Daily Brief

Total articles found: 12824
2024-12-11 12:09:57 | theregister | MALWARE | Ivanti Issues Critical Security Patches for CSA Vulnerabilities
Ivanti has released patches for three critical vulnerabilities in its Cloud Services Application (CSA), affecting versions up to 5.0.2. The most severe flaw, CVE-2024-11639, is an authentication bypass that allows unauthenticated administrative access and scores a perfect 10 on the CVSS scale. Two additional vulnerabilities, CVE-2024-11772 and CVE-2024-11773, enable remote code execution and SQL injection for admin users; both are rated 9.1 on the CVSS scale. These flaws are particularly concerning because of the admin web console's pivotal role in managing IT systems and accessing sensitive organizational data. Ivanti recommends that customers upgrade immediately to the newly released version 5.0.3 to mitigate these risks. No exploitation of these vulnerabilities had been reported before public disclosure, which was coordinated by CrowdStrike's Advanced Research Team through a responsible disclosure program. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously highlighted similar vulnerabilities in the CSA admin web console, underscoring ongoing security challenges.
2024-12-11 11:04:01 | thehackernews | NATION STATE ACTIVITY | China-Based APTs Employ Espionage Tactics Against Southeast Asia
Suspected China-based threat actors have targeted high-profile organizations in Southeast Asia since October 2023. Victims included government ministries, air traffic control, a telecom company, and a media outlet. Attack techniques involved open-source tools, living-off-the-land tactics, and tools previously linked to Chinese APTs such as Rakshasa, Stowaway, and PlugX. The sophisticated attacks featured asset discovery, keylogging, password stealing, and customized DLL files for credential interception. Attackers maintained persistent access to compromised networks, harvested passwords, and mapped networks. Collected data was compressed and uploaded to cloud storage, indicating an organized data exfiltration strategy. The activities reflect the complex geopolitical tensions in Southeast Asia and ongoing territorial disputes. Recent related disclosures include China-nexus cyber espionage operations in Southern Europe and a breach of a large U.S. organization by Chinese actors.
2024-12-11 11:04:01 | thehackernews | NATION STATE ACTIVITY | Chinese Spyware EagleMsgSpy Targets Mobiles Undetected Since 2017
EagleMsgSpy, an Android surveillance tool possibly linked to Chinese police, has been active since 2017, collecting extensive user data including messages, call logs, and location. Discovered by Lookout, the tool is attributed to Wuhan Chinasoft Token Information Technology Co., Ltd., based on source code and infrastructure overlaps. The spyware requires physical access to the target device for installation, relying on an installer module to deliver the payload. EagleMsgSpy secretly collects data across various apps and services, encrypts it, and sends it to a command-and-control server. Researchers uncovered internal documents hinting at an iOS version, though no such sample has yet been observed in practical use. The administrative control panel for EagleMsgSpy uses AngularJS and requires authentication to access detailed user data and admin functions. The surveillance tool appears to be actively maintained and used by various entities, likely within law enforcement in China. Patent filings by the associated company indicate an ongoing development focus on law enforcement data analysis tools, including relationship diagrams among tracked individuals.
2024-12-11 07:16:51 | thehackernews | MALWARE | Microsoft Targets In-the-Wild Exploit with Latest Security Update
Microsoft has addressed a total of 72 security vulnerabilities in its latest Patch Tuesday update, with 17 rated Critical and 54 rated Important. Among the patches is a fix for an actively exploited privilege escalation flaw in the Windows Common Log File System (CLFS) driver, identified as CVE-2024-49138, with a CVSS score of 7.8. Exploitation of CLFS driver flaws is a known technique among ransomware operators, who use such vulnerabilities to gain elevated system privileges and initiate network-wide attacks. Microsoft has implemented a new security feature for CLFS by adding Hash-based Message Authentication Codes (HMAC) to log files to detect unauthorized modifications. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-49138 to its Known Exploited Vulnerabilities catalog, mandating remediation by the end of the year for Federal Civilian Executive Branch agencies. Other significant fixes include a high-severity remote code execution flaw in Windows LDAP and critical flaws in Windows Hyper-V and Remote Desktop Client. Outside of the patches, Microsoft continues its shift from NTLM to Kerberos for authentication, with new security improvements for services including Exchange Server and Active Directory Certificate Services set to become defaults in future software releases.
