Daily Brief


Total articles found: 12824

Checks for new stories every ~15 minutes

2025-01-15 17:18:38 theregister MISCELLANEOUS Citrix Software Update Conflict Disrupts Microsoft Patch Tuesday
Microsoft's January 2025 Patch Tuesday was disrupted by a compatibility issue with Citrix's Session Recording software, which caused system rollbacks after the update. Affected devices download and attempt to apply the update but ultimately fail and roll back to their previous state, showing the error message "Something didn't go as planned." The conflict specifically involves the newly released 2411 version of Citrix's Session Recording Agent and affects only a limited number of managed enterprise systems. Microsoft advised a workaround: disable the Citrix Session Recording Monitor Service before installing the update, then re-enable it after installation. The security update is important because it addresses actively exploited privilege escalation vulnerabilities in Hyper-V. A secondary, less disruptive issue was also reported affecting home users with BitLocker, where devices display a management settings error message. Citrix acknowledged the problem and published detailed instructions on its support platform to help users manage the update process.
2025-01-15 17:03:10 bleepingcomputer MALWARE Over 660,000 Rsync Servers at Risk of Remote Code Execution
Over 660,000 Rsync servers are potentially vulnerable to six newly disclosed critical vulnerabilities. A severe heap-buffer overflow flaw could allow remote code execution on affected systems, and the vulnerabilities can be chained into exploitation paths that lead to full system compromise. Exposure is global but concentrated in China, which hosts the majority of affected IP addresses. Google Cloud and independent researchers identified the vulnerabilities, which affect various Linux distributions and projects, including Red Hat and Ubuntu. CERT/CC and Red Hat have issued warnings; Red Hat states that no practical mitigations are available for one of the most severe CVEs. Users are advised to act immediately by upgrading to Rsync version 3.4.0, or, where upgrading is not feasible, by blocking the exposed ports.
2025-01-15 15:52:15 thehackernews CYBERCRIME Malvertising Campaign Targets Google Ads Users for Credential Theft
Cybersecurity researchers have identified a malvertising campaign that targets Google Ads users to steal their credentials and two-factor authentication (2FA) codes. The attackers use fraudulent ads on Google to redirect victims to fake login pages hosted on Google Sites, which in turn lead to external phishing sites. The stolen credentials are used to access Google Ads accounts, add new administrators, and spend victims' advertising budgets to propagate the scam further. The threat actors employ techniques such as fingerprinting, anti-bot detection, CAPTCHA lures, cloaking, and obfuscation to evade detection. The stolen credentials are also suspected to be sold on underground forums, extending the reach of the scam. The campaign has been active since at least mid-November 2024 and has affected a range of businesses, including a regional airport. The phishing infrastructure is largely operated by Portuguese speakers, likely from Brazil, and uses .pt domains, pointing to its probable geographic origin. Despite the illicit nature of these activities, they do not violate Google's current ad rules, which complicates immediate mitigation by the platform.
2025-01-15 15:41:38 thehackernews NATION STATE ACTIVITY Lazarus Group Deceives Web3 Developers in Global Malware Campaign
The Lazarus Group, linked to North Korea, launched Operation 99, a campaign targeting Web3 and cryptocurrency software developers worldwide through fake LinkedIn profiles. Fake recruiters on LinkedIn entice developers with coding projects and direct them to clone malicious GitLab repositories, which plant malware on their systems. The malware connects to command-and-control servers and deploys data-stealing implants such as Main5346 and Main99 to exfiltrate source code and cryptocurrency wallet keys. Victims have been identified worldwide, with significant numbers in Italy and others in the U.S., U.K., Germany, and several other countries. Operation 99 reuses the job-themed deception seen in earlier Lazarus campaigns but focuses specifically on developers in the lucrative Web3 and cryptocurrency sectors. By compromising developer accounts, the attackers gain direct access to intellectual property and cryptocurrency wallets, creating a risk of substantial financial theft. The incident highlights the Lazarus Group's sustained focus on funneling stolen cryptocurrency into North Korea's finances amid international sanctions.
2025-01-15 14:50:55 theregister NATION STATE ACTIVITY North Korea's Massive Crypto Heists and Global Counter Efforts
North Korea executed five major cryptocurrency heists in 2024, stealing over $659 million. High-profile breaches included a $308 million theft from BitcoinDMM and a $235 million heist at WazirX. The tactics involved masquerading as recruiters and tampering with multi-signature wallets. The U.S., Japan, and South Korea have acknowledged the sophistication of these heists and pledged increased cooperation to counter future incidents. According to U.S. investigations, North Korea uses the stolen funds to support its weapons programs. Public-private collaboration is being encouraged to strengthen defenses against these complex social engineering attacks. The FBI has warned the industry about North Korean efforts to compromise networks connected to cryptocurrency ETFs and other financial products. North Korean operatives have also targeted Western companies by obtaining IT roles, in some cases infiltrating major cybersecurity firms.
