Daily Brief


Total articles found: 11688


2023-11-09 06:58:08 theregister CYBERCRIME Predator AI: A Multifunction Cybersecurity Toolkit With Chatbot Assistant
Security researchers have discovered a new cybersecurity tool called Predator AI, which targets cloud services and web applications. Predator AI can exploit common vulnerabilities in various web-based services, including AWS, Twilio, WordPress, Magento, OneSignal, Stripe, and PayPal. The toolkit comprises over 11,000 lines of Python code and offers a GUI for executing its numerous functions, including the creation of information-stealing malware. Although the tool is supposedly for educational use, it harbors malicious features and is capable of creating undetectable malware for cybercrime. Predator AI has an optional chatbot assistant powered by OpenAI's ChatGPT, designed to answer operational questions and potentially handle requests. Despite its educational disclaimer, Predator AI presents serious risks, and organizations should verify their defenses against the techniques it employs. Security experts advise monitoring the tool's capabilities, since it reuses code and attack methods found in other toolkits and continues to be actively developed.
2023-11-09 05:36:24 thehackernews DDOS Federal Alert on Active Exploitation of SLP Denial-of-Service Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has cataloged a severe vulnerability in the Service Location Protocol (SLP) after evidence of active exploitation surfaced. The vulnerability, identified as CVE-2023-29552 with a CVSS score of 7.5, raises concerns over potential DoS amplification attacks. Security firms Bitsight and Curesec publicized the flaw in early April, highlighting its capability for a significant amplification factor in DoS attacks. Attackers can exploit this flaw by registering services and using spoofed UDP traffic to greatly amplify the impact of DoS attacks on networks and servers. The precise methods of exploitation have not been disclosed, though the acknowledged threat illustrates the potential for resource-limited attackers to cause considerable disruption. The CISA mandate requires federal agencies to implement prescribed mitigations, such as disabling SLP on systems within untrusted networks, by November 29, 2023. The alert emphasizes the urgency of addressing the flaw to defend against the documented real-world attacks exploiting this vulnerability.
2023-11-08 19:58:46 bleepingcomputer CYBERCRIME Windows 11 Boosts Default Network Security with SMB Firewall Rule Changes
Microsoft's new Windows 11 build now excludes firewall rules for SMB1 when creating new Server Message Block (SMB) shares, enhancing default network security. This change brings SMB firewall rules closer to the behaviour of the Windows Server "File Server" role, omitting inbound NetBIOS ports 137-139. Administrators can still make necessary configurations to the "File and Printer Sharing" group and modify the new firewall group. Microsoft plans future updates to remove inbound ICMP, LLMNR, and Spooler Service ports, leaving open only the ports SMB sharing requires. Alternative connections to an SMB server via TCP, QUIC, or RDMA over custom network ports are now supported by the SMB client, deviating from the hardcoded defaults. As part of recent security improvements, Windows 11 administrators can enforce encryption for all outbound SMB client connections and configure systems to block sending NTLM data over SMB on remote outbound connections. These changes are part of Microsoft's broader effort to enhance Windows and Windows Server security, following the disabling of the outdated SMB1 file-sharing protocol and the strengthening of defences against brute-force attacks with an SMB authentication rate limiter.
2023-11-08 19:07:17 theregister MISCELLANEOUS Microsoft and Meta Unveil Different Strategies to Combat Election Misinformation in 2024
Microsoft and Meta are implementing different strategies to combat misinformation during the upcoming elections in 2024, though the efficacy of these strategies is yet to be determined. Microsoft's strategy entails launching a five-step election protection plan in the United States and other countries where critical elections will take place in 2024. One of these steps is the Content Credentials service which will make use of digital watermarking metadata for images and videos. Through Content Credentials, campaigns can assert the originality of an image or video, while also protecting against tampering by showing if it has been altered after its credentials were created. This service is set to be rolled out in spring of 2024. In addition to watermarking, Microsoft will also form a "Campaign Success Team" to advise political campaigns on AI and cyber influence, create an Election Communications Hub for election authorities, and collaborate with organizations that label news sources as authoritative. Meta's strategy is focused on advertising. They will require advertisers to disclose if a social issue, electoral, or political ad contains a digitally created or altered photorealistic image or video, or realistic sounding audio. Meta's new policy will take effect in 2024 and apply globally. Non-compliance with the new policy could result in the rejection of ads. While Microsoft has not detailed how it will police misinformation spread via its platforms, Meta plans to rely on "independent fact-checking partners" to review content.
