Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12825
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-20 04:35:28 | thehackernews | CYBERCRIME | Critical Flaw in BeyondTrust Software Actively Exploited | CISA has added a severe security vulnerability in BeyondTrust software to its Known Exploited Vulnerabilities catalog. The flaw, identified as CVE-2024-12356 with a CVSS score of 9.8, allows command injection by unauthenticated users. BeyondTrust has already patched the flaw for its cloud-based solutions, but self-hosted users need to manually update their systems. A separate cyber attack on BeyondTrust earlier this month led to the compromise of some Remote Support SaaS instances. Attackers in this incident used a stolen API key to reset account passwords on the local application. Another vulnerability, CVE-2024-12686, was uncovered during investigations; it also allows command injection, but with lower severity. BeyondTrust has communicated with all affected customers and has fixed the newly discovered issues in the latest software versions. The extent of the damage and the identities of the attackers are still not fully known. | Details |
| 2024-12-20 03:24:38 | theregister | MISCELLANEOUS | Debating AI's Role in Red Team Cybersecurity Operations | Infosec professionals are divided on the effectiveness of AI in red team operations, which test enterprise systems for vulnerabilities. IBM's red team successfully used AI to uncover a flaw in a tech manufacturer's HR portal, accelerating the flaw identification process. Concerns remain about AI's transparency and its ability to explain its processes, potentially complicating legal defenses in cybersecurity contexts. Experts at the Canalys APAC Forum discussed AI's potential to innovate and transform cybersecurity but stressed the need for cautious regulation. Critics argue that generative AI may not yet be mature enough for complex red team operations, though it shows promise in simpler penetration testing roles. Legal perspectives highlight uncertainties about liability and accountability when AI tools are used in security testing. There is a call within the industry for clear regulations and policies governing the use of AI in cybersecurity to avoid over-reliance and maintain operational integrity. | Details |
| 2024-12-19 22:06:38 | bleepingcomputer | MALWARE | BadBox Malware Botnet Expands, Infecting Major Android Brands | The BadBox malware, originally targeting obscure Chinese Android devices, now infects prominent brands like Yandex TVs and Hisense smartphones. Despite a sinkhole operation by Germany's Federal Office for Information Security aiming to disrupt the botnet, the BadBox infection has grown to over 192,000 devices. Financial gains drive the BadBox campaign; infected devices are repurposed as residential proxies or used for ad fraud, often by cybercriminals. The botnet, thought to originate from the 'Triada' malware family, enters devices through compromised supply chains or during distribution. Germany's effort disrupted 30,000 devices but did not significantly impact the botnet's broader operations, indicating geographical limitations in the effectiveness of the sinkhole. BitSight researchers managed to sinkhole another command and control server, observing over 160,000 unique IPs connecting within 24 hours. Signs of infection include device overheating, performance issues, unusual network traffic, and unauthorized settings changes. Experts advise consumers to update device firmware, isolate smart devices, and disconnect them when not in use to mitigate risks. | Details |
| 2024-12-19 18:59:43 | bleepingcomputer | MALWARE | Malicious Android App Found in Amazon Store Steals Data | A spyware app called 'BMI CalculationVsn' was discovered on the Amazon Appstore, masquerading as a health tool but designed to steal data from Android devices. McAfee Labs identified the malicious application, prompting Amazon to remove it. Users who downloaded the app need to uninstall it and conduct a full device scan. The Amazon Appstore is an alternative to Google Play and comes pre-installed on Amazon Fire tablets and Fire TV devices. The spyware app, while providing actual BMI calculation, secretly performs harmful activities such as screen recording, scanning installed applications, and intercepting SMS messages including OTPs. The screen recording made by the app was saved but not uploaded to its control server, suggesting it was likely in a developmental testing phase. Security experts advise Android users to install apps only from reputable publishers and to carefully review the permissions requested by apps. Keeping Google Play Protect active is essential for detecting and blocking recognized malware on Android devices. | Details |
| 2024-12-19 18:44:20 | bleepingcomputer | MALWARE | Mirai Malware Targets Juniper Networks with DDoS Attacks | Juniper Networks issued a warning about Mirai botnet attacks targeting Session Smart routers using default credentials. Detected first on December 11, the infected routers facilitated distributed denial-of-service (DDoS) attacks. The malware compromises devices by scanning for and logging in with default credentials, allowing the execution of remote commands. Juniper advised immediate action to change default passwords, enforce strong, unique credentials, and update router firmware. Recommendations for network admins include reviewing access logs for anomalies, setting up intrusion detection systems, and using firewalls to prevent unauthorized access. Infected systems need to be reimaged entirely to eradicate the malware effectively and securely. This incident follows previous security warnings by Juniper, including a critical remote code execution exploit and a severe authentication bypass flaw in its products. | Details |
