Daily Brief

2024-01-25 12:04:03 thehackernews MALWARE Jenkins Patches Critical RCE Vulnerability - Immediate Update Recommended
Jenkins has resolved nine security issues, including a critical remote code execution (RCE) vulnerability tracked as CVE-2024-23897. The flaw stems from an arbitrary file read via the built-in command line interface, caused by a feature of the command parser. Attackers could exploit it to read arbitrary files on the Jenkins server, with some limits on binary file contents due to encoding. Those with "Overall/Read" permission could read entire files, opening the way to further attacks. Jenkins has released fixes in versions 2.442 and LTS 2.426.3 and advises disabling CLI access as a short-term mitigation. The discovery comes almost a year after Jenkins addressed a previous set of serious security issues. Users are urged to patch their systems immediately to prevent exploitation of this vulnerability.
2024-01-25 11:33:18 thehackernews MALWARE Enhanced LODEINFO Malware Targets Multiple Languages with Fileless Tactics
LODEINFO, an evolving fileless backdoor, has been updated with new anti-analysis techniques and remote code execution features. Spear-phishing campaigns distribute the malware, which originally targeted Japanese entities but now checks for a broader set of language settings. Stone Panda, a Chinese nation-state actor, has been identified as being behind the attacks, which deploy LODEINFO via malicious Microsoft Word macros. Recent versions use remote template injection to retrieve the malicious macros and check the language settings of Microsoft Office before running. LODEINFO version 0.7.1 adds an intermediate stage that downloads a file disguised as a Privacy-Enhanced Mail (PEM) file, which then loads the backdoor into memory. These techniques underscore the need for memory-scanning security solutions to detect and mitigate fileless malware. The article also refers to a SaaS Security Masterclass offering security insights based on a study of 493 companies.
2024-01-25 11:22:43 thehackernews CYBERCRIME Axur Report Unveils Rising Cyber Threats and AI's Role in 2023/2024
The Axur Threat Landscape Report for 2023/2024 reveals a significant increase in cyberattacks and the convergence of cyber risk with business risk, urging organizations to revamp their security strategies. Geopolitical tensions notably affect the cybersecurity sector and shape cybercriminal tactics, as seen in the Russia-Ukraine conflict. Ransomware is evolving to prioritize data exposure over encryption, exposing organizations to a higher risk of data breach fines. The use of AI in cyber threats has escalated, enabling more sophisticated scams, including deepfake videos and automated social engineering. The report notes a threefold increase in leaked credit and debit card details; credential leaks remain stable in volume, but their sources have shifted. Axur highlights the importance of brand protection given increased detection of brand misuse, and reports on novel fraud tactics such as "apphishing". The successful execution of takedowns by Axur and its rapid response times are presented as key to mitigating threats. Insights from the Deep & Dark Web show an urgent need for comprehensive monitoring and swift, preemptive response. Axur introduces Polaris, an AI-powered threat management tool, to streamline threat intelligence and strengthen organizational response capabilities.
2024-01-25 10:11:06 thehackernews NATION STATE ACTIVITY China-Aligned APT Hijacks Software Updates with "NSPX30" Spyware
A China-aligned APT group known as Blackwood has been hijacking legitimate software updates to deliver "NSPX30" spyware, and has been active since at least 2018. The attacks predominantly target manufacturing, trading, and engineering companies in China, Japan, and the U.K., along with individuals in these regions. NSPX30 includes multiple components designed to hide its infrastructure and is capable of bypassing Chinese antivirus products. The backdoor's origins date back to Project Wood from 2005; it has evolved through various iterations and now abuses unencrypted HTTP update traffic to intercept requests and deliver malicious updates. ESET suggests that compromised network appliances such as routers may be used to distribute the malware, although the exact delivery mechanism remains unclear. Once deployed, the NSPX30 orchestrator component executes and downloads a backdoor that provides file collection, reverse shell creation, process termination, keystroke logging, and self-uninstallation capabilities. The recently identified activities of the APT group Volt Typhoon highlight an ongoing trend of attackers leveraging outdated network infrastructure for espionage and data exfiltration.
2024-01-25 07:22:50 thehackernews MALWARE New CherryLoader Malware Mimics Legitimate Application to Deliver Exploits
A newly discovered malware loader, CherryLoader, impersonates the legitimate note-taking app CherryTree to deploy privilege escalation exploits on compromised hosts. Analysis by Arctic Wolf Labs has identified the loader in two intrusions, where it was used to drop the privilege escalation tools PrintSpoofer or JuicyPotatoNG. CherryLoader is modular, enabling attackers to swap exploits without recompiling the malware's code. The distribution method of CherryLoader is uncertain, but the observed attack chains indicate it is delivered as a RAR file hosted on a specific IP address. The malware uses process ghosting, an evasive fileless technique, to run its payload and avoid detection by antivirus products such as Microsoft Defender. After successful privilege escalation, the malware establishes persistence on the victim's device with a batch script that also attempts to disable Microsoft Defender. Security experts warn that CherryLoader is a sophisticated multi-stage downloader with encryption and anti-analysis techniques designed to deploy public privilege escalation exploits stealthily.
