Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11759
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-15 15:35:37 | theregister | DATA BREACH | FTC Bans Data Broker from Selling Sensitive Location Data | The FTC announced a settlement with X-Mode Social, placing a ban on the sale and sharing of sensitive location data. X-Mode, which sold assets to Outlogic, was found to be collecting and selling non-anonymized data from its own apps and from an SDK used in third-party apps. The settlement obligates Outlogic to delete all previously collected data and to acknowledge user opt-out requests for data collection. Outlogic must also keep a no-collect list for sensitive locations and ensure its data buyers cannot link data to these locations. Several critical vulnerabilities were also revealed, with Cisco's Unity Connection web management interface notably affected (CVE-2024-20272). The TriangleDB malware was found to exploit an Apple hardware feature believed to be intended for debugging, raising questions about how the exploit was discovered. HMG, a healthcare provider in Texas, disclosed a breach without being able to determine exactly which data was stolen, raising concerns over its cybersecurity measures. HMG's inability to ascertain the compromised data illustrates the challenges organizations face post-breach. | Details |
| 2024-01-15 14:03:07 | thehackernews | MALWARE | Emerging Ransomware Actors Poised for Notoriety in 2024 | There was a significant 55.5% increase in ransomware attack victims globally in 2023, with a total of 4,368 recorded cases, indicating a resurgence after a brief decline in 2022. LockBit 3.0 remained the most prominent group with 1,047 victims, while lesser-known groups like Alphv and Cl0p had 445 and 384 victims respectively. Three upcoming ransomware groups—3AM, Rhysida, and Akira—have diverse tactics and are gaining attention in the cybersecurity field for different reasons. The newcomer 3AM made its presence known with over 20 organizations affected, showing sophistication by using the Rust language and tools such as Cobalt Strike and PsExec for lateral movement and persistence. Rhysida claimed to be a "cybersecurity team" aiding victims by highlighting vulnerabilities, targeting healthcare and government organizations among others, with a noted attack on the British Library and the stolen PII being sold online. Akira, having claimed 81 victims, displays links to the defunct group Conti, operates as ransomware-as-a-service, and primarily gains access using compromised credentials, exposing lapses in MFA implementation in targeted organizations. The ransomware industry continues to grow with new groups emerging, leveraging high-quality ransomware tools, indicating that these entities could become major threats alongside established groups in 2024. | Details |
| 2024-01-15 14:03:07 | thehackernews | MALWARE | Opera Browser Flaw Allows Hackers to Execute Arbitrary Files | A critical vulnerability named MyFlaw has been discovered in the Opera web browser, affecting both Windows and macOS versions, which allows remote code execution. The Guardio Labs research team found that this flaw can be exploited via the My Flow feature, which syncs data between mobile and desktop, allowing files to be executed outside the browser's secure environment. The vulnerability was responsibly disclosed on November 17, 2023, and subsequently patched in an update released on November 22, 2023. My Flow utilizes an internal extension, "Opera Touch Background", that communicates with a mobile app, and due to insufficient security checks it can interact with potentially malicious web pages. Guardio Labs uncovered an old and insecure version of the My Flow page that could be used to inject malicious code and execute it on a victim's device through user interaction. The incident underscores a need for improved security measures in browser designs and third-party extensions. Opera responded promptly with a server-side fix and steps to prevent future vulnerabilities, thanking Guardio Labs for their collaboration in enhancing product security. | Details |
