Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-29 22:03:10 | bleepingcomputer | CYBERCRIME | Critical RCE Vulnerability Affects 45K Jenkins Servers Worldwide | A critical remote code execution flaw, CVE-2023-23897, affects approximately 45,000 online Jenkins automation servers.
Multiple public proof-of-concept exploits for the CVE-2023-23897 vulnerability are circulating, placing unpatched systems at high risk.
The flaw emerges from a CLI feature that swaps an "@" character followed by a file path with the file's content, potentially exposing sensitive information.
Attackers could leverage this flaw to decrypt stored secrets, alter Jenkins server contents, or bypass CSRF protection, depending on permissions and configurations.
Security updates 2.442 and LTS 2.426.3 were released by the Jenkins project on January 24, 2024, to address this security issue.
Most exposed Jenkins instances are located in China and the United States, with Germany, India, France, and the UK also hosting numerous vulnerable systems.
Threat monitoring has detected active scans targeting unpatched Jenkins servers, suggesting imminent exploitation is likely.
Jenkins users are being urged to apply security updates or consult the official security bulletin for mitigation strategies if immediate updates are not feasible. | Details |
| 2024-01-29 20:56:11 | theregister | NATION STATE ACTIVITY | SolarWinds Challenges SEC Lawsuit Over Alleged Misleading Security Practices | SolarWinds is contesting the SEC's lawsuit, claiming unjust victim blaming after its software was compromised by Russian state-sponsored hackers.
The SEC accuses SolarWinds and its CISO of misleading investors about the company's cybersecurity practices since October 2018.
SolarWinds' legal representation argues that the firm adequately disclosed risks and fulfilled its obligations to notify about security vulnerabilities.
Approximately 18,000 organizations were affected by the Orion software backdoor, but the SEC's lawsuit focuses on alleged misleading investor communications.
SolarWinds emphasizes that disclosing detailed cybersecurity weaknesses can be detrimental by giving attackers a potential roadmap to exploit.
Legal documents assert that CISO Tim Brown, also targeted by the SEC, did not mislead investors and performed his role competently during the crisis.
The SEC has not made a public response to the challenges raised by SolarWinds against the lawsuit. | Details |
| 2024-01-29 20:14:57 | bleepingcomputer | RANSOMWARE | Schneider Electric Targeted by Cactus Ransomware, Corporate Data Stolen | Schneider Electric's Sustainability Business division was hit by the Cactus ransomware, resulting in the theft of corporate data.
The attack occurred on January 17th, causing disruptions and ongoing outages in the Resource Advisor cloud platform.
The ransomware gang has stolen terabytes of data and is threatening to leak it unless a ransom is paid.
Customers of the affected division include major corporations, which may have had sensitive data regarding power utilization and regulatory compliance compromised.
Schneider Electric has acknowledged the attack and is undertaking remediation and recovery efforts, with ongoing forensic analysis and discussions with affected customers.
The company asserts that the attack was confined to the Sustainability Business division, with no other parts of the company impacted.
This is not the first cybersecurity incident for Schneider Electric; it was previously affected by the Clop ransomware gang's MOVEit data theft attacks. | Details |
| 2024-01-29 16:33:41 | bleepingcomputer | CYBERCRIME | FBI Alerts Public to Scammers Using Couriers for Fraud | The FBI has issued a warning about scammers employing courier services to collect money and valuables from victims of tech support and government impersonation scams.
Criminals are instructing mostly senior victims to liquidate assets into cash or buy precious metals for "protection," only to have couriers pick them up.
Scammers often pose as tech support, financial institutions, or government officials, claiming the victim's financial accounts are compromised.
Victims are coerced into sending cash, converting assets into precious metals, or wiring funds to dealers, who are part of the scam.
In-person pickups are arranged by scammers, who give victims a passcode to "authenticate" the fraudulent transactions with the courier.
The FBI reports an uptick in this fraudulent activity, with losses over $55 million from May to December 2023.
