Daily Brief

Ivanti disclosed a high-severity authentication bypass flaw, CVE-2024-22024, which affects certain versions of their products. The vulnerability impacts limited versions of Ivanti Connect Secure, Policy Secure, and ZTA gateways. Ivanti claimed the vulnerability was discovered through internal review, despite watchTowr researchers asserting they reported it first on February 2. Evidence provided by watchTowr suggests a lack of credit for their discovery, raising questions about Ivanti's disclosure practices. Users who applied the mitigation update from January 31 or completed a factory reset are reportedly protected from this vulnerability. There is controversy over whether the vulnerability has been actively exploited, with Ivanti denying such claims. The disclosure comes after multiple zero-day vulnerabilities in Ivanti products were exploited, prompting emergency directives from CISA and advisories from the UK's NCSC. Ivanti has been criticized for its handling of the security issues and the staggered patch schedule for resolving the vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of a critical remote code execution (RCE) bug in Fortinet FortiOS. The bug, identified as CVE-2024-21762, allows unauthenticated attackers to remotely execute arbitrary code via malicious HTTP requests. Administrators unable to update immediately can mitigate risk by disabling SSL VPN on devices. Fortinet initially miscommunicated about two other critical RCE vulnerabilities, CVE-2024-23108 and CVE-2024-23109, but later recognized them as variants of a previously fixed bug. Federal agencies are required to patch affected FortiOS devices by February 16, following the established protocol under binding operational directive (BOD) 22-01. Fortinet devices are frequent targets for cyber espionage and ransomware attacks; a Chinese state-backed group was found leveraging FortiOS SSL VPN flaws to deploy Coathanger malware. The Coathanger remote access trojan (RAT) was recently involved in a cyberattack on the Dutch Ministry of Defence's network security appliances.

The Canadian government intends to ban Flipper Zero devices, citing their misuse in car thefts. Flipper Zero is a multi-protocol device that can interact with hardware and digital devices, effectively used in replay attacks. Industry Minister Champagne announced the move to ban importation, sale, and use of such hacking devices on Twitter. The ban comes as a response to a summit on auto theft, acknowledging the theft of approximately 90,000 vehicles annually. Canadian police have pointed out a significant rise in the Crime Severity Index due to motor vehicle theft. The Government's ISED department is set to collaborate with law enforcement to remove these devices from the market. Contradictorily, Flipper Zero's COO asserts that the device cannot hijack cars made after the 1990s and is intended for security testing. Amazon has ceased the sale of the Flipper Zero in April 2023, following seizure actions in Brazil connected to criminal use.

The Canadian government is considering a ban on the Flipper Zero, a device they claim is used by thieves to steal cars. Flipper Zero is a multi-functional device capable of interacting with various hardware and digital systems such as RFID and Bluetooth. Online videos show the Flipper Zero being used in replay attacks, cloning digital keys, and unlocking cars, raising security concerns. The ban announcement aligns with a national summit on auto theft and alarming statistics showing 90,000 vehicles are stolen yearly in Canada. Canadian authorities assert the ban on devices like Flipper Zero could remove hacking tools from the market and reduce vehicle thefts. Flipper Devices, the maker of Flipper Zero, refutes claims of the device's capability to hijack modern cars and emphasizes its purpose for responsible security testing. Amazon has ceased sales of the Flipper Zero, following Brazilian authorities' actions against the device for its alleged use in criminal activities.

Raspberry Robin malware operators are employing new one-day exploits to facilitate local privilege escalation and complicate detection. The malware acts as a primary access vector for distributing additional malicious payloads, including ransomware, and is connected to multiple e-crime groups. Threat actors have incorporated fresh anti-analysis and obfuscation tactics to hinder analytical efforts by cybersecurity researchers. Exploits for vulnerabilities such as CVE-2023-36802 and CVE-2023-29360 were utilized before public disclosure, indicating a potential purchase of exploits from dark web sources. The increase in sophistication indicates a substantial threat as attackers exploit vulnerabilities quicker than many organizations can patch them. Discord is exploited as a new initial access vector, wherein malicious RAR files containing the malware are being distributed. Lateral movement within target networks has also evolved, with Raspberry Robin opting for PAExec.exe over PsExec.exe, and implementing a more randomized approach to C2 communications.

