Daily Brief

2024-01-19 19:30:13 bleepingcomputer CYBERCRIME CISA Directs Immediate Action Against Ivanti Zero-Day Threats
CISA has issued an emergency directive due to active exploitation of two critical Ivanti zero-day vulnerabilities, namely CVE-2023-46805 and CVE-2024-21887. Federal Civilian Executive Branch agencies are ordered to swiftly implement Ivanti's mitigation measures to thwart ongoing attacks. Ivanti has not released patches for these vulnerabilities, prompting CISA to classify the situation as posing an "unacceptable risk." The Shadowserver service is tracking over 16,200 Internet-exposed Ivanti ICS VPN appliances globally, with more than 600 confirmed compromises. Volexity reports that a Chinese state-backed threat actor has backdoored over 2,100 Ivanti appliances, deploying malware including cryptocurrency miners. The ongoing cyber attacks have affected a diverse range of organizations, from small businesses to Fortune 500 companies across various industry sectors, including government and military.
2024-01-19 17:17:30 bleepingcomputer DATA BREACH FTC Settles with Data Broker InMarket to Halt Location Data Sales
The U.S. Federal Trade Commission (FTC) has settled with InMarket Media, prohibiting the sale of Americans' precise location data. InMarket Media, a Texas-based data company, has been aggregating and monetizing location data via proprietary and third-party apps. The FTC complaint reveals that InMarket's apps were installed on over 30 million unique devices since 2017, while their SDK was used in over 300 third-party apps. InMarket's data practices created detailed advertising profiles in 2,000 categories without proper user consent, raising privacy concerns. The FTC criticizes InMarket's five-year data retention policy as excessive and risky, prompting regulatory action to protect consumer privacy. The proposed FTC order demands that InMarket cease selling, licensing, or sharing products or services based on sensitive location data. This FTC case against InMarket follows a recent similar action barring X-Mode Social from engaging in location data sales from its SDK-using apps.
2024-01-19 16:36:18 bleepingcomputer NATION STATE ACTIVITY Chinese Group Exploited VMware Flaw for Espionage for Two Years
Chinese hackers, identified as UNC3886, exploited the CVE-2023-34048 vulnerability in VMware vCenter Server for espionage. The zero-day exploit was used since late 2021 but was only patched by VMware in October 2023 after the issue came to light. VMware acknowledged the in-the-wild exploitation of the vulnerability without giving details, while Mandiant connected it to UNC3886's activities. The attackers deployed VirtualPita and VirtualPie backdoors after gaining access to vCenter servers using compromised credentials. Following the initial breach, the hackers used another exploit, CVE-2023-20867, to escalate privileges and exfiltrate data from guest VMs. Mandiant noticed the exploitation trail back in late 2021 and early 2022, characterized by vmdird service crashes followed by deliberate removal of crash logs. UNC3886 specializes in targeting the defense, government, telecom, and technology sectors, primarily in the US and APJ region. The same group had previously leveraged a Fortinet zero-day to install sophisticated backdoors on compromised systems, showing their advanced capabilities.
2024-01-19 14:37:01 bleepingcomputer DATA BREACH Major Apparel Company VF Corp Reports Ransomware-Linked Data Breach
VF Corporation disclosed a ransomware attack that compromised the personal information of over 35 million customers, but no sensitive financial data was breached. The attack, which occurred in December 2023, did not result in stolen consumer passwords, according to VF Corp's ongoing investigation. The cybersecurity incident forced VF Corp to shut down certain IT systems, disrupting retail inventory replenishment and causing delays in order fulfillment. Although significant IT systems have been restored, VF Corp continues to manage minor operational impacts from the breach. VF Corp claims to have removed the threat actor from its systems on December 15, 2023, and currently operates its retail stores and online platforms with minimal issues. There has been no information from VF Corp regarding notification to affected customers or details about the specific types of personal data compromised. VF Corp is collaborating with law enforcement and regulatory authorities to thoroughly investigate the breach and its repercussions.
2024-01-19 14:01:16 theregister DATA BREACH VF Corporation Reports Massive Customer Data Theft Incident
VF Corporation, owner of Vans and other major brands, disclosed a data breach affecting 35.5 million customers. The breach occurred in December, but specific details about the compromised data haven't been disclosed to the public. VF Corp assures that SSNs, bank information, and payment card details were not at risk as they are not stored on their IT systems. There is no evidence so far that customer passwords were accessed, but the investigation is still ongoing. The cyberattack caused disruptions, impacting the company’s ability to fulfill orders and replenish inventories, leading to customer order cancellations. VF Corp has mostly restored its IT systems and operations, though some minor residual impacts remain. Suspicions of ransomware involvement exist due to system encryption and claims by the AlphV/BlackCat gang, but the company has not confirmed this.
