Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11759
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-09 22:29:14 | theregister | MISCELLANEOUS | Recent Tech Patch Updates Tackle Potential Security Flaws | Microsoft's Patch Tuesday offered 49 Windows security updates, including two critical-rated bugs and four high-severity Chrome flaws in Microsoft Edge. None of the January CVEs are currently being exploited, but CVE-2024-20674 in Windows Kerberos is noted as "exploitation more likely." CVE-2024-20700, another critical update, addresses an RCE bug in Windows Hyper-V, requiring network access for exploitation. Adobe patched six "important" vulnerabilities in Substance 3D Stager, with no known active exploits prior to the update. SAP released 12 patches, highlighted by three HotNews Notes with CVSS scores of 9.1, addressing serious vulnerabilities such as privilege escalation. Cisco rolled out an update for privilege escalation vulnerabilities in its Identity Services Engine, with one CVE lacking a patch but considered a non-critical issue because exploitation requires certain prerequisites. Google's January Security Bulletin for Android corrected 59 CVEs, with the most severe allowing local privilege escalation, though no active exploits were reported. | Details |
| 2024-01-09 22:13:51 | theregister | CYBERCRIME | SEC Twitter Account Compromised to Spread False Bitcoin ETF Approval | The U.S. Securities and Exchange Commission's (SEC) Twitter account was hijacked to falsely claim approval of Bitcoin ETFs. The fraudulent tweet led to a temporary spike in Bitcoin prices before being corrected. SEC Chairman Gary Gensler confirmed the breach and clarified that no such approval had been granted. The false information caused confusion amid market anticipation of the SEC's decision on Bitcoin ETFs. The SEC has emphasized that approved Bitcoin ETFs would be under strict surveillance and compliance for investor protection, in contrast to the unauthorized tweet's content. The crypto market, having recovered significantly from the previous year's crash, is highly sensitive to regulatory announcements. An investigation into the Twitter account compromise is underway to prevent such incidents and safeguard market integrity. | Details |
| 2024-01-09 21:53:15 | theregister | CYBERCRIME | SEC Twitter Account Compromised to Spread False Bitcoin ETF News | The U.S. Securities and Exchange Commission's (SEC) official Twitter account was hijacked by an unknown party. A misleading tweet announced the false approval of Bitcoin ETFs by the SEC, prompting a temporary spike in Bitcoin prices. The fraudulent tweet claimed that Bitcoin ETFs would be listed on all registered national securities exchanges with ongoing surveillance. The false information was swiftly deleted, and SEC Chairman Gary Gensler confirmed that the tweet was unauthorized. The SEC reiterated that it has not approved the listing and trading of spot bitcoin exchange-traded products. Bitcoin's price briefly surged to $47,900 before dipping by 1.5 percent following the correction of the false announcement. The SEC is likely investigating the security breach and the method by which its Twitter account was compromised. | Details |
| 2024-01-09 21:47:57 | bleepingcomputer | NATION STATE ACTIVITY | China Allegedly Deciphers AirDrop to Identify Dissenters | A Chinese government-backed institute claims it can decrypt Apple AirDrop logs to extract users' information. This capability enables tracking of individuals who share content via AirDrop, threatening anonymity. Protesters in China have used AirDrop to circumvent censorship and disseminate pro-democracy materials. Following anti-government protests, Apple limited AirDrop's "Everyone" reception to 10 minutes in China, a restriction later applied globally. The Chinese research institute has reportedly used this decryption method to identify individuals spreading "inappropriate" messages. The institute used rainbow tables to reverse the hashes of phone numbers, email addresses, and device names found in iOS logs. China's action reflects its ongoing efforts to control information flow and suppress dissent within its digital borders. | Details |
| 2024-01-09 21:12:04 | bleepingcomputer | CYBERCRIME | Scammers Impersonate Security Experts in Ransomware Hack-Back Scheme | Organizations hit by Royal and Akira ransomware attacks have faced scam attempts by someone claiming to be a security expert offering to "hack back" and delete stolen data. The scammer, pretending to be an ethical hacker, demands payment in Bitcoin for proof of access to and deletion of victims' data from the attackers' servers. Cybersecurity firm Arctic Wolf reported multiple cases where ransomware victims, who had previously paid ransoms, were targeted by this scam. In two distinct cases, the perpetrator presented themselves as the 'Ethical Side Group' and as 'xanonymoux', but communication patterns later suggested it was likely the same individual. The scam exploits the complex challenge faced by ransomware victims, introducing an additional layer of financial risk after the initial attack. Victims and businesses must be aware of such scams in the aftermath of ransomware incidents and exercise caution when approached by anyone offering hack-back services. | Details |
