Daily Brief
Find articles below; the Summary column holds the generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-04-04 19:31:44 | bleepingcomputer | MALWARE | Visa Alerts Financial Sector of Advanced JSOutProx Malware Surge | Visa's Payment Fraud Disruption unit reports a new phishing campaign leveraging a sophisticated variant of the JSOutProx malware. Financial institutions and their clients in Asia, the Middle East, and Africa are primarily targeted by the attacks. JSOutProx operates as a RAT, allowing attackers to execute shell commands and control infected devices for fraudulent activities. The campaign uses phishing tactics, sending fake financial notifications and employing GitLab repositories to host malware payloads. Visa provided indicators of compromise and recommended actions, including enhancing phishing awareness and securing remote access protocols. Analysts suggest with moderate confidence that the JSOutProx RAT is likely linked to Chinese or China-affiliated cyber actors. In comparison to its initial detection in 2019, the latest version of JSOutProx has improved evasion techniques and functionalities. |
| 2024-04-04 19:16:11 | bleepingcomputer | MISCELLANEOUS | Microsoft Rolls Out Fix for Outlook .ICS File Security Alert Bug | Microsoft has resolved an issue causing false security alerts to pop up in Outlook when opening .ICS calendar files after the December 2023 updates. The bug was introduced following an update that patched the CVE-2023-35636 vulnerability, which could be exploited to steal NTLM authentication hashes. Users received misleading warnings about the potential security risks of certain locations when accessing .ICS files. The fix is currently available for Microsoft 365 users in the Beta Channel, with a broader release planned for April 30th and backporting in June 2024. As a temporary measure prior to the fix, users could disable the false alerts via a registry key, but were cautioned that this would also disable warnings for other potentially unsafe file types. Microsoft recently fixed other Outlook-related syncing issues with email servers and connection problems on Outlook.com for both desktop and mobile email clients. |
| 2024-04-04 18:24:54 | theregister | DATA BREACH | Major Alleged Data Theft Targets US Government and Military Officials | The US State Department is investigating claims of a significant data theft involving classified information from the Pentagon and other national security agencies. An individual or group named IntelBroker claims responsibility for the data leak and alleges to have posted the stolen information on the dark web. The compromised data reportedly includes contact details for government and military officials, classified documents, and communications among Five Eyes intelligence allies. The leak was first highlighted by Dark Web Informer and also includes personal details of 100,000 individuals affiliated with US immigration agencies. The breach purportedly occurred through a zero-day vulnerability in GitHub, affecting Acuity, a consulting firm that works with the US government. A similar incident occurred in June 2023, involving a breach by a Chinese-government-backed group that resulted in the theft of State Department emails and employee information. |
| 2024-04-04 17:23:33 | bleepingcomputer | CYBERCRIME | Hoya Corporation Disrupted by Cyberattack Affecting Global Operations | Hoya Corporation experienced a cyberattack that disrupted servers at various production plants and business divisions. The incident caused system failures and network outages, leading to downtime for ordering systems and some production lines. The company, with over 37,000 employees globally, has initiated an investigation with the help of outside forensic experts. There is currently no clear timeline for full system recovery; the focus is on restoring services to continue providing customer support. The nature of the cyberattack suggests unauthorized third-party access, which may involve compromised confidential or personal information. Hoya is actively working with authorities in the affected countries and commits to resuming normal production and supply to customers as soon as possible. This is not the first cyber incident for Hoya; previous attacks occurred in 2019 and 2021, one claimed by the Astro Team hacking group. |
| 2024-04-04 16:57:51 | bleepingcomputer | DATA BREACH | Major Breach at US Cancer Center Affects Over 820,000 Patients | City of Hope, a significant cancer treatment and research center, reported a data breach impacting more than 820,000 patients. The breach was detected after suspicious activity was observed on their systems between September 19, 2023, and October 12, 2023. A cybersecurity firm was engaged to investigate the incident, which confirmed unauthorized system access. Sensitive personal data was potentially exposed, but there is no evidence of identity theft or fraud at this point. The affected individuals are being offered two years of complimentary identity monitoring services. City of Hope has taken measures to fortify its defenses against future cybersecurity threats. Patients are urged to monitor their financial statements and stay alert for fraud or suspicious requests for information. |
| 2024-04-04 15:51:29 | thehackernews | MALWARE | Coordinated Malware Campaign Targets Financial Data in Asia | A Vietnamese cybercriminal group, known as CoralRaider, has been using malware to steal financial and personal data across several Asian countries since May 2023. Main targets include individuals and businesses in India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam, focusing on credentials and social media accounts. The group employs a variety of malware tools, including RotBot, which is a customized version of Quasar RAT, and XClient stealer, as well as AsyncRAT, NetSupport RAT, and Rhadamanthys. Stolen information is exfiltrated through Telegram and then sold on underground markets, with evidence suggesting the operation is based in Vietnam. Malware distribution begins with a deceptive Windows shortcut file (LNK), leading to an HTML application that triggers a series of actions to disable security measures and execute RotBot. RotBot and XClient are designed to harvest extensive data from web browsers and applications, including financial details from platforms like Facebook, Instagram, TikTok, and YouTube. Bitdefender has also reported a related malvertising campaign on Facebook, using fake AI tool accounts to distribute similar stealer malware across Europe. |
