Daily Brief


Total articles found: 12815

Checks for new stories every ~15 minutes

2024-10-17 08:35:18 theregister CYBERCRIME WeChat Modifies TLS, Introduces Potential Security Flaws
WeChat developed a modified version of the TLS protocol named MMTLS, which deviates from standard TLS 1.3 and thereby increases security risk. Researchers from the University of Toronto's Citizen Lab conducted an in-depth analysis of MMTLS and found it introduces weaknesses such as deterministic IVs and a lack of forward secrecy. MMTLS adds an additional layer of encryption to network requests, which previously relied only on AES-CBC-based business-layer encryption that was vulnerable to various attacks. Although MMTLS strengthens security by double-encrypting data, the business layer does not encrypt metadata, potentially exposing sensitive user information. Citizen Lab noted that, because of this double encryption, none of the current weaknesses leads to a known attack, but minor issues persist that do not exist in unmodified TLS. Tencent is reportedly transitioning from AES-CBC to the more secure AES-GCM to address these concerns. Despite these measures, all WeChat communications are accessible to Tencent because of Chinese data regulations, and are not end-to-end encrypted. Citizen Lab suggests Tencent adopt standard TLS, or a combination of QUIC and TLS, to improve overall security in its applications.
2024-10-17 07:28:53 theregister DDOS U.S. Indicts Two Alleged Anonymous Sudan Hackers for Global DDoS Attacks
The U.S. Justice Department has unmasked and charged two Sudanese nationals, Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, as key members of the hacktivist group Anonymous Sudan. Both individuals face charges related to orchestrating numerous distributed denial-of-service (DDoS) attacks on significant U.S. and global targets including government agencies and major corporations. Specific attacks cited include attempts against the DOJ, DOD, FBI, State Department, and companies like Microsoft and Riot Games, extending even to entities like Cedars-Sinai Medical Center. The allegation extends to developing and utilizing a tool called Distributed Cloud Attack Tool (DCAT) for conducting DDoS attacks, which the FBI has since disabled in cooperation with other law enforcement. Anonymous Sudan allegedly offered their DCAT service to other criminal actors, effectively commercializing their DDoS capabilities. The hackers were reported to have developed part of their software on GitHub and also attacked the platform in a retaliatory DDoS strike. Arrests of the accused were carried out in March, though details regarding the location or extradition status remain unclear.
2024-10-17 05:22:31 thehackernews MALWARE Critical Kubernetes Image Builder Root Access Vulnerability Patched
A critical vulnerability was identified in the Kubernetes Image Builder, noted as CVE-2024-9486 with a CVSS score of 9.8. The flaw allows potential attackers to gain root access if they exploit default credentials used during the image-building process. Only Kubernetes nodes using VM images created with the Proxmox provider and the Image Builder project are affected. The vulnerability has been addressed in Kubernetes Image Builder version 0.1.38, which removes default credentials and introduces additional security measures. A secondary, related vulnerability, CVE-2024-9594 (CVSS score: 6.3), was identified in the same project affecting other providers like Nutanix and OVA but with lesser severity. Recommendations include disabling the builder account on affected VMs and redeploying new images using the patched version of the Image Builder. Other cybersecurity updates include patches for critical-rated flaws in Microsoft's Dataverse and Power Platform, as well as a vulnerability in Apache Solr resolved in its latest updates.
2024-10-16 23:20:21 theregister DATA BREACH Contractor Settles for $300k Over Medicare Data Mismanagement
A US government contractor, ASRC Federal Data Solutions, has agreed to a $306,722 settlement with the Justice Department following accusations of violating cybersecurity protocols. The settlement addresses allegations that the contractor failed to properly secure Medicare beneficiaries’ personally identifiable information (PII) during a shift to electronic record-keeping. The breach involved a subcontractor and occurred between March 10, 2021, and October 8, 2022, leading to several unencrypted screenshots containing PII being accessed by an unauthorized party. The subcontractor had implemented disk-level encryption that proved ineffective since the unauthorized access was gained using valid credentials. ASRC Federal Data Solutions has already spent $877,578 on notifying affected individuals and providing credit monitoring services. The company has also waived rights to reimbursement for expenses incurred in response to the breach. The settlement emphasizes the importance of complying with federal cybersecurity standards, especially for contractors handling sensitive personal information.
2024-10-16 23:20:21 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Sell Access to Global Critical Infrastructures
Iranian hackers are targeting critical infrastructure sectors worldwide to harvest credentials and network access, then selling these on the dark web. Key sectors affected include healthcare, government, IT, engineering, and energy, with breaches reported in the U.S., Canada, and Australia. Techniques used by attackers include brute-force attacks, password spraying, and MFA push bombing to gain unauthorized access. The collaborative advisory issued by CISA, FBI, NSA, and other international cybersecurity bodies details the methods and suggests mitigation strategies. Hackers aim for persistent network access, moving laterally within networks to escalate privileges and collect further sensitive data. Stolen credentials are used not only for initial breaches but also in broader attacks, enabling ransomware groups and other malicious activities. Multiple U.S. government alerts have been issued, naming specific Iranian threat groups and describing their tactics and impact on security. Security recommendations include monitoring for unusual login attempts, identifying compromised systems, and applying robust access controls.
