Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11769
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-01 17:13:50 | bleepingcomputer | MALWARE | PurpleFox Malware Compromises Over 2,000 Computers in Ukraine | CERT-UA warns of PurpleFox malware infecting at least 2,000 computers across Ukraine.
PurpleFox, also known as DirtyMoe, is a modular Windows botnet malware with rootkit capabilities for concealment and persistence.
The malware serves multiple functions including acting as a downloader for further payloads, providing backdoor access, and enabling DDoS attacks.
New versions of PurpleFox have switched to WebSocket for C2 communications, increasing stealth, with disguised campaigns like a counterfeit Telegram desktop app.
Ukrainian computers were identified as infected through IoCs provided by Avast and TrendMicro, monitored over January 20-31, 2024.
CERT-UA advises isolation and network segmentation for outdated systems alongside specific removal recommendations due to the challenges posed by PurpleFox's rootkit component.
The majority of identified control server IP addresses associated with infections are located in China, hinting at the potential origin of attacks.
The agency provides guidance on detecting infections and emphasizes the significance of firewall rules to prevent re-infection. | Details |
| 2024-02-01 15:51:48 | thehackernews | MALWARE | FritzFrog Botnet Exploits Log4Shell and PwnKit Flaws for Malware Spread | The FritzFrog P2P botnet has resurfaced with a new variant that exploits the Log4Shell vulnerability for internal network propagation.
Originally detected in 2020, the Golang-based malware targets internet-facing servers with weak SSH credentials, primarily aiming at the healthcare, education, and government sectors.
The current technique takes advantage of unpatched internal systems, even if external defenses are updated, by targeting non-public assets.
The updated FritzFrog version uses SSH brute-force attacks with enhanced targeting, leveraging system log enumeration on infected hosts.
The malware now incorporates PwnKit, tracked as CVE-2021-4034, to achieve local privilege escalation.
FritzFrog is designed to remain undetected, avoiding file drops on the disk by using in-memory payloads via /dev/shm and memfd_create.
Akamai's report also noted a separate InfectedSlurs botnet that exploits patched vulnerabilities in DVR devices from Hitron Systems for DDoS attacks. | Details |
| 2024-02-01 15:36:00 | bleepingcomputer | CYBERCRIME | Unofficial Patches Released for New Windows Zero-Day Vulnerability | A new zero-day flaw, known as EventLogCrasher, allows attackers to remotely crash the Event Log service on Windows devices.
The vulnerability impacts all versions of Windows, from Windows 7 to Windows 11, and Server editions from 2008 R2 to Server 2022.
Microsoft has acknowledged the flaw but has not provided an official patch, stating that the issue was a duplicate of a 2022 vulnerability.
Varonis, a software company, disclosed a similar unpatched flaw named LogCrusher, which could be exploited by any domain user to crash the Event Log service.
To exploit the zero-day, attackers require network access to the target device and any valid credentials, enabling them to disrupt logging and evade detection.
The Event Log service crash affects SIEM and IDS systems, preventing the ingestion of new events and thus hindering security alerts.
0patch, a micropatching service, has released free unofficial patches for the vulnerability, available until Microsoft issues official security updates.
Users can apply the unofficial patches without a system restart by creating a 0patch account and installing the 0patch agent on their Windows systems. | Details |
| 2024-02-01 14:19:02 | theregister | CYBERCRIME | LockBit Ransomware Gang Demands $800K from Children's Hospital | Ransomware group LockBit attacked Saint Anthony Hospital in Chicago, demanding a $800,000 ransom, despite the hospital's non-profit status.
The hospital confirmed the cyberattack and stated that files containing patient information were copied, but no medical or financial records were accessed.
Patient care continued without interruption, and Saint Anthony Hospital has taken steps to enhance security and is cooperating with investigations by the FBI and regulatory bodies.
LockBit has previously shown leniency towards non-profits, even apologizing and providing a decryptor for a similar incident involving Toronto's SickKids hospital.
