Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12669
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-08 13:09:19 | thehackernews | NATION STATE ACTIVITY | Extensive Chinese Hacking of U.S. Infrastructure Revealed | Chinese state-sponsored hackers, known as Volt Typhoon, operated undetected within U.S. critical infrastructure for at least five years. The group targeted the U.S. communications, energy, transportation, and water sectors, as well as facilities in Guam. Volt Typhoon used 'living-off-the-land' techniques to blend malicious actions with legitimate network behavior, making detection difficult. Their tactics included multi-hop proxies to hide the origin of their activity and a strong focus on operational security to keep their access undiscovered. They escalated privileges to obtain administrator credentials, moved laterally within networks, and maintained long-term domain compromise. The U.S. government warns that the hackers methodically re-target environments over years to maintain unauthorized access. Meanwhile, PAPERWALL, a separate influence campaign linked to a Beijing PR firm, has been creating and deleting pro-China content on fake news websites internationally. | Details |
| 2024-02-08 10:46:23 | thehackernews | MISCELLANEOUS | The Strategic Impact of Unified Identity Solutions | Unified identity platforms consolidate various identity challenges into a complete security solution, offering significant operational and security advantages. Sector-specific examples illustrate that the concept of unified identity varies; hospitals may emphasize different facets than software development studios. Increased organizational complexity and the rise of identity sprawl across numerous silos necessitate a move toward fewer, consolidated identity management systems. The adoption of unified identity platforms can enhance a company's cybersecurity stance, simplify the tech landscape, and enable business agility. Cost reductions are achieved not only through vendor bundle discounts but also by easing the skills gap and reducing the need for extensive training and senior staff. Unified identity tools are pre-validated to work together, reducing the need for extensive customizations and support, yet vendor lock-in remains a consideration. Quick and efficient implementation time is a key advantage, as traditional identity and access management (IAM) projects are notoriously slow and complex. For sustained benefits, it is essential to choose vendors that offer modular identity platforms, allowing gradual integration without full commitment to their entire ecosystem. | Details |
| 2024-02-08 10:30:57 | thehackernews | MALWARE | Loader Malware HijackLoader Enhances Stealth with New Evasion Techniques | Loader malware HijackLoader has been updated with sophisticated techniques for evading defenses, making it harder to detect and analyze. Cybersecurity experts from CrowdStrike have identified new evasion methods that use process hollowing and a novel trigger mechanism involving writing to a pipe. Originally discovered by Zscaler ThreatLabz, HijackLoader is linked to the distribution of DanaBot, SystemBC, and RedLine Stealer and shares similarities with IDAT Loader. TA544, a notorious cybercrime group, has been using HijackLoader to deliver payloads such as Remcos RAT and SystemBC through phishing campaigns. The updated tactics include the use of process doppelgänging and Heaven's Gate to bypass security measures and evade endpoint detection. Researchers also reported a unique injection technique involving a hollowed mshtml.dll inside a cmd.exe process as part of an evolved multi-stage attack chain. CrowdStrike emphasizes the challenges introduced by loaders like HijackLoader, highlighting the importance of continued vigilance and advances in threat detection methods. | Details |
| 2024-02-08 10:20:34 | thehackernews | CYBERCRIME | Google Implements Sideloading Restrictions in Singapore for Safety | Google has initiated a pilot program in Singapore to block sideloading of apps that abuse Android app permissions to collect sensitive information. Apps that attempt to use sensitive runtime permissions for financial fraud will be automatically blocked by Google Play Protect during installation from non-official sources. Users will see a pop-up warning when trying to install potentially harmful apps, advising of the risks of identity theft and financial fraud. The initiative focuses on preventing misuse of permissions such as reading SMS messages, notifications, and accessibility services, which are common targets for Android malware. Google urges developers to adhere to its Mobile Unwanted Software principles and review app permissions to avoid violating these guidelines. Google Play Protect has been effective in detecting new malicious apps, flagging over 515,000 and issuing millions of warnings or blocks. Apple echoes concerns about alternative app marketplaces, citing heightened risks to privacy and security, and plans to roll out Notarization for iOS apps in response to the EU's Digital Markets Act. | Details |
| 2024-02-08 07:32:14 | theregister | MISCELLANEOUS | Rust's Role in Enhancing Software Security: A Reality Check | Memory-safety issues are high-severity but not the most exploited vulnerabilities; the Rust language helps mitigate these. Horizon3.ai's analysis of CISA's Known Exploited Vulnerabilities shows that Rust alone is not a panacea for software security. Insecure exposed functions were the most common vulnerability in 2023, accounting for 48.8% of the issues. Memory safety problems are impactful when exploited as zero-days, often before patches are available. 75% of the analyzed memory safety bugs were exploited as zero-days; the other 25% were believed to have been first found by researchers who were, in fact, not the initial discoverers. Simple vulnerabilities remain highly exploitable, pointing to the need for broader attention to software complexity and supply chain hardening. Software security is a process, which underscores the importance of comprehensive security strategies beyond adopting a new programming language. | Details |
