Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11837

Checks for new stories every ~15 minutes

2024-07-26 04:14:12 thehackernews MALWARE Critical Vulnerability in Telerik Report Server Allows Remote Code Execution
Progress Software has disclosed a critical remote code execution vulnerability in Telerik Report Server and urges customers to update to mitigate the risk. The flaw, tracked as CVE-2024-6327 with a CVSS score of 9.9, affects versions up to 2024 Q2 (10.1.24.514). Attackers can exploit the vulnerability via insecure deserialization, allowing them to execute unauthorized commands remotely. The vulnerability has been fixed in version 10.1.24.709 of the software. As an interim safety measure, changing the user for the Report Server Application Pool to one with restricted permissions is recommended. Administrators are advised to verify their server's vulnerability status by following the checking procedure outlined by Progress Software. This announcement follows a recent patch for another severe vulnerability in the same Telerik software that permitted authentication bypass and unauthorized administrator account creation.
2024-07-26 03:02:55 theregister NATION STATE ACTIVITY North Korean National Charged for Global Cyber Extortion Scheme
The US Department of Justice has indicted North Korean national Rim Jong Hyok for conducting ransomware attacks on US healthcare providers and NASA. Rim used malware from North Korea’s military intelligence agency, the Reconnaissance General Bureau, for these cyber attacks. The indictment alleges that ransom proceeds were laundered in China and used to fund further international cyber intrusions, including attacks on defense and government entities. Andariel, the group Rim is associated with, has targeted systems worldwide, including defense companies in the US and South Korea and a Chinese energy firm. Microsoft and Mandiant reports describe Andariel's sophisticated use of custom malware and its exploitation of vulnerabilities in widely used software. Approximately $114,000 in cryptocurrency related to the ransomware attacks has been seized by the FBI. The US government has offered a $10 million reward for information leading to Rim’s capture, although his current whereabouts are unknown.
2024-07-26 01:36:24 theregister MALWARE Malware Network Exploits 3000 GitHub Accounts to Distribute Malware
Researchers at Check Point Software uncovered over 3,000 GitHub accounts forming the "Stargazer Ghost Network" used for distributing malware. The network, operated by "Stargazer Goblin," targets gamers, malware researchers, and other cybercriminals, employing innovative phishing tactics without using emails. Stargazer Goblin uses platforms like Discord to lure victims with links aiming to increase social media followers, leading them to malicious GitHub repositories. These GitHub accounts appear legitimate, some even verified, but harbor dangerous links within README.md files that facilitate malware distribution. The network's structure allows for quick replacement of banned accounts and repositories, likely automated, ensuring continuity in their malware distribution efforts. In a recent campaign, the network successfully distributed the Atlantida stealer malware, achieving over 1,300 infections in just four days. Another campaign spread the Rhadamanthys malware across repositories, attracting over a thousand downloads in two weeks by masquerading as cracked software and crypto tools. Check Point estimates the malware operations on GitHub alone have generated approximately $100,000 over the past year.
2024-07-26 00:40:08 theregister MISCELLANEOUS CrowdStrike Update Causes Billions in Global Financial Losses
CrowdStrike's recent software update resulted in a shutdown of millions of Windows computers, with projected global financial losses possibly reaching billions. US Fortune 500 companies were significantly impacted, sustaining an estimated $5.4 billion in financial damage. Microsoft, a key player, was not included in this loss assessment. Insurance payouts for these losses are expected to cover only 10% to 20% for Fortune 500 companies, due to high risk retentions and low policy limits. Specific sectors like retail and IT lost around $500 million each, while airlines and the banking and healthcare sectors faced the highest losses, with airlines alone losing approximately $860 million. The effects varied by company size and industry, with CyberCube estimating a $15 billion loss worldwide, and noting that smaller companies might receive even less insurance compensation, about 3% to 10%. Despite the financial impact, CrowdStrike is attempting to mitigate the situation with actions like offering $10 Uber Eats gift codes to partners and support teams, though this gesture faced issues with redemption flagged as potential fraud. As of the latest update from CrowdStrike's CEO, 97% of the affected Windows systems have been restored to functionality.
