Daily Brief

2024-01-18 09:27:12 thehackernews CYBERCRIME Multiple UEFI Vulnerabilities Threaten Millions of Devices
Security flaws branded PixieFail have been found in the open-source reference implementation of the UEFI specification that is widely used in computers. Nine vulnerabilities in TianoCore EFI Development Kit II (EDK II) could lead to remote code execution, denial-of-service attacks, DNS cache poisoning, and data leaks. UEFI firmware from major manufacturers such as AMI, Intel, Insyde, and Phoenix Technologies could be compromised through these issues. The flaws exist in EDK II's NetworkPkg and affect both IPv4 and IPv6, enabling potential attacks even before the operating system boots. Quarkslab identified weaknesses ranging from overflow bugs to weak pseudorandom number generation that could facilitate information theft and network exploits. The CERT Coordination Center has issued advisories regarding these vulnerabilities, stating that local or remote attackers could exploit them under certain conditions. For the security community, the implication is the need to patch and update firmware to prevent exploitation of these vulnerabilities.
2024-01-18 04:20:55 thehackernews NATION STATE ACTIVITY Iranian Hackers Target Experts in Middle East Espionage Campaign
A sophisticated Iranian cyber espionage group, known as Mint Sandstorm, is targeting academics and experts on Middle Eastern affairs across several countries. Microsoft Threat Intelligence has identified the group's new tactics, including the use of a previously unknown backdoor, MediaPl. Attacks focus on individuals with knowledge of the Israel-Hamas conflict, using social engineering with phishing emails posing as journalists. Mint Sandstorm is linked to Iran's Islamic Revolutionary Guard Corps (IRGC) and employs advanced post-intrusion techniques. The group uses legitimate but compromised email accounts to build trust before delivering malicious links and files. Two custom malware families, MischiefTut and MediaPl, are used for system reconnaissance and for encrypted communication with command-and-control servers. Microsoft warns of the group's growing sophistication in evading detection and maintaining persistent access to compromised systems. The article also references the historical use of cyber tactics in the context of Stuxnet, malware reportedly deployed against an Iranian nuclear facility.
2024-01-18 02:03:34 theregister DATA BREACH Insurance API Flaw Exposes 650K Emails and Office 365 Password
A security researcher discovered a misconfigured server at Toyota Tsusho Insurance Broker India (TTIBI), leading to over 650,000 emails being exposed. The vulnerability was first reported privately to TTIBI five months prior to public disclosure, yet the firm had still not changed the compromised password. The issue stemmed from a buggy API in an Android app developed by Eicher Motors, which included a client-side email sending mechanism. The exposed API allowed sending emails with any subject and body from a genuine Eicher email address, and server errors revealed the Base64-encoded Office 365 account password. The noreply account used for automated customer emails also granted access to all the emails sent, including sensitive customer information and password reset links. Although the API was fixed to add an authentication check, as of the researcher's last check the password for the email account at risk had not been changed. There has been no immediate response from TTIBI or Eicher Motors regarding the disclosed security lapse and the access to customers' personal data.
2024-01-17 23:26:05 theregister CYBERCRIME GPU Security Flaw Exposes AI Data on Shared Systems
A security vulnerability in GPUs from Apple, Qualcomm, AMD, and possibly Imagination allows unauthorized access to data on shared systems. The flaw, tracked as CVE-2023-4969 and named LeftoverLocals, permits attackers to spy on machine-learning models, including language models, by exploiting memory isolation failures. Attackers on shared servers can observe and potentially steal sensitive data used by machine-learning applications, with around 5.5 MB leakable per GPU invocation. The exploit requires the ability to run code on the shared GPU and is a concern for cloud-based AI systems because of the volume of sensitive data they process. The Trail of Bits research team disclosed the vulnerability to vendors and the CERT Coordination Center in September 2023, and mitigations are being rolled out. AMD is releasing driver updates with mitigations starting in March, Google has patched ChromeOS devices affected by the flaw, and Apple has fixes for certain processors. Unlike GPUs from Apple, Qualcomm, AMD, and Imagination, Nvidia and Arm GPUs are not affected by this particular security issue.
2024-01-17 22:09:14 bleepingcomputer DATA BREACH Have I Been Pwned Integrates 71 Million Compromised Emails
Have I Been Pwned has added nearly 71 million email addresses from the compromised Naz.API dataset to its breach notification service. The Naz.API dataset, unrelated to NAS devices, comprises over 1 billion stolen credentials from credential stuffing and information-stealing malware. Credential stuffing lists contain pilfered login details reused to access other sites, while information-stealing malware targets a variety of data from infected computers. Illicit.services, an OSINT platform, had utilized the Naz.API dataset and was initially shut down due to abuse but later reopened. The collected data includes various personal details and is traded, used for cyberattacks, or given away to build a hacker's reputation. Troy Hunt of Have I Been Pwned received the dataset from a tech company addressing a bug bounty submission, which contained his own outdated password. Users are advised to change passwords for all accounts storing sensitive information and move cryptocurrency to new wallets due to potential exposure.
