Daily Brief

2023-11-22 16:15:19 bleepingcomputer MISCELLANEOUS Comprehensive Roundup of Black Friday 2023 Tech Security Deals
Black Friday 2023 brings significant discounts on various computer security products, including antivirus, VPNs, and online security courses. NordVPN, SurfShark, and ProtonVPN offer up to 85% off on multi-year subscription plans for their services. Avast, ESET, and Malwarebytes slash prices by up to 70%, providing affordable antivirus and VPN bundle options. Cybersecurity and IT skill courses from StackCommerce, Pluralsight, and Udemy are heavily discounted, some as low as $9.99. Additional promotions include firewalls, password managers, and security keys from vendors such as Any.Run, Firewalla, Hak5, LastPass, and Yubico. The sales are time-sensitive, with many expiring at the end of November or on Cyber Monday. The article includes disclosures regarding affiliate links and partnerships which may earn commissions for BleepingComputer.com.
2023-11-22 15:28:55 thehackernews CYBERCRIME Security Flaws in Fingerprint Sensors Compromise Windows Hello
Researchers at Blackwing Intelligence identified vulnerabilities in fingerprint sensors used by several laptop manufacturers, which could allow unauthorized bypass of Windows Hello authentication. Affected laptops include models from Dell, Lenovo, and Microsoft, with the compromised sensors supplied by Goodix, Synaptics, and ELAN. The sensors use "match on chip" technology, which does not protect against malicious devices spoofing legitimate sensors to falsely indicate successful authentication. The Secure Device Connection Protocol (SDCP) by Microsoft, designed to create a secure communication channel, was found to be either unsupported or improperly implemented. Attack methods include exploiting SDCP absence, sensor spoofing with communication replay, and utilizing flawed TLS stacks. The Goodix sensor could be exploited by taking advantage of inconsistent enrollment operations between Windows and Linux, where the Linux environment does not use SDCP. To counter these vulnerabilities, the researchers suggest that manufacturers enable SDCP by default and subject fingerprint sensor implementations to audits by independent experts. The discovery follows a previous Windows Hello biometric bypass issue patched by Microsoft in July 2021, underscoring the ongoing need for robust security measures in biometric authentication systems.
2023-11-22 12:50:16 theregister CYBERCRIME US Authorities Confiscate $9M in Crypto from "Pig Butchering" Scam
US law enforcement recovered approximately $9 million from a "pig butchering" cryptocurrency scam affecting over 70 victims. Criminals enticed victims using fake investment companies and cryptocurrency exchanges before absconding with deposited funds. Techniques like chain hopping, coin swaps, and cross-chain bridges were used in attempts to launder the stolen money. The Secret Service and DOJ collaborated to trace the illicit funds to multiple wallet addresses tied to the criminal group. Despite the successful asset recovery, no arrests or specific identities of the cybercriminals have been disclosed by the DOJ. Authorities stress continued efforts to protect the financial security of citizens and crack down on cyber-enabled financial fraud. The confiscated proceeds were returned to victims in the form of the stablecoin Tether, in partnership with the DOJ's National Cryptocurrency Enforcement Team.
2023-11-22 12:19:15 thehackernews NATION STATE ACTIVITY North Korean Hackers Target Software Developers and Firms in Espionage Campaign
North Korean threat actors impersonated job recruiters and job seekers to distribute malware and infiltrate organizations globally. The campaigns, codenamed Contagious Interview and Wagemole by Palo Alto Networks' Unit 42, involve cryptocurrency theft, espionage, and financial gain. The first campaign uses fake job interviews to infect software developers with malware aimed at cryptocurrency theft and staging further attacks. Attackers also pose as job candidates, using GitHub to host resumes with forged identities to gain employment and conduct espionage. Two new cross-platform malware families, BeaverTail and InvisibleFerret, can target Windows, Linux, and macOS, stealing information and facilitating remote control. Overlaps with previous North Korean operations, including Operation Dream Job and Sapphire Sleet, indicate a consistent pattern of strategic social engineering. The activities tie into broader North Korean strategies to bypass sanctions by deploying skilled IT workers who redirect their earnings to state weapons programs. The U.S. government advisory acknowledges North Korea's tactic of using IT worker employment to fund weapons programs, further highlighting the risks to global businesses.
2023-11-22 11:12:44 thehackernews DATA BREACH Managing AI Tool Integration to Prevent SaaS Security Risks
Employees are adopting AI tools such as ChatGPT rapidly, with little oversight, which may increase productivity but poses security risks. Cybersecurity teams are under pressure to quickly adopt AI without proper security assessments, potentially leading to data breaches. Indie AI apps, favored for their freemium models, typically have less robust security measures, making them attractive targets for hackers. Connections between AI tools and enterprise SaaS systems can allow threat actors to access sensitive company data. The article cites the CircleCI data breach incident as an example, where a delay in noticing suspicious activity led to a significant data breach. Security researchers recommend that companies should enforce due diligence, revise application and data policies, and provide regular employee training. Vendor assessments of indie AI tools should include a rigorous look at their security posture and data privacy compliance. Building open communication and accessibility between cybersecurity teams and business units is vital for maintaining SaaS security in the face of AI adoption.
