Daily Brief


Total articles found: 12656

Checks for new stories every ~15 minutes

2024-01-31 11:06:43 | thehackernews | CYBERCRIME | The SEC Introduces Rigorous SaaS Cybersecurity Rules for Registrants
The SEC has expanded its cybersecurity disclosure and preparedness rules to include data stored in SaaS systems and associated third-party applications. New regulations require public companies to report cyber incidents promptly, without distinction between on-premise, cloud, or SaaS data storage environments. The SEC's actions reflect a growing concern about the frequency of cybersecurity incidents, particularly in the SaaS space, despite organizations believing their cybersecurity maturity is sufficient. SaaS-to-SaaS connections, often established without IT department approval, are exposing organizations to new risks, as traditional security tools cannot detect these configurations. A significant number of enterprises have undocumented SaaS-to-SaaS connections, which could provide unauthorized pathways into sensitive data. The SEC's move is motivated by its responsibility to protect investors, as data breaches can be as material to investors as physical asset losses. The rules not only focus on incident disclosure but also on preventative measures, requiring CISOs to detail their cybersecurity risk management processes. SaaS Security Posture Management (SSPM) tools are recommended to monitor configurations and permissions across SaaS applications and to manage compliance with the new SEC regulations.

2024-01-31 11:01:38 | thehackernews | MALWARE | Cryptojacking Malware Campaign Targets Italian Businesses via Weaponized USBs
A threat actor identified as UNC4990 is exploiting weaponized USB devices to distribute cryptojacking malware across various industries in Italy. The campaign, known for using USBs to spread the EMPTYSPACE downloader, leverages third-party websites to host additional malicious payload stages. UNC4990 has been operational since late 2020 and is likely based in Italy; its end goals remain somewhat ambiguous, although cryptocurrency mining has been observed in at least one incident. The infection process is initiated by executing a malicious LNK file on the USB device, leading to PowerShell scripts downloading further malware, including a backdoor named QUIETBOARD. Popular sites such as GitHub, Vimeo, and Ars Technica are being used to host the innocuous-looking components of the malware, posing no direct risk to general users of these platforms. The QUIETBOARD backdoor comes with extensive features, including command execution, wallet address manipulation for cryptocurrency theft, and the ability to spread to other removable drives. Mandiant researchers highlight the modular and adaptive nature of the threat actor's tools, indicating a sophisticated and evolving approach to their campaigns.

2024-01-31 07:32:38 | thehackernews | CYBERCRIME | Nation-State Hackers Leverage Ivanti VPN Flaws for Malware
Hackers have exploited zero-day flaws in Ivanti Connect Secure VPNs to deploy the KrustyLoader malware. The identified vulnerabilities, CVE-2023-46805 and CVE-2024-21887, enable remote code execution without authentication. Ivanti has yet to release patches but has provided a temporary mitigation. The Chinese nation-state actor UTA0178, also known as UNC5221, has been using these vulnerabilities since early December 2023. The Rust-based KrustyLoader serves as a tool for downloading and executing the Sliver post-exploitation framework on affected hosts. Since the public disclosure of the Ivanti flaws, a broader range of attackers has exploited them, including to deploy cryptocurrency mining malware. While Cobalt Strike remains dominant, alternative post-exploitation tools like Sliver, Viper, and Meterpreter show increased usage among cyber attackers. Recorded Future's recent report emphasizes the evolving landscape of offensive security tools utilized by threat actors.

2024-01-31 05:45:49 | thehackernews | MALWARE | Critical Root Access Flaw Discovered in Widely-Used Linux Library
A newly discovered security flaw in the GNU C library (glibc) allows malicious local users to gain full root access on Linux systems. The vulnerability, identified as CVE-2023-6246, affects the __vsyslog_internal() function in glibc, a core component of major Linux distributions such as Debian, Ubuntu, and Fedora. Specific conditions are required for exploitation, but the impact is significant because glibc is used for system logging almost everywhere. In addition to CVE-2023-6246, researchers also uncovered two related vulnerabilities in the same function and another bug in the glibc qsort() function, which has affected glibc versions dating back to 1992. These vulnerabilities underscore the urgency of implementing robust security practices in the development of fundamental software libraries. The flaws were disclosed by the Threat Research Unit at Qualys, which emphasizes the importance of continuous security review and updates for software components.

