Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-21 11:07:24 | theregister | MISCELLANEOUS | Mozilla to Adopt Trusted Types, Enhancing Web Security | Mozilla has revised its position and plans to implement Trusted Types in Firefox to combat DOM-based XSS (cross-site scripting) attacks. Trusted Types, aimed at preventing XSS vulnerabilities, have shown their effectiveness on websites using Chrome and Edge since their introduction. DOM-XSS, once a top web security concern, has seen reduced occurrence in the Chromium ecosystem due to Trusted Types. Adoption of Trusted Types has led to a significant reduction of XSS issues on Google properties, falling from 30% of VRP rewards in 2018 to 4.1% in 2023. Despite Mozilla's positive stance, Firefox's integration of Trusted Types is pending due to some unresolved technical issues. Other major tech companies, such as Meta, have also supported Trusted Types, suggesting a push for broader browser and website adoption. Bruce Perens, an Open Source movement pioneer, advocated for Trusted Types, noting they help identify potential XSS vulnerabilities during web app development. Effective use of Trusted Types requires proper implementation by developers, emphasizing the importance of competent programming to safeguard against XSS. | Details |
| 2023-12-21 10:56:55 | thehackernews | DATA BREACH | Record High Data Breach Costs Spur Investment in Security Practices | The average cost of a data breach in 2023 reached an all-time high of $4.45 million, with healthcare experiencing the costliest incidents. Healthcare breaches cost almost double the next industry due to the valuable PHI data, operational focus over security, and stringent regulations. The United States, the Middle East, and Canada had the highest breach costs, reflecting the tendency of attackers to target wealthier regions. While 51% of organizations said they would increase security investment post-breach, most planned to allocate funds towards incident response and employee training. Deploying AI and automation in security saved organizations an average of $1.76 million per breach and reduced response time by 108 days. Data breaches involving multiple types of environments like hybrid clouds took longer to contain and cost an additional $750,000 on average. Internal breach detection by security teams and involvement of law enforcement authorities led to faster containment and cost reduction. Recommendations include building security into all software and hardware development stages, protecting data across environments, utilizing AI and automation, and having a strong incident response practice. | Details |
| 2023-12-21 10:09:17 | thehackernews | CYBERCRIME | German Law Enforcement Shuts Down Dark Web 'Kingdom Market' | German police, with international partners, have disrupted the dark web platform 'Kingdom Market,' used for narcotic sales and malware distribution. 'Kingdom Market' had been active since at least March 2021, offering illegal drugs, malware, criminal services, and forged documents, accessible via Tor and I2P. The platform had a significant scale, with 42,000 listed products and several hundred sellers, including 3,600 drug listings from Germany. Transactions on the site were conducted using cryptocurrencies such as Bitcoin and Litecoin, with the operators earning a commission. German authorities have initiated an investigation into the platform's seized servers, and legal actions are underway. An individual allegedly associated with 'Kingdom Market,' identified as Slovakian national Alan Bill, has been charged in the U.S. with identity theft and money laundering. The takedown of 'Kingdom Market' follows recent successful actions against other cybercrime operations, including the disruption of the BlackCat ransomware group's activities. | Details |
| 2023-12-21 10:03:58 | bleepingcomputer | MALWARE | Chameleon Malware Disables Biometrics to Hijack Android Devices | The Chameleon Android banking trojan's new variant disables fingerprint and facial recognition, coercing users to input PINs. The malware employs HTML tricks and the disabling of biometrics to gain control and capture device PINs, allowing unauthorized access. Initially imitating Australian entities, Chameleon now spreads via Zombinder, binding malware to legitimate apps undetected by antivirus software. A new attack vector prompts users to override Android 13's "Restricted setting" so the malware can use the Accessibility service, a tactic commonly used by malware. Chameleon has enhanced its capabilities, such as scheduled tasks, to optimize periods of activity for malicious injections or data collection. ThreatFabric experts advise against downloading APKs from non-official sources and recommend keeping Play Protect enabled for regular malware checks. | Details |
