Daily Brief
Find articles below; each row carries a generated summary of the story.
Total articles found: 12703
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-14 13:06:44 | bleepingcomputer | DATA BREACH | Nissan Oceania Data Breach Affects 100,000 Individuals | Nissan Oceania experienced a cyberattack in December 2023, with the Akira ransomware group claiming responsibility. The attack resulted in a significant data breach involving personal information of around 100,000 current and former employees and customers. Compromised data includes government identification such as Medicare cards, driver's licenses, passports, and tax file numbers, as well as loan documents and employment details. Akira has already leaked some of the stolen data on the dark web. Nissan is contacting the affected individuals directly to provide details and support, after deduplicating its contact list. Up to 10% of the impacted individuals had their government IDs exposed; the remaining individuals had other personal data compromised. Nissan is offering free identity protection services, credit monitoring, and reimbursement for replacing compromised government IDs. Customers are advised to watch closely for potential scams, to use multi-factor authentication, and to update their passwords regularly. | Details |
| 2024-03-14 12:00:08 | thehackernews | CYBERCRIME | High-Severity Kubernetes Flaw Allows Windows Node Takeover | A high-severity vulnerability in Kubernetes that allowed remote code execution on Windows nodes has been disclosed. Identified as CVE-2023-5528, the vulnerability affected kubelet versions starting from 1.8.0. The flaw was patched on November 14, 2023, and is specific to Kubernetes clusters using in-tree storage plugins for Windows nodes. Exploitation could result in an attacker gaining SYSTEM privileges and potentially full control over all Windows nodes within a cluster. The vulnerability stems from insecure function calls and a lack of input sanitization, particularly when mounting local volumes in a pod. Kubernetes developers have replaced the vulnerable command-line call with a native Go function to remove the injection risk. The disclosure is accompanied by news of a separate critical security flaw in the Uniview ISC camera model 2500-S being exploited to spread the NetKiller Mirai botnet variant. | Details |
| 2024-03-14 10:28:11 | thehackernews | CYBERCRIME | RedCurl Cybercrime Group Utilizes Windows Tool in Espionage Attacks | The Russian-speaking cybercrime group RedCurl has been abusing the legitimate Windows Program Compatibility Assistant (PCA) for corporate espionage. The PCA tool (pcalua.exe), which resolves compatibility issues with older programs, is being misused for command execution and security bypass. RedCurl, operating since 2018, has targeted organizations in multiple countries, including Australia, Canada, Germany, Russia, the U.K., and the U.S., to steal corporate secrets and employee data. The attack begins with phishing emails containing malicious .ISO or .IMG attachments, which initiate a multi-stage process involving cmd.exe and the legitimate curl utility to deliver a loader (ms.dll or ps.dll). The malicious DLL uses PCA to start a downloader process, which establishes a connection to fetch the loader; the open-source Impacket toolkit is also used for further unauthorized command execution. Attribution to RedCurl rests on shared command-and-control infrastructure and downloader artifacts similar to those used previously. Trend Micro's report highlights the group's tactics for evading detection, including misusing PowerShell, curl, and PCA. Meanwhile, the Russian nation-state group Turla has been using a new Pelmeni wrapper DLL that deploys the Kazuar backdoor through DLL side-loading, reflecting a broader pattern of advanced threat groups relying on evasive techniques. | Details |
| 2024-03-14 10:28:11 | thehackernews | MISCELLANEOUS | CISOs Capitalize on Cato for Enhanced Visibility and Security | CISOs use Cato SSE 360 from the Cato SASE Cloud platform to balance security and productivity without compromise. The article claims Cato yields comprehensive visibility into the organization's security, networking, and connectivity, much like a SIEM. The platform provides real-time threat prevention with built-in capabilities such as IPS, anti-malware, and daily security updates; the vendor cites its quick response to Log4j as an example. Cato supports data sovereignty through DLP and CASB functionality, aiding sensitive information protection and controlled SaaS application access. The article also mentions easy policy enforcement and minimal configuration, applying protection across all users and locations. It positions Cato as a future-proof solution for CISOs, implying that it accommodates growth and evolves with security needs with no barriers to deployment or onboarding. | Details |
| 2024-03-14 07:19:37 | thehackernews | MALWARE | Ande Loader Malware Hits North American Manufacturing | Blind Eagle, a cybercrime group, has been using the Ande Loader malware to deploy RATs such as Remcos RAT and NjRAT. The malware primarily targeted Spanish-speaking individuals in the manufacturing sector in North America through phishing emails. The phishing emails carry RAR or BZ2 archive files, which initiate the infection chain through a malicious VBScript. Ande Loader establishes persistence by adding itself to the Windows Startup folder and then drops the selected RAT payload on the victim's system. In some cases the malware was distributed via Discord CDN links, showing an evolution in the delivery method. Blind Eagle uses crypters from known developers, one of which has hardcoded servers involved in the campaign. The report also references a SonicWall study describing a different loader malware family (DBatLoader), which uses a compromised driver to bypass security measures. | Details |
