Daily Brief
Total articles found: 11824
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-20 20:05:09 | bleepingcomputer | MALWARE | Critical CosmicSting Vulnerability Threatens Major E-Commerce Platforms | The "CosmicSting" vulnerability in Adobe Commerce and Magento remains largely unpatched: Sansec estimates that 75% of sites have not applied the fix.
The flaw is an XML external entity (XXE) injection; on its own it lets an attacker read arbitrary files from the store, and it can be chained into remote code execution (RCE).
Rated CVSS 9.8 (critical), CosmicSting can expose sensitive data and hand attackers control of the system.
Adobe has released updates that address the flaw, but many sites have not yet installed them.
Sansec warns that chaining CosmicSting with a vulnerable glibc library on Linux escalates the outcome to remote code execution.
Administrators are urged to apply the patches or, where that is not immediately possible, implement the suggested emergency measures to block exploitation.
Sansec compares the likely impact to major past e-commerce attacks, underlining the severity of the risk. | Details |
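The XXE primitive at the heart of CosmicSting, shown as an added example that is not code from the brief, from Sansec or from Adobe. Python's standard-library SAX parser stands in for the PHP XML handling in Adobe Commerce; the secret file, its path and the payload are all constructed for the demo. The same payload reads a file off disk when the parser resolves external general entities and yields nothing when that feature is off, which is the check to apply to any XML endpoint that accepts untrusted input.

```python
"""Added example (not from the brief, Sansec or Adobe): what an XML external
entity (XXE) injection like CosmicSting does at the parser level.

Python's stdlib SAX parser stands in for the PHP XML handling in Adobe
Commerce. The secret file, its path and the XML payload are constructed here.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Gathers character data so we can see what the parser resolved."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse attacker-supplied XML and return the document's text content.

    resolve_external=True mirrors a parser that follows external entities
    (the vulnerable configuration); False is the hardened configuration.
    """
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # This one feature decides whether SYSTEM entities are fetched from disk.
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def xxe_payload(target_path: str) -> bytes:
    """Classic XXE: declare an external entity that points at a local file and
    reference it in the body so the file's contents land in the document."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{target_path}">]>'
        "<data>&xxe;</data>"
    ).encode()


def demo() -> dict:
    """Run the payload through both configurations and report what leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a store configuration file holding a key.
        secret_path = os.path.join(tmp, "env.php")
        with open(secret_path, "w") as fh:
            fh.write("CRYPT_KEY=0123456789abcdef\n")
        payload = xxe_payload(secret_path)
        return {
            "vulnerable": parse_untrusted_xml(payload, resolve_external=True),
            "hardened": parse_untrusted_xml(payload, resolve_external=False),
        }


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:10s} -> {text!r}")
```

Run it directly to see both results side by side. The entity's content is parsed as XML text, so real files containing `<` or `&` need further tricks to exfiltrate; the control that matters is that the parser does not resolve external entities at all, not that the target files happen to be unparseable.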
| 2024-06-20 19:03:29 | bleepingcomputer | MALWARE | RansomHub Ransomware Targeting VMware ESXi Virtual Machines | RansomHub, a ransomware-as-a-service (RaaS) operation, now targets VMware ESXi environments with a dedicated Linux encryptor used in attacks on corporate networks worldwide.
The operation has ties to other major ransomware groups such as ALPHV/BlackCat and Knight, and has claimed more than 45 victims in 18 countries.
The ESXi variant is written in C++ and supports options such as delayed execution, excluding specific VMs, and encrypting only chosen directories.
For speed it uses partial encryption, encrypting only the beginning of larger files, and appends a unique identifier to each encrypted file.
Recorded Future found a bug in the variant's lock-file handling that lets defenders trap it in an endless loop, halting encryption until the operators fix the sample.
The ransom note is written where it will be seen immediately: the host's login banner and its web interface.
The ESXi encryptor disables system logging and can delete itself after running, to hinder detection and forensic analysis. | Details |
| 2024-06-20 17:46:23 | bleepingcomputer | NATION STATE ACTIVITY | UNC3886 Exploits VMs Using Rootkits for Surveillance and Theft | UNC3886, a suspected Chinese threat actor, utilizes open-source Linux rootkits 'Reptile' and 'Medusa' on VMware ESXi virtual machines for stealth and persistence.
Mandiant has closely followed UNC3886, noting their focus on critical sectors such as government, telecom, tech, aerospace, defense, and energy.
The attackers deploy the rootkits after exploiting zero-day vulnerabilities, gaining profound control over VMs to conduct espionage and maintain long-term access.
'Reptile' provides backdoor access with capabilities for command execution and file transfers, while 'Medusa' is used for credential logging and command execution logging.
UNC3886 has customized these rootkits for enhanced evasion and persistence, adjusting configuration settings and deployment scripts.
In addition to rootkits, UNC3886 employs custom malware tools like 'Mopsled' and 'Riflespine', leveraging platforms like GitHub and Google Drive for command and control.
The group's recent targets include organizations across North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia.
Detailed technical information on UNC3886’s tools and methods, including VMCI backdoors, will be disclosed by Mandiant in future reports. | Details |
| 2024-06-20 17:41:04 | theregister | CYBERCRIME | Kraken Accuses Blockchain Firm CertiK of Multi-Million Dollar Extortion | Kraken, a major cryptocurrency exchange, has accused three security researchers from CertiK of exploiting a vulnerability to withdraw $3 million and then attempting to extort the company.
The flaw came from a UX change that credited user accounts before a deposit had actually completed, allowing balances to be inflated with funds that were never received.
Kraken's CSO, Nicholas Percoco, says the bug was identified and fixed quickly once reported, but the researchers had already exploited it instead of reporting it responsibly.
Despite initial cooperative discussions on the vulnerability, tensions escalated with CertiK allegedly demanding further compensation beyond the return of the stolen funds.
CertiK has denied withholding the funds deliberately and has highlighted aggressive demands and threats from Kraken's security team.
The dispute has stirred significant attention on social media, where further allegations about CertiK’s activities involving sanctioned entities have surfaced.
Kraken is treating the incident as a criminal case and is coordinating with law enforcement, asserting that the actions of the researchers were not in line with ethical hacking practices. | Details |
| 2024-06-20 15:48:26 | bleepingcomputer | CYBERCRIME | Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability | CVE-2024-28995, a path-traversal vulnerability in SolarWinds Serv-U, is being exploited in the wild to read files that should be out of reach.
Exploit code and a proof-of-concept are public, notably from Rapid7 and an independent researcher.
The flaw lets unauthenticated attackers read arbitrary files on the server with a crafted HTTP GET request.
Estimates put between 5,500 and 9,500 internet-exposed Serv-U instances at risk from this high-severity directory traversal flaw.
SolarWinds has released a hotfix (Serv-U 15.4.2 HF 2, version 15.4.2.157) that tightens input validation to close the hole.
Observed attempts range from manual to automated, with attackers adjusting their requests based on how the server responds.
The files requested most often are those useful for escalating privileges or moving further into the network, such as credential and configuration files.
SolarWinds urges administrators to install the update promptly. | Details |
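A detection pass over web access logs for the traversal requests described above, as an added example that is not code from the brief, SolarWinds or Rapid7. The `InternalDir` and `InternalFile` parameter names come from Rapid7's public analysis of CVE-2024-28995 and are not stated in the summary; the log lines are constructed, and the assumed log layout is the common web-server access log format, so adapt `LOG_RE` to what Serv-U writes in your environment. The pass strips the encodings attackers layer on (percent-encoding, double encoding, backslashes), collapses the `../` run to show which file was reached for, and records whether the server answered with content, since a 200 with a body is what an attacker keys on before asking for the next file.

```python
"""Added example (not from the brief, SolarWinds or Rapid7): find
CVE-2024-28995-style traversal requests in Serv-U web access logs.

Parameter names follow Rapid7's published analysis; log lines are constructed
and the format assumed is the common access-log layout.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common access-log layout; adjust if your Serv-U logs differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = r"""
203.0.113.7 - - [20/Jun/2024:15:01:02 +0000] "GET /?InternalDir=/../../../../etc&InternalFile=passwd HTTP/1.1" 200 1804
203.0.113.7 - - [20/Jun/2024:15:01:05 +0000] "GET /?InternalDir=\..\..\..\..\windows&InternalFile=win.ini HTTP/1.1" 404 0
203.0.113.7 - - [20/Jun/2024:15:01:09 +0000] "GET /?InternalDir=%2F..%252F..%2F..%2F..%2Fetc&InternalFile=shadow HTTP/1.1" 200 1012
198.51.100.20 - - [20/Jun/2024:15:02:11 +0000] "GET /?InternalDir=/Web%20Client/&InternalFile=Login.htm HTTP/1.1" 200 5533
198.51.100.21 - - [20/Jun/2024:15:03:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318
""".strip().splitlines()


def normalize_path(value: str) -> str:
    """Undo the encodings attackers layer on a traversal string.

    Percent-decodes twice (double encoding is a common filter bypass) and
    treats backslashes as separators, as a Windows Serv-U host would.
    """
    for _ in range(2):
        value = unquote(value)
    return value.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if any path segment is a parent-directory reference."""
    return any(seg == ".." for seg in path.split("/"))


def analyze_line(line: str):
    """Return a finding dict for a traversal attempt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    internal_dir = query.get("InternalDir", [""])[0]
    internal_file = query.get("InternalFile", [""])[0]
    if not internal_dir and not internal_file:
        return None
    d = normalize_path(internal_dir)
    f = normalize_path(internal_file)
    if not (has_traversal(d) or has_traversal(f)):
        return None
    # Collapse the ../ run to show which file the request reaches for.
    resolved = posixpath.normpath("/" + d.strip("/") + "/" + f.strip("/"))
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": status,
        "resolved": resolved,
        # A 200 with a body is the cue an attacker waits for; a 404 is a probe
        # that missed (for example a Windows path tried against a Linux host).
        "served": status == 200 and m["size"] not in ("0", "-"),
    }


def scan(lines):
    """Run analyze_line over a log and keep only the findings."""
    return [finding for finding in map(analyze_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first three sample lines are the same source walking from a Linux path, to a Windows path that fails, to a double-encoded variant, which is the adapt-to-responses pattern the summary describes; the last two are benign Serv-U web client traffic that the pass ignores.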
| 2024-06-20 15:32:44 | bleepingcomputer | CYBERCRIME | CDK Global Faces Second Cyberattack Amid Recovery Efforts | CDK Global, a SaaS provider for car dealerships, experienced a second cyberattack while recovering from an earlier breach.
The initial cyberattack caused CDK to shut down its data centers and IT systems, severely disrupting operations for car dealerships.
Restoration attempts were underway when a subsequent cyber incident prompted another shutdown of most systems.
The company is assessing the impact of the breaches with the help of external cybersecurity experts.
Industry professionals have expressed concerns that CDK may be rushing to restore services, potentially increasing security risks.
The repeated outages have impacted both car dealerships and customers, affecting vehicle sales and servicing capabilities.
CDK is engaging with its customers minimally, with plans to bring systems back online by June 21.
There is ongoing worry that not fully resolving security issues before resuming operations could lead to additional cyberattacks and data theft. | Details |
| 2024-06-20 14:26:03 | thehackernews | MALWARE | Critical UEFI Firmware Vulnerability Patched Across Intel CPUs | Security researchers have identified a serious vulnerability in Phoenix SecureCore UEFI firmware that affects numerous Intel CPU families.
The flaw, tracked as CVE-2024-0762, is a buffer overflow in the firmware's TPM configuration handling that could allow an attacker to execute code in the UEFI environment.
A local attacker could use it to escalate privileges and tamper with the UEFI firmware, the foundation on which the rest of the system's security rests.
The effect resembles a firmware backdoor: an attacker gains persistence below the operating system and bypasses OS-level security controls.
Phoenix Technologies released a patch in April 2024, with additional updates provided by Lenovo to address the affected systems.
The CPUs affected include AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.
This vulnerability underscores the critical nature of securing UEFI firmware due to its high-level privileges and role in the initial system boot process.
These vulnerabilities pose significant risks to the supply chain, potentially impacting numerous devices and vendors globally. | Details |
| 2024-06-20 14:05:11 | thehackernews | NATION STATE ACTIVITY | Russian-Linked Cyber Attacks Target French Diplomatic Sites | French diplomatic entities have been subject to targeted cyber attacks by state-sponsored actors with ties to Russia.
The attacks are attributed to Midnight Blizzard, also known under various aliases such as APT29 and Nobelium, linked to the Russian Foreign Intelligence Service (SVR).
ANSSI identifies separate threat clusters including Midnight Blizzard and Dark Halo, noted for different cyber attack strategies.
Attack methods primarily include phishing campaigns using compromised legitimate email accounts from diplomatic staff.
Nobelium phishing emails targeted European embassies in Kyiv, including the French embassy, in May 2023.
Further attempts against the French Embassy in Romania, which leveraged security flaws in JetBrains TeamCity servers, were unsuccessful.
Nobelium’s infiltration attempts extend to IT and cybersecurity entities, enhancing their espionage capabilities and posing a sustained threat.
The Polish government also reported a DDoS attack by Russian hackers against Telewizja Polska during a broadcast in June 2024. | Details |
| 2024-06-20 12:33:00 | theregister | NATION STATE ACTIVITY | Russia's Cyber Espionage Continues to Target French Diplomacy | France's CERT-FR has revealed ongoing cyber espionage operations by Nobelium, a Russian-linked cyber group, aimed at French national security and democratic processes.
Nobelium, which ANSSI tracks separately from APT29 and Dark Halo, goes after diplomatic mailboxes through sophisticated phishing and business email compromise (BEC) tactics built on taken-over legitimate accounts.
Notable incidents include repeated attempts to infiltrate the French Ministry of Foreign Affairs and other public sector entities, using themes like embassy closures and diplomatic appointments to deploy Cobalt Strike tools.
The cybersecurity report underscores Nobelium's persistence and strategic targeting, hinting at state-sponsored operations aimed at gathering intelligence and influencing political outcomes.
French officials are concerned about potential Russian interference in upcoming elections and diplomatic relations, especially with the impending Olympic and Paralympic Games hosted by France.
Russia has also been implicated in disinformation campaigns, including attempts to influence previous French presidential elections and spread misleading narratives about socio-economic issues in France. | Details |
| 2024-06-20 10:50:59 | thehackernews | MISCELLANEOUS | Challenges MSPs Face with Multiple Cybersecurity Tools in 2024 | MSPs manage a vast array of cybersecurity tools, making integration and management complex.
Recent surveys indicate 36% of MSPs utilize over 10 different cybersecurity tools, increasing the risk of security gaps.
An excess of tools often leads to alert fatigue, causing delays in response and potentially undetected vulnerabilities.
The Guardz Unified Cybersecurity Platform offers a centralized solution to manage risks and streamline operations.
Guardz integrates multiple security functions like email and endpoint security, phishing simulations, and cyber insurance.
The platform enhances threat detection and response, ensuring consistent security policies across all environments.
Continuous Attack Surface Discovery and Penetration Testing help MSPs stay ahead of threats by prioritizing critical vulnerabilities. | Details |
| 2024-06-20 10:35:26 | theregister | RANSOMWARE | Qilin Ransomware Attack Targets London Hospitals for $50 Million | Qilin ransomware group orchestrated a deliberate attack on Synnovis, causing a significant healthcare crisis in London hospitals, demanding a $50 million ransom.
The group claims the attack was politically motivated, targeting entities linked to political elites who allegedly withhold high-quality medicines.
Despite their claim, experts and analysts suggest Qilin's traditional operations have been financially motivated rather than politically, questioning the authenticity of their stated ideology.
So far, the attack has led to over 1,500 cancellations of operations and appointments, seriously impacting patient care and hospital functions.
Qilin claims to have used a zero-day vulnerability for initial access, but neither Synnovis nor the UK's NCSC has confirmed any details.
Synnovis is investigating the breach together with the Information Commissioner's Office (ICO) and other authorities to establish what data was affected.
Qilin's claims and track record point to a capable, well-resourced operation. | Details |
| 2024-06-20 10:25:04 | thehackernews | NATION STATE ACTIVITY | Chinese Espionage Campaign Targets Asian Telecoms Since 2021 | Chinese cyber espionage groups have been infiltrating telecom operators in Asia since at least 2021.
The attacks involve placing backdoors into networks, credential theft, and targeting an additional services company and university.
Symantec identifies use of known Chinese cyber tools such as COOLCLIENT, QuickHeal, and RainyDay, which capture sensitive data and connect to C2 servers.
Initial access methods to target systems remain unclear; the campaign includes port scanning and Windows Registry hive dumping.
The operations may involve collaboration or independent actions of different espionage collectives known as Mustang Panda, RedFoxtrot, and Naikon.
Motives likely include intelligence gathering on telecom sectors and potentially establishing capabilities for future disruptions in critical infrastructure.
Parallel reporting by Kaspersky in November 2023 exposes a related ShadowPad malware attack exploiting Microsoft Exchange vulnerabilities in Pakistani telecom infrastructure. | Details |
| 2024-06-20 08:12:16 | thehackernews | MALWARE | New Rust-Based Fickle Stealer Malware Targets Sensitive Data | Fickle Stealer is a Rust-based malware focused on stealing sensitive data from compromised systems using various attack chains.
The malware employs multiple distribution methods including VBA dropper, downloader, link downloader, and executable downloader.
It uses a PowerShell script to bypass User Account Control (UAC) and facilitate data exfiltration to a Telegram bot controlled by the attacker.
The malware runs anti-analysis checks and only proceeds to collect data when it concludes it is not inside a sandbox or analysis environment.
Fickle Stealer specifically targets data from crypto wallets, several popular web browsers, and applications like AnyDesk and Discord.
It searches for files with various extensions including .txt, .pdf, and .docx, and also adapts its targets based on server-side instructions.
The article briefly discusses another stealer, AZStealer, which is Python-based and available on GitHub, noted for stealing information through Discord webhooks. | Details |
| 2024-06-20 06:35:21 | thehackernews | MALWARE | New SquidLoader Malware Targets Chinese Organizations via Phishing | Cybersecurity experts identified a new malware loader, SquidLoader, primarily targeting Chinese entities through phishing emails disguised as legitimate Microsoft Word documents.
SquidLoader employs advanced evasion techniques including encrypted code segments and direct syscalls, complicating both static and dynamic malware analysis.
The malware facilitates the delivery of second-stage shellcode payloads, such as Cobalt Strike, directly within the loader process without writing payloads to disk, enhancing its ability to evade detection.
It features several defense evasion mechanisms such as Control Flow Graph obfuscation and debugger detection, which make it difficult for security programs to effectively identify and neutralize.
Loader malware is increasingly popular among cybercriminals, serving as a critical tool to bypass antivirus defenses and inject additional harmful payloads into compromised systems.
The discovery of SquidLoader follows similar findings of other loader malware like PikaBot and Taurus Loader, indicating a persistent and evolving threat landscape in malware development and deployment.
The recent operation "Endgame" led to the takedown of infrastructure supporting various loader malwares, signaling law enforcement's ongoing efforts to mitigate such cyber threats. | Details |
| 2024-06-20 00:43:27 | bleepingcomputer | DATA BREACH | T-Mobile Refutes Hack Claims, Blames Vendor for Data Leak | T-Mobile has denied any direct breach or theft of its source code after allegations by the group IntelBroker about stolen company data.
IntelBroker, a well-known threat actor, claimed to have compromised T-Mobile in June 2024 and posted screenshots from internal systems such as Confluence and Slack as proof.
The leaked data, however, appears to be older and to have been taken from a third-party vendor's servers rather than from T-Mobile's own infrastructure.
How the third-party provider was breached is unclear, though the article notes that a Confluence vulnerability such as CVE-2024-1597 could be involved.
T-Mobile insists no customer data or source code was compromised during this incident and continues to investigate the claims.
The identity of the third-party service provider has not been publicly disclosed as investigations are ongoing.
T-Mobile's history with cybersecurity issues includes significant breaches in 2023 impacting millions of customers. | Details |