Daily Brief

Find articles below; see 'DETAILS' for generated summaries.

Total articles found: 11761

Checks for new stories every ~15 minutes

2024-01-28 15:18:57 bleepingcomputer CYBERCRIME Critical Jenkins Vulnerabilities Lead to Active Exploitation
Multiple proof-of-concept (PoC) exploits have been made public for a critical Jenkins vulnerability allowing unauthenticated file access. Jenkins is a pivotal automation server in numerous software development processes, particularly in Continuous Integration and Deployment. Researchers at SonarSource identified two vulnerabilities, one (CVE-2024-23897) that permits the reading of arbitrary files, and the other (CVE-2024-23898) that enables execution of arbitrary CLI commands. CVE-2024-23897 exposes systems to potential admin privilege escalation and remote code execution under specific conditions. The second flaw exists due to browsers inconsistently enforcing protective policies, leaving systems at risk despite security measures. Jenkins has released updates to address these issues and urges users to patch their systems immediately. Security researchers have observed active exploitation in the wild, as attackers leverage the disclosed PoCs against unpatched Jenkins servers.
2024-01-27 17:22:43 bleepingcomputer CYBERCRIME Governments Enforce Actions Against Global Ransomware Criminals
Governments have increasingly taken action against ransomware criminals; sanctions and prison sentences were given this past week to notable figures. Aleksandr Gennadievich Ermakov, linked to the REvil ransomware group and the Medibank hack, faced sanctions from Australia, the US, and the UK. Vladimir Dunaev, a Russian national involved with TrickBot malware and related ransomware assaults on US entities, received a prison sentence of five years and four months. Multiple large-scale ransomware attacks were reported, including on IT service provider Tietoevry, water services company Veolia North America, and fintech firm EquiLend, with the latter claimed by the LockBit group. The mortgage lender loanDepot disclosed a data breach impacting 16.6 million people due to a ransomware incident earlier in the month. Security analysts observed new ties between recently active ransomware variants and established cybercrime groups like Conti and Royal. The UK's National Cyber Security Centre warned that AI advancements might exacerbate the ransomware threat landscape. Researchers have highlighted the consequences of the ransomware surge, tracking activity that disproportionately affects healthcare and manufacturing sectors in the US and EU.
2024-01-27 15:10:35 bleepingcomputer CYBERCRIME Kansas City Public Transit Agency Suffers Ransomware Attack
Kansas City Area Transportation Authority (KCATA) was hit by a ransomware attack affecting communications but not service operations. The attack occurred on January 23 and disrupted KCATA's call centers by targeting their landline communication systems. KCATA services continue to run as scheduled despite the attack, maintaining all bus routes and paratransit services. Temporary alternative phone lines have been provided for customers needing to schedule Freedom and Freedom-On-Demand Paratransit services. The online platform ridekc.org and the transit app remain functional for users to access bus schedule information. KCATA is collaborating with cybersecurity professionals to restore full system functionality as swiftly as possible. Potential risks to personal and payment information of customers have not been specifically addressed by the agency. No ransomware groups have claimed responsibility for the incident at the time of the article's publication.
2024-01-27 06:57:43 thehackernews MALWARE AllaKore RAT Campaign Targets Mexican Financial Sector for Fraud
A new spear-phishing campaign is distributing a modified version of the AllaKore RAT malware targeting Mexican financial institutions. BlackBerry researchers linked the malware to an unidentified Latin American threat group focused on financial fraud. The threat actor has crafted emails that mimic official communications from the Mexican Social Security Institute (IMSS) and included legitimate document links. AllaKore RAT has been enhanced with capabilities for banking fraud, targeting Mexican banks and cryptocurrency platforms, collecting clipboard data, and executing additional payloads. The malware checks for the victim's Mexican geolocation before executing and maintains control over infected machines, possibly for extended fraud operations. Large Mexican firms across various sectors, particularly those with over $100 million in revenue, are the primary targets. There are also related cybersecurity concerns following the discovery of vulnerabilities in Lamassu Douro bitcoin ATMs, which could allow attackers to compromise the machines—these were patched in October 2023. The campaign represents a continued and persistent targeting of Mexican entities for financial gain by the same threat actor for more than two years.
2024-01-27 00:36:30 theregister NATION STATE ACTIVITY Microsoft Admits Security Lapse in Russian Email Breach
Microsoft confirmed a Russian espionage team, Midnight Blizzard (APT29/Cozy Bear), carried out a successful cyber-attack by exploiting accounts without multi-factor authentication (MFA). The attack began with a "password spray" tactic on a non-production legacy test account at Microsoft, which led to broader system access. Attackers compromised a legacy OAuth application, allowing them to create malicious OAuth applications and gain full access to certain Microsoft employees' mailboxes. The espionage group used residential broadband networks as proxies to disguise their activities, making the malicious traffic appear legitimate. Microsoft has acknowledged the need to expedite the implementation of MFA and strengthen security measures across legacy systems. The breach was not detected until two months after the fact, and it revealed gaps in Microsoft’s internal security practices, despite the company’s leadership in the cybersecurity industry. Microsoft is using the incident to underscore the importance of MFA and to fast-track MFA deployment to enhance security measures, even if it disrupts current business processes.