| 2024-01-15 08:47:48 | theregister | CYBERCRIME | Enhance Data Protection Against Ransomware with Rubrik Demos | Rubrik has curated a selection of the top 12 product demonstrations aimed at enhancing ransomware protection strategies. The demos feature Rubrik Security Cloud's capabilities in simplifying data protection across various infrastructures and reducing organizational vulnerabilities. A specialized Ransomware Response Team provides insights into safeguarding Microsoft 365 against increasing cyber threats. Rubrik's collaboration with Microsoft Sentinel is highlighted, presenting strategies for securing sensitive data on the Azure platform. The partnership between Rubrik and Zero Trust specialist Zscaler is introduced to protect information across cloud, datacenter, and SaaS environments. Solutions for managing the challenges of data fragmentation during cloud adoption and migration are demonstrated, highlighting the task's growing urgency due to expanding digital data volumes. Demonstrations show how Rubrik's NAS Cloud Direct tool can automate recovery from ransomware attacks and help pinpoint the initial system impacts for post-incident analysis. Professionals interested in bolstering data protection in 2024 are invited to register for The 12 Days of Demos to access these insights and resources. | Details |
| 2024-01-15 08:17:06 | thehackernews | CYBERCRIME | Cybersecurity Flaws Risk IoT Devices and Industrial Tools | High-severity vulnerabilities have been discovered in Bosch smart devices including thermostats and smart nutrunners. Romanian cybersecurity firm Bitdefender uncovered a flaw allowing attackers to implant rogue firmware in Bosch BCC100 thermostats. Bosch has patched the thermostat vulnerability (CVE-2023-49722) in firmware version 4.13.33, which closed an unauthenticated network port. Over 25 flaws have been reported in Bosch Rexroth Nexo smart nutrunners that could permit ransomware installation and operational disruption. Nozomi Networks warns that due to the critical nature of the nutrunner in assembly processes, compromised devices could pose a safety risk. Remediation measures are currently being devised by Bosch, with patches expected by the end of January 2024; users are advised to restrict device network reachability and review login access. The article also mentions that Pentagrid identified vulnerabilities in Lantronix EDS-MD IoT gateways for medical devices. | Details |
| 2024-01-15 07:51:25 | thehackernews | MALWARE | Thousands of WordPress Sites Hacked via Plugin Flaw by Balada Injector | The malware Balada Injector has compromised over 7,100 WordPress sites by exploiting vulnerabilities in the Popup Builder plugin. Doctor Web initially documented the malware in January 2023, with waves of attacks dating back to 2017, impacting more than 1 million sites. The malware redirects visitors to fraudulent tech support, lottery scams, and unwanted push notifications. The campaign utilizes a significant security flaw in Popup Builder, CVE-2023-6000, which was patched in version 4.2.3 following WPScan's disclosure. Attackers have established persistent access to affected sites by injecting malicious JavaScript, creating rogue admin users, and uploading backdoors. Upon detection of admin cookies, the malware uses the privileges to install a backdoor plugin, trigger a second-stage payload, and spread the infection to other directories. Security companies recommend updating the vulnerable plugin and stress the importance of monitoring potential security weaknesses in WordPress extensions. | Details |
| 2024-01-15 05:59:12 | thehackernews | DDOS | Environmental Services Industry Hit by Massive DDoS Attack Surge | A massive 61,839% increase in HTTP DDoS attacks on the environmental services industry was reported in 2023. The surge in cyberattacks coincided with the COP 28 climate conference, underscoring the nexus between environmental issues and cybersecurity. Cryptocurrency remains the most targeted sector, while the environmental services sector is becoming a new focus for attackers. The United States and China are the main sources of HTTP DDoS attack traffic, jointly accounting for over a quarter of global traffic. In Q4 2023, the gaming and gambling and telecommunications industries were the second and third most attacked sectors, respectively. The Palestinian banking and IT sectors saw a 1,126% quarter-over-quarter increase in DDoS attacks amidst regional conflict and online operations. Akamai reports that DDoS attacks are becoming more frequent, sophisticated, and focused, with attackers targeting multiple IP destinations in the same event. Cloudflare highlights the threat of unmanaged or unsecured API endpoints, as they may allow potential data exfiltration and are commonly targeted by malicious actors. | Details |