2023-11-22 11:02:17 theregister MISCELLANEOUS Evaluating Microsoft's Decade of Bug Bounties: Impact and Insights
Microsoft's bug bounty program marks a decade, having disbursed $63 million to researchers, with substantial growth in the last five years. Aanchal Gupta, Microsoft's deputy CISO, acknowledges early resistance but stresses the program's importance in pre-release bug detection. The initiative's recent expansion includes increased rewards, with $13 million awarded to researchers in one year and new categories for serious risks. Katie Moussouris, a key advocate for the program's inception, reflects on implementing bug bounties amid initial corporate reluctance. Moussouris emphasizes that while bug bounties are financially incentivizing, they should not replace secure software development processes. She calls for integrating a "concrete feedback loop" into secure development life cycles and for setting meaningful metrics beyond cash payouts. The article challenges the efficacy of bug bounty programs, suggesting that more attention should be given to preventative measures and rapid vulnerability response.
2023-11-22 10:21:16 theregister DATA BREACH UK Toughens Rules on Cookie Consent for Websites
The UK Information Commissioner's Office (ICO) demands that website operators make rejecting cookies as simple as accepting them. The ICO targets advertising cookies, requiring clear consent choices for users and non-personalized ads if cookies are rejected. The ICO issued guidance to prevent design strategies that trick users into providing more personal data than they intend. Companies have a 30-day deadline to comply with data protection regulations or face enforcement action and potential financial penalties. Non-compliant organizations could incur fines of up to £17.5 million or 4% of annual worldwide turnover. The ICO critiques cookie consent banners, emphasizing that the ease of opting out should match that of opting in. The ICO's stance aligns with EU directives on clear consent options for cookies, despite UK proposals in 2022 for an opt-out system.
2023-11-22 07:17:41 thehackernews MALWARE Atomic Stealer Malware Targets Macs Through Fake Browser Updates
The Atomic Stealer malware, typically targeting Windows systems, has now expanded its reach to macOS. Malwarebytes reports the use of a fake web browser update scheme, known as ClearFake, to deliver Atomic Stealer to Mac users. ClearFake, a relatively new malware distribution operation, employs compromised WordPress sites to issue fraudulent update alerts. Atomic Stealer is a stealer malware family sold for $1,000 per month, capable of extracting information from web browsers and cryptocurrency wallets. Malware distributors have been leveraging fake browser update themes to spread various malware, including the ClearFake campaign targeting Mac systems. Propagation methods for this stealer malware include malicious ads, search engine redirects, and drive-by downloads, among others. Updates to the LummaC2 stealer include a unique anti-sandbox technique and claims of a persistent method to extract Google Account cookies that remain active even after password changes.
2023-11-22 04:50:12 thehackernews MALWARE LockBit Ransomware Targets Citrix Flaw for Unauthorized Access
The LockBit ransomware group is exploiting a critical vulnerability in Citrix NetScaler ADC and Gateway appliances. U.S. and Australian agencies, including CISA, the FBI, and the ACSC, issued a joint advisory about the exploitation of the Citrix Bleed flaw. This vulnerability, identified as CVE-2023-4966, bypasses passwords and MFA, allowing session hijacking and elevated permissions for attackers. Despite a fix by Citrix last month, the flaw had been weaponized as a zero-day since August 2023. Mandiant reported that multiple groups are exploiting the vulnerability across various regions and industry verticals. LockBit utilizes the flaw for initial access, then deploys remote management tools for subsequent malicious activities. A comparative study of ransomware on Windows and Linux underscores the growing Linux ransomware threat to medium-to-large organizations, with a trend towards minimalism and stealth in attack execution.
2023-11-22 01:06:20 theregister CYBERCRIME Binance CEO Pleads Guilty to Massive Financial Crimes
Binance and CEO Changpeng Zhao plead guilty to financial crimes involving money laundering and sanctions evasion. The cryptocurrency exchange will pay $10 billion in fines and settlements to the US government. Binance failed to register as a money service business, violated anti-money laundering laws, and transacted with individuals in sanctioned countries. US Attorney General Merrick Garland stated that Binance chose profits over compliance with US laws to gain market share. The company knowingly allowed US users access to its platform even after the supposed cut-off in 2019. Binance must now implement robust anti-money laundering measures and report to US agencies for three years. Zhao resigns as CEO but will remain a majority shareholder; he faces personal fines amounting to $150 million, payable to the CFTC. Binance still confronts potential charges from the Securities and Exchange Commission, which was not part of the settlement.
