Daily Brief

2024-07-11 05:34:09 theregister CYBERCRIME Japanese Space Agency Discovers Zero-Day Attacks Amid Cybersecurity Breach
The Japanese Space Exploration Agency (JAXA) detected zero-day exploits while investigating a cyberattack on its Microsoft 365 systems in 2023. The agency, with Microsoft's assistance, confirmed that no classified data regarding rockets, satellites, or national security was compromised. Attackers initially gained access through a vulnerability in JAXA's VPN, subsequently breaching user accounts to access Microsoft 365 services. During the investigation, JAXA uncovered multiple malware strains and unauthorized accesses, including zero-day attacks. Personal information was accessed in the breach, but no sensitive information related to launch vehicles or satellite operations was believed to be compromised. Measures such as enhanced network monitoring and improved remote access security have been adopted to prevent future incidents. JAXA has a history of breaches, with significant prior incidents in 2016 and 2012, including one involving a Chinese national linked to the CCP.
2024-07-11 05:23:45 thehackernews MALWARE Exploitation of PHP Bug by Malware Distributors Skyrockets
A critical vulnerability in PHP, tracked as CVE-2024-4577, enables remote execution of malicious commands and primarily affects Windows systems using Chinese and Japanese locales. Within a day of its public disclosure, threat actors began exploiting it to deliver a range of malware, including remote access trojans, cryptocurrency miners, and DDoS botnets. Notable payloads delivered through this exploit include Gh0st RAT, the RedTail and XMRig mining software, and the Muhstik DDoS botnet. The exploitation relies on character encoding flaws to execute commands and evade detection. Security firms such as Imperva have also reported the TellYouThePass ransomware being distributed via this exploit. Researchers advise organizations and individuals running PHP to update to the latest version to defend against these attacks. The report also highlights a general increase in DDoS attacks, noting an 11% decrease in Q2 quarter-over-quarter but a 20% increase year-over-year, signaling an evolving threat landscape.
2024-07-11 03:52:05 thehackernews MALWARE GitLab Resolves Critical Vulnerability and Security Flaws
GitLab patched a critical vulnerability labeled CVE-2024-6385 with a CVSS score of 9.6, allowing attackers to trigger unauthorized pipeline jobs under other user identities. The issue affected GitLab Community Edition (CE) and Enterprise Edition (EE) in versions prior to 16.11.6, 17.0.4, and 17.1.2; updates have now remediated these flaws. GitLab also addressed a medium-severity security issue where developers with specific permissions could alter group namespace URLs, potentially impacting system integrity. Alongside GitLab updates, Citrix and Broadcom released patches for separate critical and medium-severity vulnerabilities affecting their respective software products. The recent advisories and patches follow a CISA and FBI bulletin urging technology manufacturers to address command injection vulnerabilities, which facilitate unauthorized remote code execution. The collective software patches align with cybersecurity advisories from international agencies emphasizing the importance of addressing injection flaws and adopting robust security frameworks like Zero Trust to protect network infrastructures.
2024-07-10 20:43:11 bleepingcomputer CYBERCRIME Huione Guarantee: An $11 Billion Cybercrime Marketplace Exposed
Huione Guarantee, an online marketplace, has been identified as a major facilitator for laundering money generated from online scams, specifically "pig butchering" investment fraud. An investigation by blockchain analytics firm Elliptic revealed that merchants on Huione Guarantee have conducted transactions amounting to at least $11 billion, linked to cybercrimes such as investment fraud, personal data sales, and money laundering. The platform, launched in 2021 and owned by the Cambodian conglomerate Huione Group, exercises limited oversight over the legality of the transactions it hosts, despite offering an escrow system through Huione Pay to ensure transaction safety. The lack of moderation, combined with a robust payment system, has made Huione Guarantee comparable to darknet markets, attracting cybercriminals buying and selling illegal items and services; its own staff have also been involved in laundering operations. In one highlighted instance, a Huione International Payments representative agreed to launder $2 million from a scam for a 10.5% fee. The platform is becoming central to scam operations in Southeast Asia, with its payment system playing a crucial role in the global laundering of scam proceeds. Elliptic has gathered hundreds of cryptocurrency addresses associated with Huione companies and merchants, which could help crypto exchanges and law enforcement track and block illicit financial flows on the platform.