| 2024-12-19 18:28:54 | bleepingcomputer | MALWARE | Mirai Botnet Compromises Routers with Default Credentials | Juniper Networks alerts on Mirai malware targeting Session Smart routers using default login details. Detected first on December 11, infected routers are exploited to launch DDoS attacks. Juniper advises immediate change of default passwords to unique, strong credentials and firmware updates. Measures include monitoring access logs, setting alerts, deploying IDS, and using firewalls to prevent unauthorized access. Infected systems need reimaging to fully mitigate any remaining risks post-infection. Previous warnings from Juniper noted ongoing attacks exploiting critical vulnerabilities in their network devices. | Details |
| 2024-12-19 17:28:05 | bleepingcomputer | MALWARE | Critical FortiWLM Vulnerability Grants Hackers Admin Access | Fortinet disclosed a critical flaw in FortiWLM, affecting versions 8.6.0 to 8.6.5 and 8.5.0 to 8.5.4, with a severity rating of 9.8. Discovered by Horizon3 researcher Zach Hanley, the vulnerability allows remote attackers to execute commands and hijack devices. Attackers can exploit the 'imagename' parameter to read sensitive log files containing administrator session IDs via directory traversal. These IDs enable unauthorized users to access and manipulate wireless networks, used by sectors including government and healthcare. Despite discovery in May 2023, a fix and security bulletin were only made public in December 2024, following a zero-day period. Users remained unaware for several months due to delayed CVE identification and security communication from Fortinet. Fortinet has now patched the issue in versions 8.6.6 and 8.5.5 of FortiWLM, stressing the importance of immediate updates by administrators. | Details |
| 2024-12-19 15:46:55 | bleepingcomputer | CYBERCRIME | BeyondTrust Suffers Cyberattack on Remote Support SaaS Instances | BeyondTrust detected abnormal behavior in its network on December 2nd, 2024, signaling a cyberattack. Hackers compromised Remote Support SaaS instances by obtaining and exploiting an API key. The attack allowed unauthorized resetting of passwords for local application accounts. Two vulnerabilities were discovered during the investigation, one critical and one medium-severity, possibly exploited as zero days. BeyondTrust has patched these vulnerabilities for cloud instances and alerted customers to update self-hosted systems. Investigations are ongoing to determine the full impact on BeyondTrust and potential downstream effects on customers. BeyondTrust remains vigilant and continues to update its security measures and provide further information as it becomes available. | Details |
| 2024-12-19 14:00:46 | thehackernews | MALWARE | Typosquatting Campaign Infects Thousands via Fake npm Libraries | Threat actors created counterfeit npm libraries that impersonated popular tools, leading to thousands of downloads. The fake packages, such as @typescript_eslinter/eslint and types-node, contained malicious code intended to install trojans and retrieve further malicious payloads. The npm listings for these packages included links to phony GitHub repositories created explicitly for these attacks, enhancing their appearance of legitimacy. One particular malicious file, "prettier.bat," disguised as a batch file, was identified as a Windows executable trojan. This incident highlights significant vulnerabilities in software supply chains and the ease with which developers can be duped into downloading compromised software. Security analysts emphasize the necessity for enhanced vigilance and security measures when utilizing third-party software libraries. Relatedly, similar tactics were seen in malicious VSCode extensions targeting the crypto community, indicating a broader pattern of exploiting development environments through trusted platforms. These findings underscore the ongoing risks associated with downloading and implementing open-source tools without thorough security vetting. | Details |
| 2024-12-19 13:40:17 | thehackernews | MALWARE | Juniper Alerts on Mirai Botnet Hacking Devices with Default Passwords | Juniper Networks has issued an advisory about the Mirai botnet targeting Session Smart Router (SSR) products that use default passwords. The warning came after anomalies were detected on several customer systems on December 11, 2024, which were traced back to Mirai malware infections. Infected devices were used to launch DDoS attacks against other network-connected systems. Recommendations to mitigate risk include using strong, unique passwords, auditing access logs regularly, using firewalls, and updating software. Indicators of Mirai infection include unusual port scanning, frequent SSH login attempts, high outbound traffic, system reboots, and connections from known malicious IPs. Juniper advises reimaging the infected systems as it's uncertain what alterations or data theft may have occurred. Concurrently, ASEC reported the rise of a new DDoS malware, cShell, mainly targeting Linux servers with exposed SSH services. | Details |
