Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12705

Checks for new stories every ~15 minutes

2024-03-25 18:30:09 bleepingcomputer CYBERCRIME CISA and FBI Call for Action Against SQL Injection Threats
CISA and the FBI have issued a joint advisory urging technology manufacturing executives to review their software for SQL injection vulnerabilities. SQL injection attacks exploit security weaknesses to gain unauthorized access, breach data, and potentially take over entire systems. The agencies advocate parameterized queries as the prevention method, because they pass user input strictly as data, so malicious input cannot be interpreted as SQL code. SQL injection is ranked third among MITRE's top 25 most dangerous software weaknesses. The alert was prompted by a Clop ransomware campaign that exploited a zero-day SQLi flaw in the Progress MOVEit Transfer app, affecting numerous organizations. Although the campaign had many victims, Clop's ransom payments from it are estimated at $75-100 million. The agencies stressed that SQLi vulnerabilities remain widespread in software and called for immediate implementation of mitigations. The White House ONCD has also recommended adopting memory-safe programming languages to mitigate similar classes of security issues, and CISA has issued guidance on securing SOHO routers against coordinated cyberattacks.
2024-03-25 18:09:31 bleepingcomputer MALWARE Discord Bot Platform Top.gg Targeted by Malware Attack
Top.gg, a prominent Discord bot platform with over 170,000 members, suffered a supply-chain attack delivering malware designed to steal sensitive data. The attackers have been active since at least November 2022, uploading malicious Python packages to PyPI (the Python Package Index) using techniques such as account hijacking and typosquatting. They set up a fake Python package repository to distribute poisoned versions of legitimate packages, tricking both users and development systems. Checkmarx researchers identified a breach in early 2024 when a Top.gg maintainer's GitHub account was compromised, leading to malicious commits in Top.gg repositories. The malware establishes persistence by altering the Windows Registry and exfiltrates stolen data via HTTP requests and uploads to file-hosting services. The full extent of the impact on users remains unknown, but the incident underlines the risks of the open-source supply chain and the need for secure development practices.
2024-03-25 18:03:58 theregister CYBERCRIME Massive Python Package Supply Chain Attack Infects 170K+ Users
Over 170,000 users have been impacted by a sophisticated supply chain attack targeting Python packages on PyPI. The malware was disseminated through fake packages and a doppelganger domain, and it steals data from browsers, Discord, and cryptocurrency wallets. The attack focused on the Top.gg GitHub organization, a Discord server community, using malware-infected clones of popular Python packages such as Colorama. Attackers compromised the GitHub accounts of trusted community members to insert malicious code into repositories. The doppelganger domain pypihosted.org was created to mirror the official Python package hosting domain, hiding malware inside otherwise legitimate package downloads. The inserted malicious code was concealed with obfuscation tactics, including appending extra spaces so that the code is invisible without scrolling. After Top.gg users detected the compromise, remediation efforts began, but the full number of affected users remains unknown. The incident highlights the ongoing challenge of securing open-source package ecosystems against multi-vector attacks.
2024-03-25 18:03:58 bleepingcomputer CYBERCRIME Supply-Chain Attack Targets Top.gg Discord Bot Platform
The Top.gg Discord bot community was hit by a supply-chain attack, putting its 170,000 members at risk. Malicious actors hijacked GitHub accounts and distributed malware-laden Python packages. The attackers' TTPs involved social engineering and setting up a fake Python package infrastructure. Checkmarx identified data theft as the primary objective of the campaign, with the stolen information likely sold for profit. The attackers gained access to Top.gg's GitHub repositories, allowing them to make malicious commits using a maintainer's compromised account. The malware downloaded by the poisoned packages establishes persistence and steals sensitive data, which is sent to a command and control server. This supply-chain compromise serves as a warning about the risks of open-source dependencies and the need for developers to vet them thoroughly.
2024-03-25 16:57:25 bleepingcomputer CYBERCRIME Sophisticated 'Tycoon 2FA' Phishing Kit Targets Major Email Providers
A new phishing-as-a-service platform, 'Tycoon 2FA', is actively targeting Microsoft 365 and Gmail accounts to circumvent two-factor authentication (2FA). Discovered by Sekoia analysts in October 2023, Tycoon 2FA has been operational since at least August of that year and is distributed through private Telegram channels. Similarities with other phishing platforms suggest potential collaboration between cybercriminals or code reuse, with ongoing development making it more stealthy. The phishing kit operates by using a reverse proxy server to steal session cookies through an adversary-in-the-middle (AitM) attack, enabling hackers to access authenticated user sessions. Significant updates made to Tycoon 2FA in 2024 enhance evasion and phishing capabilities, including better blocking of traffic from bots and analytical tools. Sekoia's report indicates a broad cybercriminal user base for Tycoon 2FA, with over 1,800 Bitcoin transactions linked to its operators, reflecting the large scale of the phishing campaign. Security professionals have access to a repository of indicators of compromise (IoCs) connected to Tycoon 2FA to aid in detection and prevention efforts.
