Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-29 14:57:27 | thehackernews | CYBERCRIME | Security Flaws in Hotel Locks Expose Millions to Potential Unauthorized Access | Security researchers have identified vulnerabilities in Dormakaba electronic RFID locks used in millions of hotel rooms worldwide. The flaws could allow attackers to create forged keycards and gain access to any room in a hotel. Vulnerable lock models include the Saflok MT, Quantum, RT, Saffire, and Confidant series, which, coupled with certain management software, affect over three million locks in 13,000 properties across 131 countries. Dormakaba has reportedly updated or replaced 36% of the impacted locks since November 2023. Attackers can initiate the breach by using a reading device on any keycard from the property, including expired ones, and then creating forged keycards to unlock doors. The researchers used tools such as Proxmark3, Flipper Zero, or NFC-capable Android phones to demonstrate the exploit. Hotels can audit locks for suspicious activity through the HH6 device, but the researchers note that some attack traces might attribute entries to the wrong keycard or staff member. No confirmed real-world exploitation of these vulnerabilities has been reported, but their existence raises significant security concerns for the hospitality industry. |
| 2024-03-29 12:19:15 | thehackernews | CYBERCRIME | TheMoon Botnet Hijacks EoL Devices for Faceless Proxy Network | TheMoon, a botnet first detected in 2014, has resurfaced, taking control of outdated routers and IoT devices to grow its network for a proxy service named Faceless. Over 40,000 compromised bots from 88 countries were part of TheMoon's network in early 2024, offering anonymity services to other threat actors at a low cost. The compromised devices are primarily used for password spraying, data exfiltration, and concealing the origin of malicious traffic from malware operators. Black Lotus Labs discovered the resurgence of TheMoon in late 2023, with attackers infecting end-of-life devices with an updated version of the malware to integrate them into the Faceless service. The malware employs various techniques, including spreading via a worm module, configuring iptables rules to manage incoming traffic, and evading sandboxes by checking internet connectivity through legitimate NTP servers. Analysis showed significant persistence, with 30% of infections lasting more than 50 days, indicating the strength of the Faceless proxy service within cybercriminal circles. The aged and unsupported status of the targeted devices, such as end-of-life routers and IoT products, underscores the importance of protecting and updating hardware to prevent exploitation. |
| 2024-03-29 11:23:14 | thehackernews | MISCELLANEOUS | Embracing Automated Penetration Testing: The Cost-Effective Cyber Defense Era | Automation and AI are revolutionizing network penetration testing, making it more accessible and affordable for companies. Traditional manual pen testing is expensive and often only conducted annually to satisfy compliance requirements, leaving security weaknesses undetected in between. The scarcity of cybersecurity professionals has led the National Institute of Standards and Technology (NIST) to predict a significant cybersecurity workforce shortage by 2025. Automated penetration testing provides comparable results to manual testing at a fraction of the cost, making it a financially viable option for frequent security assessments. Regular automated pentesting allows for proactive detection and mitigation of vulnerabilities, reducing the risk of costly cyberattacks. Automated solutions like vPenTest offer comprehensive, on-demand network penetration testing that is fast, accurate, and cost-effective. By leveraging automation, IT teams can perform more extensive network assessments and remediate vulnerabilities before attackers exploit them. Vonahi Security is a pioneer in the field of automated offensive cybersecurity consulting services, offering its vPenTest SaaS platform to a range of service providers and IT teams. |
| 2024-03-29 10:57:33 | thehackernews | CYBERCRIME | Linux Command Vulnerability Risks User Password Theft and Clipboard Manipulation | A new vulnerability, CVE-2024-28085, named WallEscape, affects the Linux "wall" command, risking user password leaks and clipboard hijacking. The issue arises from improper neutralization of escape sequences in command line arguments, allowing unprivileged users to broadcast arbitrary text to other users' terminals. Specific conditions in distributions like Ubuntu 22.04 and Debian Bookworm, where the command has setgid permissions and the mesg setting is "y", make them susceptible. An attacker could potentially create a fake sudo prompt to phish for user passwords or manipulate the clipboard on affected systems. The vulnerability, present since August 2013, is fixed in util-linux version 2.40, and users are urged to update their systems. Certain Linux distributions, like CentOS, RHEL, and Fedora, are not affected by CVE-2024-28085 due to different default settings for the wall command. Separately, a Linux kernel vulnerability, CVE-2024-1086, in the netfilter subsystem and capable of causing DoS or code execution, has been addressed. The article also includes references to cloud security strategies and backups for Atlassian Cloud, along with promoting Censys Search for security teams. |
