Daily Brief
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-03-27 20:43:08 | theregister | CYBERCRIME | Critical AI Framework Vulnerability Leaves Firms Wide Open | A severe remote-code-execution vulnerability, dubbed ShadowRay, has been discovered in the Ray AI framework, impacting thousands of businesses. Exploits of the flaw, CVE-2023-48022, have been seen in the wild for seven months, targeting sectors such as healthcare, education, and video analytics. The vulnerability allows unauthorized job submissions via an exposed API, leading to data theft and illicit cryptocurrency mining. Ray's overseeing body, Anyscale, considered the vulnerability a design decision rather than a bug but plans to add authorization checks in a future release. Attackers have accessed sensitive data such as OpenAI, Stripe, and Slack credentials, with the potential for ransomware attacks on compromised servers. With many affected systems running with root privileges, entire cloud environments are at risk, including those hosted on AWS, Google, and Microsoft Azure platforms. Anyscale is developing a script to help users verify their configurations and has informed its customers of the security issue, claiming they are not affected. |
| 2024-03-27 18:45:49 | bleepingcomputer | CYBERCRIME | Google Patches Chrome Flaws Revealed at Pwn2Own 2024 Event | Google updated Chrome to address two zero-day vulnerabilities exploited at Pwn2Own 2024. The fixed flaws include a high-severity WebAssembly type confusion issue (CVE-2024-2887) and a use-after-free in WebCodecs (CVE-2024-2886). Security researchers demonstrated remote code execution exploits using crafted HTML pages on both Chrome and Edge. Chrome updates were released for Windows, Mac, and Linux users, with a global rollout planned. Mozilla also swiftly patched Firefox zero-days showcased by the same researcher. Despite a 90-day grace period to fix Pwn2Own-exposed bugs, Mozilla and Google took one and five days respectively. The Pwn2Own 2024 event in Vancouver saw researchers earning over $1 million for 29 zero-day exploits. Manfred Paul won the highest prize for exploiting vulnerabilities in Safari, Chrome, and Edge. |
| 2024-03-27 17:59:52 | bleepingcomputer | DATA BREACH | NHS Scotland Hit by Ransomware, Potential Data Leak Imminent | INC Ransom has targeted NHS Scotland, threatening to release 3TB of sensitive data unless a ransom is paid. Leaked images exposing medical information suggest a significant breach of the National Health Service of Scotland system. NHS Dumfries and Galloway, one part of Scotland's NHS, has been confirmed as the affected party by a government spokesperson. The data extortion group known as INC Ransom has a track record of attacking various sectors, including healthcare and government entities. A cyberattack on March 15th is likely tied to this data theft and extortion attempt. Authorities including Police Scotland, the National Crime Agency, and the National Cyber Security Centre are collaborating with the government to assess the damage. NHS Dumfries and Galloway assures that patient services remain unaffected and is cooperating fully with law enforcement and cybersecurity specialists. The healthcare provider promises to notify and support all individuals whose information has been disclosed. |
| 2024-03-27 16:27:58 | bleepingcomputer | CYBERCRIME | Critical SharePoint Vulnerabilities Actively Exploited, CISA Alerts | CISA has identified active exploitation of a Microsoft SharePoint vulnerability (CVE-2023-24955) allowing remote code execution. Attackers can leverage a second vulnerability (CVE-2023-29357) to gain administrative privileges on SharePoint servers without authentication. A $100,000 reward was given to STAR Labs researcher Nguyễn Tiến Giang for demonstrating an exploit chaining these vulnerabilities at Pwn2Own 2023. Proof-of-concept (PoC) exploit code has been released on GitHub, increasing the risk of widespread exploitation by less skilled attackers. Following the discovery, CISA added CVE-2023-29357 to its Known Exploited Vulnerabilities Catalog, with a deadline for U.S. federal agencies to patch by January 31. CVE-2023-24955 was later added to the list, with a directive for federal agencies to secure their SharePoint servers by April 16. While no evidence suggests the vulnerabilities have been used in ransomware attacks, CISA emphasizes the need for both federal and private organizations to patch promptly to prevent potential cyber-attacks. |
| 2024-03-27 15:36:49 | theregister | DATA BREACH | Meta Allegedly Intercepted Snapchat Data for Competitive Edge | Meta (formerly Facebook) is accused of intercepting and analyzing Snapchat's encrypted data traffic through a program called Project Ghostbusters. The scheme involved the use of Onavo's technology, which Meta acquired, and a research app that collected data on user device usage. Participants, including teenagers, knowingly installed the app, which allowed Facebook to decrypt and analyze their SSL/TLS encrypted traffic. The intercepted analytics data from Snapchat, Amazon, and YouTube was allegedly used to gain insights for competitive advantage, harming competitors' ad business and allowing Meta to raise ad prices significantly. Internal communications revealed concerns among Meta's security personnel regarding the legal and ethical implications of the data interception practices. Advertisers have filed a lawsuit claiming that Meta's actions constituted criminal wiretapping and anti-competitive conduct. The case has broader implications involving accusations of misuse of AI and sensitive user data for identity matching and price manipulation in the social media advertising market. Meta had not commented on the allegations at the time of the report. |
