Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12651
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-17 11:22:24 | thehackernews | CYBERCRIME | CISA and FBI Issue Alert on AndroxGh0st Botnet Credential Theft | U.S. CISA and FBI have issued warnings about the AndroxGh0st malware used in a botnet targeting credentials for services like AWS, Azure, and Office 365. AndroxGh0st is a Python-based malware initially identified by Lacework in December 2022, and has inspired similar tools aimed at penetrating servers using known vulnerabilities. Attackers exploit vulnerabilities such as CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133 to infiltrate servers for Laravel environment files and credential theft. The malware possesses capabilities for SMTP abuse, including scanning for exposed credentials, exploitation of APIs, and deploying web shells for persistent access. AndroxGh0st also targets AWS by scanning for keys and has brute-force functionalities for generating new keys if needed. The alert follows reports by SentinelOne on the FBot tool and NETSCOUT on a surge in botnet scanning activity, with the majority of activities traced back to the U.S., China, Vietnam, Taiwan, and Russia. Attackers increasingly use cheap or free cloud and hosting servers to launch botnets, offering them anonymity and requiring minimal overhead. | Details |
| 2024-01-17 11:01:46 | thehackernews | CYBERCRIME | Upcoming Webinar Sheds Light on Hacker Privilege Escalation Tactics | The webinar titled "The Art of Privilege Escalation How Hackers Become Admins" is designed to enhance the knowledge of IT security professionals. Privilege escalation is highlighted as a significant threat where attackers gain high-level access, leading to a network takeover. The webinar aims to educate on anticipating and defending against such cyber threats to improve digital security strategies. Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea, will be delivering expert insights during the session. The announcement emphasizes the importance of transforming cybersecurity approaches to protect organizations effectively. Additional resources include a report on the threat of malicious browser extensions and insights into implementing Zero Trust security to minimize attack surfaces. | Details |
| 2024-01-17 10:25:53 | thehackernews | CYBERCRIME | Lightweight iShutdown Method Detects iPhone Spyware Infection | Cybersecurity researchers have developed iShutdown, a new method to detect spyware on iOS devices. The method locates traces of spyware like Pegasus in a system log file that documents each reboot event. Kaspersky's analysis discovered reboot delays and file paths in "Shutdown.log" indicating spyware activity. Sticky processes associated with spyware cause reboot delays, serving as indicators of compromise. The efficiency of iShutdown depends on the frequency of device reboots, linked to the user's threat profile. Kaspersky released Python scripts to help extract and analyze log files for anomalies. The log file can keep entries for years, proving to be a significant forensic tool to identify irregular activities. Separate research warned about the rapid evolution of macOS malware outpacing Apple's XProtect antivirus. | Details |
| 2024-01-17 09:34:47 | theregister | DATA BREACH | UK Regulator Fines Companies for Illegal Marketing Calls | The Information Commissioner's Office (ICO) has issued fines to Poxell Ltd and Skean Homes Ltd for making unauthorized marketing calls to individuals registered with the Telephone Preference Service (TPS). Poxell Ltd, focusing on energy-saving products, was fined £150,000 for 2.6 million calls made between March and July 2022, resulting in 413 complaints about aggressive sales tactics. Skean Homes Ltd incurred a £100,000 fine for over 600,000 calls made between March and May 2022, wrongly claiming that a lead generation provider made the calls due to a technical error. Both companies violated the Privacy and Electronic Communications Regulations 2003 by not respecting the TPS 'do not call' register. Andy Curry, head of investigations at the ICO, emphasized the entities' legal breaches and the distress caused to individuals by disregarding their choice for privacy. The ICO warns that it will take strong measures against companies that dodge rules via third parties or multiple phone numbers for making illegal calls. The continued breaches suggest that fines are not deterring companies from targeting individuals registered with TPS, with expectations of further instances. | Details |
| 2024-01-17 07:42:32 | thehackernews | DATA BREACH | GitHub Acts Promptly to Rotate Keys After Critical Flaw Exposed | GitHub identified and swiftly addressed a high-severity security vulnerability on December 26, 2023, which could have allowed unauthorized access to sensitive credentials. Following the discovery of the vulnerability, tracked as CVE-2024-0200, GitHub proactively rotated potentially compromised keys, including commit signing and customer encryption keys. The issue affected GitHub Enterprise Server (GHES) and required an authenticated user with an organization owner role for potential exploitation. Patches were released for the "unsafe reflection" vulnerability in multiple GHES versions to prevent reflection injection and remote code execution. Another high-severity issue tracked as CVE-2024-0507 was also addressed, involving privilege escalation through command injection in the Management Console. GitHub's recent history of preemptive security measures includes the replacement of an RSA SSH host key following inadvertent exposure in a public repository. The incident underlines the importance of rapid and decisive action in the detection and mitigation of security threats, demonstrating GitHub's commitment to maintaining platform security. | Details |
