Daily Brief

Total articles found: 12761
2024-07-25 21:00:51 bleepingcomputer DATA BREACH ServiceNow RCE Flaws Exploited, Multiple Agencies Compromised
Threat actors are exploiting critical ServiceNow RCE flaws, compromising various sectors including government and energy. ServiceNow issued fixes for these critical vulnerabilities on July 10, 2024, which include a high-risk input validation flaw that allows unauthenticated remote code execution. Despite the release of patches, tens of thousands of systems remain at risk, with nearly 300,000 ServiceNow instances exposed online. Attackers use publicly available exploits to chain vulnerabilities, allowing them to access databases and extract sensitive data such as user credentials. Resecurity observed active exploitation shortly after the vulnerabilities and associated exploits were publicized. Some instances exposed plaintext credentials, heightening the risk and potential impact of these breaches. Cybercriminals are showing heightened interest in these vulnerabilities on underground forums, particularly focusing on infiltrating IT service desks and corporate portals. ServiceNow has urged all users to apply the available patches immediately to mitigate the risk of exploitation.
2024-07-25 19:54:27 theregister DATA BREACH Security Flaws in GitHub Expose Risks in Deleted Repo Data
Researchers from Truffle Security discovered that deleted GitHub repositories may still expose data due to Cross Fork Object Reference (CFOR) vulnerabilities. Deleted or forked repository data, including sensitive information like API keys, can still be accessed post-deletion. GitHub recognizes this behavior as an intentional design decision, framing it as a feature rather than a security flaw. An example highlighted involved a tech company that deleted a repository with a sensitive private key, which remained accessible through a previously created fork. Truffle Security's test on public repos from major AI firms uncovered 40 valid API keys from deleted forks. The issue stems from 'dangling commits'—data entries that remain accessible within GitHub's architecture even after their deletion in the user interface. Despite the potential risks, a GitHub spokesperson reiterated that this behavior is by design and documented, suggesting that it is an expected consequence of how fork networks operate. Truffle Security suggests that GitHub should modify its handling of forked repository data to enhance user privacy and data security.
2024-07-25 17:21:25 theregister NATION STATE ACTIVITY U.S. Citizen Charged with Espionage for China Spanning Decades
The U.S. Department of Justice has indicted Ping Li, a 59-year-old U.S. citizen of Chinese descent, for allegedly spying on behalf of China since at least 2012. Li, who resided in Wesley Chapel, Florida, worked for a major U.S. telecommunications company and an international IT firm, relaying sensitive information to China’s Ministry of State Security (MSS). The indictment details Li's involvement in gathering data on a variety of subjects, including information on U.S. cyberattacks linked to state-sponsored groups in China, and details about banned religious groups like Falun Gong. Li is accused of complying with MSS directives swiftly, even providing biographical details of individuals and corporate information shortly after receiving orders. He reportedly used anonymous online accounts for communication and traveled to China to meet with MSS personnel directly. The activities span diverse espionage efforts, from collecting trade secrets to detailed intelligence about U.S.-based dissidents, emphasizing China's broad intelligence-gathering tactics that even extend to its former citizens now in the U.S.
2024-07-25 17:21:24 bleepingcomputer NATION STATE ACTIVITY U.S. Offers $10M Reward for North Korean Hacker in Ransomware Scheme
The U.S. State Department is offering up to $10 million for information leading to North Korean hacker Rim Jong Hyok. Rim Jong Hyok, linked to the Andariel hacking group, is implicated in the Maui ransomware attacks on U.S. infrastructure and healthcare. Hyok faces charges including conspiracy to commit computer hacking and money laundering in the U.S. The attacks have affected U.S. Air Force bases, healthcare providers, defense contractors, and NASA’s Office of Inspector General. The ransomware encrypted essential systems in healthcare, disrupting services and extorting ransom to fund further malicious activities. Andariel is also believed to have stolen military and sensitive information valuable to North Korea's nuclear and defense endeavors. A joint advisory was issued by CISA and the FBI, highlighting ongoing threats from Andariel to global industry sectors. Information about Andariel can be reported through a dedicated Tor SecureDrop server set up by the State Department.
