Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11798
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-08 06:16:11 | thehackernews | CYBERCRIME | JetBrains TeamCity Vulnerability Actively Exploited, CISA Issues Alert | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in JetBrains TeamCity to its list of exploited vulnerabilities. Tracked as CVE-2024-27198, the vulnerability allows attackers to bypass authentication and compromise servers, with a CVSS score of 9.8. An additional moderate-severity flaw, CVE-2024-27199, was also addressed, allowing partial information disclosure and system modification. Attacks exploiting the vulnerabilities have been linked to the delivery of Jasmin ransomware and the creation of rogue user accounts. Exploitation attempts detected since March 4, 2024, indicate active and widespread efforts by threat actors to leverage the flaw. CISA advises users of the on-premises TeamCity software to update immediately, with federal agencies mandated to patch by March 28, 2024. | Details |
| 2024-03-08 04:34:14 | bleepingcomputer | CYBERCRIME | Security Flaw Found: Tesla's App Vulnerable to Phishing Attacks | Researchers uncovered a Man-in-the-Middle (MiTM) phishing technique that compromises Tesla accounts, enabling car unlocking and engine starting. The latest versions of the Tesla app and software are susceptible to this sophisticated attack. After stealing Tesla account credentials, attackers can generate a new 'Phone Key' to gain access to the vehicle without proper authentication. Tesla deemed the researchers' report "out of scope," not recognizing it as a significant vulnerability. The attack can be carried out with a variety of devices capable of creating a WiFi hotspot, not only the Flipper Zero used in the demonstration. Once connected to a fake "Tesla Guest" network, victims are tricked into providing login details and two-factor authentication codes. Tesla has not issued any official response or update to address the reported security oversight, leaving users potentially vulnerable to such exploits. | Details |
| 2024-03-08 03:58:26 | theregister | CYBERCRIME | Canva Uncovers Font-Related Cybersecurity Vulnerabilities | Canva, an Australian online graphic design platform, has identified security vulnerabilities in font processing tools. Three vulnerabilities were disclosed, with CVE-2023-45139 being a high-severity issue involving the manipulation of fonts with the Python library FontTools. The vulnerabilities CVE-2024-25081 and CVE-2024-25082 pertain to font naming conventions and compression, leading to potential security challenges. Canva's researchers demonstrated that certain tools could be tricked into executing commands or accessing unauthorized files. Specifically, the proof of concept showed that FontForge, a font manipulation tool, could extract and operate on maliciously crafted fonts in temporary directories, leading to command injection. Canva highlighted the pervasive risk presented by complex and prevalent font processing in both individual and corporate settings. In response to these findings, Canva urged the cybersecurity community to treat fonts with the same caution as any other untrusted input and called for more research into font security. | Details |
| 2024-03-08 01:05:24 | theregister | NATION STATE ACTIVITY | Strengthening Open Source Security with New Government and Community Initiatives | The U.S. government and major open source organizations launched initiatives to enhance software supply-chain security. CISA introduced a voluntary threat intelligence sharing program to collaborate with open source software developers globally. Initiatives include the Rust Foundation's development of a public key infrastructure and tools for identifying malicious packages. The Python Software Foundation expanded its Trusted Publishing to additional platforms, enabling identity verification for package maintainers. Maven Central will introduce a new publishing portal with improved security measures, including multi-factor authentication. NPM requires MFA for high-impact project maintainers and promotes the use of Software Bill of Materials for tracing dependencies. The Biden administration has emphasized open source software security since the Log4j vulnerabilities highlighted critical infrastructure risks. CISA director Jen Easterly urged software manufacturers to support open source security through financial contributions or developer time. | Details |
| 2024-03-07 23:08:05 | bleepingcomputer | MISCELLANEOUS | CISA and NSA Release Guidelines to Strengthen Cloud Security | The NSA and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly published cybersecurity bulletins on securing cloud environments. Their guidance covers identity and access management, key management practices, encryption, cloud storage management, and addressing managed service provider risks. These best practices entail configuring multi-factor authentication, secure credential storage, privilege partitioning, and secure Key Management Solutions (KMS). Recommendations include implementing network segmentation, encrypting data in transit, and securing cloud storage with proper auditing systems. The guidance document also highlights how to minimize threats from Managed Service Providers (MSPs), including securing accounts, auditing activity, and careful contract negotiations. Attention is drawn to attacks by threat actors on cloud services for data access and as a stepping-stone to infiltrate internal networks, as seen in attacks by Nobelium actors. CISA previously released the 'Untitled Goose Tool' to help detect attacks on Azure cloud services, underscoring the ongoing need for robust defense strategies in cloud security. | Details |
