Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-14 22:14:58 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Exploit Discovered in D-Link EXO AX4800 Routers | The D-Link EXO AX4800 router is susceptible to a remote command execution vulnerability that can let unauthenticated attackers take full control of the device. The flaw is present in routers running the latest firmware version and can be exploited via the Home Network Administration Protocol (HNAP) port. Attackers gain access by sending a specially crafted HNAP login request that bypasses authentication and permits command injection in the 'SetVirtualServerSettings' function. The security research team SSD Secure Disclosure has released a proof-of-concept (PoC) demonstrating the exploit process. SSD has attempted to contact D-Link three times over the past 30 days to report the issue, but the vulnerabilities remain unaddressed. Users are advised to disable remote management on their routers to mitigate the risk until a security update is released. The D-Link DIR-X4860 is widely used, especially in Canada, and features advanced specifications, including Wi-Fi 6 capabilities up to 4800 Mbps. |
| 2024-05-14 21:34:05 | theregister | CYBERCRIME | FCC Exposes Royal Tiger AI Robocall Scam and its Global Ties | The FCC has publicly identified a robocall group called "Royal Tiger," involved in AI-aided scam operations that impersonate reputable organizations to deceive individuals. Royal Tiger employs AI voice cloning and caller ID spoofing to mislead victims into revealing personal and financial information under the guise of offering services such as credit card rate reductions. The network is spearheaded by Prince Jashvantlal Anand and Kaushal Bhavsar, operating through entities in India, the UK, the UAE, and the US. These illicit activities led the FCC to issue cease and desist orders to associated US companies such as Illum Telecommunication and PZ Telecommunication, and eventually to block traffic from One Eye. Despite the group's attempts to conceal its operations by frequently changing addresses and using multiple fronts, the FCC has moved to stop its activities by designating Royal Tiger a Consumer Communications Information Services Threat (C-CIST). This designation aims to enhance collaboration among local, national, and international regulatory and law enforcement bodies to protect consumer privacy and trust in communication services. |
| 2024-05-14 20:12:09 | bleepingcomputer | DATA BREACH | Singing River Health System Ransomware Attack Affects 895,000 | Singing River Health System in Mississippi was hit by a ransomware attack in August 2023, impacting operations and potentially leading to data theft. The attack affected roughly 895,204 individuals, significantly up from the initially reported figures. The affected hospitals and facilities include Singing River Hospital in Pascagoula, Ocean Springs Hospital, Singing River Gulfport Hospital, and additional clinics and centers. The Rhysida ransomware gang, known for targeting healthcare providers, claimed responsibility for the attack. The exposed data includes personal and medical information; however, there is no evidence it has been used for identity theft or fraud. Singing River has provided affected individuals with 24 months of free credit monitoring and identity restoration services. Approximately 80% of the data claimed by the hackers has already been leaked, and impacted parties are urged to take preventive action against potential identity theft. |
| 2024-05-14 18:19:23 | bleepingcomputer | MALWARE | Microsoft Patches Critical Zero-Day Exploited by QakBot Malware | Microsoft has addressed a zero-day vulnerability in Windows exploited by QakBot malware to deliver various malicious payloads. The vulnerability, identified as CVE-2024-30051, is a privilege escalation flaw located in the Desktop Window Manager (DWM) core library. Exploitation of the bug allows attackers to obtain SYSTEM privileges, potentially leading to full system control. The issue was discovered by Kaspersky researchers while investigating a previously known CVE, with the findings subsequently confirmed and patched by Microsoft during its monthly Patch Tuesday. This vulnerability was also reported to Microsoft by other security teams, including Google's Threat Analysis Group, indicating that it was widely known within the cybersecurity community. QakBot, which started as a banking trojan, has evolved over the years into a sophisticated malware delivery platform involved in ransomware distribution and data theft. Despite efforts to dismantle QakBot's infrastructure in 2023, it continues to reinfect systems and propagate through new campaigns. |
| 2024-05-14 17:53:14 | bleepingcomputer | MALWARE | Microsoft's May 2024 Patch Fixes Critical Zero-Day Flaws | Microsoft's May 2024 Patch Tuesday addressed 61 vulnerabilities, including three zero-days, one of which is critical. Two of the zero-days were actively exploited, and one was publicly disclosed before being addressed in this update. The critical flaw fixed was a Remote Code Execution Vulnerability in Microsoft SharePoint Server. The fixed vulnerabilities span various Microsoft products; the count excludes non-security updates for Windows 11, which are reported separately. CVE-2024-30040 involved a bypass in MSHTML that could allow attackers to execute arbitrary code after a user interacts with a malicious file. CVE-2024-30051, an exploited vulnerability in the Windows DWM Core Library, enabled attackers to gain SYSTEM privileges in Qakbot malware attacks. Microsoft also patched a publicly disclosed denial of service issue in Microsoft Visual Studio. Other vendors also released security updates in May, but SAP's updates are now restricted behind a customer login. |
