Daily Brief

2024-10-22 14:09:52 bleepingcomputer MALWARE VMware Releases New Patch for Critical vCenter Server RCE Flaw
VMware has issued a new patch for the critical remote code execution vulnerability CVE-2024-38812 in vCenter Server, after initial fixes failed. The vulnerability, discovered during the 2024 Matrix Cup hacking contest, allows attackers to execute code remotely without user interaction. This flaw, along with a high-severity privilege escalation issue CVE-2024-38813, affects vCenter versions 7.0.3, 8.0.2, and 8.0.3. VMware strongly urges all customers to apply the updated patches to protect against possible exploitation by attackers. No active exploitation of these vulnerabilities has been reported yet, but VMware historically sees targeted attacks on such flaws. Patches are available for vCenter versions 8.0 U3d, 8.0 U2e, and 7.0 U3t. Older, unsupported versions will not receive updates. VMware’s updated advisory and a companion Q&A provide detailed guidance and emphasize the urgency of applying these patches promptly. Previous exploitations by state-sponsored actors highlight the importance of maintaining updated security measures.
2024-10-22 14:04:35 thehackernews CYBERCRIME Docker API Servers Targeted for Illicit Crypto Mining Operations
Cybercriminals are exploiting Docker remote API servers using the SRBMiner crypto miner. The attack involves the use of the gRPC protocol over h2c (HTTP/2 without TLS encryption) to bypass security measures. The attackers first perform a discovery of public-facing Docker API hosts to check for HTTP/2 protocol upgrade capabilities. Attack methods include sending a "/moby.buildkit.v1.Control/Solve" gRPC request to create a Docker container for mining XRP cryptocurrency. Additional observed activities include attackers deploying other malware such as perfctl via Docker containers. Recommendations for securing Docker API servers include implementing strong access controls, monitoring for suspicious activities, and applying container security best practices.
2024-10-22 11:00:56 thehackernews MISCELLANEOUS Comprehensive Management of Service Accounts in Active Directory
Service accounts possess high-level permissions, making them critical but vulnerable aspects of network security. Proper monitoring and management of these accounts are essential to secure enterprise networks from potential security breaches. Identifying service accounts within Active Directory is complex due to the large number of accounts and intricate AD structures. Regularly updating permissions, enforcing strong passwords, and monitoring account activity are key measures for maintaining security. Silverfort's solution automates the discovery and monitoring of service accounts, integrating seamlessly with Active Directory. Automated systems classify behaviors typical of service accounts and enforce security protocols through "virtual fencing." Silverfort’s technology helps prevent misuse of service accounts by detecting and responding to abnormal activities promptly. Implementing effective management tools and strategies for service accounts can substantially enhance an organization’s security posture.
2024-10-22 10:04:46 thehackernews MALWARE Advanced Resurgence of Malware Post-Law Enforcement Crackdown
The Bumblebee and Latrodectus malware loaders have returned with sophisticated phishing tactics following the law enforcement operation "Endgame." Both loaders are used to steal data and deploy further malicious payloads on compromised systems. Although the Endgame operation dismantled over 100 servers associated with various malware families, including IcedID and Bumblebee, Latrodectus quickly recovered to pose a renewed threat. Recent campaigns use deceptive emails mimicking legitimate services such as Microsoft Azure, Google Cloud, and DocuSign to spread malware. Attack chains rely on malicious PDFs or JavaScript-embedded HTML files to trigger malware installation without writing files directly to disk, which improves stealth. Latrodectus campaigns have begun targeting the financial, automotive, and business sectors with new payload distribution techniques. Bumblebee employs a covert ZIP file mechanism to execute payloads directly in memory, bypassing disk storage to evade detection. Security firms such as Trustwave and Forcepoint highlight the adaptive and persistent nature of these threats despite ongoing disruption efforts.
2024-10-22 09:34:07 thehackernews MALWARE Malware in npm Packages Steals Ethereum Keys, Installs SSH Backdoor
Cybersecurity researchers discovered npm packages that target Ethereum wallets and install SSH backdoors. These packages, mainly published under usernames such as "crstianokavic" and "timyorks," mimic legitimate software to deceive developers. The malicious code was designed to exfiltrate Ethereum private keys to an attacker-controlled domain and to modify the SSH authorized_keys file for persistent remote access. This strategy requires the developer to actively use the compromised package in their code, a departure from attacks that activate upon package installation. The campaign included a notable package named ethers-mew, which contains more complete malicious functionality than the other detected packages. Previous incidents in the npm registry involved similar tactics, such as the ethereum-cryptographyy package in August 2023, which sent private keys to a server in China. Researchers noted that the malicious accounts and packages were quickly removed from the registry, suggesting testing or limited attack attempts.