2024-12-11 06:31:14 | thehackernews | NATION STATE ACTIVITY | U.S. Indicts Chinese Hacker for Major Sophos Firewall Breaches
The U.S. has charged Chinese national Guan Tianfeng with exploiting a zero-day vulnerability affecting around 81,000 Sophos firewalls worldwide. Guan allegedly developed an exploit for the flaw and used it to infiltrate firewalls, causing damage and extracting sensitive data. The zero-day vulnerability, identified as CVE-2020-12271, enabled remote code execution through SQL injection. Sophos detected the exploitation after receiving a bug bounty report that was later linked to Guan's employer, Sichuan Silence Information Technology. Sichuan Silence, allegedly a contractor for Chinese intelligence services, has been sanctioned by the U.S. Treasury for its role. The exploitation included deploying the Asnarök trojan and a variant of Ragnarok ransomware to maintain access and control. The U.S. Treasury highlighted that over 23,000 of the compromised firewalls were in the U.S., including some protecting critical infrastructure. The U.S. State Department is offering rewards for information on Guan and Sichuan Silence, emphasizing the serious threat posed to national security.
2024-12-11 05:05:16 | theregister | NATION STATE ACTIVITY | US Indicts Chinese National for 2020 Sophos Firewall Attack
The US Departments of Treasury and Justice have named a Chinese company and its employee as responsible for exploiting a zero-day flaw in Sophos firewalls in 2020. Exploitation of the SQL injection vulnerability, CVE-2020-12271, compromised 81,000 firewalls, including ones used by US government agencies. Guan Tianfeng, identified as a security researcher for Sichuan Silence Information Technology Co., was actively engaged in cybersecurity competitions and in exploiting vulnerabilities on behalf of the company. Sichuan Silence, described as a cybersecurity government contractor for Chinese intelligence services, allegedly provides services such as network exploitation and public sentiment manipulation. The US has indicted Guan and offered up to $10 million for information leading to his location, and has applied sanctions that bar US entities from engaging with him or his company. Sophos responded quickly to the attack with a hotfix; the attacker then attempted to modify the malware to deliver Ragnarok ransomware, an attempt that was unsuccessful. The US asserts a strong stance against threats to critical infrastructure, underlining the necessity for continuous innovation and transparency in cybersecurity defenses.
2024-12-11 03:04:04 | thehackernews | CYBERCRIME | Ivanti Releases Updates for Critical Security Vulnerabilities
Ivanti has issued security updates for its Cloud Services Application (CSA) and Connect Secure products. The updates address multiple critical vulnerabilities that could permit privilege escalation and remote code execution. Although there are no reports of these vulnerabilities being actively exploited, the urgency to update remains high, since past incidents have shown that Ivanti products are targeted by state-sponsored attackers. Users are strongly encouraged to install the latest updates promptly to mitigate potential security risks.
2024-12-10 21:39:37 | bleepingcomputer | NATION STATE ACTIVITY | Wyden Introduces Bill to Enhance U.S. Telecom Cybersecurity
U.S. Senator Ron Wyden has proposed the "Secure American Communications Act" to bolster cybersecurity at American telecom companies following breaches by Chinese state hackers known as Salt Typhoon. The legislation would require the Federal Communications Commission (FCC) to issue binding cybersecurity rules, obliging telecom providers to secure their networks as already required by a law established in 1994. Telecom companies would need to conduct annual security vulnerability assessments, implement patches, and document corrective actions. They would also have to hire independent auditors for annual compliance checks against the FCC rules. FCC Chairwoman Jessica Rosenworcel acknowledged the urgency of the situation, emphasizing enhanced security measures to protect telecommunications networks. The breaches, confirmed by CISA and the FBI, involved major U.S. telecoms including T-Mobile, AT&T, Verizon, and Lumen Technologies, with Chinese hackers potentially having had access to the networks for extended periods. In response to the breaches, the public has been advised to use encrypted messaging apps to safeguard communications, and guidance has been issued to telecom infrastructure administrators to mitigate further attacks. The White House and CISA have found no evidence that classified communications were compromised, but cannot definitively confirm that the adversaries have been expelled from the hacked networks.
