Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11696
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-19 16:17:51 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT Group Attacks Embassies Using WinRAR Exploit | Russian APT29, also known as Cozy Bear, targeted embassies with malware using a WinRAR exploit (CVE-2023-38831). Using a BMW car sale lure, APT29 delivered a malicious ZIP file containing a script that disguised its presence while executing a payload. The attacks affected multiple European countries, exploiting WinRAR versions prior to 6.23, allowing hidden execution of malicious code. APT29 utilized the Ngrok service's new feature of free static domains to stealthily communicate with the command and control server without detection. Previously, similar tactics were observed being used by other Russian groups, including APT28, to target political entities in the EU and Ukraine. The Ukrainian National Security and Defense Council report provides indicators of compromise to aid in the detection and prevention of similar attacks. | Details |
| 2023-11-19 15:01:18 | bleepingcomputer | CYBERCRIME | Researchers Exploit SSH Signing Flaws to Extract RSA Keys | A group of academic researchers discovered a flaw that allows extraction of RSA keys from faulty SSH server signatures. SSH, a secure communication protocol, and RSA, a public-key cryptosystem, can have vulnerabilities stemming from hardware errors during signature computations. The Chinese Remainder Theorem (CRT), which optimizes RSA computations, can leak key information if an error occurs during signature creation. The issue resembles an already addressed vulnerability in older TLS versions, but it was previously believed that SSH was immune to such attacks. The researchers' lattice-based attack methodology had a 100% success rate in uncovering private keys from SSH servers with erroneous signatures. Devices with the largest number of exposed signatures came from Zyxel, although Cisco had already introduced mitigations in some of their software. The paper recommends signature validation before transmission as a countermeasure, noting that OpenSSH's reliance on OpenSSL for signature generation is safer. | Details |
| 2023-11-19 03:33:58 | bleepingcomputer | CYBERCRIME | FCC Enacts Rules to Combat Rise in SIM-Swap Fraud | The FCC has announced new rules to protect consumers from SIM-swapping attacks and port-out fraud. New regulations were introduced to prevent scammers from accessing personal data through unauthorized SIM changes or number porting. SIM swapping involves tricking carriers into redirecting a victim's service to a device controlled by the fraudster, leading to potential financial losses and identity theft. The FCC now requires wireless service providers to use secure authentication before transferring phone numbers and to alert customers of SIM changes or port-out requests. Providers must also implement additional measures to protect customers from unauthorized SIM swapping and port-out attempts. This regulatory response follows an increase in consumer complaints and FBI warnings regarding the financial and personal impact of these types of cybercrimes. According to the FBI's Internet Crime Complaint Center, there has been a significant rise in reported SIM-swapping incidents and financial losses since 2018. | Details |
| 2023-11-18 16:13:30 | bleepingcomputer | CYBERCRIME | FCC Enacts Rules to Combat Rising SIM-Swapping Fraud | The FCC has adopted new rules to protect consumers from SIM-swapping attacks and port-out fraud. SIM swapping involves tricking carriers into redirecting a victim's phone service to a fraudster's device. Port-out fraud occurs when a scammer transfers a victim's phone number to a new carrier without authorization. These types of fraud can lead to significant financial loss, identity theft, and unauthorized access to personal accounts. The FCC now requires wireless service providers to implement secure authentication before porting numbers and to alert customers of any SIM change requests. The updated regulations are a response to an increasing number of consumer complaints and financial harm related to SIM swapping and port-out fraud. The FBI reported a sharp increase in SIM-swapping incidents and losses, highlighting the rapidly growing threat to consumers. | Details |
| 2023-11-18 15:07:17 | bleepingcomputer | MALWARE | Critical Vulnerability in CrushFTP Software Prompts Immediate Patching | A critical remote code execution vulnerability, CVE-2023-43177, was found in the CrushFTP enterprise suite. Unauthenticated attackers can exploit this vulnerability to access files, execute code, and obtain plain-text passwords. Converge security researchers discovered the vulnerability, and the developers released a patch in CrushFTP version 10.5.2. Converge has now published a proof-of-concept exploit, highlighting the urgency for users to update their software. The exploit process involves using unauthenticated mass-assignment to gain control over user session properties and establish admin-level access. It is estimated that around 10,000 public-facing CrushFTP instances may be affected, with additional instances likely behind corporate firewalls. Ransomware actors, particularly Clop, have shown interest in exploiting such vulnerabilities in file transfer products. Despite the patch, further security measures are recommended to fully mitigate the risks associated with CrushFTP vulnerabilities. | Details |