2024-10-22 07:05:55 thehackernews MALWARE VMware Addresses Critical Flaw in vCenter Server Update
VMware released updates to fix a critical remote code execution vulnerability in vCenter Server. The issue, CVE-2024-38812, scores 9.8 on the CVSS scale and is a heap overflow in the DCE/RPC protocol implementation. A malicious actor with network access could exploit it by sending a specially crafted network packet. The flaw was initially reported by researchers at a cybersecurity contest in China and was not fully patched in previous updates. Updated patches are now available for multiple versions of vCenter Server and VMware Cloud Foundation. There is no current evidence of exploitation in the wild; however, users are urged to update their systems promptly. Regulatory changes in China from 2021 require vulnerabilities discovered locally to be reported both to the government and to the manufacturer, potentially influencing global cybersecurity dynamics.
2024-10-22 05:33:57 theregister MALWARE Ghostpulse Malware Uses PNG Images to Hide and Deliver Payloads
Ghostpulse malware now embeds its payload within the pixels of PNG image files, enhancing its stealth. The malware is used primarily as a loader to install more dangerous malware, including the Lumma infostealer. It utilizes advanced techniques to extract encrypted configuration from PNGs using standard APIs and pixel color values. Social engineering complements this technical stealth, tricking victims into downloading the malicious payload via deceptive CAPTCHA interactions on attacker-controlled sites. This sophisticated method bypasses simple file-based malware detection systems, underscoring the need for updated defensive strategies. Lumma, often distributed through Ghostpulse, targets sensitive data and is available in cybercrime markets, highlighting a pervasive threat. Security researchers stress continued vigilance and adaptation of defense measures in response to evolving malware tactics. Previous safeguards may still function against some stages of this malware, but updates are necessary to address new methodologies effectively.
2024-10-22 04:48:02 thehackernews DATA BREACH Critical Exploit Hits ScienceLogic SL1, Rackspace Internal Systems Affected
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently catalogued a critical vulnerability in ScienceLogic SL1, tracked as CVE-2024-9537, because of active exploitation leading to remote code execution. The vulnerability affects various versions of the application; patches and fixes have now been released for versions ranging from 10.1.x to 12.3 and later. Cloud hosting provider Rackspace discovered unauthorized access to three of its internal monitoring web servers through this zero-day exploit in the ScienceLogic EM7 Portal. In response, Rackspace took its dashboard offline and notified all customers potentially impacted by the breach. The breach coincided with another report of Fortinet's ongoing zero-day issue in FortiManager, suspected to be exploited by China-linked actors, showing a broader trend of attacks on industry-leading software. CISA has set a deadline of November 11, 2024, for Federal Civilian Executive Branch agencies to apply the necessary ScienceLogic SL1 patches to mitigate further risk.
2024-10-21 22:36:28 theregister NATION STATE ACTIVITY China's Spamouflage Escalates Disinformation Against US Senator Rubio
China’s pro-PRC group Spamouflage intensified disinformation campaigns against US Senator Marco Rubio, confusing his identity with Ted Cruz. Recent findings from Clemson University researchers highlight renewed attacks on Rubio, including fake news and trolling on platforms like X (formerly Twitter) and Medium. In the run-up to the 2024 elections, the Beijing-backed trolls are employing more sophisticated tactics, featuring deepfake videos and higher quality disinformation content. Over 20,000 messages were posted on X during Rubio’s 2022 reelection, with many accounts displaying coordinated behavior to spread false narratives. Mistakes in the content suggested poor quality control, as Rubio was inaccurately depicted in scenarios involving other US senators. The continuous targeting of Rubio by Spamouflage might serve as a testbed for refining disinformation tactics before broader application. The operations aim to undermine political figures critical of China and cast doubt on the democratic integrity of US elections, aligning with wider goals noted by the FBI and CISA against foreign disinformation efforts.
2024-10-21 21:35:17 theregister MISCELLANEOUS Sophos Acquires Secureworks in $859 Million Strategic Deal
British security company Sophos, owned by Thoma Bravo, has announced the acquisition of Secureworks for $859 million, a 28% premium on its current stock value. Dell, which retained a majority stake in Secureworks following its semi-successful IPO in 2016, stands to benefit from this deal. Secureworks, known for its Taegis SaaS threat detection platform, will enhance Sophos' existing portfolio and strengthen its market position in threat management and response solutions. The acquisition aligns with Sophos' strategy to expand its cybersecurity capabilities and services globally, contributing to a safer digital environment. Not anticipated to face significant regulatory hurdles, the deal is expected to close next year, further consolidating Thoma Bravo’s significant presence in the cybersecurity sector. This acquisition follows Thoma Bravo’s recent purchases of other major cybersecurity firms, including Darktrace and Proofpoint, indicating a continued investment focus on expanding its security technology portfolio.
