Daily Brief
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-06 16:15:48 | theregister | CYBERCRIME | Thwarting Sophisticated Backdoor in XZ Software Library | A sophisticated backdoor was discovered in the xz software library, a tool commonly used across many systems. The infected library could have allowed remote control over affected machines via SSH. A rogue contributor had inserted the malicious code, impacting upcoming releases of Linux distributions such as Debian Unstable and Fedora. The backdoor was identified and addressed before widespread deployment, avoiding potentially widespread damage. The incident raises questions about the security of open source projects and the resources provided by the corporations that benefit from them. Discussion of this issue was featured in a Kettle series episode with cybersecurity experts and The Register's journalists. The episode explores the balance between the fragility and strength of open source ecosystems and strategies for their protection. | Details |
| 2024-04-06 15:09:32 | bleepingcomputer | CYBERCRIME | Hackers Manipulate Healthcare IT Help Desks for Fraudulent Access | The U.S. Department of Health and Human Services (HHS) warns about social engineering attacks directed at IT help desks in the Healthcare and Public Health sector. Attackers gain system access by impersonating employees and enrolling rogue multi-factor authentication (MFA) devices after convincing help desk personnel. By pretending to be from the finance department and using stolen ID details, attackers manipulate the IT help desk into facilitating MFA changes. Once MFA is compromised, attackers access and divert company funds to their own accounts, including through international transfers. These tactics echo those of Scattered Spider, notorious for breaching high-profile networks, although these specific health sector incidents have not been explicitly attributed to them. Companies are advised to implement stringent verification processes and educate help desk personnel on social engineering tactics to prevent such breaches. | Details |
| 2024-04-06 14:18:27 | bleepingcomputer | CYBERCRIME | Over 92,000 D-Link NAS Devices Compromised by Backdoor | Over 92,000 D-Link NAS devices have been identified with a backdoor account vulnerability, discovered by a threat researcher known as Netsecfish. The flaw, tracked as CVE-2024-3273, is due to a hardcoded account with an empty password and a command injection issue in the HTTP GET Request Handler script. Attackers exploiting the vulnerability could execute arbitrary commands on the devices, potentially leading to unauthorized data access, system modification, or denial of service. D-Link confirmed that these NAS devices are end-of-life and are no longer supported, with no patches available to rectify the newly identified security issues. D-Link has published a security bulletin advising users to retire or replace their old devices and has set up a dedicated support page for legacy device owners to download the last available security updates. The company advises against exposing NAS devices to the internet, as they are frequent targets for data theft and ransomware attacks. | Details |
| 2024-04-06 09:49:01 | thehackernews | CYBERCRIME | Hackers Abuse Magento Vulnerability to Hijack Payment Data | A critical security flaw in Magento, CVE-2024-20720, has been exploited to inject malicious code into e-commerce websites, allowing the theft of payment data. Adobe patched the flaw, which carries a CVSS score of 9.1 and allowed remote code execution through improperly handled special elements, on February 13, 2024. The attackers used a layout feature in Magento combined with the beberlei/assert package to execute the 'sed' command and insert a backdoor. When customers access the checkout cart on an infected store, the malicious block executes and deploys a Stripe payment skimmer. The skimmer captures financial information and exfiltrates it to another compromised Magento store. Separately, the Russian government has charged six individuals with stealing credit card data from foreign e-commerce stores using skimmer malware since 2017. The cybercrime group captured information from nearly 160,000 payment cards and sold the data on dark web platforms. | Details |
| 2024-04-05 22:03:06 | bleepingcomputer | RANSOMWARE | Ransomware Strikes VMware Platforms, Disrupting Major Enterprises | Ransomware threats are increasingly targeting virtual machine platforms such as VMware ESXi, causing significant operational disruptions. Panera Bread experienced a week-long IT outage due to ransomware encryption of their virtual machines, with restoration from backups taking nearly a week. Omni Hotels also suffered a ransomware attack that led to a massive IT outage, affecting reservation and key card systems, with guest access to rooms impacted. Chilean hosting provider IxMetro Powerhost fell victim to SEXi ransomware, resulting in encrypted VMware ESXi servers and customer backups, with a demand for bitcoin payments. The Chilean government's CSIRT has issued an advisory urging enterprises to update VMware software and apply enhanced security measures to protect against these ransomware attacks. Security professionals are advised to apply the latest security updates, use unique administrative credentials, and implement strict access controls to safeguard virtual machine platforms. Virtual machine platforms' centralization of company servers makes them attractive targets for ransomware, underlining the need for improved, specific security practices in this area. | Details |
