Daily Brief
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2023-12-09 11:30:20 | theregister | NATION STATE ACTIVITY | Russia's Covert Campaign Utilizes Hollywood Stars Against Zelensky | An unidentified pro-Russia group has been using Cameo, a service where celebrities create personalized videos, to stage a disinformation campaign against Ukrainian President Volodymyr Zelensky. Hollywood celebrities, including Elijah Wood and Mike Tyson, have been tricked into making videos that were later edited to falsely associate Zelensky with substance addiction issues. The campaign, which started in July, misrepresents these videos as if they were posted by the celebrities themselves on their personal Instagram accounts, using special editing techniques to include Ukrainian flags and tags. The operation not only uses social media for spreading these videos but also involves Russian state media to enhance the campaign's credibility. Microsoft has observed an upsurge in digital propaganda tactics like these videos over the summer of 2023, including spoofed news reports from reputable media outlets. Previous reports have identified Russian-managed bot farms within Ukraine's borders that help proliferate these false narratives on a large scale. Russian and Ukrainian entities, as well as some western nations, have been engaging in digital warfare through influence operations, which are expected to increase as the conflict persists, especially in the context of attacks on critical infrastructure. | Details |
| 2023-12-09 07:21:46 | thehackernews | MALWARE | GuLoader Malware Evolves with Enhanced Anti-Analysis Techniques | Researchers have discovered new anti-analysis techniques employed by GuLoader malware, complicating its examination. GuLoader, active since late 2019, deploys sophisticated obfuscation to deliver payloads while evading detection. Distributed primarily via phishing, this downloader hinders security with vectored exception handling to obfuscate execution flow. Check Point's recent findings indicate GuLoader's improved evasion features and that it's sold as undetectable by antiviruses. Similar updates and advancements in evasion methods are also noted in DarkGate, a malware sold on underground forums. Other RATs like Agent Tesla and AsyncRAT are using novel techniques, including steganography, to bypass security measures. An updated malware obfuscation engine, ScrubCrypt, is also reported to be in circulation, aiding the distribution of RedLine stealer malware. | Details |
| 2023-12-08 23:29:46 | bleepingcomputer | DATA BREACH | Norton Healthcare Reveals Patient Data Compromise Post-Ransomware Attack | Norton Healthcare was hit by a ransomware attack between May 7 and May 9, 2023, affecting personal data of patients, employees, and dependents. The breach exposed sensitive information such as Social Security numbers, dates of birth, health and insurance information, and possibly financial account details. Individuals affected by the breach will be provided with two years of free credit monitoring services. The healthcare system is cooperating with law enforcement and has engaged a forensic security firm to investigate and mitigate the cybersecurity incident. The attack was publicly claimed by the ransomware group BlackCat/ALPHV, which also leaked files containing personal information to substantiate the breach. The breach has not affected Norton Healthcare's medical record system or Norton MyChart, so patient care and data integrity in these systems are unaffected. The Norton Healthcare incident is part of a larger trend of ransomware assaults targeting U.S. healthcare providers, prompting government advisories on the threat to the sector. | Details |
| 2023-12-08 22:33:43 | theregister | NATION STATE ACTIVITY | Clash Over US Surveillance Laws as Key Deadline Approaches | Two competing bills regarding the reauthorization of Section 702 surveillance powers are advancing in the House, setting up a legislative showdown before the year-end deadline. Section 702 allows warrantless surveillance of foreign individuals' communications, but it has been misused to also surveil American citizens. The House Judiciary Committee approved the Protect Liberty and End Warrantless Surveillance Act (HR 6570), requiring intelligence agencies to obtain a warrant before querying US persons' data. The rival bill, the FISA Reform and Reauthorization Act of 2023 (HR 6611), which passed unanimously in the House Intelligence Committee, lacks the strict warrant requirement and focuses on limiting the FBI's query power and on notification protocols. Mike Turner, Chair of the House Intel Committee, criticized the Judiciary Committee's bill for expanding the rights of foreigners and potentially providing immunity from prosecution for serious crimes discovered through Section 702 collection. Civil liberties and digital privacy advocates oppose the Intelligence Committee's proposal and favor the Judiciary Committee's bill, emphasizing the importance of protecting Fourth Amendment rights against unlawful searches. | Details |
