Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12714
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-14 16:36:18 | bleepingcomputer | MALWARE | Ebury Malware Infects 400,000 Linux Servers Over 14 Years | The Ebury botnet has compromised around 400,000 Linux servers since 2009, with approximately 100,000 still affected as of late 2023. ESET researchers have tracked this financially motivated malware for over a decade, noting significant capability enhancements in 2014 and 2017. Recent attacks involve breaching hosting providers and executing supply chain attacks, often via credential stuffing using stolen credentials. The malware steals SSH keys and other credentials, intercepts SSH traffic, and has also targeted cryptocurrency wallets on the compromised servers. Ebury uses various monetization strategies including credit card theft, traffic redirection for ad revenue, spam distribution, and selling stolen credentials. In 2023, ESET observed new obfuscation methods and a domain generation algorithm that help Ebury evade detection. Collaborative efforts with law enforcement led to the seizure of a backup server used by the malware operators, aiding ongoing investigations. | Details |
| 2024-05-14 16:20:41 | theregister | CYBERCRIME | NCSC and Insurers Collaborate on Ransomware Prevention Guide | The UK's National Cyber Security Centre (NCSC) has partnered with leading insurance associations to issue new guidance on handling ransomware. Introduced at the CYBERUK conference, the guidance discourages knee-jerk ransom payments and aims to undermine cybercriminals' business models. The collaborative effort includes the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA), and the International Underwriting Association (IUA). Although not groundbreaking for cybersecurity professionals, the guide is seen as valuable for organizations lacking detailed cybersecurity knowledge. The guidance emphasizes consulting experts, involving the appropriate members of the organization, and investigating the root cause without panicking. Ransomware victims are reminded that paying the ransom does not guarantee the deletion of stolen data and may invite further attacks. NCSC CEO Felicity Oswald stressed the dangers of paying ransoms, noting that it encourages criminals and does not resolve the underlying issues. The guide also acts as an interim measure while the UK government considers more permanent legal measures against ransom payments. | Details |
| 2024-05-14 15:59:52 | bleepingcomputer | MALWARE | Apple Patches Zero-Day Safari Flaw Exploited in Hacking Contest | Apple has issued security updates for a zero-day vulnerability in Safari that was exposed during the Pwn2Own Vancouver hacking competition. The vulnerability, identified as CVE-2024-27834, affected systems running macOS Monterey and macOS Ventura and was patched with improved checks. The flaw was part of an exploit chain used by security researcher Manfred Paul to achieve remote code execution, earning him $60,000. Pointer Authentication Codes (PACs), which prevent unauthorized modification of pointers in memory, are integral to the security mechanism that was bypassed. It remains unclear whether the CVE-2024-27834 fix has been applied to other Apple platforms such as iOS, iPadOS, macOS Sonoma, and visionOS. Users can update Safari independently of macOS updates through the Software Update section in System Settings. Other technology vendors, including Google and Mozilla, also quickly addressed zero-day vulnerabilities disclosed at the same Pwn2Own event. | Details |
| 2024-05-14 15:54:36 | thehackernews | MALWARE | VMware Addresses Critical Security Flaws in Latest Patch | VMware has released patches for severe vulnerabilities in its Workstation and Fusion products. The vulnerabilities could allow unauthorized access to sensitive data, cause denial of service, and enable code execution. Affected versions include Workstation 17.x and Fusion 13.x; fixes are available in versions 17.5.2 and 13.5.2 respectively. Users are advised to disable Bluetooth support and 3D acceleration as temporary measures until the patches can be applied. No mitigation is available for CVE-2024-22270 other than updating to the latest software version. The vulnerabilities were demonstrated during the Pwn2Own hacking contest by research teams from STAR Labs SG and Theori. This patch follows a previous update that fixed other critical vulnerabilities affecting VMware products, underscoring the ongoing security risks. | Details |
| 2024-05-14 15:23:49 | bleepingcomputer | CYBERCRIME | Apple Updates Older Devices to Address Zero-Day Exploits | Apple has extended critical security updates originally released in March to older iPhone and iPad models, addressing a zero-day vulnerability. The vulnerability, identified as CVE-2024-23296, affects the RTKit real-time operating system and potentially allows attackers with kernel access to bypass memory protections. Devices receiving these patches include the iPhone 8, iPhone X, and various older iPad models. While Apple confirmed that the zero-day was exploited, details on the attackers and the nature of the attacks remain unreported. The patches were initially applied to newer Apple devices in March, and the extension to older models underlines the severity and wide applicability of the vulnerability. Alongside the usual device updates, Apple has introduced features to warn users about unwanted tracking through Bluetooth devices such as AirTags. Installing these updates is crucial for affected users to guard against data breaches and system compromise enabled by this vulnerability. | Details |