| 2024-04-05 17:42:52 | bleepingcomputer | CYBERCRIME | Ivanti Connect Secure VPN Vulnerable to High-Severity RCE Flaw | Ivanti Connect Secure and Policy Secure gateways face a critical RCE vulnerability that could impact around 16,500 internet-exposed instances. The vulnerability, identified as CVE-2024-21894, is a heap overflow in the IPSec component that could allow unauthenticated remote code execution or denial of service. Initial reports from Shodan and Shadowserver indicated between 18,000 and 29,000 exposed instances, with a subsequent Shadowserver report narrowing it down to 16,500 vulnerable gateways worldwide. Ivanti has released updates to mitigate the flaw and has not observed active exploitation against its customers, but urges system administrators to apply the updates immediately. The majority of vulnerable instances are located in the United States, Japan, and the UK, with other countries also having significant exposure. Past Ivanti product vulnerabilities were exploited by state-sponsored actors and hacking groups to deploy custom web shells for unauthorized access to devices. A Mandiant report examines recent exploitation incidents involving Ivanti endpoints in depth and details the 'SPAWN' malware family used by Chinese hackers in these attacks. Administrators are strongly advised to implement the available mitigations and fixes for CVE-2024-21894 according to Ivanti's guidance. | Details |
| 2024-04-05 16:51:50 | bleepingcomputer | MALWARE | Malicious Fake AI Facebook Page Fooled 1.2M Users with Malware | Hackers used Facebook ads to lure users into downloading malware by impersonating popular AI services. Impersonated services include MidJourney, SORA, ChatGPT-5, and DALL-E, promising previews of new features. Malware types distributed include Rilide, Vidar, IceRAT, and Nova, targeting the theft of browser-stored data. The fake MidJourney Facebook page gathered 1.2 million followers before being shut down after almost a year of activity. Attackers targeted predominantly male users aged 25-55 in Europe, employing sophisticated social media-based malvertising strategies. Even after the shutdown of the original fake page, new pages quickly emerged, continuing the distribution of malware. Researchers stress the importance of being cautious with online ads and the ongoing challenges in moderating content on vast social networks like Facebook. | Details |
| 2024-04-05 15:35:13 | bleepingcomputer | DATA BREACH | Federal Contractor Acuity Faces Breach Exposing US Government Data | Acuity, a technology consulting firm and federal contractor, experienced a breach in which hackers obtained non-sensitive government data from its GitHub repositories. The U.S. Department of State is investigating a purported cyber incident after threat actor IntelBroker leaked information suggesting the theft of U.S. government and military data. CEO Rui Garcia stated that Acuity swiftly applied security updates to address a zero-day vulnerability once detected, with subsequent analysis indicating no impact on sensitive client data. IntelBroker has released thousands of records from various U.S. agencies, such as the Justice Department and the FBI, and claims to have Five Eyes intelligence documents. The breach, carried out by threat actor Sangierro alongside IntelBroker, reportedly happened on March 7 by exploiting an Acuity Tekton CI/CD server vulnerability to steal GitHub credentials. IntelBroker has a history of targeting and leaking data from multiple U.S. government agencies and is also linked to cyberattacks on corporations like Hewlett Packard Enterprise and General Electric Aviation. | Details |
| 2024-04-05 14:33:41 | theregister | NATION STATE ACTIVITY | US Government Scrutinizes Microsoft Security Amid Repeated Attacks | The US government has criticized Microsoft for inadequate security practices that enabled Chinese cyber espionage but continues to contract its services. Microsoft's security lapses have historically allowed nation-states like Russia and China to infiltrate government and corporate systems. Despite harsh criticism from the US Cybersecurity and Infrastructure Security Agency (CISA), there are no signs of reduced government spending on Microsoft products, with $498.5 million in payments recorded in FY 2023. Microsoft pledges to enhance security through its Secure Future Initiative, aiming to harden infrastructure and improve detection mechanisms. US Senator Ron Wyden advocates for strict cybersecurity standards for vendors and consequences for non-compliance, including holding senior executives accountable. Industry experts acknowledge the difficulty of replacing Microsoft as a primary government vendor but emphasize the need for the company to bolster internal security measures. Microsoft's significant revenue from the US government includes non-competitive and "limited sources" procurement processes, drawing criticism from cybersecurity professionals. Microsoft has been involved in several high-profile breaches over recent years, including the SolarWinds attack and compromises by Lapsus$ and foreign nation-state actors. | Details |
| 2024-04-05 14:18:14 | thehackernews | CYBERCRIME | Research Exposes Vulnerabilities in AI-as-a-Service Platforms | AI-as-a-service providers face critical security risks, with potential for privilege escalation and cross-tenant access exploits. Researchers identified Hugging Face as vulnerable to attacks allowing unauthorized access to customers' models and manipulation of CI/CD pipelines. Threats involve running untrusted models in pickle format and container escape techniques to compromise the service infrastructure. Findings show a risk of sensitive data leakage through shared environments and recommend using IMDSv2 with a hop limit as a mitigation. Hugging Face has rectified the vulnerabilities, advising users to rely on trusted model sources, enable MFA, and avoid pickle files in production. Research also highlights risks associated with generative AI models distributing malicious code and the need for caution when using large language models for code solutions. A related issue is "many-shot jailbreaking," which can potentially bypass safety protections in language models by exploiting enlarged context windows to flood them with harmful queries. | Details |
