Daily Brief

2024-04-17 13:46:29 thehackernews NATION STATE ACTIVITY Russian APT Deploys 'Kapeka' in Sophisticated Eastern European Cyberattacks
Finnish cybersecurity firm WithSecure identified a new backdoor malware, Kapeka, attributed to Russia-linked APT group Sandworm. Kapeka, detected in Eastern Europe since mid-2022, is designed to allow long-term access and serve as an early-stage toolkit for cyber operators. The malware is a Windows DLL, using methods like masquerading as a Microsoft Word add-in for legitimacy, and it features strong network communication capabilities via the WinHttp 5.1 COM interface. Kapeka can execute a variety of malicious activities, including data theft, payload launching, remote access facilitation, and destructive attacks. Microsoft documented Kapeka's use in multiple ransomware distribution campaigns and noted its ability to update its command-and-control settings dynamically. The propagation method of Kapeka involves compromised websites and utilizes a legitimate binary, certutil, suggesting sophisticated exploitation of trusted tools. Kapeka's development and deployment patterns suggest its lineage with other Russian malware tools like GreyEnergy and BlackEnergy, indicating a strategic evolution in Sandworm's cyber arsenal.
2024-04-17 13:36:04 theregister CYBERCRIME Urgent Patch Required: Palo Alto Networks Zero-Day Exploited
A critical zero-day vulnerability has been identified in Palo Alto Networks’ PAN-OS, specifically affecting GlobalProtect gateways. Proof-of-concept (PoC) exploits for CVE-2024-3400 have been released by multiple cybersecurity firms, raising the prospect of mass exploitation. The vulnerability combines a directory traversal bug with a command injection flaw to allow remote code execution. Researchers demonstrated that an attacker could exploit the vulnerability by manipulating SESSID cookies to execute arbitrary commands with root privileges. Palo Alto Networks issued hotfixes shortly after the vulnerability was disclosed; however, the initial mitigation recommendations (such as disabling telemetry) are no longer considered effective. Immediate patch application is recommended because exploit code is public and attacks are expected to increase, with around 156,000 GlobalProtect appliances exposed daily. U.S. federal agencies have been directed by the Cybersecurity and Infrastructure Security Agency (CISA) to secure their systems by April 19.
2024-04-17 13:05:21 bleepingcomputer MALWARE Multiple Botnets Target TP-Link Routers with Old Flaw
Multiple botnets are exploiting CVE-2023-1389, a high-severity command injection vulnerability in TP-Link Archer AX21 routers. Despite a firmware update released in March 2023, many users have not updated, leaving their routers susceptible to attack. The vulnerability allows unauthenticated remote command execution via the router’s web management interface. Fortinet's data shows that daily attempts to exploit this flaw often exceed 40,000, with peaks around 50,000. At least six different botnet operations are actively exploiting it, including three Mirai variants and the “Condi” botnet. Attackers use the vulnerability to take control of affected routers for malicious activities, including DDoS attacks. Users are urged to update their firmware, change default admin passwords, and disable unnecessary access to the web admin panel.
2024-04-17 12:08:59 bleepingcomputer MISCELLANEOUS UK Launches E-Visa to Replace Physical Immigration Documents
The UK has started issuing e-visas today to replace physical immigration documents like Biometric Residence Permits (BRPs) and Cards (BRCs). Millions of current BRP and BRC holders are being invited via email to set up a UK Visas and Immigration (UKVI) account, which will digitally confirm their legal immigration status. The Home Office plans to open this e-visa process to all BRP holders by summer 2024, aiming to enhance border security and reduce document fraud and abuse. E-visas are designed to be more secure; they cannot be lost, stolen, or tampered with, and allow real-time access from anywhere. The transition to e-visas aligns with international trends toward digitizing immigration systems and is set to replace most physical documents by the end of 2024. While the system boasts substantial benefits, the reliance on continuous internet connectivity raises concerns about verification during IT outages at borders or airports. Extensive contingency measures are reportedly in place to prevent global outages and provide alternative verification methods if needed. Despite the digital shift, the UK government advises travelers to keep their physical documents until they expire. Updates and additional information are available on the official government website.
2024-04-17 11:12:49 thehackernews CYBERCRIME Generative AI in SaaS: Security Risks and Management Challenges
The rapid integration of Generative AI (GenAI) in SaaS is transforming productivity but also heightens cybersecurity risks. Key SaaS players like Microsoft and Salesforce have launched GenAI products like 365 Copilot and Einstein GPT, demonstrating prevalent adoption. GenAI tools can expose sensitive corporate data, intellectual property, and personally identifiable information, expanding organizations' attack surfaces. Recent restrictions include a ban by U.S. Congress on Microsoft's Copilot in government PCs and a proactive ban in the banking sector, reflecting high concern over privacy and security. Over a quarter of surveyed organizations have prohibited GenAI tools due to fears of inadequate privacy protection and compliance challenges. The lack of clear policies and oversight on GenAI use at workplaces has escalated risks, with many employees using unapproved applications. The U.S. administration is pushing for better governance in AI usage by mandating federal agencies to appoint Chief AI Officers. To manage these risks, organizations might need to adopt advanced security frameworks like zero-trust and SaaS Security Posture Management (SSPM) systems.
