Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11760

Checks for new stories every ~15 minutes

2024-01-22 11:33:50 thehackernews MISCELLANEOUS Windows 10 is Linked to Half of Serious Security Vulnerabilities
A study of 2.5 million vulnerabilities discovered in customer assets reveals a significant portion related to Windows 10. The majority of the unique findings, 79%, are categorized as 'High' or 'Medium' severity, with about half considered 'Critical' or 'High'. There is an improvement compared to previous years, with serious vulnerabilities decreasing by over 52%. Critical and high-severity vulnerabilities are usually addressed quickly, but 35% of reported issues remain unresolved for 120 days or more. The Construction industry outperforms other sectors, showing fewer findings per asset, while Mining and Oil and Gas exhibit high numbers of critical vulnerabilities. Ethical hacking and penetration testing are highlighted as proactive defense strategies for businesses, with 17.67% of findings reported by ethical hackers rated as 'Serious'.
2024-01-22 11:03:08 theregister DATA BREACH UK Financial Firm Fined £50,000 for Illegal Spam Campaign
LADH Limited, a financial services company, was fined £50,000 by the UK Information Commissioner’s Office for sending over 31,000 unsolicited spam texts. The texts were sent without valid consent and failed to provide recipients with an opt-out option, violating Privacy and Electronic Communications Regulations. During a six-week period in March and April 2022, recipients were promised debt relief of up to 85% without evidence of consent from the recipients. The ICO's investigation revealed that LADH Limited relied on "verbal assurance" of consent from a third party, without written confirmation. There were 106 complaints made to Britain’s Spam Reporting Service regarding the company's unsolicited messages. Only 26 percent of ICO fines were collected in 2022, posing challenges in enforcement and collection of the penalties. Company directors are now held personally responsible for such fines, although an appeals process is available and may delay payments. LADH Limited has the option to pay the fine with a discount by February 12 or proceed with an appeal.
2024-01-22 09:56:30 theregister CYBERCRIME Protecting Against Ransomware with Immutable Backup Solutions
Ransomware remains a top cybersecurity threat, leading to irreversible data loss and demanding payment for data restoration. Sterling Wilson of Object First emphasizes the critical need to protect the invaluable asset of data, which is often targeted by ransomware attacks. The UK has identified ransomware as a major threat, with ramifications including disruption of government services, economic loss, and long-term recovery challenges. Zero trust security principles are advocated, including the use of Object First's Ootbi, which offers immutable, ransomware-proof backup storage. Object First's Ootbi is integrated with Veeam software, providing fast, reliable, and secure backup storage that's easy to deploy. Veeam's 2023 Data Protection Trends Report indicates 85 percent of global organizations experienced cyberattacks in the past year, suggesting the need for improved data protection strategies. Prodatix, a Veeam certified engineering company, partnered with Object First to utilize Ootbi for enhanced on-premises and immutable storage, showcasing its benefits for data protection. AI-generated cyberattacks are on the rise, stressing the importance of maintaining backups in secure, on-premises, and immutable storage appliances.
2024-01-22 07:08:19 thehackernews DATA BREACH FTC Enforces Data Privacy, Bans Location Data Sales by InMarket
The U.S. Federal Trade Commission (FTC) has prohibited InMarket Media from selling or licensing precise user location data. FTC's action follows allegations that InMarket did not obtain consumer consent before using their location information for advertising. The company must destroy all collected location data, provide withdrawal options for consumers, and prevent future sales of sensitive location data products. InMarket, like previously banned Outlogic, harvested location data from proprietary and third-party apps, affecting over 420 million devices since 2017. The FTC criticized InMarket's insufficient consent verification process from third-party apps and the excessive five-year data retention policy. The company is now ordered to implement a sensitive location data program to ensure compliance with privacy regulations. Concurrently, a study disclosed Meta's Facebook receiving user data from a staggering number of companies, highlighting widespread data-sharing practices.
2024-01-22 03:44:47 thehackernews MALWARE Critical Apache ActiveMQ Vulnerability Leads to Godzilla Web Shell Attacks
Security researchers have observed exploitation of a serious flaw in Apache ActiveMQ, with attackers deploying the Godzilla web shell on vulnerable hosts. The flaw, tracked as CVE-2023-46604 with a CVSS score of 10.0, allows for remote code execution and has been exploited for various malicious activities including ransomware and DDoS botnets. Apache ActiveMQ's JSP engine executes the web shell, which attackers are hiding within unknown binary formats to bypass security scanners. The Godzilla web shell enables attackers to remotely execute commands, view network info, and manage files through HTTP requests, gaining full control over the affected systems. Despite the use of unconventional binary formats, the threat actors' JSP code gets converted into Java code and runs through the Jetty Servlet Engine. Users are urged to update Apache ActiveMQ to the most recent version to prevent exploitation of this vulnerability. The article also mentions a “SaaS Security Masterclass” webinar providing insights based on a study of 493 companies.
