Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 11547
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2023-10-04 18:22:27 | bleepingcomputer | CYBERCRIME | Apple Fixes Zero-Day Flaws Targeting iPhones and iPads | Apple released emergency security updates to patch a zero-day flaw exploited in attacks targeting iPhone and iPad users; the issue is caused by a weakness in the XNU kernel. Devices including models of iPhone, iPad and iPod touch are affected by this vulnerability, tracked as CVE-2023-42824. An additional zero-day vulnerability, tracked as CVE-2023-5217, was also addressed; it is a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library, found and reported by Google's Threat Analysis Group (TAG). Over the course of the year, Apple has fixed 17 zero-day vulnerabilities exploited in attacks, including three recently patched (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that were used in spyware attacks to install Cytrox's Predator spyware. Citizen Lab recently disclosed two zero-days (CVE-2023-41061 and CVE-2023-41064), since fixed by Apple, that were used in zero-click exploit chains to infect fully patched iPhones with NSO Group's Pegasus spyware. Although Apple has addressed these issues with improved checks, the company has not yet identified the parties who discovered and reported the initial flaw. | Details |
| 2023-10-04 18:17:03 | theregister | MISCELLANEOUS | CISA Barred From Working With Social Media on Misinformation Regulation | The Cybersecurity and Infrastructure Security Agency (CISA) is barred from liaising with social media companies to prevent the spread of misinformation, under a ruling by the US Fifth Circuit Court of Appeals. The new judgement modifies a September decision that found several US government agencies, namely the White House, the surgeon general, the CDC, and the FBI, exceeded their bounds by asking platforms such as Facebook and Twitter to limit or delete posts containing disinformation related to elections or COVID-19. CISA was named by the states of Missouri and Louisiana, along with a few individual plaintiffs, as violating their First Amendment rights to free speech. The injunction will disrupt a major part of the Biden administration's moderation requests to social media platforms, as the court concluded that CISA had acted as a "switchboard" for directing moderation requests to social media firms. While CISA declined to comment on the ongoing litigation, executive director Brandon Wales stated that the agency does not censor speech or enable censorship. There is rising speculation that the case may be heard by the Supreme Court, following increasing confusion around the initial opinion given by the Fifth Circuit Court of Appeals. | Details |
| 2023-10-04 17:41:24 | bleepingcomputer | CYBERCRIME | Atlassian Releases Emergency Updates to Patch Confluence Zero-day Vulnerability | Australian software firm Atlassian has issued critical security updates addressing a zero-day vulnerability in its Confluence Data Center and Server software that has been exploited in attacks. This serious privilege escalation flaw, tracked as CVE-2023-22515, affects Confluence Data Center and Server 8.0.0 and later and is remotely exploitable in low-complexity attacks without user interaction. Atlassian urges customers running vulnerable versions to upgrade to a fixed version or, if immediate patching is not possible, to isolate the affected instances from the internet. Customers should also block access to the /setup/* endpoints on Confluence instances and inspect for signs of compromise. The company emphasises the urgency of securing Confluence servers given their history as a target for malicious actors, including previous incidents involving ransomware, Linux botnet malware, and crypto miners. Last year, the US agency CISA ordered federal entities to resolve a different critical vulnerability in Confluence that had been exploited in the wild. | Details |
| 2023-10-04 17:36:00 | bleepingcomputer | CYBERCRIME | 100,000 Industrial Control Systems Exposed Online | Approximately 100,000 industrial control systems (ICS) are exposed on the internet, leaving them open to cyber attacks. These systems include power grids, traffic light systems, and water systems, among others. Cybersecurity firm BitSight reported the issue, stating that the exposure affects many Fortune 1000 companies across 96 countries. BitSight identified the exposed systems through mass-scale scans of the global IP address space and by analyzing the resulting logs. The Education, Technology, Government, Business Services, Manufacturing, Utilities, Real Estate, Energy, Hospitality, and Finance sectors were the least secure in terms of ICS exposure. Though BitSight has noted a decrease in the number of exposed devices since 2019, a large number of vulnerable ICSs remain. It is difficult, however, to estimate how many of these are exploitable or how much damage an attack could cause. To secure remote access to these systems, researchers suggest implementing basic security measures such as VPN access, multi-factor authentication, role-based access control, and network segmentation. | Details |
