Daily Brief

Articles are listed below with generated summaries

Total articles found: 12677

Checks for new stories every ~15 minutes

2024-02-15 18:57:30 bleepingcomputer MALWARE RansomHouse Enhances VMware ESXi Ransomware Attacks With MrAgent Tool
RansomHouse has developed 'MrAgent', a tool that automates the deployment of its ransomware across multiple VMware ESXi hypervisors at once. According to Trellix, which analyzed the tool, MrAgent can disable the hypervisor firewall, run the ransomware with a custom configuration, schedule encryption events, and change the hypervisor's welcome message. By hitting every accessible virtual machine simultaneously, it shortens the window for detection and administrative intervention and maximizes disruption to the victim. Trellix also found a Windows build of MrAgent, suggesting RansomHouse intends to use the tool for cross-platform attacks. Trellix notes that automated tooling of this kind heightens the risk to organizations and underlines the need for strong defenses around hypervisor infrastructure.
2024-02-15 18:57:30 bleepingcomputer CYBERCRIME U.S. Offers $15M Bounty for Information on ALPHV Ransomware Leaders
The U.S. State Department is offering a reward of up to $10 million for information identifying or locating leaders of the ALPHV (BlackCat) ransomware gang, plus up to $5 million for information on individuals participating in ALPHV attacks. The FBI attributed more than 60 breaches worldwide to ALPHV in the group's first four months of operation, and as of September 2023 estimated that it had collected roughly $300 million in ransoms from more than 1,000 victims. The rewards are offered under the Transnational Organized Crime Rewards Program (TOCRP), which has paid out more than $135 million since 1986. Tips can be submitted through a Tor-based SecureDrop server, protecting the anonymity of informants. ALPHV is widely regarded as the successor to the DarkSide and BlackMatter ransomware operations; DarkSide was responsible for the 2021 Colonial Pipeline attack. The U.S. government has previously offered similar bounties for information on members of the Hive, Clop, Conti, REvil, and DarkSide gangs.
2024-02-15 18:01:25 bleepingcomputer NATION STATE ACTIVITY FBI Neutralizes GRU-Controlled Moobot Botnet Targeting Global Entities
The FBI has disrupted Moobot, a botnet of Ubiquiti EdgeOS routers that Russia's GRU had taken over to support cyber-espionage. GRU Military Unit 26165, better known as APT28 or Fancy Bear, hijacked the botnet after non-state cybercriminals had originally built it by infecting routers still using default administrator passwords, and used it for spearphishing and credential-theft operations against U.S. and allied governments, militaries, and other targets. In a court-authorized operation, agents deleted the stolen data and malicious files from the routers and changed their firewall rules to block remote management access, preventing the GRU from reinfecting them. The FBI says the operation neither disrupted the routers' normal functions nor collected user content. Owners of affected routers are advised to perform a factory reset, update the firmware, and change the default credentials to avoid recompromise. APT28 is known for high-profile intrusions including the 2015 hack of the German Bundestag and the 2016 breaches of the DCCC and DNC.
2024-02-15 16:55:07 theregister MISCELLANEOUS Securing AI Deployments: Strategies for Reducing Risks
Training, validating, and deploying AI models has become fast and cheap, and that speed introduces security risk: malicious actors use AI to sharpen their attacks and probe for ways around defenses, and the rush to adopt new, lightly tested AI tooling exposes organizations to vulnerabilities that are not yet well understood. Cloudflare, which protects several widely used AI applications, is sharing what it has learned about defending businesses against AI-related threats. In a webinar on 22 February, The Register's Tim Phillips will be joined by John Engates, Field CTO at Cloudflare, to discuss how consuming and deploying AI enlarges the attack surface, the tools, techniques, and services that can reduce AI-related vulnerabilities, and practical steps for securing AI operations. Executives and practitioners involved in AI initiatives can sign up via the link in the article to receive a reminder.
2024-02-15 15:58:42 bleepingcomputer NATION STATE ACTIVITY OpenAI Bans State-Sponsored Hackers from Exploiting ChatGPT
OpenAI has terminated accounts belonging to state-backed threat groups from Iran, North Korea, China, and Russia that were abusing ChatGPT, acting on intelligence from Microsoft's Threat Intelligence team. The groups used the service for reconnaissance on targets and security tools, scripting assistance, drafting social-engineering content, and researching ways to evade detection. While AI tools are increasingly used for phishing and social engineering, neither company found direct evidence of the models being used to write malware or build sophisticated attack tooling. The UK's NCSC assessed in January that AI will almost certainly increase the volume and impact of cyber attacks over the next two years, and that by 2025 capable state actors are likely to be using it to develop more advanced malware. OpenAI says it uses dedicated monitoring to detect and disrupt misuse by sophisticated actors, shares information with industry partners, and will use these incidents to harden its safeguards against future malicious activity at scale.
