Daily Brief

Total articles found: 11755

2023-12-13 00:45:36 theregister CYBERCRIME Tech Giants Issue Critical Updates Following Vulnerability Exploits
Apple released patches for two critical WebKit vulnerabilities that may have been exploited in malicious activities. Microsoft patched over 30 flaws in its final 2023 update, including critical remote code execution and spoofing vulnerabilities; one spoofing bug affecting Microsoft Power Platform and Azure Logic Apps is rated CVSS 9.6. Adobe's substantial update addressed 212 vulnerabilities, 185 of them cross-site scripting flaws in Experience Manager that allow arbitrary code execution and security feature bypass. Google updated Android to fix 85 vulnerabilities, three of which were Qualcomm component flaws under targeted exploitation. SAP released critical patches for a privilege escalation vulnerability in its Business Technology Platform, underlining its severity with a separate blog post. Atlassian, Cisco, and Apache Struts all disclosed high-severity vulnerabilities, with Cisco investigating whether a disclosed Apache Struts remote code execution vulnerability affects its products. VMware and FortiGuard addressed a moderate-severity privilege escalation flaw and a high-severity code execution vulnerability, respectively, rounding off a significant industry-wide patch rollout.
2023-12-12 23:54:39 bleepingcomputer CYBERCRIME OAuth Exploitation Leads to BEC Scams and Unauthorized Cryptomining
Threat actors are misusing Microsoft OAuth applications to automate phishing, execute BEC attacks, and deploy cryptomining VMs. OAuth applications, which are meant to grant controlled access to server resources, are being abused because the user accounts that control them lack basic protections such as multi-factor authentication. Compromised accounts with permission to modify OAuth apps are used to grant high privileges to malicious applications, giving attackers persistent access. Attackers leverage these apps for various malicious activities, with reported financial damages ranging from $10,000 to $1.5 million. Microsoft tracked and dismantled a campaign with 17,000 malicious OAuth apps that sent over 927,000 phishing emails. Threat actors also used password spraying to compromise accounts, supporting persistent spam campaigns. Microsoft recommends enforcing MFA and conditional access policies, among other security measures, to protect against these types of attacks.
2023-12-12 20:41:08 bleepingcomputer NATION STATE ACTIVITY Ukrainian Military Intelligence Claims Hack on Russian Tax Agency
The Ukrainian military intelligence service asserts that it has successfully hacked the Russian Federal Taxation Service (FNS), erasing the agency's central database and backups. The cyberattack reportedly spread malware across both the central servers operated by the FNS and 2,300 regional servers, including those in occupied Ukrainian territories. This offensive compromised a Russian IT firm that services the FNS, leading to a loss of essential configuration files and causing a severe system collapse. The GUR (Main Directorate of Intelligence of Ukraine) suggests that the tax system outage in Russia might last for a month or more, with full recovery unlikely. Official Ukrainian claims of cyber operations emphasize the increasing use of cyber warfare in the conflict, marking this as the second publicized attack following a previous breach of Russia's Federal Air Transport Agency. On the Ukrainian side, Kyivstar, the country's largest telecom provider, experienced a significant cyberattack, affecting 25 million subscribers and disrupting internet, air raid alerts, and banking services.
2023-12-12 19:44:39 theregister CYBERCRIME Ex-Engineer Sentenced for Damaging Bank's Network Post-Firing
Miklos Daniel Brody, a former First Republic Bank cloud engineer, was sentenced to two years in prison for intentionally damaging the bank's computer network, in violation of the Computer Fraud and Abuse Act. Brody caused over $220,000 in damages and was ordered to pay $529,266.37 in restitution, in addition to serving a three-year supervised release after imprisonment. Fired for a company policy violation on March 11, 2020, Brody later used his still-valid access to deploy malware and delete critical data from the bank's systems. His post-termination activities included impersonating a colleague, damaging IT infrastructure, and emailing proprietary code to himself. The bank faced significant disruption, including locked-out users and deleted code repositories. Following his dismissal, Brody made several false claims, including a falsified police report stating that his company laptop had been stolen, and lied to US Secret Service agents. The incident highlights the importance of revoking employee access promptly upon termination to prevent retaliation and secure company assets.
