Daily Brief
Total articles found: 12635
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-01-05 10:08:36 | thehackernews | DATA BREACH | Effective Strategies for Managing Exposed Secrets in Cybersecurity | Exposed secrets within a company's source code, such as API keys and credentials, represent a significant security threat requiring immediate action. Secret scanners can detect exposed secrets but lack the context needed to assess the severity and formulate an appropriate response. Steps to contextualize secrets include classifying by sensitivity, assessing the exposure's scope and impact, identifying the root cause, and enriching secret information. Remediation involves swift mitigation efforts, establishing policies to prevent future exposures, and regular monitoring and auditing of secrets. Technology, particularly automation and advanced platforms like Entro, plays a crucial role in managing exposed secrets more effectively by providing essential context and easy integration with existing security workflows. Proactive and strategic management of exposed secrets is vital to protect sensitive data and maintain an organization's security posture, with Entro offering comprehensive tools to assist in these efforts. |
| 2024-01-05 10:03:08 | thehackernews | CYBERCRIME | Orange Spain Hit by BGP Hijack Due to Credential Theft via Malware | Orange Spain experienced a BGP traffic hijack causing an internet outage after an account was compromised using stealer malware. The incident led to significant disruptions and a loss of 50% of network traffic, but no personal data was reported as breached. Suspected perpetrator Ms_Snow_OwO obtained access to the RIPE account and altered Orange's AS number, which caused the outage. The compromised admin account was linked to an Orange Spain employee whose computer was infected with Raccoon Stealer malware. RIPE does not currently enforce two-factor authentication or strong password policies, a situation they plan to change following the incident. RIPE is investigating the breach and will contact affected accounts; it is also urging users to update passwords and enable multi-factor authentication. The event underlines the importance of robust cybersecurity measures to protect against initial attack vectors such as malvertising and phishing. |
| 2024-01-05 07:45:01 | thehackernews | CYBERCRIME | Ivanti Issues Security Patch for Critical Endpoint Manager Vulnerability | Ivanti has deployed security updates for a critical vulnerability in its Endpoint Manager, labeled CVE-2023-39336, with a CVSS score of 9.6. The flaw affects certain versions of EPM 2021 and EPM 2022 and can lead to remote code execution on servers running vulnerable software. An attacker with internal network access could exploit an SQL injection flaw to execute arbitrary SQL queries and control machines with the EPM agent. This vulnerability disclosure follows a recent patch of 21 security flaws in Ivanti's Avalanche enterprise MDM, including 13 critical buffer overflow issues. Ivanti previously dealt with zero-day vulnerabilities in its products that were exploited by state-backed actors to attack Norwegian government networks. While no current exploits of the newly discovered vulnerability have been reported, the past incidents underline the importance of applying the security updates promptly. |
| 2024-01-05 07:34:02 | theregister | NATION STATE ACTIVITY | Kyivstar Telecom Attack Exposes Sandworm's Destructive Global Reach | The Russia-linked Sandworm hacking group is believed to have compromised Kyivstar, Ukraine's largest telecom provider, impacting 24 million users and critical services. Sandworm hackers had infiltrated Kyivstar's network for at least six months, gaining full access by November 2023 and executing a disruptive attack in December. The attack not only affected telecommunication services but also compromised air raid alerts and banking operations in Kyiv, coinciding with physical missile strikes on the city. Ukrainian officials, including the SBU cyber chief, and private-sector analysts attribute the attack to Sandworm, which operates as part of Russia's GRU military intelligence. The breach highlights the use of cyberattacks in hybrid warfare, potentially monitoring Ukraine's military movements and compounding the psychological impact on civilians. Western experts hint at the broad implications of the attack for global cybersecurity, as Sandworm's capability extends beyond Ukraine, having previously targeted the US and other countries. The Mandiant Intelligence group warns of similar telecom vulnerabilities in the United States and urges Western nations to consider the Kyivstar hack a global threat signal. |
| 2024-01-05 07:28:42 | thehackernews | NATION STATE ACTIVITY | Sandworm: Russian Hacker Group Infiltrates Ukraine Telecom | The Russian state-sponsored hacking group Sandworm had accessed systems of Ukrainian telecom provider Kyivstar since May 2023. Kyivstar's services were disrupted last month, affecting millions; the Russia-linked group Solntsepyok claimed responsibility. Solntsepyok is affiliated with Russian military intelligence and has been involved in past disruptive cyberattacks. The cyberattack on Kyivstar resulted in the substantial destruction of virtual servers and computers, with the attackers having full access for several months. The head of the SBU's cybersecurity department noted the meticulous planning over many months that went into the attack. While Kyivstar has resumed operations, no evidence suggests customer personal data was compromised; the method of the network breach remains unclear. The SBU took down two hacked surveillance cameras used by Russian intelligence for spying on Ukrainian defense and infrastructure. |
