Daily Brief
Total articles found: 12830
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-12-26 18:31:26 | bleepingcomputer | CYBERCRIME | Apache Fixes Critical Vulnerabilities in Three Key Products | The Apache Software Foundation has released updates fixing critical vulnerabilities in MINA, HugeGraph-Server, and Traffic Control. The vulnerabilities carry severity ratings of up to 10/10 and include remote code execution and authentication bypass. The Apache MINA flaw lies in its 'ObjectSerializationDecoder' and stems from unsafe Java deserialization; users are advised to upgrade to the newly released versions and adjust settings to reject all classes not explicitly allowed. The HugeGraph-Server authentication bypass resulted from flaws in the authentication logic and is fixed in version 1.5.0. Traffic Control's SQL injection vulnerability allowed attackers to execute arbitrary SQL commands; it is resolved in version 8.0.2. Prompt patching is critical, especially during the holiday season when patching response may be slower and risk heightened. |
| 2024-12-26 16:55:17 | bleepingcomputer | MALWARE | North Korean 'OtterCookie' Malware Targets Developers with Job Scams | North Korean hackers behind the Contagious Interview campaign, active since December 2022, are using OtterCookie malware to attack software developers through deceptive job offers. OtterCookie, first seen in September with a new variant in November, can operate independently or alongside other malware such as BeaverTail. The malware is delivered through loaders disguised in Node.js projects or npm packages on GitHub or Bitbucket, and more recently through Qt or Electron applications. Once activated, OtterCookie communicates with command-and-control servers over Socket.IO WebSocket to execute commands and extract sensitive data, including cryptocurrency wallet keys. Its capabilities expanded between September and November, including changes to how it steals sensitive data and clipboard contents. Researchers have observed reconnaissance commands on infected systems, suggesting preparation for deeper infiltration or lateral movement. Software developers should verify prospective employers' information to avoid running unsafe code propagated through fake job offers. |
| 2024-12-26 15:34:17 | bleepingcomputer | MISCELLANEOUS | Microsoft Warns of Windows 11 Update Installation Bug | Microsoft has identified an installation media bug in Windows 11, version 24H2, that prevents the system from receiving further security updates. The issue arises when using CD or USB flash drives created with security updates from October or November 2024. Systems updated via Windows Update or the Microsoft Update Catalog website are not affected. Microsoft advises including the most recent December 2024 security update in the installation media to avoid the bug. The bug adds to a series of issues with Windows 11 24H2, including audio problems, Outlook launch issues, and game performance disruptions. Microsoft is developing a permanent fix; until it is available, users can avoid the issue by using installation media that includes the latest update. |
| 2024-12-26 14:43:36 | thehackernews | CYBERCRIME | Brazilian Hacker Indicted for $3.2M Bitcoin Extortion Scheme | Brazilian hacker Junior Barros De Oliveira has been charged in the US with extorting $3.2 million in Bitcoin. He is accused of hacking 300,000 customer accounts of a Brazilian subsidiary of a New Jersey-based company and threatening to release the stolen customer data unless paid 300 Bitcoins, about $3.2 million at the time. Follow-up threats included a demand for an additional 75 Bitcoins as consulting fees to fix the security flaw. The indictment details four counts each of extortionate threats and threatening communications. Each count of extortionate threats carries up to 5 years in prison and a fine of $250,000 or twice the gain/loss; each count of threatening communications carries up to 2 years in prison and similar fines. |
| 2024-12-25 13:50:02 | thehackernews | CYBERCRIME | Critical Vulnerabilities Discovered in Ruijie Networks' Cloud Platform | Researchers at Claroty uncovered multiple security flaws in Ruijie Networks' cloud management platform, potentially endangering around 50,000 devices. Three of the vulnerabilities are rated Critical and could allow remote execution of malicious code. Compromised devices could be remotely controlled through the "Open Sesame" attack, which relies on knowledge of device serial numbers. Attackers could perform a variety of actions, including launching denial-of-service attacks or sending false data via the MQTT communication protocol. An attacker in proximity to the Wi-Fi network could also obtain device serial numbers from raw Wi-Fi beacons to exploit these vulnerabilities. Ruijie has addressed all reported vulnerabilities in an update, and no further action is required from users. The research highlights broader issues with the security of IoT devices and their possible use in facilitating network-wide attacks. |
