Daily Brief

Articles are listed below, each followed by a generated summary.

2024-09-06 15:21:04 bleepingcomputer MALWARE SpyAgent Malware Steals Crypto Wallet Keys from Images
SpyAgent, a new Android malware, uses OCR to extract cryptocurrency wallet recovery phrases from images stored on devices. These recovery phrases are crucial for accessing and restoring cryptocurrency wallets and thus are targeted by cybercriminals. The malware has been linked to at least 280 APKs distributed via SMS and social media, primarily targeting users in South Korea with some activities in the UK. McAfee's investigation revealed poor security on the malware's servers, allowing researchers to access stolen data and confirm multiple victims. The malware can also alter device settings and send SMS, potentially to spread further or execute phishing attacks. Besides SpyAgent, other malware like CherryBlos and FakeTrade, also found on Google Play, are using similar OCR techniques to steal crypto data. Users are advised to download apps only from trusted sources like Google Play and to conduct regular security scans with tools like Google Play Protect.
2024-09-06 15:15:47 thehackernews MALWARE GeoServer Flaw Exploited to Deliver Malware and Backdoors Globally
A critical vulnerability in OSGeo GeoServer GeoTools, identified as CVE-2024-36401 with a CVSS score of 9.8, has been exploited to deploy various malware, including cryptocurrency miners and botnets. U.S. CISA recognized the severity of this issue by including it in its Known Exploited Vulnerabilities catalog in mid-July after noting active exploitation attempts. Attackers leverage this flaw to install diverse threats, such as the Condi and JenX botnets, and the SideWalk backdoor, which is linked to the Chinese APT group APT41. Targeted attacks have primarily affected IT service providers in India, tech companies in the U.S., government entities in Belgium, and telecommunications firms in Thailand and Brazil. The malware enables attackers to control compromised devices, execute additional malicious activities, and potentially extract sensitive data. The implications of these breaches are severe, indicating orchestrated efforts to exploit vulnerabilities across various geographies and industries. Security organizations detect these exploits by monitoring honeypot sensors and are urging entities exposed to these vulnerabilities to secure their systems immediately.
2024-09-06 15:05:20 thehackernews CYBERCRIME GitHub Actions Exploited by Typosquatting Malicious Code
Threat actors are leveraging typosquatting to exploit GitHub Actions, allowing them to inject malicious code into software workflows. Orca Security researchers identified this vulnerability, which involves slight name alterations in GitHub Actions to deceive developers into using corrupted versions. Once a mistyped action is executed, it can tamper with source code, steal secrets, or embed malware, without the developer's awareness. A search revealed that many GitHub projects are at risk, with workflow files containing errors like "action/checkout" instead of "actions/checkout". The technique exploits simple typing errors made by users when configuring GitHub Actions, which are essential for automation in software development. Attackers create fake actions that closely mimic popular ones so that their malicious code runs when developers inadvertently make spelling errors. The impact of such vulnerabilities could be extensive, possibly affecting all future builds and resulting in widespread software supply chain attacks. Developers are advised to double-check action names, use trusted sources, and regularly scan their CI/CD workflows for potential typosquatting issues.
2024-09-06 13:22:53 bleepingcomputer CYBERCRIME Urgent Patch Required: SonicWall SSLVPN Flaw Exploited in Attacks
SonicWall has issued an urgent advisory for a critical access control flaw, CVE-2024-40766, in its SonicOS, affecting Firewall Gen 5, 6, and 7 devices. The security vulnerability was initially disclosed on August 22, 2024, but recent updates show it also affects the SSLVPN feature on these firewalls. Affected devices are prone to unauthorized access and potential network crashes due to this flaw, jeopardizing network protections. The CVSS v3 score for this vulnerability is 9.3, highlighting its severity. SonicWall has not specified how the flaw is being exploited but historically, similar vulnerabilities have facilitated initial access to corporate networks. Patching updates are urgently recommended and available for download at mysonicwall.com to mitigate potential cyber attacks. Attackers, including suspected nation-state actors, have previously exploited similar vulnerabilities in SonicWall products.
2024-09-06 09:39:16 thehackernews MISCELLANEOUS Accelerated Adoption of vCISO Services Anticipated by 2025
The report highlights the escalating demand for virtual CISO (vCISO) services among MSPs and MSSPs with 98% expecting to incorporate them by 2025, marking a significant industry shift. Current services are offered by 21% of providers, a rise from 19% in the previous year, showcasing rapid growth and adoption in the cybersecurity sector. Adding vCISO services has financially benefited 59% of providers, with substantial revenue increases and improved customer security outcomes. Key challenges for MSPs and MSSPs include technological constraints and a lack of sufficient security and compliance expertise; 29% of respondents specifically cited inadequate technology. vCISO platforms are considered crucial tools, aiding in standardizing processes and enhancing compliance framework access, which directly tackles the main reported challenges. These platforms facilitate service scalability and offer significant advantages such as quicker employee onboarding and enhanced client satisfaction, leading to increased revenue. Security strategies for 2025 are focusing heavily on the integration and expansion of vCISO services in response to strategic business growth goals and escalating SMB demands for comprehensive cybersecurity solutions.
