Daily Brief

2023-11-14 11:06:15 theregister MALWARE New 'Effluence' Malware Targets Atlassian Confluence Servers
A novel malware named Effluence has been discovered targeting Atlassian Confluence servers, exploiting a critical vulnerability. Effluence persists on infected systems even after the Confluence server has been patched, providing attackers with remote access capabilities. Patches for the vulnerability were released on October 31, but organizations are encouraged to investigate further, as the malware is challenging to detect. Unlike typical web shells, Effluence does not require the attacker to log into Confluence, instead hijacking the Apache Tomcat webserver to gain access. The malware allows for a comprehensive range of command executions, sharing similarities with the Godzilla web shell. Effluence does not leave obvious indicators of compromise, complicating efforts for defenders to identify infections. Manual review of installed plugins and monitoring of static pages and response sizes against baseline are recommended for detection. While Effluence mainly targets Confluence, there is potential for the malware to affect other Atlassian products through common APIs.
2023-11-14 10:05:03 thehackernews NATION STATE ACTIVITY IronWind Malware Campaign Targets Middle East Governments
Proofpoint has identified a phishing campaign targeting Middle East government entities to deliver the IronWind malware. The campaign, active from July to October 2023, is attributed to TA402, also known as Molerats, Gaza Cyber Gang, and APT-C-23. TA402 uses compromised email accounts, Dropbox links, and file attachments (XLL, RAR) to distribute the malware and deploy advanced persistent threats. IronWind represents a tactical shift from previous campaigns that propagated the NimbleMamba backdoor, pointing to the group's evolving strategies. The malware triggers multi-stage sequences to contact attacker-controlled servers and download additional payloads, including the SharpSploit post-exploitation toolkit. Social engineering and geofencing are among the sophisticated techniques employed by TA402 to maintain targeted activity and avoid detection. Despite ongoing regional conflicts, TA402's operations continue, reflecting the group's commitment to collecting intelligence and engaging in cyber espionage.
2023-11-14 08:08:02 thehackernews CYBERCRIME Vietnamese Malware Campaign Targets Facebook Business Accounts in India
Vietnamese hackers have been targeting Indian marketing professionals to hijack Facebook business accounts using new Delphi-powered malware. The attackers used Facebook sponsored ads to spread malicious ads and malware that steals login cookies and controls the victims' accounts. The malware campaign involved sending archive files with a malicious executable disguised as a PDF, which deploys a PowerShell script and a decoy PDF document. A rogue library named libEGL.dll is downloaded, which alters Chromium-based web browser shortcuts to load a rogue extension that hijacks Facebook business accounts. The rogue extension mimics the legitimate Google Docs Offline add-on, evading detection while stealing information from open tabs and Facebook accounts. Google filed a lawsuit against individuals in India and Vietnam for using Bard, Google's AI product, as a lure to spread malware and steal social media credentials. Earlier in the year, Meta reported deceptive browser extensions in official stores claiming to offer ChatGPT tools, and Meta blocked over 1,000 unique malicious URLs from being shared on its services.
2023-11-14 08:02:47 theregister NATION STATE ACTIVITY ETSI to Release TETRA Radio Encryption Algorithms for Research
ETSI plans to make TETRA radio encryption algorithms public, allowing academic research and vulnerability testing. TETRA is used by government, law enforcement, and emergency services across Europe and the UK for secure communications. Security firm Midnight Blue revealed five critical vulnerabilities that could let attackers intercept TETRA communications. The decision to open source TETRA cryptographic algorithms followed unanimous agreement by the technical committee overseeing the standard. Opening the encryption algorithms to the public domain aims to increase security by enabling independent reviews and bug fixes. TEA 1, 2, 3, and 4 are the original set of TETRA Air Interface cryptographic algorithms, with three new quantum-resistant algorithms, TEA 5, 6, and 7, added in 2022. Researchers delayed the disclosure of vulnerabilities for 1.5 years due to the sensitive nature of TETRA networks and the complexity of implementing fixes. The move to publish the algorithms does not yet have a set date, but aims to enhance security measures against the future threat of quantum computing decryption.
2023-11-14 07:06:27 theregister NATION STATE ACTIVITY UK's National Cyber Security Centre Raises Alarm on CNI Cybersecurity
The UK National Cyber Security Centre (NCSC) has declared that the cybersecurity resilience of critical national infrastructure (CNI) is not adequate. The annual report highlights the increasing threats, particularly from nation states such as Russia, China, Iran, and North Korea, and state-aligned actors. The NCSC is working towards enhancing security across CNI sectors in the face of evolving threats, aiming to keep pace with the adversaries and improve resilience. Serious cyber-attacks on critical services, such as Royal Mail International and NHS supplier Advanced, demonstrate the immediate risks to the UK's CNI. The report calls for a better baseline in cybersecurity across all CNI sectors by 2025, including the need for information sharing and international cooperation to build resilience. Commercial pressures on CNI operators, particularly in the private sector, can sometimes lead to cybersecurity being deprioritized in favor of shareholder value. International efforts and new regulations, including the US's Critical Infrastructure Act and the EU's NIS2, CER, and DORA, aim to improve CNI cybersecurity standards globally.
