Daily Brief


Total articles found: 11758

Checks for new stories every ~15 minutes

2023-12-27 17:47:05 bleepingcomputer DATA BREACH LoanCare Alerts Over 1.3 Million Customers of Major Data Breach
Mortgage servicing firm LoanCare has announced a data breach affecting 1.3 million individuals due to a cyberattack at Fidelity National Financial, its parent company. Fidelity National Financial, a significant title insurance provider, disclosed the breach in an SEC filing, prompting LoanCare to inform authorities and affected customers. Unauthorized access was detected around November 19, 2023, leading to the theft of sensitive customer information that could be exploited for malicious activities such as phishing. The exposed data includes personal details that can significantly increase risks of identity theft and financial fraud for impacted individuals. LoanCare has offered a two-year identity monitoring service through Kroll to help customers monitor and protect their personal information post-breach. A similar cyberattack was reported by First American Financial Corporation, another title insurance company, which is still in the process of system restoration without clear timelines for returning to regular operations. Customers of LoanCare are advised to be vigilant against unsolicited communications that may attempt to use the stolen information.
2023-12-27 17:31:34 bleepingcomputer DATA BREACH Panasonic Avionics Reports Data Breach Affecting Sensitive Personal Information
Panasonic Avionics Corporation experienced a data breach following a December 2022 cyberattack, compromising undisclosed personal information. The breach was detected on December 30, 2022, with unauthorized access occurring around December 14, 2022. Cybersecurity and forensics experts were engaged to investigate the extent of the incident and the data affected. Exposed information includes names, contact details, dates of birth, medical and health insurance information, financial account numbers, employment status, and government identifiers such as Social Security numbers. There is currently no evidence that the data has been misused, yet free identity and credit monitoring services are offered to all impacted individuals for 24 months. Whether Panasonic's employees, customers, or business partners are affected remains unclear.
2023-12-27 15:59:21 bleepingcomputer MALWARE Extensive 'Xamalicious' Malware Attack Infects Over 330K Android Devices
Previously undiscovered Android malware, 'Xamalicious,' has infected around 338,300 devices through Google Play. McAfee identified 14 apps with the malware on the official store, with three apps reaching over 100,000 installs each. The malicious apps have been removed, but users who downloaded them could still be infected and require manual device cleanup. Infection rates were highest among users in the United States, Germany, Spain, and several other countries. Xamalicious can access the Android Accessibility Service to perform advanced actions and downloads additional payloads for execution. There is potential evidence linking Xamalicious to ad fraud activities, like in the case of the 'Cash Magnet' app. The incident underscores the importance of downloading apps only from trusted sources and conducting due diligence on app reviews and developers to avoid malware infections.
2023-12-27 15:48:47 thehackernews CYBERCRIME Zero-Day Flaw in Apache OFBiz ERP Risks Business Data Exposure
A zero-day vulnerability, CVE-2023-51467, has been identified in the Apache OFBiz ERP software, leaving businesses vulnerable. The flaw allows attackers to bypass authentication because of an improper fix for a previous high-severity vulnerability, CVE-2023-49070. The issue stems from the handling of authentication with empty username and password fields, combined with a particular URL parameter setting. Attackers can exploit the zero-day to achieve Server-Side Request Forgery (SSRF), gaining unauthorized access to internal resources. The vulnerability originated in an incomplete patch to a deprecated XML-RPC component in Apache OFBiz. SonicWall researchers are urging users to upgrade to Apache OFBiz version 18.12.11 or later to address the security risk. There is added urgency to address the flaw because of the high privileges an attacker could acquire through its exploitation.
2023-12-27 14:16:28 bleepingcomputer NATION STATE ACTIVITY Undisclosed iPhone Chip Features Used in Sophisticated Spyware Attacks
A spyware campaign named Operation Triangulation targeted iPhones using four zero-day vulnerabilities to bypass hardware security protections. Kaspersky analysts uncovered that the campaign exploited undocumented Apple chip features, suggesting the involvement of a highly sophisticated actor. The exploit chain required no user interaction and left no obvious traces, using a malicious iMessage attachment to begin the attack. Russia's FSB accused Apple of providing a backdoor for the NSA to spy on Russian government officials, but there is no evidence to support this claim. Apple patched two of the vulnerabilities in question with its iOS/iPadOS 16.5.1 and 15.7.7 updates and addressed another critical flaw with the iOS/iPadOS 16.6 release. The most crucial vulnerability exploited a feature tied to the iPhone's GPU co-processor that was not intended for consumer use, allowing attackers to bypass memory protection. Kaspersky theorizes the undocumented feature could be a holdover from testing or a mistake, emphasizing the security risks of relying on obscurity in hardware design. How the attackers learned of the obscure hardware feature, and who they are, remains unknown despite Apple's remediation efforts.
