Daily Brief

Total articles found: 12654

Date | Source | Category | Title (each row is followed by its generated summary)

2024-01-22 16:48:26 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Employ Decoy Research Reports for Espionage
North Korean threat actors known as ScarCruft or APT37 targeted media organizations and experts on North Korean affairs with a malware campaign in December 2023. The attackers used a fake threat research report as a lure, likely aimed at consumers of threat intelligence such as cybersecurity professionals. ScarCruft is believed to be associated with North Korea's Ministry of State Security and is distinct from other known groups such as Lazarus Group and Kimsuky. Its tactics involve spear-phishing to install RokRAT and other backdoors for covert collection of intelligence relevant to North Korea's strategic interests. The campaign included a targeted phishing effort using a ZIP archive containing malicious Windows shortcut (LNK) files, which led to delivery of the RokRAT backdoor. SentinelOne's analysis uncovered additional malware indicating that the group is actively planning future campaigns and modifying its methods to evade detection. ScarCruft's espionage is aimed at gathering strategic intelligence and understanding international perceptions in order to influence North Korea's decision-making.
2024-01-22 16:37:47 | thehackernews | CYBERCRIME | 'MavenGate' Vulnerability Threatens Java and Android Apps
Attackers can exploit abandoned Java and Android libraries in a software supply chain attack dubbed "MavenGate." An attacker can purchase expired domain names associated with these libraries and use them to inject malicious code or compromise the build process. More than 200 companies, including industry giants like Google and Facebook, have been notified of the vulnerability. Apache Maven, widely used for Java project management, is at risk because of how it resolves dependencies by their unique groupIds. Oversecured's demonstration of the attack shows how malicious versions of libraries can be pushed to public repositories, potentially leading developers to unknowingly consume compromised dependencies. Sonatype, which manages Maven Central, says it already has security measures in place to prevent such attacks, but has taken additional precautions following the report. Developers are urged to verify the security of their dependencies directly and to be aware of the risks posed by transitive dependencies.
2024-01-22 16:32:15 | theregister | MISCELLANEOUS | EFF Launches Hub to Expose U.S. Street Surveillance Practices
The Electronic Frontier Foundation (EFF) has introduced the Street Surveillance Hub to inform Americans about local law enforcement surveillance tactics. The Hub details various surveillance methods, including body cameras, biometric systems, predictive policing, gunshot detection, and police drone usage. Citizens can consult the Atlas of Surveillance, which reveals the specific law enforcement tools in use locally and partnerships with third parties such as Ring. EFF's Matthew Guariglia highlights concerns about the massive data collection by police and private operators, which leads to significant privacy incursions. Guariglia criticizes the federal government for neglecting its duty to protect privacy, noting that meaningful legislation is instead emerging at the city and state levels. The Register notes that several U.S. cities have cancelled contracts for expensive high-tech devices and software because of their limited utility. Police increasingly rely on private technology companies to supplement their surveillance data, raising questions about how far law enforcement can reach into personal devices. The public is encouraged to contribute to the Atlas of Surveillance effort by monitoring and reporting local police technology deployments.
2024-01-22 16:01:16 | bleepingcomputer | CYBERCRIME | loanDepot Reveals Data of 16.6 Million Customers Stolen in Ransomware Attack
Mortgage lender loanDepot reported that the personal information of around 16.6 million people was stolen during a ransomware attack. The company experienced a cyberattack on January 6, which led to partial shutdowns of its systems for containment. loanDepot assured customers that recurring automatic payments would not be affected, despite delays in payment history updates. The attackers encrypted files on compromised devices, confirming the nature of the attack as ransomware. Victims of the data breach will be notified and offered free credit monitoring and identity protection services. As a major mortgage lender, loanDepot holds large amounts of sensitive customer financial information, raising the risk of phishing and identity theft. loanDepot has not disclosed which specific data was accessed. This incident follows a previous data breach disclosed by loanDepot in May 2023, which resulted from an August 2022 cyberattack.
2024-01-22 15:04:46 | theregister | MISCELLANEOUS | Tech Giants Criticized over Vulnerability Disclosure Practices
Major technology companies Ivanti and Juniper Networks are under scrutiny for their handling of vulnerability disclosures. Security researcher Aliz Hammond identified vulnerabilities in Juniper's systems, some of them lacking CVE IDs, that were not disclosed in line with established practice. Ivanti faces criticism for bundling multiple vulnerabilities under a single CVE ID, contrary to the CVE Program's expectation that independently fixable vulnerabilities receive separate IDs. Ivanti says the vulnerabilities grouped under one CVE are addressed by the same fix, and that grouping them avoids confusion and keeps customers safe. Juniper fixed the vulnerabilities on its regular schedule but did not assign specific CVE IDs, which raises concerns about transparency and possible exposure. Industry experts stress the importance of timely CVE registration for managing vulnerabilities effectively and responsibly. The incidents raise broader questions about disclosure practices, transparency, and the CVE Program's guidelines.