| 2024-05-14 17:07:06 | thehackernews | MALWARE | Android 15 Enhances Security to Thwart Malicious App Activities | Google is introducing updated security features in Android 15 to protect users from malware by using an expanded Play Integrity API. The enhancements will allow developers to detect whether other apps might be capturing screen content or intercepting user data. Newly introduced security protocols include measures against overlay attacks and the abuse of accessibility service permissions by banking trojans. Some Android malware, such as Anatsa, has found ways around existing security measures, prompting continuous improvements from Google. Google plans to increase cellular security by alerting users to unencrypted connections and potential surveillance activity. Screen sharing on Android 15 will now automatically obscure notification content, including one-time passwords, to prevent leakage during such sessions. Play Protect's new live threat detection uses on-device AI to analyze behavior, improving the detection of malicious apps based on their activity patterns and interactions. Google is collaborating with original equipment manufacturers (OEMs) to integrate these security features over the next few years, aiming for widespread adoption and enhanced user protection. |
| 2024-05-14 17:07:06 | thehackernews | MISCELLANEOUS | Google Introduces New Security Features to Thwart Phone Theft | Google is launching new security enhancements for Android devices, designed to protect against theft. Features include a private space for sensitive apps, protected by a separate PIN, and security measures requiring biometric authentication before critical settings can be changed. An upgraded factory reset protection will make a stolen device inoperable without the owner's credentials. AI-driven capabilities will automatically lock the device if it detects sudden movement suggestive of theft. Offline Device Lock activates if a device is disconnected for an extended time, preventing unauthorized access. Additional functions allow users to mark a device as lost, improving tracking and enabling remote device locking with security challenges. These updates will be available for devices running Android version 10 and later through an update to Google Play services. |
| 2024-05-14 16:36:18 | bleepingcomputer | MALWARE | Ebury Malware Infects 400,000 Linux Servers Over 14 Years | The Ebury botnet has compromised around 400,000 Linux servers since 2009, with approximately 100,000 still affected as of late 2023. ESET researchers have tracked this financially motivated malware for over a decade, noting significant capability enhancements in 2014 and 2017. Recent attacks involve breaching hosting providers and executing supply chain attacks, often via credential stuffing with stolen credentials. The malware steals SSH keys and other credentials, intercepts SSH traffic, and has also targeted cryptocurrency wallets on the compromised servers. Ebury uses various monetization strategies, including credit card theft, traffic redirection for ad revenue, spam distribution, and the sale of stolen credentials. In 2023, ESET observed new obfuscation methods and a domain generation algorithm that help Ebury evade detection. Collaborative efforts with law enforcement led to the seizure of a backup server used by the malware operators, aiding ongoing investigations. |
| 2024-05-14 16:20:41 | theregister | CYBERCRIME | NCSC and Insurers Collaborate on Ransomware Prevention Guide | The UK's National Cyber Security Centre (NCSC) has partnered with leading insurance associations to issue new guidance on handling ransomware. Introduced at the CYBERUK conference, the guidance discourages knee-jerk ransom payments and aims to undermine cybercriminals' business models. The collaborative effort includes the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA), and the International Underwriting Association (IUA). Although not groundbreaking for cybersecurity professionals, the guide is seen as valuable for organizations lacking detailed cybersecurity knowledge. The guidance emphasizes consulting experts, involving the appropriate members of the organization, and investigating the root cause without panicking. Ransomware victims are reminded that paying the ransom does not guarantee the deletion of stolen data and may invite further attacks. NCSC CEO Felicity Oswald stressed the dangers of paying ransoms, noting that it encourages criminals and does not resolve the underlying issues. The guide also acts as an interim solution while the UK government considers more permanent legal measures against ransom payments. |
| 2024-05-14 15:59:52 | bleepingcomputer | MALWARE | Apple Patches Zero-Day Safari Flaw Exploited in Hacking Contest | Apple has issued security updates for a zero-day vulnerability in Safari, exposed during the Pwn2Own Vancouver hacking competition. The vulnerability, identified as CVE-2024-27834, affected systems running macOS Monterey and macOS Ventura and was patched with improved checks. The flaw was part of an exploit chain used by security researcher Manfred Paul to achieve remote code execution, earning him $60,000. Pointer Authentication Codes (PACs), which prevent unauthorized modification of pointers in memory, are integral to the security mechanism that was bypassed. It remains unclear whether the CVE-2024-27834 fix has been applied to other Apple platforms such as iOS, iPadOS, macOS Sonoma, and visionOS. Users can update Safari independently of macOS updates through the Software Update section in System Settings. Other technology vendors, including Google and Mozilla, also quickly addressed zero-day vulnerabilities disclosed at the same Pwn2Own event. |
