Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-10-02 13:04:21 | thehackernews | CYBERCRIME | Over 700,000 DrayTek Routers Vulnerable to Critical Flaws | Over 700,000 DrayTek routers globally are susceptible to 14 newly identified security vulnerabilities. Critical issues include a buffer overflow and OS command injection, which could allow remote code execution or a DoS attack. The vulnerabilities mainly affect the router's Web UI, which is publicly accessible over the internet. The majority of vulnerable devices are in the U.S., with significant numbers also in Vietnam, the Netherlands, Taiwan, and Australia. DrayTek has released patches for all identified security flaws, including those affecting end-of-life models. Forescout advises disabling remote access if not required, implementing ACLs, and using two-factor authentication to mitigate risks. This situation underscores broader international concerns about securing operational technology, as emphasized in joint guidance from cybersecurity agencies of various nations. |
| 2024-10-02 13:04:21 | bleepingcomputer | MALWARE | DrayTek Routers Fixed to Address Critical Security Vulnerabilities | DrayTek has issued updates for multiple router models to mitigate 14 security vulnerabilities, including a severe remote code execution flaw rated at the highest severity level (CVSS score of 10). The patches cover both currently supported models and those that are no longer actively supported, due to the critical nature of the issues discovered. Approximately 785,000 DrayTek routers are potentially at risk, with over 704,500 routers discovered to have their web interfaces exposed to the internet. The vulnerabilities mainly include medium-severity issues such as buffer overflows and cross-site scripting, but five of these vulnerabilities are considered high-risk and require urgent remediation. No active exploits of these vulnerabilities have been reported as of now; detailed technical findings have been temporarily withheld to allow users time to secure their devices. DrayTek users are urged to download the most recent firmware for their devices from the official DrayTek portal and to ensure that remote access features are disabled to prevent unauthorized access. The security flaws impact 24 different router models, including 11 models that have already reached end-of-life but are still in use, highlighting ongoing risks in legacy systems. |
| 2024-10-02 12:33:24 | theregister | MISCELLANEOUS | NIST Struggles with Security Flaw Backlog, Misses Deadline | NIST failed to meet its self-imposed deadline to clear its backlog of security vulnerabilities in the National Vulnerability Database (NVD). As of September 21, the NVD had 18,358 unprocessed CVEs, equivalent to 72.4% of newly reported vulnerabilities. Despite some progress following the hiring of an outside consultancy, a significant amount of work remains to process and publish these CVEs. The backlog's persistence poses heightened risks in the cybersecurity landscape, hindering organizational visibility into potential threats. The U.S. agency's slowed processing speeds impact organizations globally, affecting security processes and increasing vulnerability exploitation risks. Alternative resources like CISA's Vulnrichment project provide some relief by offering independent CVSS scores and data on CVE-tagged bugs. The backlog also notably impacts the open source community and other entities reliant on timely NVD data for security operations. |
| 2024-10-02 12:17:27 | thehackernews | CYBERCRIME | CosmicSting Exploit Targets Adobe Commerce and Magento Stores | Cybersecurity researchers revealed that 5% of Adobe Commerce and Magento stores were compromised through exploitation of the CosmicSting vulnerability. CVE-2024-34102, a critical XXE vulnerability in Adobe Commerce platforms, enables unauthorized remote code execution. Adobe addressed the vulnerability in a June 2024 update; however, attacks have continued, compromising 3-5 stores per hour. Attackers exploit the vulnerability to steal encryption keys and manipulate the Magento REST API to inject malicious scripts. Chaining the flaw with the CNEXT vulnerability (CVE-2024-2961) further enables threat actors to perform remote code execution. Compromised sites were leveraged to install persistent backdoors and script injections for stealing payment information. Major companies such as Ray-Ban and Cisco reported being affected by this vulnerability. Security experts recommend updating to the latest software versions and rotating encryption keys to mitigate risks. |
| 2024-10-02 11:00:32 | thehackernews | MALWARE | Enhancing Malware Analysis with ANY.RUN's Dynamic Tools | Dynamic malware analysis is crucial for investigating threats by executing malware in a controlled environment. Interactivity in sandboxes like ANY.RUN allows real-time interaction with malware to observe behavior and trigger specific actions. The ANY.RUN sandbox enables extraction of IOCs, capturing malware communication details such as C2 server addresses and encryption keys. The MITRE ATT&CK framework integrated in ANY.RUN helps in mapping attacker strategies and bolstering organizational defenses. Network traffic analysis in the ANY.RUN sandbox detects malicious activities and aids in comprehensive network inspection. Advanced process analysis features in the sandbox assist in monitoring malware processes, which is vital for understanding their impact and flow. The ANY.RUN sandbox also supports analysis of fileless malware by tracking scripts and registry changes to identify stealthy and persistent threats. ANY.RUN offers a 14-day free trial, allowing organizations to test its capabilities in enhancing security measures. |