2023-11-14 06:04:37 theregister NATION STATE ACTIVITY Hikvision Accused of Building Surveillance to Identify Fasting Students
US-based research group IPVM has accused Hikvision of creating technology to monitor Muslim students fasting during Ramadan. Hikvision, on its LinkedIn page, confirmed winning a tender for a smart campus project but denied developing features to identify ethnic minorities. The government contract required the implementation of a "Smart Campus" system at Minjiang University, which included monitoring various student activities. The system reportedly has a feature for "Assisted Analysis Of Ethnic Minority Students," potentially alerting administrators about students who fast. The smart campus system tracks extensive personal details such as library activity, holiday travel, passport use, and party membership applications. Concerns are raised due to China's history of human rights violations against Muslim minorities, including bans on fasting for some government workers. Hikvision had previously been implicated in providing technology to identify Uyghur Muslims, a claim it denied, stating that such identification features were removed in 2018.
2023-11-14 06:04:37 thehackernews NATION STATE ACTIVITY CISA Orders Urgent Patching for Exploited Juniper OS Flaws
CISA has mandated federal agencies to fix critical vulnerabilities in Juniper Junos OS by November 17, 2023. The directive responds to active exploitation of five security flaws, potentially allowing remote code execution on affected devices. Juniper acknowledges confirmed exploitations and urges customers to update systems immediately. The exploitation details remain undisclosed, highlighting the urgency for mitigation. CISA also reports potential rebranding of Royal ransomware to BlackSuit, noting coding similarities. Cyfirma reveals critical exploit sales on darknet, indicating heightened risk from ransomware gangs. Healthcare organizations are targeted via ScreenConnect; hacking groups seek persistent access through remote access tools.
2023-11-14 02:41:14 theregister CYBERCRIME Academic Study Exposes Vulnerabilities in SSH Key Generation
A recent academic study uncovered a method to compromise SSH server private RSA keys on certain devices by exploiting computational errors. The vulnerability does not affect systems using OpenSSL, LibreSSL, or OpenSSH, sparing a significant portion of internet-connected devices. Impersonation of devices through man-in-the-middle attacks could allow attackers to intercept user login information and monitor their activities. The research found that faulty signatures due to computational errors could be used to deduce private SSH keys by passive network monitoring. The team scanned billions of SSH records over seven years, identifying over 590,000 invalid RSA signatures and deriving private keys from 4,900 of them. Four manufacturers—Cisco, Zyxel, Hillstone Networks, and Mocana—were found to have products susceptible to key compromise; Cisco and Zyxel have since addressed the issue. The study suggests that certain Internet-of-Things devices and embedded systems may be at risk, and it calls for further research into potential vulnerabilities in IPsec implementations.
2023-11-14 01:04:38 theregister CYBERCRIME Google Targets Scammers for Fake Bard Chatbot and DMCA Abuse
Google has filed a lawsuit against three individuals for distributing malware disguised as its Bard AI chatbot, intended to steal social media credentials from small businesses. The tech giant is seeking legal action for trademark infringement, citing the unauthorized use of its logos in fraudulent advertisements promoting the fake Bard download. Google aims to secure a court order preventing the scammers from establishing domains and to enable domain registrars in the US to disable such domains. If successful, the lawsuit could deter future scams and establish a clearer mechanism for addressing similar fraudulent activities. In a separate lawsuit, Google is combating another group for exploiting the DMCA takedown process by filing false copyright claims against competitors, which has led to the unjustified removal of content from Google Search. Additionally, a federal judge has dismissed some claims in a lawsuit against Meta's Llama language model, which authors and a comedian accused of copyright infringement; however, the judge offered the plaintiffs an opportunity to amend their complaint. Google has filed approximately 300 takedown notices related to the scam group and seeks damages, including profits made from the scam.
2023-11-13 21:45:41 bleepingcomputer CYBERCRIME Ethereum 'Create2' Exploited to Steal $60 Million in Crypto
Cybercriminals exploited Ethereum's 'Create2' function to steal $60 million from 99,000 victims over six months. 'Create2' allows the pre-calculation of contract addresses, enabling the deployment of contracts that bypass wallet security alerts. The attackers trick victims into transferring assets to seemingly legitimate but malicious addresses created using 'Create2'. In one observed case, a victim lost $927,000 in GMX tokens after signing a transaction to a pre-computed address. Another method, 'address poisoning,' involves creating addresses similar to known ones, deceiving users into sending assets to the attackers. Scam Sniffer detected 11 victims of 'address poisoning,' with one losing $1.6 million in a single transaction. MetaMask and other crypto service providers have issued warnings about these kinds of sophisticated scams. The security community advises thorough verification of recipient addresses in all cryptocurrency transactions to prevent falling victim to such scams.
