Daily Brief


Total articles found: 11805

2024-03-21 18:17:42 bleepingcomputer CYBERCRIME Research Team Uncovers Major Security Flaws in Hotel Door Locks
A group of researchers revealed critical vulnerabilities in Saflok electronic RFID hotel door locks, potentially affecting millions of doors globally. The security flaws, collectively termed "Unsaflok," enable the creation of master keycards capable of unlocking any door within an affected hotel. Discovered during a private hacking event, these vulnerabilities have been present for over 36 years with no confirmed real-world exploits reported thus far. Dormakaba, the manufacturer of Saflok locks, was informed in November 2022 and is currently working on mitigations, including replacing or upgrading the compromised locks. As of March 2024, the process is ongoing, and approximately 64% of doors equipped with Saflok locks remain vulnerable to this exploit. Malicious keycards designed to exploit these vulnerabilities can bypass additional security measures such as deadbolts. The researchers plan to withhold the complete technical details of the vulnerabilities until the majority of affected properties have completed their security upgrades.
2024-03-21 16:05:20 thehackernews NATION STATE ACTIVITY Russian Turla Hackers Breach European NGO, Deploy Backdoor
The Russia-linked Turla group compromised systems at a European NGO to implant the TinyTurla-NG backdoor. The initial breach and the establishment of persistence were observed, with antivirus exclusions configured to help avoid detection. Since October 2023, Turla has used the Chisel tool for data exfiltration and lateral movement within the compromised network. The attack appears highly targeted, primarily affecting Polish organizations aiding Ukrainian efforts against the Russian invasion. The attackers configured Microsoft Defender to exclude their tools, then established persistence by mimicking a "System Device Manager" service. TinyTurla-NG enables ongoing reconnaissance, file exfiltration, and the deployment of a modified Chisel tunneling tool for C2 communication. The same methodology was repeated on each newly accessed system: setting exclusions, dropping malware, and ensuring persistence. The incident exemplifies sophisticated nation-state cyber espionage focused on entities that support geopolitical adversaries.
2024-03-21 15:59:59 bleepingcomputer MALWARE Thousands of WordPress Sites Compromised by Stealthy Sign1 Malware
Over 39,000 WordPress websites have been infected by a malware campaign named Sign1 within six months. Sign1 inserts malware into custom HTML widgets and legitimate WordPress plugins, avoiding direct modification of WordPress core files. The security firm Sucuri identified the campaign after detecting popup ads displayed to visitors on a client's site compromised via brute force attack. Attackers leverage time-based URL randomization and recently registered domains to avoid detection and domain blacklists, showing increased sophistication. The malware remains dormant unless a visitor comes from a major site like Google or Facebook and prevents repeat popup ads through cookies, thus reducing chances of detection. The Sign1 campaign has evolved, with current tactics including XOR encoding and random variable names to further elude security measures. Sucuri advises strong password policies and regular updates of WordPress plugins, along with the removal of unnecessary add-ons, to mitigate the risk of such attacks.
2024-03-21 15:34:21 theregister CYBERCRIME Luxury Yacht Dealer MarineMax Hit by Rhysida Ransomware
US luxury yacht dealer MarineMax was targeted by the Rhysida ransomware group, with a cyberattack disclosed to the SEC on March 10. Despite MarineMax claiming that sensitive data was not compromised, Rhysida is auctioning stolen data with a starting price of 15 Bitcoin ($1.007 million). The majority of leaked documents appear to relate to accounts and finances, posing potential risks for high-profile clients if the data is misused. MarineMax's business operations continued largely unaffected, but the breach could have significant ramifications for the company and its clients. The Rhysida ransomware group uses a distinctive auction method as a secondary monetization strategy when victims refuse to pay the ransom. CISA has previously reported on similarities between the Rhysida and Vice Society ransomware gangs, warning organizations about the common vulnerabilities exploited by these groups.
