Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11762

Checks for new stories every ~15 minutes

2024-01-30 18:17:27 theregister NATION STATE ACTIVITY US Disables Chinese Hacking Efforts Against Critical Infrastructure
US law enforcement recently undermined a Chinese state-sponsored hacking operation—dubbed Volt Typhoon—targeting American critical infrastructure. Ongoing federal operations were enabled by court-ordered permissions, allowing the disruption of parts of the Chinese cyber campaign. The Volt Typhoon group, which became known in May 2023, has infiltrated US organizations through compromised internet-facing devices since at least 2021. The Chinese hackers exploited routers, cameras, and similar devices to siphon credentials and sensitive data, escalating concerns over potential disruptions to military, utility, and ISP networks. Volt Typhoon's activities signify a move beyond espionage to preparation for potential sabotage in conjunction with geopolitical events, such as an invasion of Taiwan. The operation against Volt Typhoon follows a CISA emergency directive for federal agencies to secure Ivanti Connect Secure VPN devices after hacks attributed to similar Chinese actors. US officials maintain ongoing vigilance towards Chinese cyber activities, concerned that they align with the known tactics of state-backed groups like Volt Typhoon.
2024-01-30 17:51:48 bleepingcomputer MALWARE Cybercriminals Leveraging Microsoft Teams to Spread DarkGate Malware
Cybercriminals are exploiting Microsoft Teams to distribute DarkGate malware via group chat invites. Attackers send malicious Teams chat requests from what appear to be compromised user accounts, targeting over 1,000 victims. Upon acceptance of the chat request, victims are tricked into downloading malware disguised with a double file extension. The malware communicates with a known command-and-control server, indicating an active infrastructure for the DarkGate malware family. Microsoft Teams' default External Access setting, which allows communication with external tenants, is a weakness that organizations are advised to disable if not needed. AT&T Cybersecurity emphasizes the importance of end-user training in recognizing unsolicited messages and the various forms of phishing beyond email. DarkGate malware attacks have increased following the disruption of the Qakbot botnet, with the malware offering multiple capabilities attractive to cybercriminals. A security issue in Microsoft Teams allows attackers to bypass client-side protections and deliver malicious payloads with tools like TeamsPhisher.
2024-01-30 17:46:44 theregister CYBERCRIME Over 45,000 Jenkins Servers Vulnerable to Critical RCE Flaw
A critical remote code execution (RCE) vulnerability, CVE-2024-23897, in Jenkins servers affects approximately 45,000 publicly accessible instances. The majority of vulnerable servers are located in the US and China, with thousands more across India, Germany, Korea, France, and the UK. Exploits for the flaw were publicly released just days after the coordinated disclosure, increasing the risk of potential cyberattacks. The vulnerability involves the built-in CLI feature of Jenkins which can be exploited to read sensitive files like SSH keys, credentials, and source code. Attackers primarily targeting Jenkins instances on Windows may have a higher success rate due to the feasibility of reading binary secrets. Jenkins has issued patches for the vulnerability, but many admins have yet to apply fixes. Disabling the CLI feature is recommended as a temporary safeguard. Jenkins advises against certain configuration settings that could exacerbate the risks by granting unnecessary read permissions to unauthorized users.
2024-01-30 16:45:21 thehackernews CYBERCRIME Brazilian Federal Police Arrest Operators of Grandoreiro Banking Trojan
Brazilian Federal Police have arrested individuals linked to the Grandoreiro malware operation, executing arrest and search warrants across several states. Slovak cybersecurity firm ESET identified a flaw in Grandoreiro's network protocol, aiding in the investigation that mapped victim patterns. Grandoreiro, a Latin American banking trojan active since 2017, has targeted countries such as Spain, Mexico, Brazil, and Argentina, stealing data and bank details. The malware uses phishing tactics to deploy and then allows remote control of infected machines, frequently monitoring browser windows for banking activity. The malware's command-and-control (C&C) infrastructure utilizes domain generation algorithms and major cloud services like AWS and Azure, with a high frequency of active and new C&C IP addresses daily. ESET's investigation revealed an average of 551 victims connected to C&C servers per day, with an additional 114 unique victims on average connecting daily, primarily across Brazil, Mexico, and Spain. The Brazilian operation targeted the higher levels of the Grandoreiro hierarchy, signifying a significant blow to the malware's operations.