2023-11-13 20:44:18 bleepingcomputer CYBERCRIME Royal Ransomware Demands Top $275 Million From Global Victims
The Royal ransomware gang has targeted over 350 organizations worldwide, with ransom demands exceeding $275 million since September 2022. The FBI and CISA updated their advisory to include the latest information on the Royal ransomware operation's methods and victims. The gang frequently uses phishing emails to gain initial access and executes data exfiltration and extortion before encrypting the victims' data. If ransoms are not paid, the Royal ransomware gang publishes the victims' data on a leak site. Advisories suggest Royal ransomware may be linked to, or considering a rebrand with, BlackSuit ransomware, which shares similar coding characteristics. Royal Ransomware has connections to the infamous Conti cybercrime gang and has shown an increased intensity in malicious activities since September 2022. The gang has the capability to encrypt Linux systems targeting VMware ESXi virtual machines and conducts callback phishing attacks for network infiltration.
2023-11-13 19:07:09 bleepingcomputer CYBERCRIME Major Cyberattack Paralyzes DP World's Australian Port Operations
A cyberattack targeted DP World Australia, causing significant disruption in Australian ports. DP World holds a pivotal role, managing about 10% of global container traffic with operations in 40 countries. The attack, occurring on November 10, impacted land-side freight, leaving about 30,000 containers immobile. The company's emergency protocols were activated, and cybersecurity experts are involved in efforts to restore systems. Operations are resuming slowly; delayed goods include critical and time-sensitive items, with damages estimated in millions. An ongoing internal investigation is probing data access issues; there is no confirmation of data exfiltration yet. DP World Australia has contacted the Office of the Australian Information Commissioner amid concerns of potential personal information compromise.
2023-11-13 17:23:58 bleepingcomputer CYBERCRIME CISA Alerts Agencies to Secure Juniper Devices Against RCE Exploits
CISA has issued a warning for federal agencies to address critical vulnerabilities in Juniper devices by updating or restricting access to the J-Web interface. The urgency comes after Juniper confirmed that the vulnerabilities (CVE-2023-36844 to CVE-2023-36847) have been actively exploited in the wild. ShadowServer and watchTowr Labs detected exploitation attempts and emphasized the ease of exploiting these flaws due to the crucial role JunOS devices play in networks. Over 10,000 Juniper devices with exposed J-Web interfaces were identified, necessitating immediate security upgrades. CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch Agencies (FCEB) to secure affected devices within four days. While the mandate mainly concerns U.S. federal agencies, CISA strongly advises all entities, including private companies, to prioritize fixing the vulnerabilities to prevent potential risks.
2023-11-13 16:58:13 bleepingcomputer MALWARE BiBi Wiper Malware Threatens Windows and Linux Systems in Israel
Israeli authorities have issued a warning about the BiBi wiper malware attacking Linux and Windows computer systems. Security firms ESET and SecurityJoes identified the Linux iteration of the malware in late October, attributing it to pro-Hamas hacktivists. Israel's CERT released an alert with indicators to help detect and prevent the malware, urging organizations to implement them in their security systems and report any detections. The wiper malware, without ransom or encryption, irreversibly destroys data by overwriting files and impairs system recovery by disabling backups and recovery modes. The Windows variant of BiBi avoids damaging system-critical .EXE, .DLL, and .SYS files, but renames other files with random bytes and characters to complicate restoration. Initial infection methods are currently unknown, but the malware is designed to use multiple threads for rapid execution, and uses simple obfuscation methods to bypass older antivirus detection. Connections have been drawn between the Karma hacktivist group, believed to be orchestrating the campaign, and previous Iranian hacker activities noted for similar data disruption tactics. Detection tools for the malware have been provided by BlackBerry, SecurityJoes, and Israel's CERT, including YARA rules and file hashes.
2023-11-13 15:05:55 bleepingcomputer CYBERCRIME Criminal IP Teams Up with Cisco SecureX/XDR for Improved Threat Intelligence
AI SPERA has integrated its Cyber Threat Intelligence search engine, Criminal IP, with Cisco SecureX/XDR to enhance cyber threat analysis. The integration aims to help organizations detect and mitigate threats more effectively by prioritizing risks and offering real-time insights. Cisco SecureX provides a unified platform with automation and intuitive threat detection and response capabilities. Through the integration, users can assess risks with enriched threat intelligence data, including real-time risk scores for IPs and domains. Features include access to detailed threat information such as open ports, vulnerabilities, WHOIS data, connected domains, phishing scores, and abuse history. This new capability will be available via the Integration Modules tab and can be accessed by contacting AI SPERA for the integration code. AI SPERA's service Criminal IP launched globally on April 17, 2023, and has established partnerships with major global security firms.