The CyberWire Daily Podcast 1.16.24
Ep 1983 | 1.16.24

Vulnerabilities and security risks.

Transcript

Ivanti products are under active zero-day exploitation. Phemedrone is a new open-source info-stealer. Bishop Fox finds exposed SonicWall firewalls. GitLab and VMware patch critical vulnerabilities. The Secret Service foils a phishing scam. Europol shuts down a cryptojacking campaign. Ransomware hits a Majorca municipality. RUSI looks at ransomware. Ben Yelin explains the New York Times going after OpenAI over the data scraping. And the sad case of an Ohio lottery winner.

Today is January 16th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Ivanti products under active zero-day exploitation. 

Ivanti's Connect Secure VPN and Policy Secure network access control appliances are currently facing mass exploitation due to two zero-day vulnerabilities, as reported by Volexity, a threat intelligence company. The vulnerabilities enable authentication bypass and command injection. These have been actively exploited in widespread attacks since January 11, 2024, affecting a range of organizations globally, including Fortune 500 companies across various industries.

Attackers have used a webshell variant named GIFTEDVISITOR to backdoor systems. As of January 14, 2024, over 1,700 Ivanti ICS VPN appliances have been compromised worldwide. 

Ivanti has not yet released patches for these vulnerabilities, and administrators are advised to implement vendor-provided mitigation measures on all ICS VPNs and use Ivanti's Integrity Checker Tool. Any data on compromised ICS VPN appliances should be considered breached.

Shadowserver's threat monitoring service reveals over 16,800 exposed ICS VPN appliances online, with nearly 5,000 in the United States. Attackers, including a suspected Chinese state-backed group, are using these vulnerabilities to execute arbitrary commands on affected devices. Mandiant has identified five custom malware strains in these attacks, aimed at dropping webshells, deploying additional malicious payloads, and stealing credentials. The most notable malware is ZIPLINE, a passive backdoor with extensive capabilities like intercepting network traffic and creating reverse shells.

Previous exploits of Ivanti's vulnerabilities in recent years have targeted government, defense, and financial organizations in the U.S. and Europe.

Phemedrone is a new open-source info-stealer.

Bleeping Computer reports on a malware campaign using a new open-source info-stealer called Phemedrone, which exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts. Phemedrone harvests data from web browsers, cryptocurrency wallets, and applications like Discord, Steam, and Telegram, sending this information back to attackers for further malicious use or sale.

The exploited Microsoft Defender flaw was patched in November 2023 but had been actively exploited in attacks. It allows attackers to compromise users through specially crafted Internet Shortcut (.URL) files or hyperlinks, bypassing usual Windows SmartScreen warnings. This vulnerability poses a heightened risk for unpatched systems due to available proof-of-concept exploits.

Phemedrone targets data from various applications, including passwords and user information from Chromium and Gecko browsers, crypto wallet data, Discord authentication tokens, FTP details from FileZilla, and hardware and system information. Trend Micro notes that other malware families have also targeted this Windows flaw, including ransomware.

Bishop Fox finds exposed SonicWall firewalls. 

Researchers from Bishop Fox discovered that over 178,000 internet-exposed SonicWall next-generation firewalls (NGFWs) are vulnerable to exploitation. These vulnerabilities affect SonicWall NGFW series 6 and 7 devices. They are unauthenticated denial-of-service vulnerabilities that could potentially lead to remote code execution. Although a proof-of-concept exploit is public, there have been no reported attacks exploiting these vulnerabilities.

The researchers used BinaryEdge data to locate SonicWall firewalls with exposed management interfaces, finding that 76% of the 233,984 firewalls they analyzed were vulnerable to one or both issues. 

SonicOS, SonicWall's operating system, reboots after a crash, but if it crashes three times in a short period, it enters maintenance mode, requiring administrative action. The latest firmware addresses these vulnerabilities, and administrators are advised to upgrade and ensure the management interface is not publicly accessible. Despite the theoretical potential for remote code execution, the likelihood of such exploitation remains low due to challenges in bypassing security measures and the difficulty in remotely determining specific firmware and hardware versions of targeted devices.

GitLab and VMware patch critical vulnerabilities.

GitLab is releasing patches for a critical vulnerability in its email verification process that could allow attackers to reset user passwords and take over accounts. This flaw, with a maximum severity score of 10.0 on the CVSS scale, was introduced in May 2023 with GitLab version 16.1.0 due to a change allowing password reset via a secondary email address. 

Attackers could exploit this vulnerability to send password reset messages to unverified email addresses, potentially leading to account takeovers. However, users with two-factor authentication (2FA) are less vulnerable, as attackers won't be able to bypass the 2FA method. GitLab has not observed any exploitation of this flaw on its managed platforms, including GitLab.com.

VMware has addressed a critical vulnerability in its Aria Automation platform with a CVSS score of 9.9. Aria Automation is an infrastructure automation platform used for managing multi-cloud environments with an emphasis on governance and DevOps-based delivery.

