Daily Brief

Find articles below; each entry's 'Details' holds the generated summary

Total articles found: 12655

Checks for new stories every ~15 minutes

Title Summary
2024-01-24 19:48:57 bleepingcomputer CYBERCRIME Cybercrime Syndicate Operates 70,000-Site Traffic Redirection Network
VexTrio is a traffic distribution system (TDS) that controls more than 70,000 domains and routes victims to cybercrime operations. A TDS like VexTrio takes in visitors from compromised websites and redirects them to malicious destinations, including phishing pages and malware downloads. Active since at least 2017, VexTrio works with at least 60 affiliates. Infoblox's report documents its ties to well-known campaigns such as ClearFake and SocGholish, which feed victims into the network. Affiliates also layer the commercial Keitaro TDS on top of VexTrio for an extra redirection hop, which complicates tracing and detection. Part of the revenue comes from abusing legitimate referral and affiliate programs, so its traffic mingles with genuine marketing flows. The advice to users is to stick to HTTPS sites, refuse browser push notifications, and run an ad-blocker; the practitioner caveat is that a valid certificate proves only transport encryption, not that a site is trustworthy, so HTTPS alone does not keep a visitor off a VexTrio landing page. Infoblox notes that the layered structure makes the operation hard to dismantle, and that mapping its domains so they can be blocked (for example at the DNS layer) is the most effective countermeasure.
Details
2024-01-24 18:00:49 bleepingcomputer CYBERCRIME Over 5,300 GitLab Instances Vulnerable to Zero-click Takeover
More than 5,300 internet-exposed GitLab servers are still running versions affected by CVE-2023-7028, a critical (CVSS 10.0) zero-click account-takeover flaw. The bug lets an unauthenticated attacker submit a password-reset request whose email parameter is an array of addresses, so the reset link is also delivered to an attacker-controlled mailbox; that is enough to take over any account without 2FA (a 2FA-protected account can have its password reset but cannot be logged into without the second factor). Affected self-managed releases are Community and Enterprise Edition 16.1 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4 and 16.7 before 16.7.2; the fixed releases shipped on January 11, 2024. ShadowServer's scan places most of the exposed instances in the US, Germany, Russia, China, France, the U.K., India and Canada. An unpatched instance can be turned against its users: source code disclosure, leaked API keys and CI secrets, and tampered commits or pipelines that seed a software supply chain attack. GitLab's guidance for admins who find signs of compromise is to rotate every secret the instance holds (tokens, keys, credentials), enforce 2FA, and check the logs for password-reset requests carrying multiple email addresses. GitLab reported no confirmed exploitation at the time but urged immediate upgrading.
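The log check GitLab recommends can be scripted. The example below is added here and is not GitLab's code: it scans lines shaped like gitlab-rails/production_json.log (POST /users/password requests whose user[email] parameter is an array) and gitlab-rails/audit_json.log (PasswordsController#create events whose target_details lists several addresses). The sample lines are constructed for the example, and the audit-log key is written as meta.caller_id on the assumption that this is how the field is flattened; confirm it against your own instance's logs before relying on the second check.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample lines in the shape of gitlab-rails/production_json.log and
# gitlab-rails/audit_json.log. Field names follow GitLab's CVE-2023-7028 guidance
# (params.value.email, meta.caller_id, target_details); the values are invented.
SAMPLE_PRODUCTION_LOG = [
    '{"method":"GET","path":"/users/sign_in","time":"2024-01-12T09:00:00.000Z",'
    '"remote_ip":"203.0.113.5","params":[]}',
    # a normal single-address reset request
    '{"method":"POST","path":"/users/password","time":"2024-01-12T09:01:10.000Z",'
    '"remote_ip":"203.0.113.5","params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    # the exploit pattern: the email parameter is an array with more than one address
    '{"method":"POST","path":"/users/password","time":"2024-01-12T09:02:31.000Z",'
    '"remote_ip":"198.51.100.7","params":[{"key":"user","value":'
    '{"email":["alice@example.com","attacker@example.net"]}}]}',
]
SAMPLE_AUDIT_LOG = [
    '{"time":"2024-01-12T09:01:10.000Z","meta.caller_id":"PasswordsController#create",'
    '"target_details":"alice@example.com"}',
    '{"time":"2024-01-12T09:02:31.000Z","meta.caller_id":"PasswordsController#create",'
    '"target_details":["alice@example.com","attacker@example.net"]}',
    '{"time":"2024-01-12T09:03:00.000Z","meta.caller_id":"SessionsController#create",'
    '"target_details":"alice@example.com"}',
]


def _as_list(value) -> List[str]:
    """Normalise a scalar-or-array log value to a list of strings."""
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [value]
    return []


def _parse(lines: Iterable[str]):
    """Yield one decoded JSON object per line, skipping truncated or non-JSON lines."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_multi_email_resets(lines: Iterable[str]) -> List[Dict]:
    """Flag POST /users/password requests whose user[email] carries several addresses."""
    hits = []
    for entry in _parse(lines):
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") == "user" and isinstance(param.get("value"), dict):
                emails = _as_list(param["value"].get("email"))
                if len(emails) > 1:
                    hits.append({"time": entry.get("time"),
                                 "remote_ip": entry.get("remote_ip"),
                                 "emails": emails})
    return hits


def find_multi_target_audit_entries(lines: Iterable[str]) -> List[Dict]:
    """Flag password-reset audit events whose target_details lists several addresses."""
    hits = []
    for entry in _parse(lines):
        if entry.get("meta.caller_id") != "PasswordsController#create":
            continue
        targets = _as_list(entry.get("target_details"))
        if len(targets) > 1:
            hits.append({"time": entry.get("time"), "targets": targets})
    return hits


if __name__ == "__main__":
    for hit in find_multi_email_resets(SAMPLE_PRODUCTION_LOG):
        print("production_json.log:", hit)
    for hit in find_multi_target_audit_entries(SAMPLE_AUDIT_LOG):
        print("audit_json.log:", hit)
```

On a real instance, feed the functions the lines of /var/log/gitlab/gitlab-rails/production_json.log and audit_json.log (or the equivalent paths for your deployment); every hit names an account whose credentials and tokens should be treated as compromised and rotated.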
Details
2024-01-24 17:35:00 theregister CYBERCRIME Suspected Cyberattack Disrupts Europe's Largest RV Club Services
The Caravan and Motorhome Club (CAMC) is in the fifth day of a major IT outage that has taken down its booking systems and other digital services for more than 1 million members, and the circumstances point to a cyberattack. CAMC has reported the incident to the Information Commissioner's Office (ICO); under UK GDPR an organisation must notify the ICO within 72 hours of becoming aware of a likely personal data breach, so the report signals that a breach is at least suspected, not that one is confirmed. The outage began during a scheduled maintenance window but has persisted well beyond it, and external specialists have been brought in. Members describe near-total loss of online services and worry that sensitive data, including holiday schedules and home addresses, may have been taken. CAMC has drawn criticism for saying little about the nature and extent of the problem. Its official line is that there is no evidence member data has been compromised, but it has not explained why the ICO was notified. Social media posts and member comments reflect frustration at the lack of transparency and updates.
Details
2024-01-24 16:59:07 bleepingcomputer CYBERCRIME UK Warns of Escalating Ransomware Threats Due to AI Advancements
The UK's National Cyber Security Centre (NCSC) assesses that artificial intelligence will almost certainly increase the volume and impact of ransomware and other cyberattacks over the next two years. AI lowers the barrier to entry: less experienced criminals can use it to carry out tasks that previously needed skill, and established actors can use it to speed up reconnaissance, phishing-lure writing and malware development. Criminal-market generative AI services such as WormGPT, sold without the safety guardrails of mainstream models, already offer malicious content generation. Highly capable state actors (APTs) are the most likely to be able to use AI to build malware that evades current defences. Intermediate and low-skilled actors will gain most in social engineering and data exfiltration but will still struggle with lateral movement and other hands-on intrusion steps without human expertise. The NCSC's overall view is that AI evolves and amplifies existing threats rather than creating new ones, with AI-written phishing and social engineering being especially hard to detect because the usual tells (poor grammar, clumsy phrasing) disappear.
Details
2024-01-24 16:38:18 bleepingcomputer CYBERCRIME EquiLend Operations Disrupted by Cyberattack
New York-based financial technology firm EquiLend suffered a cyberattack that took parts of its systems offline on January 22, 2024. The company detected unauthorized access to its network and immediately began an investigation, taking systems offline to contain the intrusion. EquiLend is working with third-party cybersecurity specialists to restore services and determine the scope of the breach. Clients were told to expect disruption for several days; the company has not yet confirmed whether any data was taken. The incident comes shortly after the announcement that EquiLend is to be acquired by Welsh, Carson, Anderson & Stowe, a deal expected to close in Q2 2024. EquiLend, founded by a consortium of major banks and broker-dealers, runs a securities lending trading platform used by more than 190 firms worldwide.
Details
2024-01-24 15:05:54 theregister CYBERCRIME Exploit Released for Critical GoAnywhere MFT Authentication Bypass
Horizon3 researchers have published a working proof-of-concept exploit for CVE-2024-0204, a critical (CVSS 9.8) authentication bypass in Fortra's GoAnywhere MFT that lets an unauthenticated remote attacker create a new administrator account. The bypass uses a path traversal to reach the initial-setup wizard page (InitialAccountSetup.xhtml), which is meant to be unreachable once the product has been configured. Affected versions are 6.x from 6.0.1 and 7.x before 7.4.1; the fix is 7.4.1. Where upgrading is not immediately possible, Fortra's workaround is to delete InitialAccountSetup.xhtml from the install directory and restart the services (for container deployments, replace the file with an empty one and restart). No exploitation had been observed at the time of writing, but with public PoC code available, attempts are expected to follow quickly. GoAnywhere MFT is used by government and critical-infrastructure organizations, so an admin takeover would expose large volumes of files in transit. The disclosure follows a rough year for Fortra: in early 2023 the Clop gang exploited the GoAnywhere zero-day CVE-2023-0669 to steal data from more than 130 organizations.
Details
2024-01-24 15:05:54 bleepingcomputer CYBERCRIME Bolstering Password Security Without Compromising User Experience
Microsoft reported detecting roughly 1,287 password attacks per second during 2022, a figure the article uses to argue that organizations still need to improve password hygiene. Traditional guidance, such as 8-character minimums, mandatory character classes and periodic forced changes, produces weak and predictable passwords because users optimize for convenience and memorability. The UK's National Cyber Security Centre instead recommends passphrases built from three random words, which are both harder to guess and easier to remember. NIST SP 800-63B goes further on rotation: it advises against forcing periodic changes at all and requires a change only when there is evidence of compromise. Specops, the sponsor of the piece, builds on this with length-based aging (longer passwords expire less often, or never) and its Breached Password Protection feature, which blocks passwords that appear in known-breach lists from being set on Active Directory accounts. The combined policy the article recommends is to enforce length rather than complexity, age passwords by length, and continuously screen against breached-password data, so that security improves without burdening users with frequent resets.
Details
2024-01-24 14:34:54 thehackernews CYBERCRIME Critical Misconfiguration in Google Kubernetes Engine Risks Cluster Takeovers
Orca Security researchers described a dangerous misconfiguration in Google Kubernetes Engine that can let any holder of a Google account gain control of a cluster. Orca estimates that around 250,000 active GKE clusters are exposed to it. The root cause is a misunderstanding of the system:authenticated group: administrators assume it contains only their organization's verified identities, but in GKE it includes every account Google can authenticate, including ordinary Gmail users. An attacker who finds a cluster where that group has been bound to a powerful role needs only a Google OAuth 2.0 bearer token for their own account to reach the API server, after which lateral movement, cryptomining or data theft follows as usual. Because the token belongs to an arbitrary Gmail or Google Workspace account, the activity is hard to attribute. Google has changed GKE 1.28 and later to block binding system:authenticated to the cluster-admin role and advises against binding the group to any RBAC role at all. Orca has seen no large-scale attacks using the technique but stresses that the risk is real, and that cluster owners should audit their bindings rather than wait.
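An audit for this misconfiguration is a short script over the output of kubectl. The example below is added here and is not Orca's or Google's code: it takes the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` would produce (a constructed sample is embedded) and reports every binding whose subjects include a broad group. Kubernetes ships a few ClusterRoleBindings that deliberately target system:authenticated (system:basic-user, system:discovery, system:public-info-viewer, which grant only self-info and API discovery), so the script labels those as expected rather than flagging them; which roles count as high-privilege for triage is an assumption of the example.

```python
import json
from typing import Dict, List

# Groups every caller falls into once the API server accepts any valid token
# (system:authenticated) or no token at all (system:unauthenticated / system:anonymous).
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}
# Upstream default ClusterRoleBindings that target system:authenticated on purpose;
# each binds the ClusterRole of the same name and grants only discovery/self-info.
EXPECTED_DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}
# Roles that hand over the cluster or a namespace outright (assumption for triage).
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE_DUMP = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-users-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "anyone-can-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "authenticated-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "team-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "team-admins@example.com"}]},
]})


def audit_bindings(dump: dict) -> List[Dict]:
    """Return one finding per (binding, broad group) pair with a triage severity."""
    findings = []
    for item in dump.get("items", []):
        meta = item.get("metadata", {})
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "Group" or subj.get("name") not in BROAD_GROUPS:
                continue
            is_default = (item.get("kind") == "ClusterRoleBinding"
                          and meta.get("name") in EXPECTED_DEFAULT_BINDINGS
                          and role == meta.get("name"))
            if is_default:
                severity = "expected-default"
            elif role in HIGH_PRIVILEGE_ROLES:
                severity = "critical"
            else:
                severity = "review"
            findings.append({
                "binding": meta.get("name"),
                "kind": item.get("kind"),
                "namespace": meta.get("namespace"),
                "group": subj["name"],
                "role": role,
                "severity": severity,
            })
    return findings


def critical_findings(dump: dict) -> List[Dict]:
    """Just the bindings that hand a powerful role to every authenticated caller."""
    return [f for f in audit_bindings(dump) if f["severity"] == "critical"]


if __name__ == "__main__":
    for f in audit_bindings(json.loads(SAMPLE_DUMP)):
        scope = f["namespace"] or "cluster-wide"
        print(f'{f["severity"]:16} {f["kind"]} {f["binding"]} ({scope}): {f["group"]} -> {f["role"]}')
```

Pipe real output in with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit.py` (after adapting the main block to read stdin). Every critical finding should be deleted or re-pointed at a named group; the expected-default bindings can stay, since Google's advice is about not adding further bindings, not about removing the upstream defaults.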
Details
2024-01-24 13:38:31 bleepingcomputer CYBERCRIME Researchers Reveal 24 Zero-Days, Hack Tesla at Pwn2Own 2024
Security researchers demonstrated 24 zero-day exploits on the first day of Pwn2Own Automotive 2024, against a Tesla and a range of other automotive technology. Synacktiv led day one with $295,000, exploiting the Tesla Modem and several EV charging stations. NCC Group EDG was second with $70,000 for exploits against in-vehicle infotainment systems and an EV charger. As with every Pwn2Own, the vulnerabilities are disclosed to the vendors on the spot, and vendors then have 90 days to ship fixes before details are published. Pwn2Own Automotive 2024 takes place in Tokyo alongside the Automotive World conference and focuses entirely on vehicle-related targets. Contestants go after Tesla's in-vehicle systems and EV charging products from several manufacturers. The top prize, $200,000 plus a Tesla car, is reserved for exploits of the most critical vehicle systems. For comparison, Pwn2Own Vancouver 2023 paid out $1,035,000 and a Tesla Model 3 for 27 zero-day exploits.
Details
2024-01-24 11:56:24 thehackernews MALWARE Kasseika Ransomware Evades Security Using Vulnerable Driver Trick
Kasseika ransomware uses a BYOVD (Bring Your Own Vulnerable Driver) technique, a tactic also seen from Akira, AvosLocker, BlackByte and RobbinHood: a legitimately signed but vulnerable driver is loaded and abused to kill security software before the ransomware runs. Trend Micro's analysis notes code similarities with the defunct BlackMatter family, suggesting that experienced operators have acquired BlackMatter's source or tooling. The infection chain starts with a phishing email, moves on to remote access tools, and then uses PsExec for lateral movement inside the network. The driver in question is viragt64.sys, part of TG Soft's VirIT antivirus, which is already on Microsoft's vulnerable driver blocklist; Kasseika uses it to terminate processes from a hardcoded list of 991 security tools. With defenses disabled, it drops the ransomware payload, encrypts files with ChaCha20 and RSA, and demands a Bitcoin ransom. It also wipes the Windows event logs to hinder investigation. The practical takeaway is that the driver blocklist (or an equivalent HVCI/WDAC policy) needs to be enforced, not just present, for BYOVD to be blocked.
Details
2024-01-24 11:30:24 thehackernews MISCELLANEOUS Revolutionizing SaaS Governance with Nudge Security Approach
Nudge Security is designed to adapt to business needs, allowing IT and security leaders to manage SaaS usage without hindering employee productivity. It provides a comprehensive inventory of SaaS accounts and activity by analyzing machine-generated email messages for security-relevant events. The platform includes tools for monitoring access methods, such as MFA and SSO enrollment, while assessing risks associated with OAuth grants and scopes. Nudge Security helps monitor and minimize the organization's SaaS attack surface, providing data on vendor security profiles and alerting on relevant breaches. The service aims to control SaaS sprawl and reduce shadow IT by automating employee engagement and guiding users toward security best practices. It offers automated workflows to handle common SaaS security tasks, enhancing efficiency and reducing the burden of manual oversight. Organizations can start a 14-day free trial to evaluate Nudge Security's impact on their SaaS security and governance.
Details
2024-01-24 11:04:33 theregister NATION STATE ACTIVITY Microsoft Corporate Email Breach Traced to Russian-Sponsored Hackers
The Russian state-sponsored group Microsoft tracks as Midnight Blizzard (also known as APT29 or Cozy Bear) compromised Microsoft's corporate email systems and stole messages from senior leadership and security staff. The intrusion began in late November 2023 but was only detected on January 12, 2024; Microsoft has not yet assessed the full financial impact. Microsoft's statement says the attackers did not reach customer environments, production systems, source code or AI systems. The same group had already breached Microsoft during the SolarWinds supply-chain campaign, and other attackers have hit the company since. US Senator Ron Wyden criticized Microsoft for leaving legacy systems without multi-factor authentication, which he argues would have stopped the initial password-spray foothold. Despite repeated incidents, Microsoft still dominates enterprise and government contracts, with security revenue above $20 billion a year. Industry experts warn that the concentration of identity, email and cloud infrastructure in one vendor makes weaknesses in Microsoft's own security a systemic risk for its customers.
Details
2024-01-24 09:01:47 thehackernews CYBERCRIME Navigating the Hidden Dangers of Software Supply Chain
Applications depend on ever more open-source components, and each one enlarges the attack surface, including the software supply chain itself. Pulling in a single open-source library typically drags in a tree of transitive dependencies, so the application inherits every vulnerability in that tree. Software Composition Analysis (SCA) tools are good at finding and fixing known vulnerabilities (CVEs in published versions) but are not designed for unknown risks such as a maintainer account takeover, a malicious update, or a typosquatted package. Gartner predicts that by 2025 up to 45% of organizations will have experienced a software supply chain attack, which the article uses to argue that preparation is urgent. The core point is the distinction between a vulnerability (an accidental flaw in a package) and an attack (a package deliberately made malicious): traditional SCA addresses the first and needs to be complemented to address the second. The sponsor offers a downloadable cheat sheet covering five types of supply chain attack and 14 defensive best practices, and separately promotes a SaaS security masterclass drawn from a study of 493 companies.
Details
2024-01-24 09:01:47 thehackernews CYBERCRIME Trilateral Sanctions Target Russian Hacker for Medibank Ransomware Attack
The U.S., U.K. and Australia have jointly sanctioned Alexander Ermakov, a Russian national they identify as a member of the now-defunct REvil ransomware group and a participant in the Medibank attack. The Medibank breach of October 2022 exposed personal and medical data of about 9.7 million people. The sanctions freeze Ermakov's assets and make it a criminal offense to provide him with assets or transact with him; in Australia the penalty is up to 10 years in prison. Australia has also imposed a travel ban. The U.K. framed its action as part of deterring cybercrime that undermines national prosperity and security. The U.S. Treasury criticized Russia for harboring cybercriminals and called on it to act against ransomware operators on its territory. The three governments say the aim is to disrupt ransomware actors who threaten allied economies and critical infrastructure.
Details
2024-01-24 07:33:28 theregister DATA BREACH Dutch COVID-19 Test Lab Exposes Over 1 Million Patient Records
A database without password protection, estimated to hold 1.3 million Dutch COVID-19 test records, was found unsecured on the internet. Personal information exposed included names, birth dates, passport numbers, email addresses, test certificates, appointment records, and testing samples. The database is believed to be associated with CoronaLab, which is recommended by the US Embassy in the Netherlands for COVID-19 testing. Security researcher Jeremiah Fowler discovered the breach but received no response from CoronaLab or parent company Microbe & Lab after multiple contact attempts. The database remained open for nearly three weeks before the cloud hosting provider was contacted and the database was finally secured. The CoronaLab website is currently down, and there's no indication of whether European data protection authorities have been informed, as required by the GDPR. Patients and customers affected by the breach appear to be unaware of their data exposure.
Details