2024-01-19 13:25:12 bleepingcomputer CYBERCRIME VMware vCenter Vulnerability Actively Exploited, Prompting Security Alert
VMware has confirmed active exploitation of a critical vCenter Server remote code execution vulnerability, identified as CVE-2023-34048. The vulnerability, resulting from an out-of-bounds write error in the DCE/RPC protocol implementation, can be exploited remotely without authentication. The company has taken the unusual step of issuing patches for multiple unsupported, end-of-life products due to the severity of the threat. Network access brokers are targeting VMware servers to facilitate ransomware attacks by various notorious groups, such as Royal and LockBit. Over 2,000 VMware vCenter servers exposed online could be at risk, necessitating immediate patches and strict control of network perimeter access. VMware has released patches for other high-severity vulnerabilities throughout the year, indicating a trend in critical security issues affecting their platforms. The company recommends strict network perimeter access control for vSphere management components to mitigate the risk and protect against future attacks.
2024-01-19 12:54:25 thehackernews MALWARE macOS Users Targeted with Backdoor in Pirated Software Downloads
macOS backdoors are being distributed through pirated software on Chinese websites, potentially compromising users' devices. Researchers from Jamf Threat Labs discovered malicious payloads within popular applications like Navicat Premium, UltraEdit, and Microsoft Remote Desktop. The malware includes a dropper and a fully-featured backdoor that establishes persistence and enables remote control. The backdoor, part of the Khepri post-exploitation toolkit, is positioned in a temporary directory, suggesting it reinstalls upon each reboot via the pirated app. A downloader component ensures malware persistence and communicates with an actor-controlled server for additional payload retrieval. The compromised applications are not signed, increasing the risk for users bypassing macOS security measures to install pirated software. Similarities between this malware campaign and previous ZuRu malware suggest a potential evolution of threat actors' tactics.
2024-01-19 11:32:59 thehackernews MISCELLANEOUS Essential Backup and Recovery Tactics for Exchange Admins
Data is a crucial asset for organizations, and protecting it within Exchange Server environments is critical due to threats like cyberattacks, hardware failure, and human errors. Ransomware attacks targeting vulnerabilities like ProxyLogon in Exchange Servers are a significant cause of data loss. The role of Exchange Server administrators has expanded to protect organizational data against sophisticated cyber threats and manage increased data volumes. Data loss can result in severe consequences including financial losses, reputational damage, operational downtime, potential business closure, and regulatory fines. A comprehensive backup strategy, including VSS-based backups, a combination of full and incremental backups, transaction log management, circular logging, and adherence to the 3-2-1 backup rule, is crucial to safeguard against data loss. Proactive best practices and recovery strategies—including recovery databases, Exchange's native data protection features, dial tone portability, and Exchange recovery tools—are essential for quick data restoration and maintaining business continuity. Administrators need to navigate the complexity of modern Exchange Server environments by developing robust backup and recovery plans and adopting proactive security measures.
2024-01-19 07:48:45 thehackernews MALWARE Sophisticated Malware Hidden in npm Module Breaches Windows Security
A malevolent npm package named "oscompatible" has been discovered distributing a remote access trojan to Windows systems. Once activated, it checks for admin rights, and if absent, uses a legitimate Microsoft process to gain elevated privileges. The trojan uses DLL search order hijacking to decrypt additional payloads including the AnyDesk remote access tool and a custom trojan. The malware establishes communications with a remote server to retrieve instructions and has extensive capabilities like disabling system shutdown and capturing user input. The incident highlights a growing trend of attackers exploiting open-source software supply chains to orchestrate sophisticated cyber attacks. Security firm Aqua's research shows that deprecated npm packages, with potential security flaws, are downloaded billions of times weekly, creating serious security gaps. Industry experts warn against the risks of not properly marking npm packages as deprecated, leaving users exposed to hidden threats.
2024-01-19 06:46:49 theregister CYBERCRIME IT Consultant Penalized for Uncovering Security Flaws
A German IT consultant was fined €3,000 for accessing and reporting a vulnerability in an e-commerce database. The database contained approximately 700,000 customer records and was easily accessible due to a plaintext password. The security flaw was published in a report by e-commerce writer Mark Steier, which led to a swift but inadequate response by Modern Solution. Modern Solution claimed limited customer data exposure, but allegations suggest a more extensive data breach. In September 2021 the consultant's computers were seized, leading to a charge of unlawful data access. Initially, the district court sided with the consultant, but the verdict was reversed, resulting in his sentencing to a fine and court costs. The verdict, criticized for its impact on security research, is not yet legally binding, and the consultant intends to appeal.
