Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11690
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-15 16:16:06 | bleepingcomputer | DATA BREACH | Medical Transcription Firm's Cyberattack Affects 9 Million Patients | PJ&A, a medical transcription service provider, experienced a cyberattack that compromised the data of nearly 9 million patients. The network breach occurred between March 27 and May 2, 2023, and the company began notifying affected individuals on October 31, 2023. Exposed data includes personal health information, but financial details and account credentials were not accessed. The total number of impacted patients was confirmed by a report to the U.S. Department of Health and Human Services Office for Civil Rights. Cook County Health and Northwell Health, both major healthcare providers, are among the entities impacted by the breach, with CCH ending its relationship with PJ&A. Over 3.8 million Northwell Health patients had their sensitive information stolen over a period of about two weeks due to PJ&A's network being compromised. An additional four million patients associated with various other healthcare providers have yet to be notified about their data exposure. | Details |
| 2023-11-15 15:34:52 | thehackernews | CYBERCRIME | U.S. Government Dismantles IPStorm Botnet; Operator Pleads Guilty | The U.S. dismantled the IPStorm botnet, and its Russian-Moldovan creator pleaded guilty to cybercrimes. Sergei Makinin developed malware that infiltrated devices globally across multiple operating systems from 2019 to 2022. Infected devices were turned into proxies for a profit, with access sold to other cybercriminals via specific websites. The botnet utilized the InterPlanetary File System (IPFS) peer-to-peer network to disguise malicious traffic. Makinin, facing up to 30 years in prison, profited at least $550,000 from the botnet scheme. The plea agreement includes the forfeiture of cryptocurrency wallets associated with the criminal activity. Collaboration between law enforcement and the cybersecurity sector was pivotal in leading to the botnet's takedown and the perpetrator's arrest. | Details |
| 2023-11-15 15:03:41 | bleepingcomputer | MISCELLANEOUS | Understanding and Addressing the OWASP Top 10 Web App Vulnerabilities | The article emphasizes the importance of the OWASP Top 10 as a resource for identifying critical web application security risks, valuable for developers and security professionals. The OWASP Top 10 outlines prevalent vulnerabilities such as Broken Access Control, Cryptographic Failures, and Injection Flaws, offering guidance for testing and mitigating these issues. The list also includes Insecure Design, Security Misconfiguration, and the use of Vulnerable and Outdated Components, pinpointing common areas of neglect that can lead to security breaches. Flaws in Identification and Authentication, Software and Data Integrity Failures, and Security Logging and Monitoring reflect deeper systemic issues within web application frameworks. Server-Side Request Forgery (SSRF) highlights complex attack vectors that exploit the web application's interaction with other internal or external systems. The article underscores the necessity for regular security testing and vigilance, especially as rapid development cycles can introduce new vulnerabilities. Pen Testing as a Service (PTaaS) is presented as a solution for continuous security testing, combining manual and automated penetration tests to ensure overall application security. | Details |
| 2023-11-15 15:03:41 | bleepingcomputer | CYBERCRIME | Impersonation Scam Targets Cryptocurrency Holders on Social Media | Fraudsters are using fake social media accounts to impersonate cryptocurrency scam investigators and blockchain security companies. The scammers promote phishing sites by warning users of non-existent security breaches in cryptocurrency exchanges like Uniswap and OpenSea. Victims are deceived into visiting malicious websites that claim to help safeguard their assets by revoking permissions, ultimately leading to fund theft. Notable figures and organizations in the crypto community have been impersonated, including CertiK and ZachXBT, with scammers creating similar-sounding social media account names. The fraudulent campaign was significant enough to trend hashtags related to the fake exploits within the U.S. Even savvy community members, such as vx-underground, have been tricked into sharing the scam information, highlighting the effectiveness of the impersonation tactic. The article advises users to be vigilant by double-checking the authenticity of accounts and claims before taking action to protect their assets, and to use cold wallets for enhanced security. | Details |
| 2023-11-15 14:01:39 | theregister | NATION STATE ACTIVITY | FBI Urges Congress to Maintain Current FISA Surveillance Powers | FBI Director Christopher Wray appealed to US lawmakers to preserve FISA Section 702 without new warrant requirements. Section 702, set to expire in December, allows warrantless spying on foreign communications, incidentally collecting data on US persons. Law enforcement agencies argue that a proposed amendment requiring warrants would effectively cripple surveillance capabilities. A bipartisan bill suggests reforming Section 702, adding new limits and warrant requirements for surveilling US person data, with some exceptions for emergencies. The White House and FBI strongly oppose the warrant requirement, considering it a non-negotiable "red line." Wray conceded past FBI abuses of Section 702 but emphasized steps taken to improve compliance and accountability. The FBI has implemented measures to reduce unauthorized queries and introduced consequences for misuse, including potential dismissal. | Details |