| 2024-12-25 13:34:36 | thehackernews | CYBERCRIME | Critical SQL Injection Flaw in Apache Traffic Control Fixed | The Apache Software Foundation has released updates for a critical SQL injection flaw in Apache Traffic Control. The vulnerability, identified as CVE-2024-45387, allows arbitrary SQL command execution. Rated 9.9 on the CVSS scale, it affects Traffic Ops in Apache Traffic Control versions 8.0.0 to 8.0.1 and can be exploited by privileged users with specific roles via a specially crafted PUT request. Apache Traffic Control is an open-source Content Delivery Network solution. The discovery is credited to researcher Yuan Luo of Tencent YunDing Security Lab. The flaw is patched in Apache Traffic Control version 8.0.2. ASF continues to address additional security risks, having recently fixed vulnerabilities in Apache HugeGraph-Server and Apache Tomcat. |
| 2024-12-25 13:29:19 | theregister | MISCELLANEOUS | Former NSA Director Delves into Hobby of Hacking Christmas Lights | Rob Joyce, former NSA cyberspy and White House Cybersecurity Coordinator, spoke at Shmoocon about his hobby of hacking Christmas lights, revealing a lighter side to his technical skills. His interest in festive light displays began with a family tradition of viewing neighborhood Christmas lights, inspiring him to build his own elaborate setup using computer-controlled LEDs synchronized to music. He detailed the technical side of the hobby, explaining his use of the open-source xLights software and hardware built from custom-made, securely controlled systems to enhance his house's display every Christmas. Despite the high initial setup effort, Joyce continues to refine the display, using carefully secured technology to prevent tampering and ensure smooth operation. The displays attract significant local attention, occasionally causing traffic and frustration among neighbors, although many appreciate the festive spirit they add to the community. Joyce contributes to the Christmas lights enthusiast community, sharing updates and advice and interacting with hobbyists worldwide, reflecting the growth and international interest in programmed light displays. The hobby is a personal joy for Joyce and his family and engages a broader community of tech and Christmas enthusiasts each year, demonstrating an unexpected application of cybersecurity skills in a festive context. |
| 2024-12-25 10:32:28 | thehackernews | NATION STATE ACTIVITY | Iranian Group Charming Kitten Deploys Updated BellaCPP Malware | Iranian APT group Charming Kitten, affiliated with the IRGC, has developed a new variant of the BellaCiao malware named BellaCPP. Russian cybersecurity firm Kaspersky discovered BellaCPP on a compromised machine in Asia that had previously been infected with the original BellaCiao malware. Unlike its .NET predecessor, the new variant is a C++ based DLL file named "adhapl.dll". BellaCPP retains functionality similar to BellaCiao, including the ability to load additional DLLs, likely for creating SSH tunnels, but omits the web shell features. BellaCiao was used in attacks in the U.S., the Middle East, and India, exploiting vulnerabilities in applications such as Microsoft Exchange Server. The group uses sophisticated social engineering in its cyberattacks and has previously targeted publicly accessible systems. Kaspersky noted that BellaCPP uses domains historically associated with Charming Kitten, indicating persistent use of the same infrastructure by the actor. |
| 2024-12-24 20:04:27 | bleepingcomputer | MALWARE | New Mirai Botnet Targets NVRs and Routers, Exploiting Critical Vulnerabilities | A new Mirai-based botnet has been exploiting unpatched vulnerabilities in DigiEver NVRs and outdated TP-Link routers since October. The botnet uses a remote code execution flaw in DigiEver DS-2105 Pro NVRs that lets attackers run commands such as 'curl' and 'chmod' on affected devices. Akamai researchers have observed active exploitation of this flaw since mid-November, with indications that the campaign began as early as September. The botnet also targets other devices, including Teltonika RUT9XX routers via CVE-2018-17532 and TP-Link devices via CVE-2023-1389. Infected devices are used for DDoS attacks and to spread the malware further using exploit sets and credential lists. The Mirai variant employs advanced encryption methods such as XOR and ChaCha20, highlighting the evolving tactics of botnet operators. Akamai's report provides indicators of compromise and Yara rules to help identify and mitigate this botnet activity. |
| 2024-12-24 17:07:37 | bleepingcomputer | CYBERCRIME | European Space Agency Store Hacked, Payment Information Stolen | The official European Space Agency (ESA) web store was hacked and malicious JavaScript code was introduced. The code generated a fake Stripe payment page during checkout, misleading customers into entering their payment card details. Sansec, an e-commerce security firm, detected the malicious script and noted the risk it could pose to ESA's internal systems. The hacked domain was similar to the legitimate one but used a different top-level domain, making detection harder for users. Source Defense Research confirmed that the fake payment page looked authentic and was embedded seamlessly into the ESA web store. Although the fake payment page was removed, the malicious script remained on the website, indicating continued vulnerability. ESA clarified that the store is managed by an external vendor, is not hosted on its own infrastructure, and that ESA does not manage the data collected through the store. |