| 2024-02-08 06:56:21 | thehackernews | NATION STATE ACTIVITY | North Korean Kimsuky Group Deploys New Golang Malware | North Korea-linked hacking entity Kimsuky is reportedly using a novel Golang-based information stealer named Troll Stealer to target South Korean systems. Troll Stealer is designed to extract various sensitive data, such as SSH credentials, system information, browser data, and even screen captures. Similarities to previous Kimsuky-associated malware like AppleSeed and AlphaSeed suggest its connection to the notorious group, which has a history of espionage activities. Kimsuky, which faces sanctions from the US Treasury, has recently conducted spear-phishing campaigns against South Korean targets, delivering multiple backdoors. Troll Stealer masquerades as a legitimate security program installer and uses a stolen certificate from D2Innovation Co., LTD for authenticity. The malware's new capability to target GPKI folders indicates a potential shift in tactics or the involvement of another threat actor with access to Kimsuky's tools. The discovery of a Go-based backdoor, GoBear, also points to Kimsuky's continued development of sophisticated tools, with this one adding a SOCKS5 proxy feature not seen in their previous malware. | Details |
| 2024-02-08 05:19:30 | thehackernews | CYBERCRIME | Cisco, Fortinet, VMware Issue Fixes for Critical Security Flaws | Cisco released patches for three vulnerabilities in the Cisco Expressway Series with CVSS scores up to 9.6, potentially allowing unauthenticated remote CSRF attacks. Fortinet published a second round of updates addressing critical bypasses of a previously patched FortiSIEM supervisor flaw, with the new vulnerabilities scoring CVSS 9.8. VMware warned of five moderate-to-high severity flaws in Aria Operations for Networks, advising users to upgrade to version 6.12.0 to mitigate risks. The vulnerabilities could enable attackers to execute arbitrary code or actions, modify system configurations, create privileged accounts, or induce DoS conditions. Patches have been released in specific versions for all the affected products, and users are urged to apply them promptly given the history of active exploitation. Organizations are recommended to prioritize patch management to protect against these newly disclosed vulnerabilities and improve overall security posture. | Details |
| 2024-02-08 01:00:26 | bleepingcomputer | CYBERCRIME | Fortinet Discloses Confusion Over Critical FortiSIEM Vulnerabilities | Fortinet has warned of two critical unpatched vulnerabilities in FortiSIEM, CVE-2024-23108 and CVE-2024-23109, which are patch bypasses for the original CVE-2023-34992 flaw. An initial confusing update suggested these CVEs were duplicates due to an API issue; however, they are confirmed as separate vulnerabilities. The new bugs allow remote, unauthenticated attackers to execute commands on the system through specially crafted API requests. Users are strongly advised to upgrade FortiSIEM to a version that addresses these vulnerabilities, as threat actors frequently target Fortinet flaws. Fortinet's handling of the disclosure has caused confusion, initially misstating the nature of the vulnerabilities. Vulnerability expert Zach Hanley from Horizon3 has been identified as the discoverer of these patch bypasses. Fortinet commits to issuing a reminder in its monthly advisory to alert customers of these critical security issues. | Details |
| 2024-02-08 00:09:15 | theregister | CYBERCRIME | Proposed Incident Reporting Rules Rile IT Providers | Proposed procurement rules would require IT suppliers to U.S. government agencies to provide complete access to their systems after a security incident and to report intrusions within eight hours. The draft update to the Federal Acquisition Regulation (FAR) aligns with Biden's 2021 executive order and responds to significant security incidents like SolarWinds and Colonial Pipeline. Industry backlash has been significant, with over 80 responses criticizing the burdensome nature of the proposed rules, including the Software Bill of Materials (SBOM) requirement and incident reporting within eight hours. The Cloud Service Providers Advisory Board and the Information Technology Industry Council voiced concerns about the impact on providers who serve both federal and non-federal customers, fearing loss of business due to the invasive requirements. HackerOne highlighted the risk that federal law enforcement access to contractor systems could inadvertently expose non-government customer data. Different federal agencies have introduced varying incident reporting rules, leading to a lack of alignment; some stakeholders call for CISA to be the central agency for incident reporting. ITIC suggests selecting a single, harmonized incident reporting process across the federal government and regulated sectors to avoid misalignment and confusion. | Details |
| 2024-02-07 22:52:52 | theregister | NATION STATE ACTIVITY | U.S. Warns of Persistent Chinese Cyber Espionage on Critical Infrastructure | The U.S. government has issued a warning about Chinese spy groups infiltrating American critical infrastructure, including energy and other essential services. These Chinese cyber-espionage operations are reportedly seeking to steal data and potentially disrupt vital systems on command from Beijing. The intrusions by groups like Volt Typhoon have sometimes gone undetected for years, posing a risk of significant operational impact. The FBI acted to disrupt Volt Typhoon's activities by wiping out their botnet through a remote kill command. Officials underscore the necessity of robust identity management, such as phishing-resistant multi-factor authentication, for infrastructure operators. Cybersecurity experts express serious concerns about Volt Typhoon's access to operational technology systems, which could lead to severe shutdowns. The Department of Energy has been collaborating with infrastructure owners to detect and eliminate these persistent threats actively positioning themselves on networks. Such state-sponsored activities suggest a reciprocal level of cyber-intrusion might be expected from American agencies against foreign critical infrastructure. | Details |
