Daily Brief

2024-02-14 01:53:19 theregister CYBERCRIME Urgent Action Needed: Patch Newly Exploited Microsoft Vulnerabilities
Two Microsoft vulnerabilities are actively being exploited, with a need for immediate patching. The first exploited vulnerability, CVE-2024-21412, allows attackers to bypass security features via malicious shortcut files. Water Hydra, a cybercriminal group, used the bypass flaw to target financial traders with the DarkMe remote-access trojan. The second vulnerability, CVE-2024-21351, involves a SmartScreen security feature bypass that could be exploited for code execution or data exposure. Adobe released six patches for 29 vulnerabilities, including two critical remote code execution flaws. SAP addressed a critical code injection and several other security issues with 16 Security Notes, some with high priority. Intel's 35 advisories covered 79 vulnerabilities, including escalation of privilege and denial of service risks. Cisco and Google also issued fixes for various vulnerabilities, with Google addressing a critical Android system component vulnerability.
2024-02-13 23:30:53 theregister CYBERCRIME Single DNS Packet Vulnerability Threatens Global Internet Stability
A critical vulnerability called KeyTrap in DNSSEC could allow a single malicious DNS packet to disable DNS servers, disrupting global internet connectivity. DNSSEC is an enhancement to DNS that provides authentication of DNS queries to prevent tampering, but it does not encrypt the data for privacy. The vulnerability, assigned CVE-2023-50387, has been present for over two decades but was difficult to detect due to the complexity of DNSSEC validation requirements. KeyTrap can force public DNS services like Google's and Cloudflare's to conduct CPU-intensive calculations, potentially stalling the servers for up to 16 hours with a single packet. The ATHENE research team worked with vendors and public DNS providers to coordinate a release of patches to address the flaw, with no current evidence of its exploitation. A revision of the DNSSEC standard may be necessary to fully mitigate and eliminate the vulnerability as the issued patches do not completely prevent high CPU usage. DNSSEC's vulnerability highlights the delicate balance between internet security features and the risk of unforeseen exploits in widely adopted protocols.
2024-02-13 22:39:32 bleepingcomputer DATA BREACH Prudential Financial Hit by Data Theft Cyberattack
Prudential Financial experienced a data breach, with unauthorized access gained on February 4, leading to the theft of employee and contractor data. The company manages approximately $1.4 trillion in assets and is the second-largest life insurance company in the United States. The incident was disclosed in an 8-K form filed with the U.S. Securities and Exchange Commission, indicating that Prudential detected the breach on February 5. Prudential suspects the involvement of a cybercrime group and has engaged law enforcement and regulatory authorities. There is no indication as of yet that customer or client data was accessed or obtained by the attackers. The company claims the incident has not materially impacted its operations or financial condition. Over 320,000 Prudential customers had data exposed in May 2023 due to a third-party vendor breach by the Clop cybercrime gang. Prudential is currently conducting an investigation to assess the complete impact and scope of the breach.
2024-02-13 20:57:38 bleepingcomputer MALWARE Hackers Target Financial Traders with Windows Zero-Day Exploit
Microsoft patched a Windows Defender SmartScreen zero-day (CVE-2024-21412) used by hackers to deploy DarkMe malware. The cybercriminal group Water Hydra, also known as DarkCasino, exploited the vulnerability against foreign exchange traders. Attackers used spear-phishing techniques on forex trading forums and stock trading Telegram channels, leveraging compromised trading information sites. The exploited zero-day was designed to evade security checks and involved manipulating internet shortcuts and WebDAV components. The attackers employed social engineering, offering fraudulent trading advice and fake financial tools to induce malware installation. Microsoft's patch follows the repair of a related vulnerability (CVE-2023-36025) that was previously used to bypass Windows security prompts. Water Hydra has exploited zero-days in the past, including one in WinRAR software that was also used by multiple nation-state backed hacking groups.
2024-02-13 20:26:37 bleepingcomputer CYBERCRIME Microsoft Patches 73 Flaws Including 2 Exploited Zero-Days
Microsoft released fixes on its February 2024 Patch Tuesday for 73 vulnerabilities, encompassing critical issues like denial of service and remote code execution. The Patch Tuesday updates addressed two zero-day flaws that were actively exploited in the wild. One of the patched zero-days involved a Windows SmartScreen security feature bypass, which could allow attackers to evade detection by SmartScreen. The other fixed zero-day allowed attackers to bypass the Mark of the Web (MoTW) security checks using specially crafted Internet Shortcut files, a vulnerability exploited by the DarkCasino APT group targeting finance professionals. The security updates do not include six Microsoft Edge flaws and one Mariner flaw which were fixed earlier in February. Additional non-security updates were released for Windows 11 and Windows 10, the details of which can be found in separate dedicated articles. Other technology vendors also released updates or advisories in February 2023, highlighting the importance of regular system updates across the tech industry.
