Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11688

Checks for new stories every ~15 minutes

2023-11-09 22:23:36 theregister CYBERCRIME Intel Faces Lawsuit for Allegedly Ignoring Known Chip Vulnerability
Intel is being sued for not addressing a known security flaw in its AVX chip instruction set, which led to the recent "Downfall" vulnerability. Plaintiffs claim Intel was aware of the chip's susceptibility to side-channel attacks since 2018, but only patched the issue in 2023 after public disclosure. The Downfall vulnerability allows attackers to potentially read sensitive data, like encryption keys, from a computer's memory. Intel Core processors from the 6th to 11th generation are affected by the flaw, which can significantly slow down computer performance when patched. The lawsuit accuses Intel of failing to redesign its chips to be secure while speculatively executing AVX instructions, despite being aware of the problem. Secret buffers related to the AVX instructions were not publicly disclosed and these "backdoors" were not addressed by prior mitigations for earlier Spectre and Meltdown flaws. Plaintiffs using patched systems have experienced performance degradation in various applications and games. Intel has opted not to comment on the lawsuit.
2023-11-09 21:47:42 bleepingcomputer DATA BREACH Kyocera AVX Components Corporation Victimized by Ransomware, 39,000 Affected
Kyocera AVX Components Corporation experienced a data breach affecting 39,111 individuals due to a ransomware attack. Personal information such as full names and Social Security Numbers was compromised during the incident. The breach occurred between February 16 and March 30, 2023, with system encryption and service disruptions noted on March 30, 2023. The LockBit ransomware group claimed responsibility, publishing stolen data including sensitive documents and schematics. Kyocera AVX has started notifying affected individuals and is offering a free 12-month dark web monitoring and password leak service. There's currently no evidence of misuse of the stolen data, but Kyocera AVX warns affected individuals about potential risks of fraud and identity theft.
2023-11-09 19:55:01 bleepingcomputer CYBERCRIME Ransomware Disrupts Global Bank, Strains U.S. Treasury Market
The Industrial & Commercial Bank of China (ICBC) is recuperating from a ransomware attack that affected U.S. Treasury settlements and equities clearing. The cyberattack spurred the Securities Industry and Financial Markets Association to alert its members, indicating widespread concern. ICBC's clearing customers faced significant disruptions, leading to a temporary suspension of orders and inbound FIX connections. Ongoing recovery efforts are in place, with financial sector participants and federal regulators maintaining vigilant communication. The U.S. Treasury is actively monitoring the cybersecurity breach and its potential ramifications across financial systems. No immediate response was available from an ICBC USA spokesperson, although industry experts have confirmed the ransomware attack. An unpatched security vulnerability on an ICBC Citrix server, dubbed 'Citrix Bleed', is linked to the cyberattack. ICBC stands as the world's largest commercial bank by revenue, serving millions of individual and corporate customers globally.
2023-11-09 17:06:40 theregister CYBERCRIME SolarWinds Rebuts SEC Allegations on Cybersecurity Practices
SolarWinds has vehemently disputed the SEC's lawsuit concerning the SUNBURST cyberattack, contending the charges are legally and factually baseless. The company defends its cybersecurity posture pre-attack, refuting the SEC's claims of insufficient security controls and misrepresentation of their adherence to the NIST framework. SolarWinds accuses the SEC of attempting to extend its regulatory domain without the appropriate authority or expertise in cybersecurity regulation. The SEC lawsuit alleges misleading statements by SolarWinds and its CISO to investors about the company's security practices and known vulnerabilities. SolarWinds contends its investor disclosures were accurate and argues deep disclosures of security weaknesses could aid potential attackers, an industry-wide concern. The case highlights a complex issue of transparency versus security risk, with the potential to shape future cybersecurity practices and regulations. SolarWinds argues the SEC lawsuit could disincentivize internal discussions on cybersecurity risk improvement and drive skilled professionals away from the industry.
2023-11-09 16:56:15 thehackernews MALWARE Lace Tempest Exploits Zero-Day in SysAid Software for Malware Delivery
The Lace Tempest threat actor exploited a zero-day vulnerability in SysAid IT support software, tracked as CVE-2023-47246. The flaw, a path traversal issue, could allow code execution and has been patched in version 23.3.36 of the SysAid software. Exploitation involved Lace Tempest uploading a malicious WAR archive to deliver a web shell, enabling backdoor access and subsequent malware deployment. Attackers loaded Gracewire malware using a delivered PowerShell script and employed Cobalt Strike for post-exploitation activities. Organizations using SysAid are urged to apply the provided patches immediately to prevent potential ransomware attacks. The U.S. FBI has warned of ransomware attackers targeting third-party vendors and system tools for malicious activities, including the Silent Ransom Group's extortion methods. The FBI alert highlighted the ongoing trend of cybercriminals using legitimate tools for system compromise and extortion.