2024-09-06 07:32:04 theregister MISCELLANEOUS Ingenious IT Patch Implementation During Mandatory Fire Drill
Bob worked at a private equity firm where the owner insisted servers run 24/7 during a six-month campaign, countering the need for security patches. The boss demanded server patches be applied without rebooting, creating a direct conflict with existing IT practices. Finding a workaround, Bob befriended the head of building services over drinks to learn the date of an upcoming fire drill. Leveraging the drill, Bob and hidden colleagues installed necessary patches and rebooted servers while the office was evacuated. Additional delays were orchestrated post-drill as the building services ally created "faults" in the building's lifts, slowing staff return. The boss remained unaware of the discreet downtime until Bob revealed it years later during his exit interview, to which the boss responded positively.
2024-09-06 06:41:01 thehackernews CYBERCRIME Critical Flaw in WordPress Plugin Lets Hackers Take Control
A critical security flaw was identified in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated takeover of user accounts. The flaw, identified as CVE-2024-44000 with a CVSS score of 7.5, affects versions up to 6.4.1 and is fixed in version 6.5.0.1. The vulnerability enables attackers to impersonate any user, potentially escalating to administrator access and installing malicious plugins. Over 5 million active installations of LiteSpeed Cache are potentially impacted, highlighting widespread risk. The exploit is facilitated by an exposed debug log file in the "/wp-content" directory, which may contain sensitive user data. Despite the capability for significant damage, the risk is somewhat mitigated by the requirement that WordPress's debug feature be enabled. Updated security measures include relocating the debug log file, employing randomized filenames, and preventing cookie data from being logged. Users are urged to verify their plugin installations, ensure debugging features are secured, and directly restrict access to the debug log file.
2024-09-06 05:29:23 thehackernews MALWARE Apache OFBiz Patch Fixes Severe Remote Code Execution Flaw
A critical vulnerability in the Apache OFBiz ERP system allowed unauthenticated remote code execution on Linux and Windows. The flaw, identified as CVE-2024-45195 with a CVSS score of 7.5, affects all software versions prior to 18.12.16. This vulnerability was a bypass of previously addressed issues which were actively exploited, including for the deployment of Mirai botnet malware. Exploitation of the vulnerability could lead to execution of arbitrary code or SQL queries on the server without authentication. The latest patch enforces a check that a view permits anonymous access before an unauthenticated user can reach it, strengthening the previous fixes. The Apache OFBiz 18.12.16 release also fixes a separate SSRF vulnerability (CVE-2024-45507, CVSS score: 9.8), further securing the system against unauthorized access.
2024-09-06 04:07:48 thehackernews MISCELLANEOUS Telegram CEO Criticizes Outdated Laws After Being Charged
Pavel Durov, CEO of Telegram, was arrested in France for allegedly facilitating criminal activities such as drug trafficking and money laundering through his messaging platform. Durov claims that using pre-smartphone era laws to charge a platform CEO for users' crimes is misguided. He emphasized the need for legal action against the service rather than individuals when a country has issues with an internet service. Telegram boasts over 950 million monthly users and strives to balance user privacy with security, even if it means exiting incompatible markets. The platform has initiated internal changes to improve monitoring and address misuse, including a "Report" button for flagging illegal content in chats. Despite these efforts, Telegram does not offer end-to-end encryption by default, which has been criticised by security experts.
2024-09-05 23:58:27 theregister CYBERCRIME DHS Initiates Cybersecurity Boost for US Maritime Ports
The U.S. Department of Homeland Security is addressing cybersecurity vulnerabilities in maritime ports by requesting information to assess and improve their technological security. This initiative targets the protection of 13 million jobs and $649 billion in economic activity that are dependent on secure maritime operations. A proposed "Maritime Port Resiliency and Security Research Testbed" will allow stakeholders to test and enhance their cybersecurity measures. The move was spurred by recent cyberattacks, including the LockBit attack on Japan's Nagoya Harbor and disruptions at Australian ports, highlighting the urgency of bolstering defenses. President Joe Biden's executive order earlier in the year placed the responsibility for port cybersecurity on Homeland Security and the U.S. Coast Guard. Homeland Security is seeking input from experts in maritime infrastructure and manufacturers of port equipment, with a submission deadline set for October 4. Although the timeline for the implementation of the Testbed is unclear, this initiative is a critical part of the national strategy to protect essential transportation infrastructure from cyber threats.