| 2024-05-14 15:07:53 | bleepingcomputer | MISCELLANEOUS | Apple and Google Update iOS and Android with Tracker Alerts | Apple and Google have introduced a new privacy feature across iOS and Android that alerts users to unrecognized Bluetooth tracking devices moving with them. The feature, part of iOS 17.5 and available on Android 6.0+ devices, aims to improve security and privacy by notifying users of potential unwanted tracking. Alerts such as "[Item] Found Moving With You" on iOS and "Tracker traveling with you" on Android are triggered when an unknown Bluetooth device is detected. Users can interact with the alert to see the tracker's identifier and, where supported, make the tracker emit a sound for easier location. The update includes guidance on how to deactivate the unknown tracking device. Accessories such as Apple's AirTag and compatible third-party products adhere to this new security standard, but older trackers without this capability can still operate undetected. The update seeks to curb the misuse of Bluetooth tracking devices, which have been exploited for surreptitious surveillance despite their intended use for locating personal items. | Details |
| 2024-05-14 14:52:10 | bleepingcomputer | CYBERCRIME | VMware Patches Zero-Day Exploits Uncovered in Pwn2Own 2024 | VMware resolved four security vulnerabilities, including three zero-days exploited at Pwn2Own Vancouver 2024. The most critical flaw, CVE-2024-22267, is a use-after-free bug allowing code execution on the host from a compromised VM. A temporary workaround involves disabling Bluetooth in the VM settings to mitigate one of the vulnerabilities. Additional information disclosure vulnerabilities (CVE-2024-22269 and CVE-2024-22270) were also reported. CVE-2024-22268 is a heap buffer overflow that can cause a denial of service if 3D graphics are enabled. Security researchers at Pwn2Own disclosed 29 zero-days and earned significant rewards, highlighting critical software vulnerabilities. Following the competition, Google and Mozilla also quickly issued fixes for their affected products. VMware, along with other vendors, typically has 90 days to release patches after such disclosures by the Zero Day Initiative. | Details |
| 2024-05-14 14:31:36 | theregister | MISCELLANEOUS | Telegram CEO Alleges Signal's Links to US Intelligence | Telegram CEO Pavel Durov criticized Signal, claiming it has ties to US intelligence and questioning the security of its encryption. Durov's comments followed a City Journal report about Signal's origins, funded by the US government's Open Technology Fund. The Signal Foundation's current chair, Katherine Maher, has a background with several US-backed entities and governmental roles. Durov suggests that big tech's encryption protocols, including those used by WhatsApp and Facebook Messenger, may be influenced by the US government. He also noted instances of Signal messages appearing in court cases, implying they could be due to compromised encryption, though no specific evidence of this was provided. Durov criticized both WhatsApp and Signal for not allowing full transparency of their source code and reproducible builds of their apps, particularly on iOS. The timing of Durov's remarks coincides with potential financial incentives as Telegram considers going public. | Details |
| 2024-05-14 13:55:43 | thehackernews | MALWARE | Google Issues Emergency Patch for New Chrome Zero-Day Exploit | Google has released emergency updates to counter a newly discovered zero-day flaw in Chrome, tracked as CVE-2024-4761, which is currently being exploited. The vulnerability is an out-of-bounds write in the V8 JavaScript and WebAssembly engine, reported anonymously on May 9, 2024. This type of vulnerability can be exploited to corrupt data, crash the browser, or execute unauthorized code on affected devices. Google has confirmed in-the-wild exploitation of this flaw, although specific details of the attacks remain undisclosed to avoid further misuse. The flaw was addressed shortly after the fix for another exploited vulnerability (CVE-2024-4671) in the Chrome Visuals component. Since the beginning of the year, Google has remedied six zero-days, three of which were demonstrated at the Pwn2Own event in March 2024. Chrome updates are now available as versions 124.0.6367.207/.208 for Windows and macOS and version 124.0.6367.207 for Linux. Users of other Chromium-based browsers, such as Microsoft Edge and Brave, are advised to update their software as patches become available. | Details |
| 2024-05-14 13:35:09 | theregister | MISCELLANEOUS | Google and Apple Enhance Security Against Stalker Use of Bluetooth Trackers | Google and Apple have introduced features to alert users if a Bluetooth tracking tag, such as an AirTag, is being used to stalk them; the feature is compatible with Android 6.0+ and iOS 17.5. The anti-stalking alert system is part of a broader industry-wide specification for Bluetooth tracking devices, intended to deal with the increased misuse of these gadgets for stalking and harassment. The new feature enables devices to raise an alert called 'Tracker traveling with you' when a foreign Bluetooth device is detected moving consistently with the user. Both platforms will assist users in locating and potentially disabling these clandestine trackers by prompting the devices to emit a sound. Major Bluetooth tracker manufacturers including Samsung and Tile have endorsed the specification, ensuring future products will incorporate the anti-stalking alert. The Mozilla Foundation and the EFF praise the update but caution about potential privacy issues created by the new tracking standards, and propose cryptographic solutions to preserve user privacy. Critics argue that the response to stalking threats appears reactive, emphasizing the need for proactive approaches in technology design to safeguard the vulnerable. | Details |