2024-01-19 05:00:01 thehackernews CYBERCRIME CISA Warns of Actively Exploited Critical Ivanti EPMM Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical flaw in Ivanti Endpoint Manager Mobile (EPMM). The vulnerability, CVE-2023-35082, is an authentication bypass with a 9.8 CVSS score and allows unauthorized remote access to personal data and server modifications. Ivanti's older vulnerabilities, CVE-2023-35078 and CVE-2023-35081, have also been cited as part of attack chains allowing for malicious web shell file uploads. Federal agencies are advised to apply patches to the affected Ivanti EPMM versions by February 8, 2024, to prevent potential breaches. In a separate incident, Ivanti has warned of mass exploitation in Ivanti Connect Secure (ICS) VPN devices, urging customers to rotate configuration secrets post-rebuild. Over 1,700 compromised devices have been identified globally, with initial attacks linked to a suspected Chinese threat actor and now involving multiple threat actors. Researchers at Assetnote discovered an additional exploitable endpoint in older ICS versions, highlighting the risks of seemingly simple security oversights in VPN devices.
2024-01-19 02:47:33 theregister NATION STATE ACTIVITY US Warns of Potential Chinese Surveillance via Drones
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that Chinese-made drones might be used for spying. Chinese laws, such as the National Intelligence Law (2017) and Data Security Law (2021), may compel companies to hand over data to the Chinese government. There is a risk that drones operating in critical infrastructure sectors could expose sensitive information to Chinese authorities. CISA and FBI guidance suggests treating drones like IoT devices and securely managing firmware updates and connected accessories to mitigate risks. The US previously grounded its own fleet of drones and has taken action against Chinese drone manufacturers like DJI for security reasons. Concerns include possible exploitation of system vulnerabilities by Chinese authorities and potential IP and security control compromises aiding future cyberattacks.
2024-01-18 21:11:15 bleepingcomputer CYBERCRIME Ransomware Attackers Exploit TeamViewer for Network Breach
Ransomware actors are using TeamViewer, a popular remote access tool, to infiltrate and attack organizational networks. The attackers gain initial access through compromised TeamViewer accounts, bypassing the need to exploit software vulnerabilities. TeamViewer was first reported as a vector for Surprise ransomware delivery in March 2016, with credential stuffing as the probable cause. A recent Huntress report highlights two incidents where the same source used TeamViewer to attempt ransomware deployment using a leaked LockBit ransomware builder. In one compromised endpoint, the ransomware was successfully deployed but contained; in the other, antivirus software thwarted the attack. TeamViewer's security team emphasizes the importance of strong passwords, two-factor authentication, whitelisting, and updating to the latest software versions to prevent unauthorized access. TeamViewer condemns the malicious use of its software and offers guidance on best practices for secure unattended access to its users.
2024-01-18 20:55:32 bleepingcomputer CYBERCRIME Ivanti EPMM Critical Vulnerability Actively Exploited, Agencies at Risk
CISA alerts that a critical authentication bypass bug in Ivanti's device management software is actively being exploited. The flaw, tracked as CVE-2023-35082, allows unauthorized API access and affects several versions of Ivanti's software. Successful exploitation could lead to access to personal information and potential backdoor creation into compromised servers. Organizations are urged to upgrade to a supported version and apply Ivanti's provided RPM script to mitigate risks. Over 6,300 Ivanti EPMM user portals are exposed online, with some pertaining to government agencies. CISA mandates federal agencies to patch the vulnerability by February 2, in line with a 3-year-old operational directive. Multiple Ivanti Connect Secure zero-days are also under mass exploitation, affecting businesses including Fortune 500 companies. Several Ivanti zero-days have been previously exploited in attacks targeting government, defense, and financial sectors.
2024-01-18 19:08:27 theregister CYBERCRIME JPMorgan Repels Billions of Daily Cyber Attacks, Says Executive
JPMorgan Chase, the largest US bank, faces 45 billion cyberattack attempts per day, a figure that's doubled from the previous year. This claim was made by Mary Callahan Erdoes, CEO of asset and wealth management at JPMorgan, during the World Economic Forum in Davos. Despite the volume of attacks, many are likely to be routine scans rather than sophisticated attempts; however, the sheer quantity could obscure truly malicious activity. JPMorgan employs 62,000 technologists, which Erdoes indicates is more than tech giants like Amazon or Google, to counteract these risks and protect the bank's assets. JPMorgan was recently ordered to face a lawsuit for negligent behavior that allowed a $272 million fraud, highlighting the challenge of staying ahead of increasingly sophisticated cybercriminals. The bank's internal technical errors have also led to regulatory fines, such as a $4 million penalty by the SEC for the accidental deletion of millions of subpoenaed emails. Bank of England reports cyberattacks as the top threat perceived by banking executives, emphasizing the critical need for robust cybersecurity measures in the financial sector.