Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11792
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-27 16:31:31 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts German State of Hessen's IT Systems | The German state of Hessen has suffered a ransomware attack, leading to a shutdown of IT systems and disruptions in its consumer advice center. Frankfurt, a key financial hub, is within Hessen, impacting a significant regional population and potentially critical infrastructure. Initial effects included issues with telephone and email communications, although the state's website remains fully functional. Restoration efforts are being assisted by external IT security experts, but there is currently no timeline for when normal operations will resume. The primary concern is the potential for a data breach, as ransomware attackers typically steal data before encrypting systems, using it for extortion. While it is currently unclear if data was stolen, Hessen officials have committed to informing citizens if personal data compromises are confirmed. Hessen is cautious with data storage on servers, but specifics about the types of data they hold were not disclosed. State authorities have reported the incident to data protection and IT security offices, and a criminal complaint has been filed with the police. No ransomware group has claimed responsibility for the attack yet. | Details |
| 2024-02-27 14:49:32 | thehackernews | MALWARE | Critical Vulnerability Detected in Popular WordPress LiteSpeed Plugin | A severe security flaw in the LiteSpeed Cache plugin for WordPress, affecting over 5 million sites, enables privilege escalation without authentication. The vulnerability, identified as CVE-2023-40000, was resolved in the LiteSpeed plugin version 5.7.0.1 released in October 2023. Unauthenticated attackers can utilize this flaw to conduct site-wide cross-site scripting (XSS) attacks, leading to potential theft of sensitive data. LiteSpeed Cache aids in site performance enhancement and its latest version, 6.1, was published on February 5, 2024. The issue arises due to inadequate sanitization of user inputs and insufficient output escaping, specifically within the update_cdn_status() function. An additional XSS vulnerability (CVE-2023-4372) was discovered previously in the LiteSpeed Cache plugin and rectified in the 5.7 version. | Details |
| 2024-02-27 14:29:00 | bleepingcomputer | CYBERCRIME | Tornado Cash Mixer Compromised by Malicious Governance Proposal | Malicious JavaScript code was found in a Tornado Cash governance proposal, causing a leak of user transaction data. The leak has affected all transactions made through certain IPFS gateways since January 1, jeopardizing users' privacy and security. A security researcher discovered the compromise, which involved code sending private deposit notes to an attacker's server. Tornado Cash is an Ethereum-based service providing transaction anonymity, previously sanctioned due to its use in money laundering. The malicious code was introduced through a deceptive proposal by a purported community developer and evaded detection by disguising its exploit mechanics. Tornado Cash developers have acknowledged the issue and urged users to withdraw and regenerate their deposit notes to avoid exposure. Token holders with voting rights are being encouraged to cancel their support for the harmful proposal to undo the implemented protocol changes. | Details |
| 2024-02-27 14:23:36 | bleepingcomputer | CYBERCRIME | Malicious Code in Tornado Cash Exposes User Transactions | Tornado Cash, an Ethereum blockchain mixer, had malicious code injected through a governance proposal that leaked user transaction data. The code has been active since January 1, compromising privacy and security for users on several IPFS deployments. The vulnerability was discovered by a security researcher known as Gas404, who alerted the community to veto the corrupted governance proposal. Tornado Cash is known for its privacy features using zero-knowledge SNARKs but has faced scrutiny for its use in money laundering activities. The platform's developers have recognized the breach and recommended users withdraw and regenerate their transaction notes. Proposal 47, which introduced the harmful code, is under scrutiny, and token holders are advised to revoke their votes to mitigate the security breach. Users are advised to switch to a specific IPFS ContextHash deployment that is considered secure following a Tornado Cash governance validation. | Details |
| 2024-02-27 13:01:58 | thehackernews | MALWARE | Open-Source Xeno RAT: New Remote Access Trojan Threat on GitHub | A new remote access trojan (RAT) named Xeno RAT has been uploaded to GitHub, where it is freely available. Xeno RAT is compatible with Windows 10 and 11 and includes advanced features such as a SOCKS5 reverse proxy, real-time audio recording, and a hidden VNC module for remote access. The RAT is developed by a user known as moom825, who has also developed DiscordRAT 2.0, previously spread through a malicious npm package. Cyfirma has reported that Xeno RAT is being disseminated via Discord's content delivery network with a multi-stage payload delivery method. The dissemination strategy involves a shortcut file disguised as a WhatsApp screenshot that downloads and executes a malicious payload from Discord's CDN. Xeno RAT uses techniques to evade detection and analysis, including DLL side-loading and establishing system persistence. The report coincides with AhnLab Security Intelligence Center's discovery of Nood RAT, a Gh0st RAT variant targeting Linux systems, once again indicating the prevalent risk of RATs in the cybersecurity landscape. | Details |
