Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-20 21:32:19 | bleepingcomputer | MALWARE | Critical UEFI Vulnerability in Intel CPUs Affects Multiple Vendors | A significant buffer overflow vulnerability, CVE-2024-0762, impacts the UEFI firmware in numerous Intel CPUs across multiple device manufacturers. Discovered by Eclypsium, the vulnerability exists within the TPM configuration of Phoenix SecureCore UEFI firmware, affecting Secure Boot processes. The flaw could allow attackers to execute malicious code at the firmware level, potentially installing bootkit malware that is hard to detect and remove. Phoenix and Lenovo have confirmed the vulnerability affects a wide range of Intel processors including Alder Lake, Coffee Lake, and Comet Lake among others. Manufacturers such as Lenovo, Dell, HP, and Acer might see hundreds of their models impacted due to the widespread use of the vulnerable firmware. Lenovo has already started rolling out firmware updates to mitigate the flaw, covering over 150 device models, with more updates planned. This vulnerability highlights the escalating focus of threat actors on exploiting UEFI firmware because of its foundational role in system boot processes and security mechanisms. | Details |
| 2024-06-20 21:11:47 | theregister | NATION STATE ACTIVITY | U.S. Bans Kaspersky Products, Citing National Security Risks | The Biden administration has officially banned the sale and distribution of Kaspersky products in the United States. Starting July 20, Kaspersky will be prohibited from entering contracts with new U.S.-based customers; existing customers must transition by October. The Commerce Secretary cited national security risks due to potential exploitation by the Russian government. Kaspersky is also barred from distributing software updates and malware signatures to U.S. customers after September 29. Violations of the ban could result in fines or criminal charges against sellers or resellers. The decision reflects ongoing concerns about Russian cyber operations and their potential impact on American digital security. The U.S. government's investigations concluded that risks associated with Kaspersky's operations could not be mitigated without a total ban. | Details |
| 2024-06-20 20:56:19 | theregister | CYBERCRIME | CDK Global Halts Operations Amid Repeated Cyber Incidents | CDK Global, a major software provider for nearly 15,000 US car dealerships, experienced a severe cyber incident, leading to repeated systems shutdowns. The initial system closure occurred early on June 19, followed by an attempt to restore services, including the Dealer Management System and other key platforms. Shortly after restoration, CDK Global was forced to shut down systems again due to a subsequent cyber incident, raising concerns about the security of the restored services. The company has engaged third-party cybersecurity experts to assess the situation and has not provided a timeline for when services will be fully operational again. The cyber attacks were speculated to be timed with the Juneteenth public holiday to maximize disruption. There is an implication that the incident could involve ransomware, although CDK Global has not confirmed this detail. Dealerships have resorted to manual processes in response to the outage, with uncertainty around the duration of system downtime affecting business operations. | Details |
| 2024-06-20 20:05:09 | bleepingcomputer | MALWARE | Critical CosmicSting Vulnerability Threatens Major E-Commerce Platforms | The "CosmicSting" vulnerability remains largely unpatched in Adobe Commerce and Magento platforms, affecting 75% of sites. The vulnerability enables XML external entity injection (XXE) and remote code execution (RCE), posing severe security threats. Rated with a critical CVSS score of 9.8, CosmicSting could lead to unauthorized data access and system control. Adobe released updates to mitigate the flaws, but many sites have not yet applied these critical patches. Sansec warns that combining CosmicSting with the vulnerable glibc library on Linux escalates the risk of attack. Administrators are urged to apply the provided patches or implement the suggested emergency measures to prevent exploitation. Sansec compares the potential impact of CosmicSting to notable past e-commerce breaches, indicating high severity and risk. | Details |
| 2024-06-20 19:03:29 | bleepingcomputer | MALWARE | RansomHub Ransomware Targeting VMware ESXi Virtual Machines | RansomHub, a ransomware-as-a-service (RaaS) operation, now targets VMware ESXi environments with a specialized Linux encryptor, affecting corporate sectors globally. The operation has associations with other major ransomware groups like ALPHV/BlackCat and Knight, and has impacted over 45 entities in 18 countries. RansomHub's new ESXi variant is written in C++ and features advanced functionality such as execution delay, targeted VM exclusion, and targeted directory encryption. It employs a partial encryption method for efficiency, encrypting just the beginning of larger files and adding unique identifiers to the encrypted files. Recorded Future discovered a flaw in this variant that allows defenders to induce a perpetual loop, temporarily neutralizing the ransomware threat. The ransom message is displayed prominently on the system's login screens and web interfaces to ensure visibility immediately upon system compromise. The ESXi-specific ransomware disables critical system logs and can delete itself following execution to elude detection and forensic analysis. | Details |