2024-07-25 22:32:50 theregister MALWARE Fake CrowdStrike Domains Used to Distribute Lumma Malware
Malicious actors are exploiting CrowdStrike's brand in a phishing scheme to distribute the Lumma infostealing malware. The malware targets and steals sensitive information such as online banking and cryptocurrency wallet credentials and login details for various services. The scam surfaced shortly after a CrowdStrike update caused disruptions for 8.5 million Windows users, a situation cybercriminals leveraged to promote a fake recovery tool. CrowdStrike Intelligence links the fake domain involved in this campaign to earlier phishing attacks conducted by the same threat actor group. The attackers employ social engineering tactics such as phishing emails followed by fake support calls to deliver and execute the malware. The loader evades detection by terminating if antivirus software is detected; otherwise it installs the Lumma stealer using a decoy installer. Infected systems carried a file called WidowsSystem-update[.]msi disguised as a Microsoft Installer package, which ultimately executed the malware. CrowdStrike confirms that 97% of systems affected by the faulty update are now restored, highlighting quick remedial action.
2024-07-25 21:46:49 bleepingcomputer MALWARE Critical Firmware Security Flaw Exposes Hundreds of UEFI Devices
The PKfail security issue allows Secure Boot to be bypassed, enabling UEFI malware installation on vulnerable devices. The Binarly Research Team identified hundreds of UEFI products from top vendors like Dell, HP, and Intel that are affected due to the misuse of a test master key marked "DO NOT TRUST." The incorrect use of this Platform Key (PK) by device vendors has resulted in 813 affected products that fail to maintain a secure boot environment. Recent supply chain security breaches include leaked private keys from Intel Boot Guard, impacting multiple vendors, and an earlier leak from MSI exposing source code and signing keys. The PKfail vulnerability persists across enterprise devices, with the first reported case in 2012 and new vulnerable devices still being identified as of June 2024. Attackers exploiting this vulnerability can manipulate key databases to sign malicious UEFI code and break the firmware-to-OS security chain. Mitigation recommendations include proper key management using Hardware Security Modules and prompt application of firmware updates. Binarly has launched a website, pk.fail, where users can scan firmware to identify vulnerabilities and potential malicious payloads.
2024-07-25 21:00:51 bleepingcomputer DATA BREACH ServiceNow RCE Flaws Exploited, Multiple Agencies Compromised
Threat actors are exploiting critical ServiceNow RCE flaws, compromising various sectors including government and energy. ServiceNow issued fixes for these critical vulnerabilities on July 10, 2024, which include a high-risk input validation flaw that allows unauthenticated remote code execution. Despite the release of patches, tens of thousands of systems remain at risk, with nearly 300,000 ServiceNow instances exposed online. Attackers use publicly available exploits to chain vulnerabilities, allowing them to access databases and extract sensitive data such as user credentials. Resecurity observed active exploitation shortly after the vulnerabilities and associated exploits were publicized. Some instances exposed plaintext credentials, heightening the risk and potential impact of these breaches. Cybercriminals are showing heightened interest in these vulnerabilities on underground forums, particularly focusing on infiltrating IT service desks and corporate portals. ServiceNow has urged all users to apply the available patches immediately to mitigate the risk of exploitation.
2024-07-25 19:54:27 theregister DATA BREACH Security Flaws in GitHub Expose Risks in Deleted Repo Data
Researchers from Truffle Security discovered that deleted GitHub repositories may still expose data due to Cross Fork Object Reference (CFOR) vulnerabilities. Deleted or forked repository data, including sensitive information like API keys, can still be accessed post-deletion. GitHub recognizes this behavior as an intentional design decision, framing it as a feature rather than a security flaw. An example highlighted involved a tech company that deleted a repository containing a sensitive private key, which remained accessible through a previously created fork. Truffle Security's test on public repos from major AI firms uncovered 40 valid API keys from deleted forks. The issue stems from 'dangling commits': data entries that remain accessible within GitHub's architecture even after their deletion in the user interface. Despite the potential risks, a GitHub spokesperson reiterated that this behavior is by design and documented, suggesting that it is an expected consequence of how fork networks operate. Truffle Security suggests that GitHub should modify its handling of forked repository data to enhance user privacy and data security.
