Daily Brief

Each entry below gives the article's timestamp, source, category and title, followed by a generated summary.

Total articles found: 11758

Checks for new stories every ~15 minutes

2024-01-11 14:26:18 | thehackernews | CYBERCRIME | New Exploit Threatens Apache OFBiz ERP Systems with Code Execution
A proof-of-concept (PoC) exploit targets a critical vulnerability in the Apache OFBiz ERP software, CVE-2023-51467, and can execute a memory-resident payload. CVE-2023-51467 is a bypass of another high-severity flaw, CVE-2023-49070, which allowed authentication bypass and remote code execution and was patched in a recent update. Cybercriminals have attempted to exploit the vulnerability, and the ability to execute code from memory is a particular concern because it leaves minimal traces. Earlier Apache OFBiz issues, such as CVE-2020-9496 and CVE-2021-29200, were exploited by actors including those behind the Sysrv botnet. The Go-based exploit by VulnCheck circumvents security measures by leveraging groovy.util.Eval functions to launch a cross-platform in-memory Nashorn reverse shell. The exploit demonstrates that arbitrary in-memory code execution on affected Apache OFBiz systems is feasible, raising concerns for enterprise security. Despite security features designed to prevent unauthorized code execution, the exploit shows that code can be executed without leaving traces on disk and independently of the operating system.
2024-01-11 14:05:32 | thehackernews | MALWARE | New Python-Based FBot Toolkit Targets Cloud Services and SaaS
FBot is a Python-based hacking toolkit designed to attack web servers, cloud services, content management systems, and SaaS platforms like AWS, Microsoft 365, and PayPal. SentinelOne's report highlights FBot's capabilities in credential harvesting, AWS account hijacking, and facilitating attacks on PayPal and SaaS accounts. While not directly linked to AndroxGh0st source code, FBot shares similarities with Legion and other cloud hacking tools such as AlienFox, GreenBot, and Predator. Features include generating API keys for AWS and SendGrid, running reverse IP scanners, validating PayPal accounts, and extracting information from Twilio accounts. The malware leverages a Lithuanian fashion designer's website to authenticate PayPal API requests, a technique also observed in samples of Legion Stealer. It can also extract credentials from Laravel environment files and check for AWS SES email configuration details and EC2 service quotas. SentinelOne found FBot samples dating from July 2022 to the present, indicating ongoing use, but the distribution method and maintenance state are less clear. FBot likely represents a trend of creating private, bespoke cloud attack tools for individual buyers, a practice common with AlienFox builds.
2024-01-11 11:46:24 | thehackernews | MALWARE | Sophisticated Atomic Stealer Malware Targets Macs with Encryption
An upgraded Atomic Stealer malware targeting macOS users now employs encrypted payloads to evade detection. Initially released in April 2023 for $1,000/month, Atomic Stealer's subscription now costs $3,000/month, with a temporary discount to $2,000/month. The malware is capable of stealing Keychain passwords, session cookies, files, cryptocurrency wallets, and other sensitive data by tricking users with a fake password prompt. Atomic Stealer distribution includes malvertising, compromised websites, and Google search ads posing as legitimate software updates and tools like Slack. Recent campaigns use obfuscation methods to hide the command-and-control servers, complicating efforts to track and address the threat. Users are advised to download software only from trusted sources to avoid falling victim to malicious ads and decoy sites that facilitate data theft by the malware.
2024-01-11 11:46:24 | thehackernews | CYBERCRIME | Ransomware Threat Intensifies with Generative AI-Driven Phishing
Ransomware incidents have soared and have hit notable organizations, showing how widely exposed organizations are to these attacks. Phishing, the main driver behind ransomware, is the origin of 90% of data breaches, with losses exceeding $10 billion. Generative AI is expected to exacerbate the phishing threat by enabling highly sophisticated, personalized attacks that traditional defenses struggle to detect. The increased risks highlight the limitations of legacy Multi-Factor Authentication (MFA) systems and the need to adopt Next-Generation MFA solutions. Next-Generation MFA, which includes wearable devices, offers robust protection by replacing outdated credentials and resisting typical phishing tactics. These advanced MFA solutions employ biometrics and can protect against various strategies attackers use to bypass conventional security measures. Organizations are advised to move towards passwordless authentication and implement next-gen MFA to thwart the anticipated rise in AI-powered phishing attacks.
