Daily Brief


Total articles found: 11777

2024-02-07 15:14:24 thehackernews NATION STATE ACTIVITY Chinese State-Sponsored Botnet Resilient Against FBI Takedown
Lumen's Black Lotus Labs reports on the aftermath of the FBI's court-authorized disruption of the KV-botnet, a network of compromised small-office/home-office routers and firewall appliances that Chinese state-sponsored operators used to proxy their traffic. The botnet, active since at least February 2022, changed behavior and shrank after the U.S. action: the number of active bots fell from roughly 1,500 to about 650 once the FBI began issuing commands to remove the malware from infected devices. The operators answered with a restructuring attempt and a burst of activity immediately after the disruption; Black Lotus Labs saw increased exploitation attempts and took further steps to inhibit botnet communications. KV-botnet is one component of a broader covert infrastructure the group uses to blend its operations into ordinary traffic. The underlying risk is unchanged: end-of-life networking gear that no longer receives patches is deployed worldwide and can be re-compromised, so operators should replace unsupported devices and keep management interfaces off the internet.
2024-02-07 15:09:01 bleepingcomputer MISCELLANEOUS Enhancing Active Directory Security with Zero Trust Principles
Organizations are adopting zero trust models to secure user access as the network perimeter dissolves. Active Directory security is central to that effort, because AD handles authentication for the whole Windows estate and stores credential material for every account. Zero trust assumes no inherent trust and requires strict authentication and authorization for every user and system. Enforcing least privilege within Active Directory caps what any one account can do, reducing both the chance of abuse and the blast radius of a compromised credential. Time-limited admin privileges or separate admin accounts, plus multifactor authentication (MFA) for password resets, reduce the value of a stolen password and block a common helpdesk social-engineering path. MFA does not retire the password as an attack surface: reused and leaked passwords still feed credential stuffing, so continuously checking AD passwords against known breach corpora is part of maintaining a zero-trust posture. Tools such as Specops Password Policy block known compromised passwords and prompt affected users to change them. Organizations looking to implement these measures can use services from Specops Software, which offers solutions aimed at zero trust security enhancements.
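The compromised-password check described above, as an added example that is not the article's or Specops' code: it implements the k-anonymity range-lookup pattern (only the first five hex characters of the password's SHA-1 are sent to a lookup service, and the suffix match happens locally) against a constructed, in-memory breach corpus so it runs offline. The sample passwords and counts are made up; the optional network lookup assumes the public `https://api.pwnedpasswords.com/range/<prefix>` endpoint.

```python
import hashlib
import urllib.request


def _sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the range-API format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_local_corpus(leaked: dict) -> dict:
    """Index {password: breach_count} as {sha1_prefix: {sha1_suffix: count}}.

    This is a constructed stand-in for a real breach corpus so the example
    works without network access.
    """
    corpus: dict = {}
    for pw, count in leaked.items():
        h = _sha1_upper(pw)
        corpus.setdefault(h[:5], {})[h[5:]] = count
    return corpus


# Constructed sample data; counts are illustrative, not real breach figures.
SAMPLE_CORPUS = build_local_corpus({
    "Password1": 123456,
    "Summer2023!": 311,
    "qwerty": 3912816,
})


def range_lookup_local(prefix: str) -> str:
    """Return 'SUFFIX:COUNT' lines for a 5-hex-char prefix, like the range API."""
    entries = SAMPLE_CORPUS.get(prefix.upper(), {})
    return "\r\n".join(f"{s}:{c}" for s, c in entries.items())


def range_lookup_hibp(prefix: str) -> str:
    """Optional live lookup (assumed endpoint). Only the 5-char prefix leaves the host."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def compromised_count(password: str, range_lookup=range_lookup_local) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        s, _, c = line.partition(":")
        if s.strip() == suffix:
            return int(c)  # padded entries from the live API carry count 0
    return 0


def check_password(password: str, min_length: int = 14) -> tuple:
    """Policy decision: breached passwords fail regardless of complexity."""
    n = compromised_count(password)
    if n > 0:
        return (False, f"found in breach corpus {n} times")
    if len(password) < min_length:
        return (False, f"shorter than {min_length} characters")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ("Password1", "short", "a-long-unique-passphrase-2024"):
        print(candidate, check_password(candidate))
```

The local corpus stands in for the vendor's breach database; swapping `range_lookup_hibp` into `compromised_count` gives the same logic against the live service, and the check stays order-independent: a breached password is rejected even if it satisfies length and complexity rules.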
2024-02-07 15:03:34 bleepingcomputer NATION STATE ACTIVITY Chinese State Hackers Fail to Rebuild Botnet After FBI Disruption
Chinese state-affiliated hackers tracked as Volt Typhoon (also Bronze Silhouette) tried to rebuild a botnet after an FBI takedown. The botnet, known as KV-botnet, served as covert relay infrastructure for espionage against U.S. critical infrastructure. The FBI took control of the botnet's command-and-control server on December 6, cutting the link between the operators and the compromised devices. After the takedown the operators launched a large-scale attempt to infect 3,045 devices but failed to re-establish control. Black Lotus Labs then null-routed the attackers' command-and-control and payload server infrastructure, which hampered them for more than a month. With no active command-and-control servers seen since January 3, the KV activity cluster is assessed to be no longer effective. Organizations Volt Typhoon breached include U.S. military, telecom and internet service providers and a European renewable energy firm. CISA and the FBI recently urged router manufacturers to harden their products against this kind of abuse.
2024-02-07 14:02:03 bleepingcomputer CYBERCRIME Record-Breaking $1.1 Billion Paid in Ransomware Demands in 2023
Ransomware payments reached a record $1.1 billion in 2023, surpassing the previous high of $983 million in 2021. The increase reverses the decline of 2022, suggesting that year was an anomaly driven by geopolitical events and law enforcement actions. The MOVEit campaign by Clop and other large attacks against institutions and infrastructure contributed to the spike. Chainalysis' report highlights diverging strategies among top groups such as ALPHV/BlackCat, Clop and LockBit, with some concentrating on fewer, higher-value targets ("big game hunting"). Gangs keep adjusting tactics, with some increasing attack frequency to maintain revenue as fewer victims pay. Laundering of ransom payments in 2023 often ran through mixers, underground exchanges and platforms lacking strict KYC controls, drawing more law enforcement attention to those services. Despite the rise in payments, the growing share of victims refusing to pay may eventually destabilize the ransomware economy.
2024-02-07 13:41:19 thehackernews NATION STATE ACTIVITY Critical Shim Vulnerability Threatens Linux Boot Security
A critical vulnerability in shim, the first-stage UEFI boot loader used by nearly all Linux distributions, allows Secure Boot bypass and code execution before the operating system loads. CVE-2023-40547 (CVSS 9.8) is an out-of-bounds write in shim's HTTP boot support: when shim fetches a boot image over HTTP, it trusts the server's response headers when allocating a buffer, so a malicious response corrupts memory. Bill Demirkapi of the Microsoft Security Response Center found the flaw, which is present in shim binaries signed over the past decade. The main attack path is a man-in-the-middle on HTTP boot traffic (for example on the same network segment during PXE/HTTP boot); a local attacker with the ability to change EFI variables can also force a vulnerable boot path. Successful exploitation gives control before the kernel runs, enabling bootkits that survive reinstalls of the OS. Shim 15.8 fixes this flaw along with five other security issues. Updating the shim package is necessary but not sufficient: old signed shim binaries remain bootable until they are revoked (via SBAT or the UEFI DBX), so administrators should apply their distribution's revocation updates as well.
2024-02-07 13:30:54 bleepingcomputer MISCELLANEOUS Fortinet Clarifies Duplicate Critical Vulnerability Advisories Error
Fortinet's FortiSIEM product appeared to have gained new critical vulnerabilities, but Fortinet said they were duplicates of an existing CVE. BleepingComputer reported that the advisories for CVE-2024-23108 and CVE-2024-23109 were published erroneously and matched an older flaw, CVE-2023-34992. Fortinet stated there were no new FortiSIEM vulnerabilities in 2024 and attributed the error to an API issue during a routine information accuracy update. On that basis, security teams that had already addressed the 2023 vulnerability needed to take no further action, and MITRE and NVD were expected to withdraw the duplicate entries. (Fortinet subsequently reversed this position and confirmed the two CVEs as distinct patch bypasses of CVE-2023-34992, so teams should verify they are running a FortiSIEM release that fixes all three rather than relying on the 2023 patch alone.) The original vulnerability, announced in October 2023, allowed unauthenticated remote attackers to execute commands via crafted API requests. Fortinet products are frequent targets for sophisticated groups because of their prevalence in enterprise networks, including prior exploitation by Iranian and Chinese state-backed actors.
2024-02-07 12:34:37 theregister CYBERCRIME Critical Vulnerability Patch Urged for JetBrains TeamCity Users
JetBrains has disclosed a critical flaw in TeamCity On-Premises affecting versions 2017.1 through 2023.11.2. Tracked as CVE-2024-23917 (CVSS 9.8), the vulnerability lets an unauthenticated remote attacker with HTTP(S) access to the server gain administrative control. Users are advised to update to TeamCity 2023.11.3. TeamCity Cloud has already been patched; the company has not said whether any on-premises servers were exploited. The fix can be applied by direct download, the built-in automatic update, or a security patch plugin for installations that cannot upgrade immediately. Administrators who cannot patch promptly should make internet-facing TeamCity servers unreachable from the outside until they can. The alert follows earlier incidents in which Russian and North Korean state-sponsored actors targeted TeamCity servers through a similar flaw (CVE-2023-42793).
2024-02-07 10:42:37 thehackernews MISCELLANEOUS Essential Guide to vCISO Success for MSPs and MSSPs in 2024
In 2024, a notable trend among Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) is the rise of vCISO (virtual Chief Information Security Officer) services, with 45% of surveyed providers planning to offer them. A new webinar from Cynomi lays out a 100-day plan for MSPs and MSSPs onboarding as a vCISO for a client. It describes a five-step strategy for establishing a strong security posture and covers both the goals of a vCISO and the common pitfalls to avoid. The steps are: research the client's security infrastructure, assess its security maturity, prioritize improvements, execute the plan, and report progress and results to management. The webinar stresses that MSPs and MSSPs should position themselves as strategic partners capable of driving security transformation and managing security continuously rather than as one-off projects. The action plan runs from building stakeholder relationships and assessing risk through executing upgrades and demonstrating measurable improvement, and a checklist is provided to help new vCISOs through the initial engagement period.
2024-02-07 09:51:40 thehackernews NATION STATE ACTIVITY Pall Mall Process: Uniting Against Global Spyware Threats
A global coalition of governments and technology companies has agreed to curb the misuse of commercial spyware. The Pall Mall Process aims to establish principles and policies for the responsible development, sale and use of commercial cyber intrusion tools, protecting human rights and cyber stability. Thousands of people are affected by spyware campaigns each year, often through "zero-click" exploits that compromise a device without any user interaction. Countries that host commercial surveillance vendors, such as Israel, and countries implicated in past abuses, such as Hungary and Mexico, did not join the initiative. The U.S. Department of State intends to deny visas to individuals tied to the misuse of commercial spyware. Google's Threat Analysis Group is tracking about 40 commercial firms in this market and attributes a number of recently exploited zero-day vulnerabilities to them. Spyware abuse threatens journalists, activists, lawyers and dissidents, underscoring the need for effective international regulation and cooperation.
2024-02-07 08:35:02 theregister NATION STATE ACTIVITY Commercial Spyware Industry Thrives Amidst Government Countermeasures
The commercial spyware market keeps expanding despite efforts by governments and tech giants to rein it in, with Google TAG tracking about 40 surveillance vendors. Of the 25 zero-days TAG found exploited in the wild in 2023, it attributes 20 to commercial spyware vendors. Victims include human rights advocates and journalists, and some cases have led to detention and even death. The United States has introduced visa restrictions for individuals linked to spyware abuse and barred the federal government from using certain spyware products. An international agreement led by the UK and France, joined by 35 nations, aims to address the proliferation and irresponsible use of commercial cyber intrusion tools. The spyware economy remains largely opaque, with little shared data on threats, pricing or operations, which hampers an effective response.
2024-02-07 06:32:56 thehackernews NATION STATE ACTIVITY Chinese Hackers Compromise Dutch Military by Exploiting Fortinet Flaw
Chinese state-backed actors infiltrated a Dutch military R&D network by exploiting a flaw in Fortinet FortiGate devices. The intrusion hit a segregated system used for unclassified research and development by fewer than 50 users and did not affect the main defense network. The attackers exploited the critical FortiOS SSL-VPN vulnerability CVE-2022-42475 to execute arbitrary code and deploy the COATHANGER backdoor. COATHANGER is built for stealth and persistence: it evades detection and survives both reboots and firmware updates, so patching a device that was already compromised does not evict it; devices that were exposed while unpatched should be checked using the indicators and detection methods published with the Dutch advisory. This is the first time the Netherlands has publicly attributed a cyber espionage operation to China. The disclosure coincides with recent U.S. action against Chinese botnets and follows reports of China-linked groups using Fortinet zero-days for data theft and command execution.
2024-02-07 05:11:27 thehackernews CYBERCRIME JetBrains TeamCity Flaw Allows Full Server Control if Unpatched
JetBrains has issued an alert for a critical flaw in TeamCity On-Premises that could let attackers gain administrative control of the server. The vulnerability, CVE-2024-23917, carries a CVSS score of 9.8 out of 10. It affects TeamCity versions 2017.1 through 2023.11.2 and is fixed in 2023.11.3. A security patch plugin is available for users who cannot upgrade immediately. JetBrains recommends temporarily taking internet-accessible servers offline if they cannot be promptly updated or patched. There is no evidence of exploitation yet, but a similar vulnerability (CVE-2023-42793) was picked up by ransomware groups and nation-state actors within days of disclosure.
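A version triage for the two TeamCity items above (The Register's and The Hacker News' coverage of CVE-2024-23917), as an added example that is not JetBrains' code or the articles': it classifies a TeamCity version string against the advisory's stated affected range (2017.1 through 2023.11.2, fixed in 2023.11.3). The HTML footer snippet it parses is constructed for the example; the assumption is that you obtain the version string from the server's login page or REST API in your own inventory tooling.

```python
import re

# Range published by JetBrains for CVE-2024-23917.
FIRST_AFFECTED = (2017, 1)
FIRST_FIXED = (2023, 11, 3)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")
# Assumed footer format, e.g. "Version 2023.11.2 (build 147512)"; constructed here.
_FOOTER_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)\s*\(build\s+\d+\)")


def parse_version(text: str) -> tuple:
    """Extract the dotted numeric version from strings like '2023.11.2 (build 147512)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so (2023, 11) compares as (2023, 11, 0)."""
    return v + (0,) * (n - len(v))


def assess_cve_2024_23917(version_text: str) -> str:
    """Return 'vulnerable', 'fixed', or 'outside_range' for the given version.

    'outside_range' covers releases older than 2017.1, which the advisory does
    not list; treat those as unsupported and upgrade them regardless.
    """
    v = parse_version(version_text)
    n = max(len(v), len(FIRST_AFFECTED), len(FIRST_FIXED))
    v, lo, hi = _pad(v, n), _pad(FIRST_AFFECTED, n), _pad(FIRST_FIXED, n)
    if v < lo:
        return "outside_range"
    if v < hi:
        return "vulnerable"
    return "fixed"


def version_from_login_page(html: str) -> str:
    """Pull the version out of a login-page footer (format is an assumption)."""
    m = _FOOTER_RE.search(html)
    if not m:
        raise ValueError("version footer not found")
    return m.group(1)


def triage_servers(inventory: dict) -> dict:
    """Map {server_name: version_text} to {server_name: assessment}."""
    return {name: assess_cve_2024_23917(ver) for name, ver in inventory.items()}


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = {
    "ci-prod": "2023.11.2 (build 147512)",
    "ci-legacy": "2022.04.4",
    "ci-new": "2023.11.3",
}

if __name__ == "__main__":
    sample_html = '<div class="footer">Version 2023.11.2 (build 147512)</div>'
    print(version_from_login_page(sample_html))
    for name, status in triage_servers(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Tuple comparison with zero padding handles the mixed version shapes TeamCity has used (2017.1, 2022.04.4, 2023.11.2) without special cases, and returning three states rather than a boolean keeps pre-2017.1 installs visible in reports instead of silently passing as "not affected".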
2024-02-07 01:02:21 theregister MISCELLANEOUS Iconic DEF CON Hacking Conference Loses Venue, Finds New Home
Caesars Entertainment, DEF CON's long-time host, abruptly canceled the conference's booking, citing only an unexplained "strategy change." The cancellation came without warning and left the organizers scrambling for a new location. The conference will nonetheless go ahead at the Las Vegas Convention Center and the Sahara hotel, with more space and amenities than before. Founder Jeff Moss said the move will allow experiences that were not possible in the previous setup. Relations between DEF CON attendees and Caesars have been tense before, including a ban on a speaker and hotel security concerns. Attendees are also seen by hotels as less lucrative than typical guests, since they tend to gamble less and spend more time in their rooms.
2024-02-06 21:59:16 theregister DATA BREACH Mozilla Launches Paid Service to Remove Personal Data from Brokers
Mozilla has added a paid tier to its Monitor service, Mozilla Monitor Plus, that requests removal of subscribers' personal information from data brokers. The expansion is part of Mozilla's push to diversify revenue; the Plus tier costs $8.99 per month, billed annually at $107.88. Mozilla Monitor originally only alerted users when their information appeared in breaches listed in the Have I Been Pwned database. Monitor Plus works with more than 190 data broker sites to request deletion of personal information, which Mozilla says is twice the coverage of some competitors. Attention to data privacy has grown with regulations such as Europe's GDPR and the California Consumer Privacy Act, and legislators are increasingly focused on data brokers. California's Delete Act will introduce a single deletion mechanism, which may reduce the need for services like Monitor Plus in that state by 2026. Until broader privacy laws arrive, Monitor Plus and similar services act as a stopgap in a largely unregulated data broker market.
2024-02-06 19:31:14 theregister DATA BREACH Verizon Insider Error Exposes 63K Employees' Personal Data
Verizon is notifying more than 63,000 people, mostly current employees, of a privacy incident in which an insider gained improper access to a file containing personal information. Classified as both "inadvertent disclosure" and "insider wrongdoing," the incident was reported to the Maine Attorney General under state breach-notification law. Exposed data includes names, addresses, Social Security numbers or other national identifiers, gender, union status, dates of birth and compensation details. Verizon says there is no evidence the information was used maliciously or shared outside the company. The company is conducting an internal review and has not said what action it took regarding the employee responsible. It is strengthening technical controls to prevent a repeat and offering affected individuals two years of free credit monitoring and identity protection. Verizon's previous security incident, in October 2022, involved a data compromise and attempted SIM-swapping attacks on prepaid customers' accounts.