Daily Brief

Total articles found: 11541
2023-09-20 02:01:57 bleepingcomputer CYBERCRIME Trend Micro Patches Zero-Day Vulnerability Actively Exploited in Attacks
Trend Micro has fixed a remote code execution zero-day vulnerability (CVE-2023-41179) rated as "critical," which was being actively exploited in attacks. The flaw was detected in Trend Micro's Apex One endpoint protection solution, used by businesses of varying sizes. The vulnerability resided in a third-party uninstaller module included with the security software. If exploited, it could allow an attacker, who has system privilege access, to execute arbitrary code. Trend Micro noted that exploitation of the vulnerability required the attacker to have previously stolen the product's management console credentials. Customers are strongly advised to upgrade to the latest versions of the software as soon as possible as a mitigating measure. Other effective workarounds include limiting access to the product's administration console to trusted networks. The Japanese CERT has issued an alert about the active exploitation and urged users to upgrade their software to a secure release immediately.
2023-09-20 02:01:57 bleepingcomputer CYBERCRIME Celsius Crypto Bankruptcy Claimants Targeted by Phishing Attack
Fraudsters are impersonating the bankruptcy claims agent for crypto lender Celsius in an attempt to steal from cryptocurrency wallets. Celsius filed for bankruptcy in July 2022 and froze withdrawals from user accounts, leading customers to file claims against the company. Email recipients have reported phishing attempts in which the fraudsters pretend to be from Stretto, the Claims Agent for the Celsius bankruptcy proceeding, offering a 7-day window to claim frozen funds. One such email uses the sender address no-reply@stretto.com and includes a link to a site called case-stretto[.]com, which redirects to claims-stretto[.]com. The phishing site asks visitors to enter their email address and connect their wallet to withdraw their claim; once the wallet is connected, the site gains access to the information stored in it and can disguise transactions and drain assets. The phishing emails passed Sender Policy Framework (SPF) checks because they originated from an IP address linked to the email marketing firm SendGrid, allowing them to be delivered. As these attacks likely use older contact lists stolen from hacked cryptocurrency marketing accounts, individuals who never had a Celsius account or filed a claim have also reported receiving the phishing emails.
2023-09-07 11:23:26 bleepingcomputer MALWARE Mirai Variant Infects Low-Cost Android TV Boxes for DDoS Attacks
A new variant of the Mirai malware botnet has been found infecting inexpensive Android TV set-top boxes for DDoS attacks. The malware is a version of the 'Pandora' backdoor that first appeared in 2015. Low-cost Android TV boxes with quad-core processors are the primary targets for this campaign. The malware arrives on the devices through malicious firmware updates or pirated content apps. Persistence is achieved through a background service that runs on device boot. The malware can perform various DDoS attacks over TCP and UDP protocols. Budget-friendly Android TV boxes have a higher risk of containing preloaded malware. It is recommended to use streaming devices from trusted brands like Google, Apple, NVIDIA, Amazon, or Roku.
2023-09-07 11:23:26 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Steal Microsoft Signing Key from Windows Crash Dump
Chinese hackers stole a signing key, used to breach government email accounts, from a Windows crash dump. The attackers used the stolen key to breach Exchange Online and Azure Active Directory accounts of government agencies in the United States. The key was leaked into a crash dump after a consumer signing system crashed in April 2021. The threat actors found the key after compromising a Microsoft engineer's corporate account. The compromised key provided the hackers widespread access to Microsoft cloud services. Microsoft revoked all valid signing keys and relocated recently generated access tokens to prevent unauthorized access. Microsoft agreed to expand access to cloud logging data for free to help network defenders detect similar breach attempts. Redmond faced criticism for impeding organizations from promptly detecting the attacks.
2023-09-07 11:23:26 bleepingcomputer CYBERCRIME Flipper Zero Enables Bluetooth Spam Attacks on iOS Devices
The Flipper Zero portable wireless pen-testing and hacking tool can be used to aggressively spam Bluetooth connection messages at Apple iOS devices. The tool allows for the spoofing of Bluetooth advertising packets, leading to confusion and disruption of workflows for iOS users. The attack can be used to send bogus connection requests, making it difficult to discern legitimate devices among a large number of fakes, or to mimic trusted devices for phishing attacks. The Flipper Zero firmware needs to be updated to enable Bluetooth functionality, and specific code needs to be generated to create fake notifications. The attack can work even if the target device is in airplane mode, as Apple has no mitigations or safeguards in place to prevent this abuse scenario.
2023-09-07 11:23:26 bleepingcomputer DATA BREACH University of Michigan Requires Password Resets After Cyberattack
University of Michigan (UMICH) warns staff and students of a recent cyberattack and mandates password resets. Failure to change passwords by September 12 will result in an inability to sign into accounts. Notifications were sent by the UMICH CISO and CIO to community members. All UMICH community members on its various campuses must change their passwords. Users are advised to consult guidelines on changing to a secure password. An issue with the self-service password tool has been addressed. Internet connectivity and WiFi have been restored across all UMICH campuses. The university does not disclose details regarding the investigation or the reason for the mandatory password resets.
2023-09-05 16:55:19 bleepingcomputer DATA BREACH Critical Remote Code Execution Flaws Found in ASUS Routers
Three critical-severity remote code execution vulnerabilities have been discovered in ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers. The vulnerabilities can be exploited remotely and without authentication, potentially allowing threat actors to hijack devices. The flaws can lead to remote code execution, service interruptions, and performing arbitrary operations on the device. ASUS has released firmware updates to address the vulnerabilities, but users who haven't applied the updates remain vulnerable. It is advised to turn off the remote administration feature to prevent unauthorized access to the routers.