| 2023-11-15 13:56:20 | theregister | MISCELLANEOUS | Enhance Cybersecurity Skills with Free SANS Training Resources | SANS Institute offers complimentary resources to cybersecurity professionals to enhance knowledge and skills. Access to a range of open-source cybersecurity tools is available for free to aid in efficient and cost-effective security implementation. Free workshops provide hands-on experience with new tools and techniques, moderated by leading industry instructors. SANS provides informational posters and cheat sheets on various topics including Cloud Security and Incident Response at no charge. Cybersecurity webcasts from SANS feature quality speakers discussing various security topics, accessible live and for free. The SANS blog delivers insights into Cloud Security, Industrial Control Systems, and other cybersecurity areas, aiding in continuous learning. Virtual summits hosted by SANS allow global cybersecurity professionals to learn, network, and exchange information. Individuals and organizations can join the SANS community for free to leverage these valuable educational resources. | Details |
| 2023-11-15 13:51:01 | thehackernews | CYBERCRIME | Stealth Exploit for Critical Apache ActiveMQ Vulnerability | A newly discovered technique allows attackers to execute code in memory by exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604. The flaw has a severity rating of 10.0 and was patched in recent ActiveMQ versions, but it is actively being exploited by ransomware groups. Ransomware such as HelloKitty and a variant akin to TellYouThePass, along with SparkRAT, a remote access trojan, have been deployed using this vulnerability. Researchers at VulnCheck have developed an improved exploit that remains memory-resident, making it more stealthy and capable of obtaining a reverse shell. The exploit involves loading malicious XML through the ClassPathXmlApplicationContext or the newly identified FileSystemXmlApplicationContext without writing to the disk. Though the exploit is discreet, it still triggers an exception message in the activemq.log file, which attackers would need to clean up to avoid forensic detection. Security professionals are urged to patch their ActiveMQ servers and consider removing them from public internet access to mitigate the risk of this stealthy exploit. | Details |
| 2023-11-15 10:42:12 | thehackernews | MISCELLANEOUS | Varonis' Strategy to Counteract Insider Threats Effectively | Insider threats pose a significant challenge due to the inherent access to sensitive data by organization insiders. Varonis utilizes a data security triad approach ("sensitivity, access, and activity") to mitigate insider risks. Sensitivity involves the discovery, classification, and control of sensitive data, which Varonis automates through a preconfigured rule library that identifies PII, PCI, PHI, etc. Access control is achieved by limiting data exposure through least privilege automation and removing unnecessary access to reduce the insider attack "blast radius." Monitoring data activity is vital, as insider actions may not trigger standard alarms; Varonis' UEBA (User and Entity Behavior Analytics) establishes behavioral patterns and alerts for suspicious activities. Varonis provides real-time security posture visualization, automated remediation policies, and intelligent access management to limit insider threats. Organizations can quickly investigate security incidents with Varonis' detailed forensics log and incident response team support, improving proactive threat detection and response. | Details |
| 2023-11-15 09:35:57 | theregister | CYBERCRIME | Ransomware Attackers Target Logs, Escalate Incident Response Challenges | Cybercriminals are increasingly disabling or wiping logging and telemetry capabilities to avoid detection, complicating incident response. In 42% of cases, organizations lacked the necessary logs to analyze security incidents properly, with attackers responsible for the absence in 82% of those cases. Attackers erase logs to evade identification and maintain access, impacting a quarter of affected organizations that already started with inadequate logging due to ignorance or resource constraints. Sophos emphasizes that complete and accurate logging is crucial for fast and effective incident response, allowing defenders to track attack origins and system activities. Microsoft and CISA offer free resources to enhance organizational logging capabilities, with Microsoft offering free logging on basic licenses and CISA maintaining the Logging Made Easy (LME) project. Ransomware attacks are getting faster, with 'fast attacks' occurring within five days, and some supply chain attacks seeing ransomware deployment within six hours. | Details |
| 2023-11-15 07:53:48 | thehackernews | CYBERCRIME | Intel CPU Flaw Threatens Virtualized Environments; Patches Released | Intel patched a high-severity vulnerability, codenamed Reptar, affecting desktop, mobile, and server CPUs. The CVE-2023-23583 vulnerability, with a CVSS score of 8.8, could lead to privilege escalation, information disclosure, or denial of service. Google Cloud identified the severe impact in multi-tenant virtualized environments, where exploitation on a guest machine could crash the host. Researcher Tavis Ormandy found the flaw could be used to corrupt system state and cause a machine-check exception. Intel issued microcode updates in November 2023 for all affected processors; a full list of impacted CPUs is available. No evidence currently suggests active exploitation of this vulnerability, which requires the execution of arbitrary code for malicious use. The release of Intel's patches coincided with AMD addressing a separate vulnerability, CacheWarp (CVE-2023-20592), affecting AMD processors. | Details |