2024-03-25 16:11:05 bleepingcomputer NATION STATE ACTIVITY U.S. Treasury Sanctions Chinese Hackers for Targeting Critical Infrastructure
The U.S. Treasury Department has sanctioned Chinese individuals and a company linked to APT31 for attacks on U.S. critical infrastructure. The company, Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), is believed to be a front for China's Ministry of State Security (MSS). Two Chinese nationals, Zhao Guangzong and Ni Gaobin, have been designated for their involvement in cyberattacks endangering U.S. national security. The coordinated action includes the Department of Justice, FBI, Department of State, and UK authorities, with the UK also imposing sanctions. The Justice Department has unsealed indictments against seven individuals for their roles in malicious operations. As a result of the sanctions, all property and interests in the U.S. linked to the targets are frozen, and U.S. transactions with them are prohibited. Financial institutions and entities dealing with the sanctioned individuals and company may themselves face sanctions or enforcement actions. This action follows similar sanctions by the European Union against individuals and a company connected to the APT10 group in July 2020.
2024-03-25 16:00:41 bleepingcomputer CYBERCRIME ZenHammer: New Memory Attack Imperils AMD Zen CPU Security
Researchers at ETH Zurich discovered ZenHammer, a variant of the Rowhammer attack targeting AMD Zen CPUs. ZenHammer exploits DDR4 and DDR5 DRAM vulnerabilities previously thought to affect Intel and ARM platforms more than AMD. The technique induces bit flips in DRAM, potentially allowing unauthorized access to data and elevated system privileges. By reverse-engineering the DRAM addressing functions and synchronizing the attack with refresh commands, the researchers bypassed mitigations such as Target Row Refresh. ZenHammer has been shown to affect AMD Zen 2 and Zen 3 platforms, with limited success on the more hardened Zen 4/DDR5 setups. The attack is highly technical, requiring in-depth knowledge of both software and hardware to execute successfully. AMD CPU users are urged to apply software patches and firmware updates and to consider hardware with built-in protection against Rowhammer attacks.
2024-03-25 15:34:57 theregister CYBERCRIME Trade Union CWU Targeted by Cyberattack, Investigating IT Disruption
The Communications Workers Union (CWU) in the UK is dealing with a cyberattack that has caused significant IT and email outages. Third-party cybersecurity experts have been engaged for an onsite investigation since March 21, following the detection of a serious IT outage. The extent of the cyberattack is still under evaluation, and some CWU systems have been taken offline as a precaution. CWU has notified the Information Commissioner's Office (ICO) and warned its more than 185,000 members of potential phishing risks. It is currently unclear whether any member personal data has been breached, but digital forensic analysis is underway to establish the specifics of the incident. An ICO spokesperson confirmed that the CWU reported the incident and that an assessment is in progress in line with its guidelines. There have been claims that the cyberattack may also have compromised the CWU's data backup systems, which would hinder recovery efforts.
2024-03-25 15:04:08 theregister CYBERCRIME Researcher Exposes Firefox Zero-Days, Nets $100K at Hackathon
Mozilla quickly patched two critical zero-day vulnerabilities demonstrated during the Pwn2Own hacking competition in Vancouver. Security researcher Manfred Paul discovered the flaws, which could allow out-of-bounds read/write and arbitrary JavaScript execution. The vulnerabilities, now tracked as CVE-2024-29943 and CVE-2024-29944, affected the desktop version of the Firefox browser. Firefox users need to update to version 124.0.1, released on March 22, to be protected; some users may have to perform a two-step upgrade. Mozilla's rapid response saw the patch released within 24 hours of the exploit's demonstration. Pwn2Own Vancouver awarded a total of $1,132,500 for 29 new zero-day disclosures, with Paul earning the top prize and the Synacktiv team coming in second.
2024-03-25 14:33:08 theregister CYBERCRIME Security Flaw in Apple M1 and M2 Chips Cannot Be Disabled
Researchers have detailed the GoFetch vulnerability affecting Apple M-series and Intel Raptor Lake CPUs, which can leak sensitive data. GoFetch exploits the Data Memory-Dependent Prefetcher (DMP) in these CPUs, a feature similar to the speculative execution abused by earlier vulnerabilities such as Spectre. A significant problem with the Apple M1 and M2 chips is that this prefetching feature cannot be disabled to prevent data leakage. Apple's M3 CPUs and Intel's Raptor Lake CPUs can mitigate the vulnerability through software patches that disable the DMP feature, unlike the M1 and M2 chips. The suggested temporary workaround is to run cryptographic operations on Apple's slower Icestorm cores, where the exploit has no effect. Even the Icestorm core workaround may not be a long-term solution if future Apple CPUs enable DMP in efficiency cores, which would expose all operations to potential data leaks. Apple is urged to resolve the DMP issue by fixing, removing, or replacing the feature to prevent vulnerabilities in future processors.
