Daily Brief

2024-01-26 05:16:03 thehackernews CYBERCRIME Cisco Issues Patches for Severe Unified Communications Vulnerability
Cisco has patched a critical flaw (CVE-2024-20253) in several of its Unified Communications and Contact Center Solutions products that could let an unauthenticated, remote attacker execute arbitrary code. The vulnerability, rated CVSS 9.9, arises from improper processing of user-supplied input and is triggered by sending a specially crafted message to a listening port on an affected device. Successful exploitation yields the privileges of the web services user, from which the attacker could escalate to root on the underlying operating system. Julien Egloff, a security researcher at Synacktiv, is credited with discovering and reporting the issue. There are no workarounds; Cisco urges customers to apply the fixed releases immediately and, where that is not yet possible, to restrict access to the affected components with access control lists as an interim mitigation. The advisory follows Cisco's recent fix for another critical issue, CVE-2024-20272, in Unity Connection.
2024-01-26 00:00:49 theregister MALWARE Trickbot Developer Imprisoned, Gang Cost Victims Millions
Vladimir Dunaev, a former Trickbot malware developer, was sentenced to more than five years in prison for his part in the operation. Dunaev built components used to infect victims, steal banking credentials and stage further malware, including against US hospitals and businesses. Victims reported tens of millions of dollars in losses, and the UK National Crime Agency estimates the Trickbot gang extorted at least $180 million from organizations worldwide. His role ranged from writing malicious code and browser modifications to laundering the proceeds of the operation. One of his co-defendants, Alla Witte, has already been sentenced as the US continues its crackdown on international cybercriminals. Trickbot started as a banking trojan and grew into a full malware-as-a-service platform before it was shut down in 2022. The US and UK have sanctioned several individuals tied to distribution of the Trickbot trojan and of various ransomware families.
2024-01-25 22:08:19 bleepingcomputer DATA BREACH 23andMe Suffers Extensive Data Breach; Health and Genotype Data Compromised
Genetic testing company 23andMe confirmed that a credential stuffing attack, which ran for roughly five months, compromised customer accounts. Health reports and raw genotype data belonging to millions of customers were taken, and some of it later appeared on hacking forums and a subreddit. Attackers reused login credentials stolen in unrelated breaches to access about 14,000 accounts, then used the DNA Relatives and Family Tree features to pull profile data on almost 6.9 million customers. Following the breach, 23andMe forced password resets and made two-factor authentication mandatory. The company faces multiple lawsuits and has updated its Terms of Use to limit customers' ability to join class actions, describing the change as an improvement to its arbitration process.
2024-01-25 20:30:36 bleepingcomputer MALWARE Blackwood Group Installs NSPX30 Malware via Software Updates
A previously unidentified threat actor, which ESET has named Blackwood, has conducted cyberespionage since at least 2018 using a multistage implant called NSPX30, targeting companies and individuals in line with Chinese state interests. NSPX30 is delivered by hijacking the update mechanisms of legitimate software such as WPS Office, Tencent QQ and Sogou Pinyin through adversary-in-the-middle (AitM) attacks on the update traffic, a method distinct from a conventional supply-chain compromise of the vendor. ESET researchers also believe Blackwood intercepts traffic to disguise its command and control (C2) communications and may cooperate with other China-aligned APT groups. NSPX30 descends from a simple backdoor written in 2005 and has grown into a multilayered implant with system information collection, keylogging and anti-detection features, including evasion of Chinese anti-malware products. Its backdoor steals chat logs and other sensitive data and gives the operators remote control of the host. ESET has published detailed technical analysis and indicators of compromise for detecting and defending against NSPX30 infections.
2024-01-25 18:56:30 bleepingcomputer MALWARE Russian TrickBot Developer Sentenced for Global Cyberattacks
Russian national Vladimir Dunaev was sentenced to 64 months in prison for his role in the TrickBot malware operation, which targeted hospitals, companies and individuals. Dunaev developed a TrickBot component that performed browser injections to siphon sensitive information from victims. Arrested in South Korea and extradited to the U.S., he pleaded guilty to charges including computer fraud and identity theft. Prosecutors highlighted the disruption and financial damage caused by attacks carried out by Dunaev and his co-defendants. TrickBot evolved from a banking credential stealer into a sophisticated delivery platform used to launch ransomware attacks. Despite takedown attempts, the Conti ransomware group continued to use TrickBot, which had links to Russian intelligence. Leaked internal Conti communications later exposed that association and contributed to the group's disbandment into new ransomware entities.
2024-01-25 18:30:08 bleepingcomputer DATA BREACH iPhone Apps Exploit Push Notifications to Harvest User Data
Numerous iOS apps are abusing push notifications to start background processing that collects device data without user consent. Mobile researcher Mysk showed that the apps exploit the iOS feature that silently launches an app in the background to process an incoming notification, using that window to send device data to their servers and sidestepping Apple's restrictions on background activity. Apps found doing this, including TikTok and Facebook, collect signals such as system uptime, locale, battery status and display brightness, which can be combined for fingerprinting and tracking. Apple plans to address the issue by restricting APIs that expose such device signals; starting in spring 2024, apps must declare an approved reason for using them to remain on the App Store. Until then, the only way for users to stop the collection is to disable the app's notifications entirely, since merely muting them still allows the background launch. Separately, revelations in December showed that governments have requested push notification records from Apple and Google to monitor users, and Apple said it had been barred from disclosing details of those requests.
2024-01-25 15:51:26 bleepingcomputer CYBERCRIME Synacktiv Dominates Pwn2Own Tokyo, Exposes Flaws in Tesla’s Systems
Pwn2Own Automotive 2024, held as part of the Automotive World conference in Tokyo, challenges participants to compromise EV chargers, automotive operating systems and infotainment systems, with a top prize of $200,000 and a Tesla car. Team Synacktiv earned $100,000 for chaining two zero-day vulnerabilities to compromise Tesla's infotainment system, plus $35,000 for a three-bug zero-day chain against the Automotive Grade Linux OS. On the first day the team had already earned $295,000 by rooting a Tesla modem and hacking several EV charging stations. So far, 48 unique zero-days have been demonstrated and $1,101,500 awarded. Vendors get 90 days to fix the vulnerabilities before Trend Micro's Zero Day Initiative publicly discloses them. The event follows Pwn2Own Vancouver 2023, where researchers earned $1,035,000 and a Tesla Model 3.
2024-01-25 14:44:13 bleepingcomputer CYBERCRIME Cisco Issues Alert for Critical Security Flaw in Communication Products
Cisco has issued a security advisory for a critical remote code execution (RCE) vulnerability affecting several of its Unified Communications Manager and Contact Center Solutions products. The flaw, CVE-2024-20253, could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Discovered by Synacktiv researcher Julien Egloff, it carries a severity rating of 9.9 out of 10. An attacker exploits it by sending a specially crafted message to a listening port on a vulnerable device, gaining command execution as the web services user and potentially escalating to root. Products are vulnerable in their default configurations; Cisco has released fixed software and states there is no workaround. Until updates can be applied, Cisco advises administrators to restrict access to the affected components with access control lists (ACLs), and has published guidance on doing so while cautioning admins to assess and test the mitigation before deployment to avoid disrupting the business. At the time of the advisory, Cisco was not aware of any public disclosure or malicious exploitation of the vulnerability.
2024-01-25 14:28:25 thehackernews MALWARE SystemBC Malware Analysis Uncovers Stealthy Payload Delivery
Cybersecurity researchers have analyzed the command-and-control (C2) server infrastructure behind the SystemBC malware. Sold on dark web marketplaces, SystemBC lets attackers remotely control compromised hosts and deliver additional payloads. First seen in 2018, it is known for tunneling traffic through SOCKS5 proxies to obfuscate its network activity and maintain persistent access for post-exploitation work. The package sold to buyers includes executables for Windows and Linux, a PHP-based web panel for the C2 server, and instructions in multiple languages. The C2 server opens several TCP ports to handle C2 traffic, inter-process communication and the connection for each infected host. The PHP panel is simple but shows live information on active implants and lets operators run shellcode and arbitrary files on compromised machines. The same analysis covered an updated version of DarkGate, a remote access trojan (RAT), in which the researchers identified a decoding weakness in the custom Base64 alphabet it uses for exfiltration. The findings give defenders concrete detection opportunities and illustrate how commodity C2 tooling continues to evolve.
2024-01-25 14:17:54 bleepingcomputer MALWARE WordPress Plugin Flaw Exploited by Hackers on 1 Million Sites
Hackers are exploiting a critical severity flaw in the 'Better Search Replace' WordPress plugin, which is active on more than one million sites. The vulnerability, tracked as CVE-2023-6933, is a PHP object injection: the plugin deserializes untrusted input, so an unauthenticated attacker can inject an arbitrary PHP object. WP Engine, the plugin's developer, has released version 1.4.5 to address the issue, which can lead to code execution, access to sensitive data and denial of service. The plugin's deserialization call is the entry point, but the plugin itself contains no usable gadget chain, so exploitation depends on another installed plugin or theme supplying a suitable Property Oriented Programming (POP) chain. Wordfence, a WordPress security firm, reported blocking more than 2,500 attacks against this vulnerability in a single 24-hour period. Although the plugin has been downloaded close to half a million times in the past week, it remains unclear how many sites have actually updated. Users are urged to upgrade to the patched version 1.4.5 immediately.
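As an added illustration of why this class of flaw needs a second component (this is constructed demo code, not code from Better Search Replace, WP Engine or Wordfence): the plugin-side sink is a bare unserialize() on attacker-controlled input, while the actual damage comes from a "gadget" class whose magic method runs when the deserialized object is freed. The LogWriter class, the function names and the payload below are all invented for the example; the hardened variant passes allowed_classes => false so PHP instantiates nothing.

```php
<?php
// Added illustration of PHP object injection through unserialize(); this is
// constructed demo code, not code from Better Search Replace or WordPress.

// Hypothetical gadget class standing in for one that another installed plugin
// or theme might define. On its own it is benign: it flushes a buffer to the
// path it was given when the object is destroyed.
class LogWriter
{
    public string $path = '';
    public string $buffer = '';

    public function __destruct()
    {
        // Magic method: PHP calls this for every LogWriter instance that is
        // freed, including ones created by unserialize() from attacker input.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->buffer);
        }
    }
}

// Vulnerable sink: untrusted data reaches unserialize() with class
// instantiation allowed. The sink alone does nothing harmful; it becomes a
// file-write (or code-execution) primitive once a class like LogWriter is loaded.
function importSettingsVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened sink: no classes may be instantiated, so any object in the input
// is restored as __PHP_Incomplete_Class and no magic method ever runs.
function importSettingsHardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized LogWriter whose destructor will
// write attacker-chosen content to an attacker-chosen path (the POP chain).
$target  = sys_get_temp_dir() . '/pop_chain_demo.txt';
$content = 'written by the gadget';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);

$obj = importSettingsVulnerable($payload);
unset($obj);                                  // destructor fires here and writes $target
printf("vulnerable sink wrote file: %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

$safe = importSettingsHardened($payload);
printf("hardened sink produced: %s\n", get_class($safe));
unset($safe);                                 // incomplete class: no destructor runs
printf("hardened sink wrote file: %s\n", file_exists($target) ? 'yes' : 'no');
```

Run it with `php demo.php` (PHP 8.0 or later, for the `mixed` return type). Where the data format is under your control, `json_decode()` avoids the problem entirely; where `unserialize()` must stay, an explicit allowlist of the expected classes in `allowed_classes` is the next best option, and it is the gadget class that a site owner cannot audit for, since it can arrive with any other plugin or theme.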
2024-01-25 14:02:10 theregister CYBERCRIME EquiLend Systems Taken Offline After Cyber Attack
EquiLend, a major US securities lending platform, took systems offline after detecting unauthorized access, disrupting Wall Street transactions. Restoration is expected to take several days, with external cybersecurity firms assisting in the investigation and recovery. The intrusion was detected on January 22, 2024, and the company is operating manually in the meantime, which may affect the speed and quality of transactions. The LockBit ransomware group has claimed responsibility and says it is negotiating with EquiLend. Manual operations typically mean slower processing and higher costs, but the impact on financial services is usually manageable. The incident comes shortly after EquiLend agreed to sell a majority stake to a private equity firm in a deal valued at up to $700 million. It follows a string of high-profile breaches in the US financial sector, including Fidelity National Financial, Mr Cooper and loanDepot.
2024-01-25 12:04:03 thehackernews MALWARE Jenkins Patches Critical RCE Vulnerability - Immediate Update Recommended
Jenkins has resolved nine security issues, including a critical vulnerability tracked as CVE-2024-23897 that can lead to remote code execution (RCE). The flaw is an arbitrary file read through Jenkins' built-in command line interface (CLI), caused by a feature of the CLI's command parser that substitutes the contents of a file on the controller into command arguments. Attackers can use it to read arbitrary files on the Jenkins controller, though binary content may be only partially recoverable because of character-encoding transformations. An attacker with "Overall/Read" permission can read entire files, which opens the door to further attacks. Jenkins has shipped fixes in versions 2.442 and LTS 2.426.3 and recommends disabling access to the CLI as a short-term mitigation until the update can be applied. The disclosure comes almost a year after Jenkins addressed another set of serious security issues. Users are urged to patch immediately.
2024-01-25 11:33:18 thehackernews MALWARE Enhanced LODEINFO Malware Targets Multiple Languages with Fileless Tactics
LODEINFO, an evolving fileless backdoor, has been updated with new anti-analysis techniques and remote code execution features. It is distributed through spear-phishing campaigns that originally targeted Japanese entities but now account for a broader set of language settings. Stone Panda, a Chinese nation-state actor, has been identified as the group deploying LODEINFO via malicious macros in Microsoft Word documents. Recent versions use remote template injection to fetch the malicious macros and check the language settings of the victim's Microsoft Office installation before proceeding. LODEINFO version 0.7.1 adds an intermediate stage that downloads a file disguised as a Privacy-Enhanced Mail (PEM) file, which in turn loads the backdoor directly into memory. These techniques underscore the need for memory-scanning security tooling to detect and contain fileless malware.
2024-01-25 11:22:43 thehackernews CYBERCRIME Axur Report Unveils Rising Cyber Threats and AI's Role in 2023/2024
The Axur Threat Landscape Report for 2023/2024 reports a significant increase in cyberattacks and argues that cyber risk has converged with business risk, urging organizations to rework their security strategies. Geopolitical tensions, notably the Russia-Ukraine conflict, are shaping cybercriminal tactics. Ransomware groups increasingly prioritize data exposure over encryption, raising the risk of data breach fines for victims. AI is being used in more sophisticated scams, including deepfake videos and automated social engineering. The report notes a threefold increase in leaked credit and debit card details, while credential leaks remained stable in volume but shifted in source. Axur stresses brand protection in light of increased detection of brand misuse and describes newer fraud tactics such as "apphishing". The vendor highlights its takedown volumes and response times as key to mitigating these threats, and its Deep & Dark Web findings point to a need for continuous monitoring and swift response. Axur also introduces Polaris, an AI-powered threat management tool intended to streamline threat intelligence and speed up organizational response.
2024-01-25 10:11:06 thehackernews NATION STATE ACTIVITY China-Aligned APT Hijacks Software Updates with "NSPX30" Spyware
A China-aligned APT group known as Blackwood, active since at least 2018, has been hijacking legitimate software updates to deliver the "NSPX30" spyware. The attacks mainly target manufacturing, trading and engineering companies in China, Japan and the U.K., along with individuals in those regions. NSPX30 includes several components designed to hide its infrastructure and can bypass Chinese antivirus products. The backdoor traces back to Project Wood from 2005 and has gone through multiple iterations; the current variant abuses unencrypted HTTP update traffic to intercept requests and serve malicious updates. ESET suggests compromised network appliances such as routers may be used to deliver the malware, although the exact delivery mechanism remains unclear. Once deployed, the NSPX30 orchestrator component runs and downloads a backdoor capable of collecting files, opening a reverse shell, terminating processes, logging keystrokes and uninstalling itself. The recently identified activity of the APT group Volt Typhoon highlights the same broader trend of attackers leveraging outdated network infrastructure for espionage and data exfiltration.