Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11760
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-22 22:32:07 | bleepingcomputer | MALWARE | Stealthy macOS Malware Targets Wallets Via Encoded DNS Scripts | Attackers are using cracked macOS apps to deliver information-stealing malware to systems running macOS Ventura and later.
Kaspersky traced the infection chain to the PKG installers of the pirated apps; the loader they contain fetches its next stage from DNS records rather than from a conventional download server.
During installation, a fake "Activator" window asks for the administrator password, and the loader uses that privilege to launch the malware.
The loader retrieves base64-encoded Python scripts stored in the TXT records of an attacker-controlled domain, so the payload download looks like ordinary DNS traffic.
The downloaded scripts open a backdoor and collect system information, and the changes seen between samples suggest the tooling is still under active development.
The malware also checks for Bitcoin Core and Exodus wallets and replaces them with trojanized builds that send the wallet's recovery phrase and credentials to the attackers.
Kaspersky's findings are a reminder that cracked applications remain a common vector for getting malware onto users' devices. | Details |
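The delivery trick in this item is that the second stage is a base64 blob spread across a domain's TXT records. The following added example (written for this brief, not Kaspersky's or the malware's code) reassembles a TXT record set, checks whether it is canonical base64, and flags decoded content that looks like a Python script; the TXT records and the sample script it uses are constructed for the example. A resolver would normally return the records; here they are embedded so the check runs offline.

```python
import base64
import re

# Constructed stand-in for the TXT records a resolver would return for an
# attacker-controlled name. DNS splits long TXT data into <=255-byte strings;
# the sample is split into short chunks to mimic that. Example data only.
SAMPLE_SCRIPT = "import os, platform\nprint(platform.mac_ver())\n"
_encoded = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_TXT_RECORDS = [_encoded[i:i + 16] for i in range(0, len(_encoded), 16)]

# An ordinary record for comparison (also constructed).
SPF_RECORD = ["v=spf1 include:_spf.example.com ~all"]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PY_MARKERS = ("import ", "def ", "subprocess", "os.system", "exec(", "eval(")


def reassemble_txt(records):
    """Join the TXT strings in order to recover the full encoded blob."""
    return "".join(records)


def decode_if_base64(text):
    """Return decoded bytes if text is canonical base64, else None.
    Re-encoding the result and comparing rejects non-canonical padding;
    short alphanumeric tokens can still pass, which the script heuristic
    below then filters out."""
    if len(text) % 4 != 0 or not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if base64.b64encode(raw).decode() == text else None


def looks_like_python(raw):
    """Heuristic: decodes as UTF-8, is mostly printable, and contains Python keywords."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
    if printable / len(text) < 0.95:
        return False
    return any(marker in text for marker in PY_MARKERS)


def classify_txt(records):
    """Return (verdict, decoded_text_or_None) for one name's TXT record set."""
    blob = reassemble_txt(records)
    raw = decode_if_base64(blob)
    if raw is None:
        return ("plain", None)
    if looks_like_python(raw):
        return ("python-script", raw.decode("utf-8"))
    return ("binary-or-other", None)


if __name__ == "__main__":
    for name, recs in (("attacker-style", SAMPLE_TXT_RECORDS), ("spf", SPF_RECORD)):
        verdict, script = classify_txt(recs)
        print(name, verdict)
        if script:
            print(script)
```

Legitimate records such as SPF, DKIM (`v=DKIM1; ...; p=`) and domain-verification tokens contain `=`, `;` or spaces and never pass the whole-record base64 check, so in practice this flags only names whose entire TXT answer is one encoded blob; feed it the answers from passive DNS or a resolver log rather than querying the suspect domain from the analysis host.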
| 2024-01-22 20:50:01 | theregister | CYBERCRIME | Ransomware Strikes AerCap and LoanDepot, Massive Data Theft Ensues | Aircraft lessor AerCap has reported a ransomware attack but has not disclosed any financial loss from the incident.
The ransomware group Slug has claimed responsibility, boasting that it stole 1TB of AerCap's data.
AerCap has engaged outside cybersecurity experts, reported the incident to law enforcement, and says it retains control of its IT systems.
LoanDepot suffers a separate ransomware incident, with personal details of roughly 16.6 million individuals compromised.
LoanDepot has been working with forensic and security experts to restore its systems and recover from the cyberattack.
Both companies have made disclosures to the SEC regarding their respective cybersecurity incidents and ongoing investigations.
The extent of data exfiltration in both breaches is still being assessed as part of continuous investigations. | Details |
| 2024-01-22 20:19:04 | bleepingcomputer | MALWARE | Parrot TDS: Stealthy Malicious Scripts Infect Thousands of Websites | Security researchers at Palo Alto Networks' Unit 42 have been analyzing over 10,000 scripts from the Parrot traffic direction system (TDS), highlighting a trend towards greater stealth.
Parrot TDS targets vulnerable WordPress and Joomla sites, infecting them with JavaScript code that redirects users to malicious sites, and has been operational since 2019.
Parrot TDS has infected at least 16,500 websites, selling redirected traffic to threat actors for profiling and scamming visitors.
The evolution of Parrot TDS shows increased script obfuscation to avoid detection, with four major versions identified. The latest version accounts for 75% of analyzed samples.
The malicious scripts assess user environments and discreetly fetch payload scripts to redirect the victims to phishing or malware-delivering sites.
Payload script analysis reveals nine variants, with the majority using a non-obfuscated version, while others include intricate layers of obfuscation.
Advice to website owners includes: checking for unauthorized PHP files, scanning for specific Parrot TDS keywords, employing firewalls, and using URL filtering to block malicious traffic. | Details |
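Two of the checks in the advice above (unauthorized PHP files, keyword scans) are easy to automate. The following added example (written for this brief, not Unit 42's tooling) records a baseline of PHP files from a known-clean checkout, then scans the live web root for PHP files missing from that baseline and for script or page files containing any indicator keyword. The indicator list is an assumption: `ndsw`/`ndsx`/`ndsj` are widely published Parrot TDS marker variables but are not named on this page, so pass the list you trust. The site tree it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Indicator list is an assumption for this example; load the keywords you trust
# (e.g. from the Unit 42 report). The defaults are widely published Parrot TDS
# marker variables but are not listed on this page.
DEFAULT_KEYWORDS = ("ndsw", "ndsx", "ndsj")
TEXT_EXTS = {".js", ".php", ".html", ".htm"}


def build_baseline(root):
    """Record every PHP file in a known-clean checkout (paths relative to root)."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*.php")}


def scan_site(root, baseline, keywords=DEFAULT_KEYWORDS):
    """Report PHP files absent from the baseline and text files containing any keyword."""
    root = Path(root)
    pattern = re.compile("|".join(re.escape(k) for k in keywords))
    findings = {"new_php": [], "keyword_hits": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".php" and rel not in baseline:
            findings["new_php"].append(rel)
        if path.suffix in TEXT_EXTS:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            match = pattern.search(text)
            if match:
                findings["keyword_hits"].append((rel, match.group(0)))
    return findings


def demo():
    """Build a constructed site tree and scan it: one clean script, one script
    carrying an injected marker, and one PHP file dropped after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_text("<?php echo 'clean'; ?>")
        baseline = build_baseline(root)  # taken while the site is known clean
        (root / "wp-content" / "app.js").write_text("console.log('ok');")
        (root / "wp-content" / "theme.js").write_text("var ndsw=true;var a=1;")  # constructed marker
        (root / "wp-content" / "cache.php").write_text("<?php /* dropped after baseline */ ?>")
        return scan_site(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real site, take the baseline from version control or a fresh CMS download rather than from the live host, and treat a keyword hit as a lead to inspect, not proof of compromise: the later Parrot TDS versions are obfuscated, so a clean keyword scan does not clear the site.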
| 2024-01-22 19:43:10 | bleepingcomputer | DATA BREACH | LoanDepot Ransomware Attack Exposes Data of 16.6 Million Customers | Mortgage lender loanDepot experienced a ransomware attack on January 6, leading to a significant data breach.
Personal information of approximately 16.6 million individuals was compromised.
The attack disrupted loanDepot's systems, affecting automatic payments, online portals, and customer service operations.
After the breach, affected customers will receive notifications and offers of free credit monitoring and identity protection services.
Ransomware gangs often use stolen data for double-extortion schemes, increasing risks of phishing and identity theft for victims.
The extent of personal information accessed and stolen remains unspecified by loanDepot.
This incident follows a previous disclosure of a cyberattack in August 2022 that also exposed customer data.
loanDepot is a significant player in the U.S. mortgage sector, servicing over $140 billion in loans. | Details |
| 2024-01-22 19:22:33 | bleepingcomputer | CYBERCRIME | Apple Patches First Zero-Day Exploit of the Year in Multiple Products | Apple has fixed its first zero-day vulnerability of the year, identified as CVE-2024-23222, affecting iPhones, Macs, and Apple TVs.
The bug is a type confusion issue in WebKit that can allow arbitrary code execution on a vulnerable device when the user visits a malicious web page.
Apple is aware that this security flaw has been exploited but has not released specifics on the nature of the attacks.
Fixes shipped in iOS 16.7.5 and iPadOS 16.7.5 (for older devices), macOS Monterey 12.7.3, tvOS 17.3, and the corresponding current iOS, iPadOS and macOS releases.
A wide range of Apple devices, both new and old, are vulnerable to this exploit, prompting advice for immediate installation of the updates.
Apple has also provided patches for two additional WebKit zero-days from last November, backporting them to older iPhone and iPad models.
In the previous year, Apple countered a total of 20 zero-days that were actively exploited, addressing severe security risks within their ecosystem. | Details |
| 2024-01-22 18:26:15 | bleepingcomputer | CYBERCRIME | Ivanti Issues Alert on VPN Zero-Day Vulnerability Exploits | Ivanti warned customers not to push new device configurations to appliances after applying its mitigation for the actively exploited VPN zero-days.
Pushing a configuration can stop key web services and undo the mitigation because of a race condition, leaving the appliance exposed again.
The advisory followed an emergency directive by CISA to mitigate two zero-day flaws widely exploited by various attackers.
Over 21,400 Ivanti ICS VPN appliances are exposed online, with more than 700 compromised on a single day in January.
UTA0178, a suspected Chinese-backed threat group, installed backdoors in more than 2,100 Ivanti appliances with a GIFTEDVISITOR webshell.
Other attackers deployed malware and XMRig cryptominers on breached appliances, and intruders have been harvesting sensitive data from victims across multiple sectors. | Details |
| 2024-01-22 16:48:26 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Employ Decoy Research Reports for Espionage | North Korean threat actors, known as ScarCruft or APT37, targeted media and experts on North Korean affairs with a malware campaign in December 2023.
The attackers used a false threat research report as a lure, likely aimed at those who consume threat intelligence, such as cybersecurity professionals.
ScarCruft is believed to be associated with the North Korean Ministry of State Security, separate from other known groups like Lazarus Group and Kimsuky.
Their spear-phishing campaigns deliver RokRAT and other backdoors that covertly collect intelligence relevant to North Korea's strategic interests.
The campaign included a targeted phishing effort using a ZIP archive with malicious Windows shortcut (LNK) files, leading to the delivery of the RokRAT backdoor.
SentinelOne's analysis revealed additional malware pointing to the group's active planning for future campaigns, aiming to evade detection by modifying their methods.
The espionage activities of ScarCruft are aimed at gathering strategic intelligence and understanding international perceptions to influence North Korea's decision-making. | Details |
| 2024-01-22 16:37:47 | thehackernews | CYBERCRIME | 'MavenGate' Vulnerability Threatens Java and Android Apps | Attackers can hijack abandoned Java and Android libraries in a software supply chain attack dubbed "MavenGate."
An attacker who registers the expired domain behind a library's groupId can claim that namespace on public repositories and publish malicious versions, or tamper with the library's build, so that downstream projects pull in the attacker's code.
More than 200 companies, including Google and Facebook, have been notified of the issue.
Apache Maven is exposed because a groupId is a reversed domain name (com.example.lib maps to example.com) and repository ownership of a groupId is proven by control of that domain, so an expired domain lets a newcomer claim the whole namespace.
Oversecured's demonstration of the attack shows how malicious versions of libraries can be pushed to public repositories, potentially leading developers to unknowingly use compromised dependencies.
Sonatype, which manages Maven Central, claims to have security measures in place to prevent such attacks, but has taken additional precautions after the report.
It's stressed that developers need to be vigilant about directly checking the security of dependencies and be aware of transitive dependency risks. | Details |
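The check a dependency owner actually wants here is "which of my groupIds resolve to a domain nobody owns any more?". The following added example (written for this brief, not Oversecured's or Sonatype's tooling) parses the `groupId`s out of a `pom.xml`, maps each one back to the registrable domain it encodes, skips hosted namespaces such as `io.github.*` that are tied to an account rather than a domain, and marks any groupId whose domain appears in a caller-supplied set of unregistered domains. The POM fragment and the "unregistered" set are constructed; the RDAP/WHOIS lookup that would populate that set is deliberately left outside the function so the audit runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (example input; the groupIds are made up).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.14.0</version>
    </dependency>
    <dependency>
      <groupId>com.example-defunct.widget</groupId>
      <artifactId>widget-core</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>io.github.someuser</groupId>
      <artifactId>tool</artifactId>
      <version>0.1</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# These namespaces are tied to a hosting account rather than a registrable
# domain, so the expired-domain check does not apply to them.
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.")


def group_ids(pom_xml):
    """Extract every <groupId> under <dependency> from a POM document."""
    root = ET.fromstring(pom_xml)
    return [g.text.strip() for g in root.findall(".//m:dependency/m:groupId", NS)]


def group_id_to_domain(group_id):
    """Map a reversed-DNS groupId to the domain that proves ownership of it:
    com.example.lib -> example.com. Only the first two labels matter here;
    ccTLD second-level domains (co.uk style) would need a public-suffix list."""
    labels = group_id.split(".")
    if len(labels) < 2:
        return None
    return ".".join(reversed(labels[:2]))


def audit(pom_xml, unregistered_domains):
    """Return (groupId, domain, status) for every dependency. unregistered_domains
    is the result of an RDAP or WHOIS check done separately (an assumption for
    this example), so the audit itself needs no network access."""
    report = []
    for gid in group_ids(pom_xml):
        if gid.startswith(HOSTED_PREFIXES):
            report.append((gid, None, "hosted-namespace"))
            continue
        domain = group_id_to_domain(gid)
        status = "expired-domain" if domain in unregistered_domains else "ok"
        report.append((gid, domain, status))
    return report


if __name__ == "__main__":
    # Constructed result of a prior lookup: this one domain came back unregistered.
    for row in audit(SAMPLE_POM, {"example-defunct.com"}):
        print(row)
```

Run it over the resolved dependency tree (for Maven, the output of `mvn dependency:list`) rather than only the top-level POM, since the transitive dependencies mentioned above are where abandoned groupIds usually hide; an "expired-domain" result means the namespace could be claimed by anyone, so pin the artifact and verify its checksum or signature until the library is replaced.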
| 2024-01-22 16:32:15 | theregister | MISCELLANEOUS | EFF Launches Hub to Expose U.S. Street Surveillance Practices | The Electronic Frontier Foundation (EFF) has introduced the Street Surveillance Hub to inform Americans about local law enforcement surveillance tactics.
The Hub details various surveillance methods, including bodycams, biometric systems, predictive policing, gunshot detection, and drone usage by police.
Citizens can access the Atlas of Surveillance, which reveals specific law enforcement tools in use locally and partnerships with third parties like Ring.
EFF's Matthew Guariglia highlights concerns regarding the massive data collection by police and private operators, leading to significant privacy incursions.
Guariglia criticizes the federal government for neglecting its duty to protect privacy, pointing out that meaningful legislation is emerging at city and state levels.
The Register discusses the inefficiency and cancellation of expensive high-tech devices and software contracts by several U.S. cities due to their limited utility.
There is an increasing reliance on private technology companies by police to supplement their surveillance data, raising questions about the reach of law enforcement into personal devices.
The public is encouraged to contribute to the Atlas of Surveillance effort to monitor and report on local police technology deployments. | Details |
| 2024-01-22 16:01:16 | bleepingcomputer | CYBERCRIME | loanDepot Reveals Data of 16.6 Million Customers Stolen in Ransomware Attack | Mortgage lender loanDepot reported that personal information of around 16.6 million people was stolen during a ransomware attack.
The company experienced a cyberattack on January 6, which led to partial shutdowns of its systems for containment.
loanDepot ensured customers that recurring automatic payments would not be affected, despite delays in payment history updates.
The attackers encrypted files on compromised devices, revealing the nature of the attack as ransomware.
Victims of the data breach will be notified and offered free credit monitoring and identity protection services.
As a major mortgage lender, loanDepot has significant amounts of sensitive customer financial information, raising the risk of phishing and identity theft.
The details of the specific data accessed have not been disclosed by loanDepot.
This cyber incident follows a previous data breach disclosed by loanDepot in May 2023, resulting from an August 2022 cyberattack. | Details |
| 2024-01-22 15:04:46 | theregister | MISCELLANEOUS | Tech Giants Criticized over Vulnerability Disclosure Practices | Major technology companies Ivanti and Juniper Networks are under scrutiny for their handling of vulnerability disclosures.
Security researcher Aliz Hammond reported that vulnerabilities she found in Juniper products were fixed without CVE IDs or public advisories, outside the established disclosure process.
Ivanti faces criticism for bundling multiple vulnerabilities under a single CVE ID, contrary to CVE Program's expectations for independently fixable vulnerabilities.
Ivanti claims that the vulnerabilities grouped under one CVE will be addressed by the same fix to avoid confusion and assure customer safety.
Juniper fixed the issues as part of its regular release cycle, but without CVE IDs customers have no clear signal that they were exposed, which raises transparency concerns.
Industry experts assert the importance of timely CVE registration to manage vulnerabilities effectively and responsibly.
The incidents raise broader issues about disclosure practices, transparency, and the CVE Program's guidelines. | Details |
| 2024-01-22 14:18:00 | bleepingcomputer | DATA BREACH | Trezor Warns of Phishing Attacks After Support Site Breach | Trezor, a hardware cryptocurrency wallet provider, reported a data breach affecting their third-party support ticketing portal.
Unauthorized access led to the potential exposure of personal data of about 66,000 customers who interacted with Trezor Support since December 2021.
Exposed data may include users' names, usernames, and email addresses, but no funds were reported compromised from users' wallets.
Attackers have used the exposed information to conduct phishing attempts, persuading users to reveal their wallet recovery seeds.
Trezor confirmed 41 cases of such exploitation, where phishing emails requested users' recovery seeds under the guise of "firmware validation."
Despite the breach and phishing attempts, Trezor reports no known successful account breaches, affirming the security of the users' digital assets remains intact.
The company has contacted potentially affected users to be on alert for phishing attempts and reminded them to never share their recovery seed phrases.
Trezor has since terminated unauthorized access to its support system and mitigated the risks associated with the breach. | Details |
| 2024-01-22 14:02:21 | theregister | CYBERCRIME | LockBit Ransomware Group Allegedly Hits Subway, Threatens Data Sale | LockBit ransomware gang claims to have breached the database of Subway, stealing sensitive data about the company's financial operations.
Subway has not publicly acknowledged the cyberattack but has confirmed that they are investigating the legitimacy of the claims.
LockBit suggests they've extracted gigabytes of data, including employee salaries and franchise financial details, hinting at potential data extortion.
The group has hinted at giving Subway a chance to protect the data before considering selling it to competitors, suggesting a typical ransomware approach to data theft.
LockBit has revisited its approach to ransom demands, now with strict guidelines for affiliates, which may affect how they handle the Subway incident.
There is no mention of the exact ransom demanded, but given Subway's size, it could be in the tens of millions of dollars.
How Subway responds remains to be seen; the company has not said whether it would negotiate or pay. | Details |
| 2024-01-22 13:46:53 | bleepingcomputer | CYBERCRIME | Critical Atlassian Confluence Vulnerability Being Exploited | Security researchers have observed active exploitation of CVE-2023-22527, a critical template injection flaw in Atlassian Confluence that allows unauthenticated remote code execution.
The flaw affects out-of-date Confluence Data Center and Server releases published before December 5, 2023.
Atlassian has fixed it in Confluence Data Center and Server 8.5.4 and later releases.
The Shadowserver Foundation detected over 39,000 exploitation attempts, mainly originating from Russian IP addresses, impacting systems worldwide.
Attackers have been checking for vulnerabilities by executing the 'whoami' command to assess system access and privileges.
Out of 11,100 Atlassian Confluence instances accessible online, not all are necessarily running the vulnerable software versions.
Atlassian has been unable to provide specific indicators of compromise for this vulnerability, making detection of exploitation more challenging.
Administrators are urged to update their Confluence servers to the latest versions and to consider pre-update instances as potentially compromised. | Details |
| 2024-01-22 11:33:50 | thehackernews | MALWARE | Sophisticated NS-STEALER Malware Targets Browsers via Discord Bots | Researchers have discovered the NS-STEALER, a sophisticated Java-based information stealer using Discord bots to exfiltrate data.
The malware spreads through ZIP files disguised as cracked software, deploying malicious JAR files onto the victim's system.
NS-STEALER harvests screenshots, credentials, autofill data, and more from over 24 web browsers, in addition to Discord tokens and session data from Steam and Telegram.
Extracted sensitive information is sent to a Discord Bot channel, exploiting Discord as a low-cost command and control (C2) infrastructure.
According to the researchers, the stealer uses an X509Certificate for authentication and relies on the Java Runtime Environment (JRE) to run on the host.
In a related development, the Chaes malware (version 4.1) has been updated with enhanced capabilities to steal login credentials and intercept cryptocurrency transactions.
Chaes distributors use Portuguese legal-themed email lures, and its developers have cheekily thanked security researcher Arnold Osipov in the code for helping them refine their "software." | Details |