Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11705
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-25 22:07:10 | bleepingcomputer | DATA BREACH | General Electric Probes Alleged Cyberattack and Data Leak | General Electric (GE) is investigating reports of an unauthorized breach of its development environment and potential data theft. A threat actor known as IntelBroker claimed to have breached GE's systems, offering to sell access and stolen information on a hacking forum. The hacker advertised access to GE's development and software pipelines along with DARPA-related military data for $500, but found no buyers. IntelBroker provided screenshots as evidence, showing what appears to be a database from GE Aviation, including details on military projects. GE confirmed that it is aware of the claims and is conducting an investigation to assess and mitigate any potential impact on its systems. IntelBroker has a history of high-profile cyberattacks, including a breach of the Weee! grocery service and the theft of sensitive data from DC Health Link. The earlier IntelBroker breach of DC Health Link led to congressional hearings because it exposed personal information of DC staff and their families. | Details |
| 2023-11-25 15:16:07 | bleepingcomputer | MALWARE | Atomic Stealer Malware Targets macOS Users with Fake Updates | A fake browser update campaign, ClearFake, which previously targeted Windows, has now expanded to macOS, delivering the Atomic Stealer malware. Threat analysts report that compromised websites are prompting macOS users to download malicious DMG files disguised as Safari updates. Atomic aims to steal sensitive information, including browser-stored passwords, cookies, credit card details, and cryptocurrency wallet data. The cybersecurity community identified Atomic earlier this year, but it remains undetected by approximately 50% of the antivirus engines on VirusTotal. Users are reminded that legitimate Safari updates come only through macOS's Software Update feature and should not be downloaded from website prompts. The new tactic of using the blockchain to distribute malware illustrates the evolution and sophistication of the cyber threats facing both individuals and organizations. | Details |
| 2023-11-25 05:12:26 | thehackernews | NATION STATE ACTIVITY | Covert 'HrServ.dll' Web Shell Strikes Afghan Government Entity | A previously undocumented web shell, HrServ.dll, has been used in a sophisticated attack against an Afghan government organization, hinting at APT (advanced persistent threat) involvement. Kaspersky researchers found that the web shell has complex capabilities, such as custom encoding and in-memory execution, pointing to a high level of attacker sophistication. Analysis of the malware uncovered versions dating back to early 2021, suggesting a long-term, stealthy operation against the targeted entity. The attack leverages the PAExec tool for initial access, then uses a deceptive scheduled task and a Windows batch script to set up the web shell for remote server control and subsequent exploitation tasks. HrServ.dll appears designed to mask its traffic as benign by mimicking Google services, complicating network traffic analysis for security teams. Malicious HTTP requests handled by the web shell can trigger various actions, from creating and reading files to executing encoded data in stealthy, memory-resident threads. The attackers made an effort to erase forensic evidence after the compromise, showing a deliberate intent to avoid detection and analysis by security professionals. The identity of the attackers remains unknown, though the malware's characteristics suggest possible financial motives combined with APT-like tactical execution. | Details |
| 2023-11-25 04:06:15 | thehackernews | DATA BREACH | ownCloud Vulnerabilities Threaten User Data Integrity | ownCloud has disclosed three critical security flaws affecting its file-sharing software, potentially leading to sensitive data disclosure and unauthorized file modifications. The first flaw originates from a third-party library in the 'graphapi' app, which could reveal PHP environment configuration details, including sensitive credentials. ownCloud advises users to delete a specific file, disable the 'phpinfo' function, and change passwords and access keys to mitigate the first vulnerability. The second vulnerability allows file access, modification, or deletion without authentication if the user's username is known and they have no signing-key configured. A third security issue permits attackers to redirect callbacks to a domain they control, due to improper access control within the oauth2 app's validation code. As temporary measures, disabling the "Allow Subdomains" option and adding hardening to the validation code are recommended to protect against the third flaw. An unrelated remote code execution vulnerability in CrushFTP software was also reported and patched, with a PoC exploit released that could allow attackers to gain administrator access without authentication. | Details |
| 2023-11-24 18:22:29 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Lazarus Group Exploits Zero-Day in Supply-Chain Attack | The North Korean Lazarus hacking group has been confirmed to have used a zero-day vulnerability in a supply-chain attack. The MagicLine4NX software, developed by South Korea's Dream Security, was exploited, primarily against South Korean institutions. The attack involved embedding malicious scripts into a media outlet's website, initiating a 'watering hole' attack against selected IP ranges. The attackers obtained unauthorized access through the MagicLine4NX vulnerability, which allowed lateral movement within organizations. Malicious code enabled reconnaissance, data theft, and further payload execution by connecting to C2 servers. Lazarus's supply-chain attack pattern persists, with similar incidents reported against VoIP software maker 3CX and CyberLink. Funds stolen in such cyber operations allegedly support North Korea's state objectives, including cyber activities against the U.S. and South Korea. | Details |
