Daily Brief


Total articles found: 12634


2024-01-03 15:11:58 bleepingcomputer CYBERCRIME New Terrapin Attack Threatens Integrity of 11M SSH Servers
Nearly 11 million SSH servers are vulnerable to the recently discovered "Terrapin" attack. Researchers from Ruhr University Bochum in Germany developed the attack, which compromises SSH integrity. The attack specifically manipulates handshake process sequence numbers and can downgrade public key algorithms. An adversary-in-the-middle position is required for attackers to intercept and modify SSH handshakes. The Shadowserver report indicates that approximately 52% of all scanned SSH servers could be affected. The United States has the highest number of vulnerable SSH servers, followed by China and Germany. A vulnerability scanner is available from the research team to check SSH clients and servers for Terrapin susceptibility.
2024-01-03 13:19:01 theregister CYBERCRIME Xerox Subsidiary Targeted in Cybersecurity Breach; Ransom Negotiations Possible
Xerox Corporation confirmed a cybersecurity incident involving unauthorized access to its US subsidiary Xerox Business Solutions (XBS). The attack was made public by INC Ransom, which claimed to have exfiltrated confidential files and posted them on their leak blog. The precise nature of the cyberattack remains uncertain, with no clear indication if ransomware was deployed or if attackers sought extortion by threatening to release sensitive data. Xerox stated the incident was contained to XBS and did not impact Xerox’s main corporate systems, operations, or data, nor did it affect XBS operations. Xerox acknowledges that "limited personal information" may have been compromised and is working with cybersecurity experts to investigate and secure the XBS IT environment. INC Ransom has since removed the leaked information from their blog, hinting at possible negotiations between Xerox and the hacker group. INC Ransom, which surfaced in July 2023, employs various tactics to compromise networks, including spear-phishing and exploiting critical vulnerabilities.
2024-01-03 13:19:01 thehackernews MALWARE Malware Exploits Google Feature to Bypass Password Resets
Information-stealing malware is exploiting an undocumented Google OAuth endpoint called MultiLogin to maintain unauthorized access to user sessions. This exploit allows attackers to persist in Google services even after users reset their passwords, posing a significant threat to account security. The exploit was disclosed by a hacker on Telegram and has been adopted by various malware-as-a-service (MaaS) families, including Lumma, Rhadamanthys, and others. By leveraging the MultiLogin feature, which is designed for synchronizing Google accounts, these malware families regenerate authentication cookies using stolen tokens. Google has acknowledged the attack vector and countered claims that users cannot revoke stolen sessions; signing out or remote revocation is possible. To enhance security, Google has recommended that users enable 'Enhanced Safe Browsing' in Chrome, and it continues to improve defenses against such malware attacks.
2024-01-03 12:58:17 bleepingcomputer CYBERCRIME CISA Alerts on Chrome and Excel Library Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported two actively exploited vulnerabilities in Chrome and an Excel parsing library. Federal agencies have been directed to address or mitigate these vulnerabilities by January 23 as outlined by CISA. CVE-2023-7101, a remote code execution (RCE) flaw in Spreadsheet::ParseExcel, allows attackers to execute malicious code via specially crafted Excel files. Chinese hackers have exploited this RCE vulnerability in Spreadsheet::ParseExcel to compromise Barracuda Email Security Gateway appliances. Barracuda has released security updates and mitigations after the exploit was used to deploy 'SeaSpy' and 'Saltwater' malware by threat actor UNC4841. CVE-2023-7024 is a heap buffer overflow vulnerability in Google Chrome's WebRTC component that could lead to crashes or code execution. Google has already issued fixes for this vulnerability, which also affects other browsers using the WebRTC component. CISA's Known Exploited Vulnerabilities catalog aids organizations globally in prioritizing and managing known vulnerabilities.
2024-01-03 10:50:57 thehackernews CYBERCRIME Strategic Approaches to Bolster SaaS Security Postures
Nudge Security emphasizes the critical nature of maintaining comprehensive visibility into an organization's SaaS landscape to effectively manage cyber risks. The adoption of SaaS applications significantly expands the attack surface, leading to heightened risks of identity-based breaches involving compromised credentials. Real-time discovery tools provided by Nudge Security enable automatic inventorying of all SaaS accounts and deliver security alerts for new applications, streamlining governance. Managing OAuth risks is essential, requiring regular reviews to ensure that integrations between SaaS applications do not contravene data privacy or compliance standards. Continuous monitoring of the SaaS attack surface is crucial to identify and protect externally visible corporate assets from supply chain breaches. Expanded use of Single Sign-On (SSO) is recommended to centralize access management for SaaS applications, with tools to facilitate easier SSO onboarding of new apps. Extending Multi-Factor Authentication (MFA) to all user accounts forms another layer of defense, reducing the susceptibility to unauthorized access. Nudge Security's tools not only improve visibility but also help eliminate shadow IT, secure unauthorized accounts, and automate security processes without hindering productivity.
