Daily Brief

Total articles found: 11815

2024-05-07 13:00:26 thehackernews NATION STATE ACTIVITY China-Linked Hackers Target MITRE Network with Advanced Tactics
MITRE Corporation confirmed a cyber attack that began on December 31, 2023, exploiting vulnerabilities in Ivanti Connect Secure. The attackers used CVE-2023-46805 and CVE-2024-21887 to infiltrate the NERVE research network. They used ROOTROT, a Perl-based web shell, for initial access, followed by the deployment of other web shells including BEEFLUSH and BRICKSTORM. The intrusion involved profiling and controlling MITRE's VMware infrastructure, giving the attackers persistent access and the ability to execute arbitrary commands. Analysis revealed lateral movement attempts and SSH manipulations intended to maintain control of systems. The attack was linked to the China-connected cyber-espionage group UNC5221. MITRE observed data exfiltration and a persistent network presence from January to mid-March 2024, following the disclosure of the exploited vulnerabilities.
2024-05-07 11:33:00 theregister MISCELLANEOUS Impact of CISA KEV Catalog on Private Sector Patch Timelines
CISA's Known Exploited Vulnerabilities (KEV) catalog, primarily aimed at federal agencies, also positively influences private-sector cybersecurity practices. Private organizations patch vulnerabilities listed in the KEV catalog about three times faster than those not listed: 175 days compared to 621 days. Despite this improvement, most patching deadlines are still missed by both government and private organizations. Findings indicate that vulnerabilities linked to ransomware are patched significantly faster, demonstrating the influence of potential financial risk. Technology companies patch vulnerabilities the fastest, averaging 93 days, owing to higher exposure and industry reputation concerns. Critical-severity vulnerabilities take an average of around four and a half months to remediate, indicating room for improvement in response times. Bitsight suggests that organizations adopt stringent internal patching deadlines tailored to the severity of the vulnerabilities. The report also stresses the need for executive support for robust security measures and for swift, effective vulnerability management.
2024-05-07 10:46:23 thehackernews MALWARE Hidden Malware in Comment Section Image Endangers E-Commerce Security
A routine security scan identified hidden malicious code within an image posted in the comments section of a global retailer’s product page. This altered image containing a simple 'Thank You' message hid malware designed to steal personal identifying information from online shoppers. The malicious payload was embedded using steganography, a technique of hiding data within digital content, in this case, an RGB pixel modification in the image. The discovery was made by Reflectiz, a web security firm using continuous web threat management solutions to monitor and protect e-commerce platforms. This form of threat highlights the persistent risks and challenges e-commerce sites face from cyber criminals, including potential regulatory penalties and reputational harm. The full case study details the methods of protection and detection used to avert significant breaches, focusing on inexperienced users who might be unaware of such risks in seemingly innocent web interactions. Legislative frameworks like GDPR impose stringent security requirements and substantial penalties for breaches, aligning with the need for advanced security measures as demonstrated in this incident.
2024-05-07 10:35:59 theregister DATA BREACH Security Firm Exposes Over 1.2 Million Sensitive Documents Online
UK-based Amberstone Security inadvertently exposed nearly 1.3 million documents due to a misconfigured database. The exposed data included images of security guards' ID cards and photos of individuals suspected of criminal activities, dating back to 2017. Documents revealed personal details such as names, photos, expiration dates of ID cards, and in some cases, signatures. A security researcher discovered the breach, highlighting risks such as potential impersonation of security staff and unauthorized access to facilities. Exposed data also detailed suspect behaviors and tactics in theft incidents, revealing operational security details. Amberstone Security responded swiftly to the breach notification, securing the database and investigating the cause with the involved third-party contractor. The incident underlines significant privacy and security risks, prompting calls for enhanced measures including biometric updates to security ID cards.
2024-05-07 10:05:07 thehackernews MISCELLANEOUS Google Enhances 2FA Setup, Studies Reveal New Attack Methods
Google has made the process of enabling two-factor authentication (2FA) simpler for both personal and Workspace accounts. Users can now set up 2FA without initially requiring a phone number, opting instead for methods like authenticator apps or hardware security keys. Over 400 million Google accounts adopted passkeys in the past year, supporting passwordless authentication that promises to curb phishing and hijacking instances. Despite these advancements, new threats like the adversary-in-the-middle (AitM) attack could bypass FIDO2 security, exploiting weaknesses in single sign-on (SSO) systems. AitM attacks allow unauthorized actors to hijack sessions after successful authentication via stolen session cookies, exposing the inadequacy in session protection post-authentication. Google proposes Device Bound Session Credentials (DBSC) in its Chrome browser to strengthen defenses against session cookie theft, a feature limiting potential unauthorized access. These updates underscore the ongoing evolution and challenges in cybersecurity, emphasizing the need for continuous improvement in authentication technologies and user security awareness.