| 2024-02-07 21:26:08 | bleepingcomputer | MALWARE | Facebook Ads Disguised as Job Offers Distribute Ov3r_Stealer Malware | Ov3r_Stealer malware is being spread via fraudulent Facebook job advertisements that target users to steal credentials and cryptocurrency. The scam leads victims to a Discord link that executes a PowerShell script to download the malware from GitHub. Trustwave analysts uncovered the campaign, noting the danger posed by Facebook's widespread use despite the non-novel tactics. The infection process deceives users with a fake PDF, redirecting to a malicious payload disguised as a DocuSign document. The malware aims to harvest data from various applications and searches system registry locations to potentially expand its breach. Collected data, including geolocation and a synopsis of the pilfered information, is sent every 90 minutes to a Telegram bot controlled by the attackers. Investigations reveal links to software cracking forums and code resemblance to a known C# stealer, Phemedrone, suggesting possible origins or associations of the malware's creators. | Details |
| 2024-02-07 20:34:11 | theregister | MISCELLANEOUS | Survey Reveals Infosec Degrees Fall Short in Real-World Utility | Half of the cybersecurity professionals surveyed by Kaspersky assert that their higher education in cybersecurity does not translate effectively to practical work. Only 29% of respondents found their academic knowledge to be "extremely useful," with smaller percentages rating their education as "very useful." The survey included 1,012 infosec professionals from 29 countries, highlighting a perceived disconnect between academic preparation and real-world demands. The rapid pace of technological change is cited as a contributing factor to the obsolescence of educational content, with technology quickly becoming "legacy" within a few years. There is a notable regional variance in the perceived practical experience of cybersecurity educators, with Latin America reporting the highest levels of instructor industry engagement and the Middle East, Turkey, and Africa the lowest. An overwhelming majority of professionals with 2-5 years of experience (83%) consider the availability of useful infosec courses in higher education to be poor, pointing to a gap in training for handling real-life security incidents. | Details |
| 2024-02-07 20:18:22 | bleepingcomputer | DATA BREACH | Denmark Halts Google's Student Data Processing in Schools | The Danish data protection authority has issued an injunction preventing schools from sending student data to Google. The decision affects the use of Google Workspace and Chromebooks across 53 municipalities in Denmark. Concerns were raised about the misuse of student data and the potential future impact on individuals. Schools must now modify their data processing practices to align with the authority's new requirements. Permitted uses of data are limited to specific educational services and fulfilling legal obligations. The decision does not outright ban Chromebooks but places restrictions on data sharing with Google. Municipalities are given until March 1, 2024, to outline compliance plans, with full implementation required by August 1, 2024. The action, welcomed by many, was criticized for the delay in the authority's response to the issue. | Details |
| 2024-02-07 20:13:00 | bleepingcomputer | NATION STATE ACTIVITY | Prolonged Chinese Cyber-Espionage on U.S. Infrastructure Exposed | Chinese cyber-espionage group Volt Typhoon infiltrated U.S. critical infrastructure networks and remained hidden for around five years. A joint advisory by CISA, the NSA, the FBI, and the Five Eyes intelligence alliance revealed Volt Typhoon's stealth operations and living off the land (LOTL) tactics. The group specifically targeted the communications, energy, transportation, and water/wastewater sectors, putting a spotlight on its ability to leverage stolen accounts for persistent access. U.S. authorities are concerned that Volt Typhoon might leverage its network footholds to disrupt critical infrastructure during times of high tension or conflict. Recent efforts have been made to harden U.S. cyber defense systems against such threats and to understand the full scope of Volt Typhoon's activities. The FBI and CISA recently disrupted a Volt Typhoon-controlled botnet, highlighting ongoing counter-espionage measures. Cybersecurity agencies have released technical guides to help network defenders detect Volt Typhoon activity and protect critical infrastructure from similar threats. | Details |
| 2024-02-07 19:16:42 | theregister | NATION STATE ACTIVITY | US and Allies Warn of Chinese Cyber Group's Threat to Infrastructure | The US and 11 international government agencies issued a warning about China's Volt Typhoon group targeting critical infrastructure. Volt Typhoon has infiltrated IT networks across the communications, energy, transportation, and water sectors in the US and its territories. The group's conduct suggests a departure from espionage goals, with a focus on pre-positioning for potential disruptive or destructive cyberattacks. The US agencies, including CISA, NSA, and FBI, express high confidence in Volt Typhoon's intent to exploit network access amid geopolitical tensions. The FBI cautioned that Chinese hackers are equipped to "wreak havoc" on US infrastructure, citing recent malware infections on Cisco and Netgear equipment. Canada, Australia, and New Zealand's infrastructure could be affected due to interconnectedness and shared vulnerabilities with the US. Governments have provided a list of technical details, observed TTPs, and detection recommendations, and urged immediate actions to mitigate threats, such as applying patches, enabling MFA, and maintaining centralized logging. | Details |