2024-01-03 10:45:35 thehackernews CYBERCRIME SMTP Smuggling Technique Enables Email Spoofing and Security Evasion
A newly identified exploitation method, SMTP smuggling, allows attackers to send spoofed emails that bypass typical security checks. Threat actors can exploit vulnerable SMTP servers to send emails from seemingly legitimate sender addresses, facilitating targeted phishing campaigns. SMTP smuggling works by exploiting inconsistencies in handling end-of-data sequences between outbound and inbound SMTP servers, enabling command injection. The technique is similar to HTTP request smuggling and affects servers from Microsoft, GMX, Cisco, Postfix, and Sendmail, allowing attackers to bypass DKIM, DMARC, and SPF email authentication systems. Microsoft and GMX have addressed the vulnerabilities; however, Cisco treats the issue as a feature and has not altered default configurations, leaving systems potentially exposed. SEC Consult advises Cisco users to adjust settings from "Clean" to "Allow" to mitigate the risk of receiving spoofed emails that pass DMARC validation.
2024-01-03 08:32:29 theregister RANSOMWARE Emsisoft Advocates for Global Ban on Ransomware Payments
Emsisoft has suggested a complete ban on ransom payments following a significant rise in ransomware attacks. At least 2,207 US hospitals, schools, government organizations, and private-sector businesses were affected by ransomware in 2023. Ransomware incidents typically cost around $1.5 million per attack for recovery, with the average ransom demand hitting this amount. High-profile victims in 2023 included Boeing and MGM Resorts, with disclosures of such attacks expected to rise due to SEC rules. MOVEit attacks by the Clop ransomware gang, which caused over $15 billion in damages, were not included in Emsisoft's 2023 statistics. The International Counter Ransomware Initiative's member countries agreed not to pay ransoms, but this does not apply to private-sector companies. Experts are divided on an outright ban due to its potential implications and the current cyber resilience maturity across the economy. The US government advises against paying ransoms and emphasizes the need for resilience and the implementation of preventive measures.
2024-01-03 07:30:58 thehackernews MISCELLANEOUS XCast Fined $10 Million for Enabling Illegal Robocall Campaigns
The U.S. Department of Justice (DoJ) has fined XCast Labs $10 million for operating an extensive illegal robocall service. XCast violated the Telemarketing Sales Rule (TSR) since at least January 2018 by transmitting billions of robocalls, including ones falsely claiming to be from government agencies. The robocalls included pre-recorded messages sent to numbers on the National Do Not Call Registry, contained deceptive or false information, and sometimes mimicked official agencies to solicit payments from victims. The financial penalty is suspended due to XCast's inability to pay, but the company must comply with stringent future regulations, including the establishment of a customer screening process. The order requires XCast to terminate relationships with any company that does not comply with U.S. telemarketing laws and implement technologies to prevent calls with invalid caller ID numbers. The FTC has separately banned Response Tree from conducting or aiding in robocall operations and has accused them of using misleading tactics to collect personal information, which was sold to telemarketers for making illegal calls.
2024-01-02 20:44:40 bleepingcomputer MISCELLANEOUS Steam Ends Support for Older Windows OS to Enhance Security
Steam has officially ended support for Windows 7, 8, and 8.1 as of January 1, urging users to upgrade to more recent versions of Windows for enhanced security. The gaming platform will no longer provide software or security updates for installations on these older operating systems, and technical support will be unavailable for related issues. Microsoft already ceased support for Windows 7 in January 2020, and its extended security updates for Windows 8.1 expired in January 2023. This shift may not significantly affect the user base, since only 0.89% of Steam users were on these versions as per the latest hardware survey. Steam's dependency on an embedded version of Google Chrome, which is incompatible with older Windows versions, necessitates this move to ensure access to essential Windows feature and security updates. There is a risk associated with using outdated Steam versions on an unsupported OS, including vulnerability to malware designed to steal credentials, which heightens the importance of the transition for security reasons. Valve has introduced SMS-based security checks for developers releasing game updates, but stronger multi-factor authentication methods are suggested to protect against more sophisticated threats like SIM swapping attacks.
2024-01-02 20:08:53 theregister CYBERCRIME Sam Bankman-Fried Escapes Second Trial Due to Prosecution Decision
U.S. prosecutors have decided not to proceed with a second trial against Sam Bankman-Fried (SBF), the disgraced cryptocurrency entrepreneur. The decision to forgo the second trial was based on the fact that the evidence for the eighth charge, related to unlawful campaign contributions, was largely considered during the first trial. Any additional trial would likely delay SBF's scheduled sentencing in March 2024 and require complicated extradition negotiations with The Bahamas. SBF had already been extradited from The Bahamas to face seven criminal charges in the U.S., which he was found guilty of in his first trial. The seven convictions include conspiracy to commit wire fraud, commodities fraud, securities fraud, and money laundering, with a maximum combined sentence of 110 years. It was revealed that SBF used FTX customer deposits to bail out his other enterprise, Alameda Research, leading to a defrauding of stakeholders of approximately $10 billion. Although the campaign finance charge will not be pursued in court, it may still influence SBF's sentencing, including potential orders of forfeiture and restitution for his crimes' victims. Allegations against SBF include living a lavish lifestyle on stolen funds, bribing Chinese officials, witness tampering, and using over $100 million in embezzled funds for political campaign contributions.