| 2024-03-14 05:02:30 | thehackernews | MALWARE | DarkGate Malware Exploits Microsoft Flaw in Phishing Scam | DarkGate malware uses a recently patched Microsoft vulnerability (CVE-2024-21412) to bypass Windows SmartScreen; the flaw was exploited as a zero-day. Phishing emails contain PDF attachments with Google DoubleClick open redirects leading to malicious sites that distribute fake Microsoft (.MSI) installers loaded with DarkGate. The attack targets financial institutions and relies on convincing social engineering, using bogus installers posing as software such as iTunes and NVIDIA. Multiple malware families, such as Planet Stealer and Tweaks, are abusing popular platforms and social engineering to steal sensitive data. Cybercriminals are extending their reach through ad campaigns and abuse of legitimate platforms to deliver various information stealers and remote access trojans. Security experts warn users to be vigilant and to trust software installers only from official channels. | Details |
| 2024-03-14 04:21:41 | thehackernews | MALWARE | Fortinet Issues Alert on Critical FortiClientEMS Software Flaw | Fortinet has disclosed a critical SQL injection vulnerability in its FortiClientEMS software, potentially leading to unauthorized code execution. The flaw, designated CVE-2023-48788, carries a CVSS score of 9.3; Horizon3.ai plans to release technical details and a PoC exploit shortly. Exploitation could lead to remote code execution as SYSTEM on the server. The vulnerability was reported by Thiago Santana of the FortiClientEMS development team and the U.K. National Cyber Security Centre (NCSC). Additionally, Fortinet has fixed two other critical bugs in FortiOS and FortiProxy that also allow execution of arbitrary code via captive portal HTTP requests. No active exploitation of these flaws has been reported, yet it is crucial for users to apply the software updates swiftly, given prior instances of unpatched Fortinet appliances being targeted by cybercriminals. | Details |
| 2024-03-14 01:48:57 | theregister | NATION STATE ACTIVITY | U.S. House Passes Bill Targeting TikTok's Foreign Control | The U.S. House of Representatives has passed the Protecting Americans from Foreign Adversary Controlled Applications Act, which targets TikTok specifically. If enacted, the bill would force TikTok's parent company ByteDance to sell the app's US operations or face a ban. The bill, which has bipartisan support, passed with 352 votes, citing concerns over potential intelligence gathering and surveillance by Beijing through TikTok. The Senate has yet to consider the bill, and some senators have indicated plans to slow the process over free speech concerns and the potential impact on TikTok users. The practicality of disentangling TikTok's US operations from its global infrastructure is in question, and past rumors of big tech acquisitions have resurfaced. The bill's advancement is set against the backdrop of China's ban on non-Chinese social networks, highlighting an asymmetry in social network regulation between the two nations. | Details |
| 2024-03-14 01:18:23 | theregister | DATA BREACH | Nissan Oceania Alerts Customers of Significant Data Breach | Nissan Oceania is contacting around 100,000 Australian and New Zealand individuals affected by a data breach in December 2023. The breach may have been carried out by the Akira ransomware gang, which claims to have stolen thousands of ID documents. Compromised data includes government IDs, with up to 10% of victims having sensitive documents such as Medicare cards, driving licenses, passports, and tax file numbers stolen. Other stolen data may consist of loan transactions, employment, and salary details and could include personal information such as dates of birth. Customers of financial services that Nissan provides for other automakers are also affected. Nissan is offering free credit monitoring services and assistance replacing stolen ID documents, with support from IDCARE to protect against data misuse. The Akira group, responsible for significant attacks on other entities, boasts about the data on its website, suggesting it did not receive a ransom from Nissan. | Details |
| 2024-03-14 00:37:36 | theregister | DATA BREACH | Nissan Oceania Notifies 100,000 of Data Loss After Cyber Attack | Nissan Oceania will inform approximately 100,000 individuals from Australia and New Zealand about a data breach that occurred in December 2023. The breach may involve the Akira ransomware gang, which claims to have stolen thousands of ID documents along with other sensitive personal information. Stolen data includes government IDs, Medicare cards, driving licenses, passports, and tax file numbers, affecting about 10% of the victims; the remaining 90% may have had loan, employment, or salary information compromised. The breach extends beyond Nissan, affecting customers of other automakers for which Nissan provides finance services, such as Mitsubishi and Renault. Nissan Oceania is offering affected individuals in Australia and New Zealand credit monitoring services and potential reimbursement for replacing ID documents. The Akira group has publicly shared data supposedly belonging to Nissan, indicating a possible ransomware attack, but Nissan has not confirmed this. Akira ransomware has been active since March 2023, targeting several major organizations including Lush and Stanford University. | Details |
