Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11764
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-26 11:08:20 | thehackernews | MISCELLANEOUS | Enhancing Multi-Layered Cybersecurity with Automated Tools | Defense-in-Depth, or multi-layered defense, is an established cybersecurity strategy aiming to protect assets through multiple redundant layers of security controls.
Despite its widespread adoption, organizations are facing increased cyber threats and breaches, revealing gaps in the multi-layered approach.
Breach and Attack Simulation (BAS) tools have emerged as automated solutions to regularly test and improve the effectiveness of each security layer.
Automation in cyber threat intelligence (CTI) is crucial, using Large Language Models (LLMs) to handle and analyze the abundance of threat intelligence reports.
BAS tools are used to mimic real-life cyber attacks, allowing organizations to assess and bolster defenses at the network, host, application, and data layers.
Security teams can now continuously validate their defenses with BAS, proactively identifying vulnerabilities and ensuring readiness against evolving threats.
The article underscores the importance of regular testing and adaptation of security strategies to match the dynamic nature of cyber threats, as championed by Picus Security. | Details |
| 2024-01-26 09:46:45 | thehackernews | MALWARE | Malicious Google Ads Trick Users with Fake Apps to Deploy Trojans | Chinese-speaking users have been targeted with malicious ads that falsely offer messaging apps like Telegram, WhatsApp, and LINE.
The ads direct users to download fake versions of these apps, which are actually Remote Administration Trojans (RATs) giving attackers full machine control.
This campaign, named FakeAPP, exploits Google advertiser accounts to display fraudulent ads that redirect to malware-laden downloads via Google Docs and Google Sites.
The fake apps associated with the campaign can deploy dangerous trojans like PlugX and Gh0st RAT.
Two advertiser accounts from Nigeria, Interactive Communication Team Limited and Ringier Media Nigeria Limited, have been identified as sources of the fraudulent ads.
PhaaS platform Greatness is highlighted for its role in targeting Microsoft 365 users for credential harvesting, offering tools for phishing email attacks.
Email phishing lures have been used to distribute malware, such as AsyncRAT, to South Korean companies, employing false urgency and spoofed identities of trusted entities. | Details |
| 2024-01-26 06:07:29 | thehackernews | NATION STATE ACTIVITY | Microsoft Exposes APT29's Global Espionage Attacks on Organizations | Microsoft has identified expanding espionage activities by state-sponsored Russian hacking group APT29 targeting various organizations worldwide.
The attacks focus on governments, diplomatic entities, NGOs, and IT service providers, predominantly in the U.S. and Europe, aiming to extract sensitive information for Russia's strategic interests.
APT29, also known as The Dukes or Cozy Bear, utilizes compromised accounts and OAuth applications to evade detection and maintain long-term access to target environments.
Microsoft's notification follows an admission by Hewlett Packard Enterprise (HPE) of their systems being compromised by the same group.
In the attack on Microsoft that began in late November 2023, the actors used a password spray routed through residential proxies to compromise a legacy, non-production test tenant account that had no multi-factor authentication.
Microsoft stresses the importance of defense measures against rogue OAuth applications and password spraying to counter the sophisticated tactics employed by APT29. | Details |
| 2024-01-26 05:36:35 | thehackernews | CYBERCRIME | Russian National Sentenced for Role in TrickBot Malware Operations | Russian cybercriminal Vladimir Dunaev is sentenced to 5 years and four months in prison for his involvement with TrickBot malware.
Dunaev provided technical skills for the TrickBot scheme, which impacted hospitals, schools, and businesses with significant financial losses.
TrickBot evolved from a banking trojan to a multi-purpose tool, ultimately becoming part of the Conti ransomware operation.
The TrickBot network fragmented after leaks exposed its activities, leading to a multitude of other cybercrime efforts.
Dunaev developed tools to harvest sensitive data, enable remote access, and evade detection by security software.
His sentencing follows that of another TrickBot developer, Latvian national Alla Witte, in June 2023.
Governments from Australia, the U.K., and the U.S. have sanctioned Alexander Ermakov, affiliated with REvil, signifying ongoing international cybersecurity collaborations and enforcement. | Details |
| 2024-01-26 05:16:03 | thehackernews | CYBERCRIME | Cisco Issues Patches for Severe Unified Communications Vulnerability | Cisco has patched a critical flaw (CVE-2024-20253) in its Unified Communications and Contact Center Solutions, which could allow hackers to execute arbitrary code remotely.
The vulnerability, rated CVSS 9.9, stems from improper processing of user-supplied data read into memory and is triggered by sending a specially crafted message to a listening port on the device.
An attacker who exploits it can run arbitrary commands with the privileges of the web services user and, from that foothold on the underlying OS, establish root access.
Julien Egloff, a security researcher at Synacktiv, is recognized for identifying and reporting the issue.
Affected Cisco products do not have direct workarounds; however, Cisco recommends using access control lists to restrict access to vulnerable systems as a temporary mitigation.
The flaw's announcement comes after recent fixes for another critical Cisco security issue (CVE-2024-20272) affecting Unity Connection.
Cisco advises users to apply the updates immediately and to enforce access control lists if immediate patching isn't feasible. | Details |
| 2024-01-26 00:00:49 | theregister | MALWARE | Trickbot Developer Imprisoned, Gang Cost Victims Millions | Vladimir Dunaev, a former Trickbot malware developer, was sentenced to over five years in prison for his involvement in cybercrimes.
Dunaev's activities included creating infections to steal banking credentials and facilitate further malware attacks against US hospitals and businesses.
His offenses caused substantial financial damage, with tens of millions of dollars in losses reported by victims.
The Trickbot gang has extorted at least $180 million from global organizations according to the UK National Crime Agency.
Dunaev's role extended from writing malicious code and browser modifications to laundering the proceeds of the cybercriminal operation.
One of Dunaev’s cohorts, Alla Witte, has already been sentenced as the US continues its crackdown on international cybercriminals.
Trickbot started as a banking trojan but evolved into a comprehensive malware-as-a-service operation before being shut down in 2022.
The US and UK have sanctioned several individuals associated with distributing various ransomware and the Trickbot trojan. | Details |
| 2024-01-25 22:08:19 | bleepingcomputer | DATA BREACH | 23andMe Suffers Extensive Data Breach; Health and Genotype Data Compromised | Genetic testing company 23andMe confirmed a data breach resulting from a credential stuffing attack, impacting customer accounts over five months.
Health reports and raw genotype data of millions were compromised, some of which appeared on hacking forums and a subreddit.
Credentials exposed in unrelated breaches were replayed against 23andMe logins, giving the attacker access to roughly 14,000 accounts.
Because those accounts had opted in to DNA Relatives and Family Tree, the attacker scraped the profile data those features display about matching relatives, reaching about 6.9 million other customers.
After the incident 23andMe forced password resets and made two-factor authentication mandatory for all customers.
The company faces multiple lawsuits and updated its Terms of Use to limit customer participation in class action lawsuits, claiming improvements to the arbitration process. | Details |
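The APT29 password spray in the item above (one guess tried against many accounts, routed through residential proxies, landing on an MFA-less test account) and the 23andMe credential stuffing (breached username/password pairs replayed once each) leave the same shape in sign-in logs: one source touching many distinct accounts in a short window, the two differing mainly in how often the attempts succeed. The Python below is an added example written for this brief, not code from either article, Microsoft or 23andMe; the log format, thresholds and IP addresses are constructed for illustration and should be mapped onto your identity provider's real fields.

```python
"""Flag password-spray and credential-stuffing patterns in sign-in logs.

Added example. The log format (timestamp, source IP, account, result)
is a constructed simplification of what an IdP exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 203.0.113.7 sprays one guess
# across seven accounts and gets into an MFA-less test account; 192.0.2.9
# replays breached credential pairs and logs straight in to most of them;
# 198.51.100.4 is a user mistyping their own password.
SAMPLE_LOG = """\
2024-01-20T02:00:01Z 203.0.113.7 alice FAIL
2024-01-20T02:00:03Z 203.0.113.7 bob FAIL
2024-01-20T02:00:05Z 203.0.113.7 carol FAIL
2024-01-20T02:00:07Z 203.0.113.7 dave FAIL
2024-01-20T02:00:09Z 203.0.113.7 erin FAIL
2024-01-20T02:00:11Z 203.0.113.7 frank FAIL
2024-01-20T02:00:13Z 203.0.113.7 svc-test SUCCESS
2024-01-20T09:15:00Z 198.51.100.4 alice FAIL
2024-01-20T09:15:20Z 198.51.100.4 alice FAIL
2024-01-20T09:15:40Z 198.51.100.4 alice SUCCESS
2024-01-20T11:00:00Z 192.0.2.9 grace SUCCESS
2024-01-20T11:00:02Z 192.0.2.9 heidi SUCCESS
2024-01-20T11:00:04Z 192.0.2.9 ivan FAIL
2024-01-20T11:00:06Z 192.0.2.9 judy SUCCESS
2024-01-20T11:00:08Z 192.0.2.9 mallory SUCCESS
"""


def parse_events(text):
    """Parse one event per line into (timestamp, ip, account, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=10), min_accounts=5,
           max_per_account=2, stuffing_success_ratio=0.5):
    """Return one finding per source IP whose sliding window covers at least
    min_accounts distinct accounts with at most max_per_account tries each.
    A high success ratio means replayed valid credentials (stuffing); a low
    one means guessing (spray). The widest-coverage window wins per IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            tries = defaultdict(int)
            successes = set()
            for _, _, account, ok in evs[start:end + 1]:
                tries[account] += 1
                if ok:
                    successes.add(account)
            if len(tries) < min_accounts or max(tries.values()) > max_per_account:
                continue
            ratio = len(successes) / len(tries)
            finding = {
                "ip": ip,
                "kind": "credential_stuffing" if ratio >= stuffing_success_ratio
                        else "password_spray",
                "accounts": len(tries),
                "compromised": sorted(successes),  # reset these, review MFA coverage
            }
            if best is None or finding["accounts"] > best["accounts"]:
                best = finding
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately loose so the sample trips them; in production tune `window` and `min_accounts` to your tenant's baseline, and treat any success inside a flagged window as an account to reset and to check for MFA enrolment, since a spray that lands on an MFA-less account is exactly the Microsoft scenario.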
| 2024-01-25 20:30:36 | bleepingcomputer | MALWARE | Blackwood Group Installs NSPX30 Malware via Software Updates | A previously unidentified threat actor, named Blackwood, has been conducting sophisticated cyberespionage attacks since at least 2018.
Blackwood employs a complex malware termed NSPX30 to target companies and individuals, aligning with perceived Chinese state interests.
NSPX30 malware distribution is achieved through the update mechanisms of legitimate software such as WPS Office, Tencent QQ, and Sogou Pinyin.
ESET researchers indicate that Blackwood may intercept traffic to disguise command and control (C2) server communications and collaborate with other Chinese APT groups.
NSPX30 has evolved from a basic backdoor created in 2005 to a multilayered malware with capabilities including system information collection, keylogging, and anti-detection techniques.
The malware's backdoor functionality includes stealing of chat logs and sensitive information, remote control features, and the evasion of Chinese anti-malware solutions.
The group delivers NSPX30 by hijacking the legitimate update traffic in transit from an adversary-in-the-middle (AitM) position (the affected updaters fetch over unencrypted HTTP), rather than by compromising the vendors' update servers, so it is not a supply-chain attack in the usual sense.
ESET has provided detailed technical insights and indicators of compromise for organizations to detect and defend against NSPX30 infections. | Details |
| 2024-01-25 18:56:30 | bleepingcomputer | MALWARE | Russian TrickBot Developer Sentenced for Global Cyberattacks | Russian national Vladimir Dunaev sentenced to 64 months in prison for participating in the Trickbot malware operation that targeted hospitals, companies, and individuals.
Dunaev developed a component of the TrickBot malware that facilitated browser injections to siphon sensitive information from victims.
Arrested in South Korea and extradited to the U.S., he pleaded guilty to charges including computer fraud and identity theft.
Prosecutors highlighted the significant disruption and financial damage caused by the malware attacks orchestrated by Dunaev and co-defendants.
The TrickBot malware has evolved from stealing banking credentials to becoming a sophisticated tool used by cybercriminals to launch ransomware attacks.
Despite takedown attempts, the Conti group continued its operations using TrickBot, which had links to Russian intelligence.
Internal communications of the Conti group were leaked, leading to the exposure of their association with TrickBot and contributing to the group's disbandment into new ransomware entities. | Details |
| 2024-01-25 18:30:08 | bleepingcomputer | DATA BREACH | iPhone Apps Exploit Push Notifications to Harvest User Data | Numerous iOS apps are exploiting push notifications as a means to initiate background processes that collect extensive user data without user consent.
Mobile researcher Mysk has highlighted a significant privacy risk where these apps circumvent Apple’s background activity restrictions to gather information for potential fingerprinting and tracking.
Apps are taking advantage of a feature in iOS that allows for quiet background launching to process new push notifications and are using this as an opportunity to send device data back to their servers.
Apps that abuse this feature, including TikTok and Facebook, collect various data points such as system uptime, locale, battery status, and display brightness, which could be used for user profiling.
Apple plans to address this issue by tightening the use of APIs linked to device signals; starting in Spring 2024, apps must explicitly declare their reasons for API access to remain on the App Store.
Until these new Apple policies are in effect, users are advised to disable push notifications entirely to avoid possible data collection, as merely muting them will not prevent the exploitation.
Revelations from December indicate that governments have requested push notification records from Apple and Google to monitor users, but Apple is barred from disclosing details about these requests. | Details |
| 2024-01-25 15:51:26 | bleepingcomputer | CYBERCRIME | Synacktiv Dominates Pwn2Own Tokyo, Exposes Flaws in Tesla’s Systems | Synacktiv Team secured $100,000 for exploiting two zero-day vulnerabilities to compromise Tesla's Infotainment System.
They also exploited a three-bug zero-day chain in the Automotive Grade Linux OS, earning an additional $35,000.
On the first day, Synacktiv earned $295,000 by rooting a Tesla Modem and hacking various EV charging stations.
In total, 48 unique zero-days were discovered during the competition, with prizes amounting to $1,101,500.
Vendors are given 90 days to fix the vulnerabilities before Trend Micro's Zero Day Initiative publishes them.
Pwn2Own Automotive 2024 is held as part of the Automotive World conference in Tokyo, with a focus on vehicle and EV charger security.
The competition challenges participants to hack EV chargers, operating systems, and infotainment systems, with a top prize of $200,000 and a Tesla car.
The event follows a successful Pwn2Own Vancouver 2023 where researchers earned $1,035,000 and a Tesla Model 3. | Details |
| 2024-01-25 14:44:13 | bleepingcomputer | CYBERCRIME | Cisco Issues Alert for Critical Security Flaw in Communication Products | Cisco has issued a security advisory for a critical remote code execution (RCE) vulnerability affecting several of its Unified Communications Manager and Contact Center Solutions products.
The vulnerability, assigned CVE-2024-20253, could allow an unauthenticated, remote attacker to execute arbitrary code on an impacted system.
Synacktiv researcher Julien Egloff discovered and reported the flaw, which carries a CVSS score of 9.9 out of 10 (critical).
An attacker can trigger it by sending a specially crafted message to a listening port on a vulnerable device, obtaining command execution as the web services user and, from there, root access to the underlying system.
Affected products are vulnerable in their default configuration and there is no workaround, so Cisco has released fixed software.
Cisco advises administrators to set up access control lists (ACLs) to restrict access to affected components until updates can be applied.
The company has shared detailed guidance on implementing ACLs and cautions admins to assess, test, and understand the implications of mitigation before deployment to avoid business disruption.
There have been no reports of public announcements or malicious exploitation of the vulnerability as of the issuance of the advisory. | Details |
| 2024-01-25 14:28:25 | thehackernews | MALWARE | SystemBC Malware Analysis Uncovers Stealthy Payload Delivery | Cybersecurity researchers have conducted in-depth analysis of the command-and-control (C2) server infrastructure for SystemBC malware.
SystemBC is available for purchase on dark web marketplaces and enables attackers to remotely control compromised hosts and facilitate the delivery of additional payloads.
The malware, which first appeared in 2018, is known for using SOCKS5 proxies to obfuscate network traffic and maintain persistent access for post-exploitation activities.
The malware package sold includes executables for both Windows and Linux, a PHP-based web panel for the C2 server, and detailed instructions in multiple languages.
The C2 server opens multiple TCP ports to manage C2 traffic, inter-process communication, and connections with each infected host.
The PHP panel is simple but provides real-time information on active implants and allows operators to run shellcode and arbitrary files on compromised machines.
The same analysis covered an updated build of DarkGate, a loader and RAT, in which the researchers identified a weakness in the custom Base64 alphabet it uses to encode exfiltrated data.
The findings contribute to better understanding and identification of cyber threats, highlighting the continuous evolution of malware techniques. | Details |
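Malware that encodes configuration or exfiltrated data with a custom Base64 alphabet, as the DarkGate item above describes, is only a character permutation away from standard Base64: once the alphabet is known, a translation table decodes it, and a known plaintext (a predictable header or field name) recovers the permutation one character at a time. The following Python is an added example for this brief, not Kroll's tooling or anything from DarkGate; `CUSTOM_ALPHABET` is a constructed stand-in (the standard alphabet reversed), since the article does not give DarkGate's real alphabet, and the sample strings are constructed.

```python
"""Codec for Base64 with a custom (permuted) alphabet, plus known-plaintext
recovery of the permutation.

Added example. CUSTOM_ALPHABET is a constructed placeholder; take the real
alphabet from the sample under analysis.
"""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = STD_ALPHABET[::-1]  # constructed: standard alphabet reversed


def make_codec(alphabet):
    """Return (encode, decode) for a 64-character alphabet. Padding is dropped
    on encode and restored on decode, as many malware encoders do. An alphabet
    containing '=' would need its own padding handling."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    to_std = str.maketrans(alphabet, STD_ALPHABET)
    from_std = str.maketrans(STD_ALPHABET, alphabet)

    def encode(data):
        return base64.b64encode(data).decode("ascii").rstrip("=").translate(from_std)

    def decode(text):
        std = text.rstrip("=").translate(to_std)
        std += "=" * (-len(std) % 4)
        # validate=True rejects anything outside the standard alphabet, so a
        # wrong alphabet guess fails loudly instead of returning garbage.
        return base64.b64decode(std, validate=True)

    return encode, decode


def recover_mapping(known_plaintext, observed):
    """Known-plaintext attack: pair each observed character with the standard
    Base64 character it must stand for. Returns a partial custom->standard map;
    a contradiction means the plaintext guess or the alignment is wrong."""
    std = base64.b64encode(known_plaintext).decode("ascii").rstrip("=")
    observed = observed.rstrip("=")
    if len(std) != len(observed):
        raise ValueError("known plaintext and observed text differ in Base64 length")
    mapping = {}
    for custom_ch, std_ch in zip(observed, std):
        if mapping.setdefault(custom_ch, std_ch) != std_ch:
            raise ValueError(f"character {custom_ch!r} would map to two values")
    return mapping


if __name__ == "__main__":
    encode, decode = make_codec(CUSTOM_ALPHABET)
    token = encode(b"id=1337&host=WIN-LAB01")  # constructed sample beacon
    print(token, decode(token))
    print(recover_mapping(b"id=", encode(b"id=")))
```

Each recovered pair fixes one of the 64 alphabet positions; accumulate pairs across several known fields until the table is complete, then feed the full alphabet to `make_codec`. Every Base64 character covers six bits, so a known plaintext that does not end on a three-byte boundary still yields an exact final character and is safe to use.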
| 2024-01-25 14:17:54 | bleepingcomputer | MALWARE | WordPress Plugin Flaw Exploited by Hackers on 1 Million Sites | Hackers are exploiting a critical severity flaw in the 'Better Search Replace' WordPress plugin, actively installed on over one million sites.
The vulnerability, tracked as CVE-2023-6933, could allow unauthenticated attackers to inject a PHP object due to deserialization of untrusted input.
Vendor WP Engine has released version 1.4.5 to fix the issue; successful exploitation can lead to code execution, access to sensitive data, file manipulation or denial of service.
The plugin itself ships no usable gadget chain, so an attacker also needs another installed plugin or theme that contains a suitable Property Oriented Programming (POP) chain; the unsafe deserialization in 'Better Search Replace' is then the entry point that triggers it.
Wordfence, a WordPress security firm, has reported blocking over 2,500 attacks exploiting this vulnerability in just 24 hours.
The plugin was downloaded close to half a million times in the past week, but how many of the million-plus sites have actually applied the update is unclear.
Users are urged to upgrade to the patched version 1.4.5 immediately to prevent potential security breaches and exploitation. | Details |
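A PHP object injection like the one above is visible in the payload itself: PHP's serialization format spells out every class it will instantiate as `O:<len>:"<Class>"`, which is what a firewall rule or a pre-`unserialize()` check can key on. The Python below is an added example for this brief, not code from the plugin, WP Engine or Wordfence: it parses PHP `serialize()` output and reports any class the payload would instantiate. The payloads are constructed, and `Demo_Gadget` is a placeholder name, not a real POP-chain gadget.

```python
"""Parse PHP serialize() output and flag object injection before unserialize().

Added example. Payloads are constructed; "Demo_Gadget" is a placeholder
class name, not a real gadget.
"""


class PhpObject:
    def __init__(self, cls, props):
        self.cls, self.props = cls, props

    def __repr__(self):
        return f"PhpObject({self.cls!r}, {self.props!r})"


class PhpUnserializeError(ValueError):
    pass


def parse(payload):
    """Walk a PHP serialized string (decode raw bytes as latin-1 first so
    PHP's byte lengths match character offsets). Returns (root, objects).
    Only N, b, i, d, s, a and O are accepted; references (r/R) and custom
    serializers (C) are rejected so nothing unexpected slips through."""
    pos = 0
    objects = []

    def read_until(stop):
        nonlocal pos
        end = payload.find(stop, pos)
        if end < 0:
            raise PhpUnserializeError(f"expected {stop!r} after offset {pos}")
        token, pos = payload[pos:end], end + 1
        return token

    def expect(literal):
        nonlocal pos
        if not payload.startswith(literal, pos):
            raise PhpUnserializeError(f"expected {literal!r} at offset {pos}")
        pos += len(literal)

    def read_string():  # <len>:"<bytes>"
        nonlocal pos
        length = int(read_until(":"))
        expect('"')
        s = payload[pos:pos + length]
        pos += length
        expect('"')
        return s

    def read_pairs():  # <count>:{key;value;...}
        count = int(read_until(":"))
        expect("{")
        items = {}
        for _ in range(count):
            key = value()
            items[key] = value()
        expect("}")
        return items

    def value():
        nonlocal pos
        if pos >= len(payload):
            raise PhpUnserializeError("unexpected end of data")
        tag = payload[pos]
        pos += 1
        if tag == "N":
            expect(";")
            return None
        expect(":")
        if tag == "b":
            return read_until(";") == "1"
        if tag == "i":
            return int(read_until(";"))
        if tag == "d":
            return float(read_until(";"))
        if tag == "s":
            s = read_string()
            expect(";")
            return s
        if tag == "a":
            return read_pairs()
        if tag == "O":
            cls = read_string()
            expect(":")
            obj = PhpObject(cls, read_pairs())
            objects.append(obj)  # every instantiation is recorded for audit()
            return obj
        raise PhpUnserializeError(f"unsupported or unsafe tag {tag!r} at offset {pos - 1}")

    root = value()
    if pos != len(payload):
        raise PhpUnserializeError(f"trailing data at offset {pos}")
    return root, objects


def audit(payload, allowed_classes=frozenset()):
    """Class names the payload would instantiate that are not allowlisted.
    A non-empty result, or a parse error, means: do not unserialize() this."""
    _, objects = parse(payload)
    return sorted({o.cls for o in objects if o.cls not in allowed_classes})


# Constructed payloads: a plain settings array, and the same shape with an object smuggled in.
BENIGN = 'a:2:{s:6:"search";s:3:"foo";s:7:"replace";s:3:"bar";}'
INJECTED = 'a:1:{s:3:"key";O:11:"Demo_Gadget":1:{s:4:"path";s:10:"/tmp/x.php";}}'

if __name__ == "__main__":
    print(audit(BENIGN), audit(INJECTED))
```

The PHP-side equivalent of this check is to stop objects being created at all: `unserialize($data, ['allowed_classes' => false])` (available since PHP 7.0) turns any `O:` entry into `__PHP_Incomplete_Class`, so no magic method on a gadget ever runs; better still is not to `unserialize()` request data at all and to use JSON for such settings.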
| 2024-01-25 14:02:10 | theregister | CYBERCRIME | EquiLend Systems Taken Offline After Cyber Attack | EquiLend, a major US securities lender, took systems offline due to an unauthorized access incident, impacting Wall Street transactions.
Systems restoration is anticipated to take several days, with external cybersecurity firms aiding in the investigation and recovery efforts.
The cyber attack was noticed on January 22, 2024, and the company is now operating manually, which may affect transaction efficiency and quality.
LockBit ransomware group claims responsibility for the breach and asserts ongoing negotiations with EquiLend.
Manual operations may lead to reduced performance and increased costs but typically have a manageable impact on financial services.
The cybersecurity incident occurs amid EquiLend's recent agreement to sell a majority stake to a private equity firm, which could be valued at up to $700 million.
This attack follows a series of high-profile cybersecurity breaches in the US financial industry, including Fidelity National Financial, Mr Cooper, and loanDepot. | Details |