Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11813

Checks for new stories every ~15 minutes

2024-05-02 21:00:01 theregister CYBERCRIME Florida Man Sentenced for Selling Fake Cisco Gear to Military
Miami resident Onur Aksoy was sentenced to six and a half years in prison for trafficking counterfeit Cisco equipment, some of which was sold to the US military. Aksoy’s operation, which lasted from 2014 to 2022, involved creating fake Cisco devices using lower-end hardware and pirated software, costing hundreds of millions in revenue. He managed 19 companies and maintained 25 online sales accounts on platforms such as Amazon and eBay, specifically designed to distribute counterfeit networking equipment widely. The counterfeit goods jeopardized the safety and functionality of U.S. military applications, including those used in combat and flight simulations. Customs intercepted 180 shipments, but many slipped through due to the high volume and use of fake addresses. The financial impact included $100 million earned from eBay sales alone, with substantial personal gains prompting multiple cease and desist notices from Cisco. Aksoy was arrested in 2022 after a raid on his warehouse, and he pleaded guilty to multiple charges, including mail and wire fraud. The case emphasizes the risks and consequences associated with trafficking counterfeit goods within critical supply chains.
2024-05-02 20:34:09 theregister MALWARE Urgent Security Alert: Patch Critical Vulnerabilities in ArubaOS
HPE Aruba Networking has disclosed 10 vulnerabilities in ArubaOS, urging network admins to patch immediately. Four of these vulnerabilities are classified as critical with a severity rating of 9.8, due to their potential for allowing remote code execution. Critical vulnerabilities stem from buffer overflow issues in various components of ArubaOS, potentially compromising wireless solutions. Vulnerable devices include Aruba Mobility Conductors, Mobility Controllers, and various gateways managed by Aruba Central. Patches are required for versions of ArubaOS from 10.5.1.0 and earlier, across multiple service generations, including unsupported versions. Exploitation could be conducted by sending specially crafted packets via Aruba's PAPI UDP port (8211). Six additional medium-severity vulnerabilities were identified, with suggested mitigations including enabling the PAPI Security feature with a non-default key. Immediate patch application and temporary workarounds are advised to prevent potential security breaches.
2024-05-02 20:23:39 bleepingcomputer MISCELLANEOUS Bitwarden Releases Free MFA Authenticator App for Mobile
Bitwarden has introduced a new multi-factor authentication app, Bitwarden Authenticator, available for free on both iOS and Android platforms. The app utilizes time-based one-time passwords (TOTPs) to enhance security for users by adding an additional authentication layer. Unlike its premium in-app TOTP feature, the Bitwarden Authenticator is accessible to all users, including non-subscribers, and operates as a standalone application. The initial release of the app integrates basic TOTP generation and biometric options for security, with plans for future enhancements including push-based 2FA and account recovery. Bitwarden's roadmap for the app also includes features like Bitwarden account syncing and enterprise-grade authentication to cater to workforce needs. Currently, the app supports essential functions and uses the operating system's own services for backups; exporting capabilities are also provided. As an open-source project, Bitwarden makes the app’s code publicly available on GitHub for both iOS and Android versions.
2024-05-02 19:42:42 bleepingcomputer CYBERCRIME CISA and FBI Warn Against Persistent Directory Traversal Flaws
CISA and the FBI have issued a warning to software developers to address path traversal vulnerabilities in their products before release. Path traversal can allow attackers to manipulate or access critical system files, potentially leading to unauthorized code execution or data breaches. These vulnerabilities are a concern in critical infrastructure, especially demonstrated by recent exploits in the healthcare sector. The alert highlights the continued prevalence of directory traversal flaws, referenced as 'unforgivable' since 2007 yet still common. Examples given include recent ransomware campaigns that exploited such vulnerabilities to deploy malicious payloads. The federal agencies recommend implementing known effective mitigations to prevent exploitation of these security flaws. Directory traversal vulnerabilities ranked eighth in MITRE’s list of top 25 most dangerous software weaknesses.