2024-03-21 15:18:45 bleepingcomputer CYBERCRIME Critical Fortinet RCE Vulnerability Actively Exploited; Patch Urged
A proof-of-concept (PoC) exploit has been released for a critical SQL injection vulnerability, CVE-2023-48788, in Fortinet's FortiClient Enterprise Management Server (EMS). This bug enables unauthenticated remote code execution with SYSTEM privileges and is being actively exploited in attacks. Affected versions include FortiClient EMS 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). The vulnerability allows attackers to execute unauthorized code or commands via crafted requests without user interaction. Fortinet has updated its security advisory, initially released last week, to confirm that CVE-2023-48788 is exploited in the wild. Security researchers from Horizon3 have published a PoC that verifies system vulnerability but requires modification for RCE attacks. According to Shodan and Shadowserver, over 300 EMS servers, mostly located in the United States, are currently exposed online. Fortinet products are commonly targeted for ransomware attacks and cyber espionage, with critical vulnerabilities like CVE-2024-21762 in FortiOS and FortiProxy being previously exploited.
2024-03-21 14:27:33 thehackernews CYBERCRIME Over 800 npm Packages Susceptible to 'Manifest Confusion' Exploitation
Over 800 npm packages were found to have discrepancies potentially exploitable by threat actors through a technique dubbed 'manifest confusion'. Research by security firm JFrog highlighted the potential risk to the software supply chain arising from the npm registry's lack of validation between package manifests and registry data. Manifest confusion allows hidden malicious dependencies to be stealthily installed during package setup, posing a significant threat to developers. Although not all discrepancies are malicious, JFrog identified 18 packages specifically designed to exploit manifest confusion, including one that shares the IP address of the installing machine. To date, no evidence suggests that this attack vector has been actively exploited, but the inherent risk remains because the underlying issues in npm's system are unresolved. Developers and organizations are urged to establish verification procedures to ensure the security and trustworthiness of the packages they use, especially to detect hidden dependencies. JFrog's findings indicate a critical need for more rigorous checks to prevent such vulnerabilities in package management systems.
2024-03-21 14:06:54 bleepingcomputer MALWARE Defending Against the Surge of Ransomware Attacks: Strategies and Measures
Ransomware continues to pose significant threats to organizations across various sectors, with the recent attack on Change Healthcare, affecting nearly 70,000 pharmacies. Veolia North America experienced a ransomware attack that disrupted their back-end applications, highlighting that critical infrastructure is also a target. VF Corporation suffered a ransomware attack resulting in data theft of 35 million customers’ information and disruptions in customer services. To counteract ransomware risks, organizations are advised to implement robust email and endpoint security, properly encrypt sensitive data, and pursue smart backup strategies. Patch management is crucial given that exploiting vulnerabilities in public-facing apps is a common initial access tactic for ransomware. Automation of security tasks can greatly enhance protection against ransomware, allowing for rapid responses and the efficient performance of security protocols without manual efforts.
2024-03-21 12:50:17 thehackernews MALWARE AndroxGh0st Malware Compromise Highlights Cloud Credential Theft
AndroxGh0st is a tool targeting Laravel applications to extract sensitive data and compromise cloud credentials. The malware exploits vulnerabilities in Apache HTTP Server, the Laravel Framework, and PHPUnit for initial access, privilege escalation, and persistence. U.S. cybersecurity agencies have issued alerts about the botnet activity associated with AndroxGh0st, which also involves known vulnerabilities such as CVE-2021-41773 and CVE-2017-9841. Attackers use the malware to steal .env file contents, including AWS, SendGrid, and Twilio credentials, to deliver additional payloads and establish control. Juniper Threat Labs reports a rise in activity around CVE-2017-9841 and emphasizes the urgency of software updates. Observations reveal that most attacks against honeypot infrastructure originated from several countries, including the U.S., the U.K., and China. The article mentions additional cyber threats, including the exploitation of WebLogic servers in South Korea and the infiltration of AWS instances by the Meson Network for bandwidth and storage resource exchanges. The cloud continues to be an attractive target for cybercriminals, underscoring the need for updated software and vigilant monitoring for suspicious activity.
