Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11760
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-25 07:22:50 | thehackernews | MALWARE | New CherryLoader Malware Exploits Mimic Legitimate Application for Payload Delivery | A newly discovered malware loader, CherryLoader, is impersonating a legitimate note-taking app, CherryTree, to deploy exploits for privilege escalation on compromised hosts. Analysis by Arctic Wolf Labs has identified the loader in two intrusions, where it was used to drop the privilege escalation tools PrintSpoofer or JuicyPotatoNG. CherryLoader is modular, enabling attackers to swap exploits without needing to recompile the malware's code. The distribution method of CherryLoader is uncertain, but observed attack chains indicate it uses a RAR file hosted on a specific IP address. The malware uses process ghosting, an evasive fileless technique, to run its payload, avoiding detection by antivirus systems like Microsoft Defender. After successful privilege escalation, the malware establishes persistence on the victim's device with a batch file script that also attempts to disarm Microsoft Defender. Security experts warn that CherryLoader is a sophisticated multi-stage downloader with encryption and anti-analysis techniques designed to deploy public privilege escalation exploits stealthily. | Details |
| 2024-01-25 05:56:15 | thehackernews | NATION STATE ACTIVITY | Russian APT29 Group Compromises HP Enterprise Email Systems | Russian hackers, linked to the Kremlin and known as APT29, have infiltrated HP Enterprise's cloud email environment, leading to data exfiltration. The breach, reported in an SEC filing by HPE, involved unauthorized access to mailboxes of key personnel in cybersecurity and other vital departments. The intrusion at HPE, reported to have begun in May 2023, lasted over six months before detection, with the company notified on December 12, 2023. The same Russian group is believed to have conducted a similar attack against Microsoft's corporate systems in November 2023. A prior security event, also attributed to APT29, occurred with SharePoint files being exfiltrated as early as May 2023, with HPE alerted in June 2023. HPE claims the recent security breach has not significantly impacted its business operations, although details of the theft's extent remain undisclosed. APT29 is linked to the Russian SVR and is known for its involvement in several high-profile cyber-attacks, including the 2016 DNC hack and the 2020 SolarWinds incident. | Details |
| 2024-01-25 02:06:48 | theregister | NATION STATE ACTIVITY | HPE Confirms Cozy Bear's Infiltration of Its Cloud Email Services | Hewlett Packard Enterprise (HPE) announced that suspected Russian entity Cozy Bear breached its cloud email system. The malicious activity began in May 2023 and was first detected by HPE in June 2023, but initial containment measures seemed ineffective. Cozy Bear, also known as Midnight Blizzard, accessed and exfiltrated data from select HPE mailboxes. Affected email accounts were related to cybersecurity, sales, and other business operations of HPE. HPE launched an immediate response to investigate, contain, and remediate the breach, claiming to have eradicated the cyber intrusion. Despite the security breach, HPE reported that the incident did not materially impact its operations or future financial projections. HPE's stock price remained stable following the announcement, reflecting investor perception that such breaches are expected risks for technology companies. This breach raises concerns about the reliability of major tech companies' security offerings, especially as Microsoft and HPE both disclosed security breaches within the same week. | Details |
| 2024-01-25 00:24:57 | theregister | NATION STATE ACTIVITY | US Court Advances Apple's Lawsuit Against Spyware Maker NSO | A US judge has refused to dismiss Apple's lawsuit against NSO Group for deploying spyware on iDevices. Apple accuses NSO of violating the US Computer Fraud and Abuse Act and other laws via its Pegasus spyware. NSO must now respond to Apple's allegations by February 14 following the court's decision to proceed. Pegasus allowed unauthorized access to phone calls, messages, and device cameras and microphones. NSO has faced US sanctions and claims that its spyware was misused to target journalists and activists. The court ruled that Apple's loss fits within the anti-hacking law, dismissing NSO's motion. Apple continues its fight against spyware through new security features and grants to civil society groups. NSO Group intends to continue the legal battle, claiming its technology is vital for law enforcement and public safety. | Details |
| 2024-01-24 21:51:54 | bleepingcomputer | NATION STATE ACTIVITY | Russian State-Sponsored Hackers Infiltrate HPE Email System | HPE disclosed that Russian hackers, known as Midnight Blizzard, accessed its Office 365 email environment, targeting the cybersecurity team among others. Midnight Blizzard is attributed to various attacks, including the 2020 SolarWinds breach, and is believed to be part of Russia's SVR. Hackers exfiltrated data from HPE mailboxes since May 2023, as revealed in a recent SEC filing. HPE's investigation relates this incident to an earlier breach of its SharePoint server in May 2023. HPE is working with external cybersecurity experts and law enforcement to further investigate the breach. HPE activated immediate cyber response protocols upon discovery to investigate and mitigate the breach. There has been no operational impact on HPE's business, and no significant financial impact is anticipated. The breach at HPE follows a separate, but potentially similar, incident involving Midnight Blizzard's data theft from Microsoft's corporate email accounts. | Details |
