Daily Brief

2024-02-06 11:01:11 thehackernews MISCELLANEOUS Multimedia Giant Bolsters SaaS Security, Reaps 201% ROI with SSPM
A multimedia corporation with $10 billion in annual revenue used Adaptive Shield's SaaS Security Posture Management (SSPM) to significantly improve its security posture. Forrester Consulting's Total Economic Impact™ (TEI) study reported a 201% ROI and notable qualitative security improvements after the SSPM implementation. Before deploying SSPM, the company contended with misconfigurations, communication gaps between app owners and security teams, and regulatory compliance issues. The study found that SSPM usage resulted in a 30% increase in security posture, better collaboration across teams, and improved operational efficiency. SSPM's automation features allowed security staff to shift their focus from configuration interviews to strategic security management and continuous compliance. Operational efficiency, faster compliance reviews, and enhanced collaboration together produced $2.18 million in benefits over three years against costs of around $724,000. The payback period was under six months, justifying the investment in SSPM with a significant, measurable return on investment and operational advantages in SaaS security.
2024-02-06 10:20:24 theregister CYBERCRIME Akira and 8Base Dominate Among New 2023 Ransomware Gangs
Over 25 new ransomware gangs emerged in 2023, with Akira and 8Base the most noteworthy, signaling the persistent allure of high ransom profits. Increased law enforcement scrutiny and intense competition led to the dissolution of five nascent ransomware operations within their first year. Established groups such as LockBit and ALPHV/BlackCat force newcomers to offer competitive incentives and strong ransomware payloads to attract affiliates. Many new gangs are linked to or are rebrands of previous operations, with at least 12 of the 25 new groups having connections to prior entities. Akira, associated with the infamous Conti group, and 8Base, related to Phobos, accounted for a significant portion of ransomware incidents in 2023, with Akira growing swiftly. International law enforcement efforts have shut down several ransomware operations, including Hive, Ragnar Locker, and Trigona, but the absence of a ban on ransom payments dilutes the impact of these takedowns. The newly established WereWolves group rose rapidly in prominence towards the end of the year, suggesting ongoing challenges in the fight against ransomware.
2024-02-06 10:15:05 thehackernews CYBERCRIME APAC Job Boards Compromised by ResumeLooters Cybercrime Group
Hackers known as ResumeLooters targeted employment platforms in the Asia-Pacific region, stealing data from millions of job seekers. Approximately 65 job search websites were compromised between November and December 2023, exposing over 2 million unique email addresses. The threat actor used SQL injection attacks to access sensitive information, including personal details, employment history, and resumes. The stolen data was subsequently sold in Telegram channels, underlining the financial motivation behind the attacks. Group-IB discovered evidence of cross-site scripting (XSS) infections on legitimate job search sites, which loaded malicious scripts for phishing and stealing admin credentials. The majority of breaches occurred in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, with additional incidents in Brazil, the U.S., Russia, Mexico, and Italy. ResumeLooters used tools such as sqlmap, BeEF, Metasploit, dirsearch, and xray to carry out their attacks, taking advantage of poor security and database management by the victims. Group-IB warns of the continued prevalence and effectiveness of SQL injection attacks in the APAC region, despite SQL injection being a well-known attack technique.
2024-02-06 07:01:12 thehackernews CYBERCRIME Exploitation of Ivanti VPN Vulnerability Ramps Up Worldwide
A server-side request forgery (SSRF) vulnerability in Ivanti VPN products is being exploited en masse following public disclosure. Security researchers observed more than 170 unique IP addresses attempting to exploit CVE-2024-21893 to establish a reverse shell. The SSRF flaw, also known as CVE-2023-36661, had previously been fixed in the Shibboleth XMLTooling library in June 2023. Ivanti has released official patches after its initial mitigation was bypassed by attackers. A proof-of-concept exploit released by Rapid7 showed how this vulnerability can be chained with another to execute remote code without authentication. Mass exploitation of the SSRF flaw began after the vulnerability details became public and a PoC exploit was made available. Ivanti VPN appliances are reported to contain outdated components, posing additional security risks. A total of 28,474 instances of Ivanti Connect Secure and Policy Secure were found to be exposed globally, with 610 confirmed compromises.
2024-02-06 07:01:12 bleepingcomputer CYBERCRIME Over 2 Million Job Seekers' Data Stolen by 'ResumeLooters' Group
The 'ResumeLooters' threat group has compromised 65 job listing and retail websites, stealing the personal data of over two million individuals. Victims are predominantly from the APAC region, including Australia, China, and India, and the stolen data includes names, contact details, and employment history. The primary attack methods were SQL injection and XSS attacks, enabling unauthorized data access and phishing attempts. Open-source penetration testing tools were used to identify vulnerabilities before malicious scripts were injected across the websites. Group-IB detected the sale of stolen data on Telegram and identified an operational security error by the hackers that provided insight into their methods and level of access. Indicators suggest ResumeLooters may be a China-based group, given the language used in their communications and their tool preferences. The data is being sold for financial gain to other cybercriminals, posing a significant threat to those affected.
