Daily Brief
Total articles found: 12823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-12-10 15:13:23 | bleepingcomputer | DATA BREACH | Zero-Day Exploit in Cleo Systems Linked to Data Theft Attacks | Hackers are exploiting a zero-day remote code execution vulnerability in Cleo's managed file transfer software, targeting corporate networks for data theft. The vulnerability, identified as CVE-2023-34362, affects Cleo LexiCom, VLTrader, and Harmony versions up to 5.8.0.21 and allows attackers to bypass security measures from a previously patched flaw. The attacks are believed to be orchestrated by the Termite ransomware gang, which has previously been linked to breaches in various supply chain software systems. Security researchers from Huntress have detected active exploitation of this flaw, with attackers using methods such as file manipulation and PowerShell commands to download additional payloads and maintain persistent access. Impacting a range of industries including consumer products, food, trucking, and shipping, the exploitation has been confirmed in at least ten organizations, with potentially more unknown victims. Recommended immediate actions include moving Cleo systems behind firewalls, disabling autorun features, and inspecting systems for signs of compromise while a patch for this vulnerability is awaited. The majority of vulnerable servers are located in the United States. |
| 2024-12-10 15:03:00 | bleepingcomputer | CYBERCRIME | Sophisticated Phishing Attack Targets Corporate Email Systems | An advanced phishing campaign was uncovered, involving a deceptive email mimicking a trusted international shipping company's CEO, which allowed threat actors to infiltrate an organization. The phishing email used sophisticated tactics, including a deletion rule set from a U.S. IP address that targeted emails from a specific domain, effectively erasing the trace of the attack. The malicious email included a link to a PDF document hosted on an AWS server, which redirected to a fake Microsoft authentication page, deceiving recipients into providing their login credentials. The attack was part of a broader phishing campaign that targeted multiple companies, employing enhanced deception techniques to avoid detection by standard email security systems. Despite the sophisticated nature of the attack, the organization's quick response, including resetting the affected user's credentials, helped mitigate potential damage. The incident underscores the importance of user security awareness and robust technical measures in defending against increasingly sophisticated phishing threats. The Varonis Managed Data Detection and Response (MDDR) team played a crucial role in identifying and containing the incident, highlighting the value of specialized security expertise in handling complex cyber threats. |
| 2024-12-10 14:17:24 | thehackernews | MALWARE | Sophisticated Mobile Phishing Campaign Distributes New Banking Trojan | Cybersecurity experts uncovered a mobile phishing campaign using fake job offers to distribute the Antidot banking trojan. Attackers pose as recruiters from a seemingly legitimate company, offering attractive job opportunities to deploy the trojan via malicious apps. The malware, dubbed AppLite Banker, can capture device unlock codes, remotely control the device, and perform unauthorized operations. The phishing sites mimic employee-customer relationship management apps and prompt victims to enable external app installations under the guise of keeping their phones protected. New features of the trojan include launching keyboard settings, managing overlays to steal login credentials, and blocking calls from certain numbers. The campaign targets users proficient in multiple languages, including English, Spanish, and French, among others. Enhanced capabilities of the trojan include keylogging, SMS theft, and remote device interaction through VNC. The urgent need for robust protection measures is emphasized to prevent potential data and financial losses due to such advanced malware threats. |
| 2024-12-10 13:36:46 | theregister | CYBERCRIME | Renewed Zero-Day-Style Attacks on Fully Patched Cleo Servers | Researchers identified ongoing exploitation of a patched vulnerability in three Cleo file management products, impacting systems believed to be secure. The affected products include Harmony, VLTrader, and LexiCom, which had received patches for a remote code execution bug as early as October. Despite previous patches, over 1,700 Cleo servers monitored by Huntress have seen exploit attempts, with a potentially higher unmonitored impact. The exploited vulnerability allowed unauthorized remote code execution, involving malicious file imports and PowerShell command executions for attacker persistence. Attacks have affected businesses primarily in the consumer goods, food, trucking, and shipping sectors. Huntress has engaged with Cleo, and an updated patch is in development; meanwhile, mitigation measures like firewall deployment have been advised. Early signs of the exploitation date back to December 3, with indications of a wide geographical spread in attack attempts. |
| 2024-12-10 12:35:57 | theregister | RANSOMWARE | Heart Surgery Device Maker Faces Ransomware Attack, Data Compromised | Artivion, a manufacturer of heart surgery devices, reported a ransomware attack on November 21, leading to stolen and encrypted files. The attack, which was described in an SEC filing, involved unauthorized data acquisition, indicative of a double extortion ransomware tactic. In response to the attack, Artivion has taken certain systems offline, launched investigations, and engaged external cybersecurity, legal, and forensic experts. The attack has impacted order and shipping processes and other corporate operations, although some mitigation has been achieved. Artivion is leveraging its cyber insurance to cover most of the financial implications of the attack but recognizes ongoing additional costs. The company has yet to see a material financial impact from the incident but remains cautious about potential future implications. Artivion's third-quarter revenues showed an increase from the previous year, illustrating financial stability despite the cybersecurity challenges. |
