Daily Brief


Total articles found: 11761


2024-01-17 20:42:46 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Use New MediaPl Malware Against Researchers
Iranian state-backed hackers, linked to the APT35 group, have launched spearphishing attacks on researchers and university staff in Europe and the US to deploy new MediaPl malware. Microsoft has identified this subgroup of APT35, also known as Charming Kitten or Phosphorus, as using sophisticated phishing emails to socially engineer targets. The MediaPl backdoor malware is designed to resemble Windows Media Player, using encrypted communication to avoid detection while interfacing with its command-and-control server. Additionally, MischiefTut, another PowerShell-based malware, assists in dropping tools and performing reconnaissance on infected systems. The campaign focuses on stealing sensitive information from high-value targets and appears to be particularly interested in individuals with insights into Middle Eastern affairs. APT35 has a history of backdooring various companies using previously unknown Sponsor malware and targeting macOS systems with NokNok malware. Another Iranian group, known as APT33, has been targeting defense organizations and contractors globally with password spray attacks and new FalseFont malware since February 2023.
2024-01-17 18:55:24 bleepingcomputer MALWARE Bigpanzi Botnet Compromises Over 170,000 Android TV Boxes
Bigpanzi, a covert cybercrime syndicate, has infected 170,000 Android TV and eCos set-top boxes, turning them into bots since at least 2015. The botnet, primarily affecting Brazil, spreads its malware through fake firmware updates and backdoored apps, according to Qianxin Xlabs. Bigpanzi monetizes the botnet through illegal streaming, traffic proxying, DDoS attacks, and providing over-the-top (OTT) content. The malware, pandoraspear, functions as a backdoor trojan enabling DNS hijacking, command execution, and communication with a command and control server. Another malware tool, pcdn, creates a P2P Content Distribution Network (CDN) with DDoS capabilities, adding another attack vector. Xlabs, after hijacking two C2 domains, observed 170,000 daily active bots and over 1.3 million unique IPs since August, indicating a potentially larger network. The scale of Bigpanzi's operations suggests only a fraction of its activities has been uncovered, and cybersecurity analysts are continuing their investigations. Artifacts linked to a suspicious YouTube channel were found, but no specific attribution has been publicly disclosed, with details likely reserved for law enforcement.
2024-01-17 18:34:25 bleepingcomputer CYBERCRIME Urgent Patching Required for Citrix and Chrome Zero-Days Exploited in Attacks
CISA mandates U.S. federal agencies to patch Citrix and Chrome vulnerabilities exploited in ongoing attacks, prioritizing a Citrix RCE bug. The Citrix vulnerabilities impact NetScaler ADC and Gateway appliances, which may allow remote code execution and denial-of-service attacks. Federal agencies are given one week to patch the highlighted Citrix RCE vulnerability, with a deadline set for January 24th. CISA also included an actively exploited Chrome zero-day in its Known Exploited Vulnerabilities Catalog, expanding the scope of concern. Over 51,000 NetScaler appliances are exposed online, and only a fraction have secured their management interfaces. While federal agencies are under a binding operational directive, CISA strongly advises all organizations to patch these flaws promptly. Temporary workarounds include blocking network traffic to affected instances and ensuring they're not accessible online until patches are applied.
2024-01-17 18:08:36 bleepingcomputer MALWARE Innovative Scripts to Detect iOS Spyware Through Shutdown Logs
Security researchers have developed iShutdown scripts which utilize the Shutdown.log file to detect spyware on iOS devices. The method allows for the identification of high-profile spyware like Pegasus, Reign, and Predator by analyzing reboot event logs. Kaspersky released Python scripts to automate this analysis process, offering a simpler alternative to traditional forensic techniques. The reliability of this method has been confirmed through testing with iPhones infected with the Pegasus spyware. Kaspersky emphasizes the necessity of routine reboots after potential infections to ensure the method's effectiveness. The scripts provided by Kaspersky require some technical knowledge for proper application and analysis of the results. Delays registered in the Shutdown.log file can be indicative of spyware infection, with multiple delays warranting further investigation. This technique has shown consistent results in identifying malware when the infected device is rebooted sufficiently often.
2024-01-17 15:33:48 bleepingcomputer CYBERCRIME New 'LeftoverLocals' Vulnerability Exposes GPU Data Leaks
A vulnerability, known as 'LeftoverLocals,' has been identified that allows data retrieval from local memory of popular GPUs. Affected manufacturers include AMD, Apple, Qualcomm, and Imagination Technologies, impacting AI and machine learning applications. The vulnerability (CVE-2023-4969) was discovered by Trail of Bits researchers, who privately reported the issue before making it public. LeftoverLocals exploits insufficient memory isolation in GPU frameworks, enabling unauthorized access to sensitive computational data. Attackers can employ a listener GPU kernel to dump data left in local memory by another kernel, which can include inputs, outputs, and weights of machine learning models. Trail of Bits demonstrated the vulnerability with a proof of concept showing substantial data recovery per GPU invocation. Remediation efforts are in progress; some vendors have issued fixes, while others are still developing mitigation strategies, with suggestions for automatic memory clearing between kernel executions.
