Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-26 19:23:40 | bleepingcomputer | CYBERCRIME | Thousands of German Microsoft Exchange Servers at Risk of Exploitation | The German Federal Office for Information Security (BSI) warns of 17,000 vulnerable Microsoft Exchange servers online.
Approximately 37% of all German Exchange servers are severely vulnerable due to outdated versions or unpatched security flaws.
Critical vulnerabilities could lead to remote code execution attacks, especially on servers running outdated Exchange versions from 2010 and 2013.
Vulnerabilities persist despite earlier warnings, including the BSI's declaration of 'IT threat situation red' in 2021, because many operators have not kept their servers updated.
BSI advises administrators to run current Exchange versions, apply all security updates, and restrict exposure of the web-based services, for example by limiting access or placing them behind a VPN.
Microsoft has responded by enabling Extended Protection by default on updated Exchange servers and continues to stress the importance of keeping on-premises servers up-to-date. | Details |
| 2024-03-26 18:52:56 | bleepingcomputer | DATA BREACH | Hackers Capitalize on AI Framework Flaw for Crypto Mining and Data Theft | A sophisticated hacking campaign, "ShadowRay," is exploiting an unpatched flaw in the Ray open-source AI framework, impacting numerous sectors.
Companies affected include those in education, cryptocurrency, biopharma, and more, exposing sensitive data and computing resources.
Ray, credited with over 30,500 stars on GitHub, enables distributed AI processing and is used globally by leading firms for ChatGPT training.
Anyscale disclosed five vulnerabilities in November 2023 and patched four; the fifth, a critical unauthenticated remote code execution flaw, was left unaddressed because Anyscale regards the behaviour as a design decision and disputes its classification as a vulnerability.
Attackers have taken advantage of the disputed vulnerability, CVE-2023-48022, to gain unauthorized access to servers for activities including cryptocurrency mining and obtaining sensitive information.
Oligo's investigation uncovered exploitation of public Ray servers, leading to compromised AI models, credentials, and cloud access tokens.
Recommended defense strategies include following best practices for securing Ray deployments and using tools to enhance the security posture of clusters. | Details |
| 2024-03-26 16:55:40 | thehackernews | NATION STATE ACTIVITY | NuGet Package Identified as Potential Spyware Targeting Developers | A suspicious package named SqzrFramework480 has been discovered in the NuGet package manager.
Security firm ReversingLabs reports that the package seems to target developers working with tools from a Chinese industrial manufacturer, Bozhon Precision Industry Technology Co., Ltd.
SqzrFramework480 has been downloaded almost 3,000 times and includes a DLL capable of taking screenshots and transmitting them to a remote IP address.
The purpose of the package remains unclear, with possibilities ranging from industrial espionage to accidental exposure by a developer.
The use of open source repositories to distribute possibly malicious packages underscores the growing challenge of supply chain threats in the software industry.
Researchers urge users to thoroughly inspect libraries prior to use to mitigate risks associated with supply chain vulnerabilities.
The incident underlines the need for developer diligence and stronger controls around third-party dependencies in build and development environments. | Details |
| 2024-03-26 16:50:09 | theregister | CYBERCRIME | FBI & CISA Call for Eradication of 'Unforgivable' SQL Vulnerabilities | The U.S. federal authorities are urging software vendors to conduct formal code reviews to eliminate SQL injection vulnerabilities.
FBI and CISA referenced the MOVEit supply chain attacks, facilitated by SQL injection flaws, to illustrate the potential damage.
The Cl0p ransomware group exploited the MOVEit Transfer (managed file transfer) vulnerability, affecting 2,769 organizations and about 95 million individuals.
Authorities are also pressing customers to demand accountability from vendors regarding the security of their software products against SQL injection exploits.
Software developers must implement a "Secure by Design" approach from the initial development stages to protect against cyber threats.
The agencies recommend prepared statements with parameterized queries, which keep user input out of the SQL grammar entirely, over input sanitization, which tries to filter hostile strings and is considerably less reliable.
Agencies highlighted the importance of transparent vulnerability disclosure, encouraging the use of the CVE program.
Emphasizing security from the beginning can protect not just individual software but also contribute to national security and economic stability. | Details |
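A worked illustration of the recommendation above, added here as an example (it is not code from the FBI/CISA advisory, from MOVEit, or from any vendor): a constructed in-memory SQLite table queried with string interpolation, with a hand-rolled quote-escaping "sanitizer", and with parameter binding. The table, rows and payloads are all made up for the demonstration.

```python
import sqlite3

# Constructed in-memory table for the demonstration; no real data involved.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # String interpolation: attacker-controlled text becomes part of the SQL
    # statement itself, so quotes and operators in it change the query's meaning.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Placeholder binding: the statement is fixed, the value travels separately,
    # and nothing inside it can be parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def escape_quotes(value):
    # A typical hand-rolled "sanitizer": doubles single quotes. It only helps
    # inside a string literal, which is exactly the kind of context dependence
    # that makes sanitization unreliable.
    return str(value).replace("'", "''")

def lookup_by_id_sanitized(conn, user_id):
    # Numeric context: the value is not quoted, so quote-escaping is irrelevant
    # and a payload such as "1 OR 1=1" passes straight through.
    sql = f"SELECT username FROM users WHERE id = {escape_quotes(user_id)}"
    return conn.execute(sql).fetchall()

def lookup_by_id_parameterized(conn, user_id):
    # The bound value is compared as one value; "1 OR 1=1" matches no id.
    sql = "SELECT username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

STRING_PAYLOAD = "x' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"

def demo():
    """Row counts for (vulnerable, parameterized, sanitized-numeric,
    parameterized-numeric) when fed the classic payloads."""
    conn = make_db()
    return (
        len(lookup_vulnerable(conn, STRING_PAYLOAD)),            # 2: every user leaks
        len(lookup_parameterized(conn, STRING_PAYLOAD)),         # 0
        len(lookup_by_id_sanitized(conn, NUMERIC_PAYLOAD)),      # 2: sanitizer bypassed
        len(lookup_by_id_parameterized(conn, NUMERIC_PAYLOAD)),  # 0
    )

if __name__ == "__main__":
    print(demo())
```

The numeric case is the one that catches teams who believe escaping is enough: the escaping function is correct for what it does, but the query context is not a string literal, so there is nothing for it to escape. Parameter binding does not depend on context, which is why the agencies put it ahead of sanitization.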
| 2024-03-26 16:34:37 | bleepingcomputer | CYBERCRIME | Malicious VPN Apps Exploit Android Devices for Proxy Networks | Over 15 free VPN apps on Google Play leveraged a malicious SDK to turn Android phones into residential proxies for potentially illicit activities.
Residential proxies disguise internet traffic, but in this case, they were likely used for cybercrime purposes such as ad fraud, phishing, and credential stuffing.
Devices were enrolled in the proxy network without their owners' knowledge, consuming their bandwidth and leaving them potentially liable for activity routed through their connections.
A report by HUMAN's Satori team identified 28 apps using the "Proxylib" library from LumiApps SDK to create a proxy network, with links to the Russian proxy provider 'Asocks'.
Google has since removed the malicious apps from the Play Store following the report, and Google Play Protect has been updated to detect the LumiApps SDK.
Despite the cleanup, some of the previously targeted apps have reappeared on Google Play, raising concerns about their safety and potential misuse.
Users are advised to uninstall the affected apps or update to the latest version that does not include the harmful SDK; paid VPN services are recommended over free ones to avoid similar risks. | Details |
| 2024-03-26 15:02:28 | bleepingcomputer | MALWARE | Widespread "TheMoon" Malware Compromises Thousands of ASUS Routers | A new variant of the "TheMoon" malware is infecting outdated ASUS routers and spreading to IoT devices across 88 countries.
Infections link to "Faceless" proxy service, which anonymizes cybercriminal activities by routing traffic through compromised devices.
"Black Lotus Labs" observed over 6,000 ASUS router infections within 72 hours of the malware campaign's start in early March 2024.
Researchers note that the compromised routers are primarily end-of-life models likely breached through known vulnerabilities or weak credentials.
The malware installs its own iptables rules to control which traffic can reach the device, helping it evade detection and interference, and contacts hardcoded IP addresses to reach its command-and-control server.
The "Faceless" service, which operates without KYC measures, uses some of these infected devices as proxies, with transactions in cryptocurrencies.
Sustained infections suggest some compromises go unnoticed for extended periods, whereas others are resolved quickly, possibly due to active monitoring.
Enhanced cybersecurity practices for router owners include using strong passwords, updating firmware, and replacing end-of-life (EoL) devices. Signs of infection include connectivity issues, device overheating, and unauthorized setting changes. | Details |
| 2024-03-26 13:20:31 | theregister | CYBERCRIME | DARPA & ARPA-H Unite to Combat Ransomware in Healthcare | DARPA enhances its Artificial Intelligence Cyber Challenge (AIxCC) by collaborating with ARPA-H to secure critical healthcare infrastructure against ransomware.
ARPA-H adds $20M in rewards for AI-based tools that can autonomously secure code in medical devices, biotech, and hospital IT systems.
The increased targeting of healthcare by ransomware attacks poses significant risks to patient safety and care delivery.
US Senator Mark Warner expresses concern over the potential for attacks that directly affect patient care, following a disruptive ransomware incident at Change Healthcare.
In 2023, the critical infrastructure sector, particularly healthcare, saw a significant rise in ransomware, with losses exceeding $59.6M according to FBI data.
The AIxCC competition focuses on addressing software vulnerabilities in critical systems, with a recent example being the Linux kernel challenge involving CVE-2021-43267.
With a large percentage of medical devices running on Linux, successes in the competition are expected to translate into safer healthcare environments. | Details |
| 2024-03-26 12:08:38 | thehackernews | NATION STATE ACTIVITY | U.S. Indicts Chinese Nationals for Long-Term Cyber Espionage | The U.S. Department of Justice has indicted seven Chinese nationals for conspiring in a cyber espionage operation spanning approximately 14 years.
The hacking group, known as APT31, targeted U.S. and international critics, journalists, political figures, and businesses to further China's economic and intelligence agendas.
Two of the accused are linked to Wuhan Xiaoruizhi Science and Technology Company, Limited, suspected to be a front for China's Ministry of State Security.
APT31 utilized sophisticated techniques, including personalized spear-phishing campaigns, zero-day exploits, and custom malware, to compromise networks and steal sensitive information.
The cyber espionage activities included monitoring of U.S. government officials and personnel from various departments, as well as political dissidents globally.
The U.S. is offering up to $10 million for information on individuals associated with APT31, with sanctions also imposed by the U.K. and the U.S. against implicated persons and entities.
The U.K. government has previously accused APT31 of unauthorized access to voter data from its Electoral Commission, affecting approximately 40 million people.
China denies the allegations, labeling them as "completely fabricated" and criticizing the imposition of sanctions, maintaining their opposition to cyberattacks and unilateral sanctions. | Details |
| 2024-03-26 11:37:49 | thehackernews | DDOS | Strategies for Defending Minecraft Servers Against DDoS Attacks | Minecraft servers are facing increasing risks from Distributed Denial-of-Service (DDoS) attacks, which can disrupt gameplay and cause financial and reputational damage.
Despite their prevalence, many DDoS attacks on Minecraft servers go unreported; therefore, awareness and protection are often lacking.
During a DDoS attack, players may struggle with logging in, loading worlds, and the server may experience lags, disconnections, or crashes.
Server owners and operators should be vigilant for signs of DDoS attacks and take immediate action by consulting with ISPs or hosting providers.
The community impact of DDoS attacks can extend beyond gameplay disruption to emotional and financial consequences, such as players missing out on tournament earnings.
Basic protective measures include staying informed about DDoS tactics, fostering a strong community, and involving law enforcement in serious threats.
Advanced protective measures, like Gcore DDoS Protection, offer real-time, tailored defense mechanisms to protect against attacks of any scale.
The gaming industry is highly targeted for DDoS attacks, with significant potential losses, highlighting the importance of specialized DDoS mitigation services like Gcore. | Details |
| 2024-03-26 10:21:12 | theregister | MISCELLANEOUS | Beacon Awards Recognize Safety-Centric Software Projects for FreeBSD | The FreeBSD Foundation has announced the Beacon Awards, which reward safer-software initiatives, especially those targeting CHERI-enabled hardware and the CheriBSD operating system.
CHERI (Capability Hardware Enhanced RISC Instructions) improves security by prioritizing memory safety over raw speed in hardware and software design.
The Beacon Awards are part of the UK government's Digital Security by Design initiative, which has funded security R&D for over six years.
One of the grand prize winners is the Mojo JVM project, developing a memory-secure Java runtime that is compatible with existing Java applications with little to no code changes.
Another grand prize went to Intravisor, offering innovative virtualization host technology for cloud software with improved isolation capabilities on CHERI-enabled hardware.
Capabilities Limited received a grand prize for refactoring over 1.7 million lines of C++ web services software for CheriBSD and Morello hardware.
The article emphasizes the importance of balancing performance with security, suggesting that despite a potential decrease in speed, the enhanced security provided by CHERI research is a valuable trade-off. | Details |
| 2024-03-26 09:35:04 | theregister | NATION STATE ACTIVITY | UK Elections Secure Despite Chinese Cyber Attacks on Democratic Targets | The UK Deputy Prime Minister Oliver Dowden asserts that Chinese cyber interference has not undermined UK elections.
Formal accusations have been made by the UK and US against China for cyberattacks on the UK Electoral Commission and MPs in 2021.
The 2021 breach of the Electoral Commission, which exposed the data of about 40 million UK voters, has been attributed to Chinese state-sponsored actors who exploited ProxyShell vulnerabilities in the Commission's Microsoft Exchange servers.
The National Cyber Security Centre (NCSC) of the UK believes the stolen data may be used by Chinese intelligence for espionage and suppressing dissidents.
UK parliamentarians, particularly critics of Beijing and members of the Inter-Parliamentary Alliance on China (IPAC), were targeted by Chinese state-linked group APT31 in reconnaissance efforts.
The NCSC has updated its Defending Democracy guidance to help political organizations protect against state-aligned cyberattacks.
UK and US sanctions have been imposed on two Chinese nationals and one front organization linked to APT31 for their involvement in cyber espionage.
Ongoing vigilance is maintained against nation state cyber threats, with China remaining one of the primary adversaries in cyberspace for both the UK and US. | Details |
| 2024-03-26 08:33:11 | thehackernews | NATION STATE ACTIVITY | U.S. Hits Crypto Exchanges for Aiding Russian Sanctions Evasion | The U.S. Treasury's OFAC has sanctioned three cryptocurrency exchanges for helping Russia evade sanctions imposed due to its invasion of Ukraine.
The sanctions focus on individuals and entities in the Russian financial services and technology sectors that facilitate transactions for other sanctioned entities.
Bitpapa, AWEX, and TOEP specifically are accused of enabling significant transactions with Russian entities like Hydra Market, Garantex, and notable Russian banks.
Companies like B-Crypto, Masterchain, and Laitkhaus, partnered with Russian banks, are among the newly sanctioned for cryptocurrency-related services.
All property and interests in property of the designated persons and entities within U.S. jurisdiction are blocked, and under OFAC's 50 Percent Rule the same applies to any entity they own 50 percent or more of.
The U.S. Treasury reaffirms its commitment to disrupting financial networks that allow Russian financial institutions to connect with the global financial system. | Details |
| 2024-03-26 08:27:47 | theregister | CYBERCRIME | Disagreement Over Severity of DNSSEC Vulnerabilities Surfaces | Two DNSSEC vulnerabilities—KeyTrap (CVE-2023-50387) and NSEC3-encloser (CVE-2023-50868)—were reported with identical severity scores but vary widely in impact.
KeyTrap is considered extremely severe and can exhaust CPU resources, potentially disabling large internet segments.
NSEC3-encloser, on the other hand, has been deemed by researchers to have a much lower impact on CPU resources and does not pose a similar threat.
Both vulnerabilities share a severity rating of 7.5 out of 10 based on the Common Vulnerability Scoring System (CVSS), raising questions about the accuracy of such assessments.
ATHENE's research indicates an incongruity between the perceived threat levels of the two flaws, with experiments showing no denial of service through CPU exhaustion is achievable with the NSEC3-encloser.
MITRE, which assigns CVE identifiers, and NIST, whose National Vulnerability Database assigns CVSS scores, have come under scrutiny for presenting the two vulnerabilities as equally severe.
The episode raises questions about the neutrality and precision of the bodies that rate vulnerabilities and underlines that defenders should rely on detailed technical analyses rather than headline scores. | Details |
| 2024-03-26 05:03:48 | thehackernews | CYBERCRIME | CISA Issues Alert on Exploits in Popular Security Products | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation evidence.
Flaws in Fortinet, Ivanti, and Nice products are flagged as serious enough that federal agencies are mandated to patch them by April 15, 2024.
Fortinet's FortiClient EMS vulnerability allows unauthenticated attackers to execute unauthorized code via crafted requests, with confirmed in-the-wild exploitation.
Ivanti Endpoint Manager Cloud Service Appliance has a code injection vulnerability, which may stem from an intentional backdoor in a discontinued open-source project.
Nice Linear eMerge E3-Series access controllers have been vulnerable since at least May 2019, with a remote code execution exploit observed as of February 2020.
CISA and the FBI are also warning software manufacturers about the persistent threat from SQL injection vulnerabilities, highlighted by a recent exploitation by the Cl0p ransomware gang.
The alerts demonstrate the agencies' commitment to urging organizations to improve cybersecurity by addressing known vulnerabilities promptly. | Details |
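As an added example of acting on a KEV update like this one (my own code, not CISA's): parse a feed document in the catalog's JSON shape, list what was added on a given date, and compute days remaining until the federal deadline for vendors in your inventory. The feed document here is a constructed sample with only the fields the example needs; the CVE IDs and dates are my attribution of the three entries described above and of the MOVEit Transfer entry, not quoted from the summary, so verify them against the live catalog before relying on them.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the real feed,
# known_exploited_vulnerabilities.json on cisa.gov, carries more fields).
# IDs and dates are my attribution of the entries discussed above, not quoted
# from the summary; verify against the live catalog before acting on them.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet",
         "product": "FortiClient EMS", "dateAdded": "2024-03-25",
         "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-44529", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Cloud Service Appliance (EPM CSA)",
         "dateAdded": "2024-03-25", "dueDate": "2024-04-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2019-7256", "vendorProject": "Nice",
         "product": "Linear eMerge E3-Series", "dateAdded": "2024-03-25",
         "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
         "product": "MOVEit Transfer", "dateAdded": "2023-06-02",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    ],
})

def load_kev(text):
    """Parse a KEV feed document and return its list of entries."""
    return json.loads(text)["vulnerabilities"]

def newly_added(entries, since_iso):
    """CVE IDs of entries added on or after the ISO date `since_iso`."""
    since = date.fromisoformat(since_iso)
    return [e["cveID"] for e in entries
            if date.fromisoformat(e["dateAdded"]) >= since]

def applicable_entries(entries, inventory, as_of_iso):
    """Match KEV entries against the vendors in `inventory` (lower-case names)
    and return (cveID, vendor, product, days_until_due, ransomware_use) sorted
    by urgency. Negative days mean the BOD 22-01 deadline has already passed."""
    as_of = date.fromisoformat(as_of_iso)
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append((e["cveID"], e["vendorProject"], e["product"],
                     (due - as_of).days, e["knownRansomwareCampaignUse"]))
    return sorted(rows, key=lambda r: r[3])

if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print(newly_added(entries, "2024-03-25"))
    for row in applicable_entries(entries, {"fortinet", "ivanti", "progress"}, "2024-03-26"):
        print(row)
```

Matching on vendor alone is deliberately coarse: a first pass should over-include, and a human or an asset-inventory join then narrows by product and version. The overdue MOVEit row is the kind of result that should never appear in a real run, which is why the sort puts it first.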
| 2024-03-26 03:32:04 | theregister | NATION STATE ACTIVITY | New Zealand Accuses China of 2021 Parliamentary Cyberattack | New Zealand's attorney-general disclosed that the Chinese state-sponsored group APT40 was behind a 2021 cyberattack on its parliamentary agencies.
The cyberattack targeted the Parliamentary Counsel Office and the Parliamentary Service, both crucial for government operations.
New Zealand's National Cyber Security Centre (NCSC) responded quickly, containing the intrusion and removing the attackers from the network.
Following the cyberattack, New Zealand has reportedly enhanced its cybersecurity measures to prevent similar future intrusions.
This revelation came in the wake of similar accusations from the UK and US against Chinese state-backed cyber activities.
Australia joined international condemnation, expressing concerns over Chinese cyber threats to democratic institutions.
China routinely denies such accusations and, in its counter-claims about foreign hacking, rarely offers details beyond the incidents disclosed by Edward Snowden.
The US has taken measures against Chinese influence through social media platforms, underscoring geopolitical cyber tensions. | Details |