2024-10-16 22:14:01 bleepingcomputer CYBERCRIME Surge in Zero-Day Exploits Challenges Security Responses in 2023
In 2023, 70.3% of the disclosed vulnerabilities that were exploited were zero-days, up from previous years. Threat actors exploited these vulnerabilities before the affected companies could deploy patches. Google reports no significant change in the number of n-days exploited, attributing the rise to more zero-day discoveries and better detection technologies. The time to exploit (TTE) newly disclosed vulnerabilities has dramatically dropped to just five days, compared to weeks in previous years. This rapid TTE underscores the need for timely mitigation strategies such as network segmentation and real-time detection. In 2023, the number of vendors impacted by exploits rose to a record 56, indicating a broadening of targets by threat actors. Google highlighted that the availability of public exploit details does not consistently correlate with the beginning of malicious activity.
2024-10-16 22:03:38 theregister MALWARE Critical SSH Access Vulnerability in Kubernetes Image Builder
A critical vulnerability in Kubernetes Image Builder could allow unauthorized root access via SSH due to default credentials left during the image build process. The most affected provider is Proxmox, where VM images carry a high-risk CVSS score of 9.8, tracked as CVE-2024-9486. Other affected providers include Nutanix, OVA, QEMU, and raw, each with a lower risk score of 6.3 under CVE-2024-9594, where exploitation is only possible during the image build. The flaw impacts Image Builder version 0.1.37 or earlier; upgrading to version 0.1.38 or later, which disables the builder account post-build and uses random passwords during the build, resolves the issue. Users are advised to upgrade and redeploy new images to any affected VMs to mitigate risks effectively. As a temporary workaround, users can manually disable the builder account to decrease vulnerability. The bug was discovered and reported by Nicolai Rybnikar from Rybnikar Enterprises.
2024-10-16 21:48:10 bleepingcomputer DATA BREACH Notorious Hacker Arrested in Brazil for Major Data Breaches
A hacker known as USDoD, responsible for multiple high-profile data breaches, has been arrested by Brazil's Polícia Federal. USDoD's cybercrimes included breaches of the FBI's InfraGard and of National Public Data, with sensitive information leaked online. The arrest occurred under "Operation Data Breach" after USDoD targeted and leaked internal data from cybersecurity firm CrowdStrike. Information leaked by USDoD included personal data and social security numbers of hundreds of millions of US citizens. CrowdStrike's report played a crucial role in identifying USDoD as Luan BG, a 33-year-old Brazilian residing in Brazil. The operation also included search and seizure warrants related to earlier postings selling Federal Police data. USDoD had previously admitted to leaking sensitive data of 80,000 InfraGard members and boasted about his intrusions online.
2024-10-16 21:32:46 theregister CYBERCRIME Volkswagen Targeted by 8Base Ransomware Group; Data Threat Looms
The 8Base ransomware group claims to have obtained a substantial amount of confidential Volkswagen data, threatening its release. Volkswagen remains unfazed by the claims, stating their IT infrastructure is secure and unaffected. The ransomware group set a release date for the data on September 26, but no data has been published, casting doubts on the credibility of the threat. Volkswagen has a history of data security issues, including a significant breach in 2021 affecting three million customers via a third-party supplier. 8Base, known for using a variant of the Phobos ransomware, has been relatively inactive recently, raising questions about their current operations. The German auto manufacturer is closely monitoring the situation but has not disclosed whether a ransom demand was received or specified the nature of the allegedly stolen data.
2024-10-16 20:05:42 theregister CYBERCRIME SolarWinds Hit by Exploit of Critical Hardcoded Credential Bug
A critical vulnerability involving hardcoded credentials in SolarWinds' Web Help Desk is currently being exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has listed the flaw in its Known Exploited Vulnerabilities Catalog. The vulnerability, assigned a high severity score (CVSS 9.1), permits unauthenticated remote attackers to access and modify sensitive data. SolarWinds has resolved the issue in its latest patch for Web Help Desk, 12.8.3 HF2, and urges customers to update immediately. Approximately 827 instances of the vulnerable software version were still publicly accessible as of late September. The exploit affects various sectors, notably state and local governments and educational institutions, heightening the risk of lateral movement. This incident marks SolarWinds' second severe security challenge within a two-month period, following another high-severity exploit in August.