The criminal organization is now demonstrating a more ruthless approach, indicating a shift in their policy and highlighting potential ignorance or disregard for the nature of non-profit entities.
All patients have been advised to monitor for identity or financial fraud and offered a year of free credit monitoring as Saint Anthony reviews and notifies those affected by the data theft. | Details |
| 2024-02-01 13:52:59 | bleepingcomputer | CYBERCRIME | CISA Mandates Immediate Disconnect of Vulnerable Ivanti VPNs | The Cybersecurity and Infrastructure Security Agency (CISA) has ordered the disconnection of Ivanti VPN appliances due to exploitation of multiple security vulnerabilities.
Federal agencies must disconnect Ivanti Connect Secure and Policy Secure VPN appliances by Saturday to avoid potential breaches.
Ivanti has released patches for certain software versions and provided mitigations for its Connect Secure, Policy Secure, and ZTA gateways.
Ivanti recommends factory resetting vulnerable devices before patching to eliminate any attackers' foothold.
Over 22,000 Ivanti ICS VPNs are exposed online, and nearly 390 devices were found compromised as of January 31.
After disconnecting, agencies must hunt for signs of compromise and monitor at-risk authentication services, audit privileges, and isolate systems.
A comprehensive recovery plan includes factory resets, software rebuilds using patched versions, revocation of exposed credentials, and assuming domain account compromise with necessary resets and revocations.
Federal agencies must report progress and status to CISA and regularly update until all required actions are completed or the directive is otherwise terminated. | Details |
| 2024-02-01 13:42:31 | thehackernews | MALWARE | Commando Cat Targets Exposed Docker APIs in Cryptojacking Campaign | A sophisticated cryptojacking campaign dubbed Commando Cat is exploiting internet-facing Docker API endpoints.
Security researchers from Cado Security reported the attackers deploy benign containers to escape and execute multiple payloads on Docker hosts.
Active since early 2024, Commando Cat follows on the heels of a similar campaign targeting vulnerable Docker hosts for cryptocurrency mining.
Commando Cat's modus operandi consists of gaining initial access via Docker, establishing persistence, exfiltrating credentials, and deploying the XMRig miner.
Attackers use a crafted container with the chroot command to break out of container restrictions and run various checks to avoid competition with other malware.
Additional payloads include backdooring the host, adding a rogue user, collecting credentials, and employing evasion tactics like using memory-backed file storage for operations.
The campaign culminates in the deployment of XMRig after removing competing miners, indicating a focus on financial gain through cryptojacking.
Linkage to previous cryptojacking groups such as TeamTNT suggests the possible involvement of a copycat group or related actors. | Details |
| 2024-02-01 11:45:00 | thehackernews | NATION STATE ACTIVITY | U.S. Authorities Dismantle Chinese-Linked KV-Botnet Targeting Routers | The U.S. government has disrupted a China-linked botnet, known as KV-botnet, that compromised small office/home office (SOHO) routers.
Law enforcement activities were aimed at a threat actor called Volt Typhoon (aka DEV-0391, Bronze Silhouette, Vanguard Panda) with suspected state sponsorship.
Most affected routers were end-of-life Cisco and NETGEAR devices no longer supported by security updates, making them vulnerable to exploitation.
The botnet facilitated covert data transfer and anonymized cyber espionage activities by creating encrypted channels through compromised routers.
An FBI operation remotely removed the botnet malware and took additional steps to cut off the connection to the command-and-control network.
Victims were being notified about the botnet and the infection, while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released new guidelines for SOHO device security.
The measures to remove the routers from the botnet are temporary and devices could be reinfected upon reboot.
The Chinese government denied any involvement, terming the allegations a "disinformation campaign." | Details |
| 2024-02-01 11:23:53 | thehackernews | MALWARE | HeadCrab 2.0: Enhanced, Fileless Malware Hits Redis Servers | The malware HeadCrab, first reported a year ago, has been updated to a new variant called HeadCrab 2.0, targeting Redis database servers for crypto mining.
