Daily Brief

Find articles below; each entry carries a generated summary

Total articles found: 11700

Checks for new stories every ~15 minutes

2023-11-21 16:37:58 theregister DATA BREACH Sumo Logic Successfully Defends Against Potential Data Breach
Sumo Logic, a SaaS log analytics company, detected unauthorized access to one of its AWS accounts through a compromised credential. The activity was first detected on November 3; the company says no customer data was compromised. Immediate actions included securing the affected infrastructure and rotating potentially exposed credentials. Sumo Logic advised all customers to rotate their credentials, especially API access keys, even where no direct impact was found. Third-party forensic specialists joined the investigation to confirm the integrity of customer data before the incident was closed. The company plans further evaluation to identify measures that prevent a recurrence and strengthen overall security. The response was timely and transparent, with frequent customer updates, and was praised by cybersecurity experts, who view the incident as a reminder that proactive measures such as regular API key rotation limit the damage a single leaked credential can do.
2023-11-21 16:37:57 bleepingcomputer CYBERCRIME Citrix Urges Admins to Invalidate Sessions Post 'Citrix Bleed' Patch
Citrix has reiterated to administrators that all active user sessions must be invalidated after applying patches for CVE-2023-4966, known as 'Citrix Bleed'. The company patched the flaw in early October, but exploitation in the wild dates back to at least late August 2023. The vulnerability leaks session tokens from appliance memory; a token stolen before patching remains valid afterwards, so attackers keep their access to the appliance until the session is killed. Mandiant confirmed that hijacked NetScaler sessions continue to pose a risk after patching, enabling lateral movement and further account compromise. The warning follows a joint advisory from CISA, the FBI and partners reporting that LockBit affiliates are exploiting Citrix Bleed. Boeing disclosed an intrusion in which LockBit 3.0 affiliates exploited CVE-2023-4966, leading to a significant data theft and a subsequent leak on the dark web. CISA's malware analysis report describes post-exploitation activity including saving registry hives and dumping LSASS process memory. Over 10,000 internet-exposed Citrix appliances were reported still vulnerable a week before the advisory.
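The advisory's point is easy to state and easy to get wrong: a patch closes the hole that leaked the token, but it does nothing to the token itself. The following is an added example, not Citrix or NetScaler code, showing the mechanics on a minimal server-side session store of the kind any appliance or web application keeps. Tokens are opaque random strings checked only for existence and expiry, so the only thing that ends a stolen session is an explicit "reject everything issued before now" step. All names and timings are illustrative.

```python
"""Why patching alone does not evict an attacker who holds a stolen session token."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    lifetime: float = 3600.0
    # Sessions issued before this instant are rejected even if unexpired.
    not_before: float = 0.0
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        # Unguessable token; the only thing protecting it is secrecy, which is
        # exactly what a memory-disclosure bug takes away.
        token = secrets.token_hex(32)
        self.sessions[token] = Session(user, now, now + self.lifetime)
        return token

    def authenticate(self, token: str, now: float) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        if s.issued_at < self.not_before:
            return None  # ended by a global invalidation
        return s.user

    def invalidate_all(self, now: float) -> int:
        """The 'kill all sessions' step. Returns how many live sessions it ended.

        Moving not_before is sufficient on its own, so the check also holds for
        a session table copied to an HA peer or restored from a backup.
        """
        self.not_before = now
        return sum(1 for s in self.sessions.values()
                   if s.issued_at < now <= s.expires_at)


def stolen_token_timeline() -> Dict[str, object]:
    """Replay the scenario from the advisory against the toy store."""
    store = SessionStore()
    t0 = 1_700_000_000.0                      # arbitrary epoch seconds
    victim_token = store.login("admin", t0)   # legitimate login
    attacker_copy = victim_token              # leaked by the memory over-read
    # Appliance is patched: the leak is closed, the session table is untouched.
    attacker_after_patch = store.authenticate(attacker_copy, t0 + 600) is not None
    # Administrator kills all sessions as advised.
    ended = store.invalidate_all(t0 + 601)
    attacker_after_kill = store.authenticate(attacker_copy, t0 + 602) is not None
    # Legitimate users simply log in again.
    fresh = store.login("admin", t0 + 603)
    fresh_login_ok = store.authenticate(fresh, t0 + 604) is not None
    return {
        "attacker_after_patch": attacker_after_patch,
        "sessions_ended": ended,
        "attacker_after_kill": attacker_after_kill,
        "fresh_login_ok": fresh_login_ok,
    }


if __name__ == "__main__":
    print(stolen_token_timeline())
```

Run stand-alone it prints that the attacker's copy still authenticates after the "patch" and stops working only after `invalidate_all`, while a fresh login succeeds. On a real appliance the same step is the vendor's documented kill-all-sessions procedure; the lesson carries to any system whose sessions live in a store that a code fix does not touch.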
2023-11-21 15:56:58 bleepingcomputer MALWARE DarkGate and PikaBot: Sophisticated Phishing Threats Post-Qakbot
DarkGate and PikaBot malware have surged as successors to the dismantled Qakbot botnet, posing significant risks to enterprises. A complex phishing campaign that initially distributed DarkGate later adopted PikaBot as its main payload, using tactics reminiscent of Qakbot's methods. The campaign exploits trust within existing email conversations by replying to or forwarding ongoing threads, enticing recipients to download a ZIP file containing the malware. The attackers have been trialing various droppers to infect systems; the primary payload shifted from DarkGate to PikaBot in October 2023. DarkGate supports multiple malicious functions, including remote access, cryptocurrency mining, and data theft, while PikaBot features robust anti-analysis measures and versatile payload delivery. Cofense stresses the sophistication of the actors behind these campaigns and advises organizations to familiarize themselves with their Tactics, Techniques, and Procedures (TTPs).
2023-11-21 15:05:32 bleepingcomputer MISCELLANEOUS Criminal IP Joins VirusTotal as IP and URL Scan Contributor
Criminal IP, an AI SPERA-developed Cyber Threat Intelligence (CTI) search engine, has integrated with VirusTotal, providing IP address and URL scans. VirusTotal aggregates threat intel from over 70 antivirus engines and contributors, enhancing global cybersecurity through collective intelligence. Criminal IP specializes in real-time threat detection using AI to collect threat information primarily focusing on IP addresses and domains. As a VirusTotal contributor, Criminal IP aids in detecting suspicious IPs, domains, or URLs, and contributes additional detailed analysis for users. The newly added URL scan feature by Criminal IP on VirusTotal includes data extraction on network logs, associated IPs, and potential website vulnerabilities. Criminal IP offers tiered membership plans, from Free to Pro, to access its comprehensive threat intelligence services, accommodating different user needs. AI SPERA released Criminal IP in April 2023 after a year-long beta, creating partnerships with global security firms and achieving high compliance standards. Criminal IP provides multilingual support, reflecting its global user engagement and commitment to diverse cybersecurity communities.
2023-11-21 13:58:11 theregister MISCELLANEOUS Enhancing Cybersecurity with the eXtended Software Bill of Materials
A Software Bill of Materials (SBOM) is now essential to meet regulatory and buyer demands, providing a detailed list of an application's components and metadata. The U.S. Government's Executive Order from May 2021 stressed the importance of SBOMs in improving the nation's cybersecurity. Critics suggest that SBOMs may not offer a complete view of application attack surfaces due to their complexity and continuous evolution. The concept of an eXtended Software Bill of Materials (XBOM) has been introduced as a way to provide a more accurate and comprehensive understanding of applications, infrastructure, and pipelines. XBOMs aim to enhance SBOMs by offering a fuller inventory of application components, related risks, and tracking modifications over time. A webinar titled "Why You Need an XBOM: An eXtended Software Bill of Materials" is scheduled to discuss the limitations of SBOMs and the benefits of XBOMs for application and supply chain security. The webinar, sponsored by Apiiro, will take place on 28 November and aims to guide attendees on elevating their cybersecurity approach using XBOMs.
2023-11-21 13:58:11 thehackernews CYBERCRIME Play Ransomware Now Operates as Ransomware-as-a-Service Model
The Play ransomware strain is being offered as Ransomware-as-a-Service (RaaS) to cybercriminals. Adlumin's report highlights consistent tactics across various attacks, implying use by affiliate purchasers of the RaaS. Attacks feature the use of the same malware-hiding techniques, account creation passwords, and commands. Play ransomware exploits Microsoft Exchange Server vulnerabilities and uses double extortion tactics. The shift to RaaS indicates the evolution of Play from being operator-exclusive to commercially available for affiliates. The accessibility of RaaS kits equipped with tools and support is attracting a broader range of cyber attackers. Businesses and authorities are advised to prepare for an increase in cyber incidents due to the proliferation of RaaS offerings like Play.
2023-11-21 13:32:06 bleepingcomputer MISCELLANEOUS Malwarebytes Offers Half-Price Deal on Premium Bundle
Malwarebytes is offering a 50% discount on its Premium + Privacy VPN bundle for Black Friday through Cyber Monday, ending November 30th. The promotional bundle includes real-time malware protection, exploit protection, and behavior detection for ransomware attacks. Malwarebytes Premium actively monitors network connections to block communication with malicious sites and C2 servers. The Privacy VPN feature enables anonymous browsing and downloading, with access to 500 servers across 30+ countries. The VPN service is based on the WireGuard protocol known for modern, high-performance, secure VPN connections. The limited-time offer is aimed at consumers looking for comprehensive cyber protection at a reduced cost. BleepingComputer has a partnership with Malwarebytes and will earn a commission from purchases made via links in the article.
2023-11-21 13:26:44 theregister DATA BREACH Extensive Canadian Government Data Potentially Exposed in Third-Party Breach
The Canadian government has confirmed a data breach via third-party service providers that handle relocation services. Data on current and former government employees, armed forces members, and RCMP personnel, dating back as far as 1999, may have been compromised. The government is analyzing a large dataset to determine the extent of the breach and identify individuals at risk. The relocation providers' servers held sensitive personal and financial information on everyone who used the service. Affected individuals are urged to change login credentials, enable multi-factor authentication, and monitor their accounts for unusual activity. The government is offering preventative support such as credit monitoring and replacement of potentially compromised documents. Little is known about the attackers' methods or the full extent of the breach, although the LockBit ransomware gang has claimed responsibility and demanded a ransom. Experts and authorities generally advise against paying ransoms, as there is no guarantee of data recovery or non-release.
2023-11-21 11:59:34 thehackernews MALWARE New Agent Tesla Malware Variant Exploits ZPAQ Compression
A new variant of the Agent Tesla malware is being delivered in ZPAQ archives to evade detection in email-based attacks. ZPAQ is a rarely used compression format chosen for its high compression ratio and limited software support, which means many mail scanners and endpoint tools cannot unpack it. Agent Tesla, first seen in 2014, is a .NET-based keylogger and RAT sold under a malware-as-a-service model and usually delivered through phishing. Recent campaigns use an outdated Microsoft Office vulnerability to deliver the payload, which arrives inside a ZPAQ archive disguised as a PDF file. The malicious .NET executable downloads and decrypts additional files, using common file extensions to disguise its network traffic. The payload is protected with the .NET Reactor obfuscator, and C2 communications are handled through Telegram. The use of ZPAQ suggests attackers are either targeting specific technically savvy individuals or experimenting with new ways to spread malware past existing security controls.
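The defensive takeaway from the ZPAQ campaign is to classify attachments by what they contain rather than what they are called. The following is an added example, not code from the article or from any vendor: an attachment triage pass of the kind a mail gateway hook or SOC script performs. It applies two cheap signals, a mismatch between the extension and the content's leading bytes, and an archive format the (hypothetical) gateway is not known to unpack. Signatures are the well-known leading bytes of each format; a ZPAQ block tag begins with the ASCII string "7kSt". The sample attachments at the bottom are constructed, not captured from the campaign.

```python
"""Flag e-mail attachments whose bytes do not match their claimed type."""
from typing import Dict, List, Optional, Tuple

# Leading bytes -> content type.
MAGIC: List[Tuple[bytes, str]] = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/jar: they are zip containers
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"7kSt", "zpaq"),               # first four bytes of the ZPAQ block tag
    (b"MZ", "pe"),                   # Windows executable
]
ARCHIVES = {"zip", "rar", "7z", "gzip", "zpaq"}
# Archive formats the hypothetical gateway unpacks and scans (assumption).
SCANNABLE = {"zip", "rar", "7z", "gzip"}
# Accepted extension -> content type it must actually carry.
EXPECTED: Dict[str, str] = {
    "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "7z": "7z", "gz": "gzip",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Return a verdict and the reasons for it for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    reasons: List[str] = []
    if ext in EXPECTED and EXPECTED[ext] != actual:
        reasons.append(f"claims .{ext} but content is {actual or 'unrecognised'}")
    if actual == "pe":
        reasons.append("executable content")
    if actual in ARCHIVES - SCANNABLE:
        reasons.append(f"{actual} archive is not unpacked by the scanner")
    return {
        "file": filename,
        "content": actual,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed samples (not real captures). The first mimics the campaign's lure:
# a ZPAQ archive carrying a .pdf name.
SAMPLES: Dict[str, bytes] = {
    "Invoice_4471.pdf": b"7kSt" + b"\x00" * 60,
    "quote.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
    "scan.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.pdf": b"hello, not a pdf",
}


def triage_samples() -> Dict[str, str]:
    """Verdict per constructed sample."""
    return {name: str(triage(name, data)["verdict"]) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

The disguised ZPAQ file is blocked on two independent grounds, so either signal alone would have caught it; a gateway that only trusts its antivirus engines would have passed it through unopened. Extend `MAGIC` and `SCANNABLE` to match what your own scanning stack actually unpacks.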
2023-11-21 10:53:00 theregister MISCELLANEOUS Continuous Training Essential for EMEA Cybersecurity Readiness in 2024
EMEA organizations are encouraged to maintain constant vigilance against cyber threats through continuous training. Cybersecurity professionals need up-to-date knowledge on emerging threats and defense strategies. The SANS Institute offers a comprehensive course library for 2024 to enhance cybersecurity skills across the region. Training courses cover a wide array of topics including Cloud Security, DFIR, Offensive Operations, Leadership, OSINT, and ICS. Courses are accessible in various formats and locations, catering to professionals already in the field and those starting new careers. Attendees at SANS events gain practical insights from experts actively working in cybersecurity. Participants have the opportunity to earn GIAC certifications, validating their expertise in the rapidly evolving cyber landscape. The full catalogue of SANS 2024 EMEA training courses is available through the provided link for those interested in advancing their cybersecurity knowledge.
2023-11-21 10:42:34 thehackernews CYBERCRIME Advanced Phishing Techniques Employ QR Codes, Captchas, and Steganography
Cybercriminals are evolving their phishing attacks by using QR codes, CAPTCHAs, and steganography to deceive individuals and bypass security systems. Quishing, QR-code phishing, embeds the malicious link in a QR image rather than in text, so email filters that scan URLs never see it and the victim opens it on a phone outside the corporate controls. CAPTCHA-based attacks place a CAPTCHA in front of a realistic-looking credential-harvesting page, so automated scanners and web crawlers cannot reach the form while human victims pass straight through. In one instance, attackers targeted employees of Halliburton Corporation with a CAPTCHA gate followed by a convincing Office 365 login page that collected user credentials. Steganography is used to hide malicious scripts inside seemingly innocuous media files, such as images, delivered via email attachments or illegitimate download links. ANY.RUN, a sandbox environment for analyzing these techniques, published the findings and is currently running a promotional offer on its service.
2023-11-21 10:01:32 thehackernews MALWARE Hackers Leverage Apache Flaw for Crypto Mining and Rootkits
Kinsing operators are exploiting a critical vulnerability in Apache ActiveMQ, CVE-2023-46604, to infect Linux systems. The flaw allows unauthenticated remote code execution, which the group uses to fetch and install its malware. Infected hosts are put to work mining cryptocurrency, degrading system performance. Kinsing has historically targeted misconfigured container environments and rapidly adds exploits for newly disclosed web application vulnerabilities. It establishes persistence by installing a rootkit that is loaded into processes through the system's shared-library preload mechanism. Organizations running Apache ActiveMQ are urged to update to a patched release (5.15.16, 5.16.7, 5.17.6 or 5.18.3) to prevent compromise.
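A responder triaging a suspected Kinsing host wants a quick check of the loader's preload list, since anything listed there is injected into every dynamically linked process. The following is an added example, not code from the article or from Trend Micro; it assumes the rootkit is registered through /etc/ld.so.preload, the standard Linux preload mechanism, which is an assumption beyond the summary above. The function takes the file's text plus an allowlist of entries known to belong on the host, so it can run offline against collected evidence; the sample content is constructed.

```python
"""Triage a Linux host's /etc/ld.so.preload for rootkit-style entries."""
import os
from typing import Dict, FrozenSet, List

# No legitimate preload library should be loaded from a user-writable location.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_preload(text: str) -> List[str]:
    """Entries are whitespace separated; '#' to end of line is dropped as a comment."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def assess_preload(text: str, allowlist: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Classify every preload entry and return a verdict for the host."""
    allowlisted: List[str] = []
    suspicious: List[str] = []
    unknown: List[str] = []
    for path in parse_preload(text):
        if path in allowlist:
            allowlisted.append(path)
        elif (not path.startswith("/")            # relative path: resolved per process
              or path.startswith(WRITABLE_DIRS)    # writable by unprivileged users
              or "/." in path):                    # hidden directory component
            suspicious.append(path)
        else:
            unknown.append(path)  # not expected here; verify package ownership and hash
    # On a server with no reason for preloads, any non-allowlisted entry needs review.
    verdict = "clean" if not suspicious and not unknown else "review"
    return {
        "allowlisted": allowlisted,
        "suspicious": suspicious,
        "unknown": unknown,
        "verdict": verdict,
    }


# Constructed sample: one legitimate allocator preload and two planted entries.
SAMPLE_PRELOAD = """# constructed sample, not a real capture
/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
/tmp/.x/libhide.so
/etc/libx.so
"""
ALLOWLIST = frozenset({"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"})


if __name__ == "__main__":
    live = "/etc/ld.so.preload"
    text = open(live).read() if os.path.exists(live) else ""
    print("live host:", assess_preload(text, ALLOWLIST))
    print("sample:  ", assess_preload(SAMPLE_PRELOAD, ALLOWLIST))
```

A "review" verdict is a starting point, not proof: confirm each unknown entry against the package manager's file ownership and a known-good hash, and remember that a rootkit already loaded into your shell can hide the file from `cat` and `ls`, so read the evidence from a clean boot or a forensic image where possible.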
2023-11-21 07:48:54 thehackernews MALWARE Malicious Apps Imitate Trusted Entities to Steal Data from Indian Users
A new malware campaign targeting Indian Android users has been discovered, using socially engineered messages to distribute fraudulent apps. Attackers use messaging platforms, particularly WhatsApp and Telegram, to trick users into installing malicious apps that impersonate banks and government agencies. The fraudulent apps harvest personal information, including banking details, payment card data and account credentials, and can intercept one-time passwords (OTPs). The lures send APK files directly through the messaging apps and create urgency by falsely claiming the recipient must update their permanent account number (PAN). Once installed, the apps request sensitive information from the user and transmit it to a command-and-control server or to an attacker-controlled phone number. Additional capabilities include hiding the app icon from the home screen and reading and sending SMS messages to facilitate financial fraud. Variants of the trojan have also targeted credit card details and cryptocurrency wallet information. Google and Samsung have introduced new security features to protect users against malicious app installations. Android users are reminded to scrutinize app permissions and the legitimacy of app developers.
2023-11-21 07:02:42 thehackernews NATION STATE ACTIVITY Mustang Panda Targets Philippines Amid Tensions over South China Sea
A cyber-espionage campaign linked to the China-based Mustang Panda group has targeted a Philippines government entity during heightened South China Sea tensions. Palo Alto Networks' Unit 42 identified three attacks in August 2023, mainly against organizations in the South Pacific, that used legitimate software to sideload malicious DLLs. Mustang Panda, tracked under various aliases, has been active since at least 2012 and uses spear-phishing to deliver its payloads for espionage against NGOs and governments worldwide. The Philippines government entity was likely compromised over five days in mid-August via sideloaded malware built to evade antivirus solutions. The actor also disguised C2 traffic as legitimate Microsoft communications and has consistently demonstrated persistent cyberespionage capability. Separately, a suspected South Korean APT actor, Higaisa, has been observed targeting Chinese users with phishing lures and Rust-based malware.
2023-11-21 01:06:51 bleepingcomputer MISCELLANEOUS Tor Project Cuts Off Relays Engaged in For-Profit Schemes
The Tor Project recently removed several network relays to protect user safety and network security. Relays are essential for anonymizing traffic in the Tor network but were misused for a cryptocurrency scheme. Some relay operators were unaware they were part of a high-risk project or were operating in dangerous regions. The community has debated policies about relay operations and what constitutes policy violations. Profit-driven relay operations conflict with Tor's ethos of volunteerism and fighting against internet censorship. The Tor network could face risks of invasive centralization if for-profit operations scale up significantly. BleepingComputer sought more information from The Tor Project without a response. Unconfirmed reports suggest nearly a thousand blocked relays may be linked to a service known as ATor (AirTor).