| 2024-02-27 10:49:20 | thehackernews | CYBERCRIME | Empowering SOCs: ANY.RUN's Threat Intelligence Platform | Security Operations Centers (SOCs) contend with an overwhelming number of alerts, often leading to uninvestigated events due to the sheer volume and time required to sift through them. The manual process of investigating alerts from disjointed sources contributes significantly to delays, creating challenges in distinguishing true threats from false alarms. ANY.RUN's Threat Intelligence Lookup (TI Lookup) provides a centralized platform that aggregates Indicators of Compromise (IOCs) from their sandbox sessions, enhancing visibility into threats for quicker analysis. Users can search across various data points, including URLs, file hashes, IP addresses, and more, for comprehensive investigations. TI platforms facilitate rapid threat intelligence gathering, thus aiding in swift incident response and decision-making during security events. Active threat hunting capabilities using known IOCs can help unearth risks earlier, potentially preventing larger-scale breaches. Detailed insights into the nature and behavior of malware threats allow security teams to make informed decisions about containment, remediation, and future defenses, strengthening the organization's overall security posture. | Details |
| 2024-02-27 10:43:59 | thehackernews | NATION STATE ACTIVITY | Five Eyes Reveal Russian APT29's Advanced Cloud Hacking Strategies | The Five Eyes intelligence alliance has issued a joint advisory about APT29, a Russian state-sponsored cyber threat actor. APT29, also known as The Dukes or Cozy Bear, is linked with the Russian Foreign Intelligence Service and is known for sophisticated cyber espionage. The threat group has recently targeted Microsoft, Hewlett Packard Enterprise (HPE), and other entities, capitalizing on the shift to cloud infrastructures. The advisory underscores the need for robust defenses against APT29's methods of gaining initial access to cloud systems. Upon breaching a network, APT29 deploys advanced techniques like MagicWeb for maintaining access and control. The bulletin emphasizes the importance of vigilance as organizations modernize and transition to cloud-based systems, which APT29 is exploiting. | Details |
| 2024-02-27 10:28:26 | thehackernews | CYBERCRIME | Hugging Face Vulnerability Enables Potentially Wide Supply Chain Attacks | A critical security flaw in Hugging Face's Safetensors conversion service allows for potential supply chain attacks. Compromise of the service can enable attackers to send malicious pull requests and hijack AI models hosted on the platform. Attackers might masquerade as the official conversion bot, creating opportunities to tamper with trusted machine learning models. The service's vulnerability allows for the execution of arbitrary code when users attempt to convert models, posing significant risks to their projects. Private repository conversions could lead to token theft and internal data poisoning, amplifying the threat's impact. Public repository conversions are equally at risk, with the potential to alter widely used models and pose a considerable supply chain threat. This alarming revelation follows a report on a memory leak vulnerability affecting various GPGPUs, highlighting ongoing security challenges in ML systems. | Details |
| 2024-02-27 09:32:21 | theregister | CYBERCRIME | Ransomware Attacks Predominantly Target Manufacturing Sector in 2023 | In 2023, 70% of ransomware infections within industrial organizations struck the manufacturing industry, according to a report by Dragos. Manufacturing is a more attractive target due to earlier adoption of digital transformation, leading to a higher number of insecure, connected systems. Dragos' findings indicate that manufacturing is particularly challenged in network segmentation, increasing the risk of intruders moving across systems. Attackers target operational technology (OT) because it impacts the revenue-generating processes of companies, prompting faster and higher ransom payments. The ransomware incident at PSI Software disrupted the company's IT systems and highlighted supply-chain vulnerabilities within the manufacturing sector. Attacks often start within traditional IT environments before moving to OT, as seen in recent activity by the ransomware group LAURIONITE, which exploited Oracle iSupplier vulnerabilities. Although the focus has been on manufacturing, the report suggests that other critical infrastructure sectors might follow the same trend. | Details |
| 2024-02-27 07:55:20 | bleepingcomputer | MISCELLANEOUS | Microsoft Encounters Update Installation Errors on Windows 11 | Microsoft acknowledges that the February 2024 updates for Windows 11 versions 22H2 and 23H2 are failing to install, resulting in 0x800F0922 errors. The errors halt update downloads at 96%, with affected systems displaying a message to reassure users while the changes are being undone. The issue has prompted Microsoft to add an entry to the Windows release health dashboard, detailing the problem and assuring users that they are working on a solution. A temporary workaround suggested by Microsoft involves deleting the 'C:\$WinREAgent' folder and potentially restarting the computer for successful update installation. The problems may be related to the Windows Recovery Environment (WinRE), drawing parallels to previous update issues in January 2024. Microsoft has also indicated that the error could be due to insufficient space in the System Reserved partition or issues with connectivity to Windows Update servers, particularly in cases where a VPN is used. | Details |