| 2024-03-27 15:31:22 | thehackernews | MALWARE | Sophisticated Malware Campaign Targets India's Defense and Energy | Hackers have targeted Indian government and energy firms, using malware disguised as an Air Force invitation to steal sensitive data via phishing emails. The Dutch cybersecurity firm EclecticIQ has observed the campaign since March 7, 2024, and named it Operation FlightNight, noting the use of Slack channels for data exfiltration. Affected entities include those in electronic communications, IT governance, national defense, and private energy companies, with approximately 8.81 GB of data reported stolen. The malware, HackBrowserData, has been modified to steal a wide array of documents, use Slack for communication, and leverage obfuscation techniques for evasion. A decoy PDF file is used as a lure while the malware simultaneously harvests documents and browser data, relaying it to the adversary's Slack channel. The methods employed by the attackers resemble previous attacks in their use of open-source tools and repurposing of legitimate services, such as Slack, to minimize detection and costs. This incident highlights an evolving threat landscape in which threat actors use open-source tools and mainstream platforms to conduct espionage with minimal risk of detection. |
| 2024-03-27 14:02:48 | theregister | CYBERCRIME | Surge in Enterprise Tech Zero-Day Exploits Identified by Google | Google's Threat Analysis Group (TAG) and Mandiant observed a 64% increase in zero-day exploits targeting enterprise tech in 2023 compared to 2022 levels. Overall, 97 zero-day vulnerabilities were exploited in 2023, up from 62 the previous year, with a significant shift towards enterprise-focused attacks. Major vendors such as Apple, Google, and Microsoft have made notable improvements in software security, with features designed to prevent common exploitation techniques. Criminals are increasingly exploiting vulnerabilities in third-party components and libraries, affecting multiple end-user products simultaneously. The top exploited enterprise technologies in 2023 included Barracuda Email Security Gateways, Cisco Adaptive Security Appliances, and products by Ivanti and Trend Micro. The majority of zero-day exploits were attributed to commercial surveillance vendors and government-backed cyber spies, with a lesser contribution from financially motivated criminals. China remained the most prolific nation-state actor in zero-day exploits, with evidence of sophisticated attack paths using multiple vulnerabilities to breach networks. |
| 2024-03-27 14:02:47 | bleepingcomputer | CYBERCRIME | The Evolution of Ransomware-as-a-Service on the Dark Web | Ransomware-as-a-Service (RaaS) has become the dominant business model among cybercriminal groups, with significant developments in the last three months. LockBit's blog takedown and BlackCat's departure from the ransomware ecosystem signal noteworthy shifts, while smaller ransomware groups emerge. RaaS relies on a complex supply chain: operators create the ransomware, affiliates distribute it, and initial access brokers provide entry points into target IT infrastructures. There is fierce competition for high-quality affiliates, leading groups to offer better terms and potentially compromise their "returns" to attract sophisticated criminals. Recent law enforcement actions against LockBit and BlackCat have shaken affiliate confidence due to the perceived instability of these large groups. Cybercrime groups build reputations to attract experienced affiliates and maintain trust, reducing the risk that affiliates and victims are discouraged from participating. The RaaS ecosystem may fragment, as happened after the Raid Forums takedown, with more small groups potentially forming. Security recommendations include monitoring for stolen credentials, patching exploited vulnerabilities, implementing multi-factor authentication, and integrating proactive threat exposure management solutions. |
| 2024-03-27 13:21:43 | thehackernews | CYBERCRIME | CISA Flags SharePoint Flaw Being Exploited by Hackers | The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical remote code execution vulnerability in Microsoft SharePoint Server (CVE-2023-24955) due to active exploitation. Affected SharePoint Server versions allow an authenticated attacker with Site Owner privileges to remotely execute arbitrary code. Microsoft addressed the issue in its May 2023 Patch Tuesday updates after the vulnerability was discovered. An exploit chain consisting of CVE-2023-24955 and another SharePoint flaw (CVE-2023-29357) was previously demonstrated at a hacking contest, earning the researchers $100,000. No specific information has been released about the attackers or potential misuse of the combined exploits. Federal Civilian Executive Branch (FCEB) agencies must apply the patch by April 2024 to mitigate potential threats. Windows systems with automatic updates and "Receive updates for other Microsoft products" enabled are protected against this vulnerability automatically. |
| 2024-03-27 13:00:47 | bleepingcomputer | NATION STATE ACTIVITY | Surge in Government-Linked Zero-Day Exploits Exposed | The number of zero-day vulnerabilities exploited in attacks in 2023 shot up to 97, marking a significant 50% increase from the previous year. Google's Threat Analysis Group (TAG) and Mandiant reported that spyware vendors and their government clients were behind many of the exploits. Approximately half of the zero-day exploits were connected to commercial surveillance vendors (CSVs) targeting end-user platforms and enterprise technologies. Notably, Chinese state-sponsored actors were responsible for exploiting 12 zero-day vulnerabilities, evidencing a growing trend in their cyber operations. CSVs were behind 75% of the zero-day exploits targeting Google products and the Android ecosystem in 2023. Google has recommended security measures, such as Memory Tagging Extension (MTE) and Lockdown mode, for high-risk users to defend against zero-day attacks. In response to the malicious use of spyware, the U.S. imposed sanctions and visa restrictions on individuals and firms linked to commercial spyware operations, including Predator spyware operators and their founder. |