| 2024-01-17 06:30:58 | theregister | CYBERCRIME | Scammers Exploit .cloud Domains for Fake Health Product Scams | Netcraft reports that scammers are utilizing cheap .cloud and .sbs domain names for hosting fraudulent health product sites. These scammers create fake news stories mimicking reputable outlets, falsely claiming endorsement from shows like Shark Tank. The low cost of new gTLD domains aids criminals in spreading their scams across numerous domains, complicating countermeasures. .sbs, formerly associated with Australia's Special Broadcasting Service, is now frequently used for such health product scams. A significant spike in scam activity was observed in the summer of 2023, with thousands of distinct IP addresses involved. Over half of .sbs domain registrations in some months were connected to dubious health sites, and around 30% for .cloud names throughout 2023. This type of cybercrime has drawn attention from authorities like the US Federal Trade Commission, which has warned the public about fake celebrity endorsements. | Details |
| 2024-01-17 04:18:42 | thehackernews | MALWARE | Patches Released for Critical Vulnerabilities in Citrix, VMware, and Atlassian | Citrix has issued warnings and patches for two zero-day security vulnerabilities (CVE-2023-3519 and CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway, currently being exploited in the wild. Users of affected versions are urged to upgrade to a supported version with patches and advised not to expose the management interface to the internet to mitigate risk. VMware disclosed a critical security vulnerability (CVE-2023-34063) in Aria Automation, allowing authenticated attackers to gain unauthorized access. The flaw is characterized by a "missing access control" issue. VMware customers must apply a specific patch and follow a supported upgrade path to version 8.16, as certain intermediate versions may reintroduce the vulnerability. Atlassian released patches for a critical RCE flaw (CVE-2023-22527) in Confluence Data Center and Server, with a maximum severity CVSS score of 10.0. The vulnerability allows template injection leading to RCE by an unauthenticated attacker. The RCE issue is resolved in Confluence versions 8.5.4, 8.5.5, 8.6.0, 8.7.1, and 8.7.2, with Atlassian urging users to update their installations immediately to the latest version. Separate reports highlight the danger of malicious browser extensions and discuss strategies, including the adoption of Zero Trust security to minimize the attack surface. | Details |
| 2024-01-17 03:02:17 | theregister | MISCELLANEOUS | Nokia Targets US Government Contracts Amid Chinese Tech Concerns | Finnish telecom giant Nokia has launched a new business unit in the USA, Nokia Federal Solutions, focused on selling to the U.S. government. The move capitalizes on U.S. efforts to remove Chinese-made equipment from national networks due to security fears, specifically targeting telecom providers Huawei and ZTE. The U.S. has not only barred Huawei and ZTE from importing U.S. tech but has also pressured allies to exclude Chinese telecom equipment from their infrastructure. Although Huawei has denied any wrongdoing, U.S. concerns are fueled by Chinese laws that could compel companies to share information with the government. Nokia sees an opportunity in the American preference for non-Chinese technology in critical infrastructure, particularly given that the U.S. lacks major domestic players in RAN technology. Nokia Federal Solutions will offer typical telecom technologies as well as "tactical private wireless" systems for military use, recently acquired from Fenix Group. The establishment of this dedicated entity is a strategic move by Nokia to secure lucrative contracts with the U.S. government by addressing national security concerns. | Details |
| 2024-01-17 02:25:42 | thehackernews | MALWARE | Google Patches Actively Exploited Chrome Zero-Day Vulnerability | Google has released an update to fix a zero-day vulnerability in the Chrome browser that was actively being exploited by attackers. The vulnerability is identified as CVE-2024-0519 and involves an out-of-bounds memory access in the V8 JavaScript engine that could lead to heap corruption. Attackers exploiting this flaw could bypass security mechanisms, potentially leading to code execution beyond just causing a denial of service. Detailed information about the attacks and the identities of the threat actors has been withheld to prevent further exploitation. The flaw was anonymously reported, and Chrome users must update to the latest versions provided for Windows, macOS, and Linux to protect against the risk. This is the first zero-day vulnerability in Chrome reported in 2024, following eight similar issues rectified by Google in the previous year. Users of other Chromium-based browsers are encouraged to stay vigilant and apply relevant updates as they are made available. | Details |
| 2024-01-17 01:34:40 | theregister | MALWARE | FBI Warns of Androxgh0st Botnet Exploiting Old Vulnerabilities | The FBI and CISA have released a joint warning about Androxgh0st malware, which targets cloud service credentials. Androxgh0st exploits old vulnerabilities in popular frameworks and servers, including PHPUnit, Laravel, and Apache HTTP Server. The malware primarily targets .env files to obtain user credentials for services like AWS, Office 365, SendGrid, and Twilio. Attackers have been observed using the stolen credentials to create new AWS users and instances for further malicious activities. The US government agencies recommend updating systems and software, denying all unnecessary URI requests, and regularly reviewing .env files for unauthorized access. Suggested mitigations also include making sure Apache servers run secure versions and maintaining updated OS, software, and firmware. The security alert provides indicators of compromise and suggests one-time and regular reviews of stored cloud credentials to identify potential unauthorized use. | Details |