2024-01-25 05:56:15 thehackernews NATION STATE ACTIVITY Russian APT29 Group Compromises HP Enterprise Email Systems
Russian hackers linked to the Kremlin and known as APT29 have infiltrated Hewlett Packard Enterprise's (HPE) cloud email environment, leading to data exfiltration. The breach, reported in an SEC filing by HPE, involved unauthorized access to mailboxes of key personnel in cybersecurity and other vital departments. The intrusion is reported to have begun in May 2023 and lasted over six months before detection; the company was notified on December 12, 2023. The same Russian group is believed to have conducted a similar attack against Microsoft's corporate systems in November 2023. A prior security event, also attributed to APT29, involved the exfiltration of SharePoint files as early as May 2023, with HPE alerted in June 2023. HPE states the recent breach has not significantly impacted its business operations, although details of the theft's extent remain undisclosed. APT29 is linked to the Russian SVR and is known for its involvement in several high-profile cyberattacks, including the 2016 DNC hack and the 2020 SolarWinds incident.
2024-01-25 02:06:48 theregister NATION STATE ACTIVITY HPE Confirms Cozy Bear's Infiltration of Its Cloud Email Services
Hewlett Packard Enterprise (HPE) announced that suspected Russian entity Cozy Bear breached its cloud email system. The malicious activity began in May 2023 and was first detected by HPE in June 2023, but initial containment measures seemed ineffective. Cozy Bear, also known as Midnight Blizzard, accessed and exfiltrated data from select HPE mailboxes. Affected email accounts were related to cybersecurity, sales, and other business operations of HPE. HPE launched an immediate response to investigate, contain, and remediate the breach, claiming to have eradicated the cyber intrusion. Despite the security breach, HPE reported that the incident did not materially impact its operations or future financial projections. HPE's stock price remained stable following the announcement, reflecting investor perception that such breaches are expected risks for technology companies. This breach raises concerns about the reliability of major tech companies' security offerings, especially as Microsoft and HPE both disclosed security breaches within the same week.
2024-01-25 00:24:57 theregister NATION STATE ACTIVITY US Court Advances Apple's Lawsuit Against Spyware Maker NSO
A US judge has refused to dismiss Apple's lawsuit against NSO Group over the deployment of spyware on iDevices. Apple accuses NSO of violating the US Computer Fraud and Abuse Act and other laws via its Pegasus spyware. Following the court's decision to proceed, NSO must now respond to Apple's allegations by February 14. Pegasus allowed unauthorized access to phone calls, messages, and device cameras and microphones. NSO has faced US sanctions and claims that its spyware was misused to target journalists and activists. The court ruled that Apple's loss falls within the scope of the anti-hacking law, dismissing NSO's motion. Apple continues its fight against spyware through new security features and grants to civil society groups. NSO Group intends to continue the legal battle, claiming its technology is vital for law enforcement and public safety.
2024-01-24 21:51:54 bleepingcomputer NATION STATE ACTIVITY Russian State-Sponsored Hackers Infiltrate HPE Email System
HPE disclosed that Russian hackers known as Midnight Blizzard accessed its Office 365 email environment, targeting the cybersecurity team among others. Midnight Blizzard is attributed with various attacks, including the 2020 SolarWinds breach, and is believed to be part of Russia's SVR. The hackers exfiltrated data from HPE mailboxes starting in May 2023, as revealed in a recent SEC filing. HPE's investigation links this incident to an earlier breach of its SharePoint server in May 2023. HPE is working with external cybersecurity experts and law enforcement to further investigate the breach, and activated its cyber response protocols upon discovery to investigate and mitigate it. There has been no operational impact on HPE's business, and no significant financial impact is anticipated. The breach at HPE follows a separate, but potentially similar, incident involving Midnight Blizzard's data theft from Microsoft's corporate email accounts.
2024-01-24 19:48:57 bleepingcomputer CYBERCRIME Cybercrime Syndicate Operates 70,000-Site Traffic Redirection Network
VexTrio is a traffic distribution system (TDS) controlling over 70,000 domains for cybercrime purposes. TDS networks like VexTrio redirect users to malicious sites, including phishing pages and malware distributors. Active since 2017, VexTrio partners with at least 60 affiliates to orchestrate wide-reaching cyber attacks. Infoblox's report uncovers the extensive collaboration between VexTrio and notorious campaigns like ClearFake and SocGholish. VexTrio's affiliates leverage the Keitaro TDS service for an additional layer of redirection, complicating detection efforts. The operation generates illicit revenue through abuse of legitimate referral programs, further intertwining its activities with genuine services. Users are advised to browse SSL-certified sites only, block push notifications, and use ad-blockers to mitigate threats posed by VexTrio. Infoblox emphasizes that the intricate nature of VexTrio's operation makes it difficult to eradicate, but identification of its network is a critical countermeasure.