2025-01-15 13:34:59 thehackernews NATION STATE ACTIVITY North Korean Cyber Frauds: From Crowdfunding Scams to IT Worker Infiltrations
North Korean threat actors have been linked to both IT worker schemes and a 2016 crowdfunding scam. The SecureWorks Counter Threat Unit has revealed infrastructure connections between various illicit activities run by Pyongyang-based groups. The fraudulent IT personnel from North Korea are suspected of belonging to the 313th General Bureau, which sits under the Munitions Industry Department. North Korean IT workers have been dispatched to front companies in China and Russia that were previously sanctioned by the U.S. OFAC. Seventeen internet domains seized in October 2023 had been used by North Korean workers to impersonate U.S.-based IT services and apply for online freelance work. Historical domain registrations, including for kratosmemory[.]com, tie back to earlier scams and share addresses with sanctioned entities. Japan, South Korea, and the U.S. have warned of the DPRK's persistent cyberattacks on the blockchain and cryptocurrency sectors, with substantial thefts reported. Chainalysis reports a significant increase in cryptocurrency stolen by North Korean actors in 2024, amounting to $1.34 billion across 47 hacks.
2025-01-15 13:12:39 theregister MALWARE Snyk Allegedly Targets Cursor With Malicious NPM Packages
Snyk has been accused of uploading "malicious" NPM packages that targeted Cursor, an AI code editing company. Security researcher Paul McCarty discovered the packages, which were designed to collect system data and send it to an external server. The packages were named cursor-retrieval, cursor-always-local, and cursor-shadow-workspace, mimicking the names of private packages used by Cursor. Snyk, a developer security company, later removed the packages from NPM and issued an apology to Cursor, stating that the intent was to research dependency confusion vulnerabilities, not to cause harm. Despite Snyk's claims of non-malicious intent, the incident raised significant concerns in the developer community about ethical practices and responsible disclosure. Cursor confirmed that it had not commissioned Snyk for any security audit or testing, disputing any suggestion of a benign error or a prearranged testing agreement. Following the backlash and inquiries, Snyk reiterated its commitment to responsible disclosure and community contribution, although the episode left lingering doubts about the deployment method and the real intentions behind it.
2025-01-15 13:12:39 theregister MALWARE FBI Removes Chinese PlugX Malware from U.S. Computers
The FBI, in collaboration with French law enforcement, executed an operation to remove PlugX malware from thousands of infected U.S. Windows PCs. The malware, attributed to Mustang Panda, a Chinese government-sponsored hacking group, targeted multiple sectors internationally, including government and private organizations. PlugX spread by infecting computers via USB devices and could steal files, monitor activity, and deploy additional malware. The removal operation followed earlier documentation of the malware by Sekoia.io and relied on remotely invoking a self-destruct command built into PlugX. Approximately 4,258 systems in the United States were cleaned during the operation, with the final warrants expiring on January 3. The FBI is notifying affected U.S. users through their ISPs about the infection and the subsequent removal of the malware. The initiative is part of broader efforts to counter state-sponsored cyber activity by China and Russia and highlights significant international cybersecurity collaboration.
2025-01-15 13:12:39 theregister MISCELLANEOUS Microsoft's New Patches Fix High-Risk Security Vulnerabilities
Microsoft's January 2025 Patch Tuesday addressed three actively exploited privilege-escalation vulnerabilities in Hyper-V, rated important with CVSS scores of 7.8. Additional critical patches included fixes for remote code execution vulnerabilities in NTLMv1 authentication and the Windows OLE framework, both rated 9.8 on the CVSS scale. Two critical Excel vulnerabilities allowing remote code execution via malicious files were also patched, underscoring the threat of social engineering. Updates also hardened Remote Desktop services and Azure against security flaws, and fixed a Visual Studio code execution hole and a Purview information leakage flaw. Adobe, Cisco, and SAP concurrently released updates addressing security issues across their products, ranging from medium to critical severity. Although the vulnerabilities are significant, this month was not regarded as the most severe in terms of patches; vigilance was still advised because exploitation attempts often follow a release.
2025-01-15 13:12:38 thehackernews MALWARE FBI Erases Chinese Malware from Thousands of US Computers
The U.S. Department of Justice announced that the FBI has removed PlugX malware from over 4,250 computers. PlugX, linked to the Chinese threat group Mustang Panda, is a remote access trojan used for espionage. The malware has targeted governments and sectors across Asia, including Taiwan, Japan, and India, as well as Chinese dissidents. The cleanup is part of a broader effort that began in late July 2024 to eliminate the malware from infected systems. The FBI used a court-approved approach to remotely delete the malware without harming legitimate files or data. The operation was supported by intelligence from cybersecurity firm Sekoia, which also helped disrupt the malware's communication capabilities at minimal cost. Recent actions included the delivery of nearly 60,000 disinfection payloads to over 5,500 IP addresses globally.
