Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11759
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-19 07:48:45 | thehackernews | MALWARE | Sophisticated Malware Hidden in npm Module Breaches Windows Security | A malicious npm package named "oscompatible" has been discovered distributing a remote access trojan to Windows systems. Once activated, it checks for admin rights, and if absent, uses a legitimate Microsoft process to gain elevated privileges. The trojan uses DLL search order hijacking to decrypt additional payloads including the AnyDesk remote access tool and a custom trojan. The malware establishes communications with a remote server to retrieve instructions and has extensive capabilities like disabling system shutdown and capturing user input. The incident highlights a growing trend of attackers exploiting open-source software supply chains to orchestrate sophisticated cyber attacks. Security firm Aqua's research shows that deprecated npm packages, with potential security flaws, are downloaded billions of times weekly, creating serious security gaps. Industry experts warn against the risks of not properly marking npm packages as deprecated, leaving users exposed to hidden threats. | Details |
| 2024-01-19 06:46:49 | theregister | CYBERCRIME | IT Consultant Penalized for Uncovering Security Flaws | A German IT consultant was fined €3,000 for accessing and reporting a vulnerability in an e-commerce database. The database contained approximately 700,000 customer records and was easily accessible due to a plaintext password. The security flaw was published in a report by e-commerce writer Mark Steier, which led to a swift but inadequate response by Modern Solution. Modern Solution claimed limited customer data exposure, but allegations suggest a more extensive data breach. September 2021 saw the seizure of the consultant's computers, leading to a charge of unlawful data access. Initially, the district court sided with the consultant, but the verdict was reversed, resulting in his sentencing to a fine and court costs. The verdict, criticized for its impact on security research, is not yet legally binding, and the consultant intends to appeal. | Details |
| 2024-01-19 05:00:01 | thehackernews | CYBERCRIME | CISA Warns of Actively Exploited Critical Ivanti EPMM Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical flaw in Ivanti Endpoint Manager Mobile (EPMM). The vulnerability, CVE-2023-35082, is an authentication bypass with a 9.8 CVSS score and allows unauthorized remote access to personal data and server modifications. Ivanti's older vulnerabilities, CVE-2023-35078 and CVE-2023-35081, have also been cited as part of attack chains allowing for malicious web shell file uploads. Federal agencies are advised to apply patches to the affected Ivanti EPMM versions by February 8, 2024, to prevent potential breaches. In a separate incident, Ivanti has warned of mass exploitation in Ivanti Connect Secure (ICS) VPN devices, urging customers to rotate configuration secrets post-rebuild. Over 1,700 compromised devices have been identified globally, with initial attacks linked to a suspected Chinese threat actor and now involving multiple threat actors. Researchers at Assetnote discovered an additional exploitable endpoint in older ICS versions, highlighting the risks of seemingly simple security oversights in VPN devices. | Details |
| 2024-01-19 02:47:33 | theregister | NATION STATE ACTIVITY | US Warns of Potential Chinese Surveillance via Drones | The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that Chinese-made drones might be used for spying. Chinese laws, such as the National Intelligence Law (2017) and Data Security Law (2021), may compel companies to hand over data to the Chinese government. There is a risk that drones operating in critical infrastructure sectors could expose sensitive information to Chinese authorities. CISA and FBI guidance suggests treating drones like IoT devices and securely managing firmware updates and connected accessories to mitigate risks. The US previously grounded its own fleet of drones and has taken action against Chinese drone manufacturers like DJI for security reasons. Concerns include possible exploitation of system vulnerabilities by Chinese authorities and potential IP and security control compromises aiding future cyberattacks. | Details |
| 2024-01-18 21:11:15 | bleepingcomputer | CYBERCRIME | Ransomware Attackers Exploit TeamViewer for Network Breach | Ransomware actors are using TeamViewer, a popular remote access tool, to infiltrate and attack organizational networks. The attackers gain initial access through compromised TeamViewer accounts, bypassing the need to exploit software vulnerabilities. TeamViewer was first reported as a vector for Surprise ransomware delivery in March 2016, with credential stuffing as the probable cause. A recent Huntress report highlights two incidents where the same source used TeamViewer to attempt ransomware deployment using a leaked LockBit ransomware builder. In one compromised endpoint, the ransomware was successfully deployed but contained; in the other, antivirus software thwarted the attack. TeamViewer's security team emphasizes the importance of strong passwords, two-factor authentication, whitelisting, and updating to the latest software versions to prevent unauthorized access. TeamViewer condemns the malicious use of its software and offers guidance on best practices for secure unattended access to its users. | Details |
| 2024-01-18 20:55:32 | bleepingcomputer | CYBERCRIME | Ivanti EPMM Critical Vulnerability Actively Exploited, Agencies at Risk | CISA alerts that a critical authentication bypass bug in Ivanti's device management software is actively being exploited. The flaw, tracked as CVE-2023-35082, allows unauthorized API access and affects several versions of Ivanti's software. Successful exploitation could lead to access to personal information and potential backdoor creation into compromised servers. Organizations are urged to upgrade to a supported version and apply Ivanti's provided RPM script to mitigate risks. Over 6,300 Ivanti EPMM user portals are exposed online, with some pertaining to government agencies. CISA mandates federal agencies to patch the vulnerability by February 2, in line with a 3-year-old operational directive. Multiple Ivanti Connect Secure zero-days are also under mass exploitation, affecting businesses including Fortune 500 companies. Several Ivanti zero-days have been previously exploited in attacks targeting government, defense, and financial sectors. | Details |
