Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2024-11-08 05:21:26 | thehackernews | CYBERCRIME | CISA Warns of Active Exploits in Critical Security Flaws | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported active exploitation of a critical security flaw in Palo Alto Networks Expedition. The vulnerability, tracked as CVE-2024-5910 with a CVSS score of 9.3, allows unauthorized admin account takeover due to missing authentication. All versions of the Expedition tool before 1.2.92 are affected; the issue was patched in July 2024. Palo Alto Networks has updated its advisory to confirm the exploitation, following CISA's report. CISA has also highlighted other exploited vulnerabilities, including a privilege escalation in Android (CVE-2024-43093) and a command execution flaw in CyberPanel (CVE-2024-51567). The CyberPanel vulnerability has been exploited at scale to deploy PSAUX ransomware on over 22,000 exposed servers. Federal agencies are urged to address these vulnerabilities by November 28, 2024, to protect against these ongoing threats. | Details |
| 2024-11-08 02:33:21 | theregister | MALWARE | Winos4.0 Malware Targets Education Through Gaming Apps | Criminals are leveraging game-related apps to deploy Winos4.0 malware, giving them extensive control over affected Windows systems. Fortinet identified the malware, which evolved from Gh0st RAT, inside gaming installation tools, speed boosters, and optimization utilities. Winos4.0 is structured similarly to legitimate red-teaming tools like Cobalt Strike and Sliver, which are often misused by cybercriminals for malicious purposes including ransomware deployment. The malware has been used in attack campaigns by groups like Silver Fox, which may be linked to Chinese government activity. Infection starts with a fake gaming lure, then proceeds to download and install multiple malware components that handle everything from data harvesting to establishing persistent backdoors. Winos4.0's capabilities include collecting sensitive information, monitoring user activity, stealing documents, and searching for cryptocurrency wallets. Fortinet emphasizes downloading software only from reputable sources to avoid such sophisticated threats. | Details |
| 2024-11-07 22:23:32 | theregister | MALWARE | Global Phishing Campaign Spreads Rhadamanthys Infostealer Malware | Organizations globally are being targeted with fake copyright infringement emails carrying malware. The emails appear to come from technology companies claiming copyright violations on business Facebook pages. The malicious attachment is a ZIP file containing a decoy PDF, an executable, and a DLL that deploys the Rhadamanthys infostealer when executed. The infostealer can steal sensitive information such as wallet seed phrases and login credentials. Rhadamanthys utilizes OCR technology which, while not highly advanced, assists in automating phishing email creation. Errors in language choices have occasionally undermined the phishing attacks' effectiveness. Security researchers advise prioritizing automation and AI in defense strategies, given the increasing use of these technologies in attacks. The campaign's broad targeting across multiple countries and its use of various evasion tactics indicate that a financially motivated, non-state group is likely behind these attacks. | Details |
| 2024-11-07 22:18:26 | bleepingcomputer | MALWARE | North Korean Hackers Launch Advanced Malware Targeting Crypto Firms | North Korean group BlueNoroff has launched a malware campaign, "Hidden Risk," targeting macOS systems at cryptocurrency businesses. The group uses phishing emails with crypto-related content to deploy a novel multi-stage malware that evades macOS detection. The malware uses a new persistence mechanism that alters the ".zshenv" configuration file, bypassing macOS's latest security alerts for LaunchAgents. The campaign uses legitimate Apple Developer IDs to notarize malicious apps, effectively bypassing Apple's Gatekeeper controls. SentinelLabs found that the app's settings had been manipulated to allow insecure HTTP connections, overriding Apple's security protections. Once installed, the malware connects to a command-and-control server for updates and instructions while operating stealthily. The malware has been operational for approximately 12 months, demonstrating BlueNoroff's enduring threat to the crypto sector. | Details |
| 2024-11-07 19:07:25 | bleepingcomputer | CYBERCRIME | Critical Palo Alto Networks Bug Exploited, CISA Issues Warning | CISA warns that a critical vulnerability in Palo Alto Networks Expedition is being actively exploited. The flaw, tracked as CVE-2024-5910, allows attackers to remotely reset admin credentials on exposed Expedition servers. Palo Alto Networks fixed the vulnerability in July, but it remains a target, and exploitation could compromise firewall configurations and other sensitive data. Horizon3.ai released a proof-of-concept in October that chains CVE-2024-5910 with another vulnerability, CVE-2024-9464, to achieve arbitrary command execution on affected systems. Palo Alto Networks advises updating Expedition to the latest version and rotating all admin credentials after updating. CISA has added CVE-2024-5910 to its Known Exploited Vulnerabilities Catalog and requires U.S. federal agencies to secure their servers against it by November 28. The directive underlines the high risk these vulnerabilities present to federal operations and the urgency of securing potentially compromised systems. | Details |