2024-07-25 17:21:25 theregister NATION STATE ACTIVITY U.S. Citizen Charged with Espionage for China Spanning Decades
The U.S. Department of Justice has indicted Ping Li, a 59-year-old U.S. citizen of Chinese descent, for allegedly spying on behalf of China since at least 2012. Li, who resided in Wesley Chapel, Florida, worked for a major U.S. telecommunications company and an international IT firm, relaying sensitive information to China’s Ministry of State Security (MSS). The indictment details Li's involvement in gathering data on a variety of subjects, including information on U.S. cyberattacks linked to state-sponsored groups in China, and details about banned religious groups like Falun Gong. Li is accused of complying with MSS directives swiftly, providing biographical details of individuals and corporate information shortly after receiving orders. He reportedly used anonymous online accounts for communication and traveled to China to meet with MSS personnel directly. The activities span diverse espionage efforts, from collecting trade secrets to detailed intelligence about U.S.-based dissidents, emphasizing China's broad intelligence-gathering tactics, which extend even to its former citizens now in the U.S.
2024-07-25 17:21:24 bleepingcomputer NATION STATE ACTIVITY U.S. Offers $10M Reward for North Korean Hacker in Ransomware Scheme
The U.S. State Department is offering up to $10 million for information leading to North Korean hacker Rim Jong Hyok. Rim Jong Hyok, linked to the Andariel hacking group, is implicated in the Maui ransomware attacks on U.S. infrastructure and healthcare. Hyok faces charges including conspiracy to commit computer hacking and money laundering in the U.S. The attacks have affected U.S. Air Force bases, healthcare providers, defense contractors, and NASA’s Office of Inspector General. The ransomware encrypted essential systems in healthcare, disrupting services and extorting ransom to fund further malicious activities. Andariel is also believed to have stolen military and sensitive information valuable to North Korea's nuclear and defense endeavors. A joint advisory was issued by CISA and the FBI, highlighting ongoing threats from Andariel to global industry sectors. Information about Andariel can be reported through a dedicated Tor SecureDrop server set up by the State Department.
2024-07-25 16:55:40 bleepingcomputer CYBERCRIME Meta Dismantles Large Sextortion Ring on Instagram
Meta has eliminated 63,000 Instagram accounts based in Nigeria involved in large-scale sextortion scams. The operation included a tightly organized network of 2,500 accounts managed by 20 individuals targeting American men. These Instagram accounts were part of a broader cybercrime group known as ‘Yahoo Boys,’ also responsible for coordinating scams via 1,300 Facebook accounts, 200 Pages, and 5,700 Groups. The social media giant has implemented advanced measures to prevent the scammers from creating new accounts, enhancing their capability to block suspicious activities. Sextortion, the central crime committed by these accounts, involves coercing victims into sending private images and then demanding payment under threats of public exposure. Meta has intensified its effort to detect and disable such fraudulent accounts using a combination of human investigations and new technical signals. The FBI notes an upsurge in sextortion crimes, especially targeting young males, with some instances leading to severe emotional distress or suicidal actions. Victims are urged to report incidents of sextortion to the FBI and seek guidance on how to handle such extortion schemes effectively.
