Daily Brief

Total articles found: 12655

Checks for new stories every ~15 minutes

2024-01-29 13:33:48 thehackernews DATA BREACH Microsoft Outlook Flaw Risked NTLM Hashed Password Leakage
A serious vulnerability was discovered in Microsoft Outlook that could allow attackers to obtain hashed NTLM v2 passwords. The flaw, tracked as CVE-2023-35636 with a CVSS score of 6.5, was patched by Microsoft in December 2023 as part of its Patch Tuesday updates. Attack vectors included phishing emails or web-based attacks in which victims were tricked into opening a malicious file. The NTLM hash leakage was possible via Outlook's calendar-sharing function by inserting specific headers in an email. While the patch addressed the main vulnerability, related risks involving Windows Performance Analyzer and Windows File Explorer haven't been patched. Researchers highlighted the weaknesses of NTLM authentication and Microsoft's move to phase it out in Windows 11 in favour of the safer Kerberos protocol. Enhanced security practices and awareness are crucial to avoid falling victim to such exploitation techniques.
2024-01-29 11:40:52 thehackernews DATA BREACH Mastering SaaS Security: Exclusive Webinar Insights from Industry Survey
97% of companies are exposed to severe risks due to unsecured SaaS applications. 20% of these organizations are battling internal data threats. The upcoming webinar by Wing Security COO, Ran Senderovitz, will offer in-depth insights into SaaS security challenges. The event promises a comprehensive analysis of data from 493 companies, identifying statistics and trends in SaaS security. Attendees will receive actionable tips for immediate implementation to enhance their organization's security posture. The webinar will provide a forecast of SaaS security threats expected in 2024 and strategies to combat them. IT and security professionals will gain valuable knowledge and tools to proactively defend against SaaS-related threats. The session aims to transform SaaS security challenges into opportunities for strengthening organizational defenses.
2024-01-29 11:14:53 thehackernews MISCELLANEOUS The Evolution of Artificial Intelligence in Cybersecurity Defense
AI has become critical in cybersecurity, offering advanced features from spam filtering to predictive analytics and AI-assisted responses. The democratization of AI technology presents a significant challenge, arming attackers with sophisticated means to launch advanced cyber threats. Early 2000s malware like ILOVEYOU and the Zeus banking trojan highlighted the need for evolving security solutions. The second wave (2010–2020) saw an increasingly dynamic IT landscape with cloud computing and SaaS, coupled with an uptick in sophisticated cyber threats. AI-based cybersecurity tools, such as those pioneered by Cylance, have been instrumental in outpacing increasingly sophisticated malware and attacks. The third wave (2020-present) showcases a profound shift where AI is also being used by adversaries, necessitating an informed and well-equipped defense strategy. As cyber threats continue to grow in both scale and sophistication, the dual use of AI demands continuous innovation and vigilance in cybersecurity practices.
2024-01-29 11:09:32 thehackernews MALWARE Emerging Ransomware Variants Utilize Advanced Languages and Deception Tactics
Fortinet FortiGuard Labs identified the Faust variant of Phobos ransomware using an Excel document to deliver malware. Newer ransomware families, including Albabat and Kuiper, leverage the Rust and Golang programming languages to avoid common code issues and enhance cross-platform capabilities. Faust ransomware doesn't specifically target industries or regions and uses multiple threads for its file encryption, making it more resilient and efficient. Kuiper ransomware, linked to threat actor RobinHood, was advertised on underground forums and developed to target multiple operating systems. NONAME ransomware imitates the data leak site of the known LockBit group, suggesting potential connections or shared strategies. The links among the Royal/BlackSuit ransomware, the 3 AM ransomware, and the remnants of the Conti cybercrime group indicate shared tactics and infrastructures. Ransomware attacks continue to exploit common remote access tools like TeamViewer and misuse legitimate-looking documents, such as resumes in Word format, to execute attacks.
2024-01-29 07:04:58 thehackernews NATION STATE ACTIVITY NSA Accused of Covertly Purchasing Americans' Internet Data
The NSA has been purchasing internet browsing records from third-party data brokers to identify websites and apps used by Americans, avoiding the need for a court order. Senator Ron Wyden condemns this practice as both unethical and illegal, and challenges the legitimacy of funding such a "shady industry." Metadata about users' browsing habits purchased by the NSA could reveal personal details, including visits to sensitive websites related to health and personal assistance. The NSA contends that it uses such data in compliance with privacy standards and minimizes collection of U.S. persons' information. The agency asserts it does not buy or use phone location data or vehicle telematics from within the U.S. without a court order. This practice of purchasing private data without a warrant reflects broader issues with law enforcement agencies acquiring sensitive information from third-party companies. The FTC has recently taken action against companies selling precise location information without informed user consent. Concerns are raised about third-party apps not notifying users that their data, collected for advertising or national security purposes, is shared or sold.