| 2024-12-19 10:33:26 | thehackernews | MALWARE | Critical Security Update Required for FortiWLM to Mitigate Flaws | Fortinet issued an advisory for a critical flaw in FortiWLM, identified as CVE-2023-34990, with a CVSS score of 9.6, necessitating immediate updates. The vulnerability allows unauthenticated remote attackers to read sensitive files and potentially execute unauthorized code or commands. The flaw impacts certain versions of FortiWLM, and patches are now available to address this security issue. CVE-2023-34990 could enable attackers to obtain session IDs, hijack user sessions, and gain administrative access to the appliance. The vulnerability can also potentially be combined with another flaw, CVE-2023-48782, enabling remote code execution as root. A related high-severity command injection vulnerability in FortiManager, CVE-2024-48889, has also been addressed in recent updates. Users are urged to update affected Fortinet devices promptly to protect against exploitation by threat actors targeting these vulnerabilities. | Details |
| 2024-12-19 10:02:56 | thehackernews | NATION STATE ACTIVITY | CISA Orders Enhanced Cloud Security Measures for Federal Agencies | CISA issued Binding Operational Directive 25-01, mandating that federal civilian agencies secure cloud environments per SCuBA secure configuration baselines. The directive, prompted by recent cybersecurity incidents, aims to minimize risks from misconfigurations and weak security controls. Agencies are required to utilize CISA-developed automated configuration assessment tools aligned with SCuBA and to integrate continuous monitoring. The primary focus is on Microsoft 365 cloud applications; expansion of the secure baselines to other cloud services is planned. The deadline for all federal agencies to comply with the new security practices, intended to bolster protections and resilience, is set for next year. Additional guidance encourages regular updates to security configurations to match vendor patches and evolving security best practices. In parallel, CISA released mobile communication guidelines in response to cyber espionage, particularly the targeting of US telecommunication entities by China-linked groups. | Details |
| 2024-12-19 09:27:27 | thehackernews | DATA BREACH | Netflix Fined €4.75 Million for GDPR Compliance Failures | The Dutch Data Protection Authority fined Netflix €4.75 million for insufficient data usage transparency from 2018 to 2020. Netflix did not adequately inform customers about the specifics of its data collection practices or the processing of their personal data. Violations included unclear information on third-party data sharing, data retention periods, and data security, especially across non-European countries. The investigation was initiated after a complaint by Austrian privacy non-profit None of Your Business (noyb) in January 2019. Despite updating its privacy policies, Netflix is contesting the fine, highlighting ongoing challenges in data protection compliance. This incident underscores the heightened scrutiny and enforcement of GDPR regulations affecting major tech companies operating in Europe. Similar GDPR-related complaints by noyb have led to substantial fines against other tech giants like Spotify. | Details |
| 2024-12-19 08:41:49 | thehackernews | MALWARE | Ukraine Alerts on Malware Campaign via Phony Army+ App | The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a malware campaign targeting military personnel using a fake version of the Army+ app. Threat actor UAC-0125, utilizing Cloudflare Workers, is deceiving individuals into downloading a compromised Windows executable of the Army+ app. The malware deploys a decoy document while executing a PowerShell script to install OpenSSH, generate RSA cryptographic keys, and exfiltrate private keys via the TOR network. The campaign aims to provide remote access to the adversary, enabling potential espionage or further malicious activities. UAC-0125 is linked to APT group UAC-0002, also known as APT44 or Sandworm, which is associated with Russian military intelligence (GRU). There has been a significant increase in the abuse of legitimate services like Cloudflare for phishing and credential theft, highlighted by a 198% increase in incidents on Cloudflare Pages. The broader context includes European Council sanctions against Russian individuals and entities involved in destabilizing actions abroad, including cyber attacks and disinformation campaigns. | Details |
| 2024-12-19 05:34:55 | theregister | CYBERCRIME | Widespread Azure Phishing Attacks Target UK, European Sectors | Researchers from Palo Alto Networks' Unit 42 identified a phishing campaign impacting about 20,000 users, chiefly in the UK and Europe's automotive, chemical, and industrial manufacturing sectors. Attackers attempted to steal Microsoft Azure account credentials via phishing emails conveying urgency and using a DocuSign pretext. The phishing operation aimed to hijack victims' Microsoft Azure cloud environments, facilitating prolonged unauthorized access and potential data theft. Unit 42 could not ascertain the exact number of compromised victims but indicated strong evidence of a concentration of targets in the UK and Europe. The phishing emails directed victims through malicious links to fake Microsoft Outlook Web Access login pages, where credentials were harvested. Although some phishing infrastructure was taken offline, Unit 42 discovered active elements enabling them to study the phishing tactics and the source code used. Attacks were identified as peaking in June and ongoing as of September, according to the researchers' tracking and analysis. Security experts underline the importance of vigilance and verification of email sources and embedded links to mitigate such phishing schemes. | Details |