| 2024-11-07 18:26:07 | bleepingcomputer | DATA BREACH | Nokia Confirms Leak of Third-Party App Source Code, Denies System Impact | Nokia responded to claims of a data breach, stating that the leaked source code came from a third-party developer, not from Nokia itself. The third-party application's source code was leaked on a hacker forum by a threat actor known as IntelBroker. The leak included SSH keys, RSA keys, BitBucket logins, SMTP accounts, webhooks, and hardcoded credentials. The investigation found that the breach occurred via a SonarQube server managed by the third-party vendor, exposing multiple companies including Nokia. Nokia confirmed that the leaked application was designed for a single customer network and therefore poses no threat outside that environment. The company stated that no Nokia or customer data was compromised and that critical systems, including its own source code and encryption keys, remain secure. Nokia continues to monitor the situation closely, emphasizing ongoing vigilance despite the breach's limited impact. | Details |
| 2024-11-07 16:28:36 | bleepingcomputer | NATION STATE ACTIVITY | Canada Orders Closure of TikTok Tech Unit over Security Risks | The Canadian government has ordered the dissolution of TikTok Technology Canada, citing national security concerns. The decision followed a comprehensive review by Canada's security and intelligence agencies along with other government partners. Although TikTok's Canadian operations are ordered to close, the app itself remains accessible to users in Canada for creating and viewing content. This action is not a ban on the TikTok platform in Canada; users can continue to use the app. The specific national security threats posed by ByteDance Ltd., TikTok's parent company, have not been disclosed due to confidentiality requirements under the Investment Canada Act. TikTok has strongly opposed the Canadian government's decision and plans to challenge it in court. The closure of the Canadian office is expected to hurt local employment, but the service remains fully available to users. | Details |
| 2024-11-07 15:52:49 | bleepingcomputer | CYBERCRIME | HPE Issues Security Updates for Critical Aruba Access Point Flaws | Hewlett Packard Enterprise (HPE) has released updates for critical vulnerabilities in Aruba Networking Access Points. Two severe flaws were identified that could allow remote attackers to perform unauthenticated command injection via UDP port 8211. The vulnerabilities, assigned CVE-2024-42509 and CVE-2024-47460, have CVSS scores of 9.8 and 9.0, respectively. Affected software versions include Instant AOS-8.12.x.x, AOS-8.10.x.x, and AOS-10.4.x.x; older versions are also affected but no longer supported. HPE has provided patched software versions and suggested workarounds such as restricting access to UDP port 8211 and securing management interfaces. Although no active exploitation has been reported, HPE strongly recommends applying these security measures immediately to mitigate risk. | Details |
| 2024-11-07 12:43:58 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy Malware to Target Crypto Sector | North Korean threat actor BlueNoroff has been targeting cryptocurrency firms with malware that infects Apple macOS devices. The campaign, named Hidden Risk by SentinelOne, began as early as July 2024 and uses emails with fake news as lures. Attackers use sophisticated social engineering, including bogus job offers, to gain trust before deploying the malware. The malware poses as a PDF application but downloads a backdoor executable from a remote server, giving attackers control over the infected device. The backdoor uses a novel persistence method involving the zshenv file, a technique not yet covered by macOS's security notifications. The campaign uses infrastructure with domains and hosting services that appear legitimate in the crypto and Web3 spaces. Recent campaigns by the same group involve hijacking Apple developer accounts to notarize their malware, strengthening its appearance of legitimacy. These activities are part of broader efforts by North Korean hackers to evade international sanctions and generate revenue through cybercrime targeting Western businesses. | Details |
| 2024-11-07 12:03:13 | thehackernews | CYBERCRIME | Effective Strategies to Combat Common Password Vulnerabilities | Hackers specifically target weak, simple passwords like "123456" or "password," which remain common despite security warnings. Password-cracking tools can break such simple passwords in seconds by exploiting easy-to-guess combinations. Organizations face major risks from end-user behavior, such as password reuse across multiple sites and a preference for easily remembered passwords. Credential stuffing is a common tactic that lets attackers access multiple accounts with a single compromised password. Implementing strong password policies, promoting good password hygiene, and enforcing multi-factor authentication are crucial defensive measures. Organizations are encouraged to use passphrases (a series of unrelated words), which offer robust security due to their length and unpredictability. Identity proofing, such as email or SMS confirmation, adds a further layer of protection against password compromise. Regular scanning of Active Directory with tools like Specops Password Auditor can identify and address compromised or weak passwords within the network. | Details |
