Daily Brief

Articles are listed below with their source, category and a machine-generated summary.

Total articles found: 12705

Checks for new stories every ~15 minutes

2024-03-27 13:21:43 thehackernews CYBERCRIME CISA Flags SharePoint Flaw Being Exploited by Hackers
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability in Microsoft SharePoint Server, CVE-2023-24955, to its Known Exploited Vulnerabilities catalog on evidence of active exploitation. On affected SharePoint Server versions, an authenticated attacker holding Site Owner privileges can execute arbitrary code on the server. Microsoft patched the bug in its May 2023 Patch Tuesday release. An exploit chain combining CVE-2023-24955 with a second SharePoint flaw, CVE-2023-29357 (an elevation-of-privilege bug), was previously demonstrated at a hacking contest, earning the researchers $100,000. No details have been released about who is exploiting the flaw or whether the full chain is being used in the wild. Federal Civilian Executive Branch (FCEB) agencies must apply the fix by April 2024. Customers with automatic updates enabled and the "Receive updates for other Microsoft products" option turned on already have the patch; everyone else should confirm the May 2023 SharePoint security update is installed.
2024-03-27 13:00:47 bleepingcomputer NATION STATE ACTIVITY Surge in Government-Linked Zero-Day Exploits Exposed
Google's Threat Analysis Group (TAG) and Mandiant counted 97 zero-day vulnerabilities exploited in the wild in 2023, a roughly 50% increase over 2022. Spyware vendors and their government customers were behind many of the exploits: about half of the zero-days were linked to commercial surveillance vendors (CSVs), targeting both end-user platforms and enterprise technologies, and CSVs accounted for 75% of the known zero-day exploits against Google products and the Android ecosystem. Chinese state-sponsored actors exploited 12 zero-days, the most of any state attribution and a continuation of an upward trend. For high-risk users Google recommends hardening features such as Memory Tagging Extension (MTE) on supported Android devices and Apple's Lockdown Mode, which raise the cost of exploiting memory-corruption bugs. In response to the abuse of commercial spyware, the U.S. imposed sanctions and visa restrictions on individuals and firms tied to spyware operations, including the operators of the Predator spyware and their founder.
2024-03-27 12:55:23 thehackernews MALWARE Microsoft Edge Flaw Allowed Stealthy Extension Installation
Microsoft patched a vulnerability in the Edge browser, tracked as CVE-2024-21388 (CVSS 6.5), that allowed extensions to be installed silently. Guardio Labs discovered and responsibly disclosed it, and the fix shipped in the Edge stable release of January 25, 2024. The root cause was a private Microsoft API, originally built for marketing purposes and exposed only to privileged Microsoft-owned pages, that did not validate the extension identifier it was given. Any JavaScript running in the context of pages such as bing[.]com or microsoft[.]com could therefore call it to install any extension from the Edge store, with broad permissions and no user interaction. Microsoft's advisory notes that the flaw could lead to a browser sandbox escape and that an attacker would first have to prepare the target environment. No active exploitation has been observed; Guardio's point is that browser customizations that grant special privileges to first-party pages widen the attack surface.
2024-03-27 11:02:53 theregister DATA BREACH Social Enterprise Big Issue Hit by Ransomware Data Leak
The Big Issue, a UK street newspaper sold by homeless and vulnerably housed vendors, has suffered a cybersecurity incident claimed by the Qilin ransomware gang. Qilin says it stole 550 GB of data, including personal details of employees and subscribers. The leaked sample reportedly includes the CEO's driving licence, salary details and employee passport scans; subscribers' personal email addresses and bank details (account numbers and sort codes) may also have been taken. The Big Issue Group has restricted system access, engaged IT security experts, law enforcement and regulators, and begun restoring systems. Publication and distribution of the magazine are unaffected and services to vendors continue. The UK Information Commissioner's Office (ICO) has been notified, which will bring a review of the organisation's data protection practices.
2024-03-27 11:02:53 thehackernews CYBERCRIME Enhancing SASE Security with Enterprise Browser Extensions
Organizations increasingly rely on Secure Access Service Edge (SASE) to secure cloud-based networks and improve network performance. A new report from LayerX argues that SASE leaves significant gaps against web-borne threats, including phishing and malicious browser extensions, and that a secure enterprise browser extension is needed to close them with in-browser, real-time protection and granular visibility. The report walks through three use cases where network-layer controls fall short: phishing attacks, malicious extensions and account takeovers. With SaaS applications now the norm, the browser has become the main workspace and therefore a critical point of exposure. LayerX's position is that network security alone is not enough and that organizations should add browser-level controls; the full report is available for download.
2024-03-27 10:42:12 thehackernews CYBERCRIME AI Platform Exploitation for Crypto Mining Underscores Security Flaw
Attackers are exploiting CVE-2023-48022 in the Anyscale Ray AI framework to mine cryptocurrency. The flaw is a missing authentication check on Ray's Jobs API: anyone who can reach an exposed Ray dashboard can submit a job, which amounts to arbitrary remote code execution on the cluster. The campaign, named ShadowRay, has been active since September 2023 and targets AI workloads across sectors including education and biopharma. Ray is used by large organizations such as OpenAI, Uber and Netflix, which heightens the potential impact. Anyscale disputes the CVE, stating that Ray is designed to run inside a trusted network and that authentication is planned for a future release, so there is no patch. Security firm Oligo observed hundreds of compromised Ray GPU clusters, with data leaks that included sensitive credentials; beyond mining, attackers established persistent remote access and used harvested cloud credentials to move into cloud environments. The practical mitigation is to treat the Ray dashboard and Jobs API as unauthenticated administrative interfaces: never expose them to untrusted networks, and restrict access with firewall rules or an authenticating reverse proxy.
2024-03-27 07:58:49 thehackernews MALWARE Evolving Phishing Scheme Employs Agent Tesla Keylogger via Email
A new phishing campaign delivers the Agent Tesla keylogger through a previously unseen malware loader. Victims receive an email posing as a bank payment notice with a malicious attachment that starts the infection chain. The loader hides behind obfuscation and polymorphic behaviour to evade antivirus products and routes its traffic through proxies to disguise it. Two variants of the .NET loader use different decryption routines to retrieve the payload from a remote server, and both attempt to evade the Windows Antimalware Scan Interface (AMSI). Agent Tesla is then executed entirely in memory, harvesting data and exfiltrating it over SMTP through a compromised email account. Trustwave, which documented the campaign, sees it as a notable evolution in how Agent Tesla is deployed, with an emphasis on stealth. The article also references related phishing activity by other cybercrime groups, including the Tycoon phishing kit targeting Microsoft 365 users.
2024-03-27 04:23:41 thehackernews NATION STATE ACTIVITY Two Chinese APTs Intensify Espionage on ASEAN Nations
Two Chinese advanced persistent threat (APT) groups are targeting ASEAN countries in a cyber espionage campaign focused on geopolitical intelligence. One of them, Mustang Panda, used phishing emails carrying malware packages to compromise targets in Myanmar, the Philippines, Japan and Singapore; the packages rely on DLL side-loading, where a renamed copy of a legitimate program loads a malicious DLL placed next to it, to run the group's PUBLOAD malware. Unit 42 also observed network traffic between an ASEAN-affiliated entity and command-and-control infrastructure belonging to a second, unnamed Chinese APT group. Separately, a threat actor tracked as Earth Krahang has hit 116 entities across 35 countries using spear-phishing and exploitation of vulnerable servers to deliver a range of malware. Leaked documents from I-Soon, a Chinese government contractor, reveal the sale of malware to Chinese government entities and the existence of "digital quartermasters" that supply multiple state-sponsored groups. The leaks also implicate the Tianfu Cup, China's domestic hacking contest, as a pipeline for the government's stock of zero-day exploits, and show how China outsources cyber operations to a competitive market of hacker-for-hire companies supporting state espionage objectives.
2024-03-27 03:22:29 theregister MISCELLANEOUS Enhancing Data Security in a Remote Work Era with Forcepoint
Remote working has persisted after the pandemic, leaving IT security teams to safeguard sensitive data across many locations. Forcepoint Data Security Everywhere addresses this by automating data loss prevention (DLP) for both managed and unmanaged devices. The platform enforces DLP policies wherever data lives, behind the corporate firewall, in the cloud or on remote users' devices, reducing the manual work of implementing the same policy in each domain. An AI engine scans structured and unstructured data across many fields and file types, governing access and blocking improper exfiltration. Forcepoint ships a large library of pre-defined DLP classifiers, policies and templates so that organizations can deploy quickly without a large IT investment, and can map out-of-the-box frameworks onto their compliance and privacy obligations.
2024-03-26 21:26:13 bleepingcomputer NATION STATE ACTIVITY Finnish Probe Identifies Chinese APT31 as Parliament Hackers
Finnish police have confirmed that APT31, a hacking group tied to China's Ministry of State Security (MSS), was behind the 2021 breach of the Finnish Parliament. The breach, first disclosed in March 2021, gave the attackers access to multiple parliamentary email accounts, including those of Finnish MPs. A complex investigation involving Finland's Security and Intelligence Service and international partners has identified a suspect and mapped what police describe as a "complex criminal infrastructure." The U.S. Treasury Department has sanctioned two APT31 operatives, who are also charged by the Justice Department over a 14-year run of cyber operations, and the UK has sanctioned the same individuals and their front company for attacks on British targets, including parliamentarians and the Electoral Commission. The U.S. State Department is offering rewards for information leading to the arrest of any of the seven MSS-linked hackers associated with the group. APT31 is known for extensive cyber-espionage, including cloning the NSA's EpMe exploit and targeting people connected to Joe Biden's presidential campaign.
2024-03-26 20:45:17 bleepingcomputer CYBERCRIME Raspberry Pi Hack Tool 'GEOBOX' Enables Affordable Cybercrimes
Cybercriminals are selling GEOBOX, a software package that turns a Raspberry Pi into an anonymizing attack device. Offered on Telegram for $80 per month or $700 for a lifetime licence, it lets even inexperienced operators run a range of online crimes. Resecurity discovered the tool while investigating a banking theft at a high-profile corporation. GEOBOX devices act as proxies and keep no logs, which complicates law enforcement efforts to trace attacks. Raspberry Pis are cheap, small and easy to hide, making them convenient hardware for discreet operations. GEOBOX bundles network spoofing, VPN and Tor access and proxy services behind an interface aimed at low-skill users, supporting financial fraud, malware distribution and disinformation campaigns while obscuring the operator. None of its individual functions is new compared with existing tools or distributions such as Kali Linux; its appeal is the ready-made, user-friendly bundle for newcomers to cybercrime.
2024-03-26 19:23:40 bleepingcomputer CYBERCRIME Thousands of German Microsoft Exchange Servers at Risk of Exploitation
The German Federal Office for Information Security (BSI) warns that about 17,000 Microsoft Exchange servers in Germany are exposed online and vulnerable, roughly 37% of all German Exchange servers. They are either running end-of-life versions such as Exchange 2010 and 2013, for which no patches exist, or supported versions missing security updates for critical flaws, including remote code execution bugs. The situation persists despite earlier warnings and the BSI's 2021 declaration of "IT threat situation red," which the BSI attributes to operators neglecting to update their systems. BSI advises administrators to run a supported Exchange version, apply all security updates, and lock down web-based services, for instance by restricting access or requiring a VPN. Microsoft, for its part, now enables Extended Protection by default on updated Exchange servers and continues to stress keeping on-premises servers current.
2024-03-26 18:52:56 bleepingcomputer DATA BREACH Hackers Capitalize on AI Framework Flaw for Crypto Mining and Data Theft
A hacking campaign dubbed ShadowRay is exploiting an unpatched flaw in the Ray open-source AI framework, affecting organizations in education, cryptocurrency, biopharma and other sectors and exposing sensitive data and compute resources. Ray, which has over 30,500 stars on GitHub, provides distributed AI processing and is used by leading firms, including for ChatGPT training. Anyscale disclosed five vulnerabilities in November 2023 and patched four; the fifth, a critical remote code execution issue, was left unfixed as a deliberate design decision, and the CVE is marked as disputed. Attackers are nonetheless exploiting that flaw, CVE-2023-48022, to gain unauthorized access to servers for cryptocurrency mining and data theft. Oligo's investigation found publicly reachable Ray servers being exploited, leading to compromised AI models, credentials and cloud access tokens. Recommended defenses are to follow Anyscale's guidance for securing Ray deployments, above all keeping the dashboard off untrusted networks, and to use tooling that audits the security posture of clusters.
2024-03-26 16:55:40 thehackernews NATION STATE ACTIVITY NuGet Package Identified as Potential Spyware Targeting Developers
A suspicious package named SqzrFramework480 has been found on the NuGet package manager. ReversingLabs reports that it appears to target developers working with tools from Bozhon Precision Industry Technology Co., Ltd., a Chinese industrial manufacturer. The package has been downloaded almost 3,000 times and contains a DLL capable of taking screenshots and sending them to a remote IP address. Its purpose is unclear; explanations range from industrial espionage to a developer accidentally publishing internal code. The case illustrates the growing problem of possibly malicious packages distributed through open source repositories. Researchers urge developers to inspect a library's contents and behaviour before adopting it, and the incident underlines the need for stronger software supply chain practices.
2024-03-26 16:50:09 theregister CYBERCRIME FBI & CISA Call for Eradication of 'Unforgivable' SQL Vulnerabilities
U.S. federal authorities are urging software vendors to conduct formal code reviews to eliminate SQL injection vulnerabilities. The FBI and CISA cite the MOVEit Transfer attacks, in which the Cl0p ransomware group exploited a SQL injection flaw in Progress Software's managed file transfer (MFT) product, affecting 2,769 organizations and about 95 million individuals. The agencies also press customers to hold vendors accountable for the security of their products against SQL injection. Vendors are asked to adopt a "Secure by Design" approach from the start of development. Prepared statements with parameterized queries are the recommended mitigation: they separate the SQL text from the data, whereas input sanitization depends on anticipating every encoding and context and is therefore less reliable. The agencies also call for transparent vulnerability disclosure through the CVE program, arguing that building security in from the beginning protects not only individual products but national security and economic stability.
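The mitigation the agencies recommend, shown as an added example that is not part of the original article or of the CISA/FBI guidance: a user lookup written three ways against an in-memory SQLite database, first with the input spliced into the SQL text, then with a quote-escaping "sanitizer" applied to a numeric column, and finally as a parameterized statement. The table, rows and payloads are constructed for the demo; only the parameterized version holds up against both payloads.

```python
import sqlite3

# Constructed sample data standing in for an application's users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "user"),
    (2, "bob", "bob@example.com", "user"),
    (3, "admin", "admin@example.com", "admin"),
]

COLUMNS = "username, email, role"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_spliced(conn: sqlite3.Connection, username: str) -> list:
    """Anti-pattern: the untrusted value is pasted into the SQL text.

    A quote in the input closes the string literal, so  ' OR '1'='1  turns a
    single-row lookup into a dump of every row in the table.
    """
    query = f"SELECT {COLUMNS} FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Why sanitizing is the less reliable option.

    Doubling single quotes is enough for a quoted string literal, but the id
    column is numeric and unquoted, so a payload with no quotes at all
    (1 OR 1=1) passes through untouched and again matches every row.
    """
    escaped = user_id.replace("'", "''")
    query = f"SELECT {COLUMNS} FROM users WHERE id = {escaped}"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Recommended form: a prepared statement with a bound parameter.

    The SQL text never changes; the driver passes the value separately, so it
    is only ever compared as data and cannot alter the statement's structure.
    """
    query = f"SELECT {COLUMNS} FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run each lookup with a benign input and a classic injection payload."""
    conn = make_db()
    return {
        "spliced_benign": lookup_spliced(conn, "alice"),
        "spliced_payload": lookup_spliced(conn, "' OR '1'='1"),
        "escaped_benign": lookup_id_escaped(conn, "2"),
        "escaped_payload": lookup_id_escaped(conn, "1 OR 1=1"),
        "param_benign": lookup_parameterized(conn, "alice"),
        "param_payload": lookup_parameterized(conn, "' OR '1'='1"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} {len(rows)} row(s): {rows}")
```

Running it shows the spliced and escaped variants returning all three rows for their payloads, while the parameterized lookup returns nothing because the payload is compared literally as a username that does not exist. The same pattern applies to any driver that supports placeholders; the placeholder syntax (`?`, `%s`, `:name`) varies, but the principle does not.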