Daily Brief

Articles are listed below; each entry's summary is generated automatically.

2024-03-22 03:08:20 thehackernews NATION STATE ACTIVITY Russian Military-Linked Hackers Wield AcidPour Malware Against Ukraine
SentinelOne reports the deployment of an upgraded 'AcidPour' malware variant targeting Ukrainian telecoms, potentially impacting four providers. AcidPour is connected to the AcidRain malware and appears to be associated with Russian military intelligence, specifically the Sandworm team. The malware predominantly aims to disable Linux x86 systems embedded in networking, IoT and RAID storage devices, and even Industrial Control Systems (ICS). Sharing coding traits with CaddyWiper, AcidPour has a self-deletion feature and several device-specific wiping routines. The hacking group UAC-0165, linked with Sandworm, is allegedly responsible for the attacks on Ukrainian infrastructure, having targeted 11 telecom service providers from May to September 2023. The disclosure of the Ukrainian telecoms attack follows claims by the GRU-linked Solntsepyok actor of compromising four telecom operators on March 13, 2024. The evolving tactics of these threat actors indicate a strategic effort to cause disruptive and long-lasting impacts on critical infrastructure and communication systems.

2024-03-22 00:09:40 theregister CYBERCRIME Researchers Expose Cyber Vulnerabilities in US Truck ELDs
A study from Colorado State University reveals serious security flaws in Electronic Logging Devices (ELDs) used by US commercial truck fleets. Over 14 million trucks could be affected by these vulnerabilities, which could allow attackers to take control of vehicles and spread malware. ELDs are mandated for tracking driving hours and vehicle data but lack robust security controls, making them susceptible to Bluetooth or Wi-Fi attacks. Researchers demonstrated a worm that can jump from truck to truck over wireless connections, using default passwords and predictable SSIDs to spread. Such a cyberattack poses severe safety and operational risks to the US commercial transportation sector. The flaws have been disclosed to the manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA) for remediation. The researchers highlight the urgency for the transportation industry to improve cybersecurity, as current ELD systems expose vehicles to significant threats.

2024-03-21 22:22:39 theregister DDOS U.S. Agencies Issue Guidelines to Protect Against DDoS Attacks
The U.S. government has issued guidance to protect critical infrastructure from DDoS attacks. The alert follows warnings about destructive cyber activity from China and coincides with a new cybersecurity task force for the water sector. Agencies including CISA, the FBI, and MS-ISAC recommend that organizations follow the report's recommendations to defend against these threats. The guide clarifies the difference between DoS and DDoS attacks and outlines three main attack categories: volume-based, protocol-based, and application-layer attacks. A set of 15 best practices is provided, including risk assessments, network monitoring, regular traffic analysis, and implementing CAPTCHAs. Implementing DDoS mitigation strategies, keeping software updated, and conducting regular employee training are also advised. The guide stresses the importance of incident response plans, data backups, and network redundancy to protect service availability during an attack.

2024-03-21 21:26:29 theregister NATION STATE ACTIVITY Microsoft Bing Criticized for Alleged Censorship Compliance in China
Bipartisan US criticism targets Microsoft for allegedly censoring Bing search results in China on topics such as human rights and democracy. Republican Senator Marco Rubio and Democratic Senator Mark Warner have condemned Microsoft's actions, advocating for Bing's withdrawal from China. A Bloomberg report suggests that Bing removes search content to comply with Chinese government censorship policies. Google and Yahoo have withdrawn their search engines from China, while other Western services are blocked. Microsoft argues Bing is the least censored search option in China, providing important information despite its legal content removal obligations. The company contends that leaving the Chinese market would deprive users of access to information through Bing, countering the criticism of its compliance. Previous incidents show that Bing has a history of censoring content and returning pro-state results in deference to China's censorship practices.

2024-03-21 20:35:23 theregister NATION STATE ACTIVITY Unanimous Vote to Ban Sale of US Data to Foreign Adversaries
The US House of Representatives has passed the Protecting Americans' Data from Foreign Adversaries Act of 2024 with unanimous support, prohibiting the sale of Americans' data to certain foreign entities. The bill targets data brokers and restricts them from selling personal information to adversarial nations such as North Korea, Russia, China, and Iran. Comprehensive categories of data are covered, including government IDs, financials, biometrics, and private communications. The bill grants enforcement authority to the Federal Trade Commission and aligns with President Biden's previous executive order, though it does not cover all countries listed in the EO. No public instances of data brokers selling to the named adversaries have been reported, but a classified ODNI report indicates that PII is at risk of being exploited by foreign intelligence. A Duke University report highlights the availability of sensitive data belonging to US military personnel, adding to the justification for the bill. For the bill to become law it must next be introduced and passed in the Senate; no date has been set for a Senate hearing.