| 2023-10-04 16:44:37 | bleepingcomputer | CYBERCRIME | Cisco Patches Vulnerability in Emergency Responder Product Due to Hard-Coded Root Credentials | Cisco has released patches for Cisco Emergency Responder (CER) to fix a vulnerability that could allow attackers to log into unpatched devices using default, static root account credentials. The security flaw, tracked as CVE-2023-20101, exposes the devices to unauthenticated attackers who can execute arbitrary commands as the root user. The vulnerability, discovered during internal security testing, affects only CER version 12.5(1)SU4, and there is no known public disclosure or malicious exploitation of the flaw at this time. There are currently no workarounds for this security flaw, so administrators need to apply the updates as soon as possible to eliminate the threat. The flaw follows a series of vulnerabilities identified by Cisco, including a zero-day vulnerability in its IOS and IOS XE software and another zero-day vulnerability in its Adaptive Security Appliance and Firepower Threat Defense system. | Details |
| 2023-10-04 15:12:55 | thehackernews | CYBERCRIME | Android Spyware DragonEgg Linked to iOS Surveillance Tool LightSpy | Recent findings suggest a connection between the Android spyware DragonEgg and the iOS surveillance tool LightSpy. Both malware strains are capable of gathering sensitive data from their respective devices. DragonEgg, known for its association with Chinese nation-state groups, was initially exposed by Lookout in July 2023; details about LightSpy emerged in March 2020 during Operation Poisoned News. Dutch mobile security firm ThreatFabric highlighted that both malware attack chains involve a trojanized Telegram app that downloads a secondary payload, followed by a third component called Core. The core module of LightSpy, also known as DragonEgg, operates as an orchestrator plugin responsible for gathering the device fingerprint, contacting a remote server, awaiting instructions, and updating itself. LightSpy features various plugins, such as a location module that tracks precise locations, a sound-recording module that can capture ambient sound and WeChat VOIP audio conversations, and a module that gathers payment history from WeChat Pay. DragonEgg and LightSpy share infrastructure, with their command and control (C2) servers located in mainland China, Hong Kong, Taiwan, Singapore, and Russia. ThreatFabric also discovered a server housing data from 13 unique phone numbers associated with Chinese cellphone operators, suggesting these could be either test numbers used by LightSpy's developers or their victims. | Details |
| 2023-10-04 14:57:18 | bleepingcomputer | CYBERCRIME | Hackers Attempt to Breach Azure Cloud via Vulnerable SQL Servers | Hackers are exploiting Microsoft SQL Servers vulnerable to SQL injection in an attempt to breach Azure cloud environments. Microsoft's security researchers observed an attack chain that begins by exploiting an SQL injection vulnerability, allowing threat actors to gain access to a SQL Server instance hosted on a Microsoft Azure Virtual Machine. Once access is gained, attackers can enumerate databases, schemas, network configurations, and permissions and, if the compromised app has elevated permissions, effectively gain a shell on the host. The attackers attempted to acquire the cloud identity's access key from the SQL Server instance in order to reach any cloud resource the identity has permissions to. Although this attempt failed due to errors, the method itself continues to pose a significant threat. Microsoft's security recommendations include using Defender for Cloud and Defender for Endpoint to catch SQL injection and suspicious SQLCMD activity, and applying the principle of least privilege when granting user permissions, to add obstacles to lateral movement attempts. | Details |
| 2023-10-04 14:05:50 | bleepingcomputer | CYBERCRIME | Advantages of Continuous Monitoring for Enhancing Cybersecurity | Traditional cybersecurity models primarily focus on point-in-time assessments, where security vulnerabilities are evaluated at specified intervals, usually following an incident or a scheduled audit. However, due to a rise in zero-day vulnerabilities, polymorphic malware, and Advanced Persistent Threats (APTs), there is a need for continuous, proactive cybersecurity evaluations. Traditional penetration testing is one method of point-in-time assessment, where a team of ethical hackers annually assesses vulnerabilities in an organization's network, systems, and apps. Penetration Testing as a Service (PTaaS), by contrast, offers continuous monitoring by combining manual testing with automated tools for constant vulnerability scanning. PTaaS provides a more proactive security model, allowing organizations to detect potential weaknesses before they can be exploited. The choice between traditional penetration testing and PTaaS depends on an organization's specific needs and challenges: PTaaS is typically more effective for dynamic, constantly changing environments, while standard penetration testing may be more suitable when an attack surface does not change very often. Beyond securing web applications, other practices such as External Attack Surface Management (EASM) and Risk-Based Vulnerability Management (RBVM) can also benefit from the continuous monitoring approach, helping organizations gain a holistic view of their external attack surface and prioritize vulnerabilities based on risk. As cyber threats continue to evolve, organizations must adopt continuous monitoring in their PTaaS, EASM, and RBVM practices to improve their cyber resilience. | Details |
