19-Jul-23: In Security News Today

Microsoft’s AI Assistant for Security Operations Centers to Enter Early-Access Preview

Microsoft is expanding its Security Copilot service, an AI assistant for Security Operations Centers based on GPT-4, granting access to more customers and technology partners, with an official “early-access preview” set to launch in the fall. The updated version includes user feedback and introduces “promptbooks,” sequences of common AI prompts to assist security professionals, and integration with popular cybersecurity tools to enhance operations efficiency. The early-access preview will also permit Microsoft cybersecurity partners to integrate their tools with Security Copilot and feed data back into the service, facilitating more efficient threat response and intelligence analyses.

Critical Vulnerability in Citrix ADC and Gateway Actively Exploited, Patches Released

Citrix has reported a critical security flaw (CVE-2023-3519, CVSS score: 9.8) in NetScaler Application Delivery Controller (ADC) and Gateway that is currently being exploited. The vulnerability allows unauthenticated remote code execution and impacts several versions of NetScaler ADC and Gateway. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and Citrix has released patches for the vulnerable versions.

U.S. Adds Spyware Vendors Cytrox and Intellexa to Economic Blocklist for Cyber Espionage

The U.S. government has placed foreign commercial spyware vendors Cytrox and Intellexa on an economic blocklist, citing their exploitation of cyber exploits to conduct unauthorized device access. The move prohibits U.S. companies from conducting transactions with these businesses and their holdings in Hungary, North Macedonia, Greece, and Ireland. This action follows the addition of Israeli companies NSO Group and Candiru to the Entity List in November 2021, and is part of a larger U.S. initiative to restrict the use of commercial spyware.

APT41 Launches Android Attacks with New WyrmSpy and DragonEgg Spyware

The Chinese-linked nation-state actor, APT41, has been associated with two new Android spyware strains: WyrmSpy and DragonEgg. Initial intrusion vectors remain unknown, but both strains request intrusive permissions and contain sophisticated data collection and exfiltration features. Lookout’s findings underline the growing threat posed by advanced Android malware, with the sophisticated spyware capable of harvesting user photos, locations, SMS messages, and audio recordings from infected devices.

CISA and NSA Issue Guidance on Strengthening 5G Network Slicing Security

U.S. cybersecurity agencies, CISA and NSA, have released recommendations for strengthening security within 5G standalone network slicing to better guard against threats. The advisory builds on previous guidance, pointing to the potential threat vectors within network slicing, including denial-of-service, misconfiguration attacks, and adversary-in-the-middle attacks. The agencies advocate for a zero trust architecture (ZTA) approach, implemented through authentication, authorization, and audit (AAA) techniques, to secure network deployments.

Big Head Ransomware Camouflages as Fake Windows Updates and Infector Files

Big Head, an emerging ransomware variant, is being spread via malvertising campaigns masquerading as fraudulent Microsoft Windows updates and Word installers. A multifaceted threat, Big Head not only encrypts victim files for a cryptocurrency ransom but also exhibits stealer behaviors and incorporates a file infector, Neshta, serving as a camouflage technique for the ransomware payload. Cybersecurity professionals need to remain vigilant, as Big Head’s diverse functionalities make it a significant threat with multiple attack vectors requiring separate defensive strategies.

Surge in Rootkit Attacks Exploiting OS Vulnerabilities Pose Growing Threat

Cyberattackers are increasingly using rootkits to exploit operating system vulnerabilities, gaining persistence on targeted systems and bypassing defense measures by signing malicious kernel drivers, posing a significant threat to Windows systems. The China-linked group behind the FiveSys rootkit has had success against code-signing controls, enabling installation of a new rootkit via a malicious signed driver used as a universal downloader. Additionally, malware developers have created rootkits like BlackLotus, bypassing Windows Secure Boot, presenting a growing concern as the sophistication of such attacks escalates, potentially compromising Unified Extensible Firmware Interface (UEFI) firmware.

Insufficient Fix to Google Cloud Build Flaw Poses Continuous Risk

A newly discovered vulnerability, dubbed ‘Bad.Build’, in Google Cloud Build poses a threat by enabling attackers to tamper with and inject malware into images stored in Google’s Artifact Registry. Researchers at Orca Security who uncovered the flaw argue that Google’s fix only partially addresses the issue, as it is fundamentally a design problem related to default permissions that facilitate lateral movement and privilege escalation for adversaries. Google’s stance suggests that customers bear responsibility for further restricting access, indicating the ongoing supply-chain risk necessitates organizations to limit the ‘cloudbuild.builds.create’ permission to mitigate risk.

Microsoft Offers Free Expanded Logging Access for 365 Customers Amid Security Concerns

Following industry criticism, Microsoft has decided to waive fees for expanded logging access to all Microsoft 365 license holders, acknowledging the necessity for more affordable access to logging data. This move, spurred by a recent espionage campaign against Microsoft 365 by Chinese APT group Storm-0558, will allow Microsoft Purview Audit Standard customers to gain deeper insight into security data, including detailed email access logs and other log data types previously exclusive to premium subscribers. Additionally, the company will extend the log retention period from 90 to 180 days.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.