Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11779

Checks for new stories every ~15 minutes

2024-02-08 23:14:29 bleepingcomputer MALWARE Urgent Warning for Critical RCE Vulnerability in FortiOS SSL VPN
Fortinet has disclosed a critical remote code execution (RCE) vulnerability in the FortiOS SSL VPN that it says is potentially already being exploited in the wild. The flaw, tracked as CVE-2024-21762 and rated 9.6 (critical), is an out-of-bounds write that lets an unauthenticated remote attacker execute arbitrary code or commands via specially crafted requests. Fortinet advises upgrading to a fixed release immediately; where patching must wait, disabling SSL VPN on FortiOS devices is the recommended interim mitigation. Fortinet has not said who reported the bug or described the exploitation it has observed. Other flaws were disclosed the same day, including the critical CVE-2024-23113 and two medium-severity CVEs, none of which are reported as exploited. This follows Fortinet's disclosure that the Chinese state-sponsored group Volt Typhoon has been exploiting a different set of FortiOS vulnerabilities. Organizations running Fortinet products are urged to prioritize these updates given the history of targeted attacks against these appliances.
2024-02-08 22:03:01 theregister CYBERCRIME Rogue LastPass Clone Found in Apple's iOS App Store
A fraudulent LastPass app published under the developer name Parvati Patel was found in the iOS App Store. LastPass's security and legal teams contacted Apple to have it removed. The app impersonated the legitimate LastPass service in order to deceive users and potentially harvest their credentials. Despite Apple's review process and its guidelines against impersonation, the rogue app got through, and LastPass is working with Apple to understand how. The fake app carried obvious signs of fraud, such as misspellings and incorrect developer information, which is a reminder to check publisher details before installing. The incident underscores the persistent challenge of keeping app stores clean and the need for users to scrutinize what they download.
2024-02-08 20:20:37 bleepingcomputer CYBERCRIME Hyundai Motor Europe Targeted by Black Basta Ransomware Attack
Hyundai Motor Europe was hit by a ransomware attack claimed by the Black Basta group, which says it exfiltrated corporate data. When first queried by BleepingComputer, Hyundai reported only "IT issues", later confirming the cyberattack. The company is investigating the unauthorized network access with outside cybersecurity and legal experts. The threat actors claim to have stolen 3 TB of data spanning multiple departments, raising concerns about leaks of sensitive information. Black Basta, linked to the former Conti operation, has been active since April 2022 and is known for double-extortion attacks and substantial ransom revenue. Hyundai previously suffered a data breach in April 2023, and its Hyundai MEA X account was hijacked recently. Relevant authorities have been notified, and Hyundai says it is committed to the security of customers, employees, investors, and partners.
2024-02-08 19:49:41 bleepingcomputer CYBERCRIME Ivanti Announces Urgent Security Flaw in VPN Appliances
A new authentication bypass vulnerability in Ivanti's Connect Secure, Policy Secure, and ZTA gateways requires immediate patching. The flaw, tracked as CVE-2024-22024, is an XML External Entity (XXE) weakness in the gateways' SAML component that lets an attacker reach restricted resources without authentication or user interaction. Ivanti reports no exploitation so far but stresses that customers should act immediately. Over 20,000 Internet-exposed Ivanti Connect Secure VPN gateways are at risk; compromised Connect Secure devices are being tracked, with nearly 250 seen compromised as of February 7. Security patches for affected products were released on January 31, and Ivanti has published interim mitigation steps for customers still awaiting updates. Ivanti recommends a factory reset of every vulnerable appliance before patching so that an attacker who already has a foothold cannot persist through the upgrade. Following the detection of mass exploitation by multiple threat actors, CISA ordered U.S. federal agencies to disconnect vulnerable Ivanti VPN appliances within 48 hours.
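The XXE class named above is worth making concrete. SAML messages never legitimately carry a DTD, so the standard hardening (used by several SAML libraries) is to refuse any document that declares a DOCTYPE or an entity before the real parser ever sees it. The following is an added example, not Ivanti's code or any reconstruction of the flaw: it assumes the application already has the base64-decoded SAMLResponse as UTF-8 bytes, and the two sample responses are constructed for illustration.

```python
"""Reject SAML XML that carries a DTD or entity declaration before parsing it.

Added example, not vendor code. Assumes the decoded SAMLResponse arrives as
UTF-8 bytes. Sample responses below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class UnsafeXmlError(ValueError):
    """Raised when a message carries a DTD, entity or external reference."""


def assert_no_dtd(raw: bytes) -> None:
    """Run a plain expat pass whose only job is to abort on DTD constructs.

    Exceptions raised inside pyexpat handlers propagate out of Parse(), so the
    first DOCTYPE, ENTITY or external-entity reference stops processing.
    """
    parser = expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXmlError("DTD or entity declaration in SAML message")

    parser.StartDoctypeDeclHandler = reject    # <!DOCTYPE ...>
    parser.EntityDeclHandler = reject          # <!ENTITY ...>
    parser.ExternalEntityRefHandler = reject   # &ext; pointing at SYSTEM/PUBLIC ids
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML: {exc}") from exc


def parse_saml_strict(raw: bytes) -> ET.Element:
    """Return the root element only after the message passed the DTD check."""
    assert_no_dtd(raw)
    return ET.fromstring(raw)


def is_safe_saml(raw: bytes) -> bool:
    """Boolean form of the same check, convenient for a request filter."""
    try:
        assert_no_dtd(raw)
    except UnsafeXmlError:
        return False
    return True


def saml_issuer(root: ET.Element) -> str:
    """Read <saml:Issuer> from an already-validated Response."""
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return issuer.text.strip() if issuer is not None and issuer.text else ""


# Constructed sample: a minimal, clean Response.
CLEAN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-02-08T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
</samlp:Response>"""

# Constructed sample: the classic XXE shape, an external entity in the Issuer.
XXE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r2" Version="2.0" IssueInstant="2024-02-08T00:00:00Z">
  <saml:Issuer>&xxe;</saml:Issuer>
</samlp:Response>"""

if __name__ == "__main__":
    print("clean:", is_safe_saml(CLEAN_RESPONSE), saml_issuer(parse_saml_strict(CLEAN_RESPONSE)))
    print("xxe:  ", is_safe_saml(XXE_RESPONSE))
```

The pre-pass deliberately rejects any DTD, including harmless internal ones, rather than trying to tell safe from unsafe declarations; for SAML that costs nothing, and it also removes the entity-expansion (billion laughs) surface. Documents in other encodings would need the same check after transcoding, since the example assumes UTF-8.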
2024-02-08 18:38:11 bleepingcomputer MALWARE Android XLoader Malware Evolves for Auto-Execution
A new variant of the XLoader Android malware runs automatically after installation, without any user interaction. XLoader, attributed to the threat actor 'Roaming Mantis', targets users worldwide, including the U.S., the U.K., and parts of Europe and Asia. It spreads via SMS messages carrying URLs to a malicious APK, often disguised as the legitimate Chrome browser. McAfee researchers reported the auto-execution technique to Google, which is developing mitigations for future Android versions. Roaming Mantis uses Unicode tricks and app impersonation to lure users into granting extensive permissions, which in turn enable phishing and theft of sensitive information. The attackers deliver custom phishing lures through notification channels, fetching the phishing text from Pinterest profiles to evade conventional detection. The new variant supports 20 commands from its command-and-control (C2) server, indicating a sophisticated and adaptable threat. McAfee advises users to run security products that can detect and remove such threats based on known indicators.
2024-02-08 18:02:02 bleepingcomputer CYBERCRIME U.S. Offers $10M Reward for Intel on Hive Ransomware Leaders
The U.S. State Department is offering up to $10 million for information leading to Hive ransomware gang leaders. Hive is responsible for extorting $100 million from over 1,300 companies across more than 80 countries between June 2021 and November 2022. Additional rewards up to $5 million are available for information resulting in the arrest of individuals involved with Hive ransomware activities. Previous rewards of up to $15 million have been offered for other ransomware operations like Clop and Conti. The rewards are provided through the Transnational Organized Crime Rewards Program, which has paid over $135 million for tips since 1986. Law enforcement infiltrated Hive's network in July 2022, assisting victims and preventing $130 million in ransom payments. Agents provided over 300 decryption keys to Hive victims and shared intelligence gathered from Hive's communication records, malware file hashes, and affiliate information. Hive is known for its indiscriminate attacks, including on critical sectors like healthcare and emergency services.
2024-02-08 17:20:56 theregister MALWARE Raspberry Robin Malware Evolves with Purchased Exploits for Rapid Deployment
Raspberry Robin's operators are suspected of buying exploits to move faster in their campaigns. Where the group previously used exploits for vulnerabilities up to 12 months old, it now uses recently disclosed ones. Check Point Research observed strikingly quick adoption of vulnerabilities, some less than a month old, such as CVE-2023-36802. Exploits were used before or shortly after public disclosure, and one was identified as a zero-day offered for sale on the dark web. The analysis suggests the Raspberry Robin team buys exploits from capable developers rather than writing them in-house. The malware has also gained upgraded anti-analysis and evasion features, persistence across reboots, and improvements to its communication and lateral movement. Raspberry Robin is linked with major criminal groups and plays a key role in the cybercrime ecosystem as one of three loaders responsible for 80% of attacks observed in a period of 2023.
2024-02-08 17:05:11 bleepingcomputer CYBERCRIME Fraudulent 'LassPass' Phishing App Detected on Apple App Store
A counterfeit LastPass app named 'LassPass' has been found on the Apple App Store, apparently designed to phish users' credentials. The fake mimics the genuine LastPass app's name, icon, and user interface, but is published under 'Parvati Patel' and has only a handful of reviews, which warn that it is fake. Because a password manager holds users' most sensitive secrets, the fraudulent app poses a serious credential-theft risk. LastPass has posted a warning on its website about the deceptive app and provided URLs to the legitimate app so customers can verify what they install. Despite Apple's app review process, the counterfeit slipped through, raising questions about the review system's effectiveness. Another app by the same developer exists on the App Store, which raises the possibility that the developer account was compromised. Users who installed the fake app are advised to uninstall it immediately, change their LastPass master password, and consider resetting every password stored in their vault. At the time of the report, Apple had not responded to inquiries and the fake app remained available on the App Store.
2024-02-08 15:48:20 bleepingcomputer DATA BREACH Massive Data Breach Compromises 33 Million Records in France
Two French healthcare payment service providers, Viamedis and Almerys, have suffered significant data breaches. Over 33 million people in France are affected, with sensitive data such as social security numbers and insurance details exposed. According to Viamedis, bank details, email addresses, and phone numbers were not among the exposed data. Viamedis serves 20 million people via 84 health organizations, but the exact number of affected individuals is still being determined. The French data protection authority, CNIL, confirmed both breaches and warned of a heightened risk of phishing, identity theft, and insurance fraud. CNIL is ensuring that both companies meet their GDPR obligations by directly informing those affected, and has opened an investigation into the adequacy of the companies' security measures and their compliance with GDPR.
2024-02-08 14:06:01 theregister CYBERCRIME Cybersecurity Researchers Charged in $2.5M Apple Fraud Scheme
Two cybersecurity researchers, Noah Roskin-Frazee and Keith Latteri, are facing charges for defrauding an unnamed company, likely Apple, of $2.5 million. They are accused of ordering gift cards and hardware after gaining access through a third-party contractor's systems and selling these items to third parties. The pair allegedly exploited a password reset tool to compromise accounts, then used those accounts to access the company's VPN and remote desktops in India and Costa Rica. They used their access to manipulate Apple's Toolbox and Jamf MDM platforms for placing and amending orders, setting product prices to zero. They utilized transshipment companies to conceal their identities and ship fraudulently obtained products. One of the accused, Roskin-Frazee, was previously acknowledged by Apple for reporting bugs, highlighting the complexity of his dual status as a legitimate researcher and an alleged criminal. Requests for comment from Apple and the defense lawyers were not immediately answered.
2024-02-08 13:09:19 thehackernews NATION STATE ACTIVITY Extensive Chinese Hacking of U.S. Infrastructure Revealed
Chinese state-sponsored hackers known as Volt Typhoon operated undetected inside U.S. critical infrastructure for at least five years. The group targeted the communications, energy, transportation, and water sectors, as well as facilities in Guam. Volt Typhoon relies on 'living-off-the-land' techniques, using built-in system tools so that malicious activity blends into legitimate network behavior and is hard to detect. Its tradecraft includes multi-hop proxies to obscure the origin of its activity and a strong focus on operational security to keep its access undiscovered. The group escalated privileges to obtain administrator credentials, moved laterally through networks, and maintained long-term compromise of Active Directory domains. The U.S. government warns that the hackers methodically re-target the same environments over years to keep unauthorized access. Separately, PAPERWALL, an influence campaign linked to a Beijing PR firm, has been creating and deleting pro-China content on fake news websites around the world.
2024-02-08 10:46:23 thehackernews MISCELLANEOUS The Strategic Impact of Unified Identity Solutions
Unified identity platforms consolidate various identity challenges into a complete security solution, offering significant operational and security advantages. Sector-specific examples illustrate that the concept of unified identity varies; hospitals may emphasize different facets than software development studios. Increased organizational complexity and the rise of identity sprawl with numerous silos necessitate a move toward fewer, consolidated identity management systems. The adoption of Unified Identity Platforms can enhance a company's cybersecurity stance, simplify the tech landscape, and enable business agility. Cost reductions are achieved not only through vendor bundle discounts but also by easing the skills gap and reducing the need for extensive training and senior staff. Unified identity tools are pre-validated to work together, reducing the need for extensive customizations and support, yet vendor lock-in remains a consideration. Quick and efficient implementation time is a key advantage, as traditional identity and access management (IAM) projects are notoriously slow and complex. For sustained benefits, it's essential to choose vendors that offer modular identity platforms, allowing for gradual integration without full commitment to their entire ecosystem.
2024-02-08 10:30:57 thehackernews MALWARE Loader Malware HijackLoader Enhances Stealth with New Evasion Techniques
The HijackLoader loader malware has been updated with new defense-evasion techniques that make it harder to detect and analyze. CrowdStrike researchers identified a variant that combines process hollowing with a novel trigger: the injected code only runs once the parent process writes to a pipe. Originally documented by Zscaler ThreatLabz, HijackLoader has been used to distribute DanaBot, SystemBC, and RedLine Stealer, and shares similarities with IDAT Loader. The TA544 cybercrime group has used HijackLoader in phishing campaigns to deliver payloads such as Remcos RAT and SystemBC. The updated tactics also include process doppelgänging and Heaven's Gate (calling 64-bit code from a 32-bit process to slip past user-mode hooks) to bypass security controls and endpoint detection. The researchers also described an unusual injection step in the evolved multi-stage chain in which mshtml.dll is hollowed inside a cmd.exe process. CrowdStrike stresses the difficulty loaders like HijackLoader pose and the need for continued vigilance and improved detection methods.
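The hollowed mshtml.dll inside cmd.exe is a useful hunting pivot: both files are legitimate and signed, so path- or signature-based rules see nothing, and the anomaly is purely the pairing of process and module. The following is an added example of that logic, not CrowdStrike's detection content or anything from the HijackLoader report. It assumes Sysmon-style Event ID 7 (ImageLoad) records already normalised to Python dicts with Image (the loading process) and ImageLoaded (the DLL); the event records, the list of unexpected process/module pairs beyond the cmd.exe case, and the second rule for modules loaded from user-writable paths are this example's own assumptions. The sample events are constructed.

```python
"""Flag DLL loads that do not belong in the process that loaded them.

Added example, not vendor detection content. Assumes Sysmon Event ID 7 records
normalised to dicts. Events and the rule tables below are constructed.
"""
from pathlib import PureWindowsPath

# Rule 1: process/module pairs that have no legitimate reason to occur.
# cmd.exe loading mshtml.dll (the MSHTML rendering engine) is the case from the
# article; the other entries extend the same idea and are assumptions.
UNEXPECTED_LOADS = {
    "cmd.exe": {"mshtml.dll", "jscript9.dll", "vbscript.dll"},
}

# Rule 2: a Windows system binary loading a module from a user-writable location.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def _name(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list:
    """Return the list of rule names an ImageLoad event trips (empty if none)."""
    if event.get("EventID") != 7:
        return []
    proc = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    reasons = []
    if _name(loaded) in UNEXPECTED_LOADS.get(_name(proc), set()):
        reasons.append("unexpected-module")
    if proc.startswith(WINDOWS_DIRS) and any(marker in loaded for marker in USER_WRITABLE):
        reasons.append("user-writable-path")
    return reasons


def hunt(events) -> list:
    """Run every event through classify() and emit one alert per tripped rule."""
    alerts = []
    for ev in events:
        for reason in classify(ev):
            alerts.append({
                "UtcTime": ev["UtcTime"],
                "ProcessId": ev["ProcessId"],
                "Image": ev["Image"],
                "ImageLoaded": ev["ImageLoaded"],
                "reason": reason,
            })
    return alerts


# Constructed sample events (Sysmon Event ID 7 = ImageLoad, Event ID 1 = ProcessCreate).
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2024-02-08 10:31:02.114", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ImageLoaded": r"C:\Windows\System32\mshtml.dll", "Signed": "true"},   # the hollowing case
    {"EventID": 7, "UtcTime": "2024-02-08 10:31:02.120", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},  # normal
    {"EventID": 7, "UtcTime": "2024-02-08 10:32:45.001", "ProcessId": 5588,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\System32\mshtml.dll", "Signed": "true"},   # IE really uses MSHTML
    {"EventID": 7, "UtcTime": "2024-02-08 10:40:11.730", "ProcessId": 912,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2024-02-08 10:31:01.900", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # not an ImageLoad
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The pairing table is the interesting part: it encodes knowledge of what a process should never load, which is what catches an injected, hollowed module that is otherwise a pristine Microsoft-signed file in System32. Rule 2 is the complementary, more generic check and will need tuning in environments where legitimate software drops DLLs under ProgramData.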
2024-02-08 10:20:34 thehackernews CYBERCRIME Google Implements Sideloading Restrictions in Singapore for Safety
Google has started a pilot in Singapore that blocks sideloaded apps that abuse Android permissions to collect sensitive information. When a user installs an app from outside the Play Store, Google Play Protect will automatically block it if it requests runtime permissions commonly abused for financial fraud, namely reading SMS messages, reading notifications, and accessibility services. Users see a pop-up explaining that the app was blocked because of the risk of identity theft and financial fraud. Google urges developers to follow its Mobile Unwanted Software principles and to review the permissions their apps request so they do not trip the block. Google Play Protect has flagged over 515,000 new malicious apps and issued millions of warnings or blocks. Apple has voiced similar concerns about alternative app marketplaces, citing heightened privacy and security risks, and plans to introduce Notarization for iOS apps in response to the EU's Digital Markets Act.
2024-02-08 07:32:14 theregister MISCELLANEOUS Rust's Role in Enhancing Software Security: A Reality Check
Memory-safety bugs are high-severity, but they are not the most frequently exploited class of vulnerability, so Rust's memory safety, while valuable, only addresses part of the problem. Horizon3.ai's analysis of CISA's Known Exploited Vulnerabilities catalog shows that Rust alone is not a panacea for software security. Insecure exposed functions were the most common exploited vulnerability class in 2023, accounting for 48.8% of the entries. Memory-safety bugs matter most when exploited as zero-days, before patches exist: roughly 75% of the analyzed memory-safety bugs were exploited as zero-days, and for the remaining 25%, credited to researchers, the analysis questions whether those researchers were actually the first to find them. Simple vulnerabilities remain highly exploitable, pointing to the need for broader attention to software complexity and supply chain hardening. Software security is a process, and a comprehensive strategy matters more than adopting any single programming language.