Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 11762
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-02 03:01:33 | theregister | CYBERCRIME | Securing Applications Against Shadow API Vulnerabilities | APIs have become crucial to digital economies but are vulnerable to security risks, such as data breaches and fraud, due to increased attack surfaces.
Shadow APIs, often outdated or undocumented, exacerbate security vulnerabilities and compliance issues as they are overlooked and poorly managed.
F5 Distributed Cloud Services provide AI and ML-based solutions to detect shadow APIs, authenticate users, authorize access, and prevent data leakage.
The F5 platform offers a dynamic API security console for real-time monitoring and management, as well as predictive analytics to pre-emptively block suspicious activities.
Dashboards facilitate in-depth visibility into API security, revealing the most attacked APIs, sensitive data types, and risk scores to aid in prioritization of security measures.
F5's Distributed Cloud Platform supports the API lifecycle across various computing environments, thereby enhancing consistent policy enforcement and flexible deployment.
The combination of AI and behavioral analytics used in the F5 solution allows for the identification of complex attack patterns and zero-day vulnerabilities beyond traditional rule-based systems. | Details |
| 2024-02-02 01:14:21 | theregister | NATION STATE ACTIVITY | Cloudflare Details Nation-State Exploitation of Atlassian Server | Suspected nation-state spies infiltrated Cloudflare via credentials obtained from an October Okta breach.
Access was gained to Cloudflare's internal Atlassian installation and Bitbucket source code management system.
Cloudflare rotated credentials after the Okta breach, but one access token and three service-account credentials were left unrotated because they were believed to be unused.
Attackers conducted reconnaissance on Cloudflare's network, accessing internal wiki, Jira database, and installing backdoor access.
36 Jira tickets related to security protocols, and 120 Bitbucket repositories were of particular interest to the attackers.
Cloudflare took immediate action to rotate potentially compromised secrets and strengthen security measures.
A thorough internal response, named "Code Red," was conducted with assistance from CrowdStrike, with ongoing work in credential and software security. | Details |
| 2024-02-01 22:26:23 | bleepingcomputer | DATA BREACH | Blackbaud Settles with FTC, Implements Enhanced Security Post-Breach | Blackbaud, a cloud-based software provider, has settled with the FTC following accusations of insufficient security practices leading to a significant data breach in May 2020.
The FTC charged Blackbaud with failing to monitor for hacking attempts, segment data, enforce data deletion, and properly implement multifactor authentication among other security shortcomings.
The settlement obliges Blackbaud to improve security measures, maintain accurate data security and retention protocols, and establish a comprehensive information security program.
The company must also create a detailed data retention schedule, delete unnecessary customer data, and report future breaches to the FTC promptly.
The breach impacted over 13,000 Blackbaud customers, leaking sensitive data including Social Security numbers and banking details, and resulted in multiple lawsuits and a hefty settlement payment.
Blackbaud was criticized for initially downplaying the breach's severity in its SEC filings and faced penalties amounting to $3 million and a separate $49.5 million settlement with US states' attorneys general.
FTC officials have emphasized the company's responsibility to secure consumer data and the consequences of inadequate breach disclosure to affected individuals. | Details |
| 2024-02-01 20:54:34 | bleepingcomputer | NATION STATE ACTIVITY | Cloudflare Internal Server Breached by Nation State Actor | Cloudflare reported a breach of its internal Atlassian server by a nation state attacker who accessed the company's Confluence wiki and Jira bug database.
The attackers gained initial access on November 14, then established persistent access and accessed Bitbucket source code management on November 22.
Stolen credentials from the October 2023 Okta breach were used to penetrate Cloudflare's systems; this includes one access token and three service account credentials.
Cloudflare detected and cut off the hacker's access between November 23 and 24, with a thorough investigation starting on November 26.
Despite the breach, Cloudflare customer data, services, and global network systems remained secure and unaffected.
Cloudflare treats the incident as serious but assessed the operational impact as limited, because the attacker's access was confined to internal documentation and a subset of source code.
The attack is believed to be a nation-state effort aiming to gain long-term access to Cloudflare's global network; the Security Incident Response Team's quick actions minimized impact. | Details |
| 2024-02-01 19:12:11 | bleepingcomputer | MALWARE | Ukraine's Computer Networks Plagued by PurpleFox Malware Infections | PurpleFox malware campaign has hit over 2,000 devices in Ukraine, sowing uncertainty regarding its full impact on state entities and private individuals.
Ukraine's CERT-UA has sounded the alarm on the issue and is providing guidance for detecting and eradicating the persistent malware known as PurpleFox, or DirtyMoe.
First detected in 2018, PurpleFox carries capabilities like a rootkit for concealment and can be leveraged for backdoor access, downloading additional payloads, and enabling DDoS attacks.
Recent PurpleFox iterations have been noted for using WebSocket protocols for less detectable C2 communications, and there have been instances of it being distributed as a fake Telegram desktop app.
CERT-UA's investigation identified the control-server IP addresses behind the infections, most of them located in China, and the agency published a step-by-step procedure for detecting and removing PurpleFox.
The agency stresses the importance of isolating outdated systems, reinforcing network security, and creating specific firewall rules to block common attack vectors to prevent further PurpleFox infections. | Details |
| 2024-02-01 18:51:32 | theregister | CYBERCRIME | Deepfake Threats Challenge Biometric Security Reliability | Gartner reports deepfake technology is undermining confidence in facial biometric security systems.
Organizations doubt standalone identity verification methods due to AI-generated deepfakes.
Enhanced security measures, including "liveness detection," are being bypassed by sophisticated deepfakes.
Experts suggest adding layers to security, such as device location and IP verification, to counteract deepfake threats.
Security systems employing AI to detect deepfakes must look for inconsistencies like replicated patterns in synthesized images.
A defense-in-depth strategy utilizing multiple security layers is advocated to better protect against deepfake exploits.
The urgency to adapt security measures follows incidents like manipulated AI-generated images of celebrities shared virally online. | Details |
| 2024-02-01 18:20:49 | bleepingcomputer | MALWARE | Malicious VajraSpy RAT Infects Android Users via Google Play Apps | Malware named VajraSpy was discovered in 12 Android applications, with 6 being distributed through Google Play.
Apps infected with VajraSpy could steal personal data, record phone calls, and gain extensive access to infected devices.
ESET attributed the VajraSpy campaign to the Patchwork APT group, which has been active since 2015.
These malicious apps posed as messaging or news applications and were primarily targeting users in Pakistan.
The VajraSpy malware functions as a RAT and spyware with modular capabilities, depending on the permissions it acquires.
Victims likely installed the fake apps after being deceived through romance scams.
ESET researchers recommend against downloading unknown chat apps to avoid such malware infections.
Despite new security policies, threat actors continue to successfully distribute harmful applications via Google Play. | Details |
| 2024-02-01 17:19:20 | theregister | DATA BREACH | Biden Vows to Veto Efforts to Overturn SEC Breach Reporting Rule | The Biden administration has declared a strong opposition to efforts by Congress to invalidate the SEC's data breach reporting rule.
Senate Joint Resolution 50 and House Joint Resolution 100 aim to nullify the SEC requirement that public companies disclose a cyber incident within four business days of determining that it is material.
These SEC rules focus on incidents that can significantly affect a company's financial health and investor risk.
The White House believes that increased transparency about cyber incidents will encourage better investment in cybersecurity.
President Biden is prepared to use his veto power against the resolution that seeks to roll back the SEC's reporting requirement.
The current debate reflects a larger dispute about the roles of the SEC, CISA, and FTC in managing cyber incident reporting obligations.
Despite objections from some lawmakers, the requirement for prompt breach reporting is seen as beneficial in reducing ransomware payment rates and reinforcing economic security. | Details |
| 2024-02-01 17:13:50 | bleepingcomputer | MALWARE | PurpleFox Malware Compromises Over 2,000 Computers in Ukraine | CERT-UA warns of PurpleFox malware infecting at least 2,000 computers across Ukraine.
PurpleFox, also known as DirtyMoe, is a modular Windows botnet malware with rootkit capabilities for concealment and persistence.
The malware serves multiple functions including acting as a downloader for further payloads, providing backdoor access, and enabling DDoS attacks.
New versions of PurpleFox have switched to WebSocket for C2 communications, increasing stealth, with disguised campaigns like a counterfeit Telegram desktop app.
Ukrainian computers were identified as infected through IoCs provided by Avast and Trend Micro, monitored over January 20-31, 2024.
CERT-UA advises isolation and network segmentation for outdated systems alongside specific removal recommendations due to the challenges posed by PurpleFox's rootkit component.
The majority of identified control server IP addresses associated with infections are located in China, hinting at the potential origin of attacks.
The agency provides guidance on detecting infections and emphasizes the significance of firewall rules to prevent re-infection. | Details |
| 2024-02-01 15:51:48 | thehackernews | MALWARE | FritzFrog Botnet Exploits Log4Shell and PwnKit Flaws for Malware Spread | The FritzFrog P2P botnet has resurfaced with a new variant that exploits the Log4Shell vulnerability for internal network propagation.
Originally detected in 2020, the Golang-based malware targets internet-facing servers with weak SSH credentials, primarily aiming at the healthcare, education, and government sectors.
The new variant exploits Log4Shell against internal hosts that were never patched because they were not internet-facing, so an organization that patched only its perimeter remains exposed once FritzFrog gains a single foothold inside.
The updated version still brute-forces SSH, but it now reads system logs on infected hosts to enumerate likely internal targets rather than scanning blindly.
The malware now incorporates PwnKit, tracked as CVE-2021-4034, to achieve local privilege escalation.
FritzFrog is designed to remain undetected, avoiding file drops on the disk by using in-memory payloads via /dev/shm and memfd_create.
Akamai's report also noted a separate InfectedSlurs botnet that exploits patched vulnerabilities in DVR devices from Hitron Systems for DDoS attacks. | Details |
| 2024-02-01 15:36:00 | bleepingcomputer | CYBERCRIME | Unofficial Patches Released for New Windows Zero-Day Vulnerability | A new zero-day flaw, known as EventLogCrasher, allows attackers to remotely crash the Event Log service on Windows devices.
The vulnerability impacts all versions of Windows, from Windows 7 to Windows 11, and Server editions from 2008 R2 to Server 2022.
Microsoft has acknowledged the flaw but has not provided an official patch, stating that the issue was a duplicate of a 2022 vulnerability.
Varonis previously disclosed a similar unpatched flaw named LogCrusher, which could be exploited by any domain user to crash the Event Log service.
To exploit the zero-day, attackers require network access to the target device and any valid credentials, enabling them to disrupt logging and evade detection.
The Event Log service crash affects SIEM and IDS systems, preventing the ingestion of new events and thus hindering security alerts.
0patch, a micropatching service, has released free unofficial patches for the vulnerability, available until Microsoft issues official security updates.
Users can apply the unofficial patches without a system restart by creating a 0patch account and installing the 0patch agent on their Windows systems. | Details |
| 2024-02-01 14:19:02 | theregister | CYBERCRIME | LockBit Ransomware Gang Demands $800K from Children's Hospital | Ransomware group LockBit attacked Saint Anthony Hospital in Chicago, demanding an $800,000 ransom, despite the hospital's non-profit status.
The hospital confirmed the cyberattack and stated that files containing patient information were copied, but no medical or financial records were accessed.
Patient care continued without interruption, and Saint Anthony Hospital has taken steps to enhance security and is cooperating with investigations by the FBI and regulatory bodies.
LockBit has previously shown leniency towards non-profits, even apologizing and providing a decryptor for a similar incident involving Toronto's SickKids hospital.
The group is now taking a more ruthless line, either having changed its policy or not caring whether a target is a non-profit.
All patients have been advised to monitor for identity or financial fraud and offered a year of free credit monitoring as Saint Anthony reviews and notifies those affected by the data theft. | Details |
| 2024-02-01 13:52:59 | bleepingcomputer | CYBERCRIME | CISA Mandates Immediate Disconnect of Vulnerable Ivanti VPNs | The Cybersecurity and Infrastructure Security Agency (CISA) has ordered the disconnection of Ivanti VPN appliances due to exploitation of multiple security vulnerabilities.
Federal agencies must disconnect Ivanti Connect Secure and Policy Secure VPN appliances by Saturday to avoid potential breaches.
Ivanti has released patches for certain software versions and provided mitigations for its Connect Secure, Policy Secure, and ZTA gateways.
Ivanti recommends factory resetting vulnerable devices before patching to eliminate any attackers' foothold.
Over 22,000 Ivanti ICS VPNs are exposed online, and nearly 390 devices were found compromised as of January 31.
After disconnecting, agencies must hunt for signs of compromise and monitor at-risk authentication services, audit privileges, and isolate systems.
A comprehensive recovery plan includes factory resets, software rebuilds using patched versions, revocation of exposed credentials, and assuming domain account compromise with necessary resets and revocations.
Federal agencies must report progress and status to CISA and regularly update until all required actions are completed or the directive is otherwise terminated. | Details |
| 2024-02-01 13:42:31 | thehackernews | MALWARE | Commando Cat Targets Exposed Docker APIs in Cryptojacking Campaign | A cryptojacking campaign dubbed Commando Cat is exploiting internet-facing Docker API endpoints.
Security researchers from Cado Security reported that the attackers start a container from a benign image and then break out of it to execute multiple payloads on the Docker host.
Active since early 2024, Commando Cat follows on the heels of a similar campaign targeting vulnerable Docker hosts for cryptocurrency mining.
Commando Cat's modus operandi consists of gaining initial access via Docker, establishing persistence, exfiltrating credentials, and deploying the XMRig miner.
Attackers use a crafted container with the chroot command to break out of container restrictions and run various checks to avoid competition with other malware.
Additional payloads include backdooring the host, adding a rogue user, collecting credentials, and employing evasion tactics like using memory-backed file storage for operations.
The campaign culminates in the deployment of XMRig after removing competing miners, indicating a focus on financial gain through cryptojacking.
Linkage to previous cryptojacking groups such as TeamTNT suggests the possible involvement of a copycat group or related actors. | Details |
| 2024-02-01 11:45:00 | thehackernews | NATION STATE ACTIVITY | U.S. Authorities Dismantle Chinese-Linked KV-Botnet Targeting Routers | The U.S. government has disrupted a China-linked botnet, known as KV-botnet, that compromised small office/home office (SOHO) routers.
Law enforcement activities were aimed at a threat actor called Volt Typhoon (aka DEV-0391, Bronze Silhouette, Vanguard Panda) with suspected state sponsorship.
Most affected routers were end-of-life Cisco and NETGEAR devices no longer supported by security updates, making them vulnerable to exploitation.
The botnet facilitated covert data transfer and anonymized cyber espionage activities by creating encrypted channels through compromised routers.
An FBI operation remotely removed the botnet malware and took additional steps to cut off the connection to the command-and-control network.
Victims were being notified about the botnet and the infection, while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released new guidelines for SOHO device security.
The measures to remove the routers from the botnet are temporary and devices could be reinfected upon reboot.
The Chinese government denied any involvement, terming the allegations a "disinformation campaign." | Details |
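The FritzFrog entry above notes that the malware avoids dropping files by staging payloads through /dev/shm and memfd_create, and the Commando Cat entry describes the same memory-backed staging. The following is an added example, not code from Akamai's or Cado Security's reports, showing what those techniques leave behind in procfs and how a responder can sweep a Linux host for them. The path prefixes, reason strings and constructed process records are this example's own assumptions.

```python
"""Flag Linux processes that execute from memory-backed storage.

Added example (not code from the FritzFrog or Commando Cat write-ups).
It checks the artifacts both summaries describe: an executable image
created with memfd_create(2), which the kernel reports as "/memfd:<name>"
in /proc/PID/exe, and executables or mapped files under tmpfs paths such
as /dev/shm. Prefixes and reason strings are assumptions of this example.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MEMFD_PREFIX = "/memfd:"                     # readlink(/proc/PID/exe) for a memfd-backed image
TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")  # memory-backed filesystems abused as drop zones
DELETED = " (deleted)"                       # appended by the kernel once the inode is unlinked


@dataclass
class ProcInfo:
    """What the scanner needs from one /proc/PID entry."""
    pid: int
    exe: str                                        # readlink target of /proc/PID/exe
    maps: List[str] = field(default_factory=list)   # pathname column of /proc/PID/maps


def classify(info: ProcInfo) -> List[str]:
    """Return the reasons a process looks fileless; an empty list means nothing found."""
    reasons: List[str] = []
    exe = info.exe[:-len(DELETED)] if info.exe.endswith(DELETED) else info.exe
    if exe.startswith(MEMFD_PREFIX):
        reasons.append("exe is a memfd image")
    elif exe.startswith(TMPFS_PREFIXES):
        reasons.append(f"exe lives on tmpfs: {exe}")
    elif info.exe.endswith(DELETED):
        reasons.append("exe unlinked after exec")
    for path in info.maps:
        if path.startswith(MEMFD_PREFIX) or path.startswith(TMPFS_PREFIXES):
            reasons.append(f"maps memory-backed file: {path}")
            break
    return reasons


def read_proc(pid: int, proc_root: str = "/proc") -> Optional[ProcInfo]:
    """Collect exe and mapped paths for one PID; None if it vanished or is unreadable."""
    base = os.path.join(proc_root, str(pid))
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        return None  # kernel thread, already exited, or insufficient privilege
    maps: List[str] = []
    try:
        with open(os.path.join(base, "maps")) as fh:
            for line in fh:
                fields = line.split(None, 5)  # address perms offset dev inode [pathname]
                if len(fields) == 6:
                    maps.append(fields[5].strip())
    except OSError:
        pass
    return ProcInfo(pid, exe, maps)


def scan(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a procfs tree and return {pid: reasons} for every suspicious process."""
    hits: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            info = read_proc(int(name), proc_root)
            if info is not None:
                reasons = classify(info)
                if reasons:
                    hits[info.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print(f"{pid}: {'; '.join(reasons)}")
```

Run it as root so every /proc/PID/exe is readable. A plain `ls /dev/shm` misses a payload that was executed and then unlinked; the /proc view survives until the process exits, which is why the sweep reads procfs rather than the filesystem. Treat hits as leads: some runtimes and sandboxes use memfd legitimately.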
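The EventLogCrasher entry above makes the point that a crashed Event Log service stops the flow of events to the SIEM, so the symptom an analyst can actually observe sits on the collector side. The following is an added example, not code from the BleepingComputer or 0patch write-ups: a collector-side check over a constructed batch of received events that flags hosts whose feed went silent and hosts whose Event Log service keeps coming back without having been stopped cleanly. Host names, timestamps, the 15-minute gap and the restart threshold are assumptions of the example; the event IDs 6005 and 6006 are the standard System-log start/stop records of the Event Log service.

```python
"""Detect Windows hosts whose Event Log feed has gone dark or keeps restarting.

Added example (not code from the original page). Input is what a SIEM has
already received: (time received, host, Windows event ID). The sample
events, host names and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, int]       # (time received, host, Windows event ID)
EVENTLOG_STARTED = 6005                  # System log: "The Event log service was started"
EVENTLOG_STOPPED = 6006                  # System log: "The Event log service was stopped"


def silent_hosts(events: List[Event], now: datetime,
                 max_gap: timedelta = timedelta(minutes=15)) -> List[str]:
    """Hosts that have sent at least one event but nothing within max_gap of now."""
    last_seen: Dict[str, datetime] = {}
    for ts, host, _ in events:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def abnormal_restarts(events: List[Event], now: datetime,
                      window: timedelta = timedelta(hours=24),
                      threshold: int = 2) -> Dict[str, int]:
    """Hosts whose Event Log service started more often than it was stopped cleanly.

    A 6005 with no 6006 to pair with means the service came back without an
    orderly shutdown: a crash or a kill. One unmatched start is expected after a
    boot; two or more inside the window means at least one restart nobody asked
    for. Heuristic only, tuned via `threshold`.
    """
    starts: Dict[str, int] = defaultdict(int)
    stops: Dict[str, int] = defaultdict(int)
    for ts, host, eid in events:
        if now - ts > window:
            continue
        if eid == EVENTLOG_STARTED:
            starts[host] += 1
        elif eid == EVENTLOG_STOPPED:
            stops[host] += 1
    return {h: starts[h] - stops[h] for h in starts if starts[h] - stops[h] >= threshold}


# Constructed sample: four hosts, one silent, one bouncing its Event Log service.
NOW = datetime(2024, 2, 1, 12, 0, 0)
SAMPLE_EVENTS: List[Event] = [
    (NOW - timedelta(minutes=2), "dc01", 4624),
    (NOW - timedelta(minutes=1), "dc01", 4624),
    (NOW - timedelta(minutes=40), "file01", 4624),        # nothing since: feed went dark
    (NOW - timedelta(hours=3), "ws07", EVENTLOG_STARTED),  # boot
    (NOW - timedelta(hours=2), "ws07", EVENTLOG_STARTED),  # came back with no 6006 before it
    (NOW - timedelta(hours=1), "ws07", EVENTLOG_STARTED),  # and again
    (NOW - timedelta(minutes=3), "ws07", 4624),
    (NOW - timedelta(hours=5), "print02", EVENTLOG_STOPPED),             # planned stop ...
    (NOW - timedelta(hours=4, minutes=59), "print02", EVENTLOG_STARTED), # ... matched by a start
    (NOW - timedelta(minutes=4), "print02", 4624),
]


def report(events: List[Event], now: datetime) -> Dict[str, object]:
    """Bundle both checks so the caller gets one verdict per batch."""
    return {"silent": silent_hosts(events, now), "restarts": abnormal_restarts(events, now)}


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS, NOW))
```

A silent feed is equally consistent with a network outage or a decommissioned host, so the alert is a prompt to correlate, for instance with the host still answering on the network or still appearing in EDR telemetry; a host that is up but no longer logging is the case the entry describes.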
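The Commando Cat entry above hinges on a Docker API that answers unauthenticated requests from the network. The following is an added example, not code from Cado Security's write-up, that audits the two places that setting lives, /etc/docker/daemon.json and the dockerd command line, and reports TCP listeners that lack TLS client verification. The weak and hardened configurations are constructed for the example; the `hosts` and `tlsverify` keys and the `-H` flag are dockerd's own.

```python
"""Audit how a Docker daemon exposes its API.

Added example (not code from the Commando Cat report). It merges the
listen addresses from daemon.json and from dockerd flags, then flags every
TCP listener that is reachable beyond loopback without --tlsverify, which
is the exposure the campaign needs. Sample configs below are constructed.
"""
import json
import shlex
from typing import List, Tuple
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ANY_ADDR = {"", "0.0.0.0", "::"}
Finding = Tuple[str, str]   # (severity, message)


def collect_hosts(daemon_json: str, cmdline: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, tlsverify enabled) from daemon.json plus dockerd flags."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts: List[str] = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1                                   # consume the value
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:  # -Htcp://... form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    if not hosts:
        hosts.append("unix:///var/run/docker.sock")  # dockerd's default listener
    return hosts, tlsverify


def assess(hosts: List[str], tlsverify: bool) -> List[Finding]:
    """Describe each API listener that a remote party could reach."""
    findings: List[Finding] = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue                     # unix:// and fd:// are local-only
        addr = (u.hostname or "")        # urlsplit strips IPv6 brackets and lowercases
        if addr in LOOPBACK:
            continue                     # only local processes can connect
        scope = "every interface" if addr in ANY_ADDR else addr
        if tlsverify:
            findings.append(("INFO", f"{h}: TCP API on {scope}, client certificates required"))
        else:
            findings.append(("HIGH", f"{h}: TCP API on {scope} with no authentication"))
    return findings


# Constructed configurations: the exposure Commando Cat abuses, and a hardened variant.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for sev, msg in assess(*collect_hosts(cfg, "dockerd")):
            print(f"[{sev}] {label}: {msg}")
```

Two caveats when applying this to a live host: read the flags from the running process (`/proc/<pid>/cmdline` of dockerd) rather than from a unit file, and remember that on systemd-based distributions the unit usually passes `-H fd://`, which conflicts with a `hosts` key in daemon.json and must be reconciled before the daemon will start. Even with client certificates in place, a Docker API listener is root-equivalent for anyone holding a valid certificate, so network restrictions belong in front of it.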