2024-02-06 05:08:51 thehackernews NATION STATE ACTIVITY U.S. Sets Visa Bans on Perpetrators of Illicit Spyware Surveillance
The U.S. has introduced visa restrictions on individuals connected to the unlawful use of commercial spyware against members of civil society. Secretary of State Antony Blinken emphasized the threat that misuse of such spyware poses to privacy and basic freedoms. The new policy aims to promote accountability and covers not only the users of the spyware but also those who profit from it financially and the companies that develop and sell these tools. How the restrictions will be enforced for individuals from visa waiver countries remains unclear; such individuals may be required to apply for visas. The decision follows reports of illegal surveillance in the Middle East, where journalists and activists were targeted with NSO Group's Pegasus spyware. Previous measures include U.S. sanctions against spyware vendors such as NSO Group and Candiru and a presidential executive order barring federal agencies from using suspect commercial spyware. Two further companies, Intellexa and Cytrox, were added to the U.S. trade blocklist in July 2023. A GCHQ assessment reports that over 80 countries have acquired commercial cyber intrusion software over the past decade.
2024-02-05 23:02:47 theregister MISCELLANEOUS Google Donates $1M to Advance Rust-C++ Interoperability
Google has donated $1 million to the Rust Foundation to improve interoperability between Rust and C++, furthering memory safety in software development. C++ has faced criticism for its memory safety issues, leading to increased advocacy for the memory-safe programming language Rust. The funding is expected to lower the barrier to adopting Rust in legacy systems and in Android, where C++ is currently widely used alongside other languages. Google's grant follows a similar $1 million contribution from Microsoft, which also pledged $10 million to integrate Rust as a "first-class language" in its engineering systems. Over 1,000 Google developers have committed Rust code, with significant adoption in Android, and Google has been developing tools to ease communication between Rust and C++ code. The Rust Foundation has launched an Interop Initiative to streamline the integration of Rust with C++ in existing projects and workflows.
2024-02-05 22:06:45 bleepingcomputer MISCELLANEOUS Microsoft Investigates Outlook Security Alert Bug Post-Update
Microsoft is investigating an Outlook issue in which opening .ICS files triggers security warnings after the December 2023 Patch Tuesday update. Users encounter alerts about potential security concerns with locally saved .ICS calendar files, a bug Microsoft has acknowledged. The warnings stem from a fix for CVE-2023-35636, a vulnerability that could expose Windows credentials through malicious files. Microsoft has offered a registry key workaround that disables these security notices, with the caveat that it also affects other file types. A full resolution has yet to be released; Microsoft resolved separate Outlook connectivity and crash issues earlier in the month.
2024-02-05 20:49:58 theregister CYBERCRIME Ivanti Devices Targeted Again: Growing Concerns Over New Exploits
Multiple attackers are exploiting a new server-side request forgery (SSRF) vulnerability in Ivanti products, CVE-2024-21893, which was publicly disclosed on January 31. Ivanti had already been addressing two other zero-day bugs (CVE-2023-46805 and CVE-2024-21887) when this latest flaw was discovered. The new vulnerability can be chained with CVE-2024-21887 to achieve unauthenticated command injection with root privileges. Proof-of-concept (PoC) exploits have been published, and a notable increase in attack attempts has been recorded, with over 170 IP addresses involved so far. Prior Ivanti flaws were reportedly exploited by Chinese nation-state actors, but the perpetrators behind the new attacks remain unidentified. Ivanti has released patches for the vulnerabilities, and the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to disconnect affected Ivanti products by February 2.
2024-02-05 20:29:25 bleepingcomputer NATION STATE ACTIVITY US Enacts Visa Bans on Individuals Tied to Spyware Misuse
The US State Department has introduced new visa restrictions targeting individuals connected to the misuse of commercial spyware. These restrictions are part of broader US efforts to combat the exploitation of surveillance tools that infringe on human rights and pose security threats. Specific incidents of commercial spyware misuse have involved severe human rights violations, including arbitrary detention and extrajudicial killings. An Executive Order prohibits US government use of potentially risky mercenary surveillance tools. The Commerce Department added four European spyware firms to its Entity List for their role in distributing hacking tools used against high-risk individuals internationally. Earlier action in November 2021 sanctioned four other companies from Israel, Russia, and Singapore for similar offenses in spyware development and distribution. The Biden administration, in coordination with the 36-government Freedom Online Coalition, emphasizes principles to prevent the misuse of surveillance technology and uphold human rights. The US reaffirms its stance on human rights and pledges to hold accountable those who abuse commercial spyware.
