Daily Brief

VMware has released critical security updates for Cloud Foundation, vCenter Server, and vSphere ESXi. The updates address vulnerabilities that could lead to privilege escalation and remote code execution. Identified vulnerabilities include two discovered by researchers at QiAnXin LegendSec and one by Deloitte Romania. Affected versions are specifically vCenter Server versions 7.0 and 8.0; patches are available in newer subversions. Prior similar issues were patched in October 2023, involving the DCE/RPC protocol. VMware advises users to apply these critical patches promptly despite no current active exploitation reports.

Singapore Police Force has extradited two Malaysians linked to an Android malware scam targeting Singapore citizens. The suspects allegedly used phishing campaigns to install malicious apps on victims' devices to steal personal data and banking credentials. In collaboration with Hong Kong and Malaysian police, a lengthy investigation linked the suspects to a criminal syndicate. The malware disguised as discounted goods apps allowed remote access to victims' devices, capturing sensitive data and enabling unauthorized transactions. Assets including cryptocurrency and real estate worth over $1.33 million have been seized in related arrests, with 16 criminals captured so far. The malicious operations have affected over 4,000 victims, highlighting the extensive impact of the scam. One suspect faces up to ten years in prison and $500,000 in fines, underlining the severity of the penalties for such cybercrimes.

VMware, now owned by Broadcom, has disclosed two critical vulnerabilities in its vCenter Server product, used to manage virtual machines and hosts. Identified as CVE-2024-37079 and CVE-2024-37080, both vulnerabilities are rated 9.8 out of 10 for severity and involve heap-overflow issues in the DCE/RPC protocol implementation. A malicious actor could exploit these vulnerabilities by sending a specially crafted network packet, potentially leading to remote code execution. Although patched versions of vCenter Server and Cloud Foundation are available, there is no information about the applicability of these fixes to older vSphere versions 6.5 and 6.7, which are widely used but no longer supported. VMware also reported a third, less critical vulnerability, CVE-2024-37081, related to local privilege escalation due to sudo misconfiguration, scoring it as important (7.8). There are currently no known exploits of these vulnerabilities "in the wild," according to VMware. The discovery of these vulnerabilities was credited to Matei "Mal" Badanoiu from Deloitte Romania.

Researchers from Seoul National University, Samsung Research, and Georgia Institute of Technology have discovered vulnerabilities in ARM's Memory Tagging Extensions (MTE). The vulnerabilities allow attackers to breach memory tags 95% of the time through speculative execution techniques. MTE was designed to protect against commonly exploited memory safety vulnerabilities in C/C++ programming, like buffer overflows and heap-use-after-free attacks. The effective bypass raises concerns about MTE’s ability to secure applications on Arm processors, despite Arm’s reassurances. Findings challenge earlier works, including those by Google's Project Zero, which did not identify side-channel attacks capable of breaking MTE. Researchers demonstrated their technique's efficacy by extracting MTE tags from Google Chrome on Android and Linux, using proof-of-concept code now available on GitHub. The suggested mitigation involves placing speculation barriers and limiting gadget construction in affected software like Chromium and Linux kernel code. Despite acknowledging the issue, Arm insists the value of MTE stands, although they recommend additional mechanisms to prevent speculative execution oracles.

Guidehouse and Nan McKay and Associates (NMA) agreed to pay $11.3 million to settle allegations related to cybersecurity failures. The settlements were the result of inadequate cybersecurity testing for New York’s emergency rental assistance program during the COVID-19 pandemic. Both firms failed to effectively test the ERAP system before deployment, resulting in sensitive data leakage shortly after the system went live. About 12 hours post-launch, it was discovered that personal information was leaking onto the internet. Although an investigation indicated no unauthorized use of Personally Identifiable Information (PII), the exposure triggered a formal "Information Security Breach" protocol. In addition to the data breach, Guidehouse admitted to using unauthorized third-party cloud software for storing PII. The US Attorney emphasized the importance of fulfilling cybersecurity obligations, especially when handling sensitive information under federal contracts.