| 2024-02-27 07:34:37 | theregister | MISCELLANEOUS | Broadcom Debuts Integrated SASE Solution at Mobile World Congress | Broadcom announced the integration of VMware's SD-WAN and Symantec's Security Service Edge into a new offering called "VMware VeloCloud SASE, Secured by Symantec" at the Mobile World Congress in Barcelona. The new SASE product combines network and security services such as SD-WAN, secure web gateway, cloud access security broker, next-gen firewall, and zero trust network access. This marks the first instance of cross-brand integration following Broadcom's acquisition strategy, aiming to encourage customers to utilize more of its combined software solutions. VMware previously updated telco offerings at Mobile World Congress, but this year highlighted customer updates, including Dish Networks' 5G performance management pilot, Vodafone's network programmability proof-of-concept, and Singtel's partnership for 5G and edge cloud. It's unclear if the new customer projects are a result of the Broadcom acquisition or an existing trend, leaving questions about Broadcom's impact and strategy for VMware. Meanwhile, KKR confirmed the acquisition of VMware's end user compute portfolio for approximately $4 billion, planning to create a standalone business emphasizing customer success and partner support. Shankar Iyer of Broadcom's EUC division expressed optimism about the divestment, coinciding with his ten-year anniversary in the division, citing the move as an opportunity for dedicated focus and growth. | Details |
| 2024-02-27 05:47:58 | thehackernews | MALWARE | Critical SQL Injection Flaw in WordPress Plugin Endangers Websites | A severe SQL Injection vulnerability has been discovered in the Ultimate Member WordPress plugin, affecting over 200,000 websites. Christiaan Swiers identified the vulnerability, CVE-2024-1071, with a high severity CVSS score of 9.8. The flaw stems from improper escaping of a 'sorting' parameter and could allow unauthenticated attackers to extract sensitive data. The vulnerability is only a concern for users who enabled the "Enable custom table for usermeta" option. Developers have patched the vulnerability with the release of Ultimate Member version 2.8.3; users are urged to update immediately. Wordfence has reported an attempt to exploit this vulnerability since the disclosure. The disclosure occurs amid rising campaigns exploiting WordPress sites, injecting crypto drainers, and phishing tactics to compromise Web3 ecosystems. Additional information was provided on a new drainer-as-a-service (DaaS) scheme, and the use of Telegram bots to perpetrate fraudulent activities. | Details |
| 2024-02-27 04:06:18 | theregister | CYBERCRIME | China Alerts Public to Scams Involving Fake Digital Currency Wallets | The Ministry of Industry and Information Technology in China has issued a warning about fake digital currency wallet apps targeting users of the nation's central bank digital currency (CBDC), also known as e-Yuan or e-CNY. The fraudulent tactics used by scammers include patriotic themes and promises of high returns from get-rich-quick schemes, as well as phishing for personal information. The ministry has advised the public to only use official sources to download wallet apps and be cautious with QR codes and unfamiliar websites. Over 260 million digital wallets for the e-CNY have been issued, and as usage grows, scammers find the scale attractive for cybercrime. Despite the presence of numerous Android app stores in China, the ministry is working on keeping a list of harmful apps and advises netizens to avoid them. This initiative aligns with the Chinese government's larger goals to promote the digital yuan for international trade and to challenge the dominance of the US dollar. Authorities are expected to enforce stricter regulations on app store operators to ensure the safety and integrity of the online ecosystem in China. | Details |
| 2024-02-27 00:17:22 | bleepingcomputer | CYBERCRIME | UnitedHealth's Optum Targeted by BlackCat Ransomware Attack | UnitedHealth Group subsidiary Optum suffered a ransomware attack by BlackCat, impacting Change Healthcare's payment exchange platform. The outage has caused widespread billing disruptions across the U.S. healthcare system. Optum has initiated daily updates, taking care to restore systems without compromising security. The BlackCat ransomware group is reportedly the same gang behind former DarkSide and BlackMatter operations. The FBI has linked BlackCat to over 60 breaches and estimates its earnings at $300 million from more than 1,000 victims. UnitedHealth Group's SEC filing hinted at "nation-state" involvement, but no public evidence links BlackCat to foreign governments. The U.S. State Department has announced rewards for information leading to BlackCat gang leaders or affiliates. | Details |
| 2024-02-26 23:00:55 | bleepingcomputer | MALWARE | Stealth Malware Campaign Uses Steganography to Infect Systems | A Ukrainian group identified as 'UAC-0184' was found using steganography in image files to deploy the Remcos RAT to an entity in Finland with Ukraine ties. This method evades detection by hiding malicious code within image pixel data. Morphisec analysts detected the campaign, which began in early 2024 and follows similar attacks on the Ukrainian armed forces in 2023. The attack begins with a phishing email leading to a multi-stage infection process involving an executable and a modular malware loader called 'IDAT.' IDAT uses advanced evasion techniques, including API call resolution at runtime and dynamic code injection, to deliver the Remcos RAT undetected. Remcos RAT allows attackers to stealthily monitor and steal data from compromised systems. Other malware types, like Danabot, SystemBC, and RedLine Stealer, may also be distributed by IDAT, although specifics were not detailed for the Finland incident. | Details |