2024-01-17 15:07:56 bleepingcomputer MISCELLANEOUS Leveraging Open Source Tools for Effective Cybersecurity with Wazuh
Cybersecurity architecture is crucial for protecting an organization’s information systems against a wide array of cyber threats. Implementing a robust cybersecurity framework can be costly, making open source solutions a viable alternative for SMEs. Open source software (OSS) offers cost-effectiveness, flexibility, and community-driven enhancements, benefiting from collective expertise. Key cybersecurity tools within an architecture include solutions for endpoint, application, and network security, as well as monitoring and compliance. Open source projects allow organizations to customize their cybersecurity infrastructure while saving on licensing fees associated with proprietary solutions. Wazuh is an open source security solution that provides SIEM and XDR capabilities, supporting virtualized, on-premises, cloud-based, and containerized environments. Wazuh's platform offers real-time data correlation, intrusion detection, vulnerability detection, file integrity monitoring, and compliance monitoring. With over 20 million annual downloads, Wazuh garners extensive support and contributions from the open source community, enhancing its functionality and scalability.
2024-01-17 15:02:30 theregister CYBERCRIME Extortion Bot Misleads Victims About Database Backups Post-Attack
Security researchers have discovered an extortion bot that wipes public PostgreSQL and MySQL databases with weak passwords within hours of internet exposure. The bot falsely claims to back up all data but only saves the first 20 rows of each table before deleting them, leaving a ransom note demanding payment for data recovery. Victims who pay the ransom do not recover their full data as the backups are incomplete; the bot has netted over $3,000 in a single week from six victims. The bot's activity is linked to a digital wallet containing nearly $3 million, suggesting the perpetrators' involvement in more extensive cybercrime operations. The bot operates by brute-forcing databases, dropping tables, terminating backend processes, and attempting to shut down servers after the attack. The global presence of millions of public-facing Postgres and MySQL servers presents a significant target pool for the bot, with security experts urging the use of strong passwords to prevent attacks. Researchers highlight that exposing databases to the public internet—even in cloud services or via Docker—increases the risk, underscoring the importance of secure configurations.
2024-01-17 14:01:22 thehackernews MISCELLANEOUS Wing Security Enhances SaaS AI Application Risk Management
Wing Security is now providing free discovery and a paid service to mitigate risks in AI and SaaS applications to protect intellectual property and sensitive data. A staggering 83.2% of surveyed companies use GenAI applications and 99.7% employ SaaS applications that leverage AI, exposing them to security risks often overlooked by security teams. Wing Security has categorized the risks of AI usage in applications, including concerns over long-term data storage, model training using proprietary data, and potential knowledge leaks. The company offers an automated solution following a three-step process: Know (discovery of AI-powered apps), Assess (security scoring and data usage analysis), and Control (addressing critical issues). Automating these processes allows security teams to focus on priorities and reduce risks, while fostering a positive security culture by involving end users in secure SaaS AI usage. Wing's solution is part of their wider approach to confront the new challenges brought by the integration of AI in omnipresent SaaS applications, while balancing productivity benefits and security risks.
2024-01-17 13:55:42 thehackernews MALWARE Vulnerabilities in PAX PoS Terminals Expose Transaction Data
PAX Technology PoS terminals are affected by high-severity vulnerabilities that allow arbitrary code execution. The STM Cyber R&D team discovered the vulnerabilities by reverse engineering the Android-based devices, highlighting six significant flaws. Attackers could potentially gain root privileges, bypass sandboxing, and interfere with payment transactions. To exploit certain vulnerabilities, attackers require either shell access or physical USB access to the devices. One of the disclosed flaws, CVE-2023-42133, has its details withheld, while the others are publicly listed. PAX Technology was informed about the vulnerabilities in May 2023, and patches were released in November 2023. If exploited, the vulnerabilities could allow attackers to modify transaction amounts during payment processing.
2024-01-17 11:48:26 theregister MISCELLANEOUS Recent Windows Server Update Disrupts Chrome and Other Apps
The Windows Server 2022 patch KB5034129, intended as a security update, is causing disruption with applications, notably Google Chrome. Users report that Chrome fails to launch or displays as a blank white box after installing the update; similar problems extend to other Chromium-based browsers and tools. The issue appears to stem from the patch's interaction with the graphics subsystem, as indicated by GPU-related error logs from Chrome. Microsoft has acknowledged the issue and is currently investigating, although their official support page has not yet been updated to reflect any known issues. As a workaround, affected administrators have been either uninstalling the update, which poses a security risk, or making registry edits, which could potentially destabilize the Windows installation. The situation highlights a challenge administrators face when balancing between essential security updates and maintaining operational stability for widely used applications. Microsoft and Google have been contacted for comments, with further updates from the companies pending.
