Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11710
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-07 10:09:58 | thehackernews | MISCELLANEOUS | Enhancing SaaS Security by Streamlining User Access for 2024 | As the year comes to a close, it is recommended to audit user roles and privileges in SaaS applications to enhance security. Offboarding employees requires a thorough deprovisioning process for SaaS apps not linked to Single Sign-On (SSO) to prevent unauthorized access. Right-sizing permissions according to the principle of least privilege (POLP) reduces the attack surface and aligns access with job requirements. Dormant accounts, especially those with admin privileges or set up for external users, present a significant risk and should be reviewed and handled appropriately. Shared accounts for SaaS apps, used to save on license fees, create added security risks because they hinder detection of abnormal activity and the use of Multi-Factor Authentication (MFA) or SSO. Monitoring and preventing account sharing is crucial for security, using measures such as enforcing MFA or SSO and analyzing user behavior. Automation through a SaaS Security Posture Management (SSPM) platform can simplify monitoring and managing user permissions and accounts, and can identify at-risk accounts efficiently. Preparing for 2024 involves the active management of user accounts and permissions, which is a critical aspect of maintaining a secure and efficient SaaS environment. | Details |
| 2023-12-07 07:32:24 | theregister | NATION STATE ACTIVITY | Belgian National Charged for Illicitly Exporting Military Tech | A Belgian man, Hans Maria De Geetere, was charged by the US Justice Department for smuggling military-grade electronics to Russia and China. The indictment details export of controlled items including FPGA circuits and surveillance cameras critical for military applications. De Geetere's companies were added to the US Commerce Department's BIS Entity List and the Treasury Department's OFAC Specially Designated and Blocked Person List. This is part of a broader effort to prevent sensitive technologies from reaching China and Russia, as stated by US officials. De Geetere and an accomplice made over $1.2 million in wire payments as part of the smuggling operation and tried to conceal their actions. Eddy Johan Coopmans, De Geetere's co-conspirator in Florida, pleaded guilty to related charges in October 2022 and is awaiting sentencing. De Geetere could face a maximum penalty of 20 years in prison if convicted of all charges, including conspiring to launder funds and making false statements. | Details |
| 2023-12-07 06:20:47 | thehackernews | MALWARE | Krasue Linux Trojan Targets Thai Telecoms for Covert Access | A new Linux trojan named Krasue has been discovered attacking telecom companies in Thailand. Operating since at least 2021, Krasue is designed to maintain covert access to networks with a stealth approach. The malware's initial infiltration method is unclear, possibly involving vulnerability exploitation or credential brute-force. Krasue's key mechanism is a rootkit based on open-source projects, allowing undetected persistence on hosts. The malware uses the Real Time Streaming Protocol for covert signals and can select its master C2 server for communication and commands. Source code similarities suggest a potential link between Krasue and another malware, XorDdos, possibly indicating common authors or shared source access. While the operators behind Krasue are not conclusively identified, the threat underscores the need for vigilant security practices in the industry. | Details |
| 2023-12-07 06:05:07 | bleepingcomputer | MALWARE | Krasue RAT: Stealthy Malware Targets Telecoms via Linux Servers | Security researchers have identified a new remote access trojan named Krasue targeting Linux systems in the telecommunications sector, undetected since 2021. Krasue malware utilizes seven variants of a rootkit based on open-source code, allowing it to support multiple Linux kernel versions and stay hidden on affected servers. Group-IB reports that Krasue's main function appears to be maintaining persistent access to the host, indicating possible botnet deployment or sale to other threat actors. The distribution methods of the malware are not fully known but may involve exploiting vulnerabilities, brute force attacks, or masquerading as legitimate software. Krasue's activity seems to focus on telecommunications companies in Thailand, with the malware capable of hiding ports and processes, granting root access, and executing kill commands. The rootkit adopted by Krasue masquerades as an unsigned VMware driver and shares similarities with the rootkit used by another Linux malware called XorDdos. Communication with the command and control server is unusual, using RTSP (common in media streaming), highlighting a unique aspect of the malware. While the origin and specific threat actor behind Krasue remain unidentified, Group-IB has shared indicators of compromise and YARA rules to assist in detection and further research. | Details |
| 2023-12-07 05:59:48 | thehackernews | MISCELLANEOUS | Meta Implements Default End-to-End Encryption in Messenger | Meta has started the rollout of default end-to-end encryption for calls and personal messages in Messenger. This significant update required rebuilding the Messenger app, with a focus on privacy and safety. End-to-end encryption for group messaging is still in the testing phase and is not yet widely available. The encrypted-chat feature "secret conversations" was introduced in 2016 but was not enabled by default at that time. Instagram, also owned by Meta, supports end-to-end encryption for messages and calls but only in certain areas and not by default. Meta developed a new encrypted storage system called Labyrinth to help users manage messages and device changes securely, using a PIN as a recovery method. The move towards default encryption aligns with CEO Mark Zuckerberg's 2019 vision for a privacy-focused social networking experience. | Details |