Aqua's researchers report that the number of infected Redis servers has nearly doubled, with an additional 1,100 servers compromised, bringing the total to around 2,300.
HeadCrab 2.0 can execute shell commands, load fileless kernel modules, and exfiltrate data, forming a botnet for cryptocurrency mining without the need to store files on disk.
The threat actor behind HeadCrab justifies their actions by stating that cryptocurrency mining is legal in their country, aiming to earn $15,000 annually.
This updated malware version employs advanced evasion techniques, including a fileless loader and using the MGET command for covert command-and-control communications.
The malware's evolution to minimize its forensic trail poses significant challenges for detection and highlights the need for ongoing security research and vigilant monitoring. | Details |
| 2024-02-01 11:23:53 | thehackernews | MISCELLANEOUS | Enhancing Your Vulnerability Management with Succinct Metrics | Effective vulnerability management requires key metrics to assess program performance and ROI.
Prioritization of vulnerabilities based on severity and business impact is critical to maintaining security.
Vital metrics include scan coverage, average time to fix, risk score, issue detection time, and progress measurement.
Scan coverage should encompass all assets, with attention to changes and growth in your IT environment.
The average time to fix indicates the responsiveness of the security team to vulnerabilities.
Intelligent results and reduction of false positives help security teams focus on the most critical issues.
Attack surface monitoring is essential to keep track of protected assets and detect new services or exposures.
Tools like Intruder provide prioritized reporting, simplifying compliance and risk management for organizations. | Details |
| 2024-02-01 07:45:49 | thehackernews | MALWARE | New Malware Targets Ivanti VPN Vulnerabilities, Linked to China | Google's Mandiant identified new malware exploiting Ivanti VPN vulnerabilities, linked to China-nexus espionage group UNC5221.
Custom web shells BUSHWALK, CHAINLINE, FRAMESTING, and a LIGHTWIRE variant were used in the sophisticated attacks.
Attackers exploited zero-days CVE-2023-46805 and CVE-2024-21887, enabling unauthenticated command execution with elevated privileges on Ivanti devices.
Germany's BSI reported multiple compromised systems, highlighting the international impact.
Ivanti disclosed additional vulnerabilities, CVE-2024-21888 and CVE-2024-21893, and released fixes to combat exploitation.
UNC5221's tactics include using open-source utilities for post-exploitation activities such as reconnaissance, lateral movement, and data exfiltration.
The malware and associated attacks showcase UNC5221's strategic targeting of industries valuable to Chinese interests. | Details |
| 2024-02-01 05:12:38 | thehackernews | CYBERCRIME | CISA Alerts on Widespread Exploitation of Apple OS Vulnerability | CISA has identified active exploitation of a severe vulnerability (CVE-2022-48618) in Apple's operating systems.
The flaw affects the kernel component in iOS, iPadOS, macOS, tvOS, and watchOS, with a CVSS score of 7.8.
Apple has acknowledged that this vulnerability allows attackers to bypass Pointer Authentication, potentially affecting versions of iOS released before iOS 15.7.1.
Apple previously patched a similar kernel flaw (CVE-2022-32844) in July 2022 and has since released updates to address CVE-2022-48618 on December 13, 2022.
Details on how CVE-2022-48618 is being exploited in attacks remain unclear, but patches have been available since the release of multiple OS updates in December 2022.
CISA has advised Federal Civilian Executive Branch agencies to implement the fixes by February 21, 2024.
Expanding beyond iOS devices, Apple has also patched a critical WebKit browser engine flaw (CVE-2024-23222) on the Apple Vision Pro headset with the visionOS 1.0.2 update. | Details |
| 2024-02-01 01:33:43 | theregister | NATION STATE ACTIVITY | China's Planned Cyber Operations Threaten U.S. Infrastructure and Society | FBI Director Christopher Wray and other officials briefed the U.S. House committee on Chinese cyber threats targeting American critical infrastructure.