2024-02-13 20:05:57 theregister CYBERCRIME QNAP Security Flaws Unveiled Amidst Conflicting Severity Ratings
QNAP disclosed two flaws, including a zero-day vulnerability, in their network-attached storage devices, leading to confusion over their severity. CVE-2023-50358 received a moderate severity score from QNAP, while Unit 42 and the BSI warned of "critical impact" and "major damage". The National Vulnerability Database has yet to assign an independent rating to the vulnerability. According to Unit 42, over 289,000 devices are publicly exposed, with Germany and the US housing the majority of vulnerable units. Unit 42 shared a technical breakdown on how to exploit CVE-2023-50358, a command injection flaw in QNAP's firmware. QNAP also detailed another vulnerability, CVE-2023-47218, with a similar severity rating, reported by Rapid7. QNAP's advisory focused on numerous patches for different firmware versions, advising users to upgrade or follow mitigation steps. Less than two months into the year, QNAP has already issued 15 security advisories for 12 different command injection vulnerabilities.
2024-02-13 19:35:03 bleepingcomputer DATA BREACH Data Leak Exposes 200,000 Facebook Marketplace Users' Info
A threat actor leaked 200,000 records from Facebook Marketplace containing personal user information. The leaked data includes mobile numbers, email addresses, and Facebook profile details, risking phishing and SIM swap attacks. The data was reportedly stolen by a cybercriminal from a Meta contractor managing cloud services for Facebook. BleepingComputer confirmed the authenticity of the sample data shared by the leaker, known as IntelBroker. Meta has yet to comment on the breach; however, the company has faced similar incidents, including a massive leak in April 2021. This leak's perpetrator, IntelBroker, has been linked to several other high-profile cybersecurity incidents in the past.
2024-02-13 19:29:37 bleepingcomputer DATA BREACH Integris Health Data Breach Affects 2.4 Million Patients
Integris Health has experienced a significant data breach, compromising the personal information of nearly 2.4 million patients. The data breach was uncovered after patients began receiving extortion emails threatening the sale of their data if Integris Health did not pay the attackers. The attackers have claimed they did not disrupt network operations and exclusively extracted data, so operations were not hindered. The compromised data includes personal information but does not include employment, driver's licenses, account credentials, or financial details. The stolen patient data is reportedly being sold on the dark web, with the potential for widespread misuse by cybercriminals. Integris Health is notifying affected patients and providing guidance on how to protect against identity theft and fraud. Integris Health did not pay the ransom by the set deadline, and the exact extent to which the data has spread among other cybercriminals is not known.
2024-02-13 19:24:18 theregister CYBERCRIME Canadian Pipeline Data Allegedly Stolen by Ransomware Gang
Trans-Northern Pipelines, a Canadian pipeline operator, has reportedly been compromised by the ALPHV/BlackCat ransomware group, with 190GB of data claimed to be stolen. ALPHV, also connected to previous ransomware entities responsible for significant attacks like the one on Colonial Pipeline, is targeting critical infrastructure. Despite the claims made on ALPHV's site, Trans-Northern has not officially confirmed the breach and has yet to make a public response. This incident raises concerns about the security of vital energy infrastructure, drawing attention to the potential consequences of such breaches. The ALPHV ransomware gang has targeted multiple critical infrastructure organizations recently, including a US utility cooperative and energy providers in Spain and Canada. International cybersecurity expert Brett Callow emphasizes the urgent need for improved security measures to protect critical infrastructure from these types of attacks. The threat from cyber actors like China's Volt Typhoon heightens the risk to infrastructure in various sectors and stresses the importance of the Five Eyes' recent warnings.
2024-02-13 19:08:50 bleepingcomputer CYBERCRIME Microsoft Addresses Two Exploited Zero-Days in February 2024 Updates
Microsoft's February 2024 Patch Tuesday includes updates for 74 security flaws and addresses two zero-day vulnerabilities under active exploitation. The release features five critical updates tackling denial of service, remote code execution, information disclosure, and elevation of privileges issues. The patched zero-day vulnerabilities are CVE-2024-21351, a Windows SmartScreen bypass, and CVE-2024-21412, an Internet Shortcut File bypass that can circumvent security warnings. The SmartScreen bypass flaw was internally discovered by Microsoft's Eric Lawrence, while external researchers identified the Internet Shortcut File bypass, notably the APT group DarkCasino. The updates come alongside other non-security improvements, specifically a noted cumulative update for Windows 11 (KB5034765). In addition to Microsoft's patches, advisories and updates were also released by various vendors addressing security concerns in their respective products throughout February 2023.