| 2024-01-18 19:08:27 | theregister | CYBERCRIME | JPMorgan Repels Billions of Daily Cyber Attacks, Says Executive | JPMorgan Chase, the largest US bank, faces 45 billion cyberattack attempts per day, a figure that's doubled from the previous year. This claim was made by Mary Callahan Erdoes, CEO of asset and wealth management at JPMorgan, during the World Economic Forum in Davos. Despite the volume of attacks, many are likely to be routine scans rather than sophisticated attempts; however, the sheer quantity could obscure truly malicious activity. JPMorgan employs 62,000 technologists, which Erdoes indicates is more than tech giants like Amazon or Google, to counteract these risks and protect the bank's assets. JPMorgan was recently ordered to face a lawsuit for negligent behavior that allowed a $272 million fraud, highlighting the challenge of staying ahead of increasingly sophisticated cybercriminals. The bank's internal technical errors have also led to regulatory fines, such as a $4 million penalty by the SEC for the accidental deletion of millions of subpoenaed emails. Bank of England reports cyberattacks as the top threat perceived by banking executives, emphasizing the critical need for robust cybersecurity measures in the financial sector. | Details |
| 2024-01-18 18:47:43 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts Kansas State University's IT Systems | Kansas State University is responding to a cyberattack that disrupted critical network systems, including VPN, email, and video services. Essential systems were immediately taken offline upon detection of the incident, affecting VPN access, email services, video hosting on Canvas and Mediasite, printing, shared drives, and Listservs. University officials have engaged third-party IT forensic experts to help investigate the nature of the attack. Academic deans have received guidance on maintaining educational continuity using alternative resources while some systems remain unavailable. Students and staff are advised to stay alert for any suspicious activity and report it to the IT help desk. Email services for "K-State Today" are expected to be partially restored with a modified format and content limitations. There has been no indication as of yet that there was a data breach affecting personal information of students or staff. This incident marks the second major cyberattack on an educational institution in 2024, following a ransomware attack on Memorial University of Newfoundland. | Details |
| 2024-01-18 18:32:06 | theregister | NATION STATE ACTIVITY | Proposed Reforms Aim to Enhance Cyber Safety Review Board's Independence | The US Cyber Safety Review Board (CSRB) may become a permanent entity amidst calls for increased independence and transparency. The CSRB, established by Executive Order in 2021, has published only two reports on major cybersecurity incidents, analyzing Log4J and the LAPSUS$ group. Experts argue for the board's independence to prevent conflicts of interest, citing the potential for biased reporting from private sector members involved in cybersecurity incidents. There is a suggestion that the CSRB operate like the National Transportation Safety Board, with the authority to conduct in-depth investigations and report findings publicly. The cybersecurity industry relies on private companies for intelligence sharing, and the CSRB aims to provide actionable information without legal restrictions or profit considerations. Subpoena power for the CSRB is debated, with some experts in favor to compel information sharing, while others caution against it until further regulation details are established. The hearing concluded without endorsement from Senator Gary Peters, indicating that discussions are ongoing to define the CSRB's role and capabilities. | Details |
| 2024-01-18 17:41:02 | bleepingcomputer | MISCELLANEOUS | Haier Issues Takedown Notice Against Home Assistant Plugin Developer | Haier has issued a legal takedown notice to a German developer for creating and publishing Home Assistant integration plugins on GitHub. The plugins facilitated control of Haier and its affiliated brands' smart appliances through the open-source Home Assistant automation platform. Haier asserts these plugins cause financial harm and violate copyright laws, demanding their immediate removal to avoid further legal actions. The developer, Andre Basche, has indicated he will take down the projects following Haier's legal threats. The open-source nature of the plugins has stirred a community backlash, with calls to boycott Haier-branded products and support for the developer increasing. The long-term viability of the plugins is uncertain, given Haier's stance, but community support may lead to the code being maintained through forks or clones. Haier has not provided an immediate comment on the situation when contacted by the media. | Details |
