Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11764
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-08 06:56:21 | thehackernews | NATION STATE ACTIVITY | North Korean Kimsuky Group Deploys New Golang Malware | North Korea-linked hacking group Kimsuky is reportedly using a novel Golang-based information stealer named Troll Stealer to target South Korean systems. Troll Stealer is designed to extract sensitive data such as SSH credentials, system information, browser data, and even screen captures. Similarities to previous Kimsuky-associated malware like AppleSeed and AlphaSeed suggest a connection to the group, which has a history of espionage activity. Kimsuky, which is under US Treasury sanctions, has recently conducted spear-phishing campaigns against South Korean targets, delivering multiple backdoors. Troll Stealer masquerades as a legitimate security program installer and uses a certificate stolen from D2Innovation Co., LTD to appear authentic. The malware's new capability to target GPKI folders indicates a potential shift in tactics or the involvement of another threat actor with access to Kimsuky's tools. The discovery of a Go-based backdoor, GoBear, also points to Kimsuky's continued development of sophisticated tools; it adds a SOCKS5 proxy feature not seen in the group's previous malware. | Details |
| 2024-02-08 05:19:30 | thehackernews | CYBERCRIME | Cisco, Fortinet, VMware Issue Fixes for Critical Security Flaws | Cisco released patches for three vulnerabilities in the Cisco Expressway Series with CVSS scores up to 9.6, potentially allowing unauthenticated remote CSRF attacks. Fortinet published a second round of updates addressing patch bypasses for a critical FortiSIEM supervisor flaw; the new vulnerabilities have CVSS scores of 9.8. VMware warned of five moderate-to-high severity flaws in Aria Operations for Networks, advising users to upgrade to version 6.12.0 to mitigate the risk. The vulnerabilities could enable attackers to execute arbitrary code or actions, modify system configurations, create privileged accounts, or induce DoS conditions. Patches have been released in specific versions of all the affected products, and users are urged to apply them promptly given the history of active exploitation. Organizations are recommended to prioritize patch management to protect against these newly disclosed vulnerabilities and improve their overall security posture. | Details |
| 2024-02-08 01:00:26 | bleepingcomputer | CYBERCRIME | Fortinet Discloses Confusion Over Critical FortiSIEM Vulnerabilities | Fortinet has warned of two critical unpatched vulnerabilities in FortiSIEM—CVE-2024-23108 and CVE-2024-23109—which are patch bypasses for the original CVE-2023-34992 flaw. An initial, confusing update suggested these CVEs were duplicates due to an API issue; however, they are confirmed as separate vulnerabilities. The new bugs allow remote, unauthenticated attackers to execute commands on the system through specially crafted API requests. Users are strongly advised to upgrade FortiSIEM to a version that addresses these vulnerabilities, as threat actors frequently target Fortinet flaws. Fortinet's handling of the disclosure has caused confusion, as it initially misstated the nature of the vulnerabilities. Vulnerability expert Zach Hanley from Horizon3 has been identified as the discoverer of these patch bypasses. Fortinet commits to issuing a reminder in its monthly advisory to alert customers to these critical security issues. | Details |
| 2024-02-08 00:09:15 | theregister | CYBERCRIME | Proposed Incident Reporting Rules Rile IT Providers | Proposed procurement rules would require IT suppliers to U.S. government agencies to provide complete access to their systems after a security incident and to report intrusions within eight hours. The draft update to the Federal Acquisition Regulation (FAR) aligns with Biden's 2021 executive order and responds to significant security incidents like SolarWinds and Colonial Pipeline. Industry backlash has been significant, with over 80 responses criticizing the burdensome nature of the proposed rules, including the Software Bill of Materials (SBOM) requirement and incident reporting within eight hours. The Cloud Service Providers Advisory Board and the Information Technology Industry Council voiced concerns about the impact on providers who serve both federal and non-federal customers, fearing loss of business due to the invasive requirements. HackerOne highlighted the risk that federal law enforcement access to contractor systems could inadvertently expose non-government customer data. Different federal agencies have introduced varying incident reporting rules, leading to a lack of alignment; some stakeholders call for CISA to be the central agency for incident reporting. ITIC suggests selecting a single, harmonized incident reporting process across the federal government and regulated sectors to avoid misalignment and confusion. | Details |
| 2024-02-07 22:52:52 | theregister | NATION STATE ACTIVITY | U.S. Warns of Persistent Chinese Cyber Espionage on Critical Infrastructure | The U.S. government has issued a warning about Chinese spy groups infiltrating American critical infrastructure, including energy and other essential services. These Chinese cyber-espionage operations are reportedly seeking to steal data and potentially disrupt vital systems on command from Beijing. The intrusions by groups like Volt Typhoon have sometimes gone undetected for years, posing a risk of significant operational impact. The FBI acted to disrupt Volt Typhoon's activities by wiping out their botnet through a remote kill command. Officials underscore the necessity of robust identity management, such as phishing-resistant multi-factor authentication, for infrastructure operators. Cybersecurity experts express serious concerns about Volt Typhoon's access to operational technology systems, which could lead to severe shutdowns. The Department of Energy has been collaborating with infrastructure owners to detect and eliminate these persistent threats actively positioning themselves on networks. Such state-sponsored activity suggests a reciprocal level of cyber-intrusion might be expected from American agencies against foreign critical infrastructure. | Details |
