Daily Brief

Articles are listed below; the summary under each title is automatically generated.

Total articles found: 11773

Checks for new stories every ~15 minutes

2024-02-06 17:31:54 bleepingcomputer NATION STATE ACTIVITY Spyware Vendors Dominate Zero-Day Exploits, Google Reports
Commercial spyware vendors were behind 80% of the zero-day exploits that Google's Threat Analysis Group caught being used in the wild in 2023. Google tracks around 40 such vendors and has traced 35 of the 72 known in-the-wild zero-day exploits against its products over the last decade back to them. Most of those zero-days hit Chrome and Android, followed by Apple iOS and Windows. The vendors' government customers aim the tools at journalists, human rights defenders and political figures, and the vendors charge millions of dollars for exploit chains and licenses. Zero-day hunting has become increasingly aggressive, with spyware vendors developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023. Every vulnerability Google finds and patches imposes a real cost on these vendors by burning exploits and disrupting their operations and business model, yet demand and lucrative contracts persist, which is why Google is calling for broader international action against spyware proliferation. On the defensive side, Google points to Safe Browsing, Gmail security features, the Advanced Protection Program and Google Play Protect, and to its practice of publishing threat intelligence.
2024-02-06 17:31:54 bleepingcomputer CYBERCRIME JetBrains TeamCity Servers Plagued by Critical Auth Bypass Flaw
JetBrains has warned of a critical authentication bypass vulnerability, CVE-2024-23917, in TeamCity On-Premises. It affects every TeamCity On-Premises release from 2017.1 through 2023.11.2 and lets an unauthenticated attacker with HTTP(S) access to the server bypass authentication and gain administrative control, which on a CI server amounts to remote code execution with no user interaction. Administrators are strongly encouraged to upgrade to 2023.11.3; if that cannot happen immediately, the server should be made unreachable from the internet until it is patched. For affected versions that cannot be upgraded right away, JetBrains also provides a security patch plugin that closes the hole. TeamCity Cloud has already been patched, and there is no indication of exploitation so far, though it is unknown how many exposed on-premises servers have been updated. The flaw resembles CVE-2023-42793, which APT29 and other groups exploited in late 2023, and carries the same risk: control of a build server can be turned into tampering with build artifacts and a software supply chain attack on downstream users. TeamCity is used by more than 30,000 organizations worldwide, including large companies across many sectors. Shadowserver counts over 2,000 TeamCity servers exposed online; how many of those have been patched is not known.
2024-02-06 17:21:16 theregister NATION STATE ACTIVITY Dutch Defense Thwarts Chinese State-Sponsored Cyber Espionage Attempt
The Dutch Ministry of Defense (MoD) disclosed that Chinese state-sponsored actors broke into one of its networks in 2023. The attackers exploited CVE-2022-42475, a known heap-based buffer overflow in the SSL VPN component of Fortinet FortiGate firewalls (patched by Fortinet in December 2022), and then installed previously unseen malware named Coathanger. Coathanger is a second-stage remote access trojan (RAT) built to evade traditional detection and to survive reboots and firmware updates. The affected network was segmented from the rest of the MoD's infrastructure, which contained the intrusion and limited its impact. The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) published technical details and indicators of compromise (IOCs) so other organizations can check for the implant. Because the malware persists across updates, the only reliable remediation is a full reformat of affected devices; victims are urged to contact their national cybersecurity authority. The public attribution is intended to raise international resilience against Chinese cyber espionage, which the Dutch services describe as part of a broader pattern of political espionage.
2024-02-06 16:03:57 bleepingcomputer DATA BREACH Verizon Insider Triggers Data Breach Affecting Over 63,000 Employees
Verizon Communications has reported an insider data breach affecting 63,206 of its employees. On September 21, 2023 a Verizon employee gained unauthorized access to a file containing employee data; the fields exposed vary per person but include sensitive personal information. Verizon did not discover the access until nearly three months later, on December 12, 2023. There is currently no evidence that the data was misused or shared outside the company. Verizon says it is strengthening internal controls to prevent a repeat and has notified regulators. Affected employees are being offered two years of identity theft protection and credit monitoring. According to Verizon, no customer data was involved. Verizon's previous notable incident was in October 2022, when attackers accessed prepaid customer accounts and used them to attempt SIM swaps.
2024-02-06 15:48:16 theregister CYBERCRIME EquiLend Overcomes Ransomware Attack, Operational Status Restored
EquiLend, a major securities-finance technology provider, has fully restored client-facing services following a disruptive ransomware attack. The company, backed by several large Wall Street institutions, operates the Next Generation Trading (NGT) platform, a central system in the securities lending market. Internal teams and outside experts handled the recovery, but EquiLend has not said how the attackers got in or how much data was affected. Reports attribute the attack to the LockBit ransomware group, and EquiLend has not confirmed whether a ransom was paid. LockBit did not post EquiLend's data on its leak site, which is often a sign of ongoing ransom negotiations. EquiLend has described its backups as "rigorous," which may have allowed it to refuse the attackers' demands and restore from backups instead. So far there is no evidence that client transaction data was accessed or exfiltrated. The attack came shortly after EquiLend announced the sale of a majority stake to the private equity firm Welsh, Carson, Anderson & Stowe.
2024-02-06 15:02:06 bleepingcomputer MISCELLANEOUS AI SPERA Launches Criminal IP ASM on Microsoft Azure
AI SPERA's Criminal IP ASM, an advanced cybersecurity solution, is now available on the Microsoft Azure Marketplace. AI SPERA, a certified ISV partner of Microsoft, offers technologies enhancing Azure's functionality and security. Criminal IP ASM provides Automated Attack Surface Management to monitor internet-connected assets with just a domain address. It features IP-based security monitoring to swiftly detect vulnerabilities and risks, streamlining the management of a company's attack surface. The solution automates IT security tasks, improves detection times, eliminates false positives, and discovers previously unmonitored assets and vulnerabilities. Criminal IP ASM supports continuous threat exposure management and offers sector-specific proactive responses. AI SPERA has established partnerships with over 40 global security firms and offers services in multiple languages to users in over 160 countries.
2024-02-06 14:16:03 thehackernews MALWARE Fake Facebook Ads Distribute New 'Ov3r_Stealer' Malware to Target Users
Threat actors are using fake Facebook job ads to distribute a new information stealer named Ov3r_Stealer, which harvests credentials, cryptocurrency wallets and other personal data from infected machines. The infection chain starts with a weaponized PDF that leads to an internet shortcut (.url) file and ends with a PowerShell script that runs the Ov3r_Stealer payload. The campaign uses a fake Facebook account and ads impersonating Amazon CEO Andy Jassy. Researchers suspect the malware may be sold on or repurposed as a loader for additional payloads. Trustwave SpiderLabs noted code overlaps between Ov3r_Stealer and the Phemedrone Stealer. Separately, Hudson Rock reports that some threat actors are using infostealer infections to advertise unauthorized access to the law enforcement request portals of major tech firms. The activity fits a broader trend of infostealer and ransomware distribution through lures such as cracked software.
2024-02-06 14:10:36 thehackernews CYBERCRIME Security Flaws Uncovered in Azure HDInsight Big Data Services
Researchers at Orca have identified three vulnerabilities in Azure HDInsight, Microsoft's managed service for Apache Hadoop, Kafka and Spark. Two of them allow privilege escalation and the third creates a regular-expression denial-of-service (ReDoS) condition. The two privilege escalation bugs let an attacker who already has a foothold on a cluster gain cluster administrator rights; one of them is an XML External Entity (XXE) injection caused by inadequate validation of user-supplied XML, which allows reading files as root and escalating privileges. The ReDoS flaw in Apache Oozie also stems from missing input validation: a crafted input drives the regular-expression engine into intensive backtracking loops and exhausts the service. Microsoft fixed all three in its October 26, 2023 update after Orca's responsible disclosure. The report also recalls Orca's earlier findings of eight significant flaws in Azure HDInsight and a "potential abuse risk" in Google Cloud Dataproc clusters due to lax security controls.
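Added example, not code from Orca, Microsoft or any HDInsight component: the mechanism behind an XXE file read, shown with Python's xml.sax parser. The attacker's document declares an external entity backed by a local file; a parser configured to resolve external general entities inlines the file's contents into the parsed data, while the same parser with that feature off returns nothing from the entity. The secret file, its contents, the element names and the `parse_config` function are constructed for the demonstration.

```python
"""XXE file read: a SAX parser that resolves external entities inlines a local
file into the document; the same document with that feature off leaks nothing.
Constructed example, not code from Orca, Microsoft or any HDInsight component."""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers all character data the parser reports, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def parse_config(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse untrusted XML and return its text content.

    resolve_external_entities=True is the vulnerable configuration: the parser
    fetches whatever SYSTEM identifier the DTD names. False (the default in
    current Python releases) is the hardened one: external general entities
    are skipped instead of fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text().strip()


def build_xxe_payload(file_uri: str) -> bytes:
    """Attacker-controlled document: declares an entity backed by a local file
    and references it inside an element the application is going to read."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        '<config><name>&xxe;</name></config>\n'
    ).encode()


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a root-readable secrets file on a cluster node.
        secret = Path(d) / "secret.properties"
        secret.write_text("db.password=hunter2\n")
        payload = build_xxe_payload(secret.as_uri())
        leaked = parse_config(payload, resolve_external_entities=True)
        blocked = parse_config(payload, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser:", repr(leaked))
    print("hardened parser:  ", repr(blocked))
```

The fix is a parser setting, not input validation: any component that accepts XML from users should disable external entity resolution and DTD processing outright (or parse with defusedxml, which rejects documents that declare entities), because a blocklist on the document text cannot anticipate every encoding of a SYSTEM identifier.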
2024-02-06 13:34:36 theregister CYBERCRIME Critical Vulnerabilities in FortiSIEM Expose Customers to Attack
Two critical vulnerabilities, CVE-2024-23108 and CVE-2024-23109, have been disclosed in Fortinet's FortiSIEM. Both are OS command injection flaws in the FortiSIEM supervisor that let a remote, unauthenticated attacker execute commands via crafted API requests with no user interaction; each carries the maximum CVSS score of 10. The disclosure caused confusion because Fortinet's advisory page for the new CVEs pointed back to an issue it had already addressed and was not updated with new information. As with the FortiSIEM flaw patched in October 2023, the impact may extend to additional or newer versions of the product. The entries are still under review in the National Vulnerability Database, and clarification from Fortinet is pending. Affected versions run from 6.4.0 through the latest 7.1.1; no public exploit is available yet. Customers on the 7.1 branch are urged to upgrade to 7.1.2, and fixed releases for the other affected branches are expected soon.
2024-02-06 11:01:11 thehackernews MISCELLANEOUS Multimedia Giant Bolsters SaaS Security, Reaps 201% ROI with SSPM
A multimedia corporation with $10 billion annual revenue leveraged Adaptive Shield's SaaS Security Posture Management (SSPM) to significantly improve their security posture. Forrester Consulting's Total Economic Impact™ (TEI) study highlighted a 201% ROI and notable qualitative security improvements after the SSPM implementation. Prior to SSPM deployment, the company contended with misconfigurations and communication gaps between app owners and security teams, along with regulatory compliance issues. The study found that SSPM usage resulted in a 30% increase in security posture, better collaboration across teams, and improved operational efficiencies. Automation features of SSPM allowed security staff to shift focus from configuration interviews to strategic security management and continuous compliance. Operational efficiency, compliance review improvements, and enhanced collaboration collectively led to $2.18 million in benefits over three years against costs of around $724,000. The payback period was under six months, justifying the investment in SSPM by demonstrating significant, measurable return on investment and operational advantages in SaaS security.
2024-02-06 10:20:24 theregister CYBERCRIME Akira and 8Base Dominate Among New 2023 Ransomware Gangs
More than 25 new ransomware gangs emerged in 2023, with Akira and 8Base the most prominent, a sign that the prospect of large ransom payments keeps drawing new entrants. Increased law enforcement scrutiny and stiff competition also killed off five of the new operations within their first year. Established groups such as LockBit and ALPHV/BlackCat set the bar, so newcomers must offer competitive affiliate terms and capable ransomware payloads to attract affiliates. Many of the new gangs are rebrands of, or otherwise linked to, earlier operations: at least 12 of the 25 have connections to prior groups. Akira, which has ties to the former Conti group, and 8Base, which is related to Phobos, accounted for a significant share of 2023 ransomware incidents, with Akira growing fastest. International law enforcement shut down several operations, including Hive, Ragnar Locker and Trigona, but the article argues that without a ban on ransom payments such takedowns have limited lasting effect. The newly established WereWolves group rose rapidly to prominence late in the year, a reminder that the fight against ransomware is far from won.
2024-02-06 10:15:05 thehackernews CYBERCRIME APAC Job Boards Compromised by ResumeLooters Cybercrime Group
A threat actor tracked as ResumeLooters targeted employment platforms across the Asia-Pacific region and stole data on millions of job seekers. About 65 job search websites were compromised between November and December 2023, exposing more than 2 million unique email addresses. The group used SQL injection to pull personal details, employment history and resumes out of the sites' databases, then sold the data in Telegram channels, which points to a purely financial motive. Group-IB also found cross-site scripting (XSS) payloads injected into legitimate job sites; the injected scripts served phishing pages and stole administrator credentials. Most victim sites were in India, Taiwan, Thailand, Vietnam, China, Australia and Turkey, with further cases in Brazil, the U.S., Russia, Mexico and Italy. ResumeLooters relied on off-the-shelf tooling such as sqlmap, BeEF, Metasploit, dirsearch and xray, and was helped by weak security and database hygiene at the victim sites. Group-IB warns that SQL injection remains prevalent and effective in the APAC region even though it is one of the oldest and best-understood web vulnerability classes.
2024-02-06 07:01:12 thehackernews CYBERCRIME Exploitation of Ivanti VPN Vulnerability Ramps Up Worldwide
A server-side request forgery (SSRF) vulnerability in Ivanti's VPN products is being exploited at scale now that details are public. Security researchers have observed more than 170 unique IP addresses attempting to exploit CVE-2024-21893 to obtain a reverse shell. The flaw sits in the appliances' SAML component and is rooted in the Shibboleth XMLTooling library, where the same bug was tracked as CVE-2023-36661 and fixed upstream in June 2023. Ivanti has now shipped official patches after attackers bypassed its initial mitigation. A proof-of-concept exploit published by Rapid7 chains the SSRF with the earlier command injection flaw CVE-2024-21887 to achieve unauthenticated remote code execution. Mass exploitation began once the vulnerability details and the PoC were public. Ivanti's VPN appliances have also been found to ship outdated software components, which adds further risk. Scans have found 28,474 Ivanti Connect Secure and Policy Secure instances exposed globally, 610 of them showing signs of compromise.
2024-02-06 07:01:12 bleepingcomputer CYBERCRIME Over 2 Million Job Seekers' Data Stolen by 'ResumeLooters' Group
The 'ResumeLooters' threat group compromised 65 job listing and retail websites and stole personal data belonging to more than two million people. Victims are mostly in the APAC region, including Australia, China and India; the stolen records include names, contact details and employment history. The main techniques were SQL injection, to read data straight out of back-end databases, and XSS, to plant scripts that phish visitors and administrators. The group used open-source penetration testing tools to find exploitable flaws before injecting its scripts across the sites. Group-IB spotted the stolen data for sale on Telegram and found an operational security mistake by the attackers that exposed their methods and level of access. Language in the group's communications and its choice of tools suggest it is China-based. The data is being sold to other criminals for profit, leaving those affected exposed to follow-on fraud and phishing.
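An added example, not code from Group-IB or any of the compromised sites, covering both ResumeLooters items above: the kind of SQL injection that turns a job-search form into a dump of the candidate table, beside the parameterized query that closes it. It runs against an in-memory SQLite database with constructed job and candidate rows; the table and column names and the `search_jobs_*` functions are assumptions for the demo.

```python
"""SQL injection against a job-board search: the vulnerable query beside the
parameterized one. Constructed example on an in-memory SQLite database; not
code from Group-IB or any compromised site. Table/column names are assumed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a tiny job board: public job listings plus a private candidate table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, city TEXT)")
    conn.execute("CREATE TABLE candidates (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    # Constructed sample data.
    conn.executemany("INSERT INTO jobs (title, city) VALUES (?, ?)",
                     [("Backend Engineer", "Taipei"), ("Data Analyst", "Bangkok")])
    conn.executemany("INSERT INTO candidates (email, phone) VALUES (?, ?)",
                     [("alice@example.com", "+886-900-000-001"),
                      ("bob@example.com", "+66-80-000-0002")])
    return conn


def search_jobs_vulnerable(conn: sqlite3.Connection, city: str):
    """String-built query: whatever the user types becomes part of the SQL grammar."""
    sql = f"SELECT title, city FROM jobs WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def search_jobs_safe(conn: sqlite3.Connection, city: str):
    """Parameterized query: the value travels separately and cannot alter the statement."""
    return conn.execute("SELECT title, city FROM jobs WHERE city = ?", (city,)).fetchall()


# A UNION-based payload of the kind sqlmap automates: it closes the string
# literal, appends a second SELECT over the private candidate table (same
# column count as the original query), and comments out the dangling quote.
UNION_PAYLOAD = "x' UNION SELECT email, phone FROM candidates--"


def demo():
    """Return (rows leaked by the vulnerable search, rows from the safe search
    given the same payload, rows from a legitimate safe search)."""
    conn = make_db()
    leaked = search_jobs_vulnerable(conn, UNION_PAYLOAD)  # candidate emails and phones
    blocked = search_jobs_safe(conn, UNION_PAYLOAD)       # []: no city has that literal name
    normal = search_jobs_safe(conn, "Taipei")
    return leaked, blocked, normal


if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("vulnerable search:", leaked)
    print("parameterized search, same payload:", blocked)
    print("parameterized search, real city:", normal)
```

Parameterization is the whole fix; escaping quotes by hand or filtering keywords leaves gaps that tools like sqlmap probe for automatically. Running the application's database account with read access only to the tables a given page needs would have limited what a successful injection could reach.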
2024-02-06 05:08:51 thehackernews NATION STATE ACTIVITY U.S. Sets Visa Bans on Perpetrators of Illicit Spyware Surveillance
The U.S. has introduced visa restrictions on people connected to the misuse of commercial spyware against members of civil society. Secretary of State Antony Blinken stressed the threat such abuse poses to privacy and basic freedoms. The policy is meant to create accountability and covers not only those who direct or use the spyware but also those who profit from it and the companies that develop and sell the tools. How the restrictions will be enforced against nationals of visa waiver countries is unclear; they may be required to apply for visas. The decision follows reports of illegal surveillance in the Middle East in which journalists and activists were targeted with NSO Group's Pegasus spyware. Earlier measures include adding the spyware vendors NSO Group and Candiru to the U.S. trade blocklist and a presidential executive order barring federal agencies from using suspect commercial spyware; two further companies, Intellexa and Cytrox, were added to the blocklist in July 2023. A GCHQ assessment says more than 80 countries have acquired commercial cyber intrusion software over the past decade.