Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11692
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-17 10:00:44 | thehackernews | MALWARE | Malicious Python Packages Discovered on PyPI Threaten User Security | An unknown attacker utilized PyPI to distribute 27 malware-laden packages posing as popular Python libraries. The malicious packages employed steganography to hide harmful payloads within image files, enhancing the attack's stealth. Download figures for these packages are in the thousands, with the majority originating from countries including the U.S., China, and Germany. The malware aims to establish persistence, steal sensitive data, and access cryptocurrency wallets. Two specific packages, pystob and pywool, are noted for exfiltrating stolen data to a Discord webhook and seeking persistence via a VBS file in the Windows startup folder. ReversingLabs reports protestware npm packages spreading political messages depending on the geographic location of the host. GitGuardian identified numerous secrets (API keys, SSH keys, etc.) exposed in PyPI projects, heightening the risk of unauthorized access or social engineering attacks. In response to the increasing threat, the U.S. government, including CISA, NSA, and ODNI, has issued new guidance for software developers to mitigate software supply chain risks. | Details |
| 2023-11-17 07:32:53 | thehackernews | CYBERCRIME | Scattered Spider Cybercrime Group Targeting Multifactor Authentication | U.S. cybersecurity and intelligence agencies have issued a warning about a cybercriminal group known as Scattered Spider. Scattered Spider utilizes sophisticated social engineering, such as phishing and SIM swapping, to steal data and bypass multi-factor authentication. The group employs BlackCat/ALPHV ransomware and a variety of remote access tools and malware like AveMaria, Raccoon Stealer, and Vidar Stealer. Microsoft considers Scattered Spider one of the most dangerous financial criminal groups, and the FBI is aware of the identities of some members. The group is part of the Gen Z cybercrime ecosystem called the Com, which has engaged in swatting attacks and other violent activities. Scattered Spider has been observed monitoring incident response efforts to adapt to defense measures and maintain access. The U.S. government advises the implementation of phishing-resistant multi-factor authentication and robust incident recovery strategies to mitigate such threats. | Details |
| 2023-11-17 06:00:59 | theregister | DATA BREACH | Samsung UK Customer Data Exposed in Year-Long Breach | Samsung Electronics UK has informed customers of a data breach affecting purchases made from July 1, 2019, to June 30, 2020. An unauthorized individual exploited a third-party application vulnerability, leading to the exposure of names, phone numbers, and addresses. This incident marks the third major data breach for Samsung globally in the past two years. The breach follows a serious incident in March 2022, where nearly 200GB of internal Samsung data was leaked by extortion group Lapsus$. Another breach occurred in the US in July 2022, with customer names, contact information, and product registration details compromised. Following these security incidents, a class action lawsuit was filed against Samsung, claiming the company collects and inadequately protects personal data. The lawsuit highlights customers being coerced into sharing data to maintain functionality of Samsung products, such as TVs and printers. Samsung has not provided a comment on the situation at the time of reporting. | Details |
| 2023-11-17 06:00:59 | thehackernews | CYBERCRIME | CISA Updates KEV Catalog with Actively Exploited Vulnerabilities | The Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited security flaws to its KEV catalog. The vulnerabilities include CVE-2023-1671, a pre-auth command injection issue, and CVE-2023-2551, a flaw in WLS Core Components compromising WebLogic Server. No in-the-wild attacks for CVE-2023-1671 and CVE-2023-2551 have been publicly reported yet. CVE-2023-36584 was used by pro-Russian APT group Storm-0978 in spear-phishing attacks targeting supporters of Ukraine's NATO admission efforts. Microsoft has patched CVE-2023-36584, which, along with CVE-2023-36884, formed part of an exploit chain delivering the PEAPOD malware variant of RomCom RAT. CISA advises federal agencies to apply the necessary fixes by December 7, 2023, to mitigate risks. Fortinet disclosed a critical command injection vulnerability (CVE-2023-36553) in FortiSIEM, with a fix available in newer versions of the software. | Details |
| 2023-11-17 01:46:34 | theregister | CYBERCRIME | Rackspace Faces $11M Ransomware Cleanup Bill Amid Lawsuits | Rackspace has reported approximately $11 million in expenses due to a ransomware attack, according to its SEC filings. The cyberattack specifically targeted Rackspace's hosted Microsoft Exchange services, impacting small and mid-size business customers. The incident was caused by a critical Exchange privilege escalation bug (CVE-2022-41080) before Microsoft issued a patch. In addition to direct expenses, Rackspace is also facing several lawsuits demanding compensatory relief due to the service disruptions. Insurance has partly offset the incurred costs, with Rackspace receiving $5.4 million in insurance payouts during a nine-month period. The company is unable to predict the final financial impact or outcome of the pending legal cases. Rackspace declined to provide any additional information on the ransomware-related losses and ongoing legal battles outside of what is legally required in SEC filings. The initially reported total expenses had been inaccurately calculated, but Rackspace confirmed the figure stood at $10.9 million, subject to reductions from insurance proceeds. | Details |