| 2023-11-15 05:46:30 | thehackernews | CYBERCRIME | Microsoft Patches Multiple Zero-Days Under Active Exploitation | Microsoft has released patches for 63 security issues, including five new zero-day vulnerabilities, three of which are actively being exploited. Among the vulnerabilities, three are rated Critical, 56 Important, and four Moderate in terms of severity, with updates also covering over 35 Edge browser issues. CVE-2023-36033 and CVE-2023-36036 enable SYSTEM privilege escalation, while CVE-2023-36025 allows bypassing of Windows Defender SmartScreen checks. There is no detailed information from Microsoft on the exploitation tactics or identities of the threat actors utilizing these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these three exploited vulnerabilities in its KEV catalog, advising federal agencies to implement the patches by December 5, 2023. The update includes critical fixes for remote code execution flaws and a significant heap-based buffer overflow flaw in the curl library. An information disclosure vulnerability in Azure CLI could permit attackers to access plaintext passwords and usernames, for which Microsoft has now hardened Azure CLI commands to prevent secret exposure. Security updates from other vendors have also been issued to address additional vulnerabilities. | Details |
| 2023-11-15 04:20:03 | thehackernews | CYBERCRIME | Critical VMware Cloud Director Vulnerability Pending Patch | VMware has issued a warning about a critical, unaddressed security vulnerability (CVE-2023-34060) in Cloud Director. The flaw, rated 9.8 in severity, allows attackers to bypass authentication on instances upgraded to version 10.5 via ports 22 and 5480. This authentication bypass does not affect new installations of VMware Cloud Director Appliance 10.5 or access through port 443. The vulnerability originates from an outdated version of sssd in Photon OS, which VMware Cloud Director utilizes. Dustin Hartle from Ideal Integrations is credited with discovering the issue, which has not yet been resolved by VMware. A temporary workaround is available through a provided shell script, which requires no system downtime and does not impact functionality. This advisory follows recent patches for another significant vulnerability in VMware's vCenter Server. | Details |
| 2023-11-15 00:41:01 | theregister | DATA BREACH | Microsoft and VMware Patch Critical Security Flaws Amidst Patch Tuesday Updates | Microsoft's November Patch Tuesday remediated roughly 60 vulnerabilities, including three exploited in the wild. CVE-2023-36033 and CVE-2023-36036 are critical Windows vulnerabilities allowing elevation of privilege to SYSTEM level. A Windows Defender SmartScreen bypass (CVE-2023-36025) exploited in phishing campaigns was among the patched vulnerabilities. Two other vulnerabilities, CVE-2023-36038 (DoS in ASP.NET Core) and CVE-2023-36413 (Microsoft Office security bypass), are publicly known but not yet exploited. The highest severity issue from Microsoft, CVE-2023-36397, rated 9.8, allows remote code execution in specific Windows environments. An Azure Command Line Interface flaw (CVE-2023-36052) disclosed sensitive information, leading to changes across multiple Microsoft products. Adobe released patches for 76 flaws across various products, but none of these had been actively exploited. VMware addressed CVE-2023-34060, a critical authentication bypass vulnerability in Cloud Director appliances. | Details |
| 2023-11-15 00:10:13 | bleepingcomputer | CYBERCRIME | U.S. FBI Dismantles Global IPStorm Botnet; Operator Pleads Guilty | The FBI has successfully dismantled the IPStorm botnet, a network that allowed cybercriminals to anonymously channel malicious traffic. The Russian-Moldovan national behind IPStorm, Sergei Makinin, pleaded guilty to computer fraud charges with a potential sentence of up to 10 years in prison. IPStorm facilitated anonymous online activity for scammers by utilizing over 23,000 proxies across various device platforms, including Windows, Linux, Mac, and Android. Victims of the botnet had their devices commandeered for cybercrime use, resulting in bandwidth theft and the potential for further malware infection. The botnet operated from at least June 2019 to December 2022, turning infected devices into proxies as part of a profitable scheme advertised on Makinin's websites. Makinin profited at least $550,000 from selling proxy services and has agreed to forfeit the cryptocurrency derived from the criminal proceeds. Though the botnet infrastructure has been taken down, affected victim computers have not been addressed by the law enforcement operation. Law enforcement agencies from several countries, including Spain, the Dominican Republic, and the U.S., collaborated in the investigation and takedown of the IPStorm network. | Details |
| 2023-11-14 23:34:21 | bleepingcomputer | CYBERCRIME | Critical SQL Injection Flaw Threatens 600K WordPress Sites | The WP Fastest Cache plugin for WordPress has a severe SQL injection vulnerability, potentially affecting over 600,000 websites. Unauthenticated attackers can exploit the vulnerability to access sensitive information from the site's database. WP Fastest Cache is a popular plugin that enhances website performance and search engine ranking by improving page load times. The specific flaw is within the 'is_user_admin' function, where unsanitized user input can lead to database access and data leakage. WordPress site databases often contain personal user data, passwords, and configuration settings, all of which could be compromised. Security team WPScan from Automattic released the vulnerability details, tracked as CVE-2023-6063 with a high-severity score of 8.6. A proof-of-concept (PoC) exploit will be published by WPScan, raising the urgency for administrators to patch the issue. The developer of WP Fastest Cache has released an updated version (1.2.2) that patches the vulnerability, and users are urged to update immediately. | Details |