Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12824
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-11 23:29:31 | bleepingcomputer | MALWARE | Hackers Exploit WordPress Plugin Vulnerability to Install Backdoors | Hackers are exploiting a critical vulnerability in the Hunk Companion WordPress plugin to install outdated, vulnerable plugins. These older plugins have known security flaws allowing remote code execution, SQL injection, and cross-site scripting. WPScan identified the issue and found active exploitation of CVE-2024-11972, which enables unauthenticated plugin installation. The exploited vulnerability also allowed hackers to deploy a PHP dropper for persistent backdoor access. Hunk Companion, used by over 10,000 sites, complements ThemeHunk WordPress themes by extending their functionality. Despite a previous update that patched a similar flaw, version 1.9.0 was urgently released to address this zero-day vulnerability. Based on initial patch download figures, roughly 8,000 websites have not updated and remain at risk. | Details |
| 2024-12-11 23:08:57 | theregister | NATION STATE ACTIVITY | Senator Proposes Law to Strengthen Telecom Cybersecurity Standards | Senator Ron Wyden criticized the FCC for not implementing required security standards in the telecom sector, highlighting recent hacks by a group known as Salt Typhoon. The proposed Secure American Communications Act mandates minimum cybersecurity standards for U.S. telecom carriers to protect against nation-state hacks. The proposal requires the FCC to create binding cybersecurity rules for telecom systems in consultation with the U.S. Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence. Victims of the Salt Typhoon hack reportedly included high-profile figures such as president-elect Donald Trump and campaign workers of current VP Kamala Harris. The legislation stresses preventing unauthorized interception of communications and includes annual testing and independent audits to ensure compliance. Outgoing FCC chair Jessica Rosenworcel also suggested similar rules to protect the nation's telecom infrastructure from foreign espionage. This legislative push follows Wyden's previous efforts to secure communications and limit the export of U.S. citizens' personal data to adversarial nations. | Details |
| 2024-12-11 23:08:57 | bleepingcomputer | MISCELLANEOUS | Cynet Achieves 100% Detection and Protection in MITRE Evaluation | Cynet reached 100% Visibility and 100% Protection in the 2024 MITRE ATT&CK Evaluation, surpassing other cybersecurity vendors. The company detected and blocked all simulated threats during the evaluation, with no false positives and without needing any configuration changes. MITRE ATT&CK Evaluations are extensive tests that assess the ability of security solutions to detect and prevent cyber threats using real-world attack techniques. This performance marks a consistent achievement for Cynet, following its strong performance in the previous year's evaluation. The evaluations do not rank vendors or declare winners but provide critical data for businesses to determine the best security solutions for their specific needs. Cynet's results underscore its capability to protect Windows, macOS, and Linux platforms comprehensively. The company credits its cutting-edge, all-in-one cybersecurity platform for its continued success in safeguarding SMEs and MSPs. | Details |
| 2024-12-11 22:48:32 | bleepingcomputer | MISCELLANEOUS | Cynet Achieves Top Marks in 2024 MITRE ATT&CK Evaluation | Cynet was the only vendor to score 100% in both Detection Visibility and Protection in the 2024 MITRE ATT&CK Evaluation. Its All-in-One Cybersecurity Platform detected and blocked every threat and attack step tested, without any false positives. Cynet missed none of the 77 malicious sub-steps assessed, which covered multiple operating systems including Windows, macOS, and Linux. Cynet prevented all attacks at the initial sub-step, demonstrating early threat mitigation. The 2024 results build on Cynet's past performance, showing consistent improvement and leading capability in threat detection and protection. MITRE ATT&CK Evaluations are valuable because they benchmark the effectiveness of cybersecurity solutions in realistic scenarios without ranking vendors or declaring winners. Cybersecurity leaders are encouraged to analyze MITRE's results to choose protection suited to their specific needs. | Details |
| 2024-12-11 21:07:25 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Police Allegedly Utilize New "EagleMsgSpy" Android Spyware | A new Android spyware named "EagleMsgSpy" has been identified and is reportedly used by Chinese law enforcement to monitor mobile devices. The spyware, which has been active since at least 2017, was developed by Wuhan Chinasoft Token Information Technology Co., Ltd. Lookout's research links the spyware to its creators through the IP addresses of C2 servers, domain overlaps, internal documentation, and public contracts. Installation of EagleMsgSpy is typically manual, performed by law enforcement on unlocked devices during arrests. The malware is not available on Google Play or third-party app stores, indicating restricted distribution among a limited group of operators. EagleMsgSpy's features include data encryption, hidden storage, and real-time surveillance through a control panel called the "Stability Maintenance Judgment System." Wuhan Chinasoft Token Information Technology is confirmed as the developer, with direct evidence tying it to the malware's operational infrastructure. Lookout's findings suggest the spyware's administration panels are used systematically by government agencies, including public security bureaus. | Details |
