Daily Brief


Total articles found: 11755

2023-12-27 15:48:47 | thehackernews | CYBERCRIME | Zero-Day Flaw in Apache OFBiz ERP Risks Business Data Exposure
A zero-day vulnerability, CVE-2023-51467, has been identified in Apache OFBiz ERP software, leaving businesses vulnerable. The flaw allows attackers to bypass authentication due to an improper fix for a previous high-severity vulnerability, CVE-2023-49070. The issue stems from the handling of authentication with empty username and password fields, combined with a particular URL parameter setting. Attackers can exploit the zero-day to achieve Server-Side Request Forgery (SSRF), gaining unauthorized access to internal resources. The vulnerability was initially a result of an incomplete patch to a deprecated XML-RPC component in Apache OFBiz. SonicWall researchers are urging users to upgrade to Apache OFBiz version 18.12.11 or later to address the security risk. There is added urgency to address the flaw because of the high privileges an attacker could acquire by exploiting it.
2023-12-27 14:16:28 | bleepingcomputer | NATION STATE ACTIVITY | Undisclosed iPhone Chip Features Used in Sophisticated Spyware Attacks
A spyware campaign named Operation Triangulation targeted iPhones using four zero-day vulnerabilities to bypass hardware security protections. Kaspersky analysts uncovered that the campaign exploited undocumented Apple chip features, suggesting the involvement of a highly sophisticated actor. The exploit chain required no user interaction and left no obvious traces, utilizing a malicious iMessage attachment to begin the attack. Russia's FSB accused Apple of providing a backdoor for the NSA to spy on Russian government officials, but there's no evidence to support this claim. Apple patched two of the vulnerabilities in question with its iOS/iPadOS 16.5.1 and 15.7.7 updates and addressed another critical flaw with the iOS/iPadOS 16.6 release. The most crucial vulnerability exploited a feature tied to the iPhone's GPU co-processor that was not intended for consumer use, allowing attackers to bypass memory protection. Kaspersky theorizes the undocumented feature could be a holdover from testing or a mistake, emphasizing the security risks of obscurity practices in hardware design. The origin and knowledge source of the attackers regarding the obscure hardware feature remain unknown despite Apple's remediation efforts.
2023-12-27 12:38:40 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Barracuda ESG Appliances with Zero-Day Exploit
Chinese threat actors used a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances to install backdoors on select systems. The flaw, tracked as CVE-2023-7102, permits arbitrary code execution via a third-party library used by the Amavis scanner. The adversary, UNC4841, was also linked to previous exploitation of another zero-day in Barracuda devices. Attackers used malicious Microsoft Excel email attachments to exploit the vulnerability and deploy persistence-capable malware variants, SEASPY and SALTWATER. Barracuda has released and automatically applied a security update, with an additional patch for affected appliances, requiring no extra customer actions. The original vulnerability in the third-party library remains unpatched, posing a risk that requires downstream user attention. Mandiant has found evidence of impacted private and public sector organizations in at least 16 countries since October 2022. The persistent adaptability of UNC4841 showcases the group's focus on maintaining access to high-value targets by exploiting new security gaps.
2023-12-27 11:52:21 | bleepingcomputer | NATION STATE ACTIVITY | Barracuda Repairs Zero-Day Exploited by Chinese Cyber-Espionage Group
Barracuda Networks remotely patched a zero-day vulnerability affecting Email Security Gateway appliances, targeted by the Chinese hacker group UNC4841. The vulnerability, tracked as CVE-2023-7102, is a result of a flaw in the Spreadsheet::ParseExcel library used by the Amavis virus scanner in the company's appliances. Attackers executed arbitrary code on unpatched devices by exploiting this flaw through parameter injection. A second set of security updates was deployed to tackle the SeaSpy and Saltwater malware found on compromised ESG appliances. The identifier CVE-2023-7101 was created to track the associated bug within the third-party library, which is yet to be patched. Barracuda's investigation into the breach is ongoing, in collaboration with security firm Mandiant, pointing to the activities of the UNC4841 hacker group, suspected of espionage. The espionage campaign had been operational since at least October 2022, leading to targeted data exfiltration from government and high-tech sectors. Barracuda advised customers to replace all compromised appliances after a similar attack in May, and currently serves over 200,000 organizations globally.
2023-12-27 09:14:00 | bleepingcomputer | CYBERCRIME | Yakult Australia Hit by Cybercrime Group with Massive Data Leak
Yakult Australia has confirmed a "cyber incident" after 95 GB of company data was leaked by a cybercrime group named DragonForce. The incident has affected both Australian and New Zealand IT systems, though the offices continue to operate. The cybercrime actor claiming responsibility for the attack, DragonForce, alleges the leaked data includes databases, contracts, passports, and more. The leak site operated by the group suggests they engage in extortion by threatening to release stolen data if their demands are not met. Yakult Australia is currently investigating the breach with the help of cybersecurity experts but has not confirmed the full extent of the incident. BleepingComputer's analysis of the data indicates that it contains business documents and records, including employee information and copies of identity documents. DragonForce has listed 20 victims on its leak site so far, but there is no confirmed connection between this group and the hacktivist group DragonForce Malaysia.