| 2024-01-15 03:01:13 | theregister | NATION STATE ACTIVITY | China Criticizes AirDrop's Privacy Risks, Exploits Old Vulnerability | China has highlighted a flaw in Apple's AirDrop protocol, stressing the need to align with socialist principles and enforce real identity disclosure. AirDrop's peer-to-peer network is difficult for the Chinese government to monitor and has been used to share anti-government material in the past. Beijing's police identified the sharing of problematic content via AirDrop, which evades conventional network monitoring due to its offline nature. Research suggests that the pseudonymity offered by AirDrop can be breached using "rainbow table" techniques to recover the identifiers behind the hashed information. Matthew Green, an infosec academic, acknowledges the plausibility of the vulnerability and the risk it poses to users globally, not just in China. Apple has been aware of the vulnerability since at least 2019 but has not fixed it, potentially due to the technical complexity and political considerations within the lucrative Chinese market. Users are advised to use complex Apple IDs to protect themselves, and Apple could implement more robust cryptography, though this may intensify political tensions with China. | Details |
| 2024-01-14 15:35:35 | bleepingcomputer | CYBERCRIME | GrapheneOS Advocates Auto-Reboot to Enhance Android Security | The GrapheneOS team reported firmware vulnerabilities affecting Android devices, especially Google Pixel and Samsung Galaxy phones. These vulnerabilities can be exploited to steal data and spy on users when devices are not in the "at rest" state (turned off or not yet unlocked after booting). GrapheneOS suggests introducing an auto-reboot feature in Android to make it harder for these firmware flaws to be exploited. Auto-reboot would disrupt potential ongoing compromises by frequently resetting the device's protection systems and requiring user authentication upon startup. GrapheneOS's own version of the auto-reboot feature currently resets devices every 72 hours, but developers believe this interval should be shortened. The team also cautions that flight mode may not effectively reduce the attack surface due to Wi-Fi, Bluetooth, NFC, and USB Ethernet capabilities. Google acknowledged the reported issues and is reviewing the vulnerabilities to determine necessary actions. Security experts support regular device reboots to protect against mobile threats that lack robust persistence mechanisms. | Details |
| 2024-01-14 13:13:10 | bleepingcomputer | MISCELLANEOUS | AdGuard VPN Offers Up to $315 Discount on Data Privacy Subscriptions | AdGuard VPN is offering discounted subscriptions for its service, with savings of up to $315. Its VPN utilizes a custom-designed protocol for faster, more secure connections, even on unsecured public Wi-Fi. Discounts are available for one-year, three-year, and five-year plans, catering to the varying needs of users globally. AdGuard VPN maintains a no-log policy to enhance data privacy, ensuring no data is collected that could be compromised. The service can protect up to ten devices simultaneously and supports multiple platforms including Windows, Mac, Android, and iOS. AdGuard VPN is well rated, with high ratings on the Apple App Store (4.6/5) and Google Play (4.5/5), and positive mentions in reputable publications. The promotional VPN deals are available through January 14th, with different savings tiers based on subscription length. The offer is a StackCommerce deal in partnership with BleepingComputer.com, which earns a commission from sales through StackCommerce. | Details |
| 2024-01-14 09:09:30 | thehackernews | CYBERCRIME | Unraveling the Truth Behind Denmark Energy Sector Cyberattacks | Initial claims connected Russia-linked Sandworm to cyberattacks on 22 Danish energy organizations in May 2023. New analysis from Forescout indicates two separate attack waves, not linked to each other or to Sandworm. The first wave exploited a Zyxel firewall vulnerability on May 11; the second wave used Mirai botnet variants from May 22 to 31. The second wave's attacks aligned with a broader pattern of targeting unpatched firewalls, not just Danish infrastructure. Evidence suggests these cyberattacks began as early as February 16, utilizing various exploits for Zyxel devices. Ongoing attacks across Europe and the U.S. indicate that the flaws were not exploited exclusively against Danish targets. The report underscores the need for robust cybersecurity measures beyond the immediate incidents in Denmark. | Details |
