Daily Brief

University of Michigan (UMICH) warns staff and students of a recent cyberattack and mandates password resets Failure to change password by September 12 will result in inability to sign into accounts Notifications sent by UMICH CISO and CIO to community members All UMICH community members on various campuses must change their passwords Users advised to consult guidelines on changing to a secure password An issue with the self-service password tool has been addressed Internet connectivity and WiFi restored across all UMICH campuses University does not disclose details regarding the investigation or the reason for the mandatory password resets

Three critical-severity remote code execution vulnerabilities discovered in ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers Vulnerabilities can be exploited remotely and without authentication, potentially allowing threat actors to hijack devices Flaws can lead to remote code execution, service interruptions, and performing arbitrary operations on the device ASUS has released firmware updates to address the vulnerabilities, but users who haven't applied the updates remain vulnerable It is advised to turn off the remote administration feature to prevent unauthorized access to the routers.

Freecycle, a charity aimed at recycling unwanted items, has suffered a data breach. The breach, which exposed usernames, email addresses, and hashed passwords, was discovered on August 30. Freecycle has urged all members to change their passwords and be vigilant for phishing emails. The data breach has been closed and regulatory authorities have been notified. It is unclear how many of Freecycle's 9 million members were affected by the breach. Users are advised not to reuse passwords and to avoid clicking on suspicious links or downloading unknown attachments.

An updated version of the malware loader BLISTER is being used to distribute the Mythic command-and-control framework. BLISTER is embedded within a legitimate VLC Media Player library to bypass security software. BLISTER has been used in tandem with SocGholish to distribute Cobalt Strike and LockBit ransomware. The malware is actively maintained and used to load various types of malware, including clipbankers, information stealers, trojans, ransomware, and shellcode.

Penetration Testing as a Service (PTaaS) offers a comprehensive solution for continuous security monitoring in web applications Traditional pen testing is labor-intensive, time-consuming, and does not offer continuous monitoring PTaaS provides comprehensive coverage, frequent testing, automated processes, and integration with development processes Benefits of PTaaS include continuous security, holistic view of AppSec, and effective protection against cyber-attacks PTaaS is more scalable and effective compared to traditional pen testing PTaaS is suitable for organizations with a large number of applications and frequent release updates.

DDoS attacks are on the rise, with the volume growing by up to 300 percent in 2023. These attacks use compromised computer systems to generate attack traffic, resulting in loss of service, revenue, reputation, and control of network defenses. Being able to detect and mitigate DDoS attacks is crucial in preventing damage. A webinar hosted by The Register and Cloudflare will discuss the scale of DDoS attacks in 2023 and identify the perpetrators. The webinar will provide guidance on how to defend against DDoS attacks and offer best practices for mitigation. Participants will learn how to effectively protect their businesses and build strong defenses against DDoS attacks. The webinar is scheduled for 6th September and registration is available.

The Police Service of Northern Ireland (PSNI) mistakenly published data on 10,000 employees on their website Two men have been released on bail after being arrested under the Terrorism Act in relation to the data breach The breach included details of every serving Northern Ireland police officer, potentially endangering their safety Recent poster attempts to intimidate police officers, but the information contained was incorrect The PSNI has made four arrests in relation to the data breach so far Other police forces in the UK have also experienced data breaches recently, including Cumbria Police and the Metropolitan Police in London

Attackers gained access to data from a UK supplier of high-security fencing for military bases The initial entry point was a Windows 7 PC, highlighting the risks of running obsolete code and hardware The LockBit Ransom group conducted the attack and may have exfiltrated 10GB of data The breach could potentially provide access to sensitive military and research sites in the UK The company stated that no classified information was stored on the compromised system Zaun has notified the National Cyber Security Centre and the UK's Information Commissioner's Office regarding the breach The attack serves as a reminder for enterprises and organizations to be vigilant about security in their supply chains The targeted nature of the attack on a third-party supplier raises concerns about national security and critical infrastructure

Microsoft is disabling TLS 1.0 and 1.1 by default in Windows, potentially causing issues for enterprise administrators. SQL Server 2012, 2014, and 2016 editions may require updates to be compatible. Other applications expected to be broken include Apple's Safari browser for Windows and several security applications. Microsoft has been tracking TLS protocol usage and believes usage of TLS 1.0 and 1.1 is low enough to act. Windows Insiders will be the first to have TLS 1.0 and 1.1 disabled by default from September, followed by future Windows releases. The option to re-enable the protocols will still be available but should only be done as a temporary solution. Microsoft's goal aligns with industry efforts to eliminate deprecated versions of TLS, with the US National Security Agency (NSA) and major tech companies advocating for the move. Microsoft's progress in disabling TLS 1.0 and 1.1 has been delayed but is now planned to be implemented in its flagship operating system.

