Daily Brief

Total articles found: 11813

2024-04-09 17:42:05 bleepingcomputer MALWARE Microsoft's Latest Patch Tuesday Addresses Two Zero-Days
Microsoft's April 2024 Patch Tuesday included updates for 150 security vulnerabilities, with a focus on correcting 67 remote code execution (RCE) flaws. Over half of the RCE issues pertained to Microsoft SQL drivers exhibiting a potentially shared vulnerability. Notably, this update cycle addressed two zero-day vulnerabilities that were being actively exploited in malware attacks, which Microsoft initially failed to report as exploited. One of the zero-days involved a driver spoofing vulnerability signed with a valid Microsoft Hardware Publisher Certificate, used to deploy a known backdoor. Another zero-day allowed attackers to bypass Microsoft Defender SmartScreen prompts, aiding the deployment of the DarkMe RAT in spearphishing campaigns targeting financial trading platforms. The patch also included fixes for 26 Secure Boot bypass issues, with contributions from other vendors like Lenovo. Microsoft faces ongoing challenges with unpatched vulnerabilities in SharePoint, which allow covert file access and exfiltration.
2024-04-09 15:41:32 bleepingcomputer CYBERCRIME RUBYCARP Botnet Exploits Networks for Cryptomining and Fraud
Romanian hacker group RUBYCARP operates a sophisticated botnet targeting corporate networks, primarily exploiting vulnerabilities for financial gain. Over 600 compromised servers are controlled via IRC channels, with 39 Perl-based shellbot variants identified, showing low detection rates. The botnet, active for at least a decade, occasionally shares tactics with the Outlaw APT group but remains distinct in its operations. Recent attacks focus on brute-forcing SSH servers, exploiting Laravel applications, and deploying phishing schemes using credential dumps. Compromised servers are utilized for DDoS attacks, financial fraud, phishing, and cryptocurrency mining, affecting multiple digital assets. RUBYCARP employs advanced evasion techniques, frequently rotating their command and control infrastructure to avoid detection. The group’s activities include the sale of cyber weapons and tools, indicating a significant threat capability beyond typical botnet operations.
2024-04-09 14:09:56 thehackernews CYBERCRIME Romanian RUBYCARP Hacker Group Unveiled Operating a Devious Botnet
A Romanian hacker group, RUBYCARP, has been found to operate a botnet used for crypto mining, DDoS attacks, and phishing. Active for over a decade, RUBYCARP exploits public vulnerabilities and brute-force attacks to deploy its botnet. The group uses IRC networks for communication and may share methods with another hacking entity, Outlaw. ShellBot malware is used by RUBYCARP to compromise and control servers, which are then used for various cybercriminal activities. The IRC-controlled botnet comprises over 600 hosts and is used for coordinated cryptocurrency mining and other malicious operations. Personally identifiable information, such as credit card details, is harvested through phishing; RUBYCARP may use it to purchase infrastructure or sell it on underground markets. RUBYCARP also engages in the creation and distribution of cyber weapons, showing a diverse range of tactics in its cybercriminal endeavours.
2024-04-09 14:04:27 bleepingcomputer MISCELLANEOUS Enhancing Container Security Compliance with Wazuh Platform
Containerization has brought changes that necessitate strict adherence to security standards for reliability and compliance. Wazuh is an open-source security platform that offers log analysis, threat detection, and incident response for containerized environments. Wazuh facilitates compliance with regulations like PCI DSS and NIST by monitoring and analyzing container activities and vulnerabilities in real time. For Docker containers, Wazuh agents collect logs and security events to monitor activities and resource utilization thresholds. Kubernetes clusters are monitored through a webhook listener on the Wazuh server, enhancing security with real-time audit log analysis and threat detection. Wazuh supports container vulnerability scanning by integrating with tools and custom scripts, helping to promptly identify and fix security gaps. The drive for compliance in containerized systems necessitates solutions like Wazuh that offer comprehensive security insights and facilitate adherence to best practices.
2024-04-09 13:53:59 thehackernews CYBERCRIME Spear-phishing Campaign Targets Human Rights Activists' Data
Hackers focusing on human rights activists in Morocco and Western Sahara have launched a new malicious campaign using deceitful Android apps and phishing for credential harvesting on Windows. Cisco Talos has named the threat actor Starry Addax, which specifically targets the Sahrawi Arab Democratic Republic (SADR) activists. Victims are lured through spear-phishing emails that persuade them to install fake mobile apps or visit counterfeit social media login pages to hijack their credentials. The custom Android malware, named FlexStarling, can download further malicious components and exfiltrate sensitive user data upon installation. FlexStarling malware demands excessive permissions, indicating the threat actors' intention for prolonged, undetected presence on victim devices, emphasizing stealth in their operations. This targeted cyber-attack utilizes a bespoke infrastructure with the aim of maintaining long-term covert surveillance and data harvesting from high-value individual targets. The security landscape is further complicated by the sale of a new commercial Android remote access trojan (RAT), Oxycorat, which possesses extensive data gathering abilities.
