Daily Brief


Total articles found: 11807


2024-03-22 16:13:13 bleepingcomputer CYBERCRIME German Police Seize Darknet Cybercrime Marketplace Nemesis
German authorities have dismantled Nemesis Market, a prominent darknet platform involved in cybercrime, seizing its infrastructure in Germany and Lithuania. About $100,000 in cash was confiscated as law enforcement took down the website on March 20, 2024. Nemesis Market was known for selling illegal drugs, stolen data, credit cards, and services for ransomware, phishing, and DDoS attacks. The marketplace, launched in 2021, accommodated over 150,000 users and 1,100 sellers, with a significant 20% of users located in Germany. The investigation into Nemesis Market, initiated in October 2022, was a collaboration between German, Lithuanian, and American agencies, including the FBI, DEA, and IRS-CI. Although the Nemesis website now shows a seizure notice, authorities have not yet disclosed whether any arrests have been made of the server administrators or main operators. Earlier busts by German police include the German-speaking 'Crimemarket' in March 2024 and 'Kingdom Market' in December 2023, demonstrating the ongoing effort to tackle cybercrime on darknet platforms. The largest takedown was of the 'Hydra' market in April 2022, which had over 17 million members and 19,000 sellers.
2024-03-22 15:07:02 theregister CYBERCRIME Apple Silicon Vulnerability Threatens Cryptographic Security
Researchers discovered a hardware-level vulnerability in Apple Silicon processors that can leak cryptographic keys. The flaw, named GoFetch, involves data memory-dependent prefetchers (DMPs) that may inadvertently leak data resembling a pointer. The vulnerability creates risk for cryptographic operations, allowing a malicious app to extract keys if it runs on the same CPU cluster as the victim process. The team demonstrated successful attacks on M1 chips and found that base-model M2 and M3 CPUs display similar weaknesses. Disabling the DMP can mitigate the issue, but this workaround would substantially degrade performance. The problem is harder to mitigate on Apple processors than on Intel's 13th Gen Raptor Lake microarchitecture, whose DMP has more restrictive activation criteria. The researchers' findings mean that third-party cryptographic libraries must harden their implementations to prevent successful exploitation.
2024-03-22 15:01:42 bleepingcomputer CYBERCRIME New GoFetch Attack Exploits Apple CPUs to Steal Cryptographic Keys
Researchers uncovered a side-channel attack, named GoFetch, that targets Apple's M1, M2, and M3 processors and risks exposure of cryptographic keys. The GoFetch attack exploits the data memory-dependent prefetchers in modern Apple CPUs, violating constant-time cryptographic execution principles. Capable of extracting private keys for algorithms such as OpenSSL Diffie-Hellman and CRYSTALS-Kyber, this hardware vulnerability lacks a direct fix in affected chips. Apple was informed about the vulnerability on December 5, 2023, yet any potential software mitigation is likely to degrade the performance of cryptographic operations. Intel's latest CPUs have a more restrictive prefetcher implementation and appear to be unaffected by this specific attack. Defensive measures recommended for developers include input blinding and DMP activation masking, but no simple solution exists for end users apart from general safe computing practices. Apple has commented little on the GoFetch issue; advised mitigations are available on a developer page, without indicating concrete plans for a security patch.
2024-03-22 14:10:39 thehackernews CYBERCRIME New StrelaStealer Phishing Attacks Target Major Sectors in E.U. and U.S.
Cybersecurity researchers have identified a series of phishing attacks using StrelaStealer malware affecting over 100 organizations across the E.U. and the U.S. The attacks involve spam emails with varying types of attachments designed to evade detection and launch the malware's DLL payload. StrelaStealer is capable of extracting email credentials from popular email clients and sending the information to servers controlled by attackers. Recent campaigns have shown a trend toward using invoice-themed emails with ZIP attachments containing a JavaScript file to initiate infection. The malware utilizes advanced obfuscation and anti-analysis techniques to complicate detection within sandboxed environments. Broader cybersecurity observations note the prevalence of other stealers like Stealc and RATs such as Revenge RAT and Remcos RAT, often packed using cryptors-as-a-service platforms. Separately, a social engineering scam involving fake obituary notices and SEO poisoning has been discovered, primarily aimed at pushing adware and other unwanted programs. The use of malware-as-a-service (MaaS) is highlighted, showing how relatively unskilled threat actors can conduct large-scale, successful attacks leveraging readily available tools and malware.
2024-03-22 13:49:56 theregister DATA BREACH NIST's National Vulnerability Database Experiences Analysis Delays
The U.S. National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) is undergoing a significant slowdown in adding analysis to reported vulnerabilities. NIST announced on February 15th, 2024, that users will experience delays in analysis efforts amid the transition to a new consortium aimed at improving the NVD program. Without the standard analysis, cybersecurity professionals struggle to assess and manage vulnerabilities effectively, as NIST's insights and scores (like CVSS) are critical for understanding the severity of security holes. The current halt in updates has resulted in thousands of Common Vulnerabilities and Exposures (CVEs) going without any record of NVD analysis, posing challenges for scanning and assessing software risks. Alternative sources like Open Source Vulnerabilities (OSV) or GitHub Security Advisory DB are available, but many organizations, especially government contractors, are mandated by law to use NIST's CVSS and NVD. Attempts are being made to compensate for the missing NVD data, such as Anchore's open-source project called NVD Data Overrides, which aims to provide a stopgap solution minus CVSS scores.
