Source: www.techrepublic.com – Author: Fiona Jackson TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyberthreats, including zero-days, ransomware and deepfakes. Today, all businesses are at risk of cyberattack, and that risk is constantly growing. Digital transformations are resulting in more sensitive and valuable data being moved onto online systems […]

La entrada How Can Businesses Defend Themselves Against Common Cyberthreats? – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Networking giant Cisco warned that a group of state-sponsored hackers exploited zero-days in its firewall appliances to spy on government networks over the last several months. Cisco in a Wednesday warning said that two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls were exploited by a state-backed hacking group since November 2023 to infiltrate government networks globally. Identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, the hackers initiated their cyber-espionage campaign, dubbed “ArcaneDoor,” through targeting of vulnerable edge devices in early November 2023.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos said.

Discovery and Details of the Two Cisco Zero-Days

Despite the absence of an identified initial attack vector, Cisco detected and rectified two security flaws - CVE-2024-20353, a denial-of-service bug and CVE-2024-20359, a persistent local code execution bug - which the threat actors used as zero-days. Cisco became aware of the ArcaneDoor campaign earlier this year but said the attackers had been testing and developing exploits for the two zero-days since at least July 2023. “The investigation that followed identified additional victims, all of which involved government networks globally,” Cisco Talos added. [caption id="attachment_64982" align="aligncenter" width="997"] Cisco Zero-Days Exploitation Timeline. Credit: Cisco Talos[/caption] The exploited vulnerabilities facilitated the deployment of previously unknown malware, allowing threat actors to establish persistence on compromised ASA and FTD devices. One such malware implant dubbed “Line Dancer,” acted as an in-memory shellcode loader, enabling the execution of arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets. The second implant, a persistent backdoor known as “Line Runner,” included various defense evasion mechanisms to evade detection and enable the execution of arbitrary Lua code on compromised systems. Perimeter network devices like the ASA and FTD firewall appliances “are the perfect intrusion point for espionage-focused campaigns,” Cisco said. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.” The networking and security giant said it had observed a “dramatic and sustained” increase in the targeting of these devices in the past two years, especially those deployed in the telecommunications and energy sectors as “critical infrastructure entities are likely strategic targets of interest for many foreign governments,” Cisco explained.

What Cybersecurity Agencies Said

A joint advisory published today by the UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Cyber Security Centre outlined additional activity undertaken by the threat actors: - They generated text versions of the device’s configuration file for exfiltration through web requests. - They controlled the enabling and disabling of the devices syslog service to obfuscate additional commands. - They modified the authentication, authorization, and accounting (AAA) configuration to provide access to specific actor-controlled devices within the impacted environment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the zero-day bugs to its Known Exploited Vulnerabilities Catalog and encouraged users to apply the necessary updates, hunt for malicious activity, and report any positive findings to the agency. Cisco released security updates on Wednesday to address the two zero-days and recommended all customers to upgrade their devices to the fixed software version to mitigate potential attacks. Cisco asked administrators to monitor system logs for signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity. The company also provided instructions on verifying the integrity of ASA or FTD devices in the advisory.

Espionage Actors Increasingly Using Edge Device Zero-Days

Although no attribution was made for the ArcaneDoor campaign a recent trends report from Google security firm Mandiant fingered Chinese hackers for increasingly targeting edge devices like VPN appliances, firewalls, routers, and IoT tools in espionage attacks. Mandiant observed a more than 50% growth in zero-day usage compared to 2022, both by espionage groups as well as financially motivated hackers.

“China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities, particularly zero-days, and subsequently deployed custom malware ecosystems,“ Mandiant said.

The security firm added that it is likely to see continued deployment of custom malware ecosystems from Chinese espionage groups that are tailored for the device and operation at hand. “This approach provides several advantages such as the increased ability to remain undetected, reduced complexity and increased reliability, and a reduced malware footprint.“ Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The MITRE Corporation revealed on April 19 that it was one of over 1700 organizations compromised by a state-backed hacking group in January 2024. The MITRE data breach, which involved chaining two Ivanti VPN zero-days, highlights the evolving nature of cyber threats and the challenges organizations face in defending against them.

The MITRE data breach was detected after suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. [caption id="attachment_63933" align="aligncenter" width="609"] Source: X[/caption]

MITRE DATA Breach Discovery and Response

Following the detection, MITRE promptly took NERVE offline and launched an investigation with the assistance of both internal and external cybersecurity experts. "Following detection of the incident, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including to determine the scope of information that may be involved," reads the Official notice. MITRE CEO Jason Providakes emphasized that "no organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible." Providakes highlighted the importance of disclosing the incident in a timely manner to promote best practices and enhance enterprise security. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices,” said Providakes. Charles Clancy, MITRE's Chief Technology Officer, provided additional insights, explaining that the threat actor compromised the Ivanti Connect Secure appliance used to provide connectivity into trusted networks. Clancy stressed the need for the industry to adopt more sophisticated cybersecurity solutions in response to increasingly advanced threats. MITRE outlined four key recommendations:

1. Advance Secure by Design Principles: Hardware and software should be inherently secure.
2. Operationalize Secure Supply Chains: Utilize software bill of materials to understand threats in upstream software systems.
3. Deploy Zero Trust Architectures: Implement micro-segmentation of networks in addition to multi-factor authentication.
4. Adopt Adversary Engagement: Make adversary engagement a routine part of cyber defense to provide detection and deterrence.

MITRE has a long history of contributing to cybersecurity research and development in the public interest. The organization has developed frameworks like ATT&CK®, Engage™, D3FEND™, and CALDERA™, which are used by the global cybersecurity community.

Details of the MITRE Data Breach

The MITRE data breach involved two zero-day vulnerabilities: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887). These vulnerabilities allowed threat actors to bypass multi-factor authentication defenses and move laterally through compromised networks using hijacked administrator accounts. The attackers utilized sophisticated webshells and backdoors to maintain access to hacked systems and harvest credentials. Since early December, the vulnerabilities have been exploited to deploy multiple malware families for espionage purposes. Mandiant has attributed these attacks to an advanced persistent threat (APT) known as UNC5221, while Volexity has reported signs of Chinese state-sponsored actors exploiting the zero-days. Volexity discovered over 2,100 compromised Ivanti appliances, affecting organizations of various sizes globally, including Fortune 500 companies. The scale and severity of the attacks prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive on January 19, instructing federal agencies to mitigate the Ivanti zero-days immediately. MITRE's disclosure serves as a reminder of the ongoing threat posed by cyber adversaries and the critical need for organizations to continually enhance their cybersecurity defenses. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against state-sponsored attacks” to “About Apple threat notifications and protecting against mercenary spyware.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

• Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
• Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

How to stay safe

Apple advises iPhone users to:

• Enable Lockdown mode.
• Keep devices up to date.
• Protect devices with a passcode.
• Use Multi-Factor-Authentication (MFA) for your Apple ID.
• Only install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

We’d like to add:

• Use an anti-malware solution on your device.
• If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
• Use a password manager.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.