| 2024-04-05 13:52:24 | bleepingcomputer | CYBERCRIME | Panera Bread and Omni Hotels Hit by Ransomware Outages | Panera Bread experienced a week-long IT outage due to a ransomware attack that encrypted numerous virtual machines, disrupting access to data and applications. The specifics of the ransomware group responsible remain unknown, with no claims of responsibility, indicating the possibility of ongoing ransom negotiations or a settled payment. Despite attempts to reach out, Panera Bread has not publicly commented on the incident, leading to concerns among employees about transparency and data security. The ransomware attack had a widespread impact on Panera Bread's operations, disabling internal systems, point-of-sale services, and customer-facing applications, forcing cash-only transactions alongside disruptions to the rewards program. The outage started on March 22, affecting 2,160 cafes in the U.S. and Ontario, which had to accommodate operational challenges like scheduling and payment processing. In a parallel case, Omni Hotels also suffered a sizable IT outage, with ransomware being the suspected cause behind problems with reservations, check-in procedures, and door lock systems. The cyberattack on Omni Hotels was confirmed without details on the incident, matching the similar lack of transparency observed in the Panera Bread attack. | Details |
| 2024-04-05 12:35:51 | theregister | DATA BREACH | Hotel Terminal Flaw Exposes Guest Room Keycodes | A self-service check-in terminal at an Ibis budget hotel leaked room keycodes. The security bug could allow attackers to obtain guest room access without technical skills. Martin Schobert from Pentagrid found the flaw, which could potentially affect hotels across Europe. By entering six consecutive dashes as a booking reference, booking details and room keycodes could be retrieved. The vulnerability was accidentally discovered in Hamburg and could impact personal safety and property. Accor Security validated and fixed the issue within a month of discovery. The article also mentions recent vulnerabilities in hotel door locks and IT issues at Omni Hotels. | Details |
| 2024-04-05 11:24:18 | thehackernews | MISCELLANEOUS | Strategic Compliance: CISOs Navigate Evolving Cybersecurity Landscape | Compliance frameworks are increasingly detailed and numerous, making adherence a complex task for CISOs and demanding exceptional communication and organizational skills alongside security expertise. CISO perspectives on compliance vary based on factors like company size, industry sector, and regulatory environment, with each requiring tailored approaches to meet specific security and privacy requirements. Some mature cybersecurity organizations consider compliance a baseline, aiming to exceed requirements for enhanced protection. Effective compliance is integral to business strategy, entailing clear communication of the business value and the risks of non-compliance, including reputational damage, financial penalties, and operational disruptions. CISOs often use compliance frameworks not only to fulfill legal obligations but as tools to guide their cybersecurity strategies, prioritizing actions based on regulatory models. Collaboration is key among CISOs, legal teams, privacy officers, and compliance committees to stay abreast of evolving regulations and effectively demonstrate adherence. Advanced compliance management tools like GRC systems, continuous compliance monitoring, and risk registers are leveraged to facilitate compliance and provide evidence to auditors. With overlapping requirements across compliance frameworks, organizations aim to 'comply once, apply to many,' streamlining the process and leveraging commonalities like PAM practices to satisfy multiple regulations. | Details |
| 2024-04-05 09:47:26 | thehackernews | MALWARE | Adobe Acrobat Reader Fakes Spread Byakugan Malware | Bogus Adobe Acrobat Reader installers are being used to distribute Byakugan, a new multifunctional malware. The malware campaign begins with a PDF file in Portuguese that, when opened, prompts the user to download a fake Reader application. Researchers at Fortinet discovered the campaign, which includes an attack chain that effectively bypasses Windows security features and deploys a legitimate PDF reader to obscure malicious activities. Byakugan is capable of collecting system data, executing commands from a C2 server, and includes functionalities like keystroke logging and desktop monitoring with OBS Studio. Security firm ASEC noted a growing trend in which threat actors combine clean software with malicious components to complicate analysis and detection. Additionally, ASEC reported a separate campaign distributing the Rhadamanthys information stealer and the use of a tampered Notepad++ installer to spread WikiLoader malware. | Details |
| 2024-04-05 07:55:06 | thehackernews | MALWARE | Sophisticated JSOutProx Malware Assaults APAC and MENA Financial Firms | A new form of JSOutProx malware is targeting financial organizations across the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions. The malware leverages JavaScript and .NET for attacks and utilizes various plugins for data exfiltration and other malicious operations. Spear-phishing campaigns with malicious JavaScript attachments disguised as PDFs, or ZIPs containing rogue HTA files, are used to deploy this heavily obfuscated malware. JSOutProx is capable of a wide array of functions, including capturing clipboard content, accessing Microsoft Outlook details, and intercepting one-time passwords. The malware uses a unique mechanism for C2 communications, transmitting data via the Cookie header field. A spike in malicious activity was observed from February 8, 2024, with the attack infrastructure hosted on GitHub and GitLab, both of which have since taken measures against it. The threat actor's origins are suspected to be China or an affiliated group, based on the sophistication of the attacks and the victim profiles. The article also details concerns over a new dark web-promoted software, GEOBOX, that enables fraud and anonymization through spoofed GPS and network settings, heightening the risk of various cybercrimes. | Details |