2024-03-22 13:49:55 thehackernews CYBERCRIME AWS Remedies Critical Session Hijack Vulnerability in Airflow Service
AWS has patched a critical vulnerability in AWS Managed Workflows for Apache Airflow (MWAA), named 'FlowFixation' by Tenable. The flaw enabled potential session hijacking and remote code execution on the underlying instances of the service. Attackers exploiting this weakness could have accessed connection strings, modified configurations, and triggered directed acyclic graphs (DAGs), leading to possible remote code execution (RCE) and lateral movement across services. The security issue stemmed from a session fixation flaw combined with an AWS domain misconfiguration that enabled cross-site scripting (XSS) attacks. Tenable emphasizes the broader risk associated with cloud providers' domain architecture, pointing out the potential for same-site attacks, cross-origin issues, and cookie tossing. AWS and Azure have taken steps to address the domain misconfiguration by adding affected domains to the Public Suffix List (PSL). Google Cloud, however, has not deemed the issue severe enough to warrant a fix. The report highlights the significant risks in cloud environments, including cookie-tossing attacks and the bypassing of CSRF protections via session fixation vulnerabilities.
2024-03-22 11:32:14 thehackernews MALWARE Malware Campaign 'Sign1' Infects WordPress Sites with Redirect Scams
Over 39,000 WordPress sites have been affected by the 'Sign1' malware campaign over the past six months. The latest variant of 'Sign1' has infected at least 2,500 sites in the past two months, using malicious JavaScript to redirect users to scam sites. The malware injects rogue JavaScript into HTML widgets and plugins, allowing remote execution of scripts that lead users to scam pages only if they arrive from major sites like Google or Facebook. Attackers employ dynamic URLs that change every 10 minutes to evade blocklists, using domains registered just days before their use in attacks. Sign1 appears to gain site access through brute-force attacks or by exploiting vulnerabilities in WordPress themes and plugins, often using legitimate plugins to hide malicious code. The malware remains undetected for long periods because it does not place any malicious code in server files, instead using WordPress custom HTML widgets for code injection.
2024-03-22 11:32:14 thehackernews NATION STATE ACTIVITY Chinese Espionage Ops Breach Networks Using Software Vulnerabilities
A China-linked threat group, UNC5174, exploited software flaws to infiltrate networks and deliver malware. The attackers targeted Southeast Asian and U.S. research and education organizations, Hong Kong businesses, NGOs, and government entities. The group used vulnerabilities in multiple products, including Atlassian Confluence, ConnectWise ScreenConnect, F5 BIG-IP, the Linux kernel, and Zyxel devices. Post-intrusion actions involved reconnaissance, scanning for vulnerabilities, creating admin accounts, and deploying the SNOWLIGHT and GOREVERSE malware. The threat actor also used tools like GOHEAVY for lateral movement and employed atypical practices such as applying patches to the vulnerabilities it had exploited. UNC5174 appears to be acting as an initial access broker, potentially associated with China's Ministry of State Security (MSS). There are operational similarities between UNC5174 and another access broker, UNC302, indicating a collaborative MSS-backed cyber espionage effort. The Chinese MSS has issued warnings about foreign hackers targeting domestic entities, though without specifying the responsible group or its origin.
2024-03-22 11:16:47 thehackernews MISCELLANEOUS Building Robust Cybersecurity with Zero Trust and Compliance
The ThreatLocker® Zero Trust Endpoint Protection Platform advocates for a deny-by-default approach, enhancing organizational security against cyber threats. The platform aligns with multiple compliance frameworks, providing confidence in protection against devastating attacks such as ransomware. Cybersecurity compliance frameworks assist in developing strong security measures but can be ambiguous and complex in their requirements. Key cybersecurity practices include access management, multi-factor authentication, privileged access management, and antimalware solutions. Organizations are encouraged to implement firewall solutions, intrusion detection/prevention, and secure data encryption, among other robust security measures. Regular security reviews and adherence to written policies are emphasized to ensure continuous protection against potential threats. ThreatLocker® offers a free guide, "The IT Professional's Blueprint for Compliance", to help professionals navigate and fulfill diverse compliance obligations.
2024-03-22 06:16:49 thehackernews MISCELLANEOUS U.S. Justice Department Hits Apple with Landmark Antitrust Lawsuit
The U.S. Department of Justice, joined by 16 state and district attorneys, has filed a lawsuit against Apple, alleging the company maintains an unlawful monopoly in the smartphone market. Apple is accused of leveraging security and privacy as a pretext for anticompetitive behavior, such as selectively degrading text message security for non-iPhone users. The suit claims Apple's refusal to make iMessage interoperable with Android devices purposely undermines cross-platform communication security. Third-party attempts to enable secure messaging across platforms, like the Beeper Mini client for Android, have been stifled by Apple, citing security concerns. The DoJ argues that Apple's practices strengthen network effects, compelling consumers to stay within the Apple ecosystem and deterring them from switching to competitors. Apple plans to support the RCS messaging protocol and encryption in its Messages app, combining instant messaging features with enhanced security. Cupertino vows to "vigorously defend" against the lawsuit, asserting that a DoJ victory would set a "dangerous precedent" in government interference with technology design.