2024-03-21 11:44:00 theregister CYBERCRIME Leicester City Council Struggles with Suspected Ransomware Attack
Leicester City Council is currently managing a "cyber incident," with details suggesting a probable ransomware attack despite the council's non-disclosure. A criminal investigation is underway, and the council remains tight-lipped about whether resident data has been compromised. Security experts, including Kevin Beaumont, stress the need for transparency and better management of such incidents by the UK government. Estimated recovery time has been extended from a few days to at least two weeks, affecting various council services and direct debits collection. Essential services such as child protection, homelessness, and housing repairs maintain emergency contact lines during system recovery. The council assures residents that its website is secure and emails from council sources are safe to trust, including any attachments. Apologies have been issued to the public for disruptions and inconveniences caused by the cyber incident as efforts to restore normal operations continue.
2024-03-21 11:31:27 thehackernews MISCELLANEOUS Streamlining Vendor Risk Assessments with AI and SaaS Profiles
Vendor Risk Management (VRM) is crucial for protecting organizational assets and data integrity amid the increasing dependence on third-party SaaS providers. Traditional methods for vendor risk assessment are becoming obsolete due to their slow and static nature, unable to cope with the rapid SaaS environment. Nudge Security offers a solution by providing robust security profiles for over 97,000 SaaS apps, enhanced with AI-powered risk insights. The service allows organizations to quickly identify and assess SaaS used internally and evaluate vendor security using comprehensive profiles, without extensive deployment requirements. Nudge Security helps organizations maintain a directory of approved applications and automates guidance for employees towards secure software choices. The platform speeds up evaluations of potential new SaaS purchases by providing easy access to security profiles and compliance information. Features also include visibility into the SaaS supply chain, crucial for managing data security risks and regulatory compliance. Alerts for breaches affecting SaaS providers or their supply chain are provided, enabling timely responses to mitigate potential security threats. Nudge Security's streamlined process for SaaS discovery and risk assessment offers a modern approach to VRM and improves organizations' SaaS security postures.
2024-03-21 10:30:20 thehackernews MISCELLANEOUS GitHub Introduces AI-Driven Security Autofix Tool for Developers
GitHub released a public beta feature called code scanning autofix for Advanced Security customers to enhance security by providing code suggestions. The tool, using GitHub Copilot and CodeQL, supports JavaScript, TypeScript, Java, and Python, addressing over 90% of common alert types. Autofix is powered by CodeQL, Copilot APIs, and OpenAI GPT-4, and is expected to expand to more languages such as C# and Go. It aims to help developers fix vulnerabilities instantly by recommending fixes and explanations within the context of the codebase. The system generates fixes that extend beyond a single file, including necessary changes in other files and dependencies. GitHub emphasizes the importance of developer review of each recommendation because of present limitations, such as the potential inclusion of dependencies containing malicious software. The tool is designed to streamline the patching process by offering suggestions based on the specifics of the codebase and security best practices.
2024-03-21 09:23:56 thehackernews CYBERCRIME Evolving Threats in Operational Technology Cybersecurity
Over the years, operational technology (OT) environments have seen varied cyber-attacks, necessitating improved cybersecurity measures. OT cyber-attacks are not always sophisticated; many impact production due to IT tactics, techniques, and procedures (TTPs) affecting IT assets. The article categorizes OT cyber-attacks into two main groups: those using IT TTPs and inadvertently impacting OT (Category 1) and those involving deliberate, sophisticated attacks with OT-specific TTPs (Category 2). Category 1 attacks are more common in public reports and include ransomware, data theft, and unintended OT asset disruptions caused by breaches in IT systems. Category 2 attacks, though less frequent, pose a greater risk since they target OT systems directly with the intent to disrupt or manipulate production processes. The prevalence of attacks using IT TTPs (Category 1) hints at a potential shift in cybercriminal tactics towards more advanced, OT-focused strategies (Category 2) as defenses against IT attacks improve. The analysis suggests that organizations should prioritize building resilience against IT-level threats and prepare for possible evolution in cybercriminal methods targeting OT assets. The report promotes awareness and the development of robust cybersecurity controls specifically for OT to mitigate the future risk of sophisticated OT cyber-attacks.