| 2024-05-14 11:22:29 | thehackernews | MALWARE | Cacti Network Monitoring Vulnerabilities Risk Malicious Code Execution | Cacti has patched 12 security issues, including two critical vulnerabilities allowing arbitrary code execution. The flaws primarily affect all Cacti versions up to and including 1.2.26 and are resolved in the recently released version 1.2.27. The two most severe vulnerabilities involve SQL injection and file inclusion. Previously identified critical vulnerabilities in Cacti have been actively exploited, enabling attackers to use Cacti servers to distribute botnet malware. Users are urged to upgrade to the latest version to prevent exploitation, particularly because proof-of-concept exploits are publicly available. The ongoing vulnerability management underscores the importance of regular updates and monitoring in safeguarding network infrastructure from emerging threats. | Details |
| 2024-05-14 10:56:52 | thehackernews | MISCELLANEOUS | Key Pitfalls in Deploying Advanced Authentication Systems | Organizations often skip comprehensive risk assessments before implementing advanced authentication, leaving vulnerabilities unaddressed. Failure to integrate authentication systems properly with existing infrastructure, especially legacy systems, can lead to compatibility issues and security gaps. Reliance on single-factor authentication does not meet current security standards; multifactor authentication is necessary for adequate protection. Overlooking the user experience in authentication design can lead to frustration and poor compliance, jeopardizing the system's effectiveness. Regular monitoring of authentication activity and user behavior is crucial but often neglected, which hinders the detection of potential threats. User education programs on the importance and use of advanced authentication methods are often inadequate, increasing the risk of security breaches. Implementing role-based access control (RBAC), so that users access only the data and applications necessary for their roles, helps minimize insider threats. | Details |
| 2024-05-14 10:51:35 | thehackernews | CYBERCRIME | New Social Engineering Scam Targets Enterprises via Spam and Calls | Cybersecurity researchers have identified an ongoing social engineering scam aimed at enterprise environments. The attackers bombard potential victims with spam emails and follow up with phone calls, posing as the company's IT support. Affected users are tricked into installing remote desktop software, supposedly to resolve the email issues, granting the attackers remote access. Once in, the threat actors download additional malicious payloads, including scripts that establish connections to command-and-control servers. The campaign has involved tools such as AnyDesk, ConnectWise ScreenConnect, and NetSupport RAT, with overlaps noted with known ransomware groups such as Black Basta and FIN7. Although no ransomware deployment was observed in the studied incidents, the tactics align with those used in broader ransomware and malvertising campaigns. Related research also describes a new LockBit Black ransomware campaign that leverages the Phorpiex botnet to send high volumes of malicious emails. | Details |
| 2024-05-14 09:45:09 | theregister | MISCELLANEOUS | Empowering CISOs to Mitigate Cyber Risks Effectively | Chris Cheyne, SOC Director at SecurityHQ, draws parallels between medieval castle defenses and modern cybersecurity strategies. Cheyne emphasizes the importance of breaking cyber risks down into their components to identify weaknesses effectively. Many organizations fail to fully grasp the scope and potential impact of cybersecurity risks on their operations. A data-driven strategy for cybersecurity risk management is highlighted as crucial in today's fast-evolving threat environment. Cheyne advocates quantifying risks, understanding their actual impacts, and determining the specific adversary threats. He proposes using a "risk centre" as a central platform to manage and prioritize actions that mitigate cybersecurity risks. SecurityHQ offers round-the-clock managed services including defense, risk management, and security to address these needs. | Details |
| 2024-05-14 09:34:47 | theregister | CYBERCRIME | NHS Warns of Active Exploitation of Arcserve UDP Vulnerabilities | NHS Digital has issued a warning about active exploitation of vulnerabilities in Arcserve UDP software. Proof-of-concept (PoC) code for these vulnerabilities was released by Tenable a day after their initial disclosure in March. The vulnerabilities include a critical authentication bypass, a path traversal bug, and a denial of service issue, with CVSS scores up to 9.8. Arcserve UDP is widely used for data protection and disaster recovery, raising significant concerns about the impact of these vulnerabilities. Despite the urgency, specific details about the observed exploitation or the timing of the attacks remain undisclosed. NHS Digital has strongly recommended that organizations patch their systems as advised in Arcserve's published security advisory. The Centre for Cybersecurity Belgium has labeled the threats critical, urging immediate action to patch and to monitor systems for potential intrusions. There has been no response from Arcserve as to whether its customers have been notified about these exploitation attempts. | Details |