| 2024-12-10 11:50:17 | thehackernews | MISCELLANEOUS | Advancements in Network Security Through Automated Pentesting | Automated internal and external pentesting is emerging as a vital tool for proactive cybersecurity, addressing both internal and external threats. Traditional manual pentesting methods are becoming insufficient due to their inherent cost, resource demands, and inability to keep pace with frequent and evolving cyber threats. Internal pentesting targets vulnerabilities from within the network, such as insider threats and compromised credentials, by simulating internal attacks. External pentesting focuses on defending internet-facing infrastructure by mimicking external cyberattack tactics. Combined, these automated pentests provide a comprehensive view of an organization's security posture, enhancing the ability to detect and mitigate risks efficiently. The introduction of tools like vPenTest from Vonahi Security demonstrates significant advancements in pentesting technology, offering speed, precision, and ease of use for continuous security assessments. Automated pentesting shifts the cybersecurity approach from reactive to proactive, ensuring constant readiness against potential cyber threats. Organizations are encouraged to adopt automated pentesting solutions to ensure robust security measures are in place and to remain compliant with industry standards. |
| 2024-12-10 11:19:50 | thehackernews | CYBERCRIME | Cross-Border Phone Phishing Operation Dismantled in Belgium, Netherlands | Belgian and Dutch authorities arrested eight suspects for operating a large-scale phone phishing scheme. The cybercriminals impersonated police and bank officials to deceive elderly victims and steal their financial data and money. Law enforcement conducted 17 searches, seizing cash, firearms, luxury items, and electronic devices. The operation utilized phishing via email, SMS, and WhatsApp, alongside vishing through fake bank helpline calls. Criminals laundered the stolen funds through luxury purchases and holidays, showcasing their lavish lifestyles on social media. The investigation began in Belgium in 2022, extending to the Netherlands after uncovering the gang's leadership in Rotterdam. Victims were located across at least ten countries, suffering significant financial losses due to the scam. |
| 2024-12-10 11:04:12 | thehackernews | NATION STATE ACTIVITY | Cyber Espionage Campaign Targets IT Providers with Code Abuse | A suspected China-affiliated cyber espionage group attacked Southern European IT service providers as part of Operation Digital Eye. The cyber intrusions occurred between late June and mid-July 2024, involving the abuse of Visual Studio Code and Microsoft Azure for command-and-control. Attack methods included SQL injection using SQLmap, deployment of a PHP-based web shell called PHPsert, and leveraging Visual Studio Code Remote Tunnels. Threat actors employed legitimate tools and cloud infrastructure to blend malicious activities with normal traffic, evading detection. The attack chains facilitated initial access, persistence, credential harvesting, and lateral movement within compromised networks. Custom tool modifications, such as Mimikatz variants, suggest the involvement of a digital quartermaster within the Chinese APT ecosystem. Cybersecurity firms SentinelOne, SentinelLabs, and Tinexta Cyber together detected and neutralized the threats before data exfiltration could occur. The operation highlights strategic attacks on digital supply chains, aiming to compromise downstream entities through trusted technology platforms. |
| 2024-12-10 11:04:12 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Visual Studio Code in Espionage Campaign | Chinese hackers have been exploiting Visual Studio Code (VSCode) tunnels to maintain persistent remote access to systems in large IT service providers in Southern Europe. This activity, part of 'Operation Digital Eye', was detected by SentinelLabs and Tinexta Cyber between June and July 2024; they suspect possible links to Chinese APT groups like STORM-0866 or Sandman. VSCode tunnels, usually a secure feature for remote software development, were manipulated to create backdoor access without raising security alarms, thanks to the use of Microsoft-signed executables and routing through Microsoft Azure. Attackers initially accessed systems using sqlmap for automated SQL injection, then deployed a PHP-based webshell and used techniques like RDP and pass-the-hash for lateral movement. On compromised devices, attackers installed a legitimate, portable version of VSCode, configured as a persistent Windows service to create development tunnels. Active connections to the breached systems typically occurred during normal working hours in China, suggesting the location of the threat actors. SentinelLabs warns that although this tactic of using VSCode tunnels is not widespread, its emergence signals a potential trend requiring increased vigilance, including monitoring of VSCode activity and scrutinizing outbound connections in network logs. |
