Week of June 28th, 2024

Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

Just In: Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability

As first reported on by The Hacker News, a newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is seeing early exploitation attempts in the wild shortly after details of the bug were publicly disclosed this Tuesday.

The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions:

  • From 2023.0.0 before 2023.0.11
  • From 2023.1.0 before 2023.1.6, and
  • From 2024.0.0 before 2024.0.2

"Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass," the company stated in their official advisory.
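The three version ranges above are what an inventory check has to encode. The following is an added example, not code from the newsletter or from Progress Software: a small triage helper that parses MOVEit Transfer build strings and decides whether each falls inside the affected ranges listed by the advisory. The ranges are taken from the list above; the host inventory is constructed sample data.

```javascript
// Added example (not from the newsletter or Progress Software): decide whether a
// MOVEit Transfer build string falls inside the version ranges the advisory lists
// for CVE-2024-5806. Ranges are [first affected (inclusive), first fixed (exclusive)].
const AFFECTED_RANGES = [
  ["2023.0.0", "2023.0.11"],
  ["2023.1.0", "2023.1.6"],
  ["2024.0.0", "2024.0.2"],
];

// Parse "2023.0.10" into [2023, 0, 10]; reject anything that is not dotted integers.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length < 2 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts.map(Number);
}

// Component-wise comparison; a missing trailing component counts as 0,
// so "2023.1" compares equal to "2023.1.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version sits in any listed range: lo <= version < hi.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  );
}

// Bucket an inventory into patch-now / not-in-listed-ranges / could-not-parse.
// Builds outside the listed ranges (for example older branches) are reported as
// "notListed", not as safe: the advisory only enumerates the ranges above.
function triage(inventory) {
  const report = { affected: [], notListed: [], unknown: [] };
  for (const host of inventory) {
    try {
      (isAffected(host.version) ? report.affected : report.notListed).push(host.name);
    } catch {
      report.unknown.push(host.name);
    }
  }
  return report;
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { name: "mft-01", version: "2023.0.10" }, // inside first range
  { name: "mft-02", version: "2023.0.11" }, // first fixed build of 2023.0
  { name: "mft-03", version: "2023.1.5" },  // inside second range
  { name: "mft-04", version: "2024.0.2" },  // first fixed build of 2024.0
  { name: "mft-05", version: "2022.1.3" },  // older branch, not in the listed ranges
  { name: "mft-06", version: "n/a" },       // unparseable
];

console.log(JSON.stringify(triage(SAMPLE_INVENTORY), null, 2));
```

The comparison is numeric per component rather than a string compare, which matters here because "2023.0.11" would otherwise sort before "2023.0.2".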

This is on the heels of MOVEit playing a role in one of Canada’s largest cyberattacks in 2023, when accounting giant Ernst & Young and Quebec-based insurance company Beneva had to release statements to clients stating that their data was copied when the MOVEit servers of each respective organization were hacked.

In Beneva's case, it was reported that less than 1% of its 3.5 million Canadian customer base was affected, resulting in the data of approximately 30,000 people being compromised.

For EY, however, the fallout was not as quickly contained: 62 clients of the "big four" accounting firm appeared on the Clop ransomware group's data leak site. The ransomware group's supply chain attack on the frequently-used MOVEit file transfer software leaked an estimated three terabytes of critical information about EY's clients including, but not limited to, financial reports and accounting documents in client folders, passport scans, risk and asset management documents, contracts and agreements, credit agreements, audit reports, account balances, and more.

Impacted victims included Air Canada, Altus, Amdocs, Constellation Software, EY-Continental Transition, Laurentian Bank of Canada, LendLease, Sierra Wireless, SSC Fraud Risk Assessment, St. Mary's General Hospital Surgical Services Review, Staples Canada, Sun Life Assurance of Canada, and United Parcel Service Canada Ltd. 

Microsoft Informs Customers of Espionage

Russian hackers who broke into Microsoft’s systems and spied on staff inboxes earlier this year also reportedly stole emails from its customers, the tech giant said in a public statement yesterday, six months after it first disclosed the intrusion.

The disclosure emphasizes the depth of the breach as Microsoft faces increasing regulatory scrutiny over the security of its software and systems against foreign threats. This comes on the heels of, allegedly, a Chinese hacking group that separately breached Microsoft last year and subsequently encrypted thousands of U.S. government emails.

"This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," a Microsoft spokesperson said in their emailed statement. 

When it comes to how long a cyberattack lasts–and takes to be reported on–the average duration across North America is an estimated 24 days.

However, this is highly dependent on an organization's cybersecurity efforts. Other critical statistics surrounding the length of cyberattacks in 2024 include, but aren't limited to:

  • On average, companies take about 197 days to identify and 69 days to contain a breach according to IBM
  • Ahead of the year's close, there have already been 5 billion cyberattacks in 2024 around the globe
  • The average cost of a cyberattack has risen by 15% over the past three years, now sitting at a staggering USD $4.45 million

However, ensuring that an organization's cybersecurity is up to regulatory standards can help diminish both the risk of an attack and the financial and reputational losses that may be faced in the wake of a successful one. The breaches of Microsoft emphasize the importance of proactive cybersecurity for all organizations, from SMBs to enterprises.

Polyfill Supply Chain Attack Impacts Over 110,000 Websites

It’s official: Polyfill.io, a domain used by over 110,000 websites worldwide to deliver JavaScript code, has been used in a sophisticated supply chain attack. This could potentially lead to significant data theft and clickjacking attacks.

The site offered widely used fragments of code ("polyfills") that let older or outdated browsers use modern JavaScript features. These fragments ease the workload of developers and give their sites compatibility with a broader range of browsers.

However, because malicious code was inserted into these fragments, users visiting an affected website could unwittingly run the malware in their browser.

Security researchers found that the injected code generates payloads that differ based on HTTP headers: it activates only on specific devices, delays execution, and avoids admin users, all of which obscure its behaviour and make detection more difficult.
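Because the served payload varies by request headers, there is no fixed file to pin with Subresource Integrity; the practical defence is to find every page that still references the domain and remove the tag. The following is an added example, not code from the newsletter or from Polyfill.io: a scanner for static HTML that lists each external script, flags ones loaded from polyfill.io (the only domain named above) or its sub-domains, and notes cross-origin scripts that carry no `integrity` attribute. The sample page, the `cdn.polyfill.io` host and the other hostnames are constructed for the example.

```javascript
// Added example (not from the newsletter or Polyfill.io): audit external <script>
// tags in static HTML for loads from a compromised third-party host and for
// cross-origin scripts without Subresource Integrity.

// Hosts treated as compromised script sources. polyfill.io comes from the article;
// sub-domains are matched by suffix, so cdn.polyfill.io (assumed) is covered too.
const BLOCKED_HOSTS = ["polyfill.io"];

// Crude tag scanner: adequate for static HTML, not a full HTML parser.
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Resolve a src (absolute or relative) against the page origin; null if invalid.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

function isBlockedHost(host) {
  return host !== null && BLOCKED_HOSTS.some((b) => host === b || host.endsWith("." + b));
}

// One finding per external script: where it loads from, whether that host is
// on the blocked list, and whether a cross-origin load lacks SRI.
function auditScripts(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname.toLowerCase();
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline script: not a third-party load
    const host = hostOf(attrs.src, pageOrigin);
    const crossOrigin = host !== null && host !== pageHost;
    findings.push({
      src: attrs.src,
      host,
      blockedHost: isBlockedHost(host),
      missingSri: crossOrigin && !attrs.integrity,
    });
  }
  return findings;
}

// Constructed sample page: one polyfill.io load, one SRI-pinned third-party
// library, one same-origin script and one inline script.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>`;

for (const f of auditScripts(SAMPLE_HTML, "https://shop.example.com/")) {
  console.log(JSON.stringify(f));
}
```

Run it over every template and built HTML file in a site's repository rather than over live pages, since the point is to find the tag at its source. The `missingSri` flag is a general hygiene finding; for the polyfill.io case specifically, the header-dependent payload described above is exactly the situation SRI cannot protect, so a hit on `blockedHost` means removing or self-hosting the script.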