2024-10-21 21:14:41 bleepingcomputer CYBERCRIME Hackers Target CIS Governments Using Roundcube Email Flaw
Threat actors exploited a stored XSS vulnerability (CVE-2024-37383) in Roundcube Webmail, targeting governmental bodies in the CIS region. The cyber-attack campaign began in June, as identified in research by Positive Technologies. Hackers sent seemingly blank emails with a .DOC attachment containing a hidden JavaScript payload to execute malicious activities. The payload could download misleading documents and inject unauthorized login forms to steal user credentials. Compromised data was transmitted to a recently registered server, using managed infrastructure provided by Cloudflare. The vulnerability affects versions up to Roundcube 1.5.6 and from 1.6 to 1.6.6; updating to versions 1.5.7 or 1.6.7 and higher is strongly recommended. Similar XSS vulnerabilities in Roundcube have been previously exploited by various hacker groups targeting essential organizations globally.
2024-10-21 19:32:59 theregister MISCELLANEOUS Billionaire Crusades Against Tesla FSD Using 'Unhackable' OS
Billionaire Dan O'Dowd, founder of Green Hills Software, claims to have developed an "unhackable" operating system, Integrity-178B, used by high-security entities including the U.S. military and the FBI. O'Dowd's operating system boasts simplicity and a high Evaluation Assurance Level, which underpin its security claims, though these claims face skepticism from experts such as Bruce Schneier. Apart from his software pursuits, O'Dowd has launched a vehement campaign against Tesla's Full Self-Driving (FSD) technology, criticizing its safety and effectiveness. His anti-Tesla efforts include founding the Dawn Project, which publicizes flaws in Tesla's FSD through significant advertising spending, including Super Bowl ads and full-page NYT ads. O'Dowd ran for the U.S. Senate in 2022 on a platform dedicated to regulating autonomous vehicles but was not elected despite a substantial self-funded campaign. The Dawn Project's aggressive tactics against Tesla's FSD technology have drawn legal attention, resulting in a cease-and-desist letter from Tesla, which O'Dowd publicly mocked. Despite his controversial statements and campaigns, O'Dowd's financial success and influence continue to fuel his advocacy against what he views as dangerous autonomous-vehicle technology.
2024-10-21 17:56:09 bleepingcomputer MALWARE Over 6,000 WordPress Sites Compromised by Malicious Plugins
Over 6,000 WordPress sites have been infiltrated to deliver deceptive software updates and error messages via malicious plugins. The campaigns, identified as ClearFake and ClickFix, utilize fake browser update banners and software error messages to spread information-stealing malware. Malicious actors exploit these campaigns to distribute malware through fake alerts on popular platforms like Google Chrome and Facebook. GoDaddy identified a surge in these activities, noting that plugins mimicking legitimate ones or using generic names are employed to deceive site administrators. The installed malicious scripts inject JavaScript that triggers downloads from a Binance Smart Chain contract, executing the malware delivery. Login behaviors observed from web server logs suggest that perpetrators are using stolen credentials to automate their malicious installations. WordPress administrators are urged to inspect their plugins and reset admin passwords to mitigate the impact of these campaigns.
2024-10-21 15:48:01 bleepingcomputer MALWARE Bumblebee Malware Reemerges Post-Law Enforcement Crackdown
The Bumblebee malware loader has resurfaced in recent attacks, after Europol disrupted it during 'Operation Endgame' in May. The loader is linked to the TrickBot group and is known for deploying ransomware and stealing information via phishing and malvertising. Newly observed attacks begin with a phishing email that deceives victims into downloading a malicious ZIP file, which starts a multi-stage infection chain. The infection executes a disguised .MSI file, mimicking a legitimate update, which silently installs the malware without user interaction. The malware runs in memory, avoiding the creation of new, noisy processes, and uses a DLL inside the MSI to continue its operations stealthily. Researchers observed renewed activity along with updated decryption keys and campaign IDs, pointing to an evolution in its deployment methods. Preliminary reports lack a detailed impact assessment or payload specifics, but the observed resurgence signals a rising threat level.
2024-10-21 13:35:05 theregister MALWARE Urgent macOS Update Needed to Thwart HM Surf Vulnerability
Microsoft has identified a severe vulnerability in macOS tracked as CVE-2024-44133, which could potentially allow malicious entities to access the camera, microphone, and location data of users. The flaw exploits Apple’s Transparency, Consent, and Control (TCC) system, which manages app permissions for accessing sensitive features. An exploit, named HM Surf by Microsoft, has been developed that manipulates Safari’s configuration files to bypass TCC protections. The vulnerability, which has been patched in the recent macOS Sequoia update, may already be exploited by the Adloader malware family, although conclusive evidence is lacking. Apple has responded by introducing new APIs that strengthen System Integrity Policy (SIP) to prevent unauthorized changes to configuration files. Microsoft has updated its Defender software to detect suspicious modifications in Safari’s directory, enhancing protection against potential exploits. Users of macOS are strongly urged to update their systems immediately to mitigate any risks associated with this vulnerability.