Daily Brief

Article summaries below are automatically generated

Total articles found: 12817


2024-10-28 11:33:58 thehackernews NATION STATE ACTIVITY Critical Fortinet Vulnerability Exploited by Unknown Actors
Fortinet reported a critical security flaw in FortiManager (CVE-2024-47575) with a CVSS score of 9.8 that allows unauthenticated remote code execution. The vulnerability is being actively exploited in the wild by a so far unidentified threat cluster that Mandiant tracks as UNC5820. Several other high-risk CVEs are trending, affecting a range of software and services. An upcoming webinar led by Global-e will focus on mastering data security in the cloud, centered on Data Security Posture Management (DSPM). Experts highlight common vulnerabilities in enterprise systems, emphasizing IAM misconfigurations and the need for robust access and API security management. The article also advises on strengthening DNS security, for example by using privacy-focused resolvers and DNSSEC, to protect against redirection to malicious sites. Continuous vigilance and staying informed are essential in mitigating the risks posed by these security threats.
2024-10-28 11:03:00 thehackernews MISCELLANEOUS Enhancing OT Security for Global Maritime and Crane Operations
OT security becomes paramount as marine vessels and port operators digitally automate ships and cranes. Remote diagnostics and maintenance require secure, scalable solutions due to the challenges of linking identities to access sessions and ensuring comprehensive auditing. A major marine vessel operator adopted SSH’s PrivX OT Edition to manage secure remote access across a global fleet, addressing issues with always-on connections and insufficient granularity. The adoption of PrivX OT Edition has ensured crew safety, minimized unscheduled dock time, and helped comply with NIS2 Directive and IEC 62442 standards. A leading industrial crane manufacturer implemented the same SSH solution to overcome regional access control issues and inadequate transparency leading to security vulnerabilities. The new technology supports immediate, secure access management and automatic off-boarding, improving compliance and minimizing infrastructure disruption. Overall, PrivX OT Edition provides centralized, scalable access management to meet modern security needs in industrial settings.
2024-10-28 06:32:35 theregister MISCELLANEOUS Controversy Arises Over WordPress Event Social Media Control
WordPress has required WordCamp organizers to share their social media login credentials allegedly to handle issues of account access by new team members effectively. WordCamp Sydney was instructed to remove specific social media posts that supported WP Engine, going against the views of the WordPress Community Team directed by Automattic employees. Automattic's CEO, Matt Mullenweg, has criticized WP Engine for not sufficiently contributing to the open-source community despite profiting from WordPress. This disagreement is part of a broader dispute over the commercial use of the WordPress trademark and contributions to its open-source project. The demands for credential sharing and content control have led to concerns among volunteers about overreach and possible retaliation for non-compliance. Kellie Peterson, former head of domains at Automattic, has highlighted a pattern of interventions by Automattic in the internal affairs of WordCamp organizers. These internal dynamics have reportedly led to decreased community engagement and have negatively impacted event organizing efforts, including lower ticket sales for WordCamp Sydney.
2024-10-28 05:31:10 thehackernews CYBERCRIME New Windows OS Vulnerability Enables Kernel Attack
Researchers have identified a new attack method that targets Microsoft Windows systems to bypass Driver Signature Enforcement using an OS downgrade technique. The attack exploits previously discovered privilege escalation vulnerabilities—CVE-2024-21302 and CVE-2024-38202—to roll back Windows software to less secure versions. Attackers use a tool called "Windows Downdate" to manipulate the Windows Update process, enabling persistent, undetectable OS downgrades that include critical kernel components. This allows attackers to load unsigned kernel drivers, facilitating the deployment of rootkits that can evade security measures and stealthily maintain control of the system. Microsoft addressed the flaws in its recent Patch Tuesday updates, which include measures against the described downgrade tactics. Despite these patches, attackers can still bypass security via older versions of the "ci.dll" library unless the system employs Virtualization-Based Security (VBS) with a UEFI Lock and a "Mandatory" setting. The research underscores the importance of security technologies detecting and preventing component downgrades even when the components do not directly cross defined security boundaries.
2024-10-27 15:46:24 theregister NATION STATE ACTIVITY U.S. Senator Targets Domain Registrars Over Russian Disinfo
U.S. Senator Mark Warner has approached six domain registrars for their alleged role in enabling Russian disinformation campaigns. The registrars, including NameCheap, GoDaddy, and Cloudflare, are scrutinized following the seizure of 32 domains spreading pro-Russian propaganda. These domains were part of the Doppelgänger campaign, employing fake news sites and social media to influence public opinion in favor of Russia. Warner criticized the domain registration industry for withholding crucial information, ignoring registration inaccuracies, and not addressing domain squatting. The senator hinted at potential legislative actions unless immediate measures are taken to curb the misuse of domain services for foreign influence operations. GoDaddy responded, noting its commitment to tackling online abuse, but other registrars have yet to comment. The issue highlights ongoing concerns about the misuse of internet infrastructure in geopolitical misinformation efforts.
