Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-19 17:02:42 bleepingcomputer CYBERCRIME Helldown Ransomware Exploits Zyxel VPN to Target Networks
Helldown ransomware is believed to exploit vulnerabilities in Zyxel firewalls, breaching corporate networks and stealing data. Since its launch over the summer, Helldown has listed multiple victims on its extortion portal, suggesting rapid growth despite being a newer player in the ransomware arena. The Linux version of the malware targets VMware files and is specifically designed to encrypt virtual machine images, though it appears to still be under development. Built on code from the leaked LockBit 3 builder, Helldown shares operational similarities with known ransomware families such as Darkrace and Donex. Reports indicate that the attackers use batch files to terminate tasks during encryption, pointing to less sophisticated attack mechanisms than those of other groups. Victims are primarily small and medium-sized businesses in the U.S. and Europe, with Zyxel Europe also listed as a victim. Investigation by Sekoia suggests the Helldown attackers could be using a specific CVE vulnerability in Zyxel's firmware, exploiting unpatched devices using a crafted username. Evidence of Helldown attacks was also found on Zyxel forums, where admins reported suspicious activity matching the malware's tactics.
2024-11-19 15:36:28 bleepingcomputer CYBERCRIME Disruption of Ngioweb Botnet Hindering Global Cybercrime Operations
The Ngioweb botnet, instrumental in powering the NSOCKS proxy service, is being disrupted following a detailed security investigation. Researchers from Lumen’s Black Lotus Labs identified the botnet’s architecture and command-and-control (C2) nodes, disrupting operations that leveraged around 35,000 bots globally. The Ngioweb botnet contributed at least 80% of the proxies in NSOCKS, spread across 180 countries, predominantly targeting devices with outdated web application libraries. A significant aspect of the malware operation involved using a domain generation algorithm for creating C2 domain names, complicating efforts to counter the botnet. The NSOCKS proxy service was identified as having insecure protocols, which allowed unauthorized actors to use the network for malicious activities like DDoS attacks and malware distribution. Ngioweb’s proxies were frequently found in free proxy lists online, which were exploited in various cyber attacks, raising concerns about the lax security measures in proxy services. Ongoing efforts by cybersecurity firms, including traffic blocking and public exposure of compromise indicators, aim to further mitigate the activities supported by the Ngioweb botnet.
2024-11-19 15:31:12 theregister MALWARE Palo Alto Networks Releases Patches for Critical Vulnerabilities
Palo Alto Networks issued patches for two critical zero-day vulnerabilities affecting its firewall products, designated CVE-2024-0012 and CVE-2024-9474. CVE-2024-0012, an authentication bypass with a 9.3 severity rating, and CVE-2024-9474, a privilege escalation bug rated 6.9, both affect the PAN-OS management interface. The vendor urged customers to restrict public internet access to the management interface and allow only trusted internal IPs, reducing the risk of exploitation. Researchers from watchTowr demonstrated that the two vulnerabilities can be chained to gain administrative access and perform actions as root on affected devices. PAN is tracking limited but ongoing exploitation activity, primarily originating from IP addresses associated with anonymous VPN services. The exploitation includes command execution and the deployment of malware such as webshells on compromised firewalls. The latest statistics from The Shadowserver Foundation indicate over 6,600 devices potentially exposed globally, with the highest numbers in Asia and North America.
2024-11-19 14:39:06 theregister MISCELLANEOUS Webinar on Mitigating Risks from Third-Party Access
SailPoint is hosting a webinar focused on managing third-party risks in IT infrastructure. Scheduled for December 3rd, the session features Steve Toole from SailPoint discussing strategies to enhance security and compliance. Key strategies include identifying access vulnerabilities, implementing effective controls, and fostering a compliance-centric culture among third-party partners. The webinar aims to give attendees actionable insights for better managing external access and protecting sensitive data. The session emphasizes the importance of understanding where risks originate and how to curb unauthorized access through robust monitoring and identity management.
2024-11-19 14:03:24 thehackernews CYBERCRIME Hackers Use Jupyter Notebooks for Streaming Sports Piracy
Unsecured JupyterLab and Jupyter Notebooks are being exploited by hackers to stream illegal sports broadcasts. Attackers gain initial access by hijacking unauthenticated Jupyter Notebooks and use tools like FFmpeg to capture and redirect live sports events to illegal servers. The cloud security firm Aqua discovered this illegal streaming activity following an attack on their honeypots. The attackers' activities include updating servers, downloading FFmpeg from MediaFire, and using it to record and duplicate broadcasts from networks such as beIN Sports. The malicious broadcasts were primarily hosted on platforms like ustream[.]tv. Evidence suggests the attackers might be Arabic-speaking due to the origin of one implicated IP address. Potential risks identified include denial of service, data manipulation, theft, corruption of AI and ML processes, lateral movements within networks, and financial and reputational damage to affected organizations.