2024-01-02 20:03:27 theregister MALWARE Sophisticated Malware Bypasses Google Account Security Post-Password Reset
Security researchers reveal that malware can still access Google accounts even after password changes, due to an exploit in Google's OAuth system. A cybercriminal disclosed the existence of a zero-day exploit in Google's security that allows regaining access to victims' accounts by generating new session tokens. At least six malware families, including Lumma and Rhadamanthys, have incorporated this exploit, with others like Eternity Stealer planning updates. The exploit involves stealing web browser session tokens from an infected PC, which the malware then uses to access the victim's account despite password resets. The root of the exploit is an undocumented Google OAuth endpoint called "MultiLogin," which synchronizes accounts across services and can be manipulated with stolen tokens. The threat demonstrates a heightened level of cybercriminal sophistication, a shift toward more stealthy and advanced cyber threat capabilities. Google has yet to respond to inquiries regarding countermeasures for this security issue, but logging out appears to invalidate the malicious use of session tokens.
2024-01-02 19:47:48 bleepingcomputer CYBERCRIME Orbit Chain Suffers $86 Million Crypto Theft in Security Breach
Orbit Chain, a blockchain infrastructure project, has been compromised, resulting in a theft of $86 million in various cryptocurrencies. The security breach occurred on December 31, 2023, with the platform's balance plummeting from $115 million to $29 million following the incident. The attackers, potentially state-sponsored and possibly from North Korea, executed a sophisticated series of unauthorized transactions. Orbit Chain is collaborating with South Korean authorities, including the Korean National Police Agency and KISA, to investigate the breach. North Korean hacker groups like Lazarus have been suspected of conducting multiple crypto heists throughout 2023 to fund the country's sanctioned programs. The hack may be linked to previous attacks on related projects, hinting at an ongoing pattern of sophisticated, targeted cybercrime involving blockchain protocols. International efforts are in place to track and freeze the stolen funds, with warnings issued about phishing scams exploiting the event to victimize users further. Scam Sniffer's data shows wallet drainers have stolen $295 million from over 320,000 victims in 2023, indicating a widespread issue with crypto theft and scams.
2024-01-02 19:06:30 bleepingcomputer RANSOMWARE Ransomware Disrupts Major Museums' Online Collections via Service Provider
Gallery Systems, a provider of museum software solutions, has been hit by a ransomware attack resulting in IT outages. The attack occurred on December 28, leading to the encryption of systems and taking them offline to halt further damage. Over 800 museums are affected, including MoMA, the Met, and SFMOMA, disrupting access to the eMuseum platform used for public online viewing. Gallery Systems is working to restore data from backups and has informed law enforcement and launched an internal investigation. The identity of the ransomware group responsible for the attack remains unknown and Gallery Systems hasn't provided further details on the extent of the breach. eMuseum.com subdomains, used by museums and colleges for online exhibitions, are currently offline due to the cyberattack.
2024-01-02 17:34:31 bleepingcomputer DATA BREACH Xerox Business Solutions U.S. Division Hit by Ransomware Data Leak
Xerox Business Solutions (XBS) U.S. division has experienced a data breach after a ransomware gang leaked sensitive information. The breach involved possible exposure of personal data and was confirmed by Xerox Corporation. The INC Ransom ransomware group claims to have stolen data and added XBS to its extortion portal on December 29. The attack was contained by Xerox cybersecurity personnel with no reported impact on Xerox's or XBS' operations. An investigation has been launched with the help of third-party cybersecurity experts, focusing on further securing XBS's IT environment. Samples of data shared by the ransomware group on its leak site included emails, payment details, and purchase orders. The extent of the breach is not yet fully known, but Xerox assured that it will notify all individuals confirmed to be impacted. Xerox has since been removed from INC Ransom's leak portal, potentially indicating resumed negotiations with the cybercriminals.
2024-01-02 17:03:45 bleepingcomputer MISCELLANEOUS Google to Halt Usenet Support on Groups Platform Amid Spam Struggles
Google has announced the discontinuation of Usenet support on Google Groups due to increasing spam and a decline in legitimate use. The change will take place on February 22, 2024, preventing new posts, subscriptions, or viewing of Usenet content via Google Groups. Historical Usenet data prior to the cutoff will still be accessible for search and viewing on the platform. The use of Usenet has shifted from text-based discussions to mainly file sharing and spam, prompting Google's decision. Google's cessation of support includes shutting down its NNTP server services and content peering with other NNTP servers. Non-Usenet groups on the Google Groups platform will not be affected by this update. Google provides guidance for users to transition to alternative Usenet platforms, including advice on selecting new Usenet clients and public NNTP servers.