2024-01-17 11:22:24 thehackernews CYBERCRIME CISA and FBI Issue Alert on AndroxGh0st Botnet Credential Theft
U.S. CISA and FBI have issued warnings about the AndroxGh0st malware used in a botnet targeting credentials for services like AWS, Azure, and Office 365. AndroxGh0st is a Python-based malware initially identified by Lacework in December 2022, and has inspired similar tools aimed at penetrating servers using known vulnerabilities. Attackers exploit vulnerabilities such as CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133 to infiltrate servers for Laravel environment files and credential theft. The malware possesses capabilities for SMTP abuse, including scanning for exposed credentials, exploitation of APIs, and deploying web shells for persistent access. AndroxGh0st also targets AWS by scanning for keys and has brute-force functionalities for generating new keys if needed. The alert follows reports by SentinelOne on the FBot tool and NETSCOUT on a surge in botnet scanning activity, with the majority of activities traced back to the U.S., China, Vietnam, Taiwan, and Russia. Attackers increasingly use cheap or free cloud and hosting servers to launch botnets, offering them anonymity and requiring minimal overhead.
2024-01-17 11:01:46 thehackernews CYBERCRIME Upcoming Webinar Sheds Light on Hacker Privilege Escalation Tactics
The webinar titled "The Art of Privilege Escalation How Hackers Become Admins" is designed to enhance the knowledge of IT security professionals. Privilege escalation is highlighted as a significant threat where attackers gain high-level access, leading to a network takeover. The webinar aims to educate on anticipating and defending against such cyber threats to improve digital security strategies. Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea, will be delivering expert insights during the session. The announcement emphasizes the importance of transforming cybersecurity approaches to protect organizations effectively. Additional resources include a report on the threat of malicious browser extensions and insights into implementing Zero Trust security to minimize attack surfaces.
2024-01-17 10:25:53 thehackernews CYBERCRIME Lightweight iShutdown Method Detects iPhone Spyware Infection
Cybersecurity researchers have developed iShutdown, a new method to detect spyware on iOS devices. The method locates traces of spyware like Pegasus in a system log file that documents each reboot event. Kaspersky's analysis discovered reboot delays and file paths in "Shutdown.log" indicating spyware activity. Sticky processes associated with spyware cause reboot delays, serving as indicators of compromise. The efficiency of iShutdown depends on the frequency of device reboots, linked to the user's threat profile. Kaspersky released Python scripts to help extract and analyze log files for anomalies. The log file can keep entries for years, proving to be a significant forensic tool to identify irregular activities. Separate research warned about the rapid evolution of macOS malware outpacing Apple's XProtect antivirus.
2024-01-17 09:34:47 theregister DATA BREACH UK Regulator Fines Companies for Illegal Marketing Calls
The Information Commissioner’s Office (ICO) has issued fines to Poxell Ltd and Skean Homes Ltd for making unauthorized marketing calls to individuals registered with the Telephone Preference Service (TPS). Poxell Ltd, focusing on energy-saving products, is fined £150,000 for 2.6 million calls made between March and July 2022, resulting in 413 complaints about aggressive sales tactics. Skean Homes Ltd incurred a £100,000 fine for over 600,000 calls made between March and May 2022, wrongly claiming that a lead generation provider made the calls due to a technical error. Both companies violated the Privacy and Electronic Communications Regulation 2003 by not respecting the TPS 'do not call' register. Andy Curry, head of investigations at the ICO, emphasized the entities' legal breaches and the distress caused to individuals by disregarding their choice for privacy. The ICO warns that it will take strong measures against companies that dodge rules via third parties or multiple phone numbers for making illegal calls. The continued breaches suggest that fines are not deterring companies from targeting individuals registered with TPS, with expectations of further instances.
2024-01-17 07:42:32 thehackernews DATA BREACH GitHub Acts Promptly to Rotate Keys After Critical Flaw Exposed
GitHub identified and swiftly addressed a high-severity security vulnerability on December 26, 2023, which could have allowed unauthorized access to sensitive credentials. Following the discovery of the vulnerability, tracked as CVE-2024-0200, GitHub proactively rotated potentially compromised keys, including commit signing and customer encryption keys. The issue affected GitHub Enterprise Server (GHES) and required an authenticated user with an organization owner role for potential exploitation. Patches were released for the "unsafe reflection" vulnerability in multiple GHES versions to prevent reflection injection and remote code execution. Another high-severity issue tracked as CVE-2024-0507 was also addressed, involving privilege escalation through command injection in the Management Console. GitHub's recent history of preemptive security measures includes the replacement of an RSA SSH host key following inadvertent exposure in a public repository. The incident underlines the importance of rapid and decisive action in detection and mitigation of security threats, demonstrating GitHub's commitment to maintaining platform security.