Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11736
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-15 07:29:16 | thehackernews | MISCELLANEOUS | Google Rolls Out Privacy-Centric Tracking Protection in Chrome | Google will begin testing a new "Tracking Protection" feature in Chrome to block third-party cookies for 1% of users from January 4, 2024.
The feature aims to restrict cross-site tracking by disabling non-essential cookies by default, enhancing user privacy without compromising access to free content.
Participants for the initial test are randomly selected and will be notified upon using Chrome on desktop or Android devices.
Major browsers like Safari and Firefox have already implemented similar restrictions, but Google's approach seeks to balance privacy with continued support for ad-funded online services.
Third-party cookies will be phased out for all Chrome users starting in Q3 2024, following initial testing and feedback.
Google's Privacy Sandbox initiative will use data aggregation, limitations, and obfuscation instead of cross-site user identifiers to maintain privacy while still enabling targeted advertising and ad performance measurement.
Google commits to evolving Chrome into a browser that's more private and accessible, underscoring the company's dedication to user privacy advancements. | Details |
| 2023-12-15 05:32:21 | thehackernews | MALWARE | New Malware 'NKAbuse' Uses Blockchain for DDoS Attacks | NKAbuse, a newly identified malware that abuses the NKN (New Kind of Network) blockchain-based peer-to-peer network, performs DDoS attacks and acts as a backdoor implant.
It communicates over the NKN protocol, whose public network has more than 62,000 nodes, to receive commands and exchange data with its operators.
It primarily targets Linux systems, including IoT devices, and gains initial access by exploiting a six-year-old Apache Struts vulnerability (CVE-2017-5638).
NKAbuse is written in Go and built for multiple CPU architectures; it has no self-propagation mechanism and relies on other means for initial delivery.
Persistence is established through a cron job when the malware runs as root; its capabilities include system information reporting, screenshot capture, file management, and command execution.
Routing C2 over a decentralized blockchain network gives the botnet resilience and anonymity, with no single command server to identify or take down, leaving room for it to grow.
An NKN co-founder expressed surprise and said the project intends to understand and mitigate the misuse of its technology to keep the internet safe and neutral. | Details |
| 2023-12-14 23:31:30 | bleepingcomputer | CYBERCRIME | Kraft Heinz Probes Potential Cyberattack After Extortion Group's Claim | Kraft Heinz is investigating claims of a cyberattack on a decommissioned marketing website after being listed on Snatch extortion group's data leak site.
Snatch announced they breached Kraft Heinz, but no evidence or stolen data has been provided to substantiate these claims.
As one of the largest food and beverage companies, Kraft Heinz operates globally with well-known brands such as Oscar Mayer and Philadelphia.
Despite the extortion group's assertions, Kraft Heinz reports that their internal systems are functioning normally with no signs of a broader cyberattack.
Snatch, historically known for ransomware activities, claims to have shifted focus from encrypting victims' files to solely data exfiltration and extortion.
CISA notes that data posted on Snatch's leak site includes material stolen by other ransomware groups as well as by Snatch's own operations, which undercuts Snatch Team's claim that it no longer engages in ransomware attacks. | Details |
| 2023-12-14 22:15:16 | bleepingcomputer | MALWARE | NKAbuse Malware Utilizes NKN Blockchain for Stealth DDoS Attacks | NKAbuse, a novel multi-platform malware, leverages NKN (New Kind of Network) blockchain technology for stealthy communication, posing a new kind of threat.
The malware primarily targets Linux devices in Mexico, Colombia, and Vietnam, and it has been seen exploiting an older Apache Struts vulnerability to infiltrate systems.
NKAbuse can compromise various architectures including IoT devices, as well as MIPS, ARM, and x86 systems.
It conducts hard-to-trace DDoS attacks, using the NKN protocol, which isn’t widely monitored by security tools, effectively hiding its source.
The malware serves as a remote access trojan (RAT), allowing attackers to execute commands, exfiltrate data, and capture screenshots.
Kaspersky's analysis reveals NKAbuse to be a sophisticated and versatile tool capable of a range of attack methodologies, complicating defense efforts.
The use of blockchain to manage C2 (command and control) communications provides the attackers with resilience and obfuscation, which are not common in traditional DDoS botnets. | Details |
| 2023-12-14 22:00:02 | theregister | CYBERCRIME | Microsoft Disrupts Major Cybercrime Operation Selling Phony Accounts | Microsoft took action against Storm-1152, a cybercrime group known for selling fraudulent Microsoft accounts.
The operation involved seizing US-based websites that offered illegal services such as fake email accounts and CAPTCHA-solving tokens.
Storm-1152 earned millions of dollars in illicit revenue, while the downstream attacks enabled by its accounts caused substantial losses for Microsoft customers.
Microsoft obtained a court order after showing that the group's activities were harmful and used Microsoft trademarks without authorization.
The three individuals leading Storm-1152, all based in Vietnam, were identified in the legal proceedings.
Storm-1152's accounts were used by Scattered Spider, including in the ransomware attacks on Las Vegas casino operators.
The action by Microsoft is part of ongoing efforts to fight cybercrime and mitigate its impacts on companies and the general public. | Details |
| 2023-12-14 20:43:14 | bleepingcomputer | DATA BREACH | Ubiquiti Cloud Misconfiguration Leads to Unauthorized Access | Ubiquiti users reported being able to access and receive notifications from other users' devices via the UniFi cloud platform.
The issue was first spotted when a user received a notification from a camera they did not own, leading to concerns about privacy and security.
Other users experienced similar issues, gaining complete access to devices and control panels that were not theirs, with the situation reverting to normal after refreshing the web page.
Ubiquiti responded to inquiries, stating they are reviewing the situation and will issue a statement after thorough investigation.
The company has since attributed the problem to a misconfiguration during a cloud infrastructure upgrade, which led to two groups of accounts having cross-access for a limited time.
A total of 1,216 accounts were improperly associated with a second group of accounts; Ubiquiti identified twelve accounts that actually received notifications from, or gained access to, devices belonging to others, and promised to notify affected users by email. | Details |
| 2023-12-14 19:42:14 | bleepingcomputer | MALWARE | New Banking Malware Targets Nearly 1,000 Android Apps Worldwide | Ten new Android banking trojans emerged in 2023, targeting 985 financial apps in 61 countries, according to Zimperium.
Banking trojans aim to steal online bank account credentials, bypass two-factor authentication, and commit fraud.
The malware often appears as utilities, games, or productivity apps and has been found to target personal data and social media.
Among the existing malware families that received updates are Teabot, Exobot, Mysterybot, Medusa, Cabassous, Anubis, and Coper.
The United States is the most targeted country, with 109 banking apps affected, followed by the UK with 48, and Italy with 44.
Mobile security experts recommend only downloading apps from official stores, scrutinizing app permissions, and being cautious about external download requests. | Details |
| 2023-12-14 18:31:09 | bleepingcomputer | CYBERCRIME | Microsoft Takes Down Major Cybercrime Operation Selling Fraudulent Accounts | Microsoft's Digital Crimes Unit has disrupted a Vietnamese cybercrime group, tracked as Storm-1152, responsible for creating roughly 750 million fraudulent accounts.
These accounts were sold to other cybercriminals who used them to commit ransomware attacks, data theft, and other cybercrimes globally.
Storm-1152 offered services such as fraudulent Microsoft Outlook accounts and an automatic CAPTCHA-solving service, enabling widespread criminal activities online.
Major cybercrime groups, including Storm-0252, Storm-0455, and Octo Tempest, utilized these fraudulent accounts in various attacks, causing damage estimated in the hundreds of millions of dollars.
Microsoft seized the group’s U.S. infrastructure and took down key websites after obtaining a legal order, while also filing a lawsuit against individual members of the gang.
The legal action is part of Microsoft's broader strategy to disrupt the cybercriminal ecosystem by targeting the tools and services that facilitate cyberattacks. | Details |
| 2023-12-14 18:26:04 | bleepingcomputer | MISCELLANEOUS | Discord Strengthens User Security with Security Key Support | Discord has introduced support for security key multi-factor authentication (MFA) for enhanced user account protection.
This security measure is now available to all Discord users, increasing defense against phishing and credential theft.
Users can register WebAuthn authenticators, including hardware security keys and platform biometrics, alongside or in place of the older MFA options.
The implementation of WebAuthn involved using native languages for mobile app development and creating a custom module for macOS.
Although WebAuthn offers significant security advantages, legacy MFA options will remain available for users.
Discord plans to expand its WebAuthn capabilities to enable password-less logins in the future. | Details |
| 2023-12-14 18:00:37 | bleepingcomputer | DATA BREACH | U.S. Nuclear Lab Data Breach Affects Thousands of Individuals | The Idaho National Laboratory (INL), a U.S. Department of Energy research facility, suffered a data breach involving a cloud-based HR system.
Personal information of over 45,000 current and former employees, dependents, and spouses was exfiltrated by attackers.
Sensitive personal identification information (PII) compromised includes names, social security numbers, salary data, and banking details.
The breach was limited to an off-site Oracle HCM test environment and did not impact the INL's internal networks or databases.
The cybersecurity incident was confirmed on November 20 and did not affect employees hired after June 1, 2023.
SiegedSec, a hacking group, claimed responsibility for the breach and leaked the data without negotiating or demanding a ransom.
Cybersecurity authorities, including CISA and the FBI, are conducting a joint investigation to assess the full impact of the breach.
Evidence of the breach was demonstrated via social media postings by the attackers, including a custom announcement made using INL's compromised system. | Details |
| 2023-12-14 17:34:59 | thehackernews | MISCELLANEOUS | Benefits of Automated Network Penetration Testing for Cybersecurity | Network penetration testing, also known as "pentesting" or "ethical hacking," is a methodology where security experts simulate cyberattacks to identify vulnerabilities.
There are misconceptions surrounding pentesting, such as it being a one-time activity, only for large corporations, or disruptive to business operations.
Both internal and external types of pentesting serve as complementary defense mechanisms targeting different parts of an organization's network.
Automated network penetration testing, like the vPenTest from Vonahi Security, offers a scalable and cost-effective alternative to manual testing.
Automated testing allows for more frequent assessments of an organization's network, leading to more consistent identification of vulnerabilities with less human error.
Embracing automated penetration testing tools can help businesses of all sizes improve their cybersecurity posture and comply with various standards.
Vonahi Security provides a SaaS platform, vPenTest, that replicates manual testing and enables continuous, real-time evaluations of cybersecurity risks. | Details |
| 2023-12-14 16:22:14 | bleepingcomputer | CYBERCRIME | Ledger Warns Users After $600K Crypto Supply Chain Attack | Ledger alerts users to avoid using web3 decentralized apps (dApps) due to a malicious supply chain attack on its 'Ledger dApp Connect Kit' library.
The compromised library contained a JavaScript wallet drainer that siphoned $600,000 worth of cryptocurrency and NFTs from user wallets.
Ledger has removed the infected version and released an updated, secure version of the Connect Kit.
All projects that used the compromised versions (1.1.5 through 1.1.7) must upgrade to the new release to ensure security.
Users are advised to "Clear Sign" transactions and to be cautious of ongoing phishing attempts that exploit the situation.
The breach occurred after a phishing attack on a former employee's NPMJS account enabled the attacker to publish malicious versions.
While the hardware wallet and main software remain unaffected, there's an active investigation to assess the full impact of the attack.
Ledger has reported the hacker's wallet addresses to authorities, with Tether freezing stolen assets, and plans to release a comprehensive report on the incident. | Details |
| 2023-12-14 15:31:30 | thehackernews | MALWARE | Malicious Python Packages on PyPI Repository Infect Thousands | Cybersecurity researchers have discovered 116 malicious Python packages on the PyPI repository aimed at Windows and Linux systems.
These packages, downloaded over 10,000 times since May 2023, can install backdoors for remote command execution and data theft.
Malware includes variants of W4SP Stealer and clipboard monitoring tools to hijack cryptocurrency transactions.
Attackers used sophisticated methods to embed malicious code, such as hiding PowerShell in setup files or obfuscating it in initialization files.
The incidents highlight the increasing issue of compromised open-source packages used for supply chain attacks.
Researchers from ESET stress the need for Python developers to scrutinize code for suspicious components before use.
This advisory follows reports of npm packages targeting a financial institution, demonstrating ongoing risks in the software supply chain. | Details |
| 2023-12-14 15:06:05 | bleepingcomputer | CYBERCRIME | Enhancing Active Directory Security Against Password Attacks | Active Directory (AD) is critical for identity management in organizations and is a prime target for cyberattacks due to the valuable credentials it holds.
Attackers often exploit password vulnerabilities as an initial entry point to gain unauthorized access or take over an AD environment.
Specops Password Policy can enhance AD security by enforcing robust password policies to combat attacks like Kerberoasting and password spraying.
Kerberoasting requests service tickets for accounts with SPNs and cracks them offline, since each ticket is encrypted with the service account's password hash; long, random service-account passwords make that cracking impractical.
Password spraying tries a few common passwords against many accounts to stay under lockout thresholds; third-party tooling is recommended to enforce complexity and block likely choices.
Default and reused credentials are a high risk: scripted provisioning of new accounts often assigns a predictable initial password, and users with multiple accounts tend to pick the same one for each.
Privilege escalation by attackers can lead to full network control, thus robust password policies especially for privileged accounts are crucial.
Specops offers tools like Password Auditor to scan for weak or compromised passwords, and Password Policy to block usage of known breached passwords, increasing overall AD security. | Details |
| 2023-12-14 14:15:14 | theregister | NATION STATE ACTIVITY | Russia's SVR Exploits TeamCity in Global Cyber Espionage Campaign | Russia's Foreign Intelligence Service (SVR), the actor behind the 2020 SolarWinds compromise, is exploiting a critical vulnerability in JetBrains TeamCity CI/CD servers.
International cybersecurity agencies, including the FBI, CISA, NSA, SKW, CERT Polska, and the UK's NCSC, issued a joint advisory on the ongoing threat.
The vulnerability, CVE-2023-42793, is an authentication bypass that yields remote code execution on the TeamCity server, giving an attacker access to source code, signing certificates and build pipelines, the same software-supply-chain foothold used in SolarWinds; North Korean actors were also observed exploiting it.
Evidence of SVR activity includes backdoor installation and lateral movement within networks, with legitimate services such as Dropbox used to hide command and control (C2) traffic.
The SVR uses custom malware such as GraphicalProton for stealthy, long-term access, often with additional layers of encryption and obfuscation.
The advisory lists extensive mitigations and indicators of compromise; the campaign fits a decade-long Russian strategy of intelligence gathering across many sectors.
JetBrains responded with a software update for TeamCity and security patches for older versions, stressing that most instances are now patched. | Details |
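Worked example for the "Enhancing Active Directory Security Against Password Attacks" item above. This is an editor-added illustration, not code from Specops or BleepingComputer: it runs the two detections a defender would pair with a password policy, Kerberoasting (one account requesting RC4-encrypted service tickets for many SPNs in a short window) and password spraying (one source failing logons across many accounts with few attempts each). The events are constructed to resemble Windows Security events 4769 and 4625; the window sizes and thresholds are assumptions to tune per environment.

```python
"""Detect Kerberoasting and password spraying in Windows Security events.

Editor-added example; the EVENTS list is constructed sample data, not real logs.
Event 4769 = Kerberos service ticket requested, 4625 = logon failure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # ticket encryption type Kerberoast tooling asks for (weakest to crack)

# Constructed sample events (assumption: fields already parsed out of the XML).
EVENTS = [
    # one account pulls RC4 tickets for four different services within seconds
    {"id": 4769, "time": "2023-12-14T10:00:01", "user": "jsmith", "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"id": 4769, "time": "2023-12-14T10:00:02", "user": "jsmith", "spn": "HTTP/intranet.corp.local", "etype": "0x17"},
    {"id": 4769, "time": "2023-12-14T10:00:03", "user": "jsmith", "spn": "CIFS/files01.corp.local", "etype": "0x17"},
    {"id": 4769, "time": "2023-12-14T10:00:04", "user": "jsmith", "spn": "ldap/dc01.corp.local", "etype": "0x17"},
    # benign: an AES256 (0x12) ticket and a krbtgt renewal
    {"id": 4769, "time": "2023-12-14T10:05:00", "user": "alice", "spn": "HTTP/intranet.corp.local", "etype": "0x12"},
    {"id": 4769, "time": "2023-12-14T10:06:00", "user": "bob", "spn": "krbtgt/CORP.LOCAL", "etype": "0x17"},
    # one source tries a single password against six accounts
    {"id": 4625, "time": "2023-12-14T10:10:00", "user": "alice", "src": "10.0.0.50"},
    {"id": 4625, "time": "2023-12-14T10:10:01", "user": "bob", "src": "10.0.0.50"},
    {"id": 4625, "time": "2023-12-14T10:10:02", "user": "carol", "src": "10.0.0.50"},
    {"id": 4625, "time": "2023-12-14T10:10:03", "user": "dave", "src": "10.0.0.50"},
    {"id": 4625, "time": "2023-12-14T10:10:04", "user": "erin", "src": "10.0.0.50"},
    {"id": 4625, "time": "2023-12-14T10:10:05", "user": "frank", "src": "10.0.0.50"},
    # a user mistyping their own password three times: not a spray
    {"id": 4625, "time": "2023-12-14T10:12:00", "user": "bob", "src": "10.0.0.7"},
    {"id": 4625, "time": "2023-12-14T10:12:10", "user": "bob", "src": "10.0.0.7"},
    {"id": 4625, "time": "2023-12-14T10:12:20", "user": "bob", "src": "10.0.0.7"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: sorted SPNs} for users that requested RC4 service tickets
    for at least `min_spns` distinct SPNs inside any `window`-long period."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["id"] != 4769 or ev["etype"].lower() != RC4_HMAC:
            continue
        if ev["spn"].lower().startswith("krbtgt/"):
            continue  # TGT renewals are not Kerberoast targets
        per_user[ev["user"]].append((parse_time(ev["time"]), ev["spn"]))
    hits = {}
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            spns = {spn for t, spn in requests[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} where one source produced logon failures
    for at least `min_accounts` distinct accounts inside `window`, with no account
    failing more than `max_per_account` times (the shape that dodges lockout)."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            per_src[ev["src"]].append((parse_time(ev["time"]), ev["user"]))
    hits = {}
    for src, failures in per_src.items():
        failures.sort()
        for i, (start, _) in enumerate(failures):
            counts = defaultdict(int)
            for t, user in failures[i:]:
                if t - start <= window:
                    counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} RC4 service tickets -> {spns}")
    for src, users in detect_password_spray(EVENTS).items():
        print(f"possible password spray from {src} against {len(users)} accounts: {users}")
```

The RC4 filter matters because modern clients negotiate AES for service tickets by default, so a burst of 0x17 requests from one account is the Kerberoast signature; the spray detector deliberately ignores a source that hammers one account, which is a brute-force or a typo, not a spray.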
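Worked example for the "Malicious Python Packages on PyPI Repository Infect Thousands" item above. This is an editor-added illustration, not ESET's tooling or code from the article: it is a small static scanner for the two tricks the summary names, PowerShell hidden in a setup file and packed code in an initialization file, flagging exec/eval and process-spawning calls, base64 and zlib decoders, PowerShell strings and long base64 blobs. Both package sources it scans are constructed here; the payload is a harmless print statement, encoded only to exercise the scanner.

```python
"""Static scan of a Python package's setup.py / __init__.py for dropper patterns.

Editor-added example, not ESET's scanner. MALICIOUS_SETUP and BENIGN_SETUP are
constructed sample files; the encoded payload is a harmless print() call.
"""
import ast
import base64
import re

SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
}
DECODERS = {"base64.b64decode", "zlib.decompress", "marshal.loads"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{80,}={0,2}$")  # long base64-looking literal


def _call_name(node):
    """Dotted name of a call target: exec -> 'exec', base64.b64decode -> 'base64.b64decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src, filename="<package>"):
    """Return [(line, reason)] for every suspicious construct in one file."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
            elif name in DECODERS:
                findings.append((node.lineno, f"decoder {name} (possible packed payload)"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.strip()
            if "powershell" in text.lower() or "-encodedcommand" in text.lower():
                findings.append((node.lineno, "PowerShell invocation in string literal"))
            elif B64_RE.match(text):
                try:
                    base64.b64decode(text, validate=True)
                    findings.append((node.lineno, f"{len(text)}-char base64 blob"))
                except ValueError:
                    pass
    return findings


def scan_package_files(files):
    """files: {relative path: source}. Returns only the files with findings."""
    results = {}
    for path, src in files.items():
        found = scan_source(src, path)
        if found:
            results[path] = found
    return results


def is_suspicious(src):
    return bool(scan_source(src))


# Constructed samples (assumption: what a downloaded sdist's setup.py might contain).
PAYLOAD_B64 = base64.b64encode(
    b"print('constructed placeholder payload, not a real dropper, used only to exercise the scanner')"
).decode()

MALICIOUS_SETUP = f'''
from setuptools import setup
import base64, subprocess

exec(base64.b64decode("{PAYLOAD_B64}"))
subprocess.Popen(["powershell", "-w", "hidden", "-c", "Write-Output constructed"])

setup(name="totally-legit-utils", version="0.1.0")
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="clean-package", version="1.0.0", packages=["clean_package"])
'''

MALICIOUS_FILES = {"setup.py": MALICIOUS_SETUP}
BENIGN_FILES = {"setup.py": BENIGN_SETUP, "clean_package/__init__.py": "VERSION = '1.0.0'\n"}

if __name__ == "__main__":
    for path, found in scan_package_files(MALICIOUS_FILES).items():
        for line, reason in sorted(found):
            print(f"{path}:{line}: {reason}")
    print("benign package findings:", scan_package_files(BENIGN_FILES))
```

A legitimate setup.py has no reason to spawn a shell or decode a payload at install time, so any hit in that file is worth a manual look before `pip install` runs it; the base64 length threshold is an assumption chosen to skip short tokens and hex digests.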
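Worked example for the "Ledger Warns Users After $600K Crypto Supply Chain Attack" item above. This is an editor-added check, not code from Ledger or the article: it walks an npm package-lock.json and reports every install of the kit whose version falls in the compromised range 1.1.5 through 1.1.7, including copies nested under other dependencies. The npm package name `@ledgerhq/connect-kit` is assumed here, and both lockfiles are constructed.

```python
"""Find installs of a compromised npm package version range in package-lock.json.

Editor-added example. The package name is an assumption and the two lockfiles
below are constructed; the version range comes from the Ledger advisory.
"""
import json

AFFECTED_PACKAGE = "@ledgerhq/connect-kit"      # assumed npm name of the Connect Kit
AFFECTED_RANGE = ((1, 1, 5), (1, 1, 7))          # inclusive: 1.1.5, 1.1.6, 1.1.7


def parse_version(version):
    """'1.1.8-beta.1+build' -> (1, 1, 8); prerelease/build metadata is ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version, low, high):
    return low <= parse_version(version) <= high


def find_affected(lockfile_text, package=AFFECTED_PACKAGE, version_range=AFFECTED_RANGE):
    """Return sorted [(install path, version)] for every affected copy of `package`."""
    lock = json.loads(lockfile_text)
    hits = set()

    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + package) and in_range(meta.get("version", "0"), *version_range):
            hits.add((path, meta["version"]))

    # lockfileVersion 1 (and the compatibility tree in v2): nested "dependencies"
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == package and in_range(meta.get("version", "0"), *version_range):
                hits.add((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed lockfiles (not from any real project).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "dependencies": {"@ledgerhq/connect-kit": "^1.1.0", "some-wallet-ui": "2.0.0"}},
        "node_modules/@ledgerhq/connect-kit": {"version": "1.1.6"},
        "node_modules/some-wallet-ui": {"version": "2.0.0"},
        "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": {"version": "1.1.8"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 1,
    "dependencies": {
        "some-wallet-ui": {
            "version": "2.0.0",
            "dependencies": {"@ledgerhq/connect-kit": {"version": "1.1.5"}},
        }
    },
})

if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for path, version in find_affected(text):
            print(f"[{label}] affected {AFFECTED_PACKAGE} {version} at {path}")
```

Nested copies are the ones a quick `npm ls` glance misses, which is why the walk reports the full install path; a lockfile check also only covers what is installed at build time, so a site that pulls the kit at runtime from a CDN needs to confirm the version actually being served as well.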