2025-01-15 13:12:38 thehackernews MISCELLANEOUS Rising Cybersecurity Risks and Strategies for ICS/OT Environments
ICS/OT security requires specific controls and strategies because industrial control systems and operational technology have unique challenges and requirements. ICS/OT systems, which underpin critical infrastructure, are increasingly targeted by sophisticated cyberattacks that aim to cause physical damage. Recent incidents such as TRISIS, CRASHOVERRIDE, Pipedream, and Fuxnet show the severity and potentially catastrophic consequences of these attacks, which are often conducted by state-sponsored actors and cybercriminals. Survey data shows that only 31% of organizations have a SOC with ICS/OT-specific capabilities, highlighting the lack of adequate incident response and system monitoring. There is a significant imbalance in security budget allocation, while interconnected IT networks now pose a higher risk to ICS/OT environments. Deploying ICS/OT-specific cybersecurity controls is crucial, as traditional IT security measures are often ineffective and can even be hazardous in these settings. The SANS Five ICS Cybersecurity Critical Controls whitepaper offers guidance on implementing effective security measures for ICS/OT environments. Security strategies should align with the critical functions of ICS/OT to improve safety and operational efficiency as cyber threats evolve.
2025-01-15 13:12:38 thehackernews MALWARE Google Cloud Exposes Critical Flaws in Rsync Tool, Urges Update
Google Cloud researchers revealed six vulnerabilities in the Rsync file-synchronization tool, affecting Unix systems. The vulnerabilities include a heap-buffer overflow, information disclosure, and other critical flaws that could allow arbitrary code execution. Attackers exploiting these flaws could use a malicious server to read or write files on any connected client, exposing sensitive data such as SSH keys. The most severe vulnerabilities could let attackers with minimal permissions execute arbitrary code on systems hosting a public Rsync server. Combining CVE-2024-12084 and CVE-2024-12085 could lead to arbitrary code execution on client machines running an Rsync server. Patches for these issues are included in the newly released Rsync version 3.4.0. Users unable to update immediately are advised to apply the recommended mitigations to protect against exploitation.
2025-01-15 13:12:38 bleepingcomputer CYBERCRIME High-Speed Brute-Force Attacks Target Microsoft 365 Globally
Threat actors are using the FastHTTP Go library to brute-force Microsoft 365 accounts globally in a campaign that began on January 6, 2025. The attacks target the Azure Active Directory Graph API, attempting unauthorized logins and overwhelming users with MFA challenges. SpearTip discovered the campaign and found that 65% of the malicious traffic originated from Brazil, with notable portions from Turkey, Argentina, Uzbekistan, Pakistan, and Iraq. The outcomes of the attempts vary: 41.5% failed, 21% caused account lockouts, 17.7% were rejected by access policies, and 9.7% authenticated successfully. To respond, administrators can use a PowerShell script provided by SpearTip to detect the FastHTTP user agent in audit logs, review affected users' sign-in activity, and reset compromised credentials. SpearTip also stresses the importance of reviewing and securing MFA devices to prevent unauthorized access.
2025-01-15 13:12:38 bleepingcomputer MALWARE FBI Removes Chinese PlugX Malware from Over 4,200 US Systems
The FBI successfully deleted Chinese PlugX malware from approximately 4,258 computers across the U.S., disrupting cyber espionage operations. The action followed an international law enforcement effort, initiated by French authorities and cybersecurity firm Sekoia, to eradicate the malware globally. PlugX is linked to the Chinese cyber espionage group Mustang Panda and has been used in attacks since 2008. Affected systems were infected primarily via a wormable component spread through USB flash drives, and the malware maintained persistence by modifying registry keys. Victims included European shipping companies, several governments in Europe and the Indo-Pacific, and Chinese dissident groups worldwide. The FBI issued commands to clean U.S.-based machines until January 3, 2025, completing its part of the operation without collecting any data from the cleaned devices. Notifications about the removal were sent to affected U.S. computer owners through their ISPs, with assurances that no personal data was accessed or compromised.
2025-01-15 13:12:38 bleepingcomputer CYBERCRIME Google OAuth Flaw Risks Data Through Abandoned Startup Domains
A significant vulnerability in Google's OAuth authentication, commonly used for "Sign in with Google" functionality, could enable attackers to hijack accounts tied to abandoned startup domains and access SaaS platforms. Truffle Security researchers found that attackers could register the domains of defunct startups and impersonate former employees to extract sensitive data from platforms such as Slack, Notion, and HR systems. Google initially dismissed the issue, but after a presentation at Shmoocon by Dylan Ayrey it reevaluated the report and awarded a $1337 bounty for the discovery. The problem stems from Google's OAuth system relying on mutable user identifiers, which can be controlled by anyone who acquires a dormant domain. Potential solutions include introducing immutable identifiers and additional verification by SaaS providers, though these could increase costs and user friction. Google advises customers to properly close out domains and encourages third-party apps to implement best practices to reduce the risk. The flaw remains unaddressed and exploitable, posing an ongoing risk to millions of employee accounts linked to Google Workspaces and other services.