Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-11-14 08:37:49 | theregister | CYBERCRIME | Five Eyes Agencies Identify Top Software Vulnerabilities of 2024 | The cybersecurity agencies of the UK, US, Canada, Australia, and New Zealand have released their yearly list of the top 15 most exploited software vulnerabilities. The list highlights an increase in attacks on zero-day vulnerabilities, with experts noting that this type of attack is becoming the new norm. Ollie Whitehouse, CTO of the UK's National Cyber Security Centre, emphasized the importance of timely patch application and the adoption of secure-by-design principles in technology development. The Citrix remote code execution bug in NetScaler ADC and Gateway versions 12 and 13 was ranked at the top of the vulnerability list. Vulnerabilities in Cisco's IOS XE operating system and Fortinet's FortiOS were also prominently featured, underscoring significant risks in popular networking and security technologies. The list also included a persistent issue with Apache Log4j and new entries from Barracuda Networks and Microsoft, indicating ongoing challenges in securing enterprise and open-source software. The report urges vigilance in vulnerability management and an enhanced security focus during the product development life cycle to mitigate risks effectively. |
| 2024-11-14 05:44:11 | thehackernews | MALWARE | Russian Hackers Use NTLM Flaw to Infect Ukraine with RAT Malware | Russian-linked cyber actors exploited a newly patched NTLM vulnerability, CVE-2024-43451, to deploy RAT malware in Ukraine. The flaw was used in phishing campaigns sent from a compromised Ukrainian server, leading victims to download a malicious ZIP containing a URL file. Interaction with the URL file, such as right-clicking or dragging, triggers the vulnerability, enabling the unauthorized download of Spark RAT. The attackers hosted the malicious files on an official Ukrainian government site under the guise of academic certificate renewal. Once the NTLM hash is captured, attackers can perform a Pass-the-Hash attack, bypassing password requirements for system access. Ukrainian CERT links these phishing and malware deployment activities to a Russian threat actor known as UAC-0194. Additionally, a separate financially motivated campaign using tax-themed lures to deploy LiteManager software has been attributed to another threat actor, UAC-0050. |
| 2024-11-14 01:58:12 | theregister | NATION STATE ACTIVITY | U.S. Telcos Targeted in Extensive Chinese Cyber Espionage Campaign | The U.S. government has identified a significant cyber espionage operation by China-affiliated groups targeting American telecommunications companies. This campaign involved the theft of customer call records and the interception of communications from individuals predominantly in government or political roles. Attackers gained access to systems used for court-ordered surveillance, jeopardizing sensitive law enforcement data. Entities often referenced as "Salt Typhoon" have been implicated in these breaches, which affected major providers including Verizon, AT&T, and Lumen Technologies. The FBI and CISA issued a joint warning, confirming much of the information previously reported over the past month regarding the breaches. In addition to ongoing investigations, federal agencies are aiding the affected companies, enhancing cybersecurity defenses, and urging other potential victims to come forward. This espionage act comes shortly after revelations about another Chinese group, "Volt Typhoon," exploiting vulnerabilities in network infrastructure to facilitate further attacks on critical systems. |
| 2024-11-14 00:20:55 | theregister | MALWARE | Bitdefender Releases Decryption Tool for ShrinkLocker Ransomware | Bitdefender has introduced a free decryption tool to unlock files encrypted by ShrinkLocker ransomware, a malware that abuses Windows' BitLocker and VBScript. The decryption tool was developed after a detailed analysis of the ShrinkLocker strain, discovered in May, which showed a simple yet effective mechanism employing Group Policy Objects and scheduled tasks. ShrinkLocker has been used by criminals targeting industries and government entities in multiple countries, illustrating its global threat landscape. While the tool helps recover data, it does not prevent future ShrinkLocker attacks or the potential sale or leak of already stolen data. Bitdefender advises users to consult its recommendations to harden BitLocker configuration and minimize ransomware risk. Meanwhile, CISA's ScubaGear software aims to improve Microsoft 365 security by identifying and suggesting fixes for configuration weaknesses, recording over 30,000 downloads since its launch. |
| 2024-11-13 22:57:05 | bleepingcomputer | MALWARE | Hackers Use macOS Attributes to Hide RustyAttr Trojan | Hackers have developed a new method using macOS extended attributes to conceal malicious code, deploying a Trojan named RustyAttr. This technique leverages metadata within macOS files and decoy PDF documents to evade detection, reminiscent of tactics used by Bundlore adware in 2020. Group-IB attributes these attacks to the North Korean group Lazarus with moderate confidence, suggesting potential experimentation with malware dissemination methods. None of the security engines on the VirusTotal platform detected the malicious files, highlighting the effectiveness of the evasion strategy. The malware is built on an application framework called Tauri, which interacts with a web frontend and executes commands stored in the "test" extended attribute through a shell script. During the infection phase, the malware may display decoy PDFs or error dialogs to minimize user suspicion. Samples analyzed were signed with a leaked certificate, already revoked by Apple, showing sophisticated access to signing credentials by the attackers. The staging server for the malware connects to a known Lazarus infrastructure endpoint, attempting to pull further malicious payloads, which remain unanalyzed because retrieval failed. |