| 2023-12-21 07:25:44 | thehackernews | MALWARE | Hackers Utilize Old MS Office Flaw to Deploy Agent Tesla Malware | Hackers are exploiting a known Microsoft Office vulnerability (CVE-2017-11882) to disseminate Agent Tesla malware through phishing campaigns. The malware spreads via deceptive Excel attachments in emails disguised as invoices, prompting the execution of malicious code without further user interaction. Zscaler ThreatLabz and Fortinet FortiGuard Labs have reported on the phishing campaign, demonstrating the attackers' method of using a Visual Basic Script to download additional malicious files. The malware uses a steganography technique to hide a Base64-encoded DLL within a JPG image, which is then injected into a legitimate Windows process (RegAsm.exe) to avoid detection. Agent Tesla functions as a sophisticated keylogger and remote access trojan (RAT), designed to harvest and exfiltrate sensitive information from infected systems. This incident highlights ongoing security challenges as threat actors continue to leverage older vulnerabilities, underscoring the need for enterprises to adopt advanced security measures such as Zero Trust frameworks. The attack methodology aligns with a broader trend of cybercriminals repurposing old security flaws for new attacks, as observed in recent activities by the 8220 Gang and an increase in DarkGate malware campaigns. | Details |
| 2023-12-21 04:37:32 | theregister | DATA BREACH | NASA Needs Improvement in Data Protection and Breach Response | NASA's Office of Inspector General (OIG) has found that while NASA has a comprehensive privacy program, there is room for improvement in protecting personal information. The audit revealed NASA has yet to fully implement Data Loss Prevention (DLP) in Microsoft 365, which is currently being rolled out. Between October 2021 and March 2023, users self-reported 118 data loss incidents, but the reports lacked consistency in identifying affected accounts and root causes. NASA's breach response plan is unclear due to conflicting instructions across several documents, resulting in uncertainty about when to form a Breach Response Team (BRT). Some BRT members are missing required annual training, including participation in breach response simulations. There is a lack of mandatory privacy role-based training for individuals assigned security and privacy roles. Inconsistencies in privacy reporting could lead to incomplete compliance with laws and policies, risking failure to notify the public about data collection and storage. NASA management has agreed to implement recommendations from the OIG report but will revisit the requirement for specific privacy and security role-based training, as the current plan to address this has been deemed not effective. | Details |
| 2023-12-21 03:51:30 | thehackernews | CYBERCRIME | Google Addresses Actively Exploited Chrome Zero-Day Vulnerability | Google has issued updates for Chrome to patch a high-severity zero-day flaw, CVE-2023-7024, exploited in the wild. The vulnerability is a heap-based buffer overflow in the WebRTC framework that could lead to crashes or arbitrary code execution. Discovered by Google's Threat Analysis Group, details about the flaw are withheld to prevent further exploitation. This marks the eighth Chrome zero-day addressed in 2023, with overall disclosed vulnerabilities reaching 26,447 this year. The most prevalent vulnerability types in 2023 include remote code execution, security feature bypass, and buffer manipulation. Chrome users are urged to update to version 120.0.6099.129/130 for Windows or 120.0.6099.129 for macOS and Linux. Users of other Chromium-based browsers, such as Microsoft Edge and Brave, should apply updates as they are released. | Details |
