Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12729
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-07 01:17:40 | theregister | MALWARE | Critical RCE Vulnerability in Apache HugeGraph Could Allow Full Control | Apache HugeGraph has a critical remote command execution (RCE) flaw, rated CVSS 9.8, impacting versions prior to 1.3.0, disclosed in April. The vulnerability, CVE-2024-27348, allows attackers to bypass security measures and execute malicious code through crafted Gremlin commands. Proof-of-concept (PoC) exploit code for this flaw is now publicly available on GitHub, increasing the risk of exploitation. Attackers exploiting this flaw could gain complete control over affected servers, potentially leading to data theft, network surveillance, or ransomware deployment. Upgrading to Apache HugeGraph version 1.3.0 and enabling Java 11 along with the Auth system are strongly recommended to mitigate this vulnerability. Additional security measures, such as enabling the "Whitelist-IP/port" function, are advised to enhance RESTful API security. The flaw was originally reported by a researcher from a Chinese cloud security vendor, highlighting the importance of community contributions to software security. Industry experts urge immediate updates given the widespread use of HugeGraph in various applications and the criticality of the flaw. | Details |
| 2024-06-06 22:44:59 | bleepingcomputer | DATA BREACH | LAUSD Probes Allegations of Extensive Student and Teacher Data Sale | Los Angeles Unified School District (LAUSD) is investigating claims of stolen databases being sold, containing records for millions of students and thousands of teachers. An anonymous threat actor has listed over 26 million student records and more than 24,000 teacher records for sale on a hacking forum, allegedly demanding $1,000 for over 11 GB of data. The data breach includes sensitive information such as Social Security Numbers, home addresses, email addresses, and parental contact details. Data verification by experts suggests the sold data could be legitimate, though possibly outdated, as no recent dates are included in the dataset shared. The breach allegation follows a September 2022 ransomware attack on LAUSD by Vice Society, where the attackers claimed to have stolen 500 GB of various district files. Following the initial ransomware attack, LAUSD enhanced security measures, including a mandatory password reset and the implementation of multi-factor authentication across the district. It remains uncertain if the data currently up for sale is directly connected to the data previously stolen in the Vice Society ransomware attack. | Details |
| 2024-06-06 21:28:36 | bleepingcomputer | MALWARE | Chinese Hackers Exploit Old Vulnerabilities to Deploy Dama Web Shell | Chinese threat actors are targeting ThinkPHP applications using old vulnerabilities for malicious installations. The Dama web shell is installed via flaws identified as CVE-2018-20062 and CVE-2019-9082, allowing remote code execution. The web shell facilitates further exploitation by enabling persistent access and use of compromised endpoints to aid in avoiding detection. The malicious payload is disguised and delivered from compromised servers in Hong Kong, highlighting sophisticated disguise tactics. Dama enables advanced server control, system data access, file management capabilities, and even bypasses certain PHP function restrictions. Notably, the Dama web shell lacks a command-line interface, which limits direct command execution. Attackers exploit these vulnerabilities to transform infected systems into nodes within their infrastructure. Mitigation efforts include upgrading to the latest ThinkPHP version and ensuring all known vulnerabilities are patched. | Details |
| 2024-06-06 20:47:40 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Defense Targeted by Hackers Using SyncThing Tool | Ukraine's CERT-UA identified a campaign named "SickSync" by the UAC-0020 (Vermin) group using SyncThing software to infiltrate defense forces. The Vermin group is associated with the Luhansk People's Republic, a region largely occupied by Russia, and its actions typically match Russian interests. The hackers incorporate SyncThing and SPECTR malware within a phishing approach involving a password-protected RARSFX archive. Once opened, this archive deploys SyncThing for data synchronization over a peer-to-peer network and SPECTR malware to steal critical information silently. SPECTR has modular capabilities; it collects data and leverages the legitimate appearance of SyncThing to avoid detection by security systems. Ukraine's cybersecurity agency advises organizations to consider any interaction with SyncThing infrastructure as potential evidence of a breach requiring further investigation. | Details |
| 2024-06-06 19:46:27 | theregister | RANSOMWARE | FBI Distributes Decryption Keys to LockBit Ransomware Victims | The FBI has released over 7,000 decryption keys to aid victims of the LockBit ransomware in reclaiming their data. Despite the disruption of LockBit operations in February, which led to the identification of Dmitry Khoroshev as the alleged leader, the gang remains active. Victims are encouraged to report to the Internet Crime Complaint Center if they believe they have been affected by LockBit. The FBI, along with international partners like the UK's National Crime Agency, continues to investigate and dismantle ransomware operations. Bryan Vorndran, the assistant director of the FBI's cyber division, noted that LockBit had been dishonest about deleting victim data after ransom payments, retaining stolen data for potential future misuse. Vorndran emphasized the continuous threat posed by well-protected cybercriminals operating from countries like Russia, where they often receive tacit protection. The FBI is advocating for a united front involving private industry, nonprofits, academia, and the government to enhance collective cybersecurity defenses. LockBit's recent activity includes a confirmed attack on the Canadian pharmacy chain London Drugs, demonstrating the ongoing risk. | Details |