This vulnerability, if exploited, could allow unauthorized access to remote workflows and organizations, posing a significant risk to integrity and availability, with a lesser impact on confidentiality. The exploitation risk is heightened due to the low complexity of the attack, which can be carried out by an authenticated attacker with low privileges and without user interaction.

The Secret Service foils a phishing scam.

The U.S. Secret Service has uncovered a scam where fraudsters stole $34,000 using fake Norton Antivirus renewal emails. These phishing emails tricked victims into calling a number and inadvertently granting scammers remote access to their computers and bank accounts.

The funds were traced to a Chase bank account owned by Bingsong Zhou. The Secret Service, through a seizure warrant, aims to recover these funds, considering them as proceeds from criminal activity. Zhou faces charges of wire fraud and involvement in the phishing scam, with potential additional charges related to money laundering and bank fraud.

Europol shuts down a cryptojacking campaign. 

A 29-year-old Ukrainian man was arrested for orchestrating a large-scale cryptojacking scheme, as reported by Europol. The suspect allegedly hacked accounts to create 1 million virtual servers for cryptocurrency mining, illegally generating around $2 million.

The scheme involved hijacking cloud computing resources to mine cryptocurrency, significantly impacting the performance of compromised organizations’ CPUs and GPUs, and increasing their power usage. A 2022 Sysdig report estimated that cryptojacking costs organizations about $53 for every $1 of Monero mined.

The investigation began in January 2023 after a cloud service provider reported compromised accounts. Collaborative efforts by Europol, Ukrainian police, and the cloud provider led to the development of intelligence to track and identify the hacker.

Authorities arrested the suspect on January 9th, seizing computer equipment, bank and SIM cards, and other evidence. The Ukrainian cyberpolice revealed that the suspect had been active since 2021, using brute force attacks to access 1,500 accounts of a major e-commerce entity’s subsidiary. 

The individual now faces criminal charges under Ukraine’s Criminal Code for unauthorized interference in electronic communication networks.

Ransomware hits Majorca municipality.

The municipality of Calvià on the Spanish island of Majorca has experienced a ransomware attack, leading to an extortion demand of approximately €10 million. The mayor has firmly stated that the city council will not pay the ransom, aligning with Spain's stance as a signatory of the Counter Ransomware Initiative, which discourages government institutions from paying ransomware demands.

The cyberattack was discovered on Saturday, and has prompted the formation of a crisis cabinet to assess and manage the situation. 

Due to the attack, all administrative deadlines in Calvià, such as the submission of civil claims and requests, have been temporarily suspended until the end of January. The council has informed its approximately 50,000 residents of these disruptions and is striving to restore normality as swiftly as possible.

RUSI looks at ransomware.

A research paper from the UK's Royal United Services Institute for Defence and Security Studies (RUSI) delves into the multifaceted impact of ransomware attacks, painting a vivid picture of their extensive reach. It reveals that organizations of all sizes are at risk, with ransomware posing a significant threat not just to their financial stability but also to their reputations. The consequences of these attacks stretch far beyond mere financial losses. Individuals, ranging from employees to healthcare patients and students, are subjected to both physical and psychological trauma, highlighting the human cost of ransomware.

Furthermore, the study underscores the broader societal implications of ransomware. These attacks disrupt supply chains, erode public trust in law enforcement and public services, and contribute to the normalization of cybercrime. They also provide strategic advantages to hostile states that harbor the cyber-criminals responsible for these disruptions.

One critical finding is the differentiation in the severity of harm based on the attack's nature. Attacks that encrypt IT infrastructure inflict more severe damages compared to those involving data theft and leakage. Interestingly, the research highlights that the ransomware ecosystem currently finds less profitability in exploiting stolen data for fraud compared to direct extortion tactics.

The report provides a comprehensive picture of ransomware's pervasive and multi-layered impact, setting the stage for future research focused on developing strategies to mitigate these wide-ranging harms.

The sad case of an Ohio lottery winner. 

And finally, the Akron Beacon Journal in Ohio shares the sad case of Edward Riley, an 85-year-old Ohio resident, who encountered difficulties cashing in his $1,000 lottery scratch-off win due to a cybersecurity incident at the Ohio Lottery. A recent cyberattack on the Ohio Lottery's systems on Christmas Eve has disrupted services, affecting the processing of winnings over $599.

With limited options, Riley faced the choice of either mailing his winning ticket to the Ohio Lottery Central Office in Cleveland, risking loss or theft, or using the Ohio Lottery smartphone app for direct deposit into his bank account. Opting for the app, Riley, who is not tech-savvy, struggled for hours to set it up and now faces a 10-day wait for his winnings.

The investigation into the cyberattack is ongoing, with no clear timeline for when normal service will resume. Riley, a long-time lottery player since 1974, commented on the importance of the lottery in his life, especially after the passing of his wife.

It turns out, in Ohio hitting the jackpot isn’t nearly as hard as cashing out your winnings. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.