Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 12830
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-29 15:11:52 | bleepingcomputer | MALWARE | Botnets Target Outdated D-Link Routers for DDoS Attacks | Two malware botnets, named Ficora and Capsaicin, have increased activity exploiting vulnerabilities in outdated or end-of-life D-Link routers. Targeted models include DIR-645, DIR-806, GO-RT-AC750, and DIR-845L, using exploits linked to four CVEs from 2015 to 2024. Attackers use the HNAP interface of compromised D-Link devices to execute commands and potentially steal data. Ficora, an adaptation of the Mirai botnet, notably surged in activity in October and November, focusing on random targets worldwide. Capsaicin, associated with the Keksec group and a variant of Kaiten, showed a brief burst of intense activity targeting East Asian countries. Both botnets possess DDoS capabilities, including UDP flooding, TCP flooding, and DNS amplification. Security recommendations include updating firmware, replacing end-of-life devices, using strong unique passwords, and disabling unnecessary remote access. | Details |
| 2024-12-28 16:59:50 | bleepingcomputer | DATA BREACH | Hackers Exploit Third-Party App to Steal ZAGG Customer Data | Hackers accessed ZAGG customer credit card information through a compromised third-party FreshClicks app used by BigCommerce. The breach occurred between October 26 and November 7, 2024, during which the malicious code scraped credit card details during the checkout process. ZAGG, a major consumer electronics accessories maker, did not disclose the number of customers affected but has offered free credit monitoring services. In response to the breach, ZAGG has notified law enforcement and federal regulators and taken remediation measures to enhance security. BigCommerce confirmed that its systems were intact and not directly compromised, attributing the issue solely to the third-party app. Following the discovery, BigCommerce promptly uninstalled the compromised FreshClicks app from customer stores to prevent further data loss. Customers impacted by the breach were advised to monitor their financial accounts closely and consider additional security measures such as placing fraud alerts and credit freezes. | Details |
| 2024-12-28 16:19:06 | bleepingcomputer | DATA BREACH | Massive Data Leak Exposes Location Info of 800,000 Electric Cars | Volkswagen's subsidiary, Cariad, inadvertently exposed data from approximately 800,000 electric vehicles online. The breach included sensitive information such as precise vehicle locations and could potentially be linked to driver identities. The exposure arose from misconfigured IT applications, allowing access to cloud-stored data of VW, Seat, Audi, and Skoda vehicles. The exposed data was discoverable with minimal technical expertise, despite pseudonymization and other security measures. The ethical hacking group Chaos Computer Club identified and reported the issue, prompting a quick security fix by Cariad. Affected data included geolocation precise to within ten centimeters for some vehicles and involved international vehicle registrations. No evidence suggests that the exposed data was accessed by parties other than the ethical hackers or that it was misused. The incident underlines the importance of robust data management and security practices in protecting digital and personal customer information. | Details |
| 2024-12-28 15:18:21 | bleepingcomputer | DATA BREACH | Volkswagen Software's Misconfiguration Exposes Data of 800,000 Electric Cars | Volkswagen's software company, Cariad, exposed data from around 800,000 electric cars due to an IT configuration error. Personal information and precise vehicle locations were accessible, including data on vehicles used by police and potentially intelligence services. The breach was discovered by ethical hackers from the Chaos Computer Club, who accessed the data via vulnerabilities in Amazon cloud storage. Affected vehicles included those from popular brands such as VW, Seat, Audi, and Skoda, with some location data accurate to ten centimeters. The security lapse was reported responsibly, leading Cariad to quickly restrict access and address the vulnerability within hours of notification. No evidence suggests that the exposed data was accessed or misused by third parties other than the ethical hackers. Cariad emphasizes the importance of collected data for developing future automotive technologies but assures that strong data protection practices are in place. | Details |
| 2024-12-28 12:36:41 | theregister | CYBERCRIME | RansomHub's Rapid Ascent as Dominant Cybercrime Force in 2024 | RansomHub emerged earlier this year, exploiting the vacuum created by the takedown of LockBit and the exit of ALPHV/BlackCat, and quickly became a prominent ransomware group. Within six months, RansomHub has targeted over 200 organizations, including high-profile victims such as Christie's and Rite Aid, drawing significant attention from law enforcement agencies like the FBI and CISA. The group has gained notoriety for offering lucrative splits to affiliates, proposing a 90-10 revenue share, which is more generous than the typical 80-20 or 70-30 found in other ransomware operations. RansomHub uses aggressive marketing tactics and maintains transparency with affiliates, helping it quickly build a large base and significantly increase attack volume. Analysts at ZeroFox report that RansomHub accounted for about 20% of all ransomware and data exfiltration incidents by the end of 2024, signaling a major shift in the cybercriminal landscape. Despite this success, the visibility of its operations and the number of high-profile attacks might shorten its operational lifespan due to increased scrutiny from both national security agencies and competing cybercriminal groups. Security experts predict that RansomHub's influence will continue growing into early 2025 but acknowledge the cyclical nature of ransomware groups and the constant emergence of new threats. | Details |
