Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-14 10:28:11 | thehackernews | MISCELLANEOUS | CISOs Capitalize on Cato for Enhanced Visibility and Security | CISOs use Cato SSE 360 from the Cato SASE Cloud platform to achieve a balance between security and productivity without compromise. Leveraging Cato yields comprehensive visibility into the organization's security, networking, and connectivity, much like a SIEM. The platform provides real-time threat prevention with built-in security capabilities such as IPS, anti-malware, and daily security updates; it safeguarded against Log4j quickly. Cato supports data sovereignty through DLP and CASB functionality, aiding in sensitive information protection and controlled SaaS application interaction. The article also mentions easy policy enforcement and minimal configuration, ensuring protection against the latest threats across all users and locations. It positions Cato as a future-proof solution for CISOs, implying that it accommodates growth and evolves with security needs with no barriers to deployment or onboarding. | Details |
| 2024-03-14 07:19:37 | thehackernews | MALWARE | Ande Loader Malware Hits North American Manufacturing | Blind Eagle, a cybercrime group, has been using Ande Loader malware to deploy RATs such as Remcos RAT and NjRAT. The malware primarily targeted Spanish-speaking individuals in the manufacturing sector in North America through phishing emails. The threat actor employs phishing emails containing RAR or BZ2 archive files, which initiate the infection chain through a malicious VBScript. Ande Loader establishes persistence by adding itself to the Windows Startup folder and then drops the selected RAT payload on the victim's system. There have been cases where the malware was distributed via Discord CDN links, showing an evolution in the attack methodology. Blind Eagle utilizes crypters from known developers, one of which has hardcoded servers involved in the campaign. The report also references a SonicWall study exposing a different loader malware family (DBatLoader), which uses a compromised driver to bypass security measures. | Details |
| 2024-03-14 05:02:30 | thehackernews | MALWARE | DarkGate Malware Exploits Microsoft Flaw in Phishing Scam | DarkGate malware uses a recently patched Microsoft vulnerability (CVE-2024-21412) to bypass Windows SmartScreen, enabling zero-day attacks. Phishing emails contain PDF attachments with Google DoubleClick open redirects leading to malicious sites that distribute fake Microsoft (.MSI) installers loaded with DarkGate malware. The attack targets financial institutions and relies on convincing social engineering, using bogus installers for software such as iTunes and NVIDIA. Multiple malware families like Planet Stealer and Tweaks are exploiting popular platforms and social engineering to steal sensitive data. Cybercriminals are increasing their reach through ad campaigns and abuse of legitimate platforms to deliver various information stealers and remote access trojans. Security experts warn users to be vigilant and only trust software installers from official channels to prevent infections. | Details |
| 2024-03-14 04:21:41 | thehackernews | MALWARE | Fortinet Issues Alert on Critical FortiClientEMS Software Flaw | Fortinet has disclosed a critical SQL injection vulnerability in FortiClientEMS software, potentially leading to unauthorized code execution. The security flaw, designated CVE-2023-48788, has a high severity level with a CVSS score of 9.3 and affects Horizon3.ai, among other versions. Exploitation of this vulnerability could lead to remote code execution as SYSTEM on the server, with plans to release technical details and a PoC exploit shortly. This vulnerability was identified by Thiago Santana of the FortiClientEMS development team and the U.K. National Cyber Security Centre (NCSC). Additionally, Fortinet has fixed two other critical bugs in FortiOS and FortiProxy that also enable execution of arbitrary code via captive portal HTTP requests. There have been no active exploitations reported for these flaws, yet it's crucial for users to apply the provided software updates swiftly due to prior instances of unpatched Fortinet appliances being targeted by cybercriminals. | Details |
| 2024-03-14 01:48:57 | theregister | NATION STATE ACTIVITY | U.S. House Passes Bill Targeting TikTok's Foreign Control | The U.S. House of Representatives has passed the Protecting Americans from Foreign Adversary Controlled Applications Act, targeting TikTok specifically. If enacted, the bill would force TikTok's parent company ByteDance to sell the app's US operations or potentially face a ban. The bill, which gained bipartisan support, passed with 352 votes, citing concerns over potential intelligence gathering and surveillance by Beijing through TikTok. The Senate is yet to consider the bill, with some senators indicating plans to slow the process due to free speech concerns and the potential impact on TikTok users. The practicality of disentangling TikTok's US operations from its global infrastructure is in question, and past rumors of big tech acquisitions have emerged again. The bill's advancement is set against the backdrop of China's ban on non-Chinese social networks, highlighting an asymmetry in social network regulations between the two nations. | Details |