2024-04-09 13:12:53 thehackernews CYBERCRIME LG Smart TV Flaws Could Allow Unauthorized Root Access
Security researchers from Bitdefender identified multiple vulnerabilities in LG smart TVs running webOS. The weaknesses could be exploited to bypass security measures and obtain root access to the televisions. LG has addressed these issues through software updates released on March 22, 2024. The vulnerabilities, with CVE IDs ranging from CVE-2023-6317 to CVE-2023-6320, affect certain versions of webOS. An attacker could chain specific CVEs to elevate device permissions and execute commands as the dbus user. Over 91,000 internet-connected LG smart TVs with exposed vulnerable services were identified worldwide, primarily in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia. The flaws were initially reported to LG in November 2023, leading to the recent fixes to mitigate potential risks.
2024-04-09 13:02:05 bleepingcomputer MALWARE Security Flaws Expose 90,000 LG Smart TVs to Remote Attacks
Over 90,000 LG smart TVs are susceptible to remote attacks due to four vulnerabilities found in the webOS operating system by Bitdefender researchers. The security flaws enable unauthorized access, allowing for actions like authorization bypass, privilege escalation, and command injection through a service that connects to smartphones. Shodan internet scans show that many of these smart TVs are visible online, indicating that a large number of devices are at risk. The affected webOS versions span from webOS 4.9.7 to 7.3.1-43 across various LG smart TV models. LG was notified about the vulnerabilities in November 2023 and took until March 2024 to issue security updates, which users need to apply manually. The importance of timely webOS updates has been underscored, as vulnerable devices might serve as entry points for further attacks on connected devices and networks. Smart TVs, given their role in users' digital lives, could be leveraged for botnet DDoS attacks, cryptomining, or hijacking of associated streaming service accounts.
2024-04-09 13:02:05 bleepingcomputer CYBERCRIME Undetected SharePoint File Thefts Enabled by New Flaws
Researchers uncovered two methods allowing hackers to stealthily extract files from Microsoft SharePoint without triggering major audit log alerts. SharePoint is widely utilized by organizations for document management, necessitating stringent audit measures to detect unauthorized data access. The first technique exploits SharePoint's "Open in App" function to download files and only logs an "Access" event, typically given less attention by administrators. The second technique involves falsifying the User-Agent string to resemble Microsoft SkyDriveSync, making the download appear as a routine file synchronization action. Microsoft deems the flaws moderate in severity and has slated them for future patching, but no immediate fixes are planned. Companies are advised to closely monitor access activity for signs of bulk file downloads and unusual patterns, such as new device logins from atypical locations. Detection of suspicious activity requires heightened monitoring of file synchronization logs for irregularities in frequency and volume of data transfer.
2024-04-09 12:46:22 theregister DATA BREACH UK Firms Neglect Cyber Security: Inadequate Response to Breaches
The UK government's cybercrime statistics for 2024 reveal a lack of preparedness among UK businesses in dealing with security breaches. Only 22% of surveyed businesses have a formal incident response plan, with experts expressing astonishment at the nonchalant attitude toward cybersecurity. Despite detecting disruptive breaches, 10% of businesses report them to the police, and fewer to the National Cyber Security Centre (NCSC); the Information Commissioner's Office (ICO) is rarely notified. A surprising 39% of businesses take no action post-breach, while some implement minor staff training, firewall updates, or anti-malware enhancements. Medium and large businesses are more proactive in responding to breaches than small and micro businesses, with 74% and 86% respectively making changes to prevent future incidents. Even when breaches have a material impact, such as data theft, 18% of businesses do not respond, showing a glaring gap in risk management. There is a declining trend in businesses seeking cybersecurity information or engaging with official security sources like the NCSC, especially among micro and small businesses. Financial impact varies by business size, with the average cost of a breach at £1,206 and significantly higher for breaches with material outcomes, emphasizing the potential financial risks associated with cyber incidents.
2024-04-09 11:34:19 thehackernews RANSOMWARE CL0P Ransomware Escalates to Top Threat in 2023
CL0P ransomware, tied to Russian origin, escalated its activities significantly in 2023, making it one of the top ransomware groups. Targeting organizations across finance, manufacturing, and healthcare, CL0P uses "steal, encrypt, and leak" tactics and operates a Ransomware-as-a-Service (RaaS) model. Data leaks from non-compliant victims are published on the gang's Tor-hosted site, with a threat to expose unmet ransom demands. Recent exploits by CL0P include the Fortra GoAnywhere MFT zero-day vulnerability affecting over 100 organizations and vulnerabilities within PaperCut and MOVEit software. CL0P's aggressive approach includes quadruple extortion, directly contacting stakeholders and executives after initial data leaks and threats are ignored. SecurityHQ recommends organizations apply timely patches, monitor for suspicious activities, and engage in proactive threat intelligence gathering to defend against CL0P. The SecurityHQ Threat Intelligence team continues to monitor and research cybersecurity threats, offering insights and actionable intelligence to its global clientele.