2024-01-29 05:38:21 thehackernews MALWARE Python Packages Infected with WhiteSnake Malware Threaten Windows Users
Cybersecurity experts have discovered several malicious packages on the Python Package Index (PyPI) that secretly install WhiteSnake Stealer malware. The nefarious packages target Windows operating systems, executing malware that can steal information and execute commands. The malware has the capability to exfiltrate data from web browsers, cryptocurrency wallets, and various applications such as WinSCP, Discord, and Telegram. WhiteSnake Stealer uses anti-VM mechanisms and communicates with its control server over the Tor network, enhancing its stealth and persistence. The threat actor, dubbed PYTA31, has introduced variations in the payloads of the malicious packages, indicating a particular focus on stealing cryptocurrency wallet data. Some packages also possess clipper functionality that can replace clipboard content with attacker-controlled cryptocurrency wallet addresses to facilitate unauthorized transactions. Fortinet highlights the ease with which a single malware author can release multiple info-stealing malware packages onto the open-source repository, indicating a significant threat to software supply chain security.
2024-01-29 01:34:13 theregister CYBERCRIME Researchers Net $1.3 Million for Hacking Tesla at Automotive Pwn2Own
Trend Micro's Zero Day Initiative hosted the first automotive-focused Pwn2Own event, with over $1.3 million awarded for 49 zero-day vulnerabilities. Synacktiv, a French security firm, won the top prize, earning $450,000 for successful exploits on Tesla vehicles, gaining root access to a Tesla Modem, and finding a sandbox escape in the infotainment system. High-value attacks also targeted after-market infotainment systems and electric vehicle (EV) chargers, exposing vulnerabilities in chargers from Emporia, ChargePoint, Ubiquiti, Phoenix, and JuiceBox. One out of three attacks on Automotive Grade Linux succeeded, highlighting potential threats to the infotainment backbone used by major car manufacturers like Subaru, Toyota, and Lexus. Cisco disclosed a critical vulnerability (CVSS 9.9) in its Unified Communications products; the recommended action is to promptly apply the provided patches. Apple fixed an actively exploited WebKit zero-day that allowed arbitrary code execution which could be triggered by malicious web content. The U.S. Securities and Exchange Commission (SEC) acknowledged a SIM swap attack that compromised its Twitter account, after disabling multi-factor authentication and failing to reactivate it. Kaspersky's Securelist reported a new macOS malware family found in cracked apps, aimed at stealing cryptocurrency wallet seed phrases and giving attackers remote control over infected systems.
2024-01-28 23:32:12 theregister DATA BREACH Massive Data Sale of 750 Million Indian Mobile Users Uncovered
CloudSEK, an Indian information security firm, discovered a 1.8TB data trove containing information on 750 million Indian mobile subscribers being sold on the dark web. The data includes subscribers' names, phone numbers, addresses, and Aadhaar details, allegedly sourced through illegal means from law enforcement channels, not due to a telecom leak. The breach impacts all major Indian telecom providers and poses serious risks of financial losses, identity theft, reputational damage, and susceptibility to cyber-attacks. Samsung has opted to integrate Baidu's ERNIE model in the China-sold Galaxy S24 for AI features such as real-time call translation and intelligent document summarization. Terraform Labs, a crypto firm, filed for Chapter 11 bankruptcy in the US while facing legal proceedings and attempts to extradite its founder, Do Kwon. India's IT minister announced plans for a $1.2 million public-private supercomputing and quantum computing hub to boost AI capabilities for startups and enterprises. Telstra International has partnered with Trans Pacific Networks on the Echo undersea cable, the first to directly connect the US to Singapore, with increased capacity anticipated by 2029.
2024-01-28 17:16:27 bleepingcomputer CYBERCRIME Kansas City Transit Authority Targeted in Ransomware Attack
The Kansas City Area Transportation Authority (KCATA) has been the victim of a ransomware attack, impacting communication systems. The attack compromised KCATA's ability to receive calls at regional RideKC call centers and affected KCATA landlines. KCATA assures that bus routes and paratransit services are operational, and schedule information remains accessible online and via the transit app. Alternative contact numbers were provided for paratransit customers needing to schedule trips during the disruption. Authorities, including the FBI, have been notified; KCATA is working with cyber professionals to resolve the issue. Data theft concerns arise as personal and payment details of KCATA customers could have been compromised. The Medusa ransomware group claimed responsibility for the attack, demanding a $2 million ransom and offering a daily extension of the data leak deadline for $100,000.
2024-01-28 15:18:57 bleepingcomputer CYBERCRIME Critical Jenkins Vulnerabilities Lead to Active Exploitation
Multiple proof-of-concept (PoC) exploits have been made public for a critical Jenkins vulnerability allowing unauthenticated file access. Jenkins is a pivotal automation server in numerous software development processes, particularly in Continuous Integration and Deployment. Researchers at SonarSource identified two vulnerabilities, one (CVE-2024-23897) that permits the reading of arbitrary files, and the other (CVE-2024-23898) that enables execution of arbitrary CLI commands. CVE-2024-23897 exposes systems to potential admin privilege escalation and remote code execution under specific conditions. The second flaw exists due to browsers inconsistently enforcing protective policies, leaving systems at risk despite security measures. Jenkins has released updates to address these issues and urges users to patch their systems immediately. Security researchers have observed active exploitation in the wild, as attackers leverage the disclosed PoCs against unpatched Jenkins servers.