2024-01-24 18:00:49 bleepingcomputer CYBERCRIME Over 5,300 GitLab Instances Vulnerable to Zero-click Takeover
Over 5,300 GitLab servers are at risk from a critical zero-click account takeover flaw (CVE-2023-7028) with a CVSS score of 10.0. Attackers can trigger a password reset for a targeted account and have the reset email sent to an address they control, allowing full takeover of accounts that do not have 2FA enabled. Vulnerable versions include GitLab Community and Enterprise Editions across multiple release lines; patches were released for multiple versions as of January 11, 2024. ShadowServer found the majority of the affected servers are in the US, Germany, Russia, China, France, the U.K., India, and Canada. Unpatched instances are susceptible to supply chain attacks, code disclosure, and leaks of API keys, among other threats. GitLab recommends that admins who discover a breach rotate all sensitive credentials, enforce 2FA, and check for tampering within developer environments. Despite no reported exploitation of the vulnerability to date, GitLab urges immediate action to mitigate potential compromise.
2024-01-24 17:35:00 theregister CYBERCRIME Suspected Cyberattack Disrupts Europe's Largest RV Club Services
The Caravan and Motorhome Club (CAMC) is experiencing a significant IT outage, with systems down for five days. Over 1 million members are affected, with disruptions to booking systems and digital services, raising suspicions of a cyberattack. CAMC has reported the incident to the Information Commissioner's Office (ICO), implying a serious data security event. The onset of the outage coincided with a scheduled maintenance period, but issues have persisted, leading to external teams being brought in for resolution. Members report near-total digital disruption and concerns over the potential leak of sensitive data, including holiday schedules and home addresses. CAMC is facing criticism from members for insufficient communication regarding the nature and extent of the problem. Official communications maintain there's no evidence of member data compromise, but the ICO's involvement suggests other data may be at risk. Social media and member sentiments suggest frustration over the lack of transparency and updates from CAMC.
2024-01-24 16:59:07 bleepingcomputer CYBERCRIME UK Warns of Escalating Ransomware Threats Due to AI Advancements
The UK's National Cyber Security Centre (NCSC) cautions that artificial intelligence (AI) will significantly enhance ransomware capabilities in the near future. AI is expected to lower the barrier to entry for sophisticated cyberattacks, allowing less experienced hackers to execute complex operations. Cybercriminals are increasingly using AI to streamline various phases of an attack, including reconnaissance and the creation of phishing lures and malware. Specialized generative AI services such as WormGPT have emerged outside the safeguards of mainstream platforms, offering malicious content generation for criminal use. Highly skilled threat groups (APTs) could potentially use AI to create malware designed to bypass current security systems. Intermediate and low-skilled hackers will benefit from AI in areas such as social engineering and data extraction, but will still struggle with lateral movement without human expertise. The NCSC emphasizes AI's role in evolving and enhancing existing cyber threats, with particular concern about the difficulty of detecting AI-powered phishing and social engineering attacks.
2024-01-24 16:38:18 bleepingcomputer CYBERCRIME EquiLend Operations Disrupted by Cyberattack
New York-based financial technology firm, EquiLend, experienced a cyberattack that caused system outages on January 22, 2024. The cyberattack led to unauthorized access to the company's network; EquiLend immediately initiated an investigation to secure its systems. EquiLend is currently collaborating with third-party cybersecurity experts to expedite service restoration and understand the breach's impact. The company informed its clients about potential service disruptions lasting several days but hasn’t confirmed any data compromise yet. This cybersecurity incident follows the announcement that EquiLend will be acquired by Welsh, Carson, Anderson & Stowe, with the transaction expected to close in Q2 2024. EquiLend, a prominent entity established by a consortium of major banks and broker-dealers, services over 190 firms globally with its securities lending trading platform.
2024-01-24 15:05:54 theregister CYBERCRIME Critical Exploit Discovered in GoAnywhere MFT Software
A critical vulnerability in GoAnywhere MFT software that enables admin access has been demonstrated by Horizon3 researchers, who released a working exploit. The exploit is based on an old path traversal flaw and is tracked as CVE-2024-0204, with a severity rating of 9.8. Affected versions are 6.x from 6.0.1 up to but not including 6.7.5, and 7.x before 7.1.5; users are advised to update to avoid potential compromise. As a temporary mitigation, Fortra recommends deleting the InitialAccountSetup.xhtml file or replacing it with an empty one, with instructions for the various deployment types. While no in-the-wild exploitation attempts have been detected yet, the availability of public proof-of-concept code suggests that attempts could increase soon. The use of GoAnywhere MFT by government and critical infrastructure entities raises concerns about the potential for significant data theft. This disclosure follows a dramatic year for Fortra, in which the Clop cybercrime group exploited a GoAnywhere zero-day to target more than 130 companies.