Apple resolves 2024’s first zero-day exploited via WebKit

In this week’s cybersecurity roundup, a diverse range of threats emerged, highlighting the evolving tactics of malicious actors. These threats included a unique Docker malware campaign, a nation-state attack on Microsoft executives, Apple’s rapid response to its first zero-day in 2024, Kasseika ransomware exploiting an antivirus driver, and a CISA emergency directive for Ivanti Connect Secure and Policy Secure Gateways. These incidents highlight the ongoing need for vigilance and comprehensive cybersecurity measures. 

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats. 

1. New Docker malware steals CPU for crypto and drives fake website traffic

A new campaign is exploiting vulnerable Docker services using a unique combination of the XMRig cryptocurrency miner and the 9Hits Viewer software, showcasing an innovative monetization strategy. This marks the first instance of malware incorporating the 9Hits application as a payload, revealing adversaries’ continuous efforts to diversify their strategies for compromising hosts.  

While the propagation method onto susceptible Docker hosts remains unclear, the attack involves deploying two malicious containers via the Docker API, fetching images from the Docker Hub library for 9Hits and XMRig. The 9Hits container generates credits for attackers by visiting specified sites, while the second container hosts an XMRig miner, causing resource exhaustion on compromised hosts. Immediate isolation, thorough investigation, regular patching, and adherence to Docker security best practices are crucial for mitigating this evolving threat. 

2. Apple resolves first zero-day vulnerability exploited in 2024 attacks

Apple has swiftly addressed its first zero-day vulnerability of 2024, identified as CVE-2024-23222, found in the WebKit browser engine. This type confusion flaw could be exploited by manipulating crafted web content to execute arbitrary code. The Cybersecurity and Infrastructure Security Agency (CISA) added the Apple WebKit zero-day to its Known Exploited Vulnerabilities Catalog due to ongoing exploitation.  

Affected products include iPhones, iPads, Macs, and Apple TVs. Apple released updates (iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, Safari 17.3) to address the vulnerability and recommended users apply the patches promptly. The company has acknowledged the issue without disclosing details about the attacks or involved threat actors.  

3. Microsoft’s top execs’ email compromised by Russia-linked threat actors

Microsoft disclosed a nation-state attack by the Russian APT group Midnight Blizzard, revealing the theft of emails and attachments from cybersecurity and legal executives. Discovered on January 12, 2024, the attack began in late November 2023, with Midnight Blizzard using a password spray attack to breach a non-production test tenant account, subsequently accessing a limited number of Microsoft corporate email accounts, including those of high-ranking executives.  

While the number of compromised accounts and specific accessed information were not disclosed, Microsoft affirmed that no security flaws in its products were exploited, and no evidence of access to client environments, production systems, source code, or AI systems was found. The company is currently notifying affected employees. 

4. Kasseika ransomware exploits antivirus driver to disable security tools

The Kasseika ransomware group has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack technique, leveraging a phishing email to deploy remote administration tools and execute a malicious batch script using Microsoft’s Sysinternals PsExec. The script terminates the “Martini.exe” process, facilitating the deployment of the “Martini.sys” driver, which aims to disable 991 security tools.  

The ransomware payload (“smartscreen_protected.exe”) is initiated after terminating processes and services, encrypting files with ChaCha20 and RSA algorithms. Kasseika demands a 50-bitcoin payment within 72 hours, with the threat of a $500,000 charge every 24 hours post the deadline. To mitigate risks, security measures include restricting administrative rights, regular security product updates, secure data backups, and practicing safe email and website habits.  

5. Dual zero-day threats in Ivanti Connect Secure and Policy Secure Gateways

CISA issued an emergency directive in response to active exploitation of two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure and Ivanti Policy Secure. The flaws, facilitating authentication bypass and command injection, have been actively exploited since December, impacting global entities across various sectors. These vulnerabilities allow threat actors to move laterally, exfiltrate data, and establish persistent access.  

A suspected Chinese-backed group, UTA0178/UNC5221, has targeted over 16,200 ICS VPN appliances, deploying webshells, various malware strains, and crypto-miners. Organizations are urged to implement Ivanti’s mitigation measures promptly, report compromises to CISA, conduct incident analysis, and reset compromised products following recovery instructions.