Daily Brief

Find articles below; each entry carries a generated summary

Total articles found: 12823

Checks for new stories every ~15 minutes

2024-12-12 17:08:13 bleepingcomputer DATA BREACH Cleo Issues Urgent Patch for Zero-Day Exploited by Ransomware
Cleo has released patches for a critical zero-day vulnerability in its LexiCom, VLTransfer, and Harmony file-transfer products after discovering active exploitation. The flaw, tracked as CVE-2024-50623, lets attackers run arbitrary bash or PowerShell commands on the host, putting the data these systems move at risk. The attacks have been linked to the Termite ransomware gang, with activity escalating in early December. An earlier fix was incomplete: fully patched systems on version 5.8.0.21 remained exploitable until Cleo shipped version 5.8.0.24 to address the issue. Customers are urged to install the latest version immediately and, where that is not yet possible, to disable the Autorun feature that the exploit chain relies on. Malichus, the post-exploitation malware used in these attacks, has been observed on Windows hosts but also supports Linux, and provides file transfer, command execution, and network communication. Indicators of compromise have been seen on more than 50 Cleo hosts, mostly at retail organizations in North America.
2024-12-12 16:47:48 bleepingcomputer CYBERCRIME International Crackdown on Vishing Ring Defrauding Thousands
Spanish and Peruvian police have arrested 83 people involved in a voice-phishing (vishing) operation that targeted more than 10,000 bank customers and netted roughly €3 million. Authorities carried out 29 simultaneous raids across Spain and Peru, seizing cash, mobile phones, computers, and documents. The operation ran out of three call centers employing about 50 people, who combined social engineering with caller-ID spoofing to pose as bank officials. Victims were told they were verifying unauthorized transactions and were talked into handing over banking details and one-time passcodes. Operatives stationed near bank branches used the codes immediately to withdraw funds, part of which was sent back to the scheme's organizers in Peru. To avoid detection the group color-coded the banks it targeted and spread its operatives across several cities. Spanish police have published guidance on recognizing such scams, stressing that a legitimate bank never asks for sensitive personal or account details over the phone.
2024-12-12 16:07:12 bleepingcomputer DATA BREACH Byte Federal Suffers Data Breach, 58,000 Users Affected
U.S. Bitcoin ATM operator Byte Federal has disclosed a data breach exposing the personal data of 58,000 customers after attackers exploited a vulnerability in GitLab, the developer collaboration and project-management platform the company uses. Byte Federal became aware of the unauthorized access on November 18, 2024. In response it performed a hard reset of customer accounts, rotated internal passwords, and revoked access tokens and keys. No user funds or digital assets were taken, but the exposed information could be used for SIM-swap attacks or account takeovers. Forensic analysis is ongoing with outside security specialists and law enforcement. Affected users have been told to change their login credentials and to watch for phishing and fraud attempts. Byte Federal has set up a dedicated helpline for affected customers but is not offering identity-theft protection or credit monitoring.
2024-12-12 14:26:07 thehackernews CYBERCRIME Over 296,000 Prometheus Servers Risk Sensitive Data Exposure
Researchers at Aqua have found roughly 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers reachable from the internet without authentication. Because Prometheus enables no authentication by default, these instances can leak sensitive data: scrape configurations and target metadata can contain credentials, API keys, internal API endpoints, subdomains, and Docker registry and image names, all useful reconnaissance for an attacker. The Go profiling endpoints under /debug/pprof are also reachable, and repeated CPU and memory profile requests can exhaust the server, making denial of service (DoS) straightforward. A third risk is RepoJacking: some third-party exporters referenced from the Prometheus documentation pointed to GitHub repositories that had been deleted or renamed, so an attacker who re-registered the name could ship malicious code to anyone installing that exporter, a path to remote code execution. The Prometheus security team addressed the RepoJacking exposure in September 2024; organizations are urged to put authentication in front of their Prometheus servers and exporters, monitor for suspicious access to these endpoints, and reduce public exposure.
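What an unauthenticated Prometheus endpoint actually hands an attacker, as an added example (not code from Aqua's research or from the Prometheus project): the function below probes the routes the report names, /metrics, the running-config and targets API, and /debug/pprof, and reports which of them answer without credentials. The probe is abstracted so the same logic can be pointed at a live host with urllib or, as here, at constructed responses, so the demonstration runs offline; the sample configuration, target list, and the placeholder token in it are invented for the example.

```python
"""Offline-testable exposure check for a Prometheus server or exporter.

Added example; not code from Aqua's research or from the Prometheus project.
The endpoint paths are real Prometheus/Node Exporter routes; the probe
abstraction lets the same assessment run against a live host (urllib) or
against constructed responses, so the demo below needs no network.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, response body)

# Keys that carry credentials inside scrape_configs / remote_write blocks.
SECRET_KEYS = re.compile(r"\b(password|bearer_token|credentials|api[_-]?key|secret)\b", re.I)


def live_probe(base_url: str, timeout: float = 5.0) -> Probe:
    """Probe a real host without credentials: a 200 means the route is open."""
    def probe(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return resp.status, resp.read(1 << 20).decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return exc.code, ""
        except (urllib.error.URLError, OSError):
            return 0, ""
    return probe


def _json_data(body: str) -> dict:
    """Return the 'data' object of a Prometheus API response, or {} if unparsable."""
    try:
        doc = json.loads(body)
        return doc.get("data", {}) if isinstance(doc, dict) else {}
    except ValueError:
        return {}


def assess(probe: Probe) -> Dict[str, object]:
    """Return the findings a reviewer would act on, in the order of the write-up."""
    findings: List[str] = []
    internal_urls: List[str] = []

    # 1. Metrics readable without auth (applies to the server and to Node Exporter).
    status, body = probe("/metrics")
    if status == 200 and "# HELP" in body:
        findings.append("metrics-unauthenticated")

    # 2. Running configuration: scrape targets, plus any embedded credentials.
    status, body = probe("/api/v1/status/config")
    if status == 200:
        findings.append("config-exposed")
        if SECRET_KEYS.search(str(_json_data(body).get("yaml", body))):
            findings.append("config-contains-credential-keys")

    # 3. Active targets: a ready-made map of internal hosts and ports.
    status, body = probe("/api/v1/targets")
    if status == 200:
        findings.append("targets-exposed")
        for target in _json_data(body).get("activeTargets", []):
            url = target.get("scrapeUrl")
            if url:
                internal_urls.append(url)

    # 4. Go pprof handlers: profile requests are cheap to send and costly to serve.
    status, _ = probe("/debug/pprof/")
    if status == 200:
        findings.append("pprof-reachable")

    return {"findings": findings, "internal_urls": sorted(set(internal_urls))}


# Constructed responses imitating an unauthenticated Prometheus server (sample data).
_SAMPLE: Dict[str, Tuple[int, str]] = {
    "/metrics": (200, "# HELP up Whether the scrape succeeded.\nup 1\n"),
    "/api/v1/status/config": (200, json.dumps({"status": "success", "data": {"yaml":
        "scrape_configs:\n- job_name: billing-api\n  bearer_token: PLACEHOLDER_TOKEN\n"
        "  static_configs:\n  - targets: ['10.0.3.7:8443']\n"}})),
    "/api/v1/targets": (200, json.dumps({"status": "success", "data": {"activeTargets": [
        {"scrapeUrl": "http://10.0.3.7:8443/metrics", "labels": {"job": "billing-api"}},
        {"scrapeUrl": "http://registry.internal:5000/metrics", "labels": {"job": "docker-registry"}}],
        "droppedTargets": []}})),
    "/debug/pprof/": (200, "<html><body>/debug/pprof/</body></html>"),
}


def sample_open_probe(path: str) -> Tuple[int, str]:
    """Constructed host with no authentication at all."""
    return _SAMPLE.get(path, (404, ""))


def sample_locked_probe(path: str) -> Tuple[int, str]:
    """Same host after basic auth is enabled via --web.config.file: every route answers 401."""
    return 401, ""


if __name__ == "__main__":
    print(assess(sample_open_probe))
    print(assess(sample_locked_probe))
```

Pointed at a real host with assess(live_probe("http://prometheus.internal:9090")), a non-empty findings list means the server or exporter needs authentication in front of it. Both Prometheus and Node Exporter accept a --web.config.file with TLS and basic_auth_users settings; a reverse proxy that enforces authentication is the alternative, and in either case the API and profiling routes should not be reachable from the internet.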
2024-12-12 13:40:28 thehackernews NATION STATE ACTIVITY Russia's Gamaredon Group Deploys New Spyware in Ex-Soviet States
Russia-linked Gamaredon (also tracked as Aqua Blizzard and Shuckworm, among other names) has added two Android spyware families, BoneSpy and PlainGnome, to its toolset, according to Lookout. Both target Russian-speaking users in former Soviet states and collect SMS messages, call logs, photos, location data, and other device information. BoneSpy has been active since 2021 and PlainGnome was first seen in 2023; together they mark the first known Gamaredon campaign built exclusively on mobile malware. There is no indication the tools have been used against Ukraine, the group's usual focus; the likely targets are Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, which may reflect those countries' cooling relations with Russia. Beyond data collection, the malware profiles the device, its communications, and the user's behavior, and attempts to obtain root access. Distribution is believed to rely on lures such as apps posing as legitimate software or updates. Recorded Future has separately highlighted Gamaredon's use of Cloudflare Tunnels to hide the infrastructure hosting its malicious operations.
2024-12-12 13:35:09 theregister MALWARE Critical Remote Code Execution Flaw Found in Apache Struts
The Apache Struts project has disclosed a remote code execution vulnerability in Struts 2, tracked as CVE-2024-53677 and rated between 9.5 and 9.8 (the latter in the National Vulnerability Database). It can be exploited remotely without any privileges and fully compromises the confidentiality, integrity, and availability of the affected application. Apache withheld technical details for a time to give developers a window to move to Struts 6.4.0 or later, where the issue is fixed. There is no workaround, and upgrading alone is not enough: the flaw lies in the deprecated File Upload Interceptor, and applications remain vulnerable until they are also migrated to the Action File Upload Interceptor, which requires code changes in the affected actions. Although newer frameworks have overtaken it in popularity, Struts 2 is still widely deployed, and many downloads are likely to include versions exposed to CVE-2024-53677. The report recalls the Equifax breach, which was traced to an unpatched Struts vulnerability.
2024-12-12 12:39:25 thehackernews MALWARE Apple Patches TCC Bypass Vulnerability in iOS and macOS
Jamf Threat Labs has reported CVE-2024-44131, a vulnerability in Apple's iOS and macOS that allows bypassing the Transparency, Consent, and Control (TCC) framework and gaining access to sensitive data such as Health records, the microphone, and the camera without prompting the user. The bug sits in the FileProvider component and affects versions prior to iOS 18, iPadOS 18, and macOS Sequoia 15. It is a symbolic-link attack: a malicious app running in the background can interfere with a file operation the user has initiated and, by planting a symlink, redirect the copied or moved files to a location the attacker controls, which opens the door to data exfiltration. Apple fixed it with improved validation of symlinks in its iOS, iPadOS, and macOS updates. Since TCC is the core mechanism that gates app access to sensitive data, a working bypass undermines the whole permission model. In the same releases Apple also patched issues in WebKit and Audio that could have led to arbitrary code execution and privacy intrusions.
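The symlink redirection at the heart of this bug, as an added generic illustration rather than Apple's FileProvider code or the Jamf proof of concept: a helper copies a file the user chose into a protected directory, and a background process that can write to that directory plants a symlink under the expected name. The first routine follows the link and the data lands in an attacker-controlled location; the second opens relative to the directory with O_NOFOLLOW and confirms it is writing to a regular file, the kind of validation Apple's fix adds. Directory names, file names, and the sample file content are constructed for the demonstration, which assumes a POSIX filesystem.

```python
"""Symlink redirection of a user-initiated file operation, and the check that blocks it.

Added example, not Apple's FileProvider code and not the Jamf proof of concept:
a generic POSIX illustration of the pattern described for CVE-2024-44131. A
privileged helper copies a file the user chose into a protected directory. If
the helper resolves the destination by following symlinks, a background process
that can write to that directory can plant a symlink under the expected name
and redirect the write to a location it controls. Names, paths and sample data
below are constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile
from typing import Tuple


def copy_following_symlinks(src: str, dst_dir: str, name: str) -> str:
    """Vulnerable: a plain open() on the joined path follows whatever 'name' points at."""
    dst = os.path.join(dst_dir, name)
    shutil.copyfile(src, dst)          # creates/overwrites the symlink's *target*
    return os.path.realpath(dst)       # where the bytes actually landed


def copy_no_follow(src: str, dst_dir: str, name: str) -> str:
    """Hardened: open relative to the directory, refuse a symlink as the final
    component, and verify the opened object is a regular file before writing."""
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("name must be a single path component")
    dirfd = os.open(dst_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        try:
            fd = os.open(name, flags, 0o600, dir_fd=dirfd)
        except OSError as exc:         # ELOOP when 'name' is a symlink
            raise PermissionError(f"refusing to write through {name!r}: {exc.strerror}") from exc
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise PermissionError(f"{name!r} is not a regular file")
            with open(src, "rb") as s, os.fdopen(fd, "wb") as d:
                fd = -1                # fdopen now owns and closes the descriptor
                shutil.copyfileobj(s, d)
        finally:
            if fd != -1:
                os.close(fd)
    finally:
        os.close(dirfd)
    return os.path.realpath(os.path.join(dst_dir, name))


def demo(hardened: bool) -> Tuple[str, bool]:
    """One attempt. Returns (where the copy landed relative to the sandbox, or
    'blocked'; whether the attacker's file came into existence)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected")   # only the helper should write here
        attacker = os.path.join(root, "attacker")     # attacker-controlled location
        os.mkdir(protected)
        os.mkdir(attacker)
        user_file = os.path.join(root, "health.csv")
        with open(user_file, "w") as f:
            f.write("heart_rate,72\n")                # constructed sample data
        loot = os.path.join(attacker, "stolen.csv")
        # Background attacker plants a symlink under the name the helper will use.
        os.symlink(loot, os.path.join(protected, "health.csv"))
        copier = copy_no_follow if hardened else copy_following_symlinks
        try:
            landed = copier(user_file, protected, "health.csv")
        except PermissionError:
            landed = "blocked"
        leaked = os.path.exists(loot)
        if landed != "blocked":
            landed = os.path.relpath(landed, os.path.realpath(root))
        return landed, leaked


if __name__ == "__main__":
    print("following symlinks:", demo(hardened=False))   # data lands in attacker/
    print("O_NOFOLLOW + fstat:", demo(hardened=True))     # write refused, nothing leaks
```

The hardened routine also defends against the race in which the symlink appears between a check and the open, because the refusal happens inside the open itself rather than in a separate lstat beforehand.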
2024-12-12 12:03:44 theregister DDOS Operation PowerOFF Tackles DDoS Crime with Global Raids and Arrests
Europol's Operation PowerOFF, which targets DDoS-for-hire networks, has taken down 27 domains and 18 booter platforms and led to the arrest of three service administrators in France and Germany. Affected platforms include zdstresser.net, orbitalstress.net, and starkstresser.net, and more than 300 users of the services have been identified. Fifteen countries took part, spanning Europe, North America, Australia, and Japan. Alongside the takedowns, authorities run deterrence campaigns that include online advertisements aimed at would-be customers and direct outreach such as warning letters and emails. The aim is both to dismantle existing DDoS infrastructure and to prevent future attacks through education and deterrence.
2024-12-12 11:33:13 thehackernews MISCELLANEOUS Guide to Effective SaaS Budget Planning for IT Professionals
SaaS spending is projected to reach $247.2 billion globally, highlighting the importance of strategic budget planning in IT and finance. Efficient SaaS budgeting is crucial as it helps ensure that every dollar spent maximizes ROI, with estimates suggesting 33% of SaaS spending is potentially wasteful. SaaS budget planning involves collaboration between IT, finance, and SaaS application owners to address unique challenges like complex pricing models and contract terms. Establishing a detailed SaaS inventory and understanding business needs are key first steps in creating a budget, aiming to eliminate untracked costs and optimize resource allocation. Future SaaS spending should be forecasted based on current inventories and growth indicators, with budgets adjusted over time to improve efficiency and reduce waste. Common budgeting mistakes include failing to negotiate terms, not understanding billing models, and overlooking contract nuances which can lead to unexpected costs. Tools like Auvik SaaS Management (ASM) can automate inventory management and help IT teams manage SaaS usage more effectively, minimizing waste and securing environments. Emphasizing a strategic approach to SaaS expense management can unlock potential savings and contribute to broader business objectives.
2024-12-12 10:27:22 theregister MISCELLANEOUS British Army Tests Laser Weapon Against Drones on Armored Vehicles
The British Army has for the first time used a high-energy laser mounted on an armored vehicle to destroy drones. The trials, carried out by 16 Regiment Royal Artillery, took place at the Radnor Range in Wales following earlier tests at the Porton Down range. The 15-kilowatt infrared laser neutralized aerial targets at ranges of over 1 kilometer. Lasers offer a sustainable defense against drones because, unlike conventional weapons, they do not run out of ammunition. The trials fall under the Ministry of Defence's (MoD) Laser Directed Energy Weapon (LDEW) program, which uses Raytheon UK's High-Energy Laser Weapon System (HELWS). The technology is still experimental, but the goal is a cost-effective and operationally advantageous capability for modern battlefields, and the wider MoD initiative could see laser weapons fielded by the Royal Navy and Royal Air Force as well.
2024-12-12 09:21:35 thehackernews MALWARE Exploitation of WordPress Plugin Vulnerabilities Leads to Attack Chain
A critical vulnerability in the Hunk Companion WordPress plugin, tracked as CVE-2024-11972, is being exploited to install other plugins without authorization. Attackers use it to pull in plugins that are vulnerable, or that have been removed from the WordPress.org repository, and then exploit those for remote code execution (RCE) and SQL injection. The flaw affects all versions before 1.9.0, and the plugin has more than 10,000 active installations. In observed attacks CVE-2024-11972 was chained with CVE-2024-50498, an RCE flaw in the WP Query Console plugin, to run malicious PHP code. The exploited flaw is also a bypass of the patch for CVE-2024-9707, pointing to a recurring weakness in how Hunk Companion enforces authorization. WPScan found the issue while investigating a compromised WordPress site, a reminder that third-party themes and plugins need constant vigilance and timely updates. Separately, Wordfence has reported a high-severity flaw in the WPForms plugin, underscoring the ongoing security challenges in the WordPress plugin ecosystem and the need to secure every component of a site.
2024-12-12 08:51:06 theregister MISCELLANEOUS Firefox to Remove Ineffective "Do Not Track" Feature in 2025
Mozilla will remove the "Do Not Track" (DNT) setting from Firefox's Privacy and Security settings in Firefox 135, due on February 4, 2025. DNT has been largely ineffective because honoring it is voluntary and most websites simply ignore it. Mozilla points users to Global Privacy Control (GPC) instead, a newer signal that is being adopted as a technical standard and offers a stronger basis for opting out of tracking. Unlike DNT, GPC is backed by recent privacy regulation such as California's Consumer Privacy Act and the EU's General Data Protection Regulation, which makes it potentially enforceable. Google Chrome and Microsoft Edge still do not support GPC natively, so their users need an extension or a different browser to send it. Mozilla and other privacy advocates also recommend extensions such as Privacy Badger and uBlock Origin, or a VPN, for additional protection. The decision reflects an industry shift toward privacy signals with legal backing and an acknowledgment that voluntary compliance has not worked for online tracking.
2024-12-12 06:19:33 thehackernews DDOS Global Crackdown on DDoS Platforms Leads to Multiple Arrests
Europol coordinated an international operation named PowerOFF, targeting DDoS stresser services across 15 countries. 27 DDoS platforms including zdstresser.net, orbitalstress.net, and starkstresser.net were taken offline, and three administrators were arrested in France and Germany. The crackdown also identified over 300 users of these platforms, setting the stage for further operational activities against cybercriminal activities. These booter and stresser websites utilized botnet malware from compromised devices to execute large-scale DDoS attacks for clients against various targets. Dutch authorities are prosecuting four individuals involved in hundreds of DDoS attacks, highlighting ongoing legal actions within the nations involved. The operation saw participation from nations including Australia, Brazil, Canada, Finland, France, Germany, and the United States, reflecting a broad international response. The operation coincides with increased DDoS activities during high retail traffic periods, underscoring the persistent threat to global web infrastructure. Additional global concerns include a significant misconfiguration issue in CDN/WAF services that could allow attackers to circumvent web application protections.
2024-12-12 05:08:46 theregister MISCELLANEOUS Citrix Enhances Security Offerings with European Acquisitions
Citrix has acquired two European companies, deviceTRUST and Strong Network, to strengthen its security capabilities. DeviceTRUST, based in Germany, focuses on enhancing security by verifying user context and behaviors, such as device location and connected peripherals. Swiss company Strong Network specializes in Cloud Development Environments that facilitate coding in the cloud with integrations like GitHub and cloud storage services. Both companies' technologies will be incorporated into the Citrix Platform, which provides tools for virtual desktops, application publishing, and network infrastructure management. The acquisitions are part of Citrix's strategic initiative to improve its existing zero trust security tools and expand support for Secure Private Access in hybrid environments. The new acquisitions aim to provide Citrix customers, especially developers, more seamless and secure cloud-based coding environments. Citrix has not disclosed the financial terms of these acquisitions, and further details about the integration into Citrix's offerings are anticipated.
2024-12-11 23:29:31 bleepingcomputer MALWARE Hackers Exploit WordPress Plugin Vulnerability to Install Backdoors
Hackers are exploiting a critical vulnerability in the Hunk Companion WordPress plugin to install outdated, vulnerable plugins on the sites it runs on. Those older plugins carry known flaws that allow remote code execution, SQL injection, and cross-site scripting. WPScan identified the issue, tracked as CVE-2024-11972, which lets an unauthenticated attacker install plugins, and found it being exploited in the wild, including to drop a PHP backdoor for persistent access. Hunk Companion, which adds functionality to ThemeHunk WordPress themes, is used on more than 10,000 sites. A previous release had patched a similar flaw; version 1.9.0 was then rushed out to fix this zero-day. Based on initial download figures for the fix, roughly 8,000 sites had not yet updated and remain exposed.