| 2024-03-07 21:46:36 | theregister | CYBERCRIME | US State AGs Demand Meta Tackle Rising Account Takeovers | A coalition of 41 US state attorneys general has sent a letter to Meta Platforms, Inc. concerning a substantial increase in user complaints about account takeovers on Facebook and Instagram. The attorneys general are frustrated with the high volume of complaints, which in some states have risen more than tenfold, and refuse to act as Meta's customer service representatives. Complaints surged around the same time Meta announced large-scale layoffs, suggesting a potential connection between the reduced workforce and increased security incidents. Phone number recycling is highlighted as one known issue causing account takeovers, with Meta previously pinning responsibility on telecom companies. The state AGs are urging Meta to take immediate action by investing more in mitigation tactics and improving its response to users with compromised accounts. They suggest that Meta implement additional measures, such as enhanced multi-step authentication, to protect against unauthorized access. While Meta claims to invest heavily in training and educating users on security, the efficacy of these measures in preventing the reported surge in account takeovers is brought into question. | Details |
| 2024-03-07 20:30:13 | bleepingcomputer | DATA BREACH | Major Swiss Government Data Leak: 65,000 Documents Compromised | The Swiss National Cyber Security Centre reported a data breach affecting 65,000 government files. Xplain, a Swiss software provider for government bodies, was targeted by the Play ransomware gang on May 23, 2023. The attacker threatened to release confidential data and published the documents on a darknet portal in early June 2023. The breached data includes sensitive information from various Swiss federal departments and the military force. The Swiss government's administrative investigation, to be completed by the end of the month, will offer cybersecurity recommendations. The complexity of analyzing the unstructured leaked data and the legal intricacies of handling confidential information are cited as reasons for the prolonged investigation. | Details |
| 2024-03-07 19:44:08 | bleepingcomputer | CYBERCRIME | Vulnerability in Tesla App Allows Wireless Car Theft via Phishing | A phishing attack using Flipper Zero can compromise Tesla accounts and enable attackers to unlock and start Tesla vehicles. Researchers Talal Haj Bakry and Tommy Mysk found that linking a car to a new phone does not require adequate authentication. Tesla deemed the security concern reported by the researchers as "out of scope" for their current security measures. Attackers can establish a fake "Tesla Guest" WiFi network, prompting users to enter their credentials on a phishing login page. Once a victim connects to the spoofed network, attackers can capture account credentials and one-time passwords to bypass two-factor authentication. With access to the victim's Tesla account, malicious actors can add a new 'Phone Key' without requiring the physical presence of the Tesla Card Key or any notification to the owner. Researchers recommend requiring a physical Tesla Card Key to authenticate the addition of new Phone Keys, but Tesla's response suggests it is an intended feature. BleepingComputer has reached out to Tesla for comment on potential updates to address these security issues, but has not yet received a response. | Details |
| 2024-03-07 19:38:52 | bleepingcomputer | CYBERCRIME | Flipper Zero Exploit Threatens Tesla Vehicle Security | Security researchers Talal Haj Bakry and Tommy Mysk have found a vulnerability, demonstrated using a Flipper Zero device, that could compromise Tesla accounts and steal cars. The exploit uses a simple Wi-Fi phishing attack to trick Tesla owners into connecting to a fake network and entering their account credentials. Attackers can use the stolen information to bypass two-factor authentication and add a new 'Phone Key,' allowing them to unlock and activate the vehicle's systems. The researchers have reported the issue to Tesla, but the company has deemed the vulnerability report to be outside of its scope of concern. Although Tesla's response suggests this behavior is intended, no security measures or notifications are currently in place to alert owners of a new Phone Key being added. The vulnerability report highlights a significant security gap in Tesla's process for linking a car to a new phone without additional physical authentication measures. | Details |
| 2024-03-07 18:32:20 | theregister | NATION STATE ACTIVITY | Possible Chinese State-Linked Actor Behind Healthcare Ransomware Attack | The Change Healthcare ransomware attack last month may be linked to Chinese government-backed cybercrime groups. The attack caused significant disruptions, making pharmacies incapable of processing health insurance claims and forcing some patients to pay out of pocket. The attacker, who goes by "Notchy," claims to be an affiliate of the ALPHV/BlackCat group and alleges that Change Healthcare's parent company UnitedHealth paid a $22 million ransom. Menlo Security's report suggests a high probability of "Notchy" being associated with Chinese nation-state groups, based on their activities and purchases on dark-web forums. The attackers used tools like Cobalt Strike, commonly employed in cyberattacks, and were discovered buying additional malware. The US Department of Health and Human Services has intervened to assist affected healthcare providers, while the American Hospital Association has called for further action from Congress. | Details |
