Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11706
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-06 11:11:58 | thehackernews | CYBERCRIME | Qualcomm Confirms High-Severity Chip Flaws Exploited in Targeted Attacks | Qualcomm has disclosed details of three high-severity vulnerabilities in its chipsets that were under limited, targeted exploitation before the advisory was published.
Google's teams identified the vulnerabilities while investigating these limited attacks; the set of exploited flaws also includes the previously disclosed CVE-2022-22071, which carries a CVSS score of 8.4.
The researcher luckyrb, the Google Android Security team, and members of Google Project Zero were credited with reporting the issues.
Qualcomm has not published details of how the vulnerabilities were exploited or who was behind the attacks.
CISA has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them by December 26, 2023.
The disclosure coincides with Google's December 2023 Android security update, which resolves 85 flaws, including a critical System-component bug that allows remote code execution without user interaction. | Details |
| 2023-12-06 11:11:58 | thehackernews | MALWARE | Atlassian Patches Critical Vulnerabilities to Thwart Remote Attacks | Atlassian has issued software updates for four critical security flaws that could lead to remote code execution (RCE).
They include a template injection bug in Confluence Data Center and Server (CVE-2023-22522) that lets an authenticated attacker inject unsafe user input into a Confluence page and execute code on the affected instance, and a deserialization flaw in the SnakeYAML library (CVE-2022-1471) that affects several Atlassian products.
Another flaw (CVE-2023-22523), in the Assets Discovery agent used with Jira Service Management, allows an attacker who can reach the agent to achieve privileged RCE on the machines it runs on.
CVE-2023-22524 affects the Atlassian Companion app for macOS: an attacker could use WebSockets to bypass the app's blocklist and macOS Gatekeeper protections and run code on the user's machine.
Atlassian had previously addressed the severe Apache ActiveMQ flaw CVE-2023-46604 in Bamboo Data Center and Server.
Fixed releases (9.2.7, 9.3.5, and 9.4.1 or later for the affected product lines) are available, and customers are urged to update promptly given the recent increase in attacks on Atlassian products. | Details |
| 2023-12-06 11:11:58 | thehackernews | DATA BREACH | Federal Agency Hit by Hackers Exploiting Adobe ColdFusion Flaw | Unidentified threat actors exploited a high-severity Adobe ColdFusion vulnerability to gain initial access to servers belonging to a U.S. federal civilian executive branch agency.
The vulnerability, tracked as CVE-2023-26360, is an improper access control flaw that allows arbitrary code execution on affected ColdFusion servers.
The Cybersecurity and Infrastructure Security Agency (CISA) reported that at least two public-facing federal servers running outdated versions of ColdFusion were compromised in separate incidents.
CISA had earlier added the vulnerability to its Known Exploited Vulnerabilities catalog after identifying active exploitation in the wild.
Across the two intrusions the adversaries deployed malware, including tooling designed to steal web browser cookies and decrypt stored passwords, as well as a modified remote access Trojan.
No data exfiltration or lateral movement into the wider network was observed, which suggests a reconnaissance operation to map the victims' environments.
The intrusions did involve uploading malicious artifacts and an attempt to exfiltrate sensitive data, but the exfiltration did not succeed, and no actual password decryption was detected on the victim system. | Details |
| 2023-12-06 11:11:58 | thehackernews | MISCELLANEOUS | Enhancing Security Operations via Strategic Automation | Security teams face a growing volume of threats with limited staff and budget.
Automating security operations streamlines repetitive tasks, reduces human error, and frees analysts for higher-value work, but it only succeeds when the underlying processes are standardized.
In many organizations automation stalls because processes are poorly documented and resources are scarce.
Effective automation starts with identifying which processes are feasible to automate and honestly assessing the organization's maturity and its ability to operate and maintain a SOAR platform.
Three investigation stages can be automated to varying degrees: evidence gathering, analysis, and remediation; the latter two usually still need human oversight.
A stepwise, iterative approach is recommended for building a tactical automation foundation that fits into existing security operations workflows.
Implemented properly, automation can substantially reduce response times and improve the effectiveness of threat detection and resolution. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | Critical Zero-Click RCE Flaw Patched in December Android Update | Google's December 2023 Android security update fixes 85 vulnerabilities, including a critical zero-click remote code execution (RCE) bug.
That bug, tracked as CVE-2023-40088, is in Android's System component and can be exploited for code execution without any user interaction.
Google has not published technical details of CVE-2023-40088, but its critical rating signals a significant risk if it is exploited.
In addition, three other critical-severity bugs, covering privilege escalation and information disclosure, have been patched.
Earlier zero-days, two fixed in October and one in September 2023, underline the continuing active exploitation of Android vulnerabilities.
Google ships two patch levels: the 2023-12-01 level covers the core Android components, while the more comprehensive 2023-12-05 level adds fixes for kernel and proprietary third-party components that do not apply to every device.
Device makers other than Google (whose Pixel phones receive the update first) may roll out the patches later, after compatibility testing for their hardware configurations. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Exploit Outlook Flaw to Hijack Exchange Accounts | The Russian state-sponsored group APT28 (also tracked as Forest Blizzard and Fancy Bear) is exploiting CVE-2023-23397, a critical elevation-of-privilege vulnerability in Microsoft Outlook, to gain access to Exchange accounts.
Targets include government, energy, transportation, and other key organizations across the US, Europe, and the Middle East.
APT28 also exploits other known vulnerabilities, in WinRAR (CVE-2023-38831) and in Windows MSHTML (CVE-2021-40444), alongside the Outlook flaw.
CVE-2023-23397 was exploited as a zero-day from April 2022 until Microsoft patched it in March 2023: a crafted message makes Outlook authenticate to an attacker-controlled server, leaking the victim's Net-NTLMv2 hash, which the attackers relay to read the user's mailbox. Systems that have not applied the patch remain exposed.
The French cybersecurity agency ANSSI has reported similar attacks against a range of French organizations.
Microsoft warns that the attacks are ongoing because unpatched systems remain vulnerable to the Outlook exploit.
Poland's Cyber Command played a key role in detecting and mitigating the activity.
Microsoft advises organizations to prioritize patch management and reduce their attack surface to prevent such attacks. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | Evolved P2Pinfect Malware Escalates Targeting MIPS Devices | Researchers at Cado Security have observed the P2Pinfect botnet shifting to target devices with 32-bit MIPS processors.
MIPS chips are common in embedded systems such as routers and other IoT devices because of their low power and cost.
The botnet, first documented by Palo Alto Networks' Unit 42 in mid-2023 attacking Redis servers, has since spread to systems in the US, Germany, the UK, Asia, and elsewhere.
The MIPS variant brute-forces weak SSH credentials and copies itself to new hosts over SFTP and SCP; it also targets Redis on MIPS devices, where the server is available as an OpenWrt package.
The new version adds evasion techniques, including checks for debuggers and virtual machines, that complicate detection and analysis.
Despite efforts to track the botnet, its operators' ultimate goal remains unclear; plausible uses include cryptocurrency mining, DDoS attacks, traffic proxying, and data theft. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MALWARE | SpyLoan Malware Apps on Google Play Deceive Millions | SpyLoan Android malware, disguised as legitimate loan apps, has been downloaded over 12 million times from Google Play and other sources.
The apps harvest personal data, including account details, device information, and metadata from stored images, and use it to extort money from victims.
Victims are lured with offers of fast loans, pushed into high-interest repayments, and then blackmailed with the stolen data.
ESET identified 18 SpyLoan apps; Google removed 17 from the Play Store, and the remaining one is still listed with changed functionality and permissions.
SpyLoan has been increasingly prevalent since 2020, with a significant uptick in 2023 across several countries.
The apps pass Google's review by presenting compliant privacy policies and transparently declared permissions at submission time.
In practice they violate Google's Financial Services policy, using deceptive privacy policies to justify invasive permissions that feed the extortion.
Users are advised to borrow only from established financial institutions, scrutinize requested app permissions, and read Google Play user reviews for signs of fraud. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Bolstering Service Desk Security Against Holiday Cyberattacks | According to the post, cyberattacks against e-commerce businesses surge by 200% around the holiday season, with service desks among the targeted entry points.
Service desks are exposed through high-risk workflows such as account recovery when users forget their passwords.
Holiday periods give attackers more opportunity, as customer traffic rises and staff vigilance tends to drop.
Because the service desk can reset passwords, create accounts, and bypass multi-factor authentication, it is an attractive target for cybercriminals.
Social engineering is the prevailing method attackers use to abuse service desk procedures and gain unauthorized network access.
Specops Software stresses the need for continuous security controls and offers tools such as uReset and Secure Service Desk to verify callers before resets.
Companies are advised to adopt stronger password and identity verification solutions to harden their defenses, particularly during high-risk periods such as holidays. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | DATA BREACH | US Government Servers Compromised Through Adobe ColdFusion Flaw | Hackers have exploited a critical Adobe ColdFusion vulnerability, CVE-2023-26360, to gain access to U.S. government servers.
The flaw, which allows arbitrary code execution, affects Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier.
Adobe released patches for the vulnerability in mid-March 2023, but despite CISA's warnings some federal systems were still unpatched and were breached in June.
Two incidents involving exploitation of the vulnerability were reported, featuring malware installation, credential harvesting, and access to sensitive directories and files.
The attackers used the flaw to install web shells and remote access trojans and performed reconnaissance; no data exfiltration was observed.
In both instances the intrusions were detected and contained quickly, with the compromised systems isolated within 24 hours.
CISA recommends updating to the latest ColdFusion version, improving network segmentation, deploying a firewall or WAF in front of web servers, and enforcing application control policies that allow only signed software to execute. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2023.4 Debuts with GNOME 45 and Fresh Toolset | Kali Linux 2023.4 has been released with GNOME 45 and fifteen new tools for penetration testing and security research.
The update adds new platform support and tooling for penetration testers and security professionals, although the core OS itself has few new features.
GNOME 45, codenamed "Rīga," refines the user interface and performance for users who run Kali with the GNOME desktop rather than the default Xfce or KDE.
The Linux kernel has been updated to version 6.3.7, bringing the usual stability and performance fixes.
Kali Linux images are now available on cloud platforms such as Amazon AWS and Microsoft Azure for both AMD64 and ARM64 architectures.
Deploying Kali Linux on Microsoft Hyper-V is simpler thanks to new Vagrant support, which allows the VM to be managed from the command line.
A dedicated image for the Raspberry Pi 5 has been published, along with instructions for building a custom Kali image for the device.
Upgrade instructions for existing installations and the full changelog are available on the Kali website. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Vulnerability in Open-Source Library Threatens NFT Security | A critical vulnerability in a widely used open-source library poses a significant threat to multiple NFT collections, including ones on Coinbase NFT.
The flawed library is used by pre-built smart contracts, potentially compromising their security and integrity.
Thirdweb, a Web3 development platform, identified the vulnerability on November 20 and shipped a fix two days later, withholding technical details so as not to alert attackers.
Smart contract owners are urged to apply mitigations to all pre-built contracts created before November 22, 2023, such as locking the affected contracts and migrating to a new, patched version.
Thirdweb has contacted the library maintainers and other affected protocols, shared its findings and mitigations, and published tools and tutorials to help users secure their contracts.
Coinbase NFT and Mocaverse, among others, have assured users that funds are safe and that the necessary remediation steps are being taken.
Despite these measures, the community has voiced frustration over the lack of transparency and the absence of a CVE identifier, raising questions about the true extent of the risk and how it is being managed. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | HTC Global Services Hit by ALPHV Ransomware Attack | HTC Global Services has confirmed a cyberattack after the ALPHV ransomware group leaked sensitive data stolen from the company.
ALPHV, also known as BlackCat, is believed to be a rebrand of the DarkSide and BlackMatter ransomware operations.
The data posted on the gang's leak site includes passports, email messages, and confidential documents.
Security researcher Kevin Beaumont suggests the intrusion exploited the Citrix Bleed vulnerability (CVE-2023-4966) on a Citrix appliance belonging to HTC's CareTech unit.
ALPHV has a history of targeting large enterprises and adapting its tactics, and has recently increased attacks through English-speaking affiliates.
The group's recent victims include organizations in critical infrastructure sectors, raising the likelihood of a heightened law enforcement response.
HTC has engaged cybersecurity professionals to resolve the incident and is reassuring clients about the integrity of their data. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Security Flaws in Sierra Routers Pose Major Risks to Critical Infrastructure | A set of 21 vulnerabilities collectively dubbed "Sierra:21" has been identified in Sierra Wireless AirLink routers, which are widely used for operational technology (OT) and Internet of Things (IoT) connectivity in critical infrastructure sectors.
The flaws enable remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service, with potentially severe impact on essential services.
Forescout researchers found that some of the vulnerabilities can be exploited without authentication, which is particularly dangerous because it gives attackers a path to control the routers with no significant barriers.
More than 86,000 AirLink routers were found exposed on the internet in critical industries, the large majority in the United States, and fewer than 10% of them had been patched against previously disclosed vulnerabilities, heightening their risk profile.
To mitigate the risk, administrators should upgrade to the latest version of the AirLink Embedded Operating System (ALEOS) and apply the available updates to the bundled OpenNDS captive portal; no fix will be issued for the TinyXML-related vulnerabilities, since that library is abandonware.
Forescout stresses that routing and network infrastructure is an increasingly popular target, as these devices give threat actors a strategic foothold for persistence, espionage, and other criminal activity. | Details |
| 2023-11-26 15:13:28 | bleepingcomputer | MALWARE | New Rust-based SysJoker Malware Linked to Hamas Cyber Attacks | A rewritten version of the SysJoker backdoor, now implemented in Rust, is evading detection across multiple operating systems.
Originally discovered by Intezer, the malware targets Windows, Linux, and macOS and uses in-memory payloads and evasion techniques.
Check Point's research points to a possible link between SysJoker and the Gaza Cybergang, the group behind 'Operation Electric Powder', which targeted Israeli organizations.
The updated SysJoker variant uses randomized sleep intervals and more complex encryption, improving its stealth.
The backdoor gains persistence through a Windows Registry Run key, retrieves its command-and-control address from a OneDrive-hosted URL, and can download additional payloads.
Although this version currently lacks a command execution capability, SysJoker continues to collect system information and send it to its operators.
Check Point's findings are not conclusive but highlight parallels with earlier attacks attributed to Hamas-affiliated groups. | Details |
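For the APT28 / CVE-2023-23397 entry above: the vulnerability is triggered by a calendar or task item whose reminder sound, carried in the extended MAPI property PidLidReminderFileParameter, points at a UNC path; when the reminder fires, Outlook connects to that path and authenticates, leaking the user's Net-NTLMv2 hash. Microsoft's published mitigation script hunts mailboxes for items with that property populated. The Python below is an added example, not code from the page or from Microsoft, that reproduces that triage logic over a constructed set of message records. The record layout (a `reminder_file` field standing in for the MAPI property), the sample messages, and the `trusted_hosts` allowlist are all assumptions made for the example.

```python
import re

# Constructed sample records standing in for what a mailbox scan would return
# per item. Only reminder_file matters here; it represents the value of
# PidLidReminderFileParameter. The other fields just make the records realistic.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "Weekly sync", "reminder_file": None},
    {"id": "msg-2", "subject": "Quarterly report",
     "reminder_file": r"\\203.0.113.45\share\alert.wav"},
    {"id": "msg-3", "subject": "Dentist",
     "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "msg-4", "subject": "Maintenance window",
     "reminder_file": r"\\fileserver.corp.example\media\chime.wav"},
    {"id": "msg-5", "subject": "Travel", "reminder_file": "//198.51.100.7/x/y.wav"},
]

# Host component of a UNC-style path, accepting both \\host\share and //host/share.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)(?:[\\/]|$)")


def reminder_target_host(value):
    """Return the remote host a reminder sound path points at, or None for
    empty or local (drive-letter) values. WebDAV-style suffixes such as
    host@SSL@443 are trimmed to the bare host name."""
    if not value:
        return None
    match = UNC_RE.match(value.strip())
    if not match:
        return None
    return match.group(1).split("@")[0].lower()


def triage(messages, trusted_hosts):
    """Return (message id, host, verdict) for every message whose reminder
    sound lives on a network path. Hosts outside the allowlist are flagged
    SUSPICIOUS; allowlisted hosts are still reported, because a reminder that
    reaches out over SMB is unusual even when the destination is internal."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for msg in messages:
        host = reminder_target_host(msg.get("reminder_file"))
        if host is None:
            continue
        verdict = "known-host" if host in trusted else "SUSPICIOUS"
        findings.append((msg["id"], host, verdict))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the organization's own file server.
    for finding in triage(SAMPLE_MESSAGES, {"fileserver.corp.example"}):
        print(*finding)
```

The allowlist only prioritizes review: an internal host can itself be attacker-controlled or used as a relay, so every populated reminder path deserves a look, and the durable fix is the Outlook patch plus blocking outbound SMB (TCP 445) at the perimeter.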
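For the P2Pinfect entry above: the MIPS variant reaches new hosts by guessing weak SSH passwords, so the trace it leaves on a victim is a burst of failed logins followed by a successful one from the same source address. The Python below is an added example, not the page's or Cado Security's code, of a detector for that pattern over sshd syslog lines. The log lines are constructed, the threshold (three or more failures within 60 seconds before the success) is a tunable assumption, and because syslog timestamps carry no year the example assumes 2023.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one password-guessing burst that ends in a
# successful login (198.51.100.23), one legitimate login (10.0.0.5), and one
# source that fails twice and gives up (203.0.113.9).
SAMPLE_AUTH_LOG = """\
Dec  6 03:14:01 gw sshd[1201]: Failed password for root from 198.51.100.23 port 50122 ssh2
Dec  6 03:14:02 gw sshd[1203]: Failed password for admin from 198.51.100.23 port 50130 ssh2
Dec  6 03:14:02 gw sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 50133 ssh2
Dec  6 03:14:03 gw sshd[1207]: Failed password for root from 198.51.100.23 port 50140 ssh2
Dec  6 03:14:03 gw sshd[1209]: Accepted password for root from 198.51.100.23 port 50144 ssh2
Dec  6 03:14:09 gw sshd[1211]: Accepted password for ops from 10.0.0.5 port 41000 ssh2
Dec  6 03:20:44 gw sshd[1220]: Failed password for root from 203.0.113.9 port 33010 ssh2
Dec  6 03:20:45 gw sshd[1221]: Failed password for root from 203.0.113.9 port 33012 ssh2
"""

# sshd password-auth outcome lines; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Turn sshd lines into (timestamp, result, user, ip) tuples in file order.
    Syslog timestamps lack a year, so one is supplied (assumed 2023 here)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, match["result"], match["user"], match["ip"]))
    return events


def find_bruteforce_logins(events, min_failures=3, window_seconds=60):
    """Flag an Accepted login that is preceded, from the same source IP, by at
    least min_failures Failed attempts inside window_seconds. Events must be in
    chronological order, as they are in a log file."""
    recent_failures = defaultdict(list)  # ip -> timestamps of failures in window
    findings = []
    for ts, result, user, ip in events:
        window_start = ts - timedelta(seconds=window_seconds)
        recent_failures[ip] = [t for t in recent_failures[ip] if t >= window_start]
        if result == "Failed":
            recent_failures[ip].append(ts)
        elif len(recent_failures[ip]) >= min_failures:
            findings.append({"ip": ip, "user": user,
                             "failures": len(recent_failures[ip]),
                             "at": ts.isoformat()})
            recent_failures[ip].clear()  # one alert per burst
    return findings


if __name__ == "__main__":
    for hit in find_bruteforce_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{hit['at']} brute-forced login as {hit['user']} from {hit['ip']} "
              f"after {hit['failures']} failures")
```

A hit here is the moment a worm like this lands, so the follow-up is to check that host for new processes, cron entries and outbound SSH/SFTP connections, not just to block the source address. Disabling password authentication in sshd removes the vector entirely.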