Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 11813

Checks for new stories every ~15 minutes

2024-04-16 19:55:04 bleepingcomputer MALWARE Ivanti Patches Critical Flaws in Mobile Device Management System
Ivanti has fixed 27 vulnerabilities in its Avalanche mobile device management (MDM) product, two of them rated critical. The critical flaws are heap overflows that allow remote command execution with no user interaction. The remaining 25, rated medium to high, cover denial-of-service conditions and unauthorized access to sensitive information. All were reported through Ivanti's responsible disclosure program, and there are no known exploitation attempts prior to public disclosure. The fixes ship in Avalanche 6.4.3, and Ivanti urges customers to update immediately. Ivanti products have repeatedly drawn attacker attention, including earlier exploits used by state-sponsored groups against Norwegian government systems, and CISA has previously warned that MDM systems are attractive targets because of the broad access they provide to managed mobile devices.
2024-04-16 18:38:32 bleepingcomputer NATION STATE ACTIVITY State-Sponsored Group Exploits Palo Alto Firewall Vulnerability
CVE-2024-3400, a critical vulnerability in Palo Alto Networks' PAN-OS, allows unauthenticated command injection. Exploit code and a proof of concept are now public, following active exploitation by the state-sponsored group tracked as UTA0218. Of the more than 156,000 PAN-OS firewall instances observed exposed online each day, more than 82,000 have been identified as vulnerable. UTA0218 has exploited the flaw since March 26 to install backdoors, pivot into internal networks, and exfiltrate data. The vulnerability affects multiple PAN-OS versions when device telemetry and the GlobalProtect gateway or portal are enabled. Palo Alto Networks has begun releasing hotfixes, and CISA requires U.S. federal agencies to patch by April 19. Customers with an active Threat Prevention subscription can block exploitation attempts with Threat ID 95187.
2024-04-16 16:35:56 theregister CYBERCRIME Man Faces Charges for $3.5M Cryptojacking Scheme Using Cloud Providers
Charles O. Parks III is charged with defrauding cloud service providers of more than $3.5 million in computing resources to mine cryptocurrency worth nearly $1 million. Parks allegedly used the infrastructure of two major cloud firms based in Seattle and Redmond to mine Ethereum, Litecoin, and Monero. He is said to have opened multiple accounts under different identities, connecting through a VPN, and persuaded the providers to raise his resource quotas, then left the resulting bills unpaid, accruing roughly $3.55 million in charges across the accounts. He reportedly laundered the mined coins through wallets, exchanges, and NFT marketplaces, converting them to fiat currency to fund luxury purchases, and structured transactions to evade IRS reporting requirements. Federal authorities describe the case as an example of increasingly sophisticated cryptojacking against cloud platforms. Parks has been arrested and faces up to 20 years in prison on wire fraud and money laundering charges.
2024-04-16 16:15:12 bleepingcomputer CYBERCRIME Cisco Reports Large-Scale Brute-Force Attacks on Global VPNs
Cisco has warned of a large-scale brute-force campaign against VPN and SSH services on devices from several vendors, including Cisco itself, Check Point, Fortinet, SonicWall, and Ubiquiti. The attackers try a mix of generic usernames and valid usernames belonging to specific organizations in order to guess working credentials, then use them to gain unauthorized access to devices and networks. The campaign began on March 18, 2024, and the login attempts originate from TOR exit nodes and a range of other anonymizing tunnels and proxies, which makes blocking by source address difficult. Cisco Talos notes that the attacks, whose success rate is rising, can lead to unauthorized network access, account lockouts, or denial-of-service conditions. No particular industry or region is disproportionately targeted, suggesting opportunistic rather than targeted activity. Cisco has published indicators of compromise on GitHub, including the source IP addresses and the usernames and passwords used. A link to the earlier 'Brutus' botnet, which also ran credential attacks against VPN services, is suspected but has not been confirmed by Cisco.
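Detection logic for the pattern described above, written as an added example (it is not Cisco's or Talos's code). It parses sshd-style authentication lines, flags source addresses that rack up failures across many usernames or succeed after repeated failures, and cross-checks them against an IOC list. The log lines, host names, addresses and the IOC set are all constructed for the demonstration; the real indicators are in the GitHub repository the article mentions.

```python
"""Flag brute-force and password-spraying activity in SSH/VPN auth logs.

Added example, not from the Cisco Talos advisory. The sample log and the
IOC list are constructed; substitute the published indicators (and a TOR
exit-node list, handled the same way) in practice.
"""
import re
from collections import defaultdict

# Constructed sshd-style lines. 203.0.113.10 sprays several usernames and
# finally succeeds; 198.51.100.7 is a normal user mistyping once.
SAMPLE_LOG = """\
Mar 18 10:01:02 vpn1 sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51112 ssh2
Mar 18 10:01:04 vpn1 sshd[1002]: Failed password for invalid user test from 203.0.113.10 port 51113 ssh2
Mar 18 10:01:05 vpn1 sshd[1003]: Failed password for root from 203.0.113.10 port 51114 ssh2
Mar 18 10:01:07 vpn1 sshd[1004]: Failed password for invalid user cisco from 203.0.113.10 port 51115 ssh2
Mar 18 10:01:09 vpn1 sshd[1005]: Failed password for jsmith from 203.0.113.10 port 51116 ssh2
Mar 18 10:01:10 vpn1 sshd[1006]: Accepted password for jsmith from 203.0.113.10 port 51117 ssh2
Mar 18 10:02:11 vpn1 sshd[1007]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 18 10:02:30 vpn1 sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Constructed stand-in for the published attacker IP list.
IOC_IPS = {"203.0.113.10"}

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(log_text):
    """Yield (result, username, source_ip) for every recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyse(log_text, ioc_ips=IOC_IPS, fail_threshold=4, user_threshold=3):
    """Return {source_ip: [reasons]} for addresses worth investigating."""
    fails = defaultdict(int)        # failed attempts per source
    users = defaultdict(set)        # distinct usernames tried per source
    success_after_fail = set()      # sources that logged in after >= 2 failures
    for result, user, ip in parse_auth_log(log_text):
        if result == "Failed":
            fails[ip] += 1
            users[ip].add(user)
        elif fails[ip] >= 2:
            success_after_fail.add(ip)

    findings = {}
    for ip in set(fails) | success_after_fail:
        reasons = []
        if fails[ip] >= fail_threshold:
            reasons.append("many failures")
        if len(users[ip]) >= user_threshold:
            reasons.append("username spraying")
        if ip in success_after_fail:
            reasons.append("success after failures")
        if ip in ioc_ips:
            reasons.append("known IOC")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The thresholds are deliberately low for the sample; on a real VPN concentrator, tune them per source and per time window, and treat "success after failures" as the highest-priority alert because it indicates a credential that actually worked.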
2024-04-16 15:34:23 theregister CYBERCRIME T-Mobile and Verizon Targeted in SIM Swap Scam Attempts
T-Mobile and Verizon employees have received text messages offering cash in exchange for performing illegal SIM swaps. The messages, which offered $300 per swap and gave a Telegram contact, are a social engineering attempt to get telecom staff to move victims' phone numbers onto attacker-controlled SIMs. With control of a victim's number, criminals can intercept SMS-based multi-factor authentication codes and take over accounts. T-Mobile says it has found no recent breach of its systems and suggests earlier breaches as a possible source of the employee contact data. Employees who take part in such swaps face serious consequences. How the Verizon employee information was obtained is still unclear, and investigations are ongoing.
2024-04-16 15:18:48 thehackernews NATION STATE ACTIVITY Attempted OpenJS Foundation Takeover Through Social Engineering
A targeted social engineering campaign attempted to gain control of key JavaScript projects hosted by the OpenJS Foundation. Using fake personas and email addresses tied to GitHub accounts, the attackers requested that the projects be updated to address unspecified critical vulnerabilities and pushed for themselves to be appointed as maintainers. The tactics mirror those used in the XZ Utils compromise, which put widely used open-source software at risk of a backdoor. OpenJS granted the attackers no privileged access, so no code was compromised. The incident underlines the continued targeting of the open-source ecosystem and the need for rigorous maintainer and review practices. CISA stresses that technology manufacturers share responsibility for the security of the open-source components they consume and contribute to. The attackers' approach, which relies on creating pressure and self-doubt among maintainers over an extended period, indicates a patient and well-prepared adversary.
2024-04-16 15:02:47 bleepingcomputer MALWARE Vulnerability in PuTTY Allows Extraction of SSH Private Keys
CVE-2024-31497 affects PuTTY versions 0.68 through 0.80 and allows recovery of a user's private key from ECDSA signatures. An attacker who obtains about 60 signatures made with a vulnerable PuTTY can compute the corresponding SSH private key and then log in to servers as that user or forge signatures in their name. The flaw is in nonce generation for ECDSA on the NIST P-521 curve: PuTTY derived the nonce deterministically from a SHA-512 digest, but the curve order is 521 bits, so the 512-bit digest leaves the top nine bits of every nonce zero, a bias that lattice techniques can exploit. The attacker does not need to compromise a server first; signatures can be harvested from publicly visible signed Git commits. PuTTY 0.81 fixes the issue by adopting RFC 6979 for DSA and ECDSA signature nonces. Users of affected versions should upgrade and, because any P-521 key ever used with a vulnerable version may already be recoverable, revoke and regenerate those keys. Because the flaw is in PuTTY's code rather than its user interface, every tool that bundles that code is affected and must be checked and updated as well.
2024-04-16 14:26:49 bleepingcomputer CYBERCRIME Ransomware Attack Costs UnitedHealth $872 Million in Q1 Losses
UnitedHealth Group reported an $872 million hit to its Q1 earnings from the ransomware attack on its Change Healthcare unit, an attack that significantly disrupted the U.S. healthcare system. Direct response costs were $593 million, with a further $279 million attributed to business disruption. The attack is attributed to the BlackCat/ALPHV ransomware group, which claimed to have stolen 6 TB of data as part of a double-extortion scheme; a $22 million ransom payment has been reported. UnitedHealth estimates the full-year impact at between $1.15 and $1.35 per share and has set aside an additional $800 million reserve for claims whose receipt timing is uncertain. Operating cash flow in Q1 2024 was reduced by roughly $3 billion due to the response and to accelerated funding for care providers. Despite this, Q1 revenue grew by almost $8 billion year over year to $99.8 billion. The U.S. Department of Health and Human Services has opened an investigation into the possible theft of protected health information.
2024-04-16 14:11:16 theregister NATION STATE ACTIVITY Ongoing Social Engineering Attacks Target Open Source Maintainers
Open-source communities are facing sophisticated social engineering attacks aimed at inserting backdoors, similar to the recent attempt on the XZ Utils compression library. The OpenJS Foundation and the Open Source Security Foundation (OpenSSF) have identified suspicious activity around maintainers of several popular projects. The attackers claim the projects contain vulnerabilities, never supply details, and press to be made maintainers so they can "fix" them, with the real aim of introducing malicious code. Similar approaches were seen against JavaScript projects not hosted by OpenJS; these were flagged to the projects' leaders and to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Maintainers are advised to be wary of unfamiliar community members who aggressively seek elevated access or who vouch for one another with misleading endorsements. Typical warning signs include persistent contact, departure from the project's normal processes, and attempts to rush security reviews. Funding and support from large technology firms and governments, such as Germany's Sovereign Tech Fund, are highlighted as essential to strengthening open-source security.
2024-04-16 14:05:54 bleepingcomputer MISCELLANEOUS Best Practices to Shield Web Apps from Social Engineering
Social engineering, which exploits human rather than technical weaknesses, is cited as a factor in 98% of cyberattacks and up to 90% of data breaches. The recommended defences are regular end-user training, limiting user access under the principle of least privilege, and multi-factor authentication (MFA). Regular security audits, penetration testing, and Pen Testing-as-a-Service (PTaaS) help find and fix weaknesses promptly. Developers and IT staff should serve web applications over HTTPS with valid TLS certificates and keep software updated to close known gaps. Further measures include rigorous input validation, comprehensive application monitoring, and strict data handling procedures. An incident response plan is essential for containing and managing social engineering attacks quickly. The article stresses that human behaviour is unpredictable, so a layered defence is required.
2024-04-16 13:40:07 thehackernews MALWARE TA558 Hackers Use Steganography in Malware Campaigns Across Sectors
TA558 is using steganography to deliver malware including Agent Tesla and FormBook: VBS and PowerShell scripts and RTF documents are staged through images that carry the malicious code. The campaign, named SteganoAmor, targets the industrial, services, and construction sectors, mainly in Latin America, with some activity also seen in Russia, Romania, and Turkey. The initial vector is a phishing email carrying a malicious Microsoft Excel attachment that exploits the old Equation Editor flaw CVE-2017-11882 to download a Visual Basic Script. That script fetches images with embedded malicious code, which in turn deploy payloads such as remote access tools and keyloggers. Phishing emails are sent through legitimate but compromised SMTP servers, so they pass email security gateways that rely on sender reputation, and compromised FTP servers are used to host and collect stolen data. The disclosure coincides with other, unrelated phishing and malware campaigns against government bodies in several Eurasian countries.
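An added example, not the campaign's tooling or the researchers' code, showing the simplest form of the carrier technique described above and how to check for it: a script payload appended after the end of an otherwise valid PNG. The image and the VBS-like payload are constructed for the demonstration; the extractor walks the PNG chunk list to find where the legitimate image ends and returns whatever follows.

```python
"""Build a PNG with a payload appended after IEND, and extract it again.

Added example; not SteganoAmor's code. It assumes the payload is appended
after the final chunk and base64-encoded, which is one common carrier
layout for script droppers hidden in images.
"""
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_with_payload(payload: bytes) -> bytes:
    """Minimal valid 1x1 RGB PNG followed by base64(payload) (constructed sample)."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    raw = b"\x00\xff\x00\x00"  # filter byte 0 + one red pixel
    idat = _chunk(b"IDAT", zlib.compress(raw))
    iend = _chunk(b"IEND", b"")
    return PNG_SIG + ihdr + idat + iend + base64.b64encode(payload)


def png_end_offset(data: bytes):
    """Offset just past the IEND chunk, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def extract_trailing_payload(data: bytes):
    """Return bytes found after IEND (base64-decoded if they decode), else None.

    A clean image returns None; anything else is worth a closer look, since
    viewers ignore trailing bytes but a dropper script can read them.
    """
    end = png_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    try:
        return base64.b64decode(trailer, validate=True)
    except (binascii.Error, ValueError):
        return trailer


if __name__ == "__main__":
    sample = make_png_with_payload(b'CreateObject("WScript.Shell").Run "calc.exe"')
    print(extract_trailing_payload(sample))
```

Real carriers may also hide data inside IDAT pixel data or in ancillary chunks, which this check will not see; the "bytes after IEND" heuristic is the cheap first pass to run over images fetched by Office macros or scripts.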
2024-04-16 13:29:40 thehackernews DATA BREACH Vulnerability in CLI Tools Risks Exposing Credentials
A weakness in the AWS, Google Cloud, and Azure command-line tools can leak credentials into build logs: certain commands print a resource's environment variables, which frequently contain passwords and access tokens, to standard output, and CI/CD systems such as GitHub Actions and CircleCI capture that output into logs that are often visible to more people than the secrets themselves. The Azure CLI instance of the issue was assigned CVE-2023-36052 with a CVSS score of 8.6 (high) and was fixed by Microsoft in its November 2023 security updates; Google and Amazon have not released comparable fixes. Research by Orca found several projects that had already exposed sensitive values this way on GitHub Actions and CircleCI. Google and Amazon consider it the user's responsibility to protect environment variables and recommend dedicated secrets management services instead of storing secrets in them. The risk is greatest in CI/CD pipelines, where these CLI commands are routinely run and their output logged, so teams should review which commands echo configuration and mask or suppress that output.
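One way to keep such output out of a build log, as an added example that is not Orca's or any cloud provider's code: pass the CLI's JSON through a redactor before it is printed, masking every value under an environment-variable container and emitting the corresponding GitHub Actions `::add-mask::` commands. The JSON below is a constructed stand-in shaped loosely like a function-configuration response; the container key names are illustrative assumptions, not an exact copy of any one CLI's schema.

```python
"""Mask environment-variable values in cloud CLI JSON output before it is logged.

Added example, not from Orca or a cloud provider. SECRET_CONTAINERS holds
assumed key names; extend it to match the CLI output you actually pipe in.
"""
import json

# Keys whose entire subtree is treated as secret wherever it appears.
SECRET_CONTAINERS = {"Variables", "environmentVariables", "appSettings"}
MASK = "***"


def _walk(node, inside_secret, masked):
    """Recursively copy `node`, replacing string leaves under a secret container."""
    if isinstance(node, dict):
        return {k: _walk(v, inside_secret or k in SECRET_CONTAINERS, masked)
                for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, inside_secret, masked) for v in node]
    if inside_secret and isinstance(node, str) and node:
        masked.append(node)
        return MASK
    return node


def redact_cli_output(text: str):
    """Return (redacted JSON text, list of original values that were masked)."""
    masked = []
    redacted = _walk(json.loads(text), False, masked)
    return json.dumps(redacted, indent=2), masked


def mask_commands(values):
    """GitHub Actions workflow commands that hide the given values in later log lines."""
    return [f"::add-mask::{v}" for v in values]


# Constructed sample, not a real CLI capture.
SAMPLE = json.dumps({
    "FunctionName": "billing-export",
    "Runtime": "python3.12",
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2",
                                  "API_TOKEN": "tok_example_123"}},
})


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    out, secrets = redact_cli_output(raw)
    for cmd in mask_commands(secrets):
        print(cmd)          # must be printed before any line that could contain the value
    print(out)
```

Run the CLI with its output piped into this script rather than straight to the console, because anything the CLI prints directly is already in the log before a mask can apply; and prefer the providers' advice to keep secrets in a secrets manager so the configuration has nothing worth masking.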
2024-04-16 12:53:45 theregister CYBERCRIME Ransomware Attack on Change Healthcare Nears $1 Billion Cost
UnitedHealth reports $872 million in costs from the ransomware attack on its subsidiary Change Healthcare as of the first quarter of 2024. On top of that, it has extended more than $6 billion in advance funding and loans to care providers hurt by the outage. Remediation and ongoing costs are expected to exceed $1 billion, with the initial ransom payment reported at $22 million. The attack disrupted medical services at hospitals and pharmacies across the U.S., affecting both cash flow and the ability to deliver care. UnitedHealth posted a net loss of $1.221 billion for the quarter, with adjusted earnings reduced by the attack-related costs; even so, its share price rose 7.5% in premarket trading after the disclosure. ALPHV/BlackCat, the group behind the attack, pulled an exit scam after receiving the ransom, which further complicated the recovery and response.
2024-04-16 11:20:05 thehackernews CYBERCRIME Exploring Cybersecurity’s Hidden Threats in Digital Identity
The rapid evolution of the digital landscape has made the threats facing organizations far more complex, and cloud adoption and remote work have exposed digital identities to exploitation, raising the importance of identity security. The vendor's "Identity Underground Report" catalogues overlooked liabilities in identity management, such as forgotten user accounts and configuration errors, that attackers exploit. These identity threat exposures (ITEs), in both on-premises and cloud environments, can hand attackers access to critical resources. The report also discusses how synchronizing on-premises accounts with cloud Identity Providers (IdPs) can inadvertently carry weaknesses from one environment into the other. Its recommended remedies are multi-factor authentication (MFA) and investment in a comprehensive identity security strategy. Understanding which of these exposures an organization has is presented as the basis for prioritizing security spending.
2024-04-16 11:20:05 thehackernews MALWARE Critical Vulnerability Discovered in Popular PuTTY SSH Client
A critical vulnerability in PuTTY versions 0.68 through 0.80 allows full recovery of a user's private key. The flaw (CVE-2024-31497) is in ECDSA signature generation, where biased nonces are produced for NIST P-521 keys. An attacker with a few dozen signed messages and the matching public key can recover the private key and forge signatures. Any server that accepts an affected key for authentication should be treated as exposed; PuTTY advises revoking such keys immediately and updating to the patched version. The same code is bundled in other software, including FileZilla, WinSCP, and TortoiseGit, all of which have released fixed versions. The researchers recommend RFC 6979 deterministic nonce generation to avoid this class of bug. All affected users should update and regenerate any ECDSA NIST P-521 keys that may have been used with a vulnerable version.
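The two PuTTY entries above describe the same bias; an added example (not PuTTY's code, nor the researchers') makes it concrete and gives a practical follow-up check. The nonce derivation is a simplified model of the flawed scheme, a single SHA-512 digest reduced modulo the 521-bit curve order, where the reduction never does anything and so the top nine bits of every nonce are zero. A second derivation produces enough bits before reducing, which is the principle behind RFC 6979 (it is not an RFC 6979 implementation). The lattice attack that turns the bias into the private key is not included. The authorized_keys content at the end is constructed with fake key blobs.

```python
"""Demonstrate the pre-0.81 PuTTY P-521 nonce bias and locate P-521 keys to rotate.

Added example, not PuTTY's code. flawed_nonce() models the old scheme only in
its output width, which is what matters for the bias; wide_nonce() shows the
fix in principle. The authorized_keys sample is constructed.
"""
import hashlib
import hmac

# Order of the NIST P-521 base point: a 521-bit number.
P521_ORDER = int(
    "01" + "F" * 65 +
    "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
assert P521_ORDER.bit_length() == 521


def flawed_nonce(priv: int, msg_hash: bytes) -> int:
    """Model of the old scheme: one 512-bit digest reduced mod a 521-bit order.

    Since 2**512 < P521_ORDER, the reduction is a no-op and k < 2**512 always.
    """
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % P521_ORDER


def wide_nonce(priv: int, msg_hash: bytes) -> int:
    """Derive at least 521 + 64 bits before reducing, so the result is close to uniform."""
    out = b""
    counter = 0
    while len(out) * 8 < 521 + 64:
        out += hmac.new(priv.to_bytes(66, "big"),
                        msg_hash + bytes([counter]), hashlib.sha512).digest()
        counter += 1
    return int.from_bytes(out, "big") % P521_ORDER


def top_bits_always_zero(nonce_fn, trials=64) -> bool:
    """True if every nonce from nonce_fn fits in 512 bits (the bias the attack exploits)."""
    priv = 0x1234567890ABCDEF  # hypothetical private scalar
    for i in range(trials):
        k = nonce_fn(priv, hashlib.sha512(b"commit %d" % i).digest())
        if k.bit_length() > 512:
            return False
    return True


def find_p521_keys(authorized_keys_text: str):
    """(line number, comment) for each ecdsa-sha2-nistp521 entry; review each for PuTTY use."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        # Key type is field 0, or field 1 when the line starts with options.
        if len(fields) >= 2 and "ecdsa-sha2-nistp521" in fields[:2]:
            hits.append((n, fields[-1] if len(fields) >= 3 else ""))
    return hits


# Constructed authorized_keys content; the blobs are not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE alice@laptop
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIEXAMPLE bob@putty
no-pty ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIEXAMPLE deploy@ci
"""


if __name__ == "__main__":
    print("flawed scheme biased:", top_bits_always_zero(flawed_nonce))
    print("wide scheme biased:", top_bits_always_zero(wide_nonce))
    print("P-521 keys to review:", find_p521_keys(SAMPLE_AUTHORIZED_KEYS))
```

A P-521 key in authorized_keys is not proof that PuTTY produced signatures with it, but with ~60 signatures sufficing for recovery and commit signatures being public, the safe default is to rotate every such key whose owner may have used an affected PuTTY, FileZilla, WinSCP or TortoiseGit build.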