| 2024-03-29 05:45:51 | thehackernews | MALWARE | PyPI Responds to Malicious Typosquatting Campaign with Temporary Sign-Up Halt | PyPI temporarily suspended new user sign-ups due to a surge of malicious package uploads in a typosquatting attack. Over 500 deceptive packages targeted popular libraries, aiming to distribute malware to developers. The malware stole cryptocurrency wallets, browser data, and credentials, and implemented persistence mechanisms. Checkmarx, Mend.io, and Phylum independently reported on the software supply chain threat involving typosquatted versions of legitimate packages. The attackers automated the upload process and disguised each package under a different user account, complicating identification efforts. Malicious payloads only activated on Windows systems and aimed to achieve long-term access with persistence techniques. This incident underscores the increasing risks associated with software supply chain security and the importance of diligent third-party component scrutiny by developers. This marks the second time PyPI has suspended new registrations due to malicious activity, with prior incidents occurring in May 2023 and December 2023. |
| 2024-03-28 21:06:17 | bleepingcomputer | CYBERCRIME | Linux 'Wall' Command Vulnerability Enables Password Theft | A vulnerability in the wall command of Linux systems could be exploited to deceive users into revealing their administrator passwords. Tagged CVE-2024-28085 and named WallEscape, the issue has existed in the util-linux package for over a decade. The vulnerability relies on improper filtering of escape sequences, allowing the creation of fake sudo prompts. The most plausible attack scenarios arise in environments where multiple Linux users are logged in simultaneously, such as educational institutions. Exploitation is condition-dependent, feasible on systems where 'mesg' is enabled and wall has setgid permissions, such as Ubuntu 22.04 and Debian 12.5. Proof-of-concept (PoC) code has been released, demonstrating the potential for fake prompts and clipboard manipulation. Mitigation includes updating util-linux to version 2.40 or removing setgid permissions from the wall command. Attack risk is limited by the requirement for local system access and is confined to multi-user Linux systems within organizations. |
| 2024-03-28 19:09:00 | bleepingcomputer | CYBERCRIME | Hot Topic Suffers Customer Data Exposure from Credential Stuffing | American retailer Hot Topic was targeted by credential stuffing attacks in November, compromising customer personal and partial payment information. The company, which operates over 630 stores, faced two significant waves of automated login attempts using stolen credentials. Cybercriminals employed username and password pairs from an unknown third-party source to access Hot Topic Rewards accounts. The compromised data includes names, email addresses, phone numbers, birthdates, mailing addresses, and the last four digits of payment card numbers. Hot Topic's investigation could not conclusively determine which accounts were accessed by unauthorized parties during the attacks. In response to the attacks, the company has implemented bot protection software and required affected customers to reset their passwords. Prior to these incidents, Hot Topic had experienced five other credential stuffing attacks throughout the previous year. |
| 2024-03-28 18:07:36 | bleepingcomputer | MALWARE | PyPI Halts Registrations to Counter Malware Campaign | The Python Package Index (PyPI) has temporarily stopped new user registrations and project creation due to a malware campaign. Threat actors uploaded around 365 malicious packages disguised as legitimate ones, targeting developers and enabling potential supply-chain attacks. The malware, placed in the 'setup.py' file of these packages, executes upon installation and tries to download additional malicious payloads from a remote server. The info-stealer malware seeks to extract sensitive data such as login credentials, cookies, and cryptocurrency wallet information from web browsers. Check Point Research identified over 500 malicious packages and noted that each was uploaded from a unique maintainer account, suggesting the use of automation in the attack. PyPI had previously taken similar action on May 20 last year to prevent the proliferation of malicious packages in the repository. This incident highlights the serious risks associated with open-source repositories and the necessity for developers and maintainers to thoroughly check the security of components in their projects. |
| 2024-03-28 18:01:48 | theregister | CYBERCRIME | Sam Bankman-Fried Sentenced to 25 Years for FTX Fraud | Sam Bankman-Fried, former CEO of FTX, has been sentenced to 25 years in prison. Convicted of fraud and money laundering, he faced a possible 110 years, while prosecutors sought 40-50 years. FTX, once a top crypto exchange, misused customer funds, leading to an $8 billion deficit when it collapsed. Despite claims of solvency, the current FTX CEO states that customers will not fully recover their funds, countering SBF's assertions. Judge Kaplan rejected the defense's arguments because full restitution for victims remains speculative. SBF was also found to have committed perjury and witness tampering, with Judge Kaplan criticizing his misleading testimony. The court declined to order restitution due to the complexity of the case, opting instead for the U.S. to compensate victims with forfeited assets. Given SBF's notoriety and vulnerabilities, including autism, a recommendation has been made that he be housed in a medium-security facility near San Francisco. |
| 2024-03-28 17:29:21 | theregister | CYBERCRIME | JetBrains Declines Disclosure of 26 Patched Security Issues | JetBrains TeamCity has recently fixed 26 security issues, but the company has refrained from releasing any details about the vulnerabilities. The reluctance to share vulnerability specifics follows a dispute with Rapid7, which had published exploitation details of earlier patched vulnerabilities, leading to real-world attacks. The release notes for TeamCity version 2024.03 lack the usual information such as CVE IDs, severity ratings, and descriptions, which is atypical for security advisories. Elliot Wilkes, CTO at Advanced Cyber Defence Systems, suggests JetBrains' opaque approach might be due to the recent ransomware exploits and an obligation not to disclose details during ongoing response operations. TeamCity has introduced semi-automatic download of critical security updates for on-premise users, paralleling the automatic updates available to cloud users. With TeamCity managing CI/CD pipelines, improving its security is critical to preventing supply chain attacks, an increasingly common and devastating form of cybercrime, as evidenced by incidents like SolarWinds, MOVEit MFT, and 3CX. |