2023-12-27 12:38:40 thehackernews NATION STATE ACTIVITY Chinese Hackers Target Barracuda ESG Appliances with Zero-Day Exploit
Chinese threat actors used a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances to install backdoors on select systems. The flaw, tracked as CVE-2023-7102, permits arbitrary code execution via a third-party library used by the Amavis scanner. The adversary, UNC4841, was also linked to previous exploitation of another zero-day in Barracuda devices. Attackers used malicious Microsoft Excel email attachments to exploit the vulnerability and deploy persistence-capable malware variants, SEASPY and SALTWATER. Barracuda has released and automatically applied a security update, with an additional patch for affected appliances, requiring no extra customer actions. The original vulnerability in the third-party library remains unpatched, posing a risk that requires downstream user attention. Mandiant has found evidence of impacted private and public sector organizations in at least 16 countries since October 2022. The persistent adaptability of UNC4841 showcases the group's focus on maintaining access to high-value targets by exploiting new security gaps.
2023-12-27 11:52:21 bleepingcomputer NATION STATE ACTIVITY Barracuda Repairs Zero-Day Exploited by Chinese Cyber-Espionage Group
Barracuda Networks remotely patched a zero-day vulnerability affecting Email Security Gateway appliances, targeted by the Chinese hacker group UNC4841. The vulnerability, tracked as CVE-2023-7102, results from a flaw in the Spreadsheet::ParseExcel library used by the Amavis virus scanner in the company's appliances. Attackers executed arbitrary code on unpatched devices by exploiting this flaw through parameter injection. A second set of security updates was deployed to tackle the SeaSpy and Saltwater malware found on compromised ESG appliances. The identifier CVE-2023-7101 was assigned to track the associated bug within the third-party library, which is yet to be patched. Barracuda's investigation into the breach is ongoing, in collaboration with security firm Mandiant, and points to the activities of the UNC4841 hacker group, suspected of espionage. The espionage campaign had been operational since at least October 2022, leading to targeted data exfiltration from government and high-tech sectors. Barracuda advised customers to replace all compromised appliances after a similar attack in May, and currently serves over 200,000 organizations globally.
2023-12-27 09:14:00 bleepingcomputer CYBERCRIME Yakult Australia Hit by Cybercrime Group with Massive Data Leak
Yakult Australia has confirmed a "cyber incident" after 95 GB of company data was leaked by a cybercrime group named DragonForce. The incident has affected both Australian and New Zealand IT systems, though the offices continue to operate. The cybercrime actor claiming responsibility for the attack, DragonForce, alleges the leaked data includes databases, contracts, passports, and more. The leak site operated by the group suggests they engage in extortion by threatening to release stolen data if their demands are not met. Yakult Australia is currently investigating the breach with the help of cybersecurity experts but has not confirmed the full extent of the incident. BleepingComputer's analysis of the data indicates that it contains business documents and records, including employee information and copies of identity documents. DragonForce has listed 20 victims on its leak site so far, but there is no confirmed connection between this group and the hacktivist group DragonForce Malaysia.
2023-12-27 08:27:56 thehackernews MALWARE Over 327,000 Devices Infected by Xamalicious Android Malware
A new Android backdoor, Xamalicious, developed using the Xamarin framework, has infected over 327,000 devices with a range of malicious activities. The malware leverages Android's accessibility permissions, gathering device metadata and downloading a second-stage payload to control the infected device. McAfee's Mobile Research Team identified 25 malicious apps, some distributed via the Google Play Store, with the majority of infections in Brazil, Argentina, the UK, the US, and parts of Europe and the Americas. The communication between the malware and its command-and-control server is heavily encrypted, making detection and analysis difficult. The Xamalicious dropper can self-update, potentially transforming the malware into spyware or a banking trojan without user intervention. There is an association between Xamalicious and the ad-fraud app Cash Magnet, which generates illicit revenue through automated ad-clicking. A separate phishing campaign in India uses social messaging apps to distribute rogue banking apps, posing a significant threat to the country's digital banking users.
2023-12-27 05:34:30 thehackernews CYBERCRIME Linux SSH Servers Targeted for Cryptomining and DDoS Attacks
Attackers are compromising Linux SSH servers for cryptocurrency mining and DDoS attacks, with the potential for breached data to be sold on the dark web. Vulnerable servers are identified through dictionary attacks, which attempt to guess SSH credentials using common username and password combinations. Successful intrusions lead to the installation of port scanners and additional malware to extend the attack to other susceptible systems. The malware scans for systems with an open port 22, indicative of an SSH service, and uses dictionary attacks to propagate the infection further. The PRG old Team is believed to have created these malicious tools, which attackers then modify slightly for their own use. System administrators are advised to use complex passwords, change passwords regularly, and keep systems updated to reduce the risk of attack. Kaspersky reports on the emergence of NKAbuse, a multi-platform threat that uses the NKN protocol for P2P communication in orchestrating DDoS attacks.