2024-09-05 22:06:15 theregister MISCELLANEOUS White House Launches Campaign to Address Cybersecurity Job Shortage
The White House has introduced the "Service for America" campaign, aimed at addressing the significant shortage in the cybersecurity workforce. The campaign is a two-month initiative designed to link Americans seeking employment with opportunities in the cybersecurity sector. The Office of the National Cyber Director highlighted that approximately 500,000 cybersecurity positions are currently unfilled in the United States. Events including career fairs and seminars will be conducted to assist job seekers in understanding the federal job application process and exploring cybersecurity careers. The government emphasizes a shift from traditional degree requirements to a skills-based hiring approach to make cybersecurity jobs more accessible. Alongside government roles, there's a strong push to fill cybersecurity positions in the private sector due to growing technological and digital service expansions. There's an ongoing effort to increase cybersecurity education and training, featuring apprenticeships and local initiatives. It remains unclear if the White House will extend these efforts beyond the initial two-month campaign period.
2024-09-05 21:35:31 bleepingcomputer MALWARE Apache OFBiz Critical Security Flaw Fixed; Urgent Upgrade Needed
Apache has patched a critical vulnerability in OFBiz, enabling remote code execution on Linux and Windows servers. The vulnerability, tracked as CVE-2024-45195, was discovered by Rapid7 and involves a forced browsing weakness that bypasses authorization checks. Attackers could exploit this flaw without valid credentials by accessing restricted web application paths. This flaw acts as a patch bypass for three similar vulnerabilities previously identified and patched in OFBiz. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that similar vulnerabilities had been actively exploited, urging all organizations to apply patches. Apache has released version 18.12.16 of OFBiz that includes necessary authorization checks to mitigate the risk. Agencies and organizations are encouraged to update their OFBiz installations immediately to avoid potential exploits.
2024-09-05 20:59:35 bleepingcomputer CYBERCRIME Microsoft Partners with StopNCII to Combat Revenge Porn on Bing
Microsoft has collaborated with StopNCII to proactively remove non-consensual intimate images from the Bing search engine using a new tool that relies on digital hashes. StopNCII, a project under the Revenge Porn Helpline, allows individuals to generate digital hashes of their intimate media without needing to upload the actual images or videos. Major social platforms such as Facebook, TikTok, Reddit, Pornhub, Instagram, OnlyFans, and Snapchat are also participating in this initiative by using the StopNCII database to identify and remove matching content. Microsoft has incorporated its PhotoDNA technology into StopNCII's process to improve the generation of digital hashes, ensuring that intimate images can be hashed and searched without leaving the user's device. As of the end of August, Microsoft has addressed 268,899 images on Bing using StopNCII's database, indicating significant uptake of this privacy-protecting technology. The initiative also addresses the growing issue of AI-generated deepfake nude images, which are more challenging to detect using traditional hashing technologies. These images are often used as revenge porn and for extortion. Impacted individuals can manually report both real and AI-generated synthetic images for removal from Bing through Microsoft's "Report a Concern" page, although challenges remain with detecting AI-generated content. Unlike Microsoft, Google has not joined this initiative but offers similar options to have intimate images removed from its search results.
2024-09-05 19:48:09 theregister NATION STATE ACTIVITY US Indicts Russian GRU Officers for WhisperGate Cyberattacks
The US has charged five Russian GRU military intelligence officers and one civilian with involvement in the WhisperGate cyber campaign against Ukraine. The charged individuals are accused of hacking and wiping data from Ukrainian government computers, making these actions appear as ransomware attacks. A $10 million bounty is announced for information leading to the whereabouts of each of the six individuals involved. These cyberattacks occurred before the ground invasion of Ukraine in early 2022, targeting critical non-military sectors to undermine Ukrainian morale. The FBI, along with international and other US agencies, issued a detailed cybersecurity advisory highlighting the persistent threat from these Russian operatives. GRU’s Unit 29155 exploited common vulnerabilities in international software to gain access to critical systems in the US and other NATO countries. The indictment and cyber advisory are part of broader US actions against ongoing Russian attempts to influence US policy and elections.
2024-09-05 18:21:25 theregister CYBERCRIME Urgent Patch Required for Critical Cisco Security Flaws
Cisco has announced critical vulnerabilities in its Smart Licensing Utility, advising users to apply patches immediately. The two distinct flaws could let unauthorized remote attackers gain admin access and manipulate system operations, with a severity rating of 9.8/10. No current workarounds exist for these issues, emphasizing the necessity for immediate software updates to mitigate risks. The flaws were discovered internally by a Cisco network security engineer, with no known malicious exploitation reported thus far. Cisco has updated its software to address these vulnerabilities and continues to monitor for any abuse following disclosure. Users are reminded to verify that they have valid licenses for downloading updates, which are provided free but do not extend to new features or major software upgrades. These vulnerabilities underscore the importance of robust defensive measures beyond just patching, to prevent potential breaches.