Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11762
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-01 11:23:53 | thehackernews | MALWARE | HeadCrab 2.0: Enhanced, Fileless Malware Hits Redis Servers | The HeadCrab malware, first reported a year ago, has been updated to a new variant, HeadCrab 2.0, that targets Redis database servers for cryptocurrency mining. Aqua's researchers report that the number of infected Redis servers has nearly doubled, with an additional 1,100 servers compromised, bringing the total to around 2,300. HeadCrab 2.0 can execute shell commands, load fileless kernel modules, and exfiltrate data, forming a cryptomining botnet without needing to store files on disk. The threat actor behind HeadCrab justifies their actions by stating that cryptocurrency mining is legal in their country, and aims to earn $15,000 annually. This updated version employs advanced evasion techniques, including a fileless loader and abuse of the Redis MGET command for covert command-and-control communication. The malware's evolution toward a minimal forensic trail poses significant challenges for detection and highlights the need for ongoing security research and vigilant monitoring. | Details |
| 2024-02-01 11:23:53 | thehackernews | MISCELLANEOUS | Enhancing Your Vulnerability Management with Succinct Metrics | Effective vulnerability management requires key metrics to assess program performance and ROI. Prioritization of vulnerabilities based on severity and business impact is critical to maintaining security. Vital metrics include scan coverage, average time to fix, risk score, issue detection time, and progress measurement. Scan coverage should encompass all assets, with attention to changes and growth in your IT environment. The average time to fix indicates the responsiveness of the security team to vulnerabilities. Intelligent results and reduction of false positives help security teams focus on the most critical issues. Attack surface monitoring is essential to keep track of protected assets and detect new services or exposures. Tools like Intruder provide prioritized reporting, simplifying compliance and risk management for organizations. | Details |
| 2024-02-01 07:45:49 | thehackernews | MALWARE | New Malware Targets Ivanti VPN Vulnerabilities, Linked to China | Google's Mandiant identified new malware exploiting Ivanti VPN vulnerabilities, linked to the China-nexus espionage group UNC5221. Custom web shells BUSHWALK, CHAINLINE, and FRAMESTING, together with a LIGHTWIRE variant, were used in the sophisticated attacks. Attackers exploited the zero-days CVE-2023-46805 and CVE-2024-21887, enabling unauthenticated command execution with elevated privileges on Ivanti devices. Germany's BSI reported multiple compromised systems, highlighting the international impact. Ivanti disclosed additional vulnerabilities, CVE-2024-21888 and CVE-2024-21893, and released fixes to combat exploitation. UNC5221's tactics include using open-source utilities for post-exploitation activities such as reconnaissance, lateral movement, and data exfiltration. The malware and associated attacks showcase UNC5221's strategic targeting of industries valuable to Chinese interests. | Details |
| 2024-02-01 05:12:38 | thehackernews | CYBERCRIME | CISA Alerts on Widespread Exploitation of Apple OS Vulnerability | CISA has identified active exploitation of a severe vulnerability (CVE-2022-48618) in Apple's operating systems. The flaw affects the kernel component in iOS, iPadOS, macOS, tvOS, and watchOS, with a CVSS score of 7.8. Apple has acknowledged that this vulnerability allows attackers to bypass Pointer Authentication, potentially affecting versions of iOS released before iOS 15.7.1. Apple previously patched a similar kernel flaw (CVE-2022-32844) in July 2022 and released updates addressing CVE-2022-48618 on December 13, 2022. Details on how CVE-2022-48618 is being exploited in attacks remain unclear, but patches have been available since the release of multiple OS updates in December 2022. CISA has advised Federal Civilian Executive Branch agencies to implement the fixes by February 21, 2024. Beyond iOS devices, Apple has recently issued patches for a critical WebKit browser engine flaw (CVE-2024-23222), now also fixed on the Apple Vision Pro headset with visionOS 1.0.2. | Details |
| 2024-02-01 01:33:43 | theregister | NATION STATE ACTIVITY | China's Planned Cyber Operations Threaten U.S. Infrastructure and Society | FBI Director Christopher Wray and other officials briefed the U.S. House committee on Chinese cyber threats targeting American critical infrastructure. Information discussed includes the intent of Chinese hackers to disrupt U.S. water treatment, energy, transportation, and communication systems to incite societal chaos. The FBI disrupted the activities of a Chinese botnet, Volt Typhoon, that had infected outdated routers and attempted to infiltrate critical infrastructure. U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly emphasized the real threat posed by Chinese operatives deeply embedded in U.S. critical systems. The possibility of large-scale disruptions is linked to hypothetical scenarios such as a Chinese invasion of Taiwan and the resulting U.S. support for Taiwan. There is a cyber imbalance, with Chinese cyber spies greatly outnumbering FBI cyber agents, highlighting the need for enhanced public-private cybersecurity partnerships and skills development. Officials stress the need for robust cybersecurity measures, urging that software companies be held accountable for the security of their products and advocating secure-by-design technologies. | Details |
