Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-18 21:32:27 | bleepingcomputer | MALWARE | Revolver Rabbit Gang Utilizes Over 500,000 Domains for Malware Distribution | Revolver Rabbit, a cybercriminal gang, has registered over 500,000 domains to propagate infostealer malware affecting Windows and macOS systems. The gang uses registered domain generation algorithms (RDGAs) to automate the mass registration of domain names for use in command-and-control infrastructure. These RDGAs are private and complex, making it hard for security researchers to work out the patterns used for domain generation, unlike the more commonly known DGAs. The domains are primarily under the .BOND top-level domain and are used to orchestrate phishing campaigns and malware infections using the XLoader malware, a successor to Formbook. Infoblox, a DNS security company, has tracked and studied the scale of Revolver Rabbit's operation, citing an investment of close to $1 million by the group in domain registrations. Through detailed analysis, Infoblox identified a typical RDGA pattern of dictionary words followed by numbers, which aids monitoring and may help counter some of Revolver Rabbit's activity. The discovery underscores the increasingly sophisticated methods and significant financial investments criminal groups are willing to make to run large-scale cyber threats. |
| 2024-07-18 21:11:56 | theregister | NATION STATE ACTIVITY | Judge Partially Dismisses SEC Lawsuit Against SolarWinds | A U.S. federal judge has largely dismissed a lawsuit brought by the SEC against SolarWinds over its disclosures following the SUNBURST cyberattack. The court rejected claims that SolarWinds misled investors about its security posture after the SUNBURST malware infection. SUNBURST, deployed by Russian spies, compromised SolarWinds' Orion software, affecting around 18,000 organizations including major U.S. government departments. The judge kept alive allegations of securities fraud stemming from pre-attack statements about Orion's cybersecurity robustness. The ruling concludes that some of SolarWinds' promotional statements might have led investors to believe its software was minimally vulnerable. The court dismissed claims about insufficient internal accounting and disclosure controls. SolarWinds expressed satisfaction with the ruling and said it looks forward to vigorously defending the remaining securities fraud claim. The SEC made no comment on whether it would appeal. |
| 2024-07-18 16:32:03 | theregister | NATION STATE ACTIVITY | Kaspersky Proposes Verification Framework Amid US Ban | Kaspersky has rejected US hacking claims and responded to the US government's ban by proposing independent verification of its software. The firm answered US concerns by proposing a "comprehensive assessment framework" for verifying its solutions and updates through an independent reviewer. The move is part of Kaspersky's Global Transparency Initiative, launched in response to its earlier ban from US government systems, under which it even offered to open its source code to third-party scrutiny. Despite these efforts, the US Department of Commerce stands by its decision, attributing the ban to geopolitical tensions rather than to the integrity of Kaspersky's products. Kaspersky announced that it will stop signing new contracts and gradually wind down its US operations, including ending antivirus updates and other security services by September 29. However, Kaspersky will still offer other services such as cybersecurity training, threat intelligence, and consulting in the US. The company reaffirmed its commitment to global customers and its mission to contribute to a safer cyberspace through award-winning and audited cybersecurity technologies. |
| 2024-07-18 15:55:55 | bleepingcomputer | MALWARE | SolarWinds Patches Critical Vulnerabilities in Access Rights Software | SolarWinds has fixed eight critical vulnerabilities in Access Rights Manager (ARM), closing paths to unauthorized access and data breaches. Six of the vulnerabilities allow remote code execution (RCE) without requiring privileges and are rated 9.6/10 in severity, enabling unauthorized command execution on affected systems. Three further patched vulnerabilities involved directory traversal that could let unauthenticated users delete files or access sensitive data. A high-severity flaw allowing authentication bypass was also patched; it could have given unauthenticated users admin-level access within Active Directory environments. The vulnerabilities were reported through Trend Micro's Zero Day Initiative and resolved in the recently released ARM 2024.3. SolarWinds did not say whether these vulnerabilities have been exploited in the wild or whether proof-of-concept exploits exist. SolarWinds, a major supplier to Fortune 500 companies and U.S. government agencies, was previously compromised by Russian state hackers in a severe supply-chain attack in 2020. The U.S. government and the SEC have taken formal action against SolarWinds and Russia over past security breaches and misinformation. |
| 2024-07-18 13:43:25 | theregister | MALWARE | FIN7 Syndicate Sells EDR-Disabling Malware to Ransomware Gangs | Russian cybercrime group FIN7 is reportedly selling AvNeutralizer, a custom malware that disables security software, to various ransomware gangs. AvNeutralizer targets specific endpoint detection and response (EDR) solutions, with prices ranging from $4,000 to $15,000. The tool was originally linked exclusively to the Black Basta group, but an increase in activity suggests that multiple ransomware campaigns began using AvNeutralizer in 2023 to evade detection. The malware has proven effective against several major endpoint security products, including those from SentinelOne, Windows Defender, Sophos, and Symantec. Buyers specify which EDR solutions to bypass when purchasing AvNeutralizer and receive a version customized to their specifications. FIN7, operating under various pseudonyms on cybercrime forums, is likely managing the marketing and distribution of AvNeutralizer. New versions of the malware include advanced techniques for tampering with system processes to disable security protections. FIN7's ability to operate under multiple aliases and its evolving tactics highlight the difficulty of attributing and countering its operations. |