Simon Byrne, Chief Constable of the Police Service Northern Ireland (PSNI), has resigned amid a data breach and disciplinary controversy The PSNI mistakenly published spreadsheet data containing details of every single serving Northern Ireland police officer following a Freedom of Information request The sensitive information included personal details of officers and staff, making them vulnerable to potential targeting by dissident republican groups An independent review is currently underway to investigate the data breach In addition to the data breach, Byrne was facing backlash over a court ruling related to disciplinary actions taken against two junior officers The court ruled that the officers had been unlawfully disciplined to appease Sinn Féin's support for policing in Northern Ireland The ruling undermined Byrne's credibility and authority, contributing to his decision to resign Deputy Chief Constable Mark Hamilton is expected to temporarily lead the PSNI while a new leader is sought.

Organizations heavily depend on digital assets in today's digital age The real battleground in cybersecurity has shifted to user identities Many organizations are unaware of security gaps and vulnerabilities Silverfort commissioned a comprehensive study on the Identity Attack Surface The webinar aims to provide insights and actionable steps to improve cybersecurity The digital landscape is evolving with new threats, and organizations need to stay ahead Attendees will discover ways to transform their perception of cybersecurity Registration is open for the webinar to fortify organizations' cybersecurity.

The average cost of a data breach rose to $4.45 million, a 15% increase over the last three years. Healthcare organizations suffered the highest average loss of $10.93 million, followed by the finance industry at $5.9 million. Organizations with fewer than 500 employees experienced higher average data breach costs in 2023 ($3.31 million) compared to previous years. Phishing and stolen credentials are still the most common initial attack vectors, with phishing costing an average of $4.76 million and stolen credentials costing an average of $4.62 million. Integrating a third-party tool into the Active Directory can provide added control and visibility over compromised passwords. Rapid incident response is crucial to mitigating the financial impact of a data breach, as companies that detected compromises within 200 days lost $3.93 million compared to those that identified the issue later. Understanding and securing the cloud is essential, as 82% of breached data was stored in the cloud. Misconfigured cloud configurations and supply chain attacks were prevalent in the surveyed organizations. External Attack Surface Management (EASM) and risk-based vulnerability management can significantly reduce the time to identify and contain a data breach and lower breach costs.

Andariel, a North Korean threat actor, has been using various malicious tools in cyber assaults against corporations and organizations in South Korea The attacks involve malware strains developed in the Go language Andariel is a sub-cluster of the Lazarus Group, active since 2008 Financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies are targeted Initial infection vectors include spear-phishing, watering holes, and supply chain attacks Malware families employed by Andariel include Gh0st RAT, DTrack, YamaBot, NukeSped, and more Andariel recently exploited security flaws in Zoho ManageEngine ServiceDesk Plus using QuiteRAT The group has been carrying out attacks for financial gains and national security-related information

A reworked variant of the Chaes malware is targeting the banking and logistics industries The malware has been rewritten in Python, making it harder to detect by traditional defense systems Chaes primarily targets e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information The threat actors behind the malware, known as Lucifer, have breached over 800 WordPress websites to deliver Chaes to users The latest version, called Chae$ 4, includes significant transformations and enhancements, such as expanded credential theft capabilities and clipper functionalities The malware is delivered through compromised websites, with the victims being prompted to download an installer for Java Runtime or an antivirus solution ChaesCore, the primary orchestrator module, establishes a communication channel with the command-and-control server to fetch additional modules The malware now targets cryptocurrency transfers and instant payments via Brazil's PIX platform, highlighting the threat actors' financial motivations.

Hackers are targeting IT service desk agents in social engineering attacks Their goal is to trick agents into resetting multi-factor authentication (MFA) for high-privileged users The attackers aim to hijack Okta Super Administrator accounts to abuse identity federation features for impersonation They were able to compromise Super Admin accounts through authentication flow tampering or having passwords for privileged accounts Once they gain admin access, they elevate privileges for other accounts, reset enrolled authenticators, and remove 2FA protection Hackers use a second Identity Provider to impersonate users and access applications through Single-Sign-On authentication Okta recommends security measures to protect admin accounts from external actors Indicators of compromise and IP addresses associated with the attacks have been provided by Okta for additional protection measures.