2024-05-07 09:34:14 thehackernews CYBERCRIME Russian Crypto Exchange Operator Pleads Guilty to Money Laundering
Alexander Vinnik, a Russian national, admitted to money laundering charges stemming from the ownership and operation of the BTC-e cryptocurrency exchange. The charges relate to activities between 2011 and 2017, during which BTC-e facilitated transactions involving criminal activities such as hacking, ransomware scams, and drug trafficking. BTC-e failed to register as a money services business in the U.S. and did not implement mandatory anti-money laundering (AML) or Know Your Customer (KYC) protocols. Over its course of operation, BTC-e handled over $4 billion in Bitcoin and served more than one million users globally, including substantial dealings in the United States. Vinnik was captured in Greece in 2017 and extradited to the U.S. in 2022, facing multiple charges including operation of an unlicensed money service business and money laundering. The U.S. Department of Justice described BTC-e as a major avenue for cybercriminals to launder ill-gotten funds. Financial penalties were levied against BTC-e and Vinnik by the U.S. Department of the Treasury for severe violations of AML laws.
2024-05-07 02:16:17 theregister RANSOMWARE Ransomware Strategy Shifts to Psychological Tactics Against Executives
Ransomware attacks are evolving to exploit social engineering and psychological pressure, as reported by Charles Carmakal, CTO of Mandiant. Criminals are utilizing deeply personal attacks, such as SIM swapping the phones of executives' children, to increase pressure on victims to meet ransom demands. The tactic includes making phone calls to executives from their children's numbers, often using caller ID spoofing or direct SIM card manipulation. Incidents of ransomware have expanded beyond encrypting or stealing data, with criminals now resorting to endangering lives, as seen in attacks that delayed ambulances and exposed sensitive patient information. This shift focuses on psychological impacts, shifting the decision criteria from protecting customer data to safeguarding employees and their families. The increased leverage of cryptocurrencies has facilitated easier and more profitable extortion for perpetrators, broadening the scope of potential targets across various industries, especially healthcare. Mandiant's head of global intelligence, Sandra Joyce, highlights the difficult decisions companies must make when facing ransom demands, which might involve legal and ethical considerations, particularly when dealing with sanctioned entities.
2024-05-07 01:09:31 theregister DATA BREACH Major Tech Firms Accused of Violating Apple's Privacy Rules
Apple recently required iOS developers to justify their use of APIs that could be employed for device fingerprinting. Despite the restrictions, apps from Google, Meta, and Spotify allegedly misuse these APIs to collect data and send it off the device, against Apple's policies. Device fingerprinting gathers unique device identifiers, useful for precise ad targeting but controversial as a privacy invasion. Apple holds that APIs provided for core app functionality should not be exploited for fingerprinting, regardless of user permission. Developers Talal Haj Bakry and Tommy Mysk reported that major tech companies fail to comply with Apple's requirement that API-derived data stay on the device. The issue arises as Apple introduces stricter App Store submission rules, effective May 1, 2024, aimed at deterring privacy breaches. Google acknowledged the report and is investigating the claims, while responses from Meta and Spotify remain pending. Critics suggest Apple's enforcement of API usage transparency lacks rigor, rendering its privacy measures ineffective.
2024-05-06 23:48:00 theregister CYBERCRIME Law Enforcement Revives LockBit Website for Major Reveal
International law enforcement agencies, including the FBI, NCA, and Europol, have relaunched the previously seized LockBit ransomware group's website, setting a countdown for new disclosures. The site, originally used by LockBit for extortion and data leaks, now features eight locked pages with a countdown, promising revelations about the gang's activities and possibly the identity of its members. Previously disappointing articles posted by the police on this site have been critiqued for lackluster information, with promises now of more substantive revelations. Charles Carmakal of Mandiant highlighted the significance of the upcoming reveal at the RSA Conference, suggesting it could provide detailed insights into the LockBit group and its key figure, LockbitSupp. The newly resurrected site will be operational only until May 10, indicating a limited window for these disclosures. Despite law enforcement actions, LockBit continues its operations unabated, recently targeting hospitals and government entities, demonstrating resilience and ongoing threat presence. The tension between LockBit's representatives and U.S. authorities continues, with accusations of deception from both sides, underscoring the complex dynamics of cyber enforcement and cybercrime engagement.
2024-05-06 19:54:08 theregister DDOS Mastodon Postpones Update to Fix DDoS Issues from Link Previews
Mastodon has delayed releasing a fix for a bug that causes accidental DDoS attacks through its link preview feature. The decentralized structure of the Mastodon network contributes to multiple servers requesting data from a single site simultaneously, resembling a DDoS attack. The issue has persisted for over a year, with initial plans to address it in update version 4.3.0 now postponed to version 4.4.0. Websites impacted by this excess traffic can experience significant slowdowns or downtime, exemplified by the 504 Gateway Timeout error reported by the It's FOSS News blog. Despite the delay in resolving the DDoS problem, Mastodon faces other challenges, including varying update compliance across its servers, some of which remain vulnerable to other security issues. The progress on the upcoming version 4.4.0 is uncertain, with no clear timeline for the rollout of the planned fixes.