2024-05-02 18:26:03 bleepingcomputer CYBERCRIME International Police Operation Dismantles Fraud Call Centre Network
International law enforcement collaboration led to the shutdown of 12 call centers across Albania, Bosnia and Herzegovina, Kosovo, and Lebanon that were involved in extensive phone fraud operations. The operation, supported by Europol and initiated in December 2023, resulted in 21 arrests and the identification of 39 suspects, targeting centers that made thousands of scam calls daily. Law enforcement confiscated valuable evidence including data carriers, documents, and cash, totaling approximately €1 million. Comprehensive interception and monitoring by German police captured over 1.3 million conversations, blocked 80% of targeted financial fraud attempts, and prevented potential losses of more than €10 million. Scammers employed diverse deceptive strategies such as fake police alerts, investment fraud, romance scams, and other manipulation tactics to defraud victims. This crackdown is part of ongoing efforts against cybercrime networks engaged in "pig butchering" cryptocurrency scams and other investment frauds, which have previously dismantled operations that caused massive financial losses across multiple countries. The critical electronic evidence obtained is expected to facilitate further identification of fraudulent operations and the perpetrators involved.
2024-05-02 16:03:02 bleepingcomputer MALWARE Microsoft Identifies Dirty Stream Attack on Android Apps
Microsoft has discovered a new attack vector in Android apps named "Dirty Stream" that can allow overwriting of files, potentially leading to arbitrary code execution and data theft. The vulnerability stems from the mishandling of Android's content provider system, intended to facilitate secure data sharing between apps through isolation and permissions. Incorrect implementations, such as unvalidated filenames in intents and misuse of the FileProvider component, enable the attack, turning standard OS functions into security risks. Malicious apps can exploit this flaw by sending manipulated filenames or paths to targeted apps, thereby executing or storing malicious files. Microsoft's research indicates significant impact, with vulnerable apps accounting for over four billion installations worldwide. High-profile apps like Xiaomi's File Manager and WPS Office were mentioned as susceptible but have since worked closely with Microsoft to deploy security patches. The findings and recommendations have been shared with the Android developer community and incorporated into updated Google app security guidelines to enhance protection in future releases. Users are advised to keep their applications updated and avoid downloads from unofficial sources to mitigate potential threats.
2024-05-02 14:46:17 bleepingcomputer CYBERCRIME REvil Hacker Sentenced to 13 Years for Global Ransomware Attacks
Yaroslav Vasinskyi, a Ukrainian national, was sentenced to 13 years and seven months for participating in the REvil ransomware attacks. Vasinskyi was required to pay $16 million in restitution and was involved in over 2,500 ransomware incidents demanding over $700 million in ransoms. He was arrested in October 2021 while attempting to cross into Poland and faced charges including conspiracy to commit fraud and money laundering. His criminal activities included leveraging a zero-day vulnerability in Kaseya VSA software, impacting over 1,500 global companies. REvil, which Vasinskyi was affiliated with, was one of the most notorious ransomware operations, culminating in a significant attack on Kaseya in 2021. Following his extradition to the U.S. in March 2022, Vasinskyi pled guilty to an 11-count indictment, though he faced a maximum of 115 years. REvil was forcibly shut down in October 2021 after law enforcement in Russia heightened actions against the group, leading to several arrests.