2024-07-10 20:12:19 bleepingcomputer CYBERCRIME GitLab Security Flaw Allows Pipeline Jobs Impersonation
GitLab announced a critical security vulnerability in its Community and Enterprise editions that could allow attackers to execute pipeline jobs as other users. The issue affects GitLab versions 15.8 through 17.1.2 and carries a high severity rating of 9.6 on the CVSS scale. Patches were released immediately in versions 17.1.2, 17.0.4, and 16.11.6, and GitLab urges all users to update their installations as soon as possible. Patched versions are already deployed on GitLab.com and GitLab Dedicated, securing those platforms against the vulnerability. The flaw follows closely after other serious GitLab vulnerabilities, including an account takeover bug and another that could allow pipeline impersonation, highlighting ongoing security challenges. Exploitation of such vulnerabilities can lead to significant consequences, such as unauthorized access to sensitive corporate data and potential supply chain attacks. GitLab is critical infrastructure for many Fortune 100 companies, making it a high-value target for cyberattacks.
2024-07-10 19:26:23 bleepingcomputer MALWARE ViperSoftX Malware Evolves to Evade Detection Using AutoIT and PowerShell
ViperSoftX malware uses the Common Language Runtime (CLR) to run PowerShell from within AutoIt scripts, bypassing typical security detections. The malware has been updated to increase its evasion capabilities, including the use of modified offensive-security scripts. Distributed through torrent sites, ViperSoftX disguises itself as ebook downloads containing malicious files and deceptive .LNK files. On execution, the malware configures Task Scheduler for persistence, running every five minutes after user login. It uses Base64 obfuscation and AES encryption within its PowerShell scripts to hide its commands, patches the Antimalware Scan Interface (AMSI) in memory to bypass security checks, and employs deceptive network communication to stay under the radar while stealing user data. Cybersecurity experts emphasize a comprehensive defense strategy to counter the sophisticated threat posed by ViperSoftX.
2024-07-10 18:04:38 bleepingcomputer NATION STATE ACTIVITY CISA and FBI Address OS Command Injection Flaws in Advisory
CISA and the FBI issued a joint advisory urging software developers to address and mitigate OS command injection vulnerabilities in their products. Recent attacks by the state-sponsored Chinese group Velvet Ant exploited such vulnerabilities to compromise network devices from Cisco, Palo Alto, and Ivanti. The agencies highlighted that these vulnerabilities allow execution of malicious commands because user input is inadequately validated and sanitized. The advisory recommends practical steps for developers, including secure coding practices and rigorous testing, to ensure the security of software products. Technical and executive leadership at technology companies are encouraged to proactively review and improve the security measures in their development processes. OS command injection ranks fifth in MITRE's top 25 most dangerous software weaknesses, illustrating the critical need for improved security practices in software development. Past advisories have addressed related issues such as path traversal and SQL injection vulnerabilities as part of ongoing efforts to promote secure-by-design software.
2024-07-10 17:13:14 bleepingcomputer NATION STATE ACTIVITY North Korean Kimsuky Hackers Target Japanese Organizations
Japan's JPCERT/CC has warned of targeted cyberattacks by the North Korean hacker group Kimsuky. These attacks involve phishing and the deployment of custom malware aimed at espionage and data theft. Kimsuky used phishing emails with malicious ZIP attachments to infiltrate networks, disguising executables to evade detection. The deployed malware collects information such as network details, user data, and keystroke logs, and transmits it to remote servers. A recently discovered variant adds keylogging and credential theft, indicating an evolution in Kimsuky's methods. Compiled HTML Help (CHM) malware strains with enhanced obfuscation have also been newly deployed in Korea by Kimsuky. ASEC's reports and shared IoCs have played a critical role in identifying and attributing these attacks to Kimsuky.