2024-01-30 23:08:43 | bleepingcomputer | MALWARE | Critical Linux glibc Vulnerability Enables Root Access
A newly discovered local privilege escalation (LPE) vulnerability, CVE-2023-6246, affects the GNU C Library (glibc) and allows unprivileged attackers to gain root access on major Linux distributions. The flaw, introduced in glibc version 2.37 and backported to 2.36, is due to a heap-based buffer overflow within the "__vsyslog_internal()" function. Debian, Ubuntu, and Fedora distributions have been confirmed as vulnerable in their default configurations by security researchers at Qualys. The vulnerability's exploitation requires specific conditions but has widespread impact, as glibc is extensively used in Linux-based applications and systems. Qualys has also identified three additional vulnerabilities in glibc, including two related to "__vsyslog_internal()" and one in the "qsort()" function, which is awaiting assignment of a CVE ID. This discovery emphasizes the continued importance of robust security practices in software development, especially for core components integral to multiple systems and applications. Historically, Qualys has identified several critical Linux vulnerabilities, with some, such as CVE-2023-4911, being actively exploited in the wild shortly after their discovery.

2024-01-30 22:02:16 | bleepingcomputer | MALWARE | CyberArk Launches Online Tool for Ransomware File Recovery
CyberArk has released an online version of 'White Phoenix,' its open-source decryptor, to aid ransomware victims in file recovery. The tool is designed for non-technical users, enabling them to restore files affected by intermittent encryption without dealing with code. White Phoenix supports common file formats like PDFs, Word, Excel, ZIPs, and PowerPoint but is limited to files under 10MB online; larger files require the GitHub version. The tool exploits a flaw in intermittent encryption used by several ransomware strains, allowing partial data recovery by piecing together unencrypted file segments. CyberArk advises that for successful decryption, specific strings must be present in the files, such as "PK\x03\x04" for ZIPs and "0 obj" and "endobj" for PDFs. The online White Phoenix aims to automate the manual recovery process done by experts, though results may vary based on file type and ransomware used. While White Phoenix is not a complete solution for ransomware attacks, it offers a chance to recover important files when no other decryptors are available. CyberArk recommends downloading and using the tool locally from GitHub for those dealing with sensitive files, to avoid uploading them to external servers.

2024-01-30 21:31:47 | bleepingcomputer | CYBERCRIME | US Authorities Charge Suspects in DraftKings Account Hacking Scheme
The U.S. Department of Justice has charged two additional individuals in connection with the hacking of around 68,000 DraftKings accounts in November 2022. A third defendant, Joseph Garrison, was charged in May and pleaded guilty, with his sentencing scheduled for the following Thursday. The attackers, Nathan Austad and Garrison, utilized a credential stuffing attack, employing automated tools with lists of previously breached user credentials. Account hijackers were sold access to DraftKings accounts; they stole approximately $635,000 from almost 1,600 accounts. The defendants instructed the hackers who bought the accounts on how to withdraw all the funds after verifying a new payment method. Evidence of involvement in the DraftKings attack and possession of tools and data for credential stuffing were found on Austad's seized phone and other devices. Garrison operated the "Goat Shop" website, selling hacked DraftKings, FanDuel, and Chick-fil-A customer accounts; Chick-fil-A confirmed a breach of 71,473 accounts due to a similar attack. The incident highlights the ongoing threat and successful execution of credential stuffing attacks, an issue the FBI had previously warned about.

