Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11762
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-19 13:25:12 | bleepingcomputer | CYBERCRIME | VMware vCenter Vulnerability Actively Exploited, Prompting Security Alert | VMware has confirmed active exploitation of a critical vCenter Server remote code execution vulnerability, identified as CVE-2023-34048. The vulnerability, resulting from an out-of-bounds write error in the DCE/RPC protocol implementation, can be exploited remotely without authentication. The company has taken the unusual step of issuing patches for multiple unsupported, end-of-life products due to the severity of the threat. Network access brokers are targeting VMware servers to facilitate ransomware attacks by various notorious groups, such as Royal and LockBit. Over 2,000 VMware vCenter servers exposed online could be at risk, necessitating immediate patches and strict control of network perimeter access. VMware has released patches for other high-severity vulnerabilities throughout the year, indicating a trend in critical security issues affecting their platforms. The company recommends strict network perimeter access control for vSphere management components to mitigate the risk and protect against future attacks. | Details |
| 2024-01-19 12:54:25 | thehackernews | MALWARE | macOS Users Targeted with Backdoor in Pirated Software Downloads | macOS backdoors are being distributed through pirated software on Chinese websites, potentially compromising users' devices. Researchers from Jamf Threat Labs discovered malicious payloads within popular applications like Navicat Premium, UltraEdit, and Microsoft Remote Desktop. The malware includes a dropper and a fully featured backdoor that establishes persistence and enables remote control. The backdoor, part of the Khepri post-exploitation toolkit, is positioned in a temporary directory, suggesting it reinstalls upon each reboot via the pirated app. A downloader component ensures malware persistence and communicates with an actor-controlled server for additional payload retrieval. The compromised applications are not signed, increasing the risk for users bypassing macOS security measures to install pirated software. Similarities between this malware campaign and previous ZuRu malware suggest a potential evolution of threat actors' tactics. | Details |
| 2024-01-19 11:32:59 | thehackernews | MISCELLANEOUS | Essential Backup and Recovery Tactics for Exchange Admins | Data is a crucial asset for organizations, and protecting it within Exchange Server environments is critical due to threats like cyberattacks, hardware failure, and human errors. Ransomware attacks targeting vulnerabilities like ProxyLogon in Exchange Servers are a significant cause of data loss. The role of Exchange Server administrators has expanded to protect organizational data against sophisticated cyber threats and manage increased data volumes. Data loss can result in severe consequences including financial losses, reputational damage, operational downtime, potential business closure, and regulatory fines. A comprehensive backup strategy, including VSS-based backups, a combination of full and incremental backups, transaction log management, circular logging, and adherence to the 3-2-1 backup rule, is crucial to safeguard against data loss. Proactive best practices and recovery strategies—including recovery databases, Exchange's native data protection features, dial tone portability, and Exchange recovery tools—are essential for quick data restoration and maintaining business continuity. Administrators need to navigate the complexity of modern Exchange Server environments by developing robust backup and recovery plans and adopting proactive security measures. | Details |
| 2024-01-19 07:48:45 | thehackernews | MALWARE | Sophisticated Malware Hidden in npm Module Breaches Windows Security | A malicious npm package named "oscompatible" has been discovered distributing a remote access trojan to Windows systems. Once activated, it checks for admin rights, and if absent, uses a legitimate Microsoft process to gain elevated privileges. The trojan uses DLL search order hijacking to decrypt additional payloads including the AnyDesk remote access tool and a custom trojan. The malware establishes communications with a remote server to retrieve instructions and has extensive capabilities like disabling system shutdown and capturing user input. The incident highlights a growing trend of attackers exploiting open-source software supply chains to orchestrate sophisticated cyberattacks. Security firm Aqua's research shows that deprecated npm packages, with potential security flaws, are downloaded billions of times weekly, creating serious security gaps. Industry experts warn against the risks of not properly marking npm packages as deprecated, leaving users exposed to hidden threats. | Details |
| 2024-01-19 06:46:49 | theregister | CYBERCRIME | IT Consultant Penalized for Uncovering Security Flaws | A German IT consultant was fined €3,000 for accessing and reporting a vulnerability in an e-commerce database. The database contained approximately 700,000 customer records and was easily accessible due to a plaintext password. The security flaw was published in a report by e-commerce writer Mark Steier, which led to a swift but inadequate response by Modern Solution. Modern Solution claimed limited customer data exposure, but allegations suggest a more extensive data breach. September 2021 saw the seizure of the consultant's computers, leading to a charge of unlawful data access. Initially, the district court sided with the consultant, but the verdict was reversed, resulting in his sentencing to a fine and court costs. The verdict, criticized for its impact on security research, is not yet legally binding, and the consultant intends to appeal. | Details |
