Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-23 14:02:12 | bleepingcomputer | MISCELLANEOUS | Black Friday Deal on Zero2Automated Malware Course | Zero2Automated offers a Black Friday to Cyber Monday 25% discount on malware analysis courses, including the 'Ultimate Malware Reverse Engineering Bundle'. Courses were created by renowned reverse engineers Vitali Kremez and Daniel Bunce, providing over 25 hours of content and a collaborative online community. The sale is available from November 23rd at 14:00 GMT to November 27th at 23:59 GMT, with the discount code BLACKFRIDAY. The course features lifetime access, over 1,000 peer/teacher interactions, and regular real-world malware challenges. The 'Ultimate Malware Reverse Engineering Bundle' includes three courses designed to take participants from beginner to advanced levels. Purchases include a 10% discount on IDA Pro Named License or IDA Home subscription, enhancing the toolkit for malware analysis. BleepingComputer endorses the quality of the course without receiving any commission and underscores the uniqueness and educational value of the content. |
| 2023-11-23 13:41:34 | theregister | NATION STATE ACTIVITY | North Korea Escalates Supply Chain Cyberattacks Globally | The UK and Republic of Korea (ROK) issued a joint advisory warning about North Korean cyberattacks on software supply chains. Attacks show increased sophistication, leveraging zero-day and N-day vulnerabilities, aiming at espionage and theft of intellectual property. Targets include government entities, the financial sector, and defense industries worldwide. Notable attacks include compromising the MagicLine4NX security software by exploiting a zero-day in its Windows version, and a similar attack strategy against the 3CX desktop app for both Windows and macOS systems. The Lazarus group, associated with North Korea, has been identified as perpetrating these attacks, with motives aligned with North Korean state priorities. Microsoft also reported a supply chain attack on CyberLink's multimedia software, which targets systems not running specific EDR security solutions. Advisories recommend increased vigilance, application of security updates, enabling 2FA, and monitoring for anomalous network traffic to mitigate threats. |
| 2023-11-23 13:00:41 | thehackernews | MALWARE | Alert on Sophisticated WailingCrab Malware Disguised as Shipping Emails | A new malware loader called WailingCrab is being delivered via emails with shipping-related themes. IBM X-Force researchers reveal WailingCrab consists of multiple components aimed at stealth and avoiding detection. The malware is attributed to the threat actor TA544, also known as Bamboo Spider or Zeus Panda, and is being used to deposit further malicious payloads. WailingCrab incorporates techniques such as utilizing legitimate hacked websites and platforms like Discord for command-and-control (C2) operations. Recent updates to the malware include utilizing MQTT, a lightweight messaging protocol, which is rare in the threat landscape for C2 communications, enhancing its evasiveness. The attack begins with an email containing a PDF attachment that leads to downloading a JavaScript file via Discord, ultimately installing a backdoor that communicates with the C2 server. Newer versions of WailingCrab encrypt the backdoor component and eliminate the need for payload retrieval from Discord, instead receiving the shellcode payload directly from the C2 server over MQTT. Discord has acknowledged the abuse of its CDN for malware distribution and plans to implement temporary file links to counteract misuse. |
| 2023-11-23 11:49:19 | theregister | CYBERCRIME | Ransomware Attack Disrupts Direct Debit Provider, Affects Payrolls | A ransomware attack on London & Zurich caused a significant service outage starting on November 10, with the attack confirmed on November 14. Clients experienced major disruptions with direct debit payments, leading to cash flow issues and the necessity for short-term loans for at least one customer. Communication from London & Zurich has been sparse and unclear, causing uncertainty amongst clients regarding service restoration. The affected MSP managed to process its first payment since the attack began, leveraging bank loans and director funds to cover financial shortfalls. London & Zurich has stepped up recovery efforts, with API services restored and pending testing on other service areas, expecting full restoration by week's end. Some components of the service, such as customer password rotations, have been completed in anticipation of the direct debit portal going live by November 23. There is no definite timeline for service normalization, and the company has not provided details about the nature of the breach, the attackers, or the extent of data compromise. |
| 2023-11-23 10:58:00 | thehackernews | DDOS | DDoS Botnet Exploits Zero-Day Flaws in Routers and NVRs | An ongoing malware campaign is using zero-day vulnerabilities to infect routers and NVRs with a Mirai-based botnet, capable of conducting massive DDoS attacks. Akamai has detected the payload targeting devices with default admin credentials, installing Mirai variants upon successful exploitation. The zero-day vulnerabilities are currently undisclosed publicly to prevent further misuse, with patches expected to be released in the upcoming month. The botnet, named InfectedSlurs by Akamai, is identified as a variant of the JenX Mirai malware first seen in January 2018, and is linked to the hailBot Mirai variant identified by NSFOCUS in September 2023. Akamai also described a new advanced web shell, wso-ng, which can stealthily execute commands and steal data, potentially aiding in cyber espionage activities. Attackers have adopted methods such as using legitimate but compromised domains for command-and-control and distribution of malware, with a significant attack involving WordPress sites disclosed by Infoblox in August 2023, attributed to the VexTrio threat actor. |