| 2024-12-11 20:21:46 | bleepingcomputer | NATION STATE ACTIVITY | Russian Cyber-Espionage Group Targets Ukrainian Military Via Starlink | The Russian cyber-espionage group Turla, linked to Russia's FSB, exploits the infrastructure of other hacking groups to target Ukrainian military communications via Starlink. Microsoft discovered Turla using the Pakistani hacker group Storm-0156's infrastructure and the Amadey botnet for clandestine operations. Turla's campaign deployed the malware families Tavdig and KazuarV2 on Ukrainian systems to gather intelligence on front-line military operations. The group initiates attacks via phishing emails that download reconnaissance tools and custom malware to identify and prioritize military targets. Microsoft is uncertain whether Turla hijacked or purchased access to the Amadey botnet, which was used for initial malware deployment. Tavdig functions as a surveillance backdoor, while KazuarV2 handles long-term intelligence collection, including data theft and command execution. Microsoft released mitigation strategies and detection techniques for these specific threats and for the broader tactics associated with Turla's activities. | Details |
| 2024-12-11 19:05:55 | theregister | CYBERCRIME | Krispy Kreme Faces Cyber Attack, Disrupting Online Services | Krispy Kreme experienced unauthorized access to part of its IT systems on November 29, leading to disruptions, particularly in online ordering. The incident was serious enough to potentially have a material impact on the company's operations and financial condition. Cybersecurity experts were hired to investigate, contain, and remediate the incident. Krispy Kreme has not disclosed the exact nature of the attack, leaving it unclear whether it involved ransomware or data theft. Costs related to the incident are expected to include lost revenue from digital sales, fees for cybersecurity expertise, and system restoration expenses. The company holds cybersecurity insurance, which is anticipated to cover part of the incident-related costs. Operational disruptions persisted as the company worked to restore normal service, though it stated that doughnuts remained available in stores and other retail locations. The timing of the disclosure to the SEC could be considered late, raising potential compliance issues. | Details |
| 2024-12-11 18:05:10 | thehackernews | NATION STATE ACTIVITY | Russian Group Deploys Malware in Ukraine Using Hijacked Tools | The Russian nation-state actor Secret Blizzard used malware in cyber operations targeting Ukrainian military systems. The group employed the Amadey bot malware to download custom malware, deploying the Kazuar backdoor. This activity marked the second instance since 2022 in which Secret Blizzard has used cybercrime tools for its purposes in Ukraine. Turla, another name for Secret Blizzard, has previously targeted ministries, embassies, and defense departments worldwide for intelligence. Recent tactics include commandeering command-and-control servers from other hacking groups to mask its operations. Microsoft and Lumen Technologies' Black Lotus Labs discovered Turla's misuse of infrastructure belonging to a Pakistani hacking group. Microsoft continues to investigate how Secret Blizzard gained access to the Amadey bots and other tools. The findings exemplify how state-sponsored actors obscure their operations using third-party tools and infrastructure. | Details |
| 2024-12-11 17:04:23 | bleepingcomputer | NATION STATE ACTIVITY | Turla Cyberespionage Targets Ukrainian Military via Starlink | The Russian group Turla, associated with the FSB, exploited the infrastructure of other cyber actors to target Ukrainian devices connected to Starlink. Turla's tactics included phishing and the use of malware such as the Amadey botnet for initial access, followed by deployment of custom malware. The Amadey botnet, previously used only for malware delivery, was repurposed by Turla to deploy reconnaissance tools and download PowerShell droppers. The attackers focused on devices showing potential military use, especially those connected via Starlink, indicating high-priority intelligence gathering. Microsoft detailed how Turla used a tool called Cookbox, exploiting a WinRAR vulnerability, to deliver payloads to Ukrainian devices. Turla's malware components, Tavdig and KazuarV2, were used to establish a foothold, conduct surveillance, manipulate systems, and extract sensitive data. Microsoft recommended defensive and monitoring measures in light of the sophisticated methods observed. | Details |
| 2024-12-11 16:38:53 | bleepingcomputer | DDOS | Global Crackdown Closes 27 DDoS-for-Hire Websites, Arrests Three | Law enforcement from 15 countries collaborated to dismantle 27 DDoS-for-hire services under Operation PowerOFF. Three platform administrators were arrested and 300 users were identified, signaling a significant crackdown on cybercrime. These DDoS services used botnets to execute pay-to-order attacks that cause significant disruption, especially during high-traffic periods like holidays. High-profile sites such as zdstresser.net, orbitalstress.net, and starkstresser.net were among those seized and now display law enforcement seizure notices. In the Netherlands, four individuals aged 22 to 26 were arrested, one of whom was responsible for over 4,000 attacks. Dutch authorities are targeting roughly 200 suspected users of these services, with responses ranging from warnings to legal action. Europol's J-CAT provided essential support in analytical work, cryptocurrency tracing, and forensic investigations. Previous related efforts include the takedown of the large DDoS platform Dstat.cc and the closure of DigitalStress by the UK's NCA. | Details |