2023-12-12 19:03:37 bleepingcomputer CYBERCRIME Microsoft Rolls Out Fixes for 34 Vulnerabilities Including One Zero-Day
Microsoft's December 2023 Patch Tuesday addressed 34 security issues, among them a previously disclosed but unpatched AMD CPU zero-day vulnerability. Although eight remote code execution (RCE) bugs were fixed, only three received a critical rating from Microsoft. The release included fixes for four critical flaws, impacting Power Platform, Internet Connection Sharing, and the Windows MSHTML Platform. The zero-day, tracked as CVE-2023-20588 (AMD Speculative Leaks), is a division-by-zero error in selected AMD processors that poses a risk of leaking sensitive data. AMD's stance was to advise adherence to software development best practices, deeming the threat low because local access is required to exploit it. Alongside Microsoft's updates, other companies have also issued updates or advisories for December 2023. In-depth details of each vulnerability resolved in the December Patch Tuesday update are available in the full report.
2023-12-12 18:12:01 thehackernews DATA BREACH EHRs Targeted: Healthcare Industry's Data Breach Dilemma
Electronic Health Records (EHRs) are a highly valued commodity on the dark web, fetching up to $1,000 each because the personal data they contain cannot be revoked or replaced. The healthcare sector has faced the highest average cost per breach for 12 years, with figures exceeding $10 million, outstripping the financial industry's average. Hacking or IT incidents reported to the US Department of Health & Human Services by the healthcare sector more than tripled from 2018 to 2022. Ransomware attacks exploit the essential nature of healthcare services, and the industry's expanding use of digital systems makes it an attractive target. Healthcare organizations must adopt an attacker's mindset to protect sensitive data, focusing on asset inventory and monitoring their attack surface. The leaking of 10 million secrets on GitHub in 2022 points to the widespread problem of exposed credentials, which can lead to significant breaches of healthcare systems. Continuous vigilance and proactive measures such as GitHub attack surface audits and the deployment of honeytokens are recommended to improve security posture. As the sector continues to digitize, maintaining robust cybersecurity practices and fostering a culture of security awareness are crucial for safeguarding patient data.
2023-12-12 18:01:36 theregister DATA BREACH Airman’s Discord Leak Exposes Military Cybersecurity Lapses
Air National Guardsman Airman 1st Class Jack Teixeira leaked top-secret US military documents on a Discord server, prompting an Air Force investigation. Despite clear warning signs, Teixeira's chain of command failed to take adequate action, with incidents occurring as early as February 2022. Teixeira had access to the Top Secret-Sensitive Compartmented Information (TS-SCI) platform through his role in the 102nd Intelligence Wing. Multiple incidents in which Teixeira displayed suspicious behavior were either not documented properly or not reported to security officials. Leadership failures and systemic issues within the unit, such as inadequate supervision and a lack of permission controls, contributed to the security oversight. Fifteen Air National Guard leaders have faced disciplinary action, with some permanently removed from their positions, and reforms have been instituted to prevent future breaches.
2023-12-12 17:30:46 bleepingcomputer CYBERCRIME Sophos Implements Urgent Fix for Unsupported Firewalls After Attacks
Sophos has backported a security update to fix the actively exploited vulnerability CVE-2022-3236 in end-of-life firewall firmware versions. The remote code execution flaw exists in the User Portal and Webadmin of Sophos Firewall and was initially addressed in September 2022 for supported versions. Over 4,000 internet-visible appliances were still vulnerable in January 2023 because they ran outdated firmware that did not automatically receive updates. Attackers targeted these unsupported and unpatched devices, prompting Sophos to release a backported patch in December 2023 for certain EOL firmware versions. Sophos automatically applied the patch to 99% of affected organizations that had the "accept hotfix" option enabled. Organizations with auto-update disabled are advised to apply the hotfix manually or upgrade to a newer firewall version. Where upgrades are not possible, Sophos recommends restricting WAN access to the User Portal and Webadmin and managing the device via VPN or Sophos Central instead.