2024-01-30 19:49:20 | bleepingcomputer | CYBERCRIME | Finnish Police Trace 'Untraceable' Monero in Major Cybercrime Case
Finnish authorities identified Julius Aleksanteri Kivimäki as the alleged hacker behind the Vastaamo psychotherapy clinic breach by tracing Monero transactions. In 2020, the hacker demanded 40 Bitcoins not to release stolen patient records but later targeted individual patients for smaller Bitcoin payments. The National Bureau of Investigation (KRP) of Finland tracked the payments to Kivimäki after he converted the Bitcoin to Monero and back to Bitcoin. While Monero is designed to be a privacy-oriented and untraceable cryptocurrency, KRP applied heuristic analysis methods to follow the trail. Despite Monero's enhanced privacy features following an August 2022 upgrade, Finnish authorities could link Kivimäki to the crimes through related Bitcoin transactions and bank transfers. The KRP has kept the exact methods of tracing Monero secret, to protect its investigative techniques. Kivimäki faces multiple charges including aggravated data breach and extortion, potentially carrying a 7-year prison sentence; he denies all allegations.

2024-01-30 18:42:58 | bleepingcomputer | DATA BREACH | Mercedes-Benz Source Code Exposed Due to Mishandled GitHub Token
Researchers at RedHunt Labs discovered a publicly accessible GitHub token that exposed Mercedes-Benz's internal source code. Mercedes-Benz is renowned for its advanced vehicular software, which was potentially at risk due to the exposure. The leaked data included sensitive intellectual property such as database connection strings, cloud access keys, and design documents. Exposure of this data could lead to competitors reverse-engineering products or hackers exploiting vulnerabilities in vehicle systems. The incident was reported by RedHunt Labs and acknowledged by Mercedes-Benz, who revoked the token and are analyzing the extent of the breach. Mercedes-Benz confirmed that customer data was not affected, but did not provide details on detecting unauthorized access. The mishap draws parallels to a previous security lapse at Toyota, showcasing a systemic issue with the management of GitHub repository access. Mercedes-Benz maintains a vulnerability disclosure program for collaboration with security researchers.

2024-01-30 18:17:27 | theregister | NATION STATE ACTIVITY | US Disables Chinese Hacking Efforts Against Critical Infrastructure
US law enforcement recently undermined a Chinese state-sponsored hacking operation, dubbed Volt Typhoon, targeting American critical infrastructure. Ongoing federal operations were enabled by court-ordered permissions, allowing the disruption of parts of the Chinese cyber campaign. The Volt Typhoon group, which became known in May 2023, has infiltrated US organizations using compromised internet-facing devices since at least 2021. Chinese hackers exploited routers, cameras, and similar devices to siphon credentials and sensitive data, escalating concerns over potential disruptions to military, utility, and ISP networks. Volt Typhoon's activities signify a move beyond espionage to preparation for potential sabotage in conjunction with geopolitical events, such as an invasion of Taiwan. The operation against Volt Typhoon follows a CISA emergency directive for federal agencies to secure Ivanti Connect Secure VPN devices after hacks attributed to similar Chinese actors. US officials maintain ongoing vigilance towards Chinese cyber activities, concerned that they align with known tactics of state-backed groups like Volt Typhoon.

2024-01-30 17:51:48 | bleepingcomputer | MALWARE | Cybercriminals Leveraging Microsoft Teams to Spread DarkGate Malware
Cybercriminals are exploiting Microsoft Teams to distribute DarkGate malware via group chat invites. Attackers send malicious Teams chat requests using what appear to be compromised user accounts, targeting over 1,000 victims. Upon acceptance of the chat request, victims are tricked into downloading malware disguised with a double file extension. The malware communicates with a known command-and-control server, indicating an active infrastructure for the DarkGate malware family. Microsoft Teams' default External Access setting, which allows external communication, is a weakness that organizations are advised to disable if not needed. AT&T Cybersecurity emphasizes the importance of end-user training in recognizing unsolicited messages and the various forms of phishing beyond emails. DarkGate malware attacks have increased following the disruption of the Qakbot botnet, with the malware offering multiple capabilities attractive to cybercriminals. A security issue in Microsoft Teams allows attackers to bypass client-side protections and deliver malicious payloads with tools like TeamsPhisher.