2024-07-10 16:47:23 theregister DATA BREACH Snowflake Enhances Security with Mandatory MFA After Breaches
Snowflake is implementing a mandatory multi-factor authentication (MFA) option for administrators to enforce across all user accounts, aiming to bolster security post-data breaches. This decision follows recommendations by Mandiant in response to several data thefts linked to Snowflake account intrusions, noting the absence of MFA in breached accounts. Snowflake's new policy can be applied to all users, including those using single sign-on (SSO) or on a user-by-user basis, with special recommendations for service accounts. Alongside the mandatory MFA, Snowflake has launched the Snowflake Trust Center to help customers monitor compliance and enhance security measures, including MFA and network policies. The Security Essentials scanner and the CIS Benchmarks scanner packages, included in the Snowflake Trust Center, are now generally available to audit customer accounts against best security practices. Snowflake’s interface, Snowsight, nudges users to adopt MFA by repeatedly prompting those without it to enable the configuration every three days. This enforcement comes after third-party researchers linked intrusions in Ticketmaster and Santander accounts to Snowflake, though Snowflake denies the breaches originated from their systems, attributing some to a former employee’s compromised credentials. Snowflake continues to deny any direct fault for the incidents at Santander and Ticketmaster, facing ongoing legal and reputational challenges.
2024-07-10 16:36:54 bleepingcomputer CYBERCRIME Extensive Fake Ticket Scam Targets Russian Speakers for Olympics
Researchers at QuoIntelligence have identified a large fraud operation using 708 domains to sell fake tickets to events such as the Paris Summer Olympics. Named "Ticket Heist," the scheme predominantly targets Russian-speaking users, with most websites available only in Russian, and uses inflated ticket prices to lure buyers. The scam sites use sophisticated designs that mimic legitimate ticketing services, convincing users of their authenticity. Payment for the fake tickets is processed through Stripe; the scam's goal is direct financial theft rather than data theft. The operation also includes fake offers for major concerts and the UEFA European Championship, broadening its target audience. VIP Events Team LLC, a company linked to the operation, appears to be a front, with registrations in both New York and Tbilisi, neither of which has any online presence beyond the scam sites. The French National Gendarmerie and cybersecurity firm Proofpoint have previously warned about similar fraud aimed at ticket buyers.
2024-07-10 16:05:54 bleepingcomputer MALWARE Microsoft Patches Long-Exploited MSHTML Zero-Day Vulnerability
Microsoft addressed a critical MSHTML spoofing vulnerability, CVE-2024-38112, in its July 2024 Patch Tuesday updates. Discovered by Haifei Li of Check Point Research, the zero-day has been leveraged in attacks since January 2023 to deploy password-stealing malware. Attackers exploited the ability of Internet Explorer to process MHTML files, circumventing security measures to execute malicious .HTA files disguised as .PDFs. By tweaking Internet Shortcut File configurations and using hidden Unicode characters, these malicious files appeared legitimate and bypassed browser security warnings. Once the disguised HTA file was opened, it could execute without adequate security warnings, allowing malware installation such as the Atlantida Stealer, which harvests sensitive information including passwords and crypto wallet data. The vulnerability mirrors the characteristics of CVE-2021-40444, previously exploited by North Korean hackers, revealing a pattern of utilizing MHTML flaws for cyber attacks. Microsoft's fix involves unregistering the mhtml: URI to force these links to open in the more secure Microsoft Edge, enhancing user protection against similar exploitation tactics.