RustDoor, a macOS malware camouflaged as a Visual Studio update, is written in Rust and delivers backdoor access capabilities to hackers targeting systems running on Intel and ARM architectures. Detected by cybersecurity firm Bitdefender, the malware campaign began in November 2023 and has continuously distributed evolving variants; some infrastructural elements suggest links to the ALPHV/BlackCat ransomware group. The analysis revealed RustDoor's association with four command and control (C2) servers, three of which have ties to activities potentially connected to ransomware operators. While conclusive evidence is lacking, shared server use among cybercriminals suggests possible connections between RustDoor and ransomware groups like BlackBasta and ALPHV/BlackCat. RustDoor is disguised under various names and avoids conventional distribution channels like Application Bundles or Disk Images, which helps it evade detection by security tools. Once installed, RustDoor can persist through system reboots and blend in with legitimate applications by modifying system files and employing scheduled tasks. Bitdefender has identified at least three RustDoor variants with increasing sophistication and has published a list of indicators of compromise for organizations to detect potential breaches.

Americans reported a staggering $10 billion lost to various scams in 2023, a 14% rise from the previous year. Investment scams topped the charts with $4.6 billion in reported losses, followed by nearly $2.7 billion lost to imposter scams. The FTC received 2.6 million consumer fraud reports and 1.1 million reports of identity theft. Payment methods resulting in most losses were bank transfers and cryptocurrencies, outstripping other methods. Despite the high volume of reports, this likely represents only a portion of actual fraud, as many incidents go unreported. FTC's Sentinel database aids law enforcement in tracking and combatting fraudulent activity by analyzing trends. Victims are encouraged to report fraud and identity theft through designated FTC platforms for support and to aid in data collection and prevention efforts.

Critical vulnerability in FortiOS's SSL VPN, CVE-24-21762, allows remote code execution and may have already been exploited as a zero-day. Affected FortiOS versions require immediate patching; unsupported versions need upgrading, with disabling SSL VPN as the only current workaround. Fortinet mishandled the disclosure of two severe vulnerabilities, CVE-2024-23108 and CVE-2024-23109, initially claiming they were errors, then confirming their validity. The vulnerabilities were inadvertently linked to a previous advisory, and Fortinet received criticism for a delayed and confusing response to the media. A bizarre claim of a malware-laden toothbrush participating in a DDoS attack was reported and then attributed to a "translation problem" by Fortinet, which led to further public relations challenges. Fortinet's communication issues came amid reports of Chinese cyberspies exploiting FortiGate vulnerabilities with custom malware. The company is set to refocus on timely and transparent communication with customers as part of its security incident response efforts.

A growing reliance on AI technologies has amplified potential cyber threats and vulnerabilities. Many organizations may be unaware of AI usage, which increases due to ease of deployment and affordability. Cybercriminals are finding new ways to exploit AI models and applications, raising security concerns. Cloudflare is hosting a webinar to educate on protecting AI applications from cyber risks. The webinar will cover unexpected ways AI consumption and deployment can expand an organization's attack surface. Industry experts will discuss tools, techniques, and services to mitigate AI-related vulnerabilities. Attendees will learn practical steps to secure their AI applications in the ever-evolving cyber landscape.

A new variant of the MoqHao Android malware has been discovered with the capability to auto-execute upon installation. This malware affects Android users in various countries such as France, Germany, India, Japan, and South Korea and is linked to a Chinese cybercrime group. The infection begins with SMS phishing that deploys malware on Android devices, while iPhone users are redirected to a fake iCloud login page. The latest MoqHao variant obtains permissions and starts malicious activities without the need for the user to launch the app. The malware is distributed through SMS messages containing links shortened by URL shorteners and content sourced from fake Pinterest profiles. MoqHao can stealthily acquire sensitive data, silently call numbers, and manipulate Wi-Fi settings, among other capabilities. Google has been notified and is reportedly working on mitigating the auto-execution mechanism in future Android versions. In a separate report, a cybercrime syndicate named Bigpanzi has been linked to the creation of a botnet using compromised Android smart TVs and boxes in Brazil for DDoS attacks and illegal streaming.