2023-12-26 21:05:02 bleepingcomputer MISCELLANEOUS GitHub Mandates Two-Factor Authentication by January 2024
GitHub has announced that all users contributing code must enable two-factor authentication (2FA) by January 19th, 2024, to continue having full access to the platform. Users not enrolled in 2FA by the deadline will experience limited functionality on GitHub.com, but business and enterprise accounts are exempt from this requirement. The initiative is part of GitHub's efforts to protect accounts from breaches and mitigate potential supply chain attacks by enhancing account security. After the deadline, users without 2FA will be prompted to complete the setup process to regain full access to their accounts. GitHub supports multiple 2FA methods, including security keys, the GitHub Mobile app, authenticator apps, and SMS text messages, and recommends enrolling at least two methods for added security. Users who lose their 2FA credentials may face difficulties in account recovery and are advised to keep their recovery codes as a last resort for account access.
2023-12-26 20:08:40 bleepingcomputer CYBERCRIME Integris Health Patients Targeted in Extortion Scam After Data Breach
Integris Health, Oklahoma's largest not-for-profit healthcare network, confirmed a cyberattack resulting in the theft of patient data. Affected patients received emails demanding payment to prevent the sale of their stolen personal data to other threat actors. Integris Health discovered the breach on November 28, 2023, after detecting potential unauthorized access to its systems. Patients reported that the extortion emails included accurate personal information, suggesting the theft of over 2 million patients' data. The blackmailers operate a dark web site allowing data removal for $50 or viewing of information for $3, showcasing data from October to December 2023. Integris Health advises patients not to engage with the extortion emails and has updated its security notice accordingly. The incident mirrors a similar extortion email strategy used against Fred Hutchinson Cancer Center patients by the Hunters International ransomware gang. Payment of ransom is discouraged as it does not guarantee data removal and may lead to further extortion attempts.
2023-12-26 07:35:53 thehackernews MALWARE Carbanak Malware Evolves to Launch Ransomware Attacks
The Carbanak banking malware has been updated to perform ransomware attacks, adopting new tactics and distribution methods. Compromised websites are being used to spread malicious versions of legitimate business software like HubSpot, Veeam, and Xero. Carbanak, linked to the cybercrime group FIN7, originally focused on data theft and system control but has now diversified into ransomware deployment. A spike in ransomware attacks was observed in November 2023, with 442 incidents reported, bringing the year's total to 4,276, close to the combined total for 2021 and 2022. The most affected sectors are industrials, consumer cyclicals, and healthcare, predominantly in North America, Europe, and Asia. While the notorious BlackCat ransomware operation was dismantled by authorities, it's yet unknown how this will affect future cyberattack patterns. The ransomware ecosystem has shifted away from reliance on the now-disrupted QBot, incorporating alternative malware and vulnerabilities into their operations. Cybersecurity company Kaspersky highlighted that some ransomware operators are exploiting several Windows driver vulnerabilities for privilege escalation.
2023-12-25 18:32:35 bleepingcomputer CYBERCRIME Google Enhances Chrome's Safety Check for Passwords and Extensions
Google's Chrome Safety Check feature now operates in the background, checking for compromised passwords. Desktop users will be alerted to dangerous extensions, outdated Chrome versions, and whether Safe Browsing is enabled. The automatic Safety Check will revoke permissions for unused websites and flag sites with too many notifications. Safety Check, introduced in December 2020, screens login credentials against data leaks and identifies weak passwords. An upcoming Chrome update will allow users to save tab groups and continue browsing sessions across desktop devices. Chrome's Memory Saver mode provides detailed information on tab memory usage, with options to keep specific sites always active. All Chrome users now benefit from automatic HTTP to HTTPS upgrades, improving overall internet security. Google's Safe Browsing feature now includes real-time phishing protection using a local list of malicious URLs.
2023-12-25 18:32:35 bleepingcomputer CYBERCRIME GTA 5 Source Code Leaked After Last Year's Rockstar Hack
The source code for Grand Theft Auto 5 was reportedly leaked online on Christmas Eve. This event follows over a year after Rockstar Games was hacked by Lapsus$ threat actors. The stolen source code was shared across multiple platforms, including Discord and a dark web site, with links posted by 'Phil' in a Telegram channel previously used by hackers. The post paid tribute to Lapsus$ hacker Arion Kurtaj, who had a role in previous GTA leaks and was recently sentenced to indefinite hospitalization. The original hack in 2022 compromised Rockstar's internal Slack server and Confluence wiki, leading to claims of stolen GTA 5 and 6 data. The motivation behind the early leak, according to the leaker, was to address scams in the GTA V modding scene. The authenticity of the leaked source code appears legitimate but has not been independently verified, as Rockstar did not respond to queries during the holiday period. The Lapsus$ group, known for their expert social engineering and SIM swapping attacks, faded in activity after arrests but some members may now be part of another hacking collective, Scattered Spider.