Daily Brief
Articles are listed below; each entry carries a generated summary
Total articles found: 11807
Checks for new stories every ~15 minutes
Time | Source | Category | Title

2024-03-25 09:06:38 | thehackernews | MALWARE | "GoFetch" Vulnerability Threatens Apple M-Series Chip Security
- A new vulnerability named "GoFetch" has been identified in Apple's M-series chips; it allows an attacker to extract secret cryptographic keys.
- The flaw is a microarchitectural side channel that abuses the data memory-dependent prefetcher (DMP) to target cryptographic operations.
- Apple was informed in December 2023. The flaw undermines constant-time cryptographic implementations, which are written to leave no secret-dependent trace in the cache, because the prefetcher itself performs secret-dependent memory accesses on the code's behalf.
- The DMP speculatively dereferences values in memory that look like pointers. If an intermediate value of a cryptographic computation looks like a pointer, the DMP loads the memory it points to, and the resulting cache footprint reveals information about that value.
- To mount the attack, a threat actor needs to run code on the same machine and CPU cluster as the victim.
- GoFetch cannot be fixed in hardware on existing M-series CPUs; developers must instead change cryptographic libraries so that secret-dependent values never trigger the prefetcher, at a cost in performance.
- On M3 chips, enabling the data-independent timing (DIT) bit disables the problematic prefetching; M1 and M2 processors have no such switch.
- Apple advises developers to use measures that prevent timing-based leakage and to avoid using secret data in conditional branches and memory-address computation, so that secrets cannot be inferred.

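The constant-time discipline in Apple's guidance, as an added example in C written for this brief (not Apple's code and not the GoFetch researchers' code): a table lookup whose address depends on a secret index beside a constant-time lookup that touches every entry, a constant-time comparison with no early exit, and a branch-free select. The table contents and tag values are constructed sample inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative code added for this brief. The rule being demonstrated:
 * no branch and no memory address may depend on a secret, so neither the
 * branch predictor nor the cache sees anything secret-dependent. */

/* Leaky table lookup: the address read depends on secret_idx, so a
 * cache-timing observer learns which cache line was touched. */
uint8_t leaky_lookup(const uint8_t *table, size_t n, size_t secret_idx)
{
    (void)n;
    return table[secret_idx];
}

/* Constant-time lookup: reads every entry and keeps the wanted one with a
 * mask, so the address sequence is identical for every secret_idx. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t secret_idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t diff = i ^ secret_idx;
        /* nonzero is 1 when diff != 0, else 0: the top bit of diff | -diff
         * is set for every nonzero diff and clear for zero. */
        size_t nonzero = (diff | (0 - diff)) >> (sizeof(size_t) * 8 - 1);
        uint8_t mask = (uint8_t)(0 - (uint8_t)(1 ^ nonzero)); /* 0xFF or 0x00 */
        out |= table[i] & mask;
    }
    return out;
}

/* Constant-time equality for MAC tags or password hashes: no early exit,
 * so running time does not reveal the position of the first mismatch.
 * Returns 1 if equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= a[i] ^ b[i];
    /* acc | -acc has its top bit set iff acc != 0 */
    return 1 ^ (int)(((uint8_t)(acc | (uint8_t)(0u - acc))) >> 7);
}

/* Constant-time select: returns a when cond is 1 and b when cond is 0,
 * without a branch. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - (cond & 1u);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Constructed sample inputs for the demonstration. */
static const uint8_t sample_table[8] = {10, 20, 30, 40, 50, 60, 70, 80};
static const uint8_t tag_a[4] = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t tag_b[4] = {0xde, 0xad, 0xbe, 0xee};

int main(void)
{
    printf("ct_lookup(5) = %d, leaky_lookup(5) = %d\n",
           ct_lookup(sample_table, 8, 5), leaky_lookup(sample_table, 8, 5));
    printf("ct_memeq(a, a) = %d, ct_memeq(a, b) = %d\n",
           ct_memeq(tag_a, tag_a, 4), ct_memeq(tag_a, tag_b, 4));
    printf("ct_select(1) = 0x%x, ct_select(0) = 0x%x\n",
           ct_select(1, 0x1111, 0x2222), ct_select(0, 0x1111, 0x2222));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, constant-time C only holds if the compiler preserves it: optimizers can turn a mask back into a branch, so the generated assembly needs checking. Second, GoFetch leaks through the values a computation leaves in memory rather than the addresses it reads, so on M1 and M2 this discipline alone does not stop the DMP; a library also has to keep secret-dependent intermediate values from looking like pointers (the costly library-level change the article refers to) or, on M3, run with DIT enabled.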
2024-03-25 07:40:08 | thehackernews | CYBERCRIME | MuddyWater Espionage Campaign Targets Israeli Sectors via Phishing
- The Iran-linked threat group MuddyWater ran a phishing campaign against Israeli organizations that installed the legitimate Atera remote monitoring and management (RMM) agent for surveillance.
- Targets included entities in manufacturing, technology, and information security; the phishing emails carried PDF attachments that link to malicious content.
- MuddyWater has historically abused legitimate remote desktop and management software to infiltrate and control systems within victim organizations.
- The campaign hosted the malicious files on file-sharing platforms and tricked victims into installing the Atera Agent via a PDF document and ZIP archive.
- In a related incident, the Iranian hacktivist group Lord Nemesis mounted a software supply chain attack on Rashim Software, compromising numerous Israeli academic institutes.
- Lord Nemesis allegedly bypassed weak MFA protections to reach sensitive information and notified Rashim Software's customers of the breach four months after first gaining access.
- The incidents illustrate the trend of nation-state actors compromising smaller companies in a supply chain to reach the broader ecosystem for political and espionage objectives.

2024-03-25 06:33:47 | theregister | NATION STATE ACTIVITY | UN Report Uncovers Extensive North Korean Sanctions Evasion Techniques
- The United Nations has reported on the methods North Korea uses to evade international sanctions and fund its weapons programs, including money laundering through restaurants and cyber attacks on cryptocurrency companies.
- North Korea is purportedly operating eateries in China, Laos, Thailand, and Russia, potentially laundering upwards of $700 million annually through these businesses.
- The UN details 58 suspected North Korean cyber attacks on crypto-related companies between 2017 and 2023, aimed at acquiring resources for weapons of mass destruction.
- In 2023 alone, North Korea is believed to have obtained $750 million in cryptocurrency through illicit activity.
- Recommendations to combat these activities include international cooperation, stricter compliance measures, and basic infosec practices such as multi-factor authentication and zero-trust principles.
- The UN suggests creating systems for reporting and sharing information on North Korean cyber threats, particularly with the cryptocurrency industry and the private sector.
- The report also calls on all crypto platforms and protocols to strengthen anti-money-laundering and know-your-customer measures to prevent North Korea's cryptocurrency schemes.
- Beyond cyber operations and restaurants, the 615-page report lists many other sanction evasion tactics, reflecting the complexity and extent of these activities.

2024-03-25 01:18:29 | theregister | DATA BREACH | Microsoft Windows Server Update Triggers Crashes, Patch Issued
- Microsoft acknowledged a memory leak in its March security update for Windows Server that caused domain controllers to crash and reboot.
- The leak was in the Local Security Authority Subsystem Service (LSASS) on Windows Server 2012 R2, 2016, 2019, and 2022.
- It was triggered by Kerberos authentication requests handled by Active Directory domain controllers.
- Microsoft has identified the root cause and released a patch to address the issue.
- A critical vulnerability affecting Atlassian Bamboo (CVE-2024-1597), rated CVSS 10.0, was disclosed; it stems from a third-party component (the PostgreSQL JDBC driver) rather than Atlassian's own code.
- A new and more potent variant of the AcidRain wiper, dubbed AcidPour, has been linked to Russian threat actors and targets a broader range of Linux systems.
- According to Proofpoint's Data Loss Landscape report, 85% of companies experienced data loss in the past year, with 71% attributing it to careless employees.
- Privileged users, such as those in HR and finance, are considered the greatest insider threat, yet just 1% of users were responsible for the majority of data loss events.

2024-03-24 18:42:26 | theregister | DDOS | Loop Denial-of-Service Attack Threatens 300,000 Public Servers
- Up to 300,000 Internet-facing servers are exposed to a new loop denial-of-service (DoS) vulnerability.
- Affected protocols include TFTP, DNS, and NTP, along with several legacy services.
- The largest numbers of at-risk systems are located in China, Russia, and the US.
- The attack needs only a single packet with a spoofed source address: server A answers it with an error message sent to server B (the spoofed source); B cannot parse the error and answers with its own error, and the two servers keep exchanging error messages indefinitely.
- The loop disrupts services without any ongoing traffic from the attacker and is difficult to stop once initiated.
- Researchers notified vendors in December for patching and will coordinate with the Shadowserver Foundation on a broader notification campaign.
- Devices produced by Arris, Broadcom, Microsoft, and others, including out-of-support products from Cisco, TP-Link, and Zyxel, are also vulnerable.
- IT admins are urged to update network services and to check their systems using the detection code the researchers provide.

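The loop described above, modelled as an added example in C (this is not the researchers' code and not their detection script): two hypothetical UDP services that answer anything unparseable with an error message, one vulnerable handler and one hardened handler that never answers an error, and a driver that injects a single spoofed packet and counts the resulting exchange. Host identifiers and message types are constructed for the illustration; the ERROR value 5 mirrors TFTP's opcode, but the model is not a TFTP implementation.

```c
#include <stdio.h>

/* Illustrative model added for this brief. Two servers, A (host 1) and
 * B (host 2), run the same service. The attacker (host 3) sends one
 * packet to A whose source address is forged to be B. */

enum msg_type { MSG_REQUEST = 1, MSG_ERROR = 5 };   /* 5 mirrors TFTP's ERROR opcode */

typedef struct {
    int src_host;          /* 1 = A, 2 = B, 3 = attacker's real address */
    int dst_host;
    enum msg_type type;
} packet_t;

/* A service handler: given an inbound packet, fill 'out' and return 1 if
 * the service sends a reply, or return 0 to stay silent. */
typedef int (*handler_t)(const packet_t *in, packet_t *out);

/* Vulnerable behaviour: every unparseable input, including an ERROR
 * message from a peer, is answered with an ERROR to the packet's source.
 * The reply goes to whoever the source field claims, spoofed or not. */
int vulnerable_handler(const packet_t *in, packet_t *out)
{
    out->src_host = in->dst_host;
    out->dst_host = in->src_host;
    out->type = MSG_ERROR;
    return 1;
}

/* Hardened behaviour: an ERROR is never answered. The first bogus request
 * still draws one ERROR, but the peer that receives it stays silent, so
 * the loop cannot form. */
int hardened_handler(const packet_t *in, packet_t *out)
{
    if (in->type == MSG_ERROR)
        return 0;
    out->src_host = in->dst_host;
    out->dst_host = in->src_host;
    out->type = MSG_ERROR;
    return 1;
}

/* Injects ONE packet with a spoofed source (claims to be from B, sent to A)
 * and counts how many packets A and B then exchange before one of them
 * falls silent or 'cap' is reached. Reaching the cap means the loop is
 * self-sustaining: the attacker sent nothing after the first packet. */
int simulate_loop(handler_t handler, int cap)
{
    packet_t pkt = { .src_host = 2, .dst_host = 1, .type = MSG_REQUEST };
    int sent = 0;
    while (sent < cap) {
        packet_t reply;
        if (!handler(&pkt, &reply))
            break;
        sent++;
        pkt = reply;   /* the reply arrives at the other server */
    }
    return sent;
}

int main(void)
{
    printf("vulnerable: %d packets after one spoofed packet (stopped only by cap)\n",
           simulate_loop(vulnerable_handler, 1000));
    printf("hardened:   %d packet(s), then silence\n",
           simulate_loop(hardened_handler, 1000));
    return 0;
}
```

The vulnerable pair keeps exchanging packets up to the cap with no further attacker traffic, which is why the article says the loop is hard to stop once started; the hardened pair sends exactly one error and goes quiet. The application-level fix (never reply to an error, and rate-limit error replies in general) is independent of the network-level one: BCP 38 ingress filtering at the edge drops the spoofed packet before it reaches either server.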
2024-03-24 14:22:58 | bleepingcomputer | MALWARE | StrelaStealer Malware Campaign Strikes Over 100 US and EU Entities
- A widespread StrelaStealer campaign has hit more than 100 US and European organizations, harvesting email credentials.
- First seen targeting Spanish-speaking users, StrelaStealer has expanded its scope to targets primarily in the US and Europe.
- Palo Alto Networks' Unit 42 observed a considerable increase in related phishing campaigns from November 2023 into early 2024.
- High-tech industries have been the most affected, with finance, legal, manufacturing, government, and other sectors also compromised.
- The distribution tactics have evolved to ZIP attachments containing JScript and batch files, with added obfuscation to hinder analysis.
- StrelaStealer retains its core functionality: extracting login credentials from Outlook and Thunderbird and sending them to the attackers' server.
- Users are advised to treat unsolicited emails about payments or invoices with suspicion and to avoid opening attachments from unknown senders.

2024-03-24 10:13:48 | theregister | DATA BREACH | VF Corporation Alerts 35.5 Million Customers of Data Breach
- VF Corporation experienced a significant data breach affecting 35.5 million customers, with personal information compromised but no financial details taken.
- The breach involved customer names, email addresses, phone numbers, billing and shipping addresses, and in some cases order history and payment method.
- VF Corporation says there is no evidence the stolen data has been misused but acknowledges the risk of identity theft, phishing, and fraud.
- The incident, first reported in December without clear details, has now been clarified in a privacy breach notification, though it is not labelled explicitly as a ransomware attack.
- The company says no financial details such as credit card or bank account numbers were retained in its systems, so none were exposed.
- VF Corporation emphasizes that consumer passwords were not compromised, and advises customers to remain vigilant, update passwords, and watch for phishing attempts.

2024-03-24 05:39:17 | thehackernews | NATION STATE ACTIVITY | North Korean Kimsuky Group Adopts New Tactics for Cyber Espionage
- The North Korea-linked Kimsuky threat actor is now using Compiled HTML Help (CHM) files to deploy malware.
- Active since 2012, Kimsuky primarily targets South Korea, North America, Asia, and Europe to collect sensitive data.
- The group previously used weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files.
- Rapid7 attributes the recent activity to Kimsuky with moderate confidence, based on overlaps with the group's known tactics.
- The CHM file is usually packaged inside an ISO, VHD, ZIP, or RAR file; once opened, it runs scripts that establish persistence and exfiltrate data.
- Kimsuky also impersonates legitimate applications to deploy the Endoor backdoor.
- The group's operations contribute to North Korea's illicit revenue, estimated at $3 billion, which likely funds its nuclear weapons program.
- The Reconnaissance General Bureau, which oversees Kimsuky, is also broadening its scope by exploring the use of artificial intelligence for cyber operations.

2024-03-24 05:28:49 | thehackernews | CYBERCRIME | International Crackdown Leads to Seizure of Nemesis Darknet Market
- German police have seized "Nemesis Market", a prominent darknet platform for the sale of narcotics, stolen data, and cybercrime services.
- Over €94,000 in cryptocurrency was confiscated in the raid, carried out by German, Lithuanian, and U.S. law enforcement.
- The operation took place on March 20, 2024, concluding an investigation that began in October 2022.
- Nemesis Market, operating since 2021, had over 150,000 users and 1,100 vendors worldwide, with a significant presence in Germany.
- The market offered a wide range of illicit goods and services, including drugs, fraudulent data, ransomware, phishing kits, and DDoS attacks.
- No arrests have been made yet, but investigations into the platform's users and sellers continue.
- The seizure follows recent takedowns of other darknet markets and the international disruption of the LockBit ransomware group, in which German authorities took part.

2024-03-23 07:53:54 | theregister | NATION STATE ACTIVITY | Cozy Bear Phishes German Political Parties with Fake Invites
- The Russian group Cozy Bear (APT29) targeted German political entities with a phishing campaign built around fake dinner invitations.
- The emails purported to come from Germany's Christian Democratic Union (CDU) and lured recipients into clicking a malicious link.
- The phishing chain deployed WINELOADER, a backdoor that gives the operators remote control of compromised systems.
- WINELOADER, first identified in January, is a sophisticated implant whose obfuscation techniques are designed to evade security software.
- Mandiant linked the activity directly to Russia's Foreign Intelligence Service (SVR) and sees in it an interest in Western political dynamics.
- The same group was behind the widely publicized SolarWinds supply chain compromise, which affected key U.S. government departments.
- Cozy Bear's tactics and targets continue to evolve, and it remains a threat to political bodies and beyond.

2024-03-23 06:07:16 | thehackernews | NATION STATE ACTIVITY | Russian APT29 Group Targets German Politics with WINELOADER Malware
- Mandiant attributes cyber attacks on German political parties to APT29, a hacking group linked to Russia's SVR.
- The group paired WINELOADER malware with phishing lures styled as wine-tasting invitations.
- Targets received phishing emails bearing a fraudulent CDU (Christian Democratic Union) logo around February 26, 2024, marking a new operational focus on political parties for APT29.
- Initial infection starts with an emailed invitation that links to a malicious ZIP file; the ZIP delivers the ROOTSAW dropper, which in turn fetches and runs the WINELOADER payload.
- The WINELOADER backdoor enables remote execution of additional modules and shares characteristics with other APT29-associated malware.
- APT29 previously concentrated on diplomatic missions but has expanded its targeting to political intelligence, reflecting the SVR's strategic interests.
- Separately, a German military officer, Thomas H, has been charged with espionage for offering cooperation to Russian intelligence and transmitting sensitive information to it.

2024-03-22 22:04:33 | theregister | NATION STATE ACTIVITY | Chinese Spies Exploited Critical Bugs for Access to Western Networks
- Chinese operatives exploited critical vulnerabilities in F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) to gain access to US and UK networks.
- Mandiant assesses "with moderate confidence" that the group UNC5174, operating under the persona "Uteus", carried out the attacks on behalf of China's Ministry of State Security (MSS).
- The group's activities included selling access to compromised networks, among them US defense and UK government entities.
- UNC5174 used custom tooling and the SUPERSHELL command-and-control framework to infiltrate networks via the F5 BIG-IP bug, then attempted to sell the access.
- In its campaigns, UNC5174 also exploited vulnerabilities in Atlassian Confluence, the Linux kernel, and Zyxel firewall OS.
- The attackers targeted universities, think tanks, and government entities, conducting reconnaissance, scanning, and aggressive fuzzing for vulnerabilities.
- After gaining access, the operators created administrator accounts and deployed malware such as SNOWLIGHT, GOHEAVY, and GOREVERSE for persistent access and control.
- Mandiant's report warns of the continued threat from China-nexus actors and provides indicators of compromise for network defenders.

2024-03-22 19:32:05 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT29 Hackers Target German Parties with WineLoader Malware
- A Russian hacking group associated with the SVR is now attacking German political parties with the WineLoader malware.
- The shift in focus from diplomatic entities to political parties is an operational change for the group, known as APT29, NOBELIUM, or Cozy Bear.
- WineLoader provides remote access for espionage and is the latest in a series of sophisticated tools used by APT29.
- The campaign, observed since late February 2024, uses phishing emails impersonating the Christian Democratic Union to distribute the malware.
- APT29 previously targeted cloud services and email environments, and its activity shows a persistent and evolving threat.
- Mandiant researchers have seen WineLoader used in several countries, indicating a broad and continuing espionage effort.
- WineLoader's complexity and evasion techniques reflect APT29's technical sophistication and adaptability.

2024-03-22 17:50:13 | bleepingcomputer | CYBERCRIME | Mozilla Addresses Two Exploited Zero-Day Vulnerabilities in Firefox
- Mozilla has released updates fixing two zero-day vulnerabilities in Firefox that were exploited at the Pwn2Own Vancouver 2024 contest.
- Researcher Manfred Paul received a $100,000 award for discovering and demonstrating the flaws, which together gave remote code execution and a sandbox escape.
- The first flaw, CVE-2024-29944, lets an attacker inject an event handler into a privileged object and run arbitrary JavaScript in the parent process, which is the sandbox escape; the second, CVE-2024-29943, is an out-of-bounds read or write on a JavaScript object achieved by fooling range-based bounds-check elimination.
- Both were patched in Firefox 124.0.1 and Firefox ESR 115.9.1.
- The fixes shipped one day after the exploits were demonstrated at the contest, far inside the 90-day disclosure window that Trend Micro's Zero Day Initiative gives vendors.
- In total, Pwn2Own Vancouver 2024 participants earned over $1 million for 29 zero-day vulnerabilities, with Manfred Paul leading the event in both cash prizes and points.
- The event demonstrated exploitable weaknesses in the major browsers, including Firefox, Safari, Chrome, and Edge, and underlined the ongoing value of sanctioned vulnerability research.

2024-03-22 17:04:19 | theregister | CYBERCRIME | Keycard Security Flaw Exposes Millions of Hotel Rooms to Risk
- Security flaws in Saflok keycard locks made by dormakaba potentially affect 3 million doors worldwide, a significant risk to hotel security.
- The attack, named "Unsaflok", affects locks commonly used in hotels, elevators, and parking garages across 131 countries.
- Researchers disclosed the vulnerabilities in September 2022 and a fix was developed by November 2023, but only 36% of affected locks have been updated so far.
- The attack requires a keycard from the targeted property; from it, two new cards are produced with commercially available tools and used to open doors without authorization.
- Remediation is not limited to the locks: hotel management software, keycard encoders, and the keycards themselves also have to be updated.
- There is no evidence of prior exploitation, but the weakness has existed for over 36 years, so undetected intrusions cannot be ruled out.
- Full details of the exploit have been withheld to limit misuse while hotels upgrade their systems.
- Other keycard systems have been broken in the past; Unsaflok is the latest widespread vulnerability in hotel access control.