Cyber Briefing: 2023.07.25
👉 What’s the latest in the cyber world today? Ivanti Update, Apple Update, India, Akira Ransomware, Lazarus APT, South Korea, Japan, Smishing Campaign, SpyNote Malware, Norwegian Government, Yamaha Music, Teachers’ Association, Cl0p Ransomware, Azimut, Eurostar, Biometrics, Google, OneTrust, Thales, Imperva.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Zero-Day Alert: Update EPMM Now!
Ivanti’s Endpoint Manager Mobile (EPMM) software, formerly known as MobileIron Core, faces an immediate threat from an actively exploited zero-day vulnerability. The flaw, marked with the highest CVSS severity rating of 10, allows unauthorized access to restricted functions and data without authentication. Attackers could potentially gain access to users’ personally identifiable information, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of the risks and urge immediate updates to the latest patched versions (11.8.1.1, 11.9.1.1, and 11.10.0.2) as disclosed by security researcher Kevin Beaumont.
2. Apple Releases Updates to Patch Zero-Days
Apple has taken swift action to address zero-day vulnerabilities that were actively exploited in attacks aimed at iPhones, Macs, and iPads. The two vulnerabilities, identified as CVE-2023-37450 and CVE-2023-38606, allowed attackers to manipulate WebKit and the iOS kernel, respectively, potentially leading to unauthorized access to sensitive data. In response, Apple has rolled out Rapid Security Response (RSR) updates that reinforce checks and state management to protect its users from potential cyber threats.
3. Indian Govt Issues Alert on Akira Ransomware
The Indian Computer Emergency Response Team (CERT-In) has issued a stern warning about the emergence of Akira ransomware, a dangerous strain targeting both Windows and Linux-based systems. The ransomware group behind Akira is not only encrypting victims’ data but also stealing vital personal information, conducting double extortion to force ransom payments. To gain access to victim environments, the group takes advantage of VPN services, particularly where multifactor authentication is not enabled, and utilizes tools like AnyDesk, WinRAR, and PCHunter to evade detection. Taking basic online hygiene measures, maintaining offline backups, and implementing strong password policies with multi-factor authentication are crucial in defending against this perilous cyber threat.
4. Lazarus APT Attacks Windows IIS Web Servers
Lazarus, the North Korean state-sponsored APT group, has been detected deploying a watering hole technique to infiltrate Korean websites and exploit the vulnerability in INISAFE CrossWeb EX V6 to target Windows IIS web servers. Through this method, the group installs malware, such as SCSKAppLink.dll and JuicyPotato, to gain control over compromised systems and fetch additional malware strains from external sources. Lazarus has been linked to various high-profile attacks, including the recent breach at JumpCloud and the theft of millions from Atomic Wallet, underscoring the importance of implementing proactive security measures and regularly patching vulnerabilities to counteract such threats effectively.
5. Sophisticated SpyNote Malware Targets Android
McAfee researchers have discovered a new smishing campaign that targets Japanese Android users by deploying an updated version of the SpyNote malware. Hackers impersonated a power and water infrastructure company to send SMS alerts about payment issues, leading victims to a rogue website, where their devices were infected with the remote-controlled SpyNote malware. This spyware exploits accessibility services and device administrator privileges in Android devices, allowing it to steal sensitive user information, device location, contacts, SMS messages, and phone calls. The malware poses as the Tokyo Waterworks Bureau and TEPCO Power Transmission, deceiving users with legitimate app icons to appear authentic, and has previously targeted financial institutions, including the Bank of Japan in April 2023.
6. Atera Software Faces Zero-Day Vulnerabilities
Atera’s remote monitoring and management software was found to have zero-day vulnerabilities in its Windows Installers, posing serious risks of privilege escalation attacks. Discovered by Mandiant and remediated by Atera in subsequent versions, the flaws could allow attackers to execute arbitrary code with elevated privileges, opening up potential avenues for exploitation. Additionally, Kaspersky’s revelations of a severe privilege escalation flaw in Windows, actively exploited by threat actors, add to the urgency for software developers to thoroughly review and secure their systems against such escalating threats.
💥 Cyber Incidents
7. Norwegian Ministries Hit by Cyber Attack
The Norwegian government’s ICT platform, used by twelve ministries, experienced a cyberattack after hackers exploited a zero-day vulnerability in third-party software. Although sensitive data might have been accessed or exfiltrated during the attack, the government assures that work activities continue as normal, and they have implemented security measures to protect the affected ICT platform. Authorities are investigating the incident, and the Norwegian Data Protection Authority has also been notified about the potential data breach.