| 2024-06-20 17:46:23 | bleepingcomputer | NATION STATE ACTIVITY | UNC3886 Exploits VMs Using Rootkits for Surveillance and Theft | UNC3886, a suspected Chinese threat actor, uses the open-source Linux rootkits 'Reptile' and 'Medusa' on VMware ESXi virtual machines for stealth and persistence. Mandiant has closely followed UNC3886, noting its focus on critical sectors such as government, telecom, tech, aerospace, defense, and energy. The attackers deploy the rootkits after exploiting zero-day vulnerabilities, gaining deep control over VMs to conduct espionage and maintain long-term access. 'Reptile' provides backdoor access with capabilities for command execution and file transfers, while 'Medusa' is used for credential logging and command execution logging. UNC3886 has customized these rootkits for enhanced evasion and persistence, adjusting configuration settings and deployment scripts. In addition to rootkits, UNC3886 employs custom malware tools like 'Mopsled' and 'Riflespine', leveraging platforms like GitHub and Google Drive for command and control. The group's recent targets include organizations across North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia. Detailed technical information on UNC3886's tools and methods, including VMCI backdoors, will be disclosed by Mandiant in future reports. | Details |
| 2024-06-20 17:41:04 | theregister | CYBERCRIME | Kraken Accuses Blockchain Firm CertiK of Multi-Million Dollar Extortion | Kraken, a major cryptocurrency exchange, has accused three security researchers from CertiK of exploiting a vulnerability to steal $3 million and then attempting extortion. The alleged security breach involved a UX update that improperly credited user accounts before deposits were confirmed, creating the potential for false account value inflation. Kraken's CSO, Nicholas Percoco, claims the issue was quickly identified internally, yet the researchers involved exploited it rather than reporting it responsibly. Despite initial cooperative discussions on the vulnerability, tensions escalated with CertiK allegedly demanding further compensation beyond the return of the stolen funds. CertiK has denied withholding the funds deliberately and has highlighted aggressive demands and threats from Kraken's security team. The dispute has stirred significant attention on social media, where further allegations about CertiK's activities involving sanctioned entities have surfaced. Kraken is treating the incident as a criminal case and is coordinating with law enforcement, asserting that the actions of the researchers were not in line with ethical hacking practices. | Details |
| 2024-06-20 15:48:26 | bleepingcomputer | CYBERCRIME | Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability | The CVE-2024-28995 vulnerability in SolarWinds Serv-U is being exploited, putting sensitive data at risk through unauthorized file access. Exploits and a proof-of-concept are publicly available, notably published by Rapid7 and an independent researcher. The vulnerability allows unauthenticated attackers to read arbitrary files on the system using specific HTTP GET requests. An estimated 5,500 to 9,500 internet-exposed instances may be vulnerable to this high-severity directory traversal flaw. SolarWinds has released a hotfix (version 15.4.2.157) to address this vulnerability by enhancing validation mechanisms. Attack attempts vary from manual to automated, with attackers adapting their techniques based on server responses. The files most targeted in these attacks are those useful for gaining elevated privileges or furthering network compromise. SolarWinds urges system administrators to install the available updates promptly to mitigate the vulnerability. | Details |
| 2024-06-20 15:32:44 | bleepingcomputer | CYBERCRIME | CDK Global Faces Second Cyberattack Amid Recovery Efforts | CDK Global, a SaaS provider for car dealerships, experienced a second cyberattack while recovering from an earlier breach. The initial cyberattack caused CDK to shut down its data centers and IT systems, severely disrupting operations for car dealerships. Restoration attempts were underway when a subsequent cyber incident prompted another shutdown of most systems. The company is assessing the impact of the breaches with the help of external cybersecurity experts. Industry professionals have expressed concern that CDK may be rushing to restore services, potentially increasing security risks. The repeated outages have impacted both car dealerships and customers, affecting vehicle sales and servicing capabilities. CDK is communicating only minimally with its customers, with plans to bring systems back online by June 21. There is ongoing worry that not fully resolving security issues before resuming operations could lead to additional cyberattacks and data theft. | Details |
| 2024-06-20 14:26:03 | thehackernews | MALWARE | Critical UEFI Firmware Vulnerability Patched Across Intel CPUs | Cybersecurity researchers have identified a significant vulnerability in Phoenix SecureCore UEFI firmware, impacting numerous Intel CPU families. The flaw, tracked as CVE-2024-0762, is a buffer overflow issue in the TPM configuration that could allow attackers to execute malicious code. This vulnerability enables local attackers to escalate privileges and manipulate UEFI firmware, a foundational component for system security. Exploitation of such vulnerabilities is akin to a firmware backdoor, enabling attackers to maintain persistence and bypass OS-level security measures. Phoenix Technologies released a patch in April 2024, with additional updates provided by Lenovo to address the affected systems. The CPUs affected include AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. This vulnerability underscores the critical nature of securing UEFI firmware due to its high privileges and role in the initial system boot process. Such vulnerabilities pose significant risks to the supply chain, potentially impacting numerous devices and vendors globally. | Details |
