Daily Brief

Total articles found: 11755

Checks for new stories every ~15 minutes

2023-12-28 19:09:25 bleepingcomputer MALWARE Microsoft Disables Protocol Used by Cybercriminals to Deploy Malware
Microsoft has disabled the MSIX ms-appinstaller protocol handler because cybercriminal groups were abusing it to spread malware. Attackers exploited CVE-2021-43890 in the Windows AppX Installer to bypass protections such as Defender SmartScreen and browser warnings for executable downloads. Threat actors used malicious ads impersonating well-known software and phishing via Microsoft Teams to distribute signed malicious MSIX packages. The exploitation has been linked to several financially motivated groups, including Storm-0569, Storm-1113, Sangria Tempest (FIN7), and Storm-1674. These groups have also been offering a malware kit built around the MSIX file format and the ms-appinstaller protocol as a service. FIN7, which has also been involved in major ransomware operations such as REvil and Maze, leveraged the same vulnerability. Microsoft recommends installing the patched App Installer version 1.21.3421.0 or disabling the protocol via Group Policy to prevent exploitation.
2023-12-28 18:08:06 bleepingcomputer DATA BREACH Kroll Reports Data Breach Affecting FTX Customers' Personal Information
Kroll has disclosed that personal information of FTX bankruptcy claimants was exposed during a data breach in August. The exposed data includes coin holdings and balances, which attackers can use to identify wealthy cryptocurrency investors. Affected personal data includes names, email addresses, phone numbers, postal addresses, claim numbers, claim amounts, FTX account IDs, and in some cases dates of birth. Kroll states that no FTX systems or digital assets were compromised and that it does not hold FTX account passwords. The company warned customers of potential phishing attacks attempting to gain unauthorized access to cryptocurrency accounts. Kroll recommends using cold wallets to protect crypto assets and staying vigilant about suspicious communications. The breach also affected a limited number of individuals associated with BlockFi and Genesis creditors, though the full extent of the exposed information has not been disclosed. After a Kroll employee's phone number was taken over in a SIM-swapping attack, phishing emails began targeting affected customers, leading to the potential theft of their wallets' seed phrases.
2023-12-28 17:47:12 bleepingcomputer NATION STATE ACTIVITY Ukrainian CERT Warns of APT28 Conducting Rapid, Coordinated Malware Attacks
Ukraine's Computer Emergency Response Team (CERT) detected a new phishing campaign from Russian state-sponsored hackers using novel MASEPIE malware. The APT28 group, also known as Fancy Bear, carried out the attacks between December 15 and 25, targeting Ukrainian entities with phishing emails containing malicious links. The MASEPIE malware downloader establishes persistence on an infected device and leads to additional malware downloads and data theft. APT28 employs additional tools like STEELHOOK to extract information from Chrome-based browsers and OCEANMAP, a C# backdoor for stealthy command execution. OCEANMAP employs the IMAP protocol for command and control, using email drafts to issue commands and store results, reducing detection risk. The attackers also utilized IMPACKET and SMBEXEC for network reconnaissance and lateral movement, indicating a sophisticated and swift attack methodology. The Ukrainian CERT highlighted the efficiency of the threat actors, being able to deploy these tools and start their attack within an hour of the initial system compromise.
2023-12-28 17:11:21 theregister CYBERCRIME Cybercriminals Target Vegas Casinos with Ransomware Attacks
Two Las Vegas casino operators, Caesars Entertainment and MGM Resorts, suffered ransomware attacks by the same cybercrime group. Caesars reportedly negotiated the ransom down to $15 million after the attackers stole its customer loyalty program database. MGM chose not to pay, resulting in a week of IT system outages and operational disruptions with an estimated $100 million in losses. The decision whether to pay a ransom involves several factors, including the type of data compromised, the availability of backups, the potential cost of downtime, and the extortion group involved. Paying ransoms fuels the ransomware economy, encouraging further attacks and potentially funding weapons programs and oppressive regimes. Government sanctions can also affect the decision, as payments to sanctioned entities or individuals can be illegal. Efforts to secure networks and to dismantle the infrastructure that facilitates cybercrime are critical in combating the persistent threat of ransomware.
2023-12-28 16:25:08 bleepingcomputer MALWARE Critical Apache OFBiz Vulnerability Exposes Confluence Servers
A critical vulnerability in Apache OFBiz allows unauthenticated remote code execution and is being actively exploited. Attackers are using public PoC exploits to target systems, looking for vulnerable Confluence servers, which usually hold sensitive data. Apache's original fix for CVE-2023-49070 was incomplete; a new patch for the follow-on issue, CVE-2023-51467, was released in OFBiz version 18.12.11. Despite the availability of the patch, many systems remain unpatched and at risk because PoC exploits are widely circulated. Shadowserver has observed numerous scans using a PoC for CVE-2023-49070 and anticipates similar activity for CVE-2023-51467. To prevent attacks and mitigate risk, Apache OFBiz users are urged to upgrade to the latest patched version promptly.
