Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-12 19:32:19 | theregister | CYBERCRIME | Major Cybersecurity Issue Affects Ahold Delhaize's US Operations | Ahold Delhaize, parent company of Food Lion and Stop & Shop, is dealing with outages it attributes to a "cybersecurity issue." The outages have disrupted pharmacy services and e-commerce and caused delivery delays and invoicing problems. The company has taken some systems offline, engaged external cybersecurity experts, and notified law enforcement. All stores remain open, but impact varies: some have restored services while others are working around the outage with limited means such as personal hotspots. Employees and customers report phone-line problems, inaccurate invoices, and unavailable online services. One employee reported fraudulent charges on a debit card shortly after the incident, raising so far unconfirmed concerns about exposure of payment data. Restoration is ongoing; pharmacies can again refill prescriptions through alternative arrangements. Nearly 2,000 US stores are potentially affected, with significant disruption reported across locations. | Details |
| 2024-11-12 19:01:16 | bleepingcomputer | MALWARE | Microsoft's November Patch Rectifies Zero-Days and 91 Flaws | Microsoft's November 2024 Patch Tuesday fixes 91 vulnerabilities, four of them rated critical and four of them zero-days. Two zero-days were actively exploited: an NTLM hash disclosure spoofing flaw (CVE-2024-43451) and a Windows Task Scheduler elevation-of-privilege flaw (CVE-2024-49039). Two more were publicly disclosed but not known to be exploited: a Microsoft Exchange Server spoofing flaw (CVE-2024-49040) and an Active Directory Certificate Services flaw (CVE-2024-49019) that could let an attacker gain domain administrator privileges. The NTLM flaw leaks a user's NTLMv2 hash after minimal interaction with a malicious file (selecting, right-clicking or inspecting it, without opening it), which is enough for relay or offline cracking. The Exchange update also adds a warning banner to messages whose sender header is detected as spoofed. Microsoft recommends installing the updates immediately; several other vendors released patches and advisories the same day. | Details |
| 2024-11-12 17:28:58 | bleepingcomputer | MISCELLANEOUS | Signal Enhances Group Chat Experience with New Features | Signal has introduced "call links," shareable links that let people join a group call without first being added to a group chat. Users create and share a call link from the Signal app, and anyone with the link who runs Signal can join. Group calls support up to 50 participants and keep Signal's end-to-end encryption. Call links are reusable, so one link can serve a recurring meeting or an informal gathering. Hosts can optionally require approval before a participant is admitted, giving them control over who joins. The same release adds usability improvements to the in-call experience. The features ship in the latest Signal versions for Android, iOS and Desktop. Signal also invites users to its beta program to help surface issues with the new features. | Details |
| 2024-11-12 16:50:45 | bleepingcomputer | NATION STATE ACTIVITY | FBI and NSA Report Top Exploited Vulnerabilities of 2023 | The FBI, NSA and their Five Eyes partners published a joint advisory listing the 15 vulnerabilities most routinely exploited in 2023. Compared with 2022, zero-day exploitation rose sharply: 12 of the 15 were first exploited before a patch was available. CVE-2023-3519, a critical code-injection flaw in Citrix NetScaler ADC and Gateway, tops the list after state-sponsored actors used it against U.S. critical infrastructure; more than 2,000 NetScaler appliances worldwide had been compromised through it by mid-August 2023. The advisory urges organizations to run an effective patch-management program and to respond quickly to vulnerability disclosures, since these flaws keep being exploited long after fixes ship. It includes mitigation guidance and warns that the listed CVEs are expected to remain under active exploitation through 2024 and 2025. | Details |
| 2024-11-12 16:39:36 | theregister | CYBERCRIME | Critical Exploit Discovered in Citrix Virtual Apps and Desktops | Researchers at watchTowr disclosed a flaw in the Session Recording Manager component of Citrix Virtual Apps and Desktops that they describe as unauthenticated remote code execution. Citrix disputes that characterization: its advisory (CVE-2024-8068 and CVE-2024-8069) describes privilege escalation to the NetworkService account and limited RCE, and says exploitation requires an authenticated user on the same Windows Active Directory domain and intranet as the Session Recording server. The root cause is an MSMQ queue with overly permissive access whose messages are deserialized with .NET's BinaryFormatter. MSMQ normally listens on TCP port 1801, but the server also exposes the queue over MSMQ's HTTP transport, so a crafted message can be delivered with a plain HTTP request. Citrix has released hotfixes for the affected Virtual Apps and Desktops versions. Microsoft has long flagged BinaryFormatter as insecure for untrusted input and recommends against its use. Successful exploitation would let an attacker run code as NetworkService on the recording server and potentially impersonate administrative users and reach every hosted application and desktop. The case is another reminder that dangerous deserialization sinks persist in production software and that patches for them need rapid rollout. | Details |