2024-10-27 14:19:45 bleepingcomputer CYBERCRIME SonicWall VPN Exploitation Drives Increase in Ransomware Attacks
Fog and Akira ransomware groups have exploited SonicWall VPNs via the CVE-2024-40766 SSL VPN flaw to infiltrate corporate networks. SonicWall issued a fix for this critical vulnerability in August 2024, but cybercriminals had already begun exploiting vulnerable systems. Arctic Wolf reports document at least 30 breaches initiated through these VPN accounts, with the majority linked to Akira ransomware. Attackers typically progressed from initial entry to data encryption within ten hours, exploiting unpatched, vulnerable endpoints. The compromised networks often lacked multi-factor authentication and operated on the default SSL VPN port. Once inside, cybercriminals targeted virtual machines and backups for rapid encryption, selectively stealing recent and relevant data. There appears to be shared infrastructure between Fog and Akira ransomware groups, indicating ongoing collaboration. Both ransomware operators initially access networks using stolen or compromised VPN credentials, highlighting the importance of network security and timely updates.
2024-10-26 14:32:58 bleepingcomputer CYBERCRIME Cisco Implements Features to Block VPN Brute-Force Attacks
Cisco has introduced new security features in ASA and FTD to combat brute-force and password spray attacks on VPNs. These attacks have notably included massive brute-force attempts on various networking devices from multiple vendors including Cisco and Fortinet. The new features were developed after Cisco detected a Denial of Service (DoS) vulnerability, CVE-2024-20481, exacerbated by these attack types. The security improvements not only prevent unauthorized access but also significantly reduce resource exhaustion on Cisco devices. Full implementation across all software versions was achieved recently, with some Cisco admins reporting greatly diminished attack impact upon activation. The configuration commands provided by Cisco help in preventing multiple failed authentication attempts from the same IP, thereby improving security posture. Despite the benefits, potential downsides such as false positives and minor performance impacts are reported, underscoring the importance of careful implementation.
2024-10-26 12:30:54 bleepingcomputer MALWARE New Method Bypasses Windows Driver Signature, Installs Rootkits
Security researcher Alon Leviev demonstrated a bypass in Windows Driver Signature Enforcement allowing the installation of kernel rootkits on fully patched systems. The method involves manipulating the Windows Update process to deploy outdated, vulnerable software components, thus rendering new security patches ineffective. Despite Microsoft's resistance to categorizing the issue as crossing a security boundary, Leviev showcased the attack's feasibility at BlackHat and DEFCON. The exploit, named "ItsNotASecurityBoundary" by Leviev, can replace critical system files like 'ci.dll' to accept unsigned drivers, compromising kernel integrity. Leviev also discussed potential bypasses for Microsoft's Virtualization-based Security (VBS), showing how VBS can be disabled or disrupted to further malware installation. Microsoft has previously addressed similar types of vulnerabilities but remains unresponsive to this particular downgrade attack tactic. Leviev released "Windows Downdate," a tool for crafting downgrade attacks, emphasizing the ongoing risk and the illusion of security in so-called “fully patched” systems.
2024-10-26 09:42:42 bleepingcomputer MISCELLANEOUS Over 70 Zero-Day Vulnerabilities Exposed in Pwn2Own Ireland 2024
Over $1 million was awarded in prizes at Pwn2Own Ireland 2024 for discovering over 70 zero-day vulnerabilities across various fully patched devices. The competition tested security in multiple categories including mobile phones, messaging apps, home automation systems, smart speakers, printers, surveillance systems, NAS devices, and a SOHO Smash-up. Viettel Cyber Security won the "Master of Pwn" title, securing $205,000 in prize money for vulnerabilities found in QNAP NAS, Sonos speakers, and Lexmark printers. The event surpassed the million-dollar prize mark for the fourth consecutive year, with a total prize payout of $1,066,625. Targets successfully exploited on the final day included products from Lexmark, TrueNAS, and QNAP. The next Pwn2Own event is scheduled for January 22, 2025 in Tokyo, focusing on the automotive industry with categories aimed at Tesla, In-Vehicle Infotainment (IVI) systems, Electric Vehicle Chargers, and Operating Systems. Details of the upcoming competition's categories and prize money were outlined by the Zero Day Initiative (ZDI).
2024-10-26 09:12:00 thehackernews CYBERCRIME TeamTNT Launches Advanced Cryptojacking Attacks on Cloud Servers
TeamTNT is running a new cryptojacking campaign targeting cloud-native environments to mine cryptocurrencies. The campaign uses exposed Docker daemons to deploy Sliver malware and cryptominers, and uses Docker Hub to spread the malware. Attackers are selling compromised server capacity on Mining Rig Rentals, indicating a more mature business model. The operation involves scanning for unauthenticated Docker API endpoints and deploying malicious Alpine Linux containers. A significant shift was noted in the replacement of the Tsunami backdoor by the Sliver C2 framework, suggesting an evolution in the group's tactics. TeamTNT is also adopting AnonDNS to obscure its server communications, enhancing operational secrecy. Relatedly, Trend Micro reported a brute-force campaign by another group using the Prometei botnet, indicating a broader increase in crypto mining attacks.
