Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11710

Checks for new stories every ~15 minutes

2023-12-07 22:17:02 theregister CYBERCRIME Microsoft DHCP Flaws Risk AD Domain Compromise and Data Theft
Researchers from Akamai have identified security flaws in Microsoft's DHCP server that allow DNS spoofing attacks without any credentials. The vulnerabilities could lead to compromise of Active Directory domains and unauthorized access to stored secrets. Akamai reported the issues to Microsoft, which has no current plans to address them. Akamai's monitoring suggests that 40% of the networks it examined are likely vulnerable because they run Microsoft DHCP in its default configuration. Akamai has released a detection tool for sysadmins to identify at-risk configurations and plans to publish code demonstrating the attacks. The root issue is the DHCP DNS Dynamic Updates feature, which is enabled by default on Microsoft DHCP servers and writes DNS records on behalf of clients without authenticating the client whose name is being registered. Additional risk comes from the DNSUpdateProxy group feature, which attackers could abuse and which may contain a bug that further weakens the security of the records it creates. Advised mitigations include disabling DHCP DNS Dynamic Updates where it is not needed, avoiding DNSUpdateProxy, and using the same dedicated DNS update credential across all DHCP servers.
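The following PowerShell script is an added example for checking the settings the Akamai mitigations above refer to; it is not Akamai's detection tool or code from the article. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed, that $DhcpServer names a reachable Microsoft DHCP server, and that the account running it can read DHCP and AD configuration.

```powershell
# Added example: audit a Microsoft DHCP server for the DNS Dynamic Updates and
# DNSUpdateProxy settings discussed above. Run from an elevated PowerShell session
# on a host with the DhcpServer and ActiveDirectory RSAT modules (assumption).
param(
    [string]$DhcpServer = $env:COMPUTERNAME   # assumption: audit one server at a time
)

Import-Module DhcpServer
Import-Module ActiveDirectory

$findings = @()

# 1. Server-wide DNS dynamic update policy. Only 'Never' stops the DHCP server
#    from registering A/PTR records on behalf of clients.
$serverDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
if ($serverDns.DynamicUpdates -ne 'Never') {
    $findings += "Server-level DynamicUpdates = $($serverDns.DynamicUpdates) (DHCP writes DNS records for clients)"
}

# 2. Per-scope settings override the server level, so a scope can re-enable
#    updates even when the server default is 'Never'.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $scopeDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    if ($scopeDns.DynamicUpdates -ne 'Never') {
        $findings += "Scope $($scope.ScopeId): DynamicUpdates = $($scopeDns.DynamicUpdates)"
    }
}

# 3. Credential used for dynamic updates. If none is set, records are owned by
#    the DHCP server's machine account, and a second DHCP server using its own
#    account cannot update them. Akamai's advice is one dedicated credential
#    shared by every DHCP server.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if (-not $cred.UserName) {
    $findings += "No dedicated DNS update credential configured (machine account owns the records)"
}

# 4. DNSUpdateProxy membership. Records created by members of this group are
#    not secured, so any authenticated principal can overwrite them.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($proxyMembers) {
    $names = ($proxyMembers | Select-Object -ExpandProperty SamAccountName) -join ', '
    $findings += "DnsUpdateProxy has members: $names"
}

if ($findings.Count -eq 0) {
    Write-Output "No at-risk DHCP DNS settings found on $DhcpServer"
} else {
    $findings | ForEach-Object { Write-Output "AT-RISK: $_" }
}

# Remediation, applied only after confirming nothing depends on DHCP-driven DNS
# registration (commented out so the audit stays read-only):
#   Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Never
#   Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential)
#   Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members <server$> -Confirm:$false
```

Run it against each DHCP server in the domain; a scope-level finding matters as much as a server-level one, because the Akamai attack only needs one scope that still registers names on behalf of clients.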
2023-12-07 21:46:18 bleepingcomputer DATA BREACH 23andMe Modifies Terms to Limit Legal Action After Data Breach
Genetic testing provider 23andMe revised its Terms of Use following a significant data breach in October. The breach involved a credential stuffing attack that compromised customer data; in total 6.9 million people were affected. The leaked data included customer details scraped via the 'DNA Relatives' and 'Family Tree' features, mainly of users of Ashkenazi Jewish descent and users in the UK. To limit future legal exposure, the company introduced a mandatory arbitration clause for disputes, barring jury trials and class action suits. Customers were notified of the changes and given a 30-day window to object and keep the original terms. Legal experts suggest the enforceability of the new terms is questionable because customers may not have received reasonable notice.
2023-12-07 20:45:09 bleepingcomputer DATA BREACH 23andMe Revises Terms to Deter Data Breach Litigation
Genetic testing company 23andMe updated its Terms of Use after multiple lawsuits over a data breach. The October breach involved a credential stuffing attack that compromised customer data. The attacker first tried to sell, then leaked, data on 1 million Ashkenazi Jews and 4.1 million UK residents. In total, 6.9 million individuals were affected, with data scraped via the "DNA Relatives" and "Family Tree" features. The new Terms include a mandatory arbitration clause to prevent jury trials and class action lawsuits. Customers were notified by email and given 30 days to opt out. Legal experts suggest the updated Terms may not shield the company from lawsuits, since the notice required to make an opt-out change binding is difficult to meet.
2023-12-07 20:14:30 bleepingcomputer MALWARE WordPress Update Patches Critical RCE Vulnerability
WordPress has released version 6.4.2 to address a remote code execution (RCE) vulnerability in the CMS. The issue is a Property Oriented Programming (POP) chain that could allow attackers to run arbitrary PHP code. It was introduced in WordPress core 6.4 and only reaches critical severity when combined with an existing PHP object injection flaw, typically in a plugin or theme. The 'WP_HTML_Token' class, added for HTML parsing in the block editor, contained an exploitable '__destruct' magic method. On its own the chain is not critical, but paired with an object injection flaw it raises the risk considerably. Patchstack reported that an exploit for the chain had already been uploaded to GitHub and integrated into the PHPGGC gadget-chain library. WordPress administrators are advised to update immediately and to verify that the update succeeded, even though core updates are normally applied automatically.
2023-12-07 18:32:35 theregister NATION STATE ACTIVITY US-EU Cybersecurity Pact Enhances International Collaboration
US CISA and EU ENISA have formalized an arrangement for boosting cybersecurity information sharing and collaboration, aiming to fight cybercrime more effectively on an international level. The agreement includes sharing best practices for incident reporting, threat intelligence, and aligning cybersecurity legislation, in anticipation of the EU's NIS2 Directive and Cyber Resilience Act. A unified approach to cybersecurity has been embraced by both the US and the EU despite differing regulatory stances in other tech sectors, emphasizing the importance of cooperation against common cyber threats. The partnership seeks to expedite the detection and mitigation of cyber threats by pooling threat intelligence and resources from a wide range of reliable national and private sector sources. CISA's Joint Cyber Defense Collaborative (JCDC) and similar alliances aim to increase threat awareness and preparedness, leveraging private sector insights alongside national agencies. The collaboration will allow the US to participate more in EU cybersecurity exercises and awareness programs, bolstering transatlantic security efforts. In parallel, the EU's Cyber Solidarity Act, which includes the creation of a European Cyber Shield linking national SOCs, progresses toward adoption, emphasizing the necessity for collective defense against rising cyberattacks.
2023-12-07 17:10:42 bleepingcomputer CYBERCRIME Russian Crypto-Exchange Founder Admits to Laundering Ransomware Funds
Russian national Anatoly Legkodymov pleaded guilty to operating Bitzlato, a cryptocurrency exchange used by cybercriminals to launder over $700 million. As a principal stakeholder, Legkodymov agreed to dissolve Bitzlato and forfeit about $23 million in seized assets under his plea agreement. Bitzlato was known for lax KYC procedures, allowing users to register with minimal identification and fostering an environment conducive to illicit transactions. Chainalysis reported that nearly half of Bitzlato's transactions between 2019 and 2021 were illicit, linked to darknet markets, scams, and ransomware. $966 million of the exchange's funds were associated with high-risk transactions, including $9 million from ransomware attacks, with users of the Hydra darknet market among the most notable counterparties. French authorities, with international collaboration, dismantled Bitzlato's infrastructure and seized its domains earlier this year. FinCEN designated Bitzlato a "primary money laundering concern," highlighting its role in enabling Russian cybercriminals, including the Conti ransomware group with its potential Russian government links. Legkodymov, arrested in Miami and held in Brooklyn, faces up to five years in prison.
2023-12-07 16:39:46 bleepingcomputer NATION STATE ACTIVITY UK Unmasks Russian FSB Hackers, Imposes Penalties for Cyber Espionage
The Russian hacking group "Callisto Group," linked to Russia's FSB, has been targeting organizations globally with spear-phishing attacks aimed at stealing credentials and data. The UK National Cyber Security Centre (NCSC) and Microsoft have issued warnings and taken action to disrupt Callisto's operations. Microsoft had previously disabled accounts the group used in attacks and reported domains linked to its phishing campaigns, weakening the group's infrastructure. The NCSC bulletin highlights continued spear-phishing by Callisto throughout 2023, particularly against governmental organizations, defense industries, NGOs, and think tanks. The attackers rely on social engineering, approaching targets via personal email addresses and luring them to phishing sites that capture credentials and session details to bypass two-factor authentication. Two members of the group have been identified and sanctioned by the UK and US governments for attacks that compromised UK entities and threatened democratic processes. Alongside the sanctions, the US government's Rewards for Justice program is offering a reward for information that further exposes Callisto Group's operations.
2023-12-07 14:42:16 thehackernews NATION STATE ACTIVITY Microsoft Exposes COLDRIVER Hacker Group's Advanced Russian Espionage Efforts
Microsoft has reported on the evolving tactics of a Russian-linked hacking group known as COLDRIVER, which also operates under aliases including Star Blizzard. The group, connected to Russia's FSB, targets entities of strategic interest to Russia, such as those involved in international affairs, defense, and support for Ukraine. COLDRIVER has refined its methods to evade detection while continuing spear-phishing and credential theft, including fake domains impersonating targeted organizations. Since April 2023 the group has used server-side scripts to hinder automated scanning of its infrastructure and filters who reaches its phishing pages so that only intended victims see them. Microsoft observed the actor using email marketing services such as HubSpot and MailerLite to launch phishing campaigns, and noted that it has updated its domain generation algorithm to produce more random-looking domain names. Two members of Star Blizzard have been sanctioned by the U.K. government for attempting to interfere in U.K. political processes and for exfiltrating sensitive data.
2023-12-07 14:31:46 bleepingcomputer MISCELLANEOUS Meta Implements Default End-to-End Encryption on Messenger and Facebook
Meta has announced default end-to-end encryption (E2EE) for all personal Messenger and Facebook chats and calls. Previously optional, E2EE now protects these conversations by default, making them readable only by the communicating parties. Messages are encrypted on the sender's device and decrypted on the recipient's device, so they stay protected in transit and on Meta's servers. Meta cannot access the content of encrypted messages and calls. Messenger's E2EE is built on the open-source Signal protocol, a robust and well-regarded design. Meta also introduced 'Labyrinth', an encrypted storage system that keeps message history available across a user's devices, described in a whitepaper. E2EE for group messaging is in testing and planned for future updates. New Messenger features include the ability to edit sent messages within 15 minutes and 'disappearing messages' that last 24 hours.
2023-12-07 14:16:02 thehackernews CYBERCRIME New HDInsight Vulnerabilities Risk Admin Rights and DoS Attacks
Security researchers have identified three vulnerabilities in Azure HDInsight, Microsoft's managed service for Apache Hadoop, Kafka, and Spark. They affect authenticated HDInsight users and sit in the Apache Ambari and Apache Oozie components. Two are privilege escalation flaws that let an attacker craft network requests to gain cluster administrator privileges: an XXE (XML External Entity) vulnerability in Oozie that also allows reading files with root privileges, and an Ambari flaw caused by inadequate validation of user input. The third is a ReDoS (Regular Expression Denial of Service) in Oozie, where improperly validated input triggers an expensive matching loop and causes service disruption and performance degradation. Microsoft addressed the issues in updates released on October 26, 2023, following responsible disclosure. These vulnerabilities follow the disclosure of eight other issues in the service three months earlier, which were also potentially exploitable for data access and other malicious activity.
2023-12-07 12:44:14 theregister DATA BREACH Sensitive NHS Patient Data Exposed in Freedom of Information Blunder
Cambridge University Hospitals NHS Foundation Trust admitted a data breach affecting over 22,000 patients, whose sensitive information was inadvertently published online. The leaked data covered patients of The Rosie Hospital, including names, hospital numbers, birth outcomes, and conception dates, as well as private information on 373 cancer patients. The data was exposed through errors in Excel spreadsheets attached to responses to Freedom of Information (FoI) Act requests, which remained accessible on the website WhatDoTheyKnow from 2020 to 2023. The Trust audited 10 years' worth of FoI responses, discovered the additional breach, and has since tightened its FoI response process, including a ban on sending spreadsheets. Affected patients have not been contacted directly, to avoid causing unnecessary distress, but can check whether they are affected and access support through the trust's support channels. The Information Commissioner's Office (ICO) has been notified and is assessing the incident, stressing that public authorities must protect personal data in FoI responses. The breach is one of a series of UK public sector data leaks, pointing to systemic weaknesses in how government bodies handle personal data.
2023-12-07 11:47:46 thehackernews MISCELLANEOUS Human Psychology: The Frontier in Cybersecurity Exploitation
Humans remain the primary target for cyber attackers, exploiting traits and emotions to compromise security. Attackers manipulate social interactions, cognitive biases, and emotional triggers to influence behavior. Social engineering techniques are crafted to manipulate human responses and achieve attackers' goals. Simple formulas like (Human Mind) + (Emotional Trigger/Trait) + (Social Engineering Technique) = Intended Objective illustrate the process of human-targeted attacks. Phishing attacks, leveraging digital communication channels, exploit human vulnerabilities for various malicious ends. To defend against such attacks, individuals should adopt a questioning mindset and a "stop and assess" approach to interactions. Awareness and proactive defense strategies can mitigate threats to personal and organizational security. The article suggests maintaining vigilance and informing oneself as key strategies against exploitation of the human mind in cybersecurity.
2023-12-07 11:47:46 thehackernews CYBERCRIME Critical Bluetooth Flaw Threatens Multiple Operating Systems
A critical Bluetooth vulnerability, CVE-2023-45866, allows a nearby attacker to connect to devices running Android, Linux, macOS, and iOS as a Bluetooth keyboard without user confirmation and inject keystrokes, leading to potential code execution as the logged-in user. Security researcher Marc Newlin discovered the flaw and reported it to vendors in August 2023. The attack needs no special hardware, just a Linux computer with a standard Bluetooth adapter. It is especially concerning because it affects a wide range of devices with Bluetooth enabled and could bypass Apple's Lockdown Mode. Google has acknowledged the threat and describes it as a proximal privilege escalation issue, highlighting its severity. Detailed information about the flaw and how to exploit it will be released in the future, so applying vendor fixes as they become available is the priority.
2023-12-07 10:56:36 thehackernews MISCELLANEOUS Elevating Cybersecurity with Enhanced Threat Intelligence Using Wazuh
Threat intelligence provides insight into past, present, and potential cyber threats, enabling better security and defensive strategies. Wazuh, an open-source security platform, offers extended detection and response (XDR) and security information and event management (SIEM) across different environments and can be used to support a threat intelligence program. Integration with threat intelligence feeds such as VirusTotal and AlienVault OTX within Wazuh lets security teams detect and respond to threats more effectively. Enriching threat data with contextual information helps analysts judge the scope and severity of a threat, and Wazuh turns raw alert data into actionable intelligence. Wazuh supports custom Indicator of Compromise (IoC) lists (CDB lists) that can be matched against events, a building block of a layered defense tailored to an organization's needs. Custom detection rules in Wazuh allow detailed investigations and adaptation to evolving attack methods. By using Wazuh, organizations can keep pace with the changing threat landscape through real-time detection, analysis, and response, backed by an active open-source community and extensive annual downloads.
2023-12-07 10:30:50 thehackernews NATION STATE ACTIVITY Governments Demand Access to Apple and Google's Push Notifications
Unspecified governments have been obtaining push notification records from Apple and Google to monitor individuals of interest. Apple and Google have acknowledged receiving requests for push notification data but say U.S. government restrictions have prevented them from disclosing specifics. Because push notifications are routed through Apple's and Google's infrastructure, the companies can see the associated metadata and, where a notification is not encrypted, its content. The Washington Post found more than two dozen search warrant applications by U.S. federal authorities for push notification data. Senator Ron Wyden has called for greater transparency from Apple and Google, asking them to disclose such government demands along with aggregate statistics and to inform users when their data is requested. Apple said Senator Wyden's letter gave it an opportunity to say more about how governments might monitor push notifications, and its Legal Process Guidelines now state that the Apple ID associated with a push notification token may be obtained with a subpoena or greater legal process. Google says the information is included in its transparency reports, although requests for push notification records are not broken out separately.