| 2024-03-07 17:10:42 | bleepingcomputer | CYBERCRIME | Researchers Expose Phishing Method to Unlock Teslas | A Flipper Zero device enables phishing attacks that compromise Tesla accounts and enable car theft. The attack exploits a gap in authentication when adding a new phone as a key to Tesla vehicles. Attackers create a deceptive Wi-Fi network, similar to ones found at Tesla stations, to capture login details. Once in possession of account credentials, attackers can track the vehicle and add a new 'Phone Key' without alerting the owner. The vulnerability reported to Tesla was deemed "out of scope" by the car maker. Security researchers stress the need for improved safeguards, such as requiring a physical card key for new phone additions. Tesla has not yet responded to inquiries about potential updates to address the security issue. | Details |
| 2024-03-07 16:39:52 | theregister | CYBERCRIME | Ransomware Attack Targets Unpatched JetBrains TeamCity Servers | Over 1,000 JetBrains TeamCity servers remain vulnerable to recent exploits, leading to an increase in ransomware attacks. Researchers have observed active exploitation attempts, including deployment of a modified Jasmin ransomware variant. Poor coordination in vulnerability disclosure between JetBrains and Rapid7 has led to details of the exploits being publicized alongside patch releases. Attackers are exploiting two TeamCity vulnerabilities (one critical) to create hundreds of unauthorized accounts for future misuse. The United States and Germany are the two countries with the highest numbers of exposed and vulnerable TeamCity servers. Security professionals are advised to patch TeamCity servers running versions prior to 2023.11.4 immediately to mitigate the risk of supply chain attacks. The cybersecurity community is divided on whether the rapid disclosure of vulnerabilities alongside patches is the best approach for customer protection. | Details |
| 2024-03-07 16:14:02 | bleepingcomputer | CYBERCRIME | AnyCubic Releases Firmware to Address 3D Printer Vulnerability | AnyCubic issued a firmware update for Kobra 3D printers to fix a zero-day flaw exploited by attackers. Users reported unauthorized print jobs warning them about a critical vulnerability due to insecure MQTT service API permissions. Attackers could send commands remotely, causing a G-code file with a security warning to be printed. The researchers behind the discovery had contacted AnyCubic thrice without receiving a response, prompting them to expose the issue publicly. AnyCubic's latest firmware strengthens security verification and permission management, with additional updates planned. AnyCubic provided instructions for users to disable WiFi on their printers if they are uncomfortable with cloud service access. While apologizing for the incident, AnyCubic has not addressed the lack of response to the researchers' initial warnings. | Details |
| 2024-03-07 13:51:30 | thehackernews | MALWARE | WordPress Sites Compromised to Launch Brute-Force Attacks | WordPress sites have been compromised by hackers using JavaScript injections to facilitate distributed brute-force attacks. Security researchers from Sucuri detected over 700 sites where malicious scripts were used to attack other WordPress sites using common and leaked passwords. The attacks are conducted through visitors' browsers without their knowledge, trying to upload files with encrypted credentials to other sites via the XML-RPC API. It is unclear why attackers shifted from using crypto wallet drainers to brute-force methods, but the change might be profit-driven. Despite the focus on brute-forcing, crypto drainers caused digital asset losses in the hundreds of millions in 2023. Threat actors exploit a critical vulnerability in the 3DPrint Lite WordPress plugin to install the Godzilla web shell for persistent access. A new campaign using SocGholish (aka FakeUpdates) distributes JavaScript malware through modified versions of legitimate WordPress plugins by exploiting admin credentials. | Details |
| 2024-03-07 13:25:47 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Tibetan Groups with Sophisticated Cyberattacks | Evasive Panda, a China-linked hacking group, has been targeting the Tibetan community through watering hole and supply chain attacks since September 2023. Cybersecurity firm ESET discovered that the hackers compromised Tibetan websites and software to distribute malware, including a new Windows implant called Nightdoor. Evasive Panda strategically targeted IP addresses from India, Taiwan, Hong Kong, Australia, and the U.S., coinciding with the annual Kagyu Monlam Festival in India. Malware distributed through these attacks leverages the Google Drive API for command-and-control activities and can perform various espionage tasks. The supply chain attack involved a Tibetan software company's website, distributing trojanized installers that delivered MgBot or Nightdoor malware. The campaign also compromised the Kagyu International Monlam Trust's website and a Tibetan news website, using them to host malicious payloads. ESET's findings reveal an ongoing cyber espionage campaign by Evasive Panda, which has been active since 2012, aiming to infiltrate targeted networks in East Asia. | Details |