Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11763
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-05 13:24:13 | thehackernews | MISCELLANEOUS | Simplifying Cybersecurity with Cato Networks' SASE-based XDR Solution | Cato Networks' Extended Detection and Response (XDR) solution integrates with Secure Access Service Edge (SASE), improving the quality of the data used for threat detection. The Cato XDR platform correlates security data across domains, using native sensors from a unified SASE architecture for improved threat identification and incident response. Cato XDR draws on a diverse set of native sensors, including NGFW, IPS, DNS Security, CASB, DLP, and EPP/EDR, providing a comprehensive data view and reducing incident investigation times. The platform works in tandem with leading EDR providers to incorporate existing security solutions, offering a scalable and accessible approach for security teams. A hands-on review of Cato XDR demonstrates its user-friendly interface, AI-powered risk scoring, and efficient triage system, designed for analysts of varying expertise. Analysts can analyze, investigate, and document threats within the Cato platform without switching between tools. Cato XDR significantly reduces time to detection and response and simplifies the process, making it a promising solution for organizations looking to enhance their security operations. | Details |
| 2024-02-05 13:18:40 | thehackernews | MALWARE | Romance Scams Lure Users to Install VajraSpy Malware via Android Apps | Patchwork, an advanced threat actor, has used romance scams to distribute VajraSpy malware under the guise of secure messaging apps in Pakistan and India. Over 1,400 downloads of compromised apps were discovered on the Google Play Store between April 2021 and March 2023, potentially impacting 148 devices. VajraSpy steals sensitive information such as contacts, files, call logs, SMS messages, and WhatsApp and Signal messages, records phone calls, and takes pictures. Google removed one such malicious app, advertised as a news app, which had accumulated 1,000 downloads before detection. This is part of an ongoing tactic by Patchwork, which has been reported to create fake personas on social platforms like Facebook and Instagram to direct victims to rogue apps. Aside from Patchwork, other South Asian cybercriminals engage in similar schemes, focusing on financially extorting victims by threatening to leak manipulated nude images created from users' KYC process selfies. This rise in cyber exploitation involving malicious loan apps and sextortion schemes indicates a broader trend affecting users globally, including teenagers in English-speaking countries. | Details |
| 2024-02-05 11:16:23 | thehackernews | MISCELLANEOUS | Enhancing Risk Management via Unified Cybersecurity Frameworks | Current cybersecurity risk management platforms are mostly reactive, leading to alert fatigue and recurrent risks. SecurityHQ's Global SOC Head highlights that proactive risk management can prevent the majority of SOC incidents, which are repeat occurrences. SecurityHQ advocates a platform that integrates multiple frameworks such as NIST, MITRE, and NCSC to improve risk management strategies. These frameworks provide comprehensive approaches for assessing, managing, and mitigating risks effectively, based on real-world observations and global intelligence. SecurityHQ's SHQ Response Platform combines industry knowledge and practices from NIST, NCSC, and MITRE to translate risks into actionable mitigation plans. The platform aims to reduce alert fatigue by focusing on mitigating common risks and offering a library of linked threats, impacts, and controls. Effective use of the SHQ Response Platform requires a team of experts capable of analyzing data, acting on it, and mitigating risks accordingly. | Details |
| 2024-02-05 07:42:30 | thehackernews | NATION STATE ACTIVITY | Pegasus Spyware Infiltrates Devices of Jordanian Activists and Journalists | Nearly three dozen Jordanians, including journalists and activists, were targeted with NSO Group's Pegasus spyware; devices were infiltrated from 2019 to September 2023. Surveillance involved zero-click and one-click attacks employing iOS exploits and social engineering techniques, with some victims experiencing multiple infections. Attackers often posed as journalists, sending malicious links via WhatsApp and SMS to deliver the spyware. NSO Group contends that its product is not for mass surveillance and is sold only to legitimate agencies, arguing that it has played a role in countering encryption technologies used by criminals. Despite these assurances, the incidents in Jordan demonstrate persistent misuse of the spyware against civil society, contrary to the company's claims. NSO Group reports a 'significant decrease' in misuse due to improved due diligence; however, the Jordan cases exhibit ongoing abuse patterns. Access Now highlights the detrimental impact on targeted individuals' privacy and expression rights, and the chilling effect on activism and journalism. The findings come with a call for a moratorium on the sale and use of surveillance technologies until sufficient safeguards are in place. | Details |
| 2024-02-05 03:48:26 | thehackernews | MALWARE | Mispadu Banking Trojan Targets Windows SmartScreen Flaw | Mispadu, a banking Trojan, is exploiting a patched Windows SmartScreen flaw, affecting users chiefly in Mexico. The Delphi-based malware, observed since 2019, is known for stealing information in the Latin American region. Since August 2022, Mispadu has harvested over 90,000 bank account credentials via spam emails. It bypasses SmartScreen by using a specially crafted internet shortcut that points to a malicious network share. After execution, Mispadu assesses the victim's location and system before contacting a C2 server for data exfiltration. Other cybercrime groups have also exploited this Windows flaw, delivering various malware strains, including DarkGate and Phemedrone Stealer. The banking Trojan is part of a larger trend of cyberattacks in Mexico, involving information stealers and RATs like AllaKore RAT and AsyncRAT. The report coincides with revelations about FIN7's DICELOADER malware, known for its sophisticated methods and past distribution via malicious USB drives. | Details |