| 2024-11-12 16:39:35 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hacker Group Reactivates Botnet After Law Enforcement Disruption | The Chinese state-sponsored group Volt Typhoon is rebuilding its KV-Botnet after an FBI-led takedown in January 2024. The botnet is built mostly from end-of-life SOHO routers from Cisco and Netgear, infected with malware that provides covert command channels and persistent access to the networks behind them. SecurityScorecard reports that about 30% of internet-exposed Cisco RV320/325 routers were compromised within 37 days. The operators use MIPS-based malware and webshells and communicate over non-standard ports to evade detection. Compromised devices are concentrated in Asia, with command-and-control servers spread across several locations for resilience. A compromised VPN device in New Caledonia acts as a relay between the Asia-Pacific and Americas segments of the infrastructure, helping the traffic blend in. Recommended defenses: update firmware on supported routers, replace end-of-life hardware, and tighten network monitoring and segmentation around edge devices. | Details |
| 2024-11-12 15:13:32 | theregister | MISCELLANEOUS | Effective Strategies for Managing Third-Party IT Security Risks | Growing reliance on contractors and vendors widens the set of people and systems with access to an organization's data, and with it the risk of unauthorized access. This webinar, led by SailPoint's Steve Toole, covers third-party risk management in IT environments. Topics include identifying the security risks that third parties introduce and the controls that mitigate them. It stresses extending a security-conscious culture to external partners. IT managers and security professionals will get practical guidance on protecting data from threats that enter through third-party access. The session's goal is better practice around provisioning, reviewing and revoking third-party access and handling the vulnerabilities it creates. | Details |
| 2024-11-12 14:01:23 | thehackernews | CYBERCRIME | GoIssue Phishing Tool Targets GitHub Users in Bulk Email Scams | A new phishing tool named GoIssue is being marketed for bulk email campaigns aimed at GitHub developers, with features intended to get past spam filters. Developed by a threat actor using the handle cyberdluffy on the Runion forum, it harvests email addresses from public GitHub profiles and uses them for mass phishing. Compromised developer credentials can lead to corporate network intrusions, source-code theft and software supply-chain attacks. GoIssue sells for $150 for a custom build and $1,000 for full source-code access to the first five buyers, down from its initial prices. Cyberdluffy also appears to be a "member of Gitloker Team," a crew behind a GitHub-focused extortion campaign that uses booby-trapped links disguised as GitHub security and recruitment notices. Beyond credential phishing, GoIssue supports malware distribution and lures that trick victims into authorizing malicious OAuth apps against their GitHub accounts, broadening the impact on developers and the projects they maintain. Related phishing trends include Microsoft Visio (.vsdx) files and SharePoint being used in two-step credential-theft chains, part of a rise in attacks that abuse trusted platforms and file formats. | Details |
| 2024-11-12 14:01:23 | thehackernews | MALWARE | Critical Remote Code Execution Flaw Found in Citrix Apps | Researchers have disclosed vulnerabilities in Citrix Virtual Apps and Desktops that they say allow unauthenticated remote code execution. They lie in the Session Recording component, which records user sessions for compliance and troubleshooting. An MSMQ queue is exposed with overly permissive access and its messages are deserialized with .NET's BinaryFormatter; the queue is reachable over HTTP, not only on MSMQ's usual TCP port. Citrix's position is that exploitation requires the attacker to be an authenticated user on the same Windows Active Directory domain and intranet as the Session Recording server. Citrix has released patches and urges customers to apply them. Microsoft has told developers to stop using BinaryFormatter because it cannot be made safe against untrusted input and enables remote code execution. The disclosure illustrates how a dangerous deserialization sink combined with a permissive access configuration turns into a remotely reachable code-execution path. | Details |
| 2024-11-12 13:35:26 | theregister | DATA BREACH | Amazon Employee Data Leaked Due to MOVEit Software Flaw | More than 5 million records from 25 organizations, Amazon among them, have been posted on a cybercrime forum; the data was stolen through the 2023 MOVEit Transfer vulnerability. That flaw, CVE-2023-34362, is a critical SQL injection bug that let unauthenticated attackers access MOVEit databases. Amazon says its own systems and AWS were not breached; the data came from a third-party property-management vendor and is limited to employee work contact information such as work email addresses and phone numbers. Hudson Rock's review of the dump lists names, roles and cost-center codes as well, an organizational map that raises concern about targeted social-engineering attacks. Amazon has the largest share of the leak at over 2.86 million records. The exposure was identified by the cybercrime intelligence firm Hudson Rock. A forum user known as Nam3L3ss is distributing the data on BreachForums but does not claim to be the original attacker. | Details |
