Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11783
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-27 20:27:42 | theregister | NATION STATE ACTIVITY | US Adds Sandvine to Export Blacklist for Snoop-Ware Sales to Egypt | The US Commerce Department has placed Sandvine, a Canadian network technology company, on the Entity List for exporting networking monitoring tech used for surveillance in Egypt.
Sandvine's gear was allegedly utilized for spying on political and human rights activists in Egypt.
Entities are added to the list for posing a threat to US national security or foreign-policy interests; China's Chengdu Beizhan Electronics was added in the same notice.
Sandvine's head office in Canada and its subsidiaries in several countries, including India, Japan, and the UAE, are covered by the export restrictions.
Sandvine has previously been accused of aiding authoritarian regimes in censorship and surveillance; a 2018 Citizen Lab report linked its PacketLogic devices to malware distribution in Turkey and Egypt.
The company vows to work with government officials to address the US Commerce Department's concerns and emphasizes its commitment to providing a safe internet. | Details |
| 2024-02-27 19:21:02 | bleepingcomputer | CYBERCRIME | LabHost Enables Widespread Phishing Attacks on Canadian Banks | LabHost, a Phishing-as-a-Service (PhaaS) platform, gives cybercriminals turnkey kits for targeting Canadian banking customers.
Activity linked to LabHost has surged since early 2023, driven by phishing kits purpose-built for Canadian banks.
Fortra cybersecurity analysts have observed that LabHost has become a leading tool for phishing attacks, surpassing the previously favored PhaaS platform, Frappo.
Following an outage in October 2023, LabHost has recovered, conducting several hundred phishing attacks monthly against a range of financial and online services.
LabHost offers three membership tiers, with services including bank-targeted phishing kits, a real-time phishing attack management tool named LabRat, and an SMS spamming tool called LabSend.
Such PhaaS platforms lower the entry threshold for aspiring cybercriminals and amplify the scale and impact of cybersecurity threats globally.
Researchers also highlight the emergence of other PhaaS platforms like 'Greatness' and 'Robin Banks,' which offer advanced features like multi-factor authentication bypass and customizable phishing kits. | Details |
| 2024-02-27 18:55:00 | bleepingcomputer | CYBERCRIME | Black Basta and Bl00dy Ransomware Gangs Exploit ScreenConnect Flaw | The Black Basta and Bl00dy ransomware groups are exploiting the critical authentication-bypass vulnerability in ScreenConnect servers (CVE-2024-1709).
The flaw allows attackers to create admin accounts, delete other users, and fully take over vulnerable instances.
Active exploitation began shortly after ConnectWise released patches and proof-of-concept exploits were made public.
CISA has ordered US federal agencies to secure their servers against CVE-2024-1709 by February 29.
Trend Micro reports the exploitation of the flaw for initial access, network backdooring, and deployment of Cobalt Strike beacons by Black Basta.
Bl00dy ransomware utilizes payloads from leaked Conti and LockBit Black builders.
Over 10,000 ScreenConnect servers are tracked online, with only a fraction running the updated, secure version.
Immediate patching is urged as the only effective mitigation against the ongoing attacks. | Details |
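An added example (not code from the article or from ConnectWise) of the first check a defender runs on the item above: triage an inventory of on-prem ScreenConnect servers by version. It assumes, since the brief does not say so, that the fix shipped in ScreenConnect 23.9.8, so anything below that is treated as vulnerable; the hostnames and version strings are constructed. The point it makes beyond the text is that version strings must be compared numerically, because as strings "23.9.10" sorts below "23.9.8".

```python
"""Added example: triage an inventory of on-prem ScreenConnect servers against the
CVE-2024-1709 fix. Assumption (not stated in the brief): the fix shipped in
ScreenConnect 23.9.8, so on-prem builds below 23.9.8 are treated as vulnerable.
"""
import re

FIXED_VERSION = (23, 9, 8)  # assumed first fixed release


def parse_version(version: str) -> tuple[int, ...]:
    """Extract the dotted version from strings like '23.9.7.8814' or 'ScreenConnect/23.9.8'."""
    match = re.search(r"\d+(?:\.\d+)+", version)
    if not match:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """Compare numerically: '23.9.10' is newer than '23.9.8' even though it sorts lower as a string."""
    return parse_version(version)[:3] < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into those that need patching now and those already on a fixed build."""
    result: dict[str, list[str]] = {"patch_now": [], "patched": []}
    for host, version in inventory.items():
        bucket = "patch_now" if is_vulnerable(version) else "patched"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hostnames and build numbers are made up for this example.
SAMPLE_INVENTORY = {
    "sc-legacy.example.internal": "23.9.7.8814",
    "sc-main.example.internal": "ScreenConnect/23.9.8.8811",
    "sc-new.example.internal": "23.9.10.8817",
    "sc-old.example.internal": "22.6.2",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

A version check only tells you who still needs the patch; because exploitation started as soon as proof-of-concept code was public, hosts in the `patch_now` bucket that were exposed to the internet also need a compromise assessment (new admin accounts, deleted users) rather than just an upgrade.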
| 2024-02-27 18:49:41 | theregister | MISCELLANEOUS | NIST Releases Enhanced Cybersecurity Framework Version 2.0 | NIST has updated its Cybersecurity Framework to version 2.0, adapting to a decade’s worth of evolving security challenges.
The CSF 2.0 expands its applicability to organizations of all sectors and sizes, aiming to assist with varying levels of cybersecurity sophistication.
The framework now integrates more comprehensive resources that can be customized for an organization’s changing cybersecurity needs.
Key inclusions in the new version are quick-start guides, implementation examples, a mapping catalog for self-assessment, and reference tools.
Version 2.0 of the CSF was developed in alignment with President Biden's 2023 National Cybersecurity Strategy.
A significant update in CSF 2.0 is the addition of a sixth core function, 'govern', focusing on integrating cybersecurity into the broader enterprise risk management strategy.
NIST emphasizes that the updated framework is a living document, inviting feedback from the security community to further enhance its utility and effectiveness. | Details |
| 2024-02-27 17:27:54 | bleepingcomputer | NATION STATE ACTIVITY | Russian Military Hackers Commandeer Routers for Covert Operations | Russian military hackers from Military Unit 26165, known as APT28 or Fancy Bear, have compromised Ubiquiti EdgeRouters for espionage activities.
The FBI, NSA, U.S. Cyber Command, and international partners issued an advisory about these cyberattacks targeting global militaries, governments, and organizations.
The hijacked routers are being used to build botnets for credential theft, collecting NTLMv2 digests, and rerouting malicious traffic through victim networks.
EdgeRouters are attractive targets because they ship with default credentials, do not update their firmware automatically, and offer limited firewall protection.
Previous botnets, such as the one infected with Moobot malware, have been repurposed by APT28 for their extensive cyber espionage operations.
The FBI discovered APT28's use of custom tools, phishing techniques, and Python scripts specifically tailored for credential harvesting on hacked routers.
Remediation guidance for compromised routers covers removing the infection (factory reset and firmware update), blocking unauthorized access (changing default credentials and restricting management access), and reporting suspicious activity to authorities.
The advisory emphasizes historical patterns of Russian state-sponsored hackers targeting internet routing equipment for espionage and laying groundwork for further cyberattacks. | Details |
| 2024-02-27 17:07:18 | bleepingcomputer | RANSOMWARE | German Consumer Advice Center Hit by Ransomware Attack | The Hessen Consumer Center in Germany experienced a ransomware attack affecting its IT systems and consumer service availability.
Telephone and email communications were significantly disrupted, temporarily making consumer advisers unreachable.
The center, providing essential consumer law and advice services, is not part of the government but serves over six million residents.
External IT security experts are assisting in restoring all communication channels, although a timeline for full recovery remains unclear.
There is concern about a potential data breach, as ransomware attacks often involve data theft; the center is investigating and will notify affected individuals if necessary.
A criminal complaint has been filed with the Hessen police and the state's data protection and IT security offices have been notified.
At the time of reporting, no known major ransomware groups have claimed responsibility for the attack. | Details |
| 2024-02-27 16:31:31 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts Hessen Consumer Advice Center's IT Systems | The consumer advice center of the German state of Hessen has been hit by ransomware (the same incident as the item above), forcing it to shut down IT systems and disrupting its services.
Hessen, which includes the financial hub of Frankfurt, has a large population that relies on the center's services.
Initial effects included problems with telephone and email communications, although the center's website remains fully functional.
Restoration efforts are being assisted by external IT security experts, but there is currently no timeline for when normal operations will resume.
The primary concern is a data breach, as ransomware attackers typically steal data before encrypting systems and use it for extortion.
While it is currently unclear whether data was stolen, the center has committed to informing citizens if compromises of personal data are confirmed.
The center describes its server-side data storage as cautious but has not disclosed what types of data it holds.
The center has reported the incident to the state's data protection and IT security offices and filed a criminal complaint with the police. No ransomware group has claimed responsibility for the attack yet. | Details |
| 2024-02-27 14:49:32 | thehackernews | MALWARE | Critical Vulnerability Detected in Popular WordPress LiteSpeed Plugin | A severe security flaw in the LiteSpeed Cache plugin for WordPress, installed on over 5 million sites, is an unauthenticated stored cross-site scripting bug that can lead to privilege escalation.
The vulnerability, identified as CVE-2023-40000, was fixed in LiteSpeed Cache version 5.7.0.1, released in October 2023.
Unauthenticated attackers can use the flaw to mount site-wide cross-site scripting (XSS) attacks and steal sensitive data or escalate privileges.
LiteSpeed Cache aids in site performance enhancement and its latest version, 6.1, was published on February 5, 2024.
The issue arises due to inadequate sanitization of user inputs and insufficient output escaping, specifically within the update_cdn_status() function.
An additional XSS vulnerability (CVE-2023-4372) was discovered previously in the LiteSpeed Cache plugin and rectified in the 5.7 version. | Details |
| 2024-02-27 14:29:00 | bleepingcomputer | CYBERCRIME | Tornado Cash Mixer Compromised by Malicious Governance Proposal | Malicious JavaScript code was found in a Tornado Cash governance proposal, causing a leak of user transaction data.
The leak affects all transactions made through the compromised IPFS deployments since January 1, jeopardizing users' privacy and security.
A security researcher discovered the compromise, which involved code sending private deposit notes to an attacker's server.
Tornado Cash is an Ethereum-based service providing transaction anonymity, previously sanctioned due to its use in money laundering.
The malicious code was introduced through a deceptive proposal by a purported community developer and evaded review because its behaviour was obfuscated.
Tornado Cash developers have acknowledged the issue and urged users to withdraw and regenerate their deposit notes to avoid exposure.
Token holders with voting rights are being encouraged to cancel their support for the harmful proposal to undo the implemented protocol changes. | Details |
| 2024-02-27 14:23:36 | bleepingcomputer | CYBERCRIME | Malicious Code in Tornado Cash Exposes User Transactions | Tornado Cash, an Ethereum blockchain mixer, had malicious code injected through a governance proposal that leaked user transaction data.
The code has been active since January 1, compromising privacy and security for users on several IPFS deployments.
The vulnerability was discovered by a security researcher known as Gas404, who alerted the community to veto the corrupted governance proposal.
Tornado Cash is known for its privacy features built on zk-SNARKs but has faced scrutiny for its use in money laundering.
The platform's developers have recognized the breach and recommended users withdraw and regenerate their transaction notes.
Proposal 47, which introduced the harmful code, is under scrutiny, and token holders are advised to revoke their votes to mitigate the security breach.
Users are advised to switch to a specific IPFS deployment, identified by its content hash, that is considered safe after validation by Tornado Cash governance. | Details |
| 2024-02-27 13:01:58 | thehackernews | MALWARE | Open-Source Xeno RAT: New Remote Access Trojan Threat on GitHub | A new remote access trojan (RAT) named Xeno RAT has been published on GitHub as freely available open-source code, putting a capable RAT in anyone's hands.
Xeno RAT targets Windows 10 and 11 and includes advanced features such as a SOCKS5 reverse proxy, real-time audio recording, and a hidden VNC (hVNC) module for covert remote control.
The RAT is developed by a user known as moom825, who has also developed DiscordRAT 2.0, previously spread through a malicious npm package.
Cyfirma has reported that Xeno RAT is being disseminated via Discord's content delivery network with a multi-stage payload delivery method.
The dissemination strategy involves a shortcut file disguised as a WhatsApp screenshot that downloads and executes a malicious payload from Discord's CDN.
Xeno RAT uses techniques to evade detection and analysis, including DLL side-loading and establishing system persistence.
The report coincides with AhnLab Security Intelligence Center's discovery of Nood RAT, a Gh0st RAT variant targeting Linux systems, once again indicating the prevalent risk of RATs in the cybersecurity landscape. | Details |
| 2024-02-27 10:49:20 | thehackernews | CYBERCRIME | Empowering SOCs: ANY.RUN's Threat Intelligence Platform | Security Operations Centers (SOCs) contend with an overwhelming number of alerts, often leading to uninvestigated events due to the sheer volume and time required to sift through them.
The manual process of investigating alerts from disjointed sources contributes significantly to delays, creating challenges in distinguishing true threats from false alarms.
ANY.RUN's Threat Intelligence Lookup (TI Lookup) provides a centralized platform that aggregates Indicators of Compromise (IOCs) from their sandbox sessions, enhancing visibility into threats for quicker analysis.
Users can search across various data points, including URLs, file hashes, IP addresses, and more, for comprehensive investigations.
TI platforms facilitate rapid threat intelligence gathering, thus aiding in swift incident response and decision-making during security events.
Active threat hunting capabilities using known IOCs can help unearth risks earlier, potentially preventing larger-scale breaches.
Detailed insights into the nature and behavior of malware threats allow security teams to make informed decisions about containment, remediation, and future defenses, strengthening the organization's overall security posture. | Details |
| 2024-02-27 10:43:59 | thehackernews | NATION STATE ACTIVITY | Five Eyes Reveal Russian APT29's Advanced Cloud Hacking Strategies | The Five Eyes intelligence alliance has issued a joint advisory about APT29, a Russian state-sponsored cyber threat actor.
APT29, also known as The Dukes or Cozy Bear, is linked with the Russian Foreign Intelligence Service and is known for sophisticated cyber espionage.
The group has recently targeted Microsoft, Hewlett Packard Enterprise (HPE), and other organizations, adapting its tradecraft as targets move to cloud infrastructure.
The advisory underscores the need for robust defenses against APT29's methods of gaining initial access to cloud systems.
Upon breaching a network, APT29 deploys advanced techniques like MagicWeb for maintaining access and control.
The bulletin emphasizes the importance of vigilance as organizations modernize and transition to cloud-based systems, which APT29 is exploiting. | Details |
| 2024-02-27 10:28:26 | thehackernews | CYBERCRIME | Hugging Face Vulnerability Enables Potentially Wide Supply Chain Attacks | A critical security flaw in Hugging Face's Safetensors conversion service allows for potential supply chain attacks.
Compromise of the service can enable attackers to send malicious pull requests and hijack AI models hosted on the platform.
Attackers might masquerade as the official conversion bot, creating opportunities to tamper with trusted machine learning models.
The service's vulnerability allows for the execution of arbitrary code when users attempt to convert models, posing significant risks to their projects.
Private repository conversions could lead to token theft and internal data poisoning, amplifying the threat's impact.
Public repository conversions are equally at risk, with the potential to alter widely used models and pose a considerable supply chain threat.
The disclosure follows a report on a flaw that leaks data from GPU memory on several GPGPUs, highlighting ongoing security challenges in ML systems. | Details |
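An added example (not code from the article, HiddenLayer, or Hugging Face) of why "converting a model" can mean "running the uploader's code", and of two checks a conversion service could apply. It assumes, since the brief only says arbitrary code executes, that the uploaded models are pickle-based checkpoints, so loading them means unpickling, and a pickle can name any importable callable to run during load. The checkpoint bytes, the `attacker_callback` stand-in and the allow-list are constructed for the demonstration.

```python
"""Added example: why a model-conversion step can execute attacker code, and two
checks a converter could apply. Assumption (not stated in the brief): the
models being converted are pickle-based checkpoints, so loading them means
unpickling, and unpickling runs whatever callables the file names.
"""
import io
import pickle
import pickletools

EXECUTED: list[str] = []  # records that attacker code ran (stand-in for a real side effect)


def attacker_callback(marker: str) -> dict:
    """Stand-in for os.system('curl ... | sh'): records that it ran, then returns
    something that looks like an innocent weights dict so the caller suspects nothing."""
    EXECUTED.append(marker)
    return {"weights": [0.1, 0.2]}


class MaliciousCheckpoint:
    """Serializes as 'call attacker_callback("payload-ran")' rather than as data."""

    def __reduce__(self):
        return (attacker_callback, ("payload-ran",))


def build_malicious_checkpoint() -> bytes:
    """Constructed sample: the checkpoint file as an attacker would upload it."""
    return pickle.dumps(MaliciousCheckpoint())


def naive_convert(blob: bytes):
    """What a converter that simply unpickles the upload (torch.load-style) does."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals; anything else aborts the load
    before the REDUCE opcode can call it."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from checkpoint")


def restricted_convert(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def list_globals(blob: bytes) -> list[tuple[str, str]]:
    """Static triage without executing anything: walk the opcode stream and report
    every global the pickle would import (GLOBAL in old protocols; STACK_GLOBAL in
    protocol 4+, where the two preceding string pushes are module and name)."""
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
    return found


def run_demo() -> dict:
    """Run the naive and restricted loaders against the same file and report what happened."""
    blob = build_malicious_checkpoint()
    EXECUTED.clear()
    naive_result = naive_convert(blob)
    naive_ran = list(EXECUTED)
    EXECUTED.clear()
    try:
        restricted_convert(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {
        "naive_result": naive_result,
        "naive_ran_payload": naive_ran,
        "restricted_blocked": blocked,
        "restricted_ran_payload": list(EXECUTED),
        "globals": list_globals(blob),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The naive loader returns a plausible weights dict and the payload has already run; the allow-list loader refuses the file before anything executes, and the opcode walk flags the suspicious import without loading at all. The allow-list is a fallback for code that must accept pickle input; the durable fix is what the conversion service exists for, moving weights to a format such as safetensors that carries no executable content, while treating the converter itself as untrusted-input-handling code that runs with no credentials worth stealing.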
| 2024-02-27 09:32:21 | theregister | CYBERCRIME | Ransomware Attacks Predominantly Target Manufacturing Sector in 2023 | In 2023, 70% of ransomware infections within industrial organizations struck the manufacturing industry, according to a report by Dragos.
Manufacturing is a more attractive target due to earlier adoption of digital transformation, leading to a higher number of insecure, connected systems.
Dragos' findings indicate that manufacturing is particularly challenged in network segmentation, increasing the risk of intruders moving across systems.
Attackers target operational technology (OT) because it impacts the revenue-generating processes of companies, prompting faster and higher ransom payments.
The ransomware incident at PSI Software disrupted the company's IT systems and highlighted supply-chain vulnerabilities within the manufacturing sector.
Attacks often start in traditional IT environments before moving to OT, as in a recent intrusion by the threat group Dragos tracks as LAURIONITE, which exploited Oracle iSupplier vulnerabilities.
Although the focus has been on manufacturing, the report suggests that other critical infrastructure sectors might follow the same trend. | Details |