| 2024-02-05 01:31:09 | theregister | CYBERCRIME | Indictment of SIM Swap Ring Implicates Theft from FTX Exchange | A massive SIM-swapping cybercriminal ring was recently indicted, potentially exonerating Sam Bankman-Fried (SBF) from accusations related to the theft of $400 million in cryptocurrency from FTX on the day it declared bankruptcy. The indictment names three individuals responsible for a series of SIM swap attacks across 13 US states, with the biggest heist matching the amount and date of the FTX theft, suggesting FTX is likely "Victim Company-1." Blockchain analytics firm Elliptic supports the possibility that the SIM swap ring is connected to the FTX cryptocurrency theft, but responsibility for the heist remains unconfirmed. Despite these developments, SBF remains convicted of separate fraud charges concerning FTX's mismanagement, with a potential sentence of 110 years in prison. In other cybersecurity news, Apple preemptively patched a vulnerability in its unreleased Vision Pro headset, a proactive step against a known WebKit exploit. Security research group Qualys has identified several new vulnerabilities in the GNU C Library (glibc), potentially giving local users unauthorized root access on many Linux systems. A Wisconsin teenager was recently sentenced to 18 months in prison for stealing $600,000 from DraftKings users, with two more co-conspirators being indicted in the case. | Details |
| 2024-02-04 17:28:14 | bleepingcomputer | MISCELLANEOUS | Microsoft Plans to Integrate Linux "sudo" Command in Windows Server 2025 | Microsoft has introduced the concept of integrating the Linux 'sudo' command into the upcoming Windows Server 2025, enhancing administrative privilege management. The 'sudo' feature allows users with lower privileges to execute commands with elevated rights, traditionally as the root user, adding a layer of security. In a leaked preview build of Windows Server 2025, new settings for the 'sudo' command were discovered, indicating its early development stage. The command is not fully operational yet, but it has options to run applications in various modes, such as in a new window or with input disabled. Currently, Windows uses User Account Control (UAC) prompts to elevate privileges, but 'sudo' could offer a streamlined method for specific administrative tools. Microsoft's history shows that not all features tested in preview builds make it into the final product, leaving the 'sudo' command's future integration uncertain. | Details |
| 2024-02-04 15:21:05 | bleepingcomputer | CYBERCRIME | "Leaky Vessels" Flaws Threaten Containerized Application Security | The "Leaky Vessels" vulnerabilities have been discovered, allowing attackers to escape Docker and runc containers and access host system data. Security researcher Rory McNamara from Snyk identified the flaws in November 2023 and disclosed them responsibly. No signs of active exploitation of the vulnerabilities in the wild have been detected yet. The vulnerabilities affect runc and BuildKit, which are widely used in container management systems like Docker and Kubernetes. Patches were released in BuildKit version 0.12.5 and runc version 1.1.12 to address the flaws; Docker was updated to version 4.27.0. AWS, Google Cloud, Ubuntu, and CISA issued security bulletins and alerts advising users on mitigation. System administrators are urgently recommended to apply the security updates to protect against potential exploitation. | Details |
| 2024-02-03 21:34:38 | bleepingcomputer | CYBERCRIME | Clorox Discloses $49 Million Cost from Cyberattack Disruption | Clorox suffered a cyberattack in August 2023, leading to significant operational disruptions and decreased product availability. The cyberattack had major financial implications, with Clorox incurring $49 million in related expenses by the end of the year. Costs include payments for third-party consulting, IT recovery, forensic investigations, and additional operational expenses due to the attack. Clorox's report suggests a progressive recovery, aiming to restore distribution, rebuild retailer inventories, and focus on growth and margin improvement. CEO Linda Rendle reports strong execution of the recovery plan and anticipates reduced future costs associated with the cyberattack. In a related incident, Johnson Controls International also reported a loss of $27 million due to a September 2023 ransomware attack that led to a data breach. The cyberattack on Clorox is suspected to be the work of Scattered Spider, a collective known for social engineering and ties to the BlackCat/ALPHV ransomware gang. | Details |
| 2024-02-03 19:17:29 | bleepingcomputer | MISCELLANEOUS | Understanding Chrome's Third-Party Cookie Phaseout Test | Google has begun testing the elimination of third-party cookies in Chrome, currently affecting approximately 1% of users worldwide. Third-party cookies are used to track browsing habits for targeted ads; Google aims to replace them with Privacy Sandbox APIs for privacy-centric personalized advertising. Browsers like Firefox and Safari have already blocked third-party cookies by default, and Google plans to phase them out by 2024. The change signifies a major shift in online advertising, pushing advertisers toward adopting new technologies that preserve user privacy. Developers are collaborating with Google to balance web dynamism and accessibility with increased privacy. Google provides ways to check whether you are part of the cookie deprecation test, including the presence of an "eye" icon in the address bar and specific settings changes. Users can manually opt into the testing phase by enabling a flag in Chrome's experimental features if they wish to participate ahead of the broader rollout. | Details |