2024-07-10 14:03:18 bleepingcomputer CYBERCRIME Enhancing Security by Strengthening All Account Passwords
Even inactive or test accounts require strong, secure passwords to protect your organization's data and prevent unauthorized access. Hackers exploit forgotten accounts, including test environments, which can store genuine customer data or provide access to more sensitive accounts. A recent incident highlighted this threat when Russian state hackers compromised Microsoft by using a simple password spray attack on an inactive test account. Multi-factor authentication (MFA) and strong password policies are essential defenses against cyber attacks, preventing easy exploitation by hackers. Specops Software provides tools like Password Auditor and Password Policy to help organizations detect and fix vulnerabilities, ensuring all user accounts, even inactive ones, are secured. Organizations should regularly audit their Active Directory for inactive accounts and either secure them with strong passwords or delete them entirely.
2024-07-10 13:52:49 theregister MALWARE Advanced Malware Compromise Targets Fujitsu Japan's Systems
Fujitsu Japan experienced a significant data theft due to a sophisticated malware attack, which was confirmed in March. The malware, described as "not ransomware," was capable of worm-like behavior, spreading to 48 business computers within the internal network. The attack was difficult to detect because of the malware's advanced techniques, including various methods of disguise. While initial assessments downplayed the risk, an in-depth investigation revealed the execution of copy commands indicative of data exfiltration. Affected individuals and customers whose data may have been compromised have been notified directly, in compliance with Japanese data protection laws. Comprehensive measures, including isolation of infected machines and enhanced monitoring, were implemented to contain and mitigate the attack. External experts were brought in to assist with the investigation, focusing on communication and operation logs to trace the malware's activity. Fujitsu says it is committed to bolstering its cybersecurity framework to prevent future incidents and protect sensitive data.
2024-07-10 13:06:46 thehackernews MALWARE EstateRansomware Exploits Veeam Software in Sophisticated Attack
A newly identified ransomware group, EstateRansomware, has exploited a security flaw in Veeam Backup & Replication software, specifically CVE-2023-27532. The initial breach was achieved through a Fortinet FortiGate firewall using a dormant account, after which the attackers moved through the SSL VPN to reach critical servers. They employed methods including VPN brute-force attempts, persistent backdoors, and remote command execution via a command-and-control server. Tactics included creating a rogue user, conducting network reconnaissance, and disabling Windows Defender to facilitate unchecked lateral movement and payload deployment. The final phase of the attack deployed ransomware across the network, preceded by detailed preparation and reconnaissance. The attack underscores the persistent threat posed by ransomware actors who increasingly exploit public-facing vulnerabilities alongside sophisticated intrusion techniques. Cisco Talos highlights the evolution of ransomware operations, noting the use of double extortion and a trend toward more targeted, niche attacks by emerging groups.
2024-07-10 11:34:26 thehackernews MISCELLANEOUS Evolving Security Strategies for IoT Devices against Cyber Threats
The "2024 Attack Intelligence Report" by Rapid7 points out the inadequacy of current "patch and pray" strategies for newly identified vulnerabilities in IoT devices, highlighting significant delays in patch development and deployment. The IoTSF's report on IoT and OT devices indicates that modern IoT firmware, often composed of open-source components, suffers recurring security vulnerabilities because of the interdependent nature of those components. Security teams struggle to create accurate Software Bills of Materials (SBOMs) and to manage the ever-increasing complexity and number of vulnerabilities in IoT firmware. Historical exploits, such as the 2007 malware attack on an electricity generator at Idaho National Laboratory, demonstrate the catastrophic potential of cyberattacks on infrastructure and the risk of destructive exploits via simple malware in IoT devices. The article argues that isolating vulnerable firmware with technology such as the "separation kernels" used in the aerospace and automotive industries offers a better solution than traditional patch management. Typical IoT devices, however, rely on low-power microcontrollers (MCUs) with only limited memory management capabilities, which complicates such solutions. The proposed approach is isolated partitioning for Cortex-M based MCUs, which physically separates critical and vulnerable firmware components so that operations continue even during an attack. Isolated partitioning not only defends against zero-days and unpatched vulnerabilities but also mitigates insider threats and enforces good programming practices, improving overall device and network security.