2024-01-22 14:18:00 | bleepingcomputer | DATA BREACH | Trezor Warns of Phishing Attacks After Support Site Breach
Trezor, a hardware cryptocurrency wallet provider, reported a data breach affecting its third-party support ticketing portal. Unauthorized access potentially exposed the personal data of about 66,000 customers who had interacted with Trezor Support since December 2021. Exposed data may include users' names, usernames, and email addresses; no funds were reported stolen from users' wallets. Attackers have used the exposed information to conduct phishing attempts that try to persuade users to reveal their wallet recovery seeds. Trezor confirmed 41 such cases, in which phishing emails requested users' recovery seeds under the guise of "firmware validation." Despite the breach and the phishing attempts, Trezor reports no known successful account compromises and says users' digital assets remain secure. The company has contacted potentially affected users to warn them to be alert for phishing and reminded them never to share their recovery seed phrases. Trezor has since terminated the unauthorized access to its support system and mitigated the risks associated with the breach.
2024-01-22 14:02:21 | theregister | CYBERCRIME | LockBit Ransomware Group Allegedly Hits Subway, Threatens Data Sale
The LockBit ransomware gang claims to have breached Subway's database and stolen sensitive data about the company's financial operations. Subway has not publicly acknowledged the cyberattack but has confirmed that it is investigating the legitimacy of the claims. LockBit says it extracted gigabytes of data, including employee salaries and franchise financial details, hinting at data extortion. The group says it will give Subway a chance to protect the data before it considers selling the data to competitors, a typical ransomware approach to data theft. LockBit has recently revised its approach to ransom demands, with strict guidelines for affiliates, which may affect how the Subway incident is handled. No exact ransom demand has been mentioned, but given Subway's size it could be in the tens of millions of dollars. Subway's response is yet to unfold, but its past security measures on its Android app suggest it may opt for a detailed recovery process over paying the ransom.
2024-01-22 13:46:53 | bleepingcomputer | CYBERCRIME | Critical Atlassian Confluence Vulnerability Being Exploited
Security researchers have observed active exploitation of a critical Atlassian Confluence remote code execution vulnerability, CVE-2023-22527. The flaw affects Confluence versions released before December 5, 2023, and allows unauthenticated attackers to execute code remotely. Atlassian has released fixes in Confluence Data Center and Server versions 8.5.4 and later. The Shadowserver Foundation detected over 39,000 exploitation attempts, mainly originating from Russian IP addresses and impacting systems worldwide. Attackers have been probing for the vulnerability by executing the 'whoami' command to assess system access and privileges. Of the 11,100 Atlassian Confluence instances accessible online, not all are necessarily running the vulnerable software versions. Atlassian has been unable to provide specific indicators of compromise for this vulnerability, making detection of exploitation more challenging. Administrators are urged to update their Confluence servers to the latest versions and to treat instances that were exposed before the update as potentially compromised.
2024-01-22 11:33:50 | thehackernews | MALWARE | Sophisticated NS-STEALER Malware Targets Browsers via Discord Bots
Researchers have discovered NS-STEALER, a sophisticated Java-based information stealer that uses Discord bots to exfiltrate data. The malware spreads through ZIP files disguised as cracked software, which deploy malicious JAR files onto the victim's system. NS-STEALER harvests screenshots, credentials, autofill data, and more from over 24 web browsers, along with Discord tokens and session data from Steam and Telegram. The stolen information is sent to a Discord bot channel, exploiting Discord as low-cost command and control (C2) infrastructure. The malware relies on X509Certificate authentication and the Java Runtime Environment (JRE) to steal information efficiently. In a related development, the Chaes malware (version 4.1) has been updated with enhanced capabilities to steal login credentials and intercept cryptocurrency transactions. Chaes distributors use Portuguese legal-themed email lures for infection, and its developers have cheekily thanked security researcher Arnold Osipov within the code for helping them refine their "software." A SaaS Security Masterclass webinar offers insights from a study of 493 companies, including critical security best practices and benchmarks.
2024-01-22 11:33:50 | thehackernews | MISCELLANEOUS | Windows 10 is Linked to Half of Serious Security Vulnerabilities
A study of 2.5 million vulnerabilities discovered in customer assets reveals that a significant portion relate to Windows 10. The majority of the unique findings, 79%, are categorized as 'High' or 'Medium' severity, and about half are considered 'Critical' or 'High'. This is an improvement over previous years, with serious vulnerabilities decreasing by over 52%. Critical and high-severity vulnerabilities are usually addressed quickly, but 35% of reported issues remain unresolved for 120 days or more. The Construction industry outperforms other sectors with fewer findings per asset, while Mining and Oil and Gas exhibit high numbers of critical vulnerabilities. Ethical hacking and penetration testing are highlighted as proactive defense strategies for businesses, with 17.67% of findings reported by ethical hackers rated as 'Serious'.