| 2024-07-18 13:27:52 | thehackernews | MALWARE | Malicious Ad Blocker Injects Kernel Driver to Manipulate Traffic | Cybersecurity firm ESET has identified a new malware, named HotPage, that poses as an ad blocker and installs a malicious kernel driver on Windows. HotPage can modify web traffic, redirect users, and display targeted ads while harvesting system data and sending it to a Chinese technology company, Hubei Dunwang Network Technology Co., Ltd. The malware uses the kernel driver to inject malicious libraries into browsers, enabling unauthorized code execution with elevated system privileges. The kernel driver had no access restrictions, so even low-privileged users could abuse it to gain elevated system permissions. The Chinese company behind the malware obtained a Microsoft signature for its driver, which helps the malware bypass security measures. The incident exposes weaknesses in Microsoft's driver certification process, which the malware's creators used to their advantage. The malicious driver was removed from the Windows Server Catalog following its exposure. |
| 2024-07-18 12:51:55 | bleepingcomputer | MALWARE | Cisco Resolves Critical Flaw Allowing Root Access on SEG Devices | Cisco has patched a critical vulnerability in Secure Email Gateway (SEG) appliances that could allow attackers to add root users or crash the system. The vulnerability, tracked as CVE-2024-20401, is an arbitrary file write flaw caused by absolute path traversal in SEG's content scanning and message filtering. Attackers exploiting the flaw could replace any file on the device's operating system, modify configurations, execute arbitrary code, or trigger a permanent denial-of-service condition. The flaw affects SEG appliances running specific vulnerable releases of Cisco AsyncOS, and the risk rises when certain email scanning features are enabled. Cisco has issued updates to the Content Scanner Tools package and Cisco AsyncOS for Secure Email to fix the vulnerability. Administrators can check whether a device is vulnerable by reviewing the file analysis and content filter settings in the product's web management interface. Although no exploitation or public proof-of-concept is known, Cisco urges immediate updating of affected models to prevent potential attacks. Cisco also fixed a further severe bug related to password changes on Cisco Smart Software Manager On-Prem license servers. |
| 2024-07-18 11:48:31 | thehackernews | MISCELLANEOUS | Webinar on Empowering Developers as Security Advocates | AppSec teams and developers often have conflicting objectives: security versus speed. A common problem in software development is the tension between shipping code quickly and addressing security vulnerabilities. The webinar "Turn Developers into Allies: The Power of Security Champion Programs" aims to bridge this gap by turning developers into security advocates. The approach relies on Security Champion Programs, which have proven highly effective but are not widely used. Attendees will learn how these programs can create a collaborative, secure, and innovative development environment. Registration is open and free for participants. |
| 2024-07-18 11:02:21 | thehackernews | CYBERCRIME | Advanced Bot Attacks Rise in Post-Pandemic Travel Industry | The travel industry received 21% of all bot attack requests last year, making it a prime target for automated threats. Imperva's 2024 Bad Bot Report finds that 44.5% of the industry's web traffic in 2023 came from bad bots, up from 37.4% in 2022. These bots engage in unauthorized activities such as scraping, account takeover, and fraud, severely disrupting operations. Advanced bad bots, which mimic human behavior to evade detection, accounted for 61% of this malicious bot activity. Seasonal travel demand and major events are expected to further increase bot activity against travel services. Imperva recommends layered security measures, including real-time bot detection and traffic analysis, to protect against these threats. Recommended steps include blocking outdated browsers, restricting bulk IP access, and regular monitoring for traffic anomalies. |
| 2024-07-18 10:41:45 | theregister | CYBERCRIME | Critical Cisco Flaw Allows Unauthorized Admin Password Changes | Cisco has released a patch for a critical vulnerability in its Smart Software Manager On-Prem, tracked as CVE-2024-20419. The vulnerability lets unauthenticated attackers change the password of any user, including administrators, via crafted HTTP requests. Rated 10/10 on the CVSS 3.1 scale, the flaw poses a high threat to the product's integrity, availability, and confidentiality. Attack complexity is rated low, and exploitation requires no prior privileges or user interaction. There is currently no evidence of exploitation in the wild, but the risk rises now that details are public. Affected versions are SSM On-Prem up to version 8-202206; Cisco advises upgrading to at least version 8-202212, or ideally to version 9. Cisco's SSM On-Prem is widely used in critical sectors such as financial institutions, utilities, and government, increasing the potential impact. The vulnerability was part of a broader set of security updates that also addressed other critical issues, including a high-severity flaw in Cisco Secure Email Gateway. |