| 2024-01-14 02:28:23 | bleepingcomputer | CYBERCRIME | Arrest in Ukraine for Illicit $2M Cryptojacking Operation Using Cloud Servers | A 29-year-old man in Ukraine was arrested for orchestrating a cryptojacking scheme that illegally mined cryptocurrency using 1 million virtual servers. Europol disclosed that the suspect hijacked cloud computing resources, significantly impacting the CPU and GPU performance of the victimized organizations. The cybercriminals profited by siphoning computing power to mine $2 million worth of cryptocurrency, at great expense to compromised entities in increased power usage. The criminal activity was uncovered in January 2023 by a cloud service provider who noticed compromised accounts, leading to a collaborative investigation with law enforcement. The operation used brute-force attacks to gain administrative privileges on compromised accounts, with activity dating back to 2021. Europol and Ukrainian police, through their investigation, seized evidence including computer equipment and electronic media linked to the cryptojacking activities. The suspect used TON cryptocurrency wallets for transactions involving the illegally obtained funds. Companies are advised to strengthen their cloud security measures, including regular monitoring for abnormal usage patterns, applying software updates, using 2FA for administrative accounts, and employing intrusion detection and endpoint protection systems. | Details |
| 2024-01-13 15:11:23 | bleepingcomputer | CYBERCRIME | Ukrainian Hacker Seizes Million Servers for Cryptojacking Scheme | A 29-year-old in Ukraine was arrested for cryptojacking, having created one million virtual servers for mining cryptocurrency. The scheme resulted in approximately $2 million worth of cryptocurrency mined, using hijacked cloud computing resources. The compromised servers caused performance issues and increased power costs for the affected organizations. Europol, with the assistance of Ukrainian police and a cloud service provider, identified and arrested the hacker, seizing related equipment and evidence. The hacker, active since 2021, gained access to cloud resources by brute-forcing passwords, before escalating privileges to create virtual machines for mining. The threat actor utilized TON cryptocurrency wallets to launder the proceeds from the illegal mining operation. The article also discusses measures to mitigate cryptojacking, such as monitoring for unusual activity, implementing endpoint protection, intrusion detection, and regular security updates, as well as enabling 2FA for administrative accounts. | Details |
| 2024-01-13 10:52:22 | thehackernews | CYBERCRIME | Critical Flaw in Juniper Networks Devices Allows Remote Takeover | Juniper Networks has fixed a critical remote code execution (RCE) vulnerability in its SRX firewalls and EX Series switches, labeled CVE-2024-21591 with a CVSS score of 9.8. The vulnerability allowed unauthenticated network-based attackers to execute code or cause denial-of-service (DoS), potentially gaining root privileges on the devices. Specific versions of Junos OS were affected by the out-of-bounds write issue, which has been addressed in multiple recent software releases. Juniper recommends disabling J-Web or limiting access to trusted hosts as interim measures until patches can be applied. Another high-severity bug in Junos OS, CVE-2024-21611, was also patched; this vulnerability could lead to a DoS attack. There is evidence that similar vulnerabilities in Juniper's products were previously exploited, implying active interest from cybercriminals in targeting these devices. Users and administrators of Juniper devices are advised to apply the updates as soon as possible to safeguard against potential exploitation of the flaws. | Details |
| 2024-01-13 10:06:22 | thehackernews | CYBERCRIME | Ukrainian Cryptojacking Mastermind Arrested for Cloud Exploitation | A 29-year-old from Ukraine has been detained for orchestrating a large-scale cryptojacking operation, accruing over $2 million. European law enforcement agencies, in collaboration with Europol and an impacted cloud service provider, led the arrest. Europol got involved after the affected cloud provider reported compromised user accounts earlier in January. Multiple properties were searched to collect evidence against the suspect, who had been tapping into cloud services for cryptocurrency mining. Cryptojacking involves unauthorized use of computing resources to mine cryptocurrencies, frequently through compromised credentials and escalated privileges. Perpetrators exploit cloud infrastructures, often leveraging free trials or breaching legitimate accounts to conduct their illegal activities. Prior reports by Palo Alto Networks Unit 42 reveal related incidents where AWS credentials leaked on GitHub were hijacked for cryptojacking within minutes of exposure. | Details |