| 2024-01-31 22:35:25 | bleepingcomputer | MALWARE | Hackers Utilize Legitimate Sites to Host USB Malware Payloads | A cybercriminal group, UNC4990, uses USB devices to deploy malware, hosting its intermediate payloads on legitimate online platforms like GitHub, Vimeo, and Ars Technica. The malicious campaign, primarily targeting Italian users since 2020, begins with victims unknowingly opening a harmful LNK shortcut on a USB drive. The shortcut triggers a PowerShell script that downloads an intermediary payload disguised as benign content on popular sites, which then installs the EMPTYSPACE malware downloader. These intermediary payloads, hidden in plain sight and encrypted, are downloaded from platforms often considered trustworthy, allowing them to evade typical security detection methods. The EMPTYSPACE loader subsequently installs a multi-functional backdoor named QUIETBOARD and cryptocurrency miners that have generated over $55,000 for the attackers. Mandiant researchers emphasize the challenge of such attacks, as they exploit conventionally trusted sources and complicate the identification and removal of the malicious payloads. The sophisticated nature of QUIETBOARD allows for persistent and modular attacks, reflecting the threat actor's ongoing refinement of tactics and experimentation with their attack chains. | Details |
| 2024-01-31 20:02:35 | thehackernews | CYBERCRIME | Multiple runC Vulnerabilities Threaten Container Security | Multiple flaws have been discovered in the runC command line tool that could lead to container escapes and unauthorized host access. The vulnerabilities, identified as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, could allow attackers to access sensitive data and escalate privileges. runC, integral to Linux container creation and originally part of Docker, is now a critical independent open-source component. CVE-2024-21626 is particularly severe as it involves misusing the `WORKDIR` command to achieve a container escape. There are currently no known exploits in the wild leveraging these vulnerabilities. Updates fixing these vulnerabilities are available in runC version 1.1.12, and immediate updating is advised. Users are recommended to check for updates from all vendors providing container runtime environments to ensure security. In the past, runC had addressed a similar high-severity flaw that also allowed attackers to obtain root access on the host. | Details |
| 2024-01-31 19:26:23 | theregister | NATION STATE ACTIVITY | FBI Disrupts Chinese Botnet Targeting US Infrastructure | The FBI successfully issued a remote command to dismantle the Volt Typhoon botnet, which infected outdated routers to compromise US critical infrastructure. Attackers from China exploited weaknesses in end-of-life Cisco and Netgear routers to establish a network targeting the communications, energy, transportation, and water sectors. The FBI's infiltration led to the harvesting of critical data from the botnet and the subsequent erasure of malware from the affected devices. Law enforcement used court-approved warrants to remotely search for and eliminate the malicious software on compromised routers, seizing pivotal information regarding the illicit activities. Federal authorities, along with international partners, first identified the threat in May 2023 and released a public warning about vulnerabilities in small office/home office (SOHO) router interfaces. CISA and the FBI have urged manufacturers to fix defects and enhance security in SOHO routers to protect against such infiltrations in the future. | Details |
| 2024-01-31 19:26:23 | bleepingcomputer | DATA BREACH | Europcar Debunks Claims of a 50 Million User Data Leak | Europcar denies a data breach after a seller claimed to offer details for 50 million users on a hacking forum. Shared customer data in the post was declared fake by Europcar, citing inconsistencies and artificial data generation. The data sample allegedly contained names, addresses, and driver's license numbers but was inconsistent with Europcar's records. Security expert Troy Hunt asserts the data was fabricated, but not by artificial intelligence, noting discrepancies in email and username matches. Some of the email addresses in the sample were involved in past breaches, indicating a potential compilation of previously leaked info. Security researchers highlight that there are tools available to create realistic-looking fake data, which might have been used in this case. The incident highlights the complexity of validating the authenticity of data in potential breaches and the misuse of buzzwords like "AI" for credibility. | Details |
| 2024-01-31 19:20:16 | theregister | RANSOMWARE | Dramatic Decline in Ransomware Payments as Trust in Data Recovery Fades | The share of ransomware victims who pay has fallen to 29%, a significant drop from 85% in 2019. Awareness and better preparation, such as improved data backups, have contributed to this decline. Coveware's report highlights growing skepticism that ransomware groups will honor their promises. Payment rates for data exfiltration incidents have also dropped, with only 26% choosing to pay, compared to 53% two years ago. Coveware cautions against a nationwide ban on ransomware payments, suggesting it may lead to more under-the-table transactions and less compliance with reporting. Effective responses include safe harbor provisions, collaboration with law enforcement, and continued promotion of cybersecurity awareness. The report asserts that changing the incentives for victims and imposing greater costs on threat actors is crucial in battling ransomware. | Details |
