Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11688
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-08 09:29:08 | thehackernews | MISCELLANEOUS | Webinar to Address Effective SaaS Security Strategies and Programs | Companies now depend on SaaS applications for about 70% of their total software usage, increasing the importance of ensuring those applications are secure. SaaS applications store large volumes of data, so it is critical to safeguard the organization's SaaS app stack and the data within it. Securing SaaS is complex because of the multitude of attack vectors and the dynamic environments that require constant updates and adjustments. Applications are often managed by various business departments, making it challenging for the security team to exercise complete control. The webinar aims to equip attendees with the essential steps to implement a robust SaaS security strategy. It features Adaptive Shield's Senior Director of Customer Success, Effie Mansdorf, for insights on SaaS security. | Details |
| 2023-11-08 09:23:37 | theregister | CYBERCRIME | Blackfog Adopts Anti Data Exfiltration Technology for Improved Cybersecurity | Cyberattacks consistently target businesses for data theft, since the stolen data is what gives ransom demands their leverage. Many organizations invest heavily in defending against external attacks, focusing mostly on perimeter defense and incoming traffic. Cybersecurity firm Blackfog takes a different approach with on-device anti data exfiltration (ADX) technology that uses AI-based behavioural analytics. The ADX technology prevents even administrators from sending unauthorized data outside the network. Blackfog believes this approach provides the best defense against ransomware and extortion by blocking the unauthorized outflow of data. The Register's Tim Phillips will host a webinar in conversation with Dr Darren Williams, CEO and Founder of Blackfog, on November 15 to discuss the role and effectiveness of ADX technology in securing devices and data. The webinar aims to explain why traditional antivirus solutions are inadequate against AI-enhanced intruders, making a case for alternatives such as ADX technology. | Details |
| 2023-11-08 08:32:19 | theregister | NATION STATE ACTIVITY | EU digital identity rules may make HTTPS connections less secure | Incoming digital identity legislation across Europe, the electronic IDentification, Authentication and trust Services (eIDAS) 2.0 regulation, is causing concerns over security and potential surveillance. Civil society groups warn that the new rules, which cover elements such as electronic signatures, time stamps, delivery services and website authentication, could make the internet less safe. Under the new regulations, browser makers must trust government-approved Certificate Authorities (CAs) and must not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI). This could allow governments to intercept and decrypt HTTPS connections between users and websites, enabling them to monitor user activity. The Electronic Frontier Foundation warns that the legislation "returns us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic." Some 400 cyber security experts and NGOs have called on EU lawmakers to clarify that Article 45 of the new regulation cannot be used to override browser trust decisions. Google and Mozilla have also voiced concerns over the legislative changes. | Details |
| 2023-11-08 08:26:37 | thehackernews | CYBERCRIME | Cybersecurity Researchers Unmask Prolific Ransomware Operator 'Farnetwork' | Researchers from Group-IB have traced links between a threat actor known as 'farnetwork' and several ransomware-as-a-service (RaaS) programs over the last four years. Farnetwork has been associated with ransomware projects including JSWORM, Nefilim, Karma, and Nemty, and was involved in developing and managing these RaaS operations. In 2022, farnetwork is believed to have launched a botnet service providing affiliates with access to compromised corporate networks. Recruitment efforts for the farnetwork-managed Nokoyawa RaaS program were identified, with candidates encouraged to use stolen credentials to deploy ransomware and demand payment for decryption of encrypted files. Under farnetwork's RaaS business model, affiliates receive 65% of a ransom amount, the botnet owner 20%, and the ransomware developer potentially as little as 10%. Although the Nokoyawa RaaS operation ceased in October 2023, Group-IB researchers consider it likely that farnetwork will re-emerge under a new alias with a new RaaS program. | Details |
| 2023-11-07 23:38:23 | bleepingcomputer | CYBERCRIME | Ransomware Attack on Ontario Shared Service Provider Compromises Data of 267,000 Patients | Shared service provider TransForm has confirmed that the ransomware attack that disrupted operations at several hospitals in Ontario, Canada was carried out by the DAIXIN Team. The attackers stole a database containing information on 5.6 million patient visits, affecting approximately 267,000 unique individuals. The attack occurred in late October and impacted five hospitals operating under TransForm, including Bluewater Health. Operational disruptions led healthcare providers to reschedule appointments and redirect non-emergency cases to other clinics. The perpetrators have started leaking samples of the stolen data and have stated their interest in selling it to brokers. TransForm has announced that it will not pay the ransom and is investigating the scope and impact of the breach, with regular updates to follow. The stolen information does not include clinical records; however, the exact contents of the files are still under investigation. | Details |