2024-12-10 20:53:55 | theregister | MISCELLANEOUS | Microsoft and Adobe Release Security Updates, Fixing Numerous Flaws
Microsoft's final Patch Tuesday of the year included 72 updates, with a significant focus on security fixes for several products, including Windows 10 and 11 and Server 2019 and later versions. One particularly concerning vulnerability, CVE-2024-49138, is being actively exploited; it enables privilege escalation that can give attackers full system access. The most severe vulnerability patched by Microsoft this month is CVE-2024-49112, with a CVSS score of 9.8, in the Windows Lightweight Directory Access Protocol (LDAP), although it is considered difficult to exploit. For enterprises unable to patch immediately, Microsoft suggests workarounds including blocking inbound RPCs to domain controllers from untrusted networks or disconnecting them from the internet. Microsoft flagged six other vulnerabilities as likely to be exploited soon, ranging from privilege escalation to remote code execution. Adobe concurrently released fixes for 167 vulnerabilities across its product lineup, with critical updates to Adobe Experience Manager, Adobe Connect, and other applications. Among the Adobe updates, Adobe Connect corrected six critical issues, mainly cross-site scripting flaws and a severe access control flaw with a CVSS rating of 9.3.
2024-12-10 20:03:10 | bleepingcomputer | DATA BREACH | Major Flaw in WPForms Plugin Risked Millions in Stripe Refunds
A high-severity vulnerability in WPForms, a popular WordPress plugin, allowed unauthorized Stripe refunds and subscription cancellations. The flaw, identified as CVE-2024-11205, affected versions 1.8.4 through 1.9.2.1 and was patched in version 1.9.2.2. Over six million WordPress sites using the free edition of WPForms were at risk. The vulnerability arose because the plugin failed to properly verify user roles and permissions for certain AJAX functions. Unauthorized transactions posed significant financial and reputational risks for businesses using the plugin. Security researcher 'vullu164' reported the vulnerability through Wordfence's bug bounty program, which led to a prompt fix from the developers. Despite the release of a patched version, approximately 3 million sites may remain vulnerable, particularly those not yet updated to the latest version. Website owners are strongly advised to update to the latest version of WPForms or deactivate the plugin to avoid exploitation.
2024-12-10 19:42:45 | bleepingcomputer | CYBERCRIME | Ivanti Issues Alert on Severe CSA Authentication Bypass Flaw
Ivanti has announced a critical authentication bypass vulnerability in its Cloud Services Appliance (CSA), identified as CVE-2024-11639. Attackers can gain administrative access on devices running older CSA versions (5.0.2 or earlier) without needing user credentials. The vulnerability was discovered by CrowdStrike and is remedied by updating to CSA version 5.0.3, for which Ivanti has provided upgrade guidance. This flaw is one of several patched recently, including flaws in other Ivanti products such as Desktop and Server Management and Security Gateways. According to Ivanti's latest security advisories, there have been no reported exploitations of the new CSA vulnerability in the wild. The announcement is part of Ivanti's increased efforts in vulnerability testing and patch management, following previous incidents in which its products were exploited. Ivanti serves over 40,000 organizations, underscoring the broad impact and the critical need for timely updates to mitigate potential risks.
