Daily Brief

The article summaries below are generated automatically.

Total articles found: 11759


2024-01-13 02:24:01 theregister NATION STATE ACTIVITY Ivanti VPN Zero-Days Exploited in Suspected Espionage Campaign
Ivanti's zero-day vulnerabilities in VPN products have been exploited by suspected spy group UNC5221, potentially since December. Mandiant, which is providing expertise in managing this incident, observed fewer than 20 confirmed victims, a number expected to rise as more organizations assess their networks. The two zero-days, CVE-2023-46805 and CVE-2024-21887, can allow unauthenticated remote code execution, representing a significant threat to compromised organizations. Mandiant has linked the exploitation to a group believed to be sponsored by the Chinese state, named UNC5221, which uses custom malware and hijacked VPN appliances for command and control of victims' networks. Five unique malware families have been detected, including Zipline, a sophisticated backdoor, and Warpwire, a credential harvester. Ivanti is preparing to release patches and, in the meantime, urges customers to implement immediate mitigations to prevent further exploitation. Mandiant has shared indicators of compromise to assist organizations in detecting any breach and strongly recommends immediate mitigation measures.
2024-01-12 23:56:37 theregister MALWARE Malware Phemedrone Stealer Targets Unpatched Windows Systems
Windows Defender SmartScreen bypass vulnerability, CVE-2023-36025, is actively being exploited to infect PCs with Phemedrone Stealer malware. Microsoft patched the flaw in November, but the vulnerability was reverse-engineered, enabling widespread attacks. Phemedrone Stealer scans for sensitive data such as passwords, cookies, and authentication tokens on infected machines. Trend Micro researchers detail the info-stealer's operation, including its targeting of browsers, applications, cryptocurrency wallets, and messaging platforms. Attackers infect victims by tricking them into opening a malicious .url file that downloads further malicious components while circumventing SmartScreen prompts. The malware employs obfuscation techniques to avoid detection and uses Telegram or remote servers for data exfiltration. Microsoft advises updating Windows systems to prevent infection from this and similar exploits.
2024-01-12 22:09:40 bleepingcomputer CYBERCRIME Ransomware Attacks Surge: Mortgage Lenders, Healthcare, Zoos Among Targets
LoanDepot suffered a ransomware attack, disrupting IT systems and online payment capabilities. Mr. Cooper's cyber incident exposed data pertaining to 14 million individuals; First American Financial and Fidelity National Financial also faced ransomware attacks. The Toronto Zoo faced a ransomware attack without adverse effects on animal welfare or daily operations. The LockBit ransomware operation claimed responsibility for an attack on the Capital Health hospital network, with threats of data leakage. Akira ransomware is reportedly targeting Finnish companies and erasing backups, increasing cybersecurity alertness. A joint effort by Dutch police and Cisco Talos resulted in the arrest of a ransomware operator and the retrieval of decryption keys for Tortilla, a Babuk ransomware variant. Cybersecurity researchers highlighted new ransomware variants and a trend of cybercriminals impersonating security experts who offer to counter-hack ransomware gangs.
2024-01-12 19:37:04 theregister CYBERCRIME Ransomware Group Capitalizes on High-Severity SharePoint Flaw
A ransomware gang has reportedly developed an exploit for a critical Microsoft SharePoint vulnerability, CVE-2023-29357, enabling remote code execution (RCE). The vulnerability, identified by Nguyễn Tiến Giang of STAR Labs, was first disclosed at Pwn2Own 2023, where it was combined with another bug for an RCE attack. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, indicating active exploitation by cybercriminals. The severity of CVE-2023-29357 is rated 9.8, and Microsoft issued patches in June 2023, with SharePoint-specific patches required for full protection. The delay before active exploitation reflects the difficulty of building a working exploit chain; Jang's research effort to achieve pre-auth RCE took a year. IT administrators are advised to apply the manual patches quickly, as the attacker does not require privileges and no user interaction is needed for exploitation to occur. There is no publicly known PoC code for the second vulnerability, CVE-2023-24955, so attackers would have had to develop their own exploit for it.
2024-01-12 19:26:38 bleepingcomputer CYBERCRIME CISA Reports Active Exploitation of Critical SharePoint Vulnerability
CISA has issued an alert on the active exploitation of a critical Microsoft SharePoint vulnerability, tracked as CVE-2023-29357. The vulnerability allows remote attackers to gain administrative privileges on unpatched SharePoint servers by using spoofed JWT authentication tokens. It can be combined with another critical SharePoint bug, CVE-2023-24955, for remote code execution, posing a severe security risk. The exploit chain was demonstrated at Pwn2Own 2023 by researcher Jang (Nguyễn Tiến Giang), who received a $100,000 reward. A proof-of-concept (PoC) exploit for CVE-2023-29357 has been released on GitHub, increasing the risk of widespread exploitation by lowering the technical barrier for cybercriminals. Following the PoC release, additional exploits have appeared online, further exacerbating the threat. CISA has mandated U.S. federal agencies to patch this vulnerability by January 31 to mitigate the risk of exploitation.
