Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 11762

Checks for new stories every ~15 minutes

2024-01-31 16:15:20 bleepingcomputer NATION STATE ACTIVITY U.S. Agencies Warn of Chinese Hacking Threat Targeting SOHO Routers
CISA, with FBI collaboration, has directed SOHO router manufacturers to enhance security measures due to attacks by the Volt Typhoon group (Chinese state-sponsored hackers). Manufacturers are asked to fix vulnerabilities in router web management interfaces and improve default configurations to increase update automation and security. The Volt Typhoon group is exploiting numerous SOHO routers to attack U.S. critical infrastructure, using the devices as a platform for further intrusions. The requested measures also include disclosing vulnerabilities through the CVE program with accurate CWE classification. The Volt Typhoon group, also linked to the KV-botnet malware, has been actively targeting such devices since August 2022. U.S. critical infrastructure, including military bases in Guam and other key entities, has been compromised by these state-sponsored attacks. Some of Volt Typhoon's infrastructure was reportedly dismantled by U.S. government actions, signaling ongoing countermeasures against the group's operations.
2024-01-31 15:49:36 theregister CYBERCRIME Ivanti Releases Patches for VPN Vulnerabilities Amid Active Exploits
Ivanti has released patches for Connect Secure and Policy Secure gateway vulnerabilities, while two more zero-days have been discovered. The currently exploited vulnerabilities allow remote, unauthenticated code execution, and Ivanti is releasing patches for product versions in an order based on the number of installs. Admins are urged to reset devices to factory settings before patching, to remove any attacker persistence. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted that attackers have found ways to bypass Ivanti's previous mitigations. Ivanti's latest patches address high-severity zero-days CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery). Despite the patch release, some product versions remain unpatched, and customers must apply mitigations and actively monitor for signs of compromise. Ivanti emphasizes the critical need for customers to apply these patches immediately to protect against potential attacks.
2024-01-31 14:58:16 bleepingcomputer CYBERCRIME Johnson Controls Hit with Costly Ransomware Attack and Data Breach
Johnson Controls International faced a ransomware attack in September 2023, resulting in $27 million in direct expenses and significant data theft. The cybersecurity incident initially began with a breach in the company's Asia offices before spreading across its network, disrupting IT infrastructure and impacting customers. The Dark Angels ransomware gang claimed responsibility for the attack, demanding a $51 million ransom and allegedly stealing over 27 TB of confidential data. The attack's financial impact included lost and deferred revenues, with expenses related to response and remediation, partially offset by insurance recoveries. Johnson Controls confirmed the nature of the incident in a U.S. SEC filing, detailing unauthorized access, data exfiltration, and deployment of ransomware on part of its IT systems. The company is working with external cybersecurity experts to manage ongoing risks and expects the financial impact to increase as the full extent of the data breach is evaluated. Despite the attack, Johnson Controls assures that all unauthorized activity has been contained and that its digital products and services are fully operational.
2024-01-31 13:46:52 bleepingcomputer CYBERCRIME Ivanti Discloses Zero-Day Exploits and Releases Security Patches
Ivanti announced the discovery of two security vulnerabilities, one of them a zero-day being actively exploited, affecting its Connect Secure, Policy Secure, and ZTA gateways. The zero-day vulnerability (CVE-2024-21893) allows attackers to bypass authentication due to a server-side request forgery issue in the gateways' SAML component. A second flaw (CVE-2024-21888) enables threat actors to escalate their privileges to the level of an administrator on affected devices. While the company indicates limited known impact, it released patches for the vulnerabilities, including for two additional zero-days previously disclosed in January. The security patches were accompanied by mitigation instructions and recovery steps to help compromised organizations restore their systems. The Emergency Directive (ED 24-01) from CISA mandates that federal agencies address the Ivanti zero-day flaws, highlighting the severity and widespread nature of the exploitation. The exploits have been used in attacks leading to lateral movement within networks, data theft, and persistent access, with victims ranging from small businesses to Fortune 500 firms in various sectors. Cybersecurity firms have observed the deployment of custom malware, webshells, and cryptocurrency miners on compromised systems.