| 2023-11-23 10:58:00 | thehackernews | MISCELLANEOUS | Essential Strategies for Efficient Cybersecurity Incident Response | Ensuring all team members are well-educated on cybersecurity threats is fundamental for effective incident response (IR). Regular training and incident simulations for IR teams are essential for preparedness against evolving cyber threats. Adopting a comprehensive IR plan with clear roles, responsibilities, and response strategies is crucial for coordinated action. Technology plays a pivotal role in IR; efficient logging, endpoint detection and response (EDR), and ample storage for data analysis are vital components. Identification of a breach involves balancing alert settings to avoid alert fatigue and documenting Indicators of Compromise (IOCs). Containment strategy should take into account security and business implications, focusing first on critical devices and assets. Eradication of threats should be thorough, aligning with organizational policies, and involve documentation and verification processes. Post-incident recovery should include monitoring for persistent IOCs and implementing root cause fixes to prevent future occurrences. Lessons learned are key for improving future IR capabilities, updating strategies, technologies, processes, and training programs. |
| 2023-11-23 09:11:07 | theregister | CYBERCRIME | Countering Social Engineering and Boosting Help Desk Security | Social engineering attacks are increasingly used by hackers to gain unauthorized access to sensitive data, exploiting human elements rather than technical vulnerabilities. An incident at MGM Resorts International highlighted this tactic, resulting in a substantial financial impact estimated at $100 million in lost revenue. Attackers at MGM persuaded an employee to reveal sensitive credentials over the phone, then escalated privileges to deploy ransomware within the IT systems. Similar techniques were used against an energy firm in the UK via AI voice impersonation and against Electronic Arts, leading to network breaches. To address these challenges, Specops offers Secure Service Desk, providing dynamic multi-factor authentication to ensure verifiable identity confirmation. Identity verification options include mobile or email codes, and integration with major Identity Access Management (IAM) tools, enhancing IT help desk security measures. Organizations are advised to strengthen their verification processes to protect against social engineering, with Specops offering free trials and demos of Secure Service Desk to demonstrate its effectiveness. |
| 2023-11-23 08:30:14 | theregister | DDOS | Zero-Day Bugs in Routers Exploited to Build Mirai Botnet for DDoS Attacks | Akamai has discovered two zero-day vulnerabilities being used to distribute Mirai malware and create a DDoS-capable botnet. The zero-days allow for remote code execution and target routers and network video recorders using default passwords. Patches are expected in December; an interim mitigation is to change default passwords so the devices are no longer exposed. Akamai's Security Intelligence Response Team (SIRT) has not named the affected vendors but published Snort and YARA rules to detect compromises. The campaign exploits common features that may be present across multiple products, possibly due to code reuse. The InfectedSlurs botnet, which includes older JenX and hailBot Mirai code, was undetected by honeypots until October. Akamai researchers have identified links between the botnet and past DDoS activity, as well as offensive language in its C2 domains. |
| 2023-11-23 05:52:21 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Weaponize CyberLink Software in Supply Chain Scheme | North Korean group Diamond Sleet has trojanized CyberLink software to launch a supply chain attack. Over 100 devices in Japan, Taiwan, Canada, and the U.S. were affected by the modified CyberLink installer. The malicious installer performs checks to evade detection by security tools and limits its execution window. Microsoft linked the malware to C2 servers previously compromised by North Korean threat actors. The attackers targeted organizations in the defense, telecommunications, and financial sectors. The malware skips execution if security products from CrowdStrike, FireEye, or Tanium are detected. The campaign involves a downloader/loader that retrieves additional payloads disguised as PNG files. This incident follows reports of North Korean actors using fake job interviews and exploiting critical security flaws in JetBrains TeamCity for cyber espionage. |
| 2023-11-23 05:01:15 | theregister | CYBERCRIME | New Relic Issues Alert on Recent Cybersecurity Incident | New Relic, a web tracking and analytics company, has alerted its customers to a cybersecurity incident. The company is engaging third-party cybersecurity experts to conduct an investigation into the event. Customers have been advised to be vigilant and monitor their accounts for any suspicious activity, indicating potential account compromise. Details about the nature of the incident, the extent of any data access, and specific customer actions required are currently scarce. New Relic has advised customers they will be contacted directly if any actions need to be taken on their part. The advisory's timing coincides with the US Thanksgiving holiday, which may impact the response from US-based customers. The Register's inquiries for more detailed information about the incident were not answered by New Relic. |