| 2023-12-20 23:46:57 | theregister | MALWARE | Malicious JavaScript Hijacks 50K Bank Logins Worldwide | IBM Security identified JavaScript code injected into online banking sessions that stole login credentials, affecting 50,000 users at over 40 banks globally. The malware, believed to be related to DanaBot, enters via victims' PCs, often through spam emails, and becomes active when users access their bank's website. The script is sophisticated, with the ability to intercept multi-factor authentication tokens and communicate with a command-and-control server for specific actions. Attackers can manipulate user interactions by prompting for additional credentials such as phone numbers or two-factor tokens, and inject fake error messages or overlays to hinder user access. Threat actors used domain names purchased in December 2022 for the web injection campaign, which continues to surreptitiously harvest banking credentials. IBM emphasizes the importance of robust cybersecurity practices for banking customers, including strong, unique passwords and caution when downloading software. Additional malware dubbed JaskaGO also poses a threat to Windows and macOS by stealing data and targeting cryptocurrency wallets, with AT&T Alien Labs providing indicators of compromise. | Details |
| 2023-12-20 23:26:22 | bleepingcomputer | CYBERCRIME | Twitter Flaw Exploited by Crypto Scammers to Mimic High-Profile Accounts | Cryptocurrency scammers exploit a Twitter feature that allows modification of the account name in a tweet's URL, leading to potential scams. The URL appears legitimate because scammers change the account name to resemble high-profile accounts while keeping the original tweet's status ID. Users are redirected to fraudulent promotions when clicking on the manipulated links, which appear to come from legitimate organizations. Impersonated accounts observed include recognizable names in the crypto space like Binance, the Ethereum Foundation, zkSync, and Chainlink. Scammers promote fake crypto giveaways and websites known for draining crypto wallets, exploiting unsuspecting victims. The tactic used by scammers involves creating misleading account names followed by a string of digits to appear as legitimate sources. Twitter users can reduce their exposure to such scams by employing the Quality Filter in their settings, but at the risk of filtering out legitimate content. The deceptive links are particularly difficult to discern on mobile devices without an address bar, exacerbating the risk of falling for fraudulent promotions. Since this redirection is an inherent part of Twitter's functionality, users must remain vigilant by checking their address bar to avoid scams. | Details |
| 2023-12-20 21:54:43 | bleepingcomputer | CYBERCRIME | Cyber Warning: Phony F5 BIG-IP Security Updates Conceal Data Wipers | The Israel National Cyber Directorate (INCD) has issued a warning about phishing emails claiming to be security updates for F5 BIG-IP zero-day vulnerabilities that actually deploy data wipers. Hacktivist groups, including pro-Palestinian and Iranian activists, have been targeting Israeli organizations with theft and data-wiping attacks since October. A new data wiper named BiBi Wiper, which impacts both Linux and Windows systems, was identified in November and is believed to be the creation of pro-Hamas hackers. The phishing campaign misleadingly instructs recipients to download supposed security updates; these are in fact malicious files designed to wipe data on the affected systems. For Windows systems, the malicious file is an executable with the name 'F5UPDATER.exe', and for Linux, it is a shell script known as 'update.sh'. Though the intended function of these programs is to delete data from the devices, BleepingComputer found the Windows version to be inconsistent in achieving this goal. The INCD cautions against downloading files from unverified email sources and advises that security updates be obtained directly from the vendors' official channels. | Details |
| 2023-12-20 21:44:16 | bleepingcomputer | CYBERCRIME | Google Addresses Eighth Chrome Zero-Day Exploit of the Year | Google has issued emergency updates to address a Chrome zero-day vulnerability, marking the eighth such patch this year. The vulnerability, identified as CVE-2023-7024, was being actively exploited, according to a security advisory. Updated versions have been released for Windows, Mac, and Linux, effectively mitigating the heap buffer overflow issue found in the WebRTC framework. Google's Threat Analysis Group, which focuses on defending against state-sponsored attacks, was credited with discovering the flaw. Google has not released detailed information on the exploitation of this vulnerability to prevent further misuse. Prior zero-days have included those leading to spyware deployment, with Google maintaining a policy of restricting access to bug details until fixes are widely disseminated. | Details |