| 2024-02-07 21:26:08 | bleepingcomputer | MALWARE | Facebook Ads Disguised as Job Offers Distribute Ov3r_Stealer Malware | Ov3r_Stealer malware is being spread via fraudulent Facebook job advertisements that target users in order to steal credentials and cryptocurrency. The scam leads victims to a Discord link that executes a PowerShell script to download the malware from GitHub. Trustwave analysts uncovered the campaign, noting the danger posed by Facebook's widespread use despite the non-novel tactics. The infection process deceives users with a fake PDF, redirecting to a malicious payload disguised as a DocuSign document. The malware aims to harvest data from various applications and searches system registry areas to potentially expand its breach. Collected data, including geolocation and a synopsis of the pilfered information, is sent every 90 minutes to a Telegram bot controlled by the attackers. Investigations reveal links to software cracking forums and code resemblance to a known C# stealer, Phemedrone, suggesting possible origins or associations of the malware's creators. | Details |
| 2024-02-07 20:34:11 | theregister | MISCELLANEOUS | Survey Reveals Infosec Degrees Fall Short in Real-World Utility | Half of the cybersecurity professionals surveyed by Kaspersky assert their higher education in cybersecurity does not translate effectively to practical work. Only 29% of respondents found their academic knowledge to be "extremely useful," with smaller percentages rating their education as "very useful." The survey included 1,012 infosec professionals from 29 countries, highlighting a perceived disconnect between academic preparation and real-world demands. The rapid pace of technological change is cited as a contributing factor to the obsolescence of educational content, with tech quickly becoming "legacy" within a few years. There is a notable regional variance in the perceived practical experience of cybersecurity educators, with Latin America reporting the highest levels of instructor industry engagement, and the Middle East, Turkey, and Africa the lowest. An overwhelming majority of professionals with 2-5 years of experience (83%) consider the availability of useful infosec courses in higher education to be poor, pointing to a gap in training for handling real-life security incidents. | Details |
| 2024-02-07 20:18:22 | bleepingcomputer | DATA BREACH | Denmark Halts Google's Student Data Processing in Schools | The Danish data protection authority has issued an injunction preventing schools from sending student data to Google. The decision affects the use of Google Workspace and Chromebooks across 53 municipalities in Denmark. Concerns were raised about the misuse of student data and the potential future impact on individuals. Schools must now modify their data processing practices to align with the authority's new requirements. Permitted uses of data are limited to specific educational services and the fulfilment of legal obligations. The decision does not outright ban Chromebooks but places restrictions on data sharing with Google. Municipalities are given until March 1, 2024, to outline compliance plans, with full implementation required by August 1, 2024. The action was welcomed by many but criticized for the delay in the authority's response to the issue. | Details |
| 2024-02-07 20:13:00 | bleepingcomputer | NATION STATE ACTIVITY | Prolonged Chinese Cyber-Espionage on U.S. Infrastructure Exposed | Chinese cyber-espionage group Volt Typhoon infiltrated U.S. critical infrastructure networks and remained hidden for around five years. A joint advisory by CISA, the NSA, the FBI, and the Five Eyes intelligence alliance revealed Volt Typhoon's stealthy operations and living off the land (LOTL) tactics. The group specifically targeted the communications, energy, transportation, and water/wastewater sectors, putting a spotlight on its ability to leverage stolen accounts for persistent access. U.S. authorities are concerned that Volt Typhoon might use its network footholds to disrupt critical infrastructure during times of high tension or conflict. Recent efforts have been made to harden U.S. cyber defenses against such threats and to understand the full scope of Volt Typhoon's activities. The FBI and CISA recently disrupted a Volt Typhoon-controlled botnet, highlighting ongoing counter-espionage measures. Cybersecurity agencies have released technical guides to help network defenders detect Volt Typhoon activity and protect critical infrastructure from similar threats. | Details |
| 2024-02-07 19:16:42 | theregister | NATION STATE ACTIVITY | US and Allies Warn of Chinese Cyber Group's Threat to Infrastructure | The US and 11 international government agencies issued a warning about China's Volt Typhoon group targeting critical infrastructure. Volt Typhoon has infiltrated IT networks across the communications, energy, transportation, and water sectors in the US and its territories. The group's conduct suggests a departure from espionage goals, with a focus on pre-positioning for potential disruptive or destructive cyberattacks. The US agencies, including CISA, NSA, and FBI, express high confidence in Volt Typhoon's intent to exploit network access amid geopolitical tensions. The FBI cautioned that Chinese hackers are equipped to "wreak havoc" on US infrastructure, citing recent malware infections on Cisco and Netgear equipment. Canada, Australia, and New Zealand's infrastructure could be affected due to interconnectedness and shared vulnerabilities with the US. Governments have provided a list of technical details, observed TTPs, and detection recommendations, and urged immediate actions to mitigate the threat, such as applying patches, enabling MFA, and maintaining centralized logging. | Details |