2024-02-15 15:32:20 theregister MALWARE Zoom Rolls Out Fixes for Critical Security Vulnerabilities
Zoom has disclosed a series of security vulnerabilities, led by CVE-2024-24691, a critical improper-input-validation flaw rated CVSS 9.6 that could let an unauthenticated attacker with network access escalate privileges. It affects the Zoom Desktop Client, VDI Client, Meeting SDK, and Rooms Client for Windows, and Zoom urges customers to update to the latest versions. The flaws were found by Zoom's own Offensive Security team, and no in-the-wild exploitation has been reported. The remaining fixes cover denial-of-service, information-disclosure, and medium-severity issues; among them, CVE-2024-24697, a high-severity untrusted-search-path bug in some 32-bit Windows clients, allows an authenticated attacker with local access to escalate privileges. Every Zoom desktop and mobile app and several other clients are affected by at least one of the advisories, so administrators should review the bulletins for the specific fixed versions.
2024-02-15 15:32:19 bleepingcomputer CYBERCRIME Thousands of Ivanti Gateways Exposed to Critical Security Vulnerabilities
More than 13,000 Ivanti Connect Secure and Policy Secure gateways remain unpatched against a set of high- and critical-severity vulnerabilities first disclosed more than a month ago, several of which have already been exploited by nation-state actors. The flaws include an authentication bypass (CVE-2023-46805), a command-injection bug (CVE-2024-21887), a privilege-escalation issue (CVE-2024-21888), an SSRF in the SAML component (CVE-2024-21893), and a more recent XXE in the same SAML component (CVE-2024-22024) that allows unauthenticated access to restricted resources. Scan data as of February 15, 2024 shows over 13,000 servers still vulnerable to CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887, and more than 3,900 endpoints vulnerable to CVE-2024-22024, most of them in the United States. The global patching rate for CVE-2024-22024, the most recently disclosed of the flaws, stands at just 21.1%, leaving 19,132 servers at risk. Because Ivanti released the patches in stages over several weeks, some administrators may still be working through them, but systems left unpatched remain exposed to active exploitation for as long as the gap persists.
2024-02-15 15:11:39 thehackernews NATION STATE ACTIVITY Russian Turla Hackers Deploy New Backdoor in Polish NGO Espionage
Russia-linked Turla has been running a campaign against Polish non-governmental organizations using a new backdoor variant dubbed TinyTurla-NG. The intrusions lasted more than three months, starting in December 2023, although compilation timestamps suggest the malware was built as early as November 2023. TinyTurla-NG is a 'last chance' backdoor, left on compromised systems to be used when the group's other access mechanisms have been detected or removed. It communicates with command-and-control servers hosted on compromised WordPress sites, executes commands, uploads and downloads files, and delivers scripts that exfiltrate sensitive data. Turla's recent activity has concentrated on the defense sector in Ukraine and Eastern Europe, using tools such as the DeliveryCheck backdoor and the Kazuar implant. The disclosure coincides with reports that several nation-state groups are experimenting with generative AI tools in support of espionage and cyber operations.
2024-02-15 15:06:13 bleepingcomputer MISCELLANEOUS Why Automated Scanners Need Human Expertise for Full Security
Automated vulnerability scanners are essential, but they miss classes of application-security flaws that require an understanding of context and business logic. Logic flaws and business-rule bypasses are routinely overlooked because a scanner cannot reason about what an application is supposed to do, and scanner coverage is uneven, so vulnerabilities in less visible features tend to be underestimated. False positives and generic severity ratings leave teams without the nuanced risk picture needed to prioritize remediation, and advanced techniques such as zero-day exploits and obfuscated payloads frequently evade automated detection altogether. Manual penetration testing fills these gaps by bringing an attacker's understanding of the specific application and running attack simulations that mirror real-world threats. Combining automated scanning with manual testing yields a stronger security posture than either alone, catching vulnerabilities automated tools would miss; Outpost24 positions its Pen Testing-as-a-Service (PTaaS) as a way to deliver continuous monitoring alongside expert manual testing.
2024-02-15 15:00:46 bleepingcomputer CYBERCRIME Turla Hackers Implement TinyTurla-NG Backdoor in NGO Cyberespionage
Turla, a Russian state hacker group linked to the FSB, has been using a new backdoor, TinyTurla-NG, to maintain access to NGO networks and steal data. The group compromised vulnerable WordPress sites and used them as command-and-control infrastructure to control the malware and receive stolen information. Cisco Talos discovered TinyTurla-NG while investigating an intrusion at a Polish NGO that supports Ukraine, pointing to an espionage motive. The backdoor provides persistent access to compromised systems, executing operator commands relayed through the infected WordPress sites, and deploys TurlaPower-NG PowerShell scripts that harvest key material used to protect the password databases of popular password-management software. Talos identified several TinyTurla-NG variants, with activity dating back to at least November 2023. Although its code differs in places from earlier TinyTurla builds, the new backdoor shares their traits and purpose, and Talos has published indicators of compromise to aid detection and defense.