| 2023-11-17 00:14:35 | theregister | CYBERCRIME | FBI Intensifies Hunt for Scattered Spider Cybercrime Syndicate | The FBI is dedicating significant resources to locate and neutralize the Scattered Spider cybercrime group, responsible for major casino hacks. Despite the lack of public arrests, substantial efforts are being made behind the scenes to counter this group's criminal activities. Scattered Spider is known for its high-profile network intrusions and ransom demands, targeting at least 100 organizations, including Caesars Entertainment and MGM Resorts. Victims face demands for large sums of money to prevent data leaks, with those refusing to pay experiencing severe operational disruptions and financial losses. The group, which has been linked to the ALPHV/BlackCat ransomware operation, also employs social engineering, SIM swapping scams, and MFA resets to gain network access. A joint advisory from the FBI and CISA outlines Scattered Spider's tactics and urges victims to report incidents to improve collective cybersecurity defenses. The FBI and CISA stress the critical role of victim reporting in enabling law enforcement to take action against cybercriminals like Scattered Spider. | Details |
| 2023-11-16 22:27:26 | bleepingcomputer | CYBERCRIME | Long Beach Initiates IT Shutdown After Targeted Cyberattack | Long Beach, California, experienced a significant cyberattack, leading to a preemptive shutdown of its IT network. The attack occurred on November 14th, and officials are working with a cybersecurity firm and have notified the FBI. Essential services such as emergency responses are operational, but digital services may face disruptions. Although the exact nature of the attack hasn't been confirmed, it shares characteristics of a ransomware incident. There has been no immediate claim of responsibility from threat actors, and the potential for data theft remains uncertain. The cyberattack on Long Beach marks the 80th local government ransomware attack in the United States in 2023, with almost half involving data theft. Public city services may experience delays during the investigation and recovery efforts. | Details |
| 2023-11-16 21:56:02 | bleepingcomputer | NATION STATE ACTIVITY | FBI Exposes Tactics of 'Scattered Spider' Hacker Group | The FBI and CISA issued an advisory detailing the methods of 'Scattered Spider', a group linked to Russian ransomware operations. Investigators describe the group as young, English-speaking hackers with diverse talents, not formally organized but connected via online forums. An array of sophisticated social engineering techniques, including phishing and SIM swapping, are employed to access targeted networks. Scattered Spider engages in identity theft, both digitally and socially, by mimicking IT personnel and creating false online personas. This threat actor has been responsible for significant cyberattacks on corporations like MGM Casino and Caesars Entertainment, employing ransomware for extortion. Researchers have found the members capable of a wide range of cybercrimes, from technical hacking to advanced social engineering and issuing violent threats. The FBI is aware of the identities of several group members but has not yet proceeded with indictments or arrests. The advisory concludes with mitigation recommendations to counteract the techniques used by Scattered Spider, with an emphasis on testing security controls against MITRE ATT&CK techniques. | Details |
| 2023-11-16 21:24:49 | theregister | CYBERCRIME | Rackspace Incurs $12M Expense Post-Ransomware Attack Recovery | Rackspace has reported to the SEC that the ransomware attack recovery and associated costs have amounted to $12 million. The December 2022 ransomware incident disrupted its hosted Microsoft Exchange services, affecting numerous small and mid-sized business customers. The attack was attributed to the Play crew, exploiting an unpatched critical Exchange privilege escalation bug, CVE-2022-41080. Rackspace's recent 10-Q filing reveals $5.1 million in costs from April to September 30, 2023, for investigation, remediation, and legal fees. Insurance has offset some of the expenses, with payouts totaling $5.4 million. Rackspace faces several lawsuits seeking compensatory relief due to the service disruptions caused by the ransomware, but the outcomes and potential costs are uncertain. The company has declined to comment on its ransomware-related losses or ongoing legal matters, referencing its policy on pending litigation disclosures. | Details |
| 2023-11-16 20:13:02 | bleepingcomputer | MALWARE | 'Ddostf' Botnet Enslaves MySQL Servers for DDoS Attacks | MySQL servers are being compromised by the 'Ddostf' botnet, affecting both Windows and Linux systems. AhnLab Security Emergency Response Center identified the campaign targeting MySQL servers to use them in a DDoS-as-a-Service scheme. Attackers exploit vulnerabilities in MySQL or brute-force weak admin credentials to control the servers. The botnet, of Chinese origin and detected approximately seven years ago, employs a variety of DDoS attack methods. Ddostf's flexibility in switching C2 (command and control) servers makes it particularly resilient to being disabled. Recommendations for administrators include applying updates and using strong, unique passwords to defend against brute-force attacks and vulnerability exploitation. | Details |