2024-11-19 14:03:24 thehackernews MALWARE Ngioweb Botnet Powers Global Proxy Network Through IoT Exploits
The Ngioweb botnet, first identified in 2018, primarily targets IoT devices and SOHO routers and feeds them into the NSOCKS residential proxy service. Cybersecurity firms, including Lumen Technologies and Trend Micro, have analyzed the operation and found over 20,000 IoT devices compromised globally. The botnet can turn an infected device into a proxy for the NSOCKS network in as little as 10 minutes, demonstrating a highly automated and efficient system. Attack tactics include leveraging vulnerabilities and zero-days to infiltrate devices, with a two-tier architecture for malware distribution and control. The proxies are priced at varying rates based on factors such as device type, infection recency, and desired proxy characteristics ($0.20 to $1.50 for 24-hour access). NSOCKS proxies have been implicated in malicious activities including credential-stuffing attacks and could potentially be used to target specific domains such as .gov or .edu. The continued growth of the commercial and underground markets for residential proxies is driven by demand from cybercriminal groups and advanced persistent threat (APT) actors. The infrastructure allows threat actors to obscure their identities and operating locations, potentially enabling more targeted and harmful cyberattacks.
2024-11-19 13:32:47 bleepingcomputer MISCELLANEOUS Microsoft Enhances Windows 11 with Advanced Admin Security
Microsoft introduces a new administrator protection security feature in Windows 11 to enhance system security. The feature, currently in preview, utilizes Windows Hello authentication to require additional verification for critical system changes. By enabling just-in-time admin privileges, the system limits admin rights, requiring a PIN or biometric data to perform sensitive tasks. The additional security measures are designed to prevent malware and unauthorized users from accessing or altering the system’s critical resources. Once a task requiring admin privileges is completed, the temporary admin token is destroyed to ensure these privileges do not persist. The admin protection feature is initially turned off and must be activated through group policy. Microsoft also introduces enhanced app control policies to safeguard against the installation of malicious apps and drivers. Overall, these security enhancements are aimed at maintaining control over system resources and increasing resilience against cyber threats.
2024-11-19 13:32:47 bleepingcomputer MISCELLANEOUS Microsoft Announces Zero Day Quest with $4 Million in Rewards
Microsoft has launched a new hacking event called Zero Day Quest at its Ignite conference in Chicago, focusing on identifying vulnerabilities in cloud and AI technologies. Participants in the Zero Day Quest can earn multiplied bounty rewards for submitting vulnerabilities, and may also qualify for an onsite hacking event in Redmond in 2025. Microsoft is doubling bounty payments for AI vulnerabilities and providing researchers direct access to its AI engineers and AI Red Team. The event is part of Microsoft's Secure Future Initiative (SFI), aimed at enhancing cybersecurity across its product range following critical reviews from the Cyber Safety Review Board. This initiative comes after Microsoft was targeted by Chinese hackers in May, leading to the theft of over 60,000 emails from U.S. State Department accounts. Microsoft commits to transparently sharing identified vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program. The company introduced a new administrator protection security feature for Windows 11, enhancing protection against unauthorized access to critical system resources.
2024-11-19 12:37:04 theregister CYBERCRIME AI Company Loses $250K in Slick Email Fraud Scheme
Maryland-based AI firm iLearningEngines reported a $250,000 loss due to a business email compromise (BEC) scheme. An unidentified cybercriminal infiltrated company systems, rerouted a wire payment to their own account, and deleted the corresponding emails to cover their tracks. Following discovery of the fraud, iLearningEngines activated its cybersecurity response plan, initiated an internal probe, and hired forensic experts to investigate and mitigate the incident. The incident is part of a larger trend, with BEC schemes in the US resulting in losses surpassing $2.9 billion according to the FBI. The company's investigation into the breach is ongoing, focusing on assessing and securing affected systems and data. Efforts to recover the misdirected funds have not been mentioned, and the stolen amount may contribute to further financial uncertainty. iLearningEngines faces additional challenges including potential litigation, a decline in its stock price, and shifting investor behavior post-incident. Despite these issues, the company does not anticipate a significant impact on its overall financial results for the full year.
2024-11-19 11:31:19 thehackernews MISCELLANEOUS Enhancing Security Beyond Traditional Privileged Access Management
Privileged accounts serve as critical gateways to sensitive organizational systems, requiring more than just management; proper security is essential. Traditional Privileged Access Management (PAM) focuses primarily on controlling access but often fails to address sophisticated cyber threats like lateral movement and credential theft. As cyber threats evolve, organizations must shift from merely managing privileged access to actively securing accounts with continuous monitoring and real-time threat responses. PAM has advanced by integrating with broader security tools, yet still often underperforms against complex cyberattacks due to inherent limitations. A robust privileged access strategy should include features like automated workflows, password vaulting, session monitoring, threat detection, and risk-based access controls. Advancements in PAM should incorporate a security-first approach, focusing on proactive protections such as continuous, automated monitoring and real-time enforcement. Organizations are advised to adopt strategies that prioritize security to protect critical assets against advanced persistent threats and zero-day attacks.