| 2024-01-09 20:36:00 | bleepingcomputer | DATA BREACH | FTC Prohibits Data Broker from Selling Sensitive Location Data | The FTC has implemented a ban on Outlogic from selling sensitive American location data, enforcing a commitment to user privacy. Outlogic is ordered to delete all previously collected location data and any derivative models or algorithms. The data sold by Outlogic exposed crucial information about individuals, such as medical visits and worship locations. The FTC criticizes Outlogic for not filtering out sensitive locations from the data and for neglecting user preferences when they opted out. FTC Chair Lina M. Khan emphasizes the importance of protecting citizens from invasive corporate surveillance and data brokers. The violation includes insufficient information to users regarding data usage and a lack of informed consent from consumers. Outlogic's security failures included not honoring certain Android users' requests to opt out of tracking and personalized ads. This FTC action aligns with efforts to uphold consumer privacy following a presidential executive order related to reproductive health services. | Details |
| 2024-01-09 19:34:36 | bleepingcomputer | NATION STATE ACTIVITY | CISA Alerts on Exploited Vulnerabilities Linked to Spyware Campaign | CISA has updated the Known Exploited Vulnerabilities catalog with six flaws found in products from companies including Apple, Adobe, and Apache. The listed vulnerabilities have been actively exploited, with agencies directed to patch or cease using vulnerable products by January 29. One notable vulnerability, CVE-2023-41990, was used in the 'Operation Triangulation' spyware campaign that has targeted iPhones since 2019. Other vulnerabilities, such as CVE-2023-38203 and CVE-2023-29300, saw attackers exploiting bypasses of vendor patches. CVE-2023-27524 had proof-of-concept exploits made public in September, increasing its risk of exploitation. Federal agencies must audit their systems for these vulnerabilities and apply the necessary patches or countermeasures promptly. | Details |
| 2024-01-09 19:08:50 | bleepingcomputer | CYBERCRIME | Microsoft's January 2024 Updates Patch Multiple RCE Vulnerabilities | Microsoft released patches for 49 security flaws across various products as part of its January 2024 Patch Tuesday. Among the vulnerabilities are 12 remote code execution (RCE) bugs, with two classified as critical. A significant flaw fixed is an RCE vulnerability in Microsoft Office related to malicious FBX 3D model files. Another critical bug addressed was a Windows Kerberos Security Feature Bypass, which could allow attackers to bypass authentication. Although no vulnerabilities were actively exploited or publicly disclosed this month, the Office RCE flaw presents a notable risk. The security update covered both Windows and Mac versions of Office applications and will disable the ability to insert FBX files. Microsoft's updates come alongside other January 2023 advisories from various tech vendors. | Details |
| 2024-01-09 18:53:11 | bleepingcomputer | CYBERCRIME | Microsoft SQL Servers Compromised in Global Mimic Ransomware Scheme | A Turkish hacker group is attacking Microsoft SQL servers with Mimic ransomware worldwide, particularly in the EU, the US, and Latin America. These attacks, denoted RE#TURGENCE by Securonix Threat Research, can result in either the sale of access to compromised systems or the delivery of ransomware payloads. Attackers hijacked MSSQL servers through brute-force attacks, leveraging xp_cmdshell to elevate their permissions. They used Cobalt Strike payloads and AnyDesk to maintain access and facilitate lateral movement after credential harvesting via Mimikatz. The threat actors expanded their control by hacking into other network devices and ultimately compromised the domain controller. The Mimic ransomware is deployed via AnyDesk as self-extracting archives that seek out and encrypt files, demanding a ransom through a text notice deposited on the infected system. The same email associated with the ransom note has been linked to previous Phobos ransomware attacks, indicating a connection between the threat groups. This campaign shows similarities to the earlier DB#JAMMER operation, which also targeted MSSQL servers via brute force and deployed ransomware. | Details |
| 2024-01-09 16:50:51 | bleepingcomputer | CYBERCRIME | International Efforts Lead to Arrest of Ransomware Operator | Cisco Talos, in partnership with Dutch police, obtained a decryption tool for the Tortilla variant of Babuk ransomware. The decryption tool was previously supplied to victims who paid ransoms to the ransomware operator. The Tortilla ransomware operator was identified and arrested thanks to intelligence shared by Cisco Talos. The decryptor contained a single key pair used across all attacks, allowing the creation of a generic decryption tool. Avast incorporated the Tortilla decryption key into its existing Babuk decryptor, making it available for free to affected users. Experts noted that multiple operations have been using Babuk ransomware's code since its source code leak in 2021. | Details |