| 2023-11-18 11:28:50 | thehackernews | MALWARE | 8Base Ransomware Group Utilizes Phobos Variant for Attacks | Cybersecurity firm Cisco Talos has highlighted increased activity from the 8Base ransomware group, which is using a new variant of Phobos ransomware distributed by SmokeLoader malware. The Phobos variant is embedded in SmokeLoader payloads, which are decrypted and executed within the host's memory, a method that makes detection and analysis more difficult. 8Base's Phobos ransomware employs techniques to ensure persistence and neutralize data recovery options, and uses a configuration with over 70 options, including a UAC bypass. For enhanced speed, the malware fully encrypts files smaller than 1.5 MB and partially encrypts larger files, while an embedded RSA key offers a potential avenue for decrypting affected files. Connections between 8Base and RansomHouse have been noted, and Phobos is thought to be closely managed by a central authority and distributed as ransomware-as-a-service (RaaS). The report also mentions new developments in ransomware activity, including the advertising of the UBUD ransomware with anti-detection capabilities, and LockBit's updated negotiation tactics to streamline ransom demands based on victim company revenues. These findings come amidst reports of ransomware groups attempting to leverage government regulations to their advantage, as demonstrated by the BlackCat ransomware group's complaint to the SEC regarding a victim's delayed disclosure of a cyber attack. | Details |
| 2023-11-18 06:34:06 | thehackernews | NATION STATE ACTIVITY | Russian FSB-Linked Group Uses USB Worm in Ukrainian Espionage | A Russian FSB-affiliated cyber espionage group is deploying a USB worm, LitterDrifter, targeting Ukrainian entities. LitterDrifter spreads through USB drives and connects to Russian operatives' command-and-control servers. The worm is an evolution of a previously reported PowerShell-based USB worm and uses decoy LNK files for distribution. Check Point reported possible infections outside Ukraine, with evidence from multiple countries detected on VirusTotal. The malware aids in rapid and large-scale sensitive data exfiltration, following up on successful infiltration. The NCSCC has linked similar state-sponsored campaigns targeting European embassies to the Russian group APT29, which exploits a WinRAR vulnerability. Ukraine's CERT-UA has also reported a phishing campaign distributing Remcos RAT, part of a continuing pattern of Russian cyber attacks against Ukrainian state authorities. | Details |
| 2023-11-17 23:36:57 | bleepingcomputer | CYBERCRIME | Bloomberg Crypto Twitter Compromised in Discord Phishing Scam | The official Bloomberg Crypto Twitter account was hijacked to promote a phishing attack, redirecting users to a fake Discord server. A scammer used Bloomberg's old Telegram username to lure users into joining the counterfeit Bloomberg Discord with over 33,000 members. The fake Discord server used a bot to direct users to a phishing website designed to steal Discord credentials. The phishing site, disguised as a Discord verification service, attempted to capture login details by mimicking the legitimate AltDentifier bot. The malicious link was posted on the Bloomberg Crypto Twitter account and remained active for a brief period before being taken down. Threat actors target crypto community servers on Discord to gain access to accounts and promote scams, potentially leading to cryptocurrency theft. Bloomberg has not made an official statement and was not immediately available for comment regarding the incident. | Details |
| 2023-11-17 23:26:31 | bleepingcomputer | RANSOMWARE | Corporate Network Breaches Spike with Citrix Vulnerability Exploits | Ransomware groups are targeting exposed Citrix NetScaler devices using the Citrix Bleed exploit (CVE-2023-4966) to infiltrate organizations, steal data, and encrypt files. Victims of these ransomware attacks include big names such as Toyota Financial Services, ICBC, DP World, Allen & Overy, and Boeing. LockBit and Medusa ransomware gangs, among others, are utilizing the vulnerability, with Medusa increasing its presence with a new blog for data leaks. Despite attacks dropping by 15.12% in October, there was still a significant 54.67% year-on-year increase in ransomware victims. The BlackCat ransomware gang went a step further by filing an SEC complaint against a company for not disclosing a cyberattack, a tactic which may see more use in ransomware extortion. The FBI and CISA have been active in issuing warnings about various ransomware threats, including Royal, Rhysida, and the Scattered Spider hacker collective. Ransomware attacks caused disruptions at major institutions such as the British Library and Toronto Public Library, highlighting the broad reach of these threats. | Details |
| 2023-11-17 23:05:56 | bleepingcomputer | CYBERCRIME | Bloomberg Crypto Twitter Hacked for Discord Phishing Scam | The official Twitter account for Bloomberg Crypto was compromised to redirect users to a phishing site. Attackers set up a fake Telegram channel and Discord server to lure victims into providing Discord credentials. The fake Discord server used a bot to prompt verification through a phishing website masquerading as AltDentifier. Victims were given 30 minutes to 'verify' their account on the bogus website to gain full server access. The phishing link aimed to steal Discord login details under the guise of server security measures. The malicious link was identified and removed within 30 minutes after a crypto fraud investigator reported it. Such phishing attacks on crypto communities are common, with scammers seeking to steal cryptocurrency assets. Bloomberg has not yet commented on the situation publicly. | Details |