| 2024-11-13 22:36:35 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Compromise US Officials' Communications in Telecom Breach | Chinese hackers, identified as Salt Typhoon, breached multiple U.S. broadband providers, compromising government officials' private communications. The attack, confirmed by the FBI and CISA, involved the theft of customer call records and information subject to U.S. law enforcement requests. Compromised data includes networks used for court-authorized wiretapping, affecting several providers including AT&T, Verizon, and Lumen Technologies. Hackers maintained prolonged access to telecom networks, potentially for months, gathering substantial internet traffic data affecting millions. The breach is part of broader hostile activities targeting U.S. and Canadian government agencies, political parties, and critical infrastructure. Salt Typhoon has been active since at least 2019, primarily targeting governmental and telecommunication entities in Southeast Asia. In parallel, another group, Volt Typhoon, exploited a zero-day to breach multiple ISPs and MSPs in the U.S. and India, underscoring a continued cyber threat from Chinese-linked groups. |
| 2024-11-13 21:50:12 | theregister | DATA BREACH | Over 183 Million Employment Records Sold on Dark Web | Over 183 million employment-related records potentially stolen from data broker Pure Incubation/DemandScience have surfaced for sale on a cybercrime forum. The seller, identified as KryptonZambie, priced the data at $6,000 and provided a 100,000-record sample to attract buyers. Compromised data includes corporate emails, names of employers, job titles, physical addresses, and links to social media profiles. Despite the breach, DemandScience claims the information consists of publicly available business contact details and not sensitive personal data. DemandScience's investigation suggests the data could have been leaked from legacy systems or through third-party partners; no direct breach of current systems has been confirmed. The breach was first noticed and reported by cybersecurity entities like Have I Been Pwned and its founder, who verified that his personal information was part of the leaked dataset. DemandScience continues to monitor the situation and emphasized the ongoing use of scraped public data in its lead generation processes, reinforcing typical practices within the data brokerage industry. |
| 2024-11-13 21:44:47 | bleepingcomputer | DATA BREACH | Massive Data Breach at DemandScience Exposes 122 Million Records | In February 2024, a threat actor named 'KryptonZambie' began selling 132.8 million records on BreachForums, alleged to be stolen from Pure Incubation, now DemandScience. DemandScience, a B2B data aggregator, was initially unaware of any breach according to its corporate communications, despite the large volume of business contact information leaked, including names, addresses, and job details. Despite the use of security measures like firewalls, VPNs, and intrusion detection systems, the breach involved data collected from decommissioned systems not currently in operational use. The leaked dataset, priced trivially at 8 credits on BreachForums as of August 15, 2024, suggests access or theft occurred on a system that had been out of use for approximately two years. Security researcher Troy Hunt confirmed the authenticity of the data and announced that all unique email addresses involved have been added to Have I Been Pwned to alert potential victims. As investigations continue, no current systems were identified as compromised, shifting focus to historical data storage and decommissioning processes. |
| 2024-11-13 21:36:06 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Exploit Windows Flaw in Ukrainian Cyber Attacks | Suspected Russian hackers exploited a Windows zero-day vulnerability, CVE-2024-43451, targeting Ukrainian entities. The flaw allows attackers to steal NTLMv2 hash values through phishing emails carrying malicious internet shortcut files. ClearSky security researchers identified the vulnerability after detecting suspicious activities in June. The exploit requires only minimal user interaction with the malicious file to trigger a remote server connection for malware download. Microsoft addressed the security issue in its November 2024 Patch Tuesday updates, emphasizing the need for patch application across all Windows versions. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring federal networks to patch by December 3. The ongoing threat underscores significant security concerns for both governmental and non-governmental organizations in Ukraine. |
| 2024-11-13 19:15:08 | theregister | CYBERCRIME | Ransomware Attack on American Pharmacy Chain: 1.4TB Data Stolen | American Associated Pharmacies (AAP) reportedly fell victim to a ransomware attack by the Embargo group, involving the theft of 1.469 terabytes of data and file encryption. Embargo claims AAP has already paid $1.3 million for decryption and is demanding an additional $1.3 million to prevent data leakage. AAP, which manages thousands of independent pharmacies, has neither confirmed the attack nor responded to media inquiries, but suspicions arise from forced password resets and nondescript inventory issues mentioned on its website. The criminals employed a double extortion tactic, threatening to leak stolen data by a set deadline and to publicize details of individuals they hold accountable if their demands are not met. FBI statistics indicate that the ransom demanded is above average, the usual ransom amount being around $1.5 million. Embargo, a new but increasingly noted ransomware group, uses sophisticated tools including EDR-killing capabilities to deploy its ransomware. AAP, formed in 2009 from a merger, oversees more than 2,000 independent pharmacies across the U.S. but has remained quiet about the alleged cyber incident. |