| 2023-11-07 23:07:31 | bleepingcomputer | CYBERCRIME | Fraudulent Ledger App in Microsoft Store Leads to $768,000 Cryptocurrency Theft | A fraudulent cryptocurrency management app named Ledger Live Web3, published in the Microsoft Store, deceived multiple users, resulting in a total loss of over $768,000 in cryptocurrency. The app has since been removed from the store. It had been present in the Microsoft Store since October 19, was spotted by a blockchain enthusiast on November 5, and was removed by Microsoft the same day. The scam was reportedly simple: the fraudster copied the description of the legitimate app almost word for word from the Apple App Store and used the name "Official Dev" for the developer. During the scam the app also directed funds to a second cryptocurrency wallet, which collected around $180,000 from victims. Despite the red flags and suspicious details, it is unclear how the app was allowed onto the Microsoft Store, raising questions about the thoroughness of Microsoft's app vetting process. Although modest compared with other cryptocurrency heists, the simplicity of the scam and the size of the stolen amount are noteworthy. | Details |
| 2023-11-07 20:29:36 | bleepingcomputer | MALWARE | North Korean-Backed Hacker Group BlueNorOff Deploys ObjCShellz Malware for Mac Attacks | North Korean group BlueNorOff, known for attacks on cryptocurrency exchanges and financial institutions, has launched new macOS malware targeting Apple users. The ObjCShellz malware can open remote shells on compromised systems and differs considerably from previous BlueNorOff payloads. The command-and-control (C2) domain linked to this malware mimics a legitimate cryptocurrency exchange's blog site in an effort to avoid detection. The malware is used in the post-exploitation phase, executing commands on infected Intel and Arm Macs. Last year, cybersecurity firm Kaspersky linked BlueNorOff to a series of attacks on cryptocurrency startups worldwide. In 2019, the U.S. sanctioned BlueNorOff and two other North Korean hacker groups for funneling stolen funds to the North Korean government. BlueNorOff and the Lazarus group were also involved in the largest crypto hack to date, in which they stole tokens worth over $617 million. | Details |
| 2023-11-07 17:49:58 | theregister | CYBERCRIME | Microsoft Intensifies Push for Multi-Factor Authentication With New Policies | Microsoft has introduced three optional Conditional Access policies to promote multi-factor authentication (MFA) adoption in businesses, initially released in report-only mode. Customers can opt out within a 90-day review period; otherwise the policies will be enabled automatically. The first and most emphasized policy requires privileged admin accounts to complete MFA when accessing Microsoft admin portals. Two additional policies cater to a smaller subset of customers, requiring MFA for all high-risk sign-ins or for logins to cloud apps. While Microsoft is striving for 100% MFA adoption, currently only 37% of customers use it. However, an initiative that automatically applies basic security controls has seen over 80% of new customers retain MFA. The company states that MFA can reduce account takeover risk by over 99%, and claims that customers with security defaults enabled experience 80% fewer compromises. The new policies provide clear, customizable guidance that customers can alter or disable according to their requirements, and over time Microsoft plans to offer policies tailored to specific organizations. | Details |
| 2023-11-07 16:38:11 | theregister | NATION STATE ACTIVITY | UK Government Plans Mandatory Advance Notification of New Security Tech | The UK government seeks to legislate a requirement for tech companies to inform it of new security technologies before activating them, and to disable those features when required. Announced in the King's Speech, this would likely give the Home Office access to data from major tech platforms for monitoring purposes. The Investigatory Powers (Amendment) Bill is set to reform the "notices regime" with the stated aim of better protecting public safety; the government asserts that advance knowledge of new security measures could help tackle egregious crimes such as child sexual exploitation, abuse, and terrorism. The bill also modifies the conditions for use of Internet Connection Records kept by service providers, intended to improve detection of serious criminal activity and national security threats. The proposed legislation may require tech firms to obtain prior approval from the UK government before updating the privacy features of their products, effectively creating a threat to end-to-end encryption; critics argue this harms the safety of communications and transactions. Abigail Burke of the Open Rights Group warned that these reforms could undermine companies' ability to secure data and increase the odds of criminal attacks, and urged the government to engage with civil society and tech companies. The proposed changes follow the passing of the Online Safety Bill into law, which met vigorous objections from tech companies over its infamous "spy clause." | Details |
| 2023-11-07 15:41:44 | bleepingcomputer | CYBERCRIME | Microsoft Authenticator Blocks Suspicious MFA Alerts | Microsoft has introduced a new feature in the Authenticator app that blocks suspicious push notifications during account login. The feature examines login signals such as an unfamiliar location or other anomalous activity and suppresses the notification rather than showing it to the user; instead, the login screen prompts the user to enter a code from the Authenticator app. This measure follows the introduction of "number matching" in May, which requires users to enter a number displayed on the login screen into their Authenticator app to approve the login. Attackers had been abusing the app's push notification feature by repeatedly attempting to log into a targeted account in the hope of wearing the recipient down into approving a login. Since the feature was implemented in September, Microsoft reports it has blocked over six million MFA notifications suspected of being initiated by attackers. | Details |
