Daily Brief


Total articles found: 12825


2025-01-09 21:46:42 | theregister | MISCELLANEOUS | White House Launches Cybersecurity Label for IoT Devices
The White House has launched a voluntary cybersecurity labeling program, the ‘Cyber Trust Mark’, intended to give buyers of smart devices more transparency about product security. Modeled on the EnergyStar program, it lets consumers identify more secure products through a recognizable label. The program is managed by the US Federal Communications Commission and deployed through 11 participating companies, and it focuses on raising cybersecurity standards for Internet of Things (IoT) devices. Eligible products, including home security cameras, smart appliances, and other consumer IoT devices, must meet NIST-defined criteria to earn the US Cyber Trust Mark; the label also carries a QR code linking to detailed product security information online. Major retailers such as Amazon and Best Buy have expressed support and committed to highlighting marked products, giving compliant manufacturers a marketing advantage. The program responds to a growing threat landscape illustrated by major incidents such as Colonial Pipeline and SolarWinds. It aims to shift the burden of security from consumers to manufacturers, so that devices are secure by design and security covers both the hardware and its data-handling practices.

2025-01-09 21:31:18 | bleepingcomputer | MALWARE | Phishing Scam Uses Fake CrowdStrike Job Offers to Spread Crypto Miner
CrowdStrike has identified a phishing campaign that uses fake job offers to distribute XMRig, a Monero cryptocurrency miner. The emails, crafted to look as if they came from CrowdStrike recruiters, ask recipients to download an "employee CRM application" to streamline the supposed hiring process. They direct victims to a site mimicking a legitimate CrowdStrike portal, where they are prompted to download the CRM tool. The downloaded application runs checks to detect analysis environments and, once satisfied it is not being analyzed, downloads and installs XMRig in the background. The miner is configured to use at most 10% of processing power to stay unnoticed, and it includes mechanisms to persist across reboots. CrowdStrike advises job seekers to verify recruitment messages by checking the sender address and contacting recruiters through official company channels.

2025-01-09 21:10:52 | bleepingcomputer | DATA BREACH | Major US Addiction Treatment Provider Suffers Data Breach
BayMark Health Services, a leading North American provider of substance use disorder treatment, has reported a data breach affecting an undisclosed number of patients. Personal and health information was stolen in a cyberattack detected on October 11, 2024, following IT system disruptions identified between September 24 and October 14, 2024. The investigation involved third-party forensic experts and notification of law enforcement; the breach resulted from unauthorized access to BayMark's files. Exposed data includes patient names, Social Security numbers, and driver’s license numbers. BayMark is offering affected patients one year of free identity monitoring through Equifax. The RansomHub ransomware gang has claimed responsibility, saying it stole 1.5TB of data, which it has now posted on its dark web site. The notification comes as the U.S. Department of Health and Human Services proposes HIPAA updates aimed at strengthening healthcare data security.

2025-01-09 18:59:26 | bleepingcomputer | MALWARE | Banshee Malware Update Masks Itself with Apple's XProtect Encryption
A new variant of Banshee, macOS-targeting malware, borrows the string encryption used by Apple’s XProtect to conceal its malicious code. Banshee first appeared as a stealer-as-a-service in mid-2024, priced at $3,000, before its source code leaked in November 2024 and public distribution ended. Since the leak, various actors have developed the malware further, and the current variant no longer spares Russian systems as earlier versions did. Because its malicious strings are encrypted until execution, the modified stealer evades the static detection used by macOS and third-party antivirus software. It is distributed through deceptive GitHub repositories and tricks users into installing it by mimicking legitimate applications. It targets data from common browsers such as Chrome and Brave, capturing passwords, two-factor authentication data, and cryptocurrency wallet information, and it uses fake login prompts to coax infected users into entering their system passwords. Although the Banshee malware-as-a-service operation has officially shut down, phishing campaigns continue to distribute the evolved variant.

2025-01-09 17:33:22 | thehackernews | MALWARE | Critical Security Updates for SonicWall, Palo Alto, and Aviatrix
Palo Alto Networks has patched several serious vulnerabilities in Expedition, its tool for migrating configurations from other vendors' firewalls to PAN-OS platforms. The issues, fixed in updated versions, could allow authenticated users to access sensitive data, including plaintext passwords and device API keys. With the tool reaching end-of-life in December 2024, no further updates or security patches will be issued beyond the current fixes. SonicWall also released SonicOS updates addressing authentication bypass and privilege escalation vulnerabilities, and Polish cybersecurity firm Securing detailed a critical flaw in Aviatrix Controller that permitted arbitrary code execution, now fixed in recent versions. Users are advised to restrict network access to these tools and apply the patches immediately. Although there is no current evidence of in-the-wild exploitation, these vulnerabilities pose significant risks to network security.