| 2024-10-02 10:54:53 | theregister | CYBERCRIME | Critical Zimbra Mail Server Vulnerability Exploited Rapidly After Disclosure | A critical remote code execution vulnerability in Zimbra mail servers (CVE-2024-45519) is being actively exploited. The vulnerability was publicly disclosed on September 27, with attacks beginning just a day after. Attackers are exploiting inadequate user input sanitization in Zimbra's postjournal library, allowing them to spoof email CC fields with malicious code. Successful exploitation could lead to unauthorized access, privilege escalation, and compromise of system integrity and confidentiality. The vulnerability can be exploited remotely on specific ports, and patching affected systems is urgently recommended. The identity and motives of the attackers remain unknown; however, they are deploying web shells on compromised servers for further malicious activities. Alan Li, a computer science graduate student, initially reported the flaw, which has yet to receive a severity score from Zimbra. The National Vulnerability Database faces challenges, including a significant backlog, which impedes the timely analysis of new vulnerabilities. |
| 2024-10-02 10:03:49 | thehackernews | NATION STATE ACTIVITY | North Korean Andariel Group Targets U.S. Financial Sector | North Korean state-sponsored group Andariel targeted three U.S. organizations in August 2024, focusing on financial gain rather than deploying ransomware. Andariel, linked to the infamous Lazarus Group and active since 2009, used tools like Dtrack and a new backdoor, Nukebot. The U.S. Department of Justice indicted a North Korean operative in July 2024 for previous ransomware attacks against healthcare facilities, alleging the funds were used for further cyber intrusions worldwide. The attackers utilized known security vulnerabilities in internet-facing applications for initial access and employed a range of public tools such as Mimikatz and Sliver. A deceptive practice observed was the use of an invalid certificate impersonating Tableau software to sign tools, as previously reported by Microsoft. Despite shifting to more espionage-focused activities since 2019, Andariel recently reverted to financially motivated attacks, continually attempting extortion schemes against U.S. organizations. A separate report noted a related North Korean cyber-attack on German defense manufacturer Diehl Defense, showcasing the persistent and global threat posed by these actors. |
| 2024-10-02 07:40:51 | theregister | MISCELLANEOUS | Webinar on Protecting IP and Data in Enterprise AI Deployments | Nutanix is to host a webinar focused on securing intellectual property (IP) within AI systems. The event is scheduled for October 2nd at 12PM ET, targeting IT leaders and AI developers. The discussion will cover best practices for AI deployment and robust data protection strategies. Key topics include preventing IP exposure and managing security within AI model updates. The session aims to help enterprises balance innovation with critical data protection. It emphasizes safeguarding sensitive data against unauthorized access in complex AI workflows. Registration is available for those seeking to enhance AI security measures in their organizations. |
| 2024-10-02 06:34:04 | theregister | CYBERCRIME | Study Reveals Significant Flaws in Key Internet Security Protocol | A recent preprint paper highlights serious vulnerabilities within the Resource Public Key Infrastructure (RPKI) protocol, including issues like persistent DoS attacks, authentication bypasses, and cache poisoning. Despite the White House integrating RPKI into its roadmap for improving internet routing security, researchers found that the protocol is still immature, with significant security and operational challenges. The study documented at least 53 disclosed vulnerabilities in RPKI software packages, many of which were promptly fixed, yet the issues raise concerns about overall resilience and potential undiscovered vulnerabilities. Researchers also expressed concerns about the scalability of RPKI and potential misconfigurations due to a lack of automated patching tools in current deployments. The paper discusses the possibility of remote code execution attacks and the risk of supply chain attacks embedding backdoors into open-source RPKI components. It is estimated that 41.2 percent of RPKI users are vulnerable to attacks that have been known for some time. Despite these serious concerns, the researchers are optimistic about future improvements to RPKI and suggest using their findings to advance the protocol's development toward better security and reliability. |
| 2024-10-02 06:08:27 | thehackernews | MALWARE | Active Exploitation of Critical Security Flaw in Zimbra Servers | Cybersecurity researchers from Proofpoint have reported active attacks targeting a critical flaw in Zimbra Collaboration by Synacor, tracked as CVE-2024-45519. The vulnerability allows unauthenticated attackers to execute arbitrary commands through unsanitized input in Zimbra's postjournal service. Attackers are sending specially crafted emails with Base64 encoded strings in CC fields, which execute commands if processed by vulnerable servers. Patches for the vulnerability have been released in multiple Zimbra versions as of early September 2024, following its discovery by researcher Alan Li. For systems where the patch cannot be quickly applied, removing the postjournal binary is recommended as a temporary safety measure. Attackers deploy web shells on compromised servers, enabling them to execute commands remotely and potentially download further malicious payloads. No specific threat actor has been linked to these attacks, although exploitation began shortly after the technical details were made public by Project Discovery. |