2024-07-25 15:49:06 bleepingcomputer MALWARE Critical Remote Code Execution Vulnerability in Telerik Report Server
Progress Software has issued a warning to patch a critical remote code execution flaw in Telerik Report Server. The vulnerability, tracked as CVE-2024-6327, allows attackers to execute remote code on unpatched servers. It affects all versions up to 2024 Q2 (10.1.24.514) and is addressed in a patch released in version 2024 Q2 (10.1.24.709). Progress advises updating to Report Server 2024 Q2 (10.1.24.709) or later to eliminate the risk. Temporary mitigation involves changing the Report Server Application Pool user to one with limited permissions. Previous instances show other Telerik vulnerabilities have been exploited by attackers, notably by foreign threat groups. A proof-of-concept exploit has been developed targeting similar vulnerabilities in Telerik Report servers, indicating the critical nature of the issue.
2024-07-25 15:28:27 bleepingcomputer MALWARE French Police Deploy Solution to Wipe Out PlugX Malware Nationally
French police, in collaboration with Europol, are deploying a self-deleting program to remove the PlugX malware from infected devices in France. This cleanup action is led by the French National Gendarmerie's Center for the Fight Against Digital Crime (C3N) with help from the cybersecurity firm Sekoia. The PlugX malware, commonly linked to Chinese cyber espionage, is being remotely removed from systems through a sinkholed command and control server. Sekoia had previously taken control of the command server for a botnet variant of PlugX, which had infected approximately 2.5 million devices. Sekoia developed a disinfection solution that issues a self-deletion command to infected devices and shared it with French authorities ahead of the Paris 2024 Olympic Games. The cleanup operation began on July 18, 2024, targeting not only France but also other European countries such as Malta and Austria, and is set to continue for several months. Potential complications include legal challenges linked to the deployment of Sekoia's solution, due to concerns over unauthorized access and possible data loss from infected USB drives.
2024-07-25 14:11:53 thehackernews NATION STATE ACTIVITY North Korean APT45 Shifts Focus to Ransomware and Financial Cybercrimes
North Korean threat group APT45, historically linked to espionage, now engages in ransomware attacks to support financial motives. Tracked under various aliases including Andariel and Nickel Hyatt, APT45 has targeted critical infrastructure in South Korea, Japan, and the U.S. Ransomware strains deployed by APT45 include SHATTEREDGLASS and Maui, documented in global cybercrime incidents in 2021 and 2022. The group utilizes tools like the Dtrack backdoor, previously used against India's Kudankulam Nuclear Power Plant in 2019. APT45's activities, supported by North Korea's premier military intelligence, the Reconnaissance General Bureau, align with the regime's shifting geopolitical priorities. Mandiant’s insights reveal APT45’s role in generating funds not only for operational sustenance but also for broader North Korean state objectives. The case of a North Korean IT worker using stolen identity for employment at US-based KnowBe4 highlights North Korea's sophisticated use of identity theft and remote systems to infiltrate foreign companies.
2024-07-25 13:51:09 theregister MALWARE Critical Docker Vulnerability Unpatched for Five Years
Docker has disclosed a critical vulnerability, CVE-2024-41110, impacting Docker Engine versions since 2019; it had originally been patched in early 2019, but the fix was mistakenly not carried over to later releases. The vulnerability arises from the mishandling of authorization plugins (AuthZ) in Docker, where a specially crafted API request with a body content length of zero bypasses the normal authorization checks, potentially allowing unauthorized command execution. Exploitation requires only low-privilege access and no user interaction; Docker assesses the attack complexity as low and the potential impact on system confidentiality, integrity, and availability as high. The National Vulnerability Database rates the severity of this vulnerability at 9.9 out of 10, indicating a near-maximum threat, while a separate assessment by the Moby project gives it a perfect score of 10. Affected Docker Engine versions include all releases from 19.03 onward; users are advised to upgrade to v23.0.14 or v27.1.0 (or later) to mitigate the risk. Docker Desktop is also affected, although a fix (v4.33) is pending, and the impact is deemed less severe due to the default configuration and the limited scope of potential privilege escalation within the Docker Desktop VM. Docker emphasizes that the vulnerability affects only setups using AuthZ plugins; systems not using these plugins or running Mirantis Container Runtime are not vulnerable.