2023-11-08 18:36:12 bleepingcomputer DATA BREACH Sumo Logic Announces Security Breach; Advises Customers to Reset API Keys
Security and data analytics firm Sumo Logic experienced a security breach after its Amazon Web Services (AWS) account was compromised through stolen credentials. The company claims its systems and networks were not affected and that customer data remained encrypted throughout the incident. After the breach, the company locked down the accessible infrastructure and rotated potentially exposed credentials to prevent further compromise. Sumo Logic has intensified monitoring and addressed potential vulnerabilities to forestall similar incidents in the future. The company has urged its customers to rotate the credentials used to access its services as a preventive measure. Sumo Logic will notify customers directly if evidence of malicious access to their accounts is found. The firm's clientele includes major tech corporations such as Samsung, Okta, SAP, Airbnb, and Toyota.
2023-11-08 18:15:18 bleepingcomputer DDOS Russia's Sberbank Struck by Massive 1 Million RPS DDoS Attack
Two weeks ago, Russian state-owned Sberbank reported facing the largest Distributed Denial of Service (DDoS) attack in its history at a scale of one million requests per second (RPS). Sberbank, holding nearly one-third of all Russian assets, stated that the DDoS attack was approximately four times the size of any they had previously experienced. The bank asserts the attack was conducted by "new, very qualified criminals" whose methods and techniques were unfamiliar to them, indicating this may not have been the work of typical hacktivist groups. While significant, this attack does not match some of the most massive DDoS attacks seen recently, where new techniques are being used to generate a hundred times more impact, peaking at rates such as 398 million RPS for Google and 155 million RPS for Amazon. Sberbank previously reported facing large-scale DDoS attacks focussed on its online customer services in May 2022, successfully fending off a 450GB/sec attack generated by a botnet of 27,000 compromised devices. Another recent cyber incident saw Russia’s National Payment Card System's website compromised, but the organization asserted that no sensitive customer data was available on the website and the attack did not affect the payments system.
2023-11-08 16:48:01 bleepingcomputer CYBERCRIME FBI Warns of Ransomware Attacks on Casinos via Third-Party Gaming Vendors
The FBI has warned that ransomware threat actors are exploiting vulnerabilities in third-party gaming vendors to hack into casino servers and increase their network permissions using legitimate system management tools. The targeted establishments include small and tribal casinos, where personal identifying information of employees and patrons is being encrypted. Ransomware group Silent Ransom Group (SRG) and 'Luna Moth' have been staging callback-phishing attacks to steal data and extort companies since June this year. The attackers convince the victim to install a system management tool under the pretense of pending account charges, which they later use to install other utilities for malicious purposes. The FBI has recommended various mitigation techniques, such as keeping offline backups, implementing policies for remote access, using multifactor authentication, network segmentation, and updating software components.
2023-11-08 14:22:30 thehackernews CYBERCRIME Cryptocurrency Mining Exploits Identified on Microsoft Azure Automation
Cybersecurity company SafeBreach identified three methods to run fully undetectable cloud-based cryptocurrency miners on the Microsoft Azure Automation service without incurring charges. These methods could potentially be used for any task on Azure requiring code execution. The researchers were looking for an "ultimate crypto miner" offering unlimited access to resources, that required minimal maintenance, was cost-free and undetectable. They identified a bug in the Azure pricing calculator, allowing an unlimited number of jobs to be executed at no charge. An additional method involves creating a test-job for mining, marking it as 'Failed' and creating another dummy test-job, taking advantage of the fact that only one test can run at a time, hiding code execution in the Azure environment. A threat actor could use these methods to establish a reverse shell towards an external server and authenticate to the Automation endpoint. Code execution could also be achieved by using Azure Automation’s feature allowing users to upload custom Python packages. Microsoft has issued a fix for the pricing calculator bug, but stated the ability to exploit the method is 'by design'.
