Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12824

Checks for new stories every ~15 minutes

2025-01-16 11:24:46 thehackernews MALWARE Newly Discovered UEFI Vulnerability Enables Malicious Bootkit Installation
A UEFI Secure Boot vulnerability (CVE-2024-7344, CVSS 6.7) lets an attacker run untrusted code during system boot. The flaw is in a UEFI application signed with Microsoft's third-party certificate ("Microsoft Corporation UEFI CA 2011") and shipped with several system-recovery suites from Howyar Technologies and other vendors. The application loads a second-stage binary with its own PE loader instead of the firmware's LoadImage/StartImage services, so that second stage is never signature-checked, which is what makes the Secure Boot bypass possible. An attacker who can plant files on the EFI System Partition can therefore install a UEFI bootkit that runs before any operating system loads, survives reboots and OS reinstalls, is invisible to standard OS and endpoint security tools, and can load malicious kernel-level code. Deploying the malicious files requires elevated privileges: local administrator on Windows or root on Linux. Howyar Technologies fixed the application after disclosure by ESET, and Microsoft revoked the vulnerable binaries (via a DBX update) in the January 2025 Patch Tuesday release; a machine is only protected once that updated revocation list is actually present in its firmware. The incident exposes systemic weaknesses in Secure Boot as a security control and the difficulty of keeping third-party signed UEFI software under supervision.
2025-01-16 11:19:14 thehackernews MALWARE Hackers Embed Malware in Images for Keylogger, Data Theft
Threat actors are hiding malware such as VIP Keylogger and 0bj3ctivity Stealer inside image files in ongoing campaigns. The malicious code is concealed in images hosted on archive[.]org and retrieved by a .NET loader after phishing emails posing as invoices or purchase orders. Opening the attachment triggers a known Microsoft Office Equation Editor vulnerability (CVE-2017-11882), which starts a download chain beginning with a VBScript; the chain ends in a .NET executable that acts as the loader and drops either the keylogger or the data-stealing payload. Both campaigns share enough technical traits to suggest off-the-shelf malware kits, which lower the skill needed to run such attacks. The same reporting notes HTML smuggling and signs of GenAI-assisted creation of malicious files, both of which raise effectiveness and complicate attribution. More broadly, trojanized software advertised on platforms such as GitHub is increasingly used to deploy malware, illustrating the commoditization of cybercrime tooling.
2025-01-16 10:38:27 theregister DATA BREACH London Security Firm Exposes Over 120,000 Confidential Files
A London-based security company, Assist Security, left more than 120,000 files containing sensitive personal information on an unsecured, publicly reachable server. The exposed data includes personally identifiable information (PII), payroll details, job application forms, TrustID-validated identity documents, and Security Industry Authority (SIA) licence cards. Independent security researcher JayeLTee found the data, amounting to 46.48 GB, in October 2024. Among it were invoices dating back to 2005 and detailed records on guard applicants, including national insurance numbers, headshots, and assignment details. Some directories held extensive data on people who had been turned down for jobs or had resigned, pointing to a retention problem with sensitive data. Assist Security closed off access within six days of being notified and says it has taken sufficient corrective measures to mitigate any risk. As of publication the Information Commissioner's Office (ICO) had not been notified, and it remains unclear whether unauthorized parties accessed the data. Assist continues to review the extent of the exposure and is seeking assurance that any data retained by the researcher is securely deleted.
2025-01-16 06:50:48 thehackernews MALWARE Python-Based Malware Utilized in RansomHub Ransomware Attack
Researchers at GuidePoint Security documented a Python-based backdoor used to stage RansomHub ransomware across a network. Initial access came through SocGholish, JavaScript malware delivered as fake browser updates from compromised legitimate websites. The Python backdoor provides persistent access by acting as a reverse proxy that tunnels traffic over SOCKS5, which the operators use for lateral movement. The script, first noted in early December 2023, has since received minor changes aimed at better obfuscation and detection evasion. In separate recent RansomHub campaigns, vulnerabilities in outdated WordPress SEO plugins such as Yoast and Rank Math PRO were exploited for initial access. The script's error handling and structure are polished enough that GuidePoint suggested AI tools may have assisted in its development. GuidePoint also notes that this backdoor is one of several precursor tools seen before ransomware deployment, part of a broader trend of purpose-built staging tooling in such attacks.
2025-01-16 06:45:31 thehackernews MALWARE Ivanti Releases Fixes for Critical Endpoint Manager Security Flaws
Ivanti has issued security updates for several vulnerabilities across Avalanche, Application Control Engine, and Endpoint Manager (EPM). Four critical EPM flaws (CVSS 9.8) are absolute path traversal bugs that let a remote, unauthenticated attacker leak sensitive information; they affect EPM 2024 up to the November 2024 security update and EPM 2022 SU6 up to its November 2024 security update. The flaws were found and reported by Horizon3.ai researcher Zach Hanley. High-severity issues in Avalanche and Application Control Engine, covering authentication bypass and information leakage, were patched at the same time. Ivanti says it has no evidence of in-the-wild exploitation and has expanded its internal scanning and testing. Separately, SAP fixed two critical vulnerabilities in NetWeaver Application Server for ABAP and ABAP Platform and urged customers to apply the patches promptly.
2025-01-16 02:58:11 bleepingcomputer CYBERCRIME Hackers Leak VPN Credentials for 15,000 FortiGate Devices Globally
A new hacking group calling itself "Belsen Group" has published configuration files, VPN credentials, and IP addresses for more than 15,000 FortiGate devices on the dark web. The data spans government and private-sector devices worldwide and was released, by the group's own account, to build its notoriety. The 1.6 GB dump is sorted by country and device IP and contains full configurations, including potentially unencrypted passwords. The leak traces back to CVE-2022-40684, a FortiOS authentication bypass exploited as a zero-day in 2022 that allowed unauthenticated download of device configurations. German outlet Heise confirmed that the affected devices were running FortiOS versions vulnerable to that flaw. Although later FortiOS releases fixed the bug, Kevin Beaumont warned that the leaked configurations remain dangerous: any credential, pre-shared key or certificate that was not rotated since the 2022 harvest is still usable. Beaumont plans to publish the affected IP addresses so administrators can identify and secure their devices. The release comes more than two years after the data was collected, widening the window for other criminals to abuse it.
2025-01-15 23:49:44 theregister DATA BREACH FTC Cites GoDaddy for Security Negligence, Proposes Settlement
The FTC has accused GoDaddy of failing to deploy basic security measures and of misleading customers about its data security since 2018. Despite its scale, GoDaddy lacked essentials such as patch management, risk assessment, and network segmentation, and several breaches between 2019 and December 2022 gave unauthorized parties access to customer data. The proposed settlement requires GoDaddy to stand up a comprehensive information security program within 90 days, including SIEM, MFA, and other controls, but imposes no financial penalty. GoDaddy has begun addressing some of the findings and neither admits nor denies the allegations. The proposed order is open for public comment for 30 days, and GoDaddy would face civil penalties for future non-compliance.
2025-01-15 22:33:43 theregister MISCELLANEOUS DJI Eases Drone Geofencing Amid Ongoing Safety and Legal Concerns
DJI, the world's largest drone manufacturer, has relaxed the geofencing that previously stopped its drones from entering no-fly zones automatically. The change lands while the FBI searches for the operator whose drone collided with a firefighting aircraft in California and amid the continuing mystery drone sightings in New Jersey. Former no-fly zones are now shown as Enhanced Warning Zones, with in-app alerts about nearby FAA-controlled airspace rather than hard blocks. DJI says the change shifts responsibility back to operators, in line with the FAA's emphasis on operator accountability, and follows a similar change in the European Union last year driven by maturing drone regulation and better geo-awareness. DJI is meanwhile suing the U.S. government over its designation as a company affiliated with the Chinese military, and legislation that could ban DJI drones is under consideration, with elements included in the 2025 National Defense Authorization Act. California officials continue to report drone-related disruptions to wildfire containment, underlining the risk as DJI loosens its flight restrictions. The episode shows the balance DJI is trying to strike between operator flexibility and safety amid evolving drone regulation and national-security concerns.
2025-01-15 22:03:12 bleepingcomputer MALWARE SAP Addresses Critical Vulnerabilities in Latest Security Patch
SAP has fixed two critical vulnerabilities in NetWeaver Application Server for ABAP and ABAP Platform as part of its January Security Patch Day; one allowed privilege escalation and the other disclosed sensitive information. The same release addresses 12 further issues of medium and high severity across other products. The updates matter because SAP systems underpin operations in sectors such as manufacturing, finance, and healthcare, and unpatched or misconfigured SAP deployments have a track record of being targeted. SAP urges customers to apply the patches immediately. NetWeaver is the base platform for ABAP applications and the Internet Communication Framework; the SAP BusinessObjects platform, used for reporting and analytics, also received updates.
2025-01-15 20:42:10 bleepingcomputer NATION STATE ACTIVITY CISA Guides on Microsoft Logging After 2023 Exchange Online Breach
CISA has published guidance on using Microsoft 365's expanded cloud logs for forensic and compliance investigations. The logs cover events such as mail access and user interactions in specific Microsoft online services and are meant to improve detection of business email compromise (BEC), nation-state intrusions, and insider threats. The expansion was a direct response to the 2023 breach in which the Chinese group Storm-0558 read senior U.S. government email in Microsoft Exchange Online. The 60-page playbook walks through navigating the logs in Microsoft 365 and integrating them with SIEMs such as Microsoft Sentinel and Splunk. During the 2023 incident, the State Department's Security Operations Center detected the malicious activity only because it had paid for the premium logging tier that included the relevant mailbox-access events; the episode drew heavy criticism of Microsoft for gating such logs behind higher-cost licences, which likely delayed discovery elsewhere.
2025-01-15 20:31:50 theregister NATION STATE ACTIVITY Chinese Cyberspies Detected in US Networks, Escalating Espionage Threats
CISA director Jen Easterly said the agency detected the Chinese espionage group "Salt Typhoon" inside U.S. federal networks before the group was found in U.S. telecom systems. Salt Typhoon had penetrated carriers including AT&T and Verizon, giving it the ability to geolocate subscribers, read internet traffic, and record phone calls of potentially millions of people. Easterly framed Salt Typhoon as part of a broader Chinese effort against U.S. critical infrastructure: a separate Chinese group, "Volt Typhoon", has been pre-positioning in sectors such as water, power, and emergency services with disruptive attacks in mind. The FBI and other agencies escalated their investigations after the discoveries, using legal process to gain access to the infrastructure the intruders were operating. Easterly stressed the severity of the Chinese cyber threat as she prepares to step down with the change of administration. The larger concern is that pre-positioned access to critical infrastructure could be used during a crisis over Taiwan to hamper U.S. support in Asia.
2025-01-15 20:06:18 bleepingcomputer MALWARE Botnet Exploits SPF Misconfiguration to Spread Malware via Email
A botnet of roughly 13,000 hijacked MikroTik routers is sending malware-laden email through domains whose SPF records are misconfigured. Infoblox found about 20,000 domains whose SPF TXT records end in "+all", which tells receiving mail servers that any host on the Internet is an authorized sender for the domain; the botnet's devices therefore pass SPF checks when spoofing those domains. The malspam impersonates legitimate companies such as DHL Express, using fake freight invoices that carry a ZIP file with malicious JavaScript; when executed, the script reaches out to a command-and-control server previously associated with Russian hackers. Infoblox uncovered the network while investigating abnormal SMTP activity and mail-header anomalies. The compromised routers are also configured as SOCKS4 proxies, which makes them useful for DDoS, data exfiltration, and other traffic laundering beyond email spoofing. Owners should update MikroTik firmware, change default credentials, and restrict remote management access; domain owners should replace "+all" with "-all" (or "~all") and publish DMARC so that spoofed mail is rejected rather than accepted.
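The "+all" problem described above is mechanical enough to check with a script. The following is an added example, not code from Infoblox's report or from MikroTik: it parses SPF records and classifies what the trailing "all" qualifier means for an unmatched sender, covering the cases a quick grep for "+all" misses (a bare "all", which SPF treats as "+all"; a record with no "all" at all, which defaults to neutral; and a "redirect=" record whose verdict lives elsewhere). The domain names and TXT values in SAMPLE_RECORDS are constructed for the example; in practice you would feed the function the TXT record you fetch from DNS.

```python
"""Audit SPF records for the permissive "+all" misconfiguration.

SPF (RFC 7208) evaluates mechanisms left to right. The "all" mechanism
always matches, so its qualifier decides the result for every sender that
nothing earlier in the record matched:
    +all  pass      anyone may send as the domain (the misconfiguration)
    ?all  neutral   no statement; most receivers treat like "no SPF"
    ~all  softfail  accept but mark
    -all  fail      reject
A bare "all" means "+all". A record with no "all" and no "redirect="
modifier evaluates to neutral by default (RFC 7208 section 4.7).
"""
from __future__ import annotations

# Qualifier characters defined by RFC 7208; "+" is the default when absent.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
VERDICT = {"+": "PERMISSIVE", "?": "NEUTRAL", "~": "SOFTFAIL", "-": "FAIL"}


def parse_spf(record: str) -> list[str]:
    """Split a TXT value into SPF terms; raise if it is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def all_qualifier(record: str) -> str | None:
    """Qualifier ('+', '-', '~', '?') of the first 'all' mechanism, or None.

    Only the first 'all' matters: evaluation stops at the first matching
    mechanism, and 'all' always matches, so later terms are dead.
    """
    for term in parse_spf(record):
        if term[0] in QUALIFIERS:
            qual, name = term[0], term[1:]
        else:
            qual, name = "+", term          # no explicit qualifier means "+"
        if name.lower() == "all":
            return qual
    return None


def assess(record: str) -> str:
    """Classify a record as PERMISSIVE, NEUTRAL, SOFTFAIL, FAIL or REDIRECT."""
    qual = all_qualifier(record)
    if qual is not None:
        return VERDICT[qual]
    if any(t.lower().startswith("redirect=") for t in parse_spf(record)):
        return "REDIRECT"       # result comes from the redirect target's record
    return "NEUTRAL"            # default result when nothing matched


def audit(records: dict[str, str]) -> dict[str, str]:
    """Map domain -> verdict; non-SPF or malformed values are reported as INVALID."""
    out = {}
    for domain, txt in records.items():
        try:
            out[domain] = assess(txt)
        except ValueError:
            out[domain] = "INVALID"
    return out


# Constructed sample data (not real domains or real DNS answers).
SAMPLE_RECORDS = {
    "dhl-lookalike.test": "v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 +all",
    "bare-all.test":      "v=spf1 ip4:198.51.100.10 all",
    "neutral.test":       "v=spf1 ip4:198.51.100.10 ?all",
    "softfail.test":      "v=spf1 ip4:198.51.100.10 ~all",
    "hardened.test":      "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test -all",
    "no-all.test":        "v=spf1 ip4:192.0.2.1",
    "redirect.test":      "v=spf1 redirect=_spf.mail.test",
    "not-spf.test":       "google-site-verification=abc123",
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        flag = "  <-- spoofable by anyone" if verdict == "PERMISSIVE" else ""
        print(f"{domain:22s} {verdict}{flag}")
```

The "hardened.test" entry shows the corrected form: enumerate the real senders, then end with "-all". Two caveats a practitioner should keep in mind: SPF only checks the envelope sender (MAIL FROM), so a correct SPF record without a DMARC policy still does nothing about a forged header From; and a "REDIRECT" verdict means you must fetch and assess the target record before concluding anything.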
2025-01-15 19:45:51 bleepingcomputer DATA BREACH Avery Products Corporation Announces Major Credit Card Data Breach
Avery Products Corporation has disclosed a breach in which customer payment-card data was stolen. Attackers placed a card skimmer on the avery.com website that operated from July 18, 2024 until it was discovered on December 9, 2024, at which point a forensic investigation began. The stolen payment data does not include Social Security or driver's license numbers but can be used for fraudulent transactions. The breach affects 61,193 customers, to whom Avery is offering 12 months of free credit monitoring through Cyberscout. Customers are advised to watch their accounts for suspicious activity and report irregularities to their banks or the authorities; Avery has set up a dedicated assistance line for those affected.
2025-01-15 19:05:14 bleepingcomputer CYBERCRIME Hackers Exploit Google Search Ads for Google Ads Account Theft
Cybercriminals are using Google search ads to lure individuals into phishing sites that steal Google Ads credentials. Phishing pages are hosted on Google Sites, which allows URLs to mimic the ads.google.com domain, making them appear legitimate. This sophisticated scam involves at least three cybercrime groups from Brazil, Asia, and Eastern Europe. Malwarebytes Labs has identified this as a significant malvertising operation that undermines the core of Google's advertising business. Stolen Google Ads accounts are valuable in the cybercrime community, often resold or used in further malicious campaigns. Google is actively working to mitigate these attacks by investigating and addressing violations of their policies. Despite Google's efforts to eliminate deceptive ads, including blocking and removing millions in 2023, new malicious ads continue to emerge.
2025-01-15 18:49:49 theregister MISCELLANEOUS Subtle Makeup Techniques Can Fool Facial Recognition Systems
Researchers at PeopleTec discovered that minimal makeup application can disrupt facial recognition algorithms by targeting high-density key-point areas like brow lines and jaw contours. Traditional methods such as CV Dazzle makeup and Juggalo makeup are visually conspicuous and easily detectable by human observers. This study suggests a low-visibility approach, avoiding the overt recognition and potential stigma associated with more obvious anti-surveillance tactics. Techniques include tweaking the alpha transparency layer in images, making faces recognizable to humans but hidden from specific digital search tools. Facial recognition technology, although beneficial for tasks like traffic management and public safety, poses significant privacy and security risks. Masks are still considered one of the most effective and straightforward methods for evading facial recognition, gaining popularity during the COVID-19 pandemic. Future anti-recognition strategies may need to address emerging technologies like gait recognition, which could complement or replace facial recognition.