2024-10-16 19:54:56 bleepingcomputer CYBERCRIME Critical SolarWinds Web Help Desk Vulnerability Exploited in Cyber Attacks
CISA has added a critical hardcoded credentials flaw in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities catalog. The vulnerability, identified as CVE-2024-28987, was disclosed and patched by SolarWinds in August 2024 following a discovery by Horizon3.ai researcher Zach Hanley. This flaw allows remote, unauthenticated attackers to access and potentially modify data without restrictions using hardcoded credentials. SolarWinds has released a hotfix (WHD 12.8.3 Hotfix 2) to address the flaw, and system administrators are urged to update immediately. CISA has not specified details of the attacks exploiting this vulnerability but noted that the threat actors are actively using it in the wild and set its ransomware exploitation status as unknown. Alongside CVE-2024-28987, CISA listed exploits for vulnerabilities in Windows and Mozilla Firefox, both of which are also actively being exploited. Microsoft and Mozilla have both issued patches for their respective vulnerabilities, highlighting the widespread nature of these security risks. Federal agencies are required to patch these vulnerabilities by November 5, 2024, indicating the severity and urgency of these security risks.
2024-10-16 18:38:24 bleepingcomputer DDOS U.S. Indicts Operators of Anonymous Sudan for Global DDoS Attacks
The U.S. Department of Justice indicted two Sudanese brothers, operators of the cyber group Anonymous Sudan, responsible for over 35,000 DDoS attacks worldwide. Targets included major corporations like Microsoft, Cloudflare, and government and healthcare facilities, notably disrupting Cedars-Sinai Hospital in Los Angeles. Accusations suggest that their attacks, while claimed to protect Sudanese political interests, might have connections to Russian operations. The U.S. authorities successfully disrupted Anonymous Sudan's operations in March 2024, seizing its primary DDoS tools without compromising private devices. Anonymous Sudan utilized unique tools like the Skynet Botnet or DCAT, relying on open proxies rather than compromised victim devices to conduct attacks. Both brothers were arrested in March, and though not in U.S. custody, they have been interrogated by the FBI. Charges include conspiracy to damage protected computers, with additional charges against Ahmed Omer for endangering lives during the DDoS attack on Cedars-Sinai Hospital.
2024-10-16 18:33:06 theregister NATION STATE ACTIVITY Chinese Group Accuses Intel of NSA Backdoors, Demands Probe
A Chinese industry group, the Cybersecurity Association of China (CSAC), has accused Intel of embedding backdoors in its CPUs that could potentially allow the U.S. National Security Agency (NSA) to access data globally. CSAC alleges these backdoors have been present in almost all Intel CPUs since 2008, posing significant security threats internationally, particularly to critical information infrastructures. The accusations emerged amid escalating technological tensions between the U.S. and China, which includes U.S. accusations of Chinese espionage and recent stringent export restrictions on advanced and AI chips to China. CSAC has urged the Cyberspace Administration of China to initiate a thorough investigation into Intel's security practices to protect national security and the interests of Chinese consumers. Intel's sales in China, accounting for over a quarter of its total revenue last year, could be severely impacted if restrictive measures are imposed following an investigation. The ongoing dispute reflects broader concerns over international cybersecurity and technological dominance, particularly in areas of critical infrastructure and advanced computing technologies.
2024-10-16 17:01:11 bleepingcomputer CYBERCRIME Critical Flaw in Kubernetes Image Builder Exposes VMs to SSH Attacks
A critical vulnerability identified in the Kubernetes Image Builder could allow unauthorized root access via SSH to virtual machines (VMs). The flaw, tracked as CVE-2024-9486, affects VM images created using Image Builder version 0.1.37 or earlier with the Proxmox provider. Attackers can exploit default credentials that were not disabled after the image-building process to gain root access. Kubernetes has issued updates in Image Builder version v0.1.38, which introduces randomly generated passwords and disables the default "builder" account. If an immediate upgrade is not feasible, the temporary measure is to disable the builder account using the commands the project documents. Similar vulnerabilities with a medium-severity rating exist for images built with the Nutanix, OVA, QEMU, or raw providers, tracked as CVE-2024-9594, and are exploitable only under specific conditions. Detailed mitigation guidance and system check information are available via the Kubernetes community forums and GitHub.
2024-10-16 16:25:14 thehackernews MALWARE Hackers Exploit EDRSilencer to Evade Security and Conceal Malware
Threat actors are repurposing the open-source EDRSilencer tool to bypass endpoint detection and response (EDR) systems, facilitating undetected malicious activities. EDRSilencer disables EDR solutions by blocking their outbound traffic using the Windows Filtering Platform (WFP), undermining their ability to communicate with management consoles. The tool affects a wide range of EDR products from prominent companies like Microsoft, Palo Alto Networks, SentinelOne, and Trend Micro among others. By employing such tools, hackers aim to compromise the effectiveness of EDR systems, increasing the chances of successful malware deployment and persistence. The misuse of EDRSilencer highlights a broader trend among ransomware groups who increasingly utilize sophisticated methods to neutralize antivirus and EDR defenses. Additional advanced EDR-killing tools like AuKill and TrueSightKiller are also mentioned, underlining their evolving tactics to remain undetectable. Trend Micro emphasizes the growing sophistication of threat actors in adapting their techniques beyond traditional security detections. The strategic implementation of WFP rules to dynamically target and disrupt security processes marks a significant escalation in cyber threats, requiring enhanced defense strategies.