Daily Brief


Total articles found: 11812

Checks for new stories every ~15 minutes

2024-03-25 15:04:08 theregister CYBERCRIME Researcher Exposes Firefox Zero-Days, Nets $100K at Hackathon
Mozilla quickly patched two critical zero-day vulnerabilities exposed during the Pwn2Own hacking competition in Vancouver. Security researcher Manfred Paul discovered the flaws: an out-of-bounds read/write (CVE-2024-29943) and privileged JavaScript execution via event handlers (CVE-2024-29944). The vulnerabilities affected the desktop version of the Firefox browser. Firefox users need to update to version 124.0.1, released on March 22, to be protected; some users may have to perform a two-step upgrade process. Mozilla's rapid response involved releasing the patch within 24 hours of the exploit's demonstration. Pwn2Own Vancouver saw a total of $1,132,500 awarded for 29 new zero-day disclosures, with Paul earning the top prize and the Synacktiv team coming in second.
2024-03-25 14:33:08 theregister CYBERCRIME Security Flaw in Apple M1 and M2 Chips Resists Disabling
Researchers have detailed the GoFetch vulnerability affecting Apple M-series CPUs, and potentially Intel Raptor Lake CPUs, which can leak sensitive data. GoFetch exploits the Data Memory-Dependent Prefetcher (DMP), a microarchitectural optimization that, like the speculative execution behind Spectre, leaves observable traces in the cache. A significant problem with the Apple M1 and M2 chips is that the prefetcher cannot be disabled to prevent the leakage. Apple's M3 CPUs and Intel's Raptor Lake CPUs can mitigate the vulnerability through software, because they expose a mode that turns the DMP off, unlike M1 and M2 chips. The suggested temporary workaround is to run cryptographic operations on Apple's slower Icestorm efficiency cores, which have no DMP and so are not affected. Even the Icestorm core workaround may not be a long-term solution if future Apple CPUs enable a DMP in the efficiency cores, thus exposing all operations to potential data leaks. Apple is urged to resolve the DMP issue by either fixing, removing, or replacing the feature to prevent vulnerabilities in future processors.
2024-03-25 12:00:18 thehackernews CYBERCRIME Sophisticated Supply Chain Cyberattack Targets GitHub, PyPI
Hackers compromised several GitHub accounts and the organization account of Top.gg to plant malicious code, conducting a supply chain attack. The threat actors used stolen browser cookies for account takeovers, pushed commits that appeared verified, ran a fake Python package mirror, and published rogue packages on PyPI. Sensitive information, including passwords and credentials, was stolen through trojanized versions of popular Python packages like colorama, hosted on a typosquatted domain imitating the legitimate package file host and referenced by direct URL from a requirements file. The attack was partly revealed earlier by an Egyptian developer and involves obfuscated malware that established persistence and stole data from various personal accounts and wallets. An active repository on GitHub still contains references to the malicious version of colorama, and the compromised accounts had write permissions to the Top.gg repositories. The malware conducts a multi-stage infection, changing Windows Registry entries, and exfiltrates target data using file-sharing services or HTTP requests. This incident emphasizes the need for vigilance when installing packages even from trusted sources like GitHub and PyPI, and for maintaining robust security practices.
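The attack above worked because a requirements file pointed pip at a lookalike of the real package file host. The following is an added example (not code from the incident, Checkmarx, or Top.gg) of a pre-install check that audits every URL in a requirements file against an allowlist of official hosts and flags near-miss domains as likely typosquats. The requirements text, the lookalike domain, and the hash fragment are all constructed for the example; the allowlist and the 0.7 similarity cutoff are assumptions you should tune.

```python
"""Audit requirements-style files for package URLs pointing at unlisted or lookalike hosts."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allowlist: the official index and its file host. Add internal mirrors here.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample, not any project's real requirements file. Line 4 points at a
# constructed lookalike host ('0' for 'o'); line 5 adds an unknown extra index.
CONSTRUCTED_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
colorama @ https://files.pythonhosted.org/packages/aa/bb/colorama-0.4.6-py2.py3-none-any.whl#sha256=00112233
colorama @ https://files.pyth0nhosted.example/packages/aa/bb/colorama-0.4.6-py2.py3-none-any.whl
--extra-index-url https://pypi-mirror.example/simple
numpy>=1.26
"""


def strip_comment(line: str) -> str:
    # pip treats '#' as a comment only at line start or after whitespace, so
    # '#sha256=...' fragments inside URLs survive this split.
    return re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()


def audit_requirements(text: str, allowed_hosts=ALLOWED_HOSTS, lookalike_ratio: float = 0.7):
    """Return one finding per URL whose host is not allowlisted.

    kind is 'lookalike-of:<allowed host>' when the host closely resembles an
    allowlisted one (a typosquat signal), else 'unlisted-host'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in allowed_hosts:
                continue
            closest = max(allowed_hosts, key=lambda h: SequenceMatcher(None, host, h).ratio())
            ratio = SequenceMatcher(None, host, closest).ratio()
            kind = f"lookalike-of:{closest}" if ratio >= lookalike_ratio else "unlisted-host"
            findings.append({"line": lineno, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_requirements(CONSTRUCTED_REQUIREMENTS):
        print(f"line {f['line']}: {f['host']} ({f['kind']})")
```

Run it in CI before `pip install -r`; a lookalike finding should fail the build rather than just warn, because a direct URL bypasses index-level protections such as hash pinning against the real package.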
2024-03-25 11:39:40 thehackernews NATION STATE ACTIVITY Microsoft Falls Victim to Russian Hackers' Password Spray
Microsoft experienced a breach orchestrated by Russian state hackers using a password spray technique. The attackers gained access through a low-activity, non-production Microsoft account, highlighting the importance of securing every account. Sensitive internal information, including emails from senior leadership, was compromised over a seven-week period. Microsoft responded quickly upon detection to halt the attackers' activities and strengthen its defenses. The incident stresses the necessity of safeguarding all user accounts, not just those with elevated privileges. Password spray attacks exploit weak and reused passwords by trying a few common passwords against many accounts, staying under per-account lockout thresholds, so continuous password security measures are critical. The breach serves as a warning for organizations to implement strong password policies and multi-factor authentication. Measures like Specops Password Policy can assist in defending Active Directory by blocking compromised credentials.
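Because a spray touches many accounts a few times each, per-account lockout never fires; the signal is one source producing failures against many distinct usernames in a short window. The following is an added example (not Microsoft's detection logic or any vendor's product) of that check over constructed sign-in log lines, which also reports any account that succeeded from the same source after the spray began. The log format, the 10-minute window, and the five-user threshold are assumptions.

```python
"""Detect password spraying: one source, many usernames, few attempts each."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the Microsoft incident).
# Format: ISO timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-01-10T02:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-10T02:00:09Z 203.0.113.7 bob@example.com FAIL
2024-01-10T02:00:17Z 203.0.113.7 carol@example.com FAIL
2024-01-10T02:00:25Z 203.0.113.7 dave@example.com FAIL
2024-01-10T02:00:33Z 203.0.113.7 erin@example.com FAIL
2024-01-10T02:00:41Z 203.0.113.7 frank@example.com FAIL
2024-01-10T02:00:49Z 203.0.113.7 legacy-test@example.com SUCCESS
2024-01-10T02:05:00Z 198.51.100.4 alice@example.com FAIL
2024-01-10T02:05:30Z 198.51.100.4 alice@example.com FAIL
2024-01-10T02:06:00Z 198.51.100.4 alice@example.com SUCCESS
"""


def parse_events(text: str):
    """Parse log lines into (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {...}} for sources whose failures span >= min_users distinct
    usernames inside any sliding window. Repeated failures against ONE account
    (classic brute force) do not trigger this rule; that is a separate detection.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        best_users, spray_start = 0, None
        start = 0
        for end in range(len(fails)):
            # advance the window start until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {e[2] for e in fails[start:end + 1]}
            if len(users) > best_users:
                best_users, spray_start = len(users), fails[start][0]
        if best_users >= min_users:
            # any success from the same source after the spray began is a likely hit
            hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= spray_start})
            findings[ip] = {"distinct_users": best_users, "compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {f['distinct_users']} accounts; successes after spray: {f['compromised']}")
```

The "compromised" list is what turns an alert into an incident: in the sample, the only success belongs to a dormant test account, which is exactly the kind of account the spray in the story landed on. In production, key on a user-agent or ASN as well as IP, since sprays are commonly spread across residential proxies.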
2024-03-25 09:32:26 theregister DATA BREACH Critical Analysis of the British Library Ransomware Saga
The British Library suffered a significant ransomware attack last October, with lasting impacts and systems yet to be restored or permanently lost. A recent detailed report released by the British Library outlines the factors that led to the IT disaster and offers insights for the broader industry. The Library's IT infrastructure challenges resonate across many organizations: outdated systems, insufficient resources, and complexity-induced inertia. The report serves as a rare and valuable resource for auditing current practices within enterprise IT infrastructures and can aid in promoting better management and prioritization. Despite the opportunity for learning and reform, there is skepticism about whether the lessons will be effectively communicated to top-level policymakers who influence organizational infrastructure strategies. There is no robust mechanism for mandating improvements, similar to the aviation industry's safety regulations, resulting in a lack of enforceable standards and accountability. The report can be used subversively within organizations to highlight parallels and encourage proactive changes by drawing attention to the risks of neglected IT practices. The analogy with the Library of Alexandria suggests that political challenges and resource constraints often contribute to the decline of important institutions, a lesson that echoes in the present scenario.
2024-03-25 09:06:38 thehackernews MALWARE "GoFetch" Vulnerability Threatens Apple M-Series Chip Security
A new vulnerability named "GoFetch" has been identified in Apple's M-series chips, which could allow attackers to extract secret encryption keys. The flaw is a microarchitectural side-channel attack that exploits the data memory-dependent prefetcher (DMP) to target cryptographic operations. Apple was informed about the vulnerability in December 2023. The attack undermines constant-time cryptographic implementations: the prefetcher, which anticipates and preloads memory data, can be misled into treating secret-dependent values as pointers and dereferencing them, leaving traces in the cache that reveal the secret. To launch an attack, a threat actor would need to run malicious code on the same machine and CPU cluster as the victim. GoFetch cannot be mitigated in hardware on existing M-series CPUs; instead, developers must update cryptographic libraries to prevent exploitable conditions, potentially impacting performance. On M3 chips, enabling data-independent timing (DIT) disables the problematic prefetching, but this is not an option on M1 and M2 processors. Apple advises developers to use measures that prevent timing-based leakage and to avoid using secret data in conditional branches and memory accesses, to prevent secret inference.
2024-03-25 07:40:08 thehackernews CYBERCRIME MuddyWater Espionage Campaign Targets Israeli Sectors via Phishing
Iran-linked threat group MuddyWater initiated a phishing campaign against Israeli organizations using the Atera RMM tool for surveillance. Targets included entities in manufacturing, technology, and information security, with a focus on phishing emails with PDF attachments linking to malicious content. MuddyWater has historically used various legitimate remote desktop and management software to infiltrate and control systems within victim organizations. The campaign involved hosting malicious files on file-sharing platforms and then duping victims into installing the Atera Agent via a PDF document and ZIP archive. A related incident by Iranian hacktivist group Lord Nemesis involved a software supply chain attack on Rashim Software, compromising numerous Israeli academic institutes. Lord Nemesis allegedly bypassed weak MFA protections to access sensitive information and alerted the customers of Rashim Software of the breach four months after initially gaining access. The incidents highlight the trend of nation-state actors targeting smaller companies within supply chains, seeking to compromise broader ecosystems for political and espionage objectives.
2024-03-25 06:33:47 theregister NATION STATE ACTIVITY UN Report Uncovers Extensive North Korean Sanctions Evasion Techniques
The United Nations has reported on various methods North Korea employs to evade international sanctions and fund its weapons programs, including money laundering through restaurants and cyber attacks on cryptocurrency companies. North Korea is purportedly operating eateries in China, Laos, Thailand, and Russia, potentially laundering upwards of $700 million annually through these businesses. The UN details 58 suspected North Korean cyber attacks on crypto-related companies between 2017 and 2023, aiming to acquire resources for weapons of mass destruction. In 2023 alone, North Korea is believed to have obtained $750 million in cryptocurrencies through illicit activities. Recommendations to combat these activities include international cooperation, implementing stricter compliance measures, and adopting essential infosec practices like multi-factor authentication and zero-trust principles. The UN suggests the creation of systems for reporting and sharing information on North Korean cyber threats, particularly with the cryptocurrency industry and private sectors. The report also calls on all crypto platforms and protocols to strengthen anti-money-laundering and know-your-customer measures to prevent North Korea's cryptocurrency schemes. Beyond cyber operations and restaurants, the report lists various other sanction evasion tactics by North Korea, reflecting the complexity and extent of these activities in a comprehensive 615-page document.
2024-03-25 01:18:29 theregister DATA BREACH Microsoft Windows Server Update Triggers Crashes, Patch Issued
Microsoft acknowledged a memory leak issue in its March security update for Windows Server, causing crashes and reboots. The problem affected the Local Security Authority Subsystem Service (LSASS) on Windows Server versions 2012 R2, 2016, 2019, and 2022. The leak was triggered by Kerberos authentication requests on Active Directory domain controllers. Microsoft has identified the root cause and released a patch to address the issue. A severe vulnerability in Atlassian Bamboo (CVE-2024-1597), rated CVSS 10.0, was disclosed, stemming from a non-Atlassian component. A new and more potent variant of the AcidRain wiper malware, dubbed AcidPour, has been linked to Russian threat actors and is designed to target a broader range of Linux systems. According to Proofpoint's Data Loss Landscape report, 85% of companies experienced data loss in the past year, with 71% attributing it to careless employees. Privileged users, such as those in HR and finance, are considered the greatest insider threat, although just 1% of users were responsible for the majority of data loss events.
2024-03-24 18:42:26 theregister DDOS Loop Denial-of-Service Attack Threatens 300,000 Public Servers
Up to 300,000 servers are exposed to a new Loop Denial-of-Service (DoS) vulnerability. Vulnerable protocols include TFTP, DNS, and NTP, as well as some legacy UDP services. The largest numbers of at-risk systems are located in China, Russia, and the US. The attack uses a single IP-spoofed packet to make two servers answer each other's error messages indefinitely, so it can disrupt services without any ongoing attack traffic and is difficult to stop once initiated. Researchers notified vendors in December for patching and will coordinate with the Shadowserver Foundation on a broader notification campaign. Devices produced by Arris, Broadcom, Microsoft, and others, including out-of-support products by Cisco, TP-Link, and Zyxel, are also vulnerable. IT admins are urged to update network services and check their systems using the detection code the researchers provided.
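The loop needs nothing from the attacker after the first spoofed datagram, and it only forms when both endpoints answer an unrecognized message with an error of their own. The following is an added example (not the researchers' detection code) that simulates that exchange in-process with two toy UDP-style responders, a "vulnerable" one that always answers errors with errors and a "hardened" one that drops inbound error messages, and counts how many datagrams fly before the conversation dies. The message formats and the step cap are assumptions.

```python
"""Simulate an application-layer loop DoS between two UDP-style responders."""
from collections import deque

ERROR = b"ERR: unrecognized request"


def vulnerable_service(payload: bytes):
    """Answers anything it does not understand with an error (loop-capable)."""
    if payload == b"HELLO":
        return b"WELCOME"
    return ERROR


def hardened_service(payload: bytes):
    """Never answers a message that is itself an error, so no loop can form."""
    if payload == b"HELLO":
        return b"WELCOME"
    if payload.startswith(b"ERR"):
        return None  # drop instead of replying error-to-error
    return ERROR


def simulate(services, spoofed_src, target, payload, max_steps=1000):
    """Inject one datagram whose source is spoofed as `spoofed_src` toward `target`.

    Each reply is routed back to the apparent sender. Returns the number of
    datagrams processed before the exchange stops; hitting `max_steps` means
    the two hosts are looping with no further attacker involvement.
    """
    queue = deque([(spoofed_src, target, payload)])
    steps = 0
    while queue and steps < max_steps:
        src, dst, data = queue.popleft()
        steps += 1
        reply = services[dst](data)
        if reply is not None:
            queue.append((dst, src, reply))  # reply goes to the spoofed source
    return steps


if __name__ == "__main__":
    both_vuln = {"A": vulnerable_service, "B": vulnerable_service}
    both_fixed = {"A": hardened_service, "B": hardened_service}
    print("vulnerable pair, junk packet:", simulate(both_vuln, "B", "A", b"junk"))
    print("vulnerable pair, valid packet:", simulate(both_vuln, "B", "A", b"HELLO"))
    print("hardened pair, junk packet:", simulate(both_fixed, "B", "A", b"junk"))
```

Two things the simulation makes visible: a perfectly valid request also triggers the loop when the spoofed peer does not understand the response, and fixing only one of the two hosts is enough to break a given pair, which is why unpatched legacy devices keep the whole population at risk.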
2024-03-24 14:22:58 bleepingcomputer MALWARE StrelaStealer Malware Campaign Strikes Over 100 US and EU Entities
A widespread StrelaStealer malware campaign has affected over 100 US and European organizations, harvesting email credentials. Initially noticed targeting Spanish speakers, StrelaStealer has expanded its scope to targets primarily across the US and Europe. Palo Alto Networks' Unit 42 observed a considerable increase in related phishing campaigns from November 2023 to early 2024. High-tech industries have been the most affected, with finance, legal, manufacturing, government, and others also compromised. The distribution tactics have evolved to ZIP attachments containing JScript and batch files, with increased obfuscation to hinder analysis. StrelaStealer retains its core functionality, extracting login details from Outlook and Thunderbird and sending them to the attackers' server. Users are cautioned to be skeptical of unsolicited emails about payments or invoices and to avoid opening attachments from unknown sources.
2024-03-24 10:13:48 theregister DATA BREACH VF Corporation Alerts 35.5 Million Customers of Data Breach
VF Corporation experienced a significant data breach affecting 35.5 million customers, with personal information compromised but no financial details taken. The breach involved customer names, email addresses, phone numbers, billing and shipping addresses, and in some cases, order history and payment method. VF Corporation claims there is no evidence the stolen data has been misused but acknowledges the potential risk of identity theft, phishing, and fraud. The incident, initially reported in December without clear details, has been clarified in a privacy breach notification, though not labeled explicitly as a ransomware attack. The company assures customers that no financial details like credit card or bank account numbers were retained in their systems, thus were not exposed. VF Corporation emphasizes that consumer passwords were not compromised, advising customers to remain vigilant, update passwords, and watch for phishing attempts.
2024-03-24 05:39:17 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Group Adopts New Tactics for Cyber Espionage
North Korea-linked Kimsuky threat actor is now using Compiled HTML Help (CHM) files to deploy malware. Active since 2012, Kimsuky primarily targets South Korea, North America, Asia, and Europe for sensitive data collection. Weaponized Microsoft Office documents, ISO files, and Windows shortcut files were previously used by the group. Rapid7, a cybersecurity firm, cited moderate confidence in attributing recent activity to the tactics commonly utilized by Kimsuky. The CHM file is usually contained within an ISO, VHD, ZIP, or RAR file and, once opened, it executes scripts that establish persistence and exfiltrate data. Kimsuky also impersonates legitimate applications, deploying Endoor backdoor malware. The group's actions contribute to North Korea's illegal revenue generation estimated at $3 billion, likely funding its nuclear weapons program. The Reconnaissance General Bureau, which oversees the Kimsuky group, is also broadening its scope by exploring the use of artificial intelligence for cyber operations.
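Both the StrelaStealer campaign above (JScript and batch files inside ZIP attachments) and Kimsuky's delivery (a CHM file inside an ISO, VHD, ZIP, or RAR) rely on a container hiding an executable-by-double-click payload. The following is an added example (not Unit 42's or Rapid7's tooling) of a mail-gateway style check that walks a ZIP, recurses into nested ZIPs, flags script and help-file payloads by extension and CHM by its ITSF header, calls out "document.pdf.js" style double extensions, and reports ISO/VHD/RAR members it cannot open so another tool can. The sample archive and its inert placeholder contents are constructed; the extension lists are assumptions to tune per environment.

```python
"""Flag script, shortcut and CHM payloads hidden inside (possibly nested) ZIP attachments."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: things that execute on double-click, lure document extensions,
# and containers the standard library cannot open here.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".chm", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
CONTAINER_EXT = {".iso", ".vhd", ".rar"}
CHM_MAGIC = b"ITSF"  # header of Compiled HTML Help files


def build_sample_zip() -> bytes:
    """Constructed attachment: a decoy PDF, a double-extension JScript, a batch
    file, and a nested ZIP carrying a CHM, mimicking the deliveries described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_2024-03.pdf", b"%PDF-1.4 constructed placeholder")
        z.writestr("Invoice_2024-03.pdf.js", b"// constructed, inert placeholder\n")
        z.writestr("run.bat", b"@echo off\r\n")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as iz:
            iz.writestr("Report.chm", CHM_MAGIC + b" constructed placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return buf.getvalue()


def inspect_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3):
    """Return [(member path, verdict)] for suspicious members, recursing into nested ZIPs."""
    findings = []
    if depth > max_depth:  # bound recursion against zip-in-zip bombs
        return [(prefix.rstrip("/"), "nesting-too-deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            content = z.read(info)
            if ext == ".zip":
                findings.extend(inspect_archive(content, name + "/", depth + 1, max_depth))
            elif ext in CONTAINER_EXT:
                findings.append((name, "nested-container-not-unpacked"))
            elif ext in SCRIPT_EXT or content.startswith(CHM_MAGIC):
                lure = PurePosixPath(path.stem).suffix.lower() in DOC_EXT
                findings.append((name, "double-extension-script" if lure else "script-or-help-file"))
    return findings


if __name__ == "__main__":
    for member, verdict in inspect_archive(build_sample_zip()):
        print(f"{verdict}: {member}")
```

The verdicts are deliberately coarse: anything in the list should quarantine the message, and the "not-unpacked" verdict exists so that ISO and VHD members are never silently passed through just because this check cannot look inside them.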
2024-03-24 05:28:49 thehackernews CYBERCRIME International Crackdown Leads to Seizure of Nemesis Darknet Market
German Police have seized the "Nemesis Market," a prominent darknet platform involved in the sale of narcotics, stolen data, and cybercrime services. Over €94,000 in cryptocurrency was confiscated during the raid involving German, Lithuanian, and U.S. law enforcement. The operation occurred on March 20, 2024, concluding an investigation that started in October 2022. Nemesis Market, operational since 2021, had over 150,000 users and 1,100 vendors worldwide, with a significant presence in Germany. The market offered a wide range of illicit goods and services, including drugs, fraudulent data, ransomware, phishing kits, and DDoS attacks. No arrests have been made yet, but investigations continue against users and sellers on the platform. This seizure follows the recent takedowns of other darknet markets and the LockBit ransomware group by German authorities.
2024-03-23 07:53:54 theregister NATION STATE ACTIVITY Cozy Bear Phishes German Political Parties with Fake Invites
Russian group Cozy Bear (APT29) targeted German political entities with a phishing campaign using fake dinner invitations. Emails purported to be from Germany's Christian Democratic Union (CDU) and aimed to lure recipients into clicking a malicious link. The phishing chain deployed WINELOADER, a backdoor granting remote control over compromised systems. WINELOADER, first documented publicly in February 2024 after activity dating to late January, is a sophisticated malware with obfuscation techniques that avoids detection by security software. Mandiant linked this activity directly to the Russian Foreign Intelligence Service (SVR) and identified a potential interest in Western political dynamics. This espionage group was previously responsible for the highly publicized SolarWinds breach, affecting key U.S. government departments. The tactics and targets of Cozy Bear are evolving, posing a continued threat to political bodies and beyond.