2023-12-28 15:54:04 theregister NATION STATE ACTIVITY Sophisticated iPhone Vulnerability Uncovered by Kaspersky Researchers
Kaspersky's Global Research and Analysis Team discovered a previously unknown hardware 'feature' in iPhones that allowed attackers to bypass memory protection. The vulnerability, tracked as CVE-2023-38606, affected iPhones up to iOS 16.6 and has been patched since July 2023. The hardware feature is believed to have been intended for testing or debugging, but because it was undocumented it provided a subtle attack vector. The issue involved the use of unknown Memory-Mapped I/O addresses to circumvent the kernel's hardware-based protection. The discovery was particularly challenging because of the complexity and closed nature of the iOS ecosystem, requiring extensive reverse engineering of both hardware and software. The flaw was pivotal in "Operation Triangulation," a campaign that deployed spyware and harvested user data from targeted devices. Kaspersky notified Apple of the exploitation, which led to a swift mitigation of the vulnerability. The case illustrates how advanced hardware protections can be defeated by sophisticated attacks, especially when "security through obscurity" fails to hide exploitable flaws.
2023-12-28 13:26:02 thehackernews CYBERCRIME Google Cloud Remedies Kubernetes Escalation Vulnerability
Google Cloud has patched a medium-severity privilege escalation flaw affecting its Kubernetes services, specifically the Fluent Bit logging container and Anthos Service Mesh. If exploited, the vulnerability could allow an attacker to escalate privileges within a Kubernetes cluster, leading to potential data theft, deployment of malicious pods, and disruption of cluster operations. No real-world exploitation has been reported, and fixes are available in new versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM). To exploit the flaw, an attacker would first need to have compromised a Fluent Bit container, for example through a remote code execution vulnerability. Google addressed the issue by removing Fluent Bit's access to Kubernetes service account tokens and reconfiguring Anthos Service Mesh to curtail excessive permissions. Security experts stress the risk posed by system pods automatically created by cloud vendors, noting that they often run with elevated privileges and are not directly managed by users.
2023-12-28 11:28:45 bleepingcomputer CYBERCRIME Blockchain Developer's Wallet Hacked During Fake Job Interview
A blockchain developer was tricked by a fake recruiter on LinkedIn into downloading malicious npm packages that led to the theft of his cryptocurrency. As part of a phony interview process, Murat Çeliktepe downloaded two GitHub repositories, after which his MetaMask wallet was drained of over $500. The fake job ad appeared legitimate, offering payment for fixing website bugs and leveraging the common practice of take-home coding exercises in tech interviews. Çeliktepe attended a Google Meet session to discuss his solutions and found his Ethereum balance gone a few hours later. Community members suggested the malicious npm projects could have created a reverse shell or intercepted network traffic, but the precise attack method remains unknown. Several other developers reported similar recruitment approaches, indicating a targeted scam operation against blockchain professionals. Security experts advise running such job exercise tasks on a separate virtual machine to protect against these scams.
2023-12-28 11:23:19 thehackernews CYBERCRIME Unveiling Operation Triangulation: A High-Level iPhone Spyware Attack
Kaspersky has uncovered a sophisticated spyware campaign targeting Apple iOS devices, active since 2019. The attack chain exploited four zero-day vulnerabilities to gain deep access and siphon sensitive data from devices running up to iOS 16.2. The attackers used a zero-click iMessage exploit to deploy spyware, bypassing hardware security and accessing kernel memory through undocumented MMIO registers in Apple's A12-A16 Bionic SoCs. Apple released patches for some of the vulnerabilities in January and September 2023, bringing the year's total to 20 fixed zero-days. How the attackers learned of the undisclosed hardware features remains a mystery. The incident reflects the dangers of relying on "security through obscurity" and highlights the risks of hidden hardware features. The revelation coincides with Apple's dispute with the Indian government over state-sponsored spyware warnings sent to journalists and opposition politicians.
2023-12-28 05:57:04 thehackernews MALWARE Surge in Rugmi Malware Loader with Multi-Stealer Delivery
ESET has identified a new malware loader named Win/TrojanDownloader.Rugmi, which has seen a dramatic increase in daily detections. Rugmi is used to distribute information stealers such as Lumma Stealer, Vidar, RecordBreaker, and Rescoms. The loader has separate components for downloading and executing encrypted payloads from both internal resources and external files. Threat actors spread the loader through various methods, including malvertising, fake updates, and trojanized installers for software such as VLC and OpenAI's ChatGPT. The malware is also distributed via Discord's CDN, luring users with incentives to download malicious executables. Cybercriminal marketplaces offer Lumma Stealer on a subscription basis, with prices reaching up to $20,000 for full source code access and resale rights. McAfee Labs recently uncovered a new variant of NetSupport RAT, illustrating the constant evolution of cybercriminal tactics for deploying malware and RATs to gather information from and control victims.