| 2023-11-24 18:17:09 | bleepingcomputer | DATA BREACH | Critical Security Flaws in ownCloud Expose Admin Credentials | ownCloud, a widely used open-source file sharing platform, has reported three critical security vulnerabilities, posing serious risks to its integrity and user data. The most severe flaw, CVE-2023-49103 with a CVSS score of 10, leads to the exposure of administrator passwords, mail server credentials, and other sensitive information in containerized environments. Users are urged to delete a specific file ('GetPhpInfo.php'), disable the 'phpinfo' function in Docker, and change all compromised secrets immediately. An authentication bypass flaw in the ownCloud core library allows unauthorized file access and modifications without authentication if the attacker knows the username and a signing-key is not in use. A subdomain validation bypass within the oauth2 library permits attackers to redirect callbacks to their own domains, which could facilitate phishing attacks. The ownCloud team has provided fixes and mitigations, including library updates, to address these critical issues. Administrators are encouraged to apply the security updates promptly to protect data from potential theft, unauthorized access, and phishing attacks. | Details |
| 2023-11-24 17:31:00 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Zero-Day in Supply-Chain Cyberattack | The North Korean Lazarus hacking group exploited a zero-day vulnerability in the MagicLine4NX software, which is widely used in South Korea for secure logins. The zero-day vulnerability enabled the group to conduct a supply-chain attack against South Korean institutions. Attackers compromised a media outlet's website, embedding malicious scripts to perform 'watering hole' attacks targeting specific IP ranges. After triggering the vulnerability, attackers gained control of the victim's computer and connected it to their command and control (C2) servers. The hackers deployed information-stealing code within the targeted organizations' servers, enabling reconnaissance and data exfiltration. These advanced persistent threat (APT) activities are part of North Korea's broader strategy, including cyber espionage and cryptocurrency theft to fund national priorities. Official advisories from NCSC, NIS, and CISA provide detailed analysis of the Lazarus group's tactics and the broader implications of their operations. | Details |
| 2023-11-24 17:15:28 | bleepingcomputer | CYBERCRIME | Cyberattack on UK IT Provider CTS Disrupts Legal Sector Operations | A cyberattack on CTS, a managed service provider (MSP) for UK law firms, has caused a significant service outage. The outage is affecting numerous law firms and disrupting property transactions. CTS is investigating the incident with help from a leading cyber forensics firm and is working to restore services. The company is unable to give a specific timeline for resolution and full restoration of the affected systems. A ransomware attack is suspected; based on client estimates, between 80 and 200 law firms could be affected. No evidence suggests that data integrity has been compromised; systems will remain offline until safety assurances are received. CTS offers services including cyber protection, attack detection, and employee security training. The National Cyber Security Centre (NCSC) had previously warned about the risks associated with using MSP services. | Details |
| 2023-11-24 15:38:20 | theregister | CYBERCRIME | OpenCart Owner's Hostile Reaction to Vulnerability Disclosure | A security researcher disclosed a critical code injection vulnerability in OpenCart (CVE-2023-47444) with a CVSS 3 score of 8.8. OpenCart's owner, Daniel Kerr, responded aggressively to the vulnerability report, dismissing it as a "non vulnerability." Researcher Mattia Brollo attempted to contact OpenCart through multiple official channels before resorting to a public GitHub issue. Despite initial resistance and offensive remarks, Kerr eventually merged a fix for the vulnerability into OpenCart's master branch. The incident recalls past issues with OpenCart's security practices, including weak password-hashing algorithms and encryption methods. OpenCart is a widely used e-commerce platform, though competitors such as WooCommerce and Shopify hold larger market shares. The history of security issue reports and OpenCart's responses suggests a pattern of dismissive behavior towards community feedback on security practices. | Details |
| 2023-11-24 15:38:20 | thehackernews | CYBERCRIME | Sophisticated Telegram Bot Targets Victims in Phishing Scams | A new analysis has exposed a Telegram bot named Telekopye, used by cybercriminals to conduct large-scale phishing scams. The bot enables scammers to create fake websites, emails, and SMS messages. The group operating this scheme, dubbed Neanderthals, is organized much like a legitimate company, recruiting members and assigning roles. Neanderthals lure victims, termed Mammoths, into fraudulent transactions using sophisticated social engineering tactics. The scams involve posing as both buyers and sellers in online marketplaces, as well as refund scams that double-charge victims. Cybersecurity firm Group-IB reported that the same operation, also known as Classiscam, has amassed $64.5 million since 2019. The Neanderthals carefully select potential victims and conduct extensive market research to increase the success rate of the scams. The criminals use techniques to remain anonymous, such as VPNs, proxies, and Tor, and have expanded their fraudulent activities to include real estate scams. | Details |