2024-01-11 06:14:51 | thehackernews | CYBERCRIME | Mandiant's Social Media Hacked by Cryptocurrency Drainer Group
Mandiant's social media account was compromised through a brute-force attack that exploited a lapse in two-factor authentication during a policy transition. The attack resulted in the dissemination of phishing links from the compromised company account, directing users to a cryptocurrency drainer dubbed CLINKSINK. CLINKSINK has been used by multiple threat actors since December 2023 to steal digital assets from users of the Solana cryptocurrency. Analysis revealed a network of at least 35 affiliate IDs and 42 unique wallet addresses associated with the ongoing scam, with perpetrators netting at least $900,000. Victims are lured through social media and chat applications to phishing pages, where they are tricked into connecting wallets and approving fraudulent transactions. The widespread use and accessibility of such drainer scripts, combined with the potential for high profit, indicate that such attacks may continue to proliferate. The incident occurred in a context where legitimate social media accounts, including that of the US SEC, have been targeted to spread cryptocurrency scams, underscoring the rising trend of exploiting social media for financial schemes.
2024-01-11 05:33:57 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Utilize Zero-Days to Infiltrate Ivanti VPN Appliances
Suspected Chinese nation-state actors exploited two zero-day flaws in Ivanti Connect Secure and Policy Secure to breach fewer than 10 customers. Cybersecurity firm Volexity discovered the breaches, attributing them to the China-linked hacking group UTA0178, with indications of the initial compromise dating back to early December 2023. Chained together, the vulnerabilities enabled unauthenticated remote command execution, giving attackers control of affected devices without any credentials. Ivanti has acknowledged the vulnerabilities and is set to release patches on a staggered schedule starting January 22, 2024, with temporary workarounds advised in the meantime. The attack involved data theft, file modification, and the use of modified files to log keystrokes and exfiltrate credentials during VPN logins. Attackers went on to access further internal systems and established persistent remote access using a custom web shell named GLASSTOKEN. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by January 31, 2024. Volexity stresses the need for organizations to monitor their critical network systems and respond promptly to any unusual activity, especially on devices that traditionally cannot run security software.
2024-01-11 04:58:16 | thehackernews | CYBERCRIME | Cisco Addresses Critical Security Flaw in Unity Connection Software
Cisco has released updates for a high-risk vulnerability in its Unity Connection software that allowed arbitrary command execution. The flaw, designated CVE-2024-20272 with a CVSS score of 7.3, was an arbitrary file upload vulnerability in the web management interface. Security researcher Maxim Suslov identified the vulnerability, which resulted from improper API authentication and insufficient validation of user-supplied data. Although there have been no reports of active exploitation, users are urged to update their systems to protect against potential threats. The flaw affects several versions of Cisco Unity Connection, with the exception of Version 15, which is not vulnerable. In addition to CVE-2024-20272, Cisco patched 11 other medium-severity issues affecting various software products, but will not update the end-of-life WAP371 device for its separate command injection bug. Customers using the WAP371 Wireless Access Point, which has a command injection vulnerability (CVE-2024-20287), are advised to migrate to a newer device since it will not receive a fix due to its end-of-life status.
