Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12638
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-09 19:34:36 | bleepingcomputer | NATION STATE ACTIVITY | CISA Alerts on Exploited Vulnerabilities Linked to Spyware Campaign | CISA has updated the Known Exploited Vulnerabilities catalog with six flaws found in products from companies like Apple, Adobe, and Apache. The listed vulnerabilities have been actively exploited, and agencies are directed to patch or cease using vulnerable products by January 29. One notable vulnerability, CVE-2023-41990, was used in the 'Operation Triangulation' spyware campaign that has targeted iPhones since 2019. Other vulnerabilities, such as CVE-2023-38203 and CVE-2023-29300, saw hackers exploiting bypasses of vendor patches. CVE-2023-27524 had proof-of-concept exploits made public in September, increasing its risk of exploitation. Federal agencies must audit their systems for these vulnerabilities and apply the necessary patches or countermeasures promptly. | Details |
| 2024-01-09 19:08:50 | bleepingcomputer | CYBERCRIME | Microsoft's January 2024 Updates Patch Multiple RCE Vulnerabilities | Microsoft released patches for 49 security flaws across various products as part of its January 2024 Patch Tuesday. Among the vulnerabilities are 12 remote code execution (RCE) bugs, two of which are classified as critical. A significant flaw fixed is an RCE vulnerability in Microsoft Office related to malicious FBX 3D model files. Another critical bug addressed was a Windows Kerberos Security Feature Bypass, which could allow attackers to bypass authentication. Although no vulnerabilities were actively exploited or publicly disclosed this month, the Office RCE flaw presents a notable risk. The security update covers both Windows and Mac versions of Office applications and disables the ability to insert FBX files. Microsoft's updates come alongside other January 2023 advisories from various tech vendors. | Details |
| 2024-01-09 18:53:11 | bleepingcomputer | CYBERCRIME | Microsoft SQL Servers Compromised in Global Mimic Ransomware Scheme | A Turkish hacker group is attacking Microsoft SQL servers with Mimic ransomware worldwide, particularly in the EU, the US, and Latin America. These attacks, tracked as RE#TURGENCE by Securonix Threat Research, can result in either the sale of access to compromised systems or the delivery of ransomware payloads. Attackers hijacked MSSQL servers through brute-force attacks, leveraging xp_cmdshell to elevate their permissions. They used Cobalt Strike payloads and AnyDesk to maintain access and facilitate lateral movement after harvesting credentials with Mimikatz. The threat actors expanded their control by compromising other network devices and ultimately the domain controller. The Mimic ransomware is deployed via AnyDesk as self-extracting archives that seek out and encrypt files, demanding a ransom through a text note dropped on the infected system. The email address in the ransom note has been linked to previous Phobos ransomware attacks, indicating a connection between the threat groups. This campaign shows similarities to the earlier DB#JAMMER operation, which also targeted MSSQL servers via brute force and deployed ransomware. | Details |
| 2024-01-09 16:50:51 | bleepingcomputer | CYBERCRIME | International Efforts Lead to Arrest of Ransomware Operator | Cisco Talos, in partnership with Dutch police, obtained a decryption tool for the Tortilla variant of Babuk ransomware. The decryption tool had previously been supplied to victims who paid ransoms to the ransomware operator. The Tortilla ransomware operator was identified and arrested thanks to intelligence shared by Cisco Talos. The decryptor contained a single key pair used across all attacks, allowing the creation of a generic decryption tool. Avast incorporated the Tortilla decryption key into its existing Babuk decryptor, making it available for free to affected users. Experts noted that multiple operations have been using Babuk ransomware's code since its source code leaked in 2021. | Details |
| 2024-01-09 16:29:59 | bleepingcomputer | CYBERCRIME | Paraguay Military Issues Alert After Tigo Business Ransomware Attack | Tigo Business in Paraguay, the country's largest mobile carrier, was targeted by a cyberattack affecting cloud and hosting services and triggering outages. Military authorities warned of Black Hunt ransomware attacks following the breach, which specifically impacted corporate clients. Over 330 servers and backups were reportedly encrypted in the attack, disrupting websites, email, and cloud storage for many companies. The General Directorate of Information and Communication Technologies of the Paraguayan Armed Forces quickly issued, then deleted, a warning about the ransomware. The Black Hunt ransomware operation, known for targeting South American companies, began its activities towards the end of 2022. The attackers deploy ransomware that cripples systems through various means, including disabling critical Windows features and security measures. Recovery from the malware requires a full reinstall of Windows, and no data leaks have been observed, despite claims in the ransom notes. | Details |