2024-07-25 16:55:40 bleepingcomputer CYBERCRIME Meta Dismantles Large Sextortion Ring on Instagram
Meta has eliminated 63,000 Instagram accounts based in Nigeria involved in large-scale sextortion scams. The operation included a tightly organized network of 2,500 accounts managed by 20 individuals targeting American men. These Instagram accounts were part of a broader cybercrime group known as ‘Yahoo Boys,’ also responsible for coordinating scams via 1,300 Facebook accounts, 200 Pages, and 5,700 Groups. The social media giant has implemented advanced measures to prevent the scammers from creating new accounts, enhancing their capability to block suspicious activities. Sextortion, the central crime committed by these accounts, involves coercing victims into sending private images and then demanding payment under threats of public exposure. Meta has intensified its effort to detect and disable such fraudulent accounts using a combination of human investigations and new technical signals. The FBI notes an upsurge in sextortion crimes, especially targeting young males, with some instances leading to severe emotional distress or suicidal actions. Victims are urged to report incidents of sextortion to the FBI and seek guidance on how to handle such extortion schemes effectively.
2024-07-25 15:49:06 bleepingcomputer MALWARE Critical Remote Code Execution Vulnerability in Telerik Report Server
Progress Software has issued a warning to patch a critical remote code execution flaw in Telerik Report Server. The vulnerability, tracked as CVE-2024-6327, allows attackers to execute remote code on unpatched servers. It affects all versions up to 2024 Q2 (10.1.24.514) and is addressed in a patch released in version 2024 Q2 (10.1.24.709). Progress advises updating to Report Server 2024 Q2 (10.1.24.709) or later to eliminate the risk. Temporary mitigation involves changing the Report Server Application Pool user to one with limited permissions. Previous instances show other Telerik vulnerabilities have been exploited by attackers, notably by foreign threat groups. A proof-of-concept exploit has been developed targeting similar vulnerabilities in Telerik Report servers, indicating the critical nature of the issue.
2024-07-25 15:28:27 bleepingcomputer MALWARE French Police Deploy Solution to Wipe Out PlugX Malware Nationally
French police, in collaboration with Europol, are releasing a self-deleting program to exterminate the PlugX malware across infected devices in France. This cleanup action is led by the French National Gendarmerie's Center for the Fight Against Digital Crime (C3N) with help from cybersecurity firm Sekoia. The PlugX malware, commonly linked to Chinese cyber espionage, is being remotely removed from systems through a sinkholed command and control server. Sekoia had previously taken control of the command server for a botnet variant of PlugX, which had infected approximately 2.5 million devices. Sekoia developed a disinfection solution that issues a self-deletion command to infected devices and shared it with French authorities ahead of the Paris 2024 Olympic Games. The cleanup operation began on July 18, 2024, targeting not only France but also other European countries like Malta and Austria, and is set to continue for several months. Potential complications include legal challenges linked to the deployment of Sekoia's solution, due to concerns over unauthorized access and possible data loss from infected USB drives.
2024-07-25 14:11:53 thehackernews NATION STATE ACTIVITY North Korean APT45 Shifts Focus to Ransomware and Financial Cybercrimes
North Korean threat group APT45, historically linked to espionage, now engages in ransomware attacks to support financial motives. Tracked under various aliases including Andariel and Nickel Hyatt, APT45 has targeted critical infrastructure in South Korea, Japan, and the U.S. Ransomware strains deployed by APT45 include SHATTEREDGLASS and Maui, documented in global cybercrime incidents in 2021 and 2022. The group utilizes tools like the Dtrack backdoor, previously used against India's Kudankulam Nuclear Power Plant in 2019. APT45's activities, supported by North Korea's premier military intelligence, the Reconnaissance General Bureau, align with the regime's shifting geopolitical priorities. Mandiant’s insights reveal APT45’s role in generating funds not only for operational sustenance but also for broader North Korean state objectives. The case of a North Korean IT worker using stolen identity for employment at US-based KnowBe4 highlights North Korea's sophisticated use of identity theft and remote systems to infiltrate foreign companies.