| 2024-11-13 18:52:44 | bleepingcomputer | CYBERCRIME | U.S. Indicts Hackers for Multi-Million Dollar Snowflake Extortion | The U.S. Department of Justice has indicted Connor Riley Moucka and John Erin Binns for breaching over 165 companies and extorting $2.5 million using Snowflake cloud storage vulnerabilities. The hackers accessed accounts using stolen credentials obtained through malware, focusing on targets lacking multi-factor authentication. They stole around 50 billion customer call and text records from a major U.S. telecommunications provider, believed to be AT&T, and received ransom in cryptocurrency. The indictment details attempts to launder the cryptocurrency, converting it into Monero to obscure its trail. In cases of non-compliance with ransom demands, stolen data was sold on hacking forums, affecting millions of customers across multiple sectors, including telecommunications and retail. Double extortion tactics were used, demanding additional payments from victims who had already paid ransoms. Moucka was arrested in Canada and Binns in Turkey; both face numerous charges, potentially leading to lengthy prison sentences and the seizure of their assets. |
| 2024-11-13 18:42:20 | bleepingcomputer | CYBERCRIME | Critical Bug in Outdated D-Link NAS Devices Exploited by Hackers | A critical vulnerability has been identified in end-of-life D-Link NAS devices that enables attackers to inject commands. Affected models include the DNS-320, DNS-320LW, DNS-325, and DNS-340L, all no longer supported by D-Link. Exploitation involves unauthenticated HTTP GET requests, as detailed by security researcher Netsecfish. Over 41,000 vulnerable devices have been detected online, despite D-Link recommending that these products be decommissioned. D-Link states it will not issue patches for these models due to their end-of-life status and urges customers to upgrade. Attacks started shortly after D-Link's public acknowledgment of the devices' vulnerabilities. Shadowserver and Netsecfish reports highlight the ongoing targeting and potential risks from exposed devices. Users are advised to disconnect the devices from the Internet and consider upgrading to mitigate security risks. |
| 2024-11-13 18:07:24 | bleepingcomputer | CYBERCRIME | Google Integrates AI Scam Detection in Pixel Phones | Google has launched a new AI-based feature on Pixel devices to detect scam calls during conversations. The feature analyzes speech patterns to identify potential scams, such as impersonation or urgent requests following breach alerts. A real-time alert will notify users of a potential scam, allowing them to disconnect the call immediately. The anti-scam service, which operates fully on-device to protect privacy, is initially available on Google Pixel 6 and newer models in the US. Google Play Protect has introduced "Live Threat Detection" to identify harmful apps, focusing initially on stalkerware. This protection system also operates locally on devices and is part of Android's effort to enhance user security against various cyber threats, with future expansions planned to cover more types of malware. Both features are part of Google's ongoing commitment to leveraging advanced AI for improving security across its device ecosystem. |
| 2024-11-13 17:36:39 | theregister | MISCELLANEOUS | Microsoft Fixes Task Manager Bug and Processor Issues | Microsoft's latest Patch Tuesday update addressed several critical issues for Windows 11 24H2 and Windows Server 2025, alongside other security enhancements. The update included quality improvements and resolved a reported Task Manager bug that failed to show active application counts correctly. A notable fix was applied for Windows Server 2025, addressing operational disruptions on systems with 256 or more logical processors, which previously led to installation failures and extended restart times. The Patch Tuesday release also provided solutions for Dev Drive access complications in the Windows Subsystem for Linux and installation delays affecting certain hardware configurations. Microsoft continues to address a list of ongoing issues with Windows 11 24H2, including problems with fingerprint sensor functionality affecting user authentication. Resolved and ongoing issues have prompted Microsoft to implement update blocks or safeguard holds to prevent affected users from encountering malfunctioning features. The update reflects Microsoft's commitment to improving user experience and system stability, as articulated in the company's Windows Release Health dashboard updates. |
| 2024-11-13 16:29:53 | bleepingcomputer | MALWARE | Microsoft's November 2024 Patch Fixes Four Zero-Day Exploits | Microsoft's November 2024 Patch Tuesday addressed 89 security vulnerabilities, including four zero-days. Two of the zero-day vulnerabilities were actively exploited, one allowing NTLM hash disclosure and the other permitting elevation of privilege via the Windows Task Scheduler. Additional disclosed vulnerabilities included a Microsoft Exchange spoofing issue and an Active Directory Certificate Services elevation of privilege flaw. Fixes also addressed vulnerabilities in various categories, notably remote code execution and elevation of privilege. Continuous updates and patches are crucial for maintaining system integrity and protecting against emerging cyber threats. Microsoft collaborates with security researchers to identify and address vulnerabilities, showcasing the importance of community in cybersecurity. Users are urged to update their systems immediately to mitigate potential security risks from these vulnerabilities. |