2025-01-09 17:22:53 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State-Linked Hackers Target Japan Since 2019
Japan's National Police Agency and the Cabinet Cyber Security Center have identified the Chinese state-backed "MirrorFace" group as the perpetrator of sustained cyber-espionage attacks dating back to 2019. MirrorFace, also known as "Earth Kasha," targets Japanese government entities and technology sectors to steal advanced technology and national security data. The group gains initial access by exploiting vulnerabilities in networking equipment from vendors such as Array Networks, Fortinet, and Citrix. It deploys the LODEINFO, ANEL, and NOOPDOOR malware families to steal data and maintain a long-term presence in compromised networks. For evasion, MirrorFace uses Visual Studio Code tunnels and the Windows Sandbox feature to avoid detection and maintain persistence. Japanese authorities have observed three distinct campaigns by the group, reflecting the strategic and evolving nature of the attacks. Organizations are advised to monitor PowerShell logs, communications with suspicious VSCode domains, and unusual sandbox activity to detect and mitigate these threats.

2025-01-09 16:52:23 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State Hackers Compromise U.S. Treasury Using Stolen API Key
Chinese state-backed hackers tracked as Silk Typhoon were responsible for a significant breach at the U.S. Treasury. They entered the Treasury's network by using a stolen API key to compromise a BeyondTrust remote support instance. The intrusion specifically targeted the Office of Foreign Assets Control (OFAC), seeking intelligence on potential U.S. sanctions against Chinese entities. BeyondTrust notified the Treasury of the breach on December 8, and no evidence of continued attacker access has been found since. According to CISA, the breach was confined to the Treasury and did not affect other federal agencies. Silk Typhoon, also known as Hafnium, is known for broad cyberespionage against targets worldwide. The Biden administration is reportedly preparing an executive order to bolster U.S. cybersecurity defenses in response to such incidents.

2025-01-09 16:11:43 | bleepingcomputer | CYBERCRIME | Chinese Hackers Exploit Ivanti VPN Zero-Day, Install New Malware
Chinese hackers have exploited a critical zero-day vulnerability in Ivanti VPN products to install previously unknown malware. The exploitation affected Ivanti Connect Secure versions up to 22.7R2.5 and related products, using malware dubbed ‘Dryhook’ and ‘Phasejam’. The attackers began by targeting specific Ivanti appliance versions with HTTP requests routed through VPS hosts or the Tor network. After exploitation, they disabled security features and modified system configurations to evade detection and maintain persistent access. The deployed malware included the Spawn toolkit, which provides backdoors, tunneling, and log tampering, along with new malware that captures user credentials. Mandiant, part of Google Cloud, attributes the activity to a China-linked group tracked as UNC5337 that is involved in broader espionage. Recommended mitigations are a factory reset of affected systems and an update to the latest firmware versions. Despite the patch release, more than 2,800 Ivanti ICS appliances remain exposed online, posing ongoing risk.

2025-01-09 15:10:55 | bleepingcomputer | CYBERCRIME | New Tool for Real-Time Phishing Detection in Microsoft Outlook
AI SPERA has launched the Criminal IP Malicious Link Detector add-in for Microsoft Outlook. The add-in analyzes and blocks phishing URLs and malicious domains in email in real time, using generative AI to keep pace with increasingly sophisticated phishing attacks. It has already prevented phishing attacks, including a notable case involving cryptocurrency wallet users. Fully integrated and free to use, the tool is aimed at both individual and organizational email. AI SPERA's global expansion includes strategic partnerships with major platforms such as Cisco, VirusTotal, and Quad9; Criminal IP operates in over 150 countries and is now available on major US data platforms including AWS, Microsoft Azure, and Snowflake.

2025-01-09 14:50:26 | theregister | CYBERCRIME | Ivanti Faces Critical Security Flaws in Appliances, Urges Patching
Ivanti is dealing with two severe vulnerabilities in its Connect Secure appliances, one of which is being actively exploited as a zero-day. Affected products include specific older versions of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. The most critical issue, CVE-2025-0282, allows unauthenticated remote code execution and is already being exploited. Ivanti advises customers to perform factory resets and upgrade immediately to the latest software versions. Its Integrity Checker Tool (ICT) gives insight into a device's state but cannot detect ongoing exploitation. Patches for Connect Secure are available now, while updates for Policy Secure and ZTA Gateways are delayed until January 21. Mandiant and watchTowr say the exploitation bears the hallmarks of an APT campaign and has raised significant concern about the threat landscape. Ivanti had previously committed to a secure-by-design philosophy after earlier security issues, underscoring its ongoing struggle with cybersecurity resilience.