| 2024-12-11 16:33:29 | bleepingcomputer | CYBERCRIME | Lynx Ransomware Strikes Major Romanian Electricity Supplier | The Lynx ransomware gang targeted Electrica Group, a leading electricity provider in Romania. Electrica, listed in both London and Bucharest, serves over 3.8 million users; its critical operations were not disrupted because its SCADA systems are isolated. The Romanian National Cybersecurity Directorate (DNSC) identified and announced the involvement of Lynx ransomware. A YARA script provided by DNSC will help other organizations detect potential compromises. DNSC advises against paying the ransom and encourages preventative scans across IT infrastructure, especially in the energy sector. Lynx ransomware, active since July 2024, lists over 78 entities as victims, mainly in the U.S. and in the energy sector. Self-described as Ransomware-as-a-Service, Lynx could be a continuation or rebrand of the previously known INC Ransom malware. Recent global targets of similar ransomware include Yamaha Motor Philippines and NHS Scotland. | Details |
| 2024-12-11 15:17:36 | thehackernews | MALWARE | New Malware Exploits Windows UI Flaws, Evades Endpoint Security | A new technique uses the Windows UI Automation (UIA) framework to carry out covert operations undetected by endpoint detection and response (EDR) technologies. This technique can allow malicious parties to execute commands, intercept sensitive data, and redirect users to phishing sites. It is effective when a user runs a program that leverages UI Automation, potentially affecting applications like Slack and WhatsApp. UI Automation is built into Windows as an aid for assistive technologies, but it can be manipulated to access UI elements of other, higher-privileged processes. Attack vectors include manipulating on-screen UI elements and caching to execute unseen commands or extract obscured data. Additionally, the research highlighted risks in the Distributed COM (DCOM) protocol, where attackers can remotely execute backdoors within a domain. The findings suggest that while this functionality is essential for accessibility and test automation, it also presents significant security risks. | Details |
| 2024-12-11 14:47:00 | bleepingcomputer | CYBERCRIME | Krispy Kreme Cyberattack Disrupts Online Services and Operations | Krispy Kreme detected unauthorized activity on its IT systems on November 29, 2024, affecting its online ordering in the US. Despite the cyberattack, physical stores remain open, and there has been no disruption to daily deliveries to retail and restaurant partners. The attack has materially affected the company's operations and is expected to continue affecting business until full recovery. Digital sales, which account for 15.5% of revenue, were set back, potentially leading to significant revenue loss during the recovery period. Krispy Kreme has enlisted cybersecurity experts to contain and remediate the incident, though the investigation is ongoing and the full scope of the attack is not yet known. The company anticipates a "reasonable" financial impact from lost digital sales revenue, cybersecurity professional fees, and system restoration costs. Following the announcement of the breach, Krispy Kreme's stock price dropped by 2%. Details about the type of cyberattack and whether ransomware was involved remain unclear; no group has claimed responsibility. | Details |
| 2024-12-11 14:36:41 | thehackernews | CYBERCRIME | Critical Flaw in Microsoft MFA Allows Unlimited Brute-Force Attacks | Researchers discovered a critical flaw in Microsoft's multi-factor authentication (MFA) allowing unauthorized account access. The vulnerability, named AuthQuake, enabled attackers to bypass MFA protection in around an hour without user interaction or triggering alerts. Attackers could create new sessions and attempt all possible six-digit code combinations due to a lack of rate limits and extended code validation times. The flawed MFA method used a time-based one-time password (TOTP) with a validation window extended up to three minutes, rather than the standard 30 seconds. Microsoft responded by implementing stricter rate limits that activate after several failed attempts and last approximately half a day. Security experts emphasize that deploying MFA requires proper configuration, including rate limits and notifications for failed attempts, to be effective. The incident underscores the importance of correctly configuring security settings to enhance protection against unauthorized access and potential cyber threats. | Details |
| 2024-12-11 14:11:13 | thehackernews | MALWARE | ZLoader Malware Enhancements Include DNS Tunneling and Interactive Shell | ZLoader malware has been updated with DNS tunneling for stealthier command-and-control communications. The revised version, ZLoader 2.9.4.0, introduces a custom DNS tunnel protocol and an interactive shell for executing commands. These updates are designed to improve resilience against detection and enable more dynamic responses to system analysis efforts. ZLoader was observed in renewed distribution campaigns after a nearly two-year hiatus following an initial infrastructure takedown. The malware is now commonly linked with Black Basta ransomware attacks and employs techniques such as domain generation algorithms to evade analysis. A new component called GhostSocks is used as a first stage to deploy ZLoader onto targeted systems. ZLoader's latest tactics include the use of HTTPS POST requests and TLS-encrypted traffic tunneled over DNS, showing an evolution in its communication security. The new enhancements position ZLoader as an effective tool for initial access, particularly for ransomware deployment through methods such as Remote Desktop Protocol (RDP) abuse. | Details |