2024-01-30 16:24:48 thehackernews CYBERCRIME Critical Security Patch Released for GitLab File Overwrite Flaw
GitLab has issued an urgent update to address a critical flaw with a CVSS score of 9.9, affecting multiple versions of its CE and EE. The vulnerability, identified as CVE-2024-0402, enables authenticated users to write files arbitrarily on the GitLab server during workspace creation. The patched versions include GitLab 16.5.8, 16.6.6, 16.7.4, and 16.8.1, among others. The latest security update also fixes four medium-severity issues related to ReDoS, HTML injection, and email address disclosure. This release comes on the heels of previous critical security updates, emphasizing the need for users to upgrade to the latest patched versions immediately. GitLab.com and dedicated GitLab environments have already been updated to these secured versions. The article concludes by highlighting an upcoming webinar on the 2024 Customer Data Platform Report, unrelated to the security fixes.
2024-01-30 16:24:47 bleepingcomputer CYBERCRIME Protecting SMBs Against Ransomware: Strategies and Solutions
The Akira ransomware group has been actively targeting small to medium-sized businesses (SMBs), with demands ranging from $200,000 to over $4 million. SMBs are vulnerable due to limited IT support and lax security procedures, making them easier targets for cybercriminals seeking entry points to larger enterprises. In 2022, 56% of SMBs experienced cyberattacks, with breaches often causing significant financial and reputational damage. The average cost of a data breach for SMBs is nearly $150,000, which includes indirect costs like customer trust erosion and data loss. Implementing cybersecurity best practices, such as NIST's framework for SMBs, can mitigate risks, including robust password policies and multi-factor authentication (MFA). Blocking the use of known compromised passwords and regularly auditing Active Directory accounts are critical steps in preventing unauthorized access. Training end-users to recognize phishing and other credential theft attempts can substantially reduce the risk of breaches, as human error is a leading cause. Specops Software offers solutions to reinforce password protection and enhance cybersecurity postures for SMBs, with tools like Specops Password Policy and free trials.
2024-01-30 16:09:19 bleepingcomputer DATA BREACH Citibank Sued By NY Attorney General for Failing Fraud Victims
New York Attorney General Letitia James has filed a lawsuit against Citibank for not protecting customers from fraud and failing to reimburse those affected. The suit argues that Citibank violated the Electronic Fund Transfer Act by denying reimbursement to victims of unauthorized electronic transactions. Citibank is accused of using loopholes to avoid compensating customers and of having inadequate systems to detect and respond to fraudulent activity. The bank's inadequate response to customer fraud reports included long phone waits and misleading assurances, exacerbating the theft of funds. The New York AG's office seeks restitution for victims from the past six years, along with penalties and an end to Citibank's deceptive practices. Citibank's statement in response to the lawsuit claims adherence to regulations and emphasizes its efforts in fraud prevention and client education, noting a reduction in client wire fraud losses.
2024-01-30 15:48:54 bleepingcomputer MALWARE Police Take Down Grandoreiro Banking Malware Gang
The Federal Police of Brazil, in collaboration with ESET, Interpol, Spain's National Police, and Caixa Bank, has disrupted a banking malware operation known as Grandoreiro. Five arrests and thirteen search and seizure actions were carried out across several Brazilian states, targeting a group responsible for electronic banking fraud. The criminal structure allegedly moved approximately 3.6 million euros through fraudulent activities since 2019. Grandoreiro, a Windows banking trojan active since 2017, primarily targets Spanish-speaking countries, using fake pop-ups and keystroke logging to commit financial theft. The malware necessitates manual interaction from attackers for financial theft, implying a highly targeted and hands-on approach. ESET tracked Grandoreiro servers using DGA analysis, revealing a daily average of 551 connections to its infrastructure with 114 new victims daily. Authorities disrupted the malware operation leading to a complete cessation of its activities; however, the roles of the arrested individuals and the possibility of the malware's return using new infrastructure remain uncertain.
