Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12821
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-27 16:20:26 | bleepingcomputer | MISCELLANEOUS | Cloudflare Loses Over Half of Customer Logs Due to Bug | Cloudflare reported that a bug in its Logpush pipeline caused the loss of 55% of customer logs during a 3.5-hour window on November 14, 2024.
The root cause was a misconfiguration pushed to Logfwdr, the component that forwards logs to downstream systems: it told Logfwdr that no customers had logs configured, and a failsafe written for exactly that condition responded by forwarding every customer's logs.
The resulting spike in volume overwhelmed Buftee, Cloudflare's log buffering system, which had not been configured with the limits that would have let it shed the load, and Buftee shut down.
Logs lost during the window cannot be recovered; customers depend on them for security incident investigations, traffic monitoring and site optimization.
Cloudflare's remediation includes alerting on this class of misconfiguration, configuring Buftee's buffering limits properly, and routine stress tests that simulate overload.
These measures aim to make the logging service resilient to future configuration errors and unexpected surges in data volume. | Details |
| 2024-11-27 16:05:05 | thehackernews | CYBERCRIME | Critical Exploitation of ProjectSend Servers Due to Security Flaw | A critical flaw in ProjectSend, an open-source file-sharing application, is being actively exploited by unknown actors.
The vulnerability, tracked as CVE-2024-11680 (CVSS 9.8), was fixed in the code base in May 2023 but the fix was not shipped in a release until r1720 in August 2024.
It is an improper authorization check: an unauthenticated attacker can change the application's configuration, for example enabling user registration and lifting upload restrictions, and then upload a file containing arbitrary PHP code.
Exploitation of public-facing servers began in September 2024, after Project Discovery and Rapid7 published exploit code (a Nuclei template and a Metasploit module respectively).
Attackers use the flaw to drop web shells in a predictable location on the server, giving them persistent remote access and control.
Only about 1% of internet-exposed ProjectSend instances run the current release, r1750; the rest remain vulnerable.
Administrators should update ProjectSend to the latest version promptly and check the upload directory for unexpected PHP files. | Details |
| 2024-11-27 15:34:35 | theregister | MALWARE | First Detected Linux UEFI Bootkit Could Target More Systems | Security researchers have identified "Bootkitty," the first known UEFI bootkit targeting Linux, after a sample was uploaded to VirusTotal earlier this month.
The bootkit currently works against only a limited set of Ubuntu releases and looks like a proof of concept rather than a tool in active deployment.
Unlike more advanced Windows bootkits such as BlackLotus, Bootkitty cannot bypass Secure Boot: it is self-signed and runs only on Linux systems where Secure Boot is disabled or the attacker's certificate has already been enrolled.
ESET's analysis notes that Bootkitty patches GRUB and the kernel using hardcoded byte patterns, which limits it to specific Ubuntu builds and can crash the system on others.
Unused functions and placeholders in the code suggest its authors planned to extend its capabilities.
ESET also found an unsigned kernel module, likely from the same authors, that drops an ELF binary; the code references "BlackCat," but ESET does not connect it to the ALPHV/BlackCat ransomware group or any other known ransomware crew.
The discovery dispels the assumption that UEFI bootkits are exclusive to Windows and marks a notable evolution in the UEFI threat landscape.
Although it poses no real threat today, Bootkitty's existence underscores the need for continued vigilance and preparedness against UEFI threats on Linux. | Details |
| 2024-11-27 14:59:06 | theregister | MISCELLANEOUS | Webinar on Transforming Endpoint Management with Automation | Harman Kaur from Tanium will speak at a webinar hosted by The Register on efficient endpoint management, focusing on the role of automation in enhancing security strategies.
The discussion will address the complexities of managing a growing number of devices and software updates, highlighting how legacy tools are inadequate for modern security needs.
Automation in patching and vulnerability scans will be emphasized as a way to reduce human error, speed up response times, and shift IT focus to more strategic tasks.
Real-time solutions offered by Tanium will be showcased, demonstrating how they can provide better visibility and control in endpoint management.
The webinar will present ways in which organizations can incorporate these autonomous technologies into their existing systems to stay secure against evolving threats.
The goal of the webinar is to help organizations modernize their IT operations through automated endpoint management solutions. | Details |
| 2024-11-27 13:53:16 | bleepingcomputer | MISCELLANEOUS | Comprehensive Roundup of Black Friday 2024 Cybersecurity Deals | Black Friday 2024 features significant discounts on cybersecurity products including VPN subscriptions, antivirus software, and IT security courses.
VPN deals include up to 86% off 2-year subscriptions from providers such as NordVPN, Surfshark, and Proton VPN.
Antivirus software from vendors such as Avast, ESET, and Malwarebytes is available for up to 70% off.
Discounts on IT and security courses are offered by StackCommerce, Pluralsight, and Udemy, with some courses priced as low as $9.99.
Additional Black Friday promotions cover security-specific hardware and services, such as Firewalla firewall appliances and DeleteMe data removal.
LastPass and Yubico are offering up to 40% off on password management solutions and hardware security keys.
Sales include a mix of direct discounts and additional coupon codes for further savings.
BleepingComputer.com benefits from affiliate links included in the sale, earning a commission on purchases made through these links. | Details |
| 2024-11-27 12:02:06 | thehackernews | MALWARE | "Bootkitty" Revealed: First Linux-Targeting UEFI Bootkit Uncovered | Cybersecurity researchers have disclosed "Bootkitty," the first known UEFI bootkit targeting Linux systems.
Bootkitty, also referred to as IranuKit, appears to be a proof of concept by a group calling itself BlackCat and has not been observed in real-world attacks.
Its goal is to disable the kernel's signature verification and preload as-yet-unknown ELF binaries through the Linux init process.
It works by hooking the UEFI authentication services so its own modules pass verification, then patching GRUB and the kernel in memory to bypass their integrity checks, which allows unauthorized modification of the running Linux kernel.
Because the bootkit is signed with a self-signed certificate, it executes only on systems where UEFI Secure Boot is disabled or where the attacker's certificate has already been enrolled.
Researchers also identified an associated unsigned kernel module with rootkit functionality, including hiding files and processes and opening ports.
The development shows that UEFI bootkit threats are not exclusive to Windows and could pose a comparable risk to Linux environments.
Defenders are urged to prepare for this new class of UEFI threat, which signals an evolution in the boot-level attack landscape. | Details |
| 2024-11-27 11:31:36 | thehackernews | CYBERCRIME | Multi-Stage Cyber Attacks: Methods and Tools for Detection | Multi-stage cyber attacks use complex chains of events to avoid detection and exploit victims.
Attack vectors include malicious URLs embedded in documents and QR codes, leading to phishing sites.
The ANY.RUN Sandbox tool offers an interactive platform to safely analyze and understand these attacks.
Examples of attacks include malicious PDF files with embedded QR codes directing to fake Microsoft pages, and chained redirects using trusted domains to mask phishing URLs.
New attack trends focus on archives in email attachments to bypass security measures and deploy malware like FormBook.
ANY.RUN's sandbox allows automatic interaction with malicious content, providing insights and detailed reporting on threats.
Organizations should use tools like ANY.RUN for proactive threat detection, benefiting from their special Black Friday offer. | Details |
| 2024-11-27 11:16:15 | thehackernews | NATION STATE ACTIVITY | South Korean Espionage Group Targets Japan with SpyGlace Backdoor | APT-C-60, a group aligned with South Korea, exploited a vulnerability in WPS Office to deploy the SpyGlace backdoor against a Japanese organization.
The attack began with a phishing email using a job application lure, with the malware delivered via a link to Google Drive.
Infection starts from a Windows shortcut (LNK) inside a virtual hard disk (VHDX) image, which launches a downloader named "SecureBootUEFI.dat."
The attackers abused legitimate web services, StatCounter for victim identification and Bitbucket for payload retrieval.
The final payload, the SpyGlace backdoor, supports data theft, plugin loading, and remote command execution, and maintains contact with a command-and-control server.
Similar campaigns and techniques have been reported by other vendors, confirming continued activity by APT-C-60 and the related cluster APT-Q-12.
The use of uncommon delivery containers such as virtual disk images is a tactic for evading email and endpoint controls that do not inspect them. | Details |
| 2024-11-27 08:34:42 | theregister | MISCELLANEOUS | Increasing Surveillance in Workplaces Raises Privacy Concerns | A report by Cracked Labs highlights the rise of surveillance technologies in offices, using motion sensors and wireless networking to monitor employee activities.
Offices are compared to web browsers in terms of the tracking technologies embedded within them, with both U.S. and European settings being scrutinized for such practices.
The tracking data includes individual movements and behaviors which can be exploited for various undisclosed corporate purposes.
Notable technologies mentioned include Cisco's Spaces, which uses networking infrastructure to monitor and analyze the movement of people and objects within office spaces.
Personal data collected via these systems has prompted concerns and regulatory attention, such as from the FTC, emphasizing the need for privacy in employee monitoring.
Instances of backlash have occurred, such as at Northeastern University where students protested against the intrusive use of motion sensors.
Critics argue that while some applications of surveillance technologies could be beneficial, the lack of robust safeguards to protect employee privacy and prevent data misuse remains a significant issue.
Legal frameworks in Europe, like the GDPR, impose stringent requirements on employers, whereas calls for similar protective laws are intensifying in the U.S. to shield employees from excessive monitoring. | Details |
| 2024-11-27 07:28:54 | theregister | MISCELLANEOUS | CrowdStrike Faces Financial Uncertainty After Software Failure | CrowdStrike reported record Q3 revenue of $1.01 billion but posted a $17 million net loss, with results weighed down by the July Falcon sensor update that crashed millions of Windows hosts worldwide.
The full financial effect of the Falcon outage remains uncertain, affecting both investor confidence and sales forecasts.
CFO Burt Podbere pointed to extended sales cycles and heightened scrutiny in customer purchasing decisions following the incident.
The company introduced customer commitment packages offering incentives such as flexible payment terms, but their effect on Q4 results is not yet clear.
Despite the challenges, CrowdStrike closed slightly larger deals post-incident, suggesting some continued customer trust.
Delta Air Lines has filed a lawsuit seeking $500 million in damages for disruptions caused by the outage, adding to the financial uncertainty.
CrowdStrike's stock fell significantly in after-hours trading, reflecting investor concern over the company's near-term financial health. | Details |
| 2024-11-27 07:23:38 | thehackernews | CYBERCRIME | INTERPOL's Operation Serengeti Tackles Cybercrime in Africa | INTERPOL’s Operation Serengeti led to the arrest of 1,006 people across 19 African countries and the dismantling of 134,089 malicious networks between September and October 2024.
The operation targeted cybercriminals involved in ransomware, business email compromise (BEC), digital extortion, and various online scams.
Victims of these crimes totaled over 35,000 individuals worldwide, with financial losses nearing $193 million.
Significant arrests included eight individuals in Senegal associated with a $6 million online Ponzi scheme, where authorities confiscated numerous devices and 900 SIM cards.
A virtual casino in Luanda, Angola was also shut down; it specifically targeted Brazilian and Nigerian gamblers, fraudulently promising them a share in winnings for recruiting new members.
Private sector partners like Group-IB and Kaspersky contributed by identifying DDoS attacks, phishing domains, and sharing data on threat actors and malware.
INTERPOL emphasized the ongoing threat of cybercrime and the importance of international cooperation to mitigate these risks and prevent future victims. | Details |
| 2024-11-27 05:32:31 | theregister | NATION STATE ACTIVITY | US Telecom Engineer Sentenced for Espionage on Behalf of China | A 59-year-old Florida-based telecommunication engineer, Ping Li, was sentenced to 48 months in prison for spying for China's Ministry of State Security.
Li, a US citizen and Chinese immigrant, collaborated with Chinese intelligence since 2012, providing sensitive information from his employers, believed to be Verizon and Infosys.
His espionage activities included gathering intelligence on Chinese dissidents, US-based NGOs, and internal cybersecurity details from his employer.
Li communicated with Chinese intelligence through anonymous email accounts and traveled to China for meetings, acting as a "cooperative contact" for the MSS.
He provided China with data on Verizon’s operations in China, training materials, and information on cyber attacks like the SolarWinds incident, which China is suspected of exploiting.
Besides the prison term, Li was fined $250,000 and sentenced to three years of supervised release.
This sentencing highlights growing US concerns regarding Chinese-backed espionage, notably the activities of the cyber espionage group "Salt Typhoon," which has targeted major US telecom firms. | Details |
| 2024-11-27 05:22:11 | thehackernews | DDOS | Matrix Botnet Conducts Extensive DDoS Attacks Exploiting IoT Devices | The Matrix campaign is focusing on creating a botnet by exploiting misconfigurations and vulnerabilities in IoT devices.
The threat is suspected to be orchestrated by a lone actor of Russian origin, driven by financial gains using DDoS attacks as a service.
Targeted devices include IP cameras, DVRs, routers, and telecom equipment across multiple countries, with activity concentrated in China and Japan.
Weakly protected Telnet, SSH, and Hadoop YARN services are also being abused, including hosts on major cloud providers such as AWS, Azure, and Google Cloud.
Deployed malware includes Mirai variants and other DDoS tools taken from public GitHub repositories, some of which attempt to disable security features such as Microsoft Defender.
The service is marketed through a Telegram bot called "Kraken Autobuy," offering tiered DDoS services in exchange for cryptocurrency.
The campaign underscores the need for basic security measures like changing default credentials, securing admin protocols, and updating firmware to protect against such attacks.
Separate but related, NSFOCUS identified another botnet, XorBot, targeting specific brands of cameras and routers, also offering DDoS rental services and adopting methods to evade detection. | Details |
| 2024-11-26 22:33:28 | bleepingcomputer | MALWARE | NachoVPN Attack Exploits Vulnerabilities in Corporate VPNs | AmberWolf security researchers have disclosed vulnerabilities in the Palo Alto Networks GlobalProtect and SonicWall NetExtender SSL-VPN clients, exploitable via a rogue VPN server, and released a tool called "NachoVPN" that demonstrates the attack.
An attacker who tricks a user into connecting to a rogue VPN server (for example through a malicious link or social engineering) can push a malicious update or configuration to the client.
Depending on the client, this allows stealing login credentials, executing code with elevated privileges, installing an attacker-controlled root certificate, and forging code signatures or performing man-in-the-middle attacks.
SonicWall patched CVE-2024-29014 in July, while Palo Alto Networks released fixes for CVE-2024-5921 in November.
Users should update their VPN clients to the versions recommended by SonicWall and Palo Alto Networks to mitigate the risk.
NachoVPN is an open-source rogue VPN server simulator intended to help researchers find and test vulnerabilities in VPN clients.
The tool supports multiple VPN products and is designed for extensibility and community contributions to strengthen corporate network defenses. | Details |
| 2024-11-26 20:37:05 | theregister | CYBERCRIME | Kansas City Man Faces Charges for Multifaceted Cybercrime Spree | Nicholas Michael Kloster, a 31-year-old from Kansas City, has been indicted for a series of computer intrusions and misuse of a company credit card.
His alleged crimes include causing about $5,000 in damage to a non-profit's systems and using a company credit card to buy personal items, among them a thumb drive marketed for breaking into computers.
The indictment describes Kloster's brief employment at "Company Victim 1," which fired him shortly after his alleged activities came to light.
Kloster allegedly broke into a health club chain's systems, including its security cameras, reduced his own gym membership fee to $1, and deleted his account photograph.
He then emailed the health club's owner from his work account, described the intrusion to prove his access, and pitched his own security services.
Kloster faces charges of accessing a protected computer to obtain information and recklessly causing damage to another; his trial is scheduled for April 2025. | Details |
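Both Bootkitty items above note that the bootkit is self-signed and only runs where UEFI Secure Boot is off (or the attacker's certificate has been enrolled), so the first thing a Linux admin wants to confirm is the Secure Boot state the firmware actually reports. The script below is an added example, not code from ESET, The Register or The Hacker News: it parses the SecureBoot and SetupMode variables that the kernel exposes through efivarfs. It assumes the standard efivarfs record layout (4 little-endian bytes of attribute flags followed by the variable data, a single byte for these two variables) and treats the host as protected only when SecureBoot is 1 and SetupMode is 0, since a firmware in setup mode accepts new keys without authentication. The sample byte strings are constructed for the example, not captured from a real machine.

```python
"""Check UEFI Secure Boot state from efivarfs variable files.

Added example (not vendor or article code). Parses the SecureBoot and
SetupMode EFI variables under /sys/firmware/efi/efivars; see the
lead-in for the assumptions about the record layout.
"""
import os
import struct
from enum import Enum
from typing import Optional

# EFI global variable GUID; both variables live under it.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


class SecureBootState(Enum):
    ENFORCED = "enforced"        # SecureBoot=1 and SetupMode=0
    SETUP_MODE = "setup_mode"    # SecureBoot=1 but firmware accepts unauthenticated keys
    DISABLED = "disabled"        # SecureBoot=0
    UNKNOWN = "unknown"          # variable absent or malformed (legacy BIOS boot, etc.)


def parse_efivar(raw: bytes) -> bytes:
    """Return the variable payload from an efivarfs record.

    efivarfs prefixes every variable with a 4-byte little-endian attribute
    mask; the variable's own data follows it.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than its 4-byte attribute header")
    (_attributes,) = struct.unpack("<I", raw[:4])
    return raw[4:]


def boolean_var(raw: Optional[bytes]) -> Optional[bool]:
    """Decode a one-byte EFI boolean variable; None if absent or malformed."""
    if raw is None:
        return None
    try:
        data = parse_efivar(raw)
    except ValueError:
        return None
    if len(data) != 1:
        return None
    return data[0] == 1


def classify(secure_boot_raw: Optional[bytes],
             setup_mode_raw: Optional[bytes]) -> SecureBootState:
    """Combine SecureBoot and SetupMode into one verdict.

    SetupMode=1 means the firmware will enrol new keys without
    authentication, so Secure Boot is not meaningfully enforced even when
    SecureBoot reads 1.
    """
    secure_boot = boolean_var(secure_boot_raw)
    setup_mode = boolean_var(setup_mode_raw)
    if secure_boot is None:
        return SecureBootState.UNKNOWN
    if not secure_boot:
        return SecureBootState.DISABLED
    if setup_mode:
        return SecureBootState.SETUP_MODE
    return SecureBootState.ENFORCED


def read_var(name: str, efivars_dir: str = EFIVARS_DIR) -> Optional[bytes]:
    """Read a raw efivarfs record, or None if it does not exist / is unreadable."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def host_secure_boot_state(efivars_dir: str = EFIVARS_DIR) -> SecureBootState:
    """Verdict for the running host (UNKNOWN on non-UEFI or non-Linux systems)."""
    return classify(read_var("SecureBoot", efivars_dir),
                    read_var("SetupMode", efivars_dir))


# Constructed sample records (not captured from a real machine):
# attribute mask 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the 1-byte value.
SAMPLE_ENFORCED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    samples = {"enforced": SAMPLE_ENFORCED, "disabled": SAMPLE_DISABLED, "setup": SAMPLE_SETUP}
    for label, (sb, sm) in samples.items():
        print(f"sample {label:>8}: {classify(sb, sm).value}")
    print(f"this host: {host_secure_boot_state().value}")
```

Run it as root or with read access to efivarfs; a result other than "enforced" means a self-signed bootkit of the kind described above would load on the machine, and "setup_mode" in particular means an attacker with local access could enrol their own certificate. `mokutil --sb-state` reports the same SecureBoot bit but does not flag setup mode.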