| 2024-11-07 11:53:00 | theregister | MALWARE | Cisco Warns of Critical Vulnerability in Wireless Backhaul Systems | Cisco has issued a critical alert for a flaw in its Ultra-Reliable Wireless Backhaul systems, rated CVSS 10. The flaw, tracked as CVE-2024-20418, affects the Unified Industrial Wireless Software and can be exploited remotely to gain admin-level access. Attackers can execute arbitrary commands with root privileges by sending crafted HTTP requests to the system's web management interface. There are no workarounds for this vulnerability; immediate patching is necessary. The vulnerability poses significant risk, especially in industrial settings such as ports or factories, where it could disrupt critical infrastructure. Users can check whether the vulnerable setting is enabled with the 'show mpls-config' CLI command. Cisco urges customers to apply the security fix promptly to prevent exploitation. No exploitation in the wild has been reported so far. | Details |
| 2024-11-07 10:06:07 | thehackernews | NATION STATE ACTIVITY | Chinese Cyber-Espionage Group Targets EU Diplomats with Expo Spoof | The China-aligned group MirrorFace targeted a diplomatic entity in the European Union for the first time, using the World Expo 2025 as bait. The attack involved a spear-phishing email linking to a malicious ZIP file hosted on Microsoft OneDrive, aiming to deploy malware including ANEL and NOOPDOOR. MirrorFace, part of the broader APT10 umbrella, is known for earlier cyber-espionage focused on Japan, Taiwan, and India. The group's arsenal has evolved to include sophisticated backdoors and credential stealers aimed at data theft and espionage. The resurfacing of ANEL malware after a hiatus since 2019 suggests tactical evolution within the group. The incident fits a broader pattern of Chinese threat actors relying on open-source tools like SoftEther VPN to maintain network access. Related breaches include the targeting of major telecommunications providers and national security officials in the U.S. and allied nations by other China-linked groups. | Details |
| 2024-11-07 09:50:52 | thehackernews | MALWARE | Top Five Malware Techniques Used in Cyberattacks in 2024 | Disabling Windows Event Logging remains a common tactic that lets malware operate undetected by silencing crucial system logs. PowerShell is widely abused for manipulating system settings, exfiltrating data, and maintaining persistent access, with obfuscation used to bypass standard detection. Abuse of the Windows Command Shell (cmd.exe) involves executing harmful commands that blend in with legitimate activity, evading immediate detection. Modifying Registry Run keys and the Startup folder ensures malware runs automatically at each system start, giving attackers long-term persistence. Time-based evasion is used by malware like DCRAT, which delays execution to outlast limited-time sandbox monitoring and then carries out its malicious activity after the initial analysis phase. ANY.RUN's Interactive Sandbox provides an environment for real-time interaction with and analysis of these techniques, aiding advanced defenses. | Details |
| 2024-11-07 09:45:48 | thehackernews | MALWARE | Global Phishing Campaigns Deploy Advanced Stealer Malware | A phishing campaign labeled CopyRh(ight)adamantys is using copyright infringement claims to distribute the Rhadamanthys information stealer, affecting the U.S., Europe, East Asia, and South America. Emails impersonate legal entities from the media and technology sectors, and AI-enhanced OCR technology is used to improve attack efficacy. Victims are accused of copyright misuse on social media and directed to download malicious files from links posing as legal documents. The malware, delivered through DLL side-loading, compromises the system once a decoy document is opened. Check Point attributes these widespread phishing attacks to a financially motivated cybercrime group using automated tactics and varied lures. Separately, the new SteelFox malware uses driver exploits and sophisticated execution chains to target users worldwide, including in Russia, China, and Brazil. SteelFox, distributed via counterfeit software downloads, steals credit card data and launches crypto-miners, gaining system-level access by exploiting outdated drivers. Both campaigns highlight significant advances in cybercrime tactics and the evolving global threat landscape. | Details |
| 2024-11-07 09:10:03 | thehackernews | MALWARE | Malicious 'Fabrice' PyPI Package Steals AWS Credentials | A malicious package named "fabrice", impersonating the popular "fabric" library, has been found on the Python Package Index (PyPI), targeting developers' AWS credentials. The package, first published in March 2021, recorded over 37,100 downloads over three years, affecting both Linux and Windows machines via different methods. On Linux, "fabrice" downloads, decodes, and executes shell scripts from an external server to tamper with the system. On Windows, the malware uses Visual Basic and Python scripts to run hidden scripts, covertly install an executable named "chrome.exe", and set up persistent scheduled tasks. The primary goal on both platforms is to harvest AWS access and secret keys, which are exfiltrated to the attackers using the Boto3 SDK. The attack is a case of "typosquatting," where attackers use a name similar to a widely trusted library to exploit unwary developers. The "fabrice" package has since been removed from PyPI to stop further compromises. | Details |