Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12813

Checks for new stories every ~15 minutes

2024-10-08 23:36:29 theregister MALWARE Microsoft Releases 117 Patches, Including Fixes for Exploited Flaws
Microsoft has issued 117 patches, addressing a mixture of vulnerabilities and bugs across its product line in its routine Patch Tuesday release. Two of the patched vulnerabilities were under active exploitation, prompting immediate attention and rapid deployment of fixes. The first actively exploited vulnerability, CVE-2024-43572, rated 7.8, affects the Microsoft Management Console and could allow local code execution via malicious MSC files. The second, CVE-2024-43573, with a CVSS score of 6.5, is a spoofing issue in the now-defunct MSHTML browser engine, affecting various Windows Server and Windows 10 releases. Other significant patches included fixes for previously reported vulnerabilities in curl and Winlogon, which carried high CVSS scores and could lead to severe system compromise. The release also corrected a critical remote code execution flaw in Microsoft Configuration Manager and a serious privilege elevation flaw in Netlogon. Adobe and SAP also released multiple patches, with SAP addressing earlier ineffective patches for severe vulnerabilities in products such as BusinessObjects.
2024-10-08 21:49:25 bleepingcomputer DDOS New Scanner Detects Servers Vulnerable to CUPS RCE and DDoS Risks
An automated scanner detects devices susceptible to the Common Unix Printing System (CUPS) remote code execution flaw, CVE-2024-47176. The flaw allows remote code execution and, under certain conditions, can amplify DDoS attacks by a factor of 600. Security researcher Marcus Hutchins developed the scanner to help system administrators identify vulnerable systems. The vulnerability stems from cups-browsed binding its control port to a broadly reachable network address, exposing it to unauthorized commands. The scanner works by broadcasting a specific UDP packet within the network and flagging the systems that respond as vulnerable. Detected systems and their responses are logged for further analysis and remediation. Although useful for network scanning, the tool's safety and efficacy have not been independently verified.
2024-10-08 21:33:59 theregister NATION STATE ACTIVITY Qualcomm Releases Patches for Exploited Firmware Vulnerabilities
Qualcomm has released 20 patches for its chipset firmware, including a fix for an actively exploited vulnerability in its Digital Signal Processor (DSP) software. The critical vulnerability, CVE-2024-43047, with a CVSS score of 7.8, has been exploited in the wild, prompting urgent updates from Qualcomm. Both Google's Project Zero and Amnesty International have reported on the issue, suggesting the involvement of nation-state attackers or commercial surveillance vendors. Qualcomm's advisory noted signs of targeted exploitation, requiring OEMs to expedite update rollouts to affected devices such as Snapdragon-powered models and 5G modems. Another severe flaw, CVE-2024-33066 in WLAN resource management, scores 9.8 on the CVSS scale but has not yet been exploited. Other vulnerabilities resolved include an 8.4-rated memory corruption issue in the camera driver and various other medium- and high-severity bugs. Qualcomm has prioritized patches for numerous high-impact issues, including additional protections for WLAN operations and DSP services. Device users are advised to check for updates and install them promptly to protect against potential compromise.
2024-10-08 20:32:40 bleepingcomputer CYBERCRIME Mamba 2FA PhaaS Targets Microsoft 365 with Advanced Tactics
Mamba 2FA, a phishing-as-a-service platform, is targeting Microsoft 365 accounts through AiTM attacks, bypassing MFA protections. The service is marketed to cybercriminals at $250 per month, offering tools to execute phishing campaigns with high levels of stealth and persistence. Initially documented by Any.Run in June 2024, Mamba 2FA has undergone significant evolution to avoid detection and enhance the effectiveness of its phishing attacks. Infrastructure improvements include the use of proxy servers to disguise relay server IP addresses and rotating phishing link domains to elude security software. The phishing kit includes sophisticated templates mimicking corporate branding to increase the authenticity of the phishing pages, targeting both corporate and consumer accounts. Captured credentials and tokens are transmitted via a Telegram bot, facilitating immediate unauthorized access to compromised accounts. To defend against such PhaaS platforms, recommended measures include the use of hardware security keys, IP geo-blocking, and token lifespan management.
2024-10-08 18:35:00 theregister DATA BREACH iPhone Mirroring Exposes Personal Data at Work, Fix Pending
iPhone Mirroring on work-issued Macs poses significant privacy and security risks, potentially exposing personal employee data such as dating apps, health information, and more. Sevco Security identified a flaw that allows employer IT departments to access expansive personal information from employee iPhones mirrored to Macs. The vulnerability can specifically expose sensitive information in regions with strict privacy laws or where certain personal attributes could cause harm or legal issues. This issue creates potential liability for businesses under privacy law, risking lawsuits and enforcement from regulatory bodies. A macOS CLI command, 'mdfind', can reproduce the flaw, proving the risk of full disk access and exposure of personal iOS apps and metadata. Sevco Security has alerted Apple and various enterprise software vendors that could be affected by this privacy vulnerability. Companies are advised to inform employees to refrain from using the Mirroring feature on work devices and to coordinate with IT vendors until Apple releases a fix. Apple is aware of the issue and is reportedly working on a software patch to address the security flaw.