2023-12-27 22:13:59 bleepingcomputer CYBERCRIME Ohio Lottery Systems Compromised by Ransomware Attack
The Ohio Lottery suffered a cyberattack on Christmas Eve that affected several internal applications. Essential services such as gaming systems remain operational, but mobile cashing and certain prize claims are disrupted. An investigation is underway and efforts are being made to restore full service; in the meantime, customers' options for checking winning numbers and cashing prizes are limited. Prizes up to $599 can be cashed at Ohio Lottery retailer locations; larger prizes require alternative claim methods. The newly emerged DragonForce ransomware gang has claimed responsibility, alleging that it encrypted devices and stole sensitive data, including Social Security numbers and dates of birth. The details of the attack suggest a level of sophistication, indicating that the perpetrators may have prior ransomware experience, possibly as a rebrand of an existing group.
2023-12-27 21:07:31 bleepingcomputer CYBERCRIME Ransomware Attack Disrupts Emergency Services at German Hospitals
The Katholische Hospitalvereinigung Ostwestfalen (KHO) network in Germany was hit by a LockBit ransomware attack on December 24, affecting three hospitals. Critical IT systems supporting hospital operations in Bielefeld, Rheda-Wiedenbrück, and Herford were compromised and their data encrypted by the attackers. The hospitals shut down their IT systems as a precaution, and the relevant parties and institutions have been notified. Investigations are ongoing to assess the full extent of the damage and to determine whether any data was stolen during the incident. While patient treatment and essential clinic operations continue with some restrictions, emergency care at the affected hospitals is currently suspended. Patients in need of urgent medical assistance are being redirected to other facilities, which could lead to critical delays in emergency care. The LockBit gang has not yet listed KHO on its extortion portal, so whether sensitive data was stolen remains uncertain at this stage. Backups have been successfully restored, allowing access to crucial patient information despite the attack.
2023-12-27 17:47:05 bleepingcomputer DATA BREACH LoanCare Alerts Over 1.3 Million Customers of Major Data Breach
Mortgage servicing firm LoanCare has announced a data breach affecting 1.3 million individuals, resulting from a cyberattack on its parent company, Fidelity National Financial. Fidelity National Financial, a major title insurance provider, disclosed the breach in an SEC filing, prompting LoanCare to notify authorities and affected customers. Unauthorized access was detected around November 19, 2023, and led to the theft of sensitive customer information that could be used for malicious activities such as phishing. The exposed data includes personal details that significantly increase the risk of identity theft and financial fraud for affected individuals. LoanCare is offering a two-year identity monitoring service through Kroll to help customers monitor and protect their personal information. A similar cyberattack was reported by First American Financial Corporation, another title insurance company, which is still restoring its systems without a clear timeline for returning to normal operations. LoanCare customers are advised to be vigilant against unsolicited communications that may attempt to use the stolen information.
2023-12-27 17:31:34 bleepingcomputer DATA BREACH Panasonic Avionics Reports Data Breach Affecting Sensitive Personal Information
Panasonic Avionics Corporation has reported a data breach stemming from a December 2022 cyberattack that compromised personal information. The breach was detected on December 30, 2022, with the unauthorized access occurring around December 14, 2022. Cybersecurity and forensics experts were engaged to investigate the extent of the incident and the data affected. Exposed information includes names, contact details, dates of birth, medical and health insurance information, financial account numbers, employment status, and government identifiers such as Social Security numbers. There is currently no evidence that the data has been misused, but free identity and credit monitoring services are being offered to all affected individuals for 24 months. It remains unclear whether the affected individuals are Panasonic's employees, customers, or business partners.
2023-12-27 15:59:21 bleepingcomputer MALWARE Extensive 'Xamalicious' Malware Attack Infects Over 330K Android Devices
Previously unknown Android malware, 'Xamalicious,' has infected around 338,300 devices through Google Play. McAfee identified 14 apps carrying the malware on the official store, three of which had over 100,000 installs each. The malicious apps have been removed, but users who downloaded them may still be infected and need to clean their devices manually. Infection rates were highest among users in the United States, Germany, Spain, and several other countries. Xamalicious abuses the Android Accessibility Service to perform advanced actions and downloads additional payloads for execution. There is potential evidence linking Xamalicious to ad fraud, as in the case of the 'Cash Magnet' app. The incident underscores the importance of downloading apps only from trusted sources and of vetting app reviews and developers to avoid malware infections.