| 2024-01-31 19:20:16 | bleepingcomputer | MALWARE | Android Flaw Affects Multiple OEMs, PoC Exploit Released | A PoC exploit for a local privilege elevation flaw in Android, impacting at least seven OEMs, is available on GitHub. The vulnerability, tracked as CVE-2023-45779, was discovered by Meta's Red Team X and fixed in the December 2023 security update. APEX modules signed with test keys can be compromised, leading to local privilege elevation and full device compromise. Android devices patched to security patch level 2023-12-05 or later are protected against this vulnerability. Affected devices include models from ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, and Fairphone. The vulnerability highlights the need for improvements in Android's Compatibility Test Suite (CTS) and documentation. The exploit requires physical access, making the risk to unpatched devices modest, but it poses a threat in combination with other exploits. Google, Samsung, Xiaomi, OPPO, Sony, Motorola, and OnePlus devices were not affected because they sign their APEX modules with their own private keys. | Details |
| 2024-01-31 19:04:42 | bleepingcomputer | CYBERCRIME | CISA Alerts on Active Exploits Targeting Apple Kernel Vulnerability | The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a kernel security flaw in Apple devices that is being actively exploited in the wild. The vulnerability, identified as CVE-2022-48618, affects iPhones, Macs, Apple TVs, and watches, potentially giving attackers arbitrary read and write access. Apple's security researchers discovered the flaw, which can bypass Pointer Authentication, a critical memory corruption mitigation feature. Devices running iOS 16.2, iPadOS 16.2, macOS Ventura, tvOS 16.2, and watchOS 9.2 or later have received security updates addressing this issue. CISA has mandated that federal agencies patch affected systems by February 21st, under the authority of a binding operational directive from November 2021. Apple's recent updates also addressed the first zero-day bug of the year and two additional WebKit zero-days for various Apple device models. | Details |
| 2024-01-31 17:47:30 | theregister | CYBERCRIME | Outdated Cisco Vulnerability Linked to Akira Ransomware Attacks | A nearly four-year-old Cisco vulnerability is suspected of being exploited by the Akira ransomware group. The Cisco flaw, CVE-2020-3259, could let attackers access sensitive information such as usernames and passwords. TrueSec's incident response engagements reveal this vulnerability as an entry point, despite it having been patched in May 2020. There is no public exploit code available, suggesting the exploit used by the attackers might be privately developed or acquired. TrueSec advises organizations running Cisco AnyConnect to determine when the patch was applied. Absent conclusive evidence, indicators such as logins with legitimate credentials and the absence of phishing or password attacks suggest the exploit was used. Organizations are recommended to enforce broad password resets and enable Multi-Factor Authentication (MFA). The vulnerability was originally discovered by a Russian security firm sanctioned by the US, hinting at the possibility that cybercriminals and nation-states might share resources or knowledge. | Details |
| 2024-01-31 17:47:29 | bleepingcomputer | NATION STATE ACTIVITY | FBI Disrupts State-Backed Chinese Botnet Targeting U.S. Infrastructure | The FBI successfully disrupted the KV Botnet, linked to the Chinese state-backed Volt Typhoon hackers, and cleared its malware from numerous small office/home office (SOHO) routers. Affected devices included Netgear ProSAFE, Cisco RV320, and DrayTek Vigor routers and Axis IP cameras, allowing malicious traffic to blend with legitimate network activity. The botnet was part of a broader campaign by Chinese hackers against U.S. critical infrastructure sectors, including communications, energy, transportation, and water. Initiated with a court order on December 6th, the FBI's operation hacked into the botnet's C2 server, disconnecting infected devices and preventing reconnection. The operation removed the botnet's malware and blocked future communication with the controlling devices to mitigate further threats. Vendors of SOHO routers were advised by CISA and the FBI to automate security updates and prioritize security during the design phase to prevent similar vulnerabilities. Past disclosures revealed that the KV Botnet has been part of incursions into U.S. military, telecom, and other vital organizations since at least mid-2021. | Details |
| 2024-01-31 17:16:42 | theregister | NATION STATE ACTIVITY | Chinese Cyber Espionage Targets Strategic U.S. Systems | Volt Typhoon, a Chinese government-backed cyberespionage group, has infiltrated U.S. energy, satellite, and telecommunications systems, with a focus on strategic sites that would matter in a conflict. The FBI recently disabled parts of Volt Typhoon's cyber campaign, following Dragos CEO Robert Lee's revelation that the group has been targeting industrial control systems (ICS) for about 18 months. Lee warns that Volt Typhoon possesses the resources and expertise to develop advanced industrial malware akin to Pipedream, capable of causing physical destruction across a variety of industries. Pipedream, also known as Incontroller, allows operators to disrupt critical industrial equipment without exploiting specific system vulnerabilities, a threat that cannot be mitigated by software or firmware updates alone. U.S. government agencies have issued warnings about potential Pipedream attacks on programmable logic controllers and servers from notable vendors, indicating that critical infrastructure remains at risk. The spread of such sophisticated ICS cyber tools to criminals is a concerning possibility, as it could lead to more common and destructive attacks outside of national conflict scenarios. Easy access to such cyber weapons for criminal groups could result in a surge of devastating attacks on industrial and OT environments, echoing the widespread adoption of tools like Cobalt Strike by ransomware gangs. | Details |