Myrror Security's platform addresses modern software supply chain threats by going beyond traditional Static Code Analysis (SCA) tools, which often provide irrelevant vulnerability scores without considering organizational-specific context. Traditional SCA tools fail to adequately detect and prioritize real-world supply chain attacks like code injection and CI/CD attacks, leading to prioritization of less critical issues. Myrror's approach involves binary-to-source analysis for every third-party package and a proprietary reachability vulnerability analysis algorithm to accurately prioritize issues based on their actual exploitability in production. The platform streamlines the AppSec process by allowing organizations to actively scan repositories, take inventory of open-source dependencies, and generate prioritized risk overviews with actionable insights. Myrror's dashboards and issues screens provide detailed analytics on security issues impacting the codebase, including reachability and exploit confirmations, to target the most critical vulnerabilities. The solution also offers a remediation plan generator that helps teams understand the implications of patching, including new vulnerabilities that may be introduced and issues that will remain after fixes. By addressing alert fatigue and offering a clear strategy against undiscovered supply chain attacks, Myrror’s platform aids organizations in effectively managing and defending against sophisticated security risks in the software supply chain.

A new banking trojan named Coyote targets 61 Brazilian banks, using advanced techniques for distribution and infection. Coyote exploits the Squirrel installer, Node.js, and the Nim programming language, enhancing complexity and evading detection. The malware deploys a multi-stage attack chain, with a Squirrel installer initiating a Node.js application that eventually executes the Nim-based loader. The Coyote trojan waits for specific banking applications or websites to open before fetching instructions from a command-and-control server. It can perform various malicious actions, such as logging keystrokes, displaying fake overlays, moving the mouse cursor, and even shutting down the victim's machine. This new threat emerges as Brazilian authorities crack down on the Grandoreiro operation, signalling increased efforts to combat cybercrime. An unrelated Python-based information stealer linked to Vietnamese hackers is also reported, indicating a broader landscape of escalating cyber threats.

Cloud computing offers benefits like scalability and cost-efficiency, but introduces cybersecurity risks. Wazuh is an open-source cybersecurity platform providing XDR and SIEM capabilities for on-premises and cloud environments. With the adoption of cloud services, organizations face challenges such as knowledge gaps, reliability issues, and security threats. Wazuh integrates with various cloud platforms including AWS, Azure, GitHub, and GCP for real-time threat detection and incident response. Cybersecurity strategies must evolve to address the unique challenges of securing cloud infrastructures. Wazuh's flexible architecture helps protect against emerging threats and enhances security posture within dynamic cloud ecosystems. By leveraging Wazuh, organizations can maintain robust security, detect threats in real-time, and safeguard their applications and data.

An Islamic non-profit in Saudi Arabia has been targeted in a sophisticated cyber espionage campaign, deploying an undetected backdoor known as Zardoor. Cisco Talos identified the activity starting from at least March 2021, with continuous surveillance and data exfiltration observed roughly twice a month. Attackers used “living-off-the-land binaries” (LoLBins) to deploy backdoors, establish command-and-control (C2) communications, and maintain discreet long-term access. The initial breach point remains unknown, but it led to Zardoor installation for persistence, and C2 was established using open-source proxy tools. The threat actors utilized Windows Management Instrumentation (WMI) for lateral movement and to spread attacker's tools, including the Zardoor backdoor. Two backdoor modules— "zar32.dll" and "zor32.dll" — were used for C2 communications and ensuring privileged deployment. The backdoor is capable of data exfiltration, remote code execution, C2 IP address updates, and self-deletion to evade detection. The identity and origin of the threat actors are unclear, with no overlap with known groups; nevertheless, they are considered an advanced threat actor.

Fortinet disclosed a critical security flaw in FortiOS SSL VPN, identified as CVE-2024-21762 with a CVSS score of 9.6, which could allow remote, unauthenticated attackers to execute arbitrary code or commands. The vulnerability has been acknowledged as potentially being actively exploited in the wild, though specifics about the exploitation techniques and the identities of the attackers have not been provided. Impacted versions of the software have been identified, and it is noted that FortiOS 7.6 is unaffected by this issue. Fortinet also released patches for other vulnerabilities, specifically CVE-2024-23108 and CVE-2024-23109, relating to FortiSIEM supervisor. The Netherlands government recently reported that Chinese state-sponsored actors exploited known flaws in Fortinet FortiGate devices to deliver the COATHANGER backdoor into military network systems. Fortinet mentioned that its past N-day vulnerabilities are being exploited by several activity clusters targeting various sectors, with earlier instances of Chinese threat actors using zero-day flaws for attacks. The U.S. government warned of a Chinese nation-state group, Volt Typhoon, targeting critical infrastructure using known and zero-day flaws in network appliances from several vendors, including Fortinet. The attacks highlight the increased threat to internet-facing devices due to lack of EDR support, and they illustrate ongoing concerns about cyber espionage and cybercrime activities, particularly those attributed to state-sponsored actors.