Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11811
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-22 22:04:33 | theregister | NATION STATE ACTIVITY | Chinese Spies Exploited Critical Bugs for Access to Western Networks | Chinese operatives exploited critical bugs in F5 BIG-IP and ConnectWise ScreenConnect to gain access to US and UK networks.
Mandiant assesses "with moderate confidence" that the group UNC5174, which operates under the persona "Uteus", carried out the attacks on behalf of China's Ministry of State Security (MSS).
The group's activities included selling access to compromised networks, including US defense and UK government agencies.
UNC5174 used custom software and the C2 framework SUPERSHELL to infiltrate networks via the F5 BIG-IP bug, then attempted to sell the access.
In their campaigns, UNC5174 also exploited other vulnerabilities in Atlassian Confluence, Linux kernels, and Zyxel Firewall OS.
The attackers targeted universities, think tanks, and government entities, engaging in reconnaissance, scanning, and aggressive fuzzing for vulnerabilities.
After gaining access, the attackers created administrator accounts and deployed malware such as SNOWLIGHT, GOHEAVY, and GOREVERSE for persistent access and control.
Mandiant's report warns of the continued threat from China-nexus actors and provides indicators of compromise for network defense. | Details |
| 2024-03-22 19:32:05 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT29 Hackers Target German Parties with WineLoader Malware | A Russian hacking group associated with the SVR is now attacking German political parties using WineLoader malware.
The shift in focus from diplomatic entities to political parties signifies an operational change for the group known as APT29, NOBELIUM, or Cozy Bear.
WineLoader enables remote access and espionage activities, and is the latest in a series of sophisticated tools used by APT29.
The campaign, observed since late February 2024, uses phishing emails impersonating the Christian Democratic Union (CDU) to distribute the malware.
APT29 had previously concentrated on cloud services and email environments; the move to political parties shows the group's targeting continues to evolve.
Mandiant researchers identified the recent use of WineLoader in various countries, indicating a broad and continued espionage effort.
WineLoader's complexity and evasion techniques reflect APT29's technical sophistication and adaptability. | Details |
| 2024-03-22 17:50:13 | bleepingcomputer | CYBERCRIME | Mozilla Addresses Two Exploited Zero-Day Vulnerabilities in Firefox | Mozilla has released updates to fix two zero-day vulnerabilities that were exploited in the Firefox browser during the Pwn2Own Vancouver 2024 event.
Researcher Manfred Paul received a $100,000 reward for discovering and demonstrating the flaws, which allowed for remote code execution and sandbox escape.
The first, CVE-2024-29944, allowed privileged JavaScript execution through event handlers (the sandbox escape; it affects desktop Firefox only), while the second, CVE-2024-29943, was an out-of-bounds read or write on a JavaScript object reached by bypassing range-analysis bounds checks.
Both were patched in Firefox 124.0.1 and Firefox ESR 115.9.1.
The fixes shipped one day after the exploits were demonstrated at the contest, far sooner than the 90-day disclosure deadline Trend Micro's Zero Day Initiative gives vendors.
In total, participants at the Pwn2Own Vancouver 2024 earned over $1 million for exploiting 29 zero-day vulnerabilities, with Manfred Paul leading the event in cash prizes and points.
The event showcased the vulnerabilities of major browsers, including Firefox, Safari, Chrome, and Edge, and emphasized the ongoing importance and value of ethical hacking in cybersecurity. | Details |
| 2024-03-22 17:04:19 | theregister | CYBERCRIME | Keycard Security Flaw Exposes Millions of Hotel Rooms to Risk | Security flaws in Saflok keycard locks, made by dormakaba, potentially affect 3 million doors globally, posing a significant risk to hotel security.
The technique, named "Unsaflok," affects Saflok locks commonly installed on hotel doors, elevators, and parking garages in 131 countries.
Researchers disclosed the vulnerabilities in September 2022 and a fix became available in November 2023; so far only 36% of affected locks have been updated.
The attack requires any keycard from the target property, even an expired one for a different room; from it, attackers forge two cards with off-the-shelf RFID tools: the first rewrites the lock's data and the second opens the door.
Remediation is not limited to the locks: hotel management software, keycard encoders, and the keycards themselves must also be updated or replaced.
There is no evidence of prior exploitation, but the locks have been in use for over 36 years, so past intrusions could have gone undetected.
Details of the exploit have not been fully disclosed to prevent widespread misuse while hotels are in the process of upgrading their security systems.
Other keycard systems have been compromised in the past, but Unsaflok is the most recent example of a widespread security vulnerability in hotel access control. | Details |
| 2024-03-22 16:13:13 | bleepingcomputer | CYBERCRIME | German Police Seize Darknet Cybercrime Marketplace Nemesis | German authorities have dismantled the Nemesis Market, a prominent darknet platform involved in cybercrime, seizing its infrastructure in Germany and Lithuania.
Roughly $100,000 in cryptocurrency was seized when law enforcement took down the website on March 20, 2024.
Nemesis Market was known for selling illegal drugs, stolen data, credit cards, and services for ransomware, phishing, and DDoS attacks.
The marketplace, launched in 2021, accommodated over 150,000 users and 1,100 sellers, with a significant 20% of users from Germany.
The investigation into Nemesis Market, initiated in October 2022, was a collaboration between German, Lithuanian, and American agencies, including the FBI, DEA, and IRS-CI.
Although the Nemesis website now shows a seizure notice, authorities have not yet disclosed if arrests have been made of the server administrators or main operators.
Earlier busts by German police include the German-speaking 'Crimemarket' in March 2024 and 'Kingdom Market' in December 2023, demonstrating the ongoing effort to tackle cybercrime on darknet platforms.
The largest takedown was of the 'Hydra' market in April 2022, which had over 17 million members and 19,000 sellers. | Details |
| 2024-03-22 15:07:02 | theregister | CYBERCRIME | Apple Silicon Vulnerability Threatens Cryptographic Security | Researchers discovered a hardware-level vulnerability in Apple Silicon processors that can leak cryptographic keys.
The flaw, named GoFetch, abuses the data memory-dependent prefetchers (DMPs) in these chips: the DMP inspects data values in memory and prefetches anything that looks like a pointer, so secret-derived values that happen to resemble pointers leave a cache footprint an attacker can observe.
The flaw puts cryptographic operations at risk, allowing a malicious app to extract keys when it runs on the same CPU cluster as the victim process.
The team demonstrated working attacks on M1 chips and found that base-model M2 and M3 CPUs exhibit the same behaviour.
Disabling the DMP mitigates the issue, but that is only possible on M3 (via the data-independent timing, DIT, bit), not on M1 or M2, and it substantially degrades performance.
Intel's 13th Gen Raptor Lake microarchitecture also has a DMP, but its more restrictive activation criteria make the attack considerably harder there than on Apple silicon.
The researchers’ findings necessitate that third-party cryptographic programs enhance their implementations to prevent successful exploits. | Details |
| 2024-03-22 15:01:42 | bleepingcomputer | CYBERCRIME | New GoFetch Attack Exploits Apple CPUs to Steal Cryptographic Keys | Researchers uncover a side-channel attack, named GoFetch, that targets Apple's M1, M2, and M3 processors, risking exposure of cryptographic keys.
The GoFetch attack exploits the data memory-dependent prefetchers in modern Apple CPUs, undermining the constant-time programming assumption that a program's data values, as opposed to the addresses it accesses, do not influence memory access.
Capable of pilfering private keys for algorithms such as OpenSSL Diffie-Hellman and CRYSTALS Kyber, this hardware vulnerability lacks a direct fix in affected chips.
Apple was informed about the vulnerability on December 5, 2023, yet any potential software mitigation might result in a performance degradation for cryptographic operations.
Intel's latest CPUs implement a more restrictive prefetcher, and the researchers found it resistant to this attack.
Mitigations recommended for developers include blinding inputs and masking secret values so they never resemble valid pointers; end users have no fix beyond general safe-computing practices.
Apple has said little publicly about GoFetch; mitigation guidance is available on a developer page, with no announced plans for a security patch.
| 2024-03-22 14:10:39 | thehackernews | CYBERCRIME | New StrelaStealer Phishing Attacks Target Major Sectors in E.U. and U.S. | Cybersecurity researchers have identified a series of phishing attacks using StrelaStealer malware affecting over 100 organizations across the E.U. and the U.S.
The attacks involve spam emails with varying types of attachments designed to evade detection and launch the malware's DLL payload.
StrelaStealer is capable of extracting email credentials from popular email clients and sending the information to servers controlled by attackers.
Recent campaigns have shown a trend toward using invoice-themed emails with ZIP attachments containing a JavaScript file to initiate infection.
The malware utilizes advanced obfuscation and anti-analysis techniques to complicate detection within sandboxed environments.
Broader cybersecurity observations note the prevalence of other stealers like Stealc and RATs such as Revenge RAT and Remcos RAT, often packed using cryptors-as-a-service platforms.
Separately, a social engineering scam involving fake obituary notices and SEO poisoning has been discovered, primarily aimed at pushing adware and other unwanted programs.
The use of malware-as-a-service (MaaS) is highlighted, showing how relatively unskilled threat actors can conduct large-scale, successful attacks leveraging readily available tools and malware. | Details |
| 2024-03-22 13:49:56 | theregister | MISCELLANEOUS | NIST's National Vulnerability Database Experiences Analysis Delays | The U.S. National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) has drastically slowed the enrichment of newly reported vulnerabilities.
NIST announced on February 15, 2024, that users would see delays in analysis while it transitions to a new consortium intended to improve the NVD program.
Without that enrichment (CVSS scores, CWE weakness types, and CPE product identifiers), security teams struggle to prioritize and manage vulnerabilities, since scanners and risk assessments rely on it.
The slowdown has left thousands of Common Vulnerabilities and Exposures (CVEs) with a bare record and no NVD analysis, complicating scanning and software risk assessment.
Alternative sources such as Open Source Vulnerabilities (OSV) and the GitHub Advisory Database exist, but many organizations, especially government contractors, are required by regulation to use NIST's CVSS scores and the NVD.
Stopgaps are emerging, such as Anchore's open-source NVD Data Overrides project, which supplies affected-product data for unenriched CVEs but not CVSS scores. | Details |
| 2024-03-22 13:49:55 | thehackernews | CYBERCRIME | AWS Remedies Critical Session Hijack Vulnerability in Airflow Service | AWS has patched a critical vulnerability in AWS Managed Workflows for Apache Airflow (MWAA), named 'FlowFixation' by Tenable.
The flaw enabled potential session hijacking and remote code execution on the underlying instances of the service.
An attacker exploiting the weakness could read connection strings, modify configurations, and trigger directed acyclic graphs (DAGs), leading to possible remote code execution (RCE) on the underlying instance and lateral movement to other services.
The issue combined session fixation in the MWAA web management panel with an AWS domain misconfiguration (a shared parent domain that was not on the Public Suffix List) that made cross-site scripting (XSS) and cross-tenant cookie attacks possible.
Tenable emphasizes the broader risk associated with cloud providers' domain architecture, pointing out potential for same-site attacks, cross-origin issues, and cookie tossing.
AWS and Azure have taken steps to address the domain misconfiguration by adding affected domains to the Public Suffix List (PSL). Google Cloud, however, has not deemed the issue severe enough to warrant a fix.
The report highlights the significant risks in cloud environments, including cookie-tossing attacks and bypassing of CSRF protections via session fixation vulnerabilities. | Details |
| 2024-03-22 11:32:14 | thehackernews | MALWARE | Malware Campaign 'Sign1' Infects WordPress Sites with Redirect Scams | Over 39,000 WordPress sites have been affected by the 'Sign1' malware campaign over the past six months.
The latest variant of 'Sign1' has infected at least 2,500 sites in the past two months, using malicious JavaScript to redirect users to scam sites.
The malware injects rogue JavaScript into HTML widgets and legitimate plugins; the injected code loads a remote script that redirects visitors to scam pages only when they arrive from major sites such as Google or Facebook, so site owners opening their own site directly see nothing unusual.
Attackers employ dynamic URLs changing every 10 minutes to evade blocklists, using domains registered just days before their use in cyberattacks.
Sign1 appears to leverage brute-force attacks or exploit vulnerabilities in WordPress themes and plugins for site access, often using legitimate plugins to hide malicious code.
The malware remains undetected for long periods as it doesn't place any malicious code into server files, instead using WordPress custom HTML widgets for code injection. | Details |
| 2024-03-22 11:32:14 | thehackernews | NATION STATE ACTIVITY | Chinese Espionage Ops Breach Networks Using Software Vulnerabilities | A China-linked threat group, UNC5174, exploited software flaws to infiltrate networks and deliver malware.
The attackers targeted Southeast Asian and U.S. research, education, Hong Kong businesses, NGOs, and government entities.
The group used vulnerabilities in multiple software including Atlassian Confluence, ConnectWise ScreenConnect, F5 BIG-IP, Linux Kernel, and Zyxel.
Post-intrusion activity included reconnaissance, vulnerability scanning, creation of administrator accounts, and deployment of the SNOWLIGHT and GOREVERSE malware.
The group also used tools such as GOHEAVY for lateral movement and, unusually, patched the vulnerabilities it had just exploited, likely to keep other intruders out of the compromised hosts.
UNC5174 appears to be acting as an initial access broker, potentially associated with China's Ministry of State Security (MSS).
There are operational similarities between UNC5174 and another access broker, UNC302, indicating a collaborative MSS-backed cyber espionage effort.
The Chinese MSS has issued warnings about foreign hackers targeting domestic entities, though without specifying the responsible group or origin. | Details |
| 2024-03-22 11:16:47 | thehackernews | MISCELLANEOUS | Building Robust Cybersecurity with Zero Trust and Compliance | The ThreatLocker® Zero Trust Endpoint Protection Platform advocates for a deny-by-default approach, enhancing organizational security against cyber threats.
The platform aligns with multiple compliance frameworks, providing confidence in protection against devastating attacks such as ransomware.
Cybersecurity compliance frameworks assist in developing strong security measures but can be ambiguous and complex in their requirements.
Key cybersecurity practices include access management, multi-factor authentication, privileged access management, and antimalware solutions.
Organizations are encouraged to implement firewall solutions, intrusion detection/prevention, and secure data encryption, among other robust security measures.
Regular security reviews and adherence to written policies are emphasized to ensure continuous protection against potential threats.
ThreatLocker® offers a free guide, "The IT Professional's Blueprint for Compliance", to help professionals navigate and fulfill diverse compliance obligations. | Details |
| 2024-03-22 06:16:49 | thehackernews | MISCELLANEOUS | U.S. Justice Department Hits Apple with Landmark Antitrust Lawsuit | The U.S. Department of Justice, joined by 16 state and district attorneys, has filed a lawsuit against Apple, alleging the company maintains an unlawful monopoly in the smartphone market.
Apple is accused of leveraging security and privacy as a pretext for anticompetitive behavior, such as selectively degrading text message security for non-iPhone users.
The suit claims Apple's refusal to make iMessage interoperable with Android devices purposely undermines cross-platform communication security.
Third-party attempts to enable secure messaging across platforms, like the Beeper Mini client for Android, have been stifled by Apple, citing security concerns.
The DoJ argues that Apple's practices strengthen network effects, compelling consumers to stay within the Apple ecosystem and deterring them from switching to competitors.
Apple plans to support the RCS messaging protocol and encryption in its Messages app, combining instant messaging features with enhanced security.
Cupertino vows to "vigorously defend" against the lawsuit, asserting that a DoJ victory would set a "dangerous precedent" in government interference with technology design. | Details |
| 2024-03-22 05:15:43 | bleepingcomputer | MISCELLANEOUS | Security Researchers Win Over $1 Million at Pwn2Own Vancouver 2024 | Pwn2Own Vancouver 2024 concluded with security researchers awarded $1,132,500 for demonstrating 29 zero-days.
Participants successfully compromised various software and a Tesla Model 3, highlighting system vulnerabilities even in fully patched configurations.
The event covered multiple categories including web browsers, virtualization, enterprise applications, and automotive systems.
Top awards went to Team Synacktiv for a Tesla Model 3 win and Manfred Paul earning the "Master of Pwn" title with $202,500 in total prize money.
Hacking highlights include gaining remote code execution on web browsers using sophisticated exploits and breaching the Tesla ECU in under 30 seconds.
Vendors affected by the zero-day vulnerabilities now have a 90-day window to issue security patches before public disclosure by the Zero Day Initiative. | Details |
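The FlowFixation entry above turns on two separate weaknesses: a session id that survives login, and a shared parent domain on which one tenant can set cookies that the browser then sends to another tenant (cookie tossing), which listing the domain on the Public Suffix List is meant to prevent. The following Python example is added here and is not code from Tenable's report or from AWS; it models both pieces: a login routine that accepts whatever session id the client presents beside one that rotates it, and an RFC 6265-style cookie domain check that shows how placing a provider's shared domain on the PSL blocks the toss. The `SessionStore` class, the tenant hostnames and the `example-cloud.com` domain are hypothetical.

```python
import secrets

# ---- Part 1: session fixation, vulnerable vs. hardened login ----

class SessionStore:
    """In-memory session table keyed by session id (hypothetical stand-in for a framework's store)."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, sid):
        # Return a valid id: the presented one if known, otherwise a fresh anonymous session.
        if sid is None or sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_vulnerable(store, presented_sid, username):
    # Binds the authenticated user to whatever session id the client presented.
    # If an attacker planted that id in the victim's browser beforehand (for example
    # by cookie tossing from a sibling subdomain, see part 2), the attacker's copy
    # of the id is now an authenticated session: classic session fixation.
    sid = store.get_or_create(presented_sid)
    store.sessions[sid]["user"] = username
    return sid


def login_hardened(store, presented_sid, username):
    # Rotates the session id on privilege change: the pre-auth id is destroyed and a
    # fresh id is issued, so an id known to the attacker never becomes authenticated.
    store.sessions.pop(presented_sid, None)
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = {"user": username}
    return sid


def fixation_succeeds(login):
    """Runs the attack against a login function; True means the planted id got authenticated."""
    store = SessionStore()
    planted = store.get_or_create(None)   # attacker obtains a valid anonymous session id
    login(store, planted, "victim")       # victim authenticates while carrying the planted id
    return store.user_for(planted) == "victim"


# ---- Part 2: cookie scoping and why the Public Suffix List matters ----

def cookie_domain_accepted(request_host, cookie_domain, public_suffixes):
    """RFC 6265-style check: may a response from request_host set a cookie with this Domain?
    Browsers reject Domain values that are public suffixes ('com', or a cloud provider's
    shared parent domain once it is listed on the PSL), and otherwise require the request
    host to equal the domain or be a subdomain of it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if domain in public_suffixes:
        return False
    return host == domain or host.endswith("." + domain)


def cookie_tossing_possible(attacker_host, victim_host, cookie_domain, public_suffixes):
    """True if a page on attacker_host can set a cookie that the browser will also send to victim_host."""
    return (cookie_domain_accepted(attacker_host, cookie_domain, public_suffixes)
            and cookie_domain_accepted(victim_host, cookie_domain, public_suffixes))


if __name__ == "__main__":
    print("vulnerable login fixated:", fixation_succeeds(login_vulnerable))   # True
    print("hardened login fixated:", fixation_succeeds(login_hardened))       # False
    attacker, victim, shared = "evil-tenant.example-cloud.com", "victim.example-cloud.com", "example-cloud.com"
    print(cookie_tossing_possible(attacker, victim, shared, {"com"}))                        # True
    print(cookie_tossing_possible(attacker, victim, shared, {"com", "example-cloud.com"}))   # False
```

The two fixes are independent: rotating the session id on login defeats fixation even if a hostile cookie reaches the victim's browser, while the PSL entry stops the hostile cookie from being scoped to the shared domain in the first place, which also closes the session-swap and CSRF-bypass variants mentioned in the report.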
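The StrelaStealer entry above describes invoice-themed emails carrying a ZIP whose JavaScript member launches the DLL payload. As an added example, not code from the researchers who reported the campaign or from any vendor, here is a Python attachment triage routine of the kind a mail gateway could run: it opens the archive in memory, flags script-type and double-extension members, checks member content for a PE header regardless of the file name, and applies generic stager heuristics to scripts. The ZIP, its member names and the script body are constructed for the example; the regexes are illustrative heuristics chosen here, not published StrelaStealer signatures.

```python
import io
import re
import zipfile

# File types a gateway should not accept inside archives from untrusted senders.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk", ".cmd", ".bat"}

# Generic indicators of a Windows script that stages and executes a second-stage binary.
# Illustrative heuristics for this example, not signatures published for StrelaStealer.
STAGER_PATTERNS = [
    re.compile(rb"ActiveXObject\s*\(\s*['\"]WScript\.Shell['\"]", re.I),
    re.compile(rb"\brundll32(\.exe)?\b", re.I),
    re.compile(rb"\bregsvr32(\.exe)?\b", re.I),
    re.compile(rb"\bcertutil\b.*-decode", re.I),
    re.compile(rb"\bpowershell\b", re.I),
]


def triage_zip(blob):
    """Inspects a ZIP attachment held in memory; returns a list of (member, finding) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append((name, "script-type member"))
                if lower.count(".") >= 2:
                    findings.append((name, "double extension"))   # e.g. invoice.pdf.js
            with zf.open(info) as fh:
                head = fh.read(4096)
            if head[:2] == b"MZ":
                findings.append((name, "PE executable content"))  # DLL/EXE whatever the extension says
            if ext in SCRIPT_EXTENSIONS:
                for pat in STAGER_PATTERNS:
                    if pat.search(head):
                        findings.append((name, "stager indicator: " + pat.pattern.decode()))
    return findings


def verdict(findings):
    """Quarantine on any script member or PE content; otherwise deliver."""
    return "quarantine" if findings else "deliver"


def build_zip(members):
    """Builds an in-memory ZIP from a {name: bytes} mapping (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample resembling the invoice-themed lure described above. The script body
# is illustrative text only; nothing here executes it.
SAMPLE_JS = b"""var sh = new ActiveXObject("WScript.Shell");
sh.Run("cmd /c certutil -decode %TEMP%\\\\inv.txt %TEMP%\\\\inv.dll && rundll32 %TEMP%\\\\inv.dll,#1", 0);
"""


def build_sample_zip():
    return build_zip({"Invoice_2024_0322.pdf.js": SAMPLE_JS,
                      "readme.txt": b"Please find attached the invoice."})


def build_benign_zip():
    return build_zip({"report.csv": b"date,amount\n2024-03-22,10.00\n"})


if __name__ == "__main__":
    for member, finding in triage_zip(build_sample_zip()):
        print(member, "->", finding)
    print(verdict(triage_zip(build_sample_zip())))   # quarantine
    print(verdict(triage_zip(build_benign_zip())))   # deliver
```

The content checks matter more than the extension checks: the article notes the attachment types vary from campaign to campaign, so a gateway that keys only on `.zip` plus `.js` misses the next variant, whereas a PE header inside an archive member or a script that invokes `rundll32` is suspicious regardless of how the file is named.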