| 2024-02-07 19:01:00 | bleepingcomputer | CYBERCRIME | Google Pilots Blocking High-Risk Side-Loaded Android Apps | Google initiated a pilot program to combat financial fraud on Android by preventing the sideloading of apps that request risky permissions. Sideloading APK files from third-party sites is common but poses risks due to the absence of security vetting, potentially leading to malware and financial fraud. Google reported over $1 trillion in user losses due to Android scams in 2023, with 78% of users encountering at least one scam attempt. Google Play Protect now scans APKs in real time; the new feature has identified and prevented over 515,000 unwanted app installations. In Singapore, the pilot will block installations from third-party sources if the APKs require certain permissions, addressing a key vulnerability exploited by malware. Google's plans for a global rollout of the blocking feature are pending, while users are urged to be cautious with APKs and to use Play Protect scans. | Details |
| 2024-02-07 18:24:25 | bleepingcomputer | MISCELLANEOUS | Debunking the Myth of a Toothbrush-Powered DDoS Attack | Reports emerged claiming 3 million electric toothbrushes were hacked to launch a DDoS attack, causing significant financial damage. Fortinet, allegedly the source of the claim, has not confirmed the incident, and no corroborating evidence has been found. DDoS attacks, while common, typically employ compromised IoT devices, routers, and servers rather than consumer goods like toothbrushes. The toothbrushes in question lack direct internet connectivity, connecting only through Bluetooth to mobile apps, which makes the reported attack implausible. A scenario involving electric toothbrushes as part of a DDoS botnet appears to be hypothetical, possibly misinterpreted by the original reporting source. Security experts widely dispute the event, given the way electric toothbrushes connect to networks. The article serves as a cautionary tale, underscoring the importance of securing all internet-connected devices against potential recruitment into DDoS botnets. | Details |
| 2024-02-07 18:24:25 | bleepingcomputer | CYBERCRIME | Cisco Patches Critical Vulnerabilities in Expressway Gateways | Cisco fixed critical vulnerabilities in its Expressway Series gateways, protecting against CSRF attacks. The patched issues include two critical-rated CSRF vulnerabilities that allow remote unauthenticated attacks. Exploitation could lead to unauthorized actions, including code execution, admin privilege escalation, and new account creation. The vulnerabilities, identified as CVE-2024-20252 and CVE-2024-20254, could be exploited through malicious links sent to users. Another vulnerability, CVE-2024-20255, could result in system configuration alterations and denial of service. Cisco will not provide updates for the TelePresence Video Communication Server (VCS) due to its end-of-support status. Cisco's PSIRT has not observed any active exploitation or publicly available proofs of concept for these issues. | Details |
| 2024-02-07 17:23:08 | bleepingcomputer | MISCELLANEOUS | Debunked Tale of Electric Toothbrushes Used in Major DDoS Attack | A news report claimed 3 million electric toothbrushes were hacked to conduct a DDoS attack, causing significant damage. Cybersecurity firm Fortinet was cited as the source, but it has not confirmed the story, and the story lacks evidence. Security experts doubt such an attack is possible due to the toothbrushes' lack of direct internet connectivity; they rely on Bluetooth. The narrative suggests a potential supply chain attack to install malicious firmware, yet no records of such an incident exist. The story serves as a reminder of the risks facing any Internet-exposed device, underlining the need for security updates and strong passwords. Despite the plausibility of Internet-connected devices being hijacked, this specific incident involving electric toothbrushes is likely fictional. The concern highlights the importance of securing the growing number of IoT devices, which could be exploited in DDoS botnets. | Details |
| 2024-02-07 16:31:50 | theregister | NATION STATE ACTIVITY | Iran's Cyber Tactics Preview Threat to U.S. Election Integrity | Microsoft's Threat Analysis Center reports on Iran's increasingly sophisticated cyber operations, which could target the upcoming 2024 U.S. elections. Tactics developed against Israel, such as effective influence campaigns, could be repurposed for meddling in U.S. electoral processes. A spike in English-language traffic to Iranian state-affiliated news sites during the Israel-Hamas conflict signals successful propaganda reach. The first instance of an AI-generated newscaster in an Iranian influence operation was detected, showcasing technological advancement. The U.S. previously indicted Iranians for cyber activities intended to undermine the 2020 presidential election, highlighting the threat to election integrity. Microsoft anticipates that Iran, alongside Russia and China, may engage in interference attempts during the 2024 elections, posing an unprecedented challenge. Iran's cyber capabilities have been demonstrated through disruptive attacks in Israel and other nations friendly to Israel, such as Bahrain and Albania. | Details |