| 2023-12-08 18:34:44 | bleepingcomputer | CYBERCRIME | Suspected Law Enforcement Operation Disrupts ALPHV Ransomware Sites | The ALPHV (aka BlackCat) ransomware group's websites and Tor negotiation URLs have been inaccessible for over 30 hours. The outage has halted negotiations between the ransomware gang and its victims, suggesting a possible disruption to the gang's operations. While not officially confirmed, there are rumors and indications that law enforcement might be behind the disruption, with references to potential actions by the FBI. The ALPHV admin claimed repair efforts are underway, but they have remained silent on the cause of the outage. The ALPHV ransomware operation is considered a rebrand of the DarkSide gang, known for the infamous Colonial Pipeline attack. The gang has a history of rebranding and relaunching its operations following intense law enforcement pressure and shutdowns. ALPHV's targeting of critical infrastructure firms has likely attracted renewed law enforcement attention and potential action. | Details |
| 2023-12-08 17:28:29 | thehackernews | CYBERCRIME | Security Flaws in 5G Modems Expose Android and iOS Devices | Researchers from the ASSET Research Group at the Singapore University of Technology and Design have uncovered 14 security flaws in 5G modems, termed "5Ghoul." The high-severity vulnerabilities impact both Android and iOS devices, including models from Samsung, Huawei, Apple, and more, totaling 714 smartphones from 24 brands. The vulnerabilities allow attackers to drop connections, freeze devices requiring manual reboots, or downgrade 5G connectivity to 4G by connecting to malicious base stations. The researchers disclosed the presence of an especially critical flaw, CVE-2023-33042, which affects Qualcomm modems and allows for DoS attacks and connectivity downgrades. MediaTek and Qualcomm have released patches for 12 of the 14 identified flaws, with two remaining confidential for security reasons. Due to the complexity of the software dependency chain, it can take over six months for 5G security patches to reach end-users through over-the-air updates. | Details |
| 2023-12-08 17:23:05 | bleepingcomputer | DATA BREACH | Insider Threats Escalate Costs with Privilege Elevation Exploits | CrowdStrike reports that over 50% of insider threats involve the use of privilege escalation vulnerabilities. Privilege escalation is a key tactic for insiders, enabling them to perform unauthorized activities, including installing software and tampering with logs. Insider attacks are categorized into those with malicious intent, such as financial motives or spite, and non-malicious incidents, such as installing software for troubleshooting. The financial impact of insider incidents is significant, costing on average $648,000 for malicious and $485,000 for non-malicious events. Rogue insiders often use vulnerabilities listed in the CISA Known Exploited Vulnerabilities Catalog (KEV), even on systems that are otherwise patched. Examples include using CVE-2017-0213 to install uTorrent and games, and PwnKit to gain administrative rights for troubleshooting. Insider mistakes, such as mishandled exploit testing or downloading unvetted code, constitute nearly half of insider incidents, raising security risks. Fake proof-of-concept exploits and security tools can introduce malware, providing threat actors with access to corporate networks. | Details |