2024-05-06 17:06:15 theregister CYBERCRIME Consultant Faces Charges in $1.5M IT Company Extortion Attempt
A former IT consultant, Vincent Cannady, is charged with attempting to extort $1.5 million from his previous employer, a multinational IT services company. Cannady was arrested in Missouri after allegedly using a company laptop to illegally download and store confidential data, including trade secrets and server architecture, to his personal cloud storage. Following his dismissal for poor job performance in June 2023, Cannady purportedly demanded a "settlement" equaling approximately fifteen years’ worth of salary under threats of legal action and data leakage. The extortion attempts included threats to release the stolen information to media outlets and the use of this information for a potential book deal to inflict reputational damage on the company. Kyndryl, identified through court records, sought a temporary restraining order against Cannady to prevent public disclosure of the proprietary data. Negotiations broke down after the company provided a draft settlement agreement that did not exempt Cannady from future prosecution, which he refused. Charged with Hobbs Act extortion, Cannady faces up to 20 years in prison if convicted, highlighting the legal repercussions of data theft and extortion in the cybersecurity realm.
2024-05-06 14:38:31 bleepingcomputer RANSOMWARE Wichita Shuts Down IT Network After Ransomware Strike
The City of Wichita, Kansas experienced a ransomware attack that led to the shutdown of several network segments. The attack, which took place on May 5th, encrypted the city's IT systems. The city has not confirmed whether any data was stolen; however, data theft is common in similar ransomware incidents. Wichita has initiated a comprehensive review to assess the impact, including potential data compromise. Because of the attack, the city's online payment services, including water bills and court fees, are currently offline. First responder services such as police and fire departments continue operating under established business continuity plans. The ransomware group responsible has not been identified, though the incident has been reported to local and federal law enforcement for further investigation.
2024-05-06 14:02:28 thehackernews MALWARE Over 50,000 Internet-Facing Hosts Vulnerable to Tinyproxy Exploit
More than 50% of Tinyproxy hosts exposed on the internet are vulnerable to a critical flaw (CVE-2023-49606). The vulnerability, found in Tinyproxy versions 1.10.0 and 1.11.1, allows unauthenticated remote code execution through a specially crafted HTTP header. This flaw was identified by Cisco Talos with a high severity rating of 9.8 out of 10. Approximately 52,000 hosts out of 90,310 surveyed hosts use the affected Tinyproxy versions. Significant numbers of affected hosts are located in the U.S., South Korea, China, France, and Germany. Despite Talos releasing a proof of concept for the exploit, patch delays stemmed from reporting issues, as maintainers were not promptly informed. Recommendations include updating Tinyproxy as soon as patches are available and avoiding exposure of the Tinyproxy service to the public internet.
2024-05-06 13:52:02 thehackernews NATION STATE ACTIVITY China-Linked Hackers Launch ArcaneDoor Cyber Espionage Campaign
A cyber espionage campaign named ArcaneDoor targets perimeter network devices and has affected several major vendors, including Cisco. China-linked threat actors, tracked as UAT4356 or Storm-1849, are suspected of being behind the attacks, which began in July 2023 and were detected in January 2024. Custom malware, Line Runner and Line Dancer, was deployed to exploit vulnerabilities in Cisco Adaptive Security Appliances that have since been patched. The attackers' interest extends to Microsoft Exchange servers and additional network devices, indicating a broader surveillance scope. The connection to China is suspected based on SSL certificates and IP addresses linked to Chinese networks and technology companies. The attackers' infrastructure also involved anti-censorship tools, hinting at methods for circumventing Chinese internet restrictions. French cybersecurity firm Sekoia intercepted a related command-and-control server, revealing widespread infections across multiple countries. The espionage efforts are part of broader strategic intelligence activities, potentially linked to China's Belt and Road Initiative.
2024-05-06 13:41:40 theregister CYBERCRIME CISA Targets Old Bugs in New Cybersecurity Improvement Push
CISA has issued an urgent call to the software industry to address persistent directory traversal vulnerabilities, which have plagued systems for over 20 years. Recent exploitation of these vulnerabilities in critical sectors such as healthcare has prompted heightened vigilance from the agency. Directory traversal attacks allow unauthorized access to data and can lead to significant data theft and system compromise. Recent severe examples include vulnerabilities in ConnectWise's ScreenConnect and Cisco AppDynamics Controller. Of the 1,104 vulnerabilities logged in CISA's KEV catalog, only 55 are directory traversals, yet their impact on critical infrastructure is significant. CISA recommends implementing well-known mitigations such as using random identifiers for file names and restricting the characters allowed in file name input. The move is part of a broader CISA initiative to encourage 'secure-by-design' practices, including addressing software vulnerabilities from the development phase onward.