| 2024-06-06 18:29:56 | bleepingcomputer | CYBERCRIME | New 'Fog' Ransomware Hits U.S. Education Sector via VPN Breaches | A new ransomware called 'Fog' specifically targets the U.S. education sector by exploiting compromised VPN credentials. Discovered by Arctic Wolf Labs in May 2024, Fog's operators infiltrate networks using stolen credentials from various VPN gateways. The cybercriminals perform sophisticated attacks such as "pass-the-hash" and utilize tools like PsExec to spread within the network and commandeer admin accounts. Before encrypting data stored in virtual machines (VMs), the ransomware terminates specific system processes and deletes backups to hinder recovery. Encrypted files are appended with '.FOG' or '.FLOCKED', making them inaccessible without a decryption key provided upon ransom payment. Victims find a ransom note on their systems, directing them to negotiate payment through a Tor-based dark web chat interface. Despite not initially setting up an extortion portal, BleepingComputer confirms that Fog uses double-extortion tactics, leveraging stolen data to pressure victims into paying. Arctic Wolf Labs has yet to confirm whether Fog operates under a ransomware-as-a-service model or is controlled by a select group of cybercriminals. | Details |
| 2024-06-06 17:54:12 | bleepingcomputer | CYBERCRIME | Extortion Scheme Targets GitHub Repositories with Data Wipes | GitHub repositories are being erased in an extortion campaign by attackers using the alias Gitloker. Victims are instructed to contact the attackers via Telegram for potential data recovery. Attackers are likely gaining access through stolen GitHub account credentials. Compromised accounts have their repository contents wiped and replaced with a README.me file containing ransom notes. Previous similar attacks prompted GitHub to advise users to change passwords and secure their accounts against unauthorized changes. This attack builds on past incidents where GitHub data was compromised, including a significant breach of a Microsoft account in 2020. GitHub has acknowledged the susceptibility of accounts to phishing campaigns that can result in account takeovers and data theft. | Details |
| 2024-06-06 15:21:22 | bleepingcomputer | CYBERCRIME | PandaBuy Faces Repeated Extortion Following Data Breach | PandaBuy, a Chinese e-commerce platform service, paid a ransom to prevent its customers' stolen data from being leaked but faced renewed extortion threats. The attacker, using the alias "Sanggiero," initially leaked 3 million rows of customer data including names, contact information, addresses, and order details by exploiting vulnerabilities in PandaBuy's API. The compromised data was reported to Have I Been Pwned, which added 1.35 million affected email addresses from the incident to its system. On June 3, 2024, Sanggiero attempted to sell an alleged 17 million rows of additional data for $40,000, although no proof was given for the new batch of data. PandaBuy has since repaired the previously exploited vulnerabilities and decided against further payments to the hacker due to frozen funds and concerns of ongoing unauthorized data sales. Customers are advised to change their passwords and remain vigilant against phishing attempts by parties claiming to represent PandaBuy. | Details |
| 2024-06-06 14:04:45 | bleepingcomputer | MISCELLANEOUS | mWISE 2024: Mandiant's Premier Cybersecurity Conference in Denver | Mandiant, a part of Google Cloud, is organizing mWISE™ 2024, a cybersecurity conference in Denver, Colorado from September 18–19. Designed specifically for hands-on security practitioners, mWISE offers a unique, intimate setting to foster one-to-one connections with cybersecurity leaders. The conference serves as a platform for professionals from industry, academia, and government to share their experiences without fear of judgment. Attendees can expect to learn from some of the industry's most respected speakers who will discuss the latest security innovations and strategies. mWISE 2023 successfully drew thousands of practitioners nationwide, showing significant impact through positive attendee testimonials. The 2024 event agenda will include a variety of key topics in cybersecurity, shaped by community submissions and curated by an independent panel. Early Bird Registration for the 2024 conference ends on July 3, providing substantial savings on the standard conference rate. | Details |
| 2024-06-06 13:33:53 | theregister | CYBERCRIME | U.S. Seeks Recovery of $5M from Union Email Scam | The U.S. Justice Department is taking action to recover over $5 million stolen from a Massachusetts trade union through a business email compromise (BEC) scam. Cybercriminals spoofed the email of the union's investment manager, orchestrating a fake wire transfer of $6.4 million, primarily to various offshore bank accounts. The stolen funds were traced to seven bank accounts across China, Singapore, Hong Kong, and Nigeria, and are currently held in six JPMorgan Chase accounts and one Texas Bank and Trust account. The scam involved the recruitment of "money mules" who unknowingly helped launder the proceeds through complex transactions designed to obscure the origin of the funds. Rapid and purposeless money transfers between accounts were used as a technique to conceal the fraud, as evidenced by several flip-flop transactions recorded in a single day. Some of the stolen funds were converted into cryptocurrency, complicating the recovery efforts, although the majority of the funds were seized shortly after the fraudulent transfer. BEC scams continue to pose significant financial risks nationwide, with estimated daily losses reaching $8 million and annual losses reported by the FBI at $2.9 billion. | Details |