| 2024-03-28 17:07:19 | thehackernews | MALWARE | Multi-Platform DinodasRAT Malware Targets Global Linux Systems | Kaspersky has detected a Linux variant of DinodasRAT targeting entities in China, Taiwan, Turkey, and Uzbekistan. Originally known as XDealer, this C++ malware harvests sensitive data from compromised systems. A Windows version of DinodasRAT was used in an espionage campaign against a Guyanese government entity. Earth Krahang, linked to China, has incorporated DinodasRAT in recent government-targeted attacks. The malware maintains persistence using startup scripts and communicates with C2 servers to receive commands. DinodasRAT can manage files, alter processes, execute shell commands, and self-update or uninstall. The malware evades detection tools and encrypts its communications with the Tiny Encryption Algorithm (TEA). DinodasRAT is primarily used for sustained access to Linux servers, giving operators broad control for data theft and espionage. |
| 2024-03-28 16:56:27 | thehackernews | NATION STATE ACTIVITY | Finland Accuses Chinese APT31 of 2020 Parliament Cyberattack | Finland's police have attributed the 2020 cyberattack on the Parliament to the Chinese hacking group APT31. The ongoing investigation is complex due to the sophisticated criminal infrastructure employed. The breach occurred between fall 2020 and early 2021 and is believed to have been a cyber espionage operation. APT31 is a state-backed entity active since 2010, also known under several other names. The U.S. and U.K. have recently charged seven APT31 operatives, imposing sanctions and highlighting their cyber espionage campaigns. The U.S. previously condemned APT31 for exploiting Microsoft Exchange servers, which China denies while accusing the Five Eyes alliance of spreading disinformation. Chinese officials call for an end to the politicization of cybersecurity and denounce what they call unfounded accusations, while vowing to protect national interests. |
| 2024-03-28 16:40:28 | bleepingcomputer | CYBERCRIME | Cisco Highlights VPN Password-Spraying Attacks Linked to 'Brutus' Botnet | Cisco issued an alert on password-spraying attacks aimed at Remote Access VPN (RAVPN) services on its Secure Firewall devices. Password spraying involves trying the same password against many user accounts in an attempt to gain unauthorized access. Indicators of Compromise (IoCs) and mitigation steps have been provided by Cisco to help organizations recognize and defend against these incidents. Security researcher Aaron Martin associates these attacks with the 'Brutus' malware botnet, which involves 20,000 IP addresses across various global infrastructures. The botnet has targeted VPN appliances from multiple vendors and has expanded to web apps using Active Directory, using rotating IPs and specific usernames not found in public data breaches. There is concern over how the attackers obtained the usernames, suggesting a potential undisclosed breach or zero-day exploit. Some IP addresses linked to the Brutus botnet's activities have past associations with APT29, a Russian-linked espionage group. |
| 2024-03-28 15:37:18 | theregister | CYBERCRIME | Nvidia ChatRTX AI Bot Receives Critical Security Vulnerability Patches | Nvidia's ChatRTX AI application received updates to patch two serious security vulnerabilities. The flaws, identified as CVE-2024-0082 and CVE-2024-0083, allowed for privilege escalation and remote code execution. These vulnerabilities affected all versions of ChatRTX up to version 0.2, which runs on local Nvidia GPU hardware. CVE-2024-0083, with a medium severity rating, could lead to denial of service attacks, data theft, and RCE. CVE-2024-0082, considered a high-severity threat, enabled data theft, data tampering, and privilege escalation. Although these issues are serious, with CVE-2024-0083 allowing for RCE and CVE-2024-0082 for privilege escalation, no known exploitation has been reported as of yet. Users are advised to update their ChatRTX app to version 0.2, with Nvidia noting a confusing overlap in version numbers between the affected and updated versions. To ensure safety, a full reinstallation of ChatRTX may be advisable because of the version number confusion. |
| 2024-03-28 14:47:11 | thehackernews | CYBERCRIME | Sophisticated Darcula Phishing Network Targets Global Postal Services | A Phishing-as-a-Service (PhaaS) network named Darcula is exploiting over 20,000 fake domains to conduct large-scale attacks in 100+ countries. Darcula evades SMS firewalls by using iMessage and RCS, effectively targeting established postal services, including the USPS, and other organizations. The service is advertised on Telegram with about 200 customizable templates that mimic legitimate brands, aiding cybercriminals in setting up convincing fake sites. The phishing sites, registered under domains resembling the spoofed brands, implement advanced features and anti-detection techniques to resist takedown efforts. Smishing messages often prompt victims to reply, which makes links clickable in iMessage and bypasses Apple's safety measures against unknown senders. Google recently tightened RCS security by prohibiting its use on rooted Android devices as a countermeasure against spam and abuse. The article notes a concerning trend of phishing attacks exploiting Apple's password reset feature and the abuse of eSIM transfers to hijack online services. The broader implication is the lowering of entry barriers for cybercriminals, allowing even those with limited skills to carry out sophisticated attacks. |