2024-07-25 13:51:09 theregister MALWARE Critical Docker Vulnerability Unpatched for Five Years
Docker has disclosed a critical vulnerability, CVE-2024-41110, affecting Docker Engine versions released since 2019; it had originally been patched in early 2019, but the fix was mistakenly not carried over to later releases. The vulnerability arises from the mishandling of authorization plugins (AuthZ) in Docker, where a specially crafted API request with a body content length of zero bypasses normal security checks, potentially allowing unauthorized command execution. Exploitation requires only low privileges and no user interaction; Docker assesses the attack complexity as low and the potential impact on system confidentiality, integrity, and availability as high. The National Vulnerability Database rates the severity of this vulnerability at 9.9 out of 10, indicating a near-maximum threat, while a separate assessment by the Moby project gives it a perfect score of 10. Affected Docker Engine versions include all releases from 19.03 onward; users are advised to upgrade to v23.0.14 or v27.1.0 or later to mitigate the risk. Docker Desktop is also affected, although a fix (v4.33) is pending, and the impact is deemed less severe because of the default configuration and the limited scope of potential privilege escalation within the Docker Desktop VM. Docker emphasizes that the vulnerability affects only setups using AuthZ plugins; systems not using these plugins or running Mirantis Container Runtime are not vulnerable.
2024-07-25 13:45:46 bleepingcomputer MISCELLANEOUS Google Chrome Enhances Security Features for Downloads
Google Chrome introduces new warning systems for downloading password-protected files, enhancing user alerts on potential risks. The browser has implemented a two-tier warning system using AI-powered malware assessments from its Safe Browsing service, enabling quicker risk evaluations. Users will encounter either a warning for suspicious files (indicated by lower confidence levels) or alerts for dangerous files (indicated by stronger confidence and higher risks). Enhanced Protection mode in Google Chrome now requires users to input passwords to scan contents of protected archives thoroughly, ensuring higher security but raising concerns over data privacy. Files and passwords sent to Google servers for scanning in Enhanced Mode are promised to be deleted after analysis to ensure privacy protection, although some companies may still opt out due to data security concerns. Changes to the Chrome download experience include simplified alerts aimed at enhancing clarity and improving user behavior towards potential threats. Despite increased protections, corporate skepticism remains regarding the submission of sensitive data to external servers for scanning.
2024-07-25 13:40:22 bleepingcomputer MISCELLANEOUS Shifting Trends: The Rise of All-in-One Cybersecurity Solutions
The traditional multivendor cybersecurity stacks are becoming obsolete due to high costs and complex management needs, creating vulnerabilities. Cynet is promoting an All-in-One Cybersecurity Platform that integrates multiple security capabilities into a single platform, simplifying the cybersecurity approach for MSPs and SMEs. This unified platform allows companies to replace several tools with one solution, enhancing return on investment and efficiency in breach protection. The simplicity of the All-in-One solution translates into faster integration and deployment, reducing the time and staff required for security operations. Cynet's platform offers scalability, allowing MSPs to expand their security offerings alongside their client base without additional infrastructure or headcount. With built-in 24/7 MDR support from CyOps, Cynet’s platform helps MSPs improve their clients' security postures and provides immediate incident support. The platform achieved top results in recent MITRE ATT&CK Evaluations, attaining 100% Visibility and 100% Analytic Coverage without needing configuration changes.