2024-01-22 02:33:15 theregister DATA BREACH BreachForums Admin Sentenced; UEFI Flaw Exposed; Pegasus Spyware Traceable
BreachForums' former admin "Pompourin" (Conor Brian Fitzpatrick) has been sentenced to 20 years of supervised release after pleading guilty to charges related to running the data leak site. Pompourin breached his pretrial release terms, leading to incarceration prior to his sentencing, which could have seen him face up to ten years in prison. Critical UEFI vulnerabilities collectively named PixieFail have been found; they endanger network-booted systems using IPv6 and can allow remote code execution and other malicious activities. Researchers announce that patches are available for the UEFI vulnerabilities, stressing the urgency of deployment to prevent potential active exploitation. iOS device log files have been revealed by Kaspersky researchers as a method for detecting infections from spyware such as Pegasus, Predator, and Reign. A spearphishing attack on the US Department of Health and Human Services resulted in the theft of $7.5 million in grant money intended for high-need community projects.
2024-01-21 20:16:53 bleepingcomputer RANSOMWARE Tietoevry Ransomware Attack Disrupts Swedish Services
Tietoevry, a Finnish IT services company, faced a ransomware attack that impacted its cloud hosting customers in Sweden. The Akira ransomware gang is reportedly responsible for the attack, which occurred in one of Tietoevry's Swedish data centers. The attack caused service outages for various Swedish firms and institutions, including Filmstaden cinemas, universities, and government agencies. Tietoevry has isolated the affected platform and is working on restoring infrastructure and services using a well-tested methodology. The company had previously experienced a similar ransomware attack in 2021, resulting in disconnections of client services. The Finnish National Cyber Security Center (NCSC) has warned about ongoing Akira ransomware attacks targeting companies due to weak Cisco VPN implementations. To mitigate such risks, Cisco advises the implementation of multi-factor authentication (MFA) for all VPN accounts and the use of remote syslog servers to secure logs for analysis post-breach.
2024-01-21 16:23:05 bleepingcomputer CYBERCRIME Facebook Phishing Scheme Uses Emotional Appeals for Credential Theft
A widespread Facebook phishing campaign is exploiting users' trust by using posts from friends' hacked accounts. The posts, underpinned by an emotional message claiming "I can't believe he is gone. I'm gonna miss him so much," lead to sites that steal Facebook credentials. Despite Facebook's efforts, the campaign persists through new posts, although reported posts are being neutralized by deactivating the embedded links. The scam prompts users on mobile devices to a fake news site that requests Facebook login details to view a supposed video. Desktop users are redirected to various other scams, including sites promoting VPNs, browser extensions, or affiliate programs. The stolen Facebook credentials may be used to propagate the phishing scam further through the hacked accounts. It is recommended that Facebook users enable two-factor authentication using an authenticator app to prevent unauthorized logins should they fall for such scams, as phone numbers can be compromised in SIM swapping attacks.
2024-01-21 15:22:01 bleepingcomputer MISCELLANEOUS Brave Browser Reduces Privacy Feature Due to Site Compatibility Issues
Brave Software moves to deprecate 'Strict' fingerprinting protection in its browser to avoid website compatibility problems. 'Strict' mode aggressively blocks fingerprinting APIs, causing many websites to break or malfunction for users. Only 0.5% of Brave users employ 'Strict' mode, which ironically makes them more trackable due to their small numbers. The company's focus will be on enhancing 'Standard' mode, which provides extensive fingerprinting protection and is used by the majority. Despite the reduction in protection modes, Brave pledges to continue strengthening privacy features for all users. The transition away from 'Strict' fingerprinting protection will occur with the release of version 1.64 of the browser for desktop and Android. Over 330,000 users are estimated to be affected by this change, based on the number of active users and the percentage using 'Strict' mode.
2024-01-20 16:19:40 bleepingcomputer CYBERCRIME Programmer Fined for Exposing Data Privacy Issue
A German programmer was fined €3,000 by a court for hacking after disclosing a cybersecurity issue in merchandise management software. The programmer discovered unauthorized access to the data of about 700,000 customers due to a security gap in the software by Modern Solution GmbH. After identifying the issue, the programmer and a tech blogger promptly informed the vendor and publicly disclosed the issue on the same day. Modern Solution GmbH disputed the existence of a security gap and reported the programmer for unauthorized data access and data spying. The programmer had retrieved a plaintext password from a software executable to investigate the issue, leading to charges based on Germany's hacking laws. Despite the programmer's intention to inform the public about the security issue, the court ruled the data access unauthorized under German law. Acknowledging the programmer's clean record, the judge issued a lower fine than the maximum possible. The defendant plans to appeal the decision. The impending appeal in a higher regional court could set a significant legal precedent regarding the handling of cybersecurity disclosures.