2024-01-27 17:22:43 bleepingcomputer CYBERCRIME Governments Enforce Actions Against Global Ransomware Criminals
Governments have increasingly taken action against ransomware criminals; sanctions and prison sentences were given this past week to notable figures. Aleksandr Gennadievich Ermakov, linked to the REvil ransomware group and the Medibank hack, faced sanctions from Australia, the US, and the UK. Vladimir Dunaev, a Russian national involved with TrickBot malware and related ransomware assaults on US entities, received a prison sentence of five years and four months. Multiple large-scale ransomware attacks were reported, including on IT service provider Tietoevry, water services company Veolia North America, and fintech firm EquiLend, with the latter claimed by the LockBit group. The mortgage lender loanDepot disclosed a data breach impacting 16.6 million people due to a ransomware incident earlier in the month. Security analysts observed new ties between recently active ransomware variants and established cybercrime groups like Conti and Royal. The UK's National Cyber Security Centre warned that AI advancements might exacerbate the ransomware threat landscape. Researchers have highlighted the consequences of the ransomware surge, tracking activity that disproportionately affects healthcare and manufacturing sectors in the US and EU.
2024-01-27 15:10:35 bleepingcomputer CYBERCRIME Kansas City Public Transit Agency Suffers Ransomware Attack
Kansas City Area Transportation Authority (KCATA) was hit by a ransomware attack affecting communications but not service operations. The attack occurred on January 23 and disrupted KCATA's call centers by targeting their landline communication systems. KCATA services continue to run as scheduled despite the attack, maintaining all bus routes and paratransit services. Temporary alternative phone lines have been provided for customers needing to schedule Freedom and Freedom-On-Demand Paratransit services. The online platform ridekc.org and the transit app remain functional for users to access bus schedule information. KCATA is collaborating with cybersecurity professionals to restore full system functionality as swiftly as possible. Potential risks to personal and payment information of customers have not been specifically addressed by the agency. No ransomware groups have claimed responsibility for the incident at the time of the article's publication.
2024-01-27 06:57:43 thehackernews MALWARE AllaKore RAT Campaign Targets Mexican Financial Sector for Fraud
A new spear-phishing campaign is distributing a modified version of the AllaKore RAT malware targeting Mexican financial institutions. BlackBerry researchers linked the malware to an unidentified Latin American threat group focused on financial fraud. The threat actor has crafted emails that mimic official communications from the Mexican Social Security Institute (IMSS) and include legitimate document links. AllaKore RAT has been enhanced with capabilities for banking fraud, targeting Mexican banks and cryptocurrency platforms, collecting clipboard data, and executing additional payloads. The malware checks that the victim is geolocated in Mexico before executing and maintains control over infected machines, possibly for extended fraud operations. Large Mexican firms across various sectors, particularly those with over $100 million in revenue, are the primary targets. There are also related cybersecurity concerns following the discovery of vulnerabilities in Lamassu Douro bitcoin ATMs, which could allow attackers to compromise the machines; these were patched in October 2023. The campaign represents a continued and persistent targeting of Mexican entities for financial gain by the same threat actor for more than two years.
2024-01-27 00:36:30 theregister NATION STATE ACTIVITY Microsoft Admits Security Lapse in Russian Email Breach
Microsoft confirmed a Russian espionage team, Midnight Blizzard (APT29/Cozy Bear), carried out a successful cyber-attack by exploiting accounts without multi-factor authentication (MFA). The attack began with a "password spray" tactic on a non-production legacy test account at Microsoft, which led to broader system access. Attackers compromised a legacy OAuth application, allowing them to create malicious OAuth applications and gain full access to certain Microsoft employees' mailboxes. The espionage group used residential broadband networks as proxies to disguise their activities, making the malicious traffic appear legitimate. Microsoft has acknowledged the need to expedite the implementation of MFA and strengthen security measures across legacy systems. The breach was not detected until two months after the fact, and it revealed gaps in Microsoft’s internal security practices, despite the company’s leadership in the cybersecurity industry. Microsoft is using the incident to underscore the importance of MFA and to fast-track MFA deployment to enhance security measures, even if it disrupts current business processes.
2024-01-26 21:33:09 theregister MISCELLANEOUS Urgent Call for Cybersecurity Integration in Computer Science Curricula
CISA advisor Jack Cable highlighted that 23 of the top 24 computer science programs in the US don't require cybersecurity courses for graduation. Even years later, the situation remains largely unchanged, with UC San Diego being the possible exception. Cybersecurity is often seen as a subdiscipline rather than an essential part of a developer's education, a perspective that is deemed unacceptable by experts. The White House's National Cybersecurity Strategy suggests application makers should be liable for security flaws, necessitating better training for programmers. A skills gap persists as private companies have not prioritized security in hiring, which in turn influences academic curricula. CISA hosted a workshop to address the issue of security in computer science education and identified a lack of private sector demand as a major obstacle. CISA issued a Request for Information seeking input on the integration of security into computer science education, with responses due by February 20.