| 2024-04-04 15:35:50 | thehackernews | MALWARE | Evolved Rhadamanthys Malware Targets Energy Sector via Phishing | An evolved version of Rhadamanthys malware is being distributed through phishing campaigns aimed at the oil and gas industry. The phishing emails feature a unique vehicular incident lure and spoof documents from the "Federal Bureau of Transportation" mentioning fines. Recipients are tricked by a malicious link exploiting an open redirect vulnerability, leading to a malware download under the guise of a PDF document. Rhadamanthys, written in C++, harvests sensitive data from infected hosts, which connect back to its C2 servers. The emergence of this campaign coincides with the takedown of the LockBit ransomware group; the same malware variants have been found bundled together. New families of stealer malware are surfacing with sophisticated evasion techniques, while existing strains like StrelaStealer continue to evolve. Separate malspam campaigns propagate Agent Tesla malware in various regions, attributed to African-origin threat actors and using simple cybercrime tactics. |
| 2024-04-04 15:30:18 | bleepingcomputer | DDOS | Single Connection DoS Attack Exploits New HTTP/2 Vulnerabilities | A newly discovered set of vulnerabilities in HTTP/2, dubbed "CONTINUATION Flood," can trigger denial-of-service (DoS) attacks, causing some web servers to crash with just one TCP connection. HTTP/2, which enhances web performance and efficiency, was found to be vulnerable due to the mismanagement of CONTINUATION frames, where many implementations lack proper limits and checks. Attacks take advantage of this oversight by never setting the END_HEADERS flag, resulting in out-of-memory crashes or CPU exhaustion during frame processing. Researcher Bartek Nowotarski identified that these uncontrolled continuation frames can create out-of-memory conditions leading to server outages. The CERT Coordination Center issued an alert listing several CVE IDs related to the vulnerability, which affects a range of vendors and HTTP/2 libraries, including Red Hat, Apache, and Node.js. The issue is considered more severe than the "HTTP/2 Rapid Reset" attack uncovered last year, with the potential to impact a significant portion of Internet servers. The researcher highlighted the complexity of identifying and mitigating such attacks, as they might not show up in access logs without advanced frame analytics; it is critical for server administrators to update their systems to prevent exploitation. |
| 2024-04-04 15:09:34 | theregister | CYBERCRIME | Ivanti Outlines Security Overhaul after Major Exploits Hit | Ivanti is adopting a secure-by-design approach, spearheading an organizational overhaul in response to numerous exploited vulnerabilities in its Connect Secure product earlier this year. CEO Jeff Abbott penned an open letter highlighting plans for security improvements, following what he calls "humbling" events over recent months. Ivanti aims to integrate security into every phase of the software development lifecycle, from inception to deployment, including threat modeling and proactive vulnerability management. The company intends to expedite the modernization of its network security products' stack and enhance its vulnerability management program to improve patch distribution times. Ivanti acknowledges the need for transparent information sharing and has announced the creation of a customer advisory board to better incorporate user feedback. The overhaul is backed by significant investment and the full support of Ivanti's board of directors, indicative of a company-wide commitment to heightened security standards. The vulnerabilities Ivanti disclosed were exploited by multiple groups, including nation-state actors, and patches arrived after a considerable delay, which prompted US CISA to order federal agencies to disconnect Ivanti equipment. Even as patches became available, Ivanti disclosed additional vulnerabilities, while still emphasizing its commitment to securing its products and enhancing customer protections. |
| 2024-04-04 14:03:02 | bleepingcomputer | MALWARE | Unpacking Recent Malware Incidents and Defense Strategies | Rigorous security measures are required to tackle increasingly complex malware, as evident from a stealthy and pervasive malware framework named StripedFly, which affected over a million systems. The banking sector faces threats from novel Android banking trojans, underlining a concerning growth in malicious software targeting financial applications. A sophisticated malware called "Coathanger" infiltrated the Dutch Ministry of Defence's network, demonstrating the capabilities and intentions of state-sponsored cyber operations. Prevention strategies include reliable anti-virus and anti-malware solutions capable of both signature-based detection and heuristic analysis to combat a wide array of threats. Regular employee training is crucial for fostering human vigilance against malware tactics, coupled with safe web browsing practices to close off malware entry points. Robust device management policies and user privilege management help minimize vulnerabilities and limit the potential damage from malware attacks. User Behavior Analysis (UBA) employs machine learning to spot anomalous activities, aiding in the early detection of malware infections. Automating security responses can considerably expedite malware isolation and reduce impact, illustrating the importance of integrating automation into cybersecurity defense mechanisms. |