2024-10-08 18:19:21 bleepingcomputer MALWARE Microsoft's October 2024 Patch Tuesday Targets Critical Vulnerabilities
Microsoft released updates to fix 118 security flaws, including five zero-day vulnerabilities, during their October 2024 Patch Tuesday. Two of the zero-day vulnerabilities were actively being exploited prior to the patch release. The update addresses critical remote code execution vulnerabilities, improving security across various Microsoft platforms. Specific flaws fixed included a spoofing vulnerability in the MSHTML platform and a remote code execution flaw via malicious Microsoft Saved Console (MSC) files. Other vulnerabilities addressed included a libcurl remote code execution flaw, a UEFI bypass in Windows Hyper-V, and an elevation of privilege in Winlogon. Additional non-security updates were released for Windows 11 and Windows 10, providing further enhancements and stability fixes. Microsoft and other vendors continually recommend immediate updates to mitigate risks associated with newly discovered vulnerabilities.
2024-10-08 16:41:38 thehackernews CYBERCRIME Active Exploitation of Three New Ivanti CSA Vulnerabilities
Ivanti reported active exploitation of three new zero-day vulnerabilities in its Cloud Service Appliance (CSA). The vulnerabilities allow attackers with admin privileges to bypass security restrictions, execute SQL commands, or perform remote code execution. These flaws have been exploited in conjunction with a previously patched vulnerability, CVE-2024-8963, a severe path traversal issue. Affected versions include CSA 4.6 patch 518 and earlier, with no recorded exploitation of environments running CSA 5.0. Ivanti discovered the vulnerabilities during an investigation into earlier exploitation of CSA flaws, including another OS command injection bug, CVE-2024-8190. Ivanti recommends that users inspect the CSA for signs of compromise, such as changes to administrative users, and advises using EDR tools for ongoing monitoring. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added another related Ivanti vulnerability to its Known Exploited Vulnerabilities catalog.
2024-10-08 16:31:11 thehackernews MALWARE Gamers Deceived by Malware Disguised as Game Cheating Scripts
Gamers searching for cheats are inadvertently downloading Lua-based malware capable of fetching further malicious payloads and maintaining persistence on the system. Morphisec and OALabs identified the use of GitHub for staging the malware, taking advantage of the platform's features to bypass standard security measures. GitHub has responded by enhancing its security measures and removing content that violates its Acceptable Use Policies. The malware is delivered more stealthily as obfuscated Lua scripts rather than Lua bytecode, to avoid detection. The malicious payload includes several components, such as a Lua compiler, a runtime interpreter, and a script that contacts a command-and-control server. Affected systems may receive further malicious tasks from the server, such as downloading additional malware variants like RedLine or CypherIT. Information stolen by such malware is subsequently sold on the dark web, underlining the significant monetization aspect of these attacks. Similar cyberattacks have been reported elsewhere, targeting users searching for pirated software or engaging with cryptocurrency-related content.
2024-10-08 16:08:53 bleepingcomputer CYBERCRIME Ivanti Patches Actively Exploited Zero-Days in CSA Appliances
Ivanti has issued updates for three newly identified zero-day vulnerabilities in its Cloud Services Appliance (CSA) that were actively exploited in attacks. The exploited zero-days allow attackers to perform SQL injection, command injection, and security bypass through path traversal weaknesses. The vulnerabilities affect versions up to CSA 5.0.1, and users are urged to upgrade to CSA 5.0.2 to mitigate the risk. Ivanti also provided guidance on detecting attacks by monitoring for unusual administrative user activity and using endpoint detection and response (EDR) alerts. The company has enhanced its testing and internal scanning to improve the speed of identifying and disclosing security issues. Ivanti emphasized its commitment to a secure design framework, as recognized by CISA's Secure by Design initiative. Over 40,000 companies and 7,000 partners globally rely on Ivanti for managing IT systems and security, highlighting the critical nature of the vulnerabilities.
2024-10-08 16:01:59 bleepingcomputer MALWARE European Government Air-Gapped Systems Compromised by APT
An APT group named GoldenJackal exploited air-gapped government systems in Europe, using custom malware to steal sensitive data from various entities, including a South Asian embassy and a European government organization. The breaches occurred multiple times between 2019 and 2024, involving espionage-focused attacks to extract files such as emails, encryption keys, and documents. Initial infection vectors included trojanized software or malicious documents, which propagated malware named GoldenDealer to internet-connected systems. The malware spread to air-gapped systems via USB drives, where additional malicious components like GoldenHowl (a backdoor) and GoldenRobo (a file stealer) were installed. After data theft, the compromised USB drives transferred the stolen data back to the original internet-connected systems and sent it to the attacker’s C2 server. In 2022, GoldenJackal updated their toolkit with a new Go-based modular set, enhancing their capability for controlled operations and introducing tools like GoldenUsbCopy and GoldenUsbGo for more specific file theft. Certain malware components were designed for specific tasks: GoldenBlacklist for email filtering, GoldenMailer for direct emailing of stolen data, and GoldenDrive for uploading data to Google Drive. The sophistication and continuous evolution of GoldenJackal’s toolsets indicate their significant capability in cyber espionage and data exfiltration from highly secured networks.