2023-12-27 08:27:56 | thehackernews | MALWARE | Over 327,000 Devices Infected by Xamalicious Android Malware
A new Android backdoor, Xamalicious, developed using the Xamarin framework, has infected over 327,000 devices and performs a range of malicious activities. The malware leverages Android's accessibility permissions, gathering device metadata and downloading a second-stage payload to control the infected device. McAfee's Mobile Research Team identified 25 malicious apps, some distributed via the Google Play Store, with the majority of infections in Brazil, Argentina, the UK, the US, and parts of Europe and the Americas. The communication between the malware and its command-and-control server is heavily encrypted, making detection and analysis difficult. The Xamalicious dropper can self-update, potentially transforming the malware into spyware or a banking trojan without user intervention. There is an association between Xamalicious and the ad-fraud app Cash Magnet, which generates illicit revenue through automated ad-clicking. A separate phishing campaign in India uses social messaging apps to distribute rogue banking apps, posing a significant threat to the country's digital banking users.
2023-12-27 05:34:30 | thehackernews | CYBERCRIME | Linux SSH Servers Targeted for Cryptomining and DDoS Attacks
Attackers are compromising Linux SSH servers for cryptocurrency mining and DDoS attacks, with breached data potentially being sold on the dark web. Vulnerable servers are identified through dictionary attacks, which attempt to guess SSH credentials using common username and password combinations. Successful intrusions lead to the installation of port scanners and additional malware to extend the attack to other susceptible systems. The malware scans for systems with an active port 22, indicative of an SSH service, and uses dictionary attacks to propagate the infection further. The PRG old Team is believed to have created these malicious tools, which attackers then modify slightly for their own use. System administrators are advised to use complex passwords, change them regularly, and keep systems updated to reduce the risk of attack. Kaspersky reports on the emergence of NKAbuse, a multi-platform threat that uses the NKN protocol for P2P communication when orchestrating DDoS attacks.
2023-12-26 21:05:02 | bleepingcomputer | MISCELLANEOUS | GitHub Mandates Two-Factor Authentication by January 2024
GitHub has announced that all users contributing code must enable two-factor authentication (2FA) by January 19th, 2024, to continue having full access to the platform. Users not enrolled in 2FA by the deadline will experience limited functionality on GitHub.com, but business and enterprise accounts are exempt from this requirement. The initiative is part of GitHub's efforts to protect accounts from breaches and mitigate potential supply chain attacks by enhancing account security. After the deadline, users without 2FA will be prompted to complete the setup process to regain full access to their accounts. GitHub supports multiple 2FA methods, including security keys, the GitHub Mobile app, authenticator apps, and SMS text messages, and recommends using at least two methods for added security. Users who lose their 2FA credentials may face difficulties in account recovery and are advised to keep their recovery codes as a last resort for account access.
2023-12-26 20:08:40 | bleepingcomputer | CYBERCRIME | Integris Health Patients Targeted in Extortion Scam After Data Breach
Integris Health, Oklahoma's largest not-for-profit healthcare network, confirmed a cyberattack resulting in the theft of patient data. Affected patients received emails demanding payment to prevent the sale of their stolen personal data to other threat actors. The data breach was discovered by Integris Health on November 28, 2023, with potential unauthorized access to its systems. Patients reported that the extortion emails included accurate personal information, suggesting the theft of over 2 million patients' data. The blackmailers operate a dark web site allowing data removal for $50 or viewing of information for $3, showcasing data from October to December 2023. Integris Health advises patients not to engage with the extortion emails and has updated its security notice accordingly. The incident mirrors a similar extortion email strategy used against Fred Hutchinson Cancer Center patients by the Hunters International ransomware gang. Payment of ransom is discouraged as it doesn't guarantee data removal and may lead to further extortion attempts.
2023-12-26 07:35:53 | thehackernews | MALWARE | Carbanak Malware Evolves to Launch Ransomware Attacks
The Carbanak banking malware has been updated to perform ransomware attacks, adopting new tactics and distribution methods. Compromised websites are being used to spread malicious versions of legitimate business software like HubSpot, Veeam, and Xero. Carbanak, linked to the cybercrime group FIN7, originally focused on data theft and system control but has now diversified into ransomware deployment. A spike in ransomware attacks was observed in November 2023, with 442 incidents reported, bringing the year's total to 4,276, close to the combined total for 2021 and 2022. The most affected sectors are industrials, consumer cyclicals, and healthcare, predominantly in North America, Europe, and Asia. While the notorious BlackCat ransomware operation was dismantled by authorities, it is not yet known how this will affect future cyberattack patterns. The ransomware ecosystem has shifted away from reliance on the now-disrupted QBot, incorporating alternative malware and vulnerabilities into its operations. Cybersecurity company Kaspersky highlighted that some ransomware operators are exploiting several Windows driver vulnerabilities for privilege escalation.