| 2023-11-24 10:58:12 | thehackernews | CYBERCRIME | GitGuardian Shields Secrets from Exposure with Creative Tool | GitGuardian has introduced a service called HasMySecretLeaked to help developers determine whether sensitive data such as passwords and API keys is present in public GitHub repositories. Rather than combing through each secret, GitGuardian uses a fingerprinting method that encrypts and hashes secrets, sharing only a partial hash with its systems. By employing client-side encryption and hashing, GitGuardian ensures that actual secrets are never exposed during the checking process. Users can verify the security of the HasMySecretLeaked service by examining the web interface's network activity or inspecting the open-source command-line interface (CLI) code. Since its launch, the HasMySecretLeaked service has been used to check over 9,000 secrets within the first few weeks. The service allows free checking of up to five secrets per day via the web interface, with additional checks available through the GitGuardian shield CLI. GitGuardian's initiative is an example of how companies can let customers securely check for data exposure without compromising the data itself. | Details |
| 2023-11-24 10:37:39 | thehackernews | NATION STATE ACTIVITY | Hamas Threat Actor Allegedly Behind Cross-Platform SysJoker Attacks | Cybersecurity researchers have identified a Rust-powered version of SysJoker, a cross-platform backdoor, targeting Israel. The backdoor has been attributed to a Hamas-linked threat actor amid the conflict with Israel. SysJoker gathers system information and can remotely execute commands and download and execute new malware. The updated version of SysJoker is written in Rust and uses Microsoft's OneDrive for dynamic command-and-control server URLs. Check Point's analysis indicates that the use of OneDrive lets attackers swiftly change C2 addresses, complicating detection efforts. The evolution of SysJoker includes enhanced evasion techniques, such as random sleep intervals. Two previously undetected, more complex SysJoker samples were discovered for Windows systems, featuring multi-stage execution. Connections between the updated SysJoker backdoor and Operation Electric Powder were found, hinting at consistent threat actor involvement over several years. | Details |
| 2023-11-24 06:48:54 | thehackernews | DATA BREACH | Fortune 500 Companies' Kubernetes Secrets Leaked Publicly | Kubernetes configuration secrets from several Fortune 500 firms, including two top blockchain companies, were exposed in public repositories. Aqua Security identified 438 records on GitHub with potential access credentials to container image registries, 46% of which had valid credentials. The access granted by the credentials included both pull and push rights, often exposing private container images. Researchers noted that nearly half of the uncovered manually set passwords were weak, highlighting the need for robust organizational password policies. Despite the inadvertent exposure, all AWS and Google Container Registry credentials were temporary and had expired, negating the risk of unauthorized access. GitHub Container Registry's mandatory two-factor authentication provided added protection against potential breaches. Some exposed keys had minimal privileges or were encrypted, reducing the risk; however, the incident underlines broader concerns about vulnerabilities and misconfigurations as major security issues in container environments. | Details |
| 2023-11-23 18:07:27 | theregister | CYBERCRIME | BlackCat Ransomware Compromises Major US Title Insurer Fidelity National Financial | Fidelity National Financial (FNF), a Fortune 500 insurance company, was the target of a significant ransomware attack. FNF was compelled to shut down key systems following the cybersecurity incident, affecting title insurance and other services. The attack's specifics, including the extent of data compromise, are under ongoing investigation. The ransomware group ALPHV/BlackCat claimed responsibility for the breach and has suggested it holds undisclosed information. The probable attack vector was a recently patched critical vulnerability in Citrix NetScaler devices, known as "CitrixBleed." Despite the availability of patches, many organizations were still exposed to the CitrixBleed vulnerability a month after the fix was released. The incident disrupted operations not only for FNF but also for the broader real estate market, delaying home purchases and closings. | Details |
| 2023-11-23 14:53:40 | thehackernews | NATION STATE ACTIVITY | Konni Group Targets Russia with Sophisticated Phishing Attacks | An ongoing phishing campaign using Russian-language Microsoft Word documents has been identified as the work of a North Korean threat actor known as Konni. Konni, thought to be associated with Kimsuky (APT43), deploys malware through these documents to collect sensitive data from infected Windows devices. Recent attacks have exploited the WinRAR vulnerability (CVE-2023-38831) and used obfuscated scripts to install a Remote Access Trojan (RAT) and data-harvesting batch scripts. The threat actor focuses on espionage, consistently refining its techniques to avoid detection while aiming to exfiltrate data. Fortinet has detailed the latest attack method, in which a macro-enabled Word document triggers a sequence leading to the deployment of a DLL payload with data gathering and exfiltration functions. Konni and other North Korean cyber espionage groups such as Lazarus and ScarCruft have heightened their focus on Russian targets, including trading firms and missile engineering companies. Russian cybersecurity entity Solar reported that Asian threat actors, predominantly from China and North Korea, are principally responsible for attacks on Russian infrastructure. | Details |