| 2024-01-09 16:04:11 | thehackernews | MALWARE | Water Curupira Distributes PikaBot Loader in Phishing Sprees | The Water Curupira threat group is actively distributing the PikaBot loader malware through spam campaigns. The phishing campaigns deliver a two-component malware that allows remote access and command execution via a command-and-control (C&C) server. The campaigns began in early 2023, surged again in September, and show similarities to past QakBot-related activity by the groups TA571 and TA577. PikaBot serves as an initial payload delivery mechanism for further malware attacks, such as Cobalt Strike and ultimately ransomware. Attackers use email thread hijacking, inserting malicious links or files into ongoing conversations to trigger the malware. The malware contains language checks that halt execution on systems with Russian or Ukrainian settings, and it gathers system details to send to C&C servers. The primary goal of Water Curupira's campaigns is to deploy Cobalt Strike beacons leading to Black Basta ransomware infections. Despite engaging in DarkGate and IcedID campaigns earlier in the year, the group has since focused exclusively on propagating PikaBot. | Details |
| 2024-01-09 15:02:42 | bleepingcomputer | MISCELLANEOUS | Criminal IP and Tenable Unite for Enhanced Vulnerability Management | Criminal IP, AI SPERA's Cyber Threat Intelligence search engine, has partnered with Tenable for advanced threat analysis and exposure management. The partnership aims to give users a stronger solution for detecting IP asset threats and vulnerabilities by integrating data and tools. IP data from Criminal IP will be fed directly into Tenable Vulnerability Management, enabling thorough aggregation of asset information for threat mitigation. The integration allows detailed IP asset data, such as network subnets and connected domains, to be imported into Tenable for in-depth analysis. Tenable users can run real-time scans to assess and address the severity of vulnerabilities on their assets using the integrated features. The collaboration between AI SPERA and Tenable includes joint marketing initiatives and aims to improve cybersecurity strategies for shared customers. Criminal IP has established various technical and business partnerships and offers its users an attack surface management solution with dashboard access to monitored assets. The partnership's key benefits include streamlined vulnerability assessment, leveraging the joint capabilities of both platforms to proactively manage cyber threats. | Details |
| 2024-01-09 14:52:14 | bleepingcomputer | MISCELLANEOUS | Firefox on Android Displays Blank Page for Google Search | Firefox for Android users encounter a blank page when attempting to access Google Search. The issue is consistent across multiple versions of Firefox Mobile, including Nightly builds, and affects various localized versions of Google. The problem does not appear in Chrome for Android, indicating that this is a Firefox-specific bug. Mozilla engineer Dennis Schubert attributes the issue to server-side User-Agent sniffing by Google's web servers, which serve an empty document to affected Firefox versions. Disabling Enhanced Tracking Protection in Firefox does not resolve the issue, suggesting a deeper compatibility problem. The bug has been escalated as critical, but no fix was available at the time of reporting. Temporary workarounds for affected users include using alternative browsers or search engines, tweaking the user agent string, or forcing desktop site requests. | Details |
| 2024-01-09 14:00:54 | thehackernews | CYBERCRIME | Turkish Hackers Attack Global MS SQL Servers to Sell Access or Deploy Ransomware | Turkish threat actors are exploiting poorly secured Microsoft SQL servers in the U.S., EU, and LATAM, leading either to the sale of server access or to ransomware attacks. The campaign, named RE#TURGENCE, employs brute-force methods and uses the xp_cmdshell option for initial access. These attacks mirror a previous campaign, DB#JAMMER, and involve the retrieval of a PowerShell script that delivers an obfuscated Cobalt Strike beacon payload. Attackers use AnyDesk, Mimikatz, and Advanced Port Scanner for system access, credential harvesting, and reconnaissance, followed by lateral movement with PsExec. The RE#TURGENCE campaign's end goal includes deploying Mimic ransomware, and operational security errors revealed the hackers' Turkish origins. Researchers urge organizations not to expose critical servers directly to the internet, to prevent such brute-force attacks and unauthorized access. | Details |
| 2024-01-09 13:24:35 | theregister | CYBERCRIME | Free Decryptor Released for Babuk Tortilla Ransomware Victims | An updated decryptor for the Babuk ransomware, targeting the Tortilla variant, has been released by security researchers. The decryptor was made possible through collaboration among Cisco Talos, Avast, and the Netherlands police, leading to arrests. The Amsterdam police arrested the individual responsible for Babuk Tortilla, with prosecution by the Dutch Public Prosecution Office. The decryptor's efficacy stems from the ransomware operators' failure to update their encryption scheme with unique keys for each victim. The decryptor, now included in Avast's portfolio and the No More Ransom project, uses a single private key to unlock files across all victims. Babuk ransomware was initially identified between 2020 and 2021, attacked various sectors, and its code leak led to multiple spin-off ransomware families. The Tortilla variant exploited Microsoft Exchange servers using the ProxyShell vulnerability and demanded payment in Monero, often below average ransom amounts. | Details |