2024-02-13 16:35:45 bleepingcomputer CYBERCRIME Massive $290 Million Crypto Heist Hits PlayDapp Gaming Platform
Hackers exploited a stolen private key to illegitimately mint and steal over $290 million in PLA cryptocurrency from PlayDapp, a blockchain-based gaming platform. On February 9, 2024, unauthorized minting of 200 million PLA tokens valued at $36.5 million was detected, with security experts suggesting a private key leak. PlayDapp responded by shifting all its tokens to a new secure wallet, offering a $1 million "white hat" reward for the return of the stolen assets, and threatening legal action. Despite these measures, hackers proceeded to mint an additional 1.59 billion PLA tokens, bringing the total theft to $290.4 million and prompting a suspension of all PLA trading. Subsequent to the breach, PlayDapp is suspending deposits and withdrawals, freezing the hacker's wallets on major exchanges, and advising users to stay alert for scams. Elliptic, a cryptocurrency analysis firm, observed ongoing money laundering attempts with the stolen tokens, which have tanked in value, adversely affecting legitimate holders. The style of the attack suggests potential links to the Lazarus Group, known for similar large-scale thefts, although no definitive attribution has been established.
2024-02-13 15:49:14 bleepingcomputer CYBERCRIME Ransomware Disrupts 100 Romanian Hospitals, Forcing Return to Paper
100 Romanian hospitals were affected by a ransomware attack that encrypted databases and forced systems offline. The Hipocrate Information System, which manages medical and patient data, was specifically targeted by the attackers. While 25 hospitals have confirmed that their data was encrypted, others went offline as a precaution; the incident is under active investigation. The Romanian Ministry of Health and the National Cyber Security Directorate (DNSC) are assessing recovery options and investigating the impact. Backmydata ransomware, part of the Phobos family, was identified as the malware used in the attack. Most impacted hospitals have recent backups, except for one whose most recent backup is 12 days old; the ransom demanded is 3.5 BTC (approximately €157,000). Day-to-day hospital operations, including prescription writing and record keeping, have reverted to paper because of the system shutdowns. The software provider of the Hipocrate system has made no public statement; investigations continue to assess the scope, and as of now there is no evidence of data theft.
2024-02-13 15:43:44 bleepingcomputer MALWARE Bumblebee Malware Loader Resurfaces in Phishing Campaigns
Bumblebee malware has resumed attacks in a phishing campaign after a four-month hiatus, primarily targeting U.S. organizations. Discovered in April 2022, Bumblebee was developed by the Conti and Trickbot syndicate to replace the BazarLoader backdoor. The malware is distributed through fake voicemail-themed phishing emails containing malicious Word documents that use macros to download payloads. Despite Microsoft's efforts to block macro-based threats by default, attackers are still using this method, potentially to target outdated systems or to avoid detection. Proofpoint sees the resurgence as a potential increase in threat activity for the year ahead, but cannot attribute the campaign to a specific threat actor group. With the disruption of QBot, Bumblebee and other malware such as DarkGate and Pikabot are filling the void in payload distribution markets. Zscaler reports a simplified version of Pikabot after its hiatus, indicating potential preparation for more sophisticated future versions.
2024-02-13 15:05:58 bleepingcomputer CYBERCRIME Combatting Cyber Threats in Microsoft Teams with Enhanced Security Measures
Cybersecurity risks in Microsoft Teams and similar SaaS chat apps are often underappreciated. Criminal threat actors target Microsoft Teams using phishing, malware, and sophisticated social engineering tactics. Microsoft Teams has seen a rise in cyber incidents, including the DarkGate malware campaign, leveraging its vast user base. Attackers can exploit Microsoft Teams' default External Access setting, allowing outside contacts to join chats and share files. Recent vulnerabilities and tactics used in attacks on Teams include inviting targets to group chats and bypassing file-sharing restrictions. Adaptive Shield recommends measures such as limiting external access, blocking external invitations, and using Microsoft Defender to enhance Teams security. It is crucial to educate employees on the diverse nature of phishing attacks and encourage reporting of suspicious activities in messaging apps. Organizations must be proactive in securing their SaaS platforms to protect against evolving cyber threats.
2024-02-13 14:49:54 thehackernews MALWARE Glupteba Botnet's Undocumented UEFI Bootkit Enhances Stealth and Persistence
The Glupteba botnet has been updated with a sophisticated UEFI bootkit, significantly improving its evasiveness. Researchers at Palo Alto Networks Unit 42 revealed Glupteba's ability to control the OS boot process, which hinders detection and removal efforts. Glupteba serves as an information stealer and backdoor, capable of crypto-mining, proxy deployment, and gathering private user data. The botnet maintains persistence through the Bitcoin blockchain, using it as a resilient command-and-control backup system. In recent campaigns, Glupteba distribution has involved pay-per-install services and multi-stage malware infection chains that bypass traditional security measures. The malware incorporates a modified version of an open-source project, EfiGuard, to thwart security features at boot time. Cybersecurity experts point to Glupteba as an example of the complexity and innovation of current cyber threats.