Daily Brief

2024-01-31 19:26:23 theregister NATION STATE ACTIVITY FBI Disrupts Chinese Botnet Targeting US Infrastructure
The FBI dismantled the KV-botnet operated by the Chinese state-backed group Volt Typhoon by sending a remote command to the infected devices. The botnet was built on end-of-life Cisco and Netgear small office/home office (SOHO) routers that no longer receive security updates, and served as a staging point for intrusions into US communications, energy, transportation and water sector organizations. Under court-approved warrants, the FBI remotely searched the compromised routers, collected data about the botnet's operation and deleted the malware from the devices. US agencies and their international partners first warned publicly about Volt Typhoon in May 2023. CISA and the FBI have now urged SOHO router manufacturers to eliminate vulnerabilities in their web management interfaces and to ship secure defaults so that such devices are harder to hijack in future.
2024-01-31 19:26:23 bleepingcomputer DATA BREACH Europcar Debunks Claims of a 50 Million User Data Leak
Europcar denies a data breach after a seller on a hacking forum claimed to offer records for 50 million of its customers. Europcar says the sample posted was fabricated, citing inconsistencies and signs of artificially generated data. The sample allegedly contained names, addresses and driver's license numbers, but they did not match Europcar's records. Security researcher Troy Hunt agrees the data is fake but does not think it was produced by AI: the local parts of the email addresses do not match the names they are paired with, and some of the addresses appear in earlier breaches, which points to a compilation of previously leaked data. Researchers note that freely available tools can produce realistic-looking fake records, which may have been used here. The incident illustrates how hard it can be to validate the authenticity of an alleged breach and how buzzwords like "AI" are misused to lend credibility to such claims.
2024-01-31 19:20:16 theregister RANSOMWARE Dramatic Decline in Ransomware Payments as Trust in Data Recovery Fades
The share of ransomware victims who pay has fallen to 29%, down from 85% in 2019. Better preparation, especially reliable backups, and growing awareness have driven the decline, and Coveware's report notes increasing skepticism that ransomware groups will honor their promises. Payment rates for pure data-exfiltration extortion have also dropped: only 26% of victims now pay, compared with 53% two years ago. Coveware cautions against a nationwide ban on ransomware payments, arguing it would push transactions underground and reduce compliance with reporting requirements. It recommends instead safe-harbor provisions, collaboration with law enforcement and continued promotion of cybersecurity awareness, arguing that changing the incentives for victims and raising the costs for threat actors is what will curb ransomware.
2024-01-31 19:20:16 bleepingcomputer MALWARE Android Flaw Affects Multiple OEMs, PoC Exploit Released
A proof-of-concept exploit for CVE-2023-45779, a local privilege escalation flaw in Android affecting at least seven OEMs, has been published on GitHub. The flaw was discovered by Meta's Red Team X and fixed in the December 2023 Android security update; devices with security patch level 2023-12-05 or later are protected. The root cause is that affected vendors signed APEX modules (the packages Android uses to update core system components) with the publicly available AOSP test keys instead of their own private keys, so anyone can build a module the device will accept as a legitimate update; installing a malicious module yields system-level privileges and full device compromise. Affected devices include models from ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo and Fairphone. The issue exposed gaps in Android's Compatibility Test Suite (CTS) and documentation, which neither caught nor clearly prohibited the use of test keys. Exploitation requires physical access to the device, which keeps the risk to unpatched devices modest on its own, but the flaw is a useful link in a chain with other exploits. Google, Samsung, Xiaomi, OPPO, Sony, Motorola and OnePlus devices were not affected because they sign their APEX modules with vendor-specific private keys.
2024-01-31 19:04:42 bleepingcomputer CYBERCRIME CISA Alerts of Active Exploits Targeting Apple Kernel Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a kernel security flaw in Apple devices is being actively exploited in the wild. The vulnerability, CVE-2022-48618, affects iPhone, iPad, Mac, Apple TV and Apple Watch: an attacker who already has arbitrary kernel read and write capability can use it to bypass Pointer Authentication (PAC), a key memory-corruption mitigation on Apple silicon. Apple's own security researchers discovered the flaw, and it was fixed in iOS 16.2, iPadOS 16.2, macOS Ventura, tvOS 16.2 and watchOS 9.2, although Apple only disclosed it publicly in January 2024. CISA has added it to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 22-01 of November 2021, federal agencies must patch affected systems by February 21. Apple's January updates also addressed the first zero-day of the year and two additional WebKit zero-days across various device models.
2024-01-31 17:47:30 theregister CYBERCRIME Outdated Cisco Vulnerability Linked to Akira Ransomware Attacks
A nearly four-year-old Cisco vulnerability appears to be serving as an entry point for the Akira ransomware group. CVE-2020-3259 is an information-disclosure flaw in Cisco ASA and FTD software, patched in May 2020, that can let an unauthenticated attacker read portions of device memory containing sensitive data such as VPN usernames and passwords. TrueSec's incident response engagements found it used for initial access. No public exploit code exists, suggesting the attackers developed or acquired one privately. TrueSec advises organizations running Cisco ASA with AnyConnect to determine when the fixed version was installed; any period of exposure before that should be treated as a potential credential compromise. In the absence of conclusive evidence, the available indicators point to exploitation: the attackers logged in with legitimate credentials, and there was no sign of phishing or password-guessing attacks that would otherwise explain how they obtained them. Organizations are advised to enforce broad password resets and enable multi-factor authentication (MFA). The vulnerability was originally discovered by a Russian security firm sanctioned by the US, raising the possibility that cybercriminals and nation-state actors share resources or knowledge.
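The indicator TrueSec describes (a successful VPN login with valid credentials, from an address the user has never used, with no failed attempts or phishing preceding it) can be turned into a simple hunt over authentication logs. The script below is an added example written for this brief, not TrueSec's or Cisco's tooling. It runs on a constructed, simplified log format (one line per authentication attempt with user, source IP and result); real Cisco ASA syslog uses different message formats, so the parser is the part you would adapt to your own VPN log source. The baseline cutoff, the one-hour failure lookback and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed, simplified VPN authentication log (NOT real Cisco ASA syslog).
# Each line: ISO timestamp, user, source IP, authentication result.
SAMPLE_LOG = """\
2024-01-10T08:02:11 user=alice src=198.51.100.10 result=ok
2024-01-11T08:05:40 user=alice src=198.51.100.10 result=ok
2024-01-12T09:15:02 user=carol src=192.0.2.44 result=ok
2024-01-30T02:41:09 user=alice src=203.0.113.77 result=ok
2024-01-30T03:10:00 user=bob src=203.0.113.90 result=fail
2024-01-30T03:10:07 user=bob src=203.0.113.90 result=fail
2024-01-30T03:10:15 user=bob src=203.0.113.90 result=fail
2024-01-30T03:11:02 user=bob src=203.0.113.90 result=ok
2024-01-30T09:00:00 user=carol src=192.0.2.44 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into AuthEvents sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not authentication events
        events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                m["user"], m["src"], m["result"] == "ok"))
    return sorted(events, key=lambda e: e.ts)


def find_first_try_logins(events, baseline_end, lookback=timedelta(hours=1)):
    """Return successful logins after `baseline_end` that come from a
    (user, source IP) pair never seen succeeding during the baseline period
    AND were not preceded by any failed attempt for that user within
    `lookback`. A correct password on the first try from an unfamiliar
    address is consistent with harvested credentials; brute force or
    password spraying shows failures first and is a different signal."""
    baseline = {(e.user, e.src) for e in events if e.ok and e.ts < baseline_end}
    flagged = []
    for i, e in enumerate(events):
        if not e.ok or e.ts < baseline_end or (e.user, e.src) in baseline:
            continue
        window_start = e.ts - lookback
        prior_failures = any(
            p.user == e.user and not p.ok and window_start <= p.ts < e.ts
            for p in events[:i]  # events are sorted, so only look backwards
        )
        if not prior_failures:
            flagged.append((e.ts.isoformat(), e.user, e.src))
    return flagged


def audit(log_text, baseline_end_iso, lookback_minutes=60):
    """Convenience wrapper: parse, then hunt with string-typed parameters."""
    return find_first_try_logins(parse_log(log_text),
                                 datetime.fromisoformat(baseline_end_iso),
                                 timedelta(minutes=lookback_minutes))


if __name__ == "__main__":
    # Baseline: logins before 2024-01-20 are assumed to be legitimate history.
    for hit in audit(SAMPLE_LOG, "2024-01-20"):
        print("review:", hit)
```

In the sample, alice's login from 203.0.113.77 is flagged (new address, no failures first), bob's is not because three failures precede it (that pattern belongs to a password-attack detection instead), and carol's is not because the pair was seen in the baseline. Treat hits as leads for the password reset and MFA rollout the article recommends, not as proof of exploitation.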
2024-01-31 17:47:29 bleepingcomputer NATION STATE ACTIVITY FBI Disrupts State-Backed Chinese Botnet Targeting U.S. Infrastructure
The FBI has disrupted the KV Botnet, which is used by the Chinese state-backed hacking group Volt Typhoon, and cleared its malware from numerous small office/home office (SOHO) routers. Affected devices included Netgear ProSAFE and Cisco RV320 routers, DrayTek Vigor routers and Axis IP cameras; routing attack traffic through them let the group blend in with legitimate network activity. The botnet was part of a broader campaign by Chinese hackers against U.S. critical infrastructure sectors, including communications, energy, transportation and water. Under a court order obtained on December 6th, the FBI's operation took control of the botnet's command-and-control (C2) server, disconnected infected devices from it and prevented them from reconnecting. The operation removed the botnet's malware and blocked future communication with the controlling infrastructure. CISA and the FBI advised SOHO router vendors to automate security updates and to prioritize security during the design phase to prevent similar abuse. Earlier disclosures showed Volt Typhoon has been intruding into U.S. military, telecom and other vital organizations since at least mid-2021.
2024-01-31 17:16:42 theregister NATION STATE ACTIVITY Chinese Cyber Espionage Targets Strategic U.S. Systems
Volt Typhoon, a Chinese government-backed cyberespionage group, has infiltrated U.S. energy, satellite, and telecommunications systems, with a focus on strategic sites important in conflicts. The FBI recently disabled parts of Volt Typhoon's cyber campaign, following Dragos CEO Robert Lee's revelation of the group's targeting of industrial control systems (ICS) for about 18 months. Lee warns that Volt Typhoon possesses the resources and expertise to develop advanced industrial malware akin to Pipedream, capable of causing physical destruction across a variety of industries. Pipedream, also known as Incontroller, allows operators to disrupt critical industrial equipment without exploiting specific system vulnerabilities, a threat that cannot be mitigated by software or firmware updates alone. U.S. government agencies have issued warnings against potential attacks by Pipedream on programmable logic controllers and servers from notable vendors, indicating that critical infrastructure remains at risk. The spread of these sophisticated ICS cyber tools to criminals is a concerning possibility, as it could lead to more common and destructive attacks outside of national conflict scenarios. The ease of access to such cyber weapons for criminal groups could result in a surge of devastating attacks on industrial and OT environments, echoing the widespread adoption of tools like Cobalt Strike by ransomware gangs.
2024-01-31 16:15:20 bleepingcomputer NATION STATE ACTIVITY U.S. Agencies Warn of Chinese Hacking Threat Targeting SOHO Routers
CISA, in collaboration with the FBI, has urged SOHO router manufacturers to strengthen their products in response to attacks by the Chinese state-sponsored group Volt Typhoon. Manufacturers are asked to eliminate vulnerabilities in router web management interfaces, improve default configurations and automate security updates. Volt Typhoon is compromising large numbers of SOHO routers and using them as a platform for further intrusions into U.S. critical infrastructure. The guidance also asks vendors to disclose vulnerabilities through the CVE program with accurate CWE classification. The group, which is linked to the KV-botnet malware, has been targeting such devices since August 2022. U.S. critical infrastructure, including military installations in Guam and other key entities, has been compromised by these state-sponsored attacks. Some of Volt Typhoon's infrastructure has reportedly been dismantled by U.S. government action, signalling ongoing countermeasures against the group's operations.
2024-01-31 15:49:36 theregister CYBERCRIME Ivanti Releases Patches for VPN Vulnerabilities Amid Active Exploits
Ivanti has released patches for the vulnerabilities in its Connect Secure and Policy Secure gateways and has disclosed two more zero-days. The vulnerabilities already under exploitation allow remote, unauthenticated code execution, and Ivanti is rolling out patches version by version, prioritised by install base. Admins are urged to factory-reset appliances before patching to remove any persistence an attacker may have established. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers have found ways to bypass Ivanti's earlier mitigations. The newly disclosed high-severity zero-days are CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery). Some product versions remain unpatched, so customers must apply the mitigations and actively monitor for signs of compromise. Ivanti stresses that customers should apply the patches immediately.
2024-01-31 14:58:16 bleepingcomputer CYBERCRIME Johnson Controls Hit with Costly Ransomware Attack and Data Breach
Johnson Controls International faced a ransomware attack in September 2023, resulting in $27 million in direct expenses and significant data theft. The cybersecurity incident initially began with a breach in the company's Asia offices before spreading across its network, disrupting IT infrastructure and impacting customers. The Dark Angels ransomware gang claimed responsibility for the attack, demanding a $51 million ransom and allegedly stealing over 27 TB of confidential data. The attack's financial impact included lost and deferred revenues, with expenses related to response and remediation, partially offset by insurance recoveries. Johnson Controls confirmed the nature of the incident in a U.S. SEC filing, detailing unauthorized access, data exfiltration, and deployment of ransomware on part of its IT systems. The company is working with external cybersecurity experts to manage ongoing risks and expects the financial impact to increase as the full extent of the data breach is evaluated. Despite the attack, Johnson Controls assures that all unauthorized activity has been contained and that its digital products and services are fully operational.
2024-01-31 13:46:52 bleepingcomputer CYBERCRIME Ivanti Discloses Zero-Day Exploits and Releases Security Patches
Ivanti announced the discovery of two security vulnerabilities, one being a zero-day actively exploited, affecting its Connect Secure, Policy Secure, and ZTA gateways. The zero-day vulnerability (CVE-2024-21893) allows attackers to bypass authentication due to a server-side request forgery issue in the gateways' SAML component. A second flaw (CVE-2024-21888) enables threat actors to escalate their privileges to the level of an administrator on affected devices. While the company indicates limited known impact, they released patches for the vulnerabilities, including two additional zero-days previously disclosed in January. Security patches were accompanied by mitigation instructions and steps for recovery to help compromised organizations restore their systems. The Emergency Directive (ED 24-01) from CISA mandates federal agencies to address the Ivanti zero-day flaws, highlighting the severity and widespread nature of the exploitation. The exploits have been used in attacks leading to lateral movement within networks, data theft, and persistent access, with victims ranging from small businesses to Fortune 500 firms in various sectors. Cybersecurity firms have observed the deployment of custom malware, webshells, and cryptocurrency miners on compromised systems.
2024-01-31 13:41:38 thehackernews CYBERCRIME Ivanti Alerts on Zero-Day Flaws, Urges Action to Thwart Hackers
Ivanti has disclosed two high-severity zero-day vulnerabilities in its Connect Secure and Policy Secure products. One vulnerability, CVE-2024-21893, is currently being exploited by attackers targeting specific entities. Although no impacts have been reported for CVE-2024-21888, Ivanti warns of an expected uptick in exploitation attempts post-disclosure. Patches have been released for various product versions; Ivanti suggests a factory reset before applying the patch for increased security. Mitigation steps include importing a specific XML file as a stopgap measure until patches can be applied. These disclosures follow the exploitation of other Ivanti product flaws, leading to unauthorized deployments of backdoors and malware.
2024-01-31 12:24:43 thehackernews CYBERCRIME Telegram Facilitates Phishing with Accessible Cybercrime Tools
Telegram has become a hub for cybercriminal activity, offering tools and data for phishing attacks at low costs. Researchers from Guardio Labs highlighted the "democratization" of phishing, with resources available for both experienced and novice cybercriminals. Phishing kits, tutorials, and hacker-for-hire services are easily accessible on Telegram, which previously were only found on dark web forums. Tools such as Telekopye bot can automate creating fraudulent web pages, emails, and SMS messages for large-scale phishing scams. Telegram marketplaces sell "letters" and "leads" which are convincingly crafted messages and targeted victim data lists with personal information. Compromised but legitimate websites are exploited to host scam pages and send phishing emails that bypass spam filters. Stolen credentials are monetized by selling them to other criminals, showing a significant return on investment for attackers. The prevalence of these services on Telegram underscores the need for site owners to protect their platforms from being misused for malicious purposes.
2024-01-31 11:06:43 thehackernews CYBERCRIME The SEC Introduces Rigorous SaaS Cybersecurity Rules for Registrants
The SEC's cybersecurity disclosure and preparedness rules reach data held in SaaS systems and the third-party applications connected to them, not only on-premises systems. Public companies must report material cyber incidents promptly regardless of whether the affected data lives on-premises, in the cloud or in a SaaS platform. The rules reflect concern about the frequency of incidents, including in the SaaS space, even where organizations believe their cybersecurity maturity is adequate. SaaS-to-SaaS connections, often set up without IT approval, create new risk because traditional security tools do not see these integrations, and many enterprises have undocumented connections that could provide unauthorized paths to sensitive data. The SEC's motivation is investor protection: a data breach can be as material to investors as the loss of a physical asset. Beyond incident disclosure, the rules require registrants to describe their cybersecurity risk management processes, a task that typically falls to the CISO. SaaS Security Posture Management (SSPM) tools are recommended for monitoring configurations and permissions across SaaS applications and for managing compliance with the rules.