| 2023-12-08 16:52:13 | bleepingcomputer | CYBERCRIME | Amazon Clamps Down on Multimillion-Dollar Refund Fraud Ring | Amazon is pursuing legal action against the REKK fraud gang for running an Organized Retail Crime (ORC) operation that has pilfered millions of dollars through illicit refunds. The lawsuit implicates 20 REKK members and seven complicit former Amazon employees who facilitated fraudulent refund activities. REKK has advertised and promoted its fraudulent refund services through various online channels, including Telegram, Nulled, Reddit, and Discord. The fraudsters employed social engineering, system manipulation, and insider assistance to secure refunds for Amazon customers without returning the purchased items. REKK claims to have fraudulently refunded over 100,000 orders for more than 30,000 customers across various retailers, not exclusively Amazon. Amazon has dedicated significant resources to fighting such fraud, with over $1.2 billion spent last year on investigative efforts and a workforce exceeding 15,000 employees combating theft, fraud, and abuse. The company has taken measures against detected fraudulent activities, including notifying customers, closing accounts, and preventing fraudsters from opening new accounts. | Details |
| 2023-12-08 15:30:41 | theregister | CYBERCRIME | Global Expansion of Human Trafficked Cyber Scam Call Centers | Interpol's ongoing investigation reveals human trafficking for cyber scam call centers reaching beyond Asia to South America and the Middle East. Operation Storm Makers II leads to hundreds of arrests and the rescue of over 140 individuals; however, many of the 360 investigations are still open. The trafficked individuals originate from various countries, including Malaysia and Uganda, with victims often subjected to severe abuse and exploitation. Scammers use fake job advertisements to lure victims into forced labor, pushing various online scams while facing abject abuse, including sexual exploitation and violence. The COVID-19 pandemic accelerated the spread of this crime due to increased remote work and joblessness, amplifying desperation for employment. Interpol emphasizes the need for stronger international police cooperation to combat the global human trafficking crisis linked to online cyber fraud. Recent operations have not only uncovered scam call center abuses but also wider trafficking issues, including the rescue of minors from prostitution and intercepting nearly 800 victims at border checkpoints. | Details |
| 2023-12-08 15:25:08 | bleepingcomputer | MALWARE | Multi-Vendor 5G Smartphones Vulnerable to Newly Found 5Ghoul Attacks | A new batch of vulnerabilities dubbed "5Ghoul" has been discovered in Qualcomm and MediaTek 5G modems. 5Ghoul impacts 710 models of smartphones, routers, and USB modems from various brands, including Android and Apple devices. The vulnerabilities, arising from experiments with 5G modem firmware analysis, can be exploited over-the-air by mimicking a legitimate 5G base station. Ten of the 5Ghoul vulnerabilities have been disclosed, highlighting one (CVE-2023-33042) that forces a downgrade from 5G to the less secure 4G network. Devices experiencing loss of connectivity, inability to reconnect without a reboot, or unexplained fallback to 4G may indicate a 5Ghoul attack. Qualcomm and MediaTek have released security updates for the vulnerabilities; however, patch deployment to end users may be delayed due to complex software supply chains. Researchers note that some devices may never receive updates due to reaching the end of support before fixes are implemented. | Details |
| 2023-12-08 13:38:16 | thehackernews | NATION STATE ACTIVITY | North Korean Kimsuky Group Launches Backdoor Attacks on South Korea | North Korean threat actor Kimsuky has been actively targeting South Korean research institutes with spear-phishing campaigns to install backdoors. The campaigns deploy malicious JSE files containing obfuscated PowerShell scripts, Base64-encoded payloads, and decoy PDF documents. Malware functions include collecting system information and executing remote commands, effectively transforming infected systems into backdoors for further exploitation. Kimsuky, active since 2012, was recently sanctioned by the U.S. Treasury Department and has a history of cyber espionage focused on gathering intelligence. The group has expanded its operations beyond South Korea to Europe, Russia, and the U.S., with a particular interest in geopolitical and nuclear policy issues. The Lazarus Group, another North Korea-backed cyber actor, is implicated in phishing attacks on Telegram within the cryptocurrency community. A related Lazarus sub-cluster, Andariel, is accused of stealing anti-aircraft weapon system data and laundering ransomware proceeds through cryptocurrency exchanges. Andariel is also connected to the deployment of Maui ransomware, emphasizing the persistent and evolving threat posed by these nation-state actors. | Details |