| 2023-11-07 14:50:18 | theregister | NATION STATE ACTIVITY | North Korea's State-Sponsored Hackers Develop New macOS Malware Targeting Financial Sector | Researchers at Jamf have detected a new macOS malware in the wild, believed to be the work of North Korea's state-sponsored hacker group known as BlueNoroff, APT38, or TA444. Named "ObjCShellz," the malware is part of a multi-stage campaign called RustBucket aimed at organizations in the financial services sector; the exact scale and success of the campaign are not yet known. Although the malware is regarded as "simple," it functions as a remote shell that executes commands sent from an attacker-controlled server, communicating via a URL that mimics a legitimate cryptocurrency exchange. The RustBucket suite has been used in a series of attacks over the past six months, relying on a multi-stage approach and multiple unique strains to avoid detection and complicate analysis. The malware was developed for macOS despite Windows' larger market share, with attackers targeting users likely to hold access to cryptocurrency and to work on related projects. Delivery begins with a first-stage app disguised as a PDF viewer, which requires users to manually bypass Apple's security measures; a second app, also masked as a PDF viewer, executes a malicious script when a particular PDF file is opened, establishing contact with the attackers' command and control infrastructure for further payloads. The discovery of ObjCShellz as a potential next-stage payload underlines the ongoing development and complexity of these multi-stage campaigns. | Details |
| 2023-11-07 14:39:35 | bleepingcomputer | DATA BREACH | Marina Bay Sands Discloses Breach Impacting 665,000 Customers' Data | Marina Bay Sands (MBS) resort and casino in Singapore has reported a data breach affecting the personal information of around 665,000 customers. The unauthorized access, discovered on October 20, compromised data belonging to members of the MBS loyalty program. The exposed data could be used by attackers to target MBS customers in scams, phishing, and social engineering attacks; casino members (Sands Rewards Club) are believed to be unaffected. Following discovery of the breach, MBS reported the incident to Singaporean authorities and to authorities in other relevant countries. Although the scale of the attack remains unclear, it may be linked to a ransomware attack in which threat actors steal data to extort money; as yet, no ransomware group has claimed responsibility. MBS has declined to comment beyond its official statement, which affirmed that customers whose personal data was exposed will be informed individually. | Details |
| 2023-11-07 13:58:26 | thehackernews | NATION STATE ACTIVITY | North Korean Group BlueNoroff Blamed For New macOS Malware ObjCShellz | The North Korea-affiliated group BlueNoroff has reportedly been linked to a new macOS malware strain called ObjCShellz, discovered as part of the RustBucket malware campaign. BlueNoroff, also tracked as APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima and TA444, is associated with the infamous Lazarus Group and is known for its focus on financial crime, specifically targeting banks and the crypto sector. ObjCShellz is written in Objective-C and functions as a simple remote shell, executing commands sent from an attacker server. The method of initial access remains unknown, though it is speculated that the malware is delivered as a post-exploitation payload. The development follows similar discoveries, such as the KANDYKORN macOS malware used by the Lazarus Group to target blockchain engineers, and the RustBucket macOS malware, an AppleScript-based backdoor. The findings highlight the evolving nature of North Korea-sponsored groups, which continue to create bespoke malware for macOS and Linux, and suggest that macOS malware campaigns will increase in the future. | Details |
| 2023-11-07 12:31:33 | thehackernews | MALWARE | New GootLoader Malware Variant GootBot Facilitates Rapid Spread and Avoids Detection | IBM X-Force researchers have uncovered a new variant of the GootLoader malware, referred to as GootBot, which facilitates lateral movement on compromised systems and evades detection. The variant signifies a tactical shift, with the payload introduced after a GootLoader infection instead of a post-exploitation framework such as Cobalt Strike. GootBot is described as an obfuscated PowerShell script that connects to compromised WordPress websites for command and control and receives further commands from them. Current campaigns use SEO-poisoned searches for business-related topics to direct potential victims to compromised sites that appear legitimate, where they are tricked into downloading the initial payload. GootBot polls its command and control server every 60 seconds to obtain PowerShell tasks and returns the execution results to the server. According to the researchers, GootBot's ability to expand the scale of an attack while evading detection highlights the evolving, sophisticated tactics attackers use to further their operations, including the potential ransomware attacks linked to GootLoader. | Details |
| 2023-11-07 12:15:55 | thehackernews | CYBERCRIME | Lack of Confidence in File Upload Security Raises Concerns Amidst Shift to Cloud and Containerized Web Apps | Companies are increasingly moving to cloud and containerized web applications, with 97% of organizations using containers or planning to deploy them within a year. This shift, although beneficial, leaves an opening for cybercriminals because security upgrades struggle to keep pace with the new technology, especially in file upload security. Data breaches, compliance with regulations such as the GDPR, and malware are the major worries, with OPSWAT highlighting that the vulnerabilities exploited by malicious actors mostly originate from file uploads. Companies need a multi-layered approach, using multiple antivirus engines and File-Based Vulnerability Assessment technology to guard against malicious file uploads and to detect application and file-based vulnerabilities before installation. Other recommended measures include Deep Content Disarm and Reconstruction (CDR) to strip active content and regenerate safe files, as well as AI-enabled malware analysis for in-depth threat evaluation. Given the evolving threat landscape, organizations must integrate key file upload security technologies with their existing infrastructure to guard against malicious file uploads and data loss. | Details |