2024-05-02 14:30:35 thehackernews CYBERCRIME Popular Android Apps Vulnerable to File Overwrite Exploit
Several widely-used Android applications have been found vulnerable to a path traversal flaw, allowing file overwriting in the app's home directory. The vulnerability could enable malicious apps to execute arbitrary code or steal authentication tokens, potentially leading to unauthorized access to the victim's online accounts. Affected apps include prominent names like Xiaomi and WPS Office, which have since addressed the issue after Microsoft's report in February 2024. The flaw exploits Android's content provider mechanism, which lacks proper validation of filenames and file content during inter-app data exchange. This vulnerability makes it possible for a rogue app to overwrite critical files within another app's data space, compromising security and privacy. Microsoft's Threat Intelligence team highlighted the ongoing issue and noted that this could be widespread among other apps that don't properly validate or sanitize file inputs. Google has issued guidelines instructing developers on secure file handling practices to mitigate such risks. This discovery underscores the continuous need for developers to enhance security measures in app design and implementation.
2024-05-02 14:20:03 theregister CYBERCRIME Urgent Federal Directive to Address GitLab Security Flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies patch a critical GitLab vulnerability, CVE-2023-7028, which is under active exploitation. This flaw in both the Community and Enterprise editions of GitLab allows zero-click account takeovers due to improper access control. Initially disclosed by GitLab in January with a severity rating of 10, its active exploitation was confirmed by its addition to CISA's Known Exploited Vulnerabilities (KEV) list. Agencies typically have a 21-day window to apply security patches once a vulnerability is listed in the KEV. The security gap, introduced in May 2023 by an update that altered email verification in password resets, has the potential to enable widespread software supply chain attacks. Environments that have enabled two-factor authentication (2FA) on GitLab are not affected by this vulnerability. After the vulnerability's disclosure, the number of vulnerable GitLab instances fell significantly, from 4,652 to 2,149, particularly in Europe and Asia.
2024-05-02 12:37:31 thehackernews CYBERCRIME Ukrainian Hacker of REvil Group Sentenced to 13 Years in U.S.
A Ukrainian national, Yaroslav Vasinskyi, received over 13 years of imprisonment and an order to pay $16 million for ransomware attacks. Vasinskyi, associated with the REvil ransomware group, conducted over 2,500 ransomware attacks, demanding ransoms totaling more than $700 million. He was extradited to the U.S. after being arrested in Poland in October 2021, and pleaded guilty to multiple federal charges including conspiracy to commit fraud. REvil, a notorious cybercrime gang, has been linked to high-profile cases like JBS and Kaseya, and went offline in late 2021. The U.S. Justice Department also secured a forfeiture of approximately $6.1 million in USD and almost 40 Bitcoins linked to the ransomware activities. Additionally, the U.S. Treasury sanctioned Vasinskyi and another Russian national in November 2021, emphasizing efforts to combat cybersecurity threats and ransomware. The sentencings and prosecutions of such criminals underline ongoing international cooperation and a robust approach by U.S. authorities to curtail cybercrime operations.
2024-05-02 10:35:06 thehackernews MISCELLANEOUS Enhancing Cybersecurity with Multiple Vulnerability Scanners
Vulnerability scanners use databases of known weaknesses; however, given the proliferation of vulnerabilities—approximately 30,000 yearly—no single scanner covers all potential vulnerabilities effectively. Competitive analysis between different scanners such as Tenable’s Nessus and OpenVAS reveals significant gaps in their detection capabilities, highlighting disparities in the range of vulnerabilities each scanner detects. The practice of utilizing multiple scanning engines can offer more comprehensive coverage and a better understanding of an organization’s attack surface, thus reducing security risks. Intruder incorporates multiple scanning engines in one platform, including the addition of Nuclei, to provide a broad and deep coverage without the prohibitive costs typically associated with operating several scanners. Nuclei, an open-source scanning engine, is notable for its rapid development and deployment of checks for new vulnerabilities, thus enhancing the capability to protect against newly discovered threats. Intruder's integration of Nuclei supports a more robust vulnerability management strategy by increasing detection capabilities and securing more aspects of an organization's digital infrastructure against potential exploits.
