software guidance for future processors; Linux maintainers have meanwhile disabled the implicated feature by default. The disclosure follows Quarantine, a separate mitigation approach that isolates security domains to prevent covert channels through the CPU cache.