2024-04-17 11:02:24 thehackernews MALWARE Critical Atlassian Flaw Enables Cerber Ransomware Deployment
Threat actors exploit unpatched Atlassian servers using CVE-2023-22518 to install Cerber ransomware on vulnerable systems. CVE-2023-22518 is a critical vulnerability in Atlassian Confluence allowing unauthenticated users to reset the system and create admin accounts. Attackers install the Effluence web shell via the admin account for remote command execution and download the Cerber ransomware. Cerber, written in C++, encrypts files with a .L0CK3D extension and drops a ransom note, but does not exfiltrate data. The ransomware primarily affects files accessible to the 'confluence' user, often limiting the damage due to typical data backup configurations. Recent trends show an increase in ransomware families and the customization of malware using leaked source codes from major ransomware like LockBit. Kaspersky highlights the ease of creating potent ransomware variants using leaked builder files and the necessity for robust security measures. Atlassian's shift to cloud solutions is also noted, emphasizing the need for comprehensive backup and security strategies in cloud environments.
2024-04-17 10:26:27 thehackernews CYBERCRIME Hackers Target Media Company Using Fortinet Device Flaw
Cybersecurity researchers have identified a campaign exploiting a critical Fortinet FortiClient EMS vulnerability, designated CVE-2023-48788, to deliver malicious payloads. The threat actors attempted to install ScreenConnect and execute Metasploit's Powerfun script, which provides reverse shell capabilities. Exploitation began after a proof-of-concept (PoC) was made public on March 21, 2024, at which point the targeted media company's vulnerable system was exposed to the internet. The attackers were persistent in their methodology, manually attempting various techniques to download and install the malware. The campaign, dubbed Connect:fun by Forescout, is linked to similar tactics and infrastructure observed in other incidents reported by Palo Alto Networks Unit 42 and Blumira. The actors selectively targeted environments with VPN appliances, indicating deliberate selection rather than mass scanning. Recommended mitigation measures include applying Fortinet's patches, monitoring for unusual network traffic, and deploying a web application firewall (WAF) to blunt potential attacks.
2024-04-17 10:21:05 theregister CYBERCRIME OpenAI's GPT-4 Demonstrates High Success in Autonomous Exploitation
OpenAI’s GPT-4 large language model (LLM) can exploit real-world vulnerabilities effectively when reading CVE advisories. A study by University of Illinois Urbana-Champaign researchers highlighted GPT-4's ability to autonomously execute attacks with an 87% success rate, surpassing other models and tools. GPT-4 performed notably better than previous versions and alternative LLMs, which all recorded a 0% success rate in similar tests. The high success rate was based on exploiting a selection of 15 known vulnerabilities, termed one-day vulnerabilities, which are disclosed but unpatched. Terminating access to CVE descriptions reduced the LLM's exploitation success dramatically from 87% to 7%. The cost of each LLM agent-led exploit was estimated to be significantly lower than hiring a human penetration tester. The study points toward a potential future where advanced LLMs might enhance cyber threats, outpacing traditional defenses and accessible hacker tools. The researchers argue against using security through obscurity, advocating for more proactive security measures.
2024-04-17 08:44:11 thehackernews CYBERCRIME Cisco Reports Global Increase in VPN and SSH Brute-Force Attacks
Cisco has issued a warning about a significant upsurge in brute-force attacks targeting VPN and SSH services globally since March 18, 2024. The attackers are using TOR exit nodes and various anonymizing services such as VPN Gate, IPIDEA Proxy, and others to conceal their IP addresses. These attacks aim to gain unauthorized access to networks, cause account lockouts, or induce denial-of-service conditions. The threat is widespread, with attackers using both generic and organization-specific usernames, targeting a broad spectrum of sectors and regions. Cisco has observed similar password spray tactics aimed at reconnaissance efforts against remote access VPN services. In related news, security vulnerabilities in IoT devices, specifically the TP-Link Archer AX21 router, have been exploited to deploy DDoS botnets. Users are advised to remain vigilant, promptly update and patch their systems to protect against ongoing botnet threats.
2024-04-17 05:50:53 bleepingcomputer MISCELLANEOUS UK Initiates Migration from Physical to Digital Immigration Documents
The UK Home Office has commenced the distribution of e-visa invitations to millions of residents with existing physical immigration credentials such as Biometric Residence Permits (BRPs) and Biometric Residence Cards (BRCs). E-visas are designed to modernize and secure the UK border by minimizing the risks associated with physical document loss, theft, and fraud. The transition to digital proofs of immigration status facilitates real-time, secure verification processes for both public and private sector needs. Holders of e-visas can manage their details online, enhancing the convenience and accuracy of data communication with the Home Office. The digital shift aligns with global trends towards electronic immigration processes and is expected to provide significant cost savings. Despite the advantages, the dependence on continuous internet access for verification poses potential challenges during IT system outages. The broader implementation will fully open to all BRP holders by summer 2024, with an eventual phase-out of most physical documents by the end of that year. Travelers are advised to continue carrying their physical documents until their expiration, despite having an e-visa, particularly for international travel.