2024-01-22 11:03:08 | theregister | DATA BREACH | UK Financial Firm Fined £50,000 for Illegal Spam Campaign
LADH Limited, a financial services company, was fined £50,000 by the UK Information Commissioner's Office (ICO) for sending over 31,000 unsolicited spam texts. The texts were sent without valid consent and did not give recipients an opt-out option, violating the Privacy and Electronic Communications Regulations. During a six-week period in March and April 2022, the texts promised debt relief of up to 85%, with no evidence that the recipients had consented. The ICO's investigation revealed that LADH Limited relied on a third party's "verbal assurance" of consent, without written confirmation. There were 106 complaints to Britain's Spam Reporting Service about the company's unsolicited messages. Only 26 percent of ICO fines were collected in 2022, which poses challenges for enforcement and collection of penalties. Company directors are now held personally responsible for such fines, although an appeals process is available and may delay payment. LADH Limited has the option of paying the fine at a discount by February 12 or proceeding with an appeal.
2024-01-22 09:56:30 | theregister | CYBERCRIME | Protecting Against Ransomware with Immutable Backup Solutions
Ransomware remains a top cybersecurity threat, causing irreversible data loss and demanding payment for data restoration. Sterling Wilson of Object First emphasizes the critical need to protect data, an invaluable asset that is often the target of ransomware attacks. The UK has identified ransomware as a major threat, with ramifications including disruption of government services, economic loss, and long-term recovery challenges. Zero trust security principles are advocated, including the use of Object First's Ootbi, which offers immutable, ransomware-resistant backup storage. Ootbi is integrated with Veeam software and provides fast, reliable, and secure backup storage that is easy to deploy. Veeam's 2023 Data Protection Trends Report indicates that 85 percent of global organizations experienced cyberattacks in the past year, underscoring the need for improved data protection strategies. Prodatix, a Veeam-certified engineering company, partnered with Object First to use Ootbi for on-premises, immutable storage, showcasing its benefits for data protection. AI-generated cyberattacks are on the rise, reinforcing the importance of keeping backups in secure, on-premises, immutable storage appliances.
2024-01-22 07:08:19 | thehackernews | DATA BREACH | FTC Enforces Data Privacy, Bans Location Data Sales by InMarket
The U.S. Federal Trade Commission (FTC) has prohibited InMarket Media from selling or licensing precise user location data. The FTC's action follows allegations that InMarket did not obtain consumer consent before using location information for advertising. The company must destroy all collected location data, give consumers a way to withdraw consent, and refrain from future sales of sensitive location data products. InMarket, like the previously banned Outlogic, harvested location data from its own and third-party apps, affecting over 420 million devices since 2017. The FTC criticized InMarket's insufficient verification of consent obtained through third-party apps and its excessive five-year data retention policy. The company is now ordered to implement a sensitive location data program to ensure compliance with privacy regulations. Separately, a study found that Meta's Facebook receives user data from a staggering number of companies, highlighting widespread data-sharing practices.
2024-01-22 03:44:47 | thehackernews | MALWARE | Critical Apache ActiveMQ Vulnerability Leads to Godzilla Web Shell Attacks
Security researchers have observed exploitation of a serious flaw in Apache ActiveMQ, with attackers deploying the Godzilla web shell on vulnerable hosts. The flaw, tracked as CVE-2023-46604 with a CVSS score of 10.0, allows remote code execution and has been exploited for various malicious activities, including ransomware and DDoS botnets. Apache ActiveMQ's JSP engine executes the web shell, which attackers hide within unknown binary formats to bypass security scanners. The Godzilla web shell lets attackers remotely execute commands, view network information, and manage files through HTTP requests, giving them full control over affected systems. Despite the unconventional binary formats, the threat actors' JSP code is converted into Java code and run by the Jetty Servlet Engine. Users are urged to update Apache ActiveMQ to the most recent version to prevent exploitation of this vulnerability. The article also mentions a "SaaS Security Masterclass" webinar providing insights based on a study of 493 companies.
2024-01-22 02:33:15 | theregister | DATA BREACH | BreachForums Admin Sentenced; UEFI Flaw Exposed; Pegasus Spyware Traceable
BreachForums' former admin "Pompompurin" (Conor Brian Fitzpatrick) has been sentenced to 20 years of supervised release after pleading guilty to charges related to running the data leak site. Pompompurin breached his pretrial release terms, leading to incarceration prior to his sentencing, and could have faced up to ten years in prison. Critical UEFI vulnerabilities named PixieFail have been found; they endanger network-booted systems using IPv6 and can allow remote code execution and other malicious activity. Researchers say patches for the UEFI vulnerabilities are available and stress the urgency of deploying them before active exploitation begins. Kaspersky researchers have shown that iOS device log files can be used to detect infections by spyware such as Pegasus, Predator, and Reign. A spearphishing attack on the US Department of Health and Human Services resulted in the theft of $7.5 million in grant money intended for high-need community projects.