| 2024-01-09 16:29:59 | bleepingcomputer | CYBERCRIME | Paraguay Military Issues Alert After Tigo Business Ransomware Attack | Tigo Business in Paraguay, the country's largest mobile carrier, was targeted by a cyberattack affecting cloud and hosting services and triggering outages. Military authorities warn of Black Hunt ransomware attacks following the breach, which specifically impacted corporate clients. Over 330 servers and backups were reportedly encrypted in the attack, disrupting websites, email, and cloud storage for many companies. The General Directorate of Information and Communication Technologies of the Paraguayan Armed Forces quickly issued, then deleted, a warning about the ransomware. The Black Hunt ransomware operation, known for targeting South American companies, began its activities towards the end of 2022. Attackers deploy ransomware that cripples systems through various means, including disabling critical Windows features and security measures. The malware forces a full reinstall of Windows to recover, with no instances of data leaks observed despite claims in ransom notes. | Details |
| 2024-01-09 16:04:11 | thehackernews | MALWARE | Water Curupira Distributes PikaBot Loader in Phishing Sprees | The Water Curupira threat group has been actively distributing the PikaBot loader malware through spam campaigns. The phishing campaigns involved a two-component system allowing remote access and execution of commands via a command-and-control server. The campaigns began in early 2023, surged again in September, and show similarities to past QakBot-related activities by the groups TA571 and TA577. PikaBot serves as an initial payload delivery mechanism to facilitate further malware attacks, such as Cobalt Strike and ultimately ransomware. Attackers use email thread hijacking, inserting malicious links or files into ongoing conversations to trigger the malware. The malware contains language checks that halt execution on systems with Russian or Ukrainian settings, and it gathers system details to send to C&C servers. The primary goal of Water Curupira's campaigns is to deploy Cobalt Strike beacons leading to Black Basta ransomware infections. Despite engaging in DarkGate and IcedID campaigns earlier in the year, the group has since focused exclusively on propagating PikaBot. | Details |
| 2024-01-09 15:02:42 | bleepingcomputer | MISCELLANEOUS | Criminal IP and Tenable Unite for Enhanced Vulnerability Management | Criminal IP, AI SPERA's Cyber Threat Intelligence search engine, has partnered with Tenable for advanced threat analysis and exposure management. The partnership aims to provide users with a stronger solution for detecting IP asset threats and vulnerabilities by integrating data and tools. IP data from Criminal IP will be fed directly into Tenable Vulnerability Management, enabling thorough aggregation of asset information for threat mitigation. The integration allows the import of detailed IP asset data, such as network subnets and connected domains, into Tenable for in-depth analysis. Tenable users can run real-time scans to assess and address the severity of vulnerabilities on their assets using the integrated features. The collaboration between AI SPERA and Tenable includes joint marketing initiatives and aims to improve cybersecurity strategies for shared customers. Criminal IP has established various technical and business partnerships and offers its users an attack surface management solution with dashboard access to monitored assets. The partnership's key benefits include streamlined vulnerability assessment, leveraging the joint capabilities of both platforms to proactively manage cyber threats. | Details |
| 2024-01-09 14:52:14 | bleepingcomputer | MISCELLANEOUS | Firefox on Android Displays Blank Page for Google Search | Firefox for Android users encounter a blank page when attempting to access Google Search. The issue is consistent across multiple versions of Firefox Mobile, including Nightly builds, and affects various localized versions of Google. The problem does not appear on Chrome for Android, indicating that this is a Firefox-specific bug. Mozilla engineer Dennis Schubert attributes the issue to server-side User-Agent sniffing by Google's web servers, which serve an empty document to affected Firefox versions. Disabling Enhanced Tracking Protection in Firefox does not resolve the issue, suggesting a deeper compatibility problem. While the critical bug has been escalated for resolution, no fix was available at the time of reporting. Temporary workarounds for affected users include using alternative browsers or search engines, tweaking the user agent string, or forcing desktop site requests. | Details |
| 2024-01-09 14:00:54 | thehackernews | CYBERCRIME | Turkish Hackers Attack Global MS SQL Servers to Sell Access or Deploy Ransomware | Turkish threat actors are exploiting poorly secured Microsoft SQL servers in the U.S., EU, and LATAM, potentially leading to the sale of server access or ransomware attacks. The cyberattack campaign, named RE#TURGENCE, employs brute-force methods and uses the xp_cmdshell option for initial access. These attacks mirror a previous campaign, DB#JAMMER, and involve the retrieval of a PowerShell script that delivers an obfuscated Cobalt Strike beacon payload. Attackers use AnyDesk, Mimikatz, and Advanced Port Scanner for system access, credential harvesting, and reconnaissance, followed by lateral movement with PsExec. The RE#TURGENCE campaign's end goal includes deploying Mimic ransomware, with operational security errors revealing the hackers' Turkish origins. Researchers urge organizations not to expose critical servers directly to the internet, to prevent such brute-force attacks and unauthorized access. | Details |