2025-01-09 13:44:25 | thehackernews | MALWARE | New Banshee Stealer Variant Sidesteps Antivirus with Enhanced Encryption
Researchers have identified a new version of the macOS malware Banshee Stealer that uses enhanced encryption to evade antivirus detection. First discovered in August 2024, Banshee Stealer was disrupted when its source code leaked in November of that year. It is now distributed through phishing sites and counterfeit GitHub repositories that imitate common applications. Banshee Stealer is sold as malware-as-a-service (MaaS) for $3,000 a month and targets data from web browsers, cryptocurrency wallets, and specific file types. Although the operation shut down after the source-code leak, ongoing campaigns suggest former clients are still using the malware. The updated variant has dropped the Russian-language check, potentially broadening its set of targets. The stealer is also spread through unsolicited Discord messages, harvesting user data and expanding the pool of compromised accounts. These developments show that even macOS systems are vulnerable to sophisticated attacks.

2025-01-09 13:18:52 | theregister | MALWARE | Fake Windows Exploit PoC Used to Distribute Malware to Researchers
The attacks used fake exploits for Microsoft security vulnerabilities to spread malware to security researchers. An apparent fork of a legitimate proof-of-concept (PoC) for LDAPNightmare was created that secretly executed information-stealing malware: the Python files of the legitimate version were replaced with an executable that dropped a PowerShell script to download and run further payloads. The stolen data included information about the user’s PC, directory listings, network IPs and adapters, and installed updates. Trend Micro noted that this tactic could reach a large number of victims because of the significance of the LDAP vulnerabilities in Windows environments. The decoy was built around CVE-2024-49113 and CVE-2024-49112, the latter of which received the highest severity score in Microsoft’s December patch release. This scheme is another in a series of sophisticated attacks aimed at deceiving security experts, sometimes using social media as part of the lure.

2025-01-09 11:57:37 | thehackernews | MISCELLANEOUS | Reco's Effective Strategy for Detecting Shadow AI in SaaS
Reco uses AI-based graph technology to identify and catalog unauthorized AI tools, known as shadow AI, within SaaS environments. Shadow AI is a risk because it lacks security controls and often sits undetected inside approved business applications or personal AI instances. Reco’s detection shows which SaaS applications and AI assistants are in use, how they connect, and the associated risks. It generates detailed lists of user behaviors, permissions, and interactions between SaaS and AI applications, and provides metrics such as a Vendor Risk Score to help prioritize security efforts and manage app-to-app integrations. Reco offers extensive visibility into shadow AI and SaaS usage but cannot directly enforce security measures; it acts primarily as a detection and advisory tool. Its continuous monitoring helps organizations understand and manage the lifecycle and security of SaaS applications and embedded AI tools.

2025-01-09 10:46:05 | thehackernews | NATION STATE ACTIVITY | Persistent Cyberattacks in Japan Linked to Chinese Threat Actor
Japan's National Police Agency and NCSC have identified the China-linked MirrorFace group as responsible for cyberattacks ongoing since 2019. MirrorFace, also known as Earth Kasha and categorized under APT10, primarily targets Japanese organizations to steal national security and advanced technology information. The actor uses sophisticated tools such as ANEL, LODEINFO, and NOOPDOOR to infiltrate targets and carry out attacks. Recent Trend Micro reports described a MirrorFace spear-phishing campaign delivering these malware tools to Japanese targets, and the group has conducted similar operations against entities in Taiwan and India. Its recent tactics include executing malicious payloads inside the Windows Sandbox to avoid detection, leaving no traces after a system restart or shutdown. MirrorFace’s campaigns fall into three major initiatives, indicating a highly organized and persistent threat to regional cybersecurity.

2025-01-09 10:46:05 | thehackernews | CYBERCRIME | Webinar Focus on Preventing Costly Encrypted Cyberattacks
Ransomware attacks increasingly use encryption to hide their activity and extort large ransoms. Encrypted cyberattacks rose 10.3% over the past year, a significant increase in this threat vector, and cybercriminals have extorted as much as $75 million in ransom payments. Zscaler's upcoming webinar, led by Emily Laufer, aims to help businesses prepare for these sophisticated threats. The session will cover strategies and actionable insights for proactively handling ransomware and encryption-based attacks. Prompt action is urged, since delays can lead to substantial financial losses and exposure of sensitive organizational data.