| 2023-10-04 12:08:27 | bleepingcomputer | DATA BREACH | Sony Interactive Entertainment Confirms Major Data Breach | Sony Interactive Entertainment (Sony) has acknowledged a cybersecurity breach affecting around 6,800 individuals. The breach exposed personal information of current and former employees and their family members. The breach resulted from exploitation of a zero-day vulnerability in Sony's MOVEit Transfer platform, a vulnerability that has been leveraged in wider attacks by the Clop ransomware gang. The intrusion took place on May 28 and was discovered on June 2, when unauthorized downloads were found. The platform was immediately taken offline and the vulnerability has since been remediated. The impact of the incident was limited to the MOVEit Transfer platform, with no effect on other Sony systems; however, sensitive information relating to 6,791 US individuals was compromised. Recipients of the data breach notification are being offered Equifax credit monitoring and identity restoration services, which can be accessed until February 29, 2024. Sony experienced another security breach last month, resulting in the theft of 3.14GB of data from the company's systems. Sony has thus confirmed limited security breaches in two separate incidents within the last four months. | Details |
| 2023-10-04 11:58:04 | thehackernews | CYBERCRIME | Wing Disrupts SaaS Security Market with Affordable and Essential Security Level Solution | SaaS security provider Wing Security has announced a new tier of security service, designed to cover essential security requirements for businesses and priced at $1,500 a year. The offering includes crucial SaaS security must-haves such as shadow IT discovery, automated vendor risk assessments, and user access reviews for critical business applications. Wing's services allow companies to generate compliance-ready access reports for auditors and contribute towards ISO 27001 and SOC 2 certification. The average employee uses 28 different SaaS applications, with an average of seven new applications introduced to mid-size organizations each month. Wing's new product enables organizations to meet basic security standards even if they cannot invest in a complete Secure Software Portfolio Management (SSPM) solution. While the new product tier provides essential security features, the solution is not intended to be comprehensive, suggesting that companies will eventually need to upgrade to a full SSPM solution for completely secure SaaS usage. | Details |
| 2023-10-04 11:17:01 | thehackernews | CYBERCRIME | Open-Source Rootkit Deployed via Typosquatted npm Packages in Cyber Supply Chain Attack | A deceptive package has been discovered in the npm package registry, delivering an open-source rootkit named r77. This is the first time a rogue package has used rootkit technology. The rogue package, "node-hide-console-windows", mimics a legitimate npm package and is part of a typosquatting campaign. It was downloaded 704 times over two months before it was detected and removed. The package downloads a Discord bot that enables the deployment of the r77 rootkit, underscoring the potential for open-source projects to be opportunistically used to distribute malware. The malicious code fetches and automatically runs a C#-based open-source trojan known as DiscordRAT 2.0, which can remotely commandeer a victim host over Discord, collect sensitive data, and disable security software. Two versions of the deceptive package were found to fetch an open-source information stealer known as Blank-Grabber alongside DiscordRAT 2.0, posing it as a "visual code update." The campaign uses components that are freely available online, which requires minimal effort from cybercriminals and shows that even low-stakes attackers can target the supply chain. The findings highlight the need for vigilance among developers when installing packages from open-source repositories: the malicious actors made concerted efforts to make their packages appear trustworthy, which can easily go unnoticed without thorough checks. | Details |