To combat these scams, the FBI advises against sending gold or valuables in response to phone requests and stresses the importance of not meeting with strangers or disclosing personal details. Victims should promptly report cases to the FBI with detailed information on the scammers. | Details |
| 2024-01-29 16:23:14 | bleepingcomputer | CYBERCRIME | Ransomware Payment Rates Drop as Trust in Cybercriminals Wanes | Ransomware payment rates have decreased to a record low at 29% in Q4 of 2023, as reported by Coveware.
The decline in payment rates is attributed to better organizational preparedness, distrust in cybercriminals' promises, and legal restrictions in some regions.
Even among victims of attacks involving data theft, only 26% paid in the last quarter of 2023.
Average ransom payments have decreased by 33% to $568,705, with the median payment at $200,000 in Q4 2023.
The median size of organizations targeted by ransomware has decreased as cybercriminals adjust their strategies.
Discussions on the impact of potential ransom payment bans suggest that such policies could drive the issue underground and hinder progress in victim and law enforcement cooperation.
Coveware advises doubling down on existing measures to continue making ransomware less profitable for criminals.
Even as ransomware remains a significant threat, the declining payment trend reflects progress in the fight against cybercrime. | Details |
| 2024-01-29 15:31:54 | bleepingcomputer | DATA BREACH | Ex-DHS Officials Sentenced for Data Theft of 200K Federal Employees | Three former employees of the Department of Homeland Security (DHS) have been sentenced for stealing government software and the personal data of 200,000 federal employees.
The individuals include a former Acting Inspector General and two members of the IT staff, with sentences ranging from probation to 1.5 years in prison.
The convictions covered theft of government property and intent to defraud the United States, with the illegal activity taking place between 2019 and 2022.
The stolen data and software were given to software developers in India with the intent to create and sell a similar commercial product to government agencies.
Among the stolen databases was one with personally identifiable information (PII) of DHS-OIG and USPS-OIG employees.
At least one of the individuals attempted to delete evidence linked to the scheme when learning about the investigation, further obstructing justice.
The status of the Indian developers and of the stolen data remains uncertain, and any action to recover or secure the data may come too late. | Details |
| 2024-01-29 13:33:48 | thehackernews | DATA BREACH | Microsoft Outlook Flaw Risked NTLM Hashed Password Leakage | A serious vulnerability was discovered in Microsoft Outlook potentially allowing attackers to access hashed NTLM v2 passwords.
The flaw, tracked as CVE-2023-35636 with a CVSS score of 6.5, was patched by Microsoft in December 2023 as part of its Patch Tuesday updates.
Attack vectors included phishing emails or web-based attacks in which victims are tricked into opening a malicious file.
The NTLM hash leakage was possible via Outlook's calendar-sharing function by inserting specific headers into an email.
While the patch addressed the main vulnerability, related leak vectors involving Windows Performance Analyzer and Windows File Explorer remain unpatched.
Researchers highlighted the flaws of NTLM authentication and Microsoft's move to phase it out in Windows 11 for the safer Kerberos protocol.
Enhanced security practices and awareness are crucial to avoid falling victim to such exploitation techniques. | Details |
| 2024-01-29 11:40:52 | thehackernews | DATA BREACH | Mastering SaaS Security: Exclusive Webinar Insights from Industry Survey | 97% of companies are exposed to severe risks due to unsecured SaaS applications.
20% of these organizations are battling internal data threats.
The upcoming webinar by Wing Security COO, Ran Senderovitz, will offer in-depth insights into SaaS security challenges.
The event promises a comprehensive analysis of data from 493 companies, identifying statistics and trends in SaaS security.
Attendees will receive actionable tips for immediate implementation to enhance their organization's security posture.
The webinar will provide a forecast of SaaS security threats expected in 2024 and strategies to combat them.
IT and security professionals will gain valuable knowledge and tools to proactively defend against SaaS-related threats.