2023-12-12 15:48:29 bleepingcomputer CYBERCRIME Kyivstar, Ukraine's Top Mobile Carrier, Crippled by Cyberattack
Ukraine's leading mobile operator Kyivstar has sustained a cyberattack impacting its mobile and internet services for over 25 million subscribers. The company's official website went offline; however, Kyivstar kept subscribers updated on the situation via social media. The Security Service of Ukraine (SSU) is conducting an investigation into the matter, which has led to criminal proceedings under various articles of the Ukrainian criminal code. NetBlocks confirmed a significant drop in Kyivstar's internet traffic following the attack, indicating a loss of service. Kyivstar has reassured customers that no personal data was compromised and promises compensation for the inconvenience. The incident is suspected to be the work of Russian hackers due to the ongoing conflict, though no confirmation has been made. Alternative mobile services are being offered by Vodafone Ukraine, and free internal roaming allows users to connect to other networks during outages. The Ukrainian Interior Minister has ensured that emergency services remain reachable, and individuals can contact relatives through local police or fire stations during the outage.
2023-12-12 15:07:24 bleepingcomputer CYBERCRIME Cloud Engineer Sentenced for Retaliatory Code Deletion at Former Employer
Miklos Daniel Brody, a former cloud engineer, received a two-year prison sentence and was ordered to pay $529,000 for deleting code repositories from his former employer's network. The criminal act was in response to Brody's termination from First Republic Bank (FRB), a major U.S. bank since acquired by JPMorgan Chase. Brody's employment at FRB ended after a policy violation involving connecting a USB drive with inappropriate content to company computers. After being fired, Brody used his still-active credentials to access FRB's systems, where he deleted code, ran a script to erase logs, left taunting messages, and impersonated other employees. He also emailed proprietary bank code, valued at over $5,000, to himself and continued to lie about the whereabouts of his FRB-issued laptop, which he claimed had been stolen. Brody's unauthorized actions resulted in damages exceeding $220,000, and he was eventually apprehended by U.S. Secret Service agents. Following his guilty plea to charges under the Computer Fraud and Abuse Act and to lying to law enforcement, Brody will also serve three years of supervised release after imprisonment.
2023-12-12 14:55:22 thehackernews NATION STATE ACTIVITY Russian APT28 Conducts Targeted Cyber Espionage in 13 Countries
Russian state-backed threat actor APT28 has been targeting entities across 13 nations in a focused cyber espionage campaign. The actor employs a custom backdoor known as HeadLace and exploits current geopolitical tensions as lures. The attacks use legitimate documents from academic, financial, and diplomatic organizations to ensure the malware reaches specific targets. A recently identified WinRAR vulnerability, CVE-2023-38831, is being exploited to deliver the HeadLace backdoor. Phishing campaigns employ decoy documents relating to major international bodies such as the United Nations and the European Parliament. Microsoft and other cybersecurity firms have documented APT28's use of severe Outlook vulnerabilities to infiltrate Exchange servers. The recent shift to policy-related documents indicates an increased focus on influencing, and gaining insight into, foreign policy and humanitarian aid decisions. Concurrently, CERT-UA has reported a substantial phishing operation against Ukraine and Poland, attributed to a separate actor, that uses the Remcos RAT and Meduza Stealer malware.