| 2024-03-14 01:18:23 | theregister | DATA BREACH | Nissan Oceania Alerts Customers of Significant Data Breach | Nissan Oceania is contacting around 100,000 Australian and New Zealand individuals affected by a data breach in December 2023. The breach may have been executed by the Akira ransomware gang, which claims to have stolen thousands of ID documents. Compromised data includes government IDs, with up to 10% of victims having sensitive documents like Medicare cards, driving licenses, passports, and tax file numbers stolen. Other stolen data may consist of loan transactions, employment, and salary details and could include personal information like dates of birth. Customers from associated financial services for other automakers marketed by Nissan are also affected. Nissan is offering free credit monitoring services and assistance replacing stolen ID documents, with support from IDCARE to protect against data misuse. The Akira group, responsible for significant attacks on other entities, boasts about the data on its website, suggesting it did not receive a ransom from Nissan. | Details |
| 2024-03-14 00:37:36 | theregister | DATA BREACH | Nissan Oceania Notifies 100,000 of Data Loss After Cyber Attack | Nissan Oceania will inform approximately 100,000 individuals from Australia and New Zealand about a data breach that occurred in December 2023. The breach may involve the Akira ransomware gang, which claims to have stolen thousands of ID documents along with other sensitive personal information. Stolen data includes government IDs, Medicare cards, driving licenses, passports, and tax file numbers, affecting about 10% of the victims; the remaining 90% may have had loan, employment, or salary information compromised. The breach extends beyond Nissan, impacting customers from other automakers for whom Nissan provides finance services, such as Mitsubishi and Renault. Nissan Oceania is offering affected individuals in Australia and New Zealand credit monitoring services and potential reimbursement for replacing ID documents. The Akira group has publicly shared data supposedly belonging to Nissan, indicating the possibility of a ransomware attack, but Nissan has not confirmed this. Akira ransomware has been active since March 2023, targeting several major organizations including Lush and Stanford University. | Details |
| 2024-03-13 22:50:55 | bleepingcomputer | MALWARE | DarkGate Malware Exploits Patched Windows SmartScreen Flaw | A now-patched Windows Defender SmartScreen vulnerability, CVE-2024-21412, is being exploited by hackers to deliver DarkGate malware. The malicious campaign utilizes fake software installers to bypass SmartScreen security warnings and automatically execute malware. Attackers send phishing emails with PDF attachments containing links that redirect through Google's services, evading email security measures. The attack chain involves multiple steps, including the use of .url files and a remote WebDAV server to trigger automatic execution of a malicious MSI file. The DarkGate malware, which can steal data and allow remote access, uses advanced evasion techniques and determines its operational tactics through encrypted configuration parameters. Trend Micro recommends applying Microsoft's February 2024 Patch Tuesday update to remediate the vulnerability and has published indicators of compromise for organizations to detect potential attacks. | Details |
| 2024-03-13 21:29:12 | bleepingcomputer | MALWARE | DarkGate Malware Exploit Bypasses Windows SmartScreen Security | DarkGate malware operators are exploiting a Windows Defender SmartScreen flaw, CVE-2024-21412, which was recently patched by Microsoft. The flaw allowed attackers to bypass security warnings and automatically execute malicious software installers. Attackers distributed emails with a rigged PDF that redirected victims through Google's services to compromised servers harboring malicious .url files. These .url files automatically triggered the execution of fake installer MSI files that appeared to be from reputable sources like NVIDIA and Apple. The MSI files would then deploy a DLL sideloading technique to decrypt and run the DarkGate malware, enabling data theft, payload delivery, and unauthorized remote access. The latest version of DarkGate, 6.1.7, includes enhanced encryption and configuration options for better evasion and targeted attacks. Users and organizations are urged to apply the February 2024 Patch Tuesday update to protect against this exploitation, and Trend Micro has listed all IoCs related to this campaign. | Details |
| 2024-03-13 20:17:43 | bleepingcomputer | DATA BREACH | U.S. Health Department Investigates Major Healthcare Ransomware Attack | The U.S. Department of Health and Human Services (HHS) is investigating a ransomware attack on UnitedHealth Group's subsidiary Optum, which operates Change Healthcare. The attack, attributed to the BlackCat ransomware gang, may have resulted in the theft of protected health information. Change Healthcare, a widely used payment platform in the U.S. healthcare system, was hit by the attack, causing significant service disruptions. HHS' Office for Civil Rights (OCR) is focusing on whether Health Insurance Portability and Accountability Act (HIPAA) rules were violated during the breach. The BlackCat gang claims to have stolen 6TB of data, including sensitive information from critical healthcare providers and U.S. military healthcare systems. There was an increase of 141% in individuals affected by large breaches in 2023 compared to 2022, with hacking accounting for 79% of the reported breaches. | Details |