| 2024-01-19 05:00:01 | thehackernews | CYBERCRIME | CISA Warns of Actively Exploited Critical Ivanti EPMM Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical flaw in Ivanti Endpoint Manager Mobile (EPMM). The vulnerability, CVE-2023-35082, is an authentication bypass with a 9.8 CVSS score and allows unauthorized remote access to personal data and server modifications. Ivanti's older vulnerabilities, CVE-2023-35078 and CVE-2023-35081, have also been cited as part of attack chains allowing for malicious web shell file uploads. Federal agencies are advised to apply patches to the affected Ivanti EPMM versions by February 8, 2024, to prevent potential breaches. In a separate incident, Ivanti has warned of mass exploitation in Ivanti Connect Secure (ICS) VPN devices, urging customers to rotate configuration secrets post-rebuild. Over 1,700 compromised devices have been identified globally, with initial attacks linked to a suspected Chinese threat actor and now involving multiple threat actors. Researchers at Assetnote discovered an additional exploitable endpoint in older ICS versions, highlighting the risks of seemingly simple security oversights in VPN devices. | Details |
| 2024-01-19 02:47:33 | theregister | NATION STATE ACTIVITY | US Warns of Potential Chinese Surveillance via Drones | The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that Chinese-made drones might be used for spying. Chinese laws, such as the National Intelligence Law (2017) and Data Security Law (2021), may compel companies to hand over data to the Chinese government. There is a risk that drones operating in critical infrastructure sectors could expose sensitive information to Chinese authorities. CISA and FBI guidance suggests treating drones like IoT devices and securely managing firmware updates and connected accessories to mitigate risks. The US previously grounded its own fleet of drones and has taken action against Chinese drone manufacturers like DJI for security reasons. Concerns include possible exploitation of system vulnerabilities by Chinese authorities and potential IP and security control compromises aiding future cyberattacks. | Details |
| 2024-01-18 21:11:15 | bleepingcomputer | CYBERCRIME | Ransomware Attackers Exploit TeamViewer for Network Breach | Ransomware actors are using TeamViewer, a popular remote access tool, to infiltrate and attack organizational networks. The attackers gain initial access through compromised TeamViewer accounts, bypassing the need to exploit software vulnerabilities. TeamViewer was first reported as a vector for Surprise ransomware delivery in March 2016, with credential stuffing as the probable cause. A recent Huntress report highlights two incidents where the same source used TeamViewer to attempt ransomware deployment using a leaked LockBit ransomware builder. In one compromised endpoint, the ransomware was successfully deployed but contained; in the other, antivirus software thwarted the attack. TeamViewer's security team emphasizes the importance of strong passwords, two-factor authentication, whitelisting, and updating to the latest software versions to prevent unauthorized access. TeamViewer condemns the malicious use of its software and offers guidance on best practices for secure unattended access to its users. | Details |
| 2024-01-18 20:55:32 | bleepingcomputer | CYBERCRIME | Ivanti EPMM Critical Vulnerability Actively Exploited, Agencies at Risk | CISA alerts that a critical authentication bypass bug in Ivanti's device management software is actively being exploited. The flaw, tracked as CVE-2023-35082, allows unauthorized API access and affects several versions of Ivanti's software. Successful exploitation could lead to access to personal information and potential backdoor creation into compromised servers. Organizations are urged to upgrade to a supported version and apply Ivanti's provided RPM script to mitigate risks. Over 6,300 Ivanti EPMM user portals are exposed online, with some pertaining to government agencies. CISA mandates federal agencies to patch the vulnerability by February 2, in line with a 3-year-old operational directive. Multiple Ivanti Connect Secure zero-days are also under mass exploitation, affecting businesses including Fortune 500 companies. Several Ivanti zero-days have been previously exploited in attacks targeting government, defense, and financial sectors. | Details |
| 2024-01-18 19:08:27 | theregister | CYBERCRIME | JPMorgan Repels Billions of Daily Cyber Attacks, Says Executive | JPMorgan Chase, the largest US bank, faces 45 billion cyberattack attempts per day, a figure that's doubled from the previous year. This claim was made by Mary Callahan Erdoes, CEO of asset and wealth management at JPMorgan, during the World Economic Forum in Davos. Despite the volume of attacks, many are likely to be routine scans rather than sophisticated attempts; however, the sheer quantity could obscure truly malicious activity. JPMorgan employs 62,000 technologists, which Erdoes indicates is more than tech giants like Amazon or Google, to counteract these risks and protect the bank's assets. JPMorgan was recently ordered to face a lawsuit for negligent behavior that allowed a $272 million fraud, highlighting the challenge of staying ahead of increasingly sophisticated cybercriminals. The bank's internal technical errors have also led to regulatory fines, such as a $4 million penalty by the SEC for the accidental deletion of millions of subpoenaed emails. Bank of England reports cyberattacks as the top threat perceived by banking executives, emphasizing the critical need for robust cybersecurity measures in the financial sector. | Details |