2024-01-26 21:33:09 theregister MISCELLANEOUS Urgent Call for Cybersecurity Integration in Computer Science Curricula
CISA advisor Jack Cable highlighted that 23 of the top 24 computer science programs in the US don't require cybersecurity courses for graduation. Even years later, the situation remains largely unchanged, with UC San Diego being the possible exception. Cybersecurity is often seen as a subdiscipline rather than an essential part of a developer's education, a perspective that is deemed unacceptable by experts. The White House's National Cybersecurity Strategy suggests application makers should be liable for security flaws, necessitating better training for programmers. A skills gap persists as private companies have not prioritized security in hiring, which in turn influences academic curricula. CISA hosted a workshop to address the issue of security in computer science education and identified a lack of private sector demand as a major obstacle. CISA issued a Request for Information seeking input on the integration of security into computer science education, with responses due by February 20.
2024-01-26 17:01:00 bleepingcomputer NATION STATE ACTIVITY Ukrainian Hacktivists Allegedly Erase 2PB of Russian Research Data
Pro-Ukrainian operatives reportedly destroyed 2 petabytes of data from the Russian "Planeta" research center. Planeta, associated with Roscosmos, provides critical data for weather prediction and natural disaster monitoring to different sectors. The cyberattack is attributed to the "BO Team," focusing on Planeta's Far Eastern branch, deleting information from 280 servers. Ukrainian intelligence estimates a financial impact of $10 million due to the loss of meteorological data, satellite data, and years of research. The breach purportedly disrupted not only data but also the operation of supercomputer clusters and HVAC/power supply systems. This cyber incident poses a significant restoration challenge for Russia, partly due to sanctions affecting its ability to replace advanced technology. Ukraine has previously admitted to conducting cyber operations against key Russian agencies, including those in the transportation and taxation sectors.
2024-01-26 16:04:13 theregister DATA BREACH DNA Testing Company 23andMe Confesses to Five-Month Breach Oversight
23andMe failed to detect unauthorized access to user accounts for five months due to credential stuffing attacks. The breach was discovered not by internal security but from a Reddit post indicating the sale of stolen data. A total of 14,000 accounts with the DNA Relatives feature were compromised, potentially exposing data of 6.9 million individuals. Exposed information included profile details, DNA sharing percentages, family relationships, and optionally, detailed ancestry reports. The company has since mandated two-factor authentication (2FA), which was not the standard until after the breach was detected. 23andMe has been criticized for blaming users for the breach, citing their reuse of login credentials from other compromised sites. Users' ability to take legal action may be hampered by a new 60-day dispute resolution clause in 23andMe's terms of service.
2024-01-26 15:27:42 bleepingcomputer NATION STATE ACTIVITY Microsoft Exposes Russian SVR-Backed Email Hack Operation
Russian hackers, identified as the Midnight Blizzard group, breached Microsoft Exchange Online accounts of top executives and other organizations. The cyberespionage group, linked to the Russian Foreign Intelligence Service, engaged in a sophisticated attack using password spraying and residential proxies to evade detection. Microsoft's investigation uncovered that a "legacy, non-production test tenant account" without Multi-Factor Authentication (MFA) was compromised, enabling further access. The attackers exploited a legacy test OAuth application with elevated permissions to create new malicious OAuth applications and gain extensive access to Microsoft's corporate mailboxes. Microsoft recognized the breach by analyzing Exchange Web Services logs and familiar tactics synonymous with Russian state-sponsored groups. Microsoft's threat intelligence has notified other targeted organizations that might be victims of similar attacks by Midnight Blizzard. Hewlett Packard Enterprise also reported unauthorized access to its Microsoft Office 365 email environment by the same group, suggesting a wider pattern of targeted cyberespionage. Microsoft has released detailed guidance for defenders to detect and counteract APT29's malicious activities, including targeted hunting queries in Microsoft Defender XDR and Microsoft Sentinel.
2024-01-26 15:01:56 bleepingcomputer MISCELLANEOUS How Wazuh Bolsters Cybersecurity Architectures for Organizations
Cybersecurity architecture is essential for protecting digital assets and requires a robust, multi-layered approach. Open Source Software, like Wazuh, offers a cost-effective, flexible alternative to proprietary security solutions. Wazuh is a free, open source security platform providing Unified XDR and SIEM protection for diverse environments. The solution offers real-time data collection and correlation, active response, compliance monitoring, and File Integrity Monitoring. Wazuh supports compliance with major standards (PCI DSS, HIPAA, GDPR, NIST SP 800-53, TSC) and enhances security data with contextual information. Its real-time detection and response capabilities prioritize and remediate high-priority incidents efficiently. Wazuh is widely adopted with over 20 million annual downloads and an active open source community providing extensive support. For detailed information on Wazuh's functionalities and integrations, the Wazuh documentation is recommended.