2024-11-19 10:35:40 bleepingcomputer CYBERCRIME Spotify Exploited to Distribute Pirated Software and Game Cheats
Spotify is being exploited by threat actors to distribute pirated software, game cheats, spam links, and warez sites through manipulated playlists and podcast descriptions. This abuse of Spotify's platform helps boost the SEO of dubious websites, since the Spotify web player's content is indexed by search engines like Google, increasing visibility and traffic to these malicious sites. One example given was a playlist titled "Sony Vegas Pro 13 Crack," which directed users to illicit software download sites that potentially host malware and scams. Users downloading pirated software or game cheats from these sites risk infecting their systems with viruses, adware, or other malware. Spotify has taken actions such as removing offending playlists and reinforcing platform rules against sharing harmful software or practices. Third-party service providers like Firstory, which facilitate podcast publishing on Spotify, are also addressing the spam issue by implementing strict filters and security measures. Scammers persistently use a variety of online platforms to promote illegal content, indicating a broader problem of digital platform abuse for spam and malware distribution.
2024-11-19 09:44:57 thehackernews MALWARE New Helldown Ransomware Targets VMware and Linux Systems
Helldown, a new Linux ransomware variant from the LockBit 3.0 lineage, is targeting more complex infrastructures, including VMware systems. Gaining entry by exploiting security vulnerabilities, Helldown has attacked at least 31 companies across sectors including IT, telecom, healthcare, and manufacturing. Attack methodologies include exploiting internet-facing Zyxel firewalls for initial access, followed by credential harvesting and lateral movement to deploy the ransomware. Unlike its Windows counterpart, the Linux version lacks sophisticated obfuscation and anti-debugging but can terminate active VMs before encryption. The Windows version uses advanced techniques such as deleting system backups and shutting down various processes before carrying out encryption. Connections with previous ransomware like DarkRace and possibly DoNex, also derivatives of LockBit 3.0, suggest a pattern of evolution and rebranding among ransomware groups. The article also notes a trend of increasing collaboration among different ransomware operators, enhancing their threat capabilities. Despite the depth of its attack mechanism, Sekoia's analysis suggests the Helldown Linux variant might still be under development, given its basic functionality and lack of network communication.
2024-11-19 09:14:33 theregister MISCELLANEOUS SANS Unveils 2024 Holiday Hack Challenge for Cybersecurity Training
The 2024 SANS Holiday Hack Challenge begins on November 7th, offering an eight-week series of gamified cybersecurity challenges. This year's challenge introduces an earlier start and a new format to maintain participant engagement over a longer period. Participants will tackle various cybersecurity exercises, including ransomware reverse engineering, mobile app penetration testing, and more. The challenge will be structured in segments, with new challenges released throughout November and December. Each challenge offers varying difficulty levels, allowing participants to select according to their expertise and revisit unresolved segments. Participants can track their progress through a live scoreboard and compete in teams within their organizations or with friends. Winners will receive rewards such as a free SANS OnDemand cybersecurity course and a subscription to the NetWars Continuous platform. Registration and further details are available online, with options to sign up for notifications about the challenge’s start and updates.
2024-11-19 08:34:00 theregister MISCELLANEOUS iOS 18 Introduces Automatic Reboot Security Feature to Enhance Data Protection
Apple's iOS 18 incorporates a new security feature which initiates an automatic reboot if devices remain unused for 72 hours. This feature was discovered through reverse engineering by security researcher Jiska Classen, who noted that it primarily aims to bolster security by limiting unauthorized access. When an iPhone reboots after inactivity, it enters a Before First Unlock (BFU) state, keeping the majority of its files encrypted and hence more secure from attackers or unlawful access. Classen's findings showed that after such a reboot, iPhones require a passcode to transition to an After First Unlock state where files become more accessible, thus preserving data security during the initial encrypted period. The feature has significant implications for both law enforcement and malicious entities, as access to data becomes much harder without active device manipulation within three days. Classen confirmed the reboot timer through a GitHub version history and Apple's Security Enclave Processor analysis, debunking any intra-device communication theories for triggering reboots. This security mechanism places stringent constraints on how data can be accessed, essentially requiring kernel code execution to prevent automatic reboot, thereby creating a heightened security environment.
2024-11-19 07:02:58 thehackernews NATION STATE ACTIVITY Chinese Hackers Target T-Mobile, U.S. Telecoms in Espionage Effort
Chinese threat actors, identified as Salt Typhoon, infiltrated T-Mobile as part of a widespread espionage campaign targeting U.S. telecom companies. Their aim was to access and potentially steal sensitive cellphone communications from high-value intelligence targets. T-Mobile reported no significant impact on their systems or customer data from this industry-wide attack. The U.S. government has described the campaign as a major breach, implicating actors affiliated with the People's Republic of China in compromising multiple telecom networks to steal customer data and intercept private communications. Salt Typhoon, also known as Earth Estries and other aliases, has been active since at least 2020, focusing on government and technology sectors globally including the U.S., Philippines, Taiwan, and Germany. The hackers employed sophisticated tools such as Cobalt Strike, TrillClient, and various backdoors to maintain persistent access and exfiltrate data. Techniques used include exploiting vulnerabilities in external services, using backdoors for lateral movement, and employing proxies to disguise traffic to command-and-control servers. Trend Micro highlighted the actor’s evolving tactics and adaptability in using both legitimate and malicious tools for long-term espionage.