Daily Brief

Each entry below pairs an article's headline with a generated summary.

2024-04-18 05:56:48 thehackernews CYBERCRIME Hackers Use OpenMetadata Flaws for Crypto Mining on Kubernetes
Attackers are exploiting critical vulnerabilities in the OpenMetadata platform to gain access to Kubernetes workloads and use them for cryptocurrency mining. Microsoft Threat Intelligence observed the flaws being actively weaponized since early April 2024. They allow an attacker to bypass authentication and achieve remote code execution on unpatched, internet-exposed OpenMetadata instances. After initial access the intruders run extensive reconnaissance on the system's configuration and user activity, then confirm outbound connectivity from the compromised workload by contacting domains associated with Interactsh, an open-source out-of-band testing tool, which keeps this validation step quiet. The end goal is to deploy crypto-mining malware fetched from a server in China and to establish persistence through cron jobs. The intruders then remove the initial payloads and open a reverse shell for ongoing control. OpenMetadata users are urged to update to a patched release, change default credentials, and enforce strong authentication.
2024-04-18 05:36:13 theregister MISCELLANEOUS Singapore Cyber Chief Discusses Risks of Tech Bifurcation
David Koh, head of the Cyber Security Agency of Singapore (CSA), highlighted the challenges a technology split between China and Western countries would pose for interoperability and trade. Speaking at Black Hat Asia, Koh stressed that Singapore's historical success as a trade hub rests on an open economy and extensive global connections. Geopolitical standoffs, notably between the US and China, risk creating incompatible technology stacks, much like the incompatible standards the world has lived with before. Koh noted that while some sectors, such as national security, may not need interoperability, the general drift towards separate tech ecosystems could erode Singapore's role and influence in global trade. Singapore's agility in cyber security governance is an asset, allowing swift decision-making in a small but innovative digital economy. Koh conceded, however, that Singapore's small market limits its influence on global standards, particularly on the security features built into technology products. He called for continuous dialogue with the tech industry so that the needs and security expectations of markets like Singapore are understood and considered.
2024-04-18 05:00:23 thehackernews MALWARE Malvertising Campaign Propagates Sophisticated Backdoor via Fake IP Tool
A malicious Google Ads campaign is distributing a previously unknown backdoor, MadMxShell, through domains that mimic legitimate IP scanner software. The operators register typosquatted look-alike sites and push them to the top of Google search results with targeted keyword advertising. Some 45 fake domains were registered between November 2023 and March 2024, posing as tools such as Advanced IP Scanner and Angry IP Scanner. A user who downloads from one of these sites receives a ZIP file containing an executable and a malicious DLL; the executable side-loads the DLL, which then uses process hollowing to run the payload. The backdoor collects system information, executes commands, and reads and writes files, and it carries its command-and-control traffic inside DNS MX queries and responses, a channel most network monitoring ignores. Anti-dumping tricks and the DNS tunnelling itself are there to evade endpoint security and network monitoring tools. The operators have been active on underground forums, where they discuss ways to run Google Ads campaigns without immediate financial cost.
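The MX-query channel described above is detectable from resolver logs because no mail client or MTA resolves dozens of unique, encoded-looking subdomains of one domain with qtype MX. The following is an added example, not Zscaler's detection logic or anything from the MadMxShell report; the log format and the sample lines are constructed, and the thresholds (5 queries, 80% unique names, 3.0 bits of label entropy) are starting points to tune, not values from the page.

```python
"""Spot DNS MX lookups used as a covert channel, the MadMxShell pattern: one host
resolving many unique, high-entropy subdomains of a single parent domain with
qtype MX, which no mail client or MTA does. Added example over constructed
resolver log lines; not Zscaler's detection logic."""
from collections import Counter, defaultdict
import math
import re

# Constructed log shape (assumption, not any real resolver's format):
# "<epoch> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\w+)$")

# Constructed sample: 10.0.0.5 behaves like a mail server, 10.0.0.23 like an infected host.
SAMPLE_LOG = """\
1713300001 10.0.0.5 example.com MX
1713300002 10.0.0.5 example.net MX
1713300003 10.0.0.5 example.org MX
1713300004 10.0.0.5 example.com MX
1713300005 10.0.0.5 example.net MX
1713300006 10.0.0.5 example.org MX
1713300010 10.0.0.23 update.example.com A
1713300011 10.0.0.23 3f9a1c7b2e0d6485.evil.example MX
1713300012 10.0.0.23 a7c1e3f50b2d9684.evil.example MX
1713300013 10.0.0.23 b4d8f2a60e1c3957.evil.example MX
1713300014 10.0.0.23 5e0c2f8a4b6d1397.evil.example MX
1713300015 10.0.0.23 c9a3e7f1b5d02468.evil.example MX
1713300016 10.0.0.23 6d2b0f4e8a1c5793.evil.example MX
1713300017 10.0.0.23 f1e3d5c7b9a80246.evil.example MX
1713300018 10.0.0.23 2a4c6e8f0b1d3579.evil.example MX
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a string; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels (a public-suffix list is better)."""
    return ".".join(qname.split(".")[-2:])


def detect_mx_tunneling(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Group MX queries by (client, parent domain) and alert when the queried
    names are numerous, mostly unique and encoded-looking (high entropy)."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "entropy": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(4).upper() != "MX":
            continue
        qname = m.group(3).lower().rstrip(".")
        labels = qname.split(".")
        st = stats[(m.group(2), parent_domain(qname))]
        st["n"] += 1
        st["names"].add(qname)
        # Entropy of the part below the parent domain, where the encoded data lives.
        st["entropy"].append(shannon_entropy("".join(labels[:-2])))
    alerts = []
    for (client, domain), st in stats.items():
        mean_ent = sum(st["entropy"]) / st["n"]
        if (st["n"] >= min_queries
                and len(st["names"]) / st["n"] >= min_unique_ratio
                and mean_ent >= min_entropy):
            alerts.append({"client": client, "domain": domain, "mx_queries": st["n"],
                           "unique_names": len(st["names"]),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mx_tunneling(SAMPLE_LOG.splitlines()):
        print(alert)
```

The mail server's repeated MX lookups for bare domains score zero entropy and never trip the rule, while the infected host's eight unique hex subdomains under one parent do. On real data, feed the function a stream of lines from your resolver or passive-DNS source and raise the thresholds until legitimate mail relays are quiet.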
2024-04-18 03:33:48 theregister NATION STATE ACTIVITY Taiwanese Film Studio Buys Sanctioned Chinese Camera Maker
Zhejiang Dahua Technology, the Chinese surveillance camera manufacturer, has sold its US subsidiary to Taiwan's Central Motion Picture Corporation (CMPC) for $15 million. Dahua was placed on the US entity list in October 2019 over its involvement in the mass surveillance of Uyghurs, and was later hit with further restrictions, including an FCC freeze on new equipment authorizations. The sale, finalized on January 3, 2024, covers all of Dahua's remaining US operations and includes about $1 million of inventory. It was initially communicated to distributors under different company names, raising questions about the deal's transparency. CMPC, a major Taiwanese film studio, is stepping well outside its usual business by acquiring a technology company. How Dahua's US business will be integrated into CMPC, and what the acquisition means in practice, awaits clarification from official sources.
2024-04-17 23:50:04 theregister NATION STATE ACTIVITY US Senate Debates Expansion of Warrantless Surveillance Powers
The US Senate is set to vote on a renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA) that would broaden warrantless surveillance powers. The House of Representatives has already passed the Reforming Intelligence and Securing America Act (RISAA), which reauthorizes and in places expands Section 702. Section 702 lets US intelligence agencies monitor the communications of foreigners outside the US, but it also incidentally collects Americans' communications without a warrant. A controversial amendment in RISAA would redefine "electronic communications service provider" to cover virtually any entity with access to data communications equipment, compelling them to assist in surveillance. Senator Ron Wyden and organizations including the ACLU and the Electronic Frontier Foundation strongly oppose the provision, citing privacy concerns and the potential for abuse. Major technology firms and their lobby groups, such as the Information Technology Industry Council, warn that broadening the authority could hurt the international competitiveness of US tech companies. Critics say the change would amount to widespread mandatory government spying, turning ordinary businesses and their workers into unwilling surveillance agents. A decision on the bill and its key amendments is imminent, with the White House urging rapid passage before the existing authority expires.
2024-04-17 21:43:01 bleepingcomputer MALWARE SoumniBot Malware Evades Detection Using Android Bugs
SoumniBot, a new Android banking trojan, evades detection through unusual obfuscation that exploits lenient APK manifest parsing in Android. Kaspersky researchers describe three tricks: the AndroidManifest.xml entry in the APK's ZIP container carries an invalid compression method value, which Android's parser treats as "uncompressed" and accepts while many analysis tools reject or misread the file; the manifest's declared size is larger than its real size, so the parsed file carries trailing junk; and the manifest uses extremely long strings as XML namespace names, which automated analysis tools cannot handle. Android itself installs and runs the app normally in all three cases. Once active, SoumniBot hides its icon, contacts a hardcoded server for configuration, steals contact lists, account details and data used for online banking, and receives commands over an MQTT server. Kaspersky notified Google that the official APK Analyzer utility cannot process files manipulated this way. The report includes indicators of compromise, such as sample hashes and command-and-control domains.
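The first two tricks above live in plain ZIP header fields, so a triage tool can check for them without parsing the binary XML at all. The following is an added example, not Kaspersky's tooling or code from the report: it builds a constructed APK-shaped archive in memory, applies the two manipulations itself (an invalid compression method, and a declared manifest size larger than the real one, written into both the local header and the central directory), and then audits the result the way Android effectively reads it, treating any non-DEFLATE method as stored. The long-namespace trick is not covered here.

```python
"""Audit an APK's ZIP container for the SoumniBot-style manifest evasions that
Kaspersky describes: a bogus compression method and a mis-declared
AndroidManifest.xml size. Added example, not Kaspersky's tooling; the sample
APK below is constructed in memory and is not a real app."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
VALID_METHODS = {0, 8}  # APK entries are only ever STORED (0) or DEFLATED (8)


def audit_apk(data: bytes) -> list[str]:
    """Walk the central directory (the authoritative index), cross-check each
    local header against it, and verify stored entries byte-for-byte."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"central directory corrupt at offset {pos:#x}")
            break
        (c_method, _t, _d, c_crc, c_csize, c_usize, nlen, xlen, clen,
         _disk, _iattr, _eattr, lh_off) = struct.unpack_from("<HHHIIIHHHHHII", data, pos + 10)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local header at offset {lh_off:#x}")
            continue
        (l_method, _t, _d, l_crc, l_csize, l_usize,
         l_nlen, l_xlen) = struct.unpack_from("<HHHIIIHH", data, lh_off + 8)
        if c_method not in VALID_METHODS or l_method not in VALID_METHODS:
            findings.append(f"{name}: invalid compression method "
                            f"{c_method:#x} (central) / {l_method:#x} (local)")
        if (c_method, c_crc, c_csize, c_usize) != (l_method, l_crc, l_csize, l_usize):
            findings.append(f"{name}: local header disagrees with central directory")
        if c_method != 8:
            # Android treats any non-DEFLATE method as stored, so do the same and
            # insist that the declared size and CRC describe exactly the bytes in place.
            start = lh_off + 30 + l_nlen + l_xlen
            blob = data[start:start + c_usize]
            if len(blob) != c_usize or zlib.crc32(blob) != c_crc:
                findings.append(f"{name}: declared size {c_usize} does not match the stored bytes")
    return findings


def build_sample_apk() -> bytes:
    """Constructed, minimal APK-shaped archive with stored entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 4)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def tamper(data: bytes, name: str, method: int = -1, size_delta: int = 0) -> bytes:
    """Rewrite one entry's method and/or size fields in both the central directory
    and the local header, mimicking the manipulations seen in SoumniBot."""
    buf = bytearray(data)
    eocd = data.rfind(EOCD_SIG)
    _n, _s, pos = struct.unpack_from("<HII", data, eocd + 10)
    while data[pos:pos + 4] == CENTRAL_SIG:
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lh_off = struct.unpack_from("<I", data, pos + 42)[0]
        if data[pos + 46:pos + 46 + nlen] == name.encode():
            for method_off, sizes_off in ((pos + 10, pos + 20), (lh_off + 8, lh_off + 18)):
                if method >= 0:
                    struct.pack_into("<H", buf, method_off, method)
                csize, usize = struct.unpack_from("<II", data, sizes_off)
                struct.pack_into("<II", buf, sizes_off, csize + size_delta, usize + size_delta)
        pos += 46 + nlen + xlen + clen
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:     ", audit_apk(clean))
    print("bad method:", audit_apk(tamper(clean, "AndroidManifest.xml", method=0x1337)))
    print("bad size:  ", audit_apk(tamper(clean, "AndroidManifest.xml", size_delta=40)))
```

Walking the central directory rather than scanning for local-header signatures matters here: the size trick is precisely what throws off tools that step from one local header to the next by the declared size. Run `audit_apk` over the bytes of any APK you are triaging; an empty list means the container is well formed, which does not make the app safe.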
2024-04-17 21:02:15 bleepingcomputer CYBERCRIME Cryptomining Campaign Exploits Kubernetes Using OpenMetadata
Attackers are exploiting critical vulnerabilities in OpenMetadata workloads running in Kubernetes, targeting unpatched, internet-exposed systems for cryptomining. Microsoft identified the campaign and notes the breaches began in early April using five flaws that had already been patched: CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254. Once in, the attackers download cryptomining malware from a server in China and use Netcat to open a reverse shell for remote management, then add cron jobs so the miner is relaunched on a schedule and persists. A note left with the miner asks for Monero donations, claiming the author needs the funds to buy a car or a suite in China. Microsoft and other security experts urge users to patch affected OpenMetadata workloads and change the default credentials. The incident is a reminder that containerized software needs the same regular patching and credential hygiene as anything else.
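Both OpenMetadata entries above (thehackernews and bleepingcomputer) end with the same advice: patch the workloads. The first practical step is an inventory of which OpenMetadata containers in the cluster still run an old release. The following is an added example, not Microsoft's or the OpenMetadata project's tooling: it reads the JSON that `kubectl get pods -A -o json` produces, parses each container's image reference (registry port, tag and digest are all handled), and compares the tag against the fix version. The pod list is constructed, and 1.3.1 as the release carrying the five fixes is an assumption taken from the project's advisories; confirm it against the advisory for each CVE before acting on the output.

```python
"""List OpenMetadata containers in a cluster and mark which still run a release
older than the one that fixes CVE-2024-28253, -28254, -28255, -28847 and -28848,
working from `kubectl get pods -A -o json` output. Added example; not Microsoft's
or the OpenMetadata project's tooling. The pod list below is constructed, and the
fix version 1.3.1 is an assumption taken from the project's advisories."""
import json
import re
import sys

FIXED_VERSION = (1, 3, 1)  # assumption: first release carrying all five fixes
OM_IMAGE_RE = re.compile(r"openmetadata", re.IGNORECASE)
TAG_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample mirroring the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "data", "name": "openmetadata-6d9f-abcde"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:1.2.3"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-7a1b-fghij"},
         "spec": {"containers": [{"name": "server", "image": "docker.io/openmetadata/server:1.3.1"}]}},
        {"metadata": {"namespace": "sandbox", "name": "om-test"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:latest"}]}},
        {"metadata": {"namespace": "data", "name": "postgres-0"},
         "spec": {"containers": [{"name": "db", "image": "postgres:15"}]}},
        {"metadata": {"namespace": "data", "name": "om-mirror"},
         "spec": {"containers": [{"name": "server",
                                  "image": "registry.local:5000/openmetadata/server:1.1.0@sha256:" + "0" * 64}]}},
    ]
}


def parse_image(image: str):
    """Split 'registry/repo:tag@digest' into (repo, tag); tag is None when absent."""
    ref = image.split("@", 1)[0]          # drop any digest
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:             # untagged, or the ':' was a registry port
        return ref, None
    return repo, tag


def tag_version(tag):
    """'1.3.1' or 'v1.3.1' -> (1, 3, 1); anything else (e.g. 'latest') -> None."""
    m = TAG_VERSION_RE.match(tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def audit_pods(pod_list: dict) -> list[dict]:
    """One finding per OpenMetadata container: vulnerable, patched or unknown-version."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            repo, tag = parse_image(c["image"])
            if not OM_IMAGE_RE.search(repo):
                continue
            ver = tag_version(tag)
            if ver is None:
                status = "unknown-version"   # ':latest' or digest-only: resolve by hand
            elif ver < FIXED_VERSION:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                             "container": c["name"], "image": c["image"], "status": status})
    return findings


if __name__ == "__main__":
    # Real use: kubectl get pods -A -o json | python3 audit_openmetadata.py
    pods = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for f in audit_pods(pods):
        print(f"{f['status']:16} {f['namespace']}/{f['pod']} {f['image']}")
```

An `unknown-version` result is not a pass: a `:latest` tag or a digest-only reference has to be resolved against the registry before the workload can be called patched, and a patched version still needs its default credentials changed.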
2024-04-17 20:41:23 bleepingcomputer CYBERCRIME FIN7 Cyber Attack Targets US Automaker with Spear-Phishing
FIN7, a financially motivated threat group, targeted the IT department of a major US car manufacturer with spear-phishing emails. The emails linked to a malicious site impersonating the free Advanced IP Scanner tool; the download started a multi-stage chain, involving a DLL, shellcode carried inside a WAV file and in-memory shellcode execution, that ended with the Anunak backdoor installed. The intrusion leaned on living-off-the-land binaries and scripts and singled out employees with high-level privileges. BlackBerry researchers attributed the activity to FIN7 through distinctive PowerShell scripts and tactics seen in the group's earlier campaigns. The attackers also installed OpenSSH, presumably to keep persistent access, although no lateral movement was observed. The incident was contained before it spread beyond the initially infected system. BlackBerry stresses stronger phishing defences and MFA as the mitigations that matter here.
2024-04-17 20:00:31 theregister NATION STATE ACTIVITY Sandworm Cyberattacks Target US, European Water Utilities
Sandworm, the Russian military intelligence group that Mandiant now tracks as APT44, is implicated in recent cyberattacks on US and European water facilities. Mandiant, part of Google Cloud, ties these incidents to Sandworm; one of them caused a water tank to overflow at a US utility. The intrusions went through remote management software and human-machine interfaces (HMIs) to disrupt operations at water and hydroelectric plants. Sandworm has expanded its operations beyond Ukraine to Western critical infrastructure in support of Russia's broader military objectives. The affiliated Telegram persona CyberArmyofRussia_Reborn publicly claimed the tampering with HMIs at Polish and US water utilities, and also claimed to have interfered with control technology at a French hydroelectric plant, affecting electricity generation. Mandiant expects Sandworm's activity to keep evolving with Western political dynamics and Russian strategic interests.
2024-04-17 18:54:17 bleepingcomputer CYBERCRIME Moldovan National Charged for Operating International Botnet
Moldovan citizen Alexander Lefterov has been indicted by the US Justice Department for operating a large botnet that infected thousands of computers in the United States. Under aliases including Alipako and Uptime, Lefterov faces charges of aggravated identity theft and conspiracy to commit wire fraud. The botnet stole financial and personal credentials from infected devices, which were then used for unauthorized money transfers. Infected computers ran a hidden VNC (hVNC) server, giving the operators direct, unnoticed access to victims' online accounts from a device the platforms already trusted. Lefterov also let other criminals use the botnet to deploy additional malware, including ransomware, across compromised networks, and allegedly profited by leasing access to the botnet and the stolen credentials. The statutory penalties for the charges run from 2 to 10 years in prison, with any actual sentence depending on the severity of the offences and Lefterov's prior record. The FBI says it will keep pursuing cybercriminals targeting Americans and continue its investigations into malware and cyberattacks.
2024-04-17 17:25:58 bleepingcomputer MALWARE Cisco Addresses High-Severity Privilege Escalation Vulnerability
Cisco has patched a high-severity vulnerability in its Integrated Management Controller (IMC) that allows privilege escalation to root. The flaw, CVE-2024-20295, stems from insufficient input validation in the IMC command-line interface and permits command injection into the underlying operating system. Exploitation requires an authenticated local attacker with at least read-only privileges on the device; proof-of-concept exploit code is publicly available, although no exploitation by threat actors has been reported. Affected devices include UCS C-Series Rack and UCS S-Series Storage servers running a vulnerable IMC release in the default configuration. Cisco's Product Security Incident Response Team (PSIRT) noted the availability of the exploit code in its advisory, and the company urges administrators of affected devices to apply the patches immediately. The advisory follows recent Cisco warnings about zero-day vulnerabilities exploited against more than 50,000 devices and ongoing brute-force campaigns against network devices.
2024-04-17 17:10:27 bleepingcomputer NATION STATE ACTIVITY Russian Sandworm Hackers Mask Operations as Hacktivist Attacks
Sandworm, tied to Russian military intelligence, disguises some of its cyber activity behind fake hacktivist personas. Mandiant identifies three Telegram channels that Sandworm uses to amplify pro-Russia narratives. The group, responsible for cyber sabotage since 2009, relies on phishing, exploits and supply-chain attacks for initial access. Since the start of Russia's invasion of Ukraine it has increasingly used these fake online identities to claim data leaks and disruptive attacks. Google's analysis shows that the hacktivist persona CyberArmyofRussia_Reborn shares infrastructure with Sandworm, strengthening the link between them. Attacks claimed under this persona include intrusions at utilities in the US and Poland and at a French hydroelectric facility, as well as the leaking of sensitive data on Ukrainian personnel. Mandiant assesses that these operations are meant to shape public perception and to present an exaggerated picture of the cyber capabilities of Russia's GRU. APT44, Mandiant's name for Sandworm, is well placed to try to disrupt upcoming elections and will continue to prioritize Ukrainian targets while the war lasts.
2024-04-17 14:07:07 bleepingcomputer CYBERCRIME Evaluating the Importance of Dark Web Monitoring for Cybersecurity
Dark web monitoring remains critical for identifying external cyber threats by examining .onion sites and the cybercrime activity around them. It yields actionable intelligence on credentials sold on breach forums, giving defenders a chance to block unauthorized access across the platforms those credentials unlock. Broader monitoring covers forums and marketplaces for attacker tactics and leaked corporate access, supporting preemptive security measures. Spotting network access being sold by initial access brokers can head off an impending intrusion and limit ransomware exposure. Ransomware leak sites are a risk in their own right, as they publish sensitive data when ransoms go unpaid, so they need to be monitored as well. Telegram and other instant messaging platforms have become integral to the cybercrime ecosystem, with channels dedicated to fraud and data theft. Flare's dark web monitoring, delivered through its Threat Exposure Management solution, integrates with existing security programs and provides round-the-clock actionable insights, and its coverage extends from the dark web to instant messaging platforms.
2024-04-17 13:46:29 thehackernews NATION STATE ACTIVITY Russian APT Deploys 'Kapeka' in Sophisticated Eastern European Cyberattacks
Finnish cybersecurity firm WithSecure has identified Kapeka, a new backdoor it attributes to the Russia-linked APT group Sandworm. Seen in attacks in Eastern Europe since mid-2022, Kapeka is built for long-term access and serves as an early-stage toolkit for its operators. The malware is a Windows DLL that masquerades as a Microsoft Word add-in, and it handles network communication through the WinHttp 5.1 COM interface. Kapeka can steal data, launch additional payloads, provide remote access and carry out destructive actions. Microsoft has documented the backdoor's use in ransomware intrusions and notes that it can update its command-and-control settings on the fly. Its dropper is fetched from compromised websites with certutil, a legitimate Windows binary, a living-off-the-land technique that blends in with trusted tools. Kapeka's development and deployment patterns point to a lineage shared with earlier Russian tools such as GreyEnergy and BlackEnergy, marking a further step in the evolution of Sandworm's arsenal.
2024-04-17 13:36:04 theregister CYBERCRIME Urgent Patch Required: Palo Alto Networks Zero-Day Exploited
A critical zero-day vulnerability in Palo Alto Networks' PAN-OS, CVE-2024-3400, affects firewalls configured as GlobalProtect gateways or portals. Proof-of-concept exploits released by several security firms show the bug is easy to trigger, so mass exploitation is expected. The flaw chains a directory traversal with a command injection: the value of the SESSID cookie is used unsanitized in a file path, so an attacker can create a file at an arbitrary location whose name is later processed by a privileged component, yielding arbitrary command execution as root. Palo Alto Networks issued hotfixes shortly after disclosure; its initial mitigation advice, disabling device telemetry, is no longer considered effective, and patching is the only fix. Immediate patching is recommended because exploit code is public and attacks are expected to rise, with roughly 156,000 GlobalProtect instances exposed on the internet. CISA has added the bug to its Known Exploited Vulnerabilities catalog and requires US federal agencies to remediate by April 19.
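Because the traversal rides in the SESSID cookie, a defender can sweep web-access logs for cookie values that look like paths or shell payloads instead of opaque session tokens, both to spot exploitation attempts and to decide whether a device needs forensic review rather than just a patch. The following is an added example, not Palo Alto Networks' or any researcher's code: the log line format is an assumption, the request lines are constructed, and the "opaque token" regex is a guess at what a legitimate session id looks like and should be adjusted to the real format.

```python
"""Flag requests whose SESSID cookie carries a path-traversal or command-substitution
payload, the pattern behind CVE-2024-3400 exploitation of GlobalProtect, so web-access
logs can be swept before and after patching. Added example over constructed request
lines; not Palo Alto Networks' or any researcher's code."""
import re
from urllib.parse import unquote

# Constructed log shape (assumption): '<client-ip> <method> <path> cookie="<Cookie header>"'
REQ_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+cookie="([^"]*)"$')
SESSID_RE = re.compile(r'(?:^|;\s*)SESSID=([^;]*)')
TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
SHELL_META = re.compile(r'`|\$\(|[;|&\n]')
OPAQUE_TOKEN = re.compile(r'^[A-Za-z0-9_\-]{8,128}$')  # assumption: what a real session id looks like

# Constructed sample requests: one benign, one raw traversal with a backtick payload,
# one double-percent-encoded traversal, one with no SESSID at all.
SAMPLE_REQUESTS = [
    '203.0.113.10 POST /global-protect/login.esp cookie="SESSID=5f3c9b2e7a1d4c6e8b0f; lang=en"',
    '198.51.100.7 POST /global-protect/login.esp cookie="SESSID=/../../../../tmp/x`id`; lang=en"',
    '198.51.100.8 POST /global-protect/login.esp cookie="SESSID=%252e%252e%2F%252e%252e%2Ftmp%2Fx"',
    '203.0.113.11 GET /global-protect/portal/css/login.css cookie="lang=en"',
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_sessid(raw: str) -> list[str]:
    """Return the reasons a SESSID value looks malicious; an empty list means benign."""
    v = normalize(raw)
    reasons = []
    if TRAVERSAL.search(v):
        reasons.append("path traversal")
    if v.startswith(("/", "\\")):
        reasons.append("absolute path")
    if SHELL_META.search(v):
        reasons.append("shell metacharacters")
    if not reasons and not OPAQUE_TOKEN.match(v):
        reasons.append("unexpected token format")
    return reasons


def scan_requests(lines) -> list[dict]:
    """Parse each request line, pull SESSID out of the Cookie header and classify it."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        ip, method, path, cookie = m.groups()
        s = SESSID_RE.search(cookie)
        if not s:
            continue
        reasons = classify_sessid(s.group(1))
        if reasons:
            hits.append({"ip": ip, "method": method, "path": path,
                         "sessid": s.group(1), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

Decoding is bounded and repeated so that `%252e%252e%2F` is caught after it unwraps to `../`. Any hit on a device that was unpatched when the request arrived should be treated as a possible compromise, not just an attempt, since the traversal succeeds before any authentication takes place.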