2024-02-15 14:50:20 bleepingcomputer CYBERCRIME Turla Hackers Launch Sophisticated Malware Targeting NGOs
Russian hacking group Turla has used a new malware variant, TinyTurla-NG, to target non-governmental organizations (NGOs) and keep a foothold in their networks. Compromised WordPress sites served as command-and-control (C2) infrastructure, hosting malicious scripts and receiving exfiltrated data. Cisco Talos uncovered the campaign while assisting a Polish NGO that supports Ukraine and traced the intrusion back to at least December 2023. TinyTurla-NG acts as a 'last chance' backdoor, preserving access even after other entry points have been detected and closed. Through it the attackers run TurlaPower-NG PowerShell scripts that collect key material protecting password-manager databases along with other sensitive files, deliberately skipping files such as .MP4 videos during collection. At least three variants of the backdoor exist, the campaign may have begun as early as November 2023, and Cisco Talos has published indicators of compromise.
2024-02-15 14:24:24 thehackernews CYBERCRIME Ivanti Pulse Secure Appliances Plagued by Obsolete Software and Vulnerabilities
Eclypsium's analysis of an Ivanti Pulse Secure appliance found it running CentOS 6.4, a Linux release that has been unsupported since November 2020. The findings come as flaws in Ivanti Connect Secure, Policy Secure, and ZTA gateways are being actively exploited to deliver malware. Using a proof-of-concept exploit to gain a shell on the appliance, the researchers reverse-engineered its software and found numerous vulnerabilities in outdated packages and libraries; the Perl interpreter and Linux kernel, for example, have not been updated in over 23 and 11 years respectively. Their scan turned up more than 1,200 issues in shell scripts, 5,218 vulnerabilities across the Python files, and 133 outdated certificates. Eclypsium also found that Ivanti's Integrity Checker Tool (ICT) excludes several directories from its checks, giving attackers places to hide from detection, and demonstrated a theoretical attack that chains a zero-day flaw with the gaps in integrity checking. The researchers call for stronger checks and balances on product integrity and for more open systems that give customers visibility into vendors' build and update processes.
2024-02-15 14:03:34 theregister CYBERCRIME Cybercriminals Exploit Biometrics to Raid Banking Accounts in Asia
GoldFactory, a Chinese-speaking cybercrime group, is deploying mobile malware for both Android and iOS that captures victims' facial biometric data and uses it to break into their bank accounts. Its GoldPickaxe and GoldPickaxe.iOS trojans trick users into recording their faces and handing over identity documents, which the attackers then use to defeat the facial-recognition checks that banks in Thailand and Vietnam require for large transactions. On iOS the group relies on elaborate social engineering, impersonating trusted services over the LINE messaging app and initially distributing the malware through TestFlight before switching to enrolling victims' phones in an attacker-controlled MDM profile to get around Apple's tighter platform controls. Combining the captured facial data with face-swapping (deepfake) tools and intercepted SMS one-time codes, the attackers can complete fraudulent banking transactions remotely. GoldFactory is highly adaptable, blending impersonation, phishing, and identity theft and tailoring its tooling to each target market. Its rapidly evolving malware underlines the need for proactive defenses, user education, and modern detection capable of spotting new trojan variants.
2024-02-15 13:32:43 bleepingcomputer MALWARE New Qbot Malware Variant Masquerades as Adobe Installer
Qakbot's developers are testing new variants of the malware, as shown by recent email campaigns that deliver it disguised as an Adobe installer. The botnet, blamed for heavy financial losses and a vast number of infections over the years, survived the August 2023 law-enforcement takedown of its infrastructure, and its spam distribution channels appear intact: new builds have been appearing since December. Sophos X-Ops has identified up to ten new Qbot builds featuring heavier obfuscation and evasion techniques. Unlike older versions, the new samples do not inject code into benign processes, and they arrive as .MSI installers carrying .CAB files. The malware also actively checks for endpoint-protection products and virtual environments to avoid analysis and detection. Researchers stress the need to track Qbot's resurgence so that defenses stay current and the community stays informed.
2024-02-15 11:35:28 thehackernews NATION STATE ACTIVITY Exposing SaaS Vulnerabilities to Nation-State Cyber Threats
Wing Security's analysis of SaaS usage at 493 companies in Q4 2023 finds them increasingly exposed to cyber threats, including from nation-state actors: North Korea's UNC4899 and Russia's Midnight Blizzard have both targeted SaaS applications used by high-profile organizations. SaaS is now integral to how organizations operate, but it often bypasses traditional IT security approval, creating a new supply-chain risk. Unsanctioned or unnoticed SaaS use, MFA bypass practices, forgotten access tokens, and the unchecked adoption of AI features all open significant gaps, and the spread of AI across SaaS platforms has led to sensitive data being shared inadvertently when changes to terms of service go unnoticed. Wing Security recommends continuous monitoring and control of SaaS security settings as the core mitigation, urges companies to adopt more advanced SaaS security measures, and offers actionable guidance for navigating the evolving SaaS landscape.