2024-01-17 20:42:46 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Use New MediaPl Malware Against Researchers
Iranian state-backed hackers, linked to the APT35 group, have launched spearphishing attacks on researchers and university staff in Europe and the US to deploy the new MediaPl malware. Microsoft has identified this subgroup of APT35, also known as Charming Kitten or Phosphorus, as using sophisticated phishing emails to socially engineer targets. The MediaPl backdoor is designed to resemble Windows Media Player and uses encrypted communication with its command-and-control server to avoid detection. Additionally, MischiefTut, a PowerShell-based malware, assists in dropping tools and performing reconnaissance on infected systems. The campaign focuses on stealing sensitive information from high-value targets and appears particularly interested in individuals with insights into Middle Eastern affairs. APT35 has a history of backdooring various companies using the previously unknown Sponsor malware and of targeting macOS systems with NokNok malware. Another Iranian group, known as APT33, has been targeting defense organizations and contractors globally with password spray attacks and the new FalseFont malware since February 2023.
2024-01-17 18:55:24 bleepingcomputer MALWARE Bigpanzi Botnet Compromises Over 170,000 Android TV Boxes
Bigpanzi, a covert cybercrime syndicate, has infected 170,000 Android TV and eCos set-top boxes, turning them into bots since at least 2015. The botnet, primarily affecting Brazil, spreads its malware through fake firmware updates and backdoored apps, according to Qianxin Xlabs. Bigpanzi monetizes the botnet by engaging in illegal streaming, traffic proxying, DDoS attacks, and providing over-the-top (OTT) content. The malware, pandoraspear, functions as a backdoor trojan enabling DNS hijacking, command execution, and communication with a command-and-control server. Another malware tool, pcdn, creates a P2P content distribution network (CDN) with DDoS capabilities, adding another attack vector. Xlabs, after hijacking two C2 domains, observed 170,000 daily active bots and over 1.3 million unique IPs since August, indicating a potentially larger network. The vast operations of Bigpanzi suggest only a fraction of its activities and scale have been uncovered, and cybersecurity analysts are continuing their investigations. Artifacts linked to a suspicious YouTube channel were found, but no specific attributions have been publicly disclosed, with details likely reserved for law enforcement.
2024-01-17 18:34:25 bleepingcomputer CYBERCRIME Urgent Patching Required for Citrix and Chrome Zero-Days Exploited in Attacks
CISA mandates U.S. federal agencies to patch Citrix and Chrome vulnerabilities exploited in ongoing attacks, prioritizing a Citrix RCE bug. The Citrix vulnerabilities impact NetScaler ADC and Gateway appliances, which may allow remote code execution and denial-of-service attacks. Federal agencies are given one week to patch the highlighted Citrix RCE vulnerability, with a deadline set for January 24th. CISA also included an actively exploited Chrome zero-day in its Known Exploited Vulnerabilities Catalog, expanding the scope of concern. Over 51,000 NetScaler appliances are exposed online, and only a fraction have secured their management interfaces. While federal agencies are under a binding operational directive, CISA strongly advises all organizations to patch these flaws promptly. Temporary workarounds include blocking network traffic to affected instances and ensuring they're not accessible online until patches are applied.
2024-01-17 18:08:36 bleepingcomputer MALWARE Innovative Scripts to Detect iOS Spyware Through Shutdown Logs
Security researchers have developed iShutdown scripts that use the Shutdown.log file to detect spyware on iOS devices. The method allows the identification of high-profile spyware such as Pegasus, Reign, and Predator by analyzing reboot event logs. Kaspersky released Python scripts to automate this analysis, offering a simpler alternative to traditional forensic techniques. The reliability of the method has been confirmed through testing with iPhones infected with the Pegasus spyware. Kaspersky emphasizes the necessity of routine reboots after potential infections to ensure the method's effectiveness. The scripts provided by Kaspersky require some technical knowledge for proper application and for analysis of the results. Delays registered in the Shutdown.log file can be indicative of spyware infection, with multiple delays warranting further investigation. This technique has shown consistent results in identifying malware when the infected device is rebooted sufficiently often.
2024-01-17 15:33:48 bleepingcomputer CYBERCRIME New 'LeftoverLocals' Vulnerability Exposes GPU Data Leaks
A vulnerability, known as 'LeftoverLocals', has been identified that allows data retrieval from the local memory of popular GPUs. Affected manufacturers include AMD, Apple, Qualcomm, and Imagination Technologies, impacting AI and machine learning applications. The vulnerability (CVE-2023-4969) was discovered by Trail of Bits researchers, who reported the issue privately before making it public. LeftoverLocals exploits insufficient memory isolation in GPU frameworks, enabling unauthorized access to sensitive computational data. Attackers can employ a listener GPU kernel to dump data left in local memory by another kernel, which can include inputs, outputs, and weights of machine learning models. Trail of Bits demonstrated the vulnerability with a proof of concept showing substantial data recovery per GPU invocation. Remediation efforts are in progress; some vendors have issued fixes, while others are still developing mitigation strategies, with suggestions for automatic memory clearing between kernel executions.