| 2023-12-07 04:38:18 | theregister | NATION STATE ACTIVITY | Australia to Launch Top-Secret Cloud for Intel Sharing with Allies | Australia is developing a top-secret cloud system to enhance intelligence data sharing with US and UK intelligence agencies. Andrew Shearer, Australia's national intelligence director, announced plans for the cloud system at a US think tank event. The system aims for interoperability with existing intelligence clouds of the US and UK, allowing near-instant sharing of sensitive data. This initiative is a step towards enhanced collaborative efforts and collective problem-solving within the Five Eyes intelligence-sharing alliance. Australia is looking to adopt shared hardware and software standards and aims to learn from the experiences of the US and UK in implementing similar cloud infrastructures. Shearer emphasizes the potential benefits of joint work in AI technology among the Five Eyes nations but also recognizes the hesitation of security analysts to fully trust AI. The Australian intelligence community is increasingly working with Southeast Asian countries and observes aligned intelligence priorities with Japan and European nations. The collaborative effort is driven by the current global security challenges, including Russia's actions in Ukraine and climate change impacts, highlighting the need for shared approaches in intelligence. | Details |
| 2023-12-07 00:54:30 | bleepingcomputer | CYBERCRIME | New SLAM Side-Channel Attack Targets Advanced CPU Security Feature | A novel side-channel attack named SLAM, developed by VUSec researchers, exploits security enhancements in CPUs to extract sensitive data like root password hashes. SLAM targets Intel's upcoming Linear Address Masking (LAM), AMD's Upper Address Ignore (UAI), and Arm's Top Byte Ignore (TBI) features by using transient execution. The attack was demonstrated on an emulated LAM feature in an older generation Ubuntu system and has been shown to affect mainly future chip designs. This technique involves utilizing speculative execution to leak information from unmasked gadgets commonly found in the Linux kernel; traces left in cache states reveal the targeted data. Hundreds of exploitable gadgets that could be used in the SLAM attack have been identified by researchers in the Linux kernel. Arm responded that existing Spectre mitigations are sufficient, AMD referenced prior Spectre v2 mitigations, and Intel plans to release software guidance in conjunction with upcoming LAM-supporting processors. While awaiting comprehensive protections, Linux developers have issued patches to disable the LAM feature as a precautionary measure. | Details |
| 2023-12-06 20:50:23 | theregister | CYBERCRIME | Bluetooth Flaw Compromises Apple and Linux Device Security | A Bluetooth authentication bypass vulnerability, identified as CVE-2023-45866, allows unauthorized keystroke injection into Apple, Android, and Linux devices. Discovered by Marc Newlin of SkySafe, the flaw requires no special hardware for exploitation and can be executed from a standard Linux machine. Details of the vulnerability and a proof-of-concept will be released by Newlin after patches have been fully implemented. This vulnerability is particularly alarming as it can bypass authentication methods on devices and execute arbitrary commands without the user's knowledge. The issue, which dates back to at least 2012, affects a range of systems from old Android versions to contemporary macOS and iOS devices when paired with a Magic Keyboard. Google has responded by providing fixes for Android 11 through 14, with Pixel devices receiving updates in December. Linux distributions, with the exception of ChromeOS, have left the necessary patch disabled by default, leaving many systems including Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine at risk. Apple confirmed the vulnerability but has yet to provide a timeline for patching the issue, and did not comment further on inquiries from The Register. | Details |
| 2023-12-06 19:59:18 | bleepingcomputer | NATION STATE ACTIVITY | Government Agencies Exploit Mobile Notifications for Surveillance | Governments around the world are using demands for mobile push notification records to spy on Apple and Google users. U.S. Senator Ron Wyden raised concerns to the DOJ about the use of push notifications as a surveillance tool. This covert data access method allows governments to link devices to accounts and view unencrypted notification content. Push notifications are delivered via vendor-managed gateways, giving Apple and Google insight into customer app usage. Wyden's office has investigated the issue after a tip-off in 2022 and seeks more transparency from tech giants. Apple has pledged to update its transparency reporting to reflect these government requests. Google affirms its commitment to user privacy and has been reporting on such government data requests. Both companies face restrictions by the U.S. government on disclosing information about these surveillance practices to the public. | Details |
| 2023-12-06 17:21:16 | bleepingcomputer | DATA BREACH | Austal USA Hit by Cyberattack with Sensitive Data Leaked | Austal USA, a contractor for the U.S. Department of Defense and Department of Homeland Security, confirmed a cyberattack after data was leaked online. The company, involved in building ships for the U.S. Navy and Coast Guard, responded quickly to mitigate the incident, stating no operational impact occurred. The breach was publicly disclosed by the ransomware and data extortion group Hunters International, who claimed responsibility and leaked proof. Regulatory authorities, including the FBI and NCIS, were promptly informed and are investigating the extent of the information accessed. Austal USA asserted that no personal or classified information was compromised but continues to assess the full extent of the breach. Hunters International threatened to release more data, including compliance documents and engineering data, in the forthcoming days. The group is speculated to be a rebrand of Hive ransomware, which has shifted focus from encryption to data extortion. Over a dozen victims in various industries and regions are listed on the gang's data leak site, suggesting expansive operations. | Details |
