The CyberWire Daily Podcast 1.11.24
Ep 1981 | 1.11.24

Unveiling the Shadow Strike: A zero-day assault on Ivanti VPN users.

Transcript

A zero-day hits Ivanti VPN customers. CISA highlights an active MS SharePoint Server flaw. Cisco patches a critical vulnerability. Atomic Stealer gets updates. Sensitive school emergency planning documents are exposed online. The FCC reports on risky communications equipment. The White House will introduce new cybersecurity requirements for hospitals. Mandiant explains their X-Twitter hack. Our guest is Palo Alto Networks’ Unit 42’s David Moulton, host of the new Threat Vector podcast. And we are shocked - shocked! - to learn that an online sex for money scheme is a scam.

It’s Thursday, January 11th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Thank you all for joining us; it’s great to have you here.

A zero-day hits Ivanti VPN customers. 

We begin today with word that the Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to users of Ivanti's IT products, specifically the Connect Secure VPN tool, to patch two actively exploited vulnerabilities. Ivanti reported that at least 10 of its customers were affected by these security flaws. The first vulnerability allows a hacker to bypass control checks and access restricted resources, while the second enables attackers to send commands to a device. The vulnerabilities are being exploited together. 

Cybersecurity firms Volexity and Mandiant played key roles in identifying the issues. Volexity’s investigation into suspicious network activity led to the discovery of these exploits being used for data theft, file alteration, and more. They attribute the attacks to a potential Chinese nation-state threat actor, UTA0178. This is not the first instance of Chinese hackers targeting Ivanti’s products, as similar incidents were reported in April 2021 involving breaches of U.S. government and private sector systems.

Ivanti is still developing a patch, urging customers to apply available mitigations and monitor their networks for suspicious activity. They also noted that their internal integrity checker might not detect all threat actor activities. Indicators of compromise will be shared with affected customers, and patches will be released in a staggered schedule from late January to mid-February.

Cybersecurity experts emphasize the widespread use of Ivanti’s Connect Secure in enterprises and government, highlighting the need for swift action and possible compromise assessments. Over 15,000 instances of the tool have been found exposed online. 

CISA highlights active MS SharePoint Server flaw.

CISA also warns of active exploitation of a critical vulnerability in Microsoft SharePoint Server, identified as CVE-2023-29357 with a CVSS score of 9.8. This flaw, patched in June 2023, is an elevation of privilege (EoP) issue allowing unauthenticated attackers to gain administrator privileges by sending a spoofed JSON Web Token (JWT). The vulnerability enables attackers to bypass authentication. In September 2023, a technical write-up and proof-of-concept (PoC) code were published, showing its use in a remote code execution exploit on SharePoint.

Federal agencies now have 21 days to patch affected SharePoint instances. CISA also advises all organizations to promptly apply patches or discontinue vulnerable products if patches are not available.

Cisco patches a critical vulnerability.

Cisco has addressed a critical vulnerability in its Cisco Unity Connection software, a unified messaging and voicemail solution. This vulnerability allows a remote, unauthenticated attacker to upload arbitrary files and gain root privileges on the affected system. The flaw exists in the web-based management interface of Cisco Unity Connection and stems from a lack of authentication in a specific API and inadequate validation of user-supplied data. Customers are advised to upgrade to the patched versions, as no workarounds are available. As of the advisory, there were no reports of public disclosure or malicious exploitation of this vulnerability.

Atomic Stealer gets updates.

Researchers at Malwarebytes have detected an upgraded version of the Atomic Stealer macOS information stealer, which they say indicates its developers are actively improving it, adding features like payload encryption to evade detection. Originating in April 2023 and initially priced at $1,000 per month, Atomic Stealer can now extract a wide range of sensitive data, including passwords and crypto wallets, and its rental fee has risen to $3,000 per month. Distributed via malvertising and fake websites, it often appears as legitimate software updates. The malware also employs obfuscation to hide its command-and-control server. 

Sensitive school emergency planning documents are exposed online. 

Security researcher Jeremiah Fowler discovered a massive leak of over 800 gigabytes of files from Raptor Technologies, a software provider for over 5,300 US school districts, Wired reports. These files, found in unsecured web buckets and not resulting from a hack, included highly sensitive school emergency planning documents for scenarios like active shooter situations. The leak exposed evacuation plans, threat reports, medical records, court documents, and personal details of staff, students, and their families. About 75% of the documents pertained to threat assessments and emergency procedures. Although there's no evidence of malicious access, the detailed information could be exploited for harmful purposes. Raptor Technologies was informed in December and quickly secured the data. The company is investigating the incident, emphasizing the safety of children and community members as their top priority. 

The FCC reports on risky communications equipment.

The FCC is seeing progress in its efforts to remove national security risks from communications networks. The Wireline Competition Bureau reported to Congress that five recipients in the Reimbursement Program have completed removing, replacing, and disposing of risky communications equipment in their networks. This program, part of the Secure and Trusted Communications Networks Act of 2019, reimburses providers for costs incurred in removing equipment posing national security risks. The Bureau's third report details ongoing efforts and challenges, including supply chain delays and labor shortages.

As of December 2023, the Bureau has processed most of the 126 approved applications, disbursing just under four hundred million dollars. Further updates are expected in July 2024, following calls from lawmakers to fund the FCC's Rip and Replace program to protect U.S. communications networks.

White House to introduce cybersecurity requirements for hospitals. 

The Biden administration is set to introduce new cybersecurity requirements for hospitals to combat a surge in cyberattacks affecting healthcare providers. The Centers for Medicare & Medicaid Services will soon propose rules mandating hospitals to implement basic digital security measures to qualify for federal funding. These measures are expected to take effect by the end of the year and include using multi-factor authentication and timely software vulnerability remediation. The new requirements are part of a broader array of standards that hospitals must meet to receive Medicare and Medicaid reimbursements. The administration believes these fundamental cybersecurity practices will significantly reduce cyber incidents in healthcare. The American Hospital Association is expected to fight any new regulations in court. 

Mandiant explains their X-Twitter hack.

Mandiant has published a report on the recent brief takeover of their social media account on X-Twitter. Their investigation concludes that the hijack likely resulted from a brute-force password attack, specifically targeting their primary X-Twitter account, with no evidence of further malicious activity or compromise of Mandiant or Google Cloud systems.

Mandiant highlighted issues with X-Twitter's 2FA configuration changes as a contributing factor. These changes, making 2FA exclusive to Premium subscribers, had disabled the text message/SMS 2FA method for non-subscribers since February 2023. Mandiant acknowledged some responsibility but also cited these policy changes at X as partially to blame. 

 

Today, I talk with David Moulton from Palo Alto Networks about Threat Vector. It’s Unit 42’s segment turned podcast on the N2K media network.

 

Sex for money scheme a scam. 

And finally, our friend Graham Cluley brought to our attention a BBC story about a man in Bihar, India, who fell victim to an online scam after encountering a video from the "All India Pregnant Job Service" on Facebook. The fraudulent scheme promised significant financial rewards for having intimate relations with a woman, with the goal of helping her conceive a baby. The victim, lured by the promise of nearly three years' wages, lost 16,000 rupees to the scammers, who exploited his financial desperation. The fraud involved fake documents, including a "Baby Birth Agreement," and continued demands for money under various pretexts. The Deputy Superintendent of Police of the victim’s district reported numerous victims of this elaborate con, with his team arresting eight men and searching for others. Victims hesitated to come forward, likely due to shame.

Cases like this highlight how easy it can be to blame the victim, which of course we should not do. Still, if it’s too good to be true, it probably is.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.