| 2024-01-18 17:04:49 | theregister | MISCELLANEOUS | The Unseen Toll of Ransomware: Mental Health Crises Among Cybersecurity Pros | Ransomware attacks are causing severe psychological and physical health issues for cybersecurity professionals, including cases of hospitalization and suicidal ideation. A financial industry cybersecurity worker attributed a heart attack to the stress of managing ransomware, while a charity security staffer was hospitalized due to health problems exacerbated by a ransomware attack. The Royal United Services Institute (RUSI) research details the extensive psychological harm to infosec workers that goes unrecognized, linking high-stress levels and burnout to the cybersecurity field. Victims often feel personal blame for ransomware incidents, leading to mental anguish, doubt in their abilities, and fear of job insecurity and reputational damage. An engineering business established a PTSD support team recognizing the immense pressure on IT staff post-attack, although PTSD was not clinically diagnosed but rather self-identified by the respondents. The stress of potential regulatory action and accountability for breaches further contributes to the long-term mental strain on cybersecurity defenders. Social impacts included strained personal and professional relationships, with prolonged working hours affecting time spent with family and coworkers' behavior. Financial impacts extend beyond the victim organizations to the individuals, with potential job losses and personal costs for therapy to recover from the ransomware incidents. | Details |
| 2024-01-18 16:38:56 | thehackernews | MALWARE | Novel Docker Malware Siphons CPU for Crypto Mining, Simulates Web Traffic | A new cyberattack campaign targeting vulnerable Docker services has been discovered, utilizing both cryptocurrency mining and fake website traffic generation as monetization methods. The malware deploys XMRig, a tool for mining Monero (XMR) cryptocurrency, and 9Hits Viewer, software that simulates traffic to websites to earn credits within an exchange service. Security experts note this is the first time the 9Hits application has been employed as part of a malware payload, demonstrating threat actors' evolving strategies. Attackers are potentially scanning for open Docker API ports using search engines like Shodan, then installing malicious containers to exploit these services. Once breached, the servers run two containers: one for the 9Hits Viewer to accrue traffic credits fraudulently, and another for the XMRig miner to exploit CPU resources for cryptocurrency mining. Legitimate server workloads suffer due to resource exhaustion caused by the malware, and there's a risk of further compromise, such as adding a remote shell for more severe breaches. The scale and profitability of this campaign remain unknown since the XMRig miner connects to a private mining pool, concealing its activities. | Details |
| 2024-01-18 16:13:00 | bleepingcomputer | CYBERCRIME | BreachForums Founder Faces 15-Year Sentence Recommendation by US Government | The U.S. government has suggested a 15-year prison sentence for Conor Brian Fitzpatrick, creator and lead admin of the cybercrime forum BreachForums. BreachForums, successor to RaidForums, hosted vast quantities of stolen data, with over 888 databases and 14 billion records. Fitzpatrick, known as "Pompompurin", was arrested on March 15, 2023, and was released on bond, only to be re-arrested for breaching release terms. His role in facilitating cybercrime is highlighted by the fact that he brought together over 300,000 members to trade stolen databases and personal data on a large scale. In acting as a middleman, Fitzpatrick greatly facilitated the distribution of stolen data, encouraging the sharing of data samples before transactions. Child pornography was found amongst the confiscated materials, contributing to the gravity of the charges. The defendant's cooperation with the authorities, lack of a violent crime record, and an early plea deal may have influenced his recommended lower-end sentence. The government's proposal includes imprisonment, a fine for possession of child pornography, supervised release, restitution to victims, and forfeiture of assets. | Details |
| 2024-01-18 15:32:10 | theregister | CYBERCRIME | Exploited Citrix NetScaler Vulnerabilities Prompt Security Alert | Two new vulnerabilities in Citrix NetScaler ADC and Gateway products have been exploited in the wild before a fix was available. CVE-2023-6548 allows for remote code execution, though it requires an authenticated user with low-level privileges and access to certain management IPs. CVE-2023-6549 poses a denial-of-service threat with an 8.2 CVSS rating, impacting appliances configured as a gateway or AAA virtual server. Even though Citrix's configuration instructions recommend keeping management interfaces private, over 1,400 interfaces were reportedly exposed online. Only customer-managed NetScaler ADC and Gateway instances are affected; cloud-managed services are not vulnerable to these flaws. Citrix and Tenable security researchers urge customers to apply the provided patches immediately to prevent widespread exploitation. The US Cybersecurity and Infrastructure Security Agency has added both CVEs to its Known Exploited Vulnerabilities Catalog, underscoring the seriousness of these exploits. | Details |
| 2024-01-18 15:06:31 | bleepingcomputer | DATA BREACH | Combating the Threat of Leaked Credentials and Infostealer Malware | Infostealer malware represents a significant risk as it captures browser-stored credentials, session cookies, and other data, often self-terminating after data exfiltration. Organizations face ongoing threats from leaked credentials, commonly resulting from password reuse across multiple applications, enabling brute force attacks on various services. Flare monitors over 40 million stealer logs and 14 billion leaked credentials, providing insights into how threat actors acquire and utilize this information. Tier 1 leaked credentials come from third-party breaches and are distributed on the dark web, while Tier 2 credentials are stolen directly through malware, posing a greater risk. Fresh stealer logs (Tier 3) are critical as they might contain active session cookies, enabling attackers to perform session hijacking and potentially bypass 2FA and MFA controls. Implementing strong defense strategies such as employee email monitoring, password resets, password managers, and limited TTL for application sessions can mitigate these cyber risks. Two-factor authentication (2FA) is not foolproof, and attackers employ various tactics, such as social engineering and SIM swapping, to bypass these additional security measures. Flare offers a platform for detection and monitoring of leaked employee credentials on the dark web and other channels, with a setup time of just 30 minutes and a free trial option. | Details |