2024-01-20 15:18:30 bleepingcomputer MISCELLANEOUS Instagram's Struggle With Rampant Catfishing and Fake Profiles
Meta faces criticism for failing to remove fake Instagram accounts despite obvious signs of impersonation and catfishing. Scammers on Instagram exploit real accounts of public figures and influencers to establish credibility and conduct scams, often targeting the follower lists of the impersonated individuals. Reports of catfishing to Instagram are frequently dismissed, with technology-assisted review processes failing to take action even after appeals for human review. Authors and users express frustration over Instagram's inaction, hinting at a potential push for paid verification services as a motive. Meta's 'Meta Verified' paid service claims to offer account protection and verification, but questions remain on its effectiveness in preventing impersonation. Users are encouraged to take individual precautions to secure their accounts and images from being misused by scammers and imposters on social media platforms.
2024-01-20 15:13:09 bleepingcomputer CYBERCRIME Ransomware Group 3AM Linked to Conti and Royal Syndicates
Security researchers have discovered connections between the new 3AM ransomware operation and the notorious Conti and Royal cybercrime gangs. 3AM uses innovative extortion tactics, including notifying victims' social media followers of data leaks and employing bots to target high-profile Twitter accounts. The investigation reveals overlaps in tactics, infrastructure, and communication channels used by 3AM, Conti, and the rebranded Royal gang 'Blacksuit'. Technical analysis indicates similarities between the tools and infrastructure used by 3AM and other malware associated with Conti, such as Cobalt Strike and IcedID. Intrinsec uncovered evidence pointing to testing of a new extortion technique involving bot-driven Twitter campaigns to pressure victims. Although 3AM appears less sophisticated, researchers warn that it should not be underestimated, given its potential for criminal activity and its links to experienced cybercrime groups. The Conti syndicate is recognized as the precursor of several splinter cells that, since its dissolution, have contributed expertise to various stages of ransomware attacks.
2024-01-20 12:19:51 bleepingcomputer MISCELLANEOUS Inadequate Action on Instagram Imposter Accounts Raises Concerns
Instagram has seen an increase in fake profiles used for catfishing, with Meta failing to remove these accounts even after they've been reported. Examples reveal that even when evidence of impersonation is clear, Instagram's system, which appears partly automated, often does not take action against the fake accounts. Victims of impersonation have critiqued Instagram for not acting on reports and speculated whether this is to push them to pay for verification services, which promise added protection. Despite paid verification, there is no foolproof protection against impersonation and undue account suspension, as evidenced by some verified users' experiences. Meta's policy and the effectiveness of handling reports of impersonation have been questioned, indicating a need for improved moderation practices. Social media users are encouraged to take their own steps to protect their images and accounts to deter imposters and enhance platform safety.
2024-01-20 10:28:00 thehackernews NATION STATE ACTIVITY China-Linked Group Exploited VMware for Cyber Espionage
A sophisticated cyber espionage group with ties to China, designated UNC3886, has been exploiting a critical VMware vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021. This vulnerability is a severe out-of-bounds write with a CVSS score of 9.8 that allows privileged access to vCenter, with the potential to compromise attached ESXi hosts and guest virtual machines. UNC3886 relies on stealth tactics and zero-day vulnerabilities to evade detection, as Mandiant recently confirmed. VMware patched the flaw on October 24, 2023, following Mandiant's disclosures of UNC3886's stealthy exploitation of previously unknown VMware vulnerabilities. The hackers deployed the VIRTUALPITA and VIRTUALPIE malware to maintain access to Windows and Linux systems through backdoors installed on compromised VMware setups. Apart from VMware vulnerabilities, UNC3886 leverages a Fortinet FortiOS flaw (CVE-2022-41328) to implant THINCRUST and CASTLETAP for command execution and data exfiltration. VMware vCenter Server users are strongly recommended to update their systems to the latest version to protect against these threats. This series of attacks underscores the group's focus on exploiting vulnerabilities in firewall and virtualization technologies, which typically lack support for endpoint detection and response (EDR) systems.
2024-01-20 04:36:07 thehackernews CYBERCRIME Urgent CISA Directive on Ivanti Zero-Day Exploits Amid Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to Federal Civilian Executive Branch (FCEB) agencies. The directive targets two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure that are under active exploitation. Threat actors can execute arbitrary commands on the system or move laterally, perform data exfiltration, establish persistent system access, and fully compromise target information systems. Ivanti is expected to release an update next week, but temporary workarounds are available via an importable XML file for configuration changes. Organizations using affected Ivanti products are advised to apply the mitigation, use the External Integrity Checker Tool, revoke and reissue certificates, and reset passwords. Cybersecurity firms have observed the deployment of web shells and backdoors using the exploits, with 2,100 devices reportedly compromised. The initial attacks in December 2023 were linked to a Chinese nation-state group, while recent activity shows exploitation by various actors, including for financial gain through cryptocurrency mining.