Daily Brief

Find articles below; each entry is followed by its generated summary

Total articles found: 11706

Checks for new stories every ~15 minutes

2023-12-06 11:11:58 theregister MISCELLANEOUS UK Regulator Outlines Stringent Online Age Verification Rules
The UK communications regulator, Ofcom, has published proposals for age verification under the Online Safety Act, intended to keep children away from inappropriate online content. Suggested methods include credit card checks, facial age estimation and photo ID matching, all of which raise significant privacy concerns, and service providers will have to reconcile these checks with their obligations under privacy law. Earlier age verification proposals were criticised for creating large repositories of personal data that would be attractive targets for a breach. Ofcom's proposals demand robust verification and reject weaker measures such as users self-declaring their age. The rules will apply to services targeting the UK market or with a "significant number" of UK users, a threshold Ofcom has not yet defined. The regulator also advises services against hosting content or links that point users to VPNs as a way round the checks, on the grounds that this would encourage users to explore technology that brings its own risks. Final guidance is expected in early 2025, with Ofcom enforcing it thereafter.
2023-12-06 11:11:58 theregister DATA BREACH BlackCat Ransomware Group Targets Tipalti and Client Data
The AlphV/BlackCat ransomware group claims to have breached accounting software firm Tipalti's systems and stolen over 265GB of data. Because it judges a ransom payment from Tipalti itself unlikely, BlackCat is threatening to extort Tipalti's clients directly, naming high-profile companies such as Roblox and Twitch, and says it will release the stolen data slowly over months to maximise reputational damage to those companies. Tipalti is investigating the claims and asserts that strong security measures are in place. Security experts note that ransomware groups are testing new negotiation tactics, and that organisations must plan defences not only for their own data but for their supply chains and partnerships. Most of the high-profile clients listed on Tipalti's website, including Discord, Canva, GoDaddy and Twitter/X, had not responded to requests for comment.
2023-12-06 11:11:58 theregister MISCELLANEOUS Debunking Data Security Posture Management (DSPM) Myths
DSPM provides insight into locating sensitive data, access permissions, usage, and security configurations, emphasizing the importance of protecting data at its source. The concept of DSPM isn't new; it's a data-centric approach that Varonis has advocated for years, though it's recently been formalized with a specific term. The scope of DSPM extends beyond cloud infrastructure and DevOps, covering data stored in SaaS applications, on-premises, in development environments, and throughout its lifecycle. Discovery is only the initial stage of DSPM; it leads to informed decision-making on security policy and risk reduction, not just identifying data storage. In-depth visibility into data platforms and applications is necessary for effective risk measurement and the establishment of actionable security controls. Workflows and automations play a critical role in fixing data security issues, but they must address root causes and scale with data growth, not just symptoms. Varonis emphasizes the significance of a reliable DSPM solution to protect data across all storage environments, including cloud, on-prem, and SaaS repositories. The Varonis DSPM dashboard and platform offer risk assessment, remediation policies, least privilege automation, user identity monitoring, and proactive incident response for robust data security management.
2023-12-06 11:11:58 theregister CYBERCRIME CISA Reports Exploitation of Unpatched ColdFusion on Federal Servers
The Cybersecurity and Infrastructure Security Agency (CISA) disclosed two intrusions into federal agency servers through an unpatched Adobe ColdFusion flaw, CVE-2023-26360. Both servers were compromised several months after the deadline CISA had set for fixing the critical vulnerability. In the first intrusion the attackers exploited the CVE, dropped a remote access trojan and performed reconnaissance before being stopped in the later stages. The second also began with exploitation of the CVE, followed by system reconnaissance and an attempt to decrypt stored ColdFusion credentials, which failed against the newer ColdFusion build running on the server. Although neither data exfiltration nor the password decryption succeeded, the incidents raise concerns about slow patching of known, actively exploited vulnerabilities. CISA would not say whether the servers are now secure, who was responsible, or whether the two incidents are linked. The agency recommends vigilance and timely updates, and stresses adherence to its published patching deadlines.
2023-12-06 11:11:58 theregister NATION STATE ACTIVITY Fancy Bear Phishing Campaign Hits Western Security Sectors
Fancy Bear, associated with Russia's GRU, is targeting US and European government, defense and aerospace networks through phishing campaigns. Microsoft reports that the group is exploiting CVE-2023-23397 (Outlook) and CVE-2023-38831 (WinRAR). Polish Cyber Command observed that, in compromised mailboxes, the attackers modified folder permissions so that high-value information remained readable even after they lost their original access. Proofpoint detected over 10,000 phishing emails from Fancy Bear, primarily aimed at the defense, aerospace, technology, government and manufacturing sectors, with occasional campaigns against higher education, construction and consulting; the group routed its attacks through compromised routers. Patches exist for both vulnerabilities, but uneven deployment has left networks exposed. Security professionals expect Fancy Bear to keep exploiting these flaws and recommend thorough patching alongside broader defensive measures.
2023-12-06 11:11:58 theregister CYBERCRIME Cisco Unveils AI to Boost Firewall Security; Alerts on Cost
Cisco introduces an AI Assistant for Firewall Policy to improve network security by analyzing and suggesting firewall rule optimizations. The AI tool can assess and recommend changes to policies, identify duplicates or inefficient rules, and enhance the response to security threats. Cisco acknowledges the growing importance of AI in cybersecurity, shifting focus from just defense and response to predicting attacker behavior. Jeetu Patel, Cisco's EVP for security, foresees challenges for point solution providers as AI integration demands high-level platform understanding across multiple security alerts. While the AI Assistant is currently in preview, Cisco is also integrating AI to detect malware activity within encrypted traffic. Cisco warns that the advanced AI services will be monetized as they incur computational costs, though no pricing details have been released as of yet. Patel emphasizes that while there will be a cost associated with AI security services, it should not deter broad usage and adoption among end users.
2023-12-06 11:11:58 theregister MISCELLANEOUS Microsoft Extends Windows 10 Security Support for a Fee
Microsoft has confirmed that full security support for Windows 10 ends on October 14, 2025. Customers reluctant to upgrade can purchase Extended Security Updates (ESU) for three additional years; ESU delivers critical and important security fixes only, with no patches for lesser flaws and no new features. Pricing for the Windows 10 ESU programme has not been disclosed but is expected to resemble the Windows 7 ESU scheme, under which Enterprise devices paid roughly half the per-device rate charged for Pro devices. Microsoft is promoting its cloud-based Windows 365 service, which gives Windows 10 PCs access to Windows 11 and includes Windows 10 ESU at no extra charge. The US Public Interest Research Group praised the move for potentially reducing electronic waste by prolonging the life of existing computers. Details of ESU availability for individual consumers have not been provided; Microsoft has promised a future update.
2023-12-06 11:11:58 theregister CYBERCRIME Atlassian Warns of Critical Vulnerabilities Amid Advisory Glitches
Atlassian issued an email advisory about four critical vulnerabilities across several products, including Bitbucket, Confluence, and Jira. The email contained incorrect links, which initially led to a 'Page Not Found' error, delaying access to vital security information. Affected links were later redirected to the correct pages following realization of the error by Atlassian. The vulnerabilities are rated 9.0 or higher on the CVSS scale and allow remote code execution, posing a severe security risk. Customers are advised to upgrade their Atlassian products to the latest fixed versions to mitigate the threat immediately. Atlassian has publicly recognized the email error and issued an apology for any inconvenience caused to customers.
2023-12-06 11:11:58 theregister MISCELLANEOUS Ensuring AI Data Security with Confidential Computing Solutions
The protection of mission-critical data, applications, and workloads is essential for businesses to avoid the disastrous consequences of security disruptions. The rise of AI magnifies the challenge, as sensitive and personal data such as financial transactions and health records become targets. To secure AI data while leaving AI models free to operate on it, the article advocates confidential computing, which uses hardware-based memory encryption and isolation to protect data while it is in use, complementing the familiar encryption of data in transit and at rest. Intel's 4th generation Xeon processors incorporate built-in security features that offer a foundation for deploying AI applications while meeting confidentiality requirements. Intel SGX and Intel TDX provide additional layers of protection for data during processing, enforcing isolation at the application and VM levels respectively. Tools like federated learning enable collaboration between organizations by allowing joint analysis without exposing either party's sensitive data or machine learning models. Organizations must evolve their approach to securing the technology stack in order to deploy AI-powered applications in alignment with security and compliance standards. Intel backs its hardware data security capabilities with additional services, such as remote attestation and federated learning, to ensure data integrity across AI/ML applications.
2023-12-06 11:11:58 thehackernews NATION STATE ACTIVITY AeroBlade Espionage Targets U.S. Aerospace Sector
A previously unknown actor tracked as AeroBlade has carried out a cyber espionage attack on a U.S. aerospace organization. The BlackBerry Threat Research and Intelligence team has been monitoring the group, whose origin remains unidentified. The attackers used spear-phishing with a weaponized document that employed remote template injection to pull down a second document containing malicious macro code, which executed the payload. The network infrastructure for the attack was established in September 2022, with the main offensive taking place nearly a year later, in July 2023. The payload is a DLL that opens a reverse shell, giving the attackers control of infected machines and a channel for data exfiltration. The malware carries anti-analysis features and refuses to run when it detects a sandboxed environment. The attackers established persistence through Task Scheduler, registering a task that runs daily, which indicates a sustained effort to keep access and extract valuable information.
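A detection-side illustration of the delivery technique in the AeroBlade summary above (a lure document that fetches its template from a remote host, the template then carrying the macro). This is an added example, not BlackBerry's code. It inspects the OOXML parts Word actually consults: an attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External" pointing at an http(s), file or UNC target is the remote-template-injection setup, and word/vbaProject.bin is where VBA macros live. The sample documents are constructed in memory for the demonstration, and 198.51.100.7 is a documentation address, not an indicator from the report.

```python
"""Static triage of Word OOXML files for remote template injection and macros.

Added example, not BlackBerry's tooling. Word resolves its template through an
attachedTemplate relationship in word/_rels/settings.xml.rels; an External
target on http(s), file or a UNC share is the remote-template-injection setup,
and word/vbaProject.bin holds any VBA macros.
"""
import io
import xml.etree.ElementTree as ET  # stdlib parser; it does not expand external entities
import zipfile
from typing import Dict, List, Optional, Tuple

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")
# Relationship types Word resolves automatically on open, unlike a hyperlink
# the user has to click.
HIGH_RISK_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}

Finding = Tuple[str, str, str, str]  # (severity, package part, kind, target)


def scan_office_document(data: bytes) -> List[Finding]:
    """Return findings for external relationships and embedded VBA projects."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if part.lower().endswith("vbaproject.bin"):
                findings.append(("high", part, "vbaProject", ""))
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if not target.lower().startswith(REMOTE_PREFIXES):
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                severity = "high" if kind in HIGH_RISK_REL_TYPES else "info"
                findings.append((severity, part, kind, target))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any finding is high severity (auto-fetched remote part or VBA)."""
    return any(sev == "high" for sev, *_ in scan_office_document(data))


def build_docx(relationships: Dict[str, List[Tuple[str, str, Optional[str]]]],
               with_macro: bool = False) -> bytes:
    """Assemble a minimal OOXML package for the demo. relationships maps a
    .rels part name to (type suffix, target, TargetMode) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        for part, rels in relationships.items():
            body = "".join(
                f'<Relationship Id="rId{i}" Type="{REL_TYPE_PREFIX}{kind}" Target="{target}"'
                + (f' TargetMode="{mode}"' if mode else "") + "/>"
                for i, (kind, target, mode) in enumerate(rels, start=1)
            )
            z.writestr(part, f'<Relationships xmlns="{RELS_NS[1:-1]}">{body}</Relationships>')
        if with_macro:  # an OLE compound-file header is enough for this check
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


# Constructed samples: the lure .docx has no macro of its own and pulls its
# template from a remote host; the fetched .dotm is what carries the VBA.
STAGE1_LURE = build_docx({
    "word/_rels/settings.xml.rels": [
        ("attachedTemplate", "http://198.51.100.7/template.dotm", "External")],
})
STAGE2_TEMPLATE = build_docx({}, with_macro=True)
BENIGN_DOC = build_docx({
    "word/_rels/document.xml.rels": [
        ("hyperlink", "https://example.com/", "External"),
        ("styles", "styles.xml", None)],
})

if __name__ == "__main__":
    for label, doc in (("lure", STAGE1_LURE), ("template", STAGE2_TEMPLATE), ("benign", BENIGN_DOC)):
        print(label, is_suspicious(doc), scan_office_document(doc))
```

The lure on its own contains no macro, which is why a scanner that only looks for vbaProject.bin misses this first stage; the attachedTemplate relationship is the signal to act on, and the same check applies to .docm/.dotm templates and to the oleObject relationships used by other Office lures.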
2023-12-06 11:11:58 thehackernews CYBERCRIME Over 15,000 GitHub Go Repos Vulnerable to 'Repojacking' Attacks
A study revealed that over 15,000 Go module repositories on GitHub are susceptible to a "repojacking" cyberattack technique. Repojacking exploits username changes and deletions on GitHub, allowing attackers to take over a repository’s name and disseminate malicious code. Aqua, a cloud security firm, previously warned of the broader risk across GitHub repositories and underscored the need for protective measures upon name changes. The decentralized nature of Go modules, relying on platforms like GitHub, makes them especially vulnerable compared to package managers like npm or PyPI. GitHub’s measure, popular repository namespace retirement, is ineffective against this issue for Go modules because of the caching mechanism used by the Go module mirror. VulnCheck suggests that Go developers must be vigilant about the modules they use and the current status of the repositories they originate from. The discovery coincides with the report of 1,681 exposed API tokens on platforms including GitHub, raising concerns about potential supply chain attacks and data theft.
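The precondition for the repojacking described above is a github.com import path whose owner or repository no longer resolves in place. The following audit, an added example that is not VulnCheck's or Aqua's tooling, parses a go.mod, picks out the GitHub-hosted dependencies and asks GitHub, without following redirects, whether each owner/repo still exists: a 301 means the name has been moved and the old one is (or may become) free, a 404 means it is already free. The sample go.mod, its fictitious owners and the canned answers in fixture_resolver are constructed so the example runs offline; github_resolver does the live lookup and assumes those GitHub status codes.

```python
"""Audit a go.mod for GitHub-hosted modules whose repository has moved or
vanished, the precondition for repojacking.

Added example, not VulnCheck's or Aqua's tooling. Assumption: GitHub answers
HEAD https://github.com/<owner>/<repo> with 301 (Location: new home) after a
rename and 404 once the owner or repository is gone.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Captures owner and repo; a trailing "/v2"-style major suffix is ignored.
GITHUB_MODULE = re.compile(r"^github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")

Resolver = Callable[[str, str], Tuple[int, str]]  # -> (HTTP status, Location)


def parse_go_mod_requires(gomod: str) -> List[Tuple[str, str]]:
    """Return (module path, version) for each require, single-line or block form."""
    reqs: List[Tuple[str, str]] = []
    in_block = False
    for raw in gomod.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop "// indirect" style comments
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue  # module, go, replace, exclude ... directives
        parts = line.split()
        if len(parts) >= 2:
            reqs.append((parts[0], parts[1]))
    return reqs


def github_resolver(owner: str, repo: str) -> Tuple[int, str]:
    """Live lookup: HEAD the repository page without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError instead of following it

    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")


def classify(owner: str, repo: str, resolve: Resolver) -> str:
    """'ok', 'missing' (name free to register) or 'moved:<new owner>/<new repo>'."""
    status, location = resolve(owner, repo)
    if status == 404:
        return "missing"
    if status in (301, 302, 307, 308):
        parts = urlparse(location).path.strip("/").split("/")
        return "moved:" + "/".join(parts[:2])
    return "ok"


def audit(gomod: str, resolve: Resolver = github_resolver) -> Dict[str, str]:
    """Map each at-risk github.com module path in go.mod to its verdict."""
    findings: Dict[str, str] = {}
    for path, _version in parse_go_mod_requires(gomod):
        match = GITHUB_MODULE.match(path)
        if match is None:
            continue
        verdict = classify(*match.groups(), resolve)
        if verdict != "ok":
            findings[path] = verdict
    return findings


# Constructed sample go.mod; the owners and repositories are fictitious.
SAMPLE_GO_MOD = """module example.com/app

go 1.21

require (
    github.com/goodorg/lib v1.4.0
    github.com/oldname/tool v0.3.1 // indirect
    github.com/ghost/vanished v2.0.0+incompatible
    golang.org/x/crypto v0.16.0
)
"""


def fixture_resolver(owner: str, repo: str) -> Tuple[int, str]:
    """Canned answers standing in for GitHub so the example runs offline."""
    table = {
        ("goodorg", "lib"): (200, ""),
        ("oldname", "tool"): (301, "https://github.com/newname/tool"),
        ("ghost", "vanished"): (404, ""),
    }
    return table.get((owner, repo), (200, ""))


if __name__ == "__main__":
    for module, verdict in audit(SAMPLE_GO_MOD, fixture_resolver).items():
        print(f"{verdict:<22} {module}")
```

A 'moved' verdict is the one to act on before the old name is re-registered: switch the import path to the new owner or pin it with a replace directive. Note what go.sum does and does not buy you here: the checksum database fixes the content of every version it has already recorded, so a hijacked repository cannot silently alter v0.3.1, but it can publish v0.3.2 and wait for the next go get -u.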
2023-12-06 11:11:58 thehackernews DATA BREACH Mitigating Risks with AI-Assisted Data in Microsoft 365 Copilot
Microsoft Copilot is an AI assistant integrated into the Microsoft 365 apps that draws on an organisation's own data to answer prompts. Because Copilot can reach everything the requesting user can reach, its access to sensitive data is a significant concern for information security teams: Varonis estimates that around 10% of a company's Microsoft 365 (M365) data is accessible to all employees, and Copilot can surface it. The underlying problems are tangled permissions, ineffective sensitivity labelling, and the risk that Copilot hands users sensitive content they were technically entitled to but would never have found on their own. The Varonis Data Security Platform is pitched as a way to enforce least privilege and improve security posture before Copilot is rolled out, and Varonis offers a free risk assessment for M365 users to identify sensitive data exposure ahead of a Copilot deployment.
2023-12-06 11:11:58 thehackernews MISCELLANEOUS Strengthen Your SaaS Security with Free TPRM Solution
Wing Security has introduced a free tool for basic third-party risk management (TPRM) to help organizations mitigate risks associated with SaaS vendors. As SaaS usage grows, companies face security challenges due to the interconnected nature of SaaS supply chains, which can lead to potential cybersecurity threats. The article emphasizes the importance of due diligence and security checks before onboarding new SaaS applications, noting that these often bypass traditional IT approval processes. Third-party risk in SaaS involves managing potential cybersecurity, data privacy, compliance, operational, financial, and reputational risks posed by vendors. Five key tips for SaaS security are provided: identification and categorization of third-party connections, due diligence and assessment of vendors, ongoing monitoring of SaaS vendors, robust incident response planning, and thorough documentation and reporting. The consequences of inadequate TPRM practices include cybersecurity breaches, data exposure, financial loss, reputational damage, and non-compliance penalties. Good TPRM fosters improved security, compliance, vendor trust, and regulatory navigation, playing a crucial role in strengthening an organization's overall security posture against SaaS threats.
2023-12-06 11:11:58 thehackernews NATION STATE ACTIVITY Russia's Doppelganger Operation: AI-Driven Disinformation Exposed
A Russia-linked influence operation known as Doppelganger is targeting audiences in Ukraine, the United States, and Germany with disinformation campaigns. Doppelganger has been active since at least February 2022 and utilizes a combination of fake news sites and social media accounts to disseminate false narratives. The influence campaigns aim to undermine Ukrainian sovereignty, promote anti-LGBTQ+ sentiments, question U.S. military competence, and highlight social and economic issues in Germany. Advanced obfuscation techniques are used, including brandjacking and the strategic use of website redirects and AI to create false articles, making detection more difficult. Across its campaigns, Doppelganger is said to use over 800 social media accounts and various first and second-stage domains to hide actual content destinations. Engagement with the disinformation content has been minimal, leading to negligible impact in terms of social media interactions such as reshares, likes, and replies. Recorded Future emphasizes the scalable and adaptable nature of Russian information warfare designed to influence public opinion and behavior over time. Meta has taken steps to disrupt multiple influence operations from China and Russia and highlights the lack of current U.S. federal government sharing on foreign election interference threat intelligence.
2023-12-06 11:11:58 thehackernews CYBERCRIME Experts Uncover Fake Lockdown Mode Deception on iPhones
Jamf Threat Labs describes a post-exploitation technique that tricks iPhone users into believing Lockdown Mode is enabled when it is not. Apple's Lockdown Mode, introduced in iOS 16 to protect users from sophisticated threats, reduces attack surface but does not stop malicious payloads from running on a device that has already been compromised; the technique relies on that. By hooking the functions involved in activating Lockdown Mode, malware on a compromised device can present the user with the visual cues of the feature while leaving the device unprotected, a false sense of security that keeps the victim less vigilant and exposed to continued spying or data theft. Apple has since moved the implementation of Lockdown Mode into the kernel in iOS 17, so that its state can no longer be altered without a system reboot, which makes this kind of tampering harder. Jamf's research underlines the risk of interface tampering and expects deception of this kind to be used more widely in future.