2024-01-10 23:19:56 | theregister | DATA BREACH | Fidelity National Reports 1.3 Million Customers Affected by Data Theft
Fidelity National Financial acknowledges that data from 1.3 million customers was stolen during a November cybersecurity incident. The mortgage company, a major player in the US title insurance and settlement services, initially disclosed the event in an SEC filing but did not label it as ransomware. ALPHV/BlackCat, a ransomware gang, claimed responsibility, and FNF completed a forensic investigation on December 13, confirming unauthorized access and malware deployment without self-propagation. Despite the intrusion, FNF asserts there is no evidence of customer-owned systems being directly affected and has not observed reports from customers experiencing such impacts. Affected customers have been notified and offered credit monitoring and identity services; FNF faces several lawsuits tied to the incident but does not anticipate a material impact on its finances. FNF reported over a billion dollars in annual profit for 2022 and suggests it can absorb potential financial repercussions from the cyberattack. Alongside FNF, other financial institutions like Mr Cooper and LoanDepot have reported recent cybersecurity breaches, with LoanDepot's incident resembling a ransomware attack. Fidelity is taking action to secure operations, restore systems, and adequately respond to the cyber incident.
2024-01-10 22:23:43 | bleepingcomputer | CYBERCRIME | Crypto Drainers Exploit Mandiant and SEC Accounts for Phishing Scams
Mandiant's Twitter/X account was compromised by a Drainer-as-a-Service (DaaS) gang, likely through a brute force attack, and used to spread phishing links to its followers. Due to transitions and a 2FA policy change, Mandiant's protections were temporarily lowered, allowing the attack; the gap has since been closed to prevent future incidents. No evidence was found of further malicious activity on Mandiant or Google Cloud systems in the follow-up investigation. Affected users were redirected to phishing pages under the pretense of a token airdrop, which resulted in unauthorized siphoning of cryptocurrency once transactions were authorized. The attackers' campaign, involving 35 affiliate IDs and a common DaaS, uses a model in which affiliates give a 20% cut of the stolen funds to the DaaS operators. Estimates suggest that a minimum of $900,000 has been stolen in recent attacks using the CLINKSINK drainer. Multiple verified X accounts, including that of the SEC, have been hacked to spread cryptocurrency scams, with some lacking essential security measures like 2FA. There is an ongoing pattern of verified accounts being compromised to promote fraudulent cryptocurrency-related sites and operations, signaling a significant cyber threat to users on the platform.
2024-01-10 20:46:54 | bleepingcomputer | CYBERCRIME | Cisco Addresses Critical Vulnerability in Unity Connection Software
Cisco has fixed a critical security defect in its Unity Connection voicemail and messaging platform, which could have allowed unauthenticated remote attackers to obtain root access to devices. The flaw, identified as CVE-2024-20272, existed in the web management interface and enabled command execution and file upload by unauthorized users. Despite the severity of the vulnerability, Cisco's PSIRT reported no evidence of active exploitation or publicly available exploit code. Additionally, Cisco patched ten medium-severity issues across various products that could lead to privilege escalation, XSS attacks, and command injection. For the command injection vulnerability (CVE-2024-20287) in the WAP371 Wireless Access Point, Cisco will not issue a patch due to the device's end-of-life status, urging users to switch to a newer model. Cisco recently dealt with two zero-day exploits, CVE-2023-20198 and CVE-2023-20273, which had targeted more than 50,000 IOS XE devices in a single week.
2024-01-10 20:36:15 | theregister | CYBERCRIME | US Hospitals Must Comply With Cybersecurity Standards for Federal Funding
The White House is set to propose rules requiring US hospitals to meet cybersecurity standards to qualify for federal funding. The Centers for Medicare and Medicaid Services (CMS) is developing rules connecting hospital IT security with federal support, expected to be effective by year's end. The move responds to the increasing threat of ransomware attacks and sophisticated extortion techniques targeting hospitals and health clinics. New standards emphasize implementing "high-impact cybersecurity practices" with proposed legislation to offer financial aid and incentives for compliance. In 2021, 46 US hospital corporations were affected by ransomware, with at least 32 instances of patient data theft. Cybercriminals have resorted to contacting patients directly, leaking sensitive patient information, and other aggressive extortion methods. Some experts argue that withholding federal funding may paradoxically weaken hospitals' abilities to enhance cybersecurity infrastructure. The CMS has a concept paper outlining the HHS cybersecurity strategy and seeks stakeholder feedback while maintaining policy confidentiality pre-proposal.
