Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11773
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-15 05:22:50 | thehackernews | CYBERCRIME | Microsoft Warns of Actively Exploited Critical Exchange Flaw | Microsoft has confirmed that a newly identified critical security flaw in Exchange Server, tracked as CVE-2024-21410, is being actively exploited. CVE-2024-21410 is a privilege escalation issue with a CVSS score of 9.8 that lets attackers use leaked NTLM credentials to gain privileges on the Exchange Server. Exploitation allows attackers to authenticate as a user on the Exchange Server by relaying that user's leaked Net-NTLMv2 hash. Microsoft has released Exchange Server 2019 Cumulative Update 14 (CU14), which enables Extended Protection for Authentication (EPA) by default to address the vulnerability. Specifics about the nature of the exploitation and the identity of the attackers remain undisclosed, although similar tactics have been used by Russian state-affiliated groups such as APT28. Apart from CVE-2024-21410, Microsoft addressed other actively exploited vulnerabilities in its Patch Tuesday update, including CVE-2024-21351 and CVE-2024-21412, the latter exploited by the Water Hydra APT group. CVE-2024-21413, a critical flaw in Outlook that allows remote code execution and can bypass security measures such as Protected View by exploiting incorrect parsing of hyperlinks, is also patched. | Details |
| 2024-02-15 04:36:55 | theregister | CYBERCRIME | North Korea Sells Malware-Infested Gambling Sites to Fund Regime | North Korea is allegedly operating a revenue-generating scheme that involves selling gambling websites pre-loaded with malware. The operation is linked to the North Korean IT organization Gyeongheung, associated with the secretive "Office 39" of the ruling Workers' Party of Korea. South Korean cybercriminal groups have reportedly purchased these websites, which cost around $5,000 monthly, with an additional $3,000 for technical support. The malicious code embedded in the websites' automatic betting features is designed to steal personal information from gamblers for subsequent sale. The operation was profitable, potentially earning billions for its operators, and also offered tech support and bonuses for collecting the banking details of Chinese nationals. To avoid UN sanctions, the North Korean IT workers posed as Chinese, using forged IDs and stolen professional credentials, and laundered money through bank accounts held under Chinese names. Some clients did business with the sanctioned North Korean operators, enticed by low costs and a shared language. This activity not only compromises cybersecurity but also functions as a financial resource for North Korea, circumventing international sanctions. | Details |
| 2024-02-15 00:12:33 | theregister | NATION STATE ACTIVITY | OpenAI Terminates Accounts Linked to Foreign Malicious Actors | OpenAI identified and shut down five accounts associated with government-affiliated actors from China, Iran, Russia, and North Korea that were used in efforts to create phishing emails and malicious software. The terminated accounts belong to two China-affiliated threat actors, Charcoal Typhoon and Salmon Typhoon; the Iran-affiliated Crimson Sandstorm; the North Korea-affiliated Emerald Sleet; and the Russia-affiliated Forest Blizzard. These threat actors were allegedly using OpenAI's services for activities such as language translation, finding coding errors, and generating code, which could support cyberattacks and phishing campaigns. OpenAI collaborated with Microsoft to detect and disable these malicious accounts and stressed the limited capabilities of GPT-4 for malicious cybersecurity tasks. Microsoft Threat Intelligence provided additional details on the specific activities conducted by these groups, such as translating technical papers and researching cybersecurity topics. OpenAI emphasized that its systems are designed to prevent misuse and to filter out requests for harmful information and malicious code, suggesting that its AI models are not particularly effective at aiding cybercrime. | Details |
| 2024-02-14 23:31:38 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Flaw in Microsoft Exchange Exploited Before Patch | Microsoft confirmed that a critical vulnerability in Exchange Server was exploited as a zero-day before a patch was issued on Patch Tuesday. The vulnerability, identified as CVE-2024-21410, allows remote, unauthenticated attackers to escalate privileges via NTLM relay attacks. In an NTLM relay attack, attackers coerce a network device into authenticating to a server they control and relay that authentication onward, enabling privilege escalation and impersonation. Exchange Server 2019 Cumulative Update 14 (CU14) mitigates this issue by enabling NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA). EPA is an enhancement to Windows Server authentication designed to defeat relay and man-in-the-middle attacks. Extended Protection (EP) is enabled automatically on all Exchange servers that receive the CU14 update, and admins can also enable it manually on older versions. Microsoft advises administrators to review the potential impact on their environments, referring to the documentation for the ExchangeExtendedProtectionManagement PowerShell script, to avoid functional disruptions. An unrelated critical remote code execution (RCE) vulnerability in Outlook was incorrectly reported as being exploited but has since been patched. | Details |
