Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-19 06:32:32 thehackernews CYBERCRIME CISA Warns of Active Exploitation in VMware and Kemp LoadMaster
CISA has announced the active exploitation of critical vulnerabilities in both Progress Kemp LoadMaster and VMware vCenter Server. CVE-2024-1212, a high-severity flaw in Progress Kemp LoadMaster, enables unauthenticated remote attackers to execute arbitrary system commands. This particular vulnerability was patched by Progress Software in February 2024 but continues to be exploited. In addition, Broadcom reported that attackers are exploiting two patched vulnerabilities in VMware vCenter Server following their public demonstration earlier this year. Despite patches being issued, continued exploitation highlights persistent risks and the importance of comprehensive patch management. CISA has mandated Federal Civilian Executive Branch agencies to remediate the highlighted vulnerabilities urgently, with a deadline of December 9, 2024. These incidents underscore continuous challenges in cybersecurity threat management and the need for agile responses to emerging cyber threats.
Details
2024-11-19 00:04:17 theregister DATA BREACH Ford Investigates Massive Customer Data Leak, Maxar Also Breached
Ford Motor Company is investigating a reported data breach involving 44,000 customer records that were allegedly posted on a cybercrime forum. The leak was claimed by a user named EnergyWeaponUser, who stated that they breached Ford's network this month with help from another BreachForums user, IntelBroker. The leaked data is said to include customer names, locations, and details of purchased products. Separately, Maxar Space Systems reported a breach in which an unknown attacker accessed employee data including Social Security numbers and contact details. The Maxar intrusion involved personal data of employees from its California-based operations and was traced to a Hong Kong-based IP address. Maxar stated there was no operational impact from the breach and is providing identity theft and credit protection services to affected employees. No financial information or dates of birth were involved in the Maxar breach.
Details
2024-11-18 22:43:28 bleepingcomputer MISCELLANEOUS Brave iOS Update Introduces Site-Specific Data Shredding Feature
Brave Browser 1.71 for iOS has launched a new feature called "Shred" that allows users to delete site-specific browsing data. The Shred function targets cookies, local storage, and caches related to network activities, aiding in enhanced privacy measures. Users can control the Shred feature manually or set it to automatically activate, either when a site is closed or upon browser restart. This feature is unique because it allows deletion of data from individual sites without logging out of other active sessions. Shred is accessible via a long-press on the browser's tabs button or through the Shields menu under Advanced Control settings. Although currently only available on iOS, Brave plans to extend the Shred feature to Android and desktop platforms. Limitations exist due to Apple restrictions, but further enhancements are expected in future updates.
Details
2024-11-18 22:33:12 theregister CYBERCRIME Critical VMware vCenter Bugs Exploited Due to Inadequate Patch
Broadcom first patched two critical VMware vCenter Server vulnerabilities (CVE-2024-38812 and CVE-2024-38813) on September 17th, but the fixes proved incomplete and were revised in October. The heap-overflow vulnerability (CVE-2024-38812) is rated 9.8 out of 10 on the CVSS scale and allows remote code execution via specially crafted network packets. CVE-2024-38813, rated 7.5, allows an attacker with network access to escalate privileges to root. Broadcom confirmed in-the-wild exploitation of both vulnerabilities after its second patching attempt. Both flaws affect VMware vCenter Server versions 7 and 8 and VMware Cloud Foundation versions 4 and 5. vCenter is the central management plane for large fleets of virtual machines, which makes it a high-value target for both cybercriminals and nation-state actors. The nature and extent of the exploitation, and the identity of the attackers, have not been published as of now.
Details
2024-11-18 21:22:27 bleepingcomputer CYBERCRIME Chinese Hackers Exploit Fortinet VPN Flaw to Steal Credentials
Chinese threat actors, known as "BrazenBamboo," exploited a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal user credentials. The attacks specifically aimed to capture VPN credentials using a custom toolkit named 'DeepData,' which targets data in FortiClient's memory. Although Volexity reported the vulnerability to Fortinet in July 2024, the problem remains unaddressed with no CVE assigned as of the report. The DeepData toolkit includes a plugin that identifies and decrypts JSON objects containing sensitive information, which it then exfiltrates. By compromising VPN accounts, these hackers gain initial network access, enabling further malicious activities such as lateral movements and espionage. The identified vulnerability resembles a similar flaw from 2016 but is unique to recent versions of the software, indicating ongoing security gaps. Volexity has suggested restricting VPN access and monitoring unusual login activities as temporary measures until Fortinet addresses the issue.
Details
2024-11-18 21:02:03 bleepingcomputer DATA BREACH Maxar Space Systems Reports Data Breach Affecting Employee Information
Maxar Space Systems, a prominent U.S. satellite manufacturer, has reported a cybersecurity incident resulting in unauthorized access to personal data of its employees. Hackers exploited the company's network using a Hong Kong-based IP address, gaining entry to files containing sensitive employee information. The intrusion was detected on October 11, 2024, with the attackers having potential access for approximately one week before discovery. The compromised data did not include bank account details; however, the breach involved employees' personal information. In response to the breach, Maxar has provided current employees with IDShield identity protection and credit monitoring, and former employees have the option to enroll in IDX identity theft services until mid-February 2025. The company has been a key contributor to significant aerospace projects including NASA’s Psyche mission and the Artemis Moon exploration program. Following the data breach, concerns persist about the security of Maxar's proprietary technical data, especially in light of previous security incidents within its parent company.
Details
2024-11-18 20:51:45 bleepingcomputer CYBERCRIME Palo Alto Networks Fixes Zero-Days in Firewall Security
Palo Alto Networks has released updates for two zero-day vulnerabilities in its Next-Generation Firewalls: an authentication bypass (CVE-2024-0012) and a privilege escalation flaw (CVE-2024-9474). CVE-2024-0012 allows an unauthenticated remote attacker with access to the management web interface to obtain administrative privileges, while CVE-2024-9474 lets a PAN-OS administrator execute commands with root privileges; chained together they yield unauthenticated root code execution. The company first alerted customers about a potential RCE flaw in the management interface on November 8 and has now formally disclosed both vulnerabilities. Threat monitoring platforms have identified over 11,000 IP addresses with PAN-OS management interfaces exposed to the internet. Because both flaws require access to the management interface, restricting that interface to trusted internal addresses is the key mitigation pending patching. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and requires federal agencies to apply the patches by December 9. CISA has also highlighted a previously patched critical vulnerability (CVE-2024-5910) in Palo Alto's Expedition migration tool, which had been actively exploited.
Details
2024-11-18 20:46:31 theregister NATION STATE ACTIVITY T-Mobile Monitors Chinese Espionage Campaign on US Networks
T-Mobile US is actively monitoring a pervasive cyber-espionage campaign, dubbed Salt Typhoon, believed to be orchestrated by Chinese government-backed entities targeting American telecommunications networks. The Wall Street Journal reported that the campaign, which has been ongoing for several months, also affected other major telecom providers including AT&T, Verizon, and Lumen Technologies. Despite widespread industry concern, a T-Mobile spokesperson stated that there have been "no significant impacts to T-Mobile systems or data" and that there is no evidence any sensitive customer information was accessed or exfiltrated. The espionage effort reportedly aimed to gather high-value intelligence by using the telecom networks themselves to reach private communications and customer call records, particularly those of individuals in government or political positions. The disclosure follows a joint statement from the FBI and the US Cybersecurity and Infrastructure Security Agency acknowledging a "broad and significant cyber espionage campaign" by entities linked to the Chinese government. Separately, in response to earlier breaches, T-Mobile agreed to a $31.5 million settlement with the FCC, split between a civil penalty paid to the US Treasury and a commitment to invest in its cybersecurity.
Details
2024-11-18 19:50:42 bleepingcomputer CYBERCRIME U.S. Indicts Phobos Ransomware Admin After Extradition
Evgenii Ptitsyn, a Russian national, was extradited from South Korea to the U.S. to face charges over his alleged role as an administrator of the Phobos ransomware. Phobos, a derivative of the Crysis ransomware family, is run as a ransomware-as-a-service operation and accounted for 4% of all 2023 ransomware submissions to the ID Ransomware service. The U.S. Justice Department says the Phobos operation breached over 1,000 entities globally and collected more than $16 million in ransom payments. Ptitsyn allegedly supplied ransomware payloads to affiliates, managed the operation's darknet infrastructure, and advertised Phobos on criminal forums under online monikers. Affiliates used stolen credentials to gain access to victim networks, encrypted data, and demanded ransoms under threat of leaking the stolen data. A unique alphanumeric string tied each attack to its specific decryption key, and payments were routed through designated cryptocurrency wallets. Ptitsyn faces a 13-count indictment including wire fraud, computer fraud, and extortion in relation to hacking, with maximum penalties of 5 to 20 years per count. The U.S. highlighted the role of international cooperation in bringing this case.
Details
2024-11-18 18:54:58 bleepingcomputer CYBERCRIME Critical VMware Flaws Exploited, Updates Strongly Advised
Broadcom has issued an updated advisory about two actively exploited vCenter Server vulnerabilities, including a critical RCE flaw. The RCE vulnerability (CVE-2024-38812), discovered during a hacking contest, is a heap overflow in vCenter's DCE/RPC protocol implementation and affects products including VMware vSphere and Cloud Foundation. A second vulnerability, a privilege escalation flaw (CVE-2024-38813), allows attackers to gain root access using specially crafted network packets. Both were originally patched in September, but further updates were needed because the initial fix for CVE-2024-38812 proved incomplete. No workarounds exist; applying the latest security patches immediately is the only remedy. Broadcom also released a supplemental advisory with additional deployment guidance for the updates. Earlier exploitation of similar vCenter vulnerabilities by state-sponsored groups and ransomware gangs shows the ongoing risk to these environments.
Details
2024-11-18 17:39:01 thehackernews DATA BREACH Growing Challenge of Managing Non-Human Identity Secrets
Recent research by GitGuardian and CyberArk finds that 79% of surveyed IT decision-makers have experienced a secrets leak, up from 75% in the previous survey. Over 12.7 million hardcoded credentials have been found in public GitHub repositories, a significant exposure. Remediation of leaked credentials is slow, averaging 27 days, in an environment where non-human identities (service accounts, API keys, tokens, certificates) outnumber human ones by at least 45:1. Ownership of non-human identity security is unclear within most organizations. Permissions attached to credentials are poorly managed: often overly broad, rarely reviewed, and seldom documented, which widens the blast radius of any leak. Developers face pressure to ship quickly, frequently at the expense of careful scoping of permissions. The report proposes a shared responsibility model between developers and security teams for permission management and secret rotation, which could reduce emergency interventions and incidents. The absence of centralized, standardized documentation of permissions compounds the risk and is highlighted as a key area for improvement.
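The leaked-credential figures above come from scanning public repositories after the fact; the shift-left counterpart is a scanner that runs on every commit before it leaves the developer's machine. The following is an added example of such a scanner, written for this brief and not taken from GitGuardian, CyberArk, or the report. It combines fixed-prefix patterns for well-known token formats with a Shannon-entropy check on values assigned to secret-looking variable names, and honours an explicit allowlist marker so that false positives are suppressed in a reviewable way rather than by silently lowering thresholds. The entropy threshold, the marker text and the sample configuration are assumptions chosen for illustration.

```python
"""Minimal pre-commit style hardcoded-secret scanner (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List

# Well-known token formats with fixed, recognisable prefixes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{10,13}-[0-9A-Za-z-]+\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic case: a quoted value of 16+ chars assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(?:secret|password|passwd|token|api[_-]?key)[\w.-]*"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

ENTROPY_THRESHOLD = 3.0        # bits/char; assumed cutoff, tune for your code base
ALLOW_MARKER = "# secret-scan: allow"  # assumed allowlist marker for reviewed lines


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~4 for hex, ~0 for repeated placeholders."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    """Never echo a full secret into scanner output or CI logs."""
    return s[:4] + "..." + s[-4:] if len(s) > 12 else "***"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return findings as {line, rule, match} for each suspected hardcoded secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:  # explicit, code-reviewable suppression
            continue
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "rule": rule, "match": redact(m.group(0))})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(
                {"line": lineno, "rule": "high_entropy_assignment", "match": redact(m.group(1))}
            )
    return findings


# Constructed sample config; none of these values is a real credential.
SAMPLE = """\
# constructed sample config for the scanner demo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
backup_password = "xxxxxxxxxxxxxxxxxxxx"
api_key = "9f86d081884c7d659a2feaa0c55ad015"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # secret-scan: allow
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']} ({f['match']})")
```

Run against the constructed sample, the scanner flags the AWS key on line 2 by prefix and the hex API key on line 4 by entropy, ignores the all-x placeholder password (entropy 0), and skips the allowlisted token line. Wiring `scan_text` over the staged diff in a pre-commit hook is what turns a 27-day remediation cycle into a rejected commit.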
Details
2024-11-18 17:08:31 bleepingcomputer MALWARE Malicious Facebook Ads Promote Fake Bitwarden Chrome Extension
Fake advertisements on Facebook are promoting a counterfeit Bitwarden password manager Chrome extension. The ads claim the user is running an outdated version of Bitwarden and urge an immediate update. The link leads to a look-alike of the Chrome Web Store that prompts the user to download a ZIP file. To install it, users must enable Chrome's Developer Mode and sideload the unpacked extension, bypassing the Web Store's automated review. Once installed, the extension requests broad permissions that let it intercept and manipulate browsing activity and data. Bitwarden advises users to install updates and extensions only from the official Chrome Web Store listing or its own website, and to scrutinise the permissions any new extension requests. Bitdefender Labs identified the malvertising campaign, which first appeared on November 3, 2024.
Details
2024-11-18 16:53:11 thehackernews MALWARE New BabbleLoader Malware Delivers Stealth Information Stealers
Cybersecurity experts have identified a stealthy malware loader, BabbleLoader, distributing WhiteSnake and Meduza stealer malware variants. BabbleLoader employs complex evasion methods designed to circumvent antivirus products and sandboxes, effectively delivering malicious payloads directly into memory. This malware targets individuals and professionals by masquerading as cracked or accounting software, focusing on both English and Russian-speaking users. BabbleLoader stands out by utilizing techniques like junk code and shape-shifting code structures, making detection difficult for both traditional and AI-based systems. Each instance of BabbleLoader is uniquely crafted with distinct strings, metadata, and code patterns, frustrating static analysis tools and complicating manual analyses. The malware serves as an initial stage in attack chains, preparing systems for further exploitation through decrypted shellcode leading to the execution of stealer malware. The development of this malware indicates a broader trend of increasingly sophisticated methods used by cybercriminals to distribute various malware payloads efficiently and stealthily.
Details
2024-11-18 16:08:59 theregister MISCELLANEOUS Sweden Releases Updated Crisis Guide Amid Growing Threats
Sweden has updated its "If crisis or war comes" guide, the first revision in six years, now distributed to every household. The guide has expanded significantly to address new geopolitical threats and the contemporary challenges of cyberattacks and climate change. With Sweden's recent NATO membership prompted by increased military threats, the guide includes detailed survival and preparedness tips for both war and other crises. Recommendations include stockpiling essentials like water, food, and sanitation supplies, and maintaining good cybersecurity practices at home and work. The updated guide emphasizes unity and resilience, urging all Swedes to participate actively in national defense and preparedness. Additional advice covers maintaining communication during IT outages and being cautious of disinformation campaigns that aim to sow discord. Psychological well-being is also highlighted, reflecting the modern understanding of mental health importance during crises.
Details
2024-11-18 14:47:29 theregister MISCELLANEOUS Red Hat to Host Symposium on Enhancing Linux Security
Red Hat has scheduled its State of Linux Security Symposium for December 10th, highlighting strategies to strengthen Linux security for IT professionals. The symposium will feature six expert sessions on essential security practices and on securing the software supply chain for the Linux ecosystem. Sessions will cover the security features of Red Hat Enterprise Linux (RHEL) and its use by governments and financial institutions. Attendees will also hear about Red Hat's contributions to Linux security and its open-source approach to building trustworthy security tooling. The event aims to give IT personnel a detailed understanding of current Linux security challenges and advances so they can better manage and protect their systems. Registration is open.
Details