| 2023-12-08 11:15:53 | thehackernews | CYBERCRIME | The Rise of Ransomware-as-a-Service: A Looming Cybersecurity Threat | Ransomware attacks have escalated in frequency and complexity, posing a significant threat to cybersecurity. Ransomware-as-a-Service (RaaS) enables individuals with minimal technical skills to perform ransomware attacks using subscription-based tools. Service providers in the RaaS market have created more efficient ransomware strains, causing the time from breach to file encryption to drop below 24 hours. RaaS operates with a customer base and business model akin to legitimate services, adopting competitive practices and feedback systems on the dark web. Payment for RaaS is often handled by providers in cryptocurrencies to maintain anonymity and can involve various schemes like flat rates or revenue sharing. To defend against RaaS, businesses are advised to maintain backups and disaster recovery plans, although these steps don't prevent data breaches. Proactive defense strategies, including penetration testing and partnering with PTaaS providers, are vital to addressing security vulnerabilities effectively. Employing Cyber Threat Intelligence and tools like Threat Compass are essential for real-time threat detection and analysis, enhancing organizational security. | Details |
| 2023-12-08 09:54:16 | thehackernews | MALWARE | New Trojan-Proxy Malware Targets Mac Users Through Pirated Software | A new Trojan-Proxy malware is infecting macOS users via trojanized cracked software from unauthorized websites. The malware camouflages as legitimate applications for multimedia, image editing, data recovery, and productivity. Kaspersky security experts warn that the malware can enable criminals to build proxy server networks or conduct illegal activities. Malicious .PKG installers, which demand admin permissions, deploy a post-install script to trigger the malware's activities. The malware disguises itself as the WindowServer process to avoid detection and connects to a C2 server using DNS-over-HTTPS. The Trojan-Proxy can redirect traffic through the compromised host, functioning as a proxy via TCP or UDP. Samples of the malware have been identified on VirusTotal since April 28, 2023. Users are advised to download software only from trusted sources to prevent infection by such malware. | Details |
| 2023-12-08 09:28:33 | thehackernews | CYBERCRIME | WordPress 6.4.2 Update Fixes Critical Remote Code Execution Flaw | WordPress has issued an update to rectify a critical vulnerability that could allow attackers to execute arbitrary code on compromised sites. The flaw is related to the WP_HTML_Token class, introduced in WordPress version 6.4, which enhanced HTML parsing in the block editor. Although the vulnerability is not directly exploitable in the core, it becomes critical when combined with vulnerable plugins, particularly in multisite setups. Wordfence has warned that if another plugin or theme has a PHP object injection vulnerability, it can be chained with this issue to gain control over a site. An exploitation chain for this vulnerability has been published on GitHub and included in the PHP Generic Gadget Chains project as of November 17. WordPress site owners are advised to manually check and update their installations to the latest version to prevent potential exploitation. Developers using the unserialize function in WordPress projects are encouraged by Patchstack to switch to safer alternatives like the json_encode and json_decode PHP functions. | Details |
| 2023-12-08 06:35:40 | theregister | CYBERCRIME | Polish Train Company Rebuts Sabotage Allegations, Blames Hackers | Polish train manufacturer Newag SA has denied accusations of deliberately installing software designed to sabotage trains serviced by competitors. Security researchers hired by an independent maintenance firm, Serwis Pojazdów Szynowych, discovered that Newag's trains presented software-related issues after maintenance by third parties. The researchers reverse-engineered the train software and claimed to find functionality that would result in the train locking up under certain conditions, which Newag attributes to hacking. Despite Newag's assertions, the researchers presented their findings at a conference and plan to provide a detailed presentation at an upcoming international congress. CERT Poland was informed of these findings over a year ago and has alerted the relevant authorities, though no significant action appears to have been taken since then. The controversy has caught the attention of Poland's former minister of digital affairs, who has suggested sabotage, a reading that conflicts with Newag's position that it is the victim of a cybercrime. | Details |