| 2024-12-28 06:28:10 | thehackernews | MALWARE | Over 15,000 Routers Vulnerable to Exploit from Default Credentials | A critical vulnerability identified as CVE-2024-12856 affects select Four-Faith router models, specifically F3x24 and F3x36. The flaw, an OS command injection bug, has a CVSS score of 7.2 and is currently being actively exploited. Attackers are using default credentials on the routers to gain unauthorized access and execute malicious commands remotely. The exploitation allows attackers to establish a persistent reverse shell, increasing the threat of continual remote exploitation. Over 15,000 internet-facing devices are possibly impacted by this vulnerability, according to Censys data. Continuous attempts to exploit similar vulnerabilities in Four-Faith routers have been documented, indicating persistent interest from cyber threat actors. No patch information is currently available; the issue was reported to Four-Faith by VulnCheck on December 20, 2024. The exploitation was traced to an IP address previously known for similar cyber attacks. | Details |
| 2024-12-27 20:02:20 | bleepingcomputer | NATION STATE ACTIVITY | White House Identifies Ninth US Telecom Breach by Chinese Hackers | The White House has attributed a ninth U.S. telecom breach to the Chinese cyber-espionage group Salt Typhoon, also known under multiple other aliases. Salt Typhoon has been active since at least 2019, focusing primarily on government entities and telecoms in Southeast Asia and the United States. Anne Neuberger, Deputy National Security Adviser, announced the latest breach and emphasized ongoing vulnerabilities in U.S. critical infrastructure prone to Chinese cyberattacks. The Biden administration has issued new guidance to assist telecom admins in detecting and mitigating intrusion attempts by Chinese hackers. The increasing tension has led to actions such as potential bans on China Telecom and TP-Link routers, reflecting rising national security concerns. CISA has recommended that senior U.S. officials use end-to-end encrypted messaging services, and new legislative measures are being proposed to strengthen telecom network security. No evidence currently suggests that classified communications were compromised, but there is uncertainty about whether adversaries have been completely evicted from the networks. | Details |
| 2024-12-27 17:45:53 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Expand Malware Arsenal in Global Campaign | North Korean operatives have launched the Contagious Interview campaign, using social engineering to distribute JavaScript malware named OtterCookie by posing as job recruiters. The malware is deployed via corrupted video-conferencing apps and npm packages, often hosted on GitHub or official nodes. OtterCookie connects to a remote server from which the operators issue commands and steal sensitive data, including file contents and cryptocurrency wallet keys. Recent updates to the malware have improved its ability to steal cryptocurrency directly, indicating active development and refinement by the hackers. The campaign operates under various aliases including Famous Chollima and Tenacious Pungsan, according to findings by Palo Alto Networks and Group-IB. This operation is distinct from but shares similarities with another North Korean campaign, Operation Dream Job, which aims to infiltrate organizations through job-related lures. South Korea's Ministry of Foreign Affairs has responded by sanctioning 15 individuals and one organization linked to a separate but related fraudulent IT worker scheme. The sanctioned operations are said to funnel funds back to North Korea, supporting its nuclear and missile development programs and posing significant international security threats. | Details |
| 2024-12-27 17:35:34 | theregister | MISCELLANEOUS | Windows 11 Update Issue Blocks Security Patches for Users | A new known issue with Windows 11 24H2 affects installations via removable media, stopping systems from receiving security updates. This problem surfaces when the removable media used for installation carries the October or November 2024 security updates, making further updates impossible. Microsoft advises users to avoid installing Windows 11, version 24H2, with these specific outdated security updates and to use media that includes the December 2024 update or later. The installation issue does not impact devices that update through Windows Update or the Microsoft Update Catalog website. Although most users are not expected to encounter this issue, those using customized installation media should be particularly cautious. Currently, there is no available fix for this issue, but Microsoft has announced that it is working towards a resolution. This is part of a series of recent issues identified with the Windows 11 24H2 update, contributing to user frustration and concerns over software stability. | Details |
| 2024-12-27 16:34:44 | bleepingcomputer | DDOS | Hackers Target Palo Alto Networks Firewalls with DoS Attacks | Palo Alto Networks has identified active exploitation of the CVE-2024-3393 vulnerability impacting its firewalls. The exploitation involves a Denial of Service (DoS) attack that forces firewalls to reboot by sending a malicious DNS packet. Continuous exploitation may cause the affected devices to enter maintenance mode, requiring manual restoration. The vulnerability affects devices where the 'DNS Security' logging feature is enabled, across multiple versions of PAN-OS software. Remediation patches have been issued for PAN-OS versions 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3. PAN-OS 11.0, also affected, will not receive a patch as it reached end-of-life status as of November 17. Palo Alto Networks has published several mitigation steps for various configurations of its network security products. | Details |
