Security Affairs

VMware fixed a critical flaw in Aria Automation. Patch it now!

16 January 2024 at 17:22

VMware warns customers of a critical vulnerability impacting its Aria Automation multi-cloud infrastructure automation platform.

VMware Aria Automation (formerly vRealize Automation) is a modern cloud automation platform that simplifies and streamlines the deployment, management, and governance of cloud infrastructure and applications. It provides a unified platform for automating tasks across multiple cloud environments, including VMware Cloud on AWS, VMware Cloud on Azure, and VMware Cloud Foundation.

VMware addressed a critical vulnerability, tracked as CVE-2023-34063 (CVSS score 9.9), that impacted its Aria Automation platform.

The issue is a missing access control vulnerability that an authenticated attacker can exploit to gain unauthorized access to remote organizations and workflows.

“Aria Automation contains a Missing Access Control vulnerability.” reads the advisory. “An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.”

The vulnerability was discovered by Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team.

CVE-2023-34063 affects Aria Automation releases earlier than 8.16, as well as VMware Cloud Foundation deployments that bundle the product.

VMware strongly recommends customers update their installs to platform version 8.16.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VMware)

Atlassian fixed critical RCE in older Confluence versions

16 January 2024 at 23:00

Atlassian warns of a critical remote code execution issue in Confluence Data Center and Confluence Server that impacts older versions.

Atlassian warns of a critical remote code execution vulnerability, tracked as CVE-2023-22527 (CVSS score 10.0), in Confluence Data Center and Confluence Server that impacts older versions.

The vulnerability is a template injection vulnerability that can allow remote attackers to execute arbitrary code on vulnerable Confluence installs.

The flaw affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3. Most recent supported versions of Confluence Data Center and Server are not affected by this issue.

“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action.” reads the advisory published by the vendor. “This RCE (Remote Code Execution) vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy. Atlassian recommends patching to the latest version.”

The company addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only).

Atlassian recommends that customers install the latest version.

The security bulletin states that there are no known workarounds or mitigations for this vulnerability; upgrading is the only remediation.


Pierluigi Paganini

(SecurityAffairs – hacking, Confluence Data Center)

Google fixed the first actively exploited Chrome zero-day of 2024

16 January 2024 at 23:39

Google has addressed the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

Google has released security updates to address the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

The high-severity vulnerability, tracked as CVE-2024-0519, is an out-of-bounds memory access in V8, Chrome's JavaScript engine. The flaw was reported anonymously on January 11, 2024.

“The Stable channel has been updated to 120.0.6099.234 for Mac and 120.0.6099.224 for Linux and 120.0.6099.224/225 to Windows which will roll out over the coming days/weeks.” reads the security advisory published by the IT giant. “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”

A remote attacker who tricks a user into visiting a crafted HTML page can trigger the out-of-bounds access and potentially exploit the resulting heap corruption.

As usual, Google did not share details of the attacks that exploited the CVE-2024-0519 zero-day in the wild.

Google also fixed the following vulnerabilities:

  • [$16000][1515930] High CVE-2024-0517: Out-of-bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
  • [$1000][1507412] High CVE-2024-0518: Type confusion in V8. Reported by Ganjiang Zhou (@refrain_areu) of ChaMd5-H1 team on 2023-12-03


Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

Citrix warns admins to immediately patch NetScaler for actively exploited zero-days

17 January 2024 at 11:01

Citrix fixed two actively exploited zero-day vulnerabilities impacting NetScaler ADC and NetScaler Gateway appliances.

Citrix warns customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting NetScaler ADC and NetScaler Gateway appliances.

“Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the advisory.

The flaws allow an attacker to gain remote code execution (CVE-2023-6548) or to cause a denial-of-service condition (CVE-2023-6549).

CVE-2023-6548 is an authenticated (low-privileged) remote code execution flaw affecting the management interface. To exploit it, an attacker must have access to the NSIP (NetScaler IP), the CLIP (cluster IP) or a SNIP (subnet IP) with management access enabled.

The company pointed out that CVE-2023-6548 only impacts the management interface. Cloud Software Group strongly recommends that network traffic to the appliance's management interface be separated, either physically or logically, from normal network traffic, and that customers never expose the management interface to the internet, as explained in the secure deployment guide.

CVE-2023-6549 is a denial-of-service issue. It can be exploited only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

The following builds fix both issues. NetScaler ADC and NetScaler Gateway version 12.1 (other than the FIPS and NDcPP builds) is end of life and does not receive a fix, so those appliances must be upgraded to a supported branch:

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

Citrix vulnerabilities were already exploited in the past in large-scale attacks. The critical Netscaler vulnerability CVE-2023-4966 was exploited by multiple threat actors in attacks against high-profile organizations.


Pierluigi Paganini

(SecurityAffairs – hacking, Citrix NetScaler)

FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation

17 January 2024 at 12:10

U.S. CISA and the FBI warned of AndroxGh0st malware used to create a botnet for victim identification and exploitation in target networks.

US CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to warn of AndroxGh0st malware. The malware is spreading to create a botnet for victim identification and exploitation in target networks.

The US agencies are sharing known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying the Androxgh0st malware.

“Androxgh0st malware establishes a botnet for victim identification and exploitation in vulnerable networks, and targets files that contain confidential information, such as credentials, for various high profile applications.” reads the advisory. “Threat actors deploying Androxgh0st malware have been observed exploiting specific vulnerabilities which could lead to remote code execution”

The Python-based malware AndroxGh0st was first spotted in December 2022 by the cybersecurity firm Lacework.

“AndroxGh0st is a “SMTP cracker” which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio.” reported Lacework.


The malware supports multiple features, including scanning, abuse of exposed credentials and APIs, and deployment of web shells. It can scan for and parse AWS keys, and it can also generate keys for brute-force attacks.
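As an added example (not code from the advisory or from Lacework), the following Python shows two defender-side checks that follow from the behaviour described above: a pass over web-server access-log lines that identifies hosts probing for .env files and, more importantly, any .env request the server answered with HTTP 200, plus a scan of a Laravel .env file that lists the variables an attacker would harvest and that would need rotating after such a response. The log lines and the .env contents are constructed, and the variable-name pattern used to classify secrets is an assumption.

```python
import re

# Apache/nginx "combined" log format. The lines below are CONSTRUCTED for this
# example, using RFC 5737 documentation addresses; they are not from a real server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [17/Jan/2024:10:01:12 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.45 - - [17/Jan/2024:10:01:13 +0000] "GET /api/.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.45 - - [17/Jan/2024:10:01:14 +0000] "GET /laravel/.env.bak?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.45 - - [17/Jan/2024:10:01:15 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2024:10:05:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jan/2024:10:07:40 +0000] "GET /.env HTTP/1.1" 200 1337 "-" "python-requests/2.31"
"""

# Constructed Laravel-style .env; every value is a placeholder.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_KEY=base64:placeholder
DB_HOST=127.0.0.1
AWS_ACCESS_KEY_ID=placeholder
AWS_SECRET_ACCESS_KEY=placeholder
SENDGRID_API_KEY=placeholder
TWILIO_AUTH_TOKEN=placeholder
"""

# Assumption: variable names containing these words hold material worth stealing.
SENSITIVE_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True for /.env and variants such as /dir/.env.bak, ignoring any query string."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name == ".env" or name.startswith(".env.")


def analyze(lines):
    """Per-IP probe counts, plus every .env request answered with 200: that status
    means the file was actually served and its secrets must be rotated."""
    probers, exposed = {}, []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_env_probe(rec["path"]):
            continue
        p = probers.setdefault(rec["ip"], {"probes": 0, "paths": set(), "first_seen": rec["ts"]})
        p["probes"] += 1
        p["paths"].add(rec["path"])
        if rec["status"] == "200":
            exposed.append((rec["ip"], rec["path"]))
    return {"probers": probers, "exposed": exposed}


def exposed_secrets(env_text):
    """Names of the variables an attacker would harvest from a leaked .env, in file order."""
    names = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if SENSITIVE_NAME_RE.search(key):
            names.append(key)
    return names


if __name__ == "__main__":
    result = analyze(SAMPLE_ACCESS_LOG.splitlines())
    for ip, info in result["probers"].items():
        print(f"{ip}: {info['probes']} .env probe(s) since {info['first_seen']}")
    for ip, path in result["exposed"]:
        print(f"EXPOSED: {path} served with 200 to {ip}; rotate: {exposed_secrets(SAMPLE_ENV)}")
```

A 404 to a probe is only reconnaissance noise and a candidate for blocking the source; a 200 is an incident, because every value in the file has to be treated as compromised.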

According to the joint Cybersecurity Advisory (CSA), threat actors behind the Androxgh0st malware exploit the following vulnerabilities to achieve remote code execution on target systems:

Known indicators of compromise associated with this malware are listed in the joint advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Github rotated credentials after the discovery of a vulnerability

17 January 2024 at 14:48

GitHub rotated some credentials after the discovery of a flaw that allowed access to the environment variables of a production container.

After GitHub became aware of a vulnerability through its bug bounty program, the Microsoft-owned company rotated some credentials.

The vulnerability, tracked as CVE-2024-0200 (CVSS score 7.2), allowed access to the environment variables of a production container and the company confirmed that all affected credentials have been rotated.

“On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container.” reads the announcement. “We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credentials.”

The vulnerability was reported on December 26, 2023, and the company addressed the flaw the same day.

The firm investigated the flaw and determined with high confidence that it had not been previously discovered and exploited. The rotation of credentials was conducted with an abundance of caution.

“Rotating credentials across our production systems caused a number of service disruptions between December 27 and 29. We recognize the impact these had on our customers that rely on GitHub and have improved our credential rotation procedures to reduce the risk of unplanned downtime going forward.” continues the announcement.


The vulnerability is also present in GitHub Enterprise Server (GHES), but exploiting it there requires an authenticated user with the organization owner role to be logged into an account on the GHES instance. GitHub addressed the issue in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

The rotated keys include those customers use to encrypt GitHub Actions, GitHub Codespaces, and Dependabot secrets before sending them to GitHub via the API for later use in the product. A client that fetches the current public key from the API before encrypting picks up the new key automatically, while any integration that hard-coded the previous public key must be updated.


Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

Pro-Russia group hit Swiss govt sites after Zelensky visit in Davos

17 January 2024 at 20:46

Switzerland believes that the attack claimed by pro-Russian group NoName that hit the government websites is retaliation for Zelensky’s presence at Davos.

Switzerland attributes a cyberattack that disrupted access to some government websites to the pro-Russia group NoName, and links it to Ukrainian President Volodymyr Zelensky's visit to Davos.

“We took a look at Switzerland, where the World Economic Forum Davos is currently taking place. Naturally, not empty-handed, but with DDoS gifts” read a message published by the hacker group on its Telegram channel.

The pro-Russian group launched a series of DDoS attacks against several government websites causing temporary disruptions in their accessibility.

“The government said that “the Russian-linked hacker group ‘NoName‘ claimed  responsibility for the attack, citing Ukrainian President Zelensky’s attendance at the WEF annual meeting” in the luxury Swiss ski resort of Davos.” reported the AFP agency.

Switzerland's National Cyber Security Centre (NCSC) says the attack was promptly detected and that it immediately took the measures needed to restore access to the targeted websites.

Some of the targeted websites are:

  • Authorization on the Davos-Klosters ski resort website
  • POOL-ALPIN service provider of the Swiss cable car network
  • Swiss Ministry of the Interior
  • Rhaetian railway (which goes to Davos)

“An attack of this kind had been expected, and appropriate security measures were in place.” reported NCSC.

The attacks did not impact the accessibility to the main portal of the Swiss government (www.admin.ch).

This isn't the first time the NoName group has hit Switzerland: in June 2023 the pro-Russia group targeted multiple government websites, as well as the websites of Swiss airports, municipalities and associations.

Swiss President Viola Amherd announced that Switzerland had agreed to organize a peace summit of world leaders towards ending Russia’s war in Ukraine.

However, Switzerland has never sent armaments to Kyiv or allowed countries that hold Swiss-made weaponry to re-export it to Ukraine.

Switzerland only agreed to the European Union's economic sanctions on Russia.


Pierluigi Paganini

(SecurityAffairs – hacking, Switzerland)

iShutdown lightweight method allows to discover spyware infections on iPhones

18 January 2024 at 06:31

Researchers devised a “lightweight method,” called iShutdown, to determine whether Apple iOS devices have been infected with spyware.

Cybersecurity researchers from Kaspersky have devised a “lightweight method,” called iShutdown, to identify the presence of spyware on Apple iOS devices. The method makes it possible to detect stealthy and powerful surveillance software such as NSO Group's Pegasus, Intellexa's Predator and QuaDream's Reign.

The researchers focused on an often-overlooked system log, Shutdown.log, which is present on every iOS device. Their analysis revealed that infections leave traces in this text-based log file, in which iOS records every reboot event together with information about the environment.

The experts noticed some log entry notes related to processes that prevented a normal reboot.

“When a user initiates a reboot, the operating system attempts to gracefully terminate running processes before rebooting. If a “client” process is still running when the reboot activity begins, it is logged with its process identifier (PID) and corresponding filesystem path.” reads the analysis published by Kaspersky. “The log entry notes that these processes prevented a normal reboot and that the system is waiting for them to terminate.”

The researchers pointed out that retrieving the Shutdown.log file is easy and saves time compared with other forensic techniques. The log file is stored inside a sysdiagnose archive.

The experts identified entries in the Shutdown.log file that logged instances where “sticky” processes, such as those associated with the spyware, were delaying the reboot.

The analysis of the infections also revealed other similarities such as the path associated with malware execution (“/private/var/db/”).

“Comparing the Shutdown.log for the Pegasus infections we analyzed and the artifacts for the Reign path above, we noticed other similarities with such infections. Malware execution originating from “/private/var/db/” seems to be consistent across all the infections we’ve seen, even if the process names are different.” continues the report. “This is also true for another mobile malware family, Predator, where a similar path, “/private/var/tmp/”, is often used.”

Kaspersky researchers have created a set of Python 3 scripts that automate the analysis of the Shutdown.log file. As a prerequisite, the user needs to generate a sysdiagnose dump on the device and extract the archive to the analysis machine.

“In conclusion, we’ve analyzed and confirmed the reliability of detecting a Pegasus malware infection using the Shutdown.log artifact stored in a sysdiag archive. The lightweight nature of this method makes it readily available and accessible. Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries. Again, this is not a silver bullet that can detect all malware, and this method relies on the user rebooting the phone as often as possible.” concludes Kaspersky. “We’ll continue to analyze the Shutdown.log file in more detail and on different platforms. We expect to be able to create more heuristics from the entries in it.”
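As an added example (not Kaspersky's scripts, and not code from the report), the following Python parses a Shutdown.log excerpt and flags processes that repeatedly delayed a reboot from the paths the report associates with spyware. The log excerpt is constructed, its line layout is an assumption made for this example rather than the documented format, and the /private/var/db/ path is a placeholder; only the two suspicious prefixes come from the report.

```python
import re
from dataclasses import dataclass, field

# Paths the report describes as consistent across the infections it analysed:
# Pegasus and Reign executed from /private/var/db/, Predator from /private/var/tmp/.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Constructed Shutdown.log excerpt. The line layout is an ASSUMPTION for this
# example (a per-reboot SIGTERM marker, then one "remaining client" line per
# process that delayed the reboot); confirm it against a real sysdiagnose
# before relying on the regexes. The /private/var/db/ path is a placeholder.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1ae03] 2023-09-01 08:11:42
remaining client pid: 315 (/usr/libexec/nfcd)
After 3s, there are still 1 clients: 315 (/usr/libexec/nfcd)
SIGTERM: [0x1ae04] 2023-09-03 21:40:07
remaining client pid: 1182 (/private/var/db/example.staging/agentd)
remaining client pid: 315 (/usr/libexec/nfcd)
After 3s, there are still 2 clients: 1182 (/private/var/db/example.staging/agentd), 315 (/usr/libexec/nfcd)
SIGTERM: [0x1ae05] 2023-09-05 07:02:15
remaining client pid: 1182 (/private/var/db/example.staging/agentd)
After 3s, there are still 1 clients: 1182 (/private/var/db/example.staging/agentd)
"""

REBOOT_RE = re.compile(r"^SIGTERM: \[0x[0-9a-f]+\] (?P<stamp>.+)$")
CLIENT_RE = re.compile(r"^remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$")


@dataclass
class Reboot:
    stamp: str
    clients: set = field(default_factory=set)  # {(pid, path), ...}


def parse_shutdown_log(text):
    """Group each 'remaining client' entry under the reboot it belongs to."""
    reboots = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REBOOT_RE.match(line)
        if m:
            reboots.append(Reboot(m.group("stamp")))
            continue
        m = CLIENT_RE.match(line)
        if m and reboots:
            reboots[-1].clients.add((int(m.group("pid")), m.group("path")))
    return reboots


def sticky_processes(reboots, prefixes=SUSPICIOUS_PREFIXES):
    """Per path: how many reboots it delayed, the PIDs seen, and whether it ran
    from a location the report associates with spyware."""
    stats = {}
    for rb in reboots:
        for pid, path in rb.clients:
            entry = stats.setdefault(
                path, {"delayed_reboots": 0, "pids": set(), "suspicious": path.startswith(prefixes)}
            )
            entry["delayed_reboots"] += 1
            entry["pids"].add(pid)
    return stats


def report(text):
    reboots = parse_shutdown_log(text)
    stats = sticky_processes(reboots)
    flagged = sorted(p for p, s in stats.items() if s["suspicious"])
    return {"reboots": len(reboots), "flagged_paths": flagged, "stats": stats}


if __name__ == "__main__":
    r = report(SAMPLE_SHUTDOWN_LOG)
    print(f"{r['reboots']} reboot(s) recorded")  # few reboots means few chances to observe an infection
    for path in r["flagged_paths"]:
        s = r["stats"][path]
        print(f"SUSPICIOUS {path}: delayed {s['delayed_reboots']} reboot(s), pids {sorted(s['pids'])}")
```

Run it against the Shutdown.log extracted from a real sysdiagnose archive after adjusting the two regexes to the actual line format. A low reboot count is itself worth noting in a report: as the researchers say, the method only sees processes that were alive when the user rebooted.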


Pierluigi Paganini

(SecurityAffairs – hacking, iShutdown)

PixieFail: Nine flaws in UEFI open-source reference implementation could have severe impacts

18 January 2024 at 11:46

Experts found multiple flaws, collectively named PixieFail, in the network protocol stack of an open-source reference implementation of the UEFI.

Quarkslab researchers discovered nine vulnerabilities, collectively tracked as PixieFAIL, affecting the IPv6 network protocol stack of EDK II, TianoCore's open-source reference implementation of UEFI.

Unified Extensible Firmware Interface (UEFI) is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II and InsydeH2O.

The researchers discovered the vulnerabilities while analyzing NetworkPkg, Tianocore’s EDK II PXE implementation. The severity and potential for exploitation of these flaws vary based on the particular firmware build and the default PXE boot configuration.

PixieFAIL issues can be exploited to achieve remote code execution, leak sensitive information, and carry out denial-of-service (DoS) and network session hijacking attacks.

NetworkPkg is a set of modules that implements networking capabilities within the UEFI environment. The NetworkPkg in UEFI may include modules that facilitate the initialization and management of network-related functions during the pre-boot phase. This can involve protocols for interacting with network devices, such as the Preboot eXecution Environment (PXE) protocol used for network booting.

“In order to boot from the network, a client system must be able to locate, download, and execute code that sets up, configures, and runs the operating system. This is usually done in several stages, starting with a minimal program that is downloaded from a network server using a simple protocol, such as TFTP, which then downloads and runs a second booting stage or the full operating system image.” reads the advisory. “To locate this minimal program, called Network Bootstrap Program (NBP), the PXE client relies on a DHCP server to both obtain the configuration parameters to configure its network interface with a valid IP address and to receive a list of Boot Servers to query for the NBP file. Since the DHCP server must provide such a list and other special parameters, the PXE client has to send some mandatory PXE-related DHCP Options, consequently, the DHCP server must be “PXE enabled”, i.e. configured appropriately to recognize PXE client options and to reply with the proper DHCP server options.”

Below is the list of PixieFAIL flaws discovered by the experts:

  • CVE-2023-45229 – Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
  • CVE-2023-45230 – Buffer overflow in the DHCPv6 client via a long Server ID option
  • CVE-2023-45231 – Out-of-bounds read when handling a ND Redirect message with truncated options
  • CVE-2023-45232 – Infinite loop when parsing unknown options in the Destination Options header
  • CVE-2023-45233 – Infinite loop when parsing a PadN option in the Destination Options header
  • CVE-2023-45234 – Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
  • CVE-2023-45235 – Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
  • CVE-2023-45236 – Predictable TCP Initial Sequence Numbers
  • CVE-2023-45237 – Use of a weak pseudorandom number generator
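Most of the list above comes down to length handling in DHCPv6 option parsing. As an added example, written for this page and taken neither from EDK II nor from Quarkslab, the Python below parses a DHCPv6 Advertise message the way a hardened client should: every option length is checked against the bytes actually present, the IA_NA/IA_TA fixed header is verified before the sub-option length is derived, the Server ID length is bounded by the protocol maximum, and the DNS Servers option must be a whole number of 16-byte addresses. The messages are constructed, and `unchecked_suboption_length` only illustrates how a 16-bit subtraction wraps; it is not EDK II's code.

```python
import struct

# DHCPv6 option codes and message type from RFC 8415 / RFC 3646 (standard values).
OPTION_CLIENTID, OPTION_SERVERID, OPTION_IA_NA, OPTION_IA_TA, OPTION_IAADDR = 1, 2, 3, 4, 5
OPTION_DNS_SERVERS = 23
MSG_ADVERTISE = 2
IA_NA_HDR, IA_TA_HDR = 12, 4  # IAID+T1+T2 / IAID, before any sub-options
MAX_DUID_LEN = 130            # RFC 8415 caps a DUID at 130 octets; also our fixed-buffer size
MAX_NESTING = 2               # IA_NA -> IAADDR is the deepest legitimate nesting


class Dhcp6ParseError(ValueError):
    pass


def build_option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf, depth=0):
    """Walk a TLV option list. Every claimed length is checked against the
    bytes that are actually present before the payload is sliced."""
    if depth > MAX_NESTING:
        raise Dhcp6ParseError("options nested too deeply")
    opts, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise Dhcp6ParseError(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise Dhcp6ParseError(f"option {code} claims {length} bytes, {len(buf) - off} remain")
        opts.append(parse_option(code, buf[off:off + length], depth))
        off += length
    return opts


def parse_option(code, data, depth):
    if code in (OPTION_CLIENTID, OPTION_SERVERID):
        # Copying an unbounded DUID into a fixed buffer is the shape of the
        # long-Server-ID overflow; reject anything over the protocol maximum.
        if len(data) > MAX_DUID_LEN:
            raise Dhcp6ParseError(f"DUID of {len(data)} bytes exceeds {MAX_DUID_LEN}")
        return {"code": code, "duid": data}
    if code == OPTION_IA_NA:
        # Verify the fixed header is present BEFORE deriving the sub-option
        # length; an unsigned `len - 12` on a shorter option wraps around.
        if len(data) < IA_NA_HDR:
            raise Dhcp6ParseError("IA_NA shorter than its 12-byte header")
        iaid, t1, t2 = struct.unpack_from("!III", data, 0)
        return {"code": code, "iaid": iaid, "t1": t1, "t2": t2,
                "sub": parse_options(data[IA_NA_HDR:], depth + 1)}
    if code == OPTION_IA_TA:
        if len(data) < IA_TA_HDR:
            raise Dhcp6ParseError("IA_TA shorter than its 4-byte header")
        return {"code": code, "iaid": struct.unpack_from("!I", data, 0)[0],
                "sub": parse_options(data[IA_TA_HDR:], depth + 1)}
    if code == OPTION_DNS_SERVERS:
        # A list of IPv6 addresses must be a whole number of 16-byte entries.
        if len(data) % 16:
            raise Dhcp6ParseError("DNS servers option is not a multiple of 16 bytes")
        return {"code": code, "servers": [data[i:i + 16] for i in range(0, len(data), 16)]}
    return {"code": code, "data": data}


def parse_advertise(msg):
    if len(msg) < 4:
        raise Dhcp6ParseError("message shorter than the 4-byte header")
    if msg[0] != MSG_ADVERTISE:
        raise Dhcp6ParseError(f"not an ADVERTISE (msg-type {msg[0]})")
    return {"xid": msg[1:4], "options": parse_options(msg[4:])}


def is_rejected(msg):
    try:
        parse_advertise(msg)
    except Dhcp6ParseError:
        return True
    return False


def unchecked_suboption_length(option_len):
    """What a naive 16-bit `option_len - IA_NA_HDR` yields: a 4-byte IA_NA gives
    65528, the kind of underflow the IA_NA/IA_TA finding describes (illustration only)."""
    return (option_len - IA_NA_HDR) & 0xFFFF


# Constructed test messages (addresses from the documentation prefix 2001:db8::/32).
HDR = bytes([MSG_ADVERTISE]) + b"\x01\x02\x03"
SAMPLE_DUID = bytes.fromhex("0001000129c4c3e2001122334455")  # 14-byte DUID-LLT, placeholder values
IAADDR = struct.pack("!16sII", bytes.fromhex("20010db8" + "00" * 11 + "10"), 3600, 7200)
GOOD_ADVERTISE = (HDR
    + build_option(OPTION_SERVERID, SAMPLE_DUID)
    + build_option(OPTION_IA_NA, struct.pack("!III", 1, 3600, 5400) + build_option(OPTION_IAADDR, IAADDR))
    + build_option(OPTION_DNS_SERVERS, bytes.fromhex("20010db8" + "00" * 12) * 2))
SHORT_IA_NA = HDR + build_option(OPTION_IA_NA, b"\x00\x00\x00\x01")
LONG_SERVER_ID = HDR + build_option(OPTION_SERVERID, b"\x41" * 300)
TRUNCATED_SERVER_ID = HDR + struct.pack("!HH", OPTION_SERVERID, 600) + b"\x00" * 10
```

The three malformed messages are the cases a fuzzer reaches first: an option whose header is shorter than the structure the parser expects, a variable-length field larger than the buffer it is copied into, and a length field that promises more bytes than the packet carries.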

The CERT Coordination Center (CERT/CC) also published an advisory about these vulnerabilities.

“An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.” states CERT/CC.

CERT/CC also published Vulnerability Note VU#132380 with a comprehensive list of affected vendors, and guidance to mitigate the issues.


Pierluigi Paganini

(SecurityAffairs – hacking, PixieFAIL)

Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

18 January 2024 at 14:47

Google warns that the Russia-linked threat actor COLDRIVER is expanding its targeting and developing custom malware.

The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Google TAG researchers warn that COLDRIVER is evolving tactics, techniques and procedures (TTPs), to improve its detection evasion capabilities.

Recently, TAG has observed COLDRIVER delivering custom malware via phishing campaigns using PDFs as lure documents. Google experts uncovered and disrupted these attacks by adding all known domains and hashes to Safe Browsing blocklists.

Since November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts. The lure documents pose as a new op-ed or other article that the impersonated sender is looking to publish, and the attackers ask the recipient for feedback. When the victim opens the PDF, the text appears to be encrypted.

If the target replies that they cannot read the content, the attackers send a link to a supposed decryption tool. When the target downloads and runs it, a decoy document is displayed while a backdoor, tracked as SPICA, is installed.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.” reads TAG’s analysis.

Spica is a Rust backdoor that uses JSON over websockets for C2. Spica supports multiple capabilities, such as:

  • Executing arbitrary shell commands
  • Stealing cookies from Chrome, Firefox, Opera and Edge
  • Uploading and downloading files
  • Listing the contents of the filesystem
  • Enumerating documents and exfiltrating them in an archive
  • There is also a command called “telegram,” but the functionality of this command is unclear

The malware maintains persistence via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG has observed SPICA in use since early September 2023, but believes the group has employed it since at least November 2022.

“While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA. This sample, ​​named “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August and September 2023.” concludes the report.

“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”
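As an added example (not code from TAG's report), the following Python decodes PowerShell -EncodedCommand payloads from process-creation records and flags any launch that registers a scheduled task, marking the CalendarChecker name TAG reports. The records, the task action path and the exact command line are constructed; the report says only that the persistence command is obfuscated PowerShell, so treating base64-encoded commands as the obfuscation is an assumption about one common form of it.

```python
import base64
import re

# PowerShell accepts -EncodedCommand (and the abbreviations -e/-ec/-enc) with a
# base64 blob of the UTF-16LE script. Decoding it is the first step of any hunt
# for obfuscated scheduled-task persistence.
ENC_FLAG_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
TASK_CMD_RE = re.compile(r"(?i)schtasks|Register-ScheduledTask")
TASK_NAME_RE = re.compile(r"""(?i)(?:/tn\s+|-TaskName\s+)['"]?([^'"\s]+)""")


def ps_encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ps_decode(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scheduled_task_names(script):
    """Task names registered through schtasks.exe or Register-ScheduledTask, if any."""
    return TASK_NAME_RE.findall(script) if TASK_CMD_RE.search(script) else []


def hunt(records, suspicious_names=("CalendarChecker",)):
    """Return every process launch that registers a scheduled task, decoding any
    encoded PowerShell payload first; `known_name` marks a match on a reported name."""
    wanted = {n.lower() for n in suspicious_names}
    findings = []
    for rec in records:
        scripts = [rec["command_line"]]
        for token in ENC_FLAG_RE.findall(rec["command_line"]):
            decoded = ps_decode(token)
            if decoded:
                scripts.append(decoded)
        names = [n for s in scripts for n in scheduled_task_names(s)]
        if not names:
            continue
        findings.append({
            "pid": rec["pid"],
            "image": rec["image"],
            "task_names": names,
            "decoded": scripts[1:],
            "known_name": any(n.lower() in wanted for n in names),
        })
    return findings


# CONSTRUCTED process-creation records (Sysmon Event ID 1 style). Only the task
# name CalendarChecker comes from TAG's report; the action path and the command
# line are placeholders, not the real SPICA persistence command.
PERSIST_CMD = 'schtasks /create /tn "CalendarChecker" /tr "C:\\Users\\Public\\update.exe" /sc minute /mo 10 /f'
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    {"pid": 3304, "image": PS, "command_line": 'powershell.exe -NoProfile -Command "Get-Date"'},
    {"pid": 3377, "image": PS, "command_line": "powershell.exe -enc " + ps_encode("Get-ChildItem C:\\Temp")},
    {"pid": 4120, "image": PS,
     "command_line": "powershell.exe -WindowStyle Hidden -EncodedCommand " + ps_encode(PERSIST_CMD)},
    {"pid": 4188, "image": PS,
     "command_line": 'powershell.exe -Command "schtasks /create /tn Backup /tr C:\\backup.cmd /sc daily"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        tag = "KNOWN" if f["known_name"] else "review"
        print(f"[{tag}] pid {f['pid']} registers task(s) {f['task_names']}; decoded payloads: {f['decoded']}")
```

Any encoded command that registers a task is worth a look, not just the one whose name matches; the report expects multiple SPICA variants, and the task name is the easiest indicator for an operator to change.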

In December, the UK National Cyber Security Centre (NCSC) and Microsoft reported that the Russia-linked APT group Callisto Group is targeting organizations worldwide. The nation-state actor is carrying out spear-phishing attacks for cyberespionage purposes.


Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog

18 January 2024 at 19:07

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chrome and Citrix flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

  • CVE-2023-6548 – Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability.
  • CVE-2023-6549 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability.
  • CVE-2024-0519 – Google Chromium V8 Out-of-Bounds Memory Access Vulnerability.

This week Citrix warned customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting Netscaler ADC and Gateway appliances.

“Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the advisory.

CVE-2023-6548 is a code injection flaw in the management interface that allows an authenticated, low-privileged attacker with access to the NSIP (NetScaler IP), the CLIP (cluster IP) or a SNIP (subnet IP) with management access enabled to execute code remotely. Because it is confined to the management interface, Cloud Software Group recommends separating management traffic from production traffic, either physically or logically, and never exposing the management interface to the internet, as explained in its secure deployment guide.

CVE-2023-6549 is a denial-of-service issue. It can be exploited only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

This week, Google released security updates to address the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

The high-severity vulnerability, tracked as CVE-2024-0519, is an out-of-bounds memory access in V8, Chrome's JavaScript engine. The flaw was reported anonymously on January 11, 2024.

“The Stable channel has been updated to 120.0.6099.234 for Mac and 120.0.6099.224 for Linux and 120.0.6099.224/225 to Windows which will roll out over the coming days/weeks.” reads the security advisory published by the IT giant. “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”

A remote attacker who tricks a user into visiting a crafted HTML page can trigger the out-of-bounds access and potentially exploit the resulting heap corruption.

As usual, Google did not share details of the attacks that exploited the CVE-2024-0519 zero-day in the wild.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA ordered federal agencies to address these vulnerabilities by February 2, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Kansas State University suffered a serious cybersecurity incident

19 January 2024 at 08:05

Kansas State University (K-State) suffered a cybersecurity incident that has disrupted part of its network and services.

Kansas State University (K-State) suffered a cybersecurity incident that impacted a portion of its network and services.

On January 16, 2024, K-State announced that it was experiencing a disruption to certain network systems, including the VPN, K-State Today emails, and videos on Canvas and Mediasite.

The university immediately launched an investigation into the incident.

“We are able to confirm that these disruptions are the result of a recent cybersecurity incident, and as such, we want you to know that these impacted systems were taken offline and will remain offline for the immediate future as the investigation continues.” reads the message post by the University on its website. “This will also include select shared drives and printers, as well as university listservs.” 

Kansas State University (KSU, Kansas State, or K-State) is a public land-grant research university with its main campus in Manhattan, Kansas. The university is classified among “R1: Doctoral Universities – Very high research activity”. Kansas State’s academic offerings are administered through nine colleges, including the College of Veterinary Medicine and the College of Technology and Aviation in Salina. Graduate degrees offered include 65 master’s degree programs and 45 doctoral degrees.

At present, Kansas State University enrolls 20,000 students and has a faculty comprising over 1,400 academic staff members.

KSU urges staff and students to report any suspicious activity.

On January 17, the university announced that emails would return in a temporary format on Thursday, Jan. 18.

On January 18, KSU Wireless was still unavailable, the university recommends the use of KSU Guest to connect wirelessly during this time.

At this time, K-State has yet to provide details about the security breach.


Pierluigi Paganini

(SecurityAffairs – hacking, KSU)

The Quantum Computing Cryptopocalypse – I’ll Know It When I See It

19 January 2024 at 08:36

Can quantum computing break cryptography? Can it do it within a person’s lifetime? Will it be a cryptopocalypse, as some experts suggest?

Can quantum computing break cryptography? Sure, it can. Can it do it within a person's lifetime? Yes. In fact, it will likely achieve this sometime within your career. Will it be a cryptopocalypse, as some experts suggest? Possibly. Advances in quantum computing mean that we don't necessarily have to wait for a large, cryogenically cooled quantum computer with enough qubits to run Shor's algorithm (the best-known quantum algorithm for factoring large numbers). There are newer, more sophisticated techniques on the table, such as combinations of attacks that achieve what a single brute-force approach cannot. So it might not be time to panic, but it certainly is time to recognize that the threats and the benefits of quantum computing are here now, and security professionals need to ensure that they and the organizations they work for are fully prepared.

These are just some of the thoughts that Johna Till Johnson, CEO at Nemertes Research, and Bob Burns, Chief Product Security Officer at Thales, shared with me on the latest episode of the Security Sessions podcast. Quantum has been discussed and theorized about for years, and, like the “sudden” rise of AI and generative technology that seemed to happen in early 2023, efficient and cost-effective use of quantum computing may also reach critical mass sooner than expected, despite its long voyage of research and development.

Bob asks, for example, “What happens if we find that quantum computing actually can be used as a multistage step to break the factoring that doesn’t involve Shor’s algorithm? What if we make incremental improvements or chain multiple results from a quantum computer that’s realizable today?” Those are the types of thoughts that keep him up at night. They are a testament to people’s relentless desire for innovation, as well as their abilities to advance by developing techniques, products, and solutions that weren’t even foreseen when the technology was first introduced.

Are we closer to Q-Day than we estimate?

You can say such things about almost any technology, of course – the personal computer, the internet, and the smartphone – they all became much more versatile than their inventors ever foresaw. But Johna provides a recent example of this kind of evolution in breaking cryptography: researchers at the KTH Royal Institute of Technology in Stockholm combined recursive-learning neural networks with side-channel attacks to recover keys from an implementation of one of NIST’s post-quantum algorithms. The attack did not break the mathematics of the scheme; it measured out-of-band information leaking from the device while it processed the secret (physical leakage from the hardware, captured in the published KTH work as power-consumption traces, rather than the ciphertext itself). That is the practical caveat: a post-quantum algorithm is only as strong as its implementation, and side-channel resistance is a separate requirement from algorithmic security.

This has direct and ominous implications for what is known as Q-Day – that point in time “when quantum computers can render all current encryption methods meaningless,” as PCMagazine succinctly puts it. But as Bob points out, for calculating a Q-Day, “I look at all my data, and I take the biggest amount of data that I want to keep the longest amount of time, and I predict how long it might take me to make that transition. But when my Q-Day ends up being, let’s say, ten years away, my concern will be that someone forces that up to three or four years.” The framing matters because of harvest-now, decrypt-later collection: ciphertext recorded today is only as safe as the arrival date of a capable machine, so the relevant deadline is set by the data’s shelf life plus the migration time, not by the computer alone.

For the hard to solve problems, an improved answer is good enough

But both Johna and Bob point out that quantum computing is not all doom and gloom. There are lots of good reasons to deploy quantum computing, and many aren’t what most people think they are. Basically, Johna says quantum computers suit problems for which the answer need not be the best or the only one, just good enough by some consistent definition of good enough; policy hardening is her example. Whether this refers to a technical policy, a cybersecurity policy, or even a geopolitical policy, it’s helpful to know all the answers. In the latter case, a government might need to identify all the possible things it can do that will not result in war with a particular country. That’s the kind of thing that a classical computer with AI can’t answer very well, but a quantum computer can, because it effectively explores all the possible scenarios and outcomes at once. It’s not great at telling you which of those scenarios is the absolute best, but it can help decision-makers draw a line and say: anything above this line, we don’t go to war, and that’s good enough.

Essentially, this is about taking on the category of problems that we don’t even try to solve right now because they’re too hard; they require a technique of solving all possible scenarios at once and cherry-picking the ones that come above some definition of good enough. And those are all the problems that quantum can solve. Johna concludes, “Once you let your imagination go with that, policy hardening is just kind of the tip of the iceberg.”

About the author: Steve Prentice

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, quantum computing)

U.S. CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082

19 January 2024 at 14:14

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM flaw CVE-2023-35082 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti EPMM flaw CVE-2023-35082 (CVSS score: 9.8) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

At the end of July 2023, Ivanti disclosed a security vulnerability in Endpoint Manager Mobile (EPMM), tracked as CVE-2023-35078 (rated critical, CVSS 10.0, by Ivanti), an authentication bypass that was exploited in the wild as part of an exploit chain by threat actors.

In early August, Rapid7 researchers discovered a bypass for the CVE-2023-35078 vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

The new vulnerability, tracked as CVE-2023-35082 (rated 10.0 by Ivanti and 9.8 on NVD), is likewise an authentication bypass that lets unauthenticated attackers reach the EPMM API. Ivanti’s initial advisory limited it to older, unsupported MobileIron Core releases (11.2 and below) and named MobileIron Core 11.3 as the fixed version, but the vendor later widened the affected-version list to include supported EPMM releases, so administrators should check the current Ivanti advisory rather than rely on the 11.3 cutoff.

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti reported in August 2023.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the catalogued vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 8, 2024.
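The KEV catalog is published as a JSON feed, and the practical way to act on additions like this one is to cross-reference it against your own asset inventory and sort by due date. The following is an added example, not code from CISA or from the original article: the feed excerpt is constructed in the shape of the real known_exploited_vulnerabilities.json (the second entry’s dates are placeholders), the inventory is made up, and the triage rules are the editor’s, not a CISA requirement.

```python
"""Cross-check an asset inventory against the CISA KEV catalog (added example)."""
import json
from datetime import date, datetime

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json feed.
# Only the fields this script reads are populated; the second entry's dates are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-35082", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM) and MobileIron Core",
         "dateAdded": "2024-01-18", "dueDate": "2024-02-08",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-34048", "vendorProject": "VMware",
         "product": "vCenter Server",
         "dateAdded": "2024-01-22", "dueDate": "2024-02-12",   # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: (asset, CVE believed to be unpatched on it).
SAMPLE_INVENTORY = [
    ("mdm-01.corp.example", "CVE-2023-35082"),
    ("vcsa-01.corp.example", "CVE-2023-34048"),
    ("wiki-01.corp.example", "CVE-2023-22527"),  # absent from the sample feed, so it is skipped
]


def load_kev(kev_json: str) -> dict:
    """Index KEV entries by CVE ID so inventory lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev_json: str, inventory, today: date) -> list:
    """Return one finding per (asset, CVE) pair that appears in KEV, most urgent first.

    Only CVEs present in the feed produce findings; a CVE missing from the feed
    is not evidence that it is unexploited, just that CISA has not listed it.
    """
    kev = load_kev(kev_json)
    findings = []
    for asset, cve in inventory:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        findings.append({
            "asset": asset,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,     # negative means past the BOD 22-01 due date
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.today()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["asset"]:24} {f["cve"]:16} {flag:12} {f["product"]}')
```

In production the inventory column would come from your vulnerability scanner export and the feed from the CISA URL; the sort puts anything already past its due date at the top, which is the list to walk first.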

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti EPMM)

Ransomware attacks break records in 2023: the number of victims rose by 128%

19 January 2024 at 14:56

Ransomware groups claimed that they successfully targeted 4191 victims in 2023, Cybernews researchers report.

According to the Ransomlooker tool, the number of ransomware attack victims increased by 128.17% compared to the previous year (2022), when 1837 victims were recorded.

Based on Ransomlooker, a free Cybernews tool for monitoring the dark web and other hidden areas of the internet, more ransomware attacks occurred in spring and summer, with 1253 and 1275 victims, compared to winter and autumn, which had 611 and 1052 incidents, respectively. Winter was the least active time (14.6% of attacks in 2023), while summer was the most active for ransomware attacks (30.4%).

Furthermore, based on findings from the Ransomlooker tool, Cybernews reports an average of 36 successful ransomware attacks per day in 2023, or more than one successful ransomware attack claim against a company per hour. Note that the headline total of 4191 victims works out to roughly 11.5 claims per day, so the per-day figure evidently counts incidents differently from the victim tally; treat the two as separate metrics rather than trying to reconcile them.

The most targeted country in the world: the USA

Ransomlooker data shows that the most targeted countries over the past four years are the same top five countries: the United States, United Kingdom, Canada, Germany, and France.

The US consistently takes the first position, significantly surpassing other countries, with a victim count sometimes nearly ten times greater than the second-ranked country. Other economically and technologically advanced countries consistently maintaining a presence in the top ten include Italy, Australia, and Spain.

What is more unexpected is the continued inclusion of India and Brazil in the top 12 despite their smaller economies. This is consistent with a comparatively limited ability to invest in advanced cybersecurity practices and a correspondingly greater exposure to successful ransomware attacks.

The most active group in 2023: LockBit

According to the data presented by the Cybernews research team, 66 active ransomware groups were identified and operating within the digital landscape in 2023. The top 10 groups, based on the number of victims, collectively account for 59% of the total victims in 2023.

LockBit remained the most active group through 2023. It claimed the most victims, 1009 incidents, nearly a quarter of all ransomware victims in 2023. The group primarily focused its attacks on the construction, manufacturing/industrial, and retail industries.

Top targeted companies: Stanford University, Volt, CoinBase

According to data from Ransomlooker, the top 10 industries targeted by ransomware groups in 2023 were IT services and IT consulting, construction, manufacturing and industrial, retail, hospitals and health care, insurance, law practice, real estate, software development, and machinery manufacturing.

The data show a shift in ransomware targets over the past three years: previously dominated by the construction industry, the ranking is led by the IT sector in 2023.

In the IT service and consulting sector, Stanford University, Volt, and CoinBase were reportedly identified by the Ransomlooker tool as the top companies targeted by ransomware gangs based on their annual revenue in 2023.

You can read the full report here; the data in the report were collected up to December 19th, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

China-linked APT UNC3886 exploits VMware zero-day since 2021

19 January 2024 at 19:32

China-linked group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

Mandiant researchers reported that China-linked APT group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

vCenter Server is a critical component in VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

In October 2023, VMware addressed a critical out-of-bounds write vulnerability, tracked as CVE-2023-34048 (CVSS score 9.8), that impacts vCenter Server.

The company updated its advisory on January 18, 2024, to state that it is aware of exploitation in the wild.

“As of January 18, 2024 VMware is aware of exploitation “in the wild.”” reads the advisory.

In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware Tools zero-day, tracked as CVE-2023-20867, from compromised ESXi hosts.

Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.

The technique was used to achieve administrative access on VMware ESXi hypervisors and take over vCenter servers and the Windows and Linux virtual machines running on them.

The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

Further investigation by Mandiant revealed additional techniques UNC3886 used to target multiple organizations while avoiding EDR solutions.

The cyberespionage group was observed harvesting the service-account credentials of all connected ESXi hosts from the vPostgreSQL database embedded in the vCenter Server Appliance. The threat actors exploited CVE-2023-20867 to execute privileged commands on Windows, Linux, and PhotonOS (vCenter) guest VMs from a compromised ESXi host, without authenticating with guest credentials and without any default logging on the guests.

CVE-2023-20867 is only exploitable by an attacker who already has root access on the ESXi host, which is why the group’s initial foothold on the hypervisor matters.

The attackers then deployed backdoors on ESXi hosts that communicate over the VMCI socket address family (a host-to-guest channel that does not traverse the TCP/IP network) for lateral movement and persistence.

In those attacks, the group was also spotted modifying and disabling logging services on compromised systems.


At the time, Mandiant had no evidence of how the attackers were initially deploying the backdoors onto vCenter systems.

In late 2023, Mandiant noticed that the VMware vmdird service (the VMware Directory Service) had crashed minutes before the backdoors were deployed.

“Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.” reads the report published by Mandiant.

Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noted that in most of the environments where these crashes occurred the log entries recording the crash were preserved, while the vmdird core dumps themselves had been removed.

“VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.” concludes the report. “As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends that VMware users update to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild.”
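The two observations above (a vmdird crash logged shortly before new files appear, and a core dump that should exist but does not) are something you can hunt for retroactively. Below is an added example, not Mandiant’s or VMware’s code, that correlates the two signals. The log-line and core-file naming patterns are assumptions chosen for the example and must be adjusted to what your appliance actually writes; the sample log lines, directory listing, and file timestamps are constructed, and the dropped-file path is hypothetical.

```python
"""Correlate logged vmdird crashes with core dumps on disk (added example)."""
import re
from datetime import datetime, timedelta

# Assumed shapes (hypothetical; verify against the real vCenter format before relying on it):
#   log line:  "<ISO ts> <host> vmdird[<pid>]: ... signal 11 ... core dumped"
#   core file: "core.vmdird-<pid>"
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ vmdird\[(?P<pid>\d+)\]:.*"
    r"(?:signal 11|segfault|core dumped)",
    re.IGNORECASE,
)
CORE_RE = re.compile(r"^core\.vmdird-(?P<pid>\d+)$")


def find_crashes(log_lines):
    """Return (timestamp, pid) for every logged vmdird crash."""
    crashes = []
    for line in log_lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append((datetime.fromisoformat(m["ts"]), int(m["pid"])))
    return crashes


def core_pids(core_dir_listing):
    """PIDs that still have a core file on disk."""
    pids = set()
    for name in core_dir_listing:
        m = CORE_RE.match(name)
        if m:
            pids.add(int(m["pid"]))
    return pids


def missing_core_dumps(log_lines, core_dir_listing):
    """Crashes that were logged but whose core dump is gone.

    vCenter keeps cores indefinitely by default, so a missing one needs an explanation.
    """
    present = core_pids(core_dir_listing)
    return [(ts, pid) for ts, pid in find_crashes(log_lines) if pid not in present]


def files_created_after_crash(log_lines, file_mtimes, window=timedelta(minutes=30)):
    """Files whose mtime falls inside `window` after a crash: candidate dropped payloads."""
    hits = []
    for ts, pid in find_crashes(log_lines):
        for path, mtime in file_mtimes:
            if ts <= mtime <= ts + window:
                hits.append((pid, path))
    return hits


# Constructed sample data.
SAMPLE_LOG = [
    "2021-12-03T02:14:07 vcsa vmdird[4312]: process terminated by signal 11, core dumped",
    "2021-12-03T02:31:40 vcsa vmdird[5120]: process terminated by signal 11, core dumped",
    "2021-12-03T03:00:00 vcsa vpxd[1000]: service started",
]
SAMPLE_CORE_DIR = ["core.vmdird-5120", "core.vpxd-9001"]   # core for PID 4312 is absent
SAMPLE_MTIMES = [
    ("/var/tmp/.cache-helper", datetime(2021, 12, 3, 2, 20, 0)),       # hypothetical dropped file
    ("/var/log/vmware/vpxd/vpxd.log", datetime(2021, 12, 3, 3, 10, 0)),
]

if __name__ == "__main__":
    print("crashes without core dump:", missing_core_dumps(SAMPLE_LOG, SAMPLE_CORE_DIR))
    print("files created after a crash:", files_created_after_crash(SAMPLE_LOG, SAMPLE_MTIMES))
```

On a real appliance you would feed this the crash lines from the vmdird log, a listing of the core directory, and an mtime sweep of the filesystem; a crash with no core and a new executable minutes later is exactly the sequence the report describes.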

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UNC3886)

VF Corp December data breach impacts 35 million customers

19 January 2024 at 23:37

American global apparel and footwear company VF Corp revealed that the December data breach impacted 35.5 million customers.

VF Corporation is an American global apparel and footwear company that owns 13 brands. In 2015, the company controlled 55% of the U.S. backpack market with the JanSport, Dickies, Eastpak, Timberland, Smartwool, Vans, and The North Face brands.

In December 2023, VF Corp announced it was the victim of a ransomware attack and was forced to take some systems down to contain the threat.

The company has now confirmed that attackers stole corporate and personal information belonging to approximately 35.5 million customers.

On December 13, 2023, VF Corp detected unauthorized access to a portion of its infrastructure. VF immediately began taking measures to remediate the attack and launched an investigation into the security breach.

“Based on VF’s preliminary analysis from its ongoing investigation, VF currently estimates that the threat actor stole personal data of approximately 35.5 million individual consumers.” reads a Form 8-K filed with the Securities and Exchange Commission (SEC) on January 18, 2024. “However, VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.”

The company pointed out that it does not store Social Security numbers and financial information in its systems. VF Corp also added that it has found no evidence that customer passwords were stolen.

Following the shutdown of certain systems, VF encountered disruptions in its operations. The incident interrupted retail store inventory replenishment and delayed order fulfillment. These issues resulted in customer and consumer cancellations of product orders, reduced demand on certain brand e-commerce sites, and delays in some wholesale shipments.

The company has restored all impacted systems, however, it is still experiencing minor issues.

“VF believes that the material impact or reasonably likely material impact on VF is limited to the material impacts on VF’s business operations disclosed in the Original Report which are no longer ongoing at this time. As of the date of this Amendment, VF also believes the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.” concludes the Form 8-K.

“VF will be seeking reimbursement of costs, expenses and losses stemming from the cyber incident by submitting claims to VF’s cybersecurity insurers. The timing and amount of any such reimbursements is not known at this time.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VF Corp)

Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails

20 January 2024 at 11:37

Microsoft revealed that the Russia-linked APT Midnight Blizzard has compromised some of its corporate email accounts. 

Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. Microsoft notified law enforcement and relevant regulatory authorities.

The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyberespionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.

Microsoft discovered the intrusion on January 12, 2024, and immediately launched an investigation into the security breach. The IT giant said it has locked the threat actors out and mitigated the attack.

“On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis.” reads a Form 8-K filing with the SEC. “We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident.”

The company attributed the attack to the Russian cyberespionage group Midnight Blizzard.

The state-sponsored hackers first compromised the company’s systems in late November 2023 with a password spray attack. Password spraying is a form of brute-force attack in which the attacker tries one password, or a short list of common or default passwords, against a large list of usernames. Because each account sees only one or two attempts, the attack stays under the per-account lockout thresholds that would trip if many passwords were tried against a single account; the telltale pattern is instead many distinct usernames failing from the same source in a short window.
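The difference between a spray and a classic single-account brute force is visible in authentication logs if you group failures by source rather than by account. The following is an added example written for this article, not Microsoft’s detection logic: the log format is an assumption chosen for the example, the sample lines and IP addresses are constructed (RFC 5737 documentation ranges), and the thresholds are illustrative starting points, not tuned values.

```python
"""Password spray versus single-account brute force in auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)   # fixed reference so window bucketing is timezone-independent


def parse_log(text):
    """Parse lines of the assumed form '<ISO ts> <FAIL|SUCCESS> user=<name> src=<ip>'."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "SUCCESS",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def analyze(events, window=timedelta(minutes=10), min_users=5, max_per_user=2, min_failures=10):
    """Bucket failures by (source, time window) and classify each bucket.

    spray:        many distinct users, each with at most `max_per_user` failures
                  (low enough to stay under a per-account lockout)
    brute_force:  one user with at least `min_failures` failures from one source
    Any SUCCESS from a spraying source in the same window is recorded as a likely hit.
    """
    buckets = defaultdict(list)
    for ev in events:
        idx = int((ev["ts"] - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ev["src"], idx)].append(ev)

    spray, brute = {}, {}
    for (src, _), evs in buckets.items():
        fails = defaultdict(int)
        for ev in evs:
            if not ev["ok"]:
                fails[ev["user"]] += 1
        if not fails:
            continue
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            spray[src] = {
                "distinct_users": len(fails),
                "attempts": sum(fails.values()),
                "successes": [ev["user"] for ev in evs if ev["ok"]],
            }
        for user, n in fails.items():
            if n >= min_failures:
                brute[src] = {"user": user, "attempts": n}
    return {"spray": spray, "brute_force": brute}


# Constructed sample: a spray (10 accounts, one try each, then a hit on a test account),
# a classic brute force against one account, and a normal user who mistyped once.
SAMPLE_LOG = "\n".join(
    [f"2023-11-20T09:00:{i:02d} FAIL user=user{i:02d} src=203.0.113.7" for i in range(10)]
    + ["2023-11-20T09:00:12 SUCCESS user=legacy-test src=203.0.113.7"]
    + [f"2023-11-20T09:01:{i:02d} FAIL user=carol src=198.51.100.9" for i in range(12)]
    + ["2023-11-20T09:01:30 FAIL user=dave src=192.0.2.5",
       "2023-11-20T09:01:35 SUCCESS user=dave src=192.0.2.5"]
)

if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG)))
```

A per-account lockout policy catches the second source and never sees the first, which is why the spray detector keys on distinct usernames per source; real deployments also need to aggregate across rotating source IPs, since a patient attacker spreads attempts over many addresses and days.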

Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.  

The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” wrote Microsoft. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

According to the Form 8-K, the incident has not had a material impact on the Company’s operations.

“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” reads the document.

The lesson from the incident is that the compromised account, on a legacy non-production test tenant, was not protected against low-and-slow credential guessing. Effective mitigations include enforcing multi-factor authentication everywhere, including test and legacy tenants; banning weak and previously breached passwords; rate limiting and CAPTCHAs on login endpoints; lockout policies that also count failures per source, not only per account, since a spray never trips a per-account threshold; and monitoring authentication logs for the many-users, few-attempts signature of a spray.

Italian readers can listen to my podcast on the importance of enabling 2FA to protect our accounts.

https://tg24.sky.it/tecnologia/2024/01/17/cybersecurity-quella-porta-blindata-che-puo-salvare-un-account

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

Admin of the BreachForums hacking forum sentenced to 20 years supervised release

20 January 2024 at 22:01

Conor Brian Fitzpatrick, the admin of the BreachForums hacking forum, has been sentenced to 20 years supervised release.

Conor Brian Fitzpatrick, the admin of the BreachForums hacking forum, was sentenced to 20 years of supervised release.

In July, Fitzpatrick agreed to plead guilty to a three-count criminal information charging him with conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child pornography.

BreachForums functioned as a cybercrime marketplace, enabling its members to engage in the solicitation, sale, purchase, and exchange of illicitly obtained or compromised data, along with various contraband items. Traded goods included stolen access devices, cybercrime tools, compromised databases, and services aimed at gaining unauthorized access to targeted systems.

In March 2023, U.S. law enforcement arrested Fitzpatrick, known online as Pompompurin; agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.

The BreachForums hacking forum was launched in 2022 after law enforcement seized RaidForums in Operation TOURNIQUET. Pompompurin always claimed he was ‘not affiliated with RaidForums in any capacity.’

In a memorandum filed on January 16th, U.S. prosecutors recommended that the court sentence Fitzpatrick to 15 years in prison.

Today the United States government recommended to the courts that Conor Fitzpatrick, the previous administrator of BreachedForum, receive 15 years in prison. pic.twitter.com/HP5fl4tbBe

— vx-underground (@vxunderground) January 17, 2024

VX-Underground and BleepingComputer first revealed that the man was ultimately sentenced to time served and 20 years of supervised release.

Today we spoke with individuals from the US Eastern District Court of Virginia. We requested information from the Clerks office on the official sentencing of Mr. Conor Fitzpatrick, the previous administrator of BreachedForum.

He was sentenced to 20 years supervised release

— vx-underground (@vxunderground) January 19, 2024

A federal judge ruled that the first two years of the 20-year term of supervised release will be served under home confinement, as outlined in a sentencing document published on Friday and shared by CyberScoop. During the first year of home confinement, Fitzpatrick will be barred from accessing the internet and is required to register with state sex offender registries.

“The defendant shall serve his first two (2) years of supervised release on HOME ARREST with GPS location monitoring with the following outings and permission given in advance by the probation officer: Therapy sessions, meetings with the probation officer, medical appointments, and religious observances.” reads the sentence. “The defendant shall comply with the requirements of the computer monitoring program as administered by the probation office. The defendant shall allow the probation officer to install computer monitoring software on any computer the defendant uses.”

Fitzpatrick was also ordered to pay restitution for the losses incurred by the victims, with the specific amount yet to be decided.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

Security Affairs newsletter Round 455 by Pierluigi Paganini – INTERNATIONAL EDITION

21 January 2024 at 09:16

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Admin of the BreachForums hacking forum sentenced to 20 years supervised release
Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails
VF Corp December data breach impacts 35 million customers
China-linked APT UNC3886 exploits VMware zero-day since 2021
Ransomware attacks break records in 2023: the number of victims rose by 128%
U.S. CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082
The Quantum Computing Cryptopocalypse – I’ll Know It When I See It
Kansas State University suffered a serious cybersecurity incident
CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
Google TAG warns that Russian COLDRIVER APT is using a custom backdoor
PixieFail: Nine flaws in UEFI open-source reference implementation could have severe impacts
iShutdown lightweight method allows to discover spyware infections on iPhones
Pro-Russia group hit Swiss govt sites after Zelensky visit in Davos
Github rotated credentials after the discovery of a vulnerability
FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation
Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
Google fixed the first actively exploited Chrome zero-day of 2024
Atlassian fixed critical RCE in older Confluence versions
VMware fixed a critical flaw in Aria Automation. Patch it now!
Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
Experts warn of a vulnerability affecting Bosch BCC100 Thermostat
Over 178,000 SonicWall next-generation firewalls (NGFW) online exposed to hack
Phemedrone info stealer campaign exploits Windows smartScreen bypass
Balada Injector continues to infect thousands of WordPress sites
Attackers target Apache Hadoop and Flink to deliver cryptominers
Apple fixed a bug in Magic Keyboard that allows to monitor Bluetooth traffic
Attacks against Denmark’s energy sector were not carried out by Russia-linked APT
Mastermind behind 1.8 million cryptojacking scheme arrested in Ukraine

Cybercrime

Cryptojacker arrested in Ukraine over EUR 1.8 million mining scheme  

3 Ransomware Group Newcomers to Watch in 2024

E-Crime Rapper ‘Punchmade Dev’ Debuts Card Shop  

Ransomware landscape overview 2023  

Jailed BreachForums creator, admin sentenced to 20 years of supervised release  

Malware

Medusa Ransomware Turning Your Files into Stone      

Thousands of Sites with Popup Builder Compromised by Balada Injector

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign  

Why Join The Navy If You Can Be A Pirate?  

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

CISA and FBI Release Known IOCs Associated with Androxgh0st Malware  

A lightweight method to detect potential iOS malware  

Hacking

Cockpit door lock auto-unlock is no surprise  

Apache Applications Targeted by Stealthy Attacker  

It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable  

Hacking IoT & RF Devices with BürtleinaBoard™  

Vulnerabilities identified in Bosch BCC100 Thermostat  

Ivanti Connect Secure VPN Exploitation Goes Global   

Citrix warns of new Netscaler zero-days exploited in attacks

PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021    

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity 

Intelligence and Information Warfare 

Clearing the Fog of War – A critical analysis of recent energy sector cyberattacks in Denmark and Ukraine    

From artificial intelligence to cybersecurity: how Brazil prepares for the challenge of the elections of the future

When You Roam, You’re Not Alone

Swiss Govt Websites Hit by Pro-Russia Hackers After Zelensky Visit 

Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Details Emerge on Alleged MI6 Spy in China  

Cybersecurity

Analysis of Android settings during a forensic investigation  

Google fixes first actively exploited Chrome zero-day of 2024

Rotating credentials for GitHub.com and new GHES patches  

JPMorgan Chase says hacking attempts are increasing

PSA: Anyone can tell if you are using WhatsApp on your computer      

Cyber attacks reveal fragility of financial markets  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

LockBit ransomware gang claims the attack on the sandwich chain Subway

21 January 2024 at 19:46

The LockBit ransomware gang claimed to have hacked Subway, the American multinational fast food restaurant franchise. 

Subway IP LLC is an American multinational fast-food restaurant franchise that specializes in submarine sandwiches (subs), wraps, salads, and drinks.

The LockBit ransomware group added Subway to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 02, 2024 at 21:44:16 UTC. The group claims to have stolen hundreds of gigabytes of sensitive data, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, and more.

“The biggest sandwich chain is pretending that nothing happened. We exfiltrated their SUBS internal system which includes hundreds of gigabytes of data and all financial aspects of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers etc. We are giving some time for them to come and protect this data, if not we are open to sell to competitors.” reads the message published on the Tor leak site.

At this time, it is unknown what ransom the LockBit group has demanded from the victim, and Subway has not confirmed the breach.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Backdoored pirated applications targets Apple macOS users

22 January 2024 at 06:31

Researchers warned that pirated applications have been employed to deliver a backdoor to Apple macOS users.

Jamf Threat Labs researchers warned that pirated applications have been utilized to distribute a backdoor to Apple macOS users.

The researchers noticed that the apps resemble ZuRu malware: they allow operators to download and execute multiple payloads to compromise machines in the background.

The pirated applications discovered by Jamf Threat Labs are being hosted on Chinese pirating websites.

During their investigation, the researchers detected an executable named .fseventsd. The executable attempts to avoid detection by starting with a period (which keeps it out of default directory listings) and by using the name of a process built into the operating system. It is not signed by Apple; however, at the time of the research it was not detected by any anti-virus engine on VirusTotal.

Using VirusTotal, Jamf Threat Labs researchers discovered that the .fseventsd binary was initially uploaded as part of a larger DMG file. Further investigation on VirusTotal revealed three pirated applications that contained the same malware. The experts also discovered many pirated applications hosted on the Chinese website macyy[.]cn. The experts also identified two more trojanized DMGs following a similar pattern that had not been reported on VirusTotal.

The malware-laced DMG files include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

Each pirated application included the following components:

  • Malicious dylib, a library loaded by the application that acts as a dropper.
  • Backdoor: a binary downloaded by dylib that uses the Khepri open-source C2 and post-exploitation tool
  • Persistent downloader: a binary downloaded by dylib that is used to maintain persistence and downloads additional payloads

“Each application bundle has had its Mach-O executable modified with an additional load command.” reads the analysis published by Jamf. “This technique of hooking malware in via malicious dylib is considered fairly advanced as far as macOS malware goes. However, it does result in breaking the application signature. As a result, the apps are being distributed online as unsigned applications — a detail that many users who are downloading pirated applications likely don’t care about.”
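The two observable side effects Jamf describes, an extra dylib load command and a broken (absent) code signature, are both visible in the Mach-O header, so a defender can check for them without running the app. The following is an added example written for this article, not Jamf's tooling or the malware's code: it walks the load commands of a little-endian 64-bit Mach-O, lists every dylib the loader would pull in, compares them with an expected baseline, and reports whether an LC_CODE_SIGNATURE command is present. The two sample binaries are constructed inline (headers and load commands only, no machine code) and the dylib name libhook.dylib is a hypothetical placeholder.

```python
"""Added example (not Jamf's code): enumerate the dylib load commands of a
64-bit Mach-O file, flag any that are not on an expected baseline, and note a
missing LC_CODE_SIGNATURE. The sample binaries are constructed inline; the
dylib name libhook.dylib is a hypothetical placeholder."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D
HEADER_FMT = "<IiiIIIII"          # mach_header_64: magic .. reserved, 32 bytes
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}


def parse_load_commands(data: bytes):
    """Return (dylib paths, has_code_signature) for a little-endian 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files are not handled)")
    off, dylibs, signed = struct.calcsize(HEADER_FMT), [], False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated or malformed load command")
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name offset, timestamp, current, compat
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return dylibs, signed


def audit(data: bytes, expected: set[str]) -> list[str]:
    """Findings for one binary: dylibs outside the baseline and a missing signature."""
    dylibs, signed = parse_load_commands(data)
    findings = [f"unexpected dylib load command: {d}" for d in dylibs if d not in expected]
    if not signed:
        findings.append("no LC_CODE_SIGNATURE load command: binary is unsigned")
    return findings


# --- constructed sample binaries (headers and load commands only, no code) ---
def _dylib_cmd(path: str) -> bytes:
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)                   # pad to an 8-byte boundary
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0x10000, 0x10000) + name


def build_sample(dylibs: list[str], signed: bool) -> bytes:
    cmds = b"".join(_dylib_cmd(p) for p in dylibs)
    if signed:
        # linkedit_data_command: cmd, cmdsize, dataoff, datasize
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)
    ncmds = len(dylibs) + (1 if signed else 0)
    return struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0) + cmds


BASELINE = {"/usr/lib/libSystem.B.dylib",
            "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa"}
CLEAN = build_sample(sorted(BASELINE), signed=True)
TROJANIZED = build_sample(sorted(BASELINE) + ["@executable_path/../Frameworks/libhook.dylib"],
                          signed=False)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("trojanized", TROJANIZED)):
        print(label, audit(blob, BASELINE) or ["no findings"])
```

On a real system the baseline would come from a known-good copy of the same application (or the vendor's signed build), and the parser would first need to select the right slice of a fat binary; `otool -l` and `codesign -v` give the same two answers interactively, but a script like this is what you would run across a fleet of DMG contents.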

Upon executing the FinalShell.dmg application, the dylib library loads the backdoor “bd.log” and the downloader “fl01.log” from a remote server.

The bd.log backdoor is written to the path “/tmp/.test”. The executable stays hidden in the temporary directory, and storing the malware there means the backdoor is deleted when the system shuts down.

The backdoor is written in this path every time the pirated application is loaded and the dropper is executed.

“The executable found at the directory /Users/Shared/.fseventsd acts as a persistent downloader, enabling the execution of arbitrary payloads retrieved from the attacker’s server.” continues the analysis.

The malware creates a LaunchAgent to maintain persistence and sends an HTTP GET request to the attacker’s server.

The researchers discovered many similarities between this malware and the ZuRu malware that has been active since at least 2021 [1], [2].

Both malware families primarily target victims in China.

“The ZuRu malware was originally found in pirated applications iTerm, SecureCRT, Navicat Premium and Microsoft Remote Desktop Client. Upon opening the infected application, the user was presented with an operational app, but logic held within an added dylib would execute a Python script in the background to grab sensitive files and upload them to an attacker server.” concludes the report. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, pirated applications)

Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web

22 January 2024 at 09:27

Resecurity researchers warn of massive leak of stolen Thai personally identifiable information (PII) on the dark web by cybercriminals.

Resecurity has detected a noticeable increase in data leaks from consumer-focused platforms in Thailand, confirming that threat actors are actively targeting the personal data of citizens now at the beginning of 2024. Thailand is swiftly becoming a key player in the digital arena, particularly in the field of Information and Communication Technology (ICT), within the Asia-Pacific region. Notably, from the latter part of 2022 to the early months of 2023, there has been a significant drop in incidents of data breaches in the country.

But as we step into 2024, this trend might see a change. There are reports of cybercriminals, one known in the shadowy corners of the Dark Web as Naraka, circulating large amounts of stolen personal identifiable information (PII) of Thai citizens. It’s believed that these sensitive details were sourced from various breached platforms.

Threat actors target Thai-based e-commerce, fintech and government resources due to a large presence of personal documents both in text and graphical form used for KYC (“Know Your Customer”). Compared to 2023, there has been an increase in the frequency of attacks, as evidenced by the rising number of leaked data incidents involving consumers and businesses from Thailand on the Dark Web. In the early part of January 2024 alone, at least 14 significant data breaches exposing citizens’ information were posted on cybercriminal forums, nearly surpassing the annual volume of compromised records identified last year.

Threat actors use stolen PII data to defraud Thai citizens and attack financial organizations, which are actively developing and cultivating digitization in the region to serve a population of 71.6 million people.

More details are available in the report published by Resecurity:

https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – dark web, Thailand)

Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell

22 January 2024 at 11:19

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell.

Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering malicious code borrowed from the open-source web shell Godzilla.

Threat actors conceal the web shell within an unknown binary format, evading security and signature-based scanners. Once deployed, ActiveMQ’s JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in the Apache ActiveMQ.

Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

CVE-2023-46604 (CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Apache addressed the flaw with the release of new versions of ActiveMQ on October 25, 2023. The researchers pointed out that the proof-of-concept exploit code and vulnerability details are both publicly available.

The vulnerability affects the following versions:

  • ActiveMQ 5.18.0 before 5.18.3
  • ActiveMQ 5.17.0 before 5.17.6
  • ActiveMQ 5.16.0 before 5.16.7
  • ActiveMQ before 5.15.16
  • ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
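Because the affected ranges above are per minor line (5.16.x, 5.17.x, 5.18.x, plus everything below 5.15.16), a naive "is the version below 5.18.3" comparison misclassifies hosts; each range has to be checked with its own lower bound. The following is an added example written for this article, not Trustwave's or Apache's code: it encodes the ranges exactly as listed above and runs them over a constructed inventory of brokers. The component labels and inventory format are assumptions.

```python
"""Added example (not from Trustwave or Apache): a patch-status check built
from the affected-version list above. The inventory lines are constructed."""
import re

# (first affected, fixed in) per range; None = no lower bound ("before X").
AFFECTED = {
    "activemq": [("5.18.0", "5.18.3"), ("5.17.0", "5.17.6"),
                 ("5.16.0", "5.16.7"), (None, "5.15.16")],
    "activemq-legacy-openwire": [("5.18.0", "5.18.3"), ("5.17.0", "5.17.6"),
                                 ("5.16.0", "5.16.7"), ("5.8.0", "5.15.16")],
}


def parse_version(v: str) -> tuple[int, ...]:
    """'5.18.2' -> (5, 18, 2); suffixes such as '-SNAPSHOT' are ignored.
    Tuples compare component-wise, so (5, 18, 2) < (5, 18, 3) but (5, 19, 0) > (5, 18, 3)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_vulnerable(component: str, version: str) -> bool:
    """True when version falls inside one of the affected ranges for the component."""
    v = parse_version(version)
    for lo, hi in AFFECTED[component]:
        if (lo is None or parse_version(lo) <= v) and v < parse_version(hi):
            return True
    return False


def hosts_needing_patch(inventory: str) -> list[str]:
    """inventory: one 'host component version' per line; returns hosts still exposed."""
    exposed = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, component, version = line.split()
        if is_vulnerable(component, version):
            exposed.append(host)
    return exposed


INVENTORY = """\
# constructed sample inventory: host, component, version
broker-a activemq 5.18.2
broker-b activemq 5.18.3
broker-c activemq 5.15.9
broker-d activemq 5.16.7
legacy-e activemq-legacy-openwire 5.7.0
legacy-f activemq-legacy-openwire 5.9.1
"""

if __name__ == "__main__":
    print("still exposed to CVE-2023-46604:", hosts_needing_patch(INVENTORY))
```

The check is deliberately strict about the lower bound: `legacy-e` at 5.7.0 sits below the 5.8.0 start of the last legacy range and so is not reported, which matches the list as published rather than a guess about older releases.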

In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.

“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the analysis published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”

Once the web shell has been deployed, the threat actor can connect to it through the Godzilla management user interface and achieve complete control over the target system.

The Godzilla Web Shell supports multiple functionalities including:

  • Viewing network details
  • Conducting port scans
  • Executing Mimikatz commands
  • Running Meterpreter commands
  • Executing shell commands
  • Remotely managing SQL databases
  • Injecting shellcode into processes
  • Handling file management tasks

The report includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ActiveMQ) 

“My Slice”, an Italian adaptive phishing campaign

22 January 2024 at 13:38

Adaptive phishing campaigns are emerging as an increasingly sophisticated threat in the cybersecurity landscape.

The phenomenon

This phenomenon represents an evolution of traditional phishing tactics, as attackers seek to overcome defenses using more personalized and targeted approaches. In an adaptive phishing campaign, attackers gather specific information about victims through various sources, such as social media, public websites, and previous data breaches. This data is then used to tailor attacks, making them more convincing and harder to detect.

One of the key elements of these campaigns is social engineering, which aims to psychologically manipulate victims. Attackers may use personal information, such as names, job roles, or company details, to create fake messages that appear to come from trusted sources.

This significantly increases the likelihood that victims will fall into phishing traps. Adaptive phishing campaigns can be delivered through e-mail, text messages, social media, or even phone calls. Attackers often exploit current events or emergency situations to elicit emotional responses and induce victims to act hastily without carefully evaluating the legitimacy of the communications.

As Cert-AgiD (https://t.me/certagid/599) has also recently put the spotlight on this issue, I take this opportunity to tell you about the “My Slice” campaign, which I have personally handled.

“My slice”, the details of the Italian campaign

Last year, a highly targeted phishing campaign that I renamed “My slice” (derived from the name of a variable in the javascript code of the landing page) targeted e-mail account holders of Italian organisations.

The e-mail message attempts to pass itself off as support from the recipient’s own company, warning that the memory limit of their e-mail account has been exceeded, which would prevent e-mails from being sent and received. To remedy the problem, the message invites the recipient to check the status of the e-mail account via the proposed support page; otherwise the mailbox will be deleted from the management servers.

The proposed web page is highly customised (https://elinajaguar[.]com/wp-admin/index.html) and looks like a form with the logos and names of the targeted organisation, a preset e-mail address, and a password field to be filled in.

Following the request, you end up handing over your login information to the scammers while being redirected to your organisation’s home page. In fact, the information entered in the form is sent via a “POST” request to an attacker-controlled server listening on the same domain.

To set up this highly targeted phishing campaign, the attackers:

  • first pass the target’s e-mail address as a parameter to the phishing page: the “Clicca qui” link (https://elinajaguar[.]com/wp-admin/index.html#[[email protected]]) carries the targeted e-mail address after the “#” character;
  • then, with a JS function, extract the e-mail domain name and invoke the http://logo.clearbit[.]com/[domain name] service to obtain the company logo. The organisation’s domain name is the part of the victim’s e-mail address that follows the @ symbol (in this case, from “[email protected]” the domain name obtained is example.com);
  • finally, with another JS function, redirect the user after form submission to the home page of the target organisation. The home page address is built by prefixing the domain name obtained in the previous step with “http://www.” (in this case, from “example.com” the home page address is www.example.com).

How to Protect Yourself

To protect against these evolving threats, it is crucial to adopt good cybersecurity practices. Organizations and individuals should be aware of adaptive phishing techniques and implement cybersecurity training to educate users on how to recognize and avoid online scams.

In addition, the use of advanced security solutions, such as anti-phishing filters and AI-based threat detection systems, can help mitigate the risk of falling victim to these sophisticated campaigns.

In conclusion, the phenomenon of adaptive phishing campaigns underscores the need for a proactive approach to cybersecurity. Only through awareness, training and the adoption of advanced defense measures can we effectively protect our personal and business information from this growing digital threat.

Below are the IoCs of the campaign:

https://urlscan.io/result/08e72fcf-0f89-46c2-864c-f4d404764358/

https://urlscan.io/result/232d8b5f-aead-4064-8451-2b4d37d5c2a3/

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Apple fixed actively exploited zero-day CVE-2024-23222

22 January 2024 at 20:48

Apple addressed the first zero-day vulnerability that impacts iPhones, Macs, and Apple TVs. The issue is actively exploited in the wild.

Apple released security updates to address a zero-day vulnerability, tracked as CVE-2024-23222, that impacts iPhones, Macs, and Apple TVs. This is the first actively exploited zero-day vulnerability fixed by the company this year.

The vulnerability is a type confusion issue in WebKit; an attacker can exploit it by tricking victims into visiting maliciously crafted web content to achieve arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution.” reads the advisory published by the company. “Apple is aware of a report that this issue may have been exploited.”

The IT giant addressed the vulnerability with improved checks. The issue has been fixed in iOS 16.7.5 and later, iPadOS 16.7.5 and later, and macOS Monterey 12.7.3 and later, and with tvOS 17.3 and later.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-23222)

Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed

22 January 2024 at 22:05

Cybersecurity researcher Bob Dyachenko and CyberNews researchers discovered what is almost certainly the largest data leak ever found.

The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered.

There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, has discovered billions upon billions of exposed records on an open instance whose owner is unlikely ever to be identified.

  • You can check if your data was exposed in historic data breaches using the Cybernews data leak checker. Our team is working hard to update the tool and provide you with means to check if your data was exposed in the MOAB.

However, the researchers believe that the owner has a vested interest in storing large amounts of data and, therefore, could be a malicious actor, data broker, or some service that works with large amounts of data.

“The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” the researchers said.

The supermassive MOAB does not appear to be made up of newly stolen data only and is most likely the largest compilation of multiple breaches (COMB).

While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.

A quick run through the data tree reveals an astoundingly large number of records compiled from previous breaches. The largest number of records, 1.4 billion, comes from Tencent QQ, a Chinese instant messaging app.

However, there are supposedly hundreds of millions of records from Weibo (504M), MySpace (360M), Twitter (281M), Deezer (258M), Linkedin (251M), AdultFriendFinder (220M), Adobe (153M), Canva (143M), VK (101M), Daily Motion (86M), Dropbox (69M), Telegram (41M), and many other companies and organizations.

The leak also includes records of various government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries.

According to the team, the consumer impact of the supermassive MOAB could be unprecedented. Since many people reuse usernames and passwords, malicious actors could embark on a tsunami of credential-stuffing attacks.

“If users use the same passwords for their Netflix account as they do for their Gmail account, attackers can use this to pivot towards other, more sensitive accounts. Apart from that, users whose data has been included in supermassive MOAB may become victims of spear-phishing attacks or receive high levels of spam emails,” the researchers said.

The leak’s scale is of yet unseen proportions. For example, in 2021, Cybernews reported a COMB that contained 3.2 billion records – only 12% of the supermassive MOAB of 2024.

The full and searchable list of the leaks composing the MOAB is available in the original post published by CyberNews:

https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog

23 January 2024 at 08:00

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds VMware vCenter Server Out-of-Bounds Write bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a VMware vCenter Server Out-of-Bounds Write bug, tracked as CVE-2023-34048, to its Known Exploited Vulnerabilities (KEV) catalog.

vCenter Server is a critical component of the VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

In October, VMware addressed the flaw CVE-2023-34048 (CVSS score 9.8). Recently, the virtualization giant updated its advisory on January 18, 2023, revealing that it is aware of exploitation “in the wild.”

“As of January 18, 2024 VMware is aware of exploitation “in the wild.”” reads the advisory.

This week, Mandiant researchers reported that the China-linked APT group UNC3886 has been exploiting the vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.

Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.

The technique was used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux.

The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

Further investigation conducted by Mandiant revealed additional techniques the group UNC3886 used to target multiple organizations while evading EDR solutions.

In late 2023, Mandiant noticed that the VMware vmdird service had crashed minutes before the backdoors were deployed.

“Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.” reads the report published by Mandiant.

Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noticed that most environments where these crashes were observed had log entries preserved, however, the ‘vmdird’ core dumps were removed.

“VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.” concludes the report. “As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends VMware users updating to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 12, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Black Basta gang claims the hack of the UK water utility Southern Water

23 January 2024 at 08:51

The Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water, a major player in the UK water industry.

Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area.

The company is a major player in the UK water industry: it employs over 6,000 people and has an annual turnover of over £1 billion. It is committed to providing its customers with high-quality water and wastewater services.

The Black Basta ransomware group added Southern Water to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 29, 2024.

Black Basta posts UK water utility Southern Water.

/southernwater.co[.]uk

@GossiTheDog @UK_Daniel_Card @SOSIntel @joetidy pic.twitter.com/erEvd0DtBT

— Dominic Alvieri (@AlvieriD) January 22, 2024

The group claims to have stolen 750 gigabytes of sensitive data, including users’ personal documents and corporate documents.

The gang published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

At this time, it is unknown what ransom the group has demanded from the victim.

The Black Basta ransomware group has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model.

In early January, independent security research and consulting team SRLabs discovered a vulnerability in Black Basta ransomware’s encryption algorithm and exploited it to create a free decryptor.

A joint research by Elliptic and Corvus Insurance revealed that the group has accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.

The researchers analyzed blockchain transactions and discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.

SRLabs analyzed the encryption algorithm used by the ransomware and discovered a specific weakness in the variant used by the gang around April 2023. The ransomware employs encryption based on a ChaCha keystream, which is utilized to perform XOR operations on 64-byte-long chunks of the file.

The researchers determined that the position of the encrypted blocks depends on the file size, as laid out in the ranges.py script from SRLabs’ analysis. Depending on the file size, the ransomware encrypts the initial 5000 bytes.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.” reads the post published by the researchers. “The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt. For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images.”

The experts pointed out that the weakness doesn’t impact the encryption process for the first 5,000 bytes of a file, for this reason, these bytes cannot be recovered. This means that files below the size of 5000 bytes cannot be recovered.

SRLabs developed tools that enable users to analyze encrypted files and determine if decryption is possible.

The decryptauto tool may allow users to recover files that contain encrypted zero bytes.
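The reason 64 bytes of known plaintext are enough, and the reason runs of zero bytes are the easy case, is the classic keystream-reuse failure: if the same 64-byte keystream block is XORed into every encrypted chunk, then ciphertext XOR plaintext for any one encrypted chunk yields the keystream, and XORing that into the other chunks undoes them; for an all-zero chunk the ciphertext simply is the keystream. The following is an added example written for this article, not SRLabs' decryptor or the malware's code: a simplified model of that weakness and the recovery it permits. The assumption, inferred from the text, is that one keystream block was reused across chunks; the chunk-selection rule, the sample "disk image" and the 1 GB boundary are constructed stand-ins, not the real ranges.py logic.

```python
"""Added example (not SRLabs' tool): a simplified model of the keystream-reuse
weakness described above and the known-plaintext recovery it permits. One
64-byte keystream block XORed into every encrypted chunk is the assumption;
the chunk-selection rule and the sample file are constructed stand-ins."""
import os

CHUNK = 64


def encrypted_chunk_offsets(size: int) -> list[int]:
    """Constructed stand-in for the malware's size-dependent chunk selection:
    every fourth 64-byte chunk of the file (not the real ranges.py logic)."""
    return list(range(0, size, CHUNK * 4))


def xor_chunks(data: bytes, keystream: bytes, offsets) -> bytes:
    """XOR the same keystream block into each selected chunk (encrypt == decrypt)."""
    buf = bytearray(data)
    for off in offsets:
        for i in range(min(CHUNK, len(buf) - off)):
            buf[off + i] ^= keystream[i]
    return bytes(buf)


def recover_keystream(ciphertext: bytes, offset: int, known_plaintext: bytes) -> bytes:
    """keystream = ciphertext XOR plaintext for one 64-byte chunk that was encrypted."""
    if len(known_plaintext) != CHUNK:
        raise ValueError("exactly 64 bytes of known plaintext are needed")
    return bytes(c ^ p for c, p in zip(ciphertext[offset:offset + CHUNK], known_plaintext))


def recover_file(ciphertext: bytes, known_offset: int, known_plaintext: bytes) -> bytes:
    """Undo every encrypted chunk using the keystream derived from one known chunk.
    The known bytes must sit in a chunk the malware actually encrypted, which is
    the 'right position' caveat in the SRLabs post."""
    offsets = encrypted_chunk_offsets(len(ciphertext))
    if known_offset not in offsets:
        raise ValueError("known plaintext must sit in a chunk the malware encrypted")
    ks = recover_keystream(ciphertext, known_offset, known_plaintext)
    return xor_chunks(ciphertext, ks, offsets)


def recoverability(size: int) -> str:
    """Size bands as stated by SRLabs; the 1 GB edge is taken as 2**30 bytes here."""
    if size < 5000:
        return "none"
    if size <= 1 << 30:
        return "full"
    return "partial (first 5000 bytes lost)"


def demo() -> bool:
    # Constructed sample: a 4 KiB "disk image" whose bytes 256..319 are all zero,
    # the known-plaintext case the decryptauto tool relies on.
    original = bytearray(os.urandom(4096))
    original[256:320] = b"\0" * CHUNK
    original = bytes(original)
    keystream = os.urandom(CHUNK)                  # stands in for one ChaCha block
    ciphertext = xor_chunks(original, keystream, encrypted_chunk_offsets(len(original)))
    # The encrypted zero run is the keystream itself; apply it everywhere.
    return recover_file(ciphertext, 256, b"\0" * CHUNK) == original


if __name__ == "__main__":
    print("recovered:", demo())
```

The model also shows why the fix was easy for the operators: deriving a fresh keystream block per chunk (the normal way a stream cipher is used, with the block counter advancing) removes the shared keystream, and a known 64 bytes then only ever reveals the block that covers them.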

“Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.” continue the researchers.

The bad news is that Black Basta has fixed the issue. The decryptor only allows the recovery of files encrypted before December 2023.

“The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for free. However, BleepingComputer has learned that the Black Basta developers fixed the bug in their encryption routine about a week ago, preventing this decryption technique from being used in newer attacks.” reported Bleeping Computer.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta)