2024-07-25 12:03:11 theregister NATION STATE ACTIVITY Kaspersky Seeks US Trust with New Security Framework Proposal
Kaspersky has proposed a new "comprehensive assessment framework" to the US Department of Commerce to verify the security of its products, but the proposal was ignored. The framework is designed to mitigate ICT supply chain risks effectively by allowing third-party reviews of Kaspersky’s software updates and threat detection rules. This initiative builds upon Kaspersky's earlier Global Transparency Initiative, which was set up following the US government’s previous bans on Kaspersky products, due to national security concerns. The new framework includes measures such as localizing data processing in the US to prevent access by Kaspersky employees in other countries and verifying data handling through an independent third party. Kaspersky's VP of Public Affairs, Yuliya Shlychkova, emphasized the lack of evidence provided by US agencies to support claims that Kaspersky products pose a national security risk. Despite these efforts, the US has halted sales of new Kaspersky contracts and plans to stop updates to existing customers, leading Kaspersky to wind down its US operations. The company continues to push for a technically robust, evidence-based method to evaluate the trustworthiness of cybersecurity products globally.
2024-07-25 11:22:11 thehackernews MISCELLANEOUS Essential Application Security Testing Methods for Professionals
Application security testing is crucial in the software development lifecycle to mitigate vulnerabilities before deployment. Six main types of testing complement traditional penetration testing: DAST, SAST, IAST, Fuzz Testing, APSM, and integrated SDLC penetration testing. DAST analyzes running applications from the outside to identify runtime vulnerabilities without accessing the source code. SAST examines source code, bytecode, or binary code to detect insecure coding practices and vulnerabilities without program execution. IAST merges the techniques of SAST and DAST, offering real-time feedback on security issues during application runtime. Fuzz Testing involves sending malformed data to APIs to uncover potential vulnerabilities and unexpected behaviors. APSM continuously manages the security posture of applications, focusing on monitoring, vulnerability management, policy enforcement, and compliance. These methods provide a comprehensive, multilayered approach to application security, addressing unique challenges and enhancing overall security throughout the software development process.
2024-07-25 10:20:58 thehackernews CYBERCRIME Meta Targets 63,000 Accounts in Major Sextortion Crackdown
Meta Platforms has eradicated approximately 63,000 Instagram accounts based in Nigeria, implicated in extensive financial sextortion schemes targeting primarily adult men in the U.S. A subset of around 2,500 accounts was linked to a concentrated network operated by about 20 individuals, employing fake profiles to conceal their identities. Some targets included minors, prompting Meta to report these incidents to the National Center for Missing and Exploited Children (NCMEC). Meta also dismantled an additional 7,200 assets, including Facebook accounts, pages, and groups dedicated to recruiting and training scammers, sharing scamming strategies, and providing resources for creating fake accounts. These activities were attributed to the Yahoo Boys, a notorious cybercrime group previously highlighted for similar sextortion activities targeting youths across multiple countries, including the U.S., Australia, and Canada. Following a Bloomberg report linking these sextortion cases to suicides, Meta has introduced new detection and prevention techniques specifically aimed at protecting teenagers from such exploitation. This operation coincides with INTERPOL’s Jackal III, which targeted similar cybercrime syndicates across 21 countries, resulting in numerous arrests and significant asset seizures.
2024-07-25 10:00:17 thehackernews CYBERCRIME Webinar Urges Enhanced Security Measures for Modern Enterprise Browsers
The browser represents a critical yet vulnerable component of modern workspaces, heavily utilized but often poorly protected. Or Eshed from LayerX and Christopher Smedberg from Advance Publishing will discuss browser-centric security strategies in an upcoming webinar. Traditional security tools fall short in protecting against the unique threats presented by browsers, necessitating a shift to browser-specific security measures. Approximately 83% of employees rely on browsers for most of their work, necessitating robust protection to secure critical enterprise assets. Attackers target browsers due to their access to user activities, credentials, and sensitive data, exposing businesses to data breaches and account takeovers. Solutions like SWGs and CASBs currently used in enterprises cannot fully address web-based threats due to innate limitations in detecting sophisticated attacks and encryption challenges. Implementing security directly within browsers is advised to effectively mitigate daily risks faced by employees in the modern hybrid-work environment.