| 2023-12-20 21:33:54 | theregister | CYBERCRIME | Sophisticated Email Scam Targeting Hotels Leads to Credential Theft | Cybercriminals exploit the helpfulness of hotel staff by sending deceitful emails to obtain credentials. Email scams employ emotional manipulation and time pressure, urging staff to download malware disguised as supportive evidence or information. Fraudulent emails include complaints about fake issues during stays or elaborate requests linked to future bookings. Links in these emails redirect staff to legitimate cloud storage services hiding password-protected archives that contain credential-stealing malware. Stolen hotel management credentials are used to access the Booking.com partner portal and send legitimate-looking messages to customers, pressuring them for credit card details. The scam has raised demand for Booking.com credentials on underground forums, with prices up to $5,000 for valid information. Booking.com, while not breached itself, acknowledges the phishing attempts on partners and advises steps for customers to protect their information, such as verifying payment policies and not providing credit card information via phone, email, or text. | Details |
| 2023-12-20 20:17:24 | bleepingcomputer | CYBERCRIME | Scammers Exploiting Social Media Feature to Push Crypto Cons | Cryptocurrency scammers manipulate a social media platform feature to impersonate notable accounts and promote scams. Fake giveaways and fraudulent Telegram channels are advertised, redirecting users to pages that steal their cryptocurrency and NFTs. Scammers alter legitimate post URLs by changing the account name while keeping the original status ID, which causes a redirect to the scam content. Security researchers highlight that this technique has been in use for at least two weeks, targeting followers of major cryptocurrency-related organizations. Accounts utilizing this scam tactic often have usernames formatted with a name followed by a series of digits (e.g., @name12345). The platform's Quality Filter can mitigate exposure to these scams, but it may inadvertently block desired content as well. Users are advised to inspect the address bar to confirm authenticity before engaging with posts that appear to be from prominent companies or individuals. Despite previous reports of the potential for phishing with this feature, the platform has not implemented changes to prevent such abuse. | Details |
| 2023-12-20 19:36:29 | bleepingcomputer | CYBERCRIME | Phishing Campaign Targets Instagram Two-Factor Backup Codes | A new phishing attack on Instagram users employs a 'copyright infringement' ploy to obtain their 2FA backup codes. These attacks circumvent traditional 2FA protection by targeting the backup codes provided for emergency account access. The phishing emails impersonate Instagram's parent company, Meta, falsely alerting users of copyright complaints. Targets are lured to a fake Meta portal, then to an "Appeal Center" page, where they are tricked into providing login credentials and 8-digit backup codes. Trustwave analysts highlight the sophistication of these phishing attempts, despite some apparent signs of fraud that savvy users might notice. The phishing campaign's design and the urgency it conveys can effectively deceive many users into compromising their account security. Experts advise users to protect their backup codes with the same vigilance as their passwords and only use them on official Instagram pages. | Details |
| 2023-12-20 18:04:27 | bleepingcomputer | CYBERCRIME | Ivanti Issues Fixes for Avalanche MDM Critical Security Flaws | Ivanti has released patches for 13 critical remote code execution (RCE) vulnerabilities in its Avalanche enterprise mobile device management (MDM) platform. The vulnerabilities were discovered by Tenable and Trend Micro's Zero Day Initiative, stemming from stack or heap-based buffer overflows. An attacker could exploit these flaws without authentication or user interaction, potentially causing a Denial of Service (DoS) or executing arbitrary code. Ivanti recommends that users update to Avalanche version 6.4.2 to mitigate the risks associated with the vulnerabilities, which affect all supported Avalanche versions from 6.3.1. In addition to the critical fixes, Ivanti also addressed eight medium- and high-severity issues susceptible to denial of service, remote code execution, and server-side request forgery (SSRF) attacks. Previously, Ivanti had patched similar critical buffer overflow vulnerabilities in August and had been targeted by state-affiliated hackers exploiting zero-day flaws in April. Mobile device management systems like Avalanche are high-value targets for cybercriminals and nation-state actors due to the expansive control over numerous devices they offer. | Details |