| 2024-02-14 23:11:04 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Targets Fulton County, Threatens Data Leak | The LockBit ransomware group has claimed responsibility for a cyberattack on Fulton County, Georgia. Fulton County's IT systems, including phone, court, and tax services, were disrupted during the last weekend of January. Nearly three weeks after the incident, services remain impacted, with property tax systems still offline and phone lines only partially restored. Fulton County officials report no confirmed theft of sensitive data so far but acknowledge that the breach did occur. LockBit has threatened to publish confidential documents, including citizens' personal data, unless a ransom is paid by February 16. The county is considering using insurance to recover its systems, which suggests it may not pay the ransom to LockBit. Despite the service disruptions, penalties for delayed water bill payments will be waived for residents. | Details |
| 2024-02-14 21:59:28 | bleepingcomputer | MALWARE | Critical Remote Code Execution Vulnerability in Microsoft Outlook | Microsoft Outlook has a critical vulnerability, CVE-2024-21413, that allows remote code execution (RCE) and circumvents Protected View. The bug, discovered by Check Point, can be exploited by sending emails with malicious links that open harmful Office files in editing mode rather than read-only mode. Outlook's Preview Pane can trigger the exploit without the email being opened, because it previews the maliciously crafted Office document. No user interaction is necessary for exploitation, which can be performed remotely and without authentication. Successful exploitation allows attackers to gain high privileges to read, write, and delete, to steal NTLM credentials, and to execute arbitrary code. The vulnerability affects Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Microsoft has retracted its initial statement that the issue was being exploited in the wild, saying the report of active exploitation was an error. Users are strongly urged to apply the official patch immediately to protect against potential attacks exploiting this vulnerability. | Details |
| 2024-02-14 21:03:17 | theregister | NATION STATE ACTIVITY | Chinese Spies Infiltrate US Emergency Services Network | The Chinese government-associated group Volt Typhoon has compromised a major US city's emergency services network and probed telecom providers. Dragos, an industrial cybersecurity firm, reports that the espionage efforts have focused on American electric companies and targeted their strategic assets. Volt Typhoon's activities involve strategic reconnaissance, with the group's interest extending beyond the US to electric companies in Africa. The pace of network penetration by Volt Typhoon is increasing; one American electric company's IT network was breached for over 300 days. Although that company's operational technology (OT) network was not breached, the spies did obtain valuable geographic information system data. Volt Typhoon exploited vulnerabilities in IT infrastructure such as routers and VPNs, and used legitimate tools and stolen credentials for lateral movement within networks. | Details |
| 2024-02-14 20:32:38 | bleepingcomputer | MALWARE | Zoom Fixes Severe Windows Client Security Vulnerability | A critical privilege escalation vulnerability was found in Zoom's Windows applications. The flaw could allow unauthenticated attackers to gain elevated privileges on a user's system. The vulnerability, tracked as CVE-2024-24691, was discovered by Zoom's own offensive security team and carries a high severity score of 9.6. Affected Zoom products include the desktop client, the VDI client, and the Meeting SDK for Windows. The software, widely used for video conferencing, became even more popular during the COVID-19 pandemic, peaking at 300 million daily participants. User interaction, such as clicking a link or opening an attachment, is required to exploit the vulnerability. Zoom has released a security update (version 5.17.7) that patches this and six other vulnerabilities, and urges users to update immediately. | Details |
| 2024-02-14 20:12:04 | bleepingcomputer | CYBERCRIME | Microsoft Warns of Zero-Day Exploited Critical Outlook RCE Bug | Microsoft has issued a security advisory about a critical remote code execution (RCE) vulnerability in Outlook that has been exploited as a zero-day. The vulnerability, identified as CVE-2024-21413, was uncovered by Check Point and can be triggered simply by opening an email containing a malicious link. Attackers can bypass Outlook's Protected View, causing harmful Office files to open in editing mode and leading to potential NTLM credential theft and RCE. The Preview Pane in Windows Explorer is also susceptible, making it possible for attacks to succeed without any direct user interaction with the email. The vulnerability affects various Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and older versions of Outlook still under extended support. The exploitation technique involves a 'file://' link with an added exclamation mark, which bypasses security restrictions in Outlook. Because the underlying vulnerability lies in the core Windows/COM APIs, other software using the same APIs could also be at risk. Microsoft strongly recommends that all Outlook users apply the available patch to protect against this security flaw. | Details |
| 2024-02-14 18:40:25 | theregister | MISCELLANEOUS | US Air Force Revamps Tech Recruitment with Warrant Officers | The US Air Force is reinstating warrant officer ranks, with a focus on attracting tech talent in the cyber and IT fields. Warrant officers have technical expertise and hold ranks above enlisted members but have limited command duties. This initiative is part of a strategy to enhance capabilities against advanced threats from nations such as China and Russia. The reintroduction of warrant officer ranks aims to attract individuals skilled in areas such as coding and network attacks. Commissioned officers and enlisted airmen will also see new technical career paths added. The Air Force's 16th Air Force will be elevated to a separate service component command, and a new Information Dominance Systems Center will be established. Specific implementation plans and roles are still under development, with urgency emphasized so as to be ready for potential conflicts. | Details |