| 2023-11-23 01:37:59 | theregister | NATION STATE ACTIVITY | North Korea-linked Hacking Schemes Target Job Market | North Korean state-sponsored actors are targeting job seekers and employers in sophisticated hacking schemes, according to Palo Alto Networks' Unit 42. The "Contagious Interview" campaign lures software engineers into downloading malware-infected NPM packages from GitHub, ostensibly for job interviews. The "Wagemole" operation involves actors impersonating job applicants for espionage and financial gain, with high confidence in its link to North Korea. Discovered in December 2022, these schemes involve faux recruiters and job postings in tech fields like AI, cryptocurrency, and NFTs. Two previously unknown malware families, BeaverTail and InvisibleFerret, were used to steal information, including credit card and cryptocurrency wallet details. The objectives of these campaigns appear to include using compromised systems as platforms for additional attacks and stealing cryptocurrency. Unit 42 found fraudulent documents and well-maintained LinkedIn and GitHub profiles designed to make the fake personas seem legitimate. The US Justice Department and FBI note these tech workers contribute their earnings to North Korea's weapons funding, a concern echoed by South Korea's government. |
| 2023-11-22 22:40:07 | theregister | CYBERCRIME | Researchers Reveal Windows Hello Fingerprint Authentication Flaws | Security researchers from Blackwing Intelligence have found ways to bypass Windows Hello's fingerprint authentication. The vulnerabilities were discovered in laptops from Dell, Lenovo, and Microsoft, using fingerprint sensors from different manufacturers. Blackwing Intelligence's work was commissioned by Microsoft's Offensive Research and Security Engineering group and presented at the BlueHat conference. The method involved booting a laptop into Linux, using a sensor's driver to store a new fingerprint with the same ID as a Windows user, and tricking the chip into using the Linux database through a man-in-the-middle device. The implementation flaws allow someone with physical access to a device to log in as the user associated with a fingerprint without actually having that person's fingerprint. Microsoft indicates that the issues have been addressed by vendors, and users should check for updates or errata. The researchers recommend that device makers avoid these design flaws and that users implement additional security measures, such as boot passwords. |
| 2023-11-22 21:43:58 | theregister | CYBERCRIME | Nuclear Lab Compromised by Unconventional Hacker Group | An unusual cybercriminal group, SiegedSec, which self-identifies as "gay furry hackers", claims to have breached the Idaho National Laboratory's systems. The hackers reportedly stole and leaked personal data of employees, including Social Security numbers, addresses, and bank details. The cyberattack targeted a third-party vendor system associated with the lab’s cloud HR services. Idaho National Laboratory acknowledges the cyberattack, has involved law enforcement, and is taking action to secure employee data. The group has issued an odd ransom demand, offering to remove the leaked information if the lab engages in research to create "IRL catgirls," a nod to an internet meme. The INL is a critical part of America's nuclear research infrastructure, employing over 6,100 people and operating the world's densest concentration of nuclear reactors. Motivations for the attack remain ambiguous, with SiegedSec previously citing human rights issues and the enjoyment of leaks as reasons for their NATO breach. |
| 2023-11-22 19:41:42 | bleepingcomputer | DATA BREACH | Kansas Judicial Branch Reports Significant Data Breach After Cyberattack | The Kansas Judicial Branch suffered a cybersecurity incident last month, resulting in stolen sensitive files containing confidential information. Hackers impacted the availability of systems including document submission, electronic payment systems, and case management systems for district and appellate courts. Over a month after the incident, vital court services remain offline, with no clear resolution timeline provided. The data theft includes Office of Judicial Administration files, district court case records, and possibly other confidential data. The incident has the hallmarks of a ransomware attack, including system disruption and threats to publish stolen data unless a ransom is paid. The specific type of cyberattack has not been disclosed, and no ransomware groups have claimed responsibility yet. The Kansas authority is estimating several weeks to restore all systems and plans to notify all individuals impacted by the data breach. The public statement characterized the incident as an attack against all Kansans and condemned the perpetrators. |
| 2023-11-22 19:10:47 | bleepingcomputer | CYBERCRIME | Windows Hello Fingerprint Authentication Compromised on Laptops | Security researchers from Blackwing Intelligence bypassed Windows Hello fingerprint authentication on laptops from Dell, Lenovo, and Microsoft. The vulnerability was in the embedded fingerprint sensors on the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15. These Match-on-Chip (MoC) sensors, which perform fingerprint matching internally, were exploited through man-in-the-middle (MiTM) attacks using a customized Raspberry Pi. Sensitive data and communication should have been protected by Microsoft’s Secure Device Connection Protocol (SDCP), but the protocol was not enabled on two devices and improperly implemented on the third. On the Dell and Lenovo laptops, attackers bypassed authentication by enrolling an attacker’s fingerprint using a legitimate user’s ID. On the Microsoft device, researchers spoofed the fingerprint sensor, taking advantage of unprotected cleartext USB communication. Blackwing Intelligence recommends that manufacturers enable and correctly implement SDCP to protect against such attacks. Microsoft notes an increase in users signing into Windows 10 with Windows Hello, highlighting the importance of securing biometric authentication methods. |