Daily Brief

The summaries below are automatically generated.

Total articles found: 11760

Checks for new stories every ~15 minutes

2024-01-16 15:03:32 theregister CYBERCRIME Ivanti Connect Secure VPN Zero-Day Exploited Rapidly Worldwide
Ivanti Connect Secure (ICS) VPN zero-day vulnerabilities have been exploited on more than 1,700 devices. Microsoft Threat Intelligence Center indicates a "reasonable chance" of compromise for unmitigated systems from January 11 onward. The attacks grew quickly, from fewer than 20 devices to over 1,700, marking a shift from targeted intrusions to mass exploitation. Attackers include UTA0178, believed to be China-linked, and other groups that have since obtained the exploit. Victims span government, military, technology, financial services, and aerospace organizations. Most were compromised with a modified version of the GIFTEDVISITOR webshell, and each victim system appears to use a unique AES key. Despite available mitigations, many ICS appliances remain vulnerable, with a large concentration in the United States. Recommendations include running Ivanti's Integrity Checker Tool, collecting logs and forensic artifacts, and treating all sensitive data on a compromised appliance as potentially exposed.
2024-01-16 15:03:31 bleepingcomputer CYBERCRIME Navigating AI's Impact on Cybersecurity and Defense Strategies
Organizations are increasingly adopting AI to improve business functions, with one prediction that over 80% will use generative AI by 2026. AI is seen as vital for enhancing customer experience, increasing revenue, and ensuring business continuity, and 51% of business owners intend to strengthen cybersecurity through AI. The same capabilities are being harnessed by cybercriminals to increase the scale and success rate of their attacks. Defenses must evolve to meet AI-assisted attacks, including regular security testing and proactive vulnerability management. Pen Testing as a Service (PTaaS) offers continuous web application security monitoring and on-demand manual tests to find gaps that would otherwise go unnoticed. Outpost24's PTaaS provides direct communication between developers and pen testers, real-time reporting, and a zero-false-positive guarantee. Businesses need sustained vigilance to reap AI's advantages while guarding against increasingly sophisticated attacks.
2024-01-16 13:41:52 thehackernews CYBERCRIME Urgent Security Update Needed for 178,000 SonicWall Firewalls
Over 178,000 internet-exposed SonicWall firewalls remain vulnerable to security flaws that could trigger denial-of-service (DoS) conditions and potentially enable remote code execution (RCE). The affected units have not been patched against a flaw disclosed nearly two years ago. According to Bishop Fox's analysis, the flaws stem from the same vulnerable code pattern reused across different HTTP URI paths. Although no in-the-wild exploitation has been reported, a public proof-of-concept exists for one of the vulnerabilities, CVE-2023-0656. Separately, watchTowr Labs disclosed several stack-based buffer overflow vulnerabilities in SonicWall's management interface and SSL VPN portal. Administrators are advised to update their firewalls to the latest firmware and to ensure the management interface is not exposed to the internet.
2024-01-16 13:26:10 thehackernews MALWARE Remcos RAT Disguised as Adult Games Targets South Korean Users
Remcos RAT, a remote access trojan, is being spread through fake adult-themed games in South Korea. The distribution leverages WebHard platforms, which are commonly used for file storage and sharing in the country. Attackers trick users into downloading and executing booby-trapped files, which then fetch the Remcos RAT from a remote server. Originally marketed as a legitimate remote administration tool by Breaking Security, a Germany-based firm, Remcos has since been widely adopted by threat actors for unauthorized surveillance and data exfiltration. Its features include keylogging, audio recording, and a User Account Control (UAC) bypass used for persistence.
2024-01-16 10:52:52 thehackernews MISCELLANEOUS Retail Giant Averts Cookie Consent Penalties with Solution
A major retail client faced potential fines because of a misconfiguration in its cookie management: cookies were being set on several domains without user consent. Reflectiz, a security firm, deployed an exposure management solution that identified a problem the retailer's existing security tools had missed. The issue involved 37 domains setting cookies without explicit consent, potentially exposing the retailer to GDPR fines of up to 4% of annual turnover or €20 million. The use of iFrames and a VPN obscured the missing consent from the retailer's existing security solutions, which is why the problem went undetected. The misconfigured cookies sent data to a legitimate third-party advertising service rather than to malicious actors, which reduced the severity of the incident. The Reflectiz solution let the client pinpoint and resolve the consent issues, restoring compliance and avoiding penalties and reputational damage. Reflectiz's platform provides continuous monitoring of this kind, which is essential for maintaining compliance with data protection standards across industries.
2024-01-16 08:04:47 thehackernews MALWARE Inferno Malware Posing as Coinbase Swindles $87M from Crypto Users
Inferno Drainer, a malware operation, impersonated legitimate Web3 services and siphoned off more than $87 million from 137,000 victims. The fraud ran from November 2022 to November 2023 and used high-quality phishing pages to trick victims into signing malicious transactions. The operators created more than 16,000 unique domains spoofing cryptocurrency brands to propagate the scam. Investigators found the JavaScript-based drainers hosted initially on GitHub before being embedded directly in the phishing websites. Scammers lured users on Discord and X (formerly Twitter) with bogus incentives such as free tokens. The malware posed as popular Web3 protocols and services such as Seaport, WalletConnect, and Coinbase to facilitate unauthorized transactions. The phishing pages also used anti-analysis measures to stop victims from viewing the page source and uncovering the scam. Although Inferno Drainer has ceased operations, the incident underscores the growing threat of sophisticated drainer scams targeting cryptocurrency holders.
2024-01-16 07:18:38 thehackernews MALWARE Phemedrone Stealer Malware Exploits Patched Windows Vulnerability
Cybercriminals are exploiting a previously patched Windows security flaw to distribute Phemedrone Stealer, an information-stealing malware. Phemedrone targets web browsers, cryptocurrency wallets, and messaging apps, and can also take screenshots and gather system information. The stolen data is sent back to the operators via Telegram or their command-and-control server. The vulnerability, CVE-2023-36025, affects Windows SmartScreen and can be triggered via malicious Internet Shortcut (.url) files or hyperlinks to them. Attackers distribute the malware through Discord, cloud hosting services, and URL shorteners, despite Microsoft's November 2023 patch. The infection chain is multi-stage: a malicious Windows Control Panel (.cpl) file, a PowerShell loader, and the open-source shellcode loader Donut. Phemedrone Stealer is maintained on GitHub and Telegram, indicating an active support network for ongoing development and distribution. The continued abuse of CVE-2023-36025 after a patch is available shows how threat actors keep leveraging known flaws, combined with evasion techniques, against systems that have not been updated.
2024-01-16 03:35:02 theregister CYBERCRIME UN Report Unveils Surge in Cybercrime Tied to Illegal Online Casinos in Asia
The United Nations Office on Drugs and Crime (UNODC) has released a report detailing a rise in cybercrime linked to illegal online casinos in Southeast Asia. China's crackdown on gambling has pushed junket operators to set up illegal online casinos in less-regulated parts of the region, creating hubs for money laundering and cybercrime. These casinos are increasingly favored for cryptocurrency-based laundering, particularly using the stablecoin Tether (USDT) on the TRON blockchain. China's enforcement efforts revealed the involvement of at least five million people and an estimated capital outflow of $157 billion. Criminal groups have diversified into building and deploying malicious apps, web applications and malware, and into offering various forms of cybercrime as a service. UNODC officials emphasize the widening gap between organized crime and law enforcement, warning that unless it is addressed the impact will spread beyond Southeast Asia. The report calls on regional governments to recognize and respond to the sophisticated operations of online casinos and their associated money laundering activities.
2024-01-16 01:07:20 bleepingcomputer CYBERCRIME Ivanti Zero-Day Vulnerabilities Exploited Globally by Cybercriminals
Two zero-day vulnerabilities in Ivanti's Connect Secure VPN and Policy Secure appliances are being exploited globally, affecting organizations of all sizes, including Fortune 500 companies. Security firm Volexity reports mass exploitation of CVE-2023-46805 and CVE-2024-21887, with numerous systems compromised through a GIFTEDVISITOR webshell variant. Over 1,700 Ivanti devices have been identified as compromised across sectors including government, telecoms, defense, technology, finance, and aerospace. Ivanti has not yet released patches but has issued mitigation guidance for network administrators, including running Ivanti's Integrity Checker Tool and treating system data as compromised if a breach is found. Shadowserver is tracking more than 16,800 Ivanti devices exposed online, nearly 5,000 of them in the U.S. Multiple threat actors, including a suspected Chinese state-backed group, have escalated attacks, using the vulnerabilities to deploy custom malware for credential theft and further malicious activity.
2024-01-15 21:18:27 bleepingcomputer CYBERCRIME U.S. Secret Service Exposes Antivirus Renewal Phishing Scam
The U.S. Secret Service has investigated a phishing scam involving fake antivirus subscription renewal emails that led to the theft of $34,000. The threat actors sent emails impersonating Norton Antivirus renewal notices, instructing recipients to call a phone number to cancel a supposed charge. Victims who called were directed to install remote access software, unknowingly giving the scammers access to their PCs and bank accounts. In one case the scammers moved money between the victim's own savings and checking accounts, presented it as an accidental over-refund, and convinced the victim to "return" $34,000. J.P. Morgan Chase intervened by restricting the account associated with the scam and moving the funds to a controlled suspense account. The Secret Service has applied for a seizure warrant to recover the stolen funds from an account belonging to Bingsong Zhou, who is implicated in the scam. Potential charges against Zhou include wire fraud, money laundering, bank fraud, involvement in phishing, and conspiracy to commit wire fraud.
2024-01-15 19:36:38 theregister CYBERCRIME Over 11,500 Juniper Devices at High Risk of RCE Exploitation
More than 11,500 Juniper Networks devices are susceptible to a critical remote code execution (RCE) vulnerability, CVE-2024-21591, rated 9.8 on the CVSS scale. Multiple releases of Junos OS are affected and need immediate patching to prevent exploitation. The majority of the exposed devices have not been patched against earlier vulnerabilities either, and many publicly reveal their model numbers. South Korea, the US, Hong Kong, and China host the most exposed devices; the end-of-life SRX110H2-VA is the most common exposed model. Juniper Networks advises applying the patches urgently or, as an interim measure, disabling J-Web or restricting access to trusted hosts. The disclosure follows a US Cybersecurity and Infrastructure Security Agency (CISA) directive on the dangers of exposing management interfaces to the public internet. Juniper Networks is also the subject of a potential $14 billion acquisition by HPE, signalling significant changes for the company.
2024-01-15 18:50:38 bleepingcomputer CYBERCRIME Over 178,000 SonicWall Firewalls Exposed to Severe Security Flaws
Two vulnerabilities, CVE-2022-22274 and CVE-2023-0656, affect over 178,000 SonicWall firewalls and could lead to denial-of-service (DoS) and potentially remote code execution (RCE). According to Bishop Fox researchers, 76% of scanned SonicWall firewalls with internet-facing management interfaces are susceptible to the flaws. The two bugs stem from the same code pattern but affect different HTTP URI paths. Attackers can exploit them to push devices into maintenance mode, cutting off corporate VPN access. Shadowserver data shows more than half a million SonicWall firewalls exposed online, a significant number of them in the U.S. A proof-of-concept exploit for CVE-2022-22274 is already circulating online, so administrators should apply firmware updates urgently. SonicWall has a broad customer base, including government agencies and large corporations, and its appliances have previously been targeted in cyber-espionage and ransomware campaigns.
2024-01-15 18:35:11 bleepingcomputer MALWARE Active Exploitation of Windows SmartScreen Flaw by Phemedrone Malware
A new information stealer named Phemedrone is exploiting a Microsoft Defender SmartScreen vulnerability, CVE-2023-36025, to evade detection. The campaign targets data from web browsers, cryptocurrency wallets, and applications including Discord, Steam, and Telegram. CVE-2023-36025 was patched in the November 2023 Patch Tuesday update and was flagged at the time as actively exploited. Attackers host malicious .url (Internet Shortcut) files on trusted cloud services; opening one exploits CVE-2023-36025 to bypass the usual Windows SmartScreen warning prompts. The shortcut downloads and executes a Control Panel item from the attacker's server, which delivers a PowerShell loader that in turn installs Phemedrone. Phemedrone harvests sensitive data and exfiltrates it over Telegram. Trend Micro, which reported on the campaign, has published indicators of compromise (IoCs) for organizations to detect and address the threat.
2024-01-15 18:29:54 bleepingcomputer DDOS Massive Vulnerability in SonicWall Firewalls Risks RCE and DoS Attacks
Over 178,000 SonicWall firewalls are potentially exposed to DoS and RCE attacks because of unpatched security flaws. Bishop Fox researchers identified two critical vulnerabilities, CVE-2022-22274 and CVE-2023-0656, which stem from a code pattern reused in SonicWall's NGFW appliances. Even without achieving code execution, attackers can force devices into maintenance mode, disrupting VPN access and requiring manual intervention to recover. Data indicates over half a million SonicWall firewalls are reachable online, a significant portion of them in the United States. Although no in-the-wild exploitation has been confirmed, a proof-of-concept for CVE-2022-22274 has been published online. SonicWall PSIRT recommends that administrators keep the management interface off the internet and update firewalls to the latest firmware. SonicWall appliances have previously been targeted by cybercriminals and state-sponsored hackers for espionage and ransomware deployment.
2024-01-15 17:38:31 theregister CYBERCRIME GitLab Patch Urgently Needed to Prevent Critical Account Takeovers
GitLab has disclosed a critical vulnerability, CVE-2023-7028, affecting self-managed instances, that lets attackers hijack the password reset process. The flaw stems from a change to the password reset flow that allowed reset emails to be sent to an unverified, attacker-supplied secondary email address. Users without two-factor authentication (2FA) are most at risk; 2FA users' passwords can still be reset, but taking over the account would additionally require their second factor. Mitigations include enforcing 2FA for all accounts and, for self-managed customers using an external identity provider, disabling password authentication entirely. Affected versions span GitLab Community and Enterprise Editions from 16.1 up to 16.7.1, all of which need immediate patching. GitLab's advisory also describes how to check logs for signs of exploitation, and the company has announced additional security measures, including stronger validation of password reset requests. A second vulnerability, CVE-2023-5356, could allow unauthorized use of slash commands in integrations such as Slack or Mattermost, potentially exposing sensitive data. Other fixes address a CODEOWNERS approval bypass, improper access control in GitLab Remote Development, and potential modification of signed commit metadata.
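As an added example, not GitLab's own code and not part of the original article, the following Python script implements the log checks GitLab's advisory describes for CVE-2023-7028: it flags a /users/password request in production_json.log whose email parameter is a JSON array holding more than one address, and an audit_json.log entry from PasswordsController#create whose target_details is such an array. The log lines are constructed for the example; the field names, and the assumption that the caller field may appear as either meta.caller_id or meta.caller.id, follow the advisory's description rather than a live instance.

```python
import json

# Added example (not GitLab's own code): scans GitLab JSON logs for the
# CVE-2023-7028 indicators GitLab's advisory describes.
#   production_json.log: a request to /users/password whose email parameter
#                        is a JSON array holding more than one address
#   audit_json.log:      an entry from PasswordsController#create whose
#                        target_details is such an array
# The log lines below are constructed for the example. Real files are one
# JSON object per line (on Omnibus installs under /var/log/gitlab/gitlab-rails/).

SAMPLE_PRODUCTION_LOG = r"""
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"victim@example.com"}}],"status":302,"remote_ip":"203.0.113.10"}
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"status":302,"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/users/sign_in","params":[],"status":200,"remote_ip":"203.0.113.10"}
""".strip()

SAMPLE_AUDIT_LOG = r"""
{"meta.caller_id":"PasswordsController#create","target_details":"victim@example.com","remote_ip":"203.0.113.10"}
{"meta.caller_id":"PasswordsController#create","target_details":"[\"victim@example.com\",\"attacker@example.net\"]","remote_ip":"198.51.100.7"}
{"meta.caller_id":"SessionsController#create","target_details":"victim@example.com","remote_ip":"203.0.113.10"}
""".strip()


def _as_email_list(value):
    """Return a list if value is a JSON array (or a string encoding one), else None."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return None  # an ordinary address is not JSON, so this is the normal case
    return value if isinstance(value, list) else None


def _entries(text):
    """Yield parsed JSON objects, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue


def is_suspicious_reset_request(entry):
    """production_json.log check: /users/password with a multi-address email array."""
    if entry.get("path") != "/users/password":
        return False
    for param in entry.get("params", []):
        value = param.get("value")
        if isinstance(value, dict):
            emails = _as_email_list(value.get("email"))
            if emails is not None and len(emails) > 1:
                return True
    return False


def is_suspicious_audit_event(entry):
    """audit_json.log check: PasswordsController#create with a multi-address target."""
    # The advisory names the field meta.caller.id; flattened logs write it as
    # "meta.caller_id", so both spellings are accepted here (assumption).
    caller = entry.get("meta.caller_id") or entry.get("meta.caller.id")
    if caller != "PasswordsController#create":
        return False
    emails = _as_email_list(entry.get("target_details"))
    return emails is not None and len(emails) > 1


def scan_gitlab_logs(production_text, audit_text):
    """Return the remote IPs flagged by either check, keyed by log file name."""
    findings = {"production_json.log": [], "audit_json.log": []}
    for entry in _entries(production_text):
        if is_suspicious_reset_request(entry):
            findings["production_json.log"].append(entry.get("remote_ip"))
    for entry in _entries(audit_text):
        if is_suspicious_audit_event(entry):
            findings["audit_json.log"].append(entry.get("remote_ip"))
    return findings


if __name__ == "__main__":
    for log_name, ips in scan_gitlab_logs(SAMPLE_PRODUCTION_LOG, SAMPLE_AUDIT_LOG).items():
        print(f"{log_name}: {len(ips)} suspicious entries {ips}")
```

A hit in either file means a reset link may have been delivered to an attacker-controlled address; the advisory's guidance is then to rotate the affected users' credentials and check for unexpected sessions and personal access tokens, not only to patch.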