2024-05-02 10:29:46 thehackernews DATA BREACH Dropbox Sign Compromised, Exposing User Data to Unauthorized Access
Dropbox disclosed a breach in its Dropbox Sign service, originally acquired as HelloSign, affecting all users. Unidentified attackers accessed user data, including emails, usernames, phone numbers, and certain account settings. The breach extended to third parties who had interacted with Dropbox Sign documents without holding accounts, exposing their names and emails. No indications were found that the attackers accessed the content of user agreements, templates, or payment information; the breach was limited to Dropbox Sign infrastructure. The attackers compromised an automated system tool and used a service account to reach the customer database. Dropbox is contacting affected users with protection steps, has reset passwords, and is rotating API keys and OAuth tokens. Dropbox is collaborating with law enforcement and regulatory bodies, and an investigation is ongoing to assess the full impact. This incident marks the second significant security compromise Dropbox has faced in under two years.
2024-05-02 10:14:03 thehackernews MALWARE New "Goldoon" Botnet Exploits Old Flaw in D-Link Routers
A novel botnet named Goldoon is actively exploiting CVE-2015-2051, a critical vulnerability in D-Link DIR-645 routers, allowing remote command execution. The exploitation process starts by retrieving a dropper script from a remote server that downloads further payloads tailored for various Linux system architectures. After initial infection, Goldoon malware sets up persistence on compromised devices and establishes communication with a command-and-control (C2) server. Attack capabilities include launching distributed denial-of-service (DDoS) attacks using an array of 27 different flooding methods across multiple protocols. The malware attempts to conceal its presence by deleting the dropper script post-execution and using humorous denial messages to deter direct examination of the server endpoint. Trend Micro highlights the increasing trend of using compromised routers as proxies by cybercriminals and nation-state actors to anonymize their activities. The U.S. government's recent actions against the MooBot botnet illustrate ongoing efforts to combat similar malicious infrastructure exploiting internet-facing devices.
2024-05-02 07:03:41 theregister NATION STATE ACTIVITY China's Tech Influence Extends Beyond Propaganda, Aims for Data Dominance
The Australian Strategic Policy Institute (ASPI) report highlights Chinese tech companies' integral role in Beijing's global propaganda strategy. Chinese apps, games, and online platforms are used to harvest user data to monitor global public opinion and societal trends. Investments in globally operating Chinese firms allow Beijing access to vital data under China's unique storage laws, influencing consumer and societal understanding. ASPI argues that technology like generative AI and immersive tech (AR, VR) is being developed to shape and control global narratives and public perception. Limiting platforms like TikTok is insufficient; the broader impact of China's technological advancements needs comprehensive policy consideration. Recommendations include scrutinizing digital supply chains in tech procurement and reclassifying certain tech as surveillance goods. Standardization of data storage practices globally could limit authoritarian data misuse, according to ASPI. Contrasting views from other think tanks suggest inefficiencies may undermine Beijing's ability to manage such a vast control system internationally.
2024-05-02 06:37:48 theregister CYBERCRIME Ukrainian Hacker Sentenced, Fined $16M for Global Ransomware Crimes
Yaroslav Vasinskyi, a 24-year-old Ukrainian national, has been sentenced to nearly 14 years in prison for his involvement in the REvil ransomware attacks. Vasinskyi and his associates conducted over 2,500 ransomware attacks, extorting over $700 million from organizations and individuals globally. He was arrested in 2021 near the Poland-Ukraine border and extradited to the U.S., where he pleaded guilty to an 11-count indictment, including fraud and money laundering conspiracies. A U.S. court has ordered Vasinskyi to pay more than $16 million in restitution, reflecting part of the damages caused by his cybercriminal activities. The Justice Department successfully recovered millions in ransom payments, including significant amounts of Bitcoin and cash, traced back to Vasinskyi and other REvil members. REvil, known for its double-extortion tactics, stole sensitive data before encrypting victims' files and threatened to leak the data if ransoms were not paid. The arrest and sentencing showcase the extent of US and international law enforcement collaboration to combat global cybercrime and bring perpetrators to justice.