2024-01-30 15:33:35 theregister CYBERCRIME Juniper Networks Admits to Vulnerability Disclosure Omissions
Juniper Networks disclosed four previously unreported vulnerabilities following an investigative article. Apologies were issued to customers for the oversight in communication regarding these security flaws. The four separate vulnerabilities were reported by watchTowr but initially did not receive individual CVE identifiers. Newly issued advisories now list distinct CVEs for each vulnerability, with severity scores ranging from 5.3 to 8.8. Affected products include the J-Web component in Junos OS on SRX Series and EX Series, which required updates to fix authentication and cross-site scripting issues. The US Cybersecurity and Infrastructure Security Agency (CISA) has alerted users to review the bulletin and update their systems. Juniper's patch scheduling policy and prior decision not to assign CVEs earlier in the process have been questioned for potentially increasing exploitation risk. Juniper claims non-technical reasons typically delay their CVE application process, which they are now reviewing after these incidents.
2024-01-30 13:46:01 thehackernews NATION STATE ACTIVITY Suspected Chinese Hackers Breach Myanmar Ministries with Sophisticated Malware
China-linked cyber group Mustang Panda reportedly targeted Myanmar's Ministries of Defence and Foreign Affairs with backdoor attacks. Cybersecurity organization CSIRT-CTI identified the hacking campaigns, which occurred in November 2023 and January 2024. Attackers abused legitimate software, such as a B&R binary and Windows 10 components, to sideload malicious DLLs. Mustang Panda, active since 2012, has a history of cyberespionage against government entities across Southeast Asia. One attack vector involved a phishing email carrying a ZIP file that dropped a custom loader and the PlugX malware. The group attempted to camouflage its command-and-control traffic as legitimate Microsoft update activity. A separate campaign deployed a bespoke loader called TONESHELL, retrieved from a C2 server that was unreachable at the time of analysis, likely to install the same PlugX malware. The attacks by Mustang Panda are believed to coincide with Chinese geopolitical interests, particularly following unrest near the Myanmar-China border.
2024-01-30 10:54:56 thehackernews MISCELLANEOUS Essential Strategies for Enhancing Organizational Cybersecurity
Less than half of cybersecurity professionals claim to have high or complete visibility into their organization’s vulnerabilities, highlighting the need for regular security posture assessments to identify and mitigate risks. Inadequate vulnerability management programs, deficiencies in detection and monitoring systems, and a lack of formalized cybersecurity policies and procedures are key weaknesses in many organizational security postures. Regular testing practices, such as penetration testing and third-party assessments, are critical to reveal potential security gaps and test the efficacy of incident responses. Training and cyber awareness for staff play a vital role in reducing human error-related security breaches, emphasizing the importance of ongoing cybersecurity education and a culture of security mindfulness. Adoption and proper implementation of cybersecurity frameworks, like NIST Cybersecurity Framework, CIS, or SANS, guide organizations in developing and maintaining a structured approach to cybersecurity. Understanding an organization’s risk appetite is fundamental for aligning cybersecurity strategies with the overall risk management goals and directing resource allocation effectively. The article underscores the continuous nature of cybersecurity efforts and the importance of vigilance in addressing the ever-evolving threat landscape to protect an organization's assets and reputation.