2024-01-26 12:36:14 bleepingcomputer MISCELLANEOUS Pwn2Own Auto Event Ends With Big Rewards for EV Hacks
The first Pwn2Own Automotive contest concluded with participants earning $1,323,750 for unveiling 49 zero-day vulnerabilities in electric car systems. Tesla vehicles were hacked twice, with Team Synacktiv claiming $450,000 for multiple exploits, including gaining root access and escaping the infotainment system sandbox. The event took place during the Automotive World conference in Tokyo and focused on electric vehicle chargers, infotainment and car operating systems. After hacking, vendors are provided with a 90-day window to patch the reported vulnerabilities before public disclosure by Trend Micro's Zero Day Initiative. Synacktiv also earned significant winnings at the Pwn2Own Vancouver 2023 event and promoters have announced the Pwn2Own Vancouver 2024 with a prize pool of over $1,000,000. The competition showcases the increasing importance of cybersecurity in the automotive industry, particularly for electric vehicles and their connected systems.
2024-01-26 12:30:24 theregister DATA BREACH Lush Cosmetics Targeted in 110 GB Data Theft by Akira Ransomware Gang
Akira ransomware gang claims to have stolen 110 GB of data from Lush, a global cosmetics brand, including passport scans and company documents related to accounting, finances, tax, projects, and clients. The data theft potentially involved access to staff-related data systems during the hiring process, with no evidence of customer data exposure at this stage. Akira operates a "name-and-shame" website categorizing victims into those who have and have not paid the ransom, with threats to publish stolen data. Lush has acknowledged an "incident" on January 11, taking steps to secure systems, and has engaged forensic experts for investigation, in line with typical responses to ransomware attacks. Insider posts in Lush's unofficial Reddit community suggest staff were instructed to send in laptops for "cleaning," consistent with mitigating a cybersecurity breach. Sophos researchers are unsure whether Lush's incident involved encryption-based ransomware or simple extortion, but the group is known to attack through vulnerable network components and the absence of multifactor authentication. Akira has established a reputation for targeting various industries in multiple countries, demanding sizable ransoms, and is possibly linked to the defunct Conti ransomware group.
2024-01-26 11:08:20 thehackernews MISCELLANEOUS Enhancing Multi-Layered Cybersecurity with Automated Tools
Defense-in-Depth, or multi-layered defense, is an established cybersecurity strategy aiming to protect assets through multiple redundant layers of security controls. Despite its widespread adoption, organizations are facing increased cyber threats and breaches, revealing gaps in the multi-layered approach. Breach and Attack Simulation (BAS) tools have emerged as automated solutions to regularly test and improve the effectiveness of each security layer. Automation in cyber threat intelligence (CTI) is crucial, using Large Language Models (LLMs) to handle and analyze the abundance of threat intelligence reports. BAS tools are used to mimic real-life cyber attacks, allowing organizations to assess and bolster defenses at the network, host, application, and data layers. Security teams can now continuously validate their defenses with BAS, proactively identifying vulnerabilities and ensuring readiness against evolving threats. The article underscores the importance of regular testing and adaptation of security strategies to match the dynamic nature of cyber threats, as championed by Picus Security.
2024-01-26 09:46:45 thehackernews MALWARE Malicious Google Ads Trick Users with Fake Apps to Deploy Trojans
Chinese-speaking users have been targeted with malicious ads that falsely offer messaging apps like Telegram, WhatsApp, and LINE. The ads direct users to download fake versions of these apps, which are actually Remote Administration Trojans (RATs) giving attackers full machine control. This campaign, named FakeAPP, exploits Google advertiser accounts to display fraudulent ads that redirect to malware-laden downloads via Google Docs and Google Sites. The fake apps associated with the campaign can deploy dangerous trojans like PlugX and Gh0st RAT. Two advertiser accounts from Nigeria, Interactive Communication Team Limited and Ringier Media Nigeria Limited, have been identified as sources of the fraudulent ads. PhaaS platform Greatness is highlighted for its role in targeting Microsoft 365 users for credential harvesting, offering tools for phishing email attacks. Email phishing lures have been used to distribute malware, such as AsyncRAT, to South Korean companies, employing false urgency and spoofed identities of trusted entities.
2024-01-26 06:07:29 thehackernews NATION STATE ACTIVITY Microsoft Exposes APT29's Global Espionage Attacks on Organizations
Microsoft has identified expanding espionage activities by state-sponsored Russian hacking group APT29 targeting various organizations worldwide. The attacks focus on governments, diplomatic entities, NGOs, and IT service providers, predominantly in the U.S. and Europe, aiming to extract sensitive information for Russia's strategic interests. APT29, also known as The Dukes or Cozy Bear, utilizes compromised accounts and OAuth applications to evade detection and maintain long-term access to target environments. Microsoft's notification follows an admission by Hewlett Packard Enterprise (HPE) of their systems being compromised by the same group. In the November 2023 attack on Microsoft, the threat actors executed a password spray attack through residential proxies, compromising a non-production account lacking multi-factor authentication. Microsoft stresses the importance of defense measures against rogue OAuth applications and password spraying to counter the sophisticated tactics employed by APT29.