2024-03-25 12:00:18 thehackernews CYBERCRIME Sophisticated Supply Chain Cyberattack Targets GitHub, PyPI
Hackers compromised several GitHub accounts and the Top.gg organization account to plant malicious code in a supply chain attack. The threat actors used stolen browser cookies for account takeovers, made verified malicious commits, set up a fake Python package mirror, and published rogue packages on PyPI. Sensitive information, including passwords and credentials, was stolen through trojanized versions of popular Python packages such as colorama hosted on a typosquatted domain. The attack was partly revealed earlier by an Egyptian developer and involves obfuscated malware that establishes persistence and steals data from various personal accounts and wallets. An active repository on GitHub still contains references to the malicious version of colorama, and the compromised accounts have write permissions to the Top.gg repositories. The malware uses a multi-stage infection, modifies Windows Registry entries, and exfiltrates the targeted data via file-sharing services or HTTP requests. This incident emphasizes the need for vigilance when installing packages even from trusted sources such as GitHub and PyPI, and for maintaining robust security practices.
2024-03-25 11:39:40 thehackernews NATION STATE ACTIVITY Microsoft Falls Victim to Russian Hackers' Password Spray
Microsoft experienced a breach orchestrated by Russian state hackers using a password spray technique. The attackers gained access through a low-activity, non-production Microsoft account, highlighting the importance of securing every account. Sensitive internal information, including emails from senior leadership, was compromised over a seven-week period. Microsoft responded quickly upon detection to halt the attackers' activity and strengthen its defenses. The incident stresses the necessity of safeguarding all user accounts, not just those with elevated privileges. Password spray attacks exploit weak and outdated passwords, making continuous password security measures critical. The breach serves as a warning for organizations to implement strong password policies and multi-factor authentication. Measures such as Specops Password Policy can assist in defending Active Directory by blocking compromised credentials.
2024-03-25 09:32:26 theregister DATA BREACH Critical Analysis of the British Library Ransomware Saga
The British Library suffered a significant ransomware attack last October, with lasting impact: some systems are yet to be restored and others have been permanently lost. A detailed report recently released by the British Library outlines the factors that led to the IT disaster and offers insights for the broader industry. The Library's IT infrastructure challenges are familiar across many organizations: outdated systems, insufficient resources, and complexity-induced inertia. The report is a rare and valuable resource for auditing current practices in enterprise IT infrastructure and can help promote better management and prioritization. Despite the opportunity for learning and reform, there is skepticism about whether the lessons will be effectively communicated to the top-level policymakers who shape organizational infrastructure strategy. There is no robust mechanism for mandating improvements comparable to the aviation industry's safety regulation, leaving a lack of enforceable standards and accountability. The report can be used subversively within organizations to highlight parallels and encourage proactive change by drawing attention to the risks of neglected IT practices. The analogy with the Library of Alexandria suggests that political challenges and resource constraints often contribute to the decline of important institutions, a lesson that echoes in the present case.
2024-03-25 09:06:38 thehackernews MALWARE "GoFetch" Vulnerability Threatens Apple M-Series Chip Security
A new vulnerability named "GoFetch" has been identified in Apple's M-series chips and could allow attackers to extract secret encryption keys. The flaw is a microarchitectural side-channel attack that exploits the data memory-dependent prefetcher to target cryptographic operations. Apple was informed of the vulnerability in December 2023; it affects constant-time cryptographic implementations via the CPU's cache. The attack works by misleading the prefetcher, which anticipates and preloads memory data, into revealing secret data. To launch an attack, a threat actor would need to run malicious code on the same machine and CPU cluster as the victim. GoFetch cannot be mitigated in hardware on existing M-series CPUs; instead, developers must update cryptographic libraries to avoid the exploitable conditions, potentially at a cost to performance. On M3 chips, enabling data-independent timing (DIT) disables the problematic prefetching, but this option is not available on M1 and M2 processors. Apple advises developers to apply measures that prevent timing-based leakage and to avoid using secret data in conditional branches and memory accesses, so that secrets cannot be inferred.
2024-03-25 07:40:08 thehackernews CYBERCRIME MuddyWater Espionage Campaign Targets Israeli Sectors via Phishing
The Iran-linked threat group MuddyWater has launched a phishing campaign against Israeli organizations that uses the Atera RMM tool for surveillance. Targets included entities in manufacturing, technology, and information security, approached through phishing emails with PDF attachments that link to malicious content. MuddyWater has historically used various legitimate remote desktop and management tools to infiltrate and control systems within victim organizations. The campaign involved hosting malicious files on file-sharing platforms and duping victims into installing the Atera Agent via a PDF document and ZIP archive. In a related incident, the Iranian hacktivist group Lord Nemesis carried out a software supply chain attack on Rashim Software, compromising numerous Israeli academic institutions. Lord Nemesis allegedly bypassed weak MFA protections to access sensitive information and alerted Rashim Software's customers to the breach four months after initially gaining access. The incidents highlight the trend of nation-state actors targeting smaller companies within supply chains in order to compromise broader ecosystems for political and espionage objectives.