2024-01-30 10:29:15 thehackernews DATA BREACH Italian Watchdog Flags ChatGPT for Potential GDPR Violations
Italy's data protection authority alleges privacy violations by OpenAI's ChatGPT under the EU GDPR. An investigation into ChatGPT's handling of personal data was launched after a temporary ban on the service. OpenAI has implemented privacy controls and reinstated access to ChatGPT but now has 30 days to respond to the new findings. The concerns involve ChatGPT collecting personal data without proper consent and the potential exposure of sensitive information. In a separate but related development, a bug in Google's Bard chatbot led to private conversations being indexed and exposed via Google search. Amid the privacy debate, Apple opposes a proposed U.K. law that it believes could undermine global user privacy and security. A SaaS security masterclass webinar provides insights from a study of 493 companies, emphasizing important security practices.
2024-01-30 09:32:49 theregister MISCELLANEOUS UK Biometrics Commissioner Critiques Governance Flaws
The outgoing UK biometrics and surveillance commissioner, Dr Fraser Sampson, highlights serious governance issues in the Home Office in his final report. Sampson's tenure experienced challenges with limited engagement from Whitehall and insufficient resources to perform his duties effectively. The upcoming Data Protection and Digital Information (DPDI) Bill will dissolve the commissioner's role, transferring responsibilities to the Investigatory Powers Commissioner's Office (IPCO) with less oversight on biometrics. Technical problems within systems that manage National Security Determinations (NSDs) for biometric data retention have led to inaccuracies and inability to perform mandated duties. Ethical concerns are raised regarding the procurement and testing of surveillance technology within UK police forces, particularly the use of potentially compromised Chinese technology. Sampson moves to the private sector, continuing his work in biometric governance as a director at a retail face biometrics company, Facewatch. Tony Eastaugh is appointed as the new commissioner, tasked with transitioning powers to the IPCO, amid concerns over the future of UK biometrics and surveillance governance.
2024-01-30 08:46:43 thehackernews MALWARE ZLoader Malware Resurfaces with Enhanced 64-bit Windows Attack Capabilities
Security researchers have detected a revived campaign deploying a new variant of the ZLoader malware with upgraded features and 64-bit Windows compatibility. This resurgence comes nearly two years after a coordinated disruption effort led by Microsoft in April 2022 effectively dismantled the botnet responsible for the malware's distribution. The updated ZLoader now includes RSA encryption and a refined domain generation algorithm to aid in evading detection and analysis. The malware, which originated from the Zeus banking trojan, typically spreads through phishing and malvertising, and serves as a loader for other malicious payloads. The latest versions of ZLoader demonstrate advanced tactics to avoid analysis, including inserting junk code, employing string obfuscation, and requiring specific filenames to execute. Despite the disruption of its infrastructure in 2022, researchers anticipate that ZLoader's comeback could precipitate new ransomware attacks due to the persistence of the threat group behind it. Microsoft has taken steps to mitigate the threat by disabling the MSIX protocol handler by default, after it had been increasingly exploited to spread malware, including ZLoader, from July 2023 onward. The return of ZLoader is part of a broader trend of new malware variants emerging, like Rage Stealer and Monster Stealer, that are also used to pilfer information and launch further attacks.
2024-01-30 05:07:54 thehackernews CYBERCRIME Juniper Networks Patches High-Severity Vulnerabilities in Junos OS
Juniper Networks has issued out-of-band updates for high-severity vulnerabilities in its SRX and EX Series products. The flaws, identified as CVE-2024-21619 and CVE-2024-21620, could allow attackers to gain control over affected systems. Security firm watchTowr Labs identified and reported these critical issues. Users are advised to either disable the J-Web component or restrict access to it as immediate mitigation steps. The CVE-2023-36846 and CVE-2023-36851 vulnerabilities, disclosed in August and known to be exploited in the wild, are also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Juniper Networks previously addressed another critical vulnerability (CVE-2024-21591) that potentially allowed DoS attacks and remote code execution. A related SaaS Security Masterclass webinar provides insights into SaaS security practices based on a study of 493 companies.