Daily Brief

The article summaries below are generated automatically.

Total articles found: 12632


2023-12-28 11:23:19 thehackernews CYBERCRIME Unveiling Operation Triangulation: A High-Level iPhone Spyware Attack
Kaspersky has detailed a sophisticated spyware campaign targeting Apple iOS devices, active since 2019. The attack chain exploited four zero-day vulnerabilities to gain deep access and siphon sensitive data from devices running up to iOS 16.2. It began with a zero-click iMessage exploit and ultimately bypassed hardware-based memory protection, reaching kernel memory through undocumented MMIO registers in Apple's A12 to A16 Bionic SoCs. Apple patched the flaws over the course of 2023, bringing the year's count of fixed zero-days to 20. How the attackers learned of the undocumented hardware feature remains unknown. The incident illustrates the danger of relying on security through obscurity and the risk posed by hidden hardware features. The disclosure coincides with Apple's dispute with the Indian government over state-sponsored spyware warnings sent to journalists and opposition politicians.
2023-12-28 05:57:04 thehackernews MALWARE Surge in Rugmi Malware Loader with Multi-Stealer Delivery
ESET has identified a new malware loader, detected as Win/TrojanDownloader.Rugmi, whose daily detections have risen sharply. Rugmi is used to distribute information stealers including Lumma Stealer, Vidar, RecordBreaker, and Rescoms. The loader comprises components for downloading and executing encrypted payloads from both its own embedded resources and external files. Threat actors spread it through malvertising, fake updates, and trojanized installers impersonating popular software such as VLC and OpenAI's ChatGPT. It is also distributed via Discord's CDN, with users lured by incentives into downloading malicious executables. Cybercriminal marketplaces offer Lumma Stealer on a subscription basis, with prices reaching $20,000 for full source code access and resale rights. Separately, McAfee Labs recently uncovered a new NetSupport RAT variant, underscoring the continual evolution of tactics for deploying malware and RATs to gather information from and control victims.
2023-12-27 22:13:59 bleepingcomputer CYBERCRIME Ohio Lottery Systems Compromised by Ransomware Attack
The Ohio Lottery suffered a cyberattack on Christmas Eve that affected several internal applications. Core gaming systems remain operational, but mobile cashing and certain prize claims are disrupted. An investigation is underway and work to restore full service continues; in the meantime, options for checking winning numbers and cashing prizes are limited. Prizes up to $599 can be cashed at Ohio Lottery retailer locations; larger prizes require alternative claim methods. The newly emerged DragonForce ransomware gang has claimed responsibility, alleging it encrypted devices and stole sensitive data including Social Security numbers and dates of birth. The operation's apparent sophistication suggests the perpetrators have prior ransomware experience, possibly as a rebrand of an existing group.
2023-12-27 21:07:31 bleepingcomputer CYBERCRIME Ransomware Attack Disrupts Emergency Services at German Hospitals
The Katholische Hospitalvereinigung Ostwestfalen (KHO) network in Germany was hit by a LockBit ransomware attack on December 24, affecting three hospitals. IT systems supporting operations in Bielefeld, Rheda-Wiedenbrück, and Herford were compromised and data was encrypted. The hospitals shut down their IT systems as a precaution and notified the relevant authorities and institutions. Investigations are ongoing to establish the full extent of the damage and whether any data was stolen. Patient treatment and essential clinic operations continue with some restrictions, but emergency care at the affected hospitals is suspended and patients needing urgent care are being redirected to other facilities, which could introduce critical delays. LockBit has not yet listed KHO on its extortion portal, so whether sensitive data was exfiltrated remains uncertain. Backups have been restored successfully, preserving access to crucial patient information despite the attack.
2023-12-27 17:47:05 bleepingcomputer DATA BREACH LoanCare Alerts Over 1.3 Million Customers of Major Data Breach
Mortgage servicing firm LoanCare has disclosed a data breach affecting 1.3 million individuals, stemming from a cyberattack on its parent company, Fidelity National Financial (FNF). FNF, a major title insurance provider, disclosed the incident in an SEC filing, prompting LoanCare to notify authorities and affected customers. Unauthorized access was detected around November 19, 2023, and sensitive customer information was stolen that could be used in phishing and other attacks. The exposed personal details significantly raise the risk of identity theft and financial fraud for those affected. LoanCare is offering two years of identity monitoring through Kroll. A similar cyberattack hit First American Financial Corporation, another title insurer, which is still restoring its systems with no clear timeline for a return to normal operations. LoanCare customers are advised to be wary of unsolicited communications that may leverage the stolen information.
2023-12-27 17:31:34 bleepingcomputer DATA BREACH Panasonic Avionics Reports Data Breach Affecting Sensitive Personal Information
Panasonic Avionics Corporation has disclosed a data breach stemming from a December 2022 cyberattack that compromised personal information. The intrusion was detected on December 30, 2022, with unauthorized access occurring around December 14, 2022. Cybersecurity and forensics experts were engaged to determine the scope of the incident and the data affected. Exposed information includes names, contact details, dates of birth, medical and health insurance information, financial account numbers, employment status, and government identifiers such as Social Security numbers. There is currently no evidence that the data has been misused, but free identity and credit monitoring is being offered to all affected individuals for 24 months. Whether the affected individuals are Panasonic employees, customers, or business partners remains unclear.
2023-12-27 15:59:21 bleepingcomputer MALWARE Extensive 'Xamalicious' Malware Attack Infects Over 330K Android Devices
Previously undiscovered Android malware dubbed 'Xamalicious' has infected around 338,300 devices via Google Play. McAfee identified 14 infected apps on the official store, three of which had over 100,000 installs each. The apps have since been removed, but users who installed them may still be infected and need to clean their devices manually. Infection rates were highest in the United States, Germany, Spain, and several other countries. Xamalicious abuses the Android Accessibility Service to perform actions on the user's behalf and downloads additional payloads for execution. There is some evidence linking it to ad fraud, as in the case of the 'Cash Magnet' app. The incident underscores the importance of installing apps only from trusted sources and scrutinizing app reviews and developers before installing.
2023-12-27 15:48:47 thehackernews CYBERCRIME Zero-Day Flaw in Apache OfBiz ERP Risks Business Data Exposure
A zero-day vulnerability, CVE-2023-51467, has been identified in the Apache OFBiz ERP software. The flaw allows attackers to bypass authentication and results from an incomplete fix for a previous critical vulnerability, CVE-2023-49070 (CVSS 9.8). It stems from the handling of a login request with empty username and password fields combined with a particular URL parameter setting, which the authentication check fails to reject. Attackers can exploit the bypass to reach a Server-Side Request Forgery (SSRF) primitive and access internal resources. The earlier patch removed the deprecated XML-RPC component but did not address the underlying authentication bypass. SonicWall researchers urge users to upgrade to Apache OFBiz 18.12.11 or later. The high privileges an attacker could obtain add urgency to applying the fix.
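As an added illustration (example code written for this brief, not Apache OFBiz source), the Python model below reproduces the class of logic flaw behind the bypass as described in SonicWall's public write-up: a login routine that can return "success", "error" or "requirePasswordChange", and a caller that treats anything other than an explicit "error" as an authenticated session. The request parameter names USERNAME, PASSWORD and requirePasswordChange follow that write-up; the credential store and the hardened variant of the check are constructed for the example.

```python
"""Model of the authentication-check logic flaw class behind CVE-2023-51467.

Example code added for this brief; it is NOT Apache OFBiz source. It models
the documented pattern: login() has three outcomes, and the vulnerable caller
rejects only the one it thought of ("error") instead of requiring "success".
"""

# Constructed sample credential store (not real accounts).
USERS = {"admin": "ofbiz"}


def login(params: dict) -> str:
    """Return "success", "error" or "requirePasswordChange" for a request."""
    username = params.get("USERNAME", "")
    password = params.get("PASSWORD", "")
    if not username or not password:
        # Flawed path: with empty credentials and the flag set, the routine
        # reports a password-change requirement instead of an error.
        if params.get("requirePasswordChange") == "Y":
            return "requirePasswordChange"
        return "error"
    if USERS.get(username) == password:
        return "success"
    return "error"


def check_login_vulnerable(params: dict) -> bool:
    """Pre-fix logic: any result other than "error" counts as authenticated."""
    return login(params) != "error"


def check_login_fixed(params: dict) -> bool:
    """Post-fix logic: only an explicit "success" grants access (allow-list)."""
    return login(params) == "success"


# Constructed requests: the bypass shape, a valid login, and a wrong password.
BYPASS = {"USERNAME": "", "PASSWORD": "", "requirePasswordChange": "Y"}
VALID = {"USERNAME": "admin", "PASSWORD": "ofbiz"}
WRONG = {"USERNAME": "admin", "PASSWORD": "nope"}

if __name__ == "__main__":
    for name, req in (("bypass", BYPASS), ("valid", VALID), ("wrong", WRONG)):
        print(f"{name:7} vulnerable={check_login_vulnerable(req)} "
              f"fixed={check_login_fixed(req)}")
```

The fix is a deny-by-default check on the success state. The same defect recurs in authentication code generally: whenever a routine grows a third outcome, a caller that only tests for the failure value silently starts treating the new outcome as success.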
2023-12-27 14:16:28 bleepingcomputer NATION STATE ACTIVITY Undisclosed iPhone Chip Features Used in Sophisticated Spyware Attacks
A spyware campaign dubbed Operation Triangulation targeted iPhones using four zero-day vulnerabilities to bypass hardware security protections. Kaspersky analysts found that the campaign exploited undocumented Apple chip features, pointing to a highly sophisticated actor. The exploit chain required no user interaction and left few obvious traces, starting from a malicious iMessage attachment. Russia's FSB has accused Apple of providing the NSA a backdoor to spy on Russian government officials, but there is no evidence to support this claim. Apple patched two of the vulnerabilities in iOS/iPadOS 16.5.1 and 15.7.7 and another critical flaw in iOS/iPadOS 16.6. The most significant vulnerability abused a feature tied to the iPhone's GPU coprocessor that was not intended for consumer use, allowing the attackers to bypass memory protection. Kaspersky speculates the undocumented feature may be a holdover from testing or a mistake, and stresses the security risk of obscurity in hardware design. How the attackers learned of the obscure hardware feature remains unknown despite Apple's remediation.
2023-12-27 12:38:40 thehackernews NATION STATE ACTIVITY Chinese Hackers Target Barracuda ESG Appliances with Zero-Day Exploit
Chinese threat actors exploited a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances to install backdoors on a subset of systems. The flaw, tracked as CVE-2023-7102, allows arbitrary code execution through a third-party library used by the Amavis virus scanner. The adversary, UNC4841, was previously linked to exploitation of another Barracuda zero-day. Attackers delivered malicious Microsoft Excel email attachments to trigger the vulnerability and deploy new variants of the SEASPY and SALTWATER malware, which provide persistence. Barracuda has released and automatically applied a security update, along with an additional patch for affected appliances, requiring no customer action. The underlying bug in the third-party library itself remains unpatched, leaving other downstream users of the library exposed. Mandiant has found impacted private and public sector organizations in at least 16 countries since October 2022. UNC4841's persistent adaptability reflects its focus on maintaining access to high-value targets by exploiting new security gaps.
2023-12-27 11:52:21 bleepingcomputer NATION STATE ACTIVITY Barracuda Repairs Zero-Day Exploited by Chinese Cyber-Espionage Group
Barracuda Networks has remotely patched a zero-day vulnerability in its Email Security Gateway appliances that was exploited by the Chinese hacking group UNC4841. The vulnerability, tracked as CVE-2023-7102, stems from a flaw in the Spreadsheet::ParseExcel Perl library used by the Amavis virus scanner on the appliances. Attackers achieved arbitrary code execution on unpatched devices through parameter injection. A second set of security updates was deployed to remove the SeaSpy and Saltwater malware found on compromised ESG appliances. A separate identifier, CVE-2023-7101, tracks the underlying bug in the third-party library, which has yet to be patched. Barracuda's investigation, conducted with Mandiant, is ongoing and attributes the activity to UNC4841, which is believed to be engaged in espionage. The campaign has been active since at least October 2022 and has exfiltrated data from government and high-tech organizations. After a similar attack in May, Barracuda advised customers to replace all compromised appliances; the company serves over 200,000 organizations worldwide.
2023-12-27 09:14:00 bleepingcomputer CYBERCRIME Yakult Australia Hit by Cybercrime Group with Massive Data Leak
Yakult Australia has confirmed a "cyber incident" after 95 GB of company data was leaked by a cybercrime group calling itself DragonForce. The incident affected IT systems in both Australia and New Zealand, although offices continue to operate. DragonForce claims the leaked data includes databases, contracts, passports, and more. The group's leak site indicates it engages in extortion, threatening to publish stolen data if its demands are not met. Yakult Australia is investigating the breach with outside cybersecurity experts but has not yet confirmed its full extent. BleepingComputer's review of the data indicates it contains business documents and records, including employee information and copies of identity documents. DragonForce has listed 20 victims on its leak site so far; there is no confirmed link between this group and the hacktivist collective DragonForce Malaysia.
2023-12-27 08:27:56 thehackernews MALWARE Over 327,000 Devices Infected by Xamalicious Android Malware
A new Android backdoor named Xamalicious, built with the Xamarin framework, has infected over 327,000 devices. The malware abuses Android's accessibility permissions to gather device metadata and download a second-stage payload that takes control of the device. McAfee's Mobile Research Team identified 25 malicious apps, some distributed via the Google Play Store, with most infections in Brazil, Argentina, the UK, the US, and other parts of Europe and the Americas. Communication with the command-and-control server is heavily encrypted, hampering detection and analysis. The dropper can self-update, potentially turning the malware into spyware or a banking trojan without user intervention. Xamalicious is associated with the ad-fraud app Cash Magnet, which generates illicit revenue through automated ad clicking. Separately, a phishing campaign in India is using social messaging apps to distribute rogue banking apps, posing a significant threat to the country's digital banking users.
2023-12-27 05:34:30 thehackernews CYBERCRIME Linux SSH Servers Targeted for Cryptomining and DDoS Attacks
Attackers are compromising poorly secured Linux SSH servers to mine cryptocurrency and launch DDoS attacks, and may also sell the compromised credentials on the dark web. Vulnerable servers are found through dictionary attacks that try common username and password combinations against SSH. Once in, the attackers install port scanners and additional malware to extend the attack to other susceptible systems: the tooling scans for hosts with port 22 open, indicating an SSH service, and runs further dictionary attacks to propagate. The tools are believed to have been created by the "PRG old Team", with individual attackers making minor modifications for their own use. System administrators are advised to use strong passwords, rotate them regularly, and keep systems updated to reduce the risk. Separately, Kaspersky reports on NKAbuse, a multi-platform threat that uses the NKN protocol for peer-to-peer communication to orchestrate DDoS attacks.
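As an added example (written for this brief, not taken from the article or the AhnLab report it summarizes), the Python below shows the detection side of the dictionary-attack pattern described above: it parses standard OpenSSH syslog lines, counts "Failed password" events per source address within a sliding time window, flags addresses that cross a threshold, and separately flags any that then log an "Accepted password", the signature of a guess that succeeded. The log lines, hostname and addresses are constructed sample data (documentation IP ranges), and the threshold and window are arbitrary tuning values.

```python
"""Flag SSH dictionary attacks in OpenSSH syslog output.

Example code added for this brief (not from the article or the AhnLab report).
Assumes the default OpenSSH log format. SAMPLE_LOG is constructed test data
using documentation address ranges; THRESHOLD and WINDOW are arbitrary tuning.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures from one address that make a burst
WINDOW = timedelta(minutes=10)  # ...when they fall within this span

# Constructed sample: one address hammering several accounts and then getting
# in, and one legitimate user mistyping a password before using a key.
SAMPLE_LOG = [
    "Dec 27 03:14:01 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.42 port 51244 ssh2",
    "Dec 27 03:14:03 web01 sshd[2215]: Failed password for root from 203.0.113.42 port 51260 ssh2",
    "Dec 27 03:14:04 web01 sshd[2218]: Failed password for invalid user admin from 203.0.113.42 port 51271 ssh2",
    "Dec 27 03:14:06 web01 sshd[2220]: Failed password for invalid user test from 203.0.113.42 port 51290 ssh2",
    "Dec 27 03:14:07 web01 sshd[2223]: Failed password for root from 203.0.113.42 port 51302 ssh2",
    "Dec 27 03:14:09 web01 sshd[2226]: Accepted password for root from 203.0.113.42 port 51310 ssh2",
    "Dec 27 03:20:11 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40012 ssh2",
    "Dec 27 03:20:40 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2",
    "Dec 27 03:21:00 web01 sshd[2310]: Connection closed by 198.51.100.7 port 40013 [preauth]",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def parse(line):
    """Return a dict for an authentication result line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for deltas inside one file (a year boundary needs extra handling).
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyze(lines, threshold=THRESHOLD, window=WINDOW):
    """Per source address: failure count, distinct usernames tried, a burst
    flag, and whether a password login succeeded right after such a burst."""
    state = defaultdict(lambda: {"failures": [], "users": set(), "compromised": False})
    for ev in filter(None, map(parse, lines)):
        rec = state[ev["ip"]]
        if ev["method"] != "password":
            continue  # key-based logins are not guessable; ignore them
        if ev["result"] == "Failed":
            rec["failures"].append(ev["ts"])
            rec["users"].add(ev["user"])
        else:
            recent = [t for t in rec["failures"] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                rec["compromised"] = True  # success on the heels of a burst
    report = {}
    for ip, rec in state.items():
        ts = sorted(rec["failures"])
        burst = any(ts[i + threshold - 1] - ts[i] <= window
                    for i in range(len(ts) - threshold + 1))
        report[ip] = {
            "failed": len(ts),
            "distinct_users": len(rec["users"]),
            "dictionary_attack": burst,
            "likely_compromised": rec["compromised"],
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(f"{ip:16} failed={r['failed']} users={r['distinct_users']} "
              f"attack={r['dictionary_attack']} compromised={r['likely_compromised']}")
```

Feed it the contents of /var/log/auth.log (or the output of journalctl -u ssh) instead of SAMPLE_LOG. Note that the article's advice (strong, rotated passwords) still leaves password authentication exposed to guessing; the standard hardening a practitioner would add is PasswordAuthentication no in sshd_config with key-based login, which removes the attack surface this script watches.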
2023-12-26 21:05:02 bleepingcomputer MISCELLANEOUS GitHub Mandates Two-Factor Authentication by January 2024
GitHub has announced that all users who contribute code must enable two-factor authentication (2FA) by January 19, 2024, to retain full access to the platform. Users not enrolled by the deadline will have limited functionality on GitHub.com; business and enterprise accounts are exempt from the requirement. The initiative is part of GitHub's effort to protect accounts from takeover and to mitigate software supply chain attacks. After the deadline, users without 2FA will be prompted to complete setup before regaining full access. GitHub supports multiple 2FA methods, including security keys, the GitHub Mobile app, authenticator apps, and SMS, and recommends enrolling at least two methods. Users who lose their 2FA credentials may find account recovery difficult and should keep their recovery codes as a last resort for access.