2024-03-22 05:15:43 bleepingcomputer MISCELLANEOUS Security Researchers Win Over $1 Million at Pwn2Own Vancouver 2024
Pwn2Own Vancouver 2024 concluded with security researchers awarded $1,132,500 for demonstrating 29 zero-days. Participants successfully compromised various software and a Tesla Model 3, highlighting system vulnerabilities even in fully patched configurations. The event covered multiple categories including web browsers, virtualization, enterprise applications, and automotive systems. Top awards went to Team Synacktiv for a Tesla Model 3 win and Manfred Paul earning the "Master of Pwn" title with $202,500 in total prize money. Hacking highlights include gaining remote code execution on web browsers using sophisticated exploits and breaching the Tesla ECU in under 30 seconds. Vendors affected by the zero-day vulnerabilities now have a 90-day window to issue security patches before public disclosure by the Zero Day Initiative.
2024-03-22 03:08:20 thehackernews NATION STATE ACTIVITY Russian Military-Linked Hackers Wield AcidPour Malware Against Ukraine
SentinelOne reports the deployment of upgraded 'AcidPour' malware targeting Ukrainian telecoms, potentially impacting four providers. AcidPour is connected to the AcidRain malware and appears to be associated with Russian military intelligence activity, specifically the Sandworm team. The malware predominantly aims to disable Linux x86 systems embedded in networking equipment, IoT devices, RAID storage devices, and even Industrial Control Systems (ICS). Coded in a style similar to CaddyWiper, AcidPour possesses a self-deletion feature and various device-specific wiping approaches. The hacking group UAC-0165, linked with Sandworm, is allegedly responsible for the attacks on Ukrainian infrastructure, having targeted 11 telecom service providers from May to September 2023. The disclosure of the Ukrainian telecoms attack follows claims by the Solntsepyok actor, which has GRU ties, of compromising four telecom operators on March 13, 2024. The evolving tactics of these threat actors indicate a strategic approach to causing disruptive and long-lasting impacts on critical infrastructure and communication systems.
2024-03-22 00:09:40 theregister CYBERCRIME Researchers Expose Cyber Vulnerabilities in US Truck ELDs
A study from Colorado State University reveals serious security flaws in Electronic Logging Devices (ELDs) used by US commercial truck fleets. Over 14 million trucks could be affected by these vulnerabilities, allowing hackers to potentially take control of vehicles and spread malware. ELDs are mandated for tracking driving hours and vehicle data but lack robust security controls, making them susceptible to Bluetooth or Wi-Fi attacks. Researchers demonstrated a worm that can jump from truck to truck via wireless connections, using default passwords and predictable SSIDs to spread. The potential for such a cyberattack poses severe safety and operational risks to the US commercial transportation sector. The flaws have been disclosed to the manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA) for rectification. The researchers highlight the urgency for the transportation industry to improve cybersecurity, as current ELD systems expose vehicles to significant threats.
2024-03-21 22:22:39 theregister DDOS U.S. Agencies Issue Guidelines to Protect Against DDoS Attacks
The U.S. government has issued guidance to protect critical infrastructure from DDoS attacks. The alert follows warnings about destructive cyber activity from China and coincides with the creation of a new cybersecurity task force for the water sector. Agencies including CISA, the FBI, and MS-ISAC recommend that organizations follow their report to defend against these threats. The guide clarifies the difference between DoS and DDoS attacks and outlines three main attack techniques: volume-based, protocol-based, and application-layer attacks. A set of 15 best practices is provided, including risk assessments, network monitoring, regular traffic analysis, and implementing CAPTCHAs. Implementing DDoS mitigation strategies, maintaining updated software, and conducting regular employee training are also advised. The guide stresses the importance of incident response plans, data backups, and network redundancy to protect service availability during an attack.
2024-03-21 21:26:29 theregister NATION STATE ACTIVITY Microsoft Bing Criticized for Alleged Censorship Compliance in China
Bipartisan US criticism targets Microsoft for allegedly censoring Bing search results in China on topics like human rights and democracy. Republican Senator Marco Rubio and Democrat Senator Mark Warner have condemned Microsoft's actions, advocating for Bing's withdrawal from China. A Bloomberg report suggests that Bing removes search content to align with Chinese government censorship policies. Google and Yahoo have ceased operating their search engines in China, while other Western services are blocked. Microsoft argues Bing is the least censored search option in China, providing important information despite legal content removal obligations. The company contends that leaving the Chinese market would deprive users of access to information through Bing, countering the criticism of its compliance. Previous incidents reveal that Bing has a history of censoring content and providing pro-state results in deference to China's censorship practices.