2023-12-12 14:02:13 bleepingcomputer CYBERCRIME Over 1,450 pfSense Servers At Risk Due to Unpatched Vulnerabilities
Roughly 1,450 online instances of the pfSense firewall and router software are vulnerable to a bug chain enabling remote code execution (RCE). The vulnerabilities affect pfSense 2.7.0 and older and pfSense Plus 23.05.01 and older, and are tracked as CVE-2023-42325 and CVE-2023-42327 (both XSS) and CVE-2023-42326 (command injection). The most serious of these flaws (CVSS score 8.8) allows command execution with root privileges because of missing input validation in the web UI. An attacker would need to chain the vulnerabilities, using the XSS to hijack an authenticated user's session and obtain the permissions needed to trigger the command injection. Although Netgate released updates addressing these issues in November, a large number of devices have not applied them and remain exposed. The widespread use of pfSense in large enterprises amplifies the risk, as exploitation could lead to data breaches and lateral movement within networks.
2023-12-12 13:51:45 theregister DATA BREACH Northern Ireland Police Grapple with Consequences of Major Data Breach
An internal review has disclosed the extensive impact of the Police Service of Northern Ireland's (PSNI) August data breach, which affected 9,483 officers. Described as UK policing's most significant breach, the leaked identities of PSNI officers heightened safety fears, prompting relocations and requests for name changes. The breach's effects include more than 50 reported sickness absences due to stress, a strong resolve among many officers to continue their duties, and substantial operational costs estimated at between £24 million and £37 million. Audits have revealed shortcomings in the PSNI's approach to data protection, with insufficient progress on implementing the Data Protection Act 2018. Recommendations stress the need for robust information management and security, the appointment of a dedicated data protection officer (DPO), and an embedded data protection impact assessment (DPIA) process. The PSNI has acknowledged the systemic nature of the breach and has begun to implement changes, elevating the Senior Information Risk Owner (SIRO) role to ensure high-level oversight of information security.
2023-12-12 11:29:10 thehackernews CYBERCRIME The Hidden Danger: Non-Human Access Exploits in Cyberattacks
Non-human access points, such as API keys, tokens, and service accounts, have become a significant weakness in cybersecurity and were behind numerous high-profile attacks in 2023. Unlike user credentials, non-human access often lacks basic security controls, leaving these identities ungoverned, over-permissive, and exposed to exploitation. Astrix Research indicates that a large share of access tokens and third-party app connections are unused or come from unvetted sources, increasing risk. Internal non-human credentials, or 'secrets,' are frequently misplaced or mismanaged by R&D teams, with a high percentage having no expiration or being misconfigured. GenAI tools and services such as ChatGPT have exacerbated these concerns because of their rapid adoption and the broad permissions they receive when connected to core business systems. Security strategies need to evolve to support cloud adoption and automation without compromising on the governance of non-human identities and their access paths. Firm security policies and automated enforcement tools are essential to mitigate the threat of non-human access abuse while maintaining operational efficiency and compliance.
2023-12-12 09:57:35 thehackernews MALWARE German IT Professionals Hit by MrAnon Malware Phishing Scam
A sophisticated phishing campaign is using booking-themed PDFs to deliver MrAnon Stealer, an information-stealing malware, primarily targeting German IT professionals. MrAnon Stealer extracts sensitive data such as credentials, system information, browser sessions, and cryptocurrency wallet extensions. The malicious PDFs trick victims into downloading a fake Adobe Flash update, which starts an infection chain built on .NET executables and PowerShell scripts. The malware's capabilities include harvesting data from messaging apps, VPN clients, and specific file types, then transmitting the stolen information to the attackers' Telegram channel and a public file-sharing service. The attackers have commoditized MrAnon Stealer for $500 a month, with add-ons such as a crypter and a loader to improve evasion. The shift from earlier Cstealer campaigns to MrAnon Stealer marks a pivot within the family of Python-based stealers, while phishing remains the predominant distribution method. The report also notes an unrelated cyber espionage operation by Mustang Panda, a China-associated group, which is targeting Taiwanese officials with spear-phishing to deploy a new variant of the PlugX backdoor.