| 2024-01-05 05:20:58 | thehackernews | MALWARE | New Bandook RAT Phishing Attack Targets Windows Users | A new variant of the Bandook Remote Access Trojan (RAT) has been identified targeting Windows machines through phishing campaigns. Fortinet FortiGuard Labs reported the malware's distribution method: a phishing email containing a PDF file that leads to a password-protected .7z archive. Upon opening the archive using the password from the PDF, the Bandook malware injects its payload into the legitimate Windows system file msinfo32.exe. Originally detected in 2007, Bandook is commercial malware that provides attackers with extensive remote control capabilities over infected systems. The latest version of Bandook has been implicated in a cyber espionage campaign, according to research from ESET in 2021, with attacks focusing on Spanish-speaking countries. Once installed, the malware alters Windows Registry settings for persistence and connects to a command-and-control server for further malicious instructions and payload downloads. The abilities of this RAT include file and registry manipulation, data theft, downloading additional payloads, executing files, and even uninstalling itself remotely. |
| 2024-01-04 21:42:01 | bleepingcomputer | MALWARE | Ivanti Fixes Critical Remote Code Execution Bug in EPM Software | Ivanti has patched a critical RCE vulnerability in its Endpoint Management (EPM) software that allowed unauthenticated attackers to take over enrolled devices or even the core server. The vulnerability, identified as CVE-2023-39366, affects all supported versions of Ivanti EPM and has been resolved with the release of version 2022 Service Update 5. The security flaw enables attackers within the target's internal network to perform low-complexity, no-privilege attacks, utilizing SQL injection to execute arbitrary SQL queries. Ivanti asserts that there have been no known instances of this vulnerability being exploited against its customers to date. The company has limited public access to the detailed advisory on CVE-2023-39366, possibly to give customers additional time to implement protective measures against potential exploits. The article references previous incidents where state-affiliated hackers exploited two zero-day vulnerabilities in Ivanti's EPMM software to attack Norwegian government entities, as well as a third zero-day in the company's Sentry software. Ivanti is a key player in the IT asset management space, with its products in use by over 40,000 organizations worldwide. |
| 2024-01-04 20:05:01 | theregister | CYBERCRIME | Mandiant Twitter Account Hijacked for Crypto Scam | Mandiant's Twitter account was compromised in a cryptocurrency scam attempt. The account posted about distributing free $PHNTM tokens from a fake website. Mandiant regained control and has launched a thorough investigation into the incident. Criminals mocked Mandiant during the takeover, suggesting they change their password and check bookmarks. The incident adds to a series of high-profile Twitter account hackings, including those of Jeff Bezos, Bill Gates, and Barack Obama in 2020. Vitalik Buterin, Ethereum co-founder, also had his account hacked recently, with significant financial losses to followers. The breach is particularly concerning given Mandiant's status as a leading threat intelligence firm owned by Google. CloudSEK reports an increase in Twitter account takeovers and sales, highlighting the risks and potential damage to brand reputation. |
| 2024-01-04 19:39:11 | bleepingcomputer | CYBERCRIME | Russian Hackers Execute Destructive Cyberattack on Ukraine's Kyivstar | Russian hackers infiltrated Kyivstar, Ukraine's largest telecom provider, and executed a devastating cyberattack. The attack, which occurred in December, led to the shutdown of services, impacting approximately 25 million subscribers. The Security Service of Ukraine (SSU) confirmed that the network had been compromised since May 2023, with the hackers gaining full access possibly by November. Thousands of virtual servers and computers were wiped, dealing a severe blow to Kyivstar's operational core. Despite the attack's extensive damage to civilian infrastructure, Ukrainian military communications remained largely unaffected due to different communication protocols. The cyberattack was later claimed by the Russian hacking group Solntsepek, linked to the notorious Sandworm military hackers. The SSU continues to investigate the attack and assess the malware used, while an October report states Russian hackers have targeted multiple Ukrainian telecom networks since May 2023, causing service disruptions. |
| 2024-01-04 18:42:52 | bleepingcomputer | CYBERCRIME | Verified Twitter Accounts Hijacked for Crypto Scams | Cybercriminals are targeting Twitter accounts with "gold" and "grey" checkmarks to promote cryptocurrency scams. Google subsidiary Mandiant's Twitter account was recently compromised to push a fake airdrop scam. MalwareHunterTeam reported several breaches, including accounts of a Canadian senator, 'The Green Grid' consortium, and a Brazilian politician. Trust inspired by the gold (companies) and grey (government) checkmarks is being exploited by hackers, leading to a rise in scam activities. A black market for selling access to compromised verified accounts has emerged, with prices ranging from $1,200 to $2,000. Threat actors also use dormant corporate accounts to create new "gold" profiles, sometimes selling these for thousands of dollars. CloudSEK advises organizations to shut down inactive accounts, strengthen security settings, and use two-factor authentication. |