| 2024-12-24 16:06:49 | theregister | MALWARE | Androxgh0st Botnet Emerges as Dominant Global Malware Threat | After the dissipation of the Mozi botnet, a new botnet named Androxgh0st has emerged and quickly become a significant global cyber threat. Security analysts suggest Androxgh0st is likely operated by Chinese threat actors, potentially aligned with state-sponsored interests. Check Point recently identified Androxgh0st as the most prevalent malware, affecting 5% of organizations worldwide, highlighting its broad impact. The botnet has enhanced capabilities inherited from Mozi, allowing it to target a wider range of systems, including IoT devices and major web servers. Androxgh0st can execute large-scale DDoS attacks, conduct mass surveillance, and steal data across critical networks. The malware shows robust adaptability and a growing capability to exploit web application vulnerabilities, projected to rise significantly by mid-2025. U.S. agencies including the FBI and CISA have officially warned about the threat posed by Androxgh0st, emphasizing its capability to steal cloud credentials and deploy webshells. |
| 2024-12-24 14:50:52 | bleepingcomputer | CYBERCRIME | Clop Ransomware Extorts Companies After Cleo Data Breach | The Clop ransomware group is threatening 66 companies with exposure unless they enter ransom payment negotiations within 48 hours. Victims are being contacted directly by the cybercriminals and provided with secure chat links for ransom discussions. Clop exploited a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products in a significant data theft operation. A security patch was previously issued for the exploited software versions, but recent disclosures reveal a potential bypass of the fix. The exploit, identified as CVE-2024-50623, allows unauthorized file uploads/downloads and remote code execution. Researchers have demonstrated a proof-of-concept showing active exploitation risk even after patching. The full impact of the breach is still uncertain; Cleo's products are used by over 4,000 organizations globally. Clop announced it will delete older attack data from its platform as it begins this new cycle of extortion. |
| 2024-12-24 14:05:12 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Group Executes $308 Million Crypto Theft in Japan | North Korean hackers identified as the group TraderTraitor stole $308 million in cryptocurrency from the Japanese exchange DMM Bitcoin. The attack began in late March 2024 when a hacker posing as a recruiter contacted an employee at Ginco via LinkedIn and later sent them malicious code through a supposed job test on GitHub. The malicious code gave the hackers access to Ginco's systems, from which they moved laterally to DMM Bitcoin. By mid-May 2024, the hackers used session cookie information to impersonate the compromised Ginco employee, gaining access to unencrypted communication systems. The final theft occurred in late May 2024 through manipulation of a transaction request, resulting in the loss of 4,502.9 BTC. The FBI has monitored TraderTraitor since 2022, noting its association with various cybercrimes, including a significant social engineering campaign reported by GitHub in 2023. Following the incident, DMM Bitcoin restricted account registrations, cryptocurrency withdrawals, and trading activities pending further investigation. |
| 2024-12-24 13:24:26 | thehackernews | MALWARE | Malicious PyPI Packages Target Keystrokes, Hijack Social Media Accounts | Researchers have identified two malicious packages, zebo and cometlogger, on the Python Package Index (PyPI). The packages, which were downloaded numerous times before removal, could steal sensitive information, including keystrokes and social media account data. Zebo used obfuscation and could capture keystrokes and screenshots, sending the data to a remote server through obfuscated HTTP requests. It persisted on infected machines by placing a script in the Windows Startup folder so it ran at each restart. Cometlogger was designed to harvest extensive user data from various applications and performed system checks to avoid detection in virtualized environments. It could terminate browser processes and used asynchronous execution to exfiltrate large amounts of data quickly. Security experts recommend scrutinizing code thoroughly before execution and avoiding scripts from unverified sources to prevent such infections. |
| 2024-12-24 13:03:53 | bleepingcomputer | MALWARE | Clop Ransomware Extorts 66 Companies, Threatens Data Leak | The Clop ransomware gang has given 66 companies a 48-hour deadline to negotiate ransom payments, threatening to leak their data. Victims were contacted directly by the cybercriminals and provided with secure chat links for ransom negotiations, along with contact emails. The affected entities are users of Cleo products, with data stolen via a zero-day vulnerability in Cleo's software. The exploitation involves Cleo LexiCom, VLTransfer, and Harmony products and enables unauthorized file uploads and downloads. A security patch is available, but recent reports suggest it can be bypassed, highlighting ongoing vulnerability. Clop has a history of exploiting zero-day vulnerabilities in various software to gain unauthorized access to corporate networks. Although 66 companies are listed, the actual number of affected entities could be higher, as the list only includes those who have not responded to Clop's initial contact. |