Daily Brief

2024-11-07 07:18:03 thehackernews MALWARE Cisco Patches Critical Flaw in Industrial Wireless Systems
Cisco has released security updates for a critical vulnerability in its Ultra-Reliable Wireless Backhaul (URWB) access points, tracked as CVE-2024-20418 with a CVSS score of 10.0. The flaw lets an unauthenticated remote attacker execute arbitrary commands with root privileges by sending crafted HTTP requests to the web-based management interface. It affects only devices operating in URWB mode and has no impact on other modes. Cisco found the bug during internal security testing and fixed it in Cisco Unified Industrial Wireless Software release 17.15.1; devices running release 17.14 or earlier should be upgraded promptly. Cisco says it is not aware of any exploitation in the wild.
2024-11-07 04:40:16 thehackernews NATION STATE ACTIVITY Canadian Government Orders TikTok to Dissolve Operations Over Security Risks
The Canadian government has ordered ByteDance-owned TikTok to wind up its Canadian operations on national security grounds. Innovation Minister François-Philippe Champagne said the decision followed advice from Canada's security and intelligence community and was made under the Investment Canada Act, which governs foreign investments that may threaten national security. The order stops short of banning the app itself: Canadians can still access TikTok and create content on it. The government had already banned TikTok on all government-issued devices in February 2023. It urged Canadians to practice good cybersecurity habits and to be mindful of the risks of sharing personal data with foreign-operated social media platforms. TikTok said the order will cost hundreds of Canadian jobs and that it intends to challenge it in court. Elsewhere, the U.S. has set a deadline for ByteDance to divest TikTok's U.S. operations or face a ban, and countries including Afghanistan, India, Nepal, and Pakistan have banned the app outright.
2024-11-07 02:33:10 theregister NATION STATE ACTIVITY Russia-North Korea Deal Raises Global Security Concerns
The EU, U.S., and South Korea express concerns over a tech-for-troops deal between Russia and North Korea amid the Ukraine conflict. Russia is suspected of providing North Korea with technology in exchange for military assistance, including 10,000 troops. North Korea, which withdrew from the Treaty on Non-Proliferation of Nuclear Weapons in 2003, faces international sanctions aimed at preventing weapons development. U.S. Secretary of State Antony Blinken highlights the strategic desperation behind Russia's recruitment of North Korean soldiers. There is ongoing uncertainty on the specifics of the technology possibly being transferred to North Korea, but it could include sensitive military technology. Reports indicate some North Korean soldiers are using their deployment as a chance to defect. South Korean officials believe they can counter any technological gains by North Korea through superior technology and international alliances. The U.S. and South Korea have strengthened their strategic and economic ties, further consolidating opposition to North Korea’s potential advancements.
2024-11-06 21:53:17 theregister MALWARE Sophos Uncovers Malware Targeting Australian Bengal Cat Enthusiasts
Cybercriminals behind the Gootloader malware are, unusually, targeting people in Australia who search for information about Bengal cats. Gootloader, first noticed in 2014, is a loader that delivers follow-on payloads, including the Gootkit infostealer, and is a frequent precursor to ransomware. The attackers use SEO poisoning to reach users asking whether Bengal cats are legal in Australia: a poisoned forum post ranked at the top of search results, and clicking a link in it downloads a deceptive ZIP archive that starts the infection. The initial download is followed by further payloads, including Gootkit and tooling used to stage ransomware. Sophos began an intensive investigation of Gootloader after discovering a new variant in March and has observed a rise in SEO poisoning as a malware delivery technique. National cybersecurity agencies are working to curb malvertising and SEO poisoning because of their prevalence in ransomware campaigns, yet the tactic keeps growing, illustrating how hard it is to counter.
2024-11-06 21:27:52 bleepingcomputer MALWARE Increasing Use of Winos4.0 Malware in Targeted Attacks
Hackers are increasingly using the Winos4.0 framework against Windows users, spreading it through game-related applications. The framework supports post-exploitation activity comparable to well-known tools such as Sliver and Cobalt Strike. Winos4.0 was first documented by Trend Micro, which observed the threat actor Void Arachne (also tracked as Silver Fox) using it to distribute trojanized software in China. A new Fortinet report describes an evolution in tactics, with gaming applications now serving as the lure. Infection proceeds in multiple stages, starting with the download of a DLL disguised as an image file, followed by establishing persistence and connecting to a command-and-control (C2) server. The malware checks for specific security products on the host and adjusts its behavior or terminates itself accordingly, improving its stealth. Its continued use and adaptation point to a growing role in malicious operations. Indicators of compromise (IoCs) are available in the Fortinet and Trend Micro reports.
2024-11-06 19:35:12 bleepingcomputer MALWARE Cisco Patches Critical Command Injection Vulnerability in Access Points
Cisco has patched a critical vulnerability, CVE-2024-20418 (CVSS 10.0), in its Ultra-Reliable Wireless Backhaul (URWB) access points. The flaw is a command injection in the web-based management interface of Cisco Unified Industrial Wireless Software that lets an unauthenticated, remote attacker execute commands as root by sending crafted HTTP requests; no user interaction is required. Affected devices are the Catalyst IW9165D, IW9165E, and IW9167E access points, and only when they are configured in URWB mode. Cisco says it is not aware of in-the-wild exploitation or public exploit code. To determine exposure, administrators can check from the CLI whether URWB mode is enabled (per Cisco's advisory, the show mpls-config command is only available when URWB mode is enabled, and such devices are affected). Cisco lists no workaround; until devices are patched, limiting network access to the management interface reduces exposure. The update follows other recent Cisco fixes for command injection and denial-of-service flaws across its products and comes amid calls from CISA and the FBI for vendors to eliminate OS command injection vulnerabilities at the design stage.
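As an added example (not code from the original page or from Cisco), the advisory's three conditions for the two CVE-2024-20418 entries above, a listed Catalyst IW model, URWB mode enabled, and software older than the 17.15.1 fixed release, can be turned into a small inventory triage script. The model list and fixed version come from the advisory; the AccessPoint fields, hostnames, and sample inventory are constructed, and the urwb_mode flag is assumed to have been filled in from the CLI check rather than queried by the script itself.

```python
"""Inventory triage for the CVE-2024-20418 advisory conditions.

Added example, not Cisco tooling. A device is flagged only when all three
advisory conditions hold: listed model, URWB mode enabled, and a Cisco
Unified Industrial Wireless Software release older than 17.15.1.
"""
from dataclasses import dataclass

# Models named in the advisory and the first fixed release.
AFFECTED_MODELS = {"IW9165D", "IW9165E", "IW9167E"}
FIXED_VERSION = (17, 15, 1)


def parse_version(text):
    """Turn a release string such as '17.14.1' or '17.14' into an integer tuple.

    Missing trailing components are padded with zeros, so '17.15' compares
    lower than '17.15.1' and is treated conservatively as unpatched.
    """
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


@dataclass
class AccessPoint:
    """Constructed inventory record (field names are assumptions)."""
    hostname: str
    model: str
    version: str
    urwb_mode: bool  # True if the CLI check showed URWB mode enabled


def is_affected(ap):
    """All three advisory conditions must hold for a device to be affected."""
    return (
        ap.model in AFFECTED_MODELS
        and ap.urwb_mode
        and parse_version(ap.version) < FIXED_VERSION
    )


def triage(inventory):
    """Return the sorted hostnames of devices that need the 17.15.1 upgrade."""
    return sorted(ap.hostname for ap in inventory if is_affected(ap))


# Constructed sample inventory covering each way a device can be in or out of scope.
SAMPLE_INVENTORY = [
    AccessPoint("iw9165d-plant-01", "IW9165D", "17.14.1", True),   # vulnerable
    AccessPoint("iw9167e-yard-02", "IW9167E", "17.15.1", True),    # patched
    AccessPoint("iw9165e-dock-03", "IW9165E", "17.13", False),     # not in URWB mode
    AccessPoint("iw9167e-rail-04", "IW9167E", "17.15", True),      # below 17.15.1, flagged
    AccessPoint("iw9166-lab-05", "IW9166", "17.12.1", True),       # model not listed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("AFFECTED, upgrade to 17.15.1:", host)
```

The version comparison pads short release strings with zeros on purpose: a device reporting 17.15 without a maintenance number is treated as older than the 17.15.1 fix rather than silently skipped, which is the safer failure mode for a CVSS 10.0 bug.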
2024-11-06 17:58:17 bleepingcomputer MALWARE SteelFox Malware Targets PCs via Vulnerable Driver Techniques
SteelFox is a malware bundle that abuses a vulnerable driver to obtain SYSTEM privileges on Windows PCs. It is distributed through forums and torrent trackers disguised as cracks for legitimate software such as JetBrains products and AutoCAD. Once installed it mines cryptocurrency and harvests sensitive data, including credit card details, from the victim's browsers. Kaspersky has tracked the malware since February 2023 and says it has blocked roughly 11,000 infection attempts. SteelFox escalates privileges by loading WinRing0.sys, a vulnerable driver bundled with the XMRig Monero miner, a bring-your-own-vulnerable-driver (BYOVD) technique. It talks to its command-and-control server over TLS 1.3 with certificate pinning, which frustrates interception of its traffic. SteelFox is not aimed at specific victims, but infections cluster in several countries including Brazil, China, and Russia. Analysis indicates its developers are proficient in C++ and integrate complex external libraries to extend its functionality.
2024-11-06 17:53:12 thehackernews MALWARE VEILDrive Malware Exploits Microsoft Tools to Bypass Security
The VEILDrive campaign, identified in September 2024, abuses Microsoft services such as Teams, SharePoint, and OneDrive to deliver Java-based malware. The attackers compromised "Org C," a U.S. critical infrastructure organization, using spear-phishing sent from the previously compromised tenant of another organization ("Org A"). The malware uses OneDrive as its command-and-control channel, which blends into normal cloud traffic and evades traditional network monitoring. For initial access, the attackers impersonated members of Org C's IT team and contacted employees through Microsoft Teams' "External Access" feature. The payload was delivered via a SharePoint link to a ZIP archive containing remote access tools and the Java-based malware. Persistence was established with a scheduled task that runs the malware at regular intervals. The operation reflects a growing trend of threat actors using legitimate cloud platforms to complicate real-time detection and bypass security defenses. Notably, the malware is written plainly and without obfuscation, in contrast to typical evasion-focused malware.
2024-11-06 17:32:37 bleepingcomputer CYBERCRIME Washington State Courts Disrupted by Weekend Cyberattack
Unauthorized network activity was detected in Washington state court systems, causing extensive outages since Sunday. The Administrative Office of the Courts (AOC) took systems offline to secure them and has begun restoring judicial information systems, websites, and associated services. Essential services and most court proceedings continue with minimal disruption despite the shutdowns. Some local courts, such as those in Pierce County, retain partial service availability and online access, with further service changes expected through the week. The public is advised to confirm service availability directly with customer service counters in affected areas. Outside cybersecurity experts are assisting the investigation and recovery to ensure services are restored safely. The incident resembles a cyberattack on Kansas court systems last year, which resulted in the theft of sensitive data.
2024-11-06 15:30:02 theregister CYBERCRIME Global Cybercrime Takedown: 41 Arrested in Operation Synergia II
Interpol has concluded Operation Synergia II, a global operation targeting the infrastructure behind phishing, ransomware, and infostealer campaigns. Law enforcement from 95 countries took part, arresting 41 individuals and seizing 59 servers and 43 computing devices. Private-sector partners Group-IB, Trend Micro, Kaspersky, and Team Cymru contributed, underscoring the role of public-private partnerships against cybercrime. About 22,000 malicious IP addresses and servers were taken down, significantly disrupting criminal infrastructure, and a further 65 suspects remain under investigation. Neal Jetton, head of Interpol's Cybercrime Directorate, said the scale of cybercrime demands a coordinated global response. The operation follows the first Synergia action and demonstrates Interpol's reach across its 196 member countries.
2024-11-06 15:19:36 bleepingcomputer MISCELLANEOUS Germany Proposes Law to Shield IT Security Researchers
Germany's Federal Ministry of Justice has drafted a law to shield security researchers who responsibly identify and report vulnerabilities from criminal liability. The draft amends Section 202a of the Criminal Code (StGB) so that actions taken to detect and close security vulnerabilities are no longer considered "unauthorized" access, provided the researcher acts within the conditions set out in the bill. The protection extends not only to individual researchers but also to companies engaged in legitimate security testing. At the same time, the bill stiffens penalties for criminal data espionage and interception, particularly where critical infrastructure is targeted. The draft is under consultation with the federal states and industry associations, with a feedback deadline before it proceeds to parliament. The move mirrors the U.S. Department of Justice's 2022 revision of its charging policy under the Computer Fraud and Abuse Act, which directs prosecutors not to charge good-faith security research.
2024-11-06 14:03:08 thehackernews MALWARE New Winos 4.0 Malware Targets Gamers Through Optimization Apps
Winos 4.0, a malware framework derived from Gh0st RAT, is being distributed through gaming-related applications such as installation tools and optimization utilities. Its modular design supports a range of malicious activities. Victims are lured via black hat SEO, social media, and messaging platforms, with the campaign targeting Chinese-speaking users. Running a trojanized application starts a multi-stage infection: a fake BMP file is downloaded that is actually a DLL, which initiates further deployment. Subsequent stages set up the execution environment and fetch additional payloads, including one named '学籍系统' (Chinese for 'student registration system'), hinting at targets within educational institutions. The malware then connects to a command-and-control server to download more components, enabling data harvesting, screenshot capture, and backdoor operations. Winos 4.0 offers backdoor functionality comparable to frameworks such as Cobalt Strike, giving operators deep control over compromised systems.
2024-11-06 12:10:53 theregister RANSOMWARE Microlise Suffers Data Breach, Staff Data Compromised, No Customer Data Loss
Microlise, a telematics technology company, disclosed on October 31 a cyberattack that compromised some employee data but, it says, no customer data. Its share price on AIM fell 16 percent after the announcement and has not fully recovered. The attack bears the hallmarks of ransomware, though no group has claimed responsibility. Microlise expects full service restoration by the end of the week, reporting substantial progress in containing the threat and bringing online services back. The investigation continues with third-party cybersecurity experts, with the stated aims of minimizing customer disruption and strengthening security. Major customers DHL and Serco reported disruption to delivery tracking and security systems respectively, though no long-term service interruptions were reported. The UK's Information Commissioner's Office has been notified, and affected individuals will be contacted in line with regulatory obligations.
2024-11-06 11:35:01 thehackernews MISCELLANEOUS Why Investing in CTEM is Essential for Future Cybersecurity
CTEM (Continuous Threat Exposure Management) is crucial for proactive cybersecurity, shifting focus from reactive responses to active threat anticipation and prevention. Effective CTEM enables real-time monitoring and vulnerability identification, allowing organizations to address weaknesses before they are exploited. Customized to each organization's specific risk profile, CTEM enhances the prioritization and mitigation of the most critical threats. Integrating CTEM can significantly reduce the costs related to security breaches, including regulatory fines, lawsuits, and recovery expenses. Organizations with robust CTEM programs enjoy enhanced operational continuity, safeguarding productivity and revenue against potential disruptions. Continuous updates and adaptability of the CTEM framework ensure readiness against evolving cyber threats, supporting long-term organizational resilience. Positioning CTEM as pivotal in budget discussions for 2025 is not only strategic but also aligns with industry trends towards more proactive security investments.
2024-11-06 10:18:24 thehackernews CYBERCRIME INTERPOL's Global Operation Disrupts Thousands of Malicious Servers
INTERPOL announced the takedown of over 22,000 malicious servers as part of Operation Synergia II. The initiative lasted from April 1 to August 31, 2024, focusing on infrastructure behind phishing, ransomware, and info stealers. Approximately 30,000 suspicious IP addresses were identified during the operation, with 76% successfully neutralized. A total of 59 servers were seized, along with 43 electronic devices including laptops, mobile phones, and hard disks. The operation resulted in 41 arrests, with an additional 65 individuals currently under investigation. Partners such as Group-IB, Kaspersky, Team Cymru, and Trend Micro aided by identifying and analyzing malicious cyber activity across 84 countries. The earlier phase of Operation Synergia, conducted from September to November 2023, led to 31 arrests and the identification of numerous cyber threat infrastructures.