2024-10-26 08:36:17 thehackernews CYBERCRIME Russian Court Sentences Four Members of REvil Ransomware Group
Four members of the defunct REvil ransomware group were sentenced in Russia for hacking and money laundering. Artem Zaets and Alexei Malozemov received sentences of 4.5 and 5 years respectively, while Ruslan Khansvyarov and Daniil Puzyrevsky received 5.5 and 6 years respectively. The individuals were part of a larger group of 14, with the rest facing various charges related to cybercrime. This rare action follows the dismantling of REvil by Russia's FSB and is a noteworthy instance of Russia prosecuting cybercriminals. Previous actions include the U.S. sentencing a Ukrainian national involved with REvil to 13 years and $16 million in restitution. The sentencing precedes a Russian investigation into Cryptex and UAPS, both sanctioned by the U.S. for their roles in money laundering related to cybercrime.
2024-10-26 05:53:25 theregister MISCELLANEOUS US Agency Stresses FCRA Compliance in Worker Surveillance
The US Consumer Financial Protection Bureau (CFPB) emphasizes that third-party reports on employees must adhere to the Fair Credit Reporting Act (FCRA), including consent and transparency requirements. The CFPB's guidance targets businesses using external reports for employment decisions, such as firing or hiring, based on worker activity or behavior. Concerns are rising over workplace surveillance, algorithmic decision-making, and the use of machine learning and analytics in employee monitoring. CFPB Director Rohit Chopra highlighted the risks of unchecked surveillance and opaque profiling akin to credit scoring creeping into employment practices. Specific uses of concern include predicting union membership, automatic job assignments based on performance data, and adverse actions without human oversight. Consumer reporting agencies and background screening services might provide employers with data on various personal and work-related activities of workers. Companies using such data must seek employee consent, correct any data inaccuracies, and ensure information is used strictly within legal confines. The CFPB’s actions signal a commitment to enforce long-standing consumer protections in emerging areas such as employment and worker surveillance.
2024-10-26 04:06:35 thehackernews NATION STATE ACTIVITY Ukraine Warns of Sophisticated Malware Attacks Targeting Govt Agencies
CERT-UA identified malicious email campaigns employing '.rdp' files to target Ukrainian military, enterprises, and government entities, pointing to potential nation state activity and data breach risks. The attacks abuse popular service branding such as Amazon and Microsoft to gain unauthorized remote access, steal data, and deploy further malware. Amazon Web Services linked these activities to APT29, a Russian hacking group, which used fake domains to mimic AWS and steal Windows credentials. CERT-UA also uncovered a separate attack distributing Visual Basic Script-based malware via phishing emails, aimed at exfiltrating sensitive user data. A ClickFix-style campaign was also discovered, tricking users into downloading malicious PowerShell scripts that set up SSH tunnels and steal data from web browsers. Both campaigns involved complex impersonation and credential theft tactics, with infrastructure preparations dating back to at least August 2024. CERT-UA has expressed an "average level of confidence" that another campaign is operated by APT28, another well-known Russian APT group. The reports align with ongoing geopolitical tensions, highlighting the importance of vigilant cybersecurity measures in governmental and military digital infrastructure.
2024-10-25 21:04:11 bleepingcomputer CYBERCRIME Black Basta Ransomware Exploits Microsoft Teams for Network Breaches
The Black Basta ransomware group now uses Microsoft Teams, pretending to be corporate IT help desks, to carry out social engineering attacks. The operation has evolved from calling victims to using Microsoft Teams chats, after first overwhelming employee inboxes with spam as a preliminary step. Attackers instruct employees to install remote access tools like AnyDesk or launch Windows Quick Assist during the chat, under the guise of helping with the spam issue. Once access is gained, the attackers deploy payloads such as ScreenConnect, NetSupport Manager, and Cobalt Strike to establish a foothold for further malicious activity. Newly observed tactics include setting up fake IT support profiles in Microsoft Teams with display names including "Help Desk" to deceive employees. External user accounts involved in these attacks were traced to Russian origins, according to time zone data. Researchers recommend that organizations restrict external communications in Microsoft Teams to trusted domains and enable logging to detect suspicious chats.
2024-10-25 20:58:51 bleepingcomputer CYBERCRIME Black Basta Ransomware Exploits Microsoft Teams in Sophisticated Attacks
Black Basta ransomware group has begun using Microsoft Teams to conduct social engineering attacks, impersonating corporate IT support. The operation has targeted employees with overwhelming spam emails to prompt a response on Microsoft Teams where they pose as help desk personnel. Attackers use this method to convince targets to install malicious tools such as AnyDesk or launch Quick Assist, providing remote access to end-user devices. Once access is gained, the malware installs additional payloads including ScreenConnect, NetSupport Manager, Cobalt Strike, and ultimately the ransomware encryptor. Researchers at ReliaQuest noted that this new tactic involved creating external user accounts on Microsoft Teams, complete with display names mimicking legitimate IT support. The QR codes sent via Teams chats are suspect, though their exact purpose remains unclear. Geolocation data suggests that the external accounts originate from Russia, specifically Moscow time zones. Recommendations for organizations include restricting external communications in Teams and enabling thorough logging to detect suspicious activities early.