| 2024-06-06 13:18:17 | thehackernews | DDOS | Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Expansion | The Muhstik botnet, first identified in 2018, targets IoT devices and Linux servers. It exploits the CVE-2023-33246 vulnerability in Apache RocketMQ for malware deployment, enabling remote code execution. The malware, named "pty3," is designed to avoid detection and maintain persistence by mimicking system files and residing in memory. Features include metadata collection, lateral movement via SSH, and establishing C2 communications through IRC. Primary objectives are to launch DDoS attacks and perform cryptocurrency mining. Over 5,200 vulnerable instances of Apache RocketMQ remain exposed, putting numerous systems at risk. Security recommendations include patching impacted systems and adopting strong, frequently changed credentials. | Details |
| 2024-06-06 12:06:20 | theregister | MISCELLANEOUS | Microsoft to Phase Out Outdated NTLM Security Protocol | Microsoft has officially marked the NTLM authentication protocol as a deprecated feature, urging a shift to more secure authentication methods. The protocol, first introduced in 1993 with Windows NT 3.1, is notorious for its vulnerabilities and weak encryption. NTLM will still function in upcoming releases of Windows Server and Windows, but developers are encouraged to transition to using Negotiate with Kerberos. The use of NTLM spiked unexpectedly due to issues caused by a security update in April 2024, which was corrected in a subsequent update. Despite being replaced as the default by Kerberos in 2000, NTLM remains hardcoded in some applications and Windows components, posing ongoing security risks. Microsoft is applying a data-driven methodology to monitor NTLM usage declines, aiming to eventually disable the protocol entirely. Organizations still using NTLM due to compatibility issues are advised to catalog their dependencies and plan their transition strategies urgently. | Details |
| 2024-06-06 11:35:08 | thehackernews | CYBERCRIME | Escalating Threats of Software Supply Chain Attacks in Business | Supply chain attacks in the interconnected business ecosystem allow cybercriminals to exploit vulnerabilities across multiple organizations by targeting software and IT vendors. In 2023, the U.S. witnessed 245,000 software supply chain attacks, causing substantial financial damage estimated at $46 billion, projected to increase to $60 billion by 2025. Attackers utilize compromised accounts and vulnerabilities to inject malicious software or gain unauthorized access, affecting entities from small vendors to large corporations like Ferrari and Audi. Notable past incidents such as SolarWinds and Kaseya underscore the devastating potential of these types of attacks, necessitating rigorous and continuous security measures. Cybersixgill highlights methods for mitigating risk, including enhanced cyber threat intelligence and continuous monitoring of third-party vendors' security practices to protect against supply chain vulnerabilities. The article emphasizes the importance of a proactive security posture, integrating advanced tools and strategies to detect and respond to these expanding threats. | Details |
| 2024-06-06 10:38:41 | theregister | NATION STATE ACTIVITY | Chinese Cyber Group Exploits Old Oracle Bug for Cryptomining | The CVE-2017-3506 vulnerability in Oracle WebLogic Server allows remote command execution, originally patched in 2017 but recently exploited. Chinese cybercriminal group Water Sigbin, also known as 8220 Gang, uses this bug along with another Oracle vulnerability (CVE-2023-21839) to install cryptocurrency miners on targets. Water Sigbin employs complex obfuscation techniques, making detection and response challenging for security teams. Previously, CVE-2017-3506 was utilized with other WebLogic vulnerabilities to infiltrate the Click2Gov servers of multiple county governments for credit card theft. The continuous exploitation of CVE-2017-3506 indicates persistent vulnerabilities and the need for updated patches or enhanced security measures. Water Sigbin targets multiple technology vulnerabilities, frequently shifting malware deployment to include cryptominers and botnets. Oracle may re-release a special patch to fully address CVE-2017-3506, acknowledging past patching efforts as inadequate. | Details |
| 2024-06-06 09:57:30 | thehackernews | MALWARE | Cybercriminals Utilize Legitimate Packers to Distribute Malware | Hackers are increasingly exploiting legitimate packer software like BoxedApp to distribute malware undetected. The surge in use of these packers, observed around May 2023, predominantly targets financial and government sectors. Notable malware distributed includes Agent Tesla, AsyncRAT, LockBit, and others, with submissions from Turkey, the U.S., Germany, France, and Russia. These tools, originally designed to compress software, now add a layer of obfuscation making malware difficult to analyze. BoxedApp-packed applications tend to trigger high false positive rates in anti-malware systems, complicating detection efforts. The NSIXloader, another exploited packer utilizing the Nullsoft Scriptable Install System, disguises malicious payloads as legitimate installers. Specialized tools like Kiteshield target Linux systems with sophisticated encryption and injection techniques. Continuous global monitoring and advanced security protocols are recommended to mitigate such sophisticated cyber threats. | Details |