2023-12-25 18:32:35 | bleepingcomputer | CYBERCRIME | Google Enhances Chrome's Safety Check for Passwords and Extensions
Google's Chrome Safety Check feature now operates in the background, checking for compromised passwords. Desktop users will be alerted to dangerous extensions, outdated Chrome versions, and whether Safe Browsing is enabled. The automatic Safety Check will revoke permissions for unused websites and flag sites with too many notifications. Safety Check, introduced in December 2020, screens login credentials against data leaks and identifies weak passwords. An upcoming Chrome update will allow users to save tab groups and continue browsing sessions across desktop devices. Chrome's Memory Saver mode provides detailed information on tab memory usage, with options to keep specific sites always active. All Chrome users now benefit from automatic HTTP to HTTPS upgrades, improving overall internet security. Google's Safe Browsing feature now includes real-time phishing protection using a local list of malicious URLs.
2023-12-25 18:32:35 | bleepingcomputer | CYBERCRIME | GTA 5 Source Code Leaked After Last Year's Rockstar Hack
The source code for Grand Theft Auto 5 was reportedly leaked online on Christmas Eve. This event comes more than a year after Rockstar Games was hacked by Lapsus$ threat actors. The stolen source code was shared across multiple platforms, including Discord and a dark web site, with links posted by 'Phil' in a Telegram channel previously used by hackers. The post paid tribute to Lapsus$ hacker Arion Kurtaj, who had a role in previous GTA leaks and was recently sentenced to indefinite hospitalization. The original hack in 2022 compromised Rockstar's internal Slack server and Confluence wiki, leading to claims of stolen GTA 5 and 6 data. The motivation behind the early leak, according to the leaker, was to address scams in the GTA V modding scene. The leaked source code appears legitimate but has not been independently verified, as Rockstar did not respond to queries during the holiday period. The Lapsus$ group, known for their expert social engineering and SIM swapping attacks, faded in activity after arrests, but some members may now be part of another hacking collective, Scattered Spider.
2023-12-25 07:56:51 | thehackernews | NATION STATE ACTIVITY | Cloud Atlas Espionage Group Targets Russian Entities with Spear-Phishing
Cloud Atlas, an enigmatic cyber espionage group, has launched spear-phishing attacks on Russian agricultural and research companies. The cybersecurity company F.A.C.C.T. identified the attacks, noting that Cloud Atlas has been active since at least 2014, targeting multiple countries including Russia. The threat actor utilizes a known Microsoft Office vulnerability (CVE-2017-11882) in its attack chain, starting with phishing emails containing malicious documents. Recent attacks feature a multi-stage sequence, deploying a PowerShell-based backdoor and DLL payloads that communicate with an attacker-controlled server. Cloud Atlas avoids detection by employing legitimate cloud storage services and software features, coupled with the use of unique payload requests and validation techniques. The group's methodology includes the exploitation of outdated vulnerabilities and reliance on sophisticated tactics to hide its malware and evade detection tools. Attacks from this group continue to be an issue, displaying both persistence in their campaigns and a selective approach to their malware and attack vectors.
2023-12-24 15:11:18 | bleepingcomputer | CYBERCRIME | Google Chrome Enhances User Security with Automatic Safety Checks
Google Chrome's Safety Check feature will now continuously run in the background, checking for compromised passwords. The browser will alert users to harmful extensions, prompt updates to the latest Chrome version, and verify that Safe Browsing is active. Automatic revocation of permissions for unused websites will be introduced to enhance user privacy. Safety Check will begin to flag sites that bombard users with notifications and offer quick options to disable them. Since its 2020 debut, Safety Check has been protecting users by comparing credentials against data from breaches and identifying weak passwords. New functionality will enable desktop users to save tab groups and continue their sessions on other devices, improving multitasking and workflow continuity. Chrome's performance is being optimized with detailed insights into memory usage, including a focus on tabs that can be rendered inactive to save resources. Google continues securing web browsing by defaulting all HTTP requests to HTTPS and expanding real-time phishing protection with an updated list of malicious URLs.
2023-12-24 05:52:05 | thehackernews | CYBERCRIME | British Teen Hackers of LAPSUS$ Group Face Legal Consequences
Two British teenagers associated with the cybercrime group LAPSUS$ have received sentences for their involvement in numerous high-profile cyber attacks. Arion Kurtaj, who is autistic and deemed unfit for trial, received an indefinite hospital order due to his expressed intent to return to cybercrime. A 17-year-old accomplice, whose identity remains confidential due to his age, was sentenced to a Youth Rehabilitation Order with intensive supervision. Both individuals were part of an attack campaign targeting major corporate entities including Microsoft, NVIDIA, and Uber, and were arrested and re-arrested throughout 2022. Arion Kurtaj breached bail conditions by continuing cyber attacks until his subsequent arrest, illustrating the challenge of deterring determined cybercriminals. The actions of LAPSUS$ were documented in a report by the U.S. Department of Homeland Security, highlighting their use of SIM-swapping and public extortion tactics. The rise of LAPSUS$ has also led to the creation of similar groups, indicating a growing trend in youth-led cybercriminal organizations. Law enforcement underscored the risks and serious legal repercussions for young people engaging in cybercrime, emphasizing the importance of guiding tech-savvy youth towards positive pursuits.