Daily Brief

Generated summaries of recently collected articles, newest first.
2024-07-19 07:15:57 thehackernews MALWARE SolarWinds Fixes Critical Vulnerabilities in ARM Software
SolarWinds has patched 13 security vulnerabilities in its Access Rights Manager (ARM) software, eight of them rated Critical with a CVSS score of 9.6. The critical flaws could let an attacker read and delete files and execute code with elevated privileges. The remaining five are rated High; four carry a CVSS score of 7.6 and one scores 8.3. Exploitation could expose sensitive information and hand an attacker control of the affected system. The fixes shipped in ARM version 2024.3 on July 17, 2024, following responsible disclosure through Trend Micro's Zero Day Initiative. Separately, a high-severity path traversal flaw in SolarWinds Serv-U was added to CISA's Known Exploited Vulnerabilities (KEV) catalog because it is being exploited in the wild. The update follows the company's 2020 supply chain compromise, attributed to Russian state-backed hackers.
2024-07-19 06:50:13 theregister MISCELLANEOUS CrowdStrike Update Causes Global Windows System Crashes
A faulty CrowdStrike update is causing widespread disruption: Windows 10 PCs around the globe are crashing with a Blue Screen of Death (BSOD) and entering a reboot loop instead of recovering. Affected users have traced the crash to csagent.sys, a kernel driver that is part of the Falcon Sensor. A customer-only advisory indicates CrowdStrike is aware of the problem, which it describes as affecting the Falcon Sensor on Windows hosts, and its engineering teams are working on a fix. The outage has taken down critical services across many organizations, a reminder of how much damage a bad update to a kernel-level endpoint agent can do.
2024-07-19 06:02:24 theregister NATION STATE ACTIVITY North Korea Suspected in $230 Million Crypto Exchange Heist
North Korean operatives are likely behind the cyber attack on Indian crypto exchange WazirX, which lost more than $230 million. The attackers exploited weaknesses in WazirX's multi-signature wallet setup, bypassing the layers of approval meant to protect it. After the attack WazirX halted all crypto withdrawals to prevent further losses and moved to block certain deposits. Blockchain analytics firms, including UK-based Elliptic, have traced the stolen funds and report that the perpetrators are converting them into Ether through decentralized services. North Korea has a long record of such thefts, which fund its nuclear program and Kim Jong Un's regime while evading international sanctions. WazirX, which has a large user base and was once owned by Binance, faces ownership disputes and regulatory trouble, including previous sanctions and fines. The incident has renewed calls for clear cryptocurrency regulation in India, with stronger security standards and accountability for exchanges.
2024-07-19 05:15:46 theregister NATION STATE ACTIVITY China Accuses US of Fabricating Cyber Gang for Misinformation
China claims that Volt Typhoon, the cyber gang US agencies attribute to Beijing, is an invention of the US intelligence community intended to misinform and manipulate public opinion. According to a Chinese report, the campaign was orchestrated by the NSA, the FBI and other US departments together with the other Five Eyes nations, with the aim of renewing support for the controversial Section 702 warrantless surveillance authority. The report, endorsed by China's National Computer Virus Emergency Response Center and other agencies, alleges that the campaign directly targeted American citizens and criticizes the US for expanding domestic surveillance powers under the pretext of foreign threats. China casts itself as a victim of US cyber imperialism, pointing to past revelations such as the CIA hacking tools exposed in WikiLeaks' Vault 7 release, and calls for international awareness of and caution toward US hegemony in cyberspace.
2024-07-19 04:09:11 thehackernews DATA BREACH WazirX Cryptocurrency Exchange Hacked, Loses $230 Million
WazirX, an Indian cryptocurrency exchange, has confirmed a security breach in which about $230 million in crypto assets was stolen. The attack targeted one of its multi-signature wallets, managed through the digital asset custody and wallet services of Liminal. Liminal said the attack exploited a discrepancy between what its interface displayed and the payload that was actually signed, so the signers approved a transaction that handed the attacker control of the wallet. Liminal says WazirX's other wallets on its platform remain secure. Blockchain analytics firm Elliptic and researcher ZachXBT said the attack bears the hallmarks of a North Korean group, likely Lazarus, and the stolen funds were reportedly swapped into Ether via decentralized services to obscure the trail. The theft fits a broader pattern of North Korean actors targeting the cryptocurrency sector to evade international sanctions and fund the country's nuclear weapons program.
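The "displayed versus signed" discrepancy is the core of this story, so here is an added illustration (not Liminal's or WazirX's code) of the check a signer-side client should enforce: rebuild the digest from the fields the interface displays and refuse to sign any other digest. The transaction fields, signer keys and the HMAC stand-in for a real signature scheme are all assumptions made for the example.

```python
"""Local 'what you see is what you sign' check for a multisig approval flow.

Added example, not Liminal's or WazirX's code. It models the failure mode in
the story: each signer is shown a human-readable transaction but signs a
digest handed to them by the interface. If that digest belongs to a different
payload, a full quorum can approve something none of them saw. The defence is
to rebuild the digest locally from the displayed fields and refuse to sign any
other digest. HMAC stands in for a real signature scheme (an assumption); the
check, not the primitive, is the point.
"""
import hashlib
import hmac
import json


def canonical_digest(tx: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so every
    signer derives identical bytes from identical displayed fields."""
    data = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, digest_hex: str) -> str:
    """Stand-in signature: HMAC-SHA256 of the digest under the signer's key."""
    return hmac.new(key, bytes.fromhex(digest_hex), hashlib.sha256).hexdigest()


def approve(key: bytes, displayed_tx: dict, proposed_digest: str):
    """Sign only if the digest the interface wants signed equals the digest of
    the transaction the interface displayed. Returns None on mismatch."""
    expected = canonical_digest(displayed_tx)
    if not hmac.compare_digest(expected, proposed_digest):
        return None
    return sign(key, expected)


def collect(signer_keys, displayed_tx: dict, proposed_digest: str,
            threshold: int, verify_locally: bool = True) -> bool:
    """Run the quorum. With verify_locally=False every signer blindly signs the
    digest the interface supplies, which is the behaviour that lets a swapped
    payload reach threshold."""
    signatures = []
    for key in signer_keys:
        if verify_locally:
            sig = approve(key, displayed_tx, proposed_digest)
        else:
            sig = sign(key, proposed_digest)
        if sig is not None:
            signatures.append(sig)
    return len(signatures) >= threshold


# Constructed sample data (not real addresses, calldata or keys).
DISPLAYED = {"to": "0xRecipientExample", "value": "1000000", "nonce": 42, "data": ""}
# A different payload, e.g. a contract upgrade call that hands control elsewhere.
TAMPERED = {"to": "0xWalletContractExample", "value": "0", "nonce": 42,
            "data": "0xupgradeTo(attacker)"}
SIGNERS = [b"signer-1-test-key", b"signer-2-test-key", b"signer-3-test-key"]


def demo():
    """Returns (honest_ok, blind_signing_reaches_quorum, local_check_blocks)."""
    honest = collect(SIGNERS, DISPLAYED, canonical_digest(DISPLAYED), 2)
    blind = collect(SIGNERS, DISPLAYED, canonical_digest(TAMPERED), 2,
                    verify_locally=False)
    checked = collect(SIGNERS, DISPLAYED, canonical_digest(TAMPERED), 2)
    return honest, blind, not checked


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The blind-signing path reaches the 2-of-3 threshold on the tampered digest because every signer trusts the interface; the local check yields zero signatures. In a real deployment the same idea applies to hardware signers: the device must render the decoded transaction itself and sign the hash it computed, never a hash pushed to it by a web front end.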
2024-07-18 21:32:27 bleepingcomputer MALWARE Revolver Rabbit Gang Utilizes Over 500,000 Domains for Malware Distribution
Revolver Rabbit, a cybercriminal gang, has registered over 500,000 domains to propagate infostealer malware affecting Windows and macOS systems. The gang utilizes registered domain generation algorithms (RDGAs) to automate the mass registration of domain names for use in command and control server setups. These RDGAs are private and complex, making it tough for security researchers to crack the patterns used for domain generation, unlike the more commonly known DGAs. The domains are primarily under the .BOND top-level domain and are used to orchestrate phishing campaigns and malware infections using the XLoader malware, a successor to Formbook. Infoblox, a DNS security company, has tracked and studied the scale of Revolver Rabbit's operation, citing an investment of close to $1 million by the group in domain registrations. Through detailed analysis, Infoblox highlighted a typical RDGA pattern characterized by dictionary words followed by numbers, aiding in monitoring and potentially countering some of Revolver Rabbit's activities. The discovery underscores the increasingly sophisticated methods and significant financial investments criminal groups are willing to undertake to facilitate large-scale cyber threats.
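The RDGA naming pattern Infoblox describes (dictionary words joined by hyphens, then a trailing number, under .bond) is something a SOC can turn into a triage rule against DNS query logs. The following is an added example, not Infoblox's tooling and not the group's actual algorithm; the log format, query names and client addresses are constructed for the example.

```python
"""Heuristic triage of DNS query logs for Revolver Rabbit-style RDGA names.

Added example, not Infoblox's tooling. It encodes the pattern described above:
one or more dictionary-style words joined by hyphens, a short trailing token
containing digits, under the .bond TLD. The log format and all query names are
constructed for this example. Treat hits as a triage signal, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simple key=value query-log format (not real data).
SAMPLE_LOG = [
    "2024-07-18T20:01:02Z client=10.0.0.12 q=usa-online-degree-29o.bond type=A",
    "2024-07-18T20:01:05Z client=10.0.0.12 q=bitcoin-security-tip-2711.bond type=A",
    "2024-07-18T20:01:09Z client=10.0.0.44 q=www.example.com type=A",
    "2024-07-18T20:01:11Z client=10.0.0.12 q=Cheap-Car-Insurance-8v.BOND type=A",
    "2024-07-18T20:01:15Z client=10.0.0.9 q=mail.example.org type=MX",
    "2024-07-18T20:01:20Z client=10.0.0.9 q=james-bond.bond type=A",
]

QNAME_RE = re.compile(r"\bq=(?P<qname>[A-Za-z0-9.-]+)")
CLIENT_RE = re.compile(r"client=(\S+)")

# word(-word)* then a 1-6 character alphanumeric token containing a digit.
RDGA_RE = re.compile(
    r"^(?:[a-z]{2,}-)+"              # one or more hyphen-terminated words
    r"(?=[a-z0-9]*\d)[a-z0-9]{1,6}"  # short trailing token with at least one digit
    r"\.bond$"
)


def extract_qname(line: str):
    """Pull the queried name out of a log line, lower-cased, trailing dot removed."""
    m = QNAME_RE.search(line)
    return m.group("qname").lower().rstrip(".") if m else None


def is_rdga_candidate(qname: str) -> bool:
    return RDGA_RE.match(qname) is not None


def flagged_domains(lines):
    """Ordered, de-duplicated list of query names matching the pattern."""
    seen, out = set(), []
    for line in lines:
        q = extract_qname(line)
        if q and q not in seen and is_rdga_candidate(q):
            seen.add(q)
            out.append(q)
    return out


def clients_by_hit_count(lines):
    """client -> number of distinct candidate domains it resolved. A client
    resolving several such names in a short window is a stronger signal than
    a single lookup, which could be a legitimate .bond site."""
    hits = defaultdict(set)
    for line in lines:
        q = extract_qname(line)
        cm = CLIENT_RE.search(line)
        if q and cm and is_rdga_candidate(q):
            hits[cm.group(1)].add(q)
    return {client: len(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    print(flagged_domains(SAMPLE_LOG))
    print(clients_by_hit_count(SAMPLE_LOG))
```

The regex does not check the words against a dictionary, so it will also flag legitimately registered names that happen to fit the shape (and it deliberately ignores names like james-bond.bond, which lack the numeric suffix). Use the per-client count to prioritise, and corroborate hits with registration age, resolved-IP overlap and the summary's other indicators before blocking.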
2024-07-18 21:11:56 theregister NATION STATE ACTIVITY Judge Partially Dismisses SEC Lawsuit Against SolarWinds
A U.S. federal judge has largely dismissed the SEC's lawsuit against SolarWinds over its disclosures after the SUNBURST cyberattack. The court rejected the claims that SolarWinds misled investors about its security posture after the SUNBURST infection, in which Russian spies compromised the Orion software and pushed the malware to around 18,000 organizations, including major U.S. government departments. The judge let stand the securities fraud allegations based on pre-attack statements about Orion's security; the ruling finds that some of SolarWinds' promotional statements could have led investors to believe its software was far less vulnerable than it was. Claims about deficient internal accounting and disclosure controls were dismissed. SolarWinds said it was pleased with the ruling and would defend the remaining securities fraud claim vigorously; the SEC did not comment on whether it would appeal.
2024-07-18 16:32:03 theregister NATION STATE ACTIVITY Kaspersky Proposes Verification Framework Amid US Ban
Kaspersky has denied the US hacking allegations and answered the US government's ban by proposing independent verification of its software. The firm suggests a 'comprehensive assessment framework' under which an independent reviewer would verify its products and updates. The proposal builds on Kaspersky's Global Transparency Initiative, launched after its earlier ban from US government systems, under which it offered to open its source code to third-party scrutiny. The US Department of Commerce has not budged: it rests the ban on Kaspersky's ties to the Russian state rather than on any finding about the integrity of the products themselves. Kaspersky has announced it will stop signing new US contracts and wind down its US operations, ending antivirus updates and other security services by September 29, while continuing to offer cybersecurity training, threat intelligence and consulting in the US. The company reaffirmed its commitment to its global customers and to a safer cyberspace built on audited and award-winning technology.
2024-07-18 15:55:55 bleepingcomputer MALWARE SolarWinds Patches Critical Vulnerabilities in Access Rights Software
SolarWinds has fixed eight critical vulnerabilities in Access Rights Manager (ARM). Six are remote code execution (RCE) bugs rated 9.6/10 that let an attacker run commands on the affected system without prior privileges. Three other patched vulnerabilities are directory traversal bugs that let unauthenticated users delete files or read sensitive data. A high-severity authentication bypass was patched as well; it could give an unauthenticated user admin-level access in an Active Directory environment. The flaws were reported through Trend Micro's Zero Day Initiative and fixed in the recently released ARM 2024.3. SolarWinds has not said whether any of them have been exploited in the wild or whether proof-of-concept exploits exist. The company, a supplier to Fortune 500 companies and U.S. government agencies, was compromised by Russian state hackers in the 2020 supply-chain attack; the U.S. government sanctioned Russia over that intrusion, and the SEC sued SolarWinds over its statements about its security.
2024-07-18 13:43:25 theregister MALWARE FIN7 Syndicate Sells EDR-Disabling Malware to Ransomware Gangs
Russian cybercrime group FIN7 is reportedly selling AvNeutralizer, a custom tool that disables security software, to ransomware gangs for between $4,000 and $15,000. Once linked only to Black Basta, AvNeutralizer turned up in multiple ransomware campaigns during 2023 as crews used it to evade detection. It has proven effective against several major endpoint products, including those from SentinelOne, Windows Defender, Sophos and Symantec. Buyers specify which EDR products they need to bypass and receive a build tailored to that list. FIN7, operating under various pseudonyms on cybercrime forums, is believed to handle the marketing and distribution itself. Newer versions add more advanced process-tampering techniques to disable protections. The group's use of multiple aliases and its evolving tradecraft illustrate how hard it is to attribute and counter its operations.
2024-07-18 13:27:52 thehackernews MALWARE Malicious Ad Blocker Injects Kernel Driver to Manipulate Traffic
ESET has identified HotPage, a malware that poses as an ad blocker and installs a malicious kernel driver on Windows. HotPage modifies web traffic, redirects users and shows targeted ads, while also collecting system information and sending it to a Chinese company, Hubei Dunwang Network Technology Co., Ltd. The driver injects libraries into browser processes, enabling code execution with elevated privileges. Because the driver imposed no access restrictions on who could talk to it, even low-privileged local users could use it to gain high-level system permissions. The driver was signed by Microsoft under its driver certification process, which helped it pass security checks and points to weaknesses in how that process vets submissions. After ESET's report the driver was removed from the Windows Server Catalog.
2024-07-18 12:51:55 bleepingcomputer MALWARE Cisco Resolves Critical Flaw Allowing Root Access on SEG Devices
Cisco has patched a critical vulnerability in its Secure Email Gateway (SEG) appliances that could let attackers add users with root privileges or crash the device. Tracked as CVE-2024-20401, the bug is an arbitrary file write caused by absolute path traversal in SEG's content scanning and message filtering. An attacker exploiting it could replace any file on the underlying OS and thereby change the configuration, execute arbitrary code, or trigger a permanent denial of service. Appliances are affected when they run a vulnerable release of Cisco AsyncOS and have the relevant email scanning features (file analysis or content filters) enabled. Cisco has released fixes in the Content Scanner Tools package and in Cisco AsyncOS for Secure Email. Administrators can check their exposure in the product web management interface by reviewing the file analysis and content filter settings. Cisco knows of no exploitation or public proof of concept but urges immediate updates for affected models. Cisco also fixed a separate severe bug that allowed password changes on Cisco Smart Software Manager On-Prem license servers.
2024-07-18 11:48:31 thehackernews MISCELLANEOUS Webinar on Empowering Developers as Security Advocates
AppSec teams and developers often work at cross purposes: security versus speed. The recurring tension in software development is between shipping code quickly and fixing security vulnerabilities. The webinar "Turn Developers into Allies: The Power of Security Champion Programs" aims to bridge that gap by turning developers into security advocates through Security Champion Programs, which have proven effective but remain under-used. Attendees will learn how such programs can create a collaborative, secure and innovative development environment. Registration is open and free.
2024-07-18 11:02:21 thehackernews CYBERCRIME Advanced Bot Attacks Rise in Post-Pandemic Travel Industry
The travel industry faced 21% of all bot attack requests last year, making it a prime target for automated threats. Imperva's 2024 Bad Bot Report highlights that 44.5% of the industry's web traffic in 2023 was due to bad bots, up from 37.4% in 2022. These bots engage in unauthorized activities like scraping, account takeover, and fraud, severely impacting operations. Advanced bad bots, mimicking human behavior to evade detection, constituted 61% of this malicious bot activity. Seasonal travel demand and major events are expected to further increase bot activity targeting travel services. Imperva advises layered security measures, including real-time bot detection and traffic analysis, to protect against these threats. Recommended strategies include blocking outdated browsers, restricting bulk IP access, and regular monitoring for traffic anomalies.
2024-07-18 10:41:45 theregister CYBERCRIME Critical Cisco Flaw Allows Unauthorized Admin Password Changes
Cisco has released a patch for a critical vulnerability in Smart Software Manager On-Prem (SSM On-Prem), tracked as CVE-2024-20419, that lets unauthenticated remote attackers change the password of any user, including administrators, with crafted HTTP requests. Rated 10/10 on the CVSS 3.1 scale, the flaw has low attack complexity and requires no privileges or user interaction, and a successful attack compromises confidentiality, integrity and availability. There is no evidence of exploitation in the wild yet, but the risk rises now that details are public. Affected versions are SSM On-Prem 8-202206 and earlier; Cisco recommends upgrading to at least 8-202212, ideally to version 9. SSM On-Prem is widely deployed in financial institutions, utilities and government, which amplifies the potential impact. The fix was part of a wider batch of Cisco security updates that also addressed the critical arbitrary file write flaw (CVE-2024-20401) in Cisco Secure Email Gateway.