The session aims to transform SaaS security challenges into opportunities for strengthening organizational defenses. | Details |
| 2024-01-29 11:14:53 | thehackernews | MISCELLANEOUS | The Evolution of Artificial Intelligence in Cybersecurity Defense | AI has become critical in cybersecurity, offering advanced features from spam filtering to predictive analytics and AI-assisted responses.
The democratization of AI technology presents a significant challenge, arming attackers with sophisticated means to launch advanced cyber threats.
Early 2000s malware like ILOVEYOU and the Zeus banking trojan highlighted the need for evolving security solutions.
The second wave (2010–2020) saw an increasingly dynamic IT landscape with cloud computing and SaaS, coupled with an uptick in sophisticated cyber threats.
AI-based cybersecurity tools, such as those pioneered by Cylance, have been instrumental in outpacing increasingly sophisticated malware and attacks.
The third wave (2020-present) showcases a profound shift where AI is also being used by adversaries, necessitating an informed and well-equipped defense strategy.
As cyber threats continue to grow in both scale and sophistication, the dual use of AI demands continuous innovation and vigilance in cybersecurity practices. | Details |
| 2024-01-29 11:09:32 | thehackernews | MALWARE | Emerging Ransomware Variants Utilize Advanced Languages and Deception Tactics | Fortinet FortiGuard Labs identified the Faust variant of Phobos ransomware using an Excel document to deliver malware.
New ransomware families, including Albabat and Kuiper, are written in Rust and Golang to avoid common coding issues and improve cross-platform capability.
Faust ransomware doesn't specifically target industries or regions and uses multiple threads for its file encryption attack, making it more resilient and efficient.
Kuiper ransomware, linked to threat actor RobinHood, was advertised on underground forums and developed to target multiple operating systems.
NONAME ransomware imitates the data leak site of the known LockBit group, suggesting potential connections or shared strategies.
The links among the Royal/BlackSuit ransomware, the 3 AM ransomware, and the remnants of the Conti cybercrime group indicate shared tactics and infrastructures.
Ransomware attacks continue to exploit common remote access tools like TeamViewer and misuse legitimate-looking documents, such as resumes in Word format, to execute attacks. | Details |
| 2024-01-29 07:04:58 | thehackernews | NATION STATE ACTIVITY | NSA Accused of Covertly Purchasing Americans' Internet Data | The NSA has been purchasing internet browsing records from third-party data brokers to identify websites and apps used by Americans, avoiding the need for a court order.
Senator Ron Wyden condemns this practice as both unethical and illegal, and challenges the legitimacy of funding such a "shady industry."
Metadata about users' browsing habits purchased by the NSA could reveal personal details, including visits to sensitive websites related to health and personal assistance.
The NSA contends that it uses such data in compliance with privacy standards and minimizes collection of U.S. persons' information.
The agency asserts it does not buy or use phone location data or vehicle telematics from within the U.S. without a court order.
This practice of purchasing private data without a warrant reflects broader issues with law enforcement agencies acquiring sensitive information from third-party companies.
The FTC has recently taken action against companies selling precise location information without informed user consent.
Concerns are raised about third-party apps not notifying users that their data, collected for advertising or national security purposes, is shared or sold. | Details |
| 2024-01-29 05:38:21 | thehackernews | MALWARE | Python Packages Infected with WhiteSnake Malware Threaten Windows Users | Cybersecurity experts have discovered several malicious packages on the Python Package Index (PyPI) that secretly install WhiteSnake Stealer malware.
The nefarious packages target Windows operating systems, executing malware that can steal information and execute commands.
The malware has the capability to exfiltrate data from web browsers, cryptocurrency wallets, and various applications such as WinSCP, Discord, and Telegram.
WhiteSnake Stealer uses Anti-VM mechanisms and communicates with its control server using the Tor network, enhancing its stealth and persistence.
The threat actor, dubbed PYTA31, has introduced variations in the payloads of the malicious packages, indicating a particular focus on stealing cryptocurrency wallet data.