| 2024-12-27 15:44:00 | bleepingcomputer | CYBERCRIME | Cyberattack Targets Chrome Extensions, Compromises User Data | Cybersecurity firm Cyberhaven announced a breach involving its Chrome extension after an administrator's account was phished. The compromised extension version 24.10.4 contained code that enabled data theft from users by exfiltrating authenticated sessions and cookies. The malicious package was detected and removed within an hour of its installation, and a safe version (24.10.5) was released shortly after. The attack affected other Chrome extensions as well, with similar malicious code snippets found by Nudge Security researcher Jaime Blasco. Affected users are advised to upgrade to the latest versions of their extensions, revoke non-FIDOv2 passwords, rotate API tokens, and review browser logs for signs of malicious activity. Additional recommended actions for users include uninstalling questionable extensions, resetting important passwords, clearing browser data, and restoring default browser settings. High-profile Cyberhaven clients, including Snowflake, Motorola, Canon, and Reddit, were potentially impacted by this security breach. | Details |
| 2024-12-27 11:11:19 | thehackernews | MALWARE | Cloud Atlas Malware Attack Primarily Targets Russian Users | Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014 and is engaging in new cyberattacks using VBCloud malware. Over 80% of the cyberattack targets are located in Russia, with additional victims in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. The malware distribution starts with a phishing email containing a malicious Microsoft Office document that exploits CVE-2018-0802 to download malware. The newly deployed malware, VBCloud, works in conjunction with other tools such as PowerShower and VBShower to facilitate data theft and system infiltration. Kaspersky's research indicates that VBCloud leverages public cloud storage for command and control (C2) communications and is triggered upon user login. The malware collects extensive information from the infected systems, including details on disks, system metadata, and files of specific formats like DOCX, XLSX, PDF, and others. VBCloud also enables further infiltration of the local network and extraction of sensitive data, in line with the threat actor's continuous evolution and sophisticated attack methods. | Details |
| 2024-12-27 07:39:07 | thehackernews | DDOS | Palo Alto Networks Issues Urgent Patch for DoS Vulnerability | Palo Alto Networks has released patches to address a critical denial-of-service (DoS) vulnerability in PAN-OS, affecting versions 10.X and 11.X. The vulnerability, designated CVE-2024-3393 with a CVSS score of 8.7, lies in the DNS Security feature and allows unauthenticated attackers to send malicious packets that reboot the firewall. The impact extends to devices running PAN-OS in default configurations with DNS Security logging enabled, affecting firewall stability and network security. Fixes are available in PAN-OS versions 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3, along with recommendations to upgrade immediately to mitigate risks. As a temporary measure, Palo Alto advises customers to set DNS Security log severity to "none" for firewalls not yet upgraded or managed by Panorama and Strata Cloud Manager. Palo Alto Networks identified the issue during production use after incidents where firewalls entered maintenance mode following repeated malicious DNS packet blocks. | Details |
| 2024-12-27 07:13:37 | thehackernews | MALWARE | Global Botnet Attacks Exploit Decade-Old D-Link Vulnerabilities | Cybersecurity researchers have noticed an increase in attacks involving outdated D-Link router vulnerabilities exploited by Mirai and Kaiten botnet variants, FICORA and CAPSAICIN. The vulnerabilities, used by attackers to execute remote commands, were first documented nearly ten years ago but continue to pose threats globally. FICORA has targeted various countries worldwide, deploying malware with brute-force and DDoS capabilities via compromised routers. The CAPSAICIN botnet, active particularly in East Asia, uses compromised devices to connect to a control server, sending device information and awaiting further malicious commands. Both botnets employ scripts to download the main payload suited to each of several Linux architectures, with CAPSAICIN uniquely terminating competing botnet processes to dominate the host. The researchers emphasize the importance of enterprises updating device kernels and maintaining robust monitoring systems to mitigate such threats. The intensity and geographic focus of the activities, along with the technical attack methods, underline the strategic deployment of these botnets in cyber espionage and disruption operations. | Details |
| 2024-12-27 06:48:10 | thehackernews | MALWARE | Critical Remote Code Execution Flaw in Apache MINA Patched | The Apache Software Foundation has patched a severe vulnerability in the MINA Java framework that could allow remote code execution. Identified as CVE-2024-52046, this critical flaw has a CVSS score of 10.0 and impacts versions 2.0.X, 2.1.X, and 2.2.X. The vulnerability stems from inadequate security checks in the ObjectSerializationDecoder, which uses Java's deserialization protocol. Attackers can exploit this flaw by sending specially crafted malicious serialized data, potentially leading to remote code execution attacks. Exploitation is conditional on the "IoBuffer#getObject()" method being used in conjunction with specific classes like ProtocolCodecFilter and ObjectSerializationCodecFactory. Apache advises that upgrading alone is not sufficient; users must also implement new methods to restrict the classes that the decoder processes. This disclosure follows recent fixes for multiple other security issues across various Apache products, including Tomcat and Struts, with active exploitation attempts detected. Users are urged to update their software installations immediately to protect against these vulnerabilities. | Details |