2024-01-12 17:54:42 bleepingcomputer CYBERCRIME GitLab Updates Fix Critical Zero-Click Account Hijacking Flaw
GitLab has issued security updates to remediate two critical vulnerabilities, including a zero-click account hijacking risk with a severity score of 10/10, tracked as CVE-2023-7028. The vulnerability allows attackers to send password reset requests to arbitrary email addresses, enabling potential account takeovers, although 2FA still protects against unauthorized access. Users of the DevSecOps platform, across all deployment types, are urged to update promptly to avoid exploitation that can lead to significant security implications such as supply chain attacks. The security flaw, introduced on May 1, 2023, with GitLab version 16.1.0, affects multiple versions; GitLab has since provided patches for 16.7.2, 16.5.6, 16.6.4, and backported fixes to earlier versions. While no active exploitations have been detected, GitLab has communicated signs of compromise for defenders to monitor. A separate critical issue, CVE-2023-5356 with a 9.6 severity score, involves the abuse of Slack/Mattermost integrations to execute commands as other users. GitLab has also resolved other security issues in version 16.7.2 and encourages users to see the official update resources for instructions.
2024-01-12 17:38:48 bleepingcomputer CYBERCRIME Juniper Issues Updates for Critical Firewall and Switch RCE Bug
Juniper Networks has patched a critical remote code execution (RCE) bug in its SRX Series firewalls and EX Series switches. The vulnerability, identified as CVE-2024-21591, could allow unauthenticated actors to gain root access or launch DoS attacks. Juniper's security advisory attributes the vulnerability to the use of an insecure function in the J-Web interface. Although there are no indications of active exploitation, Juniper advises immediate application of the security updates or use of workarounds such as disabling J-Web. Over 8,200 Juniper devices with J-Web interfaces are exposed online, which introduces significant risk. In November, CISA warned of a similar Juniper pre-auth RCE exploit chain, combining four bugs, that was being actively exploited in the wild. Under a recent binding operational directive, federal agencies have been directed to secure Internet-exposed networking equipment within two weeks of discovery.
2024-01-12 17:28:15 theregister CYBERCRIME Multimillion-Dollar Cryptojacker Arrested by Ukrainian Police
Ukrainian police, with support from Europol and an unnamed cloud service provider, have arrested a 29-year-old individual in connection with a cryptojacking scheme. The suspect allegedly hijacked cloud computing resources to mine cryptocurrencies, amassing over $2 million in illegal proceeds. The operation was a collaborative effort that began with information about compromised cloud user accounts provided by the cloud provider to Europol. Europol's European Cybercrime Centre (EC3) offered onsite support during the raid and helped analyze forensic data seized during property searches. The crime illustrates a stark loss-to-profit ratio: Sysdig estimates that the cryptojacker earns $1 for every $53 spent by the victim organization. Cryptojacking, defined as the unauthorized use of computational resources to mine cryptocurrencies, often targets cloud services for quick results; it can be lucrative but has become less popular than ransomware due to various factors.
2024-01-12 15:31:12 bleepingcomputer NATION STATE ACTIVITY Zero-Day Exploits in Ivanti Secure Deploy Espionage Malware
Two zero-day vulnerabilities in Ivanti Connect Secure have been exploited for espionage, affecting a limited number of customers. Identified as CVE-2023-46805 and CVE-2024-21887, these vulnerabilities permit authentication bypass and command injection on the impacted systems. Mandiant's investigation suggests involvement of espionage-focused threat actor UNC5221, utilizing five types of custom malware tools. These tools, including the notable ZIPLINE backdoor, enable webshell planting, command execution, payload dropping, and credential theft. The attackers also leveraged compromised end-of-life Cyberoam VPN appliances in the target region as C2 servers to avoid detection. There is no definitive attribution to a specific nation-state or known threat group, nor enough data to assess the origin of UNC5221 with confidence. No security update is currently available for the two zero-days; Ivanti has suggested immediate mitigation measures for system administrators to implement.
2024-01-12 14:44:47 theregister MISCELLANEOUS Enhancing Remote Work Security and User Experience Through Webinar
The prevalence of remote working requires enduring security measures to protect organizational IT infrastructures, which often are stretched to their limits. Many business leaders are concerned about the higher perceived risk of cyberattacks and data breaches among remote workers compared to their in-office counterparts. Chief Information Security Officers (CISOs) are urged to confront these security challenges with informed strategies, utilizing up-to-date knowledge and solutions. Zscaler's upcoming webinar, featuring Krishnan Badrinarayanan and Harsha Nagaraju, aims to educate viewers on securing app access and optimizing remote work connectivity. The webinar will cover methods to eliminate inefficient traffic routes, reduce latency, and provide comprehensive visibility into networks, devices, and applications affecting the end-user experience. Operational efficiency and cost reduction are also on the agenda, with a focus on transitioning from traditional VPNs and firewalls to integrated cloud-native solutions. Interested individuals are encouraged to sign up for the webinar, with reminders to be sent out to ensure attendance.