| 2024-01-24 19:48:57 | bleepingcomputer | CYBERCRIME | Cybercrime Syndicate Operates 70,000-Site Traffic Redirection Network | VexTrio is a traffic distribution system (TDS) controlling over 70,000 domains for cybercrime purposes. TDS networks like VexTrio redirect users to malicious sites, including phishing pages and malware distributors. Active since 2017, VexTrio partners with at least 60 affiliates to orchestrate wide-reaching cyber attacks. Infoblox's report uncovers the extensive collaboration between VexTrio and notorious campaigns like ClearFake and SocGholish. VexTrio's affiliates leverage the Keitaro TDS service for an additional layer of redirection, complicating detection efforts. The operation generates illicit revenue through abuse of legitimate referral programs, further intertwining its activities with genuine services. Users are advised to browse SSL-certified sites only, block push notifications, and use ad-blockers to mitigate threats posed by VexTrio. Infoblox emphasizes that the intricate nature of VexTrio's operation makes it difficult to eradicate, but identification of its network is a critical countermeasure. | Details |
| 2024-01-24 18:00:49 | bleepingcomputer | CYBERCRIME | Over 5,300 GitLab Instances Vulnerable to Zero-click Takeover | Over 5,300 GitLab servers are at risk due to a critical zero-click account takeover flaw (CVE-2023-7028) with a CVSS score of 10.0. Attackers can reset targeted accounts' passwords and have the reset emails sent to their own addresses, potentially taking over any account that lacks 2FA. Vulnerable versions include GitLab Community and Enterprise Editions across multiple release lines, with patches released in multiple versions as of January 11, 2024. ShadowServer found the majority of the affected servers are in the US, Germany, Russia, China, France, the U.K., India, and Canada. Unpatched instances are susceptible to supply chain attacks, code disclosures, and leaks of API keys among other threats. GitLab recommends that admins who discover breaches rotate all sensitive credentials and enforce 2FA, as well as check for tampering within developer environments. Despite no reported exploitation of the vulnerability to date, GitLab urges immediate action to mitigate potential compromise. | Details |
| 2024-01-24 17:35:00 | theregister | CYBERCRIME | Suspected Cyberattack Disrupts Europe's Largest RV Club Services | The Caravan and Motorhome Club (CAMC) is experiencing a significant IT outage, with systems down for five days. Over 1 million members are affected, with disruptions to booking systems and digital services, raising suspicions of a cyberattack. CAMC has reported the incident to the Information Commissioner's Office (ICO), implying a serious data security event. The onset of the outage coincided with a scheduled maintenance period, but issues have persisted, leading to external teams being brought in for resolution. Members report near-total digital disruption and concerns over the potential leak of sensitive data, including holiday schedules and home addresses. CAMC is facing criticism from members for insufficient communication regarding the nature and extent of the problem. Official communications maintain there's no evidence of member data compromise, but the ICO's involvement suggests other data may be at risk. Social media and member sentiments suggest frustration over the lack of transparency and updates from CAMC. | Details |
| 2024-01-24 16:59:07 | bleepingcomputer | CYBERCRIME | UK Warns of Escalating Ransomware Threats Due to AI Advancements | The UK's National Cyber Security Centre (NCSC) cautions that artificial intelligence (AI) will significantly enhance ransomware capabilities in the near future. AI is expected to lower the barrier to entry for initiating sophisticated cyberattacks, allowing less experienced hackers to execute complex operations. Cybercriminals are increasingly using AI to streamline various phases of cyberattacks, including reconnaissance and the creation of phishing lures and malware. Specialized generative AI services, like WormGPT, have emerged outside secure environments, offering malicious content generation for criminal activities. High-skill threat groups (APTs) could potentially utilize AI to create malware designed to bypass current security systems. Intermediate and low-skilled hackers will benefit from AI in aspects like social engineering and data extraction but will still struggle with lateral movement without human expertise. The NCSC emphasizes the role of AI in evolving and enhancing existing cyber threats, with a particular concern about the difficulty of detecting AI-powered phishing and social engineering attacks. | Details |
| 2024-01-24 16:38:18 | bleepingcomputer | CYBERCRIME | EquiLend Disrupts Operations Amidst Unauthorized Cyberattack | New York-based financial technology firm EquiLend experienced a cyberattack that caused system outages on January 22, 2024. The cyberattack led to unauthorized access to the company's network; EquiLend immediately initiated an investigation to secure its systems. EquiLend is currently collaborating with third-party cybersecurity experts to expedite service restoration and understand the breach's impact. The company informed its clients about potential service disruptions lasting several days but hasn't confirmed any data compromise yet. This cybersecurity incident follows the announcement that EquiLend will be acquired by Welsh, Carson, Anderson & Stowe, with the transaction expected to close in Q2 2024. EquiLend, a prominent entity established by a consortium of major banks and broker-dealers, services over 190 firms globally with its securities lending trading platform. | Details |