2023-11-08 14:01:21 theregister CYBERCRIME Atlassian Upgrades Severity of Confluence Vulnerability after Data Breaches Emerge
Atlassian has raised its threat level for the recent improper authorization vulnerability in Confluence Data Center and Server, increasing its CVSS score from 9.1 to the maximum of 10. Initial assessments allowed for "significant data loss", but it is now understood that an attacker could create an admin account with capabilities extending well beyond data loss. All versions of Confluence are affected by the vulnerability, which has now been confirmed to be actively exploited. Security firm Rapid7 reported possible mass exploitation attempts beginning on November 5th and has highlighted the deployment of the Cerber ransomware strain. The rapid exploitation attempts following the release of a patch show how quickly adversaries weaponize newly disclosed flaws and distribute their exploits. Over 200,000 results were found for a "Confluence" search on Shodan, indicating how widely exposed these systems are on the internet. Atlassian advises all vulnerable customers to upgrade immediately and provides temporary mitigations if upgrades are not immediately possible.
2023-11-08 14:01:21 thehackernews DATA BREACH WhatsApp Introduces Privacy Feature to Mask Users' IP Addresses in Calls
WhatsApp, owned by Meta, has introduced a new privacy feature named "Protect IP Address in Calls" to secure users' IP addresses during calls. This feature works by routing calls through WhatsApp servers, making it more difficult for bad actors to discern a caller's location. Despite adding an extra layer of privacy, this feature may lead to a slight decline in the quality of calls. Similar to Apple's iCloud Private Relay, the new feature has been under development since August 2023. The feature is aimed at enhancing privacy and security for its most privacy-conscious users. This introduction builds on a previously launched feature titled "Silence Unknown Callers," reducing the risk of zero-click attacks and spyware. WhatsApp's approach involves using a privacy token within a custom protocol to avoid processing data controlled by potential attackers.
2023-11-08 14:01:21 bleepingcomputer MISCELLANEOUS WhatsApp Enhances User Privacy with New Features Hiding Location and Screening Unknown Calls
WhatsApp is introducing a new feature designed to enhance the privacy of its users by allowing them to hide their location during calls. This is achieved by routing the call connection through WhatsApp's servers which hides the user's IP address. The feature, called "Protect IP Address in Calls", means that no caller's IP address metadata is accessible to other call participants. This obscures details of the user's internet service provider and their approximate geographical positioning. Importantly, though calls are being routed through WhatsApp's servers, privacy remains paramount as all calls are end-to-end encrypted, and the company is unable to listen in. Group calls are always relayed through WhatsApp's servers by default, adding an additional layer of privacy and security. This new feature follows the company's ongoing efforts to boost user privacy. Last year, WhatsApp rolled out a feature called "Silence Unknown Callers", which screens out calls from unknown contacts, effectively reducing the likelihood of spam, scam calls, or 'zero-click' attacks. WhatsApp's recently added "Chat Lock" feature also further secures private conversations by allowing users to block access to their most private exchanges.
2023-11-08 12:59:56 thehackernews MALWARE BlazeStealer Malware Discovered in Python Packages on PyPI Poses Threat to Developer Systems
A report from Checkmarx revealed the existence of a new form of malware called BlazeStealer in seemingly harmless Python packages on the Python Package Index (PyPI) repository. The malware aims to steal sensitive information from compromised developer systems. Since January 2023, eight malicious packages have been detected on PyPI, with the latest released in October. When installed, the packages retrieve a Python script that is executed immediately, resulting in the malware running a Discord bot. The bot allows the threat actor to gather information such as web browser passwords and screenshots, execute arbitrary commands, encrypt files, and disable Microsoft Defender Antivirus on the infected system. It can also drive CPU usage to excessive levels, insert a Windows Batch script in the startup directory to shut down the machine, and even cause a blue screen of death error. The majority of the rogue package downloads were traced back to the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. They were collectively downloaded 2,438 times before being removed. Checkmarx recommends that developers vet packages before consuming them, given that the open-source ecosystem is fertile ground for attackers to exploit.