A new malware campaign uses fake error messages from popular applications like Google Chrome, Microsoft Word, and OneDrive to deceive users into running malicious PowerShell scripts. The campaign involves various threat actors, including ClearFake, ClickFix, and TA571, noted for their spam operations that spread malware and ransomware. The method involves social engineering to convince users that there is a legitimate issue with their software, offering a PowerShell "fix" as a solution, which instead instigates malware installation. Techniques employed in these attacks include malicious overlays on websites, deceptive JavaScript in HTML attachments, and emails masquerading as official documents that prompt PowerShell command execution. Representative malware payloads delivered by these scripts include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. Proofpoint analysts identified three primary attack chains, suggesting a progressive refinement and testing of techniques to increase infection rates. Overall, attackers exploit user trust and lack of technical awareness, coupled with Windows' limitations in blocking such intrusions initiated by PowerShell.

Federal agents arrested Thomas Pavey and Raheim Hamilton, alleged operators of the dark-web marketplace Empire Market, accused of facilitating illegal transactions valued over $430 million. Empire Market, active from 2018 through 2020, offered a wide range of illicit goods including drugs, stolen account credentials, counterfeit money, and malware. The marketplace supported an ecosystem of thousands of vendors and was accessed via specialized software, with transactions exclusively in cryptocurrency to maintain anonymity. The site encouraged the use of cryptocurrency tumblers to obscure the origins of transaction funds, complicating efforts by law enforcement to trace illegal activities. In addition to current charges, Pavey and Hamilton were previously involved in selling counterfeit U.S. currency on another now-defunct dark-web market, AlphaBay. Authorities seized $75 million in cryptocurrency, along with cash and precious metals, during the investigation. The charges against the individuals include drug trafficking, computer fraud, money laundering among others, which could lead to life imprisonment. Both suspects remain detained awaiting federal arraignment.

Panera Bread likely paid a ransom following a ransomware attack in March, which disrupted their operations for a week. The attack encrypted all virtual machines, affecting Panera's website, mobile app, point-of-sale, and internal systems. Data including employee names and social security numbers were stolen, and Panera started sending data breach notifications to affected parties. Internal communications suggested Panera received assurances that the stolen data would be deleted and not published. An alleged employee claimed on Reddit that Panera paid the hackers to avoid the public leak of stolen data. No ransomware gang has claimed responsibility for the attack or threatened to leak the data, which is unusual if no payment was made. Ransomware attacks often involve data theft and encryption, using this leverage to demand payment for data deletion and decryption. Paying a ransom does not guarantee data deletion; threat actors may not fulfill their promises as seen in other recent incidents.

Blackbaud, a cloud software company, agreed to pay $6.75 million in a settlement with California's attorney general for cybersecurity negligence during a 2020 ransomware attack. The attorney general criticized Blackbaud for insufficient cybersecurity measures and misleading the public about the breach's impact, which involved personal data exposure. Despite settling with the Federal Trade Commission without a fine, Blackbaud previously settled similar allegations with 49 other states and the District of Columbia for $49.5 million. The ransomware breach resulted in unauthorized access to the sensitive personal information of millions, including social security numbers and medical details. Critical allegations included the use of weak or default passwords and the lack of multi-factor authentication for accessing sensitive areas. The settlement requires Blackbaud to enhance security practices, including better password management, data retention, and infrastructure monitoring. This is viewed as the final settlement in the U.S. related to Blackbaud's 2020 incident after prior multiple state settlements and a smaller fine to SEC.

Suspected Chinese hackers, dubbed 'Velvet Ant,' utilized custom malware on compromised F5 BIG-IP devices to establish persistent network access and clandestinely exfiltrate sensitive data for three years. The hacking group exploited vulnerabilities in outdated F5 BIG-IP appliances used for firewall management and network load balancing, which were exposed online. Velvet Ant deployed various malware, including a modular remote access Trojan (RAT) called PlugX, traditionally favored by Chinese cyber actors for data harvesting. The attackers cleverly disguised their malicious traffic as legitimate, enabling them to bypass corporate security measures and continuously steal customer and financial information without detection. Despite initial eradication efforts by security professionals at Sygnia, the hackers redeployed their tools with updated configurations to evade detection and maintain their foothold. Sygnia underscored the critical need for a layered, comprehensive security strategy for network devices, which are often targets for initial breaches. The report indicated a worrying trend in 2023, where China-linked hackers increasingly exploited network infrastructure vulnerabilities across various devices to gather intelligence and infiltrate further into target networks.