| 2024-04-04 11:34:59 | thehackernews | DDOS | New HTTP/2 CONTINUATION Frame Vulnerability Triggers Server DoS | A security researcher discovered an exploitable flaw in the HTTP/2 protocol allowing for denial-of-service (DoS) attacks. The vulnerability involves the mishandling of CONTINUATION frames within the HTTP/2 protocol, leading to potential server crashes or severe performance hits. Named "HTTP/2 CONTINUATION Flood," this class of vulnerabilities is considered to pose a greater threat than the previously known "Rapid Reset" attack. Exploitation of this flaw does not show up in traditional HTTP access logs, making the attacks harder to detect. Several projects are impacted by the vulnerability, including well-known servers and frameworks like Apache HTTP Server, Apache Tomcat, and Node.js. Affected software vendors have been notified, and users are advised to upgrade to the latest versions to mitigate the threat. In cases where no immediate fix is available, it is recommended to temporarily disable HTTP/2 on servers to prevent potential DoS attacks. |
| 2024-04-04 11:34:59 | thehackernews | MISCELLANEOUS | Key Considerations for Enhanced Operational Technology Security | Operational Technology (OT) systems differ from IT systems in that they directly interface with and control physical processes. OT and IT convergence through the Industrial Internet of Things (IIoT) increases efficiency but also introduces IT-like cyber threats to OT systems. Real-time operational demands of OT systems may render traditional cybersecurity measures like multi-factor authentication problematic due to added latency. Legacy OT systems were not designed with modern cybersecurity threats in mind, often lacking encryption and authentication capabilities. In OT, safety and reliability outweigh the typical IT focus on data confidentiality and integrity, influencing the type of cybersecurity measures employed. Cybersecurity strategies for OT must be specifically tailored, balancing the need for system safety and reliability with data protection. The unique challenges of securing OT systems include avoiding disruptions while protecting against contemporary cyber threats. Cost-effective enterprise-grade Privileged Access Management (PAM) solutions and cloud security strategies are available to enhance OT cybersecurity. |
| 2024-04-04 10:54:09 | theregister | CYBERCRIME | UK City Council Acknowledges Data Theft by Ransomware Gang | Leicester City Council confirmed that a ransomware attack resulted in the theft of residents' confidential data after the INC Ransom group leaked documents. The leak included residents' IDs, bank statements, and official council forms related to housing and rent, with the possibility that more stolen data exists. The Council is contacting affected individuals and has involved the Information Commissioner's Office as well as local cybercrime law enforcement. Despite the breach, the Council has communicated that its recovery is nearly complete, with most services operational. INC Ransom, linked to other government and healthcare attacks, has seen a rise in activity, potentially benefiting from law enforcement action against other ransomware groups. The Council urges residents to be aware of potential fraud and assures them that continued engagement with council services remains secure. Cybersecurity researchers note the redistribution of affiliates and a rise in attacks by ransomware groups including INC Ransom following crackdowns on groups like LockBit and ALPHV. |
| 2024-04-04 09:02:09 | theregister | CYBERCRIME | Growing Threats: The Amplification of Cybercrime Through AI | GenAI is enhancing the potency and scale of cybercrime by facilitating advanced reconnaissance and social engineering tactics. The UK National Cyber Security Centre anticipates a surge in impactful cyberattacks over the next two years due to AI technologies. AI commoditization is expected to help both cybercriminals and nation-state actors rapidly analyze stolen data for further exploitation. Sophos identifies the risk of generative AI, such as LLMs, enabling the creation of deceptive content to extract sensitive information. Sophos will host a webinar detailing the risks of AI-driven large-scale scam campaigns, demonstrating how GenAI tools can be used to harvest user credentials for cyberattacks. The webinar presents the ease with which novice cybercriminals can create convincing online materials to ensnare victims. Corporate executives and cybersecurity professionals are encouraged to register for insight into AI-propelled cyber threats and prevention strategies. |
| 2024-04-04 04:47:43 | thehackernews | CYBERCRIME | Ivanti Rolls Out Fixes for Connect Secure and Policy Secure Flaws | Ivanti has issued security updates addressing four vulnerabilities in Connect Secure and Policy Secure Gateways, which could lead to code execution and denial-of-service attacks. No exploitation of these vulnerabilities had been reported at the time of the security update release. The company had previously patched a critical vulnerability in its Standalone Sentry product that allowed for unauthenticated command execution. Another critical flaw was fixed in the on-premises version of Neurons for ITSM, which could have enabled an authenticated remote attacker to write files and execute code. Ivanti CEO Jeff Abbott publicly acknowledged the need to overhaul the company's security approach, including adoption of secure-by-design principles and transparency with customers. Ivanti is enhancing its internal security mechanisms, utilizing third-party researchers, and expanding its bug bounty program to encourage responsible vulnerability disclosure. |