2024-01-30 17:46:44 | theregister | CYBERCRIME | Over 45,000 Jenkins Servers Vulnerable to Critical RCE Flaw
A critical remote code execution (RCE) vulnerability, CVE-2024-23897, in Jenkins servers affects approximately 45,000 publicly accessible instances. The majority of vulnerable servers are located in the US and China, with thousands more across India, Germany, Korea, France, and the UK. Exploits for the flaw were publicly released just days after the coordinated disclosure, increasing the risk of potential cyberattacks. The vulnerability involves the built-in CLI feature of Jenkins, which can be exploited to read sensitive files like SSH keys, credentials, and source code. Attackers primarily targeting Jenkins instances on Windows may have a higher success rate due to the feasibility of reading binary secrets. Jenkins has issued patches for the vulnerability, but many admins have yet to apply fixes. Disabling the CLI feature is recommended as a temporary safeguard. Jenkins advises against certain configuration settings that could exacerbate the risks by granting unnecessary read permissions to unauthorized users.

2024-01-30 16:45:21 | thehackernews | CYBERCRIME | Brazilian Federal Police Arrest Operators of Grandoreiro Banking Trojan
Brazilian Federal Police have arrested individuals linked to the Grandoreiro malware operation, executing arrest and search warrants across several states. Slovak cybersecurity firm ESET identified a flaw in Grandoreiro's network protocol, aiding in the investigation that mapped victim patterns. Grandoreiro, a Latin American banking trojan active since 2017, has targeted countries such as Spain, Mexico, Brazil, and Argentina, stealing data and bank details. The malware uses phishing tactics to deploy and then allows remote control of infected machines, frequently monitoring browser windows for banking activity. The malware's command-and-control (C&C) infrastructure utilizes domain generation algorithms and major cloud services like AWS and Azure, with a high frequency of active and new C&C IP addresses daily. ESET's investigation revealed an average of 551 victims connected to C&C servers per day, with an additional 114 unique victims on average connecting daily, primarily across Brazil, Mexico, and Spain. The Brazilian operation targeted the higher levels of the Grandoreiro hierarchy, signifying a significant blow to the malware's operations.

2024-01-30 16:24:48 | thehackernews | CYBERCRIME | Critical Security Patch Released for GitLab File Overwrite Flaw
GitLab has issued an urgent update to address a critical flaw with a CVSS score of 9.9, affecting multiple versions of its CE and EE. The vulnerability, identified as CVE-2024-0402, enables authenticated users to write files arbitrarily on the GitLab server during workspace creation. The patched versions include GitLab 16.5.8, 16.6.6, 16.7.4, and 16.8.1, among others. The latest security update also fixes four medium-severity issues related to ReDoS, HTML injection, and email address disclosure. This release comes on the heels of previous critical security updates, emphasizing the need for users to upgrade to the latest patched versions immediately. GitLab.com and dedicated GitLab environments have already been updated to these secured versions. The article concludes by highlighting an upcoming webinar on the 2024 Customer Data Platform Report, unrelated to the security fixes.

2024-01-30 16:24:47 | bleepingcomputer | CYBERCRIME | Protecting SMBs Against Ransomware: Strategies and Solutions
The Akira ransomware group has been actively targeting small to medium-sized businesses (SMBs), with demands ranging from $200,000 to over $4 million. SMBs are vulnerable due to limited IT support and lax security procedures, making them easier targets for cybercriminals seeking entry points to larger enterprises. In 2022, 56% of SMBs experienced cyberattacks, with breaches often causing significant financial and reputational damage. The average cost of a data breach for SMBs is nearly $150,000, which includes indirect costs like customer trust erosion and data loss. Implementing cybersecurity best practices, such as NIST's framework for SMBs, can mitigate risks, including robust password policies and multi-factor authentication (MFA). Blocking the use of known compromised passwords and regularly auditing Active Directory accounts are critical steps in preventing unauthorized access. Training end-users to recognize phishing and other credential theft attempts can substantially reduce the risk of breaches, as human error is a leading cause. Specops Software offers solutions to reinforce password protection and enhance cybersecurity postures for SMBs, with tools like Specops Password Policy and free trials.