2024-03-21 19:08:50 bleepingcomputer MALWARE KDE Warns Users About Malicious Themes Wiping Linux Files
KDE has alerted Linux users to the risk that global themes can execute arbitrary code and advised extreme caution when installing them. Themes and plugins on the KDE Store undergo no pre-upload review, so malicious content can be submitted. A user's experience shared on Reddit highlights the danger: a global theme executed 'rm -rf', wiping all of their personal files. While the harmful theme has been removed, KDE acknowledged that other unvetted themes in its repository pose the same risk. KDE plans to start vetting the content of its store and improving warnings to users, while also urging the community to report any suspicious software. The KDE team emphasized the importance of user diligence, recommending that users review content and look for trusted sources before installation. In the interim, KDE will continue to caution users about potentially unstable or non-functional content from its store.

2024-03-21 18:17:42 bleepingcomputer CYBERCRIME Research Team Uncovers Major Security Flaws in Hotel Door Locks
A group of researchers revealed critical vulnerabilities in Saflok electronic RFID hotel door locks, potentially affecting millions of doors globally. The flaws, collectively termed "Unsaflok," enable the creation of master keycards capable of unlocking any door in an affected hotel. Discovered during a private hacking event, these vulnerabilities have existed for over 36 years, with no confirmed real-world exploitation reported so far. Dormakaba, the manufacturer of Saflok locks, was informed in November 2022 and is working on mitigations, including replacing or upgrading the affected locks. As of March 2024 the process is ongoing, and approximately 64% of doors fitted with Saflok locks remain vulnerable. Forged keycards exploiting these flaws can also bypass additional security measures such as deadbolts. The researchers plan to withhold full technical details until the majority of affected properties have completed their security upgrades.

2024-03-21 16:05:20 thehackernews NATION STATE ACTIVITY Russian Turla Hackers Breach European NGO, Deploy Backdoor
The Russia-linked Turla group compromised systems at a European NGO to implant the TinyTurla-NG backdoor. The initial breach and the establishment of persistence were observed, with antivirus exclusions set to help evade detection. Turla has used the Chisel tool for data exfiltration and lateral movement within the compromised network since October 2023. The attack appears highly targeted, primarily affecting Polish organizations supporting Ukrainian efforts against the Russian invasion. The attackers configured Microsoft Defender to exclude their tools, then established persistence by mimicking a "System Device Manager" service. TinyTurla-NG enables ongoing reconnaissance, file exfiltration, and the deployment of a modified Chisel tunneling tool for C2 communication. The same methodology was repeated on each newly accessed system: setting exclusions, dropping the malware, and ensuring persistence. The incident exemplifies sophisticated nation-state cyber espionage focused on entities supporting geopolitical adversaries.

2024-03-21 15:59:59 bleepingcomputer MALWARE Thousands of WordPress Sites Compromised by Stealthy Sign1 Malware
Over 39,000 WordPress websites have been infected within six months by a malware campaign named Sign1. Sign1 injects malware into custom HTML widgets and legitimate WordPress plugins, avoiding direct modification of WordPress core files. The security firm Sucuri identified the campaign after detecting popup ads shown to visitors of a client's site that had been compromised via a brute-force attack. Attackers use time-based URL randomization and recently registered domains to evade detection and domain blacklists, showing increased sophistication. The malware stays dormant unless a visitor arrives from a major site such as Google or Facebook, and uses cookies to avoid showing repeat popup ads, reducing the chance of detection. The Sign1 campaign has evolved, with current tactics including XOR encoding and random variable names to further elude security tools. Sucuri advises strong password policies, regular updates of WordPress plugins, and removal of unnecessary add-ons to mitigate the risk of such attacks.

2024-03-21 15:34:21 theregister CYBERCRIME Luxury Yacht Dealer MarineMax Hit by Rhysida Ransomware
US luxury yacht dealer MarineMax was targeted by the Rhysida ransomware group, with the cyberattack disclosed to the SEC on March 10. Despite MarineMax claiming that sensitive data was not compromised, Rhysida is auctioning stolen data with a starting price of 15 Bitcoin (about $1.007 million). Most of the leaked documents appear to relate to accounts and finances, posing potential risks to high-profile clients if the data is misused. MarineMax's business operations continued largely unaffected, but the breach could have significant ramifications for the company and its clients. The Rhysida ransomware group uses an auction as a secondary monetization strategy when victims refuse to pay the ransom. CISA has previously reported on similarities between the Rhysida and Vice Society ransomware gangs, warning organizations about the common vulnerabilities these groups exploit.