2023-11-09 16:15:14 bleepingcomputer MALWARE Google Ads Exploited to Spread Redline Malware via Fake CPU-Z App
Google Ads has been misused to distribute a trojanized version of the CPU-Z tool, which delivers the Redline info-stealing malware. Malwarebytes analysts identified the campaign and linked it to previous malvertising operations that targeted users with malicious Notepad++ downloads. Victims are lured to a cloned Windows news site where a seemingly trustworthy 'Download now' button delivers a signed installer containing a malicious script. The FakeBat malware loader in the MSI file silently fetches and activates the Redline Stealer payload on the victim's system without triggering security warnings. Redline malware is capable of harvesting a wide array of personal data, including passwords, cookies, browser data, and cryptocurrency wallet information. Users are advised to exercise caution when clicking on Google Search ads and ensure the authenticity of the domain or employ ad-blockers to evade such threats.
2023-11-09 16:09:56 bleepingcomputer MALWARE Google Ads Exploited to Distribute Redline Malware via Fake CPU-Z App
A malicious campaign has been discovered using Google Ads to distribute a trojanized CPU-Z tool, which delivers Redline info-stealing malware. Malwarebytes analysts linked this malvertising operation to a previous one involving a fake Notepad++ update. The ad directs users to a convincing clone of WindowsReport, a legitimate Windows news site, which hosts the harmful download. The trojanized CPU-Z installer is signed with a valid certificate, reducing the likelihood of detection by security software. Victims who download and execute the file encounter the 'FakeBat' malware loader, which then retrieves and executes the Redline Stealer on the computer. Redline Stealer can collect a wide array of personal information from the victim’s machine, including passwords, cookies, and cryptocurrency wallet data. Users are advised to be cautious when clicking on promoted search results and to verify website authenticity or to use ad-blockers to prevent exposure to such threats.
2023-11-09 14:32:34 bleepingcomputer CYBERCRIME Microsoft Warns of Clop Ransomware Exploiting SysAid Zero-Day
A zero-day vulnerability in SysAid software has been exploited to launch Clop ransomware attacks. Microsoft’s Threat Intelligence Center identified the exploitation of the vulnerability, CVE-2023-47246, initially observed on November 2. The vulnerability allows attackers to perform unauthorized code execution on affected SysAid servers. Hackers gained access through a WAR file uploaded to the webroot, enabling them to deploy a webshell, execute scripts, and eventually download GraceWire malware. SysAid has issued a software update that patches the vulnerability, urging users to upgrade to version 23.3.36 or later. Attackers specifically checked for the absence of Sophos security products before proceeding with their malicious activities. Post-attack, threat actors attempted to delete evidence by removing activity logs and set up a Cobalt Strike listener for continued access. Indicators of compromise have been shared by SysAid, including file names, hashes, and IP addresses linked to the attack.
2023-11-09 13:31:18 thehackernews MALWARE Fake Windows News Site Spreads Malware via Malvertising Campaign
A new malvertising campaign is impersonating a legitimate Windows news portal to distribute a malicious version of a system profiling tool called CPU-Z. Fake sites are also targeting utilities like Notepad++, Citrix, and VNC Viewer, employing domain names and cloaking techniques to evade detection. When users click on the malicious ads, they are redirected to a fraudulent website that hosts a signed MSI installer with a harmful PowerShell script. The installer deploys a loader called FakeBat, which in turn installs RedLine Stealer to compromise the user's system. Cloaking methods show an innocuous blog to non-targeted users, concealing the malware distribution to targeted individuals. The misuse of Google Ads for distributing malware is part of a broader trend that includes other methods like AiTM phishing kits and the Wiki-Slack attack technique. eSentire highlights vulnerabilities in platforms like Slack where previews of Wikipedia links can be manipulated to point to malicious websites.
2023-11-09 12:40:07 theregister CYBERCRIME Advanced Cybercriminals Exploit Zero-Day in SysAid Software
The cybercriminals behind the MOVEit attacks have exploited a fresh zero-day vulnerability in on-prem SysAid IT service desk software, linked to Lace Tempest, an affiliate of the Cl0p ransomware gang. Microsoft's Threat Intelligence discovered the attack, which affected a limited number of SysAid customers, and immediately reported it to SysAid for patching. The attackers achieved code execution by uploading a WAR archive with a web shell into SysAid's Tomcat web service, allowing PowerShell scripts to install malware and erase evidence. SysAid promptly released patches, and users are advised to upgrade to the fixed version, check for indicators of compromise, and monitor any suspicious file uploads or child processes spawned by Wrapper.exe. Lace Tempest's sophisticated techniques are comparable to those of a nation-state Advanced Persistent Threat (APT) group, with a history of significant cyberattacks this year. Cl0p, known for ransomware with double extortion, has recently opted for pure data extortion without encryption, a shift in tactics echoing broader trends in the cybercrime landscape.