2024-01-31 13:41:38 thehackernews CYBERCRIME Ivanti Alerts on Zero-Day Flaws, Urges Action to Thwart Hackers
Ivanti has disclosed two high-severity zero-day vulnerabilities in its Connect Secure and Policy Secure products. One vulnerability, CVE-2024-21893, is currently being exploited by attackers targeting specific entities. Although no impacts have been reported for CVE-2024-21888, Ivanti warns of an expected uptick in exploitation attempts post-disclosure. Patches have been released for various product versions; Ivanti suggests a factory reset before applying the patch for increased security. Mitigation steps include importing a specific XML file as a stopgap measure until patches can be applied. These disclosures follow the exploitation of other Ivanti product flaws, leading to unauthorized deployments of backdoors and malware.
2024-01-31 12:24:43 thehackernews CYBERCRIME Telegram Facilitates Phishing with Accessible Cybercrime Tools
Telegram has become a hub for cybercriminal activity, offering tools and data for phishing attacks at low cost. Researchers from Guardio Labs highlighted the "democratization" of phishing, with resources available to both experienced and novice cybercriminals. Phishing kits, tutorials, and hacker-for-hire services that were previously found only on dark web forums are now easily accessible on Telegram. Tools such as the Telekopye bot can automate the creation of fraudulent web pages, emails, and SMS messages for large-scale phishing scams. Telegram marketplaces sell "letters" and "leads": convincingly crafted messages, and lists of targeted victims with their personal information. Compromised but legitimate websites are exploited to host scam pages and send phishing emails that bypass spam filters. Stolen credentials are monetized by selling them to other criminals, showing a significant return on investment for attackers. The prevalence of these services on Telegram underscores the need for site owners to protect their platforms from being misused for malicious purposes.
2024-01-31 11:06:43 thehackernews CYBERCRIME The SEC Introduces Rigorous SaaS Cybersecurity Rules for Registrants
The SEC has expanded its cybersecurity disclosure and preparedness rules to include data stored in SaaS systems and associated third-party applications. The new regulations require public companies to report cyber incidents promptly, without distinction between on-premises, cloud, or SaaS data storage environments. The SEC's actions reflect a growing concern about the frequency of cybersecurity incidents, particularly in the SaaS space, even though organizations believe their cybersecurity maturity is sufficient. SaaS-to-SaaS connections, often established without IT department approval, expose organizations to new risks, as traditional security tools cannot detect these configurations. A significant number of enterprises have undocumented SaaS-to-SaaS connections, which could provide unauthorized pathways into sensitive data. The SEC's move is motivated by its responsibility to protect investors, as data breaches can be as material to investors as physical asset losses. The rules focus not only on incident disclosure but also on preventative measures, requiring CISOs to detail their cybersecurity risk management processes. SaaS Security Posture Management (SSPM) tools are recommended to monitor configurations and permissions across SaaS applications and to manage compliance with the new SEC regulations.
2024-01-31 11:01:38 thehackernews MALWARE Cryptojacking Malware Campaign Targets Italian Businesses via Weaponized USBs
A threat actor identified as UNC4990 is exploiting weaponized USB devices to distribute cryptojacking malware across various industries in Italy. The campaign, known for using USBs to spread the EMPTYSPACE downloader, leverages third-party websites to host additional malicious payload stages. UNC4990 has been operational since late 2020 and is likely based in Italy; its end goals remain somewhat ambiguous, although cryptocurrency mining has been observed in at least one incident. The infection process begins when a malicious LNK file on the USB device is executed, leading to PowerShell scripts that download further malware, including a backdoor named QUIETBOARD. Popular sites such as GitHub, Vimeo, and Ars Technica are being used to host innocuous-looking components of the malware, which pose no direct risk to general users of these platforms. The QUIETBOARD backdoor comes with extensive features, including command execution, wallet address manipulation for cryptocurrency theft, and the ability to spread to other removable drives. Mandiant researchers highlight the modular and adaptive nature of the threat actor's tools, indicating a sophisticated and evolving approach to their campaigns.