| 2023-10-04 10:20:56 | thehackernews | CYBERCRIME | Microsoft Reports Unsuccessful Cyber Attack Against Azure Virtual Machine's SQL Server Instance | Microsoft's security researchers have detailed how attackers unsuccessfully attempted to breach a cloud environment through a SQL Server instance, exploiting a SQL injection vulnerability in an application. The attackers gained access to, and elevated their permissions on, a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). They then attempted to move laterally to additional cloud resources by abusing the server's cloud identity, which was assumed to have elevated access that could be used to perform various malicious actions in the cloud. Microsoft found no evidence that the attackers successfully breached cloud resources using this technique. The attackers used a tool called webhook[.]site for potential data exfiltration, exploiting the fact that outgoing traffic to this service is deemed legitimate and is unlikely to be flagged. The attempted attack underscores the increasing sophistication of cloud-based attack techniques, with malicious actors constantly searching for over-privileged processes and accounts to conduct further malicious activity. Secure cloud identities are crucial to preventing similar risks, as these attacks can severely affect not only the SQL Server instances but also the associated cloud resources. | Details |
| 2023-10-04 07:22:45 | thehackernews | CYBERCRIME | Looney Tunables: New Linux Security Vulnerability Discovered in GNU C Library's Dynamic Loader | A new Linux security vulnerability named Looney Tunables has been found in the GNU C library's dynamic loader. If exploited, the flaw could lead to local privilege escalation, allowing an attacker to gain root privileges. The vulnerability, tracked as CVE-2023-4911, is a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. Discovered by cybersecurity firm Qualys, the bug was introduced in a code commit in April 2021 and affects major Linux distributions including Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. The GNU C library (glibc) is integral to Linux-based systems, and the dynamic loader is responsible for preparing and running programs, which makes the vulnerability significant. Alpine Linux is not affected, as it uses the musl libc library instead of glibc. Red Hat has issued an alert about the vulnerability and offered a temporary mitigation that terminates any setuid program invoked with GLIBC_TUNABLES in its environment. This adds to a growing list of privilege escalation flaws found in Linux in recent years, such as CVE-2021-3156 (Baron Samedit), CVE-2021-3560, CVE-2021-33909 (Sequoia), and CVE-2021-4034 (PwnKit). | Details |
| 2023-10-04 01:31:59 | theregister | CYBERCRIME | TorchServe Users Urged to Upgrade Due to Security Flaws Enabling Server Takeover and RCE | Security researchers have identified three vulnerabilities, collectively known as "ShellTorch", affecting TorchServe, an open-source tool for serving PyTorch machine learning models. Software bill of materials management firm Oligo Security reveals that these flaws left "tens of thousands of exposed instances" susceptible to server takeover and remote code execution (RCE). Meta, which maintains the project, has downplayed the issues and confirmed their resolution, advising developers to use the latest version of TorchServe. Amazon, co-manager of the open-source project, echoed Meta's advice, noting that the update to TorchServe version 0.8.2 had addressed the issues. Customers using AWS PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 through EC2, EKS, or ECS are recommended to update to TorchServe version 0.8.2. Despite no sign of actual ShellTorch exploitation, Oligo's CEO warned that it could easily be carried out using basic knowledge of TorchServe and its configuration. Oligo also suggested changing the management console's default settings to block remote access and updating allowed_urls in the config.properties file to ensure that models are only fetched from trusted domains. | Details |
| 2023-10-03 23:50:19 | theregister | MISCELLANEOUS | FTX Ex-CEO Begins Court Battle Against US Government and Sues Insurance Company | The trial of former FTX CEO Sam Bankman-Fried has begun in New York. The former cryptocurrency tycoon is accused of diverting billions of dollars of customer funds for personal use before the company's collapse. Bankman-Fried has also filed a lawsuit against his insurance company, Continental Casualty Company (CNA), claiming that it has not adhered to the terms of the insurance policy that was supposed to cover his legal defense costs. FTX, now overseen by liquidators, has filed for bankruptcy protection while customers demand their money back. Bankman-Fried denies any wrongdoing. Federal prosecutors previously brought an eight-count indictment for fraud, money laundering, and campaign finance offenses against Bankman-Fried; five additional charges were later added, and six of the total 13 counts were moved to a second criminal trial slated to start in March 2024. Four former FTX associates, including co-founder Gary Wang and former Alameda Research co-CEO Caroline Ellison, have pleaded guilty in related cases, and some are expected to testify against Bankman-Fried as the trial progresses. | Details |