| 2024-01-09 11:32:30 | thehackernews | DATA BREACH | The Hidden Dangers of SaaS Data Sharing Practices | The collaborative features of SaaS applications can lead to unintended data exposure, with 58% of security incidents involving data leakage. User errors, such as accidental exposure of private repositories or misconfigured permissions, are common causes of data leaks on platforms like GitHub. Publicly accessible calendars can present security risks by exposing meeting details, which could be used for phishing or social engineering attacks. Collaborating with external service providers without proper access controls can lead to unauthorized retention of sensitive data. Experts recommend using SaaS security tools to identify and secure publicly shared resources to mitigate risks. Keeping an inventory of publicly accessible files and implementing best practices for sharing are crucial for protecting company data. It is essential to maintain control over shared materials, especially when collaborating with short-term external team members, to prevent data breaches. | Details |
| 2024-01-09 09:55:11 | thehackernews | CYBERCRIME | Critical Security Flaws Found in QNAP and Kyocera Systems | A significant security flaw in Kyocera's Device Manager has been reported, allowing potential interception and manipulation of Active Directory hashed credentials. The vulnerability, identified as CVE-2023-50916, is described as a path traversal issue enabling attackers to redirect database backup paths and achieve unauthorized access. Depending on the configuration, the vulnerability can lead to NTLM relay attacks, raising concerns about data theft and compromised client accounts. The issue has been addressed in Kyocera Device Manager version 3.1.1213.0, an important security update. QNAP also fixed several high-severity vulnerabilities, notably CVE-2023-39296, which could cause system crashes through prototype pollution. QNAP updates addressing these vulnerabilities have been released for QTS and QuTS hero, among other affected software components. Users of affected QNAP and Kyocera products are strongly advised to update to the latest software versions to safeguard against these security flaws. Although there are no reports of exploitation so far, timely updates are crucial to mitigate risks and ensure the security integrity of enterprise network systems. | Details |
| 2024-01-09 08:23:06 | thehackernews | MALWARE | YouTube Videos Conceal Lumma Stealer Malware via Cracked Software | Threat actors are using YouTube videos promoting cracked software to distribute an information-stealing malware known as Lumma Stealer. The videos direct users to a link in the description that downloads a fake installer, which ultimately installs the Lumma Stealer malware. Lumma Stealer is capable of harvesting sensitive data and has been available on underground forums since late 2022. The fraudulent installer involves a multi-step process that includes downloading a loader from GitHub and performing checks to evade virtual machine and debugging detection. This form of malware distribution exploits legitimate-looking links to video editing tools, such as Vegas Pro, and results in cryptocurrency theft and potentially unauthorized cryptocurrency mining on the infected machines. Similar methodologies were previously noted for delivering various types of malware, highlighting the continued use of YouTube as a platform by cybercriminals. The article also references an increase in stream-jacking and phishing attacks leading to account takeovers on YouTube, as well as a sophisticated 11-month-old AsyncRAT campaign targeting U.S. infrastructure management entities. | Details |
| 2024-01-08 22:18:20 | bleepingcomputer | CYBERCRIME | Toronto Zoo and Public Library Targeted by Ransomware Attacks | Toronto Zoo experienced a ransomware attack that did not affect animal welfare, the public website, or the zoo's operational activities. The zoo is investigating whether guest, member, or donor information was compromised and has assured that no credit card information is stored on its systems. Operations including visitor admissions are continuing normally, and the zoo is working with cybersecurity experts and the City of Toronto's Chief Information Security Office. The Toronto Police Service has been notified, and the zoo has asked the public for patience as it responds to inquiries during the investigation. In a separate incident, the Toronto Public Library suffered a ransomware attack by the Black Basta gang, impacting service availability and compromising personal data going back to 1998. The Toronto Public Library, a major system with extensive resources, has not paid the ransom and is also engaging external cybersecurity specialists. | Details |
| 2024-01-08 21:07:06 | bleepingcomputer | CYBERCRIME | Official Netgear and Hyundai Accounts Compromised for Crypto Scams | The official Twitter accounts of Netgear and Hyundai MEA were hijacked to promote cryptocurrency wallet drainer malware. Hyundai has already recovered its account and removed the malicious links, whereas Netgear's account still shows traces of the attack. Attackers changed Hyundai MEA's account name to Overworld, a known entity often impersonated in scams. Netgear's account was repurposed to lure users to a fake website falsely promising significant monetary rewards. Verified Twitter accounts with 'gold' and 'grey' checkmarks are increasingly targeted by hackers to bolster the credibility of crypto scams. Even two-factor authentication did not prevent the hijacking of Mandiant's Twitter account. A wallet drainer campaign reportedly stole $59 million in cryptocurrency from 63,000 victims via Twitter ads. Twitter users associated with cryptocurrency are experiencing a particularly high volume of these malicious ads. | Details |