2024-01-31 07:32:38 thehackernews CYBERCRIME Nation-State Hackers Leverage Ivanti VPN Flaws for Malware
Hackers have exploited zero-day flaws in Ivanti Connect Secure VPNs to deploy the KrustyLoader malware. The identified vulnerabilities, CVE-2023-46805 and CVE-2024-21887, enable remote code execution without authentication. Ivanti has yet to release patches but has provided a temporary mitigation. The Chinese nation-state actor UTA0178, also known as UNC5221, has been using these vulnerabilities since early December 2023. The Rust-based KrustyLoader serves as a tool for downloading and executing the Sliver post-exploitation framework on affected hosts. Since the public disclosure of the Ivanti flaws, a broader range of attackers has exploited them, including to deploy cryptocurrency mining malware. While Cobalt Strike remains dominant, alternative post-exploitation tools like Sliver, Viper, and Meterpreter show increased usage among cyber attackers. Recorded Future's recent report emphasizes the evolving landscape of offensive security tools used by threat actors.
2024-01-31 05:45:49 thehackernews MALWARE Critical Root Access Flaw Discovered in Widely-Used Linux Library
A newly discovered security flaw in the GNU C library (glibc) allows malicious local users to gain full root access on Linux systems. The vulnerability, identified as CVE-2023-6246, affects the __vsyslog_internal() function in glibc, a core component of major Linux distributions such as Debian, Ubuntu, and Fedora. Specific conditions are required for exploitation, but the impact is significant because glibc is used universally for system logging. In addition to CVE-2023-6246, researchers also uncovered two related vulnerabilities in the same function and another bug in the glibc qsort() function, which has affected all versions since 1992. These vulnerabilities underscore the urgency of implementing robust security practices in the development of fundamental software libraries. The flaws were disclosed by the Threat Research Unit at Qualys, which emphasizes the importance of continuous security review and updates for software components.
2024-01-30 23:08:43 bleepingcomputer MALWARE Critical Linux glibc Vulnerability Enables Root Access
A newly discovered local privilege escalation (LPE) vulnerability, CVE-2023-6246, affects the GNU C Library (glibc) and allows unprivileged attackers to gain root access on major Linux distributions. The flaw, introduced in glibc version 2.37 and backported to 2.36, is due to a heap-based buffer overflow within the "__vsyslog_internal()" function. Debian, Ubuntu, and Fedora distributions have been confirmed as vulnerable in their default configurations by security researchers at Qualys. Exploitation of the vulnerability requires specific conditions but has widespread impact, as glibc is extensively used in Linux-based applications and systems. Qualys has also identified three additional vulnerabilities in glibc, including two related to "__vsyslog_internal()" and one in the "qsort()" function, which is awaiting assignment of a CVE ID. This discovery emphasizes the continued importance of robust security practices in software development, especially for core components integral to multiple systems and applications. Historically, Qualys has identified several critical Linux vulnerabilities, some of which, such as CVE-2023-4911, were actively exploited in the wild shortly after their discovery.