| 2023-11-17 18:09:55 | theregister | CYBERCRIME | LockBit Overhauls Negotiation Strategy Amid Affiliate Discontent | The LockBit ransomware group's leadership is adjusting its negotiation tactics due to affiliates' unsatisfactory ransom collection rates. The group experienced a decrease in ransom payments, citing less-experienced affiliates offering undue discounts and inconsistent negotiation outcomes. LockBit now enforces standardized guidelines on setting initial ransom amounts based on the victim's annual revenue and limits discounts to a maximum of 50%. Affiliates previously had autonomy in negotiations, leading to victims refusing payment after observing the potential for steep discounts. Incident responders are documenting negotiation behaviors, which influences victims' decisions to reject payment offers if they perceive a lack of fairness. LockBit issued a survey prior to implementing new rules to guide all future negotiations with victims starting October 1, 2023. Security analysts emphasize the importance of monitoring ransomware group tactics, as every negotiation carries unique aspects due to the affiliate-driven organizational structure. | Details |
| 2023-11-17 16:47:52 | bleepingcomputer | CYBERCRIME | Yamaha Motor Philippines Hit by Sophisticated Ransomware Attack | Yamaha Motor's Philippines subsidiary experienced a ransomware attack, leading to the unauthorized access and partial leak of employee data. External security experts were engaged immediately after the incident was detected on October 25 to investigate and mitigate damage. The incident was limited to a single server at Yamaha Motor Philippines, and there has been no reported impact on the headquarters or other group subsidiaries. The incident was reported to Philippine authorities, and efforts are underway to determine the full impact of the attack. The INC RANSOM gang has claimed responsibility for the breach, posting allegedly stolen data, around 37GB, on a dark web leak site. INC RANSOM, known for double extortion attacks since August 2023, typically breaches networks via spearphishing or exploiting vulnerabilities like Citrix NetScaler CVE-2023-3519. The threat actors engage in lateral movement within the network, data theft, and encryption of systems, followed by demanding ransom in return for decryption and other assurances. Victims face a 72-hour ultimatum to start negotiations, with the risk of public data disclosure if they refuse to comply with the ransom demands. | Details |
| 2023-11-17 16:06:46 | bleepingcomputer | CYBERCRIME | Multiple Governments Targeted by Zero-Day Exploit in Zimbra Email Server | Google's Threat Analysis Group (TAG) identified a zero-day vulnerability in Zimbra Collaboration email server used to compromise government systems. Hackers exploited the flaw, CVE-2023-37580, to steal emails, credentials, and authentication tokens from government entities in various countries. The vulnerability, an XSS issue, was exploited by at least four separate threat actors beginning on June 29. Attackers managed to auto-forward emails and lead victims to phishing pages before an official patch was released by Zimbra. Google alerted Zimbra to the active security breaches, prompting the release of an emergency hotfix, later followed by an official patch. The report highlights the significance of timely security updates and the risks posed even by medium-severity vulnerabilities. Multiple similar XSS vulnerabilities have been used to attack mail servers in the past, underlining a pattern of exploiting email platforms for cyber espionage. | Details |
| 2023-11-17 15:04:57 | theregister | MISCELLANEOUS | SonicWall Acquires Solutions Granted to Expand Cybersecurity Services | SonicWall, a cybersecurity firm, has acquired Solutions Granted, a Virginia-based Managed Security Service Provider (MSSP). The acquisition aims to meet customer demand for managed detection and response (MDR) and extended detection and response (XDR) services. SonicWall is now poised to offer U.S.-based Security Operations Center (SOC)-as-a-service for the first time. Solutions Granted's integration will provide capabilities in endpoint, cloud management, vulnerability assessment, and proven success in the managed security space. CEO Bob VanKirk emphasized the acquisition's crucial role in SonicWall's growth strategy and the importance of enhancing support for their partners in the cybersecurity market. All employees of Solutions Granted will join SonicWall post-acquisition, maintaining team integrity which both companies view as essential. SonicWall plans to develop an EU-based SOC to better address European partner needs while considering multiple factors such as language support and timezone coverage. | Details |
| 2023-11-17 14:13:20 | bleepingcomputer | CYBERCRIME | CISA Warns of Exploit Risks for Windows, Sophos, Oracle Bugs | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of new exploits targeting vulnerabilities in Microsoft, Sophos, and Oracle products. CISA has updated its Known Exploited Vulnerabilities catalog to include these actively exploited flaws, emphasizing the need for prompt action. Federal agencies are advised to apply security updates before December 7 to mitigate the risks associated with these vulnerabilities. CVE-2023-36584, a vulnerability within Microsoft systems, was addressed in the October 2023 Patch Tuesday updates but was not initially marked as actively exploited. A critical bug in Sophos Web Appliance, identified as CVE-2023-1671 and with a 9.8 severity score, allows for remote code execution on outdated software versions. Sophos Web Appliance has not been supported since July 20, and customers are urged to switch to Sophos Firewall for continued web protection. While CISA's KEV catalog targets U.S. federal agencies, it also acts as a global alarm for companies to secure their systems against these vulnerabilities. | Details |