2024-04-09 07:29:45 thehackernews MALWARE Sophisticated Invoice Phishing Scheme Delivers Multi-Stage Malware
Cybersecurity researchers have uncovered a complex phishing scam employing invoice-themed emails to spread malware. The attack uses SVG file attachments which trigger malware delivery using the BatCloak obfuscation engine and ScrubCrypt. BatCloak is known for bypassing traditional detection methods by loading next-stage malicious payloads. The malware variants distributed include Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. Venom RAT, a variant of Quasar RAT, allows attackers to remotely control systems and deploy additional plugins for data theft. The campaign demonstrates sophisticated obfuscation and evasion techniques, including bypassing AMSI and ETW protections and using various scripts. Security researchers stress the intricacy of the attack and the versatility of the malware, exemplified by its plugin distribution system.
2024-04-09 05:52:56 thehackernews MALWARE Urgent Alert: Critical Vulnerabilities in 92K D-Link NAS Devices
Two high-severity vulnerabilities, tracked as CVE-2024-3272 and CVE-2024-3273, affect nearly 92,000 D-Link network-attached storage (NAS) devices, which are now at end-of-life (EoL). Threat actors have been scanning for and exploiting these security flaws, with potential for arbitrary command execution, sensitive data exposure, system configuration alteration, or DoS attacks on affected units. D-Link has declined to provide a patch for the obsolete devices, advising customers to replace their vulnerable units instead. Attacks observed by GreyNoise involve the notorious Mirai botnet malware, indicating that compromised devices could be remotely controlled by cybercriminals. The Shadowserver Foundation recommends that users disconnect these NAS devices from the internet or limit remote access with stringent firewall rules to prevent exploitation. These security incidents highlight the evolving threat landscape wherein cyber attackers, including financially driven and nation-state groups, exploit network device vulnerabilities, adapting their methods and malware accordingly. Palo Alto Networks Unit 42 exposes a trend where malware on infected hosts initiates network vulnerability scanning, which helps attackers conceal their activities, bypass defense mechanisms, and expand the reach of their botnets.
2024-04-09 01:42:11 bleepingcomputer CYBERCRIME Targus Suffers Disruptive Cyberattack Impacting Business Operations
Targus, a company specializing in laptop and tablet accessories, experienced a cyberattack that compromised its file servers. The incident was disclosed in an SEC filing by parent company B. Riley Financial, Inc., revealing that the attack occurred on April 5th, 2024. Upon detecting the intrusion, Targus immediately implemented its incident response protocols, with external aid, to investigate and mitigate the effects. Containment measures to eliminate unauthorized access caused a temporary halt to Targus's business operations. There is currently no confirmation of whether data was exfiltrated, but the initial breach involved servers that store sensitive information. Targus has reported the breach to regulatory authorities and law enforcement and is working on recovery with external cybersecurity experts. No cybercriminal group has yet claimed responsibility for the breach, and further details regarding the nature of the attack have not been provided.
2024-04-08 22:18:21 bleepingcomputer MALWARE Over 90,000 D-Link NAS Devices Vulnerable to Mirai Malware Attack
Attackers are targeting 92,000 D-Link Network Attached Storage (NAS) devices with a critical remote code execution (RCE) zero-day vulnerability. The flaw involves a hardcoded account with an empty password and a command injection issue, enabling attackers to deploy Mirai malware variants. Cybersecurity firms observed that exploitation began on Monday; the issue had previously been disclosed by a security researcher. D-Link confirmed the affected devices are end-of-life and will not receive patches, recommending that users replace these devices. An advisory and a legacy support page were issued by D-Link, but no firmware updates will fully secure the outdated devices. Threat actors are adding the compromised devices to botnets for potential large-scale DDoS attacks.
2024-04-08 20:36:12 theregister MISCELLANEOUS Insurers Use Drones for Coverage Decisions, Sparking Controversy
U.S. insurance companies are increasingly using drone photos to evaluate property risks and deny home insurance policies. Major insurers like State Farm and Allstate are selecting only the least risky properties for coverage, using aerial imagery to make their assessments. The Geospatial Insurance Consortium provides detailed imagery to insurers, including post-disaster photos, aided by AI technology from its partnership with Vexcel. Privacy and accuracy concerns arise as some homeowners report being dropped based on outdated or incorrectly analyzed aerial photos. A case in California highlighted the issue, with a homeowner denied renewal despite an independent inspection contradicting the aerial photo assessment. Reports suggest that some insurers, such as Farmers Insurance, have used minor issues depicted in aerial photos to justify dropping claims or policies. State regulations generally protect consumers by restricting the reasons an insurer can deny coverage; however, questionable aerial photos may provide a loophole. The situation pressures homeowners to maintain their properties up to insurers' standards, as evidenced by aerial surveillance, or face the risk of losing their insurance coverage.