2024-12-10 19:12:10 | theregister | MISCELLANEOUS | US Military Halts All Osprey V-22 Flights Due to Safety Risks
The US Navy, Air Force, and Marine Corps have grounded their entire fleets of Osprey V-22 aircraft following a recent incident in which one made an emergency landing. Naval Air Systems Command (NAVAIR) called for an "operational pause" for all Osprey variants as a precautionary measure, stating that crew safety is its highest priority. The grounding follows a history of technical challenges with the Osprey's complex tiltrotor design, which has suffered unreliability and previous fatal accidents. Despite a decrease in total flying hours, the Osprey saw a 46% increase in the most serious types of incidents from 2019 to 2023, with overall safety issues rising by 18%. The issues predominantly involve engine failures, which have also been implicated in last month's incident that prompted the fleet-wide grounding. Despite these challenges, the military continues to pursue tiltrotor technology, with plans to introduce the Bell V-280 Valor, another tiltrotor, intended to replace the Black Hawk by 2027.
2024-12-10 18:36:20 | bleepingcomputer | MALWARE | Microsoft Patch Tuesday Fixes Zero-Day and 71 Other Flaws
Microsoft has released security updates addressing 71 vulnerabilities, including an actively exploited zero-day, in its December 2024 Patch Tuesday. The zero-day, CVE-2024-49138, affects the Windows Common Log File System Driver and allows elevation of privilege, enabling attackers to obtain SYSTEM privileges on compromised Windows devices. Microsoft fixed sixteen critical vulnerabilities, all of them remote code execution flaws. The December count does not include two Edge flaws previously addressed on December 5th and 6th. Other software vendors also issued updates and advisories in December 2024. Full details on each vulnerability and the affected systems are available in Microsoft's full report for the December Patch Tuesday.
2024-12-10 16:39:59 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions Chinese Cyber Firm Over Global Ransomware Attacks
The U.S. Treasury Department has imposed sanctions on Sichuan Silence, a Chinese cybersecurity firm, and one of its employees for their roles in Ragnarok ransomware attacks targeting global businesses and U.S. critical infrastructure. In April 2020, the sanctioned parties exploited a zero-day vulnerability in firewall products to deploy malware and steal sensitive data from approximately 81,000 firewalls worldwide. Over 23,000 of the compromised firewalls belonged to U.S. businesses, including 36 in critical infrastructure sectors such as energy, potentially endangering human lives. The campaign, which deployed Ragnarok ransomware, was originally detected on Sophos XG firewalls, where an SQL injection vulnerability led to remote code execution. After detection, Sophos responded with patches and the removal of the malicious Asnarök Trojan scripts, but the attackers had implemented a 'dead man's switch' to trigger further ransomware attacks. The U.S. Department of Justice unsealed an indictment against Guan Tianfeng, also known as GbigMao, and the U.S. State Department has offered a reward of up to $10 million for information on the activities of Guan or Sichuan Silence. As a result of the sanctions, U.S. entities are barred from transacting with Guan and Sichuan Silence, with strong penalties threatened for non-compliance, including freezing of assets and financial restrictions.
2024-12-10 16:04:24 | theregister | CYBERCRIME | Researchers Uncover Vulnerability in AMD Secure VM Technology
Researchers from KU Leuven, the University of Lübeck, and the University of Birmingham have disclosed a vulnerability in AMD's Secure Encrypted Virtualization (SEV) that undermines its integrity guarantees. The attack, termed "BadRAM," manipulates the Serial Presence Detect (SPD) chip on a memory module to create memory aliases and bypass the protections of SEV-enabled systems, potentially exposing encrypted data. The setup requires only a Raspberry Pi Pico, a DDR socket, and a 9V battery, highlighting the attack's feasibility with minimal hardware. The attack requires physical access to the system or administrator-level privileges, making it a concern in scenarios such as rogue-admin attacks. Intel's scalable SGX and TDX, and Arm's CCA, employ countermeasures against similar attacks, which leaves AMD's approach uniquely exposed. The findings will be presented at the 2025 IEEE Symposium on Security and Privacy; the issue was disclosed to AMD on February 26, 2024. AMD has acknowledged the issue and is set to release a firmware update to mitigate the risk, while also recommending memory modules that lock the SPD and emphasizing physical security best practices.