| 2024-12-10 10:18:36 | theregister | CYBERCRIME | Netflix Releases Documentary on 2016 Bitfinex Bitcoin Heist | Netflix has launched a documentary titled "Biggest Heist Ever," about the 2016 theft of nearly 120,000 Bitcoins from Bitfinex by Ilya Lichtenstein and Heather Morgan. At the time of the theft, the stolen Bitcoins were valued at approximately $69 million, a figure that would exceed $11 billion at today's exchange rates. The film portrays Lichtenstein and Morgan as the modern-day "Bitcoin Bonnie and Clyde," showcasing behind-the-scenes footage and their eventual capture. Lichtenstein recently received a five-year prison sentence for orchestrating the heist, while Morgan served 18 months in prison following a 33-month house arrest period. Heather Morgan has maintained a presence online through her rap persona, Razzlekhan, even releasing a new song she composed while in solitary confinement. The documentary features interviews with IRS investigator Chris Janczewski, who noted the uniqueness of the couple's profile in cybercrime history. Despite the dramatic portrayal, the documentary has received lukewarm reviews from audiences and critics, scoring 6.1/10 on IMDb and 3.25/5 on Rotten Tomatoes. |
| 2024-12-10 10:03:13 | thehackernews | MALWARE | Analysis of Latest Malware and Phishing Threats in December 2024 | Ongoing zero-day attacks evade detection using corrupted Word and ZIP files, a challenge for most security software. The ANY.RUN sandbox successfully detects these corrupted files by allowing manual recovery and analysis within its virtual environment. A phishing campaign exploits QR codes in recovered documents, leading to malicious phishing links. A fileless malware attack featuring the Psloramyra loader deploys Quasar RAT via PowerShell, operating solely in memory to avoid detection. Scheduled tasks are created to maintain the presence of the malware, running every two minutes. Azure Blob Storage is being exploited to host credible-looking phishing pages, capturing victims' login credentials. The Emmenhtal loader facilitates multiple malware distributions, including Lumma and Amadey, by executing scripts and payloads like Updater.exe. ANY.RUN offers a 14-day trial to explore its advanced sandboxing technology for proactive defense against emerging cyber threats. |
| 2024-12-10 09:12:33 | thehackernews | NATION STATE ACTIVITY | Ukraine Warns of Phishing Attacks by Russia-linked Cyber Group | CERT-UA revealed a phishing campaign targeting Ukrainian defense and security sectors. The phishing attacks are orchestrated by the Russia-linked threat group UAC-0185, active since 2022. Hackers impersonated the Ukrainian League of Industrialists and Entrepreneurs, promoting a fake conference. Malicious emails contain a URL that downloads a file executing harmful scripts for cyber espionage. The attack scheme involves multiple stages leading to the installation of MeshAgent for remote control. The primary objective is to steal credentials for military and messaging applications like Signal, Telegram, and WhatsApp. Google's Mandiant highlighted UAC-0185's use of Android malware and deceptive operations targeting communication platforms and military apps. |
| 2024-12-10 07:36:31 | theregister | CYBERCRIME | WhatsApp Resolves Flaw in View Once Privacy Feature | WhatsApp has addressed a security flaw in its View Once feature, originally intended for media to self-delete after viewing. The flaw allowed the theft of photos and videos using rogue browser extensions on the web app and was reported by researchers in August. Initial fixes by WhatsApp were incomplete, allowing leaked media to remain accessible despite its supposed disappearance. A new software update has now fully corrected this issue, enhancing user privacy protections. Researchers from Zengo, a crypto wallet startup, discovered the original vulnerability and prompted the subsequent updates through their findings. WhatsApp encourages users to send view-once messages only to trusted contacts and to keep their app updated to the latest version for optimal security. The update includes significant improvements preventing browser extensions from bypassing the disappearing messages protocol. |
| 2024-12-10 01:03:01 | theregister | MISCELLANEOUS | Arrest in UnitedHealthcare CEO's Murder Highlights Limited Tech Role | A McDonald's employee in Pennsylvania identified and alerted authorities about Luigi Mangione, the suspect in the murder of UnitedHealthcare CEO Brian Thompson in New York City. Mangione was apprehended with a gun, a sound suppressor, several fake IDs, and a manifesto potentially outlining his motives for the shooting. The suspect managed to evade New York City's extensive surveillance technology, which includes thousands of cameras and facial recognition systems. Technology such as ShotSpotter was deemed ineffective in this situation, as the shooter used a suppressor and possibly subsonic rounds to avoid detection. Criticism has been raised against the NYPD's reliance on technology, with findings showing inefficiencies like misidentification of sounds by ShotSpotter. The murder weapon was described as a "ghost gun," likely using home-made parts to avoid registration, complicating police efforts to track the firearm. The motive behind the murder may be linked to a grudge against UnitedHealthcare, known for its high rate of claim denials and the aftermath of a recent costly ransomware attack. |
| 2024-12-09 23:01:45 | bleepingcomputer | RANSOMWARE | Ransomware Disruption at Major Heart Device Manufacturer Artivion | Artivion, a key player in heart surgery devices, was hit by a ransomware attack on November 21, causing operational disruptions. The attack led to the encryption of company systems and theft of data, prompting Artivion to take affected systems offline and initiate recovery steps. The company employs over 1,250 people and operates globally with facilities in the U.S. and Germany. In response, Artivion has engaged external cybersecurity, legal, and forensics experts to help contain and remedy the situation. Despite quick mitigation efforts, Artivion anticipates additional financial burdens not covered by its insurance. Current restoration efforts are underway, and corporate functions like order processing and shipping are largely back to normal. No specific ransomware group has claimed responsibility yet, but the situation could escalate if ransom demands are not met. This incident is part of a larger trend of ransomware attacks affecting the U.S. healthcare sector. |