2023-11-21 21:21:55 bleepingcomputer CYBERCRIME Hacktivists Compromise U.S. Nuclear Lab, Leak Employee Data
The Idaho National Laboratory (INL), crucial for U.S. atomic energy and national security research, was targeted by a cyberattack from the 'SiegedSec' hacktivist group. SiegedSec claims to have accessed and leaked extensive human resources data, which includes information on a vast number of personnel and associates. The leaked data were posted on hacker forums and Telegram, demonstrating SiegedSec's pattern of bypassing ransom negotiations in favor of public disclosure. Screenshots disseminated by the hackers suggested they had infiltrated INL systems to an extent that allowed them to create internal announcements about the breach. The INL spokesperson confirmed the cyberattack without specifying details, stating that immediate measures were taken to safeguard affected data and that federal law enforcement is investigating the incident. The compromised server supported INL's Oracle HCM system, used for Human Resources applications, but there is no indication that any nuclear research information was accessed or disclosed. The attack on INL, a component of the U.S.'s critical infrastructure, is expected to result in increased attention and pursuit of SiegedSec by law enforcement agencies.
2023-11-21 19:33:56 bleepingcomputer MALWARE Lumma Malware Touts Novel Google Cookie Restoration Feature
The Lumma information-stealer malware claims it can restore expired Google authentication cookies. Restored session cookies can lead to account hijacking, posing significant security risks. The alleged feature was announced on a cybercriminal forum and is exclusive to subscribers of the malware's "Corporate" plan at $1,000/month. The functionality, which is designed to work once per key, allows unauthorized access to Google accounts even after sessions have expired. There is skepticism in the security community, as the feature has not been independently verified and Google has not commented on the potential exploit. Lumma's developers issued another update purportedly circumventing Google's defenses against cookie restoration. A similar feature is also found in another malware, Rhadamanthys, suggesting a potential common vulnerability exploited by cybercriminals. Users are advised to take precautions to avoid malware infections, as no definitive countermeasure by Google has been confirmed.
2023-11-21 19:18:23 bleepingcomputer MISCELLANEOUS Microsoft Launches Defender Bug Bounty with Up to $20K Rewards
Microsoft has introduced a new bug bounty program targeting their Microsoft Defender platform, offering rewards ranging from $500 to $20,000. In certain cases, rewards could be higher at Microsoft's discretion, depending on the severity and quality of the reported security vulnerabilities. Top rewards will be given for critical severity reports that expose remote code execution vulnerabilities in the Microsoft Defender for Endpoint APIs. This program is part of Microsoft's effort to engage with the global security research community to enhance the security of their products. Microsoft also announced that over the past year, it has awarded nearly $59 million for eligible vulnerability reports across various bug bounty programs. The Microsoft Defender Bounty Program is currently focused on the Defender for Endpoint APIs but may expand to other Defender products and services in the future. Details and guidelines for the program, including a list of eligible vulnerabilities and information on reward distribution, are available on Microsoft's FAQ page.
2023-11-21 18:05:52 bleepingcomputer DATA BREACH AutoZone Hit by Clop MOVEit Data Breach Affecting Thousands
AutoZone, a major automotive parts retailer and distributor, reported a data breach impacting 184,995 individuals. The breach was linked to the broader Clop ransomware gang campaign exploiting a MOVEit file transfer zero-day vulnerability. The breach notification indicates personal data was exfiltrated, including full names and social security numbers. AutoZone is offering identity theft protection services and advises affected individuals to stay vigilant for the next 24 months. The leaked data attributed to the breach includes employee details, tax information, payroll documents, and more, but no customer data was present. The Clop ransomware gang earlier claimed responsibility for the attack and published the stolen AutoZone data, which is being verified for authenticity. The MOVEit attacks are connected to an international cybercrime pattern, with expectations that Clop could gain $75 million in ransom payments.
2023-11-21 18:00:27 bleepingcomputer CYBERCRIME Urgent Patch Required for Exploited 'Looney Tunables' Linux Vulnerability
CISA ordered US federal agencies to patch the 'Looney Tunables' Linux bug, an actively exploited vulnerability allowing root access. Qualys researchers discovered a buffer overflow in the GNU C Library's dynamic loader, affecting Fedora, Ubuntu, and Debian distributions. Administrators are urged to patch systems due to publicly available PoC exploits and active exploitation of the CVE-2023-4911 vulnerability. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, with a deadline for federal agencies to patch by December 12. The Kinsing malware campaign is exploiting the flaw to achieve root access in cloud environments, leading to further attacks and data theft. Attackers exploit vulnerabilities in PHPUnit to install a JavaScript web shell for persistent access and reconnaissance in cloud services. Kinsing attackers aim to harvest cloud service provider credentials and deploy crypto mining malware in cloud systems like Kubernetes, Docker APIs, Redis, and Jenkins.