2024-02-05 19:33:23 theregister CYBERCRIME Hospitals Warned: Heed Voluntary Cybersecurity Goals or Face Consequences
The U.S. government's "voluntary" cybersecurity performance goals for healthcare organizations are likely to become mandatory regulations in the future. Taylor Lehmann, director at Google Cloud's Office of the CISO, advises hospitals to take the new cybersecurity goals seriously because they will form the basis of forthcoming regulations. HHS intends to establish enforceable security standards and provide financial support for healthcare facilities to adopt high-impact cybersecurity practices. Recent ransomware attacks and data thefts at healthcare organizations underscore the urgency of improving cyber defenses. The essential cybersecurity goals include mitigating vulnerabilities, multi-factor authentication, email security, and secure data encryption. Healthcare networks, especially in rural areas, face challenges updating technology and hiring security staff, and some affected hospitals have been forced to close. The strategy focuses on prevention but may undervalue resilience and recovery during cyberattacks. Lehmann highlights the need to balance data confidentiality with the critical availability of healthcare services, suggesting a shift in security priorities.
2024-02-05 18:37:00 bleepingcomputer DATA BREACH HPE Probes Potential Data Compromise Amidst Hacker Forum Sale Claims
Hewlett Packard Enterprise (HPE) is investigating claims of a data breach after a seller on a hacking forum offered data purported to be from HPE. HPE has stated that it has no evidence of a breach or of any impact on its products and services, and that no ransom demand has been made. The seller, known as IntelBroker, claims the data includes HPE credentials, system logs, configuration files, and more, but has not revealed the source or method of acquisition. This development follows HPE's recent admission that Russian APT29 hackers had accessed and exfiltrated data from its Office 365 email environment since May 2023. The Russian hackers are believed to have stolen files from HPE's cybersecurity team and to have maintained access to its cloud infrastructure until December 2023. HPE has suffered breaches before, including a notable 2018 attack by Chinese APT10 hackers and a 2021 compromise of data repositories in its Aruba Central platform.
2024-02-05 18:31:44 theregister DATA BREACH AnyDesk Credentials Compromised in Security Breach
AnyDesk has acknowledged an IT security incident that allowed criminals to access its production systems for its remote-desktop software. The incident disrupted services and is reportedly not related to a ransomware attack. Attackers obtained AnyDesk's code signing certificate, which could enable malware to be distributed disguised as legitimate AnyDesk software. All security certificates have been revoked, and AnyDesk is transitioning to a new code signing certificate. Portal passwords have also been reset. AnyDesk customer credentials are allegedly being sold on the dark web, but their connection to this breach is unclear. AnyDesk engaged CrowdStrike for incident response, has stated that the situation is under control, and encourages users to update to the latest version. Threat intelligence experts report that stolen AnyDesk credentials are marketed for scams and were sourced from prior infostealer malware infections.
2024-02-05 16:39:32 thehackernews CYBERCRIME Belarusian National Extradited for Alleged $4B Crypto Laundering
Belarusian and Cypriot national Aliaksandr Klimenka faces U.S. charges for his involvement with the BTC-e crypto exchange and its alleged $4 billion money laundering operation. Klimenka, arrested in Latvia, could receive up to 25 years in prison for money laundering and operating an unlicensed money services business. BTC-e is accused of functioning as a hub for cybercrime, including hacking, ransomware, and drug trafficking, because of its highly anonymous trading features. The exchange lacked anti-money laundering (AML) and know-your-customer (KYC) policies, in violation of U.S. federal law. The story also mentions recent indictments of other cybercriminals, including 19-year-old Noah Michael Urban of Florida for wire fraud and identity theft linked to the cybercrime group Scattered Spider. Three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, were charged in connection with a SIM swapping attack targeting the crypto exchange FTX.
2024-02-05 15:58:23 bleepingcomputer CYBERCRIME Mass Exploitation of New Ivanti SSRF Zero-Day Vulnerability Detected
A server-side request forgery (SSRF) zero-day vulnerability, CVE-2024-21893, in Ivanti products is being widely exploited by attackers. Ivanti had warned about the vulnerability at the end of January 2024, noting limited active exploitation at that time. The flaw allows unauthenticated access to restricted resources on affected Ivanti Connect Secure and Policy Secure versions 9.x and 22.x. Exploitation activity has surged, with 170 distinct IP addresses targeting the flaw, suggesting increased attacker focus on this vulnerability. A proof-of-concept (PoC) exploit was published by researchers, but attackers were observed exploiting the vulnerability before its release. Nearly 22,500 Ivanti Connect Secure devices are exposed online, though it is unclear how many are actually vulnerable to CVE-2024-21893. Given the severity of the ongoing exploitation, CISA has directed federal agencies to disconnect affected Ivanti devices and reconnect them only after a factory reset and firmware update. Patches are not yet available for every affected product version, prompting federal agencies and private organizations alike to evaluate the security of their Ivanti deployments.