2024-01-10 20:36:14 | bleepingcomputer | DATA BREACH | Fidelity National Financial Data Breach Affects 1.3 Million Customers
Fidelity National Financial, a major U.S. title insurance company, has been the victim of a cyberattack in which 1.3 million customers' data was compromised. The attack happened on November 19, 2023, and the attackers deployed non-self-propagating malware to steal data. The security breach was contained within a week, and an investigation concluded by December 13, 2023, providing details of the data exfiltration. Affected customers and regulators have been notified, with FNF offering credit monitoring and identity theft restoration services to the affected parties. FNF asserts that the incident is unlikely to materially impact its financial condition or operations and is preparing to defend against class action lawsuits. The BlackCat ransomware gang, which claimed the attack but has not disclosed details of the stolen data, is named as responsible for the incident. This breach is part of a series of recent cyberattacks against the mortgage and housing sector, though not all affected companies have disclosed the nature of the incidents.
2024-01-10 20:00:23 | theregister | CYBERCRIME | Combatting Ransomware: To Pay or Not to Pay?
Ransomware continues to be a significant threat with evolving extortion tactics that pressure organizations and individuals. A debate is ongoing regarding the effectiveness of a total ban on ransomware payments to deter future attacks. Opinions vary on how such a ban would influence the behavior of cybercriminals and the spread of ransomware. Criminals are resorting to increasingly unethical measures, such as threatening to involve law enforcement against victims, to compel payment. The podcast episode discusses the nuanced perspectives on whether forbidding ransom payouts could be an effective strategy. With no straightforward solution to halt ransomware, the focus is on finding the most effective means to reduce its impact and prevalence. Relevant discussions can be accessed through various podcast platforms, highlighting the current state and potential strategies against ransomware threats.
2024-01-10 19:44:36 | bleepingcomputer | CYBERCRIME | Pro-Ukraine Hacktivists Retaliate Against Russian ISP for Kyivstar Attack
The pro-Ukraine hacktivist group 'Blackjack' claims responsibility for a cyberattack on the Russian internet service provider M9com, in retaliation for a previous attack on Ukraine's largest telecom, Kyivstar. The attack on Kyivstar disrupted services and had been prepared since May of the previous year, culminating in a major incident in December in which thousands of virtual servers and computers were wiped. The Blackjack group announced that it breached M9com, disrupted its internet services, and stole confidential data including 50GB of call data and employee and customer account credentials. The group published proof of its attack and data theft, showing server file deletions, backup wipes, and access to systems and databases via a Tor URL and ZIP archives. BleepingComputer contacted M9com for comment on the authenticity of the leaked information but received no response at the time of publication. Blackjack defaced M9com's official website and warned of further attacks in retaliation for the Kyivstar incident. Russian hacktivist attacks usually focus on DDoS, but Blackjack's server wiping has long-term impacts on data recovery; an estimated 20 terabytes of data were reported deleted in the attack.
2024-01-10 18:58:17 | bleepingcomputer | CYBERCRIME | Ivanti Discloses Zero-Day Vulnerabilities Exploited in Targeted Attacks
Ivanti has reported two zero-day vulnerabilities within its Connect Secure and Policy Secure products being actively exploited. Exploitation allows remote attackers to bypass authentication and execute arbitrary commands on affected gateways. The vulnerabilities were identified by Mandiant and Volexity and affect all supported product versions. Ivanti is releasing mitigation measures while working on patches scheduled for distribution between late January and mid-February. Fewer than ten customers are confirmed to be directly impacted, with Ivanti suggesting all customers use an external integrity checker. Over 15,000 Ivanti gateways are exposed online, with security experts warning of MFA bypass and code execution risks. Ivanti previously experienced zero-day exploits targeting their Endpoint Management and Mobile software, used by state hackers against Norwegian government organizations. Ivanti's suite of products, widely used for IT asset and system management, supports over 40,000 companies globally.