| 2023-11-16 19:05:49 | bleepingcomputer | DATA BREACH | Toyota Financial Services Targeted in Ransomware Data Breach | Toyota Financial Services (TFS) confirms unauthorized system access in its Europe and Africa operations after Medusa ransomware gang's claims. Medusa ransomware demands $8 million from Toyota, threatens data leak, and exposes stolen samples including financial documents and passwords. TFS, a Toyota Motor Corporation subsidiary, offers financing in most markets where Toyota vehicles are sold. The breach potentially exploited an outdated Citrix Gateway endpoint vulnerability known as Citrix Bleed. Toyota Financial Services is collaborating with law enforcement and working to restore affected systems, starting with locations where the incident was contained. Security analyst Kevin Beaumont notes the possibility of other ransomware groups exploiting Citrix Bleed following recent similar breaches at major organizations. | Details |
| 2023-11-16 16:11:14 | thehackernews | NATION STATE ACTIVITY | Zero-Day Email Vulnerability Targeted by Global Hacker Groups | A reflected cross-site scripting (XSS) vulnerability, CVE-2023-37580, in Zimbra email software was exploited by four hacker groups. Google Threat Analysis Group (TAG) reported the flaw was used to steal email data, credentials, and authentication tokens, often after the fix was posted on GitHub. Zimbra released patches on July 25, 2023, but exploitation was observed as early as June 29, two weeks before the advisory. The first group, TEMP_HERETIC, targeted a Greek government organization and deployed malware known as EmailThief. Winter Vivern exploited the flaw to attack Moldova and Tunisia government bodies, and has previously been linked to other email server vulnerabilities. A third unidentified group phished for Vietnamese government credentials, while a fourth compromised a Pakistani organization to exfiltrate Zimbra tokens. Google TAG stressed the urgency for organizations to apply server patches promptly and the trend of attackers exploiting mail server XSS vulnerabilities by monitoring open-source repositories. | Details |
| 2023-11-16 16:05:36 | bleepingcomputer | DATA BREACH | Samsung UK Online Store Suffers Data Breach Exposing Customer Details | Samsung Electronics has alerted some customers to a data breach involving their personal information. The breach specifically affected customers of the Samsung UK online store who made purchases from July 1, 2019, to June 30, 2020. A hacker exploited a vulnerability in a third-party application used by Samsung to gain access to customer data. Personal information compromised includes names, phone numbers, and addresses, but financial data and passwords remain secure. The breach is confined to the UK and does not impact U.S. customers, employees, or retailer data. Samsung has addressed the security issue and reported the incident to the UK's Information Commissioner's Office. This incident marks Samsung's third data breach within two years, with previous breaches in July 2022 and by Lapsus$ in March 2022. | Details |
| 2023-11-16 15:49:50 | theregister | MALWARE | Microsoft Update Causes VM Failures on ESXi Hosts | Microsoft's October update (KB5031364) for Windows Server 2022 included fixes and changes but led to system crashes on VMware ESXi hosts. Affected virtual machines experienced a blue screen with Stop code "PNP DETECTED FATAL ERROR" upon booting after the update. To be susceptible, virtual machines needed to be on AMD Epyc processors, with specific IOMMU and security settings enabled. The problem was addressed in November's update (KB5032198), but widespread issues raised concerns about Microsoft's update quality. Administrators had to employ various workarounds before the fix, such as adjusting settings, removing files, or uninstalling the problematic update. This wasn't Microsoft's first problematic update, with previous incidents also impacting Hyper-V and VMware ESXi-hosted virtual machines. Concerns are mounting over the declining quality of Microsoft updates, emphasizing the need for caution and preparedness among system administrators. | Details |
| 2023-11-16 15:23:36 | bleepingcomputer | MALWARE | Critical Remote Execution Vulnerability Found in FortiSIEM | Fortinet has alerted customers to a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2023-36553. This flaw enables remote, unauthenticated attackers to execute commands via crafted API requests, posing a significant security risk. The vulnerability affects FortiSIEM, which is widely used across various sectors including healthcare, finance, retail, and government. The severity score assigned by Fortinet is 9.3, while NIST rates it higher at 9.8, indicating the seriousness of the vulnerability. CVE-2023-36553 is related to a previously addressed vulnerability, CVE-2023-34992, pointing to a recurring security challenge. Compromising such systems is particularly attractive to hackers, including state-sponsored groups, due to the access it provides to sensitive organizational networks. System administrators are urged to update affected systems to versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 to mitigate the risk. | Details |