| 2024-01-24 15:05:54 | theregister | CYBERCRIME | Critical Exploit Discovered in GoAnywhere MFT Software | A critical vulnerability in GoAnywhere MFT software, enabling admin access, has been exploited by Horizon3 researchers, who released a working proof of concept. The exploit is based on an old path traversal flaw and is tracked as CVE-2024-0204, with a severity rating of 9.8. Affected versions are 6.x from 6.0.1 to before 6.7.5, and 7.x to before 7.1.5; users are advised to update to avoid potential compromise. As a temporary mitigation, Fortra recommends deleting the InitialAccountSetup.xhtml file or replacing it with an empty one for various deployments. While no exploit attempts have been detected yet, the availability of public proof-of-concept code suggests that attempts could increase soon. The use of GoAnywhere MFT by government and critical infrastructure entities raises concerns about the potential for significant data theft. This vulnerability disclosure comes after a dramatic year for Fortra, with the Clop cybercrime group previously exploiting a GoAnywhere zero-day to target more than 130 companies. | Details |
| 2024-01-24 15:05:54 | bleepingcomputer | CYBERCRIME | Bolstering Password Security Without Compromising User Experience | Microsoft detected approximately 1,287 password attacks every second throughout 2022, emphasizing the need for improved password security in organizations. Traditional password advice, such as 8-character passwords with varied characters and mandatory periodic changes, has resulted in weak and predictable passwords due to the human tendency toward convenience and memorability. The National Cyber Security Centre advocates for passwords comprising three random words, as they are both harder for attackers to guess and easier for users to remember. The National Institute of Standards and Technology recommends tailoring password expiration dates to password length, reducing the frequency of mandatory changes for longer passwords. Specops Software offers a solution with Breached Password Protection to prevent the use of known compromised passwords, enhancing Active Directory account security. Organizations can use sophisticated password security tools that enforce password strength and length-based aging while blocking breached passwords, helping to maintain robust security without inconveniencing users. With these strategies, organizations aim to not only fortify their defenses against cyber threats but also improve the overall end-user experience with simpler, yet secure, authentication methods. | Details |
| 2024-01-24 14:34:54 | thehackernews | CYBERCRIME | Critical Misconfiguration in Google Kubernetes Engine Risks Cluster Takeovers | Cybersecurity researchers identified a critical vulnerability in Google Kubernetes Engine that could allow any Gmail user to control Kubernetes clusters. Approximately 250,000 active GKE clusters are estimated to be at risk of being compromised due to this issue. The vulnerability arises from a misconception about the system:authenticated group, which is believed to contain only verified identities but actually includes any Google-authenticated account. Attackers could exploit the flaw by using a Google OAuth 2.0 bearer token, enabling unauthorized access and potential activities like lateral movement, cryptomining, and sensitive data theft. The exploitation method does not leave traces that can be readily linked to the specific Gmail or Google Workspace account used. Google has responded by updating GKE to prevent binding of the system:authenticated group to the cluster-admin role in versions 1.28 and above and has advised users not to bind the group to any RBAC roles. Orca Security has cautioned that while no large-scale attacks using this technique have been recorded, the potential risk should not be overlooked, and users are advised to secure their clusters proactively. | Details |
| 2024-01-24 13:38:31 | bleepingcomputer | CYBERCRIME | Researchers Reveal 24 Zero-Days, Hack Tesla at Pwn2Own 2024 | Security researchers uncovered 24 zero-day exploits at Pwn2Own Automotive 2024, targeting a Tesla and other automotive technologies. The team from Synacktiv won $295,000 on the first day, successfully exploiting the Tesla Modem and various EV charging stations. NCC Group EDG ranked second, earning $70,000 by hacking infotainment systems and an EV charger. After identified vulnerabilities are reported, vendors have 90 days to fix the issues before public disclosure. Pwn2Own Automotive 2024 in Tokyo is part of the larger Automotive World conference, with a focus on vehicle-related cybersecurity. Participants aim to expose vulnerabilities in Tesla's in-vehicle systems and EV charging technologies from multiple brands. The highest reward includes $200,000 plus a Tesla car for significant exploits in critical vehicle systems. Last year, Pwn2Own Vancouver 2023 saw researchers awarded $1,035,000 and a Tesla Model 3 for demonstrating 27 zero-day exploits. | Details |
| 2024-01-24 11:56:24 | thehackernews | MALWARE | Kasseika Ransomware Evades Security Using Vulnerable Driver Trick | Kasseika ransomware is deploying BYOVD (Bring Your Own Vulnerable Driver) tactics, a method also used by Akira, AvosLocker, BlackByte, and RobbinHood. This technique involves disabling antivirus processes before deploying ransomware, a method analyzed by Trend Micro. The ransomware shows similarities to the defunct BlackMatter and suggests that experienced threat actors may be leveraging acquired access to BlackMatter's resources. Kasseika's infection process starts with a phishing email, followed by distributing RATs and using tools like PsExec for lateral movement within networks. The group uses a malicious signed driver, "viragt64.sys," which is on Microsoft's vulnerable driver blocklist, to neutralize 991 security tools. Once the security tools are bypassed, Kasseika launches its ransomware payload, encrypts files with ChaCha20 and RSA, and then demands a ransom paid in Bitcoin. Kasseika's ransomware also attempts to cover its tracks by wiping system event logs to impede detection by security tools. | Details |