| 2024-10-02 05:32:35 | thehackernews | MALWARE | Malicious Crypto Wallet Recovery Tools Uncovered on PyPI | A series of malicious packages was discovered in the Python Package Index (PyPI), pretending to aid in cryptocurrency wallet recovery while actually stealing user data. The affected wallets included major players like Atomic, Trust Wallet, Metamask, and others, with the packages designed to extract private keys and mnemonic phrases. These deceptive packages lured developers by mimicking genuine cryptocurrency management functionality and boasted inflated download statistics to appear legitimate. The malicious activity involved specific packages with dependencies like cipherbcryptors and ccl_leveldbases, which helped in executing the harmful code and obscuring its purpose. Unlike typical malware, these packages only triggered their malicious functions under certain conditions, not immediately upon installation. Data stolen by the malware was sent to a remote server, with the server address dynamically retrieved through external resources, complicating efforts to trace the attackers. This discovery highlights ongoing security threats within the cryptocurrency community and emphasizes the need for cautious handling of open-source software and continuous security monitoring. This incident is part of a broader trend of sophisticated attacks targeting cryptocurrency users, including previous scams involving fake social media videos and deceptive apps. |
| 2024-10-01 22:33:56 | bleepingcomputer | CYBERCRIME | Arc Browser Initiates Bug Bounty After Critical Flaw Fix | Arc has launched a Bug Bounty Program to enhance security by rewarding reported vulnerabilities. This follows the discovery of a severe remote code execution bug, CVE-2024-45489, which allowed the execution of arbitrary code via modified user customizations. The flaw was exploited through the "Boosts" feature, enabling malicious JavaScript execution across user sessions. The vulnerability was promptly remedied following its disclosure on August 25, 2024, with the researcher receiving a $2,000 reward. The bounty program extends to Arc on macOS, Windows, and Arc Search on iOS, with rewards varying based on the severity of the vulnerabilities. Version 1.61.2 of Arc has disabled auto-syncing of Boosts, added a toggle for disabling related features, and is undergoing an external audit. Enhanced security measures include new coding guidelines, improvements to the incident response process, and the hiring of additional security personnel. Despite its recent introduction, Arc browser has rapidly gained users due to features like effective design, customization options, and an integrated ad blocker. |
| 2024-10-01 19:30:27 | bleepingcomputer | DATA BREACH | Rackspace Customer Data Exposed in Third-Party Tool Hack | Rackspace experienced a data breach due to a zero-day vulnerability in a third-party tool used within ScienceLogic SL1, impacting "limited" customer monitoring data. ScienceLogic developed and distributed a patch promptly to all affected customers to address the vulnerability, found in a non-ScienceLogic third-party utility included in the SL1 package. The vulnerability was disclosed by a user on the social platform X, identifying an exploit in the hosting provider's ScienceLogic EM7 that resulted in access to three Rackspace monitoring web servers. The breach allowed hackers to access customer account information, usernames, device IDs and information, IP addresses, and AES256 encrypted internal device agent credentials. Rackspace informed customers and rotated encrypted credentials as a precaution, stating that customers need not take further action. The exposed data, including IP addresses, could potentially be used for DDoS attacks or further malicious activities. The full extent of the impact remains unclear, as Rackspace has not disclosed the total number of affected customers nor has it responded to further inquiries from the media. |
| 2024-10-01 17:36:44 | theregister | CYBERCRIME | Major Arrests Made in LockBit Ransomware Global Police Operation | European police arrested four individuals tied to the LockBit ransomware group, which had already been significantly weakened by February's disruption operation. A suspected LockBit developer was captured while on holiday in a country with an extradition agreement with France, showcasing international law enforcement collaboration. Arrests included suspected affiliates and a key player in bulletproof hosting in Spain, crucial for facilitating LockBit's operations. Authorities seized nine servers belonging to LockBit infrastructure, gaining crucial data to prosecute core members and affiliates. Investigations revealed that LockBit kept stolen data after ransom payments, refuting claims by ransomware operators that such data is deleted. Operation Cronos took control of LockBit's blog, using it for updates and to tarnish the group's operational integrity. Despite the progress, challenges remain in prosecuting many members, with some indicted individuals still at large. |
| 2024-10-01 17:31:22 | bleepingcomputer | RANSOMWARE | Ransomware Attack Disrupts UMC Health System Operations | Texas-based UMC Health System was hit by a ransomware attack, causing significant operational disruptions. The attack forced the diversion of all emergency and non-emergency cases to alternate locations. UMC Health, which operates 30 clinics and serves 400,000 patients annually, is working to mitigate the impact on patient care. Critical departments like radiology are facing closures or delays, and prescription lists are currently inaccessible. The hospital's IT systems are offline, preventing the printing of medical records, but they remain accessible via the patient portal. Communication is uncertain, with the health system advising patients in need of immediate assistance to visit clinics in person. The perpetrators of the ransomware attack have not yet been identified, and no group has claimed responsibility. UMC is conducting an ongoing investigation into the attack and promises to provide further updates as information becomes available. |