2023-09-05 15:35:25 theregister DATA BREACH Freecycle Suffers Data Breach, Urges Users to Change Passwords
Freecycle, a charity aimed at recycling unwanted items, has suffered a data breach. The breach, which exposed usernames, email addresses, and hashed passwords, was discovered on August 30. Freecycle has urged all members to change their passwords and be vigilant for phishing emails. The data breach has been closed and regulatory authorities have been notified. It is unclear how many of Freecycle's 9 million members were affected by the breach. Users are advised not to reuse passwords and to avoid clicking on suspicious links or downloading unknown attachments.
2023-09-05 15:35:25 thehackernews MALWARE New BLISTER Malware Update Fuelling Stealthy Network Infiltration
An updated version of the malware loader BLISTER is being used to distribute the Mythic command-and-control framework. BLISTER is embedded within a legitimate VLC Media Player library to bypass security software. BLISTER has been used in tandem with SocGholish to distribute Cobalt Strike and LockBit ransomware. The malware is actively maintained and used to load various types of malware, including clipbankers, information stealers, trojans, ransomware, and shellcode.
2023-09-05 15:35:25 bleepingcomputer MISCELLANEOUS Continuous Security: PTaaS Bridges the Gap within Application Security
Penetration Testing as a Service (PTaaS) offers a comprehensive solution for continuous security monitoring in web applications. Traditional pen testing is labor-intensive, time-consuming, and does not offer continuous monitoring. PTaaS provides comprehensive coverage, frequent testing, automated processes, and integration with development processes. Benefits of PTaaS include continuous security, a holistic view of AppSec, and effective protection against cyber-attacks. PTaaS is more scalable and effective compared to traditional pen testing. PTaaS is suitable for organizations with a large number of applications and frequent release updates.
2023-09-05 14:41:21 theregister DDOS Tsunami watch. Mitigating the threat of bot-driven DDoS attacks.
DDoS attacks are on the rise, with the volume growing by up to 300 percent in 2023. These attacks use compromised computer systems to generate attack traffic, resulting in loss of service, revenue, reputation, and control of network defenses. Being able to detect and mitigate DDoS attacks is crucial in preventing damage. A webinar hosted by The Register and Cloudflare will discuss the scale of DDoS attacks in 2023 and identify the perpetrators. The webinar will provide guidance on how to defend against DDoS attacks and offer best practices for mitigation. Participants will learn how to effectively protect their businesses and build strong defenses against DDoS attacks. The webinar is scheduled for 6th September and registration is available.
2023-09-05 14:41:21 theregister DATA BREACH Northern Irish Cops Release Two Men After Terrorism Act Arrests Linked to Data Breach
The Police Service of Northern Ireland (PSNI) mistakenly published data on 10,000 employees on its website. Two men have been released on bail after being arrested under the Terrorism Act in relation to the data breach. The breach included details of every serving Northern Ireland police officer, potentially endangering their safety. A recent poster attempted to intimidate police officers, but the information it contained was incorrect. The PSNI has made four arrests in relation to the data breach so far. Other police forces in the UK have also experienced data breaches recently, including Cumbria Police and the Metropolitan Police in London.
2023-09-05 14:41:21 theregister DATA BREACH Attackers Access UK Military Data Through High-Security Fencing Firm's Windows 7 Rig
Attackers gained access to data from Zaun, a UK supplier of high-security fencing for military bases. The initial entry point was a Windows 7 PC, highlighting the risks of running obsolete code and hardware. The LockBit ransomware group conducted the attack and may have exfiltrated 10GB of data. The breach could potentially provide access to sensitive military and research sites in the UK. The company stated that no classified information was stored on the compromised system. Zaun has notified the National Cyber Security Centre and the UK's Information Commissioner's Office regarding the breach. The attack serves as a reminder for enterprises and organizations to be vigilant about security in their supply chains. The targeted nature of the attack on a third-party supplier raises concerns about national security and critical infrastructure.
2023-09-05 14:41:21 theregister MISCELLANEOUS Microsoft calls time on ancient TLS in Windows, breaking own stuff in the process
Microsoft is disabling TLS 1.0 and 1.1 by default in Windows, potentially causing issues for enterprise administrators. SQL Server 2012, 2014, and 2016 editions may require updates to be compatible. Other applications expected to be broken include Apple's Safari browser for Windows and several security applications. Microsoft has been tracking TLS protocol usage and believes usage of TLS 1.0 and 1.1 is low enough to act. Windows Insiders will be the first to have TLS 1.0 and 1.1 disabled by default from September, followed by future Windows releases. The option to re-enable the protocols will still be available but should only be done as a temporary solution. Microsoft's goal aligns with industry efforts to eliminate deprecated versions of TLS, with the US National Security Agency (NSA) and major tech companies advocating for the move. Microsoft's progress in disabling TLS 1.0 and 1.1 has been delayed but is now planned to be implemented in its flagship operating system.
2023-09-05 14:41:21 theregister DATA BREACH Northern Ireland Top Cop Resigns Following Data Breach and Controversy
Simon Byrne, Chief Constable of the Police Service of Northern Ireland (PSNI), has resigned amid a data breach and a disciplinary controversy. The PSNI mistakenly published spreadsheet data containing details of every single serving Northern Ireland police officer following a Freedom of Information request. The sensitive information included personal details of officers and staff, making them vulnerable to potential targeting by dissident republican groups. An independent review is currently underway to investigate the data breach. In addition to the data breach, Byrne was facing backlash over a court ruling related to disciplinary actions taken against two junior officers. The court ruled that the officers had been unlawfully disciplined in order to keep Sinn Féin's support for policing in Northern Ireland. The ruling undermined Byrne's credibility and authority, contributing to his decision to resign. Deputy Chief Constable Mark Hamilton is expected to temporarily lead the PSNI while a new leader is sought.