Some packages also possess clipper functionality that can replace clipboard content with attacker-controlled cryptocurrency wallet addresses to facilitate unauthorized transactions.
Fortinet highlights the ease with which a single malware author can release multiple info-stealing malware packages onto the open-source repository, indicating a significant threat to software supply chain security. | Details |
| 2024-01-29 01:34:13 | theregister | CYBERCRIME | Researchers Net $1.3 Million for Hacking Tesla at Automotive Pwn2Own | Trend Micro's Zero Day Initiative hosted the first automotive-focused Pwn2Own event, with over $1.3 million awarded for 49 zero-day vulnerabilities.
Synacktiv, a French security firm, won the top prize, earning $450,000 for successful exploits on Tesla vehicles, gaining root access to a Tesla Modem, and finding a sandbox escape in the infotainment system.
High-value attacks also targeted after-market infotainment systems and electric vehicle (EV) chargers, exposing vulnerabilities in chargers from Emporia, ChargePoint, Ubiquiti, Phoenix, and JuiceBox.
One out of three attacks on Automotive Grade Linux succeeded, highlighting potential threats to the infotainment backbone used by major car manufacturers like Subaru, Toyota, and Lexus.
Cisco disclosed a critical vulnerability (CVSS 9.9) in its Unified Communications products; the recommended action is to promptly apply the provided patches.
Apple fixed an actively exploited WebKit zero-day that allowed arbitrary code execution which could be triggered by malicious web content.
The U.S. Securities and Exchange Commission (SEC) acknowledged a SIM swap attack that compromised its Twitter account, after disabling multi-factor authentication and failing to reactivate it.
Kaspersky's Securelist reported a new macOS malware family found in cracked apps, aimed at stealing cryptocurrency wallet seed phrases and giving attackers remote control over infected systems. | Details |
| 2024-01-28 23:32:12 | theregister | DATA BREACH | Massive Data Sale of 750 Million Indian Mobile Users Uncovered | CloudSEK, an Indian information security firm, discovered a 1.8TB data trove containing information on 750 million Indian mobile subscribers being sold on the dark web.
The data includes subscribers' names, phone numbers, addresses, and Aadhaar details, allegedly sourced through illegal means from law enforcement channels, not due to a telecom leak.
The breach impacts all major Indian telecom providers and poses serious risks of financial losses, identity theft, reputational damage, and susceptibility to cyber-attacks.
Samsung has opted to integrate Baidu's ERNIE model in the China-sold Galaxy S24 for AI features such as real-time call translation and intelligent document summarization.
Terraform Labs, a crypto firm, filed for Chapter 11 bankruptcy in the US while facing legal proceedings and attempts to extradite its founder, Do Kwon.
India's IT minister announced plans for a $1.2 million public-private supercomputing and quantum computing hub to boost AI capabilities for startups and enterprises.
Telstra International has partnered with Trans Pacific Networks on the Echo undersea cable, the first to directly connect the US to Singapore, with increased capacity anticipated by 2029. | Details |
| 2024-01-28 17:16:27 | bleepingcomputer | CYBERCRIME | Kansas City Transit Authority Targeted in Ransomware Attack | The Kansas City Area Transportation Authority (KCATA) has been the victim of a ransomware attack, impacting communication systems.
The attack compromised KCATA's ability to receive calls at regional RideKC call centers and affected KCATA landlines.
KCATA assures that bus routes and paratransit services are operational, and schedule information remains accessible online and via the transit app.
Alternative contact numbers were provided for paratransit customers needing to schedule trips during the disruption.
Authorities, including the FBI, have been notified; KCATA is working with cyber professionals to resolve the issue.
Data theft concerns arise as personal and payment details of KCATA customers could have been compromised.
Medusa ransomware group claimed responsibility for the attack, demanding a $2 million ransom and offering a daily extension of the data leak deadline for $100,000. | Details |