2024-03-21 08:12:37 thehackernews NATION STATE ACTIVITY U.S. Sanctions Target Russian Disinformation Campaign Architects
The U.S. has imposed sanctions on two Russian nationals, Ilya Gambashidze and Nikolai Tupikin, along with their companies, for orchestrating cyber influence operations. These operations involve the use of fake websites and social media accounts under the 'Doppelganger' campaign targeting European and U.S. audiences. The sanctioned entities mimicked legitimate news and government sites to disseminate disinformation and promote Russian government narratives. Over $200,000 in cryptocurrency transactions linked to one of the individuals demonstrate financial connections to a sanctioned exchange involved in Russia's illicit activities. The Doppelganger operation, active since early 2022, has been cited as a significant Russian-origin influence campaign and has utilized AI to create fake news. These measures are part of broader initiatives, including legislation aimed at preventing the sale of sensitive data to foreign adversaries and controlling foreign adversary-influenced applications.
2024-03-21 07:11:24 bleepingcomputer MISCELLANEOUS Successful Zero-Day Exploits Showcase at Pwn2Own Vancouver 2024
Pwn2Own Vancouver 2024 Day 1 ended with contestants demonstrating zero-day vulnerabilities in Windows 11, Tesla cars, and Ubuntu Linux, winning $732,500 and a Tesla Model 3. Notable achievements included Synacktiv hacking Tesla's ECU in under 30 seconds, winning the car and $200,000, and Theori researchers escaping a VMware Workstation VM, earning $130,000. Abdul Aziz Hariri of Haboob SA exploited an Adobe Reader vulnerability on macOS for a $50,000 prize. Reverse Tactics team members Bruno PUJOS and Corentin BAYET used two Oracle VirtualBox bugs and a Windows UAF to achieve SYSTEM privileges, winning $90,000. Manfred Paul successfully hacked the Apple Safari, Google Chrome, and Microsoft Edge web browsers, exploiting three zero-day vulnerabilities and securing $102,500. Vendors have a 90-day window to patch reported flaws before Trend Micro's Zero Day Initiative publicly discloses them. Pwn2Own targets a broad range of categories including web browsers, cloud-native technologies, virtualization, and automotive systems, with a total prize pool of over $1,300,000. The top award includes $500,000 and a Tesla Model 3, with significant awards for exploiting a Windows kernel vulnerability and achieving a Hyper-V Client guest-to-host escape.
2024-03-21 06:35:39 theregister CYBERCRIME Undercover Report Unveils Massive Smartphone Scam Farms in China
Chinese state television CCTV conducted an undercover investigation uncovering smartphone farms used for fraudulent activities. The farms consist of chassis packed with 20 smartphone motherboards, which are then racked in data centers holding up to 1,000 devices. These devices operate fake accounts and frequently change IP addresses to avoid detection while conducting scams such as fake e-commerce orders and boosting SEO through fake comments and likes. Rent for a 20-smartphone system can cost between RMB 3,000 ($417) and RMB 6,000 ($834), with operators remaining willfully ignorant of their clients' identities. Phone farming violates Article 53 of China's telecommunications regulations, which requires a network access license for equipment connected to the public network. E-commerce platforms are blocking search terms related to phone farms, but the farms can still be found through alternative means, some of which provide management software for screen mirroring and remote device access. While some vendors claim legitimate uses for their technology, such as game development and testing, over 23 percent of businesses involved in this sector have encountered legal issues, and less than three percent have received administrative penalties.