ASUS has released updates for critical security vulnerabilities in its routers, notably CVE-2024-3080 with a high-risk score of 9.8. The flaw allows unauthenticated remote attackers to bypass authentication mechanisms on some router models. Another related high-severity vulnerability, CVE-2024-3079 (CVSS score: 7.2), enables attackers with admin privileges to run arbitrary commands. An exploit chain using both CVE-2024-3080 and CVE-2024-3079 could allow attackers to bypass security and execute malicious code. Additional vulnerabilities, such as CVE-2024-3912, were patched by ASUS in January, which could let attackers upload files and execute commands remotely. Users are urged to update their router software to the latest version to protect against these security threats. The updated security measures are part of ASUS's ongoing efforts to maintain strong cybersecurity defenses in its devices.

A 22-year-old British national allegedly part of the Scattered Spider hacking group was arrested in Palma de Mallorca, Spain. The individual is accused of leading a cybercrime gang that stole data and cryptocurrencies through phishing and sim-swapping strategies, targeting 45 U.S. companies. Authorities allege the group successfully stole $27 million in cryptocurrencies, exploiting compromised access credentials to access sensitive information and digital wallets. The arrest occurred at Palma airport as the suspect was about to depart for Naples, facilitated by a tip-off and an International Arrest Warrant from the FBI. Confiscated electronic devices, including a laptop and mobile phone, are undergoing forensic analysis for further evidence. Although officially unconfirmed, there are reports linking the suspect to Scattered Spider, a group known for its involvement with the Russian BlackCat ransomware gang and significant breaches like the MGM Resorts attack. The operation highlights ongoing international cooperation in combating sophisticated cybercrime networks.

Spanish police detained a 22-year-old British man believed to be the leader of the Scattered Spider cybercrime gang as he was about to fly to Naples. The investigation that led to his arrest began in May 2023, following a tip from the FBI concerning his activities in Spain. He is accused of orchestrating attacks on 45 companies in the U.S., including high-profile SIM-swapping and casino heists. At the time of arrest, police confiscated a laptop and mobile phone; the suspect allegedly amassed about $26 million from cybercrimes. Another gang member, Noah Michael Urban, was arrested earlier in January facing multiple charges linked to cybercrimes. Scattered Spider, primarily composed of young English-speaking adults, has evolved its operations from SIM-swapping to ransomware and pure extortion schemes. Despite recent arrests, the gang continues its illegal activities, including recent attacks targeting virtual machines and SaaS apps for data theft.

Suspected China-nexus cyber espionage group, Velvet Ant, targeted an East Asian organization for three years using compromised F5 BIG-IP devices. Velvet Ant used the F5 devices as internal command-and-control hubs to persistently collect sensitive customer and financial data. The attackers employed PlugX, a known Chinese-linked modular RAT, utilizing DLL side-loading for initial device infiltration. Two versions of PlugX were deployed; one with external C&C for data exfiltration and another configured without C&C for operation on legacy servers. The campaign involved disabling endpoint security and utilizing tools like Impacket for lateral movement within the network. Forensic analysis revealed additional tools like PMCD for command execution and EarthWorm for network packet capture and tunneling. The exact method of initial penetration—either spear-phishing or exploiting known vulnerabilities—is currently unidentified. This incident is part of a broader pattern of China-linked cyber operations targeting Asia to gather intelligence.

DevSecOps integrates security throughout the software development lifecycle, enhancing collaboration among development, security, and operations teams. By embedding security early in development processes ("shift security left"), DevSecOps enables early vulnerability detection and compliance with regulatory requirements. Traditional security practices, conducted at the end-cycle of development, are inefficient and risk production delays due to the late discovery of vulnerabilities. DevSecOps necessitates profound cultural shifts for success, emphasizing shared responsibility and continuous collaboration across departments. The approach leverages automated tools, AI, and continuous security testing strategies to maintain high development velocity while ensuring software security. Effective DevSecOps implementation helps in managing and securing the increased use of open source and third-party software components in applications. Organizations are compelled to adopt DevSecOps due to increasing regulatory pressures and the evolving threat landscape targeting software vulnerabilities.