| 2024-07-18 09:35:23 | thehackernews | CYBERCRIME | SAP AI Core Vulnerabilities Risk Major Data Exposure | Cybersecurity researchers have discovered significant flaws in SAP AI Core, a platform used for building AI workflows. The vulnerabilities, collectively named SAPwned, allow unauthorized access to customer data and cloud credentials, including for AWS, Azure, and SAP HANA Cloud. Attackers could manipulate Docker images and artifacts, potentially enabling a supply chain attack. The weaknesses also provided a way to obtain cluster administrator privileges in Kubernetes, opening further access to sensitive customer data. The issues stemmed from insufficient isolation and sandboxing of AI models and training routines. SAP patched the vulnerabilities after they were responsibly disclosed on January 25, 2024. The findings underscore the need for stringent security measures in AI deployments, especially as enterprise use of generative AI expands. They also highlight ongoing cybersecurity concerns, underlined by the rise of cybercriminal groups such as NullBulge targeting the AI and gaming sectors. |
| 2024-07-18 09:14:49 | thehackernews | NATION STATE ACTIVITY | Global Cyber Espionage Campaign Leverages Open-Source Tools | TAG-100, a previously unknown threat group, uses open-source tools for cyber espionage against a range of global targets. The adversary has likely attacked organizations in more than ten countries, including government, private sector, and diplomatic entities. The attacks exploit multiple security vulnerabilities in widely used internet-facing products such as Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks devices. Recorded Future's Insikt Group highlights TAG-100's use of malware such as Pantegana and Spark RAT, as well as Cobalt Strike Beacon, in its attack chains. The group conducted extensive reconnaissance of internet-facing appliances across sectors, particularly targeting U.S.-based organizations following exploitation of a Palo Alto Networks GlobalProtect vulnerability. These activities are believed to provide initial access and enable long-term presence in targeted networks. Combining proof-of-concept (PoC) exploits with open-source programs helps the attackers evade detection and complicates attribution. |
| 2024-07-18 07:33:01 | theregister | MISCELLANEOUS | Firms Often Skip Security Reviews for Major Software Updates | Cybersecurity teams review significant software updates for security issues only 54% of the time, according to a recent CrowdStrike poll. The report shows wide variation in how often security reviews happen, with 22% of security managers conducting reviews less than half the time. Security reviews are delayed primarily by time constraints and cost, with the analysis estimating an average of $1.2 million in yearly expenses for these reviews. Many firms handle ten code reviews a week, each involving 16 to 17 team members, underscoring how labor-intensive the process is. The variety of programming languages and threat detection tools adds complexity and potential misalignment between technologies, with over half of managers citing tool misalignment as a top challenge. Organizations use a mix of manual and automated processes for application security, but 71% still rely heavily on traditional methods such as documentation and spreadsheets. CrowdStrike stresses the urgent need for improved security practices as adversary methodologies evolve rapidly. |
| 2024-07-18 06:16:42 | thehackernews | DATA BREACH | Meta Suspends AI in Brazil Following Data Protection Concerns | Meta has stopped using generative AI technologies in Brazil to comply with a preliminary ban from the country's National Data Protection Authority (ANPD). The ban was prompted by concerns over Meta's new privacy policy, which allows the collection of user data for training its GenAI systems without clear consent. ANPD has imposed a daily fine of 50,000 reais should Meta fail to comply with the authority's decision. The Brazilian data protection agency highlighted the risk of "serious and irreparable harm" to fundamental rights concerning citizens' data privacy. Meta expressed disappointment, describing the decision as a hindrance to AI innovation and competition in Brazil. Global tech firms, including Apple, are similarly adjusting their AI offerings in regions with stringent data privacy regulation such as the European Union. Human Rights Watch has raised alarms over the misuse of personal data, such as the unauthorized use of children's photos in AI datasets, which could lead to exploitation. |
| 2024-07-18 06:06:19 | thehackernews | CYBERCRIME | Cisco Addresses Critical Flaw in On-Prem Smart Software Manager | Cisco has released patches for a critical vulnerability in Smart Software Manager On-Prem, tracked as CVE-2024-20419 with a CVSS score of 10.0. The vulnerability allowed unauthenticated remote attackers to change user passwords and potentially access the system with administrative privileges. The flaw was caused by an improper implementation of the password-change process and could be exploited via crafted HTTP requests. Affected versions were Cisco SSM On-Prem up to 8-202206; the issue has been fixed in version 8-202212. Cisco confirmed that version 9 of the software is not vulnerable and said there are no workarounds for the issue. According to Cisco, no exploitation of this vulnerability has been reported in the wild. The bug was discovered and reported by security researcher Mohammed Adel. Separately, CISA has added three other actively exploited vulnerabilities to its KEV catalog, requiring federal agencies to apply the mitigation instructions by August 2024. |