| 2024-03-27 12:55:23 | thehackernews | MALWARE | Microsoft Edge Flaw Allowed Stealthy Extension Installation | Microsoft patched a serious vulnerability in the Edge browser, tracked as CVE-2024-21388, that allowed silent installation of malicious extensions. Discovered by Guardio Labs and responsibly disclosed, the flaw had a CVSS score of 6.5 and was fixed in the Edge stable version released on January 25, 2024. Attackers could exploit a private Microsoft API, originally intended for marketing use, to covertly install extensions with extensive permissions. The bug stems from a lack of proper validation, permitting any extension identifier to be installed without user interaction. Guardio's research indicated that JavaScript run on pages such as bing[.]com or microsoft[.]com could trigger unauthorized extension installations from the Edge store. Microsoft's advisory acknowledged that the vulnerability could lead to a browser sandbox escape and required attackers to prepare the target environment. Although there is no evidence of active exploitation, Guardio Labs highlighted the potential risks of how browser customizations can lead to security compromises. |
| 2024-03-27 11:02:53 | theregister | DATA BREACH | Social Enterprise Big Issue Hit by Ransomware Data Leak | The Big Issue, a newspaper assisting the homeless, suffered a cybersecurity incident claimed by the Qilin ransomware gang. Qilin claims to have stolen 550 GB of sensitive data from The Big Issue, including personal details of employees and subscribers. Leaked information potentially includes the CEO's driving license, salary details, and employee passport scans. Subscribers' personal email addresses and bank details, such as account numbers and sort codes, might also have been compromised. The Big Issue Group has responded by restricting system access and working with IT security experts, law enforcement, and regulatory agencies while beginning system restoration. The publication and distribution of The Big Issue are unaffected, and services to vendors continue, in keeping with the organization's social mission. The ICO has been notified, implying a review of data protection and security practices at The Big Issue. |
| 2024-03-27 11:02:53 | thehackernews | CYBERCRIME | Enhancing SASE Security with Enterprise Browser Extensions | SASE solutions are increasingly used by organizations to secure their cloud-based networks and improve network performance. A new report identifies significant gaps in SASE's ability to defend against web-borne threats, including phishing and malicious browser extensions. Secure browser extensions are presented as critical to a comprehensive security strategy, offering real-time protection and granular visibility against sophisticated threats. The report uses three use cases to illustrate the shortcomings of SASE and the added value of browser extensions: phishing attacks, malicious extensions, and account takeovers. As SaaS applications become the norm, the browser's role as the main workspace has expanded, making it a critical point of vulnerability. LayerX emphasizes that network security alone is not enough; organizations need to adopt additional measures such as secure browser extensions to mitigate risks. For full insights on how secure browser extensions can provide real-time protection and complement SASE, the report is available for download. |
| 2024-03-27 10:42:12 | thehackernews | CYBERCRIME | AI Platform Exploitation for Crypto Mining Underscores Security Flaw | A critical vulnerability in the Anyscale Ray AI platform is being exploited for cryptocurrency mining. Attackers exploit CVE-2023-48022 to execute arbitrary code, affecting various sectors, including education and biopharma. The campaign, named ShadowRay, has been active since September 2023 and targets AI workloads. Major industry players such as OpenAI, Uber, and Netflix use the Ray platform, heightening the potential impact. Anyscale acknowledges the issue but has chosen not to fix it, citing design decisions and future authentication plans. Security firm Oligo observed hundreds of Ray GPU clusters compromised, leading to data leaks, including sensitive credentials. Attackers not only mined cryptocurrency but also gained persistent remote access and elevated privileges in cloud environments. The exploitability of the flaw underscores the importance of securing AI computing frameworks against cyber threats. |
| 2024-03-27 07:58:49 | thehackernews | MALWARE | Evolving Phishing Scheme Employs Agent Tesla Keylogger via Email | A new phishing campaign has been detected using a novel malware loader to deliver the Agent Tesla keylogger. Victims receive a phishing email that pretends to be a bank payment notice, with a malicious attachment designed to initiate the malware deployment. The loader conceals itself through obfuscation and polymorphic behavior, bypassing antivirus programs and leveraging proxies to disguise its traffic. Two variants of the .NET-written loader use different decryption methods to obtain the payload from a remote server and evade the Windows Antimalware Scan Interface (AMSI). Agent Tesla is executed in memory, allowing attackers to secretly harvest data and send it via SMTP using a compromised email account. Trustwave's findings point to a significant evolution in Agent Tesla's deployment methods, emphasizing its sophistication and stealth capabilities. The article also references related phishing activities by other cybercrime groups and the use of phishing kits such as Tycoon targeting Microsoft 365 users. |