| 2024-11-12 13:04:25 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy Malware via Flutter Apps on macOS | North Korean threat actors have been observed using applications built with Flutter to deliver macOS malware, the first time Jamf has seen the framework used this way. Jamf Threat Labs found the artifacts on VirusTotal; the same campaign also includes variants written in Golang and Python. The distribution method is unknown, and it is not yet clear whether any victims were targeted. The Flutter sample poses as a working Minesweeper game under the name "New Updates in Crypto Exchange (2024-08-28)," cloned from a basic Flutter game on GitHub. Once running it fetches AppleScript from a command-and-control server and executes it, giving the operators control of the host. Jamf tentatively attributes the activity to Lazarus, specifically the BlueNoroff subgroup, based on infrastructure overlaps with known campaigns. The apps were signed with a legitimate Apple developer ID and had passed notarization; Apple has since revoked the signatures. The steady evolution of the tooling suggests DPRK actors are continuing to probe cryptocurrency companies and varying their techniques to stay undetected. | Details |
| 2024-11-12 13:04:24 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Utilize Flutter to Target macOS Systems | North Korean hackers are targeting macOS with trojanized cryptocurrency-themed apps, including a Notepad clone and Minesweeper games. The apps were built with Flutter, signed with a legitimate Apple developer ID and passed Apple's notarization checks. Jamf Threat Labs assesses the campaign as an experiment in slipping past macOS security controls. The apps present a working front (the game or notepad) while contacting DPRK-linked servers, and initially drew no antivirus detections. They can fetch and run AppleScript supplied by a command-and-control server. Apple has revoked the signatures, so Gatekeeper on updated systems now blocks the identified apps. The case shows nation-state actors using mainstream development frameworks and Apple's own signing and notarization pipeline to lend their malware legitimacy. | Details |
| 2024-11-12 11:00:26 | thehackernews | MISCELLANEOUS | Leveraging Behavioral Analytics to Transform SOC Efficiency | Behavioral analytics, long used for threat detection, is increasingly being applied after detection to support incident response. Baselines of normal user and application behavior give analysts context for triaging alerts, for example separating a genuine "impossible travel" login from a benign VPN or roaming artifact. With that context available from pre-built behavioral models, SOC teams can resolve many alerts without interrupting end users to confirm their activity. Automating the data queries and checks an analyst would otherwise run by hand shortens Mean Time to Respond (MTTR). The same models support deeper investigations by showing how an application or account normally behaves and how the observed activity departs from it. AI-assisted SOC tooling lowers the infrastructure and staffing cost of maintaining those models. The net effect the article argues for is faster, more precise and less resource-intensive incident response. | Details |
| 2024-11-12 06:02:56 | thehackernews | MALWARE | Innovative Ymir Ransomware Takes Stealth Approach in Colombia Attack | A newly identified ransomware family, Ymir, was deployed against a corporate network after the attackers had first stolen credentials. Ymir stages and runs its code in memory using an unusual sequence of memory-management calls, which helps it evade detection. The intrusion began with RustyStealer, an information stealer used to harvest corporate credentials; the attackers then used those credentials to move through and compromise the target's network. Along the way they used legitimate tools such as Advanced IP Scanner and Process Hacker, plus scripts associated with the SystemBC malware, for covert communications and data exfiltration. Files are encrypted with the ChaCha20 stream cipher; operators can target specific directories and skip files on a predefined exclusion list. Other ransomware crews are evolving too: Black Basta has been gaining initial access through social engineering over Microsoft Teams and with deceptive QR codes. Amid rising ransomware activity, U.S. policymakers and cybersecurity firms are questioning cyber-insurance policies that reimburse ransom payments and pushing for resilience-focused alternatives. | Details |
| 2024-11-12 00:19:48 | bleepingcomputer | CYBERCRIME | Apple Enhances iPhone Security with Auto-Restart Feature | Apple's iOS 18.1 includes a new security behavior that automatically reboots an iPhone after it has been idle for an extended period. This "inactivity reboot" moves a phone out of the After First Unlock (AFU) state, in which the class keys protecting user data remain in memory and forensic tooling has a chance of extracting data. After the reboot the device is in the Before First Unlock (BFU) state: data remains encrypted at rest and the keys needed to decrypt it are not present until the passcode is entered, which makes extraction far harder. Law enforcement noticed the feature when seized phones in evidence storage rebooted on their own, frustrating extraction attempts. The trigger is the inactivity timer itself, not cellular or network status, so it protects against both forensic extraction and theft. Once rebooted the phone requires the passcode; biometrics alone are not accepted in BFU, and the encryption keys are not rederived until that happens. Apple has not commented publicly, but security researchers and press coverage have highlighted the feature's effectiveness at protecting user data. | Details |