2023-11-09 11:13:23 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Utilize LOTL Tactics for Targeting Power Grid
Russian state hackers, identified as the Sandworm group, have adopted living-off-the-land (LOTL) techniques to disrupt critical industrial control systems, particularly in Ukraine. Sandworm's new methods facilitate quicker and more resource-efficient attacks on power infrastructure, presenting an increased challenge for detection. Mandiant responded to an attack in Ukraine, attributing it to Sandworm, which accessed operational technology (OT) environments as early as June 2022. During an October 2022 power outage, Sandworm executed native MicroSCADA utility commands to disable substations, indicating a strategic use of LOTL techniques. Subsequently, Sandworm employed the CADDYWIPER data-destroying malware on IT environments but spared the SCADA system and hypervisor, hinting at possible operational miscoordination. Analysis revealed that the hackers prepared for system disruption several weeks in advance, possibly coordinating with missile strikes for greater impact. Mandiant asserts the evolution in Sandworm's OT arsenal suggests a capability to exploit OT systems from various vendors, increasing the threat to global infrastructures.
2023-11-09 10:58:01 thehackernews MISCELLANEOUS Wing Security Enhances Email Forwarding Risk Mitigation
Wing Security has expanded its SaaS security capabilities to address the risks associated with email auto-forwarding rules that may harm data security. The company now offers integrations for Gmail and Outlook as part of its solution to identify and control unintended sharing of sensitive information via auto-forwarded emails. Auto-forwarding emails are widely used for efficiency but pose risks by potentially sharing confidential data with external parties without authorization. Wing's shadow IT discovery process is designed to identify and mitigate unauthorized SaaS application use within an organization, enhancing security and compliance. The company's solution includes connecting to major SaaS applications, scanning endpoints for SaaS signature detection, and the new email scanning feature to uncover SaaS usage. Customers benefit from the ability to not only detect risky behavior but also directly remediate issues within Wing's platform, securing their digital environments.
2023-11-09 10:52:46 thehackernews NATION STATE ACTIVITY Iranian Hackers Utilize MuddyC2Go Framework in Israel Cyberattacks
Iranian nation-state actors have implemented a new command-and-control (C2) framework, dubbed MuddyC2Go, targeting Israeli entities. MuddyC2Go, developed in the Go programming language, is associated with the state-sponsored group MuddyWater, linked to Iran's Ministry of Intelligence and Security. The C2 framework has likely been active since early 2020, and its use follows the exposure of PhonyC2, another C2 platform deployed by MuddyWater. Attacks typically commence with spear-phishing emails containing malicious files or links, ultimately leading to additional payload deliveries. To avoid email security detection, the attackers have begun using password-secured archives that distribute executables with built-in PowerShell scripts. These scripts connect to the MuddyWater C2 server, which sends out PowerShell scripts executed at regular intervals to wait for commands. Despite the full capabilities of MuddyC2Go being uncertain, it is presumed to play a key role in generating PowerShell payloads for post-exploitation actions. Security recommendations include disabling PowerShell if unnecessary, or otherwise, intensively monitoring PowerShell activities.
2023-11-09 08:19:44 bleepingcomputer DDOS OpenAI's ChatGPT Hit by Targeted DDoS Attacks, Outages Ensue
OpenAI's API and ChatGPT services have been disrupted by DDoS attacks within the past 24 hours. These attacks caused periodic outages, leading to error messages for users attempting to access ChatGPT. OpenAI has been working on mitigating the outages caused by an "abnormal traffic pattern." The group known as Anonymous Sudan has claimed responsibility for the attacks, citing bias in ChatGPT's responses. Anonymous Sudan has been active since January 2023 and has previously launched similar attacks against Microsoft services. The use of Layer 7 DDoS attacks has been effective in overloading the server and network resources of the targeted services. Some cybersecurity researchers speculate that the group is a potential false flag, suggesting possible links between Anonymous Sudan and Russia. OpenAI has not officially commented on the attribution of the attacks or the specific details of the ongoing outages.
2023-11-09 08:04:20 theregister CYBERCRIME Coordinated Cyberattack and Missile Strikes Lead to Ukrainian Blackouts
Mandiant's intelligence team identified a coordinated cyberattack by Russia's Sandworm, in conjunction with physical missile strikes, as the cause of power outages in Ukraine. Cyber operatives gained access to the operational technology (OT) of a Ukrainian power plant and executed an attack that coincided with missile strikes, affecting about one-third of the country's power. Sandworm's intrusion tactics remain unclear, but their presence was detected for up to three months within the plant's SCADA system before the power outage was initiated. The cyberattack involved an "a.iso" disc image used to deliver a command that shut down substations, followed by a variant of the CaddyWiper data-wiping malware targeting the plant's IT environment. The timing of the cyberattack suggests possible coordination with Russian kinetic military operations, although Mandiant cannot conclusively confirm this. The report challenges the view that fears of Sandworm's potential to disrupt critical infrastructure were exaggerated, while highlighting the diligence of Ukrainian defenders in mitigating such threats.