2023-11-08 11:48:17 theregister CYBERCRIME Monero Project Loses $437,000 in Mysterious Wallet-Draining Attack
The Monero Project has disclosed that its community crowdfunding system (CCS) wallet was drained of 2,675.73 XMR (~$437,000) on September 1, 2021. The funds were drained via nine separate transactions, taking place within minutes. The team suspects that the breach might be related to ongoing wallet-draining attacks observed since April. Additional security measures have been applied to secure other Monero wallets, including enabling a multisig scheme, which requires more than one individual to authorize any given transaction. Monero's breach is part of a wider phenomenon: earlier this year Atomic Wallet lost funds from more than 5,000 wallets in a single attack, attributing the breach to the North Korean state-sponsored Lazarus Group. Discussion in the community suggests that the LastPass password manager breach could have been a factor in these wallet-draining attacks, since most affected users had their seeds stored in LastPass. However, LastPass CEO Karim Toubba refutes these claims, stating there is no current evidence linking the company's security incidents to the ongoing cryptocurrency theft. The method used to execute these wallet-draining attacks remains unknown despite investigations, underscoring the need for stronger security measures in the management of cryptocurrency wallets.
2023-11-08 11:12:01 thehackernews CYBERCRIME Addressing Generative AI Risks: A Guide for vCISOs, MSPs, and MSSPs
The growing use of generative AI in sales, marketing, IT, executive, support, and other functions comes with three main security concerns: the sensitivity of the data fed into generative AI tools, the risky outputs these tools might generate, and the potential hazards tied to using third-party generative AI tools. Most organisations have started using generative AI tools to enhance their operations before implementing the necessary safeguards and cybersecurity constraints. Unregulated use of AI in organisations can potentially have significant negative impacts. An effective solution is not to cease the use of generative AI; instead, stakeholders such as MSPs, MSSPs, and vCISOs should take the initiative in flagging these security issues to their clients. Cynomi, a vCISO platform provider, offers a free guide detailing immediate preventative measures that service providers can implement to protect their customers from generative AI-associated risks. As part of their job, these security service providers need to make their clients aware of the potential risks of generative AI, as well as teach them safe usage practices and effective tools. The purpose of the guide, "It's a Generative AI World: How vCISOs, MSPs and MSSPs Can Keep Their Customers Safe from Gen AI Risks," is to provide service providers with practical information to warn their customers about such threats and protect them against the potential negative impacts of generative AI deployment.
2023-11-08 09:34:41 bleepingcomputer CYBERCRIME Threat Actor 'farnetwork' Tied to Five Ransomware Gangs, Indicates Long-Standing Activity in the Ransomware Business
Russian-speaking threat actor 'farnetwork' has been associated with five ransomware groups, notably JSWORM, Nefilim, Karma, Nemty, and Nokoyawa, assuming roles in malware development and operations management. Group-IB has tracked farnetwork's activities back to January 2019, establishing links to different strains of ransomware. Their activities include promoting ransomware-as-a-service (RaaS) programs and managing a botnet that gives affiliates access to compromised networks. Farnetwork recently shut down the Nokoyawa RaaS program after leaking data of 35 victims in October, although Group-IB suspects this move is a tactic to cover their tracks and re-emerge under a new brand. Farnetwork was an operations manager in the Nokoyawa ransomware operation, where they recruited affiliates, promoted the RaaS program on darknet forums, and managed a botnet. The affiliations of farnetwork show that some ransomware operations are managed by individuals experienced in the business, who frequently rebrand to continue operating. These individuals often handle multiple elements of the ransomware chain, from development to deployment. Farnetwork was also responsible for testing potential associates by providing them with corporate account credentials stolen by info-stealers and sold on the Underground Cloud of Logs (UCL) service. The potential affiliates' task was to escalate their network privileges, steal files, run the encryptor, and demand a ransom.