| 2024-03-13 22:50:55 | bleepingcomputer | MALWARE | DarkGate Malware Exploits Patched Windows SmartScreen Flaw | A now-patched Windows Defender SmartScreen vulnerability, CVE-2024-21412, is being exploited by hackers to deliver DarkGate malware. The campaign uses fake software installers to bypass SmartScreen security warnings and automatically execute the malware. Attackers send phishing emails with PDF attachments containing links that redirect through Google's services, evading email security measures. The attack chain involves multiple steps, including the use of .url files and a remote WebDAV server to trigger automatic execution of a malicious MSI file. DarkGate, which can steal data and allow remote access, uses advanced evasion techniques and determines its operational tactics through encrypted configuration parameters. Trend Micro recommends applying Microsoft's February 2024 Patch Tuesday update to remediate the vulnerability and has published indicators of compromise so organizations can detect potential attacks. | Details |
| 2024-03-13 21:29:12 | bleepingcomputer | MALWARE | DarkGate Malware Exploit Bypasses Windows SmartScreen Security | DarkGate malware operators are exploiting a Windows Defender SmartScreen flaw, CVE-2024-21412, which was recently patched by Microsoft. The flaw allowed attackers to bypass security warnings and automatically execute malicious software installers. Attackers distributed emails with a rigged PDF that redirected victims through Google's services to compromised servers hosting malicious .url files. These .url files automatically triggered the execution of fake installer MSI files that appeared to come from reputable sources such as NVIDIA and Apple. The MSI files then used DLL sideloading to decrypt and run the DarkGate malware, enabling data theft, payload delivery, and unauthorized remote access. The latest version of DarkGate, 6.1.7, includes enhanced encryption and configuration options for better evasion and targeted attacks. Users and organizations are urged to apply the February 2024 Patch Tuesday update to protect against this exploitation, and Trend Micro has listed all IoCs related to this campaign. | Details |
| 2024-03-13 20:17:43 | bleepingcomputer | DATA BREACH | U.S. Health Department Investigates Major Healthcare Ransomware Attack | The U.S. Department of Health and Human Services (HHS) is investigating a ransomware attack on UnitedHealth Group's subsidiary Optum, which operates Change Healthcare. The attack, attributed to the BlackCat ransomware gang, may have resulted in the theft of protected health information. Change Healthcare, a widely used payment platform in the U.S. healthcare system, suffered significant service disruptions as a result. HHS' Office for Civil Rights (OCR) is focusing on whether Health Insurance Portability and Accountability Act (HIPAA) rules were violated during the breach. The BlackCat gang claims to have stolen 6TB of data, including sensitive information from critical healthcare providers and U.S. military healthcare systems. The number of individuals affected by large breaches rose 141% in 2023 compared to 2022, with hacking accounting for 79% of the reported breaches. | Details |
| 2024-03-13 18:50:58 | bleepingcomputer | CYBERCRIME | Fortinet Patches Critical RCE Vulnerability in EMS Software | Fortinet fixed a critical remote code execution bug in its FortiClient Enterprise Management Server software after being alerted by the UK's National Cyber Security Centre and a Fortinet developer. The vulnerability, identified as CVE-2023-48788, affects versions 7.0 and 7.2 of FortiClient EMS and could allow attackers to execute code with SYSTEM privileges on affected servers. The SQL injection flaw in the software's DB2 Administration Server component is particularly dangerous because it can be exploited by unauthenticated attackers in low-complexity attacks without user interaction. No evidence has been disclosed of exploitation before the patch was issued. Fortinet also fixed another critical vulnerability in the FortiOS and FortiProxy squid proxy, as well as two high-severity vulnerabilities in FortiWLM and FortiClient EMS. Attackers have previously exploited Fortinet vulnerabilities in ransomware and cyber espionage campaigns, highlighting the importance of applying security patches promptly. | Details |
| 2024-03-13 18:15:07 | bleepingcomputer | MALWARE | PixPirate Malware Evolves to Stealthily Hijack Android Devices | A new version of the PixPirate Android banking trojan employs novel hiding techniques to remain undetected on devices. PixPirate specifically targets users of the Brazilian Pix payment platform and keeps operating covertly even after its dropper app has been removed. IBM Trusteer researchers found that PixPirate does not use an app icon, making it invisible on all recent Android versions, including version 14. The malware uses a 'downloader' app to install a 'droppee' app, which contains the encrypted PixPirate payload and is activated by device events rather than a launcher icon. PixPirate listens for system events such as device boot or connectivity changes to execute in the background, enabling hidden fraudulent transactions. The malware has Remote Access Trojan (RAT) capabilities that automate the theft process, including capturing credentials and performing unauthorized money transfers. PixPirate can also disable Google Play Protect, further reducing the chances of detection and removal by the user or system defenses. Although the malware spreads through common phishing tactics via WhatsApp or SMS, its icon-less design and event-based activation make it a challenging new threat. | Details |