Information discussed includes intent by Chinese hackers to disrupt U.S. water treatment, energy, transportation, and communication systems to incite societal chaos.
The FBI disrupted the activities of a Chinese botnet, Volt Typhoon, that had infected outdated routers and attempted to infiltrate critical infrastructure.
U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly emphasized the real threat posed by Chinese operatives deeply embedded in U.S. critical systems.
The possibility of large-scale disruptions is linked to hypothetical scenarios such as a Chinese invasion of Taiwan and the consequential U.S. support for Taiwan.
There is a cyber imbalance, with Chinese cyber spies greatly outnumbering FBI cyber agents, highlighting the need for enhanced private-public cybersecurity partnerships and skills development.
Officials stress the need for robust cybersecurity measures, urging software companies to be held accountable for the security of their products and advocate for secure-by-design technologies. | Details |
| 2024-01-31 22:35:25 | bleepingcomputer | MALWARE | Hackers Utilize Legitimate Sites to Host USB Malware Payloads | A cybercriminal group, UNC4990, uses USB devices to deploy malware by embedding payloads in legitimate online platforms like GitHub, Vimeo, and Ars Technica.
The malicious campaign, primarily targeting Italian users since 2020, initiates with victims unknowingly activating a harmful LNK shortcut from a USB drive.
The shortcut triggers a PowerShell script that downloads an intermediary payload disguised as benign content on popular sites, which then installs the EMPTYSPACE malware downloader.
These intermediary payloads, hidden in plain sight and encrypted, are downloaded from platforms often considered trustworthy, allowing them to evade typical security detection methods.
The EMPTYSPACE loader subsequently installs a multi-functional backdoor named QUIETBOARD and cryptocurrency miners that have generated over $55,000 for the attackers.
Mandiant researchers emphasize the challenge of such attacks, as they exploit conventional trusted sources and complicate the identification and removal of the malicious payloads.
The sophisticated nature of QUIETBOARD allows for persistent and modular attacks, reflecting the threat actor's ongoing refinement of tactics and experimentation with their attack chains. | Details |
| 2024-01-31 20:02:35 | thehackernews | CYBERCRIME | Multiple runC Vulnerabilities Threaten Container Security | Multiple flaws have been discovered in the runC command line tool that could lead to container escapes and unauthorized host access.
The vulnerabilities, identified as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, allow attackers to potentially access sensitive data and escalate privileges.
runC, integral to Linux container creation and originally part of Docker, is now a critical independent open-source component.
CVE-2024-21626 is particularly severe as it involves misusing the `WORKDIR` command to achieve a container escape.
There are currently no known exploits in the wild leveraging these vulnerabilities.
Updates fixing these vulnerabilities are available in runC version 1.1.12, and immediate updating is advised.
Users are recommended to check for updates from all vendors providing container runtime environments to ensure security.
In the past, runC had addressed a similar high-severity flaw that also allowed attackers to obtain root access on the host. | Details |
| 2024-01-31 19:26:23 | theregister | NATION STATE ACTIVITY | FBI Disrupts Chinese Botnet Targeting US Infrastructure | The FBI successfully issued a remote command to dismantle the Volt Typhoon botnet, which infected outdated routers to compromise US critical infrastructure.
Attackers from China exploited weaknesses in end-of-life Cisco and Netgear routers to establish a network aiming at communication, energy, transportation, and water sectors.
The FBI infiltration led to the harvesting of critical data from the botnet and the subsequent erasure of malware from the affected devices.
Law enforcement utilized court-approved warrants to remotely search for and eliminate the malicious software on compromised routers, seizing pivotal information regarding the illicit activities.
Federal authorities along with international partners first identified the threat in May 2023 and released a public warning about vulnerabilities in small office/home office (SOHO) router interfaces.
The US Cybersecurity Agency and the FBI have urged manufacturers to fix defects and enhance security in SOHO routers to protect against such infiltrations in the future. | Details |