2024-10-08 15:56:30 bleepingcomputer NATION STATE ACTIVITY Advanced Persistent Threat Group Breaches Air-Gapped European Government Systems
The GoldenJackal APT group infiltrated European air-gapped government systems using bespoke malware, including GoldenDealer and GoldenHowl, to exfiltrate sensitive data. Documented breaches include attacks on a South Asian country's embassy in Belarus and a European government organization, spanning from 2019 to 2024. The group used USB drives infected with GoldenDealer to penetrate isolated networks and then installed additional malware to collect and transmit data. GoldenJackal introduced a new Go-based toolset in 2022 that assigns role-specific tasks to infected machines, and hardened its operational security by using unencrypted, hardcoded instructions for data theft. Stolen data ranged widely from emails, encryption keys, and OpenVPN configurations to images and document archives, significantly endangering diplomatic and state security. The APT's techniques included monitoring infected internet-connected systems for USB activity in order to propagate malware to the air-gapped environments. This incident highlights the vulnerability of air-gapped systems to physical cybersecurity threats and the complex strategies employed by state-aligned actors targeting government entities.
2024-10-08 13:38:27 bleepingcomputer CYBERCRIME Casio Hit by Cyberattack, Suffers Major IT System Disruptions
Japanese technology company Casio has experienced a cyberattack, leading to unauthorized access and disruption of its IT systems on October 5. The incident affected various services, although specific details on what services were impacted have not been disclosed. Casio is conducting an ongoing investigation with the help of external cyber security experts to ascertain if any personal data or confidential information was compromised. Following the discovery of the breach, Casio implemented measures to prevent further unauthorized access and has reported the incident to the relevant data protection authorities. This cyberattack is not the first for Casio; about a year ago, the company faced a data breach on its ClassPad education platform, impacting customer data across 149 countries. The attack comes at a financially tumultuous time for Casio, as the company recently announced significant upcoming losses related to large-scale personnel restructuring.
2024-10-08 11:20:36 thehackernews NATION STATE ACTIVITY 'Awaken Likho' Cyber Group Intensifies Attacks on Russian Targets
Awaken Likho, also known as Core Werewolf and PseudoGamaredon, has been actively targeting Russian government entities and industrial sectors since at least August 2021. Recent campaigns, identified by Kaspersky, began in June 2024 and show a shift in tactics, including the use of MeshCentral to replace previously utilized UltraVNC for remote system access. The attacks predominantly employ spear-phishing methods, where malicious executables camouflaged as legitimate documents (.doc or .pdf) are sent to infiltrate systems. These attacks often culminate in the installation of remote access tools that grant attackers full control over compromised hosts. Among targeted entities are Russian military bases, governmental agencies, their contractors, and critical infrastructure providers. The attackers have innovated by using self-extracting archives to stealthily install malware while presenting a benign document to deceive the target. Kaspersky reports that MeshAgent is installed via a scheduled command task, resulting in persistent system access connected to an external command and control server.
2024-10-08 11:03:40 thehackernews MALWARE How a Web Security Solution Foiled an "Evil Twin" Checkout Scam
An online retailer was targeted by cybercriminals using a fake "evil twin" checkout page to steal customer payment information. The attack used a malicious redirect from the legitimate site to a fraudulent page that was almost identical to the original. This deceptive stratagem involved typosquatting, a subtle URL change that makes detection difficult for unsuspecting users. The fake page collected sensitive data, risking significant financial loss and potential dark web exposure for victims. The incident investigation suggests that the attackers possibly compromised the site via cross-site scripting (XSS) attacks. Reflectiz, a web security provider, used deep behavioral analysis to identify and deobfuscate the malicious script. Prompt action by the retailer, informed by Reflectiz's detailed threat analysis, prevented extensive damage and data loss. Continuous, robust web security monitoring proved essential in protecting both the retailer's assets and its customers.
2024-10-08 10:17:41 thehackernews MISCELLANEOUS Enhancing Cybersecurity with AI-Powered Identity Management
AI technologies play a crucial role in bolstering identity management systems, enhancing security, and improving user experience. AI-powered identity systems utilize machine learning to detect behavioral anomalies and signals of cyberattacks, such as data exfiltration events. One Identity and OneLogin utilize advanced AI models and analytics to improve risk detection and access management, enabling effective identification and mitigation of potential security threats. AI facilitates unified identity platforms, allowing disparate business areas to synergize over a shared goal of heightened security and streamlined operations. User and Entity Behavior Analytics (UEBA) is employed to establish normal user behavior baselines and identify deviations that may indicate security risks. Automation in role-based entitlement management is improved through AI, ensuring continuous and precise access control with less manual oversight. Organizations adopting AI-enhanced identity management systems can effectively lower the cybersecurity skills barrier and respond better to sophisticated identity-based threats.