2024-03-21 15:18:45 bleepingcomputer CYBERCRIME Critical Fortinet RCE Vulnerability Actively Exploited; Patch Urged
A proof-of-concept (PoC) exploit has been released for CVE-2023-48788, a critical SQL injection vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS). The bug enables unauthenticated remote code execution with SYSTEM privileges and is being actively exploited in attacks. Affected versions are FortiClient EMS 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). The vulnerability allows attackers to execute unauthorized code or commands via crafted requests without user interaction. Fortinet has updated its security advisory, initially released last week, to confirm that CVE-2023-48788 is exploited in the wild. Security researchers from Horizon3 have published a PoC that verifies whether a system is vulnerable but requires modification to achieve RCE. According to Shodan and Shadowserver, over 300 EMS servers, mostly in the United States, are currently exposed online. Fortinet products are commonly targeted in ransomware attacks and cyber espionage; critical vulnerabilities such as CVE-2024-21762 in FortiOS and FortiProxy have previously been exploited.

2024-03-21 14:27:33 thehackernews CYBERCRIME Over 800 npm Packages Susceptible to 'Manifest Confusion' Exploitation
Over 800 npm packages were found to have discrepancies that threat actors could exploit through a technique dubbed 'manifest confusion'. Research by security firm JFrog highlighted the risk to the software supply chain posed by the npm registry's lack of validation between package manifests and registry data. Manifest confusion allows malicious hidden dependencies to be stealthily installed during package setup, posing a significant threat to developers. Although not all discrepancies are malicious, JFrog identified 18 packages specifically designed to exploit manifest confusion, including one that leaks the IP address of the installing machine. To date, no evidence suggests that this attack vector has been actively exploited, but the risk remains because the underlying issues in npm are unresolved. Developers and organizations are urged to establish verification procedures to ensure the security and trustworthiness of the packages they use, especially to detect hidden dependencies. JFrog's findings indicate the need for more rigorous checks to prevent such vulnerabilities in package management systems.

2024-03-21 14:06:54 bleepingcomputer MALWARE Defending Against the Surge of Ransomware Attacks: Strategies and Measures
Ransomware continues to pose significant threats to organizations across sectors, as shown by the recent attack on Change Healthcare, which affected nearly 70,000 pharmacies. Veolia North America suffered a ransomware attack that disrupted its back-end applications, highlighting that critical infrastructure is also a target. VF Corporation suffered a ransomware attack resulting in the theft of 35 million customers' data and disruption of customer services. To counter ransomware risks, organizations are advised to implement robust email and endpoint security, properly encrypt sensitive data, and pursue sound backup strategies. Patch management is crucial, given that exploiting vulnerabilities in public-facing applications is a common initial access tactic for ransomware. Automating security tasks can greatly strengthen protection against ransomware, enabling rapid responses and consistent execution of security procedures without manual effort.

2024-03-21 12:50:17 thehackernews MALWARE AndroxGh0st Malware Compromise Highlights Cloud Credential Theft
AndroxGh0st is a tool that targets Laravel applications to extract sensitive data and compromise cloud credentials. The malware exploits vulnerabilities in Apache HTTP Server, the Laravel Framework, and PHPUnit for initial access, privilege escalation, and persistence. U.S. cybersecurity agencies have warned about botnet activity associated with AndroxGh0st, which also involves known vulnerabilities such as CVE-2021-41773 and CVE-2017-9841. Attackers use the malware to steal .env file contents, including AWS, SendGrid, and Twilio credentials, to deliver additional payloads and establish control. Juniper Threat Labs reports a rise in activity around CVE-2017-9841 and stresses the urgency of software updates. Most attacks observed against its honeypot infrastructure originated from several countries, including the U.S., the U.K., and China. The article also mentions other cyber threats, including the exploitation of WebLogic servers in South Korea and the infiltration of AWS instances by the Meson Network for bandwidth and storage resource exchanges. The cloud remains an attractive target for cybercriminals, underscoring the need for up-to-date software and vigilant monitoring for suspicious activity.

2024-03-21 11:44:00 theregister CYBERCRIME Leicester City Council Struggles with Suspected Ransomware Attack
Leicester City Council is currently managing a "cyber incident," with details suggesting a probable ransomware attack despite the council's non-disclosure. A criminal investigation is underway, and the council remains tight-lipped about whether resident data has been compromised. Security experts, including Kevin Beaumont, stress the need for transparency and better management of such incidents by the UK government. The estimated recovery time has been extended from a few days to at least two weeks, affecting various council services and direct debit collection. Essential services such as child protection, homelessness, and housing repairs maintain emergency contact lines during system recovery. The council assures residents that its website is secure and that emails from council sources, including any attachments, are safe to trust. Apologies have been issued to the public for disruptions and inconveniences caused by the cyber incident as efforts to restore normal operations continue.