Daily Brief

Total articles found: 11731

2023-12-14 09:10:31 theregister MISCELLANEOUS Hone Cybersecurity Skills with SANS Holiday Hack Challenge
The SANS Holiday Hack Challenge, a festive and educational cybersecurity event, has returned for the 2023 holiday season. Aimed at both aspiring and current cybersecurity professionals, the challenge offers hands-on experience in a variety of security tasks. The holiday period is often targeted by cyber criminals through phishing scams, DDoS attacks, and MFA fatigue exploitation. Participants in the Holiday Hack Challenge can learn to combat common holiday cyber threats while enjoying the season's festive spirit. The 2023 competition, 'Holiday Hack Challenge 2023: A Holiday Odyssey,' includes AI cybersecurity, defense, offense, web and cloud security, threat hunting, phishing analysis, and more. The challenge is inclusive, catering to all levels of expertise, and prizes are available for standout entries. Ed Skoudis, Director of the Holiday Hack Challenge, provides a preview and tips for success in an introductory YouTube video. Participants can start playing immediately by visiting the SANS event website, with added entertainment from cyber security-themed holiday music.
2023-12-14 06:32:46 thehackernews CYBERCRIME GambleForce Hacker Group Attacks APAC Companies via SQL Injection
A newly identified threat group, GambleForce, has been running SQL injection attacks against Asia-Pacific organisations since September 2023, targeting the gambling, government, retail and travel sectors and successfully breaching six of the 24 organisations it attacked. Its tooling is basic but effective: dirsearch, sqlmap, tinyproxy, redis-rogue-getshell, and a build of the legitimate Cobalt Strike framework whose command set is in Chinese. The group exploits vulnerable content management systems and other public-facing applications, including a known flaw in Joomla, to steal sensitive user data. Its origins are unclear; the Chinese-language commands in its tooling are the only attribution clue noted. Group-IB took down the group's command-and-control server and notified the affected victims. The article stresses that SQL injection remains a live risk because developers still overlook input validation and secure coding practices.
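GambleForce's toolset (sqlmap in particular) works against exactly the pattern the article warns about: SQL text assembled from user input. The following Python example is added here and is not taken from the article or from Group-IB's report. It uses an in-memory SQLite table with constructed sample rows to show a string-built query dumping every user when fed a classic tautology payload, and the same lookup neutralised by a parameterised query. The table, column and function names are illustrative assumptions.

```python
import sqlite3

# Constructed sample data standing in for a web application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Classic tautology payload of the kind sqlmap tries early on.
PAYLOAD = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The query text is assembled from the request parameter, so a quote in
    # the input terminates the string literal and the remainder is parsed as SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised: the SQL text is fixed and the driver binds the value,
    # so the payload is compared as a literal username and matches nothing.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the payload, the vulnerable lookup's query becomes `... WHERE username = '' OR '1'='1'` and returns all three rows; the parameterised version returns none, because the driver never lets the input change the shape of the statement.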
2023-12-14 05:51:49 thehackernews CYBERCRIME Microsoft Targets Illegal Cyber Network "Storm-1152" in Court Seizure
Microsoft received a court order to dismantle Storm-1152, responsible for creating and selling 750 million fake Microsoft accounts and tools. Storm-1152's cybercrime-as-a-service model enabled illegal activities, including phishing, ransomware, and DDoS attacks, by evading identity verification systems. Known threat groups like Octo Tempest used these fraudulent accounts for their ransomware and extortion operations. With collaboration from Arkose Labs, Microsoft identified three Vietnamese individuals responsible for the cybercrime network's infrastructure. The perpetrators operated a sophisticated service, offering custom pricing, instructional videos, customer support, and cryptocurrency cash-outs for their fraudulent products. This action taken by Microsoft is part of a crackdown on the use of fraudulent accounts that aid in various cybercrimes and attempts to fortify cybersecurity across platforms.
2023-12-13 23:49:12 bleepingcomputer CYBERCRIME Microsoft Tackles Cybercrime Ring Selling Fraudulent Accounts
Microsoft's Digital Crimes Unit has seized domains from Storm-1152, a Vietnam-based group that sold fraudulent Microsoft Outlook accounts. The group created more than 750 million bogus accounts and monetised them by selling them to other cybercriminals, alongside cybercrime-as-a-service tools such as an automated CAPTCHA-solving service that enabled mass account creation. Ransomware gangs have used these accounts to gain footholds in organisations, causing damages in the hundreds of millions of dollars. Armed with a court order, Microsoft shut down US-based websites operated by Storm-1152 and sued the individuals it alleges ran the operation. Microsoft's stated aim is to dismantle the broader criminal infrastructure by going after the tools and services that enable attacks rather than individual attacks alone.
2023-12-13 22:47:45 bleepingcomputer NATION STATE ACTIVITY Chinese APT Group Targets SOHO Equipment via KV-botnet
Volt Typhoon (also tracked as Bronze Silhouette), a Chinese state-sponsored hacking group, has been linked to the malicious 'KV-botnet', which has been infiltrating SOHO routers and VPN devices since 2022 to reach high-value targets. Earlier joint reporting by Microsoft and the US government described the group as deliberately building infrastructure that could be used to disrupt communications between the US and Asia during a future crisis. Black Lotus Labs found the botnet targeting specific edge devices, including Netgear ProSAFE firewalls, Cisco RV320 routers, DrayTek Vigor routers and Axis IP cameras, by exploiting vulnerabilities in network edge equipment. It has supported intrusions against telecoms, internet providers, US military entities and others, with activity rising from August 2023 and peaking in mid-November 2023. Operations are split by target value: the 'KV' cluster, apparently operated manually, goes after high-value targets, while the 'JDY' cluster performs broader automated scanning. The infection chain uses several file types, and the malware evades detection by mimicking legitimate process names and running largely in memory, which hampers detection but also means the implant does not survive a reboot. Lumen's Black Lotus Labs report ties the botnet's techniques, target selection and working hours to Volt Typhoon, and treats the drop in botnet activity after public disclosures as a further sign that the operators are cautious. Lumen has published indicators of compromise on GitHub to help defenders detect and block KV-botnet infections.
2023-12-13 20:35:24 bleepingcomputer CYBERCRIME Google Forms Exploited in BazarCall Phishing Payment Scams
A renewed BazarCall phishing campaign misuses Google Forms to send fake payment receipts. The emails imitate legitimate subscriptions and notification services to deceive users. Victims receive an email prompting them to cancel a non-existent expensive subscription. The typical approach instructs users to call a phone number, connecting them to fake customer support. Cybercriminals guide victims to unwittingly install BazarLoader malware on their systems. Google Forms' legitimacy allows attackers to bypass security tools, ensuring email delivery. The emails create urgency by requesting recipients to call within 24 hours to dispute charges. The BazarCall method has a history of facilitating initial access for subsequent ransomware attacks.
2023-12-13 20:29:41 bleepingcomputer CYBERCRIME Russian Linked to Ransomware Gang Arrested by French Police
French authorities have arrested a Russian national suspected of laundering money for the Hive ransomware gang. The arrest was made possible through the efforts of the French Anti-Cybercrime Office (OFAC), which linked the suspect to digital wallets connected to ransom payments. During the arrest, approximately €570,000 worth of cryptocurrency assets were seized by the police. The operation was a collaborative effort involving Europol, Eurojust, and Cypriot authorities, including a search of the suspect's residence in Cyprus. Prior to the arrest, Hive's Tor websites were taken down by an international law enforcement operation that also led to the FBI infiltrating Hive's servers. The FBI managed to provide over 1,300 decryption keys to victims, preventing significant ransom payments. The U.S. State Department is offering a reward of up to $10 million for information linking the Hive ransomware group or other cybercriminals to foreign governments. A new ransomware-as-a-service group, Hunters International, has emerged following Hive's takedown, with significant code overlap suggesting a possible rebirth of the Hive group under a new name, though this is contested by Hunters International.
2023-12-13 18:27:35 bleepingcomputer CYBERCRIME LockBit Ransomware Capitalizes on Competitors' Disruptions
The LockBit ransomware operation is actively recruiting affiliates and developers from the disrupted BlackCat/ALPHV and NoEscape operations. NoEscape affiliates say its operators pulled an exit scam, taking ransom payments with them and shutting the operation down, while BlackCat/ALPHV's infrastructure suffered a five-day outage that prompted speculation about a law enforcement action. LockBit is offering BlackCat and NoEscape affiliates the use of its data leak site and negotiation panel, provided they still hold backups of the stolen data, and BlackCat/ALPHV victims are already appearing on LockBit's leak site. As the largest ransomware operation currently active, LockBit treats its competitors' troubles as an opportunity to expand, and the episode shows how readily affiliates and developers rebrand and migrate when an operation is disrupted.
2023-12-13 18:06:51 bleepingcomputer NATION STATE ACTIVITY Russian APT29 Targets Unpatched TeamCity Servers Since September
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that APT29, the group linked to Russia's SVR foreign intelligence service, has been exploiting JetBrains TeamCity servers since September 2023. APT29 was behind the SolarWinds supply chain compromise and has targeted Microsoft 365 accounts in NATO countries. The vulnerability in use is CVE-2023-42793, a critical authentication bypass in TeamCity On-Premises that lets an unauthenticated attacker execute code on the server. CISA assesses that the SVR is likely still in a preparatory phase, using the initial access to escalate privileges, move laterally and plant backdoors for persistent control of victim networks. Around 800 TeamCity servers remain unpatched, and some intrusions have already resulted in malicious code being injected into software releases. Because TeamCity is a build server, compromise opens the door to software supply chain attacks; the same flaw was previously exploited by ransomware gangs and by the North Korean Lazarus and Andariel groups.
2023-12-13 16:19:38 bleepingcomputer CYBERCRIME Hackers Target Apache Struts with Critical RCE Vulnerability Exploit
Attackers are actively exploiting a critical remote code execution (RCE) vulnerability in Apache Struts, tracked as CVE-2023-50164. The Shadowserver scanning platform has seen a small number of IP addresses attempting to exploit it using public proof-of-concept code. Struts is widely used in the private and public sectors, including government agencies, for building Java EE web applications. The flaw affects a wide range of Struts versions: it is a path traversal in the file upload handling that lets an attacker write a malicious file outside the intended directory and then execute it, gaining unauthorised access and potentially causing significant operational disruption. Apache released fixed Struts versions on December 7. A security researcher has since published a technical analysis and a second write-up with exploit code, raising the risk of widespread exploitation. Cisco is assessing which of its Struts-based products are affected, including widely deployed platforms such as Identity Services Engine and Unified Communications Manager.
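The article describes CVE-2023-50164 as a path traversal in file upload handling that leads to an arbitrary file write and from there to code execution. The following Python example is added here; it is not Struts code and does not reproduce the actual mechanics of the CVE. It illustrates the bug class in general: an upload handler that joins a client-supplied filename onto the upload directory lets '../' segments walk out of it, while a hardened handler keeps only the final path component and verifies that the resolved destination stays under the upload root. The directory path and filenames are constructed for the example.

```python
import posixpath

# Assumed upload directory for the example (constructed, not a real deployment path).
UPLOAD_ROOT = "/srv/app/uploads"


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def unsafe_destination(root, filename):
    # The bug class: the client's filename is joined straight onto the upload
    # directory, so "../" segments escape it once the path is normalised.
    return posixpath.normpath(posixpath.join(root, filename))


def safe_destination(root, filename):
    # 1. Treat backslashes as separators too, then keep only the last component.
    name = posixpath.basename(filename.replace("\\", "/"))
    # 2. Reject empty names, dot names and embedded NULs, which several
    #    filesystems and C-based runtimes mishandle.
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(filename)
    # 3. Resolve and prove the result is still inside root. The basename step
    #    already guarantees this; the check is defence in depth against later
    #    changes to step 1.
    dest = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, dest]) != root:
        raise UnsafeFilename(filename)
    return dest


def handle_upload(filename):
    # Returns the path the hardened handler would write to, or None when the
    # name is rejected. A real handler would also check size, type and quota.
    try:
        return safe_destination(UPLOAD_ROOT, filename)
    except UnsafeFilename:
        return None


# Constructed attacker input: climb out of the upload directory and drop a
# server-side script where an application server would execute it.
TRAVERSAL_NAME = "../../webapps/ROOT/cmd.jsp"


if __name__ == "__main__":
    print("naive handler writes to:", unsafe_destination(UPLOAD_ROOT, TRAVERSAL_NAME))
    print("hardened handler writes to:", handle_upload(TRAVERSAL_NAME))
```

The naive join resolves the constructed name to `/srv/webapps/ROOT/cmd.jsp`, two directories above the upload root; the hardened handler stores it as `/srv/app/uploads/cmd.jsp`. Restricting the allowed extensions and serving uploads from a location the application server never executes are the usual complementary controls.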
2023-12-13 15:28:23 thehackernews CYBERCRIME BazaCall Phishers Exploit Google Forms to Deceive Targets
A phishing campaign known as BazaCall (also written BazarCall) is using Google Forms to produce authentic-looking emails. The attackers impersonate subscription services such as Netflix and Norton and pressure recipients to call a support number; once on the call, victims are talked into granting remote access to their computers. Google Forms suits the scheme because the mail originates from a trusted Google domain, which can get it past email security controls. The attackers abuse the form's response-receipt option: they fill in the form themselves with the target's address as the respondent, and Google then emails the target a copy of the completed form, so the lure arrives from a legitimate Google sender. The dynamically generated Google Forms URLs also help the messages evade traditional URL-based filtering. Separately, Proofpoint has identified a campaign targeting recruiters with the More_eggs JavaScript backdoor, attributed to the group tracked as TA4557.
2023-12-13 14:22:03 theregister CYBERCRIME Enhancing Cloud Security Through Effective Monitoring and AI
The growing adoption of multi-cloud environments adds management complexity and visibility gaps that attackers can exploit, and the dynamic provisioning of cloud services means a minor misconfiguration can quickly become a serious incident. Because cloud security risks keep evolving, the piece argues for adaptive approaches over one-size-fits-all controls. Tim Phillips of The Register will host a webinar with Nabil Zoldjalali of Darktrace on strategies for improving cloud security, focusing on distinguishing normal from abnormal behaviour in cloud environments and on using AI to maintain a real-time picture of the estate and drive autonomous responses to threats. The session is pitched at IT professionals who want stronger defences against both human error and intrusions; registering sends a reminder for the live event.
2023-12-13 13:20:42 thehackernews MISCELLANEOUS Google Strengthens Android Against Cellular Vulnerabilities
Google is using Clang sanitizers to harden the cellular baseband in Android against certain vulnerability classes. The two in use, Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), catch undefined behaviour such as integer overflow and out-of-bounds array access at runtime, and are architecture-independent, so they can be applied to baseband firmware. They carry a noticeable performance cost, so Google applies them selectively to the most exposed code paths. The work is part of a broader effort with ecosystem partners to harden firmware against remote code execution. Because sanitizers do not cover every vulnerability class, Google continues to push for memory-safe languages such as Rust, and has rewritten the Android Virtualization Framework firmware in Rust to strengthen the protected VM root of trust. Researchers expect that as operating systems become harder to exploit, attackers will shift attention to lower-level components such as the baseband.
2023-12-13 12:09:07 thehackernews MALWARE Unraveling Malware's Secrets with Advanced Sandbox Analysis Tools
Malware analysis depends heavily on examining network traffic. Decrypting HTTPS is essential for following malware communications, and is done by routing the sample through a man-in-the-middle (MITM) proxy that terminates TLS and records the exchange. The article's example is AxilStealer, which exfiltrated stolen browser passwords via Telegram; with the MITM proxy in place, the decrypted traffic exposed exactly what was sent. Identifying a sample's family is harder when its command-and-control servers are offline; tools such as FakeNET fake server responses so that the malware proceeds far enough to trigger identification rules. Geo-targeted or sandbox-evasive malware calls for residential proxies, which let analysts bypass regional restrictions and make the sandbox look like an ordinary home connection. The ANY.RUN sandbox bundles these capabilities (MITM proxy, FakeNET, residential proxies and more) in an interactive platform, and the vendor is offering a 14-day trial to evaluate it.
2023-12-13 12:03:38 bleepingcomputer CYBERCRIME OLVX: Rising Cybercrime Marketplace Attracts Hackers Globally
A new cybercrime marketplace called OLVX has been gaining popularity with hackers, selling tools for online fraud and attacks. Unlike traditional dark web markets, it is hosted on the clearnet and promoted through search engine optimisation (SEO), which broadens its reach. ZeroFox researchers have observed a sharp rise in both sellers and buyers, driven by that SEO, advertising on hacking forums and a dedicated Telegram channel. The marketplace offers a wide range of low-cost digital goods, software and services aimed at cybercrime, including custom toolkits and specialised files, which helps it attract and retain customers. Payment works on a deposit-to-direct-payment model accepting several cryptocurrencies, which leaves buyers exposed to an exit scam by the operators. ZeroFox notes that the risk is heightened during the holiday shopping period and urges buyers to remain cautious.