| 2024-05-14 15:54:36 | thehackernews | MALWARE | VMware Addresses Critical Security Flaws in Latest Patch | VMware has released patches for severe vulnerabilities in its Workstation and Fusion products. The vulnerabilities could allow unauthorized access to sensitive data, cause denial of service (DoS), and enable code execution. Affected versions include Workstation 17.x and Fusion 13.x; fixes are available in versions 17.5.2 and 13.5.2 respectively. Users are advised to disable Bluetooth support and 3D acceleration as temporary measures until the patches can be applied. No mitigations are available for CVE-2024-22270 other than updating to the latest software version. The vulnerabilities were demonstrated during the Pwn2Own hacking contest by research teams from STAR Labs SG and Theori. This patch follows a previous update that fixed other critical vulnerabilities affecting VMware products, underscoring ongoing security risks. |
| 2024-05-14 15:23:49 | bleepingcomputer | CYBERCRIME | Apple Updates Older Devices to Address Zero-Day Exploits | Apple has extended critical security updates originally released in March to older iPhone and iPad models, addressing a zero-day vulnerability. The vulnerability, identified as CVE-2024-23296, affects the RTKit real-time operating system and could allow attackers with kernel access to bypass memory protections. Devices receiving these patches include the iPhone 8, iPhone X, and various older iPad models. While Apple confirmed that the zero-day was exploited, details on the attackers and the nature of the attacks remain unreported. The patches were initially applied to newer Apple devices in March, and their extension to older models emphasizes the severity and wide applicability of the vulnerability. Alongside the usual device updates, Apple has introduced features to warn users about unwanted tracking through Bluetooth devices such as AirTags. Installing these updates is crucial for affected users to safeguard against potential data breaches and system compromise facilitated by this vulnerability. |
| 2024-05-14 15:07:53 | bleepingcomputer | MISCELLANEOUS | Apple and Google Update iOS and Android with Tracker Alerts | Apple and Google have introduced a new privacy feature across the iOS and Android platforms that alerts users to unrecognized Bluetooth tracking devices moving with them. The feature, part of iOS 17.5 and available on Android 6.0+ devices, aims to increase security and privacy by notifying users of potential unwanted tracking. Alerts, including "[Item] Found Moving With You" on iOS and "Tracker traveling with you" on Android, activate when an unknown Bluetooth device is detected. Users can interact with the alert to see the tracker's identifier and, if possible, make the tracker emit a sound so it is easier to locate. The update includes guidelines on how to deactivate the unknown tracking device. Accessories such as Apple's AirTag and compatible third-party products adhere to this new security standard, but older trackers without this capability can still operate undetected. The update seeks to curb the misuse of Bluetooth tracking devices, which have been exploited for surreptitious surveillance despite their intended use for locating personal items. |
| 2024-05-14 14:52:10 | bleepingcomputer | CYBERCRIME | VMware Patches Zero-Day Exploits Uncovered in Pwn2Own 2024 | VMware resolved four security vulnerabilities, including three zero-days exploited at Pwn2Own Vancouver 2024. The most critical flaw, CVE-2024-22267, is a use-after-free bug allowing code execution on the host via a compromised VM. A temporary workaround involves disabling Bluetooth in the VM settings to mitigate one of the vulnerabilities. Additional vulnerabilities (CVE-2024-22269 and CVE-2024-22270) related to information disclosure were reported. CVE-2024-22268 involves a heap buffer overflow, enabling potential denial of service if 3D graphics are enabled. Security researchers at Pwn2Own disclosed 29 zero-days and earned significant rewards, highlighting critical software vulnerabilities. Following the competition, Google and Mozilla also quickly issued fixes for their affected products. VMware, like other vendors, typically has 90 days to release patches after such disclosures by the Zero Day Initiative. |
| 2024-05-14 14:31:36 | theregister | MISCELLANEOUS | Telegram CEO Alleges Signal's Links to US Intelligence | Telegram CEO Pavel Durov criticized Signal, claiming it has ties to US intelligence and questioning the security of its encryption. Durov's comments followed a City Journal report about Signal's origins, which were funded by the US government's Open Technology Fund. The Signal Foundation's current chair, Katherine Maher, has a background with several US-backed entities and governmental roles. Durov suggests that big tech's encryption protocols, including those used by WhatsApp and Facebook Messenger, may be influenced by the US government. He also noted instances of Signal messages appearing in court cases, implying they could be due to compromised encryption, though no specific evidence of this was provided. Durov criticized both WhatsApp and Signal for not allowing full transparency of their source code and reproducible builds of their apps, particularly on iOS. The timing of Durov's remarks coincides with potential financial incentives as Telegram considers going public. |