| 2024-03-13 18:50:58 | bleepingcomputer | CYBERCRIME | Fortinet Patches Critical RCE Vulnerability in EMS Software | Fortinet fixed a critical remote code execution bug in its FortiClient Enterprise Management Server software after being alerted by the UK's National Cyber Security Centre and a Fortinet developer. The vulnerability, identified as CVE-2023-48788, affects versions 7.0 and 7.2 of the FortiClient EMS software, resulting in the potential for attackers to execute code with SYSTEM privileges on impacted servers. The SQL injection flaw in the software's DB2 Administration Server component is particularly dangerous because it can be exploited by unauthenticated attackers in low-complexity attacks without user interaction. No evidence has been disclosed on whether this vulnerability had been exploited before the patch was issued. Fortinet also fixed another critical vulnerability in the FortiOS and FortiProxy squid proxy, as well as two high-severity vulnerabilities in FortiWLM and FortiClient EMS. Attackers have previously exploited Fortinet vulnerabilities in ransomware and cyber espionage campaigns, highlighting the critical importance of applying security patches promptly. | Details |
| 2024-03-13 18:15:07 | bleepingcomputer | MALWARE | PixPirate Malware Evolves to Stealthily Hijack Android Devices | A new version of the PixPirate Android banking trojan employs innovative hiding techniques to remain undetected on devices. PixPirate specifically targets users of the Brazilian Pix payment platform and manages to operate covertly, even after its dropper app has been removed. IBM Trusteer researchers discovered that PixPirate doesn't use an app icon, making it invisible on all recent Android versions, including version 14. The malware functions by using a 'downloader' app to install a 'droppee' app, which contains the encrypted PixPirate malware and is activated by device events rather than a launcher icon. PixPirate listens for system events like device boot or connectivity changes to execute in the background, facilitating hidden fraudulent transactions. The malware has Remote Access Trojan (RAT) capabilities, automating the theft process, including capturing credentials and performing unsanctioned money transfers. PixPirate also has mechanisms to disable Google Play Protect, further reducing the chances of detection and removal by the user or system defenses. Although the malware spreads through common phishing tactics via WhatsApp or SMS, its icon-less design and event-based activation present a challenging new threat vector. | Details |
| 2024-03-13 18:04:47 | theregister | MISCELLANEOUS | Google's $10M Bug Bounty Payouts in 2023 Signal Security Focus | Google's vulnerability reward programs distributed $10 million to bug hunters in 2023, a decrease from $12 million the previous year. The company introduced new reward categories, including bounties for vulnerabilities in AI products and Android phone apps. Microsoft outpaced Google in bounty payouts, awarding $13.8 million to researchers in a similar period. Google's largest single bounty in 2023 was $113,337, awarded to an unnamed recipient for an unspecified program. The Android Vulnerability Reward Program (VRP) paid over $3.4 million for Android device security issues, and maximum rewards for critical bugs were increased to $15,000. Google included Wear OS in its bounty program and hosted live hackathon events, uncovering over 20 critical vulnerabilities with payouts totaling $70,000. The Chrome Vulnerability Reward Program (VRP) paid $2.1 million, with fewer reports following the implementation of MiraclePtr technology aimed at preventing specific types of exploits. Concerns have been raised about the effectiveness of bug bounty programs in actually improving software security, with some arguing for the importance of investing in secure software development over bounty payouts. | Details |
| 2024-03-13 16:02:25 | theregister | MISCELLANEOUS | Microsoft Copilot for Security to Enhance AI-Driven Cybersecurity | Microsoft is releasing Copilot for Security, a generative AI service for cybersecurity tasks, on April 1, 2024. The AI service, powered by GPT-4 and a specialized security model, offers automated assistance with security operations, analysis, and incident response. Integration is set up across Microsoft's own product suite, including Sentinel and Defender XDR, and with third-party services, aiming to streamline cybersecurity workflows. Features include a standalone portal or embedded service, custom promptbooks, company-specific knowledge bases, multilingual support, and detailed usage reporting. Copilot for Security employs a 'pay-as-you-go' model through Microsoft Azure, with billing based on Security Compute Units at an anticipated rate of $4/hour. According to Microsoft, users of Copilot for Security completed tasks 22% faster on average, although for some response tasks, the service slowed down progress due to its load time. The service aims to alleviate the current cybersecurity talent shortage by enabling faster and more efficient security task handling, potentially improving threat detection and response. | Details |
| 2024-03-13 15:41:35 | thehackernews | MISCELLANEOUS | OPSWAT Advocates Multi-Layered Cybersecurity in New Whitepaper | OPSWAT's latest whitepaper offers insight into the insufficiency of common file upload security tools when used in isolation. CEO Benny Czarny emphasizes the importance of a comprehensive, layered cybersecurity strategy to combat evolving malware threats. The paper identifies the limitations of standalone tools including anti-malware file scanning, web application firewalls, and sandboxing. OPSWAT's MetaDefender Platform integrates multiple layers of security technology, including more than 30 anti-malware engines for near-perfect efficacy rates. Deep Content Disarm and Reconstruction (Deep CDR) and Proactive Data Loss Prevention (DLP) are highlighted as innovative methodologies for preemptive threat neutralization and data protection. The platform also includes an adaptive, emulation-based sandboxing feature that operates alongside the other technologies for a robust defense against sophisticated malware. The whitepaper underscores OPSWAT's continued innovation to address the challenges and needs of protecting critical infrastructure in an ever-changing threat landscape. | Details |