2024-04-17 05:45:36 theregister DATA BREACH Japan Rejects Yahoo!'s Security Plan After Data Leak
Japan's government has disapproved of Yahoo!'s proposed security improvements following a data leak incident. The LINE messaging app, owned by Yahoo! through its subsidiary LY Corporation, experienced security failures, allowing unauthorized access to user messages and leaking customer data. The issues stem from intertwined technology stacks following Yahoo! Japan's acquisition of LINE from NAVER in 2021. The Ministry of Internal Affairs and Communications has demanded that Yahoo! Japan separate these technology stacks and enhance user privacy protections. The government's order included accelerating improvements in information security practices and management of subcontractors to rectify the existing vulnerabilities. Yahoo!’s initial response plan was deemed inadequate by the authorities, suggesting a lack of a solid security governance framework across the corporate group. This aggressive regulatory approach by the Japanese government highlights its commitment to holding tech companies accountable for security lapses.
2024-04-17 00:10:07 theregister DATA BREACH Cisco Alerts on Duo MFA Data Incident and Global VPN Attacks
Cisco notified customers of a phishing attack on a Duo telephony partner, resulting in unauthorized access to message logs for its MFA service. The breach, affecting around 1% of Duo's 100,000 global customers, involved stolen employee credentials but did not compromise message content. Affected logs contained phone numbers, geographical data, and metadata, but no messages were sent using the accessed data. In addition to the data breach, Cisco’s Talos team reported a spike in global brute-force attacks targeting VPNs and web authentication interfaces from various providers including Cisco, Fortinet, and SonicWall. These brute-force attacks, originating from TOR exit nodes and other anonymizing services, targeted a broad spectrum of industries and regions without clear attribution or successful breaches reported. Cisco has responded by issuing security advisories and recommending mitigation steps to protect against further incidents. The company remains in active investigation and communication with affected customers, reinforcing security measures and awareness training following the incident.
2024-04-16 23:03:59 bleepingcomputer CYBERCRIME Criminals Texting T-Mobile and Verizon Workers for Illegal SIM Swaps
Criminals are sending text messages to T-Mobile and Verizon employees, offering $300 for illegal SIM swaps. The messages are being sent to both personal and professional phones and claim to source contact details from employee directories. Both current and former employees of mobile carriers are being targeted to exploit their access to necessary systems for SIM swapping. Attackers are also directing potential collaborators to discuss details on Telegram, indicating an organized approach. T-Mobile has confirmed the receipt of these solicitation messages but has denied that these signify a new data breach. The scale of SIM swap fraud is increasing, prompting the FBI and the FCC to take measures, including enhancing security protocols and implementing new industry regulations. SIM swap attacks lead to unauthorized access to personal and financial information, resulting in substantial financial losses and emotional distress for victims.
2024-04-16 21:42:10 bleepingcomputer DATA BREACH Cerebral Settles for $7M Over Health Data Exposure Incident
Cerebral, a telehealth company, will pay $7 million in a settlement concerning improper handling of sensitive health data of over 3.2 million users. The FTC charged Cerebral with disclosing personal health information to third-party advertisers including platforms like LinkedIn, Snapchat, and TikTok. The complaint highlighted the use of tracking pixels on Cerebral’s platforms that collected and transmitted user data to third parties primarily for advertising purposes. Allegations also include Cerebral’s failure to adhere to proper access controls for both current and former employees, risking further data exposure. Additionally, FTC criticized the company's insecure single sign-on method for accessing their patient portal. The settlement is pending court approval; Cerebral's former CEO Kyle Robertson has not yet agreed to the settlement terms and will face court decisions on his involvement. The incident underscores the ongoing issues surrounding data privacy and security in the telehealth services sector.
2024-04-16 20:36:01 theregister CYBERCRIME MGM Resorts Challenges FTC Probe After Costly Ransomware Attack
MGM Resorts has filed a lawsuit against the FTC and its chair to halt an ongoing investigation into the severe ransomware attack it suffered in September 2023. The company claims that the presence of FTC Chair Lina Khan at one of its properties during the cyberattack might compromise the fairness of the investigation. The ransomware incident caused significant operational disruption and financial losses estimated at over $100 million for MGM. Scattered Spider, a known criminal gang, took credit for the attack, which was facilitated by deceiving MGM's IT helpdesk. Following the incident, MGM had to shut down critical IT systems, affecting its service operations, including guest check-in. The FTC launched a comprehensive investigation after the attack, requesting extensive information from MGM, which the company suggests stems from Khan's personal experience during her stay. MGM now faces multiple consumer class action lawsuits, partly spurred by the increased publicity from Khan's presence and the subsequent FTC actions. MGM requested that Khan be recused from the probe because of a potential conflict of interest, which the FTC has denied.