| 2024-06-20 14:05:11 | thehackernews | NATION STATE ACTIVITY | Russian-Linked Cyber Attacks Target French Diplomatic Sites | French diplomatic entities have been subject to targeted cyber attacks by state-sponsored actors with ties to Russia. The attacks are attributed to Midnight Blizzard, also known under various aliases such as APT29 and Nobelium, linked to the Russian Foreign Intelligence Service (SVR). ANSSI identifies separate threat clusters, including Midnight Blizzard and Dark Halo, noted for different cyber attack strategies. Attack methods primarily include phishing campaigns using compromised legitimate email accounts belonging to diplomatic staff. Phishing emails sent by Nobelium were recently aimed at European embassies in Kyiv, including the French embassy, in May 2023. Additional attacks targeted the French Embassy in Romania, leveraging security flaws in JetBrains TeamCity servers, but were unsuccessful. Nobelium's infiltration attempts extend to IT and cybersecurity entities, enhancing its espionage capabilities and posing a sustained threat. The Polish government also reported a DDoS attack by Russian hackers against Telewizja Polska during a broadcast in June 2024. | Details |
| 2024-06-20 12:33:00 | theregister | NATION STATE ACTIVITY | Russia's Cyber Espionage Continues to Target French Diplomacy | France's CERT-FR has revealed ongoing cyber espionage operations by Nobelium, a Russian-linked cyber group, aimed at French national security and democratic processes. Nobelium, differentiated from APT29 and Dark Halo by ANSSI, targets diplomatic emails via sophisticated phishing attacks and business email compromise (BEC) tactics. Notable incidents include repeated attempts to infiltrate the French Ministry of Foreign Affairs and other public sector entities, using themes like embassy closures and diplomatic appointments to deploy Cobalt Strike tools. The cybersecurity report underscores Nobelium's persistence and strategic targeting, pointing to state-sponsored operations aimed at gathering intelligence and influencing political outcomes. French officials are concerned about potential Russian interference in upcoming elections and diplomatic relations, especially with the impending Olympic and Paralympic Games hosted by France. Russia has also been implicated in disinformation campaigns, including attempts to influence previous French presidential elections and spread misleading narratives about socio-economic issues in France. | Details |
| 2024-06-20 10:50:59 | thehackernews | MISCELLANEOUS | Challenges MSPs Face with Multiple Cybersecurity Tools in 2024 | MSPs manage a vast array of cybersecurity tools, making integration and management complex. Recent surveys indicate 36% of MSPs use over 10 different cybersecurity tools, increasing the risk of security gaps. An excess of tools often leads to alert fatigue, causing delays in response and potentially undetected vulnerabilities. The Guardz Unified Cybersecurity Platform offers a centralized solution to manage risks and streamline operations. Guardz integrates multiple security functions such as email and endpoint security, phishing simulations, and cyber insurance. The platform enhances threat detection and response, ensuring consistent security policies across all environments. Continuous Attack Surface Discovery and Penetration Testing help MSPs stay ahead of threats by prioritizing critical vulnerabilities. | Details |
| 2024-06-20 10:35:26 | theregister | RANSOMWARE | Qilin Ransomware Attack Targets London Hospitals for $50 Million | The Qilin ransomware group orchestrated a deliberate attack on Synnovis, causing a significant healthcare crisis in London hospitals and demanding a $50 million ransom. The group claims the attack was politically motivated, targeting entities linked to political elites who allegedly withhold high-quality medicines. Despite this claim, experts and analysts note that Qilin's operations have traditionally been financially rather than politically motivated, questioning the authenticity of its stated ideology. So far, the attack has led to over 1,500 cancellations of operations and appointments, seriously impacting patient care and hospital functions. Qilin claims to have used a zero-day vulnerability to initiate the attack, though specifics about the vulnerability remain unconfirmed by Synnovis and the UK's NCSC. Synnovis is currently investigating the breach, in coordination with the Information Commissioner's Office (ICO) and other relevant authorities, to assess the extent of the data impacted. Qilin's claims and previous activities suggest a sophisticated level of operational capability, likely supported by advanced cybercriminal techniques and tools. | Details |
| 2024-06-20 10:25:04 | thehackernews | NATION STATE ACTIVITY | Chinese Espionage Campaign Targets Asian Telecoms Since 2021 | Chinese cyber espionage groups have been linked to the infiltration of telecom operators in Asia, ongoing since at least 2021. The attacks involve placing backdoors into networks, credential theft, and targeting an additional services company and a university. Symantec identifies the use of known Chinese cyber tools such as COOLCLIENT, QuickHeal, and RainyDay, which capture sensitive data and connect to C2 servers. Initial access methods to target systems remain unclear; the campaign includes port scanning and Windows Registry hive dumping. The operations may involve collaboration or independent actions by different espionage collectives known as Mustang Panda, RedFoxtrot, and Naikon. Motives likely include intelligence gathering on the telecom sector and potentially establishing capabilities for future disruption of critical infrastructure. Parallel reporting by Kaspersky in November 2023 exposed a related ShadowPad malware attack exploiting Microsoft Exchange vulnerabilities in Pakistani telecom infrastructure. | Details |