| 2024-01-18 18:47:43 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts Kansas State University's IT Systems | Kansas State University is responding to a cyberattack that disrupted critical network systems, including VPN, email, and video services. Essential systems were immediately taken offline upon detection of the incident, affecting VPN access, email services, video hosting on Canvas and Mediasite, printing, shared drives, and Listservs. University officials have engaged third-party IT forensic experts to help investigate the nature of the attack. Academic deans have received guidance on maintaining educational continuity using alternative resources while some systems remain unavailable. Students and staff are advised to stay alert for any suspicious activity and report it to the IT help desk. Email services for "K-State Today" are expected to be partially restored with a modified format and content limitations. There has been no indication as of yet that there was a data breach affecting personal information of students or staff. This incident marks the second major cyberattack on an educational institution in 2024, following a ransomware attack on Memorial University of Newfoundland. | Details |
| 2024-01-18 18:32:06 | theregister | NATION STATE ACTIVITY | Proposed Reforms Aim to Enhance Cyber Safety Review Board's Independence | The US Cyber Safety Review Board (CSRB) may become a permanent entity amidst calls for increased independence and transparency. The CSRB, established by Executive Order in 2021, has published only two reports on major cybersecurity incidents, analyzing Log4j and the LAPSUS$ group. Experts argue for the board's independence to prevent conflicts of interest, citing the potential for biased reporting from private sector members involved in cybersecurity incidents. There is a suggestion that the CSRB operate like the National Transportation Safety Board, with the authority to conduct in-depth investigations and report findings publicly. The cybersecurity industry relies on private companies for intelligence sharing, and the CSRB aims to provide actionable information without legal restrictions or profit considerations. Subpoena power for the CSRB is debated, with some experts in favor to compel information sharing, while others caution against it until further regulation details are established. The hearing concluded without endorsement from Senator Gary Peters, indicating that discussions are ongoing to define the CSRB's role and capabilities. | Details |
| 2024-01-18 17:41:02 | bleepingcomputer | MISCELLANEOUS | Haier Issues Takedown Notice Against Home Assistant Plugin Developer | Haier has issued a legal takedown notice to a German developer for creating and publishing Home Assistant integration plugins on GitHub. The plugins facilitated control of Haier and its affiliated brands' smart appliances through the open-source Home Assistant automation platform. Haier asserts these plugins cause financial harm and violate copyright laws, demanding their immediate removal to avoid further legal actions. The developer, Andre Basche, has indicated he will take down the projects following Haier's legal threats. The open-source nature of the plugins has stirred a community backlash, with calls to boycott Haier-branded products and support for the developer increasing. The long-term viability of the plugins is uncertain, given Haier's stance, but community support may lead to the code being maintained through forks or clones. Haier had not provided an immediate comment on the situation when contacted by the media. | Details |
| 2024-01-18 17:04:49 | theregister | MISCELLANEOUS | The Unseen Toll of Ransomware: Mental Health Crises Among Cybersecurity Pros | Ransomware attacks are causing severe psychological and physical health issues for cybersecurity professionals, including cases of hospitalization and suicidal ideation. A financial industry cybersecurity worker attributed a heart attack to the stress of managing ransomware, while a charity security staffer was hospitalized due to health problems exacerbated by a ransomware attack. The Royal United Services Institute (RUSI) research details the extensive psychological harm to infosec workers that goes unrecognized, linking high stress levels and burnout to the cybersecurity field. Victims often feel personal blame for ransomware incidents, leading to mental anguish, doubt in their abilities, and fear of job insecurity and reputational damage. One engineering business, recognizing the immense pressure on IT staff after an attack, established a PTSD support team, although the PTSD was self-identified by respondents rather than clinically diagnosed. The stress of potential regulatory action and accountability for breaches further contributes to the long-term mental strain on cybersecurity defenders. Social impacts included strained personal and professional relationships, with prolonged working hours affecting time spent with family and coworkers' behavior. Financial impacts extend beyond the victim organizations to the individuals, with potential job losses and personal costs for therapy to recover from the ransomware incidents. | Details |
| 2024-01-18 16:38:56 | thehackernews | MALWARE | Novel Docker Malware Siphons CPU for Crypto Mining, Simulates Web Traffic | A new cyberattack campaign targeting vulnerable Docker services has been discovered, utilizing both cryptocurrency mining and fake website traffic generation as monetization methods. The malware deploys XMRig, a tool for mining Monero (XMR) cryptocurrency, and 9Hits Viewer, software that simulates traffic to websites to earn credits within an exchange service. Security experts note this is the first time the 9Hits application has been employed as part of a malware payload, demonstrating threat actors' evolving strategies. Attackers are potentially scanning for open Docker API ports using search engines like Shodan, then installing malicious containers to exploit these services. Once breached, the servers run two containers—one for the 9Hits Viewer to accrue traffic credits fraudulently, and another for the XMRig miner to exploit CPU resources for cryptocurrency mining. Legitimate server workloads suffer due to resource exhaustion caused by the malware, and there's a risk of further compromise, such as adding a remote shell for more severe breaches. The scale and profitability of this campaign remain unknown since the XMRig miner connects to a private mining pool, concealing its activities. | Details |