2024-01-12 13:58:44 thehackernews NATION STATE ACTIVITY Nation-State Hackers Exploit VPN Vulnerabilities for Espionage
Suspected nation-state actors have used two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances to deploy five malware families. The attack involved an authentication bypass flaw and a code injection vulnerability, allowing unauthorized access and post-exploitation activity. The campaign appears highly targeted, affecting fewer than 10 Ivanti customers, with patches for the vulnerabilities forthcoming. The malware families identified are THINSPOOL, LIGHTWIRE, WIREFIRE, WARPWIRE, and ZIPLINE, serving functions from web shells to credential theft and backdoor access. Mandiant, the threat intelligence firm, is tracking the threat actor as UNC5221, noting the sophistication of the attacks and their persistence on the edge of networks. There is no definitive link between UNC5221 and any known group or country, but its methods are consistent with advanced persistent threat (APT) actors. UNC5221's techniques indicate a focus on maintaining a long-term presence on high-value targets, highlighting the ongoing risk to edge infrastructure.
2024-01-12 13:27:48 thehackernews CYBERCRIME Rising Threat of Medusa Ransomware with Extortion and Physical Violence
The Medusa ransomware group has increased its activity, using a dark web site to post sensitive information stolen from non-compliant victims. When publishing leaks, the actors offer paid options: time extensions, data deletion, or download of the data. Medusa ransomware is known for targeting a variety of industries and has affected around 74 organizations in multiple countries. Attacks begin with the exploitation of internet-facing assets and the use of compromised accounts, often obtained via initial access brokers. The threat actors employ living-off-the-land tactics and kernel drivers to terminate security software, aiding evasion. The ransomware encrypts files while sparing certain file extensions and presents victims with details of the ransom and threats of data release. The group's approach also includes a public relations channel on Telegram to share files and exert further pressure on victims. Recent ransomware incidents have also involved secondary extortion attempts by malicious parties pretending to be security researchers.
2024-01-12 13:17:20 theregister MALWARE GitHub Misused by Malware Distributors, Security Risks Rise
GitHub's use by over 100 million developers makes it impractical to block, which suits legitimate users and malicious actors alike. The site has become attractive to criminals for malware delivery because of its reliable hosting and familiarity to developers. While GitHub's infrastructure has limitations, such as file size restrictions and no PHP backend services, its advantages outweigh these for malware authors. Criminals use GitHub for several illicit purposes, including payload delivery, command-and-control operations, and data exfiltration. Recorded Future reports have cited instances of malware distribution through GitHub, with adversaries using the platform to blend in with legitimate traffic. Organizations are advised to monitor GitHub services closely and implement defensive strategies to prevent misuse by identifying and blocking suspicious activity. GitHub acknowledges the challenge and has dedicated teams to detect and remove content that violates its policies, employing manual reviews and machine learning detection methods.
2024-01-12 13:06:38 thehackernews CYBERCRIME Critical GitLab Vulnerabilities Expose Users to Account Takeovers
GitLab has issued security updates for two critical vulnerabilities with potential for severe exploitation, including unauthorized account access. The most severe vulnerability, tracked as CVE-2023-7028 and scored 10.0 on the CVSS scale, could allow attackers to have password reset emails sent to unverified email addresses and thereby take over accounts. The flaw affects all self-managed versions of GitLab Community Edition (CE) and Enterprise Edition (EE) since it was introduced on May 1, 2023, in version 16.1.0. Updated versions 16.5.6, 16.6.4, and 16.7.2 have been released, with backported fixes available for versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. Even users with two-factor authentication (2FA) enabled are vulnerable to password reset attacks, though 2FA can prevent full account takeover. Another critical flaw, CVE-2023-5356 (CVSS score: 9.6), was also corrected; it allowed users to execute commands as another user through Slack/Mattermost integrations. Organizations using GitLab should upgrade to the patched versions immediately and enforce 2FA, especially for users with administrative access.
2024-01-12 12:10:20 thehackernews MISCELLANEOUS Holistic Cyber Resilience Through Breach and Attack Simulation
Breach and Attack Simulation (BAS) is crucial for testing and strengthening an organization's cybersecurity measures against real-world scenarios. Studies indicate cybersecurity defenses are often insufficient, with only a fraction of attacks being detected or triggering alerts, emphasizing the need for continuous security validation. BAS tools simulate various cyber threats, adapting to evolving tactics, techniques, and procedures (TTPs) to maintain preparedness against current and future security challenges. Regular BAS exercises provide valuable data, enabling organizations to prioritize responses to vulnerabilities, refine security controls, and implement better prevention and detection strategies. Integrating BAS into cybersecurity strategies involves tailoring simulations to the organization's specific threat landscape, scheduling consistent simulations, and applying insights to enhance security measures. Quantitative metrics should measure BAS impact on cybersecurity, assessing improvements in defensive capabilities and response efficiencies to fine-tune security measures continually. Picus Security pioneered BAS technology and continues to aid organizations in improving cyber resilience, providing insights into security postures and preparing defenses against sophisticated cyberattacks.