| 2023-12-06 16:14:50 | theregister | CYBERCRIME | Addressing Security Vulnerabilities in Edge Computing | Edge security is becoming increasingly complex due to the growing number of operational functions moving to distributed sites and devices. Networks with data hosted on the edges are at high risk, necessitating robust security measures to protect against breaches. Sectors like healthcare, energy, and manufacturing experience unique edge-related security challenges and often lack dedicated IT security specialists. Data breaches at the edge can have immediate and significant impacts on both organizations and individuals, with regulatory and data protection consequences. Dell Technologies' webinar, featuring Jeroen Mackenbach, emphasizes the importance of reimagining edge protection using a Zero Trust approach that verifies all devices consistently. A successful Zero Trust strategy at the edge requires massive scale operation, complete data and device visibility, and automation to manage security effectively. Dell's NativeEdge platform aims to reduce the attack surface and enhance trust, visibility, and automation in edge security management. | Details |
| 2023-12-06 15:54:00 | bleepingcomputer | CYBERCRIME | Atlassian Fixes Critical RCE Vulnerabilities in Popular Products | Atlassian has released security advisories concerning four critical remote code execution vulnerabilities affecting Confluence, Jira, and Bitbucket servers, along with the Atlassian Companion app for macOS. All vulnerabilities are rated as critical, with a severity score of at least 9.0 out of 10, although there are no reports of these issues being exploited in the wild. Atlassian urges system administrators to swiftly apply the updates due to the widespread use of their products within corporate IT environments. Each of the four patched RCE vulnerabilities has its own identifier, and updates are available to remediate these flaws. For CVE-2023-22523, Atlassian suggests a temporary workaround of blocking the communication port if the patch cannot be immediately applied or the Asset Discovery agents cannot be uninstalled. No mitigation is available for CVE-2023-22522, and Atlassian recommends backups and taking affected instances offline if patches can't be installed promptly. If the Atlassian Companion App patch for CVE-2023-22524 cannot be applied, removing the app is the recommended course of action. | Details |
| 2023-12-06 15:02:42 | bleepingcomputer | MISCELLANEOUS | Varonis Unveils Athena AI for Enhanced Data Security | Varonis introduces Athena AI, an advanced generative AI layer for the Varonis Data Security Platform, to significantly improve the capabilities of security teams in data protection. Athena AI allows users to perform thorough investigations and analysis efficiently using natural language, thus enhancing the skill set of all levels of defenders. The AI system provides two primary features: an AI SOC analyst for intelligent threat investigation and response, and a natural language search for easy access to data security insights. Athena AI combines large language models with specific insights from an organization's data, identities, and devices to produce customized alert response playbooks and remediation strategies. The AI is designed to aid in speeding up threat identification, providing remediation steps, and proactively improving security posture, while ensuring precision and privacy in its recommendations. Varonis emphasizes that its cloud-native platform respects data privacy, assuring data residency and not using customer data for model training or retaining it beyond short-term support needs. Athena AI is the latest in Varonis's lineup of AI-based security tools, continuing its commitment to empowering organizations in the battle against cyber threats by protecting sensitive data. | Details |
| 2023-12-06 14:47:02 | theregister | MISCELLANEOUS | Debunked D-Link Router 'Vulnerability' Removed From CISA's List | A supposed critical vulnerability in a D-Link router was removed from CISA's must-patch list after being declared a non-issue. CVE-2022-28958 was initially believed to be a severe remote code execution flaw, but further investigation revealed it was not exploitable. Two days after the National Vulnerability Database retracted the vulnerability status, CISA followed suit and delisted it in December. Security experts point out that the proof of concept for exploiting the flaw targeted the incorrect endpoint, rendering it ineffective. The botnet operator Moobot had incorporated the supposed flaw into its capabilities but found that it didn't work. Despite the early warnings and listings by MITRE and CISA, large-scale exploitation of CVE-2022-28958 never occurred. The incident highlights the need for accurate vulnerability reporting and verification to maintain trust in cybersecurity management systems. | Details |
| 2023-12-06 13:54:50 | bleepingcomputer | DATA BREACH | Nissan Investigates Cyberattack and Alerts on Potential Data Breach | Nissan is scrutinizing a cyberattack on its systems in Australia and New Zealand, possibly leading to a data breach. Personal information of customers from Nissan Oceania could be at risk following the cyber incident. The company has reacted by informing customers about the potential for scams and account hijacking. Nissan's global incident response team is currently assessing the impact and whether any personal data was accessed. The car manufacturer's website remains operational, but efforts to restore affected systems are ongoing. Dealership operations are reportedly unaffected, ensuring no interruptions in vehicle and service inquiries. Australian and New Zealand cyber resilience authorities have been informed of the situation, though they have yet to release official comments. Nissan has not released detailed information about the breach and continues its investigation to ascertain the full extent of the incident. | Details |