| 2024-01-04 18:32:13 | theregister | DATA BREACH | 23andMe Faces Criticism for Shifting Blame in User Data Breach | 23andMe experienced a data breach affecting the data of 6.9 million users due to compromised user credentials. The company blames the breach on users reusing passwords that had been compromised in unrelated security incidents. A lawsuit alleges the biotech firm failed to maintain reasonable security measures, which 23andMe denies. The company did not require two-factor authentication (2FA) prior to the breach but claims to have supported it since 2019. Infosec professionals criticize the response, suggesting the company should have had better security practices, like mandatory 2FA and checks for compromised credentials. There is a call within the industry for using services like HaveIBeenPwned to alert users of compromised credentials during account creation. Despite some industry support for the company's stance, the predominant view is that organizations are responsible for securing user data and should not blame users for breaches. |
| 2024-01-04 16:17:50 | bleepingcomputer | CYBERCRIME | Zeppelin Ransomware Source Code Illegally Sold on Dark Web Forum | A threat actor has reportedly sold the source code and a cracked version of the Zeppelin ransomware builder for $500 on a hacker forum. The sale was identified by threat intelligence company KELA, though the authenticity of the offered package has not yet been confirmed. The acquisition of the source code could lead to the establishment of a new ransomware-as-a-service (RaaS) operation or the development of new malware based on Zeppelin. The seller, known by the handle 'RET,' claimed to have cracked a licensed builder version of Zeppelin but did not create the malware. Despite law enforcement discovering flaws in Zeppelin's encryption scheme that led to a decrypter being built in 2020, the seller asserts the offered version has patched these vulnerabilities. Zeppelin is a derivative of the Vega/VegaLocker malware, active from 2019 to 2022, known for double-extortion tactics and significant ransom demands, and previously sold for up to $2,300. In 2022, the FBI alerted the public to a new Zeppelin encryption method involving multiple layers to complicate victims' data recovery. |
| 2024-01-04 14:35:41 | bleepingcomputer | MISCELLANEOUS | FTC Launches $25k Challenge to Combat AI Voice Cloning Frauds | The FTC is offering a $25,000 prize for ideas to detect and prevent AI-enabled voice cloning, which poses risks of fraud. Advancements in voice cloning technology have sparked concerns about its misuse in acts such as voice phishing and social engineering scams. The Voice Cloning Challenge is part of an effort to proactively address the security threat posed by sophisticated text-to-speech AI systems. While voice cloning can benefit those needing assistive communication tools, its potential for abuse in fraudulent schemes is growing. Potential solutions will be judged on feasibility, impact on corporate accountability, burden on consumers, and adaptability to technological change. The competition is open for submissions until January 12th, with a detailed proposal and optional demonstration video required. If the challenge does not produce viable defenses, the FTC sees it as a warning signal that stricter AI regulations may be necessary. |
| 2024-01-04 13:18:23 | theregister | CYBERCRIME | Weak Password and Malware Compromise Orange Spain's Network | Orange Spain experienced a massive outage due to infostealer malware that harvested an employee's admin credentials. The compromised RIPE account had a "ridiculously weak" password ("ripeadmin"), which allowed attackers to disrupt half of the network's traffic. The attack was executed by an individual using the alias "Snow," who hijacked the provider's BGP traffic after breaching the RIPE account. RIPE, lacking mandatory 2FA or MFA and reasonable password policies, left Orange Spain's critical infrastructure particularly vulnerable. The attack led to incorrect routing associations within the network's BGP, resulting in service outages for customers. Despite the service disruption, there was no evidence of customer or client data being compromised. The incident highlights the risk of infostealer malware and poor cybersecurity practices, with experts anticipating potential similar attacks on other RIPE accounts in the future. |
| 2024-01-04 12:16:53 | thehackernews | MISCELLANEOUS | Enhancing Security Across Your Software Supply Chain | The Executive Order on Improving the Nation's Cybersecurity highlights the importance of securing software supply chains, impacting those selling software to federal agencies and beyond. Protecting sensitive information such as API keys and credentials is critical, as shown by high-profile cybersecurity incidents where such data was exposed in plaintext. Tools like GitGuardian can scan code for inadvertently published secrets or prevent such occurrences, aiding in swift remediation and the prevention of future breaches. Building a comprehensive Software Bill of Materials (BOM) using Software Composition Analysis (SCA) tools helps in managing dependencies and vulnerabilities, ensuring transparency in software construction. Ethical hacking, a practice that involves the authorized probing of systems for security weaknesses, is crucial for identifying and mitigating potential exploits before software release. Adopting these proactive security measures and participating in programs like bug bounties can significantly reduce the risk of having to manage incidents post-deployment. Following the SLSA security framework can move software supply chain security "from 'safe enough' to being as resilient as possible," thus reducing post-deployment clean-up and regulatory reporting. |