| 2024-02-14 17:39:10 | bleepingcomputer | CYBERCRIME | Microsoft Exchange Enhances Security with Default Protection Update | Microsoft is enabling Extended Protection (EP) by default with the latest Cumulative Update (CU14) for Exchange Server 2019. EP strengthens authentication mechanisms to thwart authentication relay and man-in-the-middle (MitM) attacks. Administrators are advised to review their server environments for compatibility issues before enabling EP, as certain configurations may cause disruptions. Microsoft provides the ExchangeExtendedProtectionManagement PowerShell script to manage EP settings, including the option to disable the feature if necessary. Extended Protection support, introduced in August 2022, was Microsoft's response to critical vulnerabilities that allowed privilege escalation attacks. Systems running the August 2022 security update or later already support EP, while older systems without that update are considered persistently vulnerable. Microsoft emphasizes the importance of keeping on-premises Exchange servers updated so that security patches are deployed promptly and protection is maintained. | Details |
| 2024-02-14 17:28:51 | theregister | DATA BREACH | Prudential Financial Hit by Cybercriminal Data Intrusion | Prudential Financial, a top life insurance company, reported unauthorized access to its IT systems, affecting company and customer data. The breach, confirmed via an 8-K filing with the SEC, occurred on February 4, 2024, and was detected the following day. External cybersecurity experts were engaged immediately to investigate, contain, and remediate the incident. Although admin and user data were accessed, there is currently no evidence that the cybercriminal group took any customer or client data. The extent of the breach is still under investigation to determine whether additional information or systems were compromised. Prudential Financial has notified law enforcement and is in the process of informing regulatory authorities. The company maintains that the incident has not materially affected its operations or its financial position. | Details |
| 2024-02-14 17:02:54 | bleepingcomputer | CYBERCRIME | VARTA AG Halts Production Due to Targeted Cyberattack | German battery manufacturer VARTA AG was the victim of a cyberattack that led to a shutdown of IT systems and halted production across five plants. The incident occurred on the night of February 12, 2024; the company proactively shut down and disconnected its IT systems as a security measure. VARTA's history spans more than a century, its products are known globally, and the company earns over $875 million in annual revenue. The full extent and damage of the cyberattack are currently being assessed; VARTA's primary focus is on maintaining data integrity. An emergency plan was activated, including the formation of a task force with cybersecurity experts to restore systems. The nature of the cyberattack remains unclear, with no confirmation that it was a ransomware attack and no group claiming responsibility. The company's share price dropped 4.75% after news of the cyberattack became public. VARTA has yet to release further details on the cyberattack, including whether data encryption was involved. | Details |
| 2024-02-14 16:16:28 | bleepingcomputer | CYBERCRIME | Hackers Steal Over $290 Million in Cryptocurrency from PlayDapp | Hackers exploited PlayDapp, a blockchain-based gaming platform, by minting 1.79 billion PLA tokens using a stolen private key. The intruders initially minted 200 million PLA tokens valued at $36.5 million and later minted a further 1.59 billion tokens worth approximately $253.9 million. Security firm PeckShield suggested the compromise involved a leaked private key, prompting PlayDapp to move all tokens to a new secure wallet. PlayDapp offered a $1 million "white hat" reward for the return of the stolen assets and threatened legal action; the hackers declined and continued their attack. Due to the excess minting, the total number of PLA tokens created exceeded the number in circulation, devaluing the currency from $0.18 to $0.14 per token. PlayDapp paused all PLA trading, suspended deposits and withdrawals, and is working to freeze the hackers' wallets on exchanges to contain the situation. Token holders have been advised to halt transactions and to be cautious of phishing attempts during the migration to a secure system. Although no specific threat actor has been identified, the nature of the attack is reminiscent of those conducted by the North Korean "Lazarus Group." | Details |
| 2024-02-14 16:00:41 | bleepingcomputer | MALWARE | Critical Flaw in Ubuntu Tool Risks Malware Spread via Package Suggestions | Ubuntu's 'command-not-found' utility has a logic flaw that can be abused to promote malicious snap packages, posing a serious security threat. Attackers could impersonate legitimate packages because the utility does not validate the snap packages it suggests for missing commands. Approximately 26% of APT commands could be mimicked by malicious snaps, significantly raising supply-chain risk for Linux and WSL users. The issue is not exclusive to Ubuntu and affects any Linux distribution that uses 'command-not-found' together with the Snap package system. Malicious snaps can abuse system features or deliver new exploits via auto-update, and could even escape the sandbox when kernel flaws are present. Attackers can use typo-squatting, unclaimed snap names, or unreserved aliases of existing APT packages to trick users into installing malware. The exact scale of exploitation is unknown; however, some incidents have already been reported, indicating that the risk is not merely theoretical. Users and developers must remain vigilant, verifying package authenticity and securing associated package names to mitigate these risks. | Details |