8. Yamaha Canada Hit by Cyberattack
Yamaha’s Canadian music division faced a recent cyberattack, with two different ransomware groups claiming responsibility for targeting the Japanese manufacturing giant known for producing musical instruments and audio equipment. While Yamaha Canada Music confirmed unauthorized access and data theft, they responded swiftly, collaborating with experts and their IT team to contain the attack and prevent further damage. The company is now focusing on mitigating adverse consequences and bolstering network defenses to ensure enhanced security moving forward, reflecting a concerning cybersecurity trend of victim organizations being targeted by multiple ransomware groups.
9. Teachers Association 2.6M Client Breach
The Teachers Insurance and Annuity Association of America (TIAA) reveals a major data breach involving more than 2.63 million customers, making it one of Clop ransomware gang’s largest victims. Initially downplaying the impact, TIAA has now disclosed that names and Social Security numbers of millions of customers may have been stolen, putting their sensitive information at risk. The managed file transfer software, MOVEit Transfer, suffered from a zero-day vulnerability, allowing attackers to access and download data stored within the system, leading to the massive breach.
10. Azimut Fights BlackCat Cyber Attack
Italian asset manager Azimut reported successfully thwarting a cyberattack without compromising its customers’ sensitive data, despite receiving a ransom request that was rejected. The attack, attributed to the notorious ransomware group BlackCat (ALPHV), targeted Azimut among 23 other organizations in July. Palo Alto Networks Unit 42 confirmed BlackCat’s involvement, highlighting the group’s widespread and sophisticated attacks across the U.S. and Europe, impacting various industries such as law firms, healthcare systems, and engineering firms.
📢 Cyber News
11. Eurostar Facial Verification Check-In
Eurostar, the high-speed international rail service, is set to launch SmartCheck, a contactless facial biometric check-in system, at London St. Pancras Station, allowing passengers to automate gate check-ins and UK exit checks. While the system aims to save time and streamline processes, it has sparked debates over the potential cybersecurity risks of biometric technology. Developed by iProov, SmartCheck leverages Genuine Presence Assurance technology to verify the passenger’s face remotely, but concerns arise about data privacy and potential vulnerabilities that malicious actors could exploit.
12. Google Blocks Internet Access for Some Staff
In an effort to bolster cybersecurity, Google is reportedly blocking certain employees’ access to the internet, restricting them to internal web-based tools and Google-owned sites. Additionally, the pilot program removes root access, preventing users from running sysadmin commands or installing software. While this measure may enhance computer security and productivity, it raises questions about Google’s mission to make information universally accessible and could lead to discontent among employees who feel limited and less trusted by their employer.
13. OneTrust raises $150M from Al Gore’s firm
OneTrust, an Atlanta-based company, secured $150 million in funding to accelerate its growth in trust intelligence software, despite slashing its valuation by $800 million. Led by Al Gore’s Generation Investment Management, the funding valued OneTrust at $4.5 billion, a decrease from its previous $5.3 billion valuation. The company’s CEO, Kabir Barday, emphasized the importance of technology in managing privacy, security, ethics, and ESG requirements amidst changing regulations and new business initiatives.
14. EU Rejects Central Cyber Agency’s Role
In a recent proposal, EU governments have rejected the idea of requiring manufacturers to report actively exploited vulnerabilities directly to the European Union Agency for Cybersecurity (ENISA). Instead, the amended version of the proposed Cyber Resilience Act calls for manufacturers to disclose vulnerabilities to their national Computer Security Incident Response Team (CSIRT). The CSIRT will then share this information through a new intelligence sharing platform operated and maintained by ENISA. However, concerns have been raised about ENISA potentially becoming a target for hostile states and criminals, and the legislation may provoke conflicts between incident response teams across Europe with differing roles and affiliations.
15. Thales Acquires Imperva: Cyber Merger
Thales, the Paris-based conglomerate, is set to purchase Silicon Valley’s Imperva for $3.6 billion, marking a significant move into the application and API security market while enhancing its data security offerings. The acquisition will create a $2.66 billion cybersecurity giant, with an expected $500 million security revenue boost to Thales’ portfolio. The deal is projected to generate cost and revenue synergies of $110 million, driving organic sales growth and reinforcing Thales’ position as a world-class global cybersecurity integrator.