| 2024-02-03 15:13:15 | bleepingcomputer | CYBERCRIME | Mastodon Fixes Critical Flaw Preventing Account Takeovers | Mastodon has patched a serious vulnerability, identified as CVE-2024-23832, which could permit attackers to impersonate users and take over accounts. The issue affects all Mastodon versions prior to 3.5.17, 4.0.13, 4.1.13, and 4.2.5, and has a high severity rating of 9.4. Administrators of Mastodon instances are urged to update their servers to version 4.2.5 promptly to mitigate the risk of account hijacking. User accounts could be compromised if the admins of their respective instances do not update to the secure version by mid-February. Server administrators are notified of the need for this critical update through a prominent banner within the platform. The implications of such an exploit are severe, with the potential to affect individual users, communities, and overall platform integrity. In July 2023, another critical bug, CVE-2023-36460, was resolved; it allowed attackers to execute commands leading to full server compromise. | Details |
| 2024-02-03 09:32:41 | theregister | CYBERCRIME | Researchers Uncover Vulnerability in Aircraft Landing Management Apps | Security researchers have discovered a vulnerability in Flysmart+ Manager, an app used by Airbus pilots for safe aircraft operations. The app, which had disabled important security controls, could potentially be exploited to manipulate takeoff and landing data. An attacker would need to be within Wi-Fi range and time their intercept with the EFB's monthly data update cycle to exploit the vulnerability. Despite the complexity, a proof-of-concept exploit revealed the possibility of accessing sensitive aircraft performance data. Airbus has been praised for addressing the issue within 19 months, considered reasonable in aviation tech circles. The vulnerability is a concern for pilots, who might not notice manipulated data, potentially leading to unsafe takeoff procedures. Airbus and EASA have confirmed that existing security checks can validate critical flight data, and improvements have been made to the app. | Details |
| 2024-02-03 07:35:44 | thehackernews | NATION STATE ACTIVITY | U.S. Imposes Sanctions on Iranian Officials for Critical Infrastructure Hacks | The U.S. Treasury Department sanctioned six Iranian intelligence officials for cyber attacks on critical infrastructure. These individuals are connected to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The sanctioned officials executed cyber operations, including disrupting the programmable logic controllers of an Israeli tech firm, Unitronics. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) linked these actors to an attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The sanctioned group, known as Cyber Av3ngers, has been active since 2020, targeting various entities across the U.S., Europe, and Israel. The Treasury Department emphasized the danger such attacks pose to public safety and their humanitarian consequences. Another pro-Iranian cyber group, Homeland Justice, has been targeting Albania and recently deployed wiper malware against the country's statistics institution. | Details |
| 2024-02-03 06:54:44 | thehackernews | CYBERCRIME | Critical Flaw in Mastodon Enables Account Hijacking Potential | A critical security vulnerability in Mastodon allows attackers to impersonate and take over any account on the decentralized social network. The issue, identified as CVE-2024-23832 with a severity rating of 9.4, was reported by a security researcher known as arcanicanis. The flaw is described as an "origin validation error," which presents a significant risk because it may grant attackers access to functionality not intended for external sources. Affected Mastodon versions include all releases before 3.5.17, as well as versions prior to 4.0.13, 4.1.13, and 4.2.5, depending on the release series. Mastodon has deferred releasing further technical details about the flaw until February 15, 2024, to give server instance administrators time to apply the necessary updates. Because of Mastodon's federated structure, each independently hosted server instance requires its own administrator to update promptly to mitigate the risk. This disclosure follows Mastodon's fix of two other critical vulnerabilities roughly seven months earlier, which could lead to DoS attacks or enable remote code execution. | Details |
| 2024-02-03 04:01:52 | thehackernews | CYBERCRIME | AnyDesk Software Compromise Leads to Forced Password Reset | AnyDesk announced a security breach in which production systems were found to be compromised following a security audit. The incident was not a ransomware attack, and authorities have been notified; compromised systems have been remediated or replaced. AnyDesk revoked all previous security certificates and is issuing new ones, while also urging users to reset their passwords. Users are advised to download the latest AnyDesk version, which carries a new code signing certificate, to ensure safety. Specific details on the date and method of the breach were not provided, and it is unclear whether data was stolen. There is currently no evidence suggesting that end-user systems have been compromised as a result of this breach. AnyDesk serves over 170,000 customers globally and had recently experienced maintenance issues and service disruptions. This announcement followed a separate disclosure by Cloudflare about a breach involving stolen credentials, suspected to be nation-state activity. | Details |