2024-01-17 15:07:56 bleepingcomputer MISCELLANEOUS Leveraging Open Source Tools for Effective Cybersecurity with Wazuh
Cybersecurity architecture is crucial for protecting an organization’s information systems against a wide array of cyber threats. Implementing a robust cybersecurity framework can be costly, making open source solutions a viable alternative for SMEs. Open source software (OSS) offers cost-effectiveness, flexibility, and community-driven enhancements, benefiting from collective expertise. Key cybersecurity tools within an architecture include solutions for endpoint, application, and network security, as well as monitoring and compliance. Open source projects allow organizations to customize their cybersecurity infrastructure while saving on licensing fees associated with proprietary solutions. Wazuh is an open source security solution that provides SIEM and XDR capabilities, supporting virtualized, on-premises, cloud-based, and containerized environments. Wazuh's platform offers real-time data correlation, intrusion detection, vulnerability detection, file integrity monitoring, and compliance monitoring. With over 20 million annual downloads, Wazuh garners extensive support and contributions from the open source community, enhancing its functionality and scalability.
2024-01-17 15:02:30 theregister CYBERCRIME Extortion Bot Misleads Victims About Database Backups Post-Attack
Security researchers have discovered an extortion bot that wipes public PostgreSQL and MySQL databases with weak passwords within hours of internet exposure. The bot falsely claims to back up all data but only saves the first 20 rows of each table before deleting them, leaving a ransom note demanding payment for data recovery. Victims who pay the ransom do not recover their full data as the backups are incomplete; the bot has netted over $3,000 in a single week from six victims. The bot's activity is linked to a digital wallet containing nearly $3 million, suggesting the perpetrators' involvement in more extensive cybercrime operations. The bot operates by brute-forcing databases, dropping tables, terminating backend processes, and attempting to shut down servers after the attack. The global presence of millions of public-facing Postgres and MySQL servers presents a significant target pool for the bot, with security experts urging the use of strong passwords to prevent attacks. Researchers highlight that exposing databases to the public internet—even in cloud services or via Docker—increases the risk, underscoring the importance of secure configurations.
2024-01-17 14:01:22 thehackernews MISCELLANEOUS Wing Security Enhances SaaS AI Application Risk Management
Wing Security is now providing free discovery and a paid service to mitigate risks in AI and SaaS applications to protect intellectual property and sensitive data. A staggering 83.2% of surveyed companies use GenAI applications and 99.7% employ SaaS applications that leverage AI, exposing them to security risks often overlooked by security teams. Wing Security has categorized the risks of AI usage in applications, including concerns over long-term data storage, model training using proprietary data, and potential knowledge leaks. The company offers an automated solution following a three-step process: Know (discovery of AI-powered apps), Assess (security scoring and data usage analysis), and Control (addressing critical issues). Automating these processes allows security teams to focus on priorities and reduce risks, while fostering a positive security culture by involving end users in secure SaaS AI usage. Wing's solution is part of their wider approach to confront the new challenges brought by the integration of AI in omnipresent SaaS applications, while balancing productivity benefits and security risks.
2024-01-17 13:55:42 thehackernews MALWARE Vulnerabilities in PAX PoS Terminals Expose Transaction Data
PAX Technology PoS terminals are affected by high-severity vulnerabilities that allow arbitrary code execution. The STM Cyber R&D team discovered the vulnerabilities by reverse engineering the Android-based devices, highlighting six significant flaws. Attackers could potentially gain root privileges, bypass sandboxing, and interfere with payment transactions. To exploit certain vulnerabilities, attackers require either shell access or physical USB access to the devices. One of the disclosed flaws, CVE-2023-42133, has its details withheld, while the others are publicly listed. PAX Technology was informed about the vulnerabilities in May 2023, and patches were released in November 2023. The vulnerabilities, if exploited, could allow attackers to modify transaction amounts during payment processing.
2024-01-17 11:48:26 theregister MISCELLANEOUS Recent Windows Server Update Disrupts Chrome and Other Apps
The Windows Server 2022 patch KB5034129, intended as a security update, is causing disruption with applications, notably Google Chrome. Users report that Chrome fails to launch or displays as a blank white box after installing the update; similar problems extend to other Chromium-based browsers and tools. The issue appears to stem from the patch's interaction with the graphics subsystem, as indicated by GPU-related error logs from Chrome. Microsoft has acknowledged the issue and is currently investigating, although its official support page has not yet been updated to reflect any known issues. As a workaround, affected administrators have been either uninstalling the update, which poses a security risk, or making registry edits, which could potentially destabilize the Windows installation. The situation highlights the challenge administrators face in balancing essential security updates against operational stability for widely used applications. Microsoft and Google have been contacted for comment, with further updates from the companies pending.