| 2024-01-16 22:21:01 | bleepingcomputer | DATA BREACH | GitHub Responds to Vulnerability by Rotating Exposed Keys | GitHub addressed a vulnerability allowing attackers to access credentials in production containers via environment variables. The issue, tracked as CVE-2024-0200, could lead to remote code execution on unpatched servers and was patched in various GitHub Enterprise Server versions. The exploit required authentication with an organization owner role, limiting its potential for abuse. GitHub rotated all potentially exposed credentials as a preventative measure, even though the vulnerability was believed to be unexploited previously. Users dependent on specific GitHub keys, like the commit signing key and encryption keys for GitHub Actions and Dependabot, must import new public keys. GitHub advises regular API checks for public keys to ensure the use of up-to-date credentials. An additional high-severity command injection vulnerability, CVE-2024-0507, was also patched, which could allow privilege escalation. GitHub has a history of key rotation and revocation due to previous incidents of exposed or stolen secrets. | Details |
| 2024-01-16 21:29:39 | bleepingcomputer | MALWARE | macOS Malware Continuously Evolves to Circumvent XProtect Detection | macOS information-stealers are rapidly evolving to escape detection by the built-in anti-malware system, XProtect, despite frequent malware database updates. SentinelOne's report identified three significant examples of such malware: KeySteal, Atomic Stealer, and CherryPie, each employing methods to bypass XProtect and most antivirus engines. KeySteal, an info-stealer targeting Apple's Keychain, has changed enough since Apple's last signature update to avoid detection, leveraging hardcoded command and control addresses. Atomic Stealer now uses cleartext AppleScript rather than code obfuscation, includes checks to prevent execution on virtual machines, and disables the Terminal app to avoid analysis. CherryPie, also a cross-platform info-stealer, employs anti-analysis, VM detection, and admin privileges to deactivate Gatekeeper, although recent XProtect updates have improved detection. Overall, the rapid evolution of these information-stealers against static security measures like XProtect underscores the need for dynamic or heuristic antivirus solutions and a layered security approach. Enhanced network monitoring, firewalls, and consistent application of security updates are recommended to bolster defenses against these adapting threats. | Details |
| 2024-01-16 20:38:10 | bleepingcomputer | CYBERCRIME | Citrix Patches Zero-Day Vulnerabilities Exploited in Recent Attacks | Citrix has warned customers to immediately patch two zero-day vulnerabilities in NetScaler ADC and Gateway appliances to prevent exploitation. Identified as CVE-2023-6548 and CVE-2023-6549, the security flaws could lead to remote code execution and denial-of-service attacks. Attackers require low-privilege user access and management interface access to exploit these vulnerabilities for remote code execution. The zero-days only affect customer-managed NetScaler appliances, not Citrix-managed cloud services or adaptive authentication solutions. Over 1,500 NetScaler management interfaces are currently exposed online, as per data from Shadowserver. Citrix emphasizes the importance of installing updated versions immediately and advises customers using end-of-life software to upgrade to supported versions. In the absence of immediate update capabilities, Citrix advises blocking network traffic to affected instances and avoiding exposure of the management interface to the internet. Previous NetScaler vulnerabilities have been exploited by threat groups targeting government and large tech companies, highlighting the critical need for timely updates. | Details |
| 2024-01-16 20:17:35 | theregister | CYBERCRIME | Enhancing Edge Security with Zero Trust Solutions Webinar | The expanding attack surface presents new challenges in protecting the network edge as more processes migrate to distributed sites. Traditional, centralized data centers with robust controls are more secure than distributed edge locations. Long supply chains and the lack of dedicated IT security professionals at the edge increase risks, especially in sectors like healthcare, energy, and manufacturing. Data breaches at the edge can have immediate and significant impacts on daily operations and regulatory compliance. Dell Technologies' webinar, featuring Jeroen Mackenbach, highlights the need for a Zero Trust security approach at the edge, with continuous verification of devices. The webinar explains that visibility and automation are critical components of a successful Zero Trust strategy to manage and mitigate cybersecurity threats. Dell's NativeEdge platform offers a solution to address edge security challenges by reducing attack surfaces and enhancing visibility and control. | Details |
| 2024-01-16 19:16:18 | bleepingcomputer | MALWARE | Google Patches Actively Exploited Chrome Zero-Day Vulnerability | Google addressed a high-severity Chrome zero-day exploited in the wild, designated CVE-2024-0519. The vulnerability resides in Chrome's V8 JavaScript engine, leading to out-of-bounds memory access. Updated Chrome versions were released for Windows, Mac, and Linux platforms, less than a week after reporting. Google has yet to disclose specific details about the attacks exploiting the zero-day. The update is distributed worldwide and available immediately, with automatic updates following. The flaw could allow attackers to bypass protection mechanisms like ASLR and enable code execution via other weaknesses. In addition to CVE-2024-0519, Google fixed other significant flaws, such as CVE-2024-0517 and CVE-2024-0518. Last year, Google rectified eight zero-day bugs, some of which were utilized to deploy spyware on devices of high-risk individuals. | Details |