2024-01-30 22:02:16 bleepingcomputer MALWARE CyberArk Launches Online Tool for Ransomware File Recovery
CyberArk has released an online version of 'White Phoenix,' its open-source decryptor, to aid ransomware victims in file recovery. The tool is designed for non-technical users, enabling them to restore files affected by intermittent encryption without dealing with code. White Phoenix supports common file formats like PDFs, Word, Excel, ZIPs, and PowerPoint but is limited to files under 10MB online; larger files require the GitHub version. The tool exploits a flaw in intermittent encryption used by several ransomware strains, allowing partial data recovery by piecing together unencrypted file segments. CyberArk advises that for successful decryption, specific strings must be present in the files, such as "PK\x03\x04" for ZIPs and "0 obj" and "endobj" for PDFs. The online White Phoenix aims to automate the manual recovery process done by experts, though results may vary based on file type and ransomware used. While White Phoenix is not a complete solution for ransomware attacks, it offers a chance to recover important files when no other decryptors are available. CyberArk recommends downloading and using the tool locally from GitHub for those dealing with sensitive files, to avoid uploading them to external servers.
2024-01-30 21:31:47 bleepingcomputer CYBERCRIME US Authorities Charge Suspects in DraftKings Account Hacking Scheme
The U.S. Department of Justice has charged two additional individuals in connection with the hacking of around 68,000 DraftKings accounts in November 2022. A third defendant, Joseph Garrison, was charged in May and pleaded guilty, with his sentencing scheduled for the following Thursday. The attackers, Nathan Austad and Garrison, utilized a credential stuffing attack, employing automated tools with lists of previously breached user credentials. Account hijackers were sold access to DraftKings accounts; they stole approximately $635,000 from almost 1,600 accounts. The defendants instructed the hackers who bought the accounts on how to withdraw all the funds after verifying a new payment method. Evidence of involvement in the DraftKings attack and possession of tools and data for credential stuffing were found on Austad's seized phone and other devices. Garrison operated the "Goat Shop" website, selling hacked DraftKings, FanDuel, and Chick-fil-A customer accounts; Chick-fil-A confirmed a breach of 71,473 accounts due to a similar attack. The incident highlights the ongoing threat and successful execution of credential stuffing attacks, an issue the FBI had previously warned about.
2024-01-30 19:49:20 bleepingcomputer CYBERCRIME Finnish Police Trace 'Untraceable' Monero in Major Cybercrime Case
Finnish authorities identified Julius Aleksanteri Kivimäki as the alleged hacker behind the Vastaamo psychotherapy clinic breach by tracing Monero transactions. In 2020, the hacker demanded 40 bitcoins not to release stolen patient records, but later targeted individual patients for smaller Bitcoin payments. The National Bureau of Investigation (KRP) of Finland tracked the payments to Kivimäki after he converted the Bitcoin to Monero and back to Bitcoin. While Monero is designed to be a privacy-oriented and untraceable cryptocurrency, KRP applied heuristic analysis methods to follow the trail. Despite Monero's enhanced privacy features following an August 2022 upgrade, Finnish authorities could link Kivimäki to the crimes through related Bitcoin transactions and bank transfers. The KRP has kept the exact methods of tracing Monero secret, to protect its investigative techniques. Kivimäki faces multiple charges, including aggravated data breach and extortion, which could carry a 7-year prison sentence; he denies all allegations.
2024-01-30 18:42:58 bleepingcomputer DATA BREACH Mercedes-Benz Source Code Exposed Due to Mishandled GitHub Token
Researchers at RedHunt Labs discovered a publicly accessible GitHub token that exposed Mercedes-Benz's internal source code. Mercedes-Benz is renowned for its advanced vehicle software, which was potentially at risk due to the exposure. The leaked data included sensitive intellectual property such as database connection strings, cloud access keys, and design documents. Exposure of this data could allow competitors to reverse-engineer products or hackers to exploit vulnerabilities in vehicle systems. The incident was reported by RedHunt Labs and acknowledged by Mercedes-Benz, which revoked the token and is analyzing the extent of the breach. Mercedes-Benz confirmed that customer data was not affected, but did not provide details on whether unauthorized access was detected. The mishap draws parallels to a previous security lapse at Toyota, pointing to a systemic issue with the management of GitHub repository access. Mercedes-Benz maintains a vulnerability disclosure program for collaboration with security researchers.