Daily Brief


Total articles found: 12814

Checks for new stories every ~15 minutes

2024-10-13 14:21:03 bleepingcomputer NATION STATE ACTIVITY Iranian APT34 Exploits Windows Flaw in Recent Cyberattacks
APT34, also known as OilRig, an Iranian state-sponsored hacking group, has intensified its cyber operations against entities in the United Arab Emirates and the Gulf. The group is using a new backdoor that targets Microsoft Exchange servers to steal credentials and elevates privileges using the Windows CVE-2024-30088 flaw. The exploitation begins by uploading a web shell to a vulnerable web server, enabling remote code execution and deployment of additional hacking tools. OilRig's recent tactics also involve intercepting plaintext credentials during password changes and installing 'ngrok' for stealth communications. The malware, named 'StealHook', is used for credential theft and data exfiltration, leveraging legitimate email traffic from government servers to disguise illicit activities. There are observed similarities between StealHook and previously used backdoors, indicating an evolution of known tools rather than entirely new malware. The connection between OilRig and FOX Kitten suggests a potential future inclusion of ransomware attacks, raising further security concerns, especially for the energy sector in the Middle East.
2024-10-13 13:04:38 theregister NATION STATE ACTIVITY Nation-State Cyber Threats Escalate Against Global Education Sector
The education sector has been identified as a primary target for nation-state cyberattacks, ransomware incidents, and related criminal activities. Educational institutions are vulnerable because they hold sensitive data, including health records, financial information, and proprietary research, while having inadequate cybersecurity resources. Microsoft's Cyber Signals report highlights significant risks, noting that weekly cyberattacks in the education sector average more than 2,500 attempts. Iranian and North Korean groups actively target schools, with tactics ranging from phishing and social engineering to sophisticated malware deployment. The most serious consequences involve intellectual property theft, espionage, and financial fraud, impacting U.S. and international universities. QR code exploitation is identified as a rising method for initiating cyberattacks in educational settings. Microsoft emphasizes the necessity of robust cybersecurity measures, including multi-factor authentication and user education, to mitigate risks.
2024-10-13 09:41:22 thehackernews NATION STATE ACTIVITY OilRig Exploits Kernel Flaw in Espionage Campaign Across Gulf
The Iranian threat actor OilRig targets the UAE and Gulf region using a Windows kernel flaw to escalate privileges, as observed by Trend Micro researchers. The group deploys a backdoor through Microsoft Exchange servers to steal credentials and leverages CVE-2024-30088 for privilege escalation. Identified aliases for OilRig include Earth Simnavaz, APT34, Crambus, and several others; the group is known for sophisticated cyber espionage. Their attack chains include deploying a new implant that exfiltrates credentials via on-premises Exchange servers and exploits recently patched vulnerabilities. The attackers gain initial network access through a vulnerable web server, deploying tools such as ngrok for persistence and lateral movement. The privilege escalation in turn enables delivery of the STEALHOOK backdoor to exfiltrate sensitive data. OilRig has extracted sensitive credentials from domain controllers using psgfilter.dll, a tool it has continuously refined for stealth and efficiency. Trend Micro highlights OilRig's strategic focus on infiltrating key infrastructure in geopolitically sensitive areas to establish a persistent presence for ongoing espionage and possibly broader attacks.
2024-10-12 15:26:07 bleepingcomputer MISCELLANEOUS Microsoft Deprecates Older VPN Protocols, Promotes Enhanced Security
Microsoft officially deprecated the PPTP and L2TP VPN protocols in future Windows Server versions, citing cybersecurity vulnerabilities. Companies are advised to transition to Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) for better security, speed, and reliability. PPTP is susceptible to brute force attacks, while L2TP needs proper configuration with IPsec to avoid security weaknesses. SSTP and IKEv2 offer superior encryption and faster connection speeds, suitable for complex network environments. Deprecation indicates these protocols will not undergo active development but will remain functional until potentially removed in the future. Microsoft released a support bulletin to help admins configure SSTP and IKEv2 amid this transition. Future Windows RRAS Server versions will not accept incoming PPTP and L2TP connections, though outgoing connections are still viable.
2024-10-12 14:09:37 bleepingcomputer CYBERCRIME OpenAI ChatGPT Exploited by Global Cybercriminals for Malware
OpenAI disrupted over 20 cyber operations that exploited its AI chatbot, ChatGPT, for malicious purposes including malware development and misinformation. Proofpoint and HP Wolf detected initial misuse of AI tools by cybercriminals in creating sophisticated malware and scripts. Chinese threat group "SweetSpecter" and Iranian groups "CyberAv3ngers" and "Storm-0817" used ChatGPT to enhance cyber operations targeting governments and critical infrastructures. Uses of the AI included writing malware, scripting, vulnerability analysis, and phishing attacks to aid espionage and infrastructure disruption. OpenAI identified and banned accounts linked to these threat actors and shared indicators of compromise with cyber security partners. Although AI does not give new capabilities, it significantly enhances the efficiency of existing methods employed by cyber attackers, lowering the skill barrier for malicious activities. The incidents highlight the dual-use nature of AI technologies and the importance of monitoring and controlling AI tool abuse in cybersecurity environments.
2024-10-12 05:09:44 thehackernews CYBERCRIME FBI's Sting Operation Uncovers Extensive Crypto Market Fraud
The FBI created a fictitious cryptocurrency company, NexFundAI, to investigate fraudulent activities within the cryptocurrency markets. Operation Token Mirrors led to the arrest and charging of 18 individuals and companies for market manipulation techniques such as wash trading. NexFundAI was advertised as a groundbreaking AI-integrated cryptocurrency, aimed at exposing corrupt market makers. Involved parties used deceptive practices to inflate the trading volume and prices of cryptocurrencies, misleading investors with manipulated market activities. Entities like ZM Quant, CLS Global, MyTrade, and Gotbit, along with certain top executives, have been implicated in these illegal schemes. Over $25 million in cryptocurrency assets have been seized, and numerous trading bots involved in the manipulation have been disabled. The operation highlights the ongoing vulnerability of retail investors in the crypto markets to institutional fraud and manipulation.
2024-10-12 03:07:05 theregister NATION STATE ACTIVITY US and UK Warn of Ongoing Russian Cyber Exploitation Efforts
The US and UK governments issued a joint advisory warning of a significant Russian campaign targeting unpatched vulnerabilities. Russian hackers linked to the APT29 group, known for the SolarWinds breach, are extensively scanning internet-facing systems to exploit known vulnerabilities. The advisory lists 24 critical vulnerabilities frequently exploited by the attackers, including severe bugs in Cisco IOS and JetBrains TeamCity. Recommended preventive measures include patching systems promptly, configuring systems properly to close unnecessary ports, and disabling internet-accessible services on non-essential systems. The advisory also emphasizes the importance of organizational vigilance and timely application of security updates to mitigate risks. Alongside this, there is a notable rise in phone-assisted phishing scams, with attackers leveraging social engineering through voice calls. CISA has advised entities using F5 BIG-IP devices to encrypt persistent cookies to prevent attackers from exploiting them to identify and access network resources. GitLab released updates for several critical vulnerabilities affecting its Community and Enterprise editions, urging immediate installation.
2024-10-11 23:01:42 theregister MALWARE Ransomware Rebrand: INC Evolves into Lynx, Continues Attacks
Researchers at Palo Alto's Unit 42 observed that the INC ransomware group has been rebranded as Lynx after a three-month transition period. Since its emergence in July 2024, Lynx has shown a higher number of ransomware sample detections compared to INC, suggesting a rise in activity. A significant code overlap between INC and Lynx was found, with a 70.8 percent similarity in shared functions, indicating the repurposing of INC’s codebase. Despite a decrease in detections, INC is still active, having posted new entries on its online leak site as recently as October 4, indicating ongoing operations. Both INC and Lynx operate similar web-based leak platforms, which are nearly identical in design and accessibility, supporting speculations that they might be managed by the same individuals or group. Unit 42 cited the availability of INC's source code on cybercrime forums since March, which could lead to various adaptations of INC ransomware by other parties. Lynx publicly states it avoids targeting critical sectors like hospitals and governments, although its sincerity is questionable given INC’s past targets such as NHS Scotland and Leicester City Council.
2024-10-11 21:34:51 theregister NATION STATE ACTIVITY US Lawmakers Probe Alleged Chinese Hacking of Telecoms
US lawmakers are pressing for answers following reports of China's "Salt Typhoon" cyber group breaching major US telecom firms, including Verizon, AT&T, and Lumen Technologies. The breaches reportedly targeted systems used for wiretapping under the legal mandate from the Communications Assistance for Law Enforcement Act, highlighting vulnerabilities in systems intended for law enforcement. Regulators and lawmakers, including Senator Ron Wyden and the US House Select Committee on China, are demanding accountability and improved security measures from these telecom companies. Wyden has specifically called for updates to CALEA regulations and the implementation of stringent baseline security standards with harsh penalties for non-compliance. Despite the severity of the allegations, Verizon and AT&T have not provided comments on the breaches, and Lumen has not responded to inquiries. This incident comes on the heels of heightened scrutiny over Chinese espionage activities in the US, underlined by earlier compromises of critical infrastructure by another group, "Volt Typhoon." Lawmakers underscore the strategic and urgent need to bolster US cybersecurity defenses against sophisticated nation-state adversaries, particularly from China.
2024-10-11 17:14:47 thehackernews MALWARE Tax-Themed Malware Campaign Exploits GitHub Links in Phishing Emails
A novel malware campaign using tax software themes targets the insurance and finance sectors via emails containing malicious GitHub links. The malicious use of reputable GitHub repositories to host malware goes against previous trends, in which threat actors would create new, less trusted repositories. In this campaign, attackers exploit GitHub's infrastructure by attaching malware payloads to issues or comments and then deleting them, leaving only the harmful link. The malware, which includes a Lua-based loader capable of establishing persistence and deploying further payloads, is particularly deceptive because GitHub is generally trusted. The phishing emails bypass traditional secure email gateways (SEGs) without using additional content obfuscation methods such as QR codes. Related phishing techniques revealed by Barracuda Networks include the use of ASCII- and Unicode-based QR codes and blob URLs, aimed at evading security detection. In an accompanying trend, the Telekopye toolkit, previously used for online marketplace scams, now targets accommodation booking platforms, leveraging compromised accounts to exploit recent bookings. Law enforcement action in the region saw the arrest of cybercriminals associated with the Telekopye bot as they continued to evolve their phishing strategies, using complex tools.
2024-10-11 16:38:44 bleepingcomputer CYBERCRIME Hackers Exploit Unencrypted F5 BIG-IP Cookies for Network Mapping
CISA has reported that cyber threat actors are exploiting unencrypted persistent cookies from the F5 BIG-IP Local Traffic Manager to map internal networks. These cookies, crucial for load balancing by directing traffic consistently to the same server, contain sensitive details like IP addresses and port numbers. By deciphering these cookies, hackers can discover and potentially compromise other non-internet facing devices within the network. F5 documentation highlights the necessity of cookie persistence for maintaining client-to-server connections but also underscores the risks of unencrypted cookies. Since version 11.5.0, F5 has provided configuration options to encrypt cookies, although historically many systems remain vulnerable due to legacy settings. CISA urges administrators to implement stronger encryption settings and to audit their systems with tools like F5’s BIG-IP iHealth to detect and correct misconfigurations. Persistent cookies function unencrypted by default due to performance and legacy reasons, providing an attack vector for malicious actors to explore and exploit security gaps within a network’s infrastructure. CISA's alert serves as a critical reminder for enterprises using F5 BIG-IP to reassess their cryptographic measures and ensure proper security practices are followed.
2024-10-11 16:28:18 bleepingcomputer CYBERCRIME Hackers Exploit F5 BIG-IP Cookies for Internal Network Mapping
CISA has reported that hackers are exploiting unencrypted F5 BIG-IP cookies to map devices within a network. The exploited cookies are from the F5 BIG-IP Local Traffic Manager (LTM) module, used primarily for load balancing and traffic management. These cookies, which are not encrypted by default, contain details like IP addresses and port numbers, aiding hackers in network discovery. CISA advises that from version 11.5.0, F5 provided an option to encrypt these cookies, yet many administrators have not enabled this setting. Persistent unencrypted cookies can potentially expose internal servers to scanning and subsequent exploitation of vulnerabilities. F5 has a diagnostic tool, BIG-IP iHealth, that helps administrators detect and rectify such misconfigurations. CISA recommends encrypting cookies and reviewing configurations to prevent unauthorized network mapping and potential data breaches.
2024-10-11 14:51:19 bleepingcomputer RANSOMWARE Casio Confirms Data Theft Following Ransomware Attack
Casio experienced a ransomware attack earlier this month which resulted in unauthorized network access and system disruptions. The attackers, identified as the Underground ransomware group, claimed responsibility and leaked documents stolen from Casio's systems. Sensitive information of employees, job candidates, and customers was confirmed to be compromised, although credit card information was not included. Casio's service systems such as CASIO ID and ClassPad.net were not affected as they are hosted on different server infrastructures. Casio urged those potentially impacted to be cautious of unsolicited emails and advised against spreading leaked information online to prevent further damage. The incident has been reported to law enforcement and Japan's Personal Information Protection Commission, which are now involved in the ongoing investigation and remediation efforts.
2024-10-11 11:47:12 theregister DATA BREACH RAC Employees Sentenced for Selling Accident Victims' Data
Two former RAC employees were given suspended sentences for selling accident victims' personal data. Debbie Okparavero and Maliha Islam illegally accessed and sold over 29,500 lines of personal data from RAC's systems. The data theft was detected through the company's security monitoring software, leading to their arrest and prosecution. Both individuals pleaded guilty to charges under the Computer Misuse Act 1990 and Data Protection Act 2018. They have been sentenced to six months in prison, suspended for 18 months, and 150 hours of community service. Further financial penalties will be considered at a Proceeds of Crime hearing in March 2025. This incident marks a repeat issue at RAC, with similar cases reported in 2021 and last year. The Information Commissioner's Office commended RAC for promptly reporting the breach, which facilitated swift legal action.
2024-10-11 11:16:26 theregister MISCELLANEOUS Poppy Gustafsson Appointed UK's New Investment Minister
Poppy Gustafsson, the former CEO of cybersecurity firm Darktrace, has been appointed as the UK’s new investment minister by Prime Minister Keir Starmer. Gustafsson brings a wealth of business experience from her time at Darktrace, where she maintained leadership through various controversies and a significant public offering. Her appointment also includes a peerage and she will play a crucial role at the upcoming International Investment Summit. The Office for Investment will undergo expansions and adjustments to better position the UK as a top global investment destination. Criticism remains over Darktrace’s past under Gustafsson’s leadership